本章节,要讲的是SSH远端连线的机制与原理,以及SSH的使用方式。
OpenSSH实做了Secure Shell或是称作SSH Protocol,它提供了一种加解密之安全连线方式供远端的使用者可以透过此加密通讯协定进行远端连线与存取远端的主机。以下是一些常见的SSH指令的用法:
[rockylinux@workstation ~]$ ssh rockylinux@localhost
rockylinux@localhost's password:
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Thu Sep 30 23:36:11 2021
[rockylinux@workstation ~]$
从上述的执行指令可以得知,这就是一个基本的SSH指令用法,远端连上去之後,基本上与在桌面环境上使用终端机的操作一模一样,当操作完成之後,要离开并关闭这个连线,执行exit
或是logout
之指令即可,相关的指令执行後所输出的讯息如下:
[rockylinux@workstation ~]$ ssh rockylinux@localhost
rockylinux@localhost's password:
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Fri Oct 1 00:58:54 2021 from 192.168.0.9
[rockylinux@workstation ~]$ logout
Connection to localhost closed.
[rockylinux@workstation ~]$ ssh rockylinux@localhost
rockylinux@localhost's password:
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Fri Oct 1 00:58:57 2021 from ::1
[rockylinux@workstation ~]$ exit
logout
Connection to localhost closed.
[rockylinux@workstation ~]$
还记得前面的章节有提到w
这个指令吗?这个指令可以查看目前有多少的使用者使用SSH来登入到此主机上,相关的指令执行所输出的结果如下:
[rockylinux@workstation ~]$ w
01:01:18 up 3:14, 2 users, load average: 0.01, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
rockylin pts/0 192.168.0.9 00:58 2.00s 0.11s 0.02s w
rockylin tty2 tty2 23:36 3:13m 40.23s 0.27s /usr/libexec/tracker-miner-fs
[rockylinux@workstation ~]$
当作业系统安装好之後,主机金钥便会自己产生,并存放到/etc/ssh/
之目录档里面,而这个资料夹也是存放SSH server之设定档,在这个目录底下有sshd_config
便是可以调整与设定SSH server了,若要观看更多有关於此设定档的设定内容说明,可以使用sudo man /etc/ssh/sshd_config
指令来做到。
当使用SSH第一次连到远端的主机的时候,会询问公开金钥的fingerprint是否要信任远方主机传过来的公开金钥,需先确认主机的公钥,当输入「yes」的时候,就会将此公开金钥存到当前使用者家目录中的.ssh目录中,并储存成known_hosts档案,接着自此之後再用此指令连上远端的时候,便不再询问并直接连上,而当known_hosts所存放的fingerprint有所不同时,在使用SSH进行连线的时候,则会跳出警告,则表示hash值验证有误,若确定这个是正常的行为,像是:主机重灌就有可能会发生,因为主机的host key已经重新产一组,则移除host上之fingerprint,并重新建立与储存host之公钥之杂凑资讯到known_hosts中,相关的指令执行所输出的讯息如下:
[rockylinux@workstation ~]$ ssh [email protected]
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:N6ZipKZheNYa53L7olZj/hgn1dmz4POF3HzQuTvgQjI.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
从上面可以发现到,这是第一次连线到[email protected]之主机,因此跳出这样的提示的讯息询问,这个可以知道是使用ECDSA之Host public key的,因此回到此虚拟主机并使用下列的指令将fingerprint给输出出来:
[rockylinux@workstation ~]$ ssh [email protected]
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:N6ZipKZheNYa53L7olZj/hgn1dmz4POF3HzQuTvgQjI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? ^C
[rockylinux@workstation ~]$ ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub
256 SHA256:N6ZipKZheNYa53L7olZj/hgn1dmz4POF3HzQuTvgQjI no comment (ECDSA)
[rockylinux@workstation ~]$
从上述的指令,这就可以发现fingerprint是相同的,接着就可以放心地按下「yes」并将此讯息存放到known_hosts的档案中,相关的执行指令的操作如下:
[rockylinux@workstation ~]$ ssh [email protected]
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:N6ZipKZheNYa53L7olZj/hgn1dmz4POF3HzQuTvgQjI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
[email protected]'s password:
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Fri Oct 1 00:59:07 2021 from ::1
[rockylinux@workstation ~]$ exit
logout
Connection to 127.0.0.1 closed.
[rockylinux@workstation ~]$ cat ~/.ssh/known_hosts
127.0.0.1 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKnKNWcTQ7yTDdfdZ3rcg7Pg1H+an8BmXZxuyK5CP/BVE/qFVq5Q7EeA2e8M5Qhnw7RS34VdRIVhmt5y3dHqc2o=
[rockylinux@workstation ~]$
接着使用exit
指令离开此远端shell,为了要模拟远端主机所存取的Host public key有问题,以root使用者并用手动的方式将ssh_host_ecdsa_key
与ssh_host_ecdsa_key.pub
并将sshd服务重新启动,这时候就会重新产生一组全新的ssh_host_ecdsa_key
与ssh_host_ecdsa_key.pub
档案了,相关的指令执行输出的讯息如下:
[rockylinux@workstation ~]$ sudo rm /etc/ssh/ssh_host_ecdsa_key*
[rockylinux@workstation ~]$ ls /etc/ssh/
moduli ssh_config.d ssh_host_ed25519_key ssh_host_rsa_key
ssh_config sshd_config ssh_host_ed25519_key.pub ssh_host_rsa_key.pub
[rockylinux@workstation ~]$ sudo systemctl restart sshd
[rockylinux@workstation ~]$ ls /etc/ssh/
moduli ssh_config.d ssh_host_ecdsa_key ssh_host_ed25519_key ssh_host_rsa_key
ssh_config sshd_config ssh_host_ecdsa_key.pub ssh_host_ed25519_key.pub ssh_host_rsa_key.pub
[rockylinux@workstation ~]$
接着再使用ssh [email protected]
指令进行远端登入,则会发生fingerprint有问题的错误了,相关执行指令的输出讯息如下:
[rockylinux@workstation ~]$ ssh [email protected]
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:jtNpnVUOQFBlVo5shPfHdnogsQq/LtxbFLmgaeJJDjI.
Please contact your system administrator.
Add correct host key in /home/rockylinux/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/rockylinux/.ssh/known_hosts:1
ECDSA host key for 127.0.0.1 has changed and you have requested strict checking.
Host key verification failed.
[rockylinux@workstation ~]$
从上述的警告讯息得知,存放在known_hosts对应到此主机的fingerprint hash与远端的不同,确认过远端主机是删除相关的公私钥并重新启动SSH server服务重新产一组的原因之後,可以将此行删除,接着再次执行ssh [email protected]
指令,则会询问fingerprint是不是对的问题了,那就重复上述的步骤进行验证与登入,相关的指令执行所输出的讯息如下:
[rockylinux@workstation ~]$ cat ~/.ssh/known_hosts
127.0.0.1 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKnKNWcTQ7yTDdfdZ3rcg7Pg1H+an8BmXZxuyK5CP/BVE/qFVq5Q7EeA2e8M5Qhnw7RS34VdRIVhmt5y3dHqc2o=
[rockylinux@workstation ~]$ vim ~/.ssh/known_hosts
[rockylinux@workstation ~]$ cat ~/.ssh/known_hosts
[rockylinux@workstation ~]$ ssh [email protected]
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:jtNpnVUOQFBlVo5shPfHdnogsQq/LtxbFLmgaeJJDjI.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
有关於SSH连线之间做了什麽事情,由下列的示意图所示:
另外,SSH有分版本,分别为1与2,目前都是使用第2版,而第2版就会有四种host key在作业系统安装的时候给产生出来,主要有RSA、DSA、ECDSA与ECD25519等几种,相关的所自动产生的所有Host公钥可以在/etc/ssh目录底下找到,相关的指令执行所输出的讯息如下:
[rockylinux@workstation ~]$ ls /etc/ssh/
moduli ssh_config.d ssh_host_ecdsa_key ssh_host_ed25519_key ssh_host_rsa_key
ssh_config sshd_config ssh_host_ecdsa_key.pub ssh_host_ed25519_key.pub ssh_host_rsa_key.pub
ssh rockylinux@localhost
指令登入并验证fingerprint。.ssh/known_hosts
档案删除,并再执行一次ssh rockylinux@localhost
观察输出的讯息,并试着修复。
>>: [DAY 15] RNN 的实作以及 Regression 例子
今天写广度优先搜寻(DFS),与BFS相同,DFS是一种图形搜寻演算法,在解题的时候会用来爆搜的其中...
Aloha!我是少女人妻 Uerica!终於来到最後一天了!如果生命只剩一天,我想我会拿来学资料结构...
BOM ( Browser Object Model ) 浏览器物件模型 BOM 核心是 windo...
Vue的安装方式有很多种像我这次是使用CND的方式来使用Vue 首先呢我们可以先到Vue的网站 可以...
Mikrotik RouterOS从入门到实战系列-Mikrotik入门第三课 CAPsMAN无线控...