tachtler:ssh
Inhaltsverzeichnis
SSH
SSH oder Secure Shell bezeichnet sowohl ein Netzwerkprotokoll als auch entsprechende Programme, mit deren Hilfe man auf eine sichere Art und Weise eine verschlüsselte Netzwerkverbindung mit einem entfernten Computer herstellen kann.
Die hier beschriebene Variante von SSH ist OpenSSH, welche eine freie Version der SSH-Verbindungssuite ist.
Installation
Folgende Pakete sollten für den Betrieb von OpenSSH als Server und Client installiert werden:
openssh(openssh.i386)openssh-askpass(openssh-askpass.i386)openssh-clients(openssh-clients.i386)openssh-server(openssh-server.i386)
Die OpenSSH-Variante der SSH-Verbindungssuite besteht aus folgenden Komponenten:
sshDas Basis-ClientprogrammsshdDer Dienst (Daemon), der für das Einloggen auf fremden Rechnern verantwortlich istssh_configDie Konfigurationsdatei des Clientssshd_configDie Konfigurationsdatei des Dienstes (Daemon)ssh-agentEin Authetifikationsagent, der private Schlüssel verwalten kannssh-addWerzug zum hinzufügen von Schlüsseln zumssh-agentsftpFTP-ähnliches ProgrammscpKopierprogrammssh-keygenSchlüsselerzeugungs-Werkzeugssh-keyscanWerzeug, um öffentliche Schlüssel von verschiedenen anderen HOSTs zu holenssh-keysignHilfsprogramm für hostbasierte Authentifikation
Konfiguration
Konfigurationsdateien
Grundsätzlich sind die folgenden beiden Konfigurationsdateien für ssh und sshd die wichtigsten Bestandteile der OpenSSH-Installation.
/etc/ssh/ssh_configoder lokal, Benutzerbezogen~/.ssh/configfür –>ssh/etc/ssh/sshd_configfür –>sshd
Nach einer erfolgreichen Installation, sind aktuell standardmässig folgende Dateien im Verzeichnis /etc/ssh zu finden
/etc/ssh/moduliSystemweite Diffie-Hellmann Haupt-Module fürsshd/etc/ssh/ssh_configDie Konfigurationsdatei des Clients/etc/ssh/sshd_configDie Konfigurationsdatei des Dienstes (Deamon)/etc/ssh/ssh_host_dsa_keyPrivater Schlüssel des Host (SSH2-DSA)/etc/ssh/ssh_host_dsa_key.pubÖffentlicher Schlüssel des Host (SSH2-DSA)/etc/ssh/ssh_host_keyPrivater Schlüssel des Host (SSH1)/etc/ssh/ssh_host_key.pubÖffentlicher Schlüssel des Host (SSH1)/etc/ssh/ssh_host_rsa_keyPrivater Schlüssel des Host (SSH2-RSA)/etc/ssh/ssh_host_rsa_key.pubÖffentlicher Schlüssel des Host (SSH2-RSA)
Falls die Die SSH-Verbindungssuite mit „Schlüssel-Authetifizierung“ genutzt werden soll, sind mindestens zwei der folgende Dateien (privater und öffentlicher Schlüssel) standardmässig in dem jeweiligen home-Verzeichnis des Benutzers mittels z.B. ssh-keygen zu erzeugen:
~/.ssh/id_dsaPrivater Schlüssel nach SSH2-DSA~/.ssh/id_dsa.pubÖffentlicher Schlüssel nach SSH2-DSA –> beginnt im Text mit –>ssh-dss~/.ssh/identityPrivater Schlüssel nach SSH1-RSA~/.ssh/identity.pubÖffentlicher Schlüssel nach SSH1-RSA –> beginnt im Text mit –>1024o.ä(bits)~/.ssh/id_rsaPrivater Schlüssel nach SSH2-RSA~/.ssh/id_rsa.pubÖffentlicher Schlüssel nach SSH2-RSA –> beginnt im Text mit –>ssh-rsa
Konfiguration SSH-Daemon
Die folgende Konfigurationsdatei des SSH-Daemons wurde auf höhere Sicherheitsbedürfnisse angepasst.
# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. # This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options change a # default value. AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE AcceptEnv XMODIFIERS AllowUsers klaus AddressFamily inet Banner /etc/issue.net ChallengeResponseAuthentication no GSSAPIAuthentication no GSSAPICleanupCredentials yes HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_ecdsa_key ListenAddress 192.168.0.10:22 ListenAddress 127.0.0.1:2222 MaxAuthTries 12 Protocol 2 Subsystem sftp /usr/libexec/openssh/sftp-server SyslogFacility AUTHPRIV UsePAM yes UsePrivilegeSeparation sandbox X11Forwarding yes # Settings for Key-Authorization AuthorizedKeysFile %h/.ssh/authorized_keys PasswordAuthentication no PermitRootLogin no PermitEmptyPasswords no RSAAuthentication no # AcceptEnv # Specifies what environment variables sent by the client will be # copied into the session's environ(7). See SendEnv in # ssh_config(5) for how to configure the client. Note that envi- # ronment passing is only supported for protocol 2. Variables are # specified by name, which may contain the wildcard characters `*' # and `?'. Multiple environment variables may be separated by # whitespace or spread across multiple AcceptEnv directives. Be # warned that some environment variables could be used to bypass # restricted user environments. For this reason, care should be # taken in the use of this directive. The default is not to accept # any environment variables. # AddressFamily # Specifies which address family should be used by sshd(8). Valid # arguments are ``any'', ``inet'' (use IPv4 only), or ``inet6'' # (use IPv6 only). The default is ``any''. # AddressFamily any # AllowGroups -DISABLED- # This keyword can be followed by a list of group name patterns, # separated by spaces. If specified, login is allowed only for # users whose primary group or supplementary group list matches one # of the patterns. Only group names are valid; a numerical group # ID is not recognized. By default, login is allowed for all # groups. The allow/deny directives are processed in the following # order: DenyUsers, AllowUsers, DenyGroups, and finally # AllowGroups. # # See PATTERNS in ssh_config(5) for more information on patterns. # AllowGroups # AllowTcpForwarding # Specifies whether TCP forwarding is permitted. The default is # ``yes''. Note that disabling TCP forwarding does not improve se- # curity unless users are also denied shell access, as they can al- # ways install their own forwarders. # AllowTcpForwarding yes # AllowUsers -DISABLED- # This keyword can be followed by a list of user name patterns, # separated by spaces. If specified, login is allowed only for us- # er names that match one of the patterns. Only user names are # valid; a numerical user ID is not recognized. By default, login # is allowed for all users. If the pattern takes the form US- # ER@HOST then USER and HOST are separately checked, restricting # logins to particular users from particular hosts. The allow/deny # directives are processed in the following order: DenyUsers, # AllowUsers, DenyGroups, and finally AllowGroups. # # See PATTERNS in ssh_config(5) for more information on patterns. # AuthorizedKeysFile # Specifies the file that contains the public keys that can be used # for user authentication. AuthorizedKeysFile may contain tokens # of the form %T which are substituted during connection setup. # The following tokens are defined: %% is replaced by a literal # '%', %h is replaced by the home directory of the user being au- # thenticated, and %u is replaced by the username of that user. # After expansion, AuthorizedKeysFile is taken to be an absolute # path or one relative to the user's home directory. The default # is ``.ssh/authorized_keys''. # Banner # In some jurisdictions, sending a warning message before authenti- # cation may be relevant for getting legal protection. The con- # tents of the specified file are sent to the remote user before # authentication is allowed. This option is only available for # protocol version 2. By default, no banner is displayed. # ChallengeResponseAuthentication # Specifies whether challenge-response authentication is allowed. # All authentication styles from login.conf(5) are supported. The # default is ``yes''. # Ciphers # Specifies the ciphers allowed for protocol version 2. Multiple # ciphers must be comma-separated. The supported ciphers are # ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'', # ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', ``arcfour128'', # ``arcfour256'', ``arcfour'', ``blowfish-cbc'', and # ``cast128-cbc''. The default is: # # Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, # arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, # aes192-ctr,aes256-ctr # ClientAliveCountMax # Sets the number of client alive messages (see below) which may be # sent without sshd(8) receiving any messages back from the client. # If this threshold is reached while client alive messages are be- # ing sent, sshd will disconnect the client, terminating the ses- # sion. It is important to note that the use of client alive mes- # sages is very different from TCPKeepAlive (below). The client # alive messages are sent through the encrypted channel and there- # fore will not be spoofable. The TCP keepalive option enabled by # TCPKeepAlive is spoofable. The client alive mechanism is valu- # able when the client or server depend on knowing when a connec- # tion has become inactive. # # The default value is 3. If ClientAliveInterval (see below) is # set to 15, and ClientAliveCountMax is left at the default, unre- # sponsive SSH clients will be disconnected after approximately 45 # seconds. This option applies to protocol version 2 only. # ClientAliveCountMax 3 # ClientAliveInterval # Sets a timeout interval in seconds after which if no data has # been received from the client, sshd(8) will send a message # through the encrypted channel to request a response from the # client. The default is 0, indicating that these messages will # not be sent to the client. This option applies to protocol ver- # sion 2 only. # # ClientAliveInterval 0 # Compression # Specifies whether compression is allowed, or delayed until the # user has authenticated successfully. The argument must be # ``yes'', ``delayed'', or ``no''. The default is ``delayed''. # Compression delayed # DenyGroups -DISABLED- # This keyword can be followed by a list of group name patterns, # separated by spaces. Login is disallowed for users whose primary # group or supplementary group list matches one of the patterns. # Only group names are valid; a numerical group ID is not recog- # nized. By default, login is allowed for all groups. The al- # low/deny directives are processed in the following order: # DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. # # See PATTERNS in ssh_config(5) for more information on patterns. # DenyGroups # DenyUsers -DISABLED- # This keyword can be followed by a list of user name patterns, # separated by spaces. Login is disallowed for user names that # match one of the patterns. Only user names are valid; a numeri- # cal user ID is not recognized. By default, login is allowed for # all users. If the pattern takes the form USER@HOST then USER and # HOST are separately checked, restricting logins to particular # users from particular hosts. The allow/deny directives are pro- # cessed in the following order: DenyUsers, AllowUsers, DenyGroups, # and finally AllowGroups. # # See PATTERNS in ssh_config(5) for more information on patterns. # DenyUsers # ForceCommand # Forces the execution of the command specified by ForceCommand, # ignoring any command supplied by the client. The command is in- # voked by using the user's login shell with the -c option. This # applies to shell, command, or subsystem execution. It is most # useful inside a Match block. The command originally supplied by # the client is available in the SSH_ORIGINAL_COMMAND environment # variable. # ForceCommand # GatewayPorts # Specifies whether remote hosts are allowed to connect to ports # forwarded for the client. By default, sshd(8) binds remote port # forwardings to the loopback address. This prevents other remote # hosts from connecting to forwarded ports. GatewayPorts can be # used to specify that sshd should allow remote port forwardings to # bind to non-loopback addresses, thus allowing other hosts to con- # nect. The argument may be ``no'' to force remote port forward- # ings to be available to the local host only, ``yes'' to force re- # mote port forwardings to bind to the wildcard address, or # ``clientspecified'' to allow the client to select the address to # which the forwarding is bound. The default is ``no''. # GatewayPorts no # GSSAPIAuthentication # Specifies whether user authentication based on GSSAPI is allowed. # The default is ``no''. Note that this option applies to protocol # version 2 only. # GSSAPICleanupCredentials # Specifies whether to automatically destroy the user's credentials # cache on logout. The default is ``yes''. Note that this option # applies to protocol version 2 only. # HostbasedAuthentication # Specifies whether rhosts or /etc/hosts.equiv authentication to- # gether with successful public key client host authentication is # allowed (host-based authentication). This option is similar to # RhostsRSAAuthentication and applies to protocol version 2 only. # The default is ``no''. # HostbasedAuthentication no # HostbasedUsesNameFromPacketOnly # Specifies whether or not the server will attempt to perform a re- # verse name lookup when matching the name in the ~/.shosts, # ~/.rhosts, and /etc/hosts.equiv files during # HostbasedAuthentication. A setting of ``yes'' means that sshd(8) # uses the name supplied by the client rather than attempting to # resolve the name from the TCP connection itself. The default is # ``no''. # HostbasedUsesNameFromPacketOnly no # HostKey # Specifies a file containing a private host key used by SSH. The # default is /etc/ssh/ssh_host_key for protocol version 1, and # /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for pro- # tocol version 2. Note that sshd(8) will refuse to use a file if # it is group/world-accessible. It is possible to have multiple # host key files. ``rsa1'' keys are used for version 1 and ``dsa'' # or ``rsa'' are used for version 2 of the SSH protocol. # HostKey # IgnoreRhosts # Specifies that .rhosts and .shosts files will not be used in # RhostsRSAAuthentication or HostbasedAuthentication. # # /etc/hosts.equiv and /etc/shosts.equiv are still used. The de- # fault is ``yes''. # IgnoreRhosts yes # IgnoreUserKnownHosts # Specifies whether sshd(8) should ignore the user's # ~/.ssh/known_hosts during RhostsRSAAuthentication or # HostbasedAuthentication. The default is ``no''. # IgnoreUserKnownHosts no # KerberosAuthentication # Specifies whether the password provided by the user for # PasswordAuthentication will be validated through the Kerberos # KDC. To use this option, the server needs a Kerberos servtab # which allows the verification of the KDC's identity. The default # is ``no''. # KerberosAuthentication no # KerberosGetAFSToken # If AFS is active and the user has a Kerberos 5 TGT, attempt to # acquire an AFS token before accessing the user's home directory. # The default is ``no''. # KerberosGetAFSToken no # KerberosOrLocalPasswd # If password authentication through Kerberos fails then the pass- # word will be validated via any additional local mechanism such as # /etc/passwd. The default is ``yes''. # KerberosOrLocalPasswd yes # KerberosTicketCleanup # Specifies whether to automatically destroy the user's ticket # cache file on logout. The default is ``yes''. # KerberosTicketCleanup yes # KeyRegenerationInterval # In protocol version 1, the ephemeral server key is automatically # regenerated after this many seconds (if it has been used). The # purpose of regeneration is to prevent decrypting captured ses- # sions by later breaking into the machine and stealing the keys. # The key is never stored anywhere. If the value is 0, the key is # never regenerated. The default is 3600 (seconds). # KeyRegenerationInterval 3600 # ListenAddress -DISABLED- # Specifies the local addresses sshd(8) should listen on. The fol- # lowing forms may be used: # # ListenAddress host|IPv4_addr|IPv6_addr # ListenAddress host|IPv4_addr:port # ListenAddress [host|IPv6_addr]:port # # If port is not specified, sshd will listen on the address and all # prior Port options specified. The default is to listen on all # local addresses. Multiple ListenAddress options are permitted. # Additionally, any Port options must precede this option for non- # port qualified addresses. # ListenAddress # LoginGraceTime # The server disconnects after this time if the user has not suc- # cessfully logged in. If the value is 0, there is no time limit. # The default is 120 seconds. # LoginGraceTime 120 # LogLevel # Gives the verbosity level that is used when logging messages from # sshd(8). The possible values are: QUIET, FATAL, ERROR, INFO, # VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. # DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify # higher levels of debugging output. Logging with a DEBUG level # violates the privacy of users and is not recommended. # LogLevel INFO # MACs Specifies the available MAC (message authentication code) algo- # rithms. The MAC algorithm is used in protocol version 2 for data # integrity protection. Multiple algorithms must be comma-separat- # ed. The default is: # # hmac-md5,hmac-sha1,umac-64@openssh.com, # hmac-ripemd160,hmac-sha1-96,hmac-md5-96 # MACs hmac-md5,hmac-sha1,umac-64@openssh.com, # hmac-ripemd160,hmac-sha1-96,hmac-md5-96 # Match Introduces a conditional block. If all of the criteria on the # Match line are satisfied, the keywords on the following lines # override those set in the global section of the config file, un- # til either another Match line or the end of the file. The argu- # ments to Match are one or more criteria-pattern pairs. The # available criteria are User, Group, Host, and Address. Only a # subset of keywords may be used on the lines following a Match # keyword. Available keywords are AllowTcpForwarding, Banner, # ForceCommand, GatewayPorts, GSSApiAuthentication, # KbdInteractiveAuthentication, KerberosAuthentication, # PasswordAuthentication, PermitOpen, RhostsRSAAuthentication, # RSAAuthentication, X11DisplayOffset, X11Forwarding, and # X11UseLocalHost. # Match # MaxAuthTries # Specifies the maximum number of authentication attempts permitted # per connection. Once the number of failures reaches half this # value, additional failures are logged. The default is 6. # MaxAuthTries 6 # MaxStartups # Specifies the maximum number of concurrent unauthenticated con- # nections to the SSH daemon. Additional connections will be # dropped until authentication succeeds or the LoginGraceTime ex- # pires for a connection. The default is 10. # # Alternatively, random early drop can be enabled by specifying the # three colon separated values ``start:rate:full'' (e.g. # "10:30:60"). sshd(8) will refuse connection attempts with a # probability of ``rate/100'' (30%) if there are currently # ``start'' (10) unauthenticated connections. The probability in- # creases linearly and all connection attempts are refused if the # number of unauthenticated connections reaches ``full'' (60). # MaxStartups 10 # PasswordAuthentication # Specifies whether password authentication is allowed. The de- # fault is ``yes''. # PermitEmptyPasswords # When password authentication is allowed, it specifies whether the # server allows login to accounts with empty password strings. The # default is ``no''. # PermitOpen -DISABLED- # Specifies the destinations to which TCP port forwarding is per- # mitted. The forwarding specification must be one of the follow- # ing forms: # # PermitOpen host:port # PermitOpen IPv4_addr:port # PermitOpen [IPv6_addr]:port # # Multiple forwards may be specified by separating them with # whitespace. An argument of ``any'' can be used to remove all re- # strictions and permit any forwarding requests. By default all # port forwarding requests are permitted. # PermitOpen # PermitRootLogin # Specifies whether root can log in using ssh(1). The argument # must be ``yes'', ``without-password'', ``forced-commands-only'', # or ``no''. The default is ``yes''. # # If this option is set to ``without-password'', password authenti- # cation is disabled for root. # # If this option is set to ``forced-commands-only'', root login # with public key authentication will be allowed, but only if the # command option has been specified (which may be useful for taking # remote backups even if root login is normally not allowed). All # other authentication methods are disabled for root. # # If this option is set to ``no'', root is not allowed to log in. # PermitTunnel # Specifies whether tun(4) device forwarding is allowed. The argu- # ment must be ``yes'', ``point-to-point'' (layer 3), ``ethernet'' # (layer 2), or ``no''. Specifying ``yes'' permits both ``point- # to-point'' and ``ethernet''. The default is ``no''. # PermitTunnel no # PermitUserEnvironment # Specifies whether ~/.ssh/environment and environment= options in # ~/.ssh/authorized_keys are processed by sshd(8). The default is # ``no''. Enabling environment processing may enable users to by- # pass access restrictions in some configurations using mechanisms # such as LD_PRELOAD. # PermitUserEnvironment no # PidFile -DISABLED- # Specifies the file that contains the process ID of the SSH dae- # mon. The default is /var/run/sshd.pid. # PidFile # Port Specifies the port number that sshd(8) listens on. The default # is 22. Multiple options of this type are permitted. See also # ListenAddress. # Port 22 # PrintLastLog # Specifies whether sshd(8) should print the date and time of the # last user login when a user logs in interactively. The default # is ``yes''. # PrintLastLog yes # PrintMotd # Specifies whether sshd(8) should print /etc/motd when a user logs # in interactively. (On some systems it is also printed by the # shell, /etc/profile, or equivalent.) The default is ``yes''. # PrintMotd yes # Protocol # Specifies the protocol versions sshd(8) supports. The possible # values are `1' and `2'. Multiple versions must be comma-separat- # ed. The default is ``2,1''. Note that the order of the protocol # list does not indicate preference, because the client selects # among multiple protocol versions offered by the server. Specify- # ing ``2,1'' is identical to ``1,2''. # PubkeyAuthentication # Specifies whether public key authentication is allowed. The de- # fault is ``yes''. Note that this option applies to protocol ver- # sion 2 only. # PubkeyAuthentication yes # RhostsRSAAuthentication # Specifies whether rhosts or /etc/hosts.equiv authentication to- # gether with successful RSA host authentication is allowed. The # default is ``no''. This option applies to protocol version 1 on- # ly. # RhostsRSAAuthentication no # RSAAuthentication # Specifies whether pure RSA authentication is allowed. The de- # fault is ``yes''. This option applies to protocol version 1 on- # ly. # ServerKeyBits # Defines the number of bits in the ephemeral protocol version 1 # server key. The minimum value is 512, and the default is 768. # ServerKeyBits 768 # StrictModes # Specifies whether sshd(8) should check file modes and ownership # of the user's files and home directory before accepting login. # This is normally desirable because novices sometimes accidentally # leave their directory or files world-writable. The default is # ``yes''. # StrictModes yes # Subsystem # Configures an external subsystem (e.g. file transfer daemon). # Arguments should be a subsystem name and a command (with optional # arguments) to execute upon subsystem request. The command # sftp-server(8) implements the ``sftp'' file transfer subsystem. # By default no subsystems are defined. Note that this option ap- # plies to protocol version 2 only. # SyslogFacility # Gives the facility code that is used when logging messages from # sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0, # LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The de- # fault is AUTH. # TCPKeepAlive # Specifies whether the system should send TCP keepalive messages # to the other side. If they are sent, death of the connection or # crash of one of the machines will be properly noticed. However, # this means that connections will die if the route is down tem- # porarily, and some people find it annoying. On the other hand, # if TCP keepalives are not sent, sessions may hang indefinitely on # the server, leaving ``ghost'' users and consuming server re- # sources. # # The default is ``yes'' (to send TCP keepalive messages), and the # server will notice if the network goes down or the client host # crashes. This avoids infinitely hanging sessions. # # To disable TCP keepalive messages, the value should be set to # ``no''. # TCPKeepAlive yes # UseDNS Specifies whether sshd(8) should look up the remote host name and # check that the resolved host name for the remote IP address maps # back to the very same IP address. The default is ``yes''. # UseDNS yes # UseLogin # Specifies whether login(1) is used for interactive login ses- # sions. The default is ``no''. Note that login(1) is never used # for remote command execution. Note also, that if this is en- # abled, X11Forwarding will be disabled because login(1) does not # know how to handle xauth(1) cookies. If UsePrivilegeSeparation # is specified, it will be disabled after authentication. # UseLogin no # UsePrivilegeSeparation # Specifies whether sshd(8) separates privileges by creating an un- # privileged child process to deal with incoming network traffic. # After successful authentication, another process will be created # that has the privilege of the authenticated user. The goal of # privilege separation is to prevent privilege escalation by con- # taining any corruption within the unprivileged processes. The # default is ``yes''. # UsePrivilegeSeparation yes # X11DisplayOffset # Specifies the first display number available for sshd(8)'s X11 # forwarding. This prevents sshd from interfering with real X11 # servers. The default is 10. # X11DisplayOffset 10 # X11Forwarding # Specifies whether X11 forwarding is permitted. The argument must # be ``yes'' or ``no''. The default is ``no''. # # When X11 forwarding is enabled, there may be additional exposure # to the server and to client displays if the sshd(8) proxy display # is configured to listen on the wildcard address (see # X11UseLocalhost below), though this is not the default. Addi- # tionally, the authentication spoofing and authentication data # verification and substitution occur on the client side. The se- # curity risk of using X11 forwarding is that the client's X11 dis- # play server may be exposed to attack when the SSH client requests # forwarding (see the warnings for ForwardX11 in ssh_config(5)). A # system administrator may have a stance in which they want to pro- # tect clients that may expose themselves to attack by unwittingly # requesting X11 forwarding, which can warrant a ``no'' setting. # # Note that disabling X11 forwarding does not prevent users from # forwarding X11 traffic, as users can always install their own # forwarders. X11 forwarding is automatically disabled if UseLogin # is enabled. # X11UseLocalhost # Specifies whether sshd(8) should bind the X11 forwarding server # to the loopback address or to the wildcard address. By default, # sshd binds the forwarding server to the loopback address and sets # the hostname part of the DISPLAY environment variable to # ``localhost''. This prevents remote hosts from connecting to the # proxy display. However, some older X11 clients may not function # with this configuration. X11UseLocalhost may be set to ``no'' to # specify that the forwarding server should be bound to the wild- # card address. The argument must be ``yes'' or ``no''. The de- # fault is ``yes''. # X11UseLocalhost yes # XAuthLocation -DISABLED- # Specifies the full pathname of the xauth(1) program. The default # is /usr/X11R6/bin/xauth. # XAuthLocation # UsePAM no # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication mechanism. # Depending on your PAM configuration, this may bypass the setting of # PasswordAuthentication, PermitEmptyPasswords, and # "PermitRootLogin without-password". If you just want the PAM account and # session checks to run without PAM authentication, then enable this but set # ChallengeResponseAuthentication=no
Optionen die dem Standard entsprechen sind auskommentiert. Optionen die explizit gesetzt werden müssen, oder nicht dem Standard entsprechen, sind über den Erklärungen zu den Optionen in alphabetischer Reihenfolge innerhalb der Konfigurationsdatei am Anfang angegeben.
Konfiguration SSH-Client
# $OpenBSD: ssh_config,v 1.25 2009/02/17 01:28:32 djm Exp $ # This is the ssh client system-wide configuration file. See # ssh_config(5) for more information. This file provides defaults for # users, and the values can be changed in per-user configuration files # or on the command line. # Configuration data is parsed as follows: # 1. command line options # 2. user-specific file # 3. system-wide file # Any configuration value is only changed the first time it is set. # Thus, host-specific definitions should be at the beginning of the # configuration file, and defaults at the end. # Site-wide defaults for some commonly used options. For a comprehensive # list of available options, their meanings and defaults, please see the # ssh_config(5) man page. Host * ForwardX11Trusted yes GSSAPIAuthentication no SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE SendEnv XMODIFIERS # Host Restricts the following declarations (up to the next Host key- # word) to be only for those hosts that match one of the patterns # given after the keyword. A single `*' as a pattern can be used # to provide global defaults for all hosts. The host is the # hostname argument given on the command line (i.e. the name is not # converted to a canonicalized host name before matching). # # See PATTERNS for more information on patterns. # AddressFamily # Specifies which address family to use when connecting. Valid ar- # guments are ``any'', ``inet'' (use IPv4 only), or ``inet6'' (use # IPv6 only). # AddressFamily any # BatchMode # If set to ``yes'', passphrase/password querying will be disabled. # This option is useful in scripts and other batch jobs where no # user is present to supply the password. The argument must be # ``yes'' or ``no''. The default is ``no''. # BatchMode no # BindAddress # Use the specified address on the local machine as the source ad- # dress of the connection. Only useful on systems with more than # one address. Note that this option does not work if # UsePrivilegedPort is set to ``yes''. # BindAddress 192.168.0.117 # ChallengeResponseAuthentication # Specifies whether to use challenge-response authentication. The # argument to this keyword must be ``yes'' or ``no''. The default # is ``yes''. # ChallengeResponseAuthentication yes # CheckHostIP # If this flag is set to ``yes'', ssh(1) will additionally check # the host IP address in the known_hosts file. This allows ssh to # detect if a host key changed due to DNS spoofing. If the option # is set to ``no'', the check will not be executed. The default is # ``yes''. # CheckHostIP yes # Cipher Specifies the cipher to use for encrypting the session in proto- # col version 1. Currently, ``blowfish'', ``3des'', and ``des'' # are supported. des is only supported in the ssh(1) client for # interoperability with legacy protocol 1 implementations that do # not support the 3des cipher. Its use is strongly discouraged due # to cryptographic weaknesses. The default is ``3des''. # Cipher 3des # Ciphers # Specifies the ciphers allowed for protocol version 2 in order of # preference. Multiple ciphers must be comma-separated. The sup- # ported ciphers are ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', # ``aes256-cbc'', ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'', # ``arcfour128'', ``arcfour256'', ``arcfour'', ``blowfish-cbc'', # and ``cast128-cbc''. The default is: # # aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, # arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, # aes192-ctr,aes256-ctr # # Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, # arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr, # aes192-ctr,aes256-ctr # ClearAllForwardings # Specifies that all local, remote, and dynamic port forwardings # specified in the configuration files or on the command line be # cleared. This option is primarily useful when used from the # ssh(1) command line to clear port forwardings set in configura- # tion files, and is automatically set by scp(1) and sftp(1). The # argument must be ``yes'' or ``no''. The default is ``no''. # ClearAllForwardings no # Compression # Specifies whether to use compression. The argument must be # ``yes'' or ``no''. The default is ``no''. # Compression yes # CompressionLevel # Specifies the compression level to use if compression is enabled. # The argument must be an integer from 1 (fast) to 9 (slow, best). # The default level is 6, which is good for most applications. The # meaning of the values is the same as in gzip(1). Note that this # option applies to protocol version 1 only. # CompressionLevel 6 # ConnectionAttempts # Specifies the number of tries (one per second) to make before ex- # iting. The argument must be an integer. This may be useful in # scripts if the connection sometimes fails. The default is 1. # ConnectionAttempts 1 # ConnectTimeout # Specifies the timeout (in seconds) used when connecting to the # SSH server, instead of using the default system TCP timeout. # This value is used only when the target is down or really un- # reachable, not when it refuses the connection. # ConnectTimeout 0 # ControlMaster # Enables the sharing of multiple sessions over a single network # connection. When set to ``yes'', ssh(1) will listen for connec- # tions on a control socket specified using the ControlPath argu- # ment. Additional sessions can connect to this socket using the # same ControlPath with ControlMaster set to ``no'' (the default). # These sessions will try to reuse the master instance's network # connection rather than initiating new ones, but will fall back to # connecting normally if the control socket does not exist, or is # not listening. # # Setting this to ``ask'' will cause ssh to listen for control con- # nections, but require confirmation using the SSH_ASKPASS program # before they are accepted (see ssh-add(1) for details). If the # ControlPath cannot be opened, ssh will continue without connect- # ing to a master instance. # # X11 and ssh-agent(1) forwarding is supported over these multi- # plexed connections, however the display and agent forwarded will # be the one belonging to the master connection i.e. it is not pos- # sible to forward multiple displays or agents. # # Two additional options allow for opportunistic multiplexing: try # to use a master connection but fall back to creating a new one if # one does not already exist. These options are: ``auto'' and # ``autoask''. The latter requires confirmation like the ``ask'' # option. # ControlMaster no # ControlPath # Specify the path to the control socket used for connection shar- # ing as described in the ControlMaster section above or the string # ``none'' to disable connection sharing. In the path, `%l' will # be substituted by the local host name, `%h' will be substituted # by the target host name, `%p' the port, and `%r' by the remote # login username. It is recommended that any ControlPath used for # opportunistic connection sharing include at least %h, %p, and %r. # This ensures that shared connections are uniquely identified. # ControlPath none # DynamicForward -DISABLED- # Specifies that a TCP port on the local machine be forwarded over # the secure channel, and the application protocol is then used to # determine where to connect to from the remote machine. # # The argument must be [bind_address:]port. IPv6 addresses can be # specified by enclosing addresses in square brackets or by using # an alternative syntax: [bind_address/]port. By default, the lo- # cal port is bound in accordance with the GatewayPorts setting. # However, an explicit bind_address may be used to bind the connec- # tion to a specific address. The bind_address of ``localhost'' # indicates that the listening port be bound for local use only, # while an empty address or `*' indicates that the port should be # available from all interfaces. # # Currently the SOCKS4 and SOCKS5 protocols are supported, and # ssh(1) will act as a SOCKS server. Multiple forwardings may be # specified, and additional forwardings can be given on the command # line. Only the superuser can forward privileged ports. # DynamicForward # EnableSSHKeysign # Setting this option to ``yes'' in the global client configuration # file /etc/ssh/ssh_config enables the use of the helper program # ssh-keysign(8) during HostbasedAuthentication. The argument must # be ``yes'' or ``no''. The default is ``no''. This option should # be placed in the non-hostspecific section. See ssh-keysign(8) # for more information. # EnableSSHKeysign no # EscapeChar # Sets the escape character (default: `~'). The escape character # can also be set on the command line. The argument should be a # single character, `^' followed by a letter, or ``none'' to dis- # able the escape character entirely (making the connection trans- # parent for binary data). # EscapeChar ~ # ExitOnForwardFailure # Specifies whether ssh(1) should terminate the connection if it # cannot set up all requested dynamic, tunnel, local, and remote # port forwardings. The argument must be ``yes'' or ``no''. The # default is ``no''. # ExitOnForwardFailure no # ForwardAgent # Specifies whether the connection to the authentication agent (if # any) will be forwarded to the remote machine. The argument must # be ``yes'' or ``no''. The default is ``no''. # # Agent forwarding should be enabled with caution. Users with the # ability to bypass file permissions on the remote host (for the # agent's Unix-domain socket) can access the local agent through # the forwarded connection. An attacker cannot obtain key material # from the agent, however they can perform operations on the keys # that enable them to authenticate using the identities loaded into # the agent. # ForwardAgent no # ForwardX11 # Specifies whether X11 connections will be automatically redirect- # ed over the secure channel and DISPLAY set. The argument must be # ``yes'' or ``no''. The default is ``no''. # # X11 forwarding should be enabled with caution. Users with the # ability to bypass file permissions on the remote host (for the # user's X11 authorization database) can access the local X11 dis- # play through the forwarded connection. An attacker may then be # able to perform activities such as keystroke monitoring if the # ForwardX11Trusted option is also enabled # ForwardX11 no # ForwardX11Trusted # If this option is set to ``yes'', remote X11 clients will have # full access to the original X11 display. # # If this option is set to ``no'', remote X11 clients will be con- # sidered untrusted and prevented from stealing or tampering with # data belonging to trusted X11 clients. Furthermore, the xauth(1) # token used for the session will be set to expire after 20 min- # utes. Remote clients will be refused access after this time. # # The default is ``no''. # # See the X11 SECURITY extension specification for full details on # the restrictions imposed on untrusted clients. # GatewayPorts # Specifies whether remote hosts are allowed to connect to local # forwarded ports. By default, ssh(1) binds local port forwardings # to the loopback address. This prevents other remote hosts from # connecting to forwarded ports. GatewayPorts can be used to spec- # ify that ssh should bind local port forwardings to the wildcard # address, thus allowing remote hosts to connect to forwarded # ports. The argument must be ``yes'' or ``no''. The default is # ``no''. # GatewayPorts no # GlobalKnownHostsFile -DISABLED- # Specifies a file to use for the global host key database instead # of /etc/ssh/ssh_known_hosts. # GlobalKnownHostsFile # GSSAPIAuthentication # Specifies whether user authentication based on GSSAPI is allowed. # The default is ``no''. Note that this option applies to protocol # version 2 only. # GSSAPIDelegateCredentials # Forward (delegate) credentials to the server. The default is # ``no''. Note that this option applies to protocol version 2 on- # ly. # GSSAPIDelegateCredentials no # HashKnownHosts # Indicates that ssh(1) should hash host names and addresses when # they are added to ~/.ssh/known_hosts. These hashed names may be # used normally by ssh(1) and sshd(8), but they do not reveal iden- # tifying information should the file's contents be disclosed. The # default is ``no''. Note that existing names and addresses in # known hosts files will not be converted automatically, but may be # manually hashed using ssh-keygen(1). # HashKnownHosts no # HostbasedAuthentication # Specifies whether to try rhosts based authentication with public # key authentication. The argument must be ``yes'' or ``no''. The # default is ``no''. This option applies to protocol version 2 on- # ly and is similar to RhostsRSAAuthentication. # HostbasedAuthentication no # HostKeyAlgorithms # Specifies the protocol version 2 host key algorithms that the # client wants to use in order of preference. The default for this # option is: ``ssh-rsa,ssh-dss''. # HostKeyAlgorithms ssh-rsa,ssh-dss # HostKeyAlias -DISABLED- # Specifies an alias that should be used instead of the real host # name when looking up or saving the host key in the host key # database files. This option is useful for tunneling SSH connec- # tions or for multiple servers running on a single host. # HostKeyAlias # HostName -DISABLED- # Specifies the real host name to log into. This can be used to # specify nicknames or abbreviations for hosts. The default is the # name given on the command line. Numeric IP addresses are also # permitted (both on the command line and in HostName specifica- # tions). # HostName # IdentityFile # Specifies a file from which the user's RSA or DSA authentication # identity is read. The default is ~/.ssh/identity for protocol # version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol ver- # sion 2. Additionally, any identities represented by the authen- # tication agent will be used for authentication. # # The file name may use the tilde syntax to refer to a user's home # directory or one of the following escape characters: `%d' (local # user's home directory), `%u' (local user name), `%l' (local host # name), `%h' (remote host name) or `%r' (remote user name). # # It is possible to have multiple identity files specified in con- # figuration files; all these identities will be tried in sequence. # IdentityFile ~/.ssh/id_rsa # IdentitiesOnly # Specifies that ssh(1) should only use the authentication identity # files configured in the ssh_config files, even if ssh-agent(1) # offers more identities. The argument to this keyword must be # ``yes'' or ``no''. This option is intended for situations where # ssh-agent offers many different identities. The default is # ``no''. # IdentitiesOnly no # KbdInteractiveDevices -DISABLED- # Specifies the list of methods to use in keyboard-interactive au- # thentication. Multiple method names must be comma-separated. # The default is to use the server specified list. The methods # available vary depending on what the server supports. For an # OpenSSH server, it may be zero or more of: ``bsdauth'', ``pam'', # and ``skey''. # KbdInteractiveDevices # LocalCommand -DISABLED- # Specifies a command to execute on the local machine after suc- # cessfully connecting to the server. The command string extends # to the end of the line, and is executed with /bin/sh. This di- # rective is ignored unless PermitLocalCommand has been enabled. # LocalCommand # LocalForward -DISABLED- # Specifies that a TCP port on the local machine be forwarded over # the secure channel to the specified host and port from the remote # machine. The first argument must be [bind_address:]port and the # second argument must be host:hostport. IPv6 addresses can be # specified by enclosing addresses in square brackets or by using # an alternative syntax: [bind_address/]port and host/hostport. # Multiple forwardings may be specified, and additional forwardings # can be given on the command line. Only the superuser can forward # privileged ports. By default, the local port is bound in accor- # dance with the GatewayPorts setting. However, an explicit # bind_address may be used to bind the connection to a specific ad- # dress. The bind_address of ``localhost'' indicates that the lis- # tening port be bound for local use only, while an empty address # or `*' indicates that the port should be available from all in- # terfaces. # LocalForward # LogLevel # Gives the verbosity level that is used when logging messages from # ssh(1). The possible values are: QUIET, FATAL, ERROR, INFO, VER- # BOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. # DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify # higher levels of verbose output. # LogLevel INFO # MACs Specifies the MAC (message authentication code) algorithms in or- # der of preference. The MAC algorithm is used in protocol version # 2 for data integrity protection. Multiple algorithms must be # comma-separated. The default is: # # hmac-md5,hmac-sha1,umac-64@openssh.com, # hmac-ripemd160,hmac-sha1-96,hmac-md5-96 # MACs hmac-md5,hmac-sha1,umac-64@openssh.com, # hmac-ripemd160,hmac-sha1-96,hmac-md5-96 # NoHostAuthenticationForLocalhost # This option can be used if the home directory is shared across # machines. In this case localhost will refer to a different ma- # chine on each of the machines and the user will get many warnings # about changed host keys. However, this option disables host au- # thentication for localhost. The argument to this keyword must be # ``yes'' or ``no''. The default is to check the host key for lo- # calhost. # NoHostAuthenticationForLocalhost no # NumberOfPasswordPrompts # Specifies the number of password prompts before giving up. The # argument to this keyword must be an integer. The default is 3. # NumberOfPasswordPrompts 3 # PasswordAuthentication # Specifies whether to use password authentication. The argument # to this keyword must be ``yes'' or ``no''. The default is # ``yes''. # PasswordAuthentication no # PermitLocalCommand # Allow local command execution via the LocalCommand option or us- # ing the !command escape sequence in ssh(1). The argument must be # ``yes'' or ``no''. The default is ``no''. # PermitLocalCommand no # Port Specifies the port number to connect on the remote host. The de- # fault is 22. # Port 22 # PreferredAuthentications # Specifies the order in which the client should try protocol 2 au- # thentication methods. This allows a client to prefer one method # (e.g. keyboard-interactive) over another method (e.g. password) # The default for this option is: ``gssapi-with-mic,hostbased, # publickey, keyboard-interactive, password''. # PreferredAuthentications gssapi-with-mic,hostbased,publickey, # keyboard-interactive,password # Protocol # Specifies the protocol versions ssh(1) should support in order of # preference. The possible values are `1' and `2'. Multiple ver- # sions must be comma-separated. The default is ``2,1''. This # means that ssh tries version 2 and falls back to version 1 if # version 2 is not available. # Protocol 2 # ProxyCommand -DISABLED- # Specifies the command to use to connect to the server. The com- # mand string extends to the end of the line, and is executed with # /bin/sh. In the command string, `%h' will be substituted by the # host name to connect and `%p' by the port. The command can be # basically anything, and should read from its standard input and # write to its standard output. It should eventually connect an # sshd(8) server running on some machine, or execute sshd -i some- # where. Host key management will be done using the HostName of # the host being connected (defaulting to the name typed by the us- # er). Setting the command to ``none'' disables this option en- # tirely. Note that CheckHostIP is not available for connects with # a proxy command. # # This directive is useful in conjunction with nc(1) and its proxy # support. For example, the following directive would connect via # an HTTP proxy at 192.0.2.0: # # ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p # ProxyCommand # PubkeyAuthentication # Specifies whether to try public key authentication. The argument # to this keyword must be ``yes'' or ``no''. The default is # ``yes''. This option applies to protocol version 2 only. # PubkeyAuthentication yes # RekeyLimit # Specifies the maximum amount of data that may be transmitted be- # fore the session key is renegotiated. The argument is the number # of bytes, with an optional suffix of `K', `M', or `G' to indicate # Kilobytes, Megabytes, or Gigabytes, respectively. The default is # between `1G' and `4G', depending on the cipher. This option ap- # plies to protocol version 2 only. # RekeyLimit 1G # RemoteForward -DISABLED- # Specifies that a TCP port on the remote machine be forwarded over # the secure channel to the specified host and port from the local # machine. The first argument must be [bind_address:]port and the # second argument must be host:hostport. IPv6 addresses can be # specified by enclosing addresses in square brackets or by using # an alternative syntax: [bind_address/]port and host/hostport. # Multiple forwardings may be specified, and additional forwardings # can be given on the command line. Only the superuser can forward # privileged ports. # # If the bind_address is not specified, the default is to only bind # to loopback addresses. If the bind_address is `*' or an empty # string, then the forwarding is requested to listen on all inter- # faces. Specifying a remote bind_address will only succeed if the # server's GatewayPorts option is enabled (see sshd_config(5)) # RemoteForward # RhostsRSAAuthentication # Specifies whether to try rhosts based authentication with RSA # host authentication. The argument must be ``yes'' or ``no''. # The default is ``no''. This option applies to protocol version 1 # only and requires ssh(1) to be setuid root. # RhostsRSAAuthentication no # RSAAuthentication # Specifies whether to try RSA authentication. The argument to # this keyword must be ``yes'' or ``no''. RSA authentication will # only be attempted if the identity file exists, or an authentica- # tion agent is running. The default is ``yes''. Note that this # option applies to protocol version 1 only. # RSAAuthentication yes # SendEnv # Specifies what variables from the local environ(7) should be sent # to the server. Note that environment passing is only supported # for protocol 2. The server must also support it, and the server # must be configured to accept these environment variables. Refer # to AcceptEnv in sshd_config(5) for how to configure the server. # Variables are specified by name, which may contain wildcard char- # acters. Multiple environment variables may be separated by # whitespace or spread across multiple SendEnv directives. The de- # fault is not to send any environment variables. # # See PATTERNS for more information on patterns. # ServerAliveCountMax # Sets the number of server alive messages (see below) which may be # sent without ssh(1) receiving any messages back from the server. # If this threshold is reached while server alive messages are be- # ing sent, ssh will disconnect from the server, terminating the # session. It is important to note that the use of server alive # messages is very different from TCPKeepAlive (below). The server # alive messages are sent through the encrypted channel and there- # fore will not be spoofable. The TCP keepalive option enabled by # TCPKeepAlive is spoofable. The server alive mechanism is valu- # able when the client or server depend on knowing when a connec- # tion has become inactive. # # The default value is 3. If, for example, ServerAliveInterval # (see below) is set to 15 and ServerAliveCountMax is left at the # default, if the server becomes unresponsive, ssh will disconnect # after approximately 45 seconds. This option applies to protocol # version 2 only # ServerAliveCountMax 3 # ServerAliveInterval # Sets a timeout interval in seconds after which if no data has # been received from the server, ssh(1) will send a message through # the encrypted channel to request a response from the server. The # default is 0, indicating that these messages will not be sent to # the server. This option applies to protocol version 2 only. # ServerAliveInterval 0 # SmartcardDevice -DISABLED- # Specifies which smartcard device to use. The argument to this # keyword is the device ssh(1) should use to communicate with a # smartcard used for storing the user's private RSA key. By de- # fault, no device is specified and smartcard support is not acti- # vated. # SmartcardDevice # StrictHostKeyChecking # If this flag is set to ``yes'', ssh(1) will never automatically # add host keys to the ~/.ssh/known_hosts file, and refuses to con- # nect to hosts whose host key has changed. This provides maximum # protection against trojan horse attacks, though it can be annoy- # ing when the /etc/ssh/ssh_known_hosts file is poorly maintained # or when connections to new hosts are frequently made. This op- # tion forces the user to manually add all new hosts. If this flag # is set to ``no'', ssh will automatically add new host keys to the # user known hosts files. If this flag is set to ``ask'', new host # keys will be added to the user known host files only after the # user has confirmed that is what they really want to do, and ssh # will refuse to connect to hosts whose host key has changed. The # host keys of known hosts will be verified automatically in all # cases. The argument must be ``yes'', ``no'', or ``ask''. The # default is ``ask''. # StrictHostKeyChecking ask # TCPKeepAlive # Specifies whether the system should send TCP keepalive messages # to the other side. If they are sent, death of the connection or # crash of one of the machines will be properly noticed. However, # this means that connections will die if the route is down tem- # porarily, and some people find it annoying. # # The default is ``yes'' (to send TCP keepalive messages), and the # client will notice if the network goes down or the remote host # dies. This is important in scripts, and many users want it too. # # To disable TCP keepalive messages, the value should be set to # ``no'' # TCPKeepAlive yes # Tunnel Request tun(4) device forwarding between the client and the serv- # er. The argument must be ``yes'', ``point-to-point'' (layer 3), # ``ethernet'' (layer 2), or ``no''. Specifying ``yes'' requests # the default tunnel mode, which is ``point-to-point''. The de- # fault is ``no''. # Tunnel no # TunnelDevice # Specifies the tun(4) devices to open on the client (local_tun) # and the server (remote_tun). # # The argument must be local_tun[:remote_tun]. The devices may be # specified by numerical ID or the keyword ``any'', which uses the # next available tunnel device. If remote_tun is not specified, it # defaults to ``any''. The default is ``any:any''. # TunnelDevice any:any # UsePrivilegedPort # Specifies whether to use a privileged port for outgoing connec- # tions. The argument must be ``yes'' or ``no''. The default is # ``no''. If set to ``yes'', ssh(1) must be setuid root. Note # that this option must be set to ``yes'' for # RhostsRSAAuthentication with older servers. # UsePrivilegedPort no # User Specifies the user to log in as. This can be useful when a dif- # ferent user name is used on different machines. This saves the # trouble of having to remember to give the user name on the com- # mand line. # User # UserKnownHostsFile -DISABLED- # Specifies a file to use for the user host key database instead of # ~/.ssh/known_hosts. # UserKnownHostsFile # VerifyHostKeyDNS # Specifies whether to verify the remote key using DNS and SSHFP # resource records. If this option is set to ``yes'', the client # will implicitly trust keys that match a secure fingerprint from # DNS. Insecure fingerprints will be handled as if this option was # set to ``ask''. If this option is set to ``ask'', information on # fingerprint match will be displayed, but the user will still need # to confirm new host keys according to the StrictHostKeyChecking # option. The argument must be ``yes'', ``no'', or ``ask''. The # default is ``no''. Note that this option applies to protocol # version 2 only. # # See also VERIFYING HOST KEYS in ssh(1). # VerifyHostKeyDNS no # XAuthLocation -DISABLED- # Specifies the full pathname of the xauth(1) program. The default # is /usr/X11R6/bin/xauth. # XAuthLocation
Optionen die dem Standard entsprechen sind auskommentiert. Optionen die explizit gesetzt werden müssen, oder nicht dem Standard entsprechen, sind über den Erklärungen zu den Optionen in alphabetischer Reihenfolge innerhalb der Konfigurationsdatei am Anfang angegeben.
Starten des SSH-Daemons
Um die einzelnen Verbindungsmöglichkeiten der SSH-Verbindungssuite nutzen zu können, muss der Dienst (Daemon) sshd gestartet sein. Dies kann wie gewohnt mit folgendem Befehl überprüft werden:
# /sbin/service sshd status
Falls der Dienst (Daemon) sshd nicht gestartete sein sollte, wird dieser über die Einagbe des folgenden Befehls gestartet:
# /sbin/service sshd start
Um den Dienst (Daemon) sshd automatisch bei jedem Systemstart zu starten, kann die Einrichtung eines Start-Scriptes über folgenden Befehl erreicht werden:
# chkconfig sshd on
Ein Überprüfung ob der Dienst (Daemon) sshd wirklich bei jedem Systemstart automatisch mit gestartet wird, kann durch folgenden Befehl erreicht werden:
# chkconfig --list | grep sshd
wodurch in etwa folgende Ausgabe erfolgen sollte:
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
Wichtig ist hier, der Schalter on bei den Runleveln - 2 3 4 5.
Aufruf des SSH-Clients
Der SSH-Client ssh ist das Programm mit dem eine Verbindung zu einem entfernten Rechner aufgebaut werden kann. Es wird eine shell auf dem entfernten Rechner geöffnet, so als ob direkt an diesem Rechner gearbeitet werden würde. Es gibt verschiedene Möglichkeiten der Anmeldung und auch der Authentifizierung.
Passwortgesicherte Authentifizierung
Standardmässig nach erfolgreicher und vorkonfigurierter Installation (meist durch den Linux-Distributor) kann die Nutzung von SSH durch eine „passwortgesicherte Authentifikation“ ohne zusätzlichen Konfigurationsaufwand genutzt werden.
Beispiele:
# ssh 192.168.0.2 # ssh username@192.168.0.2 # ssh -l username 192.168.0.2
Im der ersten Zeile erolgt der Zugriff auf den Rechner mit der IP-Adresse 192.168.0.2 unter Verwendung des Benutzer mit dem Namen, mit dem er gerade auf dem lokalen Rechner angemeldet ist. Die Zeile zwei und drei sind in der Konsequenz des Aufrufs indetisch. Hier wird der Zugriff auf den Rechner mit der IP-Adresse 192.168.0.2 unter Verwendung des Benutzer username versucht.
Erstmalige Verbindung
Bei dem ersten Verbindungsaufbau zu einem entfernten Rechner, ist dem lokalen Rechner der entferte Rechner noch nicht bekannt. Dieser Zustand führt bei entsprechender Konfiguration in der Konfigurationsdatei ssh_config durch den Parameter
StrictHostKeyChecking ask
mögliche Einstellungen für den Parameter StrictHostKeyChecking sind
yes–> Identität immer übeprüfenno–> Identität nie überprüfenask–> Identität bestätigen (Standardeinstellung)
zu folgender Nachfrage
$ ssh username@192.168.0.2 The authenticity of host '192.168.0.2 (192.168.0.2) can't be established. RSA key fingerprint is a5:45:b4:60:45:33:b7:35:a5:45:f5:45:ac:dc:b7:22. Are you sure you want to continue connecting (yes/no)?
Der „fingerprint“ des entfernten Rechners könnte am entfernten Rechner mit folgendem Befehl überprüft werden
# ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
welcher eine Ausgabe in etwa wie diese erzeugen sollte
2048 a5:45:b4:60:45:33:b7:35:a5:45:f5:45:ac:dc:b7:22 /etc/ssh/ssh_host_rsa_key.pub
Weitere Möglichkeiten der Überprüfung sind mit folgendem Befehl in der Hilfeseite (man-Page) nachzulesen
# man ssh
Die Nachfrage (falls Ihnen der Rechner bekannt sein sollte und Sie dem „fingerprint“ vertrauen) kann mit yes beantwortet werden, was folgende Ausgabe
# Warning: Permanently added '192.168.0.2' (RSA) to the list of known hosts.
und Konsequenz zur Folge hat.
Der öffentliche Schlüssel des entfernten Rechners wird zum (falls nicht vorhanden) neuen Verzeichnis und zur (falls nicht vorhandenen) neuen Datei
~/.ssh/known-hosts
hinzugefügt.
Falls sich der Schlüssel des entfernten Rechners ändern sollte, muss dieser aus der obengenannten Datei entfernt werden, da dies sonst zu einer Fehlermeldungen und zu einer nicht zustandekommenden Verbindungen führt!
Die Nachfrage (falls Ihnen der Rechner nicht bekannt sein sollte und Sie dem „fingerprint“ nicht vertrauen) sollte mit no beantwortet werden, was zu folgende Ausgabe führt
Host key verification failed.
und keinen Verbindungsaufbau als Konsequenz hat.
Nach der ersten Verbindung
Anschließend wird die Authentifizierung durch Eingabe des zum Benutzer auf dem entfernten Rechner gehörigen Passworts abgefragt.
$ ssh username@192.168.0.2 username@192.168.0.2's password:
Falls das korrekte Passwort eingegeben wurde, sollte eine Bestätigung der Anmeldung mit dem entsprechenden Benutzernamen (in unserem Beispiel hier username) in etwa wie folgt aussehen
$ ssh username@192.168.0.2 username@192.168.0.2's password: Last login: Tue Aug 21 13:22:46 2007 from 192.168.0.3
"Public-Key" Authentifizierung
Eine weitaus bequemere Möglichkeit sich an einem entfernten Rechner anzumelden, ist die Verwendung eines digitalen Schlüssels. Dabei wird auf dem entfernten Rechner eine Datei hinterlegt, die den öffentlichen Schlüssel enthält und mit dem dazugehörigen Gegenstück, dem privaten Schlüssel, eine Kommunikation erlaubt. Der private Schlüssel kann eine Passphrase (Passwortabfrage) enthalten, muss aber keine Passphrase enthalten. (Ohne Passphrase, wenn ein Dienst (Daemon) sich dieser Authentifizierung bedient). Die Passphrase ersetzt hier die Eingabe eines Passwortes und gilt nur für die Verbindung per SSH.
Erzeugen eines digitalen Schlüsselpaares
Ein digitales Schlüsselpaar kann mit ssh-keygen erzeugt werden.
Hier ein Beispiel für die Erzeugung eines solchen digitalen Schlüsselpaares, genauer gesagt eines SSH2-RSA-Schlüssels
ssh-keygen -b 4096 -t rsa -C username@rechner.tld Generating public/private rsa key pair. Enter file in which to save the key (/home/username/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/username/.ssh/id_rsa. Your public key has been saved in /home/username/.ssh/id_rsa.pub. The key fingerprint is: f7:34:69:ce:d6:28:a5:72:78:a7:0b:7d:16:8d:f6:f6 username@rechner.tld The key's randomart image is: +--[ RSA 4096]----+ | | | | | | | + | | S . X . | | + X * | | + * X + | | = B . . | | o. E| +-----------------+
Hier ein weiteres Beispiel für die Erzeugung eines solchen digitalen Schlüsselpaares, genauer gesagt eines ECDSA-SHA2-NISTP256 Schlüssels
$ ssh-keygen -b 256 -t ecdsa -C username@rechner.tld Generating public/private ecdsa key pair. Enter file in which to save the key (/home/username/.ssh/id_ecdsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/username/.ssh/id_ecdsa. Your public key has been saved in /home/username/.ssh/id_ecdsa.pub. The key fingerprint is: 17:62:9a:c8:92:e1:c7:b0:68:a8:8f:79:7d:7c:07:89 username@rechner.tld The key's randomart image is: +--[ECDSA 256]---+ | | | | | o o . | |.o B . + . . | |o.= = o.S.. | |o o E o. | |. . . . | | +. . o . . | |o.. . . . | +-----------------+
ACHTUNG - Aufgrund der Inkompatibilität von ECDSA-Schlüssel zu OpenSSH-Version VOR Version 5.7, sollte der Einsatz genau geprüft werden. Auch wurde das Unterverfahren NIST mit Unterstützung der NSA erstellt !!!
"Fingerprint" des digitalen Schlüsselpaares
Alle verwendeten Schlüsselpaare haben einen sogenannten „Fingerprint“ (Fingerabdruck). Der „Fingerprint“ ist hilfreich, wenn man einen Schlüssel vergleichen will, jedoch nicht den ganzen Schlüssel dazu heranziehen will. Auch ein Vergleich über z.B. Telefon ist möglich - hierfür gibt es sogar eine Unterstützung die sich „Bubble Babble“ nennt und den „Fingerprint“ in einer leichter lesbaren Form darstellt.
Der Fingerabdruck in hexadezimaler Darstellung, kann über folgenden Befehl angezeigt werden
$ ssh-keygen -l -f ~/.ssh/id_rsa.pub 4096 ae:c3:ac:15:a2:e0:62:59:33:19:ca:46:81:65:62:24 /username/.ssh/id_rsa.pub
Der Fingerabdruck in „Bubble Babble“ Darstellung, kann über folgenden Befehl angezeigt werden
$ ssh-keygen -B -f ~/.ssh/id_rsa.pub 4096 qwzer-sdfgg-ljkkr-yxcge-hthvc-qosng-bdtjg-pwmfh-opang-ncvet-kjdfh /username/.ssh/id_rsa.pub
Hinterlegung des öffentlichen Schlüssels
Um eine erfolgreiche Anmeldung via „Public-Key“-Autentifizierung durchführen zu können, muss der öffentliche Schlüssel eines Schlüsselpaares auf dem Server, auf den zugegriffen werden soll, hinterlegt werden. Der öffentliche Schlüssel wird in der Datei ~/.ssh/authorized_keys des jeweiligen Benutzers gespeichert.
Falls die Datei ~/.ssh/authorized_keys noch nicht bestehen sollte, kann diese mit folgendem Befehl angelegt werden
# touch ~/.ssh/authorized_keys
Im Verzeichnis ~/.ssh sollten dann mindestens folgende Dateien anthalten sein
# ll total 8 -rw-r--r-- 1 root root 0 Aug 24 13:09 authorized_keys -rw------- 1 root root 3311 Aug 23 16:16 id_rsa -rw-r--r-- 1 root root 743 Aug 23 16:16 id_rsa.pub
Nun können Sie den öffentlichen Schlüssel hier z.B. id_rsa.pub in die Datei authorized_keys hineinkopieren, was mit folgendem Befehl druchgeführt werden sollte (so können auch mehrere Schlüssel hinzugefügt werden)
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys # ll total 12 -rw-r--r-- 1 root root 743 Aug 24 13:15 authorized_keys -rw------- 1 root root 3311 Aug 23 16:16 id_rsa -rw-r--r-- 1 root root 743 Aug 23 16:16 id_rsa.pub
Wichtig ist, das die Rechte der Datei authorized_keys mit folgendem Befehl wie folgt geändert werden (dies sollten Sie als root erledigen)
# chmod 600 authorized_keys # ll ~/.ssh/authorized_keys -rw------- 1 username usergroup 744 Aug 24 14:58 /home/username/.ssh/authorized_keys
da sonst zwar root, auch ohne diese Beschränkung der Rechte auf lesen und schreiben (rw) nur auf den Inhaber, SSH erfolgreich betreiben kann, jedoch sonst kein „normaler“ Benutzer, wie hier z.B. username. Dies würde mit der folgenden Fehlermeldung in der Datei /var/log/secure quittiert werden
Aug 24 15:17:42 localhost sshd[9035]: Authentication refused: bad ownership or modes for file /home/username/.ssh/authorized_keys
Jetzt muss der private Schlüssel id_rsa nur noch auf den Rechner kopiert werden, von dem aus Sie auf den Rechner mit dem öffentlichen Schlüssel zugreifen wollen, oder auf einen USB-Stick, Diskette usw., je nach Vorlieben und Sicherheitsanforderungen.
Als Beispiel wird von dem lokalen Rechner auf einen entfernten Rechner mit der IP-Adresse 192.168.0.2 zugegriffen. Voraussetzung hierfür ist, dass auf dem entfernten Rechner mit der IP-Adresse 192.168.0.2 der öffentliche Schlüssel vorhanden ist. Im übertragenen Sinne heist das auf 192.168.0.2/home/username/.ssh/authorized_keys muss der öffentlichen Schlüssel des Benutzer enthalten sein.
# ssh -l username 192.168.0.2 -i ~/.ssh/id_rsa
Hinterlegung des öffentlichen Schlüssels mittels ''ssh-copy-id''
Eine etwas einfachere Methode den „öffentlichen Schlüssel“ auf einem entfernten Rechner zu hinterlegen, ist dies mit Hilfe von ssh-copy-id durchzuführen. ssh-copy-id ist ein einfaches shell-Script mit folgendem Inhalt, was letztendlich alle notwendigen Schritte erledigt:
$ cat /usr/bin/ssh-copy-id #!/bin/sh # Shell script to install your identity.pub on a remote machine # Takes the remote machine name as an argument. # Obviously, the remote machine must accept password authentication, # or one of the other keys in your ssh-agent, for this to work. ID_FILE="${HOME}/.ssh/identity.pub" if [ "-i" = "$1" ]; then shift # check if we have 2 parameters left, if so the first is the new ID file if [ -n "$2" ]; then if expr "$1" : ".*\.pub" ; then ID_FILE="$1" else ID_FILE="$1.pub" fi shift # and this should leave $1 as the target name fi else if [ x$SSH_AUTH_SOCK != x ] ; then GET_ID="$GET_ID ssh-add -L" fi fi if [ -z "`eval $GET_ID`" ] && [ -r "${ID_FILE}" ] ; then GET_ID="cat ${ID_FILE}" fi if [ -z "`eval $GET_ID`" ]; then echo "$0: ERROR: No identities found" >&2 exit 1 fi if [ "$#" -lt 1 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then echo "Usage: $0 [-i [identity_file]] [user@]machine" >&2 exit 1 fi { eval "$GET_ID" ; } | ssh $1 "umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys" || exit 1 cat <<EOF Now try logging into the machine, with "ssh '$1'", and check in: .ssh/authorized_keys to make sure we haven't added extra keys that you weren't expecting. EOF
Der Aufruf des shell-Scriptes ssh-copy-id sollte wie folgt aussehen:
$ ssh-copy-id -i ~/.ssh/id_rsa_pub username@192.168.0.2
Anschliessend erfolgt eine Aufforderung zur Eingabe des Passwort - nicht der Passphrase:
username@192.168.0.2 password: Now try logging into the machine, with "ssh 'username@192.168.0.2'", and check in: .ssh/authorized_keys to make sure we haven't added extra keys that you weren't expecting.
Eine Überprüfung, ob das Kopieren des „öffentlichen Schlüssels“ erfolgreich war, können Sie einfach mit einem ssh-Zugriff auf den entfernten Rechner mit folgendem Befehl:
$ ssh username@192.168.0.2 Enter passphrase for key '/home/username/.ssh/id_rsa':
Nach erfolgreicher Eingabe der „Passphrase“ (falls für den „privaten Schlüssel“ eine vorhanden ist) sollte der Zugriff auf den entfernten Rechner möglich sein:
Last login: Tue Aug 21 13:22:46 2007 from 192.168.0.3 $
Einsatz eines "Agenten"
Aus Sicherheitsgründen ist der Verzicht auf eine „Passphrase“ - einer Passwortabfrage für den privaten Schlüssel nicht zu empfehlen. Allerdings kann es in einer längeren Sitzung etwas umständlich sein, immer die „Passphrase“ bei jeder erneuten Anmeldung an einem entfernten Rechner, eingeben zu müssen.
Hier kann das Programm ssh-agent Abhilfe schaffen. Das Programm ssh-agent fragt einmalig nach dem Einbinden eines „privaten Schlüssel“ mit „Passphrase“ diese ab und merkt sich diese bis z.B. dem Beenden der Shell, oder bis zum Ausschalten des Rechners. D.h. eine Eingabe der „Passphrase“ ist zwar immer noch erforderlich, allerdings nicht mehr bei jedem Verbindungsaufbau mit einem entfernten Rechner innerhalb der Shell, bzw. der „Session“.
Der Start des Agenten erfolgt durch folgenden Befehl
$ eval $(ssh-agent) Agent pid 2275
wobei diese besondere Art des startens der Anwendung durch den Zusatz eval am Anfang der Zeile bewirkt, dass einige Umgebungsvariablen der aktuellen Shell geändert werden. Das Programm ssh-agent läuft somit im Hintergrund. Merklich wurden folgende Umgebungsvariablen in der Shell geändert, bzw. eingefügt.
SHLVL=2 SSH_AGENT_PID=3018 SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass SSH_AUTH_SOCK=/tmp/ssh-dtMoYS2959/agent.2959
Anschliessend müssen dem Agenten noch der oder die „private(n) Schlüssel“ mitgeteilt werden, den oder die er Verwalten soll. Dies kann mit dem folgendem Befehl durchgeführt werden
$ ssh-add ~/.ssh/id_rsa Enter passphrase for /home/username/.ssh/id_rsa: Identity added: /home/username/.ssh/id_rsa (/home/username/.ssh/id_rsa)
Nach erfolgreicher Eingabe der „Passphrase“ wird diese nicht mehr abgefragt.
Ausführen von Kommandos auf einem entfernten Rechner über ''ssh''
Hier ein Beispiel, welches die Laufzeit (uptime) eines entfernten Rechners als Ausgabe auf dem lokalen Rechner darstellt.
# ssh username@192.168.0.2 uptime username@192.168.0.2's password: 4:13pm up 5 days, 3:17, 5 users, load average: 0.00, 0.00, 0.00
Kopieren mit scp
Dies lässt sich am besten an einem kleinen Beispiel demonstrieren, in dem vom lokalen Rechner aus auf einen entfernten Rechner mit der IP-Adresse 192.168.0.2 eine Datei mit dem Namen transfer.txt kopiert wird.
# scp /home/username/transfer.txt username@192.168.0.2:/home/username/transfer.txt username@192.168.0.2's password: transfer.txt 100% |******************************| 795 00:00
Dies ist natürlich auch in die andere Richtung möglich, in dem vom entfernten Rechner mit der IP-Adresse 192.168.0.2 aus auf den lokalen Rechner eine Datei mit dem Namen backtransfer.txt kopiert wird.
# scp username@192.168.0.2:/home/username/backtransfer.txt /home/username/backtransfer.txt username@192.168.0.2's password: backtransfer.txt 100% |******************************| 795 00:00
Falls der Benutzername auf dem lokalen und dem entfernten Rechner identisch ist, kann dieser auch weggelassen werden. Dies gilt auch für den Dateinamen, falls er beim kopieren nicht geändert werden soll.
Kopieren mit sftp
Dies lässt sich am besten am gleichen Beispiel demonstrieren, wie das beim Kopieren mit scp der Fall war , in dem vom lokalen Rechner aus auf einen entfernten Rechner mit der IP-Adresse 192.168.0.2 eine Datei mit dem Namen transfer.txt transferiert wird.
$ sftp username@192.168.0.2 Connecting to 192.168.0.2... username@192.168.0.2's password: sftp> put transfer.txt Uploading transfer.txt to /home/username/transfer.txt sftp> quit
Anschliessend die die Datei backtransfer.txt vom entfernten auf den lokalen Rechner kopiert.
$ sftp username@192.168.0.2 Connecting to 192.168.0.2... username@192.168.0.2's password: sftp> get backtransfer.txt Fetching /home/klaus/backtransfer.txt to backtransfer.txt sftp> quit
tachtler/ssh.txt · Zuletzt geändert: 2014/10/01 16:19 von klaus