Owen Ouyang's Home

Daily Life

0%

SSH 安全

發表於 更新於 Disqus:
文章字數: 16k 所需閱讀時間 ≈ 15 分鐘

內容

  1. 關於 SSH 與安全
  2. 什麼是 SSH
  3. SSH 如何運作
  4. 安全的使用 SSH
  5. SSH 實踐
  6. 總結

關於 SSH 與安全

SSH 比傳統的 TELNET 等方式提供了更安全的連線方式

SSH 是安全的遠端連線,但是我們真的有安全的使用 SSH 嗎?

SSH 是用來取代傳統 TELNET 遠端連線的工具,最主要目的就是要解決和遠端主機的安全問題。

本文希望提供一些 SSH 更安全使用的一些建議,希望可以讓大家可以更安心的使用現代的系統,沒有後顧之憂。

什麼是 SSH

Secure Shell wiki 對 SSH 有簡單的解釋。

1
2
3
4
5
6
7
8
9
10
11
12
13
Secure Shell(安全外殼協定,簡稱SSH)是一種加密的網路傳輸協定,可在不安全的網路中為網路服務提供安全的傳輸環境。

SSH通過在網路中建立安全隧道來實現SSH客戶端與伺服器之間的連接。

SSH最常見的用途是遠端登錄系統,人們通常利用SSH來傳輸命令行介面和遠端執行命令。

SSH使用頻率最高的場合是類Unix系統,但是Windows作業系統也能有限度地使用SSH。

2015年,微軟宣布將在未來的作業系統中提供原生SSH協定支援[3],Windows 10 1803版本已提供OpenSSH工具。

在設計上,SSH是Telnet和非安全shell的替代品。Telnet和Berkeley rlogin、rsh、rexec等協定採用明文傳輸,使用不可靠的密碼,容易遭到監聽、嗅探和中間人攻擊。

SSH旨在保證非安全網路環境(例如網際網路)中資訊加密完整可靠。

概述

  • SSH以非對稱加密實現身分驗證。
  • 身分驗證有多種途徑,例如其中一種方法是使用自動生成的公鑰-私鑰對來簡單地加密網路連接,隨後使用密碼認證進行登錄;另一種方法是人工生成一對公鑰和私鑰,通過生成的金鑰進行認證,這樣就可以在不輸入密碼的情況下登錄。
  • 任何人都可以自行生成金鑰。
  • 公鑰需要放在待存取的電腦之中,而對應的私鑰需要由使用者自行保管。
  • 認證過程基於生成出來的私鑰,但整個認證過程中私鑰本身不會傳輸到網路中。
  • 因為SSH只驗證提供使用者是否擁有與公鑰相匹配的私鑰,只要接受公鑰而且金鑰匹配伺服器就會授予許可。
  • 這樣的話,一旦接受了惡意攻擊者的公鑰,那麼系統也會把攻擊者視為合法使用者

應用

  • SSH的經典用途是登入到遠端電腦中執行命令。
  • 除此之外,SSH也支援隧道協定埠對映X11連接。藉助SFTPSCP協定,SSH還可以傳輸檔案
  • SSH使用客戶端-伺服器模型,標準埠為22。
  • 檔案管理軟體(同步、複製、刪除等)。

linux 安裝 ssh client

  • centos
    1
    $ sudo yum install -y openssh-client
  • ubuntu
    1
    $ sudo apt-get install -y openssh-client
  • windows

    windows 10 x64 - WSL windows 10 提供的 linux 環境

    mobaxterm 推薦功能強大,支持正版軟體,可以贊助專業版

    putty 輕薄短小

認證方式

  • 密碼 - 傳統 (類似 telnet 登入方式)
  • 密匙 - 推薦, 安全

金鑰管理

  • 已許可登錄的公鑰通常儲存在使用者 /home 目錄的 ~/.ssh/authorized_keys 檔案中,該檔案只由SSH使用。
  • 當遠端機器持有公鑰,而本地持有對應私鑰時,登錄過程不再需要手動輸入密碼。
  • 另外為了額外的安全性,私鑰本身也能用密碼保護。
  • 私鑰會儲存在固定位置,也可以通過命令行參數指定(例如ssh命令的「-i」選項)。
  • ssh-keygen是生成金鑰的工具之一。

SSH也支援基於密碼的身分驗證,此時金鑰是自動生成的。若客戶端和伺服器端從未進行過身分驗證,SSH未記錄伺服器端所使用的金鑰,那麼攻擊者可以模仿伺服器端請求並取得密碼,即中間人攻擊。但是密碼認證可以禁用,而且SSH客戶端在發現新金鑰或未知伺服器時會向使用者發出警告。

ssh 連線

1
2
3
4
5
6
$ ssh alpine@node2
The authenticity of host 'node2 (192.168.0.27)' can't be established.
RSA key fingerprint is SHA256:1GK08rjZ3N/bdG5XgMT0ERECdthc09muRMYHlzYEOdw.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'node2,192.168.0.27' (RSA) to the list of known hosts.
alpine@node2's password:

產生金匙

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
node3:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/alpine/.ssh/id_rsa): 
Created directory '/home/alpine/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/alpine/.ssh/id_rsa
Your public key has been saved in /home/alpine/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:iMC4C0GFqUmiAjtKa7i3ltCeCZAlCYBS0lyKBTJYmag alpine@node3
The key's randomart image is:
+---[RSA 3072]----+
|%XB=.            |
|%@*.             |
|%*+              |
|E+ . . .         |
|Oo. . . S        |
|*+.              |
|o= +             |
|. B              |
| o..             |
+----[SHA256]-----+
1
2
3
4
node3:~$ ls -l .ssh
total 8
-rw-------    1 alpine   alpine        2602 Feb 26 01:21 id_rsa
-rw-r--r--    1 alpine   alpine         566 Feb 26 01:21 id_rsa.pub
  • 上傳金匙
1
2
3
4
5
6
7
8
9
10
node2:~$ ssh-copy-id alpine@node3
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/alpine/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
alpine@node3's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'alpine@node3'"
and check to make sure that only the key(s) you wanted were added.
  • 金匙登入
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
node2:~$ ssh alpine@node3
node3:~$ 
node3:~$ logout
Connection to node3 closed.
node2:~$ ls -lia . .ssh
.:
total 4
108741282 drwxr-sr-x    3 alpine   alpine          39 Feb 26 02:04 .
67191552 drwxr-xr-x    1 root     root            20 Feb 26 01:07 ..
108735104 -rw-------    1 alpine   alpine           8 Feb 26 02:01 .bash_history
1225118 drwx--S---    2 alpine   alpine          57 Feb 26 02:08 .ssh

.ssh:
total 12
1225118 drwx--S---    2 alpine   alpine          57 Feb 26 02:08 .
108741282 drwxr-sr-x    3 alpine   alpine          39 Feb 26 02:04 ..
1273921 -rw-------    1 alpine   alpine        2602 Feb 26 02:07 id_rsa
1273922 -rw-r--r--    1 alpine   alpine         566 Feb 26 02:07 id_rsa.pub
1225108 -rw-r--r--    1 alpine   alpine         572 Feb 26 02:04 known_hosts
node2:~$ cat .ssh/known_hosts
node3,192.168.0.26 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7V6zQ4FENkPY+Vg7kN7ji0Pxb2Nmsn+KMtaTnTxTEXoz3Jyjh7VxQN9xRPrUaJYTNTfzVv4BekgGthpD8L/OfPPtVvhvOAgW94dcB+ybeD7LRplzj/DbVgr9AQLRXWEQuDZJgjcJRJJiyeXW5zlI07UB5iALgqLxIA9znb1Jae01BifkUPYvNKQHXvgZAy9U3NyZgZyLqv0paGfFDD6FZYIHtKlPFfX7pq7IF2kdzfAymI5IMGNgSo/p+ptTKquoZyA2UX1Yd8ijcY1DgOsPCCzEbe2KalyA+r5wwiegufIMCMCe6A4b/PM5ivqzSD4dgvfulWgHnNqSmw5ONbmGLHbLxpnpWnilORMjX1vO8deUYehFSQZZXSO6iLCn/YDlwkVqXSGM/v0s9EQpwErTg3QuBO68pVCPI91GIftksfGM4SdlKaHFEnYJ3BApOCWF27fXim/VSmM8ZKjHjtrVhXZ9G3jSKM4cBXKfnzazUOw6DJ6eFmrOotpENRuf+bE=

ssh 的安全機制

  • SSH能夠阻止一些因直接暴露在網際網路而產生的安全問題,在解決連接問題上發揮了重要作用。
  • SSH隧道可以在網際網路、防火牆和機器之間提供一個安全的通道。

基本安全

SSH 提供了很多安全機制來確保我們的安全性,不過如果我們使用不當,仍然面臨相當的安全威脅。

加強金匙安全 - passphrase

1
2
3
4
5
node3:~$ ssh-keygen -f .ssh/id_rsa -p
Key has comment 'alpine@node3'
Enter new passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved with the new passphrase.

安全性 VS 便利性

  • 有 passphrase 登入
    1
    2
    3
    node3:~$ ssh alpine@node2
    Enter passphrase for key '/home/alpine/.ssh/id_rsa': 
    node2:~$

    ssh-agent

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
node3:~$ ssh alpine@node2
Enter passphrase for key '/home/alpine/.ssh/id_rsa': 
node2:~$ 
node2:~$ eval $(ssh-agent -s)
Agent pid 32095
node2:~$ export
declare -x CHARSET="UTF-8"
declare -x HOME="/home/alpine"
declare -x LANG="C.UTF-8"
declare -x LC_COLLATE="C"
declare -x LOGNAME="alpine"
declare -x MAIL="/var/mail/alpine"
declare -x OLDPWD
declare -x PAGER="less"
declare -x PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
declare -x PS1="\\h:\\w\\\$ "
declare -x PWD="/home/alpine"
declare -x SHELL="/bin/bash"
declare -x SHLVL="1"
declare -x SSH_AGENT_PID="32095"
declare -x SSH_AUTH_SOCK="/tmp/ssh-0EbOKtlHGdyD/agent.32094"
declare -x SSH_CLIENT="192.168.0.26 58954 22"
declare -x SSH_CONNECTION="192.168.0.26 58954 192.168.0.27 22"
declare -x SSH_TTY="/dev/pts/3"
declare -x TERM="xterm"
declare -x USER="alpine"
node2:~$ ssh-add
Identity added: /home/alpine/.ssh/id_rsa (alpine@node2)
node2:~$ ssh alpine@node3

forward agent

減少密匙上傳危險

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
node2:~$ ssh-copy-id owen@node2
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/alpine/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
expr: warning: '^ERROR: ': using '^' as the first character
of a basic regular expression is not portable; it is ignored
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
owen@node2's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'owen@node2'"
and check to make sure that only the key(s) you wanted were added.

node2:~$ ssh-copy-id owen@node3
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/alpine/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
expr: warning: '^ERROR: ': using '^' as the first character
of a basic regular expression is not portable; it is ignored
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
owen@node3's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'owen@node3'"
and check to make sure that only the key(s) you wanted were added.

node2:~$ eval $(ssh-agent -s)
Agent pid 17509
node2:~$ ssh-add
Identity added: /home/alpine/.ssh/id_rsa (alpine@node2)
node2:~$ ssh owen@node2
node2:~$ ssh owen@node3
owen@node3's password: 
node3:~$ logout
Connection to node3 closed.
node2:~$ logout
Connection to node2 closed.
node2:~$ ssh -A owen@node2
node2:~$ ssh owen@node3
node3:~$

ssh config

  • ~/.ssh/config
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
node2:~$ ssh o
node3:~$ logout
Connection to node3 closed.
node2:~$ cat .ssh/config
host o
 hostname node3
 user owen
 
node2:~$ ssh o
node3:~$ logout
Connection to node3 closed.
node2:~$ cat .ssh/config
host a
 hostname node3
 user alpine
host o
 hostname node3
 user owen

ssh 除錯

  • -v 第一級除錯模式 -vv 第二級除錯模式 -vvv 第三級除錯模式
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    51
    52
    53
    54
    55
    56
    57
    58
    59
    60
    61
    62
    63
    64
    65
    66
    67
    68
    69
    70
    71
    72
    73
    74
    75
    76
    77
    78
    79
    80
    81
    82
    83
    84
    85
    86
    87
    88
    89
    90
    91
    92
    93
    94
    95
    96
    97
    98
    99
    100
    101
    102
    103
    104
    105
    106
    107
    108
    109
    110
    node2:~$ ssh -vv owen@node3
    OpenSSH_8.3p1, OpenSSL 1.1.1i  8 Dec 2020
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
    debug2: resolving "node3" port 22
    debug2: ssh_connect_direct
    debug1: Connecting to node3 [192.168.0.26] port 22.
    debug1: Connection established.
    debug1: identity file /home/owen/.ssh/id_rsa type -1
    debug1: identity file /home/owen/.ssh/id_rsa-cert type -1
    debug1: identity file /home/owen/.ssh/id_dsa type -1
    debug1: identity file /home/owen/.ssh/id_dsa-cert type -1
    debug1: identity file /home/owen/.ssh/id_ecdsa type -1
    debug1: identity file /home/owen/.ssh/id_ecdsa-cert type -1
    debug1: identity file /home/owen/.ssh/id_ecdsa_sk type -1
    debug1: identity file /home/owen/.ssh/id_ecdsa_sk-cert type -1
    debug1: identity file /home/owen/.ssh/id_ed25519 type -1
    debug1: identity file /home/owen/.ssh/id_ed25519-cert type -1
    debug1: identity file /home/owen/.ssh/id_ed25519_sk type -1
    debug1: identity file /home/owen/.ssh/id_ed25519_sk-cert type -1
    debug1: identity file /home/owen/.ssh/id_xmss type -1
    debug1: identity file /home/owen/.ssh/id_xmss-cert type -1
    debug1: Local version string SSH-2.0-OpenSSH_8.3
    debug1: Remote protocol version 2.0, remote software version OpenSSH_8.3
    debug1: match: OpenSSH_8.3 pat OpenSSH* compat 0x04000000
    debug2: fd 3 setting O_NONBLOCK
    debug1: Authenticating to node3:22 as 'owen'
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug2: local client KEXINIT proposal
    debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
    debug2: host key algorithms: rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com
    debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
    debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
    debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
    debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
    debug2: compression ctos: none,zlib@openssh.com,zlib
    debug2: compression stoc: none,zlib@openssh.com,zlib
    debug2: languages ctos: 
    debug2: languages stoc: 
    debug2: first_kex_follows 0 
    debug2: reserved 0 
    debug2: peer server KEXINIT proposal
    debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
    debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa
    debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
    debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
    debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
    debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
    debug2: compression ctos: none,zlib@openssh.com
    debug2: compression stoc: none,zlib@openssh.com
    debug2: languages ctos: 
    debug2: languages stoc: 
    debug2: first_kex_follows 0 
    debug2: reserved 0 
    debug1: kex: algorithm: curve25519-sha256
    debug1: kex: host key algorithm: rsa-sha2-512
    debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
    debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug1: Server host key: ssh-rsa SHA256:1GK08rjZ3N/bdG5XgMT0ERECdthc09muRMYHlzYEOdw
    debug1: Host 'node3' is known and matches the RSA host key.
    debug1: Found key in /home/owen/.ssh/known_hosts:2
    debug2: set_newkeys: mode 1
    debug1: rekey out after 134217728 blocks
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug2: set_newkeys: mode 0
    debug1: rekey in after 134217728 blocks
    debug1: Will attempt key: alpine@node2 RSA SHA256:itRI2ktscmjjrpCN7MpS7m4ICZ6IHvuXa4xhFEXGJIU agent
    debug1: Will attempt key: /home/owen/.ssh/id_rsa 
    debug1: Will attempt key: /home/owen/.ssh/id_dsa 
    debug1: Will attempt key: /home/owen/.ssh/id_ecdsa 
    debug1: Will attempt key: /home/owen/.ssh/id_ecdsa_sk 
    debug1: Will attempt key: /home/owen/.ssh/id_ed25519 
    debug1: Will attempt key: /home/owen/.ssh/id_ed25519_sk 
    debug1: Will attempt key: /home/owen/.ssh/id_xmss 
    debug2: pubkey_prepare: done
    debug1: SSH2_MSG_EXT_INFO received
    debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com>
    debug2: service_accept: ssh-userauth
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug1: Next authentication method: publickey
    debug1: Offering public key: alpine@node2 RSA SHA256:itRI2ktscmjjrpCN7MpS7m4ICZ6IHvuXa4xhFEXGJIU agent
    debug2: we sent a publickey packet, wait for reply
    debug1: Server accepts key: alpine@node2 RSA SHA256:itRI2ktscmjjrpCN7MpS7m4ICZ6IHvuXa4xhFEXGJIU agent
    debug1: Authentication succeeded (publickey).
    Authenticated to node3 ([192.168.0.26]:22).
    debug1: channel 0: new [client-session]
    debug2: channel 0: send open
    debug1: Requesting no-more-sessions@openssh.com
    debug1: Entering interactive session.
    debug1: pledge: network
    debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
    debug1: Remote: /home/owen/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
    debug1: Remote: /home/owen/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
    debug2: channel_input_open_confirmation: channel 0: callback start
    debug2: fd 3 setting TCP_NODELAY
    debug2: client_session2_setup: id 0
    debug2: channel 0: request pty-req confirm 1
    debug2: channel 0: request shell confirm 1
    debug2: channel_input_open_confirmation: channel 0: callback done
    debug2: channel 0: open confirm rwindow 0 rmax 32768
    debug2: channel_input_status_confirm: type 99 id 0
    debug2: PTY allocation request accepted on channel 0
    debug2: channel 0: rcvd adjust 2097152
    debug2: channel_input_status_confirm: type 99 id 0
    debug2: shell request accepted on channel 0

    安全進階建議

  • 禁止 root 登錄
1
2
3
4
$ cat /etc/ssh/sshd_config
...
	PermitRootLogin no
...
  • 使用IPTABLES過濾限制 ssh 登入 ip

例如,允許來自192.168.0.0/24網絡的流量,否則丟棄流量(至端口22)。DROP如果您的iptables默認策略配置為,則不需要該規則DROP。

1
2
$ sudo iptables -A INPUT -p tcp --dport 22 --source 192.168.0.0/24 -j ACCEPT
$ sudo iptables -A INPUT -p tcp --dport 22 -j DROP
  • 廢除密碼登錄, 強迫使用 RSA 驗證
1
2
3
4
5
6
$ cat /etc/ssh/sshd_config
...
	RSAAuthentication yes
	PubkeyAuthentication yes
	PasswordAuthentication no
...
  • 限制 ssh 使用者名單
1
2
3
4
5
$ cat /etc/pam.d/sshd
...
	auth       required     pam_listfile.so item=user sense=allow file=/etc/ssh_users onerr=fail
...
#  echo user1 >> /etc/ssh_users

  • fail2ban 讓你用最少的力氣同時對 ssh 跟 apache 施以最基本的防護、 抵擋暴力攻擊和收割機騷擾。

  • 使用TCP包裝器限制 ssh 登入 ip

默認情況下,拒絕所有主機。

1
2
$ cat /etc/hosts.deny
sshd : ALL

然後在hosts.allow中列出允許的主機。例如,允許網絡192.168.0.0/24和localhost。

1
2
3
4
5
$ cat /etc/hosts.allow
sshd : 192.168.0.0/24
sshd : 127.0.0.1
sshd : [::1]

  • 使用authorized_keys限制 ssh 從某些 IP 登錄

    將ssh密鑰或基於ca的密鑰限制為.ssh/authorized_keys給定用戶主目錄文件中的一組地址

1
2
$ cat ~/.ssh/authorized_keys
from="192.168.1.*,192.168.2.*" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABA...etc...mnMo7n1DD user

參考