×
思维导图备注
SSH, the Secure Shell, 2nd Edit - Daniel J. Barrett;Richard E. Si
首页
收藏书籍
阅读记录
书签管理
我的书签
添加书签
移除书签
The Architecture of an SSH System
浏览
19
扫码
小字体
中字体
大字体
2022-02-24 01:57:43
请
登录
再阅读
上一篇:
下一篇:
Preface
Protect Your Network with SSH
Intended Audience
End-User Audience
System-Administrator Audience
Reading This Book
Our Approach
Which Chapters Are for You?
Supported Platforms
Disclaimers
Conventions Used in This Book
Comments and Questions
Safari Enabled
Acknowledgments
1. Introduction to SSH
What Is SSH?
What SSH Is Not
The SSH Protocol
1.3.1 Protocols, Products, Clients, and Confusion
Overview of SSH Features
1.4.1 Secure Remote Logins
1.4.2 Secure File Transfer
1.4.3 Secure Remote Command Execution
1.4.4 Keys and Agents
1.4.5 Access Control
1.4.6 Port Forwarding
History of SSH
Related Technologies
1.6.1 rsh Suite (r-Commands)
1.6.2 Pretty Good Privacy (PGP) and GNU Privacy Guard (GnuPG)
1.6.3 Kerberos
1.6.4 IPSEC and Virtual Private Networks
1.6.5 Secure Remote Password (SRP)
1.6.6 Secure Socket Layer (SSL) Protocol
1.6.7 SSL-Enhanced Telnet and FTP
1.6.8 stunnel
1.6.9 Firewalls
Summary
2. Basic Client Use
A Running Example
Remote Terminal Sessions with ssh
2.2.1 File Transfer with scp
Adding Complexity to the Example
2.3.1 Known Hosts
2.3.2 The Escape Character
Authentication by Cryptographic Key
2.4.1 A Brief Introduction to Keys
2.4.2 Generating Key Pairs with ssh-keygen
2.4.3 Installing a Public Key on an SSH Server Machine
2.4.4 If You Change Your Key
The SSH Agent
2.5.1 Agents and Automation
2.5.2 A More Complex Passphrase Problem
2.5.3 Agent Forwarding
Connecting Without a Password or Passphrase
Miscellaneous Clients
2.7.1 sftp
2.7.2 slogin
Summary
3. Inside SSH
Overview of Features
3.1.1 Privacy (Encryption)
3.1.2 Integrity
3.1.3 Authentication
3.1.4 Authorization
3.1.5 Forwarding (Tunneling)
A Cryptography Primer
3.2.1 How Secure Is Secure?
3.2.2 Public-and Secret-Key Cryptography
3.2.3 Hash Functions
The Architecture of an SSH System
Inside SSH-2
3.4.1 Protocol Summary
3.4.2 SSH Transport Layer Protocol (SSH-TRANS)
3.4.3 SSH Authentication Protocol (SSH-AUTH)
3.4.4 SSH Connection Protocol (SSH-CONN)
Inside SSH-1
Implementation Issues
3.6.1 Host Keys
3.6.2 Authorization in Hostbased Authentication
3.6.3 SSH-1 Backward Compatibility
3.6.4 Randomness
3.6.5 Privilege Separation in OpenSSH
SSH and File Transfers (scp and sftp)
3.7.1 What's in a Name?
3.7.2 scp Details
3.7.3 scp2/sftp Details
Algorithms Used by SSH
3.8.1 Public-Key Algorithms
3.8.2 Secret-Key Algorithms
3.8.3 Hash Functions
3.8.4 Compression Algorithms: zlib
Threats SSH Can Counter
3.9.1 Eavesdropping
3.9.2 Name Service and IP Spoofing
3.9.3 Connection Hijacking
3.9.4 Man-in-the-Middle Attacks
Threats SSH Doesn't Prevent
3.10.1 Password Cracking
3.10.2 IP and TCP Attacks
3.10.3 Traffic Analysis
3.10.4 Covert Channels
3.10.5 Carelessness
Threats Caused by SSH
Summary
4. Installation and Compile-Time Configuration
Overview
4.1.1 Install the Prerequisites
4.1.2 Obtain the Sources
4.1.3 Verify the Signature
4.1.4 Extract the Source Files
4.1.5 Perform Compile-Time Configuration
4.1.6 Compile Everything
4.1.7 Install the Programs and Configuration Files
Installing OpenSSH
4.2.1 Prerequisites
4.2.2 Downloading and Extracting the Files
4.2.3 Building and Installing
4.2.4 Configuration Options
Installing Tectia
4.3.1 Prerequisites
4.3.2 Obtaining and Extracting the Files
4.3.3 Verifying with md5sum
4.3.4 Building and Installing
4.3.5 Configuration Options
4.3.6 SSH-1 Compatibility Support for Tectia
Software Inventory
Replacing r-Commands with SSH
4.5.1 Concurrent Versions System (CVS)
4.5.2 GNU Emacs
4.5.3 Pine
4.5.4 rsync, rdist
Summary
5. Serverwide Configuration
Running the Server
5.1.1 Running sshd as the Superuser
5.1.2 Running sshd as an Ordinary User
Server Configuration: An Overview
5.2.1 Server Configuration Files
5.2.2 Checking Configuration Files
5.2.3 Command-Line Options
5.2.4 Changing the Configuration
5.2.5 A Tricky Reconfiguration Example
Getting Ready: Initial Setup
5.3.1 File Locations
5.3.2 File Permissions
5.3.3 TCP/IP Settings
5.3.4 Key Regeneration
5.3.5 Encryption Algorithms
5.3.6 Integrity-Checking (MAC) Algorithms
5.3.7 SSH Protocol Settings
5.3.8 Compression
Authentication: Verifying Identities
5.4.1 Authentication Syntax
5.4.2 Password Authentication
5.4.3 Public-Key Authentication
5.4.4 Hostbased Authentication
5.4.5 Keyboard-Interactive Authentication
5.4.6 PGP Authentication
5.4.7 Kerberos Authentication
5.4.8 PAM Authentication
5.4.9 Privilege Separation
5.4.10 Selecting a Login Program
Access Control: Letting People In
5.5.1 Account Access Control
5.5.2 Group Access Control
5.5.3 Hostname Access Control
5.5.4 shosts Access Control
5.5.5 Root Access Control
5.5.6 External Access Control
5.5.7 Restricting Directory Access with chroot
5.5.8 Summary of Authentication and Access Control
User Logins and Accounts
5.6.1 Welcome Messages for the User
5.6.2 Setting Environment Variables
5.6.3 Initialization Scripts
Forwarding
5.7.1 Port Forwarding
5.7.2 X Forwarding
5.7.3 Agent Forwarding
Subsystems
Logging and Debugging
5.9.1 OpenSSH Logging and Debugging
5.9.2 Tectia Logging and Debugging
5.9.3 Debugging Under inetd or xinetd
Compatibility Between SSH-1 and SSH-2 Servers
5.10.1 Security Issues with Tectia's SSH-1 Compatibility Mode
Summary
6. Key Management and Agents
What Is an Identity?
6.1.1 OpenSSH Identities
6.1.2 Tectia Identities
Creating an Identity
6.2.1 Generating Keys for OpenSSH
6.2.2 Generating Keys for Tectia
6.2.3 Selecting a Passphrase
6.2.4 Generating New Groups for Diffie-Hellman Key Exchange
SSH Agents
6.3.1 Agents Do Not Expose Keys
6.3.2 Starting an Agent
6.3.3 Loading Keys with ssh-add
6.3.4 Agents and Security
6.3.5 Agent Forwarding
6.3.6 Agent CPU Usage
6.3.7 Debugging the Agent
Multiple Identities
6.4.1 Switching Identities Manually
6.4.2 Switching Identities with an Agent
6.4.3 Tailoring Sessions Based on Identity
PGP Authentication in Tectia
Tectia External Keys
Summary
7. Advanced Client Use
How to Configure Clients
7.1.1 Command-Line Options
7.1.2 Client Configuration Files
7.1.3 Environment Variables
Precedence
Introduction to Verbose Mode
Client Configuration in Depth
7.4.1 Remote Account Name
7.4.2 User Identity
7.4.3 Host Keys and Known-Hosts Databases
7.4.4 SSH Protocol Settings
7.4.5 TCP/IP Settings
7.4.6 Making Connections
7.4.7 Proxies and SOCKS
7.4.8 Forwarding
7.4.9 Encryption Algorithms
7.4.10 Integrity-Checking (MAC) Algorithms
7.4.11 Host Key Types
7.4.12 Session Rekeying
7.4.13 Authentication
7.4.14 Data Compression
7.4.15 Program Locations
7.4.16 Subsystems
7.4.17 Logging and Debugging
7.4.18 Random Seeds
Secure Copy with scp
7.5.1 Full Syntax of scp
7.5.2 Handling of Wildcards
7.5.3 Recursive Copy of Directories
7.5.4 Preserving Permissions
7.5.5 Automatic Removal of Original File
7.5.6 Safety Features
7.5.7 Batch Mode
7.5.8 User Identity
7.5.9 SSH Protocol Settings
7.5.10 TCP/IP Settings
7.5.11 Encryption Algorithms
7.5.12 Controlling Bandwidth
7.5.13 Data Compression
7.5.14 File Conversion
7.5.15 Optimizations
7.5.16 Statistics Display
7.5.17 Locating the ssh Executable
7.5.18 Getting Help
7.5.19 For Internal Use Only
7.5.20 Further Configuration
Secure, Interactive Copy with sftp
7.6.1 Interactive Commands
7.6.2 Command-Line Options
Summary
8. Per-Account Server Configuration
Limits of This Technique
8.1.1 Overriding Serverwide Settings
8.1.2 Authentication Issues
Public-Key-Based Configuration
8.2.1 OpenSSH Authorization Files
8.2.2 Tectia Authorization Files
8.2.3 Forced Commands
8.2.4 Restricting Access by Host or Domain
8.2.5 Setting Environment Variables
8.2.6 Setting Idle Timeout
8.2.7 Disabling or Limiting Forwarding
8.2.8 Disabling TTY Allocation
Hostbased Access Control
The User rc File
Summary
9. Port Forwarding and X Forwarding
What Is Forwarding?
Port Forwarding
9.2.1 Local Forwarding
9.2.2 Trouble with Multiple Connections
9.2.3 Comparing Local and Remote Port Forwarding
9.2.4 Forwarding Off-Host
9.2.5 Bypassing a Firewall
9.2.6 Port Forwarding Without a Remote Login
9.2.7 The Listening Port Number
9.2.8 Choosing the Target Forwarding Address
9.2.9 Termination
9.2.10 Configuring Port Forwarding in the Server
9.2.11 Protocol-Specific Forwarding: FTP
Dynamic Port Forwarding
9.3.1. SOCKS v4, SOCKS v5, and Names
9.3.2 Other Uses of Dynamic Forwarding
X Forwarding
9.4.1 The X Window System
9.4.2 How X Forwarding Works
9.4.3 Enabling X Forwarding
9.4.4 Configuring X Forwarding
9.4.5 X Authentication
9.4.6 Further Issues
Forwarding Security: TCP-Wrappers and libwrap
9.5.1 TCP-Wrappers Configuration
9.5.2 Notes About TCP-Wrappers
Summary
10. A Recommended Setup
The Basics
Compile-Time Configuration
Serverwide Configuration
10.3.1 Disable Other Means of Access
10.3.2 sshd_config for OpenSSH
10.3.3 sshd2_config for Tectia
Per-Account Configuration
Key Management
Client Configuration
Remote Home Directories (NFS, AFS)
10.7.1 NFS Security Risks
10.7.2 NFS Access Problems
10.7.3 AFS Access Problems
Summary
11. Case Studies
Unattended SSH: Batch or cron Jobs
11.1.1 Password Authentication
11.1.2 Public-Key Authentication
11.1.3 Hostbased Authentication
11.1.4 Kerberos
11.1.5 General Precautions for Batch Jobs
11.1.6 Recommendations
FTP and SSH
11.2.1 FTP-Specific Tools for SSH
11.2.2 Static Port Forwarding and FTP: A Study in Pain
11.2.3 The FTP Protocol
11.2.4 Forwarding the Control Connection
11.2.5 FTP, Firewalls, and Passive Mode
11.2.6 FTP and Network Address Translation (NAT)
11.2.7 All About Data Connections
11.2.8 Forwarding the Data Connection
Pine, IMAP, and SSH
11.3.1 Securing IMAP Authentication
11.3.2 Mail Relaying and News Access
11.3.3 Using a Connection Script
Connecting Through a Gateway Host
11.4.1 Making Transparent SSH Connections
11.4.2 Using SCP Through a Gateway
11.4.3 Another Approach: SSH-in-SSH (Port Forwarding)
11.4.4 SSH-in-SSH with a Proxy Command (OpenSSH)
11.4.5 Comparing the Techniques
Scalable Authentication for SSH
11.5.1 Tectia with X.509 Certificates
11.5.2 OpenSSH and Tectia with Kerberos
Tectia Extensions to Server Configuration Files
11.6.1 Metaconfiguration
11.6.2 Subconfiguration Files
11.6.3 Quoted Values
Tectia Plugins
11.7.1 A Plugin for Changing Expired Passwords
11.7.2 A Plugin for Keyboard-Interactive Authentication
11.7.3 A Plugin for External Authorization
12. Troubleshooting and FAQ
Debug Messages: Your First Line of Defense
12.1.1 Client Debugging
12.1.2 Server Debugging
Problems and Solutions
12.2.1 General Problems
12.2.2 Authentication Problems
12.2.3 Key and Agent Problems
12.2.4 Server Problems
12.2.5 Client Problems
Other SSH Resources
12.3.1 Web Sites
12.3.2 Usenet Newsgroups
13. Overview of Other Implementations
Common Features
Covered Products
Other SSH Products
13.3.1 BeOS
13.3.2 Commodore Amiga
13.3.3 GNU Emacs
13.3.4 Java
13.3.5 Macintosh OS 9
13.3.6 Macintosh OS X
13.3.7 Microsoft Windows
13.3.8 Microsoft Windows CE (PocketPC)
13.3.9 OS/2
13.3.10 Palm OS
13.3.11 Perl
13.3.12 Unix Variants (Linux, OpenBSD, etc.)
13.3.13 VMS
14. OpenSSH for Windows
Installation
Using the SSH Clients
Setting Up the SSH Server
14.3.1 Opening Remote Windows on the Desktop
Public-Key Authentication
14.4.1 Running an Agent
Troubleshooting
Summary
15. OpenSSH for Macintosh
Using the SSH Clients
Using the OpenSSH Server
15.2.1 Enabling the Server
15.2.2 Opening the Firewall
15.2.3 Control by xinetd
15.2.4 Server Configuration Details
15.2.5 Kerberos Support
16. Tectia for Windows
Obtaining and Installing
Basic Client Use
Key Management
Accession Lite
Advanced Client Use
Port Forwarding
Connector
16.7.1 General Settings
16.7.2 Servers for Outgoing SSH Connections
16.7.3 Filter Rules for Dynamic Port Forwarding
16.7.4 Configuration File
File Transfers
Command-Line Programs
Troubleshooting
Server
16.11.1 Server Operation
16.11.2 Server Configuration
16.11.3 Commands and Interactive Sessions
16.11.4 Authentication
16.11.5 Access Control
16.11.6 Forwarding
16.11.7 SFTP Server
16.11.8 Logging and Debugging
17. SecureCRT and SecureFX for Windows
Obtaining and Installing
Basic Client Use
Key Management
17.3.1 Key Generation Wizard
17.3.2 Using Multiple Identities
17.3.3 The SSH Agent
Advanced Client Use
17.4.1 Mandatory Fields
17.4.2 Data Compression
17.4.3 Firewall Use
Forwarding
17.5.1 Port Forwarding
17.5.2 X Forwarding
Command-Line Client Programs
File Transfer
17.7.1 The vcp and vsftp Commands
17.7.2 Zmodem File Transfer
17.7.3 SecureFX
Troubleshooting
17.8.1 Authentication
17.8.2 Forwarding
VShell
Summary
18. PuTTY for Windows
Obtaining and Installing
Basic Client Use
18.2.1 Plink, a Console Client
18.2.2 Running Remote Commands
File Transfer
18.3.1 File Transfer with PSCP
18.3.2 File Transfer with PSFTP
Key Management
18.4.1 Choosing a Key
18.4.2 Pageant, an SSH Agent
Advanced Client Use
18.5.1 Saved Sessions
18.5.2 Host Keys
18.5.3 Choosing a Protocol Version
18.5.4 TCP/IP Settings
18.5.5 Pseudo-Terminal Allocation
18.5.6 Proxies and SOCKS
18.5.7 Encryption Algorithms
18.5.8 Authentication
18.5.9 Compression
18.5.10 Logging and Debugging
18.5.11 Batch Jobs
Forwarding
18.6.1 Forwarding with PuTTY
18.6.2 Forwarding with Plink
Summary
A. OpenSSH 4.0 New Features
Server Features: sshd
Logging of Access Control Violations
AddressFamily Keyword
Password and Account Expiration Warnings
Client Features: ssh, scp, and sftp
KbdInteractiveDevices Keyword
More Control for Connection Sharing
Hashing of Hostnames
Port Forwarding
sftp Command-Line Features
ssh-keygen
Hashing Your Known Hosts File
Managing Hosts
B. Tectia Manpage for sshregex
Regex Syntax: Egrep Patterns
Escaped Tokens for Regex Syntax Egrep
Regex Syntax: ZSH_FILEGLOB (or Traditional) Patterns
Character Sets for Egrep and ZSH_FILEGLOB
Regex Syntax: SSH Patterns
Escaped Tokens for Regex Syntax SSH
Character Sets for Regex Syntax SSH
Authors
See Also
C. Tectia Module Names for Debugging
D. SSH-1 Features of OpenSSH and Tectia
OpenSSH Features
Serverwide Configuration
Client Configuration
Files
Tectia Features
Serverwide Configuration
Client Configuration
File Transfers
Key Management
Authentication Agent
E. SSH Quick Reference
Legend
sshd Options
sshd Keywords
ssh Options
scp Options
ssh and scp Keywords
ssh-keygen Options
ssh-agent Options
ssh-add Options
Identity and Authorization Files, OpenSSH
Identity and Authorization Files, Tectia
Environment Variables
Index
暂无相关搜索结果!
×
二维码
手机扫一扫,轻松掌上学
×
《SSH, the Secure Shell, 2nd Edit - Daniel J. Barrett;Richard E. Si》电子书下载
请下载您需要的格式的电子书,随时随地,享受学习的乐趣!
EPUB 电子书
×
书签列表
×
阅读记录
阅读进度:
0.00%
(
0/0
)
重置阅读进度