SSH, the Secure Shell, 2nd Edit - Daniel J. Barrett;Richard E. Si

3.6.5 Privilege Separation in OpenSSH

2022-02-24 01:57:43

  • Preface
    • Protect Your Network with SSH
    • Intended Audience
      • End-User Audience
      • System-Administrator Audience
    • Reading This Book
    • Our Approach
    • Which Chapters Are for You?
    • Supported Platforms
    • Disclaimers
    • Conventions Used in This Book
    • Comments and Questions
    • Safari Enabled
    • Acknowledgments
  • 1. Introduction to SSH
    • What Is SSH?
    • What SSH Is Not
    • The SSH Protocol
      • 1.3.1 Protocols, Products, Clients, and Confusion
    • Overview of SSH Features
      • 1.4.1 Secure Remote Logins
      • 1.4.2 Secure File Transfer
      • 1.4.3 Secure Remote Command Execution
      • 1.4.4 Keys and Agents
      • 1.4.5 Access Control
      • 1.4.6 Port Forwarding
    • History of SSH
    • Related Technologies
      • 1.6.1 rsh Suite (r-Commands)
      • 1.6.2 Pretty Good Privacy (PGP) and GNU Privacy Guard (GnuPG)
      • 1.6.3 Kerberos
      • 1.6.4 IPSEC and Virtual Private Networks
      • 1.6.5 Secure Remote Password (SRP)
      • 1.6.6 Secure Socket Layer (SSL) Protocol
      • 1.6.7 SSL-Enhanced Telnet and FTP
      • 1.6.8 stunnel
      • 1.6.9 Firewalls
    • Summary
  • 2. Basic Client Use
    • A Running Example
    • Remote Terminal Sessions with ssh
      • 2.2.1 File Transfer with scp
    • Adding Complexity to the Example
      • 2.3.1 Known Hosts
      • 2.3.2 The Escape Character
    • Authentication by Cryptographic Key
      • 2.4.1 A Brief Introduction to Keys
      • 2.4.2 Generating Key Pairs with ssh-keygen
      • 2.4.3 Installing a Public Key on an SSH Server Machine
      • 2.4.4 If You Change Your Key
    • The SSH Agent
      • 2.5.1 Agents and Automation
      • 2.5.2 A More Complex Passphrase Problem
      • 2.5.3 Agent Forwarding
    • Connecting Without a Password or Passphrase
    • Miscellaneous Clients
      • 2.7.1 sftp
      • 2.7.2 slogin
    • Summary
  • 3. Inside SSH
    • Overview of Features
      • 3.1.1 Privacy (Encryption)
      • 3.1.2 Integrity
      • 3.1.3 Authentication
      • 3.1.4 Authorization
      • 3.1.5 Forwarding (Tunneling)
    • A Cryptography Primer
      • 3.2.1 How Secure Is Secure?
      • 3.2.2 Public- and Secret-Key Cryptography
      • 3.2.3 Hash Functions
    • The Architecture of an SSH System
    • Inside SSH-2
      • 3.4.1 Protocol Summary
      • 3.4.2 SSH Transport Layer Protocol (SSH-TRANS)
      • 3.4.3 SSH Authentication Protocol (SSH-AUTH)
      • 3.4.4 SSH Connection Protocol (SSH-CONN)
    • Inside SSH-1
    • Implementation Issues
      • 3.6.1 Host Keys
      • 3.6.2 Authorization in Hostbased Authentication
      • 3.6.3 SSH-1 Backward Compatibility
      • 3.6.4 Randomness
      • 3.6.5 Privilege Separation in OpenSSH
    • SSH and File Transfers (scp and sftp)
      • 3.7.1 What's in a Name?
      • 3.7.2 scp Details
      • 3.7.3 scp2/sftp Details
    • Algorithms Used by SSH
      • 3.8.1 Public-Key Algorithms
      • 3.8.2 Secret-Key Algorithms
      • 3.8.3 Hash Functions
      • 3.8.4 Compression Algorithms: zlib
    • Threats SSH Can Counter
      • 3.9.1 Eavesdropping
      • 3.9.2 Name Service and IP Spoofing
      • 3.9.3 Connection Hijacking
      • 3.9.4 Man-in-the-Middle Attacks
    • Threats SSH Doesn't Prevent
      • 3.10.1 Password Cracking
      • 3.10.2 IP and TCP Attacks
      • 3.10.3 Traffic Analysis
      • 3.10.4 Covert Channels
      • 3.10.5 Carelessness
    • Threats Caused by SSH
    • Summary
  • 4. Installation and Compile-Time Configuration
    • Overview
      • 4.1.1 Install the Prerequisites
      • 4.1.2 Obtain the Sources
      • 4.1.3 Verify the Signature
      • 4.1.4 Extract the Source Files
      • 4.1.5 Perform Compile-Time Configuration
      • 4.1.6 Compile Everything
      • 4.1.7 Install the Programs and Configuration Files
    • Installing OpenSSH
      • 4.2.1 Prerequisites
      • 4.2.2 Downloading and Extracting the Files
      • 4.2.3 Building and Installing
      • 4.2.4 Configuration Options
    • Installing Tectia
      • 4.3.1 Prerequisites
      • 4.3.2 Obtaining and Extracting the Files
      • 4.3.3 Verifying with md5sum
      • 4.3.4 Building and Installing
      • 4.3.5 Configuration Options
      • 4.3.6 SSH-1 Compatibility Support for Tectia
    • Software Inventory
    • Replacing r-Commands with SSH
      • 4.5.1 Concurrent Versions System (CVS)
      • 4.5.2 GNU Emacs
      • 4.5.3 Pine
      • 4.5.4 rsync, rdist
    • Summary
  • 5. Serverwide Configuration
    • Running the Server
      • 5.1.1 Running sshd as the Superuser
      • 5.1.2 Running sshd as an Ordinary User
    • Server Configuration: An Overview
      • 5.2.1 Server Configuration Files
      • 5.2.2 Checking Configuration Files
      • 5.2.3 Command-Line Options
      • 5.2.4 Changing the Configuration
      • 5.2.5 A Tricky Reconfiguration Example
    • Getting Ready: Initial Setup
      • 5.3.1 File Locations
      • 5.3.2 File Permissions
      • 5.3.3 TCP/IP Settings
      • 5.3.4 Key Regeneration
      • 5.3.5 Encryption Algorithms
      • 5.3.6 Integrity-Checking (MAC) Algorithms
      • 5.3.7 SSH Protocol Settings
      • 5.3.8 Compression
    • Authentication: Verifying Identities
      • 5.4.1 Authentication Syntax
      • 5.4.2 Password Authentication
      • 5.4.3 Public-Key Authentication
      • 5.4.4 Hostbased Authentication
      • 5.4.5 Keyboard-Interactive Authentication
      • 5.4.6 PGP Authentication
      • 5.4.7 Kerberos Authentication
      • 5.4.8 PAM Authentication
      • 5.4.9 Privilege Separation
      • 5.4.10 Selecting a Login Program
    • Access Control: Letting People In
      • 5.5.1 Account Access Control
      • 5.5.2 Group Access Control
      • 5.5.3 Hostname Access Control
      • 5.5.4 shosts Access Control
      • 5.5.5 Root Access Control
      • 5.5.6 External Access Control
      • 5.5.7 Restricting Directory Access with chroot
      • 5.5.8 Summary of Authentication and Access Control
    • User Logins and Accounts
      • 5.6.1 Welcome Messages for the User
      • 5.6.2 Setting Environment Variables
      • 5.6.3 Initialization Scripts
    • Forwarding
      • 5.7.1 Port Forwarding
      • 5.7.2 X Forwarding
      • 5.7.3 Agent Forwarding
    • Subsystems
    • Logging and Debugging
      • 5.9.1 OpenSSH Logging and Debugging
      • 5.9.2 Tectia Logging and Debugging
      • 5.9.3 Debugging Under inetd or xinetd
    • Compatibility Between SSH-1 and SSH-2 Servers
      • 5.10.1 Security Issues with Tectia's SSH-1 Compatibility Mode
    • Summary
  • 6. Key Management and Agents
    • What Is an Identity?
      • 6.1.1 OpenSSH Identities
      • 6.1.2 Tectia Identities
    • Creating an Identity
      • 6.2.1 Generating Keys for OpenSSH
      • 6.2.2 Generating Keys for Tectia
      • 6.2.3 Selecting a Passphrase
      • 6.2.4 Generating New Groups for Diffie-Hellman Key Exchange
    • SSH Agents
      • 6.3.1 Agents Do Not Expose Keys
      • 6.3.2 Starting an Agent
      • 6.3.3 Loading Keys with ssh-add
      • 6.3.4 Agents and Security
      • 6.3.5 Agent Forwarding
      • 6.3.6 Agent CPU Usage
      • 6.3.7 Debugging the Agent
    • Multiple Identities
      • 6.4.1 Switching Identities Manually
      • 6.4.2 Switching Identities with an Agent
      • 6.4.3 Tailoring Sessions Based on Identity
    • PGP Authentication in Tectia
    • Tectia External Keys
    • Summary
  • 7. Advanced Client Use
    • How to Configure Clients
      • 7.1.1 Command-Line Options
      • 7.1.2 Client Configuration Files
      • 7.1.3 Environment Variables
    • Precedence
    • Introduction to Verbose Mode
    • Client Configuration in Depth
      • 7.4.1 Remote Account Name
      • 7.4.2 User Identity
      • 7.4.3 Host Keys and Known-Hosts Databases
      • 7.4.4 SSH Protocol Settings
      • 7.4.5 TCP/IP Settings
      • 7.4.6 Making Connections
      • 7.4.7 Proxies and SOCKS
      • 7.4.8 Forwarding
      • 7.4.9 Encryption Algorithms
      • 7.4.10 Integrity-Checking (MAC) Algorithms
      • 7.4.11 Host Key Types
      • 7.4.12 Session Rekeying
      • 7.4.13 Authentication
      • 7.4.14 Data Compression
      • 7.4.15 Program Locations
      • 7.4.16 Subsystems
      • 7.4.17 Logging and Debugging
      • 7.4.18 Random Seeds
    • Secure Copy with scp
      • 7.5.1 Full Syntax of scp
      • 7.5.2 Handling of Wildcards
      • 7.5.3 Recursive Copy of Directories
      • 7.5.4 Preserving Permissions
      • 7.5.5 Automatic Removal of Original File
      • 7.5.6 Safety Features
      • 7.5.7 Batch Mode
      • 7.5.8 User Identity
      • 7.5.9 SSH Protocol Settings
      • 7.5.10 TCP/IP Settings
      • 7.5.11 Encryption Algorithms
      • 7.5.12 Controlling Bandwidth
      • 7.5.13 Data Compression
      • 7.5.14 File Conversion
      • 7.5.15 Optimizations
      • 7.5.16 Statistics Display
      • 7.5.17 Locating the ssh Executable
      • 7.5.18 Getting Help
      • 7.5.19 For Internal Use Only
      • 7.5.20 Further Configuration
    • Secure, Interactive Copy with sftp
      • 7.6.1 Interactive Commands
      • 7.6.2 Command-Line Options
    • Summary
  • 8. Per-Account Server Configuration
    • Limits of This Technique
      • 8.1.1 Overriding Serverwide Settings
      • 8.1.2 Authentication Issues
    • Public-Key-Based Configuration
      • 8.2.1 OpenSSH Authorization Files
      • 8.2.2 Tectia Authorization Files
      • 8.2.3 Forced Commands
      • 8.2.4 Restricting Access by Host or Domain
      • 8.2.5 Setting Environment Variables
      • 8.2.6 Setting Idle Timeout
      • 8.2.7 Disabling or Limiting Forwarding
      • 8.2.8 Disabling TTY Allocation
    • Hostbased Access Control
    • The User rc File
    • Summary
  • 9. Port Forwarding and X Forwarding
    • What Is Forwarding?
    • Port Forwarding
      • 9.2.1 Local Forwarding
      • 9.2.2 Trouble with Multiple Connections
      • 9.2.3 Comparing Local and Remote Port Forwarding
      • 9.2.4 Forwarding Off-Host
      • 9.2.5 Bypassing a Firewall
      • 9.2.6 Port Forwarding Without a Remote Login
      • 9.2.7 The Listening Port Number
      • 9.2.8 Choosing the Target Forwarding Address
      • 9.2.9 Termination
      • 9.2.10 Configuring Port Forwarding in the Server
      • 9.2.11 Protocol-Specific Forwarding: FTP
    • Dynamic Port Forwarding
      • 9.3.1 SOCKS v4, SOCKS v5, and Names
      • 9.3.2 Other Uses of Dynamic Forwarding
    • X Forwarding
      • 9.4.1 The X Window System
      • 9.4.2 How X Forwarding Works
      • 9.4.3 Enabling X Forwarding
      • 9.4.4 Configuring X Forwarding
      • 9.4.5 X Authentication
      • 9.4.6 Further Issues
    • Forwarding Security: TCP-Wrappers and libwrap
      • 9.5.1 TCP-Wrappers Configuration
      • 9.5.2 Notes About TCP-Wrappers
    • Summary
  • 10. A Recommended Setup
    • The Basics
    • Compile-Time Configuration
    • Serverwide Configuration
      • 10.3.1 Disable Other Means of Access
      • 10.3.2 sshd_config for OpenSSH
      • 10.3.3 sshd2_config for Tectia
    • Per-Account Configuration
    • Key Management
    • Client Configuration
    • Remote Home Directories (NFS, AFS)
      • 10.7.1 NFS Security Risks
      • 10.7.2 NFS Access Problems
      • 10.7.3 AFS Access Problems
    • Summary
  • 11. Case Studies
    • Unattended SSH: Batch or cron Jobs
      • 11.1.1 Password Authentication
      • 11.1.2 Public-Key Authentication
      • 11.1.3 Hostbased Authentication
      • 11.1.4 Kerberos
      • 11.1.5 General Precautions for Batch Jobs
      • 11.1.6 Recommendations
    • FTP and SSH
      • 11.2.1 FTP-Specific Tools for SSH
      • 11.2.2 Static Port Forwarding and FTP: A Study in Pain
      • 11.2.3 The FTP Protocol
      • 11.2.4 Forwarding the Control Connection
      • 11.2.5 FTP, Firewalls, and Passive Mode
      • 11.2.6 FTP and Network Address Translation (NAT)
      • 11.2.7 All About Data Connections
      • 11.2.8 Forwarding the Data Connection
    • Pine, IMAP, and SSH
      • 11.3.1 Securing IMAP Authentication
      • 11.3.2 Mail Relaying and News Access
      • 11.3.3 Using a Connection Script
    • Connecting Through a Gateway Host
      • 11.4.1 Making Transparent SSH Connections
      • 11.4.2 Using SCP Through a Gateway
      • 11.4.3 Another Approach: SSH-in-SSH (Port Forwarding)
      • 11.4.4 SSH-in-SSH with a Proxy Command (OpenSSH)
      • 11.4.5 Comparing the Techniques
    • Scalable Authentication for SSH
      • 11.5.1 Tectia with X.509 Certificates
      • 11.5.2 OpenSSH and Tectia with Kerberos
    • Tectia Extensions to Server Configuration Files
      • 11.6.1 Metaconfiguration
      • 11.6.2 Subconfiguration Files
      • 11.6.3 Quoted Values
    • Tectia Plugins
      • 11.7.1 A Plugin for Changing Expired Passwords
      • 11.7.2 A Plugin for Keyboard-Interactive Authentication
      • 11.7.3 A Plugin for External Authorization
  • 12. Troubleshooting and FAQ
    • Debug Messages: Your First Line of Defense
      • 12.1.1 Client Debugging
      • 12.1.2 Server Debugging
    • Problems and Solutions
      • 12.2.1 General Problems
      • 12.2.2 Authentication Problems
      • 12.2.3 Key and Agent Problems
      • 12.2.4 Server Problems
      • 12.2.5 Client Problems
    • Other SSH Resources
      • 12.3.1 Web Sites
      • 12.3.2 Usenet Newsgroups
  • 13. Overview of Other Implementations
    • Common Features
    • Covered Products
    • Other SSH Products
      • 13.3.1 BeOS
      • 13.3.2 Commodore Amiga
      • 13.3.3 GNU Emacs
      • 13.3.4 Java
      • 13.3.5 Macintosh OS 9
      • 13.3.6 Macintosh OS X
      • 13.3.7 Microsoft Windows
      • 13.3.8 Microsoft Windows CE (PocketPC)
      • 13.3.9 OS/2
      • 13.3.10 Palm OS
      • 13.3.11 Perl
      • 13.3.12 Unix Variants (Linux, OpenBSD, etc.)
      • 13.3.13 VMS
  • 14. OpenSSH for Windows
    • Installation
    • Using the SSH Clients
    • Setting Up the SSH Server
      • 14.3.1 Opening Remote Windows on the Desktop
    • Public-Key Authentication
      • 14.4.1 Running an Agent
    • Troubleshooting
    • Summary
  • 15. OpenSSH for Macintosh
    • Using the SSH Clients
    • Using the OpenSSH Server
      • 15.2.1 Enabling the Server
      • 15.2.2 Opening the Firewall
      • 15.2.3 Control by xinetd
      • 15.2.4 Server Configuration Details
      • 15.2.5 Kerberos Support
  • 16. Tectia for Windows
    • Obtaining and Installing
    • Basic Client Use
    • Key Management
    • Accession Lite
    • Advanced Client Use
    • Port Forwarding
    • Connector
      • 16.7.1 General Settings
      • 16.7.2 Servers for Outgoing SSH Connections
      • 16.7.3 Filter Rules for Dynamic Port Forwarding
      • 16.7.4 Configuration File
    • File Transfers
    • Command-Line Programs
    • Troubleshooting
    • Server
      • 16.11.1 Server Operation
      • 16.11.2 Server Configuration
      • 16.11.3 Commands and Interactive Sessions
      • 16.11.4 Authentication
      • 16.11.5 Access Control
      • 16.11.6 Forwarding
      • 16.11.7 SFTP Server
      • 16.11.8 Logging and Debugging
  • 17. SecureCRT and SecureFX for Windows
    • Obtaining and Installing
    • Basic Client Use
    • Key Management
      • 17.3.1 Key Generation Wizard
      • 17.3.2 Using Multiple Identities
      • 17.3.3 The SSH Agent
    • Advanced Client Use
      • 17.4.1 Mandatory Fields
      • 17.4.2 Data Compression
      • 17.4.3 Firewall Use
    • Forwarding
      • 17.5.1 Port Forwarding
      • 17.5.2 X Forwarding
    • Command-Line Client Programs
    • File Transfer
      • 17.7.1 The vcp and vsftp Commands
      • 17.7.2 Zmodem File Transfer
      • 17.7.3 SecureFX
    • Troubleshooting
      • 17.8.1 Authentication
      • 17.8.2 Forwarding
    • VShell
    • Summary
  • 18. PuTTY for Windows
    • Obtaining and Installing
    • Basic Client Use
      • 18.2.1 Plink, a Console Client
      • 18.2.2 Running Remote Commands
    • File Transfer
      • 18.3.1 File Transfer with PSCP
      • 18.3.2 File Transfer with PSFTP
    • Key Management
      • 18.4.1 Choosing a Key
      • 18.4.2 Pageant, an SSH Agent
    • Advanced Client Use
      • 18.5.1 Saved Sessions
      • 18.5.2 Host Keys
      • 18.5.3 Choosing a Protocol Version
      • 18.5.4 TCP/IP Settings
      • 18.5.5 Pseudo-Terminal Allocation
      • 18.5.6 Proxies and SOCKS
      • 18.5.7 Encryption Algorithms
      • 18.5.8 Authentication
      • 18.5.9 Compression
      • 18.5.10 Logging and Debugging
      • 18.5.11 Batch Jobs
    • Forwarding
      • 18.6.1 Forwarding with PuTTY
      • 18.6.2 Forwarding with Plink
    • Summary
  • A. OpenSSH 4.0 New Features
    • Server Features: sshd
      • Logging of Access Control Violations
      • AddressFamily Keyword
      • Password and Account Expiration Warnings
    • Client Features: ssh, scp, and sftp
      • KbdInteractiveDevices Keyword
      • More Control for Connection Sharing
      • Hashing of Hostnames
      • Port Forwarding
      • sftp Command-Line Features
    • ssh-keygen
      • Hashing Your Known Hosts File
      • Managing Hosts
  • B. Tectia Manpage for sshregex
    • Regex Syntax: Egrep Patterns
      • Escaped Tokens for Regex Syntax Egrep
    • Regex Syntax: ZSH_FILEGLOB (or Traditional) Patterns
    • Character Sets for Egrep and ZSH_FILEGLOB
    • Regex Syntax: SSH Patterns
      • Escaped Tokens for Regex Syntax SSH
      • Character Sets for Regex Syntax SSH
    • Authors
    • See Also
  • C. Tectia Module Names for Debugging
  • D. SSH-1 Features of OpenSSH and Tectia
    • OpenSSH Features
      • Serverwide Configuration
      • Client Configuration
      • Files
    • Tectia Features
      • Serverwide Configuration
      • Client Configuration
      • File Transfers
      • Key Management
      • Authentication Agent
  • E. SSH Quick Reference
    • Legend
    • sshd Options
    • sshd Keywords
    • ssh Options
    • scp Options
    • ssh and scp Keywords
    • ssh-keygen Options
    • ssh-agent Options
    • ssh-add Options
    • Identity and Authorization Files, OpenSSH
    • Identity and Authorization Files, Tectia
    • Environment Variables
  • Index