Learning SSH

ssh_config vs. sshd_config

ssh_config: configuration file for the SSH client on the host machine you are running. For example, if you want to ssh to another remote host machine, you use an SSH client. Every setting for this SSH client is read from ssh_config, such as port number, protocol version and encryption/MAC algorithms.

sshd_config: configuration file for the sshd daemon (the program that listens for incoming connection requests on the SSH port) on the host machine. That is to say, if someone wants to connect to your host machine via SSH, their SSH client settings must match your sshd_config settings in order to communicate with you, such as port number, version and so on.

--https://prasadlinuxblog.wordpress.com/2012/09/13/what-is-the-difference-between-ssh_config-and-sshd_config/


The role of Host in SSH

The first time you log in to a server over SSH, a warning appears and asks you to choose. After you answer yes, the host is added to ~/.ssh/known_hosts.

What known_hosts does:

The client may check that the server is a known one, and not some rogue server trying to pass itself off as the right one. SSH provides only a simple mechanism to verify the server's legitimacy: it remembers servers you've already connected to, in the ~/.ssh/known_hosts file on the client machine (there's also a system-wide file /etc/ssh/known_hosts). The first time you connect to a server, you need to check by some other means that the public key presented by the server is really the public key of the server you wanted to connect to. If you have the public key of the server you're about to connect to, you can add it to ~/.ssh/known_hosts on the client manually.

The first time you connect to an unknown server, you need to confirm the server's authenticity through its public key. Once you have confirmed it, the address of the server you connected to is added to known_hosts, and from then on that address is treated as trusted.

For example:

The authenticity of host 'mint.phcomp.co.uk (78.32.209.33)' can't be established.
RSA key fingerprint is SHA256:jP0pfKJ9OAXt2F+LM7j3+BMalQ/2Koihl5eH/kli6A4.
Are you sure you want to continue connecting (yes/no)? 


So how do you check the server's fingerprint? I read ssh-check-server-fingerprint and still didn't understand it, so I'm leaving that aside for now.
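As an added example (not code from the original post), this shows how the SHA256 fingerprint in the prompt above is derived from the server's public key line, so it can be compared with a fingerprint obtained out of band, and how a plain known_hosts entry is looked up. The key bytes and host names are constructed; hashed known_hosts entries are assumed absent.

```python
import base64
import hashlib
import hmac
import struct

def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def ed25519_pubkey_line(raw_key: bytes, comment: str = "") -> str:
    """Build an OpenSSH public-key line from a raw 32-byte Ed25519 key."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw_key)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}".rstrip()

def parse_pubkey_line(line: str):
    """Split 'type base64blob [comment]'; the blob itself starts with the
    type string again, so the two must agree."""
    fields = line.split()
    keytype, blob = fields[0], base64.b64decode(fields[1])
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type field does not match blob contents")
    return keytype, blob

def fingerprint(line: str) -> str:
    """What 'ssh-keygen -lf' and the 'key fingerprint is ...' prompt print:
    SHA256 over the raw blob, base64 with the '=' padding removed."""
    _, blob = parse_pubkey_line(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def fingerprint_matches(line: str, expected: str) -> bool:
    """Compare the prompt's fingerprint with one obtained out of band."""
    return hmac.compare_digest(fingerprint(line), expected)

def known_hosts_lookup(known_hosts_text: str, hostname: str):
    """Fingerprint recorded for hostname in known_hosts text, or None if the
    host is not yet known. Hashed '|1|...' entries are skipped (assumption:
    plain host names only, as in the page's example)."""
    for raw in known_hosts_text.splitlines():
        fields = raw.split()
        if len(fields) < 3 or fields[0].startswith("|1|"):
            continue
        if hostname in fields[0].split(","):  # "host,alias,ip type blob"
            return fingerprint(" ".join(fields[1:3]))
    return None

# Constructed sample key (32 fixed bytes, not a real server key).
SAMPLE_LINE = ed25519_pubkey_line(bytes(range(32)), "test@example")
SAMPLE_KNOWN_HOSTS = "mint.example.test,192.0.2.10 " + SAMPLE_LINE + "\n"
```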


User authentication

The server only lets a remote user log in if that user can prove that they have the right to access that account. Depending on the server's configuration and the user's choice, the user may present one of several forms of credentials (the list below is not exhaustive).

  • The user may present the password for the account that he is trying to log into; the server then verifies that the password is correct.
  • The user may present a public key and prove that he possesses the private key associated with that public key. This is exactly the same method that is used to authenticate the server, but now the user is trying to prove their identity and the server is verifying them. The login attempt is accepted if the user proves that he knows the private key and the public key is in the account's authorization list (~/.ssh/authorized_keys on the server).
  • Another type of method involves delegating part of the work of authenticating the user to the client machine. This happens in controlled environments such as enterprises, when many machines share the same accounts. The server authenticates the client machine by the same mechanism that is used the other way round, then relies on the client to authenticate the user.

 -- Source: https://unix.stackexchange.com/questions/42643/ssh-key-based-authentication-known-hosts-vs-authorized-keys

The commonly used authentication methods are:

  • logging in with an account name and password;
  • authenticating with a public/private key pair.

Both are configured through sshd_config.

Configuring password login

Set the following in sshd_config (no disables password login):
PasswordAuthentication no


Login command

ssh user@host
then enter the password.

Configuring public key authentication

PubkeyAuthentication
Specifies whether public key authentication is allowed. The default is ''yes''. Note that this option applies to protocol version 2 only.

Following https://kb.iu.edu/d/aews

First, SSH must be installed on both your machine and the server; that is not covered here. Then add your public key to ~/.ssh/authorized_keys of the corresponding user on the server.

If your key file does not have the default name, you can point to it in ssh_config:

For example, for connections to host2.somewhere.edu, to make SSH automatically invoke the private key host2_key, stored in the ~/.ssh/old_keys directory, create a ~/.ssh/config file with these lines included:

vim ~/.ssh/config
Host host2.somewhere.edu
    IdentityFile ~/.ssh/old_keys/host2_key

Once that is set up, a plain ssh user@host is enough.
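An added example (not from the post or from OpenSSH) that covers both the sshd_config keywords above and the ~/.ssh/config Host block: a minimal parser for the OpenSSH config syntax following its first-obtained-value-wins rule, with Host pattern matching and an audit of PasswordAuthentication and PubkeyAuthentication against their defaults (a commented-out keyword leaves the default in force). Match blocks are ignored and the sample configs are constructed.

```python
import fnmatch
# sshd_config(5) defaults for the two keywords this page sets.
SSHD_DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes"}
def parse_openssh_config(text):
    """Yield (host_patterns, keyword, value); patterns is None for global lines.
    A commented line such as '#PubkeyAuthentication yes' sets nothing at all."""
    patterns = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        kw, val = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if kw in ("host", "match"):  # Match blocks get an empty list: never match
            patterns = val.split() if kw == "host" else []
            continue
        yield patterns, kw, val

def host_matches(patterns, hostname):
    """Host semantics: some pattern matches and no '!'-negated pattern does."""
    hit = False
    for p in patterns:
        if fnmatch.fnmatchcase(hostname, p.lstrip("!")):  # '*' and '?' wildcards
            if p.startswith("!"):
                return False
            hit = True
    return hit

def client_option(text, hostname, keyword):
    """ssh_config: the FIRST obtained value wins, so specific Hosts go first."""
    for patterns, kw, val in parse_openssh_config(text):
        if kw == keyword.lower() and (patterns is None or host_matches(patterns, hostname)):
            return val
    return None

def audit_sshd(text):
    """Effective global values (Match blocks ignored) and the weak ones found."""
    effective = dict(SSHD_DEFAULTS)
    # walk the file backwards so the first occurrence is the last one written (first wins)
    for patterns, kw, val in reversed(list(parse_openssh_config(text))):
        if patterns is None and kw in effective:
            effective[kw] = val.lower()
    weak = {"passwordauthentication": "yes", "pubkeyauthentication": "no"}
    findings = [f"{kw} is {val}" for kw, val in effective.items() if weak[kw] == val]
    return effective, findings
# Constructed samples (not from any real host): the page's ~/.ssh/config plus a
# wildcard block, and an sshd_config whose PubkeyAuthentication is still commented out.
CLIENT_CONFIG = ("Host host2.somewhere.edu\n    IdentityFile ~/.ssh/old_keys/host2_key\n"
                 "Host *.somewhere.edu !host3.somewhere.edu\n    IdentityFile ~/.ssh/edu_key\n")
SSHD_CONFIG = "#PubkeyAuthentication yes\nPasswordAuthentication no\n"
```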

Debugging ssh

  1. Client-side debugging

ssh -vvv git@github.com

See the pile of debug output? Go and check whether the private key used for the connection is the right one!

  2. Server-side debugging

/usr/sbin/sshd -d -p 2222

Then connect to this new port from the client:

ssh -vvv host -p 2222

Now both sides print log output.

sshd -d enters debug mode; -p specifies the port to listen on.

ssh -v

     -v      Verbose mode.  Causes ssh to print debugging messages about its
             tion, and configuration problems.  Multiple -v options increase
             the verbosity.  The maximum is 3.

Source: http://rockybean.info/2015/04/13/ssh-login-debug-method-and-problems

Sometimes the error the logs report is too broad; then you have to narrow it down from experience or by trying things one at a time.

For example, I set PubkeyAuthentication to no, and the connection then failed with

ssh_exchange_identification: Connection closed by remote host

That error covers a lot of ground.

The sshd_config problem on macOS

For the full default sshd_config, see: https://apple.stackexchange.com/questions/271948/setup-config-of-ssh-macos

I changed #PubkeyAuthentication yes to PubkeyAuthentication yes, then connected with ssh and got the error:

ssh_exchange_identification: Connection closed by remote host

Posted 2017-06-07 15:13 by Jay54520