How do you create and use an SSH port? A step-by-step guide
Secure Shell, or SSH for short, is one of the most advanced technologies for protecting data in transit. Using this mode on, say, a router provides not only confidentiality of the transmitted information but also faster packet exchange. However, not everyone knows how to open an SSH port or why all of this is needed. In this case a constructive explanation is in order.
SSH port: what is it and why do we need it?
Since we are talking about security, in this case the SSH port should be understood as a dedicated communication channel in the form of a tunnel that provides data encryption.
The most basic scheme of this tunnel is that the open SSH port is used by default to encrypt data at the source and decrypt it at the endpoint. This can be explained as follows: whether you like it or not, the transmitted traffic, unlike with IPSec, is forcibly encrypted both at the output of the network terminal and at the input of the receiving side. To decrypt the information transmitted over this channel, the receiving terminal uses a special key. In other words, without the key nobody can intercept the data being transmitted at that moment or compromise its integrity.
Simply opening the SSH port on any router, or using the appropriate settings of an additional client that interacts directly with the SSH server, lets you make full use of all the security features of modern networks. The question here is how to use the port that is assigned by default, or custom settings. In practice these parameters may look complicated, but you cannot set up such a connection without understanding them.
Standard SSH port
If you are going by the parameters of a particular router, you first need to determine which software will be used to bring up this connection. In fact, the default SSH port can have different settings. Everything depends on which method is being used at the moment (a direct connection to the server, installing an additional client, port forwarding, and so on).
For example, if Jabber is used as the client, port 443 should be used for a correct connection, encryption and data transfer, although the standard setting is port 22.
To reconfigure the router so that a particular program or process gets the conditions it needs, you will have to set up SSH port forwarding. What is that? It is the assignment of specific access to a single program that uses an Internet connection, regardless of which data exchange protocol (IPv4 or IPv6) is currently set.
Technical rationale
The standard SSH port 22 is not always used, as is already clear. However, it is worth highlighting some of the characteristics and settings used during setup.
Why does the encrypted data confidentiality protocol involve using SSH as a purely external (guest) user port? Only because the tunneling used makes it possible to use the so-called remote shell (SSH), to gain access to terminal management through remote login (slogin), and to use the remote copy procedure (scp).
In addition, the SSH port can come into play when the user needs to run remote X Windows scripts, which in the simplest case is the transfer of information from one machine to another, as already mentioned, with forced data encryption. In such situations the use of the AES-based algorithm becomes most necessary. This is a symmetric encryption algorithm, which was originally provided for in SSH technology. And using it is not only possible but necessary.
History of the technology
The technology itself appeared quite a long time ago. Let us set aside for now the question of how to forward the SSH port, and look at how it all works.
Usually it comes down to using a Socks-based proxy or using VPN tunneling. If a given software application can work with a VPN, it is better to choose this option. The fact is that almost all programs known today that use Internet traffic can work with a VPN, but configuring the routing is not that easy. This, as in the case of proxy servers, lets you keep the external address of the terminal from which the network is currently being accessed unrecognized. That is, with a proxy the address changes constantly, while in the VPN variant it stays unchanged and fixed to a particular region, other than the one where access is prohibited.
The technology that provides the SSH port itself was developed in 1995 at the University of Technology in Finland (SSH-1). In 1996 an improvement was added in the form of the SSH-2 protocol, which became quite widespread in the post-Soviet space, although there, as in some Western European countries, it is sometimes necessary to obtain permission to use this tunnel, and from government agencies at that.
The main advantage of opening an SSH port, as opposed to telnet or rlogin, is the use of RSA or DSA digital signatures (using a pair of public and private keys). In addition, in this situation you can use a so-called session key based on the Diffie-Hellman algorithm, which implies the use of symmetric encryption at the output, although this does not rule out the use of asymmetric encryption algorithms during data transmission and reception by another machine.
Servers and shells
On Windows or Linux, opening an SSH port is not that difficult. The only question is which tools will be used for this purpose.
In this respect you need to pay attention to the issues of data transmission and authentication. First, the protocol itself is sufficiently protected against so-called sniffing, which is the most ordinary "wiretapping" of traffic. SSH-1 turned out to be vulnerable to attacks. Interference in the data transfer process in the form of a "man in the middle" scheme produced results. The information could simply be intercepted and deciphered quite trivially. But the second version (SSH-2) was protected against this kind of interference, known as session hijacking, which is what made it the most popular.
Security restrictions
As for the security of the data being transmitted and received, a connection established using such technologies lets you avoid the following problems:
- key identification to the host at the transmission stage, when a fingerprint "snapshot" is used;
- support for Windows and Unix-like systems;
- substitution of IP and DNS addresses (spoofing);
- interception of open passwords with physical access to the data channel.
In fact, the whole organization of such a system is built on the "client-server" principle; that is, first of all the user's computer, through a special program or add-on, contacts the server, which performs the corresponding redirection.
Tunneling
It goes without saying that to implement a connection of this kind, a special driver must be installed on the system.
As a rule, on Windows systems this is the Microsoft Teredo driver built into the software shell, which is a kind of virtual means of emulating IPv6 on networks that support only IPv4. The tunnel adapter is active by default. In the event of failures related to it, you can simply restart the system or run the shutdown and restart commands from the command console. To deactivate it, the following lines are used:
- netsh;
- interface teredo set state disabled;
- interface isatap set state disabled.
After entering the commands, a restart is required. To re-enable the adapter and check its status, the value enabled is entered in place of disabled, after which, again, the whole system must be restarted.
SSH server
Now let us look at how the SSH port is used as the main one, starting from the "client-server" scheme. By default port 22 is usually used but, as mentioned above, port 443 can also be used. The only question is the preferences of the server itself.
The most common SSH servers are considered to be the following:
- for Windows: Tectia SSH Server, OpenSSH with Cygwin, MobaSSH, KpyM Telnet/SSH Server, WinSSHD, copssh, freeSSHd;
- for FreeBSD: OpenSSH;
- for Linux: Tectia SSH Server, ssh, openssh-server, lsh-server, dropbear.
All of these servers are free. However, you can also find paid services that offer a higher level of security, which is extremely important for organizing network access and protecting information in enterprises. The cost of such services is not discussed here. But in general it can be said that it is relatively inexpensive, even compared with installing specialized software or a "hardware" firewall.
SSH client
The SSH port can be changed through the client program or through the appropriate settings when forwarding the port on your router.
However, if we turn to client shells, the following software products can be used for different systems:
- Windows: SecureCRT, PuTTY\KiTTY, Axessh, ShellGuard, SSHWindows, ZOC, XShell, ProSSHD, etc.;
- Mac OS X: iTerm2, vSSH, NiftyTelnet SSH;
- Linux and BSD: lsh-client, kdessh, openssh-client, Vinagre, putty.
Public key authentication and changing the port
Now a few words about how verification and server setup work. In the simplest case you need to use the configuration file (sshd_config). However, you can do without it, for example when using programs such as PuTTY. Changing the SSH port from the default value (22) to any other is quite elementary.
The main thing is that the port number being opened does not exceed the value 65535 (higher ports simply do not exist). In addition, you should pay attention to some ports that are open by default, which can be used by clients such as MySQL or FTPD databases. If you specify them in the SSH configuration, they will of course simply stop working.
It should be noted that the same Jabber client must run in the same environment as the SSH server, for example on a virtual machine. And the localhost server itself must be assigned the value 4430 (rather than 443, as mentioned above). This configuration can be used when access to the main file jabber.example.com is restricted by a firewall rule.
On the other hand, ports can be forwarded on the router itself, using its interface configuration to create exception rules. On most models the interface is reached by entering an address starting with 192.168 followed by 0.1 or 1.1, but on routers that combine the capabilities of ADSL modems, such as Mikrotik, the final part of the address involves 88.1.
In this case a new rule is created and the necessary parameters are set, for example dst-nat for the external connection, and the ports are specified manually, not under the general settings but in the Action section. There is nothing particularly complicated here. The main thing is to specify the required settings values and set the correct port. By default you can use port 22, but if the client uses a special one (one of those above, for different systems), the value can be changed arbitrarily, provided only that this parameter does not exceed the stated value, above which port numbers simply do not exist.
When setting up the connection, you should also pay attention to the parameters of the client program. It may well be that its settings require you to specify the minimum key length (512), although the default is usually 768. It is also advisable to set the login timeout to 600 seconds and to prohibit remote access with root privileges. After applying these settings, you also need to set the permission for the use of authentication rights, apart from those based on the use of .rhost (but this is needed only by system administrators).
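The port and login checks described in this section (a port number within 1-65535 that does not collide with FTP or MySQL, a login timeout of at most 600 seconds, no remote root login) can be run against an sshd_config file. The following is an added example, not code from the original article; the function names, the RESERVED table and the sample configuration are constructed for illustration, while Port, LoginGraceTime and PermitRootLogin are the OpenSSH directive names.

```python
import re

# Ports of the other services named in the text (FTP, MySQL); constructed table.
RESERVED = {21: "FTP", 3306: "MySQL"}
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# Constructed sample input, not taken from a real host.
SAMPLE_CONFIG = """\
# sshd_config (sample)
Port 3306
Port 70000
LoginGraceTime 20m
PermitRootLogin yes
"""

def parse(text):
    """Collect global 'Keyword value' pairs; keywords are case-insensitive."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) < 2:
            continue
        key = parts[0].lower()
        if key == "match":  # conditional blocks are out of scope here
            break
        opts.setdefault(key, []).append(parts[1].strip())
    return opts

def seconds(value):
    """Convert sshd time values such as 600, 10m or 1h30m to seconds."""
    pairs = re.findall(r"(\d+)([smhdw]?)", value.lower())
    return sum(int(n) * UNITS[u] for n, u in pairs)

def audit(text):
    """Return findings for the port, login timeout and root login settings."""
    opts, findings = parse(text), []
    for value in opts.get("port", []):  # Port may be given several times
        port = int(value)
        if not 1 <= port <= 65535:
            findings.append(f"Port {port}: outside 1-65535")
        elif port in RESERVED:
            findings.append(f"Port {port}: already used by {RESERVED[port]}")
    for value in opts.get("logingracetime", [])[:1]:  # first value wins
        if seconds(value) == 0 or seconds(value) > 600:  # 0 means no limit
            findings.append(f"LoginGraceTime {value}: not within 600 seconds")
    for value in opts.get("permitrootlogin", [])[:1]:
        if value.lower() != "no":
            findings.append(f"PermitRootLogin {value}: root login not disabled")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```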
Among other things, if the user name registered in the system does not match the one being entered at the moment, it must be specified explicitly using the ssh master command with additional parameters (for those who understand what this is about).
The command ~/.ssh/id_dsa (or rsa) can be used to convert the key and the encryption method. To create the public key, conversion using the line ~/.ssh/identity.pub is used (though not necessarily). However, as practice shows, it is easiest to use commands such as ssh-keygen. Here the essence of the matter comes down only to adding the key to the available authentication tools (~/.ssh/authorized_keys).
But we have gone too far. If we return to the question of configuring the SSH port, then, as is already clear, changing the SSH port is not that difficult. However, in some situations, as they say, you will have to sweat, because you need to take into account all the values of the key parameters. Otherwise, the configuration question comes down to logging in to some server or client program (if this is provided for initially), or to using port forwarding on the router. But even when changing the default port 22 to the same 443, you must clearly understand that such a scheme does not always work, but only in the case of installing that same Jabber add-on (other analogues may use their own corresponding ports, which differ from the standard ones). In addition, special attention should be paid to setting the parameters of the SSH client that will interact directly with the SSH server, if that is really what is intended for the current connection.
Otherwise, if port forwarding is not provided for initially (although it is advisable to perform such actions), the settings and parameters for access via SSH need not be changed. Problems when creating the connection and in its further use are, in general, not expected (unless, of course, manual configuration of the server and client is used). Creating the most ordinary exception rule on the router lets you fix any problems or avoid them.