Learning SSH
ssh_config and sshd_config
ssh_config: configuration file for the ssh client on the host machine you are running. For example, if you want to ssh to another remote host machine, you use an SSH client. Every setting for this SSH client comes from ssh_config, such as port number, protocol version and encryption/MAC algorithms.
sshd_config: configuration file for the sshd daemon (the program that listens to any incoming connection request to the ssh port) on the host machine. That is to say, if someone wants to connect to your host machine via SSH, their SSH client settings must match your sshd_config settings in order to communicate with you, such as port number, version and so on.
The role of the host in SSH
The first time you log in to a server over SSH, a warning appears and asks you to choose. After you answer yes, the server is added to ~/.ssh/known_hosts.
What known_hosts does:
The client may check that the server is a known one, and not some rogue server trying to pass off as the right one. SSH provides only a simple mechanism to verify the server's legitimacy: it remembers servers you've already connected to, in the ~/.ssh/known_hosts file on the client machine (there's also a system-wide file /etc/ssh/known_hosts). The first time you connect to a server, you need to check by some other means that the public key presented by the server is really the public key of the server you wanted to connect to. If you have the public key of the server you're about to connect to, you can add it to ~/.ssh/known_hosts on the client manually.
The first time you connect to an unknown server, you need to use its public key to confirm that the server is legitimate. Once you have confirmed it, the address of the connected server is added to known_hosts, and from then on that address is treated as trusted.
For example:
The authenticity of host 'mint.phcomp.co.uk (78.32.209.33)' can't be established.
RSA key fingerprint is SHA256:jP0pfKJ9OAXt2F+LM7j3+BMalQ/2Koihl5eH/kli6A4.
Are you sure you want to continue connecting (yes/no)?
So how do you check the server fingerprint? I read ssh-check-server-fingerprint and still could not make sense of it, so I am leaving this aside for now.
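One way to check the fingerprint shown in the prompt above, as an added example that is not part of the original post: the value after "SHA256:" is the unpadded base64 of the SHA-256 hash of the server's public key blob, so it can be recomputed from a host public key line obtained over a trusted channel (for example, read from the server's console). The function names and the constructed sample key are assumptions of this example.

```python
import base64
import hashlib
import struct


def sha256_fingerprint(pubkey_line: str) -> str:
    """Fingerprint of an OpenSSH public-key line: '<keytype> <base64> [comment]'."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<keytype> <base64-blob> [comment]'")
    keytype, blob = fields[0], base64.b64decode(fields[1], validate=True)
    # The blob begins with a length-prefixed copy of the key type; a mismatch
    # means the line is damaged or was edited by hand.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode("ascii", "replace"):
        raise ValueError("key type does not match key blob")
    # The prompt shows base64(SHA-256(blob)) with the '=' padding stripped.
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def matches_prompt(trusted_pubkey_line: str, prompt_fingerprint: str) -> bool:
    """True if the fingerprint ssh displayed belongs to the trusted key."""
    return sha256_fingerprint(trusted_pubkey_line) == prompt_fingerprint.strip()


def constructed_key_line(seed: bytes) -> str:
    """Constructed sample: 32 hash bytes stand in for an Ed25519 public key."""
    key = hashlib.sha256(seed).digest()
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + key
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " constructed"


if __name__ == "__main__":
    trusted = constructed_key_line(b"server you meant to reach")
    shown = sha256_fingerprint(trusted)
    print(shown, "->", matches_prompt(trusted, shown))   # same key
    other = sha256_fingerprint(constructed_key_line(b"some other server"))
    print(other, "->", matches_prompt(trusted, other))   # different key
```

Answer yes at the prompt only when the comparison succeeds; a mismatch means the key presented is not the one you obtained from the server.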
User authentication
The server only lets a remote user log in if that user can prove that they have the right to access that account. Depending on the server's configuration and the user's choice, the user may present one of several forms of credentials (the list below is not exhaustive).
The user may present the password for the account that he is trying to log into; the server then verifies that the password is correct.
The user may present a public key and prove that he possesses the private key associated with that public key. This is exactly the same method that is used to authenticate the server, but now the user is trying to prove their identity and the server is verifying them. The login attempt is accepted if the user proves that he knows the private key and the public key is in the account's authorization list (~/.ssh/authorized_keys on the server).
Another type of method involves delegating part of the work of authenticating the user to the client machine. This happens in controlled environments such as enterprises, when many machines share the same accounts. The server authenticates the client machine by the same mechanism that is used the other way round, then relies on the client to authenticate the user.
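Commonly used user authentication methods:
- Logging in with an account name and password;
- Authenticating with a public/private key pair;
They are configured through sshd_config.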
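How sshd arrives at the value of the two settings behind these methods, as an added example that is not from the original post: a commented-out line leaves the default in force, and for each keyword the first uncommented value wins. The function name, the constructed sample file and the restriction to the global section of a single file (Match blocks and Include are not followed) are assumptions of this example.

```python
# Documented OpenSSH defaults for the two keywords discussed on this page.
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes"}

# Constructed sample in the style of a shipped sshd_config.
SAMPLE = """\
# commented lines only document the default
#PubkeyAuthentication yes
PasswordAuthentication no
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
"""


def effective_auth_settings(config_text: str) -> dict:
    """Return {keyword: (value, source)}; source is 'line N' or 'default'."""
    result = {k: (v, "default") for k, v in DEFAULTS.items()}
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # sshd ignores blank lines and comments
        parts = line.split()
        keyword, args = parts[0].lower(), parts[1:]  # keywords are case-insensitive
        if keyword == "match":
            break  # conditional section starts; only global settings are resolved
        if keyword in DEFAULTS and args and result[keyword][1] == "default":
            # The first value obtained for a keyword wins; later lines are ignored.
            result[keyword] = (args[0], f"line {lineno}")
    return result


if __name__ == "__main__":
    for keyword, (value, source) in effective_auth_settings(SAMPLE).items():
        print(f"{keyword} = {value} ({source})")
```

On a real host, sshd -T prints the effective configuration the daemon would use.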
Configuring password login
Set PasswordAuthentication no in sshd_config
Login command
ssh user@host
Enter the password
Configuring public key authentication
PubkeyAuthentication
Specifies whether public key authentication is allowed. The default is ''yes''. Note that this option applies to protocol version 2 only.
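First, SSH must be installed on both your machine and the server; I won't go into that here. Then add your public key to ~/.ssh/authorized_keys of the corresponding user on the server.
If your public key does not have the default name, you can change this through ssh_config:
For example, for connections to host2.somewhere.edu, to make SSH automatically invoke the private key host2_key, stored in the ~/.ssh/old_keys directory, create a ~/.ssh/config file with these lines included: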
vim ~/.ssh/config
Host host2.somewhere.edu
IdentityFile ~/.ssh/old_keys/host2_key
Once that is set up, you can simply run ssh user@host.
Debugging ssh
- Client-side debugging
ssh -vvv git@github.com
See the pile of debug output? Go and check whether the private key used for the connection is the right one!
- Server-side debugging
/usr/sbin/sshd -d -p 2222
Connect to this new port from the client:
ssh -vvv host -p 2222
Now both sides print log output.
sshd -d enters debug mode; -p specifies the port to listen on.
ssh -v
-v Verbose mode. Causes ssh to print debugging messages about its
tion, and configuration problems. Multiple -v options increase
the verbosity. The maximum is 3.
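Source: http://rockybean.info/2015/04/13/ssh-login-debug-method-and-problems
Sometimes the error reported in the log is too broad, and then you have to locate the problem from experience or try things one by one.
For example, I set PubkeyAuthentication to no, and then the connection failed with: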
ssh_exchange_identification: Connection closed by remote host
That error covers a lot of ground.
A problem with sshd_config on macOS
For the original default sshd_config, see: https://apple.stackexchange.com/questions/271948/setup-config-of-ssh-macos
I changed #PubkeyAuthentication yes to PubkeyAuthentication yes, then connected with ssh, and got the error:
ssh_exchange_identification: Connection closed by remote host