ݳsuAڭ̨ӻAiO@ܦΪuڡILiHڭ̧KzDC
LAKkKA}@ɳiHյnJADäӦnDNA]i|wʪDoI
ҥH~nSOjդ@UoӪNڡI
11.1.1 OݳsuA
Aڭ̨AѤ@UAOyݳsuAzH
oӪF𫍧\ରHڷQAAӤwgťLA@}ںWAAWAiHݭnùBLB
ƹPtơAunDOBCPUBRAMBwЦA[W@n@IdAåBsWںA
oDNѧAݭnAȤFCpGAݭns]woDAӦpnJDo
bash ӾaPiקOHNonzLsuAAȤFC
OIAqաAݳsuAbѧAѻݳzLrιϧΤ觋ӵnJtΡA
Abݪu@enJ Linux DHoiޱD (shell)AӵnJ᪺ާ@PıWNbtΫe@I
ҥHաAAMݭnݺALBƹBùCAunu@iH`su컷ݥDYiڡC
HӤHҡAثezQX Unix-Like DAoǥDbP@ӦaAGbnxWUBI
sn骺|}QoGAΪ̬Oݭni@B~]wɭԡAO_H@wn{ܡHMݭnA
unzLsuӥDWANiHiu@FIuNnbDeu@@몺Pr֡I
^_^IoNOݳsuAաI
ܦhH|Aڥ FTP ]nJbKXӵnJڡHPoӳ`ͨ쪺nJPH̤jPbo shell
i檺u@աI ssh/telnet/VNC 觋orιϧ shell iܦhtκzȡAPª
FTP i檺u@MPI
Au@ݭnϥΨ Linux jj{ysĶ\ɡAA@wݭn Linux aIӥB̦nOBtק֤@IDA
oӮɭԧAiHNAsdz̧֪@D}XӡA]w@UݳsuAAAǥͰաAΪ̬OsǪPաA
iHzLoL̶isu@AoӮɭԡAADNiHhHi Linux B⪺\աI
|ҨӻAPXs٦ajǪѮvBPǭ̲իؤF@զAŪO[cq (PC cluster)A
ثeڭ̦bӹqW] MM5 BModels3 jPŮ~ҦAnbo˪[cU]ƭȼҦ]A
DnNOҶqBOC|ϥΨӲչqnhHADjabb@ùeu@HMݭnաI
oɭԴNOݳsuAAȽdoI
O_C@s Internet WDӭn}ݳsu\OHäɵMA
٬OݭnwADӶiWAڭ̩UAPu@ӻG
b@ں}AȪAAѩ}Aȥi|nTAӻݳsu{siDA
iHi檺u@SӦhF(XGNbDeu@@I)A]Aݳsu{q`Ȱwֳtκ@̶}ӤwI
DnA_h Server Dٯuij}suAȩOI
HҡAڪDѤFڭ̬sǨϥ Mail P Internet W WWW AȡApG٥DʴѻݳsuܡA
U@p߳QJIAiN˸FI]Aȶ}yܤpztκzsiӡA
Lӷ IP @ߩסI\ϥλݳsu\OI
ҿתu@NOѺںAȪDAȴѤjqBOϥΪ̡C
JMѺںAȡAAٶ}suAFHOաIe쪺 PC cluster jqB⪺չqA
]iH٤u@A]Sѱ`AȹILnѵϥΪ̵nJvAoˤja~ΪB\ڡI
ɧANonw鷺AΪ̬OSwYǨӷ}L̨ϥΧAu@oI
11.1.2 ǥiѵnJH
ثeݳsuADnǡHpGHnJsuӤAWrPϧΤءG
- rXG telnet, rsh DAثeD`֥ΡF
- rKXG ssh DAwgNWz telnet, rsh X觋F
- ϧΤG Xdmcp, VNC, RDP `
brnJsuAADnHyXzǰeƪ telnet AAΥH[KNiƥ[KAǰe
SSH AIM telnet iH䴩ΤݳnhALѩOϥΩXӶǰeơAAƫܮeD즳ߤHh^I
ҥHӧڭ̳I~jahϥ SSH o@سsu觋
ܩϧΤsuAA²檺 Xdmcp (X Display Manager Control Protocol)A[] Xdmcp ²A
LΤݪn֡Ct~@ڥثeܱ`ϧγsuAANO VNC (Virtual Network Computing)A
zL VNC server/client nӶisCpGAQnϥ Windows ݮୱsuAӥ\ϥΪO RDP (Remote Desktop
Protocol)AAion[] RDP A~C
ϧΤ̤juIOyϧΡzڡILA]OzLϧΨӶǰeAǿ骺ƶq۷jA
ҥHtPwʳݦҶqC]Aڭ̶ȫijANϧΤݵnJA}b (LAN) NnFI
OyXzPy[Kzƫʥ]ǰeҦOH telnet ϥΩXNwHҿתXNOG
yڭ̪ƫʥ]bWǿɡAӸƫʥ]eƪl榡zA
]NOAAϥ telnet nJݥDɡAOonJbKXܡHAbKXOH쥻Ʈ榡ǿA
ҥHpGQ tcpdump ťn^ơA
AbKNiQѨաI
ҥHաAU@Aƫʥ]̭tHΥdơBKXBT{nTɡAO_ܦMIoH
]Aثeڭ̳q`ƱϥΥiHNoǦbW]ƥ[KNAHW[Ʀb
Internet WǰewʰڡI
ssh wAOzL ssh qDǿTɡAӰTbWwA]ƬO[KLAYϳQѨA
i]|DƤeA]TwCoN ssh oӳqTwNwI̷NqPI
ѩXǿ骺 telnet, rsh suAwgQ ssh NAåBb@ǹΤWwgܤ֬ݨ telnet P rsh FA
]brWۭ ssh ΡA]AH rsync ǥ ssh qDӶi沧aƴȵCܩϧΤh|
Xdmcp, VNC P RDP I]ܦhu@ϥΪ̻ݭnܥL̦bu@@᪺ϧΧe{A]o]OܭnOI
ѩeݳsuAjhOXAӥBw]ǸwDA]ӴN SSH oӨwӨNWzoǩNNC
SSH OOHS\H²檺ӻASSH O Secure SHell protocol
²g (wߵ{w)AiHzLƫʥ][KNANݶǿ骺ʥ][KAǿWA
]AưTMNwoIo SSH iHΨӨNw finger, R Shell (rcp, rlogin, rsh ), talk telnet
suҦCUڭ̱N²@U SSH suҦAӻ SSH ưT|wOI
SO`NGo SSH wAbw]AANѨӦA\G
- @ӴNO telnet ݳsuϥ shell AAYOU٪ ssh F
- t@ӴNO FTP AȪ sftp-server Iѧw FTP AȡC
11.2.1 su[KN²
Oyƥ[KzOH²檺ANONH̬ݪolqlơAgL@ǹBAoǸܦSNqýX
(ܤֹHӻ)AMAoөNNbWǿAӷϥΪ̷Qnd\oӸƮɡAAzLѱKBA
NoǩNNϱXlqlơCѩoǸƤwgQsBzLAҥHAYϸƦbںWQ cracker
ťѨAL̤]eNoXӭlƤeC
``A[KIOӤHPyܰաIpGAABͬwnϥΧĄqYدSOyA
oӻyuĄӦNqCĄHܮɡAb䪺Hť쪺uO@SNqnA]LťڡI
YϸHNAnUӡAunLDA̪SλyALNiAѧA̹ܪeoC
[ѱKB⪺PND`hAڭ̳o̤hQzװDAuڭ̤@ǥ[ѱKӤwC
ثe`ʥ][KNq`OǥѩҿתyD٪_tzӳBzC
DnOzL⤣@˪_Pp_ (Public and Private Key) զX@W@LG_ (key pair) A
Qγo_Ӷiƪ[ѱKu@Co_ͫӪOH
- _ (public key)GDnѦAѵΤݤUF
- p_ (private key)GΤݨo_AzLBHͤ@p_AANp_ǵAϥΡC
ҥHjaݪ줽_AOp_oOHBⲣͪAӥΤݲͨp_öi@BզX_A
ɦAPΤݨ䧡o_CƭniǰeɭԡAtη|ϥΤ_Ӷi[KAݦKXA
tη|ϥΨp_ӶiѱKCѩb Internet W]ƬO[KL᪺AҥHAƤeMNwաI
11.2-1B_Pp_biƶǿɪܷN
ƥ[KNu۷hA]UuIABtק֡AOwFwAO[K/ѱKtC
ثeb SSH ϥΤWADnOQ RSA/DSA/Diffie-Hellman I
ثe SSH wءAOO version 1 P version 2 A𫟺 V2 ѩ[WFsu˴A
iHקKsuQJcNXA] V1 ٭n[wCҥHoAкɶqϥ V2 YiAnϥ V1 oC
LOتA٬Oݭnp_[KtΪAoǤ_Pp_OpͪOHUڭ̴Nӽͤ@ͰաI
ڭ̥iHN ssh AݻPΤݪsuBJܷNUϡAܩBJpG
11.2-2Bssh AݻPΤݪsuBJܷN
- Aإߤ_G
C@Ұ sshd AȮɡAӪAȷ|Dʥh /etc/ssh/ssh_host* ɮסAYtέw˧ɡAѩSoǤ_ɮסA]
sshd |DʥhpXoǻݭn_ɮסAPɤ]|pXAۤvݭnp_(ΩĤBJ)F
- ΤݥDʳsunDG
YΤݷQnsu ssh AAhݭnϥξAΤݵ{ӳsuA]A ssh, pietty Τݵ{F
- Aǰe_ɵΤG
ΤݪnDAAKNĤ@ӨBJo_ɮǰeΤݨϥ (OXǰe)F
- ΤݰO/A_ƤHpp_G
YΤݲĤ@s즹AAh|N_ưOΤݪϥΪ̮aؿ ~/.ssh/known_hosts
CYOwgOLӦA_ơAhΤݷ|h惡쪺PeOO_tCY_ơA
h}lpp_ơF
- ^Ǩp_ƨAG
zLe@ӨBJo_i[KANosupұop_ƥ[KǰeAA
ɥѥΤݶǰeAݪƬO[KIӦAݫhzLۤvp_ӶiѱKCɪ[KӬOVA
YѥΤݥ[KeӪƥuAѱKAAeXhƥΤݬOѱKA]èSѱKp_C
]e 1~4 BJbAeΤݳoӤVAӳOXǰeF
- Ap_A}lV[ѱKsuG
AoΤݪp_A~OzL_tζiV[ѱKF
bWz 4 BJAΤݪp_OHBⲣͩsuAҥHAosuPUsup_iN|@˰աI
~bΤݪϥΪ̮aؿU ~/.ssh/known_hosts |OgsuLD public
key AΥHT{ڭ̬OsWTAC
|
DG
pͷsAݪ ssh _PAۤvϥΪp_H
(G`NADnbwg`B@AWA]i|yLΤݪxZI)
G
ѩAѪ_Pۤvp_m /etc/ssh/ssh_host* A]AiHo˰G
[root@www ~]# rm /etc/ssh/ssh_host* <==R_
[root@www ~]# /etc/init.d/sshd restart
b sshd: [ Tw ]
b SSH1 RSA D_: [ Tw ] <==UTӨBJsͪ_I
b SSH2 RSA D_: [ Tw ]
b SSH2 DSA D_: [ Tw ]
bҰ sshd: [ Tw ]
[root@www ~]# date; ll /etc/ssh/ssh_host*
Mon Jul 25 11:36:12 CST 2011
-rw-------. 1 root root 668 Jul 25 11:35 /etc/ssh/ssh_host_dsa_key
-rw-r--r--. 1 root root 590 Jul 25 11:35 /etc/ssh/ssh_host_dsa_key.pub
-rw-------. 1 root root 963 Jul 25 11:35 /etc/ssh/ssh_host_key
-rw-r--r--. 1 root root 627 Jul 25 11:35 /etc/ssh/ssh_host_key.pub
-rw-------. 1 root root 1675 Jul 25 11:35 /etc/ssh/ssh_host_rsa_key
-rw-r--r--. 1 root root 382 Jul 25 11:35 /etc/ssh/ssh_host_rsa_key.pub
# ݤ@UWXPɮתإ߮ɶAإߪs_Bp_tΡI
|
|
11.2.2 Ұ SSH A
ƹWAbڭ̨ϥΪ Linux tηAw]Nwgt SSH ҦݭnnFIo]tFiHͱKXw
OpenSSL nP
OpenSSH n (1)AҥHOAnҰ SSH
uO²FINLҰʴNOFI~Abثe Linux Distributions
AOw]Ұ SSH AҥH@I·СA]Υh]wALNwgҰʤFI
zIuOn֡LצpAڭ٬Oo@oӱҰʪ觋aIҰʴNOH
SSH daemon A²٬ sshd ӱҰʪAҥHAʥiHo˱ҰʡG
[root@www ~]# /etc/init.d/sshd restart
[root@www ~]# netstat -tlnp | grep ssh
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 :::22 :::* LISTEN 1539/sshd
|
ݭn`NOASSH ѤF shell ڭ̨ϥΡAYO ssh protocol DnتAPɥ紣ѤF@Ӹw
FTP server AYO ssh-ftp server ڭ̷O FTP ӨϥΡIҥHAo sshd iHPɴ
shell P ftp IӥBO[cb port 22 WOIҥHAUڭ̴NӴ@A˥
Client ݳsW Server ݩOHPɡApH FTP AȨӳsW Server åBϥ FTP \OH
11.2.3 ssh Τݳsu{ -
Linux Τ
pGAΤݬO Linux ܡAߧAFAw]pUAAtΤwgUҦOAiHwB~nI
UNӤФ@UoǫOaI
SSH b client ݨϥΪO ssh oӫOAoӫOiHwsu (version1, version2)A
٥iHwDW ssh port (W ssh port 22)CLA@몺ΪkiHϥΩU觋G
[root@www ~]# ssh [-f] [-o Ѽƶ] [-p DWf] [b@]IP [O]
ﶵPѼơG
-f GݭntX᭱ [O] AnJݥDoe@ӫOLhӤwF
-o ѼƶءGDnѼƶئG
ConnectTimeout= GsuݪơAֵݪɶ
StrictHostKeyChecking=[yes|no|ask]Gw]O askAYn public key
Dʥ[J known_hosts AhiH]w no YiC
-p GpGA sshd AȱҰʦbDWf (22)AݨϥΦءF
[O] GnJݥDAoeOLhCP -f NqӬۦPC
# 1. sunJDk (HnJ)G
[root@www ~]# ssh 127.0.0.1
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
RSA key fingerprint is eb:12:07:84:b9:3b:3f:e4:ad:ba:f1:85:41:fc:18:3b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '127.0.0.1' (RSA) to the list of known hosts.
root@127.0.0.1's password: <==bo̿J root KXYiI
Last login: Mon Jul 25 11:36:06 2011 from 192.168.1.101
[root@www ~]# exit <==}o ssh su
# ѩ ssh ᭱S[WbA]w]ϥηebӵnJݦA
|
@ϥ ssh nJݥDA|gy ssh b@DIP z榡A
NOAϥθӥDYbnJNCOܦhBͳwgbAYϥΡy ssh DIP z榡C
pPWdұpCn`NApGgbܡA|HaݹqbӹյnJݡC
]NOApGݻPݨ㦳ۦPbAgb]SYApWdҡCOAFHߺD۷QA
٬O@}lNϥ email 觋ӵnJݥDAo˪欰ߺDnաI
WX{TA}Y RSA ᭱NOݦA_XApGTwӫXSDAANonJ
yes ӱNӫXgJA_O (~/.ssh/known_hosts)AHKӤӦATʤΡC
`NOng yes A¿J Y y O|Q~A
ѩӥD_wgQOA]ӭƨϥ ssh nJDɡAN|X{oӫXܤFC
# 2. ϥ student bnJ
[root@www ~]# ssh student@127.0.0.1
student@127.0.0.1's password:
[student@www ~]$ exit
# ѩ[JbA] student FIt~A] 127.0.0.1 nJLA
# ҥHN|AX{ܧAnW[D_ToI
# 3. nJDLOߨ}觋G
[root@www ~]# ssh student@127.0.0.1 find / &> ~/find1.log
student@localhost's password:
# ɧA|o{edFHoO]WYO|yAAwgnJݥDA
# O檺O|]A]A|bݷCpwtΦۤv]H
# 4. PWDۦPAODۤv]ӫOAAߨ^ݥD~u@G
[root@www ~]# ssh -f student@127.0.0.1 find / &> ~/find1.log
# ɧA|ߨnX 127.0.0.1 A find O|ۤvbݦA]I
|
WzdҷA 4 ӽdҳ̦ΡIpGAQnݥDiOApG[W -f ѼơA
A|ݹDANAXsuAoXzC]A[W -f Nܭn]A|wݥDۤv]A
ӤݭnbŪŵݡCҦpGyssh -f root@some_IP shutdown -h now zOoC
# 5. R known_hosts Asϥ root su쥻AB۰ʥ[W_O
[root@www ~]# rm ~/.ssh/known_hosts
[root@www ~]# ssh -o StrictHostKeyChecking=no root@localhost
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
root@localhost's password:
# pWҥܡA|ݧA yes no աI|gJ ~/.ssh/known_hosts I
|
Wұ``ϥ ssh suPǪqhݥLSXAɭԷ|g script Ӷi浪װC
ɦpGCxqbDʥ[W_ɰOAonJy yes zA|֦I[Wo StrictHostKeyChecking=no
NܦUաIL|߰ݦ۰ʥ[JD_ɮפA@ϥΪUjA{}ӻA
oNiNܤΤFI
AnJݦAɡA|Dʪα쪺A public key h ~/.ssh/known_hosts L_A
Mi橳Uʧ@G
- Y_|OAh߰ݨϥΪ̬O_OCYnO (dҤ^ yes ӨBJ) hgJ ~/.ssh/known_hosts
B~nJu@FYO (^ no) hgJɮסAåB}nJu@F
- Y쪺_wOAhOO_ۦPAYۦPh~nJʧ@FYۦPAhX{ĵiTA
B}nJʧ@CoOΤݪۧګO@\AקKAAOQOH˪C
MA ssh q`i|ܡADOApGOեΪDA]``bswˡAA_֩wg`PA
GupܡAANLk~nJFIHڭ̨Ӽ@UoӦ欰aIALHաI
|
DG
Asw˫A]AϥάۦP IP AyۦP IP A_PAͪDPѨMDH
G
QΫe@p`L觋AR즳tΤ_AsҰ ssh A_sG
rm /etc/ssh/ssh_host*
/etc/init.d/sshd restart
M᭫sϥΩU觋Ӷisuʧ@G
[root@www ~]# ssh root@localhost
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ <==NiDAiD
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
a7:2e:58:51:9f:1b:02:64:56:ea:cb:9c:92:5e:79:f9.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending key in /root/.ssh/known_hosts:1 <==_᭱ƦrNODƦ渹
RSA host key for localhost has changed and you have requested strict checking.
Host key verification failed.
|
WzX{~TASr骺abiDAG/root/.ssh/known_hosts 1 A̭_Po쪺GPA
ܥiQFIHSYաIЧAϥ vim /root/.ssh/known_hosts AñN 1 (_ : ᭱ƦrNOF)
RAAs ssh LAtΤS|sݧAnn[W_oINo²I ^_^
|
ssh OnJݦAiu@ApGAuOQnqݦAUΤWɮשOH
NOϥ ssh աAӥnϥ sftp scpCoӫO]Oϥ ssh qD (port 22)AuO
FTP Pƻsʧ@ӤwCڭ̥ͽ sftp AoӫOΪkP ssh ܬۦAuO ssh OΦbnJ sftp
bW/UɮצӤwC
[root@www ~]# sftp student@localhost
Connecting to localhost...
student@localhost's password: <== o̽пJKXڡI
sftp> exit <== o̴NObݧAJ ftp OaFI
|
iJ sftp ANb@ FTP ҦUާ@kSˤFIUڭ̴Nӽͤ@͡A
sftp oӤUϥΫOaI
| wﻷAD (Server) 欰 |
| ܴؿ /etc/test ΨLؿ |
cd /etc/test
cd PATH |
| CXثeҦbؿUɦW |
ls
dir |
| إߥؿ |
mkdir directory |
| Rؿ |
rmdir directory |
| ܥثeҦbؿ |
pwd |
| ɮשΥؿs |
chgrp groupname PATH |
| ɮשΥؿ֦ |
chown username PATH |
| ɮשΥؿv |
chmod 644 PATH
𫟺A644 PvI^hݰ¦gI |
| إ߳s |
ln oldname newname |
| RɮשΥؿ |
rm PATH |
| ɮשΥؿW |
rename oldname newname |
| }ݥD |
exit (or) bye (or) quit |
| w糧 (Client) 欰([W l, L pg ) |
| ܴؿ쥻 PATH |
lcd PATH |
| CXثeҦbؿUɦW |
lls |
| bإߥؿ |
lmkdir |
| ܥثeҦbؿ |
lpwd |
| wƤW/U欰 |
| NɮץѥWǨ컷ݥD |
put [ؿɮ] []
put [ؿɮ]
pGOoخ榡Ahɮ|mثeݥDؿUI |
| NɮץѻݥDU^ |
get [ݥDؿɮ] []
get [ݥDؿɮ]
YOoخ榡Ahɮ|mbثeҦbؿIiHϥθUΦrAҦpG
get *
get *.rpm
OiH榡I |
NӨA sftp b Linux UApGҼ{ϧΤALwgiHN
FTP FOI]Ҧ\ೣwg[\աI]AbҼ{ϧΤ FTP nɡAiH
FTP AȡAӧH sftp-server Ӵ FTP AȧaI ^_^
|
DG
] localhost ݦAABAW student oӨϥΪ̡CAQn (1)N /etc/hosts WǨ student aؿA
(2)N student .bashrc ƻs쥻 /tmp UAӦpzL sftp FH
G
[root@www ~]# sftp student@localhost
sftp> lls /etc/hosts <==ݬݥSoɮ
/etc/hosts
sftp> put /etc/hosts <==ܡANWǧaI
Uploading /etc/hosts to /home/student/hosts
/etc/hosts 100% 243 0.2KB/s 00:00
sftp> ls <==SWǦ\HݻݥؿUɦW
hosts
sftp> ls -a <==SɩOH
. .. .bash_history .bash_logout
.bash_profile .bashrc .mozilla hosts
sftt> lcd /tmp <==ؿ /tmp
sftp> lpwd <==uOiT{ӤwI
Local working directory: /tmp
sftp> get .bashrc <==SDNUaI
Fetching /home/student/.bashrc to .bashrc
/home/student/.bashrc 100% 124 0.1KB/s 00:00
sftp> lls -a <==ݥaɮɦW
. .font-unix keyring-rNd7qX .X11-unix
.. .gdm_socket lost+found scim-panel-socket:0-root
.bashrc .ICE-unix mapping-root .X0-lock
sftp> exit <==}aI
|
|
pGAwϥΤri FTP ǿA٥iHzLϧΤӳs sftp-server I
AiHQΤGQ@ FTP A쪺 Filezilla ӶisuաI
p@ӡAPAɮǿNKhFaI
q`ϥ sftp O]iणDAWɦWɮצsbApGwgDAWɮɦWFA
²檺ɮǿhOzL scp oӫOI²檺 scp ΪkpUG
[root@www ~]# scp [-pr] [-l tv] file [b@]D:ؿW <==W
[root@www ~]# scp [-pr] [-l tv] [b@]D:file ؿW <==U
ﶵPѼơG
-p GOd쥻ɮתvơF
-r GƻsӷؿɡAiHƻsӥؿ (tlؿ)
-l GiHǿ骺tסA쬰 Kbits/s AҦp [-l 800] Nǿt 100Kbytes/s
# 1. N /etc/hosts* ƻs 127.0.0.1 W student aؿ
[root@www ~]# scp /etc/hosts* student@127.0.0.1:~
student@127.0.0.1's password: <==J student KX
hosts 100% 207 0.2KB/s 00:00
hosts.allow 100% 161 0.2KB/s 00:00
hosts.deny 100% 347 0.3KB/s 00:00
# ɦW i eq(bytes) ǿt Ѿlɶ
# AiHJӬݡAX{TANqpWҥܡC
# 2. N 127.0.0.1 oݥD /etc/bashrc ƻs쥻 /tmp U
[root@www ~]# scp student@127.0.0.1:/etc/bashrc /tmp
|
WǩΤUIOӫ_ (:) oIsb_᭱NOݥDɮסC
]ApG_beANNOqݥDUUӡApG_bAhNƤWǰաI
ӦpGQnƻsؿܡAiH[W -r ﶵI
|
DG
]ɮɦW /root/dd_10mb_file Aoɮצ 10 MB ojC]AQnWǨ 127.0.0.1 /tmp UhA
ӥBAb 127.0.0.1 W root oӱbϥvCѩWe_QA]AuQnO 100Kbyes/s ǿq@ʧ@A
ӦpUFOH
G
ѩw]sboɮסA]ڭ̱oϥ dd ӫإߤ@ӤjɮסG
dd if=/dev/zero of=/root/dd_10mb_file bs=1M count=10
إߧAѩOWǸơA[ -l ﶵAӳtvΪO bit Aনeq bytes ݭnW 8 A]ONnoˤUFG
scp -l 800 /root/dd_10mb_file root@127.0.0.1:/tmp
|
11.2.4 ssh Τݳsu{ -
Windows Τ
P Linux POAw] Windows èS ssh Τݵ{A]Ҧ{onULĤTn~C
`nDn pietty, psftp filezilla CUNڭ̨ӽͽͳoXӳnaC
b Linux UQns SSH AAiHQ ssh oӫOAb Windows
@~tΩUNonϥ pietty putty oӪNAo̪UIаѦ (2)G
b putty xWܦhniHϥΪA]A putty/pscp/psftp CL̤OF ssh/scp/sftp
oTӫONOFCӳRΪ pietty hOxWLwͮھ putty ҧ睊ӦCѩ pietty F㪺ۮe putty
~AٴѤFP㪺rsXAbܦnΩOAҥHUNH pietty ӧ@oCbAU pietty
AɮסAN|X{pUeoG
11.2-3Bpietty ҰʵeܷN
bWϤbY 1 aжgDW٩Ϊ̬O IP AbY 2 Mȥ SSH @AܩbY 3
aAwX{˦A]iHק@ pietty ҳ]wȡAҥHOܿաI
YSDAUysuzAN|X{pUݵnJPJb/KƪeG
11.2-4Bpietty nJPϥεeܷN
oӹϥܷ|AHObDeu@aIӥBWY٦iHHɽվrΡBrBrsXnҰѼơC
רOrsXDAɭԧA|o{}ɮɡAMe|ýXӤO`ܡA
NOsXDCnѨMoӰDɡAAncOUTӸytsXƭnۦP~G
- rɮץbsɮɩҬD諸ytF
- Linux { (p bash n) ҨϥΪyt (i LANG ܼƽվ)F
- pietty ҨϥΪytC
ڭ̪D Linux sXiHzL LANG oܼƨӽվAӦpվ pietty sXOHAiHzL
11.2-4 CyﶵzӳBzApUҥܡG
11.2-5Bվ pietty ytsX觋 (P)
byﶵzyrsXz̭iHD big5 (cp950) Ϊ̬O unicode (utf8) sXAŦXA Linux
PɮשxsƮ榡ArN OK աI ^_^IpGQn@ӳ]wɡAiHܹ 11.2-5 WY̩UӡyԲӳ]wzءA
N|X{pUϥܡC𫟺nOyLkƦrQnͮġzɡA
iHӤUϪܨӱҰʼƦr䪺\G
![pietty nҸԲӳ]wAPLkƦr](/linux_server/0310telnetssh//centos6_pietty-04.gif "pietty nҸԲӳ]wAPLkƦr")
11.2-6Bpietty nҸԲӳ]wAPLkƦr
NWϤbY 2 ҫӶؤĿ_ӥBUyApplyzAALkƦr~`ϥΩOA_hkƦr|OýXաC
AӡAAiHվ pietty bOЦơAo˷ƤӦhɡAA¥iHվ㱲bӬd\eơC]wkpUG
11.2-7BվeiHOЪơAiΤ^hݸhee
վ㧹oDZ`ΪƫAAӳoO̭nGyAnH@Ӫ SSH tknJHzeLAڭ̹w]OH
version2 ӵnJAҥHo̧ڭ̥iHվ㬰 2 ӶءIo˨CnJ|H version 2 ҦnJDFI
![]wnJAɨϥΪ ssh tk](/linux_server/0310telnetssh//centos6_pietty-06.gif "]wnJAɨϥΪ ssh tk")
11.2-8B]wnJAɨϥΪ ssh tk
pietty ϥλP]wy{NOoˡIp@ӡAANiHb Windows WH SSH wAnJݪ Linux
DPIKaI ^_^ IpGQn䴩ܡAثe pietty wg䴩աIAiHJILݭnק@UrA
11.2-5 yﶵzyrzN|X{pUϥܡG
11.2-9Bܤ媺rλPsX
N(1)r]wөB(2)r]wyBig5zAp@ӡAA pietty
N䴩媺JoI
Wڭ̧@odz]wȳOb̰ڡHIOb Windows nɷڡIAiHb Windows
tηAby}lz-->yzAX{خؤJyregeditzA
|X{@ӤjCЦb䪺eܡy
HKEY_CURRENT_USER --> Software --> SimonTatham --> PuTTY --> SessionszA
NiHݨA]woI ^_^I oˡA]NiHxsA]wo
b putty xW] psftp o{Co@{Ihbϥ sftp-serverCϥΪ觋iHI
psftp oɮסALҰʡAh|X{UϼˡG
psftp: no hostname specified; use "open host.name" to connect
psftp>
|
oӮɭԥiHJAnsWhDW١AҦpڪϰ줺 192.168.100.254 oDG
psftp: no hostname specified; use "open host.name" to connect
psftp> open 192.168.100.254
login as: root
root@192.168.100.254's password:
Remote working directory is /root
psftp> <== o̴NbݧAJ FTP OFI
|
Io˴NnJDաI²aIMLϥΤ觋e쪺 sftp @˭I[oϥΧaI
SSH ҴѪ sftp \uQί¤r psftp ӳsuܡHSϧΤnOHIMI
NOD`Ϊ Filezilla oIFilezilla OϧΤ@ FTP ΤݳnAϥΤWD`KA
ܩԲӪw˻Pϥάy{аѦҲĤGQ@ vsftpd I
11.2.5 sshd Aӳ]w
WAҦ sshd AԲӳ]wb /etc/ssh/sshd_config
̭ILAC Linux distribution w]]wӬۦPAҥHڭ̦nAѤ@Uӳ]wȪNq~nI
PɽЪ`NAbw]ɮפAunOw]X{BQѪ]w
(]wȫe[ #)AYyw]ȡIzAAiH̾ڥӭק諸C
[root@www ~]# vim /etc/ssh/sshd_config
# 1. SSH Server ]wA]tϥΪ port աAHΨϥΪKXt觋
# Port 22
# SSH w]ϥ 22 oportA]iHϥΦhportAYƨϥ port oӳ]wءI
# ҦpQn} sshd b 22 P 443 Ahh[@椺eGy Port 443 z
# M᭫sҰ sshd o˴NnFILAijק port number աI
Protocol 2
# ܪ SSH wAiHO 1 ]iHO 2 ACentOS 5.x w]OȤ䴩 V2C
# pGQn䴩ª V1 ANonϥΡy Protocol 2,1 z~C
# ListenAddress 0.0.0.0
# ťDdI|ӨҤlӻApGA IPAOO 192.168.1.100
# 192.168.100.254A]AuQn 192.168.1.100 iHť sshd ANo˼gG
# y ListenAddress 192.168.1.100 zw]ȬOťҦ SSH nD
# PidFile /var/run/sshd.pid
# iHm SSHD o PID ɮסIWzw]
# LoginGraceTime 2m
# ϥΪ̳sW SSH server A|X{JKXeAbӵeA
# bh[ɶS\sW SSH server Nj_uIYLhw]ɶI
# Compression delayed
# wɶ}lϥYƼҦiǿC yes, no PnJ~NY (delayed)
# 2. D Private Key mɮסAw]ϥΤUɮקYiI
# HostKey /etc/ssh/ssh_host_key # SSH version 1 ϥΪp_
# HostKey /etc/ssh/ssh_host_rsa_key # SSH version 2 ϥΪ RSA p_
# HostKey /etc/ssh/ssh_host_dsa_key # SSH version 2 ϥΪ DSA p_
# ٰOoڭ̦bD SSH suy{̭ͨ쪺Ao̴NO Host Key
# 3. nɪTƩmP daemon W١I
SyslogFacility AUTHPRIV
# Hϥ SSH nJtΪɭԡASSH |OTAoӸTnOb daemon name
# UHw]OH AUTH ӳ]wAYO /var/log/secure ̭IHѰOFI
# ^ Linux ¦h½@UCLiΪ daemon name GDAEMON,USER,AUTH,
# LOCAL0,LOCAL1,LOCAL2,LOCAL3,LOCAL4,LOCAL5,
# LogLevel INFO
# nOšIKKITIP˪AѰOFN^hѦҡI
# 4. w]wءInI
# 4.1 nJ]w
# PermitRootLogin yes
# O_\ root nJIw]O\AOij]w noI
# StrictModes yes
# O_ sshd hˬdϥΪ̮aؿάɮתvơA
# oOFߨϥΪ̱NYǭnɮתv]Ai|ɭP@ǰDҭPC
# ҦpϥΪ̪ ~.ssh/ v]ɡAYǯSpU|\ΤnJ
# PubkeyAuthentication yes
# AuthorizedKeysFile .ssh/authorized_keys
# O_\ΤۦϥΦ諸_tζinJ欰AȰw version 2C
# ܩۻs_ƴNmϥΪ̮aؿU .ssh/authorized_keys
PasswordAuthentication yes
# KXҷMOݭnIҥHo̼g yes oI
# PermitEmptyPasswords no
# YW@pG]w yes ܡAo@N̦n]w no A
# oӶئbO_\HŪKXnJIM\I
# 4.2 {ҳ
# RhostsAuthentication no
# tΤϥ .rhostsA]Ȩϥ .rhostsӤwFAҥHo̤@wn]w no
# IgnoreRhosts yes
# O_ϥ ~/.ssh/.rhosts Ӱ{ҡIMOI
# RhostsRSAAuthentication no #
# oӿﶵOM version 1 ΪAϥ rhosts ɮצb /etc/hosts.equiv
# tX RSA t觋Ӷi{ҡInϥΰڡI
# HostbasedAuthentication no
# oӶػPWALO version 2 ϥΪI
# IgnoreUserKnownHosts no
# O_aؿ ~/.ssh/known_hosts oɮשҰODeH
# MnAҥHo̴NO no աI
ChallengeResponseAuthentication no
# \KX{ҡIҥHA login.conf Ww{Ҥ觋AiAΡI
# ثeڭ̤wϥ PAM Ҳz{ҡA]oӿﶵiH]w no I
UsePAM yes
# Q PAM zϥΪ̻{ҦܦhnBAiHOPzC
# ҥHo̧ڭ̫ijAϥ UsePAM B ChallengeResponseAuthentication ]w no
@
# 4.3 P Kerberos ѼƳ]wI]ڭ̨S Kerberos DAҥHUγ]wI
# KerberosAuthentication no
# KerberosOrLocalPasswd yes
# KerberosTicketCleanup yes
# KerberosTgtPassing no
@
# 4.4 UOb X-Window UϥΪ]wI
X11Forwarding yes
# X11DisplayOffset 10
# X11UseLocalhost yes
# nO X11Forwarding ءALiHƳzL ssh qDӶǰeI
# b᭱i ssh ϥΤk|ͨC
# 4.5 nJ᪺ءG
# PrintMotd yes
# nJO_ܥX@ǸTOHҦpWnJɶBaIAw]O yes
# YOCLX /etc/motd oɮתeCOApGFwAiHҼ{אּ no I
# PrintLastLog yes
# ܤWnJTIiHڡIw]]O yes I
# TCPKeepAlive yes
# FsuAA|@ǰe TCP ʥ]ΤǥHP_觋_@sbsuC
# LApGsuɤѾȮɰAȴXA]|su_I
# boӱpUA@ݦASSHiHߨ訚DIӤ|͵{Ǫo͡I
# pGAθѾ``íwAiH]w no աI
UsePrivilegeSeparation yes
# O_ϥvC{ǨӴѨϥΪ̾ާ@Cڭ̪D sshd Ұʦb port 22 A
# ]Ұʪ{ǬOݩ root C student nJAoӳ]w
# | sshd ͤ@ݩ sutdent sshd {ǨӨϥΡAtθw
MaxStartups 10
# Pɤ\Xө|nJsueHڭ̳sW SSH AO|JKXɡA
# oӮɭԴNOڭ̩ҿתsueաIboӳsueAFO@DA
# ҥHݭn]w̤jȡAw]̦hQӳsueAӤwgإ߳supboQӷ
# 4.6 ϥΪ̩ת]wءG
DenyUsers *
# ]wתϥΪ̦W١ApGOϥΪ̡ANOקaI
# YOϥΪ̡AiHNӱbJIҦpUCI
DenyUsers test
DenyGroups test
# P DenyUsers ۦPIȩ״XӸsզӤwI
# 5. SFTP AȻPL]wءI
Subsystem sftp /usr/lib/ssh/sftp-server
# UseDNS yes
# @ӻAFnP_ΤݨӷO`XkA]|ϥ DNS hϬdΤݪDW
# LpGObsAoس]w no |suFtפ֡C
|
WACentOS w] sshd AȤwgOwFAL٤IijA
(1)N root nJvF (2)N ssh ]w 2 CL]wȴNЧA̷Ӧۤvߦnӳ]wFC
q`ijiHKקաIt~ApGAקLWoɮ(/etc/ssh/sshd_config)ANݭnsҰʤ@
sshd o daemon ~IYOG
11.2.6 s@αKXiߧYnJ ssh Τ
Aγ\wgQFAJM ssh iHϥ scp ӶiƻsܡAگणN scp Om crontab AȤA
ڭ̪tγzL scp bIUۦwiƻsPƥOHpAOGyw]pU\ʧ@zI
ƻOH]w]pUAAnzLݵnJAP scp ʪJKX~ڡI crontab S|AݤJKXA
ҥHӵ{ǴN|@dӵLkb crontab 榨\I
Hڭ̭noӦnΪƻsuܡHMOաIڭ̥iHzL_{ҨtΨӳBzI
JM SSH iHϥΪ_tΨӤơAåBѨϥΪ̸ƪ[K\AiiQγo Key
NѨϥΪ̦ۤviJDAӤݭnJKXOHInDNIڭ̥iHN Client ͪ Key L Server AҥHA
H Client nJ Server ɡAѩ̦b SSH nsuTǻANwgL Key FA
]AiHߧYiJƶǿ馉AӤݭnAJKXOIb@WBJiHOG
- Τݫإߨ_GQ@QAb_tΤAO_n٬Op_nH
MOp_nI]p_~OѱKڡIҥHoAo_ͷMobo_suΤݫظm~CQΪO
ssh-keygen oөROF
- Τݩmnp_ɮGN Private Key b Client WaؿAY $HOME/.ssh/ A
åBon`NvI
- N_mAݪTؿPɦWhG̫AN Public Key
b@ӧAQnΨӵnJAݪY User aؿ .ssh/ ̭{ɮקYiӵ{ǡC
OnܧxˤlABJu²Aڭ̨̧ǨӶi@~nFI]epUAӶi檺BJhpUϡG
- Server www.centos.vbird o 192.168.100.254 DAϥΪb dmtsai F
- Client clientlinux.centos.vbird o 192.168.100.10 vbirdtsai oӱbA
ӱbnΨӵnJ 192.168.100.254 oD dmtsai bC
11.2-10Bs@ݭnKX ssh by{
إߪk²Ab clientlinux.centos.vbird oDWH vbirdtsai ӫإߨ_ͧYiC
LAݭn`NOAڭ̦hرKXtkApGwStkAhw]H RSA tkӳBzG
[vbirdtsai@clientlinux ~]$ ssh-keygen [-t rsa|dsa] <==i rsa dsa
[vbirdtsai@clientlinux ~]$ ssh-keygen <==ιw]kإߪ_
Generating public/private rsa key pair.
Enter file in which to save the key (/home/vbirdtsai/.ssh/id_rsa): <== enter
Created directory '/home/vbirdtsai/.ssh'. <==ؿYsbh|Dʫإ
Enter passphrase (empty for no passphrase): <== Enter KX
Enter same passphrase again: <==AJ@ Enter aI
Your identification has been saved in /home/vbirdtsai/.ssh/id_rsa. <==p_
Your public key has been saved in /home/vbirdtsai/.ssh/id_rsa.pub. <==_
The key fingerprint is:
0f:d3:e7:1a:1c:bd:5c:03:f1:19:f1:22:df:9b:cc:08 vbirdtsai@clientlinux.centos.vbird
[vbirdtsai@clientlinux ~]$ ls -ld ~/.ssh; ls -l ~/.ssh
drwx------. 2 vbirdtsai vbirdtsai 4096 2011-07-25 12:58 /home/vbirdtsai/.ssh
-rw-------. 1 vbirdtsai vbirdtsai 1675 2011-07-25 12:58 id_rsa <==p_
-rw-r--r--. 1 vbirdtsai vbirdtsai 416 2011-07-25 12:58 id_rsa.pub <==_
|
Ъ`NWAڪO vbirdtsai AҥHڰ ssh-keygen ɡA~|bڪaؿU .ssh/
oӥؿ̭ͩһݭn Keys AOOp_ (id_rsa) P_ (id_rsa.pub)C
~/.ssh/ ؿnO 700 v~It~@ӭnSO`NNO id_rsa
ɮvաILnO -rw------- Bݩ vbirdtsai
ۤv~I_hbӪ_諸L{Ai|QPwMIӵLk\Hp_ɮתӹFsuC
Aإߨp_w]vPɦWmmOTAAunˬdLSDYiC
]ڭ̭nnJ www.centos.vbird OH dmtsai A]ڭ̴NonNWӨBJإߪ_ (id_rsa.pub)
WǨAW dmtsai Τ~CpWǩOH²檺kMNOϥ scp I
[vbirdtsai@clientlinux ~]$ scp ~/.ssh/id_rsa.pub dmtsai@192.168.100.254:~
# WǨ dmtsai aؿUYiC
|
ٰOo sshd_config ̭ͨ쪺 AuthorizedKeysFile
oӳ]wȧaHӳ]wȴNObw_ӭnmɦWoIҥHAڭ̥nAݪ dmtsai oӥΤᨭUA
NWǪ id_rsa.pub ƪ[ authorized_keys oɮפ~C@kIoˡG
# 1. إ ~/.ssh ɮסA`Nvݭn 700 I
[dmtsai@www ~]$ ls -ld .ssh
ls: .ssh: S@ɮשΥؿ
# ѩiOsتΤA]oӥؿsbCsb~@Uإߥؿ欰
[dmtsai@www ~]$ mkdir .ssh; chmod 700 .ssh
[dmtsai@www ~]$ ls -ld .ssh
drwx------. 2 dmtsai dmtsai 4096 Jul 25 13:06 .ssh
# v]wAȥO 700 BݩϥΪ̥HbPsդ~I
# 2. N_ɮפƨϥ cat s authorized_keys
[dmtsai@www ~]$ ls -l *pub
-rw-r--r--. 1 dmtsai dmtsai 416 Jul 25 13:05 id_rsa.pub <==T꦳sb
[dmtsai@www ~]$ cat id_rsa.pub >> .ssh/authorized_keys
[dmtsai@www ~]$ chmod 644 .ssh/authorized_keys
[dmtsai@www ~]$ ls -l .ssh
-rw-r--r--. 1 dmtsai dmtsai 416 Jul 25 13:07 authorized_keys
# oɮתv]wANonO 644 ~iHIiHdVFI
|
o˴Ndw_toIHAq clientlinux.centos.vbird vbirdtsai nJ www.centos.vbird dmtsai ΤɡA
NݭnKXoI|ҨӻAAiHo˴լݬoG
|
DG
zLWzרҽmߦ\AЦb clientlinux vbirdtsai ANtΪ /etc/hosts* ɮƻs www.centos.vbird dmtsai Τ᪺aؿC
G
[vbirdtsai@clientlinux ~]$ scp /etc/hosts* dmtsai@192.168.100.254:~
hosts 100% 187 0.2KB/s 00:00
hosts.allow 100% 161 0.2KB/s 00:00
hosts.deny 100% 347 0.3KB/s 00:00
# A|o{A쥻|X{ӱKXܸƤ|X{FI
[vbirdtsai@clientlinux ~]$ ssh dmtsai@192.168.100.254 "ls -l"
-rw-r--r--. 1 dmtsai dmtsai 196 2011-07-25 13:09 hosts
-rw-r--r--. 1 dmtsai dmtsai 370 2011-07-25 13:09 hosts.allow
-rw-r--r--. 1 dmtsai dmtsai 460 2011-07-25 13:09 hosts.deny
-rw-r--r--. 1 dmtsai dmtsai 416 2011-07-25 13:05 id_rsa.pub
# T꦳ƻshFIܥXTݸƭI
|
|
²檺BJaIoˤ@ӡAϥ ssh ΤݫONiHݱKXFILצpAbإߪ_tΪBJAnOoOG
- Client s@X Public & Private o keysAB Private ݩ ~/.ssh/ F
- Server n Public Key ABmϥΪ̮aؿU ~/.ssh/authorized_keysAPɥؿv (.ssh/) O 700
ɮvh 644 APɮת֦̻PsճPӱbkX~C
ӡAAٷQnnJLDɡAunNA public key (NO id_rsa.pub oɮ) L
copy LDWhAåBsWYb ~/.ssh/authorized_keys oɮפII\I
11.2.7 ²w]w
ѹ껡AjaQySSH OӦwAȡzҴFFI
sshd äwI½} openssh LhvӬݡAT꦳ܦhHOQ ssh {|}ӨoݥD root
vAi@B±𫍧DIҥHoNܡA]OܦwաI
sshd ҿתywzOy sshd ƬO[KLAҥHLƦb Internet
WǻɬOwCܩ sshd oӪAȥNO˦wFIҥHGyDnAnN
sshd Internet }inJvAɶq]bXӤpd IP ΥDW٧YiIoܭnI
nFAw]w譱ASȱo`NOHMOաIڭ̥iHijXӶاaIOiHѩUoT譱ӶiG
- An饻]wjơG/etc/ssh/sshd_config
- TCP wrapper ϥΡG/etc/hosts.allow, /etc/hosts.deny
- iptables ϥΡG iptables.rule, iptables.allow
An饻]wjơG/etc/ssh/sshd_config
@ӨAoɮתw]شNwgܧƤFIҥHAƹWOӻݭnʥLI
OApGAǨϥΪ̤譱U{AiHo˭ץ@ǰDOI
- T root oӱbϥ sshd AȡF
- T nossh oӸsժΤϥ sshd AȡF
- T testssh oӥΤϥ sshd AȡF
FWzb~ALΤhiH`ϥΨtΡC{b]Atθ̭wg sshnot1, sshnot2, sshnot3 [J nossh sաA
Pɨt٦ testssh, student bCbBzЦۦѦҰ¦gӳ]wAUȬOCX[IG
# 1. [@UһݭnbO_sbOH
[root@www ~]# for user in sshnot1 sshnot2 sshnot3 testssh student; do \
> id $user | cut -d ' ' -f1-3 ; done
uid=507(sshnot1) gid=509(sshnot1) groups=509(sshnot1),508(nossh)
uid=508(sshnot2) gid=510(sshnot2) groups=510(sshnot2),508(nossh)
uid=509(sshnot3) gid=511(sshnot3) groups=511(sshnot3),508(nossh)
uid=511(testssh) gid=513(testssh) groups=513(testssh)
uid=505(student) gid=506(student) groups=506(student)
# YWzbäsbAtΡAЦۤvظmXӡIUID/GID PP]SYI
# 2. ק sshd_config åBsҰ sshd aI
[root@www ~]# vim /etc/ssh/sshd_config
PermitRootLogin no <==b 39 AЮѥBק令o
DenyGroups nossh <==UoiH[bɮת̫᭱
DenyUsers testssh
[root@www ~]# /etc/init.d/sshd restart
# 3. ջP[bnJpaI
[root@www ~]# ssh root@localhost <==ýпJTKX
[root@www ~]# tail /var/log/secure
Jul 25 13:14:05 www sshd[2039]: pam_unix(sshd:auth): authentication failure;
logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=root
# A|o{X{oӿ~TAӤOKXJ~ӤwC
[root@www ~]# ssh sshnot1@localhost <==ýпJTKX
[root@www ~]# tail /var/log/secure
Jul 25 13:15:53 www sshd[2061]: User sshnot1 from localhost not allowed because
a group is listed in DenyGroups
[root@www ~]# ssh testssh@localhost <==ýпJTKX
[root@www ~]# tail /var/log/secure
Jul 25 13:17:16 www sshd[2074]: User testssh from localhost not allowed
because listed in DenyUsers
|
qWGӬݡAAN|o{APnJb|ͤ@˪nɵGC]AAѬOLkQϥ ssh
nJY@DɡAOoӦAWhˬdݬݵnɡAwN|QAѨMDoIbڭ̪վWA٬O root nJI
/etc/hosts.allow /etc/hosts.deny
|ҨӻAA sshd uQHΰϺDӷnJܡANo˧@G
[root@www ~]# vim /etc/hosts.allow
sshd: 127.0.0.1 192.168.1.0/255.255.255.0 192.168.100.0/255.255.255.0
[root@www ~]# vim /etc/hosts.deny
sshd : ALL
|
hXhO@]ܦnIҥH]iHϥ iptables I
ѦҡGĤEBP NAT Aڸ}{AAӦb iptables.rule
N port 22 \AMA iptables.allow ̭sWoG
[root@www ~]# vim /usr/local/virus/iptables/iptables.allow
iptables -A INPUT -i $EXTIF -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $EXTIF -s 192.168.100.0/24 -p tcp --dport 22 -j ACCEPT
[root@www ~]# /usr/local/virus/iptables/iptables.rule
|
WzkBzApGA٬O@վAOonN]w٭^I̫A
yI~jaAn} SSH nJvҦ Internet WDz
oܭn]pGiH ssh iJADA...ӦMIF
Ҽ{@ӱpApGA Linux DDnOΨӧ@ϧγBzɡAӥBPɦhHݭnΨ쨺ӥ\A
@ Linux O_@ȯണѤ@ӤHBzӳnOHKKIi@wI] Linux
۷uq X Window System ڡI{bNӽͽͲĤ@ӹϧΤݳsuAaI
11.3.1 X Window Server/Client
[cPU
ѩڭ Linux ϥΪϧΤOҿת X-Window System FAoNOxAثeb Linux
WY}oϧΤnAXGOϥγo X [cӳBzAҥHoAAND X Window աI
ڭ̦b¦gĤTGQ|wgL X Window աA
]o̥u|@²檺СAHKjaAѬڭ̪nOow˻P]wI
X Window System bB@L{AS]ƤPӤ X Server P X Client ص{ǡAMO X Server/Client A
OL@ΫoPD Server/Client [cjӻ X Server/Client oص{ǩҭtdȥG
- X ServerG oյ{ǥDntdOùeøsPC
X Server iHӦ X client ƾڡANoǼƾøse{ϭbùWC
~Aڭ̲ʷƹBIơBLJƵA]|zL X Server ӶǹF X Client ݡAӥ
X Client ӥ[HBXøsơF
- X ClientG oյ{ǥDntdOƪBC
X Client b X Server ǨӪƫ (ҦpʷƹBI icon ʧ@)A|gѥBӱoƹӭnpʡB
IGӭnX{˪ơBLJGӭnpe{AMNoǵGi X
Server ALۦhøsùWC
``}A X server NOeA X client NO⮳eeaCAone (znҦiܪw)
eaQk (pXӪøϼƾ) ~øseWI
ѩC@ X client OWߦsb{ǡA]bϧܷ|oͤ@|ϪD (Q@UC@ X client O@ӫܦۧڪeaA
Cӵeaӻ{𫍧sbAU۪beW@eA̫᪺G|OpH)C]AӴN@կS X client
bizҦL X client {Ao`ުNNNO Window ManagerI
- Window Manager (WM)GO@ձҦ X client z{AæPɴѨҦpu@CB
IୱBୱBjpBʻP|ܵCWindow manager
DnѤ@ǤjpשҶ}oӨӡA` GNOME, KDE, XFCE
JM X Window System O Linux W@յ{ApҰʪOHϥΪ̦bnJtΫAnۤvҰ
X server {AMAҰʭӧO Window manager AYLݨDAAҰʨLB~ X client
NOFCo·СIҥHF²ƱҰʭӤHϧΤBJA٦ҿת Display Manager (DM) oNI
- Display Manager (DM)GѨϥΪ̵nJeHϥΪ̥iHǥѹϧΤnJC
bϥΪ̵nJAizL display manager \hIsL Window manager AϥΪ̦bϧΤnJL{ܱo²C
ѩ DM ]OҰʤ@ӵݿJbKXϧθơA] DM |Dʥh@ X Server MbWYJݿJeNOFC
bثesX Linux distributions Aq`ҰʹϧΤϥΪ̵nJ觋AO Display Manager {A
ӵ{|DʸJ@ X Server {AMAѤ@ӵݿJbKX{AAھڨϥΪ̪ܥhҰʩһݭn
Window Manager {A̫NѨϥΪ̪ާ@ WM ӪϧΤoC
|
DG
b CentOS 6.x AYw] init 5 pUA̲ױҰʹϧΤO@{H
G
R /etc/init/* ɮסA|o{ɮתeOoˡG
[root@www ~]# cat /etc/init/prefdm.conf
start on stopped rc RUNLEVEL=5
stop on starting rc RUNLEVEL=[!5]
console output
respawn
respawn limit 10 120
exec /etc/X11/prefdm -nodaemon
AiHR /etc/X11/prefdm eANo{ӦҰʪNO@ X display manager {FI
|
|
DG
nJ init 5 CentOS 6.x eA tty1 hd\@U X server Oѭ@{ҳH
G
ڭ̥iHzL pstree [{ǶʳIPɪ`NAw] CentOS 6.x X server {W٬ Xorg C
[root@www ~]# pstree -p
init(1)-+-NetworkManager(1086)
....(ٲ)....
|-gdm-binary(2642)---gdm-simple-slav(2661)-+-Xorg(2663)
| |-gdm-session-wor(2746)
....(᭱ٲ)....
|
ѤWzƨӬݡAgdm-binary iH Xorg IPzAڭ̤]|Dѻ{ҪϧεeӬO gdm-session ҴѪI
|
X Window System ΦbW觋G XDMCP
X server, X client bP@DWɭԡAAiHܻPҰʤ@ӧ㪺 X Window SystemC
OpGAQnzLoӾbWҰ X OHɧAobΤݱҰʤ@ X server NϧΤøϩһݭnw˸mtmnA
åBҰʤ@ X server `f (q`O port 6000)AMAѦAݪ X client oøϼƾڡAANøsoC
zLoӾAAiHb@Ұ X server nJAIӥBާA@~tάOԣOINqNUϡA
p@ӡAANiHoAҴѪϧΤҰաI
11.3-1BX server/client [c
OpGAOϥγ̲ªkbΤݦۤvҰ X server AMbiDAN X client {@Ӥ@ӪJ^ӡA
NӲ֤HFaIڭ̤eWOLiH display manager ӺzϥΪ̪nJPҰ X ܡHAणണѤ@AȡA
ڭ̪zLA display manager Nѧڭ̵nJ{һPJۤvܪ window manager ܡAo˴NӴΤFI
FܡHMiHڡINOzL Xdmcp (X display manager control protocol) (3) աI
Xdmcp Ұʫ|bA udp 177 }lťAMΤݪ X server suA port 177 A
ڭ̪ Xdmcp N|bΤݪ X server WϥΪ̿JbKϧΤ{oIANzLo Xdmcp
hJAҴѪ Window Manager X client oIANoϧΤݳsuAI٧aI
ɭԷ|X{hϥΪ̳sJAo X pOHHҤlӻAǦ@ Linux biƭȼA
LXGO NetCDF ɮסAڭ̥ϥ PAVE o@MnhBzoǸơCOڭ̦TӤHPɳ|ϥΨ쨺ӥ\A
Linux DOb[ḓAnڭbӤppŶeyۡzާ@qAiuOQHڡ
oӮɭԡAڭ̴N|[]ϧΤݵnJAAڭ̥iHyhHPɥHϧΤnJ
Linux DzӾާ@ڭ̦ۤv{ǡIܴΡAOܡI
11.3.2 ]w gdm XDMCP A
JMOҿת Xdmcp wAO_NۻP X display manager OHSաI Xdmcp wO DM {ҴѪC
ڭ̪ CentOS w] DM GNOME oӭpeҴѪ gdm I]AAQnҰ Xdmcp AȡANonw gdm oӵ{ӳ]woC
o gdm ]wƳmb /etc/gdm/ ؿUAӧڭ̩ҭnק諸]wɨȬO@ /etc/gdm/custom.conf
(4) ɮצӤwC
X11 Ѫ display manager xdm AӵۦW KDE P GNOME ]ۤv display manager z{ǡAOO kdm P
gdm CAiHzLT̤@̪ display manager ]wɨӱҰ xdmcp oӨwO
LA]ڭ̦w˪ǬOyBasic serverzAҥHܦhϧΤnèSQw˰_ӡC]Ab@ Xdmcp
eAڭ̱ow˹ϧΤ~Iϥ yum groupinstall Ӧw˧aI
# ˬdݬݻP X nsզǡH
[root@www ~]# yum grouplist
Desktop
Desktop Platform
X Window System
# oTӺO̭nؤFIonw˰_Ӥ~Igdm Ob Destop I
[root@www ~]# yum groupinstall "Desktop" "Desktop Platform" \
> "X Window System"
|
Wi槹A{b~}ldw custom.conf աIӸժݬݡI
[root@www ~]# vim /etc/gdm/custom.conf
[security] <==bPw譱TAjhnƩy
AllowRemoteRoot=yes <==xdmcp w]\ root nJAoγoӶؤ~H root nJ
DisallowTCP=false <==oӶئb\Τݨϥ TCP 觋su xdmcp
[xdmcp] <==NOoӤp`I@oI
Enable=true <==Ұ xdmcp ̭noI
# WzSr骺NOAonۤvsWeoI
[root@www ~]# init 5
# WzoӫO| X ϧεeApGTwnϥ gdmArunlevel oվ 5 ~n
# GupܡANonվ /etc/inittab oI
[root@www ~]# netstat -tulnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 4557/Xorg
tcp 0 0 :::6000 :::* LISTEN 4557/Xorg
udp 0 0 0.0.0.0:177 0.0.0.0:* 4536/gdm-binary
# Wz port 6000 O DisallowTCP=false رҰʪAport 177 ~Oڭ̭n
|
Wzʧ@Ob runlevel 3 UҰʪApGAOb runlevel 5 UɡA]A]iHQΡy
init 3 && init 5 zӭsҰʹϧΤCpGAOb runlevel 3 UåBƱܧ runlevel 5
OHSӦpҰ port 177 ڡHpGOo˪ܡAAiHo˱Ұ xdmcp աG
[root@www ~]# init 3
[root@www ~]# runlevel
5 3 <==䪺Oe@ runlevelAk䪺OثeA]ثeO runlevel 3
[root@www ~]# gdm <==o˴NҰ xdmcp oI
[root@www ~]# vim /etc/rc.d/rc.local
/usr/sbin/gdm
|
{bADpbP runlevel Ұ xdmcp FaHpGO runlevel 5 A]b /etc/inittab Nwg۰ʱҰ gdm FA
ҥHAunQҰ runlevel 5 YiCpGAOb runlevel 3 ܡA]o gdm N|QtΪҰʬy{ҰʡA
Aunۤvb /etc/rc.d/rc.local ̭wҰʥLoIoAѩIHLAJMAnϥ
xdmcp FAҥHijzҰʦb runlevel 5 YiIUӡAAon}ΤݹA port 177 su~I
ЦۦקAWhA} udp port 177 aIo̰]Aϥγ}AAo˧@NnFG
[root@www ~]# vim /usr/local/virus/iptables/iptables.rule
iptables -A INPUT -p UDP -i $EXTIF --dport 177 --sport 1024:65534 \
-s 192.168.100.0/24 -j ACCEPT #xdmcp
# `NISIOϥ UDP fHΥ[Jӷ IP 쪺ޡI
[root@www ~]# /usr/local/virus/iptables/iptables.rule
[root@www ~]# iptables-save | grep 177
-A INPUT -s 192.168.100.0/24 -i eth0 -p udp -m udp --sport 1024:65534 --dport 177 -j ACCEPT
# T꦳} port 177 AӥBO udp fIn`NoӶءC
|
11.3.3 Τtά Linux
nJ觋
ѩ Linux NO X server ѨӪA]ϥ Linux nJݪϧΦAO²檺աI
O]Ұ X 觋PӤwƺرҰʤ觋AUڭ̴Nӱ`Ұʤ觋G
pGAΤݤwgb runlevel 5 FA]Awg@ X ҡAoҪܲݾN٬y :0 zC
b CentOS 6.x ҤApG쥻NO runlevel 5 ҡAoӹϧΤ :0 Ob tty1
ݾաIpGO runlevel 3 ҰʹϧΤANOb tty7 Iѩwg@ X FA]Anbt~ݾҰʥt@ X
~Iӷs X N٬ :1 Aq`Nb tty7 tty8 աI] X server n X client nv~A
ҥHAob}ӦۦA X client ơC
~AMAbΤݬOHDʪ觋sA udp port 177 AOA X
client o|DʪsAΤݪ X serverA]AAn}ӦۦAݥDʹA TCP port 6001 (]O :1 )
su~INӹ갵ݬݡG
# 1. X client ǨӪơGb X Window eҥ shell JG
[root@clientlinux ~]# xhost + 192.168.100.254
192.168.100.254 being added to access control list
# `NIAOΤݡIB]ڭ诊 Linux D IP 192.168.100.254
# 2. }l樾A]ڭ̱Ұ port 6001 AҥHAbΤݳo˧@G
[root@clientlinux ~]# vim /usr/local/virus/iptables/iptables.allow
iptables -A INPUT -i $EXTIF -s 192.168.100.0/24 -p tcp --dport 6001 -j ACCEPT
[root@clientlinux ~]# /usr/local/virus/iptables/iptables.rule
[root@clientlinux ~]# iptables-save
-A INPUT -s 192.168.100.0/24 -p tcp -m tcp --dport 6001 -j ACCEPT
# nݨWo@~I
# 3. br (Ҧp tty1) UJpUOG
[root@clientlinux ~]# X -query 192.168.100.254 :1
# iJ X Window oI
|
pG@QܡAAb clientlinux.centos.vbird N|ݨpUe(`NDW)G
11.3-2BbΤݳsW Xdmcp \e
bWϤJTbPKXAAb tty8 (:1) N|ӵoIApGQn^쥻A
N^ tty7 (:0) Yi\I(b runlevel 5 ɡA:0 b tty1 A :1 b tty7 I)Qn tty8
ӦpOnHAb tty8 nXաA]nXAtη|s}@ӵݵnJeAA٬OSkCAon^Ұ
X tty1 MU [ctrl]-c _suYiI
pG``b tty7, tty8 ӥhܡAӷ|ѰO쩳bӤFAרOAୱ@Ҥ@ˮɡA
NP_FCSkb tty7 Ұʥt@ӵӸJݦAϧΤOHiHANzL Xnest aI
oOݭnb X ҤUϥγI²ΪkpUG
[root@www ~]# Xnest -query DW -geometry ѪR :1
ﶵPѼơG
-query G᭱ xdmcp ADW٩ IP o
-geometry G᭱eѪRסAҦp 1024x768 800x600 ѪR
# ھڤWzơAϥ 800x600 sW 192.168.100.254 DG
[root@www ~]# yum install xorg-x11-server-Xnest
[root@www ~]# Xnest -query 192.168.100.254 -geometry 640x480 :1
|
pG@QܡAAN|b tty7 X ҤUݨpUe (UeOwgnJpI)
11.3-3BbΤݪ X QsW Xdmcp e
@}lϥܷ|P 11.3-2 @ˡANOX{JbKeApGJTbKA
N|X{WzϥܤFCJӬݤ@UeݾYAAN|o{TOⳡDୱOIo˦SδΡH ^_^I
no X N²hFIUAΪ̬O_ Xnest {YiC
11.3.4 Τtά Windows
nJ觋G Xming
NpPWY쪺Aϥ xdmcp i|ҰʦhӤPfAɭP]wWxZǡCS²@IϧΤs觋H
٦ܦhաAbo̧ڭ̥@Ӥ²檺ANO VNC (Virtual Network Computing) oNաI(6)
11.4.1 w] VNC AGϥ
twm window manager
VNC server |bAݱҰʤ@ӺťΤnDfA@fXb 5901 ~ 5910 CΤݱҰ X server su 5901 A
VNC server AN@w]wn X client zLoӳsuǻΤݤWA̲״NbΤܦAϧΤFC
Lݭn`NOAw] VNC server OWߴѵy@z@ӥΤݨӳsuA]Anϥ VNC ɡA
AsuAhҰ VNC server YiCҥHA@ӻA VNC server OϥΤʱҰʪAMϥΧA
AN VNC server YiCӧ@k²IAiHo˧@G
[root@www ~]# vncserver [:X] [-geometry ѪR] [options]
[root@www ~]# vncserver [-kill :X]
ﶵPѼơG
:X GNON VNC server }bӰfApGO :1 hN VNC 5901 f
-geometry GNOѪRסAҦp 1024x768 800x600
options GL X ﶵAҦp -query localhost
-kill GNwgҰʪ VNC fRI̾ڨC
[root@www ~]# yum install tigervnc-server
# oӬOnAnA`Nn骺WٳIPePI
# N VNC server Ұʦb 5903 f
[root@www ~]# vncserver :3
You will require a password to access your desktops.
Password: <==J VNC suKXAoOإ VNC ɩһݭn
Verify: <==AJ@ۦPKX
xauth: creating new authority file /root/.Xauthority
New 'www.centos.vbird:3 (root)' desktop is www.centos.vbird:3
Creating default startup script /root/.vnc/xstartup
Starting applications specified in /root/.vnc/xstartup
Log file is /root/.vnc/www.centos.vbird:3.log
[root@www ~]# netstat -tulnp | grep X
tcp 0 0 0.0.0.0:5903 0.0.0.0:* LISTEN 4361/Xvnc
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 1755/Xorg
tcp 0 0 0.0.0.0:6003 0.0.0.0:* LISTEN 4361/Xvnc
tcp 0 0 :::6000 :::* LISTEN 1755/Xorg
tcp 0 0 :::6003 :::* LISTEN 4361/Xvnc
# wgҰʩһݭnfoI
|
bWzOާ@AAnDXӶجOG
- KXܤֻݭnӦr
- ̾ڨϥ vncserver ANإߪKXmӱbaؿUCҦpWzOϥ root A]KXɷ|b
/root/.vnc/passwd oɮפOYɮפwgsbAh|X{إ߱KXeC
- Τݳsu\AAN|ǰe /root/.vnc/startx X client ΤݳI
pGAQnק VNC KXOH²ANϥ vncpasswd aI
[root@www ~]# ls -l /root/.vnc/passwd
-rw-------. 1 root root 8 Jul 26 15:08 /root/.vnc/passwd
[root@www ~]# vncpasswd
Password: <==NOo̶}lJsKXڡI
Verify:
[root@www ~]# ls -l /root/.vnc/passwd
-rw-------. 1 root root 8 Jul 26 15:15 /root/.vnc/passwd
# ݧaIɶsIoɮתeʹLoI
|
UӶ}l 5903 oӰfsuWhaI]wpi|} 11 VNC fAҥHܤ@f} 11 ӰfaI
[root@www ~]# vim /usr/local/virus/iptables/iptables.allow
iptables -A INPUT -i $EXTIF -s 192.168.100.0/24 -p tcp --dport 5900:5910 -j ACCEPT
[root@www ~]# /usr/local/virus/iptables/iptables.rule
[root@www ~]# iptables-save
-A INPUT -s 192.168.100.0/24 -i eth0 -p tcp -m tcp --dport 5900:5910 -j ACCEPT
# nݱoWo~ OK I
|
11.4.2 VNC Τݳsun
P xdmcp աA VNC Τݦb Linux tΤWw]nAOb Windows tΤWhnB~w˨LnC
ڭ̥ӽͽ Linux VNC ΤnaI
Φb Linux Τݪ VNC {ANO vncviewerCuOAoӳnw]SwˡAҥHAonϥ yum
w˧AӳsuaIL@˭n`NAAݪ@˭n]wIM}lbΤݪϧΤW橳UơG
[root@clientlinux ~]# yum install tigervnc
[root@clientlinux ~]# vncviewer 192.168.10.254:3
# oӫOФ@w@wnbϧΤW~IܭnIOѤFI
|
11.4-1Bb Linux Τݰ vncviewer {ǥܷN
bWϷJ𫍧 root VNC suKXAЪ`NAO VNC suKXAӤO root nJKXI
o̬OtܦhI]ѩҰ VNC O root A]o̤~ϥ root VNC suKXC
ҥHAܦhɨAڭ̳OijϥΤ@먭ӱҰ VNC server աIAJT VNC suKXA
|X{pUϥoG
11.4-2Bb Linux Τݰ vncviewer {ǥܷN
PHe VNC server jtAb CentOS 6.x Atigervnc-server
oMn|Dʪ̾ڦAݪϧΤnJ觋TϧܤAӤOHe˵@ twm ӤwI
o˧ڭ̴NiHٱonק@ǦS]wɤFIuOΡI
su\AЦbΤo vncviewer suA]Uӧڭ̭ndzƥ
Windows suA port 5903 oI
Windows UiΪ vnc client n餣֡AOxO realvnc oaqX~ GNU ۥѳnI
AiHbUsU²檺AOοۥѳn骩I(ȤUΦw˪ viewer ӤwI)
vnc-viewer nAMN|ݨpUeG
11.4-3BWindows Real VNC ΤݳsuܷN
pWϩҥܡAAb server W IP:port ƧYiAMUyOKzaI
11.4-4BWindows Real VNC ΤݳsuܷN
ѩ VNC server ݭnȬOsu VNC KXӤwA]WϤ Username iHζAѹ껡Aoӵ{]|A
IUyOKzYiIUӴN|X{TeoI
11.4-5BWindows Real VNC ΤݳsuܷN
11.4.3 VNC ft Xdmcp e
pG]YǯS]AAonϥ VNC ӷft xdmcp XɡANbAzLUOӳBzYiI
n`NAAnwgҰʤF xdmcp FIӥBAڭ̩Uϥ student ӱҰʳo VNC aI
# 1. nTw xdmcp wgҰʤF~iHG
[root@www ~]# netstat -tlunp | grep 177
udp 0 0 0.0.0.0:177 0.0.0.0:* 1734/gdm-binary
# OK IT꦳ҰʪաIpGSݨ 177 ܡA^ 11.3 hBzBz
# 2. studentAåBҰ VNC server b :5
[root@www ~]# su - student
[student@www ~]$ vncserver :5 -query localhost
You will require a password to access your desktops.
Password:
Verify:
xauth: creating new authority file /home/student/.Xauthority
New 'www.centos.vbird:5 (student)' desktop is www.centos.vbird:5
Creating default startup script /home/student/.vnc/xstartup
Starting applications specified in /home/student/.vnc/xstartup
Log file is /home/student/.vnc/www.centos.vbird:5.log
# 3. xstartup Ұʤe
[student@www ~]$ vim /home/student/.vnc/xstartup
....(eٲ)....
#xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
#twm &
# NoɮתeA[W # ѱ
# 4. sҰ vncserver I
[student@www ~]$ vncserver -kill :5
[student@www ~]$ vncserver :5 -query localhost
|
UШϥ root [J 5905 fWhAMۦϥ Linux
vncviewer Windows RealVNC ӳsuAAN|o{pUeG
11.4-6BzL VNC qDo xdmcp e
ڭ̳o VNC su{ǬO student AOڭ̫oiHzL xdmcp nJ\ӵnJ root I
]bAW Xvnc {ǬO student ֦Ao˷|nաIAѩIH
11.4.4 }NҰ VNC server k
Ъ`NAAnN vncserver OgJb /etc/rc.d/rc.local A_hi| localhost LknJDC
ӦpA VNC server b@}NҰʦӤnnJOOHiHAOAonק@U]wɡC
ڭ̩Uϥ student Ұ VNC serverAӱҰʪ觋ϥ xdmcp nJeAҰʪfNwb 5901 nFC
Aӳo˧@G
[root@www ~]# vim /etc/sysconfig/vncservers
VNCSERVERS="1:student"
VNCSERVERARGS[1]="-query localhost"
# Wz檺 1 NOӰf 5901 In`NI
[root@www ~]# /etc/init.d/vncserver restart
[root@www ~]# chkconfig vncserver on
|
n²aIo˨C}NdwA VNC server oI
11.4.5 PB VNC GiHzLϥܦPBо
t~AǪBͤ@w|ıo_ǡANOAƻڪ VNC A server / client ݵeäOPBO?
oO] Linux Ѧh VNC server Ao̬OUۿWߪAҥHMN|P tty7 ePBFC
OpGAQnP Linux tty7 PBܡAiHQ VNC X X Server ϥΪҲըӥ[H]wYiC
ϥγoӼҲզƻnBڡHNOiHӹϧΤb server/client O@˪A
ҥHApGAQnЧABͧAOp]wANiHzLoӾӳBzAABͦbݴNDA@B@Bi檺L{I
o˫ܤaIԲӪ@kiHѦҩUsG
ڭ̤]ӹ갵@Ua (b CentOS 6.x èS xorg.conf oӳ]wɳIҥHApGAnϥγoǸƪܡA
ȱonۦϥ X -configure hظm xorg.conf AA /etc/X11/ hAM~諸]wI)G
[root@www ~]# yum install tigervnc-server-module
[root@www ~]# vim /etc/X11/xorg.conf
Section "Screen"
Identifier "Screen0"
Device "Videocard0"
DefaultDepth 24
# VBird
Option "passwordFile" "/home/student/.vnc/passwd"
SubSection "Display"
Viewport 0 0
Depth 24
EndSubSection
EndSection
# VBird
Section "Module"
Load "vnc"
EndSection
# ]A vnc KXɮשmb /home/student/.vnc/passwd YA
# oӮɭԴNonNKXɤeg Screen o section F
[root@www ~]# init 3 ; init 5
[root@www ~]# netstat -tlunp | grep X
tcp 0 0 0.0.0.0:5900 0.0.0.0:* LISTEN 7445/Xorg
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 7445/Xorg
tcp 0 0 :::6000 :::* LISTEN 7445/Xorg
# `NݳIoX port Ұʪ PID @˳IҥH|Ұʤ@ port 5900 oI
|
AiHϥΡy vncviewer 192.168.100.254 zӳsuYiAݭn[W :0 fC
MAiHݤ@UΤݻPAݪϧΤAA|o{̲ʷƹɡA̪e|PBB@I
D`OIuLoӰʧ@٬Ou\@ VNC suAҦΤݳs port 5900 AouOӥiFI
ϥΤWϧΤsuA@ӰDAFsuP~AWY Xdmcp P VNC hWAƳS[KC
]Wʧ@jhȾAXϰB@AnsW Internet nCpGAuQnzL[K觋B@ VNCA
ionzLU@p`Ф~nBzGCڭ̪D Windows ݮୱ (Remote Desktop Procotol, RDP, 7)
O㦳su[K\AҥHAणb Linux Wˤ@ RDP Server OHOiHANO XRDP A (8)C
ܥiOAڭ̪ CentOS 6.x w]èS XRDP AApGA쪺ܡAiHۦsĶ xrdp nA
Fedora |Ѫ RHEL B~npe (9)AAiH쩳UshAG
٬Oıo yum OnFA]쪺 CentOS 6.x x86_64 }AN]wb yum ]wɤANiHϥ yum
wˤFG
[root@www ~]# vim /etc/yum.repos.d/fedora_epel.repo
[epel]
name=CentOS-$releasever - Epel
baseurl=http://download.fedora.redhat.com/pub/epel/6/x86_64/
gpgcheck=0
enabled=1
[root@www ~]# yum clean all
[root@www ~]# yum install xrdp
|
o˴Nw˦nF xrdp nFAۤUӴNon}lӳ]woIѹ껡Ab@몺DWw˦no xrdp
AAڥݭnվ]wɡAOdn]wɴNnFAMҰʥAåB]w}ҰʡAӥunλݳsusoDA
tδN|Ұ 5910~5920 HW VNC fAMANzL RDP wo VNC eA̫NnJtoI
[root@www ~]# /etc/init.d/xrdp start
[root@www ~]# chkconfig xrdp on
[root@www ~]# netstat | grep xrdp
tcp 0 0 127.0.0.1:3350 0.0.0.0:* LISTEN 6615/xrdp-sesman
tcp 0 0 0.0.0.0:3389 0.0.0.0:* LISTEN 6611/xrdp
# ݮୱfO 3389 AO xrdp |As쥻 3350 h@ VNC suC
# O|sueAä|_ʥ VNC fNOFC
|
pGAOϥ Windows tΡAzLy}lz-->y{z-->yε{z-->yݮୱsuzA
bX{eJo xrdp A IP ApGQsWN|X{pUeG
11.5-1BsWA XRDP AȫA|X{suT
11.5-2BsWA XRDP AȫA|X{suT
JTbKXAKKIdwIeNX{oIpGAٷQni@BA xrdp ]wɡAШ /etc/xrdp/
ؿU@@AMAzL man hݬݬ]wɸTANzѳ]woIչLAέק]wA
ϥλݮୱNwgܶZoI ^_^
LAn`NOA] xrdp ̲|۰ʱҥ VNC A]A٬Onw tigervnc-server ~I
_h xrdp ٬OLkB@I
ƹW ssh uܦnΡIAƦܤݭnҰʬƻ xdmcp, vnc, xrdp AȡAϥ ssh [KqDNbΤݱҰʹϧΤI
~Aڭ̪DܦhAȳOS[KAणNoǪAȳzL ssh qDӥ[KOHKKIMOiHI
boӳ`Aڭ̴Nӽͽͤ@ ssh iΧaI
11.6.1 Ұ ssh bDWf (D port 22)
qe`̭ڭ̴NgLA sshd oӪAȨäOܦwAҥHܦh ISP bJfBNwgN port 22
FIno@OHoO]ܦhzèSwin update AӥBFKASܶ}ߪN
port 22 @ɶ}Cѩܦh cracker |ϥαy{ñ Internet f|}Ao port 22
NO@ӫܱ`QyfաIFoӰDAҥH ISP AAN port 22 Io]OFӰϺnI
uOAoبS ssh N֭nUhHAF port 22 YhFISku@ڡI
HSYAڭ̥iHN ssh }bDWfCp@ӡA cracker |yӰfAӧA
ISP SSӰfi歭AANϥ ssh oIܴΧaINӸլݬݡCڭ̩UN ssh }b port 22
port 23 լݬ (Ъ`NA port 23 QϥγI)C
]w ssh b port 22 23 Ӱf]w觋
[root@www ~]# vim /etc/ssh/sshd_config
Port 22
Port 23 <==`NIn Port ]w~I
[root@www ~]# /etc/init.d/sshd restart
|
Oo@ CentOS oN SSH Wd port ȯҰʩ 22 ӤwAҥHɷ|X{@ SELinux ~IHSYA
ھ setroubleshoot ܡAڭ̥nۦwq@ SELinux WhҲդ~ISOHٺ²I
y{Oo˪G
# 1. /var/log/audit/audit.log XP ssh AVC TAରaҲ
[root@www ~]# cat /var/log/audit/audit.log | grep AVC | grep ssh | \
> audit2allow -m sshlocal > sshlocal.te <==ɦWnO .te ~
[root@www ~]# grep sshd_t /var/log/audit/audit.log | \
> audit2allow -M sshlocal <==sshlocal NOإߪ .te ɦW
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i sshlocal.pp <==oӫO|sĶXoӭn .pp ҲաI
# 2. NoӼҲոJtΪ SELinux zI
[root@www ~]# semodule -i sshlocal.pp
# 3. AsҰ sshd åB[faI
[root@www ~]# /etc/init.d/sshd restart
[root@www ~]# netstat -tlunp | grep ssh
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 7322/sshd
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN 7322/sshd
tcp 0 0 :::22 :::* LISTEN 7322/sshd
tcp 0 0 :::23 :::* LISTEN 7322/sshd
|
S²Io˧ANϥ port 22 port 23 suA sshd AȳI
ѩw] ssh, scp, sftp Os port 22 ApϥγoǫOsu port 23 OH
ڭ̨ϥ ssh mߦnFG
[root@www ~]# ssh -p 23 root@localhost
root@localhost's password:
Last login: Tue Jul 26 14:07:41 2011 from 192.168.1.101
[root@www ~]# netstat -tnp | grep 23
tcp 0 0 ::1:23 ::1:56645 ESTABLISHED 7327/2
tcp 0 0 ::1:56645 ::1:23 ESTABLISHED 7326/ssh
# ]OVA]ۤvsۤv (localhost)AN|ⰦsuI
|
oˡAANL@ ISP Ϊ̬O cracker yFI`N@UAnN port }bYǬJfWA
ҦpA}b port 80 ܡAANSkҰʥ` WWW AȰաI`N`NI
11.6.2 H rsync iPB𫏆ƥ
ڭ̴b¦gĤTĤGQYͨ Linux ƥA
ӽgб`ΪƥOA]A tar, dd, cp ALɨåкAҥHӫܴΪuSСA
NOoӦanͨ쪺 rsync աIo rsync iH@@Ӭ۷ΪaƴtΪƥOI
] rsync iHFy (mirror) z\OI
rsync ̦OQnN rcp oӫOA] rsync ǿ骺tק֡AӥBLbǿɡA
iH糧aݻPݥDƻsɮפeAӶȽƻsݦtɮצӤwAҥHǿ骺ɶN۹諸CܦhI
~A rsync ǿ觋ܤ֥iHzLTؤ觋ӹB@G
- bWB@AΪkNP cp XG@Ҥ@ˡAҦpG
rsync -av /etc /tmp (N /etc/ Ƴƥ /tmp/etc )
- zL rsh ssh qDb server / client iƶǿAҦpG
rsync -av -e ssh user@rsh.server:/etc /tmp (N rsh.server /etc ƥ쥻aD /tmp )
- zL rsync ѪA (daemon) ӶǿA rsync DݭnҰ 873 portG
1. Anb server ݱҰ rsync A /etc/xinetd.d/rsync YiF
2. As /etc/rsyncd.conf ]wɡF
3. A]wn client ݳsuKXơF
4. b client ݥiHQΡGrsync -av user@hostname::/dir/path /local/path
TضǿҦtbS_ (:) ӤwAaݶǿ餣ݭn_AzL ssh rsh ɡANonQΤ@ӫ_ (:)A
pGOzL rsync daemon ܡANonӫ_ (::) AӤzѰաI]aݳBz²A
ӧڭ̪tΥӴN ssh AȡAҥHAUNЧQ rsync zL ssh ӳƥʧ@C
LAbe̥Ӭݬ rsync ykaI
[root@www ~]# rsync [-avrlptgoD] [-e ssh] [user@host:/dir] [/local/path]
ﶵPѼơG
-v G[ҦAiHCXhTA]A𫏆ɪɮɦWF
-q GP -v ۤϡAwRҦAL`TAܿ~TF
-r GjƻsIiHwyؿzӳBzIܭnI
-u Gȧs (update)AYؼɮsAhOdsɮפ|л\F
-l GƻssɪݩʡAӫDsؼЭlɮפeF
-p GƻsɡAsPݩ (permission) ]OsܡI
-g GOslɮת֦sաF
-o GOslɮת֦HF
-D GOslɮת˸mݩ (device)
-t GOslɮתɶѼơF
-I Gsɶ (mtime) ݩʡAɮפW|ֳtF
-z GbƶǿɡA[WYѼơI
-e GϥΪqDwAҦpϥ ssh qDAh -e ssh
-a G۷ -rlptgoD AҥHo -a O̱`ΪѼƤFI
hаѦ man rsync ѻI
# 1. N /etc Ƴƥ /tmp UG
[root@www ~]# rsync -av /etc /tmp
....(eٲ)....
sent 21979554 bytes received 25934 bytes 4000997.82 bytes/sec
total size is 21877999 speedup is 0.99
[root@www ~]# ll -d /tmp/etc /etc
drwxr-xr-x. 106 root root 12288 Jul 26 16:10 /etc
drwxr-xr-x. 106 root root 12288 Jul 26 16:10 /tmp/etc <==@Iӥؿ@ˡI
# Ĥ@B@ɷ|[ɶA]إ߹IpGAƥOH
[root@www ~]# rsync -av /etc /tmp
sent 55716 bytes received 240 bytes 111912.00 bytes/sec
total size is 21877999 speedup is 390.99
# @U⦸ rsync ǿPƶqAAN|o{ߨN]FI
# ǿ骺Ƥ]ܤ֡I]AAȦtɮ|QƻsC
# 2. Q student nJ clientlinux.centos.vbird Naؿƻs쥻 /tmp
[root@www ~]# rsync -av -e ssh student@192.168.100.10:~ /tmp
student@192.168.100.10's password: <==JD student KX
receiving file list ... done
student/
student/.bash_logout
....(ٲ)....
sent 110 bytes received 697 bytes 124.15 bytes/sec
total size is 333 speedup is 0.41
[root@www ~]# ll -d /tmp/student
drwx------. 4 student student 4096 Jul 26 16:52 /tmp/student
# @Io˴NnƥաI²aI
|
AiHQΤWdҤGӰƥ script ѦҡILn`NOA] rsync OzL ssh
ӶǿƪAҥHAiHw student oӳås@XKαKXnJ ssh _I
p@өᲧaƴtδN۰ʪH crontab ӶiƥFI²zI
KKX ssh bڭ̦bWYwgLFAg shell script O]OnIQ rsync
ӶiAƥu@aI ^_^Iܩh rsync ΪkiHѦҥ᭱ҦCXѦҺ(10)I
|
DG
b clientlinux.centos.vbird (192.168.100.10) WAϥ vbirdtsai إߤ@}Ao}iHbCѪ 2:00am
DʪH rsync tX ssh o www.centos.vbird (192.168.100.254) /etc, /root, /home Tӥؿ𫏆 clientlinux.centos.vbird
/backups/ UC
G
ѩnzL ssh qDABnϥ crontab Ҧu@Ƶ{A]֩wnϥΪ_tΪKKXbCڭ̦b 11.2.6 p`wgL@kA
vbirdtsai wgF_Pp_ɮסA]nAϥ ssh-keygen FAN_ɮƻs www.centos.vbird /root/.ssh/ UYiC
ڧ@kiHOo˪G
# 1. b clientlinux.centos.vbird N_ɽƻs www.centos.vbird root
[vbirdtsia@clientlinux ~]$ scp ~/.ssh/id_rsa.pub root@192.168.100.254:~
# 2. b www.centos.vbird W root ظmn authorized_keys
[root@www ~]# ls -ld id_rsa.pub .ssh
-rw-r--r--. 1 root root 416 Jul 26 16:59 id_rsa.pub <==_
drwx------. 2 root root 4096 Jul 25 11:44 .ssh <== ssh ؿ
[root@www ~]# cat id_rsa.pub >> ~/.ssh/authorized_keys
[root@www ~]# chmod 644 ~/.ssh/authorized_keys
# 3. b clientlinux.centos.vbird Wg script ôհG
[vbirdtsai@clientlinux ~]$ mkdir ~/bin ; vim ~/bin/backup_www.sh
#!/bin/bash
localdir=/backups
remotedir="/etc /root /home"
remoteip="192.168.100.254"
[ -d ${localdir} ] || mkdir ${localdir}
for dir in ${remotedir}
do
rsync -av -e ssh root@${remoteip}:${dir} ${localdir}
done
[vbirdtsai@clientlinux ~]$ chmod 755 ~/bin/backup_www.sh
[vbirdtsai@clientlinux ~]$ ~/bin/backup_www.sh
# WbհաIĤ@եi|ѡA]ѰO /backups ݭn root
# v~إߡCҥHAбzAH root h mkdir setfacl aI
# 4. إ crontab u@
[vbirdtsai@clientlinux ~]$ crontab -e
0 2 * * * /home/vbirdtsai/bin/backup_www.sh
|
|
11.6.3 zL ssh qD[K쥻L[KA
{bڭ̪D ssh oӳqDiH[KAӥBAڭ̧D rsync w]wgiHzL ssh qDӶi[KHi𫏆ǿC
JMpALAȯणzLo ssh iƥ[KӶǰeTOHMiHIܴΩOoӥ\I
nй갵eAڭ̥ιϥܨӽͤ@U@kC
]AWҰʤF VNC AȦb port 5901 AΤݫhϥ vncviewer nsuAW port 5901 NOFC
{bڭ̦bΤݹqWҰʤ@ 5911 fAMAzLaݪ ssh suA sshd hAӦA sshd
AhsA VNC port 5901 CӳsuϥܦpUҥܡG
11.6-1BzLaݪ ssh [Ksu컷ݪAܷN
]AwgzLWzUӤp`إߦnA (www.centos.vbird) W VNC port 5901 AӥΤݫhSҰʥ VNC fC
AӦpzL ssh Ӷi[KOH²AAiHbΤݹq (clientlinux.centos.vbird) 橳UOG
[root@clientlinux ~]# ssh -L af:127.0.0.1:ݰf [-N] ݥD
ﶵPѼơG
-N GȱҰʳsuqDAnJ sshd A
afGNO} 127.0.0.1 W@Ӻťf
ݰfGwsu᭱ݥD sshd Asshd ӳsӰfiǿ
# 1. bΤݱҰʩһݭnfi檺O
[root@clientlinux ~]# ssh -L 5911:127.0.0.1:5901 -N 192.168.100.254
root@192.168.100.254's password:
<==nJݶȬO}Ҥ@ӺťfAҥHʧ@
# 2. bΤݦbt@ӲݾլݬݡAoӰʧ@ݭn@AuOd\Ӥw
[root@clientlinux ~]# netstat -tnlp| grep ssh
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1330/sshd
tcp 0 0 127.0.0.1:5911 0.0.0.0:* LISTEN 3347/ssh
tcp 0 0 :::22 :::* LISTEN 1330/sshd
[root@clientlinux ~]# netstat -tnap| grep ssh
tcp 0 0 192.168.100.10:55490 192.168.100.254:22 ESTABLISHED 3347/ssh
# bΤݱҰ 5911 fO ssh ҰʪAP@ PID ]su컷ݳI
|
UӧANiHbΤ (192.168.100.10, clientlinux.centos.vbird) ϥΡy vncviewer localhost:5911 zӳsuA
Oӳsuo|s www.centos.vbird (192.168.100.254) D port 5901 I۫HܡH
AF VNC suA www.centos.vbird DW@@NDFG
# 3. bAݴլݬݡAoӰʧ@ݭn@AuOd\Ӥw
[root@www ~]# netstat -tnp | grep ssh
tcp 0 0 127.0.0.1:59442 127.0.0.1:5901 ESTABLISHED 7623/sshd: root
tcp 0 0 192.168.100.254:22 192.168.100.10:55490 ESTABLISHED 7623/sshd: root
# 㪺ݨ port 22 {ǦPɳsu port 5901 I
|
poӳsuOH VNC AMAN clientlinux.centos.vbird Ĥ@Ӱʧ@ (ssh -L ...)
U [ctrl]-c N_oӥ[KqDoIo˷|ϥΤFܡHAiHNoӰʧ@ΦbAȤWI
11.6.4 H ssh qDtX X server ǻϧΤ
qe@Ӥp`ڭ̪D ssh iHi{[KǻAY ssh qDաIiiHΦb X WOH
NOAگणणnҰʬƻܽANOb즳Uϥ ssh qDANکһݭnAWϧΤǹLӴNnFH
OiHIΤ@ Windows W Xming X server @dҦnFCӰʧ@Oo˪G
- b Windows WҰ XLaunchAó]wnsu www.centos.vbird TF
- Ұ Xming {A|o@ xterm {Aӵ{O www.centos.vbird {F
- }lb xterm W X nAN|b Windows ୱWoI
ڭ̴N}lӳBz@U Xming oӵ{aIҰ XLaunch X{UϼҼˡG
11.6-2BҰ XLaunch {-ܼҦ
OoWϤn Multiple windows |}GIMUyU@Bz|X{UϡG
![]w XLaunch {-ܳsu觋](/linux_server/0310telnetssh//centos6_xming_ssh_2.gif "]w XLaunch {-ܳsu觋")
11.6-3B]w XLaunch {-ܳsu觋
ڭ̭nҰʤ@{AåBO}b ssh/putty ni ssh qDإ߳IMU@BaC
![]w XLaunch {-]wݳsuѼ](/linux_server/0310telnetssh//centos6_xming_ssh_3.gif "]w XLaunch {-]wݳsuѼ")
11.6-4B]w XLaunch {-]wݳsuѼ
Xming |DʪҰʤ@ putty {Asi sshd AAҥHo̱on]wnbKXTC
o̰]A sshd | root nJA]ǫϥ root vI
![]w XLaunch {-O_䴩ƻsKW\](/linux_server/0310telnetssh//centos6_xming_ssh_4.gif "]w XLaunch {-O_䴩ƻsKW\")
11.6-5B]w XLaunch {-O_䴩ƻsKW\
ϥιw]ȧaIU@BC
![]w XLaunch {-]w](/linux_server/0310telnetssh//centos6_xming_ssh_5.gif "]w XLaunch {-]w")
11.6-6B]w XLaunch {-]w
²Io˴N]wFIЫUAAN|ݨ Windows ୱMX{pUϥܤFI
11.6-7BWindows ୱX{ X client {
Wo{NO xterm o X ݾ{CAiHbWJOAӫO|ǰe Linux server A
MANAn檺ϧθƳzL ssh qDǰeثe Windows W Xming AA Linux
αҰ VNC, X, xrdp AȡIun sshd NdwFINOo²IҦpJXӹC{A
A Windows (ݤu@CNDF) N|X{o˪pG
ƹWAڭ̪ basic server wˤ觋èSAw xterm IҥHAAonۤvw xterm ~I
yum install xterm Nw˦nաIMWʧ@AӤ@ANiH\oIөUϥܸ̭nA
]OݭnAۤvw˪I ^_^
11.6-8BWindows ୱX{ X client {
