boӳ`AAڭ̭nAѤ@UAOyݳsuAzHoӪF𫍧\ରHڷQAzӤwgťLA@Ө}nҷA@} Internet WAA򥻤WALiHݭnܥdBùBLBƹtơIun򥻪DOBCPUBRAMBwЦA[W@n@IdAåBsW Internet IIznޱoDɭԡAunzLsuiӡAMiקYiIKIҥHoAoӮɭԥD۵MݭnP]ưաI
@
HӤHҡAثe޲zjCBKk Unix-Like DAoǥDbP@ӦaAGbnxWUBIsM󪺺|}QoGAΪ̬Oݭni@B~]wɭԡA O_H@wn{ܡHMݭnA unzLsuӥDWANiHiu@FIuNnbùeu@@몺Pr֡I^_^IoNOݳsuAաIݳsuA\M٤upI|ӨҤlӻGzu@ݭnϥΨ Linux jjsĶ\ɡAz@wݭn Linux aIӥB̦nOBtק֤@IDAoӮɭԱziHNzsdz̧֪@D}XӡA]w@UݳsuAAzǥͰաAΪ̬OsǪPաAiHzLoL̶isu@AoӮɭԡAzDNiHhHi Linux B⪺\աI
@
b@ɸ̡Aѩu Unix AӥBӤHq٤y檺ɭԡAQnϥΤjDӶiƭȵ{B(bڭ̤u{ɡA`ϥ Fortran o@{yAܩ C yhָI)ANݭnVǮճӽФu@bAåBHݳsu{siDAHϥ Unix 귽Ӷiڭ̪ƭȼҦBIҥHաAӻݳsuA]wA򥻤WAtκ޲zOܭnIרju@ Unix-Like DAѩܦhHݭnϥΨL CPU B֤ߥ\AΪ̬OLsĶ{( compiler )ӶiBAoɪݳsuNέnաI
@
O_C@sW Internet WDӭn}񻷺ݳsu\OHäɵMA٬OݭnwzDӶiWAڭ̩UAPu@ӻG
@
• A( Server )su{G

b@}ںAȪAAѩ}񪺪Aȥi|nTAӻݳsu{siDAiHi檺u@SӦhF(XGNbDeu@@I)A]ںݳsu{q`Ȱwֳtκ@̶}ӤwIDnA_h Server Dٯuij}suAȩOIHҡAڪDѤFڭ̬sǨϥ Mail P Internet W WWW AȡApG٥DʴѻݳsuܡAU@p߳QJIAiN˸FI]Aȶ}yܤpztκ޲zsiӡALӷ IP @ߩסI\ϥλݳsu\OI
@
• u@( Workstation )su{G

ܩu@pNAӤ@ˤFIu@``Ȱw鷺XӨϥΪ̶}ӤwAq`OƱsW Internet աIӥBҿתu@۵MNOΨӰuIҦp𫟺@ Linux NOMΨӶijƭȼҦpΡIoӮɭԪݳsuAiNonhHҰʤFI]u@jjB\iHܦhH@PϥΥLpOIӥB]iHKCqonw compiler ~ҡInDAYǤu{Ϊ compiler OQ
@
ثeݳsuADnǩOHثe̱`ݳsuADnHyXzǰeƪ telnet AAΥH[K޳Niʥ][KӶǰe SSH AIM telnet iH䴩 client ݪnhALѩLOϥΩXӶǰeơAܮeD즳ߤHh^IҥHӧڭ̳I~jahϥ SSH o@سsu觋Aӱ˱ telnet oӤwNNoIUڭ̴NOӽͤ@ͳoسsuAaI
@
nFA򤰻OyXzOH telnet ϥΩXNwHҿתXNOGڭ̪ƫʥ]bWy«ɡAӸƫʥ]eƪl榡AҦpڭ̦b telnet UFOPKXA|H ASCII 榡ǰeDݡAӥDݴNǥѳoǸƨӤUFOCnFAQ@QApGoǸƫʥ]bgLY broadcast Ϊ̬O Router ɡAQߤHhhALN|㪺ozƳIҥHաAU@zƫʥ]̭tHΥdơBKXBT{nTɡAO_ܦMIoHI]Aثeڭ̳q`ƱϥΥiHNoǦbW]ƥ[K޳NAHW[Ʀb Internet WǰewʰڡI

D telnet OܡHxINOs BBS uܡHIKKISILT]O BBS n@ӦAաILo̧ڭ̼Ȥ BBS I telnet iHOv۷y[ݳsuAIӥB䴩Ln]۷hIҦpW netterm N䴩LաIsu᪺ɭ]}GAb client ݪǿPJ]SDI۷ΡILAL̳·ЪaNO.....wӤwա
@
Uڭ̽ͤ@ͫҰʻPϥ telnet AaI


---

telnet AGwˡBҰʻPA
@
wˡG
pҥ Telnet oӦnΪAOHAM@wnwoIѩ~ӥѩ telnet OHXbǿ骺DAҥHbs Linux WAwgN telnet oӦAưbyoWz~A]NOAܦh Linux distributions w]Ow telnet ALAbCӥDn Linux distributions ٬O telnet MbзIҥHznX쪩СAåBw˦nLANiHաIpT{O_wgwˤF telnet OH²檺kNOϥγ̼sxQϥΪ RPM աI
@

[root@test root]# rpm -qa | grep telnet telnet-server-krb5-1.2.5-1mdk telnet-client-krb5-1.2.5-1mdk # WO Mandrake 9.0 dҡFΩUO Red Hat 7.2 d telnet-0.17-20 telnet-server-0.17-20

@
ݭnSOdNOApGn telnet suAȡAq`ݭnw˨ RPM G
@
1. @ӬO telnet-client ( telnet)AoӮM󴣨ѪO telnet Τݪsu{F
2. t@ӬO telnet-server MAoӤ~Ou Telnet server nI
@
ҥHApGztΤW䤣쵥@Un]w telnet ]wɡA֩wNOSw telnet աIЮXzФAM mount A򪺦w˥LaI_hNLkiU@B]wաI ^_^
@
ҰʻPG
ٰOoy Linux pе -- ¦Dz߽gz̭y{ѪA ( daemon )zӳ`aIHnOo super daemon IHSաAڭ̪ telnet NOb super daemon U@AȦӤwIөNNNOW xinetd oI( GbYªMW]ϥ inetd AҰʪ觋IӤ@ˡALtjաIuno򥻪`ѡAN|DoIҥH~|njaŪ Linux ¦g աI ) Ұʪ觋NOG
@
(1)N xinetd ̭ telnet ض}ҡAM
(2)sҰʤ@ xinetd N\աI
@
p} telnet ةOH²AӤ觋G
@
1. ϥ ntsysv chkconfigG

ٰOopU ( Red Hat ) ̭ ntsysv oӦnΪFܡHFAb Red Hat Uo@ӦnΪ]wuAziHϥ ntsysv X{AN telnet Ŀ_ӡAMU OK }YioI
@
2. ϥ vi ק /etc/xinetd.d/telnet oɮסG

pGO Red Hat Linux tΩOH򥻤WA ntsysv ]uOק /etc/xinetd.d oӥؿUƦӤwAҥHڭ̷MiHʦۤvקLաI

[root@test root]# vi /etc/xinetd.d/telnet # default: on # description: The telnet server serves telnet sessions; it uses \ #       unencrypted username/password pairs for authentication. service telnet {       disable = yes<==NOo̡AN yes 令 no YiI         flags           = REUSE         socket_type     = stream         wait            = no         user            = root         server          = /usr/sbin/in.telnetd         log_on_failure  += USERID }

ݨFSIHunN disable (N) ܦ no A]NOAYO}ҰաI
@
]w}ҤA۵MNOnҰʰաA责 telnet Ob xinetd UAҥH۵MunsҰ xinetd NN xinetd Y]wsŪiAҥH]wҰʪ telnet ۵M]NiHQҰʰաIӱҰʪ觋]ؤ觋A𫟺 service oӫOȤ䴩b Red Hat P Mandrake UAҥHq`٬OH /etc/rc.d/init.d U scripts ҰʪDnkաI
@

k@GȤ䴩 Red Hat Mandrake tΡG [root@test root]# service xinetd restart Stopping xinetd:                                           [  OK  ] Starting xinetd:                                           [  OK  ] kGGΪҰʤ觋G [root@test root]# /etc/rc.d/init.d/xinetd restart Stopping xinetd:                                           [  OK  ] Starting xinetd:                                           [  OK  ] # `NGYǪèS restart ﶵAoӮɭԴNݭnG # stop A start oI

@
nݦSҰʪAȩOHݡH]²աAٰOoڭ̦beX쪺y Linux port su z@ܡHϥ netstat NiHաI
@

[root@test root]# netstat -tl Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address           Foreign Address         State tcp        0      0 *:ssh                   *:*                     LISTEN tcp        0      0 *:telnet                *:*                     LISTEN

@
ݨFܡHSA telnet NOҰʪذաI( o̦Ҥ@ӰDA port AȦW٦b@ɮ׸̭dߨ쪺OHbC@ Linux tγɮIѰOFrIHA^eݬ Linux port su AM vi hݬݨ@ɮתeaI ^_^ )npOHINuO²աINN𫍧BJA@AӱN]wܤ@UYiIBJpUաI
@

step 1: ק@U /etc/xinetd.d/telnet ɮסG [root@test root]# vi /etc/xinetd.d/telnet # default: on # description: The telnet server serves telnet sessions; it uses \ #       unencrypted username/password pairs for authentication. service telnet {       disable = no<==NOo̡AN no 令 yes YiI         flags           = REUSE         socket_type     = stream         wait            = no         user            = root         server          = /usr/sbin/in.telnetd         log_on_failure  += USERID } step 2: sҰ xinet YiG [root@test root]# /etc/rc.d/init.d/xinetd restart

@
o˴NաI²aI
@


---

telnet ΤݡGnΪsun
@
W쪺ObAݪ]wӤwIbȤݦnΪniHsW Server OH̱`쪺ӴNO netterm oӹjWsunFaIڷQAunL BBS jooӳn~IҥHo̴NFIt~AثeXGҦ@~tγѤF telnet oӵ{Aoӵ{iHNsW telnet server OIҦpznb Linux WsWۤv telnet AAiHo˰G
@

[root@test root]# telnet localhost Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. Red Hat Linux release 7.2 (Enigma) Kernel 2.4.18 on an i586 login: test <==Jb Password: <==JKXЪ`NIKXä|bùWܥ󪺦r Last login: Thu Oct  3 11:59:29 from test_inside   <==ܤWnJ} You have new mail.  <==ۤWnJHӡAO_HcsHIH [test@test test]$  <==o̴NiJF telnet su{ǷFI [test@test test]$ exit  <==}o telnet nJI

@
o˴NsuiӰաI²aIb Windows ҩUOHP˪A]OiHϥ telnet {su Linux telnet server ̭ӡISDաIiḨdzo˰G
@
1. U Windows y}lz
2. yz
3. bX{J ytelnet your.IP.or.hostnamez
@
o˴NiHiJ Linux ҤFIܤKaIMաIz]iHϥ netterm oӫܴΪsunӳsuAo̧ڭ̴NܽdաIpGQnb Linux ׺ݾݨ줤OHIIoNݭn JMCCE oӮM󪺤䴩FIаѦҡGLinux `ΫOФ׺ݾ夶C
@


---

telnet wʡGiptables, TCP_Wrappers, «ij,
@
telnet oӦAKkKA`O@ӤӦnsuѨMA]LO@ӥHyXzǿ骺wAOyXzOH²檺Azϥ telnet ɭԡAz`O|bùWJƧaIH²檺ҤlANOz`OnnJ telnet DeaIz`OݭnJbPKXaHDzƫ~iT{IoӮɭԡAzƴN|gL telnet oӨwӶǿDWAoӶǿɭԪư򥻤WOS[KLA]NO ASCII XNNIp@ӪܡAunߤHhbY router Ihťzʥ]AӥBNӸƫʥ]UӡAiŪu@AIzbPKXNQFIҥHU@AOHNiHQαzbPKXFܦMI藍OܦMII~A telnet ѩӦѵPFAܦhbȵ{wggF}Ѫ觋AҥHҰʤA]ܦMIաI]bOijnҥ telnet ILצpAǪBͥѩ³n骺YA٬OݭnϥΨ telnet ӳsuAڭ̴N@ǰ򥻪`NƶnFI
@
• H]wɨӳWdsu IP G

ƹWA xinetd o super daemon Ѫdz\O@IFAziHwzDh(鷺Hι~I)ӴѤPO@ŪIIUCX@ӽdҡALAhTЦA^y Linux pе -- ¦Dz߽gzhd\@Uy{ѪA z@̭Բӳ]waI

[root@test root]# vi /etc/xinetd.d/telnet # This file had been modified by VBird 2002/11/04 # First is about inside the network service telnet {         disable         = no         bind            = 192.168.1.2         only_from       = 192.168.1.0/24          # Wo满ȴѤI         instance        = UNLIMITED         nice            = 0         flags           = REUSE         socket_type     = stream         wait            = no         user            = root         server          = /usr/sbin/telnetd         server_args     = -a none         log_on_failure  += USERID } # Second is about the outside domain's settings service telnet {         disable         = no         bind            = 140.116.142.196         only_from       = 140.116.0.0/16         no_access       = 140.116.32.{10,26}          # WoT]w~Y檺         instance        = 10         umask           = 022         nice            = 10         flags           = REUSE         socket_type     = stream         wait            = no         user            = root         server          = /usr/sbin/telnetd         server_args     = -a none         log_on_failure  += USERID }

@
• root ઽH telnet sWDG

JM telnet OܦwA۵Mw]pUNOLk\ root H telnet nJ Linux DIOAƹWA telnet uOQΤ@ǸwӨ root nJӤwҥHoApzTwzҰw(ҦpzDèSsW Internet )AåBQn} root H telnet nJ Linux DܡAЪN /etc/securetty ɦWYiI

[root@test root]# mv /etc/securetty /etc/securetty.bak

oˤ@ӡAroot NiHnJաILA۷ijo˰IOܦwաI~Az]iHǥѭק pam ҲըӹFP˪\Iק /etc/pam.d/login oɮתĤG]wYiG

[root @test /root]# vi /etc/pam.d/login #%PAM-1.0 #auth       required     /lib/security/pam_securetty.so  # NWo@[W # ѱI auth       required     /lib/security/pam_stack.so service=system-auth auth       required     /lib/security/pam_nologin.so account    required     /lib/security/pam_stack.so service=system-auth password   required     /lib/security/pam_stack.so service=system-auth session    required     /lib/security/pam_stack.so service=system-auth session    optional     /lib/security/pam_console.so

p@ӡA root NiHiJ Linux DFILA٬OijpI
@
• [W iptablesG

w telnet [] iptables O@ӦnDNIpGzwgѦҤFe`쪺y²[]z@AåBϥθ̭ scripts ܡA򤣥ξ telnet աI򥻤WAL쥻Nȹ鷺} telnet A~OLksWz telnet IOAYOzۤv]wFۤvAQnw 192.168.0.0/24 oӺA 61.xxx.xxx.xxx o IP i telnet }OHiHW[oXbz iptables Wh(Ъ`NG𪺳WhǬOܭnIҥHA^Yݬ ²[] @OnI)

/sbin/iptables -A INPUT -p tcp -i eth0 -s 192.168.0.0/24 --dport 23 -j ACCEPT /sbin/iptables -A INPUT -p tcp -i eth0 -s 61.xxx.xxx.xxx --dport 23 -j ACCEPT /sbin/iptables -A INPUT -p tcp -i eth0                   --dport 23 -j DROP

WWhAĤ@BGOwӷ IP Ӷ} port 23 YO telnet wաIӳ̫@hONLҦӷAQnsW telnet suʥ]ᱼNIˡI²aI
@
• [W /etc/hosts.allow(deny) G

𪺾OVhVnIû]hաIo̤]iHϥ TCP_Wrappers OIO}F 192.168.0.0/24 oӺqAOpGzuQn𫟺 192.168.0.1 ~ 192.168.0.5 iJOHӨL IP un@gsuAN|QO IP AH root dߩOHiHo˰G

[root@test root]# vi /etc/hosts.allow in.telnetd: 192.168.0.1, 192.168.0.2, 192.168.0.3, 192.168.0.4, 192.168.0.5: allow [root@test root]# vi /etc/hosts.deny in.telnetd : ALL : spawn (/bin/echo Security notice from host `/bin/hostname`; \  /bin/echo; /usr/sbin/safe_finger @%h ) | \  /bin/mail -s "%d -%h security" root@localhost & \  : twist ( /bin/echo -e "\n\nWARNING connectin not allowed. Your attempt has been logged. \n\n\nĵiz|\nJAzsuN|QAåB@H᪺Ѧ\n\n ". )

ԲӪ TCP_Wrappers ΪkаѦ ²[] @oI
@
• ijƶG

uA telnet uOܦwI²ӻyMIzŪAȡAҥHɶqnҰʥLաG
1. DnɡAnҰ telnet ApGuݭnҰ telnet A]ЦbҰʨåBϥΧAߧYNLI
2. pGTwunҰ telnet ɡAнTwnsudAϥ iptables ӳ]wsuϰF
3. [W TCP_Wrappers UA[j𪺥\I
4. Hɪ`Nnɮ׸̭ login ƶIåBn root H telnet nJ Linux DI

JM telnet OܦwAڤSݭnHݳsuAȨӾޱڪ Linux DAӫrIH̦nkMNOHwsuרӸѨMsuDoIӦpѨMo˪DOHo]աAϥ SSH YiC SSH OOHLS\H²檺ӻASSH O Secure SHell protocol ²gALiHgѱNsuʥ][K޳NAӶiƪǻA]AƷMNwoIo SSH iHΨӨN Internet Ww finger, R Shell (rcp, rlogin, rsh O), talk telnet suҦCUڭ̱N²@U SSH suҦAӻ SSH |wOI
@
SO`NGo SSH wAbw]AANѨӦA\G
@
1. @ӴNO telnet ݳsuϥ shell AAYOU٪ ssh F
2. t@ӴNO FTP AȪ sftp-server Iѧw FTP AȡC
@


---

su[K޳N²G
@
򥻤WA[K޳Nq`Oǥѩҿתy@綠_Pp_zYyPublic and Private keyszӶi[KPѱKʧ@IpUϩҥܡA SSH ADҰʸӪAȤADݷ|ͤ@䤽_AӨӤHqz ( client )AbiP server suɡAiHǥ Client Hۦ沣ͪp_Ӵ server suΡA]iHǥ server Ѫp_ӶisuIoӻPisuɿܪ[KA@Uڭ̦AI @
@
bWϥܤAڭ̥iHDAƥ Server ݶǰe Client ݮɡAoǸƷ|gLy_, Public KeyzӶi[K欰AҥHAbǿ骺L{AoǸƥOgL[KA]AYϳoǸƦb~QIɡAn}ѳoǥ[KơA٬OonOWn@qɶC򵥳oǸgL_[Kƶǰe Client ݤANiHǥѩҿתyp_, Private KeyzӶiѱKʧ@Cݭn`NOAoǤ_Pp_bC@qW@ˡAҥHAzP Server suLHӻAOh}ѪOIoǤ_Pp_Op󲣥ͪOHUڭ̨ӽͤ@ͥثe SSH تsuҦoI

• SSH protocol version 1G

C@DiHϥ RSA [K觋Ӳͤ@ 1024-bit RSA Key Ao RSA [K觋ADnNOΨӲͤ_Pp_tkIo version 1 ӳsu[KBJiH²檺oݡG
1. C SSH daemon (sshd) ҰʮɡAN|ͤ@ 768-bit _(κ٬ server key)sb Server F
2. Y client ݪݨDǰeӮɡA Server N|No@䤽_ǵ client A Client ǥѤ糧 RSA [K觋ӽT{o@䤽_F
3. b Client o 768-bit server key AClient ۤv]|Hͤ@ 256-bit p_(host key)AåBH[K觋N server key P host key X@䧹㪺 Key AåBNo Key ]ǰe server F
4. AServer P Client bosuANHo@ 1024-bit Key ӶiƪǻI
MաA] Client ݨC 256-bit Key OHAҥHzosuPUsu Key iN|@˰աI
@
• SSH protocol version 2G

P version 1 POAb version 2 NA server key FAҥHA Client ݳsu Server ݮɡA̱Nǥ Diffie-Hellman key t觋Ӳͤ@Ӥɪ Key A̱Nǥ Blowfish t觋iPBѱKʧ@I
@
C@ sshd ѳoӪsuAӨMwoؼҦsuANݭnb client ݳsuɿܳsuҦ~T{Cثew]pUA|۰ʨϥ version 2 suҦIӥѩڭ̪suƤAgLFo Public P Private Key [KBѱKʧ@AҥHbǰeL{AMNwhoI(Gثeϥ SSH ӳsuɡAijϥ version 2 tkI)
@


---

Ұ ssh AȡG
@
ƹWAbڭ̨ϥΪ Linux tηAw]Nwgt SSH ҦݭnMFIo]tFiHͱKXw OpenSSL MP OpenSSH MAҥHOAnҰ SSH uO²FINLҰʴNOFI~Abثe Linux Distributions AOw]Ұ SSH AҥH@I·СA]Υh]wALNwgҰʤFIzIuOn֡LצpAڭ٬Oo@oӱҰʪ觋aIҰʴNOH SSH daemon A²٬ sshd ӱҰʪAҥHAʥiHo˱ҰʡG
@

[root@test root]# /etc/rc.d/init.d/sshd start [root@test root]# service sshd start [root@test root]# netstat -tl Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address           Foreign Address         State tcp        0      0 *:ssh                   *:*                     LISTEN

@
Wؤ觋iHʱҰ sshd oӪAȡIMϥ netstat -tl ݬݯणݨ ssh AȦbťOIHpGX{FW@rANܱz SSH wgTҰoIouO²FaISAOLNOo²
@
ڭnpb}ɭԴNҰʳo sshd OHpGO Red Hat tΡAiHϥ ntsysv o{A Mandrake iHϥ chkconfig oӵ{Iܩ OpenLinux hiH /etc/sysconfig/daemons hݬݳI
@
oӤ觋ȾAXbwg OpenSSH Linux Distributions ApGH Red Hat 6.x ҡALèSw]ϥ SSH HOߡAiHѦҤ@UUoӳegLAԲӪϥ tarball w˪BJOI

ϥ Tarbal w SSH HΤɯ SSH i|J쪺D
(http://vbird.org.cn/linux_server/0310telnetssh/0310telnetssh-2.php)

ݭn`NOA SSH ѤF shell ڭ̨ϥΡAYO ssh protocol DnتAPɥ紣ѤF@Ӹw FTP server AYO ssh-ftp server ڭ̷O FTP ӨϥΡIҥHAo sshd iHPɴ shell P ftp IӥBO[cb port 22 WOIҥHAUڭ̴NӴ@A˥ Client ݳsW Server ݩOHPɡApH FTP AȨӳsW Server åBϥ FTP \OH
@


---

ssh ΤݳsuG
@
ѩ Linux P Windows oӥΤݪ Client sunä@ˡAҥHڭ̤ӳӻG

• Linux ΤG ssh

b Linux Τݤ譱Aڭ̥DnH ssh i@suAӥH sftp i FTP ϥγsuIO²pUG
@

ssh @suϥΤ觋G [root@test root]# ssh user@hostname [root@test root]# ssh -l test test.linux.org Connecting to test.linux.org... The authenticity of host 'test.linux.org (192.168.1.100)' can't be established. RSA key fingerprint is 46:cf:06:6a:ad:ba:e2:85:cc:d9:c4:8d:15:bb:f3:ec. Are you sure you want to continue connecting (yes/no)? yes <==пJ yes I Warning: Permanently added 'test.linux.org,192.168.1.100' (RSA) to the list of known hosts. test@test.linux.org's password:    <==пJ test oӨϥΪ̪KXI

@
o̽ЯSOdNOApGHy ssh hostname zoӫOӳsiJ hostname oӥDɡAhiJ hostname oӥDybW١zN|OثezҦboҷϥΪ̱bIHWҡA]ڬOH root bAҥHpGڰFy ssh host.domain.name zɡA host.domain.name oDAN|H root ڶiKXT{nJʧ@I]AFקKo˪·СAq`ڳOH²檺 e-mail gkӵnJ𫍧DAҦpyssh user@hostname zYܡAڬOH user oӱbhnJ hostname oDNCMA]iHϥ -l username o˪ΦӮѼgInJDALҦ欰b Linux DSˡҥHAuO²aI ^_^ o˴NiHF컷ݱޥDتFI~Abw]pUA SSH Oy\zH root nJzIIOnְաI~AЯSOdNOAzns𫍧DɡApGOsA Server |ݱzAzsu Key |QإߡAnn Server ǨӪ Key Aëإ߰_suOHIoӮɭԽСyȥnJ yes ӤO y YzAo˵{~|I
@
~A] ssh o{w]|NDݪ public key OUӡAmb /home/youraccount/.ssh/known_hosts AHQӪsuΡCLAѧڭ̭su[KQAiHo{b SSH Ds}A Public Key |۰ʪsAҥHAz SSH DgLs}Aӱz Client AH ssh o{suɡAN|o{pU~G
@

[root@test root]# ssh user@hostname @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that the RSA host key has just been changed. The fingerprint for the RSA key sent by the remote host is 6e:1a:60:d0:ee:d0:7c:91:df:94:de:09:35:7b:08:ba. Please contact your system administrator. Add correct host key in /root/.ssh/known_hosts to get rid of this message. Offending key in /root/.ssh/known_hosts:8 RSA host key for hostname has changed and you have requested strict checking. Host key verification failed.

@
oӿ~TbiDzAWҵn SSH D Keys wgQLF(̥i઺]NOs}աI)AҥHLk~nJIoӮɭԫH²ڡIiJzaؿ ~/.ssh ̭As@U known_hosts ANsDW٪ Key LANiHssuաI
@
pϥ SSH FTP \OH]OܮeաINOϥ sftp o{YiIӵnJ觋P ssh ۦPAOϥ sftp -l username hostname Ϊ̪H sftp user@hosname ӮѼgI椧|UҼˡG
@

sftp @suϥΤ觋G [root@test root]# sftp test@test.linux.org test@test.linux.org's password:    <==пJ test oӨϥΪ̪KXI sftp>  <==ݱzJOI

@
iJ sftp ANb@ FTP ҦUާ@kSˤFIUڭ̴Nӽͤ@͡A sftp oӤUϥΫOaI
@

wﻷD(Server)欰
ܴؿ /etc/test ΨLؿ	cd /etc/test cd PATH
CXثeҦbؿUɮשΥؿ	ls dir
إߥؿ	mkdir directory
Rؿ	rmdir directory
ܥثeҦbؿ	pwd
ɮשΥؿs	chgrp groupname PATH
ɮשΥؿ֦	chown username PATH
ɮשΥؿv	chmod 644 PATH 𫟺A644 PvI^hݰ¦gI
إ߳s	ln oldname newname
RɮשΥؿ	rm PATH
ɮשΥؿW	rename oldname newname
}ݥD	exit bye
w糧(Client)欰([W l, L pg )
ܴؿ쥻 PATH	lcd PATH
CXثeҦbؿUɦW	lls
bإߥؿ	lmkdir
ܥثeҦbؿ	lpwd
ɮ׶ǿ
NɮץѥWǨ컷ݥD	put [ؿɮ] [] put [ؿɮ] pGOoخ榡Ahɮ׷|mثeݥDؿUI
NɮץѻݥDU^	get [ݥDؿɮ] [] get [ݥDؿɮ] YOoخ榡Ahɮ׷|mbثeҦbؿIiHϥθUΦrAҦpG get * get *.rpm OiH榡I

@
NӨA sftp b Linux UApGҼ{ϧΤALwgiHN FTP FOI]Ҧ\ೣwg[\աI]AbҼ{ϧΤ FTP nɡAiH FTP AȡAӧH sftp-server Ӵ FTP AȧaI ^_^

• Windows ΤG

b Linux Uwg ssh FApGb Windows UOHӫHIoӥiHϥ putty osunOAL]OKOnIo觋iHѦҩUG

xGhttp://www.chiark.greenend.org.uk/~sgtatham/putty/
Ghttp://beta.wsl.sinica.edu.tw/~ylchang/putty/

nFAnoXӵ{OHun putty.exe psftp.exe o{NFIOΨӵnJ shell FTP OI

• puttyG

b Windows UA檺ϥܦIUoˡG

oӮɭԽЪ`NAѩڭ̤wNTwXӥDIPOUӡAҥHbo̧ڭ̻ݭni@ǰ򥻪]w~IbWϤAڭ̻ݭngG
(1)HostName(or IP address) @A
(2)Saved Sessions ӦnOWrA
(3)åB SSH ӿﶵ~I
Hڪϰ줺ҡAڥiHgoӼҼˡG

ФdUOoAgA@wnUk䪺ySavezAo˱z]w~|QOUӳIۤUӡAڭ̭n]wOCnJɭԡA|iOءAҥHAziHb䪺eWUyLoggingzMNk䪺yAlways append to the end of itzAoˤ~|CnJɭԡAtγnݱz@AO_ݭnOI

ۤUӡAڭ٥iHվ putty ùjpOIHUϬҡAڳ]wڪnJe 40 P 100 ӦrIo˪e_DzΪ 24 * 80 njhAݰ_Ӥ]ΪANOF㨺򨺭 1000 ܧڪb 1000 檺AiHKکedߩOI

վ㧹FùjpAAӳoO̭nGyznH@Ӫ SSH tknJHIzeLAڭ̹w]OH version2 ӵnJAҥHo̧ڭ̥iHվ㬰 2 ӶءIo˨CnJ|H version 2 ҦnJDFI

nFAwg]wFAAӷMSOnOoIҥHЦ^ySessionz]w̭AAU@ySavezAoӮɭԦbjخشN|X{zJOW١AMAHnnJ SSH DɡANLIU test.linux.org (NOzۦ]wW)ANiHiJzI諸DoI

putty jPWy{NOoˡIp@ӡAzNiHb Windows WH SSH wAnJݪ Linux DPIKaI ^_^ IpG٭nL]wANק Saved Sessions P HostName oӶءAMAL Save AKKINSh@ӳ]wȤFIӥB٬O𫍧]wȬۦPIܮe]wաIpGQn䴩ܡAثe putty wg䴩աIziHJILݭnק@UrAܥeywindowzءAÿܡyAppearancez]weA]wG

bX{WخؤAܥkĤGӶؤyChangezhקrܡG

N(1)r]wө(2)r]wyBig5zAp@ӡAz putty N䴩媺JoI ^_^

• psftpG

o@{IhObH sftp suW Server Csu觋iHI psftp oɮסALҰʡAh|X{UϼˡG

psftp: no hostname specified; use "open host.name" to connect psftp>

oӮɭԥiHJznsWhDW١AҦpڪϰ줺 test.linux.org oӥDG

psftp: no hostname specified; use "open host.name" to connect psftp> open test.linux.org login as: test Using username "test". test@test.linux.org's password: Remote working directory is /home/test psftp>

Io˴NnJDաI²aIMLϥΤ觋e쪺 sftp @˭I[oϥΧaI
@


---


Բӳ]w sshd A
@
򥻤WAҦ ssh ]wb /etc/ssh/sshd_config ̭ILAC Linux distribution w]]wӬۦPAҥHڭ̦nAѤ@Uӳ]wȪNq~nI
 

# 1. SSH Server ]wA]tϥΪ port աAHΨϥΪKXt觋 Port 22@@@@@@@@@@# SSH w]ϥ 22 o portAz]iHϥΦh port I @@@@@@@@@@@@@ # Yƨϥ port oӳ]wاYiI Protocol 2,1@@@@@@@ # ܪ SSH wAiHO 1 ]iHO 2 A @@@@@@@@@@@@@ # pGnPɤ䴩̡ANnϥ 2,1 oӤjFI #ListenAddress 0.0.0.0@@ # ťDdI|ӨҤlӻApGz IPA @@@@@@@@@@@@@ # OO 192.168.0.100 192.168.2.20 AuQn @@@@@@@@@@@@@ # } 192.168.0.100 ɡANiHgpPU˦G ListenAddress 192.168.0.100          # uťӦ 192.168.0.100 o IP SSHsuC @@@@@@@@@@@@@@@@@@ # pGϥγ]wܡAhw]Ҧ SSH PidFile /var/run/sshd.pid@@@@@@# iHm SSHD o PID ɮסICw] LoginGraceTime 600@@@@ # ϥΪ̳sW SSH server A|X{JKXeA @@@@@@@@@@@@@ # bӵeAbh[ɶS\sW SSH server A @@@@@@@@@@@@@ # N_uIɶI Compression yes@@@@@@# O_iHϥYOHMiHoI @ # 2. D Private Key mɮסAw]ϥΤUɮקYiI HostKey /etc/ssh/ssh_host_key@@@@# SSH version 1 ϥΪp_ HostKey /etc/ssh/ssh_host_rsa_key@@# SSH version 2 ϥΪ RSA p_ HostKey /etc/ssh/ssh_host_dsa_key@@# SSH version 2 ϥΪ DSA p_ # 2.1 version 1 @dz]wI KeyRegenerationInterval 3600@ @@@# ѫesuiHDA version 1 |ϥ  @@@@@@@@@@@@@@@@@@ # server Public Key ApGo Public  @@@@@@@@@@@@@@@@@@ # Key QܡAZJHҥHݭnCj@qɶ @@@@@@@@@@@@@@@@@@ # ӭsإߤ@Io̪ɶI ServerKeyBits 768 @@@@@@@@@ # SIoӴNO Server key סI # 3. nɪTƩmP daemon W١I SyslogFacility AUTH@@@@@@@@@# Hϥ SSH nJtΪɭԡASSH|O @@@@@@@@@@@@@@@@@@ # TAoӸTnOb daemon name UH @@@@@@@@@@@@@@@@@@ # w]OH AUTH ӳ]wAYO /var/log/secure @@@@@@@@@@@@@@@@@@ # ̭IHѰOFI^ Linux ¦h½@U @@@@@@@@@@@@@@@@@@ # LiΪ daemon name GDAEMON,USER,AUTH, @@@@@@@@@@@@@@@@@@ # LOCAL0,LOCAL1,LOCAL2,LOCAL3,LOCAL4,LOCAL5, LogLevel INFO@@@@@@@@@@@@# nOšIKKITI @@@@@@@@@@@@@@@@@@ # P˪AѰOFN^hѦҡI # 4. w]wءInI # 4.1 nJ]w PermitRootLogin no@@ @@# O_\ root nJIw]O\AOij]w noI UserLogin no@@@@@@@ # b SSH UӴN login oӵ{nJI StrictModes yes@@@@@@# ϥΪ̪ host key ܤAServer NsuA @@@@@@@@@@@@@ # iH׳차{I #RSAAuthentication yes@@ # O_ϥίª RSA {ҡIHȰw version 1 I PubkeyAuthentication yes@ # O_\ Public Key HM\աIu version 2 AuthorizedKeysFile      .ssh/authorized_keys @@@@@@@@@@@@@ # WoӦb]wYnϥΤݭnKXnJbɡA򨺭 @@@@@@@@@@@@@ # bsɮשҦbɦWI # 4.2 {ҳ RhostsAuthentication no@@# tΤϥ .rhosts A]Ȩϥ .rhosts @@@@@@@@@@@@@ # wFAҥHo̤@wn]w no I IgnoreRhosts yes@@@@@ # O_ϥ ~/.ssh/.rhosts Ӱ{ҡIMOI RhostsRSAAuthentication no # oӿﶵOM version 1 ΪAϥ rhosts ɮצb @@@@@@@@@@@@@ # /etc/hosts.equivtX RSA t觋Ӷi{ҡInϥ HostbasedAuthentication no # oӶػPWALO version 2 ϥΪI IgnoreUserKnownHosts no@@# O_aؿ ~/.ssh/known_hosts oɮשҰO @@@@@@@@@@@@@ # DeHMnAҥHo̴NO no աI PasswordAuthentication yes # KXҷMOݭnIҥHo̼g yes oI PermitEmptyPasswords no@@# YW@pG]w yes ܡAo@N̦n]w @@@@@@@@@@@@@ # no AoӶئbO_\HŪKXnJIM\I ChallengeResponseAuthentication yes  # Dԥ󪺱KX{ҡIҥHA login.conf  @@@@@@@@@@@@@@@@@@ # Ww{Ҥ觋AiAΡI #PAMAuthenticationViaKbdInt yes      # O_ҥΨL PAM ҲաIҥγoӼҲձN| @@@@@@@@@@@@@@@@@@ # ɭP PasswordAuthentication ]wġI @ # 4.3 P Kerberos ѼƳ]wI]ڭ̨S Kerberos DAҥHUγ]wI #KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes #KerberosTgtPassing no @ # 4.4 UOb X-Window UϥΪ]wI X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes # 4.5 nJ᪺ءG PrintMotd no              # nJO_ܥX@ǸTOHҦpWnJɶBaI @@@@@@@@@@@@@# Aw]O yes AOApGFwAiHҼ{אּ no I PrintLastLog yes@@@@@# ܤWnJTIiHڡIw]]O yes I KeepAlive yes@@@@@@ # @ӨApG]woتܡA SSH Server |ǰe @@@@@@@@@@@@@# KeepAlive T Client ݡAHTO̪su`I @@@@@@@@@@@@@# boӱpUA@ݦA SSH iHߨ訚DIӤ| @@@@@@@@@@@@@# ͵{Ǫo͡I UsePrivilegeSeparation yes # ϥΪ̪v]wءIN]w yes aI MaxStartups 10@@@@@@# Pɤ\Xө|nJsueHڭ̳sW SSH A @@@@@@@@@@@@@# O|JKXɡAoӮɭԴNOڭ̩ҿתsueաI @@@@@@@@@@@@@# boӳsueAFO@DAҥHݭn]w̤jȡA @@@@@@@@@@@@@# w]̦hQӳsueAӤwgإ߳supboQӷ # 4.6 ϥΪ̩ת]wءG DenyUsers *@@@@@@@ # ]wתϥΪ̦W١ApGOϥΪ̡ANO @@@@@@@@@@@@@# קaIYOϥΪ̡AiHNӱbJIҦpUCI DenyUsers test DenyGroups test@@@@@ # P DenyUsers ۦPIȩ״XӸsզӤwI # 5. SFTP AȪ]wءI Subsystem       sftp    /usr/lib/ssh/sftp-server

@
򥻤WAbztΤAyDnA_hФn /etc/ssh/sshd_config oɮת]wȡIz]w]pUq`OYK SSH O@FA]AiHݭnʥLIWȬObjaAѨCӲӶ@ǰ򥻤eӤwIݭn`NO̫@ApGz@N} SFTP ܡAN̫@ѱYiI
@
t~ApGzקLWoɮ(/etc/ssh/sshd_config)ANݭnsҰʤ@ sshd o daemon ~IYOG
/etc/rc.d/init.d/sshd restart
@


---

s@αKXiߧYnJ ssh ΤG
@
xIJM SSH iHϥ Key ӤơAåBѨϥΪ̸ƪ[K\AiiQγo Key NѨϥΪ̦ۤviJDAӤݭnJKXOHInDNIڭ̥iHN Client ͪ Key L Server AҥHAH Client nJ Server ɡAѩ̦b SSH nsuTǻANwgL Key FA]AiHߧYiJƶǿ馉AӤݭnAJKXOIb@WBJiHOG

1. Ab Client Wإ Public Key Private Key o_͡AQΪO ssh-keygen oөROF
2. AӡAN Private Key b Client WaؿAY $HOME/.ssh/ AåBקvȦ User iŪAF
3. ̫AN Public Key b@ӱzQnΨӵnJD Server ݪY User aؿ .ssh/ ̭{ɮקYiӵ{ǡC

OnܧxˤlABJu²Aڭ̨̧ǨӶi@~nFI
]eG
a. Server test.linux.org o 192.168.0.2 DAϥΪ User test oӱbF
b. Client test2.linux.org o 192.168.0.100  PC test2 oӱbALnΨӵnJ 192.168.0.2 oD test oӱbC
]NOAڦb 192.168.0.100 o test2 AOڷQH test nJ 192.168.0.2 oDAåBƱ椣nϥαKXIo˥iHAѤjeFܡHnFAڭ̴N@B@Bӧ@aI

1. b Client ݫإ Public P Private Key G

إߪkuO²줣Ib 192.168.0.100 o Client WAH test2 oӱbAϥ ssh-keygen oӫOӶi Key ͧYiILAݭn`NOA version 1 P version 2 ϥΪKXt觋PA~A version 2 ѨӱKXt⪺kAڭ̳o̶Ȱw version 2 RSA oӺtki满I

[test2@test2 test2]$ ssh-keygen -t rsa  <==oӨBJb Keys Generating public/private rsa key pair. Enter file in which to save the key (/home/test2/.ssh/id_rsa): Enter passphrase (empty for no passphrase): <==o̫ Enter Enter same passphrase again:            <==A@ Enter Your identification has been saved in /home/test2/.ssh/id_rsa. <==oOp_ Your public key has been saved in /home/test2/.ssh/id_rsa.pub.<==oO_ The key fingerprint is: c4:ae:d9:02:d1:ba:06:5d:07:e6:92:e6:6a:c8:14:ba test2@test2.linux.org `NG -t OyϥΦرKXt觋Hzѩڭ̨ϥ RSA A ҥHJ -t rsa Yiإߨ Keys I ~Aإߪ Keys mbaؿU .ssh oӥؿI ݤ@Uo Keys aI [test2 @test2 test2]$ ll ~/.ssh total 12 -rw-------    1 test2    test2         887 Nov 12 22:36 id_rsa -rw-r--r--    1 test2    test2         233 Nov 12 22:36 id_rsa.pub -rw-r--r--    1 test2    test2         222 Oct 31 11:20 known_hosts

Ъ`NWAڪO test2 AҥHڰ ssh-keygen ɡA~|bڪaؿU .ssh/ oӥؿ̭ͩһݭn Keys AOOp_(id_rsa)P_(id_rsa.pub)Ct~@ӭnSO`NNO id_rsa ɮvաILnO -rw------- ~nI_heQHaDFAz Keys Ni~FHҥHЯSOdNLvI򨺭 id_rsa.pub hOy_IzoɮץnQm Server ݤ~I
@
2. b Client ݩmp_G

bw]󤤡Aڭ̪p_ݭnmbaؿU .ssh ̭ApGO version 2 RSA tkANݭnmb $HOME/.ssh/id_rsa IxInϥ ssh-keygen NOwgͦboӥؿUFAҥH۵MNݭnhվLFIHڪ test2.linux.org ӬݡAڪɮ״N|mb /home/test2/.ssh/id_rsa oɮ״NOp_աI
@
3. b Server ݩmiHnJ_G

JMڭ̭n test2 iHH test oӱbnJ test.linux.org oDAoD۵MݭnO test2 public key oI諸IҥHڭ̥ݭnN Client ݫإߪ id_rsa.pub ɮ׵L test.linux.org Y test oӨϥΪ̪aؿUIpGzٰOoW sshd_config oɮת]wܡAӴNOoyAuthorizedKeysFilezoӳ]waIOIbQnJDYӱbAL_mɮצWٹw]NOoӶةҰOIӥLw]ɦWNO authorized_keys oɮצWٰաIӫ򰵩OH

1. b Client ݥH sftp N_ test WhI [test2@test2 test2]$ cd ~/.ssh             <==ؿ [test2@test2 .ssh]$ sftp test@test.linux.org<==sDW Connecting to test.linux.org... test@test.linux.org's password:                <==J test KX sftp> put id_rsa.pub                        <==N_ Server WhI Uploading id_rsa.pub to /home/test/id_rsa.pub sftp> exit 2. Server WAN_s authorized_keys ɮפI [test@test test]$ cd ~/.ssh [test@test .ssh]$ cat ../id_rsa.pub >> authorized_keys

Ъ`NWIѩ authorized_keys iHOs۷h_eA]AiHϥ >> 觋ӱN Client ݪ_sWɮפIIo@B@A test2 NiHb test2.linux.org H

[test2@test2 test2]$ ssh test@test.linux.org

o˴NiHݭnJKXoIOЪ`NA test H test2 nJ test2.linux.org I

²檺BJaIoˤ@ӡANiHݱKXFILצpAznOoOA Server ݭnO Public Keys A Client ݪhO Private Keys IhӡAzٷQnnJLDɡAunNz public key ( NO id_rsa.pub oɮ )L copy LDWhAåBsWYb .ssh/authorized_keys oɮפII\I
@


---

w]wG
@
nFAw]w譱ASȱo`NOHMOաIڭ̥iHijXӶاaIOiHѡG

• /etc/ssh/sshd_config
• /etc/hosts.allow, /etc/hosts.deny
• iptables

oT譱ӵۤiIUڭ̴N@aI

• /etc/ssh/sshd_config

@ӨAoɮתw]شNwgܧƤFIҥHAƹWOӻݭnʥLIOApGzǨϥΪ̤譱U{AiHo˭ץ@ǰDOI

• T root nJGɭԡA\ root Hݳsu觋nJA|O@ӦnDNIҥHoZijjaN root nJvaIҥHAiHק /etc/ssh/sshd_config oɮתeG

[root@test root]# vi /etc/ssh/sshd_config PermitRootLogin no      <==NL令 no աI [root@test root]# /etc/rc.d/init.d/sshd restart

p@ӡAH root NH ssh nJoIo٬OnաI ^_^
@
• \YӸsյnJGǯSpAڭ̷QnϥΪ̥uϥ sendmail, pop3, ftp AOƱLiHݳsuiӡAziHo˰G

1. NoǨϥΪ̳kǦbY@ӯSsդUAҦp nossh oӸsզnFF
2. b /etc/ssh/sshd_config [Jo@GyDenyGroups   nosshz
3. sҰ sshd G /etc/rc.d/init.d/sshd restart
o˴NOKաI
@
• \YӨϥΪ̵nJG DenyGroups Aϥ DenyUsers YiIѦ sshd_config ]wI

• /etc/hosts.allow /etc/hosts.deny G

oF]O²檺աIѦҡG ²[] @oIMA²檺kNOG

[root@test /root]# vi /etc/hosts.allow sshd: 192.168.0.1, 192.168.0.2, 192.168.0.3, 192.168.0.4, 192.168.0.5: allow [root@test /root]# vi /etc/hosts.deny sshd : ALL : spawn (/bin/echo Security notice from host `/bin/hostname`; \  /bin/echo; /usr/sbin/safe_finger @%h ) | \  /bin/mail -s "%d -%h security" root@localhost & \  : twist ( /bin/echo -e "\n\nWARNING connectin not allowed. Your attempt has been logged. \n\n\nĵiz|\nJAzsuN|QAåB@H᪺Ѧ\n\n ". )

@
• iptables

hXhO@]ܦnIҥH]iHϥ iptables IѦҡG²[] @oI

򥻤WA SSH ZwAun root nJvADӴN|p@IաIҥHAMiHγ]w iptables AOijwXӺ]w@U /etc/hosts.allow P /etc/hosts.deny I[ooI

• OpenSSH xGhttp://www.openssh.com/
• OpenSSL xGhttp://www.openssl.org/
• putty xGhttp://www.chiark.greenend.org.uk/~sgtatham/putty/
• putty Ghttp://beta.wsl.sinica.edu.tw/~ylchang/putty/
• pputty Ghttp://www.csie.ntu.edu.tw/~piaip/prjs/pputty/

• Telnet P SSH OݳsuAAڭ̳|˨ϥ SSH קKϥ Telnet OH]bH
• йջ SSH b Server P Client ݳsuɪʥ][KF
• а SSH ]wɬO@ӡHpGڭnק root Lkϥ SSH suiJڪ SSH DAӦp]wHSApGn badbird oӨϥΪ̵LknJ SSH DAӦp]wH
• b Linux WAw] Telnet P SSH AϥΪf(port number)Uh֡H
• pGo{ڵLkb Client ݨϥ ssh {nJڪ Linux DAO Linux Do@`Ai઺]H(Bknown_hosts...)
• JM ssh Owƫʥ]ǰe觋AڴNiHb Internet W}ڪ Linux D SSH AȤFܡHIлzܪת]I

eѦҸѵ