Solaris 10(sparc)

pkginfo -l | grep ssh;pkginfo -l SUNWsshdr;pkgchk -v SUNWsshdr;

ssh,sshd,sftp,ssh-agent;

ssh_config;sshd_config;

ssh-keygen,sshd;

/etc/ssh/*;/usr/lib/ssh/*;/usr/bin/ssh*;$HOME/.ssh/*;

whatis ssh-keygen;man ssh-keygen;

 

 

1.ssh server 软件是否已安装及软件信息

# pkginfo -l | grep ssh
   PKGINST:  SUNWsshcu
   PKGINST:  SUNWsshdr
   PKGINST:  SUNWsshdu
   PKGINST:  SUNWsshr
   PKGINST:  SUNWsshu

#
# pkginfo -l SUNWsshcu
   PKGINST:  SUNWsshcu
     NAME:  SSH Common, (Usr)
  CATEGORY:  system
      ARCH:  sparc
   VERSION:  11.10.0,REV=2005.01.21.15.53
   BASEDIR:  /
    VENDOR:  Sun Microsystems, Inc.
      DESC:  Secure Shell protocol common Utilities
    PSTAMP:  on10ptchfeat20071025112509
  INSTDATE:  Dec 25 2009 15:19
   HOTLINE:  Please contact your local service provider
    STATUS:  全部安装
     FILES:      7 个已安装的路径名
                   4 个共享的路径名
                   4 目录
                   3 可执行文件
                   1 setuid/setgid可执行文件
                 782 个已使用的块(近似)

# pkginfo -l SUNWsshdr
   PKGINST:  SUNWsshdr
      NAME:  SSH Server, (Root)
  CATEGORY:  system
      ARCH:  sparc
   VERSION:  11.10.0,REV=2005.01.21.15.53
   BASEDIR:  /
    VENDOR:  Sun Microsystems, Inc.
      DESC:  Secure Shell protocol Server
    PSTAMP:  on10ptchfeat20080228002300
  INSTDATE:  Dec 25 2009 15:19
   HOTLINE:  Please contact your local service provider
    STATUS:  全部安装
     FILES:     12 个已安装的路径名
                   9 个共享的路径名
                   9 目录
                   1 可执行文件
                  20 个已使用的块(近似)

# pkginfo -l SUNWsshdu
   PKGINST:  SUNWsshdu
      NAME:  SSH Server, (Usr)
  CATEGORY:  system
      ARCH:  sparc
   VERSION:  11.10.0,REV=2005.01.21.15.53
   BASEDIR:  /
    VENDOR:  Sun Microsystems, Inc.
      DESC:  Secure Shell protocol Server
    PSTAMP:  on10ptchfeat20071025112510
  INSTDATE:  Dec 25 2009 15:19
   HOTLINE:  Please contact your local service provider
    STATUS:  全部安装
     FILES:      5 个已安装的路径名
                   3 个共享的路径名
                   3 目录
                   2 可执行文件
                 772 个已使用的块(近似)

# pkginfo -l SUNWsshr
   PKGINST:  SUNWsshr
      NAME:  SSH Client and utilities, (Root)
  CATEGORY:  system
      ARCH:  sparc
   VERSION:  11.10.0,REV=2005.01.21.15.53
   BASEDIR:  /
    VENDOR:  Sun Microsystems, Inc.
      DESC:  Secure Shell protocol Client and associated Utilities
    PSTAMP:  gaget20050121155950
  INSTDATE:  Dec 25 2009 15:19
   HOTLINE:  Please contact your local service provider
    STATUS:  全部安装
     FILES:      4 个已安装的路径名
                   2 个共享的路径名
                   2 目录
                 175 个已使用的块(近似)

# pkginfo -l SUNWsshu
   PKGINST:  SUNWsshu
      NAME:  SSH Client and utilities, (Usr)
  CATEGORY:  system
      ARCH:  sparc
   VERSION:  11.10.0,REV=2005.01.21.15.53
   BASEDIR:  /
    VENDOR:  Sun Microsystems, Inc.
      DESC:  Secure Shell protocol Client and associated Utilities
    PSTAMP:  on10ptchfeat20071025112511
  INSTDATE:  Dec 25 2009 15:19
   HOTLINE:  Please contact your local service provider
    STATUS:  全部安装
     FILES:     11 个已安装的路径名
                   4 个共享的路径名
                   4 目录
                   7 可执行文件
                1081 个已使用的块(近似)

 

2.ssh server/client 进程状态

 

 

 

3.与ssh server相关的文件(程序/配置文件/命令)

# pkgchk -v SUNWsshcu
/usr
/usr/bin
/usr/bin/ssh-keygen
/usr/bin/ssh-keyscan
/usr/lib
/usr/lib/ssh
/usr/lib/ssh/ssh-keysign
#
# pkgchk -v SUNWsshdr

/etc
/etc/ssh
/etc/ssh/sshd_config
/lib
/lib/svc
/lib/svc/method
/lib/svc/method/sshd
/var
/var/svc
/var/svc/manifest
/var/svc/manifest/network
/var/svc/manifest/network/ssh.xml
#
#
# pkgchk -v SUNWsshdu
/usr
/usr/lib
/usr/lib/ssh
/usr/lib/ssh/sftp-server
/usr/lib/ssh/sshd
#
# pkgchk -v SUNWsshr
/etc
/etc/ssh
/etc/ssh/moduli
/etc/ssh/ssh_config
#
# pkgchk -v SUNWsshu
/usr
/usr/bin
/usr/bin/scp
/usr/bin/sftp
/usr/bin/ssh
/usr/bin/ssh-add
/usr/bin/ssh-agent
/usr/lib
/usr/lib/ssh
/usr/lib/ssh/ssh-http-proxy-connect
/usr/lib/ssh/ssh-socks5-proxy-connect
#
#

 

5.man 内容

# whatis ssh
ssh             ssh (1)         - secure shell client (remote login program)
#
# whatis sshd
sshd            sshd (1m)       - secure shell daemon
#
# whatis ssh-keygen
ssh-keygen      ssh-keygen (1)  - authentication key generation
#
# whatis ssh-keyscan
ssh-keyscan     ssh-keyscan (1) - gather public ssh host keys of a number of hosts
#
# whatis ssh-keysign
ssh-keysign     ssh-keysign (1m)    - ssh helper program for host-based authentication
#

# whatis sshd_config
sshd_config     sshd_config (4) - sshd configuration file
#
# whatis ssh_config
ssh_config      ssh_config (4)  - ssh configuration file
#
# whatis ssh-add
ssh-add         ssh-add (1)     - add RSA or DSA identities to the authentication agent
#

# whatis ssh-agent
ssh-agent       ssh-agent (1)   - authentication agent
#
# whatis sftp-server
sftp-server     sftp-server (1m)    - SFTP server subsystem
#

# whatis sftp
sftp            sftp (1)        - secure file transfer program

# whatis ssh-http-proxy-connect
ssh-http-proxy-connect          ssh-http-proxy-connect (1)  - Secure Shell proxy for HTTP
#
# whatis ssh-socks5-proxy-connect
ssh-socks5-proxy-connect        ssh-socks5-proxy-connect (1)    - Secure Shell proxy for SOCKS5

# man sshd

NAME
     sshd - secure shell daemon

SYNOPSIS
     sshd [-deiqtD46] [-b bits] [-f config_file]
         [-g login_grace_time] [-h host_key_file]
         [-k key_gen_time] [-p port] [-V client_protocol_id]

DESCRIPTION
     The sshd (Secure Shell daemon) is  the  daemon  program  for
     ssh(1).  Together these programs replace rlogin and rsh, and
     provide  secure   encrypted   communications   between   two
     untrusted  hosts  over an insecure network. The programs are
     intended to be as easy to install and use as possible.

     sshd  is  the  daemon  that  listens  for  connections  from
     clients. It forks a new daemon for each incoming connection.
     The forked daemons handle key exchange, encryption,  authen-
     tication, command execution, and data exchange.

     This implementation of sshd supports both SSH protocol  ver-
     sions 1 and 2 simultaneously. Because of security weaknesses
     in the v1 protocol, sites should run only v2,  if  possible.
     In  the  default  configuration, only protocol v2 is enabled
     for the server. To enable v1 and v2 simultaneously, see  the
     instructions in sshd_config(4).

     Support for v1 is provided to help sites with  existing  ssh
     v1  clients and servers to transition to v2. v1 might not be
     supported in a future release.

  SSH Protocol Version 1
     Each host has a host-specific RSA key (normally  1024  bits)
     used  to  identify  the  host. Additionally, when the daemon
     starts, it generates a server RSA key (normally  768  bits).
     This  key  is normally regenerated every hour if it has been
     used, and is never stored on disk.

     Whenever a client connects the daemon responds with its pub-
     lic  host  and server keys. The client compares the RSA host
     key against its own database  to  verify  that  it  has  not
     ……

#

# man -s 4 sshd_config

NAME
     sshd_config - sshd configuration file

SYNOPSIS
     /etc/ssh/sshd_config

DESCRIPTION
     The  sshd(1M)   daemon   reads   configuration   data   from
     /etc/ssh/sshd_config  (or the file specified with sshd -f on
     the command line). The file  contains  keyword-value  pairs,
     one per line. A line starting with a hash mark (#) and empty
     lines are interpreted as comments.

     The sshd_config file supports  the  keywords  listed  below.
     Unless  otherwise  noted,  keywords  and their arguments are
     case-insensitive.

     AllowGroups

         This keyword can be followed by a number of group names,
         separated by spaces. If specified, login is allowed only
         for users whose primary group matches one  of  the  pat-
         terns. Asterisk (*) and question mark (?) can be used as
         wildcards in the patterns. Only group names are valid; a
         numerical  group ID is not recognized. By default, login
         is allowed regardless of the primary group.

     AllowTcpForwarding

         Specifies  whether  TCP  forwarding  is  permitted.  The
         default  is yes. Note that disabling TCP forwarding does
         not improve security unless users are also denied  shell
         access, as they can always install their own forwarders.

     AllowUsers

         This keyword can be followed by a number of user  names,
         separated by spaces. If specified, login is allowed only
         for user names that match one of the patterns. Asterisk
         (*)  and  question  mark (?) can be used as wildcards in
         the patterns. Only user names  are  valid;  a  numerical
         user  ID  is not recognized. By default login is allowed
         regardless of the user name.

         If a specified pattern takes  the  form  user@host  then
         user and host are checked separately, restricting logins
         to particular users from particular hosts.

     AuthorizedKeysFile

         Specifies the file that contains the public  keys  that
         can  be used for user authentication. AuthorizedKeysFile
         can contain tokens of the form %T, which are substituted
         during  connection  set-up.  The  following  tokens  are
         defined: %% is replaced by a literal %, %h  is  replaced
         by  the  home  directory of the user being authenticated
         and %u is replaced by the username of that  user.  After
         expansion, AuthorizedKeysFile is taken to be an absolute
         path or one relative to the user's home  directory.  The
         default is .ssh/authorized_keys.

     Banner

         In some jurisdictions, sending a warning message  before
         authentication can be relevant for getting legal protec-
         tion. The contents of the specified file are sent to the
         remote  user  before  authentication  is  allowed.  This
         option is only available  for  protocol  version  2.  By
         default, no banner is displayed.

     Ciphers

         Specifies the ciphers allowed for  protocol  version  2.
         Multiple ciphers must be comma-separated. The default is
         aes128-ctr,aes128-cbc,arcfour,3des-cbc,blowfish-cbc.

     ClientAliveCountMax

         Sets the number of client  alive  messages  (see  Clien-
         tAliveInterval,  below)  that  can  be sent without sshd
         receiving any messages back from  the  client.  If  this
         threshold  is  reached  while  client alive messages are
         being sent, sshd disconnects the client, terminating the
         session.  It is important to note that the use of client
         alive messages is very  different  from  KeepAlive  (see
         below).  The  client alive messages are sent through the
         encrypted channel and therefore are not  spoofable.  The
         TCP  keepalive option enabled by KeepAlive is spoofable.
         The client alive mechanism is valuable when a client  or
         server  depend  on  knowing when a connection has become
         inactive.

         The default value is 3. If  ClientAliveInterval  (below)
         is  set  to  15,  and ClientAliveCountMax is left at the
         default, unresponsive ssh clients are disconnected after
         approximately 45 seconds.

     ClientAliveInterval

         Sets a timeout interval in seconds after  which,  if  no
         data  has  been  received  from the client, sshd sends a
         message through  the  encrypted  channel  to  request  a
         response  from  the client. The default is 0, indicating
         that these messages are not sent to  the  client.   This
         option applies only to protocol version 2.

     Compression

         Controls whether the server allows the client  to  nego-
         tiate the use of compression. The default is yes.

     DenyGroups

         Can be followed by a number of group names, separated by
         spaces.  Users  whose  primary  group matches one of the
         patterns are not allowed to log  in.  Asterisk  (*)  and
         question  mark  (?) can be used as wildcards in the pat-
         terns. Only group names are valid; a numerical group  ID
         is  not recognized. By default, login is allowed regard-
         less of the primary group.

     DenyUsers

         Can be followed by a number of user names, separated  by
         spaces.  Login  is  disallowed for user names that match
         one of the patterns. Asterisk (*) and question mark  (?)
         can  be  used  as  wildcards  in the patterns. Only user
         names are valid; a numerical user ID is not  recognized.
         By  default,  login  is  allowed  regardless of the user
         name.

         If a specified pattern takes  the  form  user@host  then
         user and host are checked separately, disallowing logins
         to particular users from particular hosts.

     GatewayPorts

         Specifies whether remote hosts are allowed to connect to
         ports  forwarded  for the client. By default, sshd binds
         remote port forwardings to the  loopback  address.  This
         prevents other remote hosts from connecting to forwarded
         ports. GatewayPorts can be used  to  specify  that  sshd
         should  bind  remote  port  forwardings  to the wildcard
         address, thus allowing remote hosts to connect  to  for-
         warded  ports.  The  argument  must  be  yes  or no. The
         default is no.

     GSSAPIAuthentication

         Enables/disables  GSS-API   user   authentication.   The
         default is yes.

         Currently sshd authorizes client user principals to user
         accounts  as  follows: if the principal name matches the
         requested user account, then the  principal  is  author-
         ized. Otherwise, GSS-API authentication fails.

     GSSAPIKeyExchange

         Enables/disables  GSS-API-authenticated  key  exchanges.
         The default is yes.

         This option also enables  the  use  of  the  GSS-API  to
         authenticate  the user to server after the key exchange.
         Note that GSS-API key exchange can succeed but the  sub-
         sequent  authentication  using  the  GSS-API fail if the
         server does not authorize the user's GSS principal  name
         to the target user account.

         Currently sshd authorizes client user principals to user
         accounts  as  follows: if the principal name matches the
         requested user account, then the  principal  is  author-
         ized. Otherwise, GSS-API authentication fails.

     GSSAPIStoreDelegatedCredentials

         Enables/disables the use of  delegated  GSS-API  creden-
         tials on the server-side. The default is yes.

         Specifically, this  option,  when  enabled,  causes  the
         server  to  store  delegated  GSS-API credentials in the
         user's default GSS-API credential store (which  for  the
         Kerberos V mechanism means /tmp/krb5cc_<uid>).

         Note -

           sshd does not take any  steps  to  explicitly  destroy
           stored  delegated  GSS-API credentials upon logout. It
           is  the  responsibility  of  PAM  modules  to  destroy
           credentials associated with a session.

     HostbasedAuthentication

         Specifies whether  to  try  rhosts-based  authentication
         with public key authentication. The argument must be yes
         or no. The default is no. This option applies to  proto-
         col  version 2 only and is similar to RhostsRSAAuthenti-
         cation. See sshd(1M) for guidelines on setting up  host-
         based authentication.

     HostbasedUsesNameFromPacketOnly

         Controls which hostname is searched  for  in  the  files
         ~/.shosts,  /etc/shosts.equiv,  and /etc/hosts.equiv. If
         this parameter is set to yes, the server uses  the  name
         the  client  claimed  for  itself  and  signed with that
         host's key. If set to no, the default, the  server  uses
         the name to which the client's IP address resolves.

         Setting this parameter to no disables host-based authen-
         tication  when  using NAT or when the client gets to the
         server indirectly through a port-forwarding firewall.

     HostKey

         Specifies the file containing the private host key  used
         by  SSH. The default is /etc/ssh/ssh_host_key for proto-
         col  version  1,   and   /etc/ssh/ssh_host_rsa_key   and
         /etc/ssh/ssh_host_dsa_key  for  protocol version 2. Note
         that sshd refuses to use a file if  it  is  group/world-
         accessible.  It  is  possible  to have multiple host key
         files. rsa1 keys are used for version 1 and dsa  or  rsa
         are used for version 2 of the SSH protocol.

     IgnoreRhosts

         Specifies that .rhosts and .shosts files are not used in
         authentication.  /etc/hosts.equiv  and /etc/shosts.equiv
         are still used.  The  default  is  yes.  This  parameter
         applies to both protocol versions 1 and 2.

     IgnoreUserKnownHosts

         Specifies  whether  sshd  should   ignore   the   user's
         $HOME/.ssh/known_hosts  during  RhostsRSAAuthentication.
         The default is no. This parameter applies to both proto-
         col versions 1 and 2.

     KbdInteractiveAuthentication

         Specifies  whether  authentication  by  means   of   the
         "keyboard-interactive"  authentication  method (and PAM)
         is allowed. Defaults to yes. (Deprecated: this parameter
         can only be set to yes.)

     KeepAlive

         Specifies whether the system should send keepalive  mes-
         sages  to the other side. If they are sent, death of the
         connection or crash of one of the machines  is  properly
         noticed. However, this means that connections die if the
         route is down temporarily, which can be an annoyance. On
         the other hand, if keepalives are not sent, sessions can
         hang indefinitely on the server, leaving ghost users and
         consuming server resources.

         The default is yes (to send keepalives), and the  server
         notices  if  the  network  goes  down or the client host
         reboots. This avoids infinitely hanging sessions.

         To disable keepalives, the value should be set to no  in
         both the server and the client configuration files.

     KeyRegenerationInterval

         In protocol version  1,  the  ephemeral  server  key  is
         automatically regenerated after this many seconds (if it
         has been  used).  The  purpose  of  regeneration  is  to
         prevent  decrypting  captured sessions by later breaking
         into the machine and stealing the keys. The key is never
         stored  anywhere.   If  the value is 0, the key is never
         regenerated. The default is 3600 (seconds).

     ListenAddress

         Specifies what local address sshd should listen on.  The
         following forms can be used:

           ListenAddress host|IPv4_addr|IPv6_addr
           ListenAddress host|IPv4_addr:port
           ListenAddress [host|IPv6_addr]:port

         If port is not specified, sshd listens  on  the  address
         and  all prior Port options specified. The default is to
         listen on all local  addresses.  Multiple  ListenAddress
         options  are  permitted.  Additionally, any Port options
         must  precede  this  option   for   non-port   qualified
         addresses.
         The default is to listen on all local addresses.  Multi-
         ple  options  of  this type are permitted. Additionally,
         the Ports options must precede this option.

     LoginGraceTime

         The server disconnects after this time (in  seconds)  if
         the user has not successfully logged in. If the value is
         0, there is no time limit. The default is 120 (seconds).

     LogLevel

         Gives the verbosity level that is used when logging mes-
         sages  from sshd. The possible values are: QUIET, FATAL,
         ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
         The  default  is  INFO.  DEBUG2  and DEBUG3 each specify
         higher levels of debugging output.  Logging  with  level
         DEBUG  violates  the  privacy of users and is not recom-
         mended.

     LookupClientHostnames

         Specifies whether or not to lookup the names of client's
         addresses. Defaults to yes.

     MACs

         Specifies  the  available  MAC  (message  authentication
         code)  algorithms. The MAC algorithm is used in protocol
         version 2 for data integrity protection. Multiple  algo-
         rithms  must  be  comma-separated.  The default is hmac-
         md5,hmac-sha1,hmac-sha1-96,hmac-md5-96.

     MaxStartups
         Specifies the maximum number of  concurrent  unauthenti-
         cated connections to the sshd daemon. Additional connec-
         tions are dropped until authentication succeeds  or  the
         LoginGraceTime  expires for a connection. The default is
         10.

         Alternatively, random  early  drop  can  be  enabled  by
         specifying     the    three    colon-separated    values
         start:rate:full (for example, 10:30:60). In this example,
         sshd refuses connection attempts with a  probability  of
         rate/100 (30% in our example) if there are currently  10
         (from the start field) unauthenticated connections.  The
         probability increases linearly and all connection
         attempts are refused if the number of unauthenticated
         connections reaches full (60 in our example).

     PasswordAuthentication

         Specifies whether password  authentication  is  allowed.
         The  default  is  yes.  Note that this option applies to
         both protocol versions 1 and 2.

     PermitEmptyPasswords

         When password authentication is  allowed,  it  specifies
         whether  the  server allows login to accounts with empty
         password strings. In /etc/default/login, if  PASSREQ  is
         not  set,  or  PASSREQ=YES,  then  the default is no; if
         PASSREQ=NO, then the default is yes.

     PermitRootLogin

         Specifies whether the root can log in using ssh(1).  The
         argument   must   be   yes,   without-password,  forced-
         commands-only, or no. without-password means  that  root
         cannot   be   authenticated   using  the  "password"  or
         "keyboard-interactive"  methods  (see   description   of
         KbdInteractiveAuthentication   above).  forced-commands-
         only means that root authentication is allowed only with
         "publickey"  (for  SSHv2, or RSA, for SSHv1) and only if
         the  matching  authorized_keys  entry  for  root  has  a
         command=<cmd> option.

         In Solaris, the  default  /etc/ssh/sshd_config  file  is
         shipped  with PermitRootLogin set to no. If unset by the
         administrator,    then    CONSOLE     parameter     from
         /etc/default/login  supplies  the  default value as fol-
         lows: if the CONSOLE parameter is not commented out  (it
         can  even  be empty, that is, "CONSOLE="), then without-
         password is used as default value. If  CONSOLE  is  com-
         mented out, then the default for PermitRootLogin is yes.

         The without-password and  forced-commands-only  settings
         are  useful for, for example, performing remote adminis-
         tration  and  backups  using  trusted  public  keys  for
         authentication  of  the  remote client, without allowing
         access to the root account using passwords.

     PermitUserEnvironment

         Specifies whether a  user's  ~/.ssh/environment  on  the
         server  side  and  environment  options  in  the Author-
         izedKeysFile file are processed by sshd. The default  is
         no.  Enabling environment processing can enable users to
         bypass access restrictions in some configurations  using
         mechanisms such as LD_PRELOAD.

         Environment setting from a  relevant  entry  in  Author-
         izedKeysFile  file  is  processed  only  if the user was
         authenticated  using  the  public   key   authentication
         method.  Of  the two files used, values of variables set
         in ~/.ssh/environment are of higher priority.

     PidFile

         Allows   you    to    specify    an    alternative    to
         /var/run/sshd.pid,  the default file for storing the PID
         of the sshd listening for connections. See sshd(1M).
     Port

         Specifies the port number  that  sshd  listens  on.  The
         default is 22. Multiple options of this type are permit-
         ted. See also ListenAddress.

     PrintLastLog

         Specifies whether sshd should display the date and  time
         when the user last logged in. The default is yes.

     PrintMotd

         Specifies whether sshd should display  the  contents  of
         /etc/motd  when  a  user logs in interactively. (On some
         systems it is also displayed by the  shell  or  a  shell
         startup file, such as /etc/profile.) The default is yes.

     Protocol

         Specifies the protocol versions sshd should  support  in
         order  of  preference.  The possible values are 1 and 2.
         Multiple versions must be comma-separated.  The  default
         is  2,1.  This  means that ssh tries version 2 and falls
         back to version 1 if version 2 is not available.

     PubkeyAuthentication

         Specifies whether public key authentication is  allowed.
         The  default  is  yes.  Note that this option applies to
         protocol version 2 only.

     RhostsAuthentication

         Specifies  whether  authentication   using   rhosts   or
         /etc/hosts.equiv  files  is  sufficient.  Normally, this
         method should not be permitted because it  is  insecure.
         RhostsRSAAuthentication  should be used instead, because
         it performs RSA-based host authentication in addition to
         normal  rhosts  or  /etc/hosts.equiv authentication. The
         default is no. Note that this parameter applies only  to
         protocol version 1.

     RhostsRSAAuthentication

         Specifies whether rhosts or /etc/hosts.equiv authentica-
         tion together with successful RSA host authentication is
         allowed. The default is no.  Note  that  this  parameter
         applies only to protocol version 1.

     RSAAuthentication

         Specifies whether pure RSA  authentication  is  allowed.
         The  default  is  yes.  Note that this option applies to
         protocol version 1 only.

     ServerKeyBits

         Defines the number of bits  in  the  ephemeral  protocol
         version  1 server key. The minimum value is 512, and the
         default is 768.

     StrictModes (???)

         Specifies whether sshd should check file modes and  own-
         ership  of  the  user's  files and home directory before
         accepting login.  This  is  normally  desirable  because
         novices  sometimes accidentally leave their directory or
         files world-writable. The default is yes.

     Subsystem

         Configures an external subsystem (for  example,  a  file
         transfer  daemon).  Arguments should be a subsystem name
         and a command to execute  upon  subsystem  request.  The
         command   sftp-server(1M)   implements   the  sftp  file
         transfer  subsystem.  By  default,  no  subsystems   are
         defined.  Note that this option applies to protocol ver-
         sion 2 only.

     SyslogFacility

         Gives the facility code that is used when  logging  mes-
         sages  from sshd. The possible values are: DAEMON, USER,
         AUTH, LOCAL0, LOCAL1, LOCAL2,  LOCAL3,  LOCAL4,  LOCAL5,
         LOCAL6, and LOCAL7. The default is AUTH.

     VerifyReverseMapping

         Specifies whether sshd should try to verify  the  remote
         host  name and check that the resolved host name for the
         remote IP address maps back to the very same IP address.
         (A  yes  setting means "verify".) Setting this parameter
         to no can be useful where DNS servers might be down  and
         thus cause sshd to spend much time trying to resolve the
         client's IP address to a name. This  feature  is  useful
         for Internet-facing servers. The default is no.

     X11DisplayOffset

         Specifies the first display number available for  sshd's
         X11 forwarding. This prevents sshd from interfering with
         real X11 servers. The default is 10.

     X11Forwarding

         Specifies  whether  X11  forwarding  is  permitted. The
         default  is yes. Note that disabling X11 forwarding does
         not improve security in any way,  as  users  can  always
         install their own forwarders.

         When X11 forwarding is enabled, there can be  additional
         exposure  to  the  server  and to client displays if the
         sshd proxy display is configured to listen on the  wild-
         card  address (see X11UseLocalhost below). However, this
         is not the  default.  Additionally,  the  authentication
         spoofing  and  authentication data verification and sub-
         stitution occur on the client side. The security risk of
         using  X11  forwarding  is that the client's X11 display
         server can be exposed to  attack  when  the  ssh  client
         requests  forwarding (see the warnings for ForwardX11 in
         ssh_config(4)). A system administrator who wants to pro-
         tect  clients that expose themselves to attack by unwit-
         tingly  requesting  X11  forwarding,  should  specify  a
         ``no'' setting.

         Note that disabling  X11  forwarding  does  not  prevent
         users  from  forwarding X11 traffic, as users can always
         install their own forwarders.

     X11UseLocalhost

         Specifies whether sshd should bind  the  X11  forwarding
         server  to  the  loopback  address  or  to  the wildcard
         address. By default, sshd binds the forwarding server to
         the  loopback  address and sets the hostname part of the
         DISPLAY  environment  variable  to  ``localhost''.  This
         prevents  remote  hosts  from  connecting  to  the proxy
         display. However, some older X11 clients might not func-
         tion with this configuration. X11UseLocalhost can be set
         to no to specify that the forwarding  server  should  be
         bound  to the wildcard address. The argument must be yes
         or no. The default is yes.

     XAuthLocation

         Specifies the location  of  the  xauth(1)  program.  The
         default is /usr/X/bin/xauth.

  Time Formats
     sshd command-line arguments and configuration  file  options
     that  specify  time can be expressed using a sequence of the
     form: time[qualifier,] where  time  is  a  positive  integer
     value and qualifier is one of the following:

     <none>    seconds

     s | S     seconds

     m | M     minutes

     h | H     hours

     d | D     days

     w | W     weeks

     Each element of the sequence is added together to  calculate
     the total time value. For example:

     600      600 seconds (10 minutes)

     10m      10 minutes

     1h30m    1 hour, 30 minutes (90 minutes)

FILES
     /etc/ssh/sshd_config    Contains  configuration   data   for
                             sshd.  This  file should be writable
                             by root only, but it is  recommended
                             (though  not  necessary)  that it be
                             world-readable.

ATTRIBUTES
     See attributes(5) for descriptions of the  following  attri-
     butes:

     ____________________________________________________________
    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    |_____________________________|_____________________________|
    | Availability                | SUNWsshu                    |
    |_____________________________|_____________________________|
    | Interface Stability         | Evolving                    |
    |_____________________________|_____________________________|

SEE ALSO
     login(1),  sshd(1M),  ssh_config(4),   attributes(5),   kerberos(5)

AUTHORS
     OpenSSH is a derivative of the original and free ssh  1.2.12
     release  by  Tatu  Ylonen.  Aaron Campbell, Bob Beck, Markus
     Friedl, Niels Provos, Theo de Raadt, and  Dug  Song  removed
     many  bugs,  re-added  recent features, and created OpenSSH.
     Markus Friedl contributed the support for SSH protocol  ver-
     sions  1.5  and  2.0. Niels Provos and Markus Friedl contri-
     buted support for privilege separation.

 

6./etc/ssh/sshd_config文件

#
# cd /etc/ssh
#
# ls -l
-rw-r--r--   1 root     sys        88301 2005   1月 22 moduli
-rw-r--r--   1 root     sys          861 2005   1月 22 ssh_config
-rw-r--r--   1 root     sys         5202 2005   1月 22 sshd_config
-rw-------   1 root     root         668 12月 25日 15:40 ssh_host_dsa_key
-rw-r--r--   1 root     root         600 12月 25日 15:40 ssh_host_dsa_key.pub
-rw-------   1 root     root         887 12月 25日 15:40 ssh_host_rsa_key
-rw-r--r--   1 root     root         220 12月 25日 15:40 ssh_host_rsa_key.pub
#
#
# cd /usr/lib/ssh
# ls -l
-r-xr-xr-x   1 root     bin        44172 2007  10月 30 sftp-server
-r-xr-xr-x   1 root     bin       350624 2007  10月 30 sshd
-r-xr-xr-x   1 root     bin        10268 2007  10月 30 ssh-http-proxy-connect
-r-sr-xr-x   1 root     bin       156104 2007  10月 30 ssh-keysign
-r-xr-xr-x   1 root     bin        10244 2007  10月 30 ssh-socks5-proxy-connect
#

# cd /usr/bin
# ls -l ssh*

-r-xr-xr-x   1 root     bin       257280 2007  10月 30 ssh
-r-xr-xr-x   1 root     bin        87724 2007   8月 17 ssh-add
-r-xr-xr-x   1 root     bin        70912 2005   1月 23 ssh-agent
-r-xr-xr-x   1 root     bin        87856 2007  11月 17 ssh-keygen
-r-xr-xr-x   1 root     bin       156072 2007   8月 17 ssh-keyscan

# more /etc/ssh/sshd_config
#
# ident "@(#)sshd_config        1.8     04/05/10 SMI"
#
# Configuration file for sshd(1m)

# Protocol versions supported
#
# The sshd shipped in this release of Solaris has support for major versions
# 1 and 2.  It is recommended due to security weaknesses in the v1 protocol
# that sites run only v2 if possible. Support for v1 is provided to help sites
# with existing ssh v1 clients/servers to transition.
# Support for v1 may not be available in a future release of Solaris.
#
# To enable support for v1 an RSA1 key must be created with ssh-keygen(1).
# RSA and DSA keys for protocol v2 are created by /etc/init.d/sshd if they
# do not already exist, RSA1 keys for protocol v1 are not automatically created.

# Uncomment ONLY ONE of the following Protocol statements.

# Only v2 (recommended)
Protocol 2

# Both v1 and v2 (not recommended)
#Protocol 2,1

# Only v1 (not recommended)
#Protocol 1

# Listen port (the IANA registered port number for ssh is 22)
Port 22

# The default listen address is all interfaces, this may need to be changed
# if you wish to restrict the interfaces sshd listens on for a multi homed host.
# Multiple ListenAddress entries are allowed.

# IPv4 only
#ListenAddress 0.0.0.0
# IPv4 & IPv6
ListenAddress ::

# Port forwarding
AllowTcpForwarding no

# If port forwarding is enabled, specify if the server can bind to INADDR_ANY.
# This allows the local port forwarding to work when connections are received
# from any remote host.
GatewayPorts no

# X11 tunneling options
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes

# The maximum number of concurrent unauthenticated connections to sshd.
# start:rate:full see sshd(1) for more information.
# The default is 10 unauthenticated clients.
#MaxStartups 10:30:60

# Banner to be printed before authentication starts.
#Banner /etc/issue

# Should sshd print the /etc/motd file and check for mail.
# On Solaris it is assumed that the login shell will do these (eg /etc/profile).
PrintMotd no

# KeepAlive specifies whether keep alive messages are sent to the client.
# See sshd(1) for detailed description of what this means.
# Note that the client may also be sending keep alive messages to the server.
KeepAlive yes

# Syslog facility and level
SyslogFacility auth
LogLevel info

#
# Authentication configuration
#

# Host private key files
# Must be on a local disk and readable only by the root user (root:sys 600).
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

# Default Encryption algorithms and Message Authentication codes
#Ciphers        aes128-ctr,aes128-cbc,arcfour,3des-cbc,blowfish-cbc
#MACS   hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96

# Length of the server key
# Default 768, Minimum 512
ServerKeyBits 768

# sshd regenerates the key every KeyRegenerationInterval seconds.
# The key is never stored anywhere except the memory of sshd.
# The default is 1 hour (3600 seconds).
KeyRegenerationInterval 3600

# Ensure secure permissions on users .ssh directory.
StrictModes yes

# Length of time in seconds before a client that hasn't completed
# authentication is disconnected.
# Default is 600 seconds. 0 means no time limit.
LoginGraceTime 600

# Maximum number of retries for authentication
# Default is 6. Default (if unset) for MaxAuthTriesLog is MaxAuthTries / 2
MaxAuthTries    6
MaxAuthTriesLog 3

# Are logins to accounts with empty passwords allowed.
# If PermitEmptyPasswords is no, pass PAM_DISALLOW_NULL_AUTHTOK
# to pam_authenticate(3PAM).
PermitEmptyPasswords no

# To disable tunneled clear text passwords, change PasswordAuthentication to no.
PasswordAuthentication yes

# Use PAM via keyboard interactive method for authentication.
# Depending on the setup of pam.conf(4) this may allow tunneled clear text
# passwords even when PasswordAuthentication is set to no. This is dependent
# on what the individual modules request and is out of the control of sshd
# or the protocol.
PAMAuthenticationViaKBDInt yes

# Are root logins permitted using sshd.
# Note that sshd uses pam_authenticate(3PAM) so the root (or any other) user
# may be denied access by a PAM module regardless of this setting.
# Valid options are yes, without-password, no.
PermitRootLogin no

# sftp subsystem
Subsystem       sftp    /usr/lib/ssh/sftp-server

# SSH protocol v1 specific options
#
# The following options only apply to the v1 protocol and provide
# some form of backwards compatibility with the very weak security
# of /usr/bin/rsh.  Their use is not recommended and the functionality
# will be removed when support for v1 protocol is removed.

# Should sshd use .rhosts and .shosts for password less authentication.
IgnoreRhosts yes
RhostsAuthentication no

# Rhosts RSA Authentication
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts.
# If the user on the client side is not root then this won't work on
# Solaris since /usr/bin/ssh is not installed setuid.
RhostsRSAAuthentication no

# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication.
#IgnoreUserKnownHosts yes

# Is pure RSA authentication allowed.
# Default is yes
RSAAuthentication yes

6.ssh server配置步骤

6.1使用口令认证

step1:检查ssh服务

#
# svcs -a | grep ssh

online          0:17:07 svc:/network/ssh:default

# svcs -x ssh
svc:/network/ssh:default (SSH server)
状态:online 自 2009年12月29日 星期二 00时17分07秒 开始
   参见:sshd(1M)
   参见:/var/svc/log/network-ssh:default.log
影响:无。
# svcs -l ssh
fmri         svc:/network/ssh:default
名称         SSH server
启用         是
状态         online
next_state   none
state_time   2009年12月29日 星期二 00时17分07秒
logfile      /var/svc/log/network-ssh:default.log
重启程序     svc:/system/svc/restarter:default
contract_id  126
dependency   require_all/none svc:/system/filesystem/local (online)
dependency   optional_all/none svc:/system/filesystem/autofs (online)
dependency   require_all/none svc:/network/loopback (online)
dependency   require_all/none svc:/network/physical (online)
dependency   require_all/none svc:/system/cryptosvc (online)
dependency   require_all/none svc:/system/utmp (online)
dependency   require_all/restart file://localhost/etc/ssh/sshd_config (online)

 step2: vi /etc/ssh/sshd_config,允许root登录(将默认的 PermitRootLogin no 改为 yes),启用密码认证;

# To disable tunneled clear text passwords, change PasswordAuthentication to no.
PasswordAuthentication yes

# Are root logins permitted using sshd.
# Note that sshd uses pam_authenticate(3PAM) so the root (or any other) user
# may be denied access by a PAM module regardless of this setting.
# Valid options are yes, without-password, no.
PermitRootLogin yes

step3:重启ssh server

# svcadm refresh ssh
# svcadm restart ssh

step4:从本机和远程ssh连接测试

#
# ssh localhost  /为何未提示输入用户名?——未指定用户名时 ssh 默认使用当前本地登录名(此处为 root)/  或者 ssh root@localhost  或者 ssh -l root localhost

口令:
Last login: Tue Dec 29 00:18:56 2009 from 116.226.73.116
Sun Microsystems Inc.   SunOS 5.10      Generic January 2005
#

# who
root       pts/2        12月 28日 23:18  (116.226.73.116)
root       pts/1        12月 29日 00:43  (localhost)

使用putty ssh连接

login as: root
Using keyboard-interactive authentication.
口令:
Last login: Tue Dec 29 00:43:40 2009 from localhost
Sun Microsystems Inc.   SunOS 5.10      Generic January 2005
#

step5:使用非root账户ssh登录

useradd -u 100  -d /export/home/user1 user1

passwd user1

#
# ssh user1@localhost
口令:
Last login: Tue Dec 29 00:52:57 2009 from localhost
Could not chdir to home directory /home/user1: 无此文件或目录
Sun Microsystems Inc.   SunOS 5.10      Generic January 2005
$

$ who
root       pts/2        12月 28日 23:18  (116.226.73.116)
user1      pts/1        12月 29日 00:52  (localhost)

6.2 使用密钥认证

step1:

# ssh-keygen -t rsa -b 1024  (生成服务器端的公钥和私钥对,服务器端的公钥不需要发布给客户端主机,它在通信的第二阶段传递给客户端。注: 从下面的输出可见,此命令实际生成的是当前用户 root 的用户密钥对 //.ssh/id_rsa,而 sshd 使用的主机密钥是 sshd_config 中 HostKey 指定的 /etc/ssh/ssh_host_rsa_key,两者并不相同)
产生公共/私有 rsa 密钥对。
输入要存储密钥的文件 (//.ssh/id_rsa):
请输入口令(空白表示没有口令):
再次输入同一 passphrase:
您的标识已经存储在 //.ssh/id_rsa 中。
您的公共密钥已经存储在 //.ssh/id_rsa.pub 中。

密钥指纹为:
4f:d2:db:99:64:bc:3c:d1:5d:e9:84:42:77:d2:14:8b root@b1500

# more /etc/passwd | grep root
root:x:0:0:Super-User:/:/sbin/sh
#
# cd /.ssh
# ls -a
.            ..          id_rsa       id_rsa.pub   known_hosts

step2:

ssh客户端(putty windows平台)配置

使用puttygen生成密钥对,将公钥文件分发(ftp)到$HOME/.ssh目录下(仅复制公钥文件不够: 需将其转换为 OpenSSH 单行格式并追加到 $HOME/.ssh/authorized_keys,且由于 sshd_config 中 StrictModes yes,.ssh 目录及其中文件的权限必须严格,否则服务器会拒绝该密钥)

step3:

login as: root
Server refused our key  (?????)
Using keyboard-interactive authentication.