% ./configure \
    --prefix=/usr/local/openssh \
    --sysconfdir=/etc/ssh \
    --with-zlib=/usr/local \
    --with-tcp-wrappers=/usr \
    --with-ssl-dir=/usr/local/openssl
% make
# make install

Note: portable OpenSSH dropped tcp_wrappers support in 6.7, so `--with-tcp-wrappers` has no effect on current releases; restrict by source address with `Match Address` blocks in sshd_config or with a host firewall instead.
Refuse SSH login as root
PermitRootLogin no

Refuse accounts that have no password set
PermitEmptyPasswords no

rhosts authentication settings
RhostsAuthentication no
RhostsRSAAuthentication no
IgnoreRhosts yes

Caveats: RhostsAuthentication and RhostsRSAAuthentication are SSH protocol 1 options; protocol 1 was removed in OpenSSH 7.4 and current sshd logs these keywords as deprecated and ignores them, while IgnoreRhosts remains valid. sshd uses the first value it reads for a keyword, so a hardening line appended after an earlier `PermitRootLogin yes` changes nothing; verify the effective setting with `sshd -T`.
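The following is an added example, not part of the original page: a small POSIX shell audit that reads an sshd_config the way sshd does (keywords case-insensitive, first occurrence wins, Match blocks apply only to matching connections) and checks the three settings above. The two sample configs it writes are constructed for the demo; the "Keyword value" form is assumed, not "Keyword=value".

```shell
#!/bin/sh
# Added example (not from the original page): check PermitRootLogin,
# PermitEmptyPasswords and IgnoreRhosts in an sshd_config the way sshd reads
# it. Keywords are case-insensitive and the FIRST occurrence of a keyword
# wins, so a hardening line appended after "PermitRootLogin yes" is ignored.
# Assumes the "Keyword value" form; Match blocks are skipped because their
# settings apply only to connections that match.

# effective_value FILE KEYWORD -> prints the value sshd would use (lowercased),
# or nothing if the keyword is not set in the global section
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/            { next }                 # comment line
        /^[ \t]*$/            { next }                 # blank line
        tolower($1) == "match" { inmatch = 1 }
        inmatch               { next }                 # rest of file: Match blocks
        tolower($1) == key    { print $2; exit }       # first occurrence wins
    ' "$1" | tr 'A-Z' 'a-z'
}

# audit_sshd_config FILE -> prints one line per check; exit 0 only if all pass
audit_sshd_config() {
    rc=0
    for pair in PermitRootLogin=no PermitEmptyPasswords=no IgnoreRhosts=yes; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(effective_value "$1" "$key")
        if [ -z "$got" ]; then
            echo "WARN $key not set; version-dependent default applies"; rc=1
        elif [ "$got" != "$want" ]; then
            echo "FAIL $key is '$got' (first occurrence wins), want '$want'"; rc=1
        else
            echo "OK   $key $got"
        fi
    done
    return "$rc"
}

# write_samples DIR -> two constructed sshd_config files for the demo
write_samples() {
    cat > "$1/weak_sshd_config" <<'EOF'
# constructed sample: the "no" on the third line never takes effect
PermitRootLogin yes
Port 22
PermitRootLogin no
PermitEmptyPasswords yes
Match User backup
    IgnoreRhosts yes
EOF
    cat > "$1/hardened_sshd_config" <<'EOF'
# constructed sample: each keyword set once, before any Match block
PermitRootLogin no
PermitEmptyPasswords no
IgnoreRhosts yes
Match User deploy
    PasswordAuthentication no
EOF
}

dir=$(mktemp -d)
write_samples "$dir"
for f in weak_sshd_config hardened_sshd_config; do
    echo "== $f"
    audit_sshd_config "$dir/$f" || echo "   -> $f has findings"
done
rm -r "$dir"
```

Run it against a real file with `audit_sshd_config /etc/ssh/sshd_config`; the weak sample reports `PermitRootLogin` as `yes` even though a later line says `no`, which is exactly what `sshd -T` would also show.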
host$ ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Created directory '/home/user/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:RKbymBUosufI1qYrrAyS8UO8ipl4RHWWXReFuYNmRsE user@host
The key's randomart image is:
+---[RSA 4096]----+
| ..oooo.o=. |
|. . o +=. E.o |
| o o.oo .. . . |
|..o * . = o |
|o=+ o . S+ . |
|.Bo+ |
|*.* |
|B*.. |
|X+. |
+----[SHA256]-----+
rt-host$ cat id_dsa.pub >> ~/.ssh/authorized_keys

Use `>>`, not `>`: redirecting with `>` overwrites every key already authorized for the account. `authorized_keys2` is a legacy name that sshd still reads by default, but `authorized_keys` is the standard file. DSA (ssh-dss) keys have been refused by default since OpenSSH 7.0, so generate an ed25519 or RSA key instead, and keep `~/.ssh` at mode 700 and `authorized_keys` at mode 600, otherwise sshd's StrictModes ignores the file.
Sample DSA key pair as shown on this page (a private key that has been published anywhere must be treated as compromised and never installed):

-----BEGIN DSA PRIVATE KEY-----
MIIBvAIBAAKBgQDY+NZIVE5aQ+U8l381s841vnQI/aAIymGE1nYVVjaHOWcWQu8C
M61b14aMrsa1HmLAJyeIZHsG7119W3nJw2A6bIwFLEDoE48UHYZMYqlMuPWAg6Gw
BVFgyGUgQAlK18pDcvZrajq10pzkMtzLgVRjui+/ZLdqe/nz/VrdcG2x/QIVAIHv
k8Hrosq/hybk9b4/upd9/+lFAoGBALHn30L8MMIQtJjR16v9dY0/lfKAN74v5kiD
5zCTrx8ssEPynlXU7BJttqX1AGONqUkK1YNzLDsdUKtNO8gLsxfK9w6Fp9wAo8Mi
75Rrl4bEvg5SR6Vh2vn7y9SiSWYQNKbiz5rbpAN2Z0XrODK/1sADYGbUutXn5KZ1
ethcy25VAoGBAIQgdwpEDxhHgb0XPy8l2SDd7T8bIauTdPSyeqYWKpmnMaYtZ0kY
9jhP7nqBX1xUnRBgA6R8+7sssZHzSq8cuEEQlA7aDBHRKWzO3yP2R/QfyO46TfMM
6gQx1eMFB1ayNseo4QL6rYZLQjbWRfoBvpbHFnzt2MxGfKUn8q5AWPh/AhRF3fFF
AVp3F5qnGPSUnitCrtO2YQ==
-----END DSA PRIVATE KEY-----

The matching public key in authorized_keys format is a single line (type, base64 blob with no internal whitespace, comment):

ssh-dss AAAAB3NzaC1kc3MAAACBANj41khUTlpD5TyXfzWzzjW+dAj9oAjKYYTWdhVWNoc5ZxZC7wIzrVvXhoyuxrUeYsAnJ4hkewbvXX1becnDYDpsjAUsQOgTjxQdhkxiqUy49YCDobAFUWDIZSBACUrXykNy9mtqOrXSnOQy3MuBVGO6L79kt2p7+fP9Wt1wbbH9AAAAFQCB75PB66LKv4cm5PW+P7qXff/pRQAAAIEAseffQvwwwhC0mNHXq/11jT+V8oA3vi/mSIPnMJOvHyywQ/KeVdTsEm22pfUAY42pSQrVg3MsOx1Qq007yAuzF8r3DoWn3ACjwyLvlGuXhsS+DlJHpWHa+fvL1KJJZhA0puLPmtukA3ZnRes4Mr/WwANgZtS61efkpnV62FzLblUAAACBAIQgdwpEDxhHgb0XPy8l2SDd7T8bIauTdPSyeqYWKpmnMaYtZ0kY9jhP7nqBX1xUnRBgA6R8+7sssZHzSq8cuEEQlA7aDBHRKWzO3yP2R/QfyO46TfMM6gQx1eMFB1ayNseo4QL6rYZLQjbWRfoBvpbHFnzt2MxGfKUn8q5AWPh/ user@home
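As an added example (not code from the original page), the audit below walks an authorized_keys file and reports the two things sshd itself will refuse: ssh-dss entries (disabled by default since OpenSSH 7.0) and a file that is group- or world-writable (rejected by StrictModes). The sample file it writes is constructed; the key blobs in it are truncated placeholders, which is fine because only the key-type field is inspected.

```shell
#!/bin/sh
# Added example (not from the original page): audit an authorized_keys file.
# Findings: ssh-dss keys (refused by default since OpenSSH 7.0), lines with no
# recognisable key type, and permissions StrictModes rejects (g/o writable).
# Key options such as from=,command= come before the type, so the type is the
# first field that looks like a key type and is followed by a base64 blob.

# key_types FILE -> one "type restricted|unrestricted" line per key entry
key_types() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-|ecdsa-sha2-|sk-)/ && $(i+1) ~ /^AAAA/) {
                    print $i, (i > 1 ? "restricted" : "unrestricted")
                    next
                }
            print "unparsable", "unrestricted"
        }' "$1"
}

# audit_authorized_keys FILE -> findings on stdout; exit 0 only if clean
audit_authorized_keys() {
    rc=0
    # StrictModes: sshd ignores the file (and ~/.ssh) if group/other can write it
    if [ -n "$(find "$1" \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "FAIL $1 is group- or world-writable; chmod 600 it (StrictModes)"; rc=1
    fi
    key_types "$1" | while read -r type opts; do
        case $type in
            ssh-dss)    echo "FAIL ssh-dss key ($opts): refused by default since OpenSSH 7.0" ;;
            unparsable) echo "FAIL entry without a recognisable key type" ;;
            *)          echo "OK   $type key ($opts)" ;;
        esac
    done
    # the while loop ran in a subshell, so count the key findings again here
    bad=$(key_types "$1" | grep -c -E '^(ssh-dss|unparsable) ')
    [ "$bad" -eq 0 ] || rc=1
    return "$rc"
}

# write_sample FILE -> constructed authorized_keys with placeholder blobs
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample authorized_keys; blobs are truncated placeholders
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER0000000000000000000000000 alice@laptop
from="10.0.0.0/8",no-pty,command="/usr/local/bin/backup" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDER backup@nas
ssh-dss AAAAB3NzaC1kc3MAAACBANj41khUTlpD5TyXfzWzzjW+PLACEHOLDER user@home
EOF
    chmod 600 "$1"
}

f=$(mktemp)
write_sample "$f"
audit_authorized_keys "$f" || echo "-> $f has findings"
chmod 664 "$f"                                  # now StrictModes would reject it too
audit_authorized_keys "$f" | grep FAIL
rm -f "$f"
```

Point it at a live file with `audit_authorized_keys ~/.ssh/authorized_keys`. Entries carrying options are reported as "restricted"; an unrestricted key for an automation account is usually worth a second look even when its type is fine.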
# sshd [option]

Option | Meaning | Description |
-f filename | file | configuration file (default /etc/ssh/sshd_config) |
-T | test | extended test mode: validate the configuration, print the effective settings, and exit |
-t | test | test mode: validate the configuration and host keys, then exit |

`sshd -T -f /dev/null` reads no configuration file, so it prints the compiled-in defaults:

# sshd -T -f /dev/null
port 22
addressfamily any
listenaddress [::]:22
listenaddress 0.0.0.0:22
usepam no
logingracetime 120
<snip>
ipqos af21 cs1
rekeylimit 0 0
permitopen any
permitlisten any
permituserenvironment no

Without `-f` it prints the configuration the server will actually run with:

# sshd -T

Run it as root, since sshd loads the host keys before dumping. The dump shows the global section only; to see what a Match block yields for a particular connection, add `-C user=alice,host=client.example.com,addr=192.0.2.10`.
# ssh [option] [username@]hostname [command]

Option | Meaning | Description |
-l | login name | user name; can also be given as username@hostname |
-p | port | port number; can also be given in URI form, ssh://username@hostname:port (OpenSSH 7.6 and later) |
-t | tty | force pseudo-tty allocation; makes interactive use possible (e.g. sudo password prompts) |
-o | option | pass any ssh_config option on the command line, e.g. -o StrictHostKeyChecking=yes |
-N | do not execute | do not run a remote command (no prompt is returned); used with port forwarding |
-f | fork | go to the background after authentication; usually combined with -N |
-Q query_option | query | list the algorithms supported for a class: cipher, cipher-auth, mac, kex, kex-gss, key, key-cert, key-plain, sig |
-T | no tty | disable pseudo-tty allocation |
# ssh -L local_port:remote_host:remote_port relay_host

Local forward: connections to local_port on the client are carried over the SSH session to relay_host, which then connects on to remote_host:remote_port. Only the client-to-relay leg is protected by SSH; the relay-to-remote leg is whatever the application protocol provides. The listener binds to loopback unless a bind_address is prepended (bind_address:local_port:...), and `-N -f` keeps the tunnel up without a remote shell.
# ssh -Q cipher
3des-cbc                       disabled by default since OpenSSH 6.7
aes128-cbc                     disabled by default since OpenSSH 6.7
aes192-cbc                     disabled by default since OpenSSH 6.7
aes256-cbc                     disabled by default since OpenSSH 6.7
rijndael-cbc@lysator.liu.se    disabled by default since OpenSSH 6.7
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com

# ssh -Q cipher-auth
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com

cipher-auth lists the AEAD ciphers; when one of these is negotiated it provides integrity itself and the MACs setting is not used.

# ssh -Q kex
diffie-hellman-group1-sha1                 disabled by default since OpenSSH 6.7
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1         disabled by default since OpenSSH 6.7
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
curve25519-sha256@libssh.org
sntrup4591761x25519-sha512@tinyssh.org

# ssh -Q kex-gss
gss-gex-sha1-
gss-group1-sha1-
gss-group14-sha1-
gss-group14-sha256-
gss-group16-sha512-
gss-nistp256-sha256-
gss-curve25519-sha256-

# ssh -Q key
ssh-ed25519
ssh-ed25519-cert-v01@openssh.com
ssh-rsa
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
ssh-rsa-cert-v01@openssh.com
ssh-dss-cert-v01@openssh.com
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com

# ssh -Q key-cert
ssh-ed25519-cert-v01@openssh.com
ssh-rsa-cert-v01@openssh.com
ssh-dss-cert-v01@openssh.com
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com

# ssh -Q key-plain
ssh-ed25519
ssh-rsa
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521

# ssh -Q mac
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
hmac-md5
hmac-md5-96
umac-64@openssh.com
umac-128@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha1-96-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
hmac-md5-etm@openssh.com
hmac-md5-96-etm@openssh.com
umac-64-etm@openssh.com
umac-128-etm@openssh.com

# ssh -Q sig
ssh-ed25519            OpenSSH 6.5 and later
ssh-rsa                deprecated (SHA-1 signature); disabled by default as of OpenSSH 8.8. RSA keys keep working through rsa-sha2-256/512
rsa-sha2-256           OpenSSH 7.2 and later
rsa-sha2-512           OpenSSH 7.2 and later
ssh-dss                disabled by default since OpenSSH 7.0
ecdsa-sha2-nistp256    OpenSSH 5.7 and later
ecdsa-sha2-nistp384    OpenSSH 5.7 and later
ecdsa-sha2-nistp521    OpenSSH 5.7 and later

Note that `ssh -Q` lists what the binary supports, not what is enabled: disabled-by-default algorithms still appear here and can be re-enabled by an explicit Ciphers/KexAlgorithms/MACs line, which is why a hardened config should be an explicit allow-list.
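The following is an added example, not code from the original page, that turns the `ssh -Q cipher`, `ssh -Q kex` and `ssh -Q mac` output above into explicit Ciphers, KexAlgorithms and MACs lines by dropping every entry built on CBC, 3DES/RC4, SHA-1, MD5, a 64- or 96-bit tag, or the 1024-bit group1 exchange. It uses the live `ssh -Q` when an ssh binary is present and otherwise falls back to the lists shown on this page, embedded as a sample; the pattern of what counts as weak is this example's own choice and goes slightly beyond the page by also dropping umac-64 and the SHA-1 gss variants.

```shell
#!/bin/sh
# Added example (not from the original page): build an allow-list for the
# Ciphers / KexAlgorithms / MACs config lines from "ssh -Q <class>" output.
# Input order is kept; in ssh_config and sshd_config the order of these lists
# is the preference order offered during negotiation.
WEAK='cbc|3des|arcfour|blowfish|cast128|sha1|md5|-96|umac-64|group1-'

# hardened_list: stdin = one algorithm per line, stdout = comma-joined survivors
hardened_list() {
    grep -Ev "$WEAK" | awk 'NR > 1 { printf "," } { printf "%s", $1 } END { print "" }'
}

# sample_algos CLASS: the lists shown on this page (constructed sample input)
sample_algos() {
    case $1 in
        cipher) printf '%s\n' 3des-cbc aes128-cbc aes192-cbc aes256-cbc \
                    rijndael-cbc@lysator.liu.se aes128-ctr aes192-ctr aes256-ctr \
                    aes128-gcm@openssh.com aes256-gcm@openssh.com \
                    chacha20-poly1305@openssh.com ;;
        kex)    printf '%s\n' diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 \
                    diffie-hellman-group14-sha256 diffie-hellman-group16-sha512 \
                    diffie-hellman-group18-sha512 diffie-hellman-group-exchange-sha1 \
                    diffie-hellman-group-exchange-sha256 ecdh-sha2-nistp256 \
                    ecdh-sha2-nistp384 ecdh-sha2-nistp521 curve25519-sha256 \
                    curve25519-sha256@libssh.org sntrup4591761x25519-sha512@tinyssh.org ;;
        mac)    printf '%s\n' hmac-sha1 hmac-sha1-96 hmac-sha2-256 hmac-sha2-512 \
                    hmac-md5 hmac-md5-96 umac-64@openssh.com umac-128@openssh.com \
                    hmac-sha1-etm@openssh.com hmac-sha1-96-etm@openssh.com \
                    hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com \
                    hmac-md5-etm@openssh.com hmac-md5-96-etm@openssh.com \
                    umac-64-etm@openssh.com umac-128-etm@openssh.com ;;
        *)      echo "unknown class: $1" >&2; return 1 ;;
    esac
}

# query_algos CLASS: live "ssh -Q" when an ssh binary exists, else the sample
query_algos() {
    if command -v ssh >/dev/null 2>&1; then ssh -Q "$1"; else sample_algos "$1"; fi
}

# config_line CLASS: the finished line for sshd_config / ssh_config
config_line() {
    case $1 in
        cipher) kw=Ciphers ;;
        kex)    kw=KexAlgorithms ;;
        mac)    kw=MACs ;;
        *)      echo "unknown class: $1" >&2; return 1 ;;
    esac
    printf '%s %s\n' "$kw" "$(query_algos "$1" | hardened_list)"
}

for class in cipher kex mac; do config_line "$class"; done
```

Paste the three printed lines into sshd_config and confirm with `sshd -T | grep -E '^(ciphers|kexalgorithms|macs)'`. Because the filter is a deny-pattern over the local binary's list, re-run it after upgrading OpenSSH so newly added algorithms are picked up rather than silently excluded.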
# scp [option] source destination
# sftp [option] [username@]hostname
# ssh-keygen option

Option | Meaning | Notes |
-b bits | bits | key length for rsa (4096 as used above); for ecdsa it selects the curve (256, 384, 521); ignored for ed25519 |
-f filename | file | output file name |
-t type | type | public-key algorithm: dsa, ecdsa, ed25519, rsa. ssh-dss keys are refused by sshd by default since OpenSSH 7.0, so prefer ed25519 or rsa |
-C comments | comments | comment stored in the public key (default user@host) |
-m format | key format | PEM, PKCS8 or RFC4716; the default is OpenSSH's own format (OpenSSH 7.8 and later) |