Posted by fleedib on 01-17-2003 09:55:
SSH_HOWTO, Chinese document.
The other day I set up a proxy and wanted to manage it remotely over ssh.
I have configured it before, but I am not very familiar with it,
so after setting it up I looked for a few documents to deepen my understanding.
It seems sshd may be too simple: the HowTo documents do not appear to cover anything general,
while there are plenty of worked examples of ssh HowTo configuration on the Mac.
So yesterday, in my spare time, I translated this document. My English is not great, so please forgive any howlers.

* * *

_Posted by fleedib on 01-17-2003 10:02:_

**SSH Howto, English/Chinese parallel version (Part 1)**

SSH Howto

Herman Oosthuysen

July 2002

System: Mandrake 8.1 (Linux)

General

The Secure Shell, is an incredibly powerful utility. It allows you to completely control one Unix machine from another. You can not only transfer files between computers securely, but you can execute programs remotely, with the screen display forwarded to the local machine, all the while being completely safe from eavesdroppers.

[ The Secure Shell is an incredibly powerful tool. It allows you to completely control one Unix host from another. You can not only transfer files between the two hosts securely, but also execute programs remotely, with the screen output forwarded to the local host, all the while staying safe from eavesdroppers (who would otherwise pick up useful information). ]

In effect, ssh makes your keyboard and monitor independent from the box it is connected to. You can be at home and work as if you are at your office, or the other way around. This is the ultimate telecommuting solution in one application and has been part of Unix for decades. While this sounds complex to a MS Windows user, working on multiple computers from a single terminal is as natural on a Unix system, as a penguin takes to water...

[ In effect, the secure shell wraps (encrypts) the connection between your keyboard and monitor and the machine they are attached to. You can work from home as if you were at the office, or from any other place. This has been the ultimate goal of telecommuting solutions for the past ten years, and it has long existed as a single application on Unix systems. Although this may sound complicated to a Microsoft Windows user, working on several computers from a single terminal is a perfectly ordinary thing on a Unix system, like a penguin taking to water.... ]

When running applications on multiple machines, it can be difficult to remember what is running where, but KDE on Linux features multiple desktops (virtual screens). I usually use the first screens for the local machine and the last screens for the distant machine, to help keep my wits together.

[ When you run applications on several machines it is hard to remember what is running where, but KDE on Linux has multiple desktops (virtual screens) as a feature. To keep my wits together, I usually use the first screens for the local machine and the last screens for the remote machine. ]

Installing and running the secure shell, should be dead simple. If it isn't, then you either have an old version or mis-matched versions at the two sites, or more likely you have a firewall or TCP Wrappers problem, preventing a connection from being established.

[ Installing and running the secure shell is usually quite a simple matter. If it is not, then either you are using an old version, or the versions at the two ends do not match, or, more commonly, your firewall or TCP Wrappers access control is preventing the connection from being established. ]

Note that there are many ssh versions: ssh1, ssh2 and openssh. That is apart from the commercial versions of ssh - ssh2 is preferred.

[ Note that there are several versions of the secure shell: ssh1, ssh2 and openssh. OpenSSH is the version separated from the commercial secure shell; ssh2 is the first choice! ]

Other howto guides explain how to get a connection up, but fail to give any trouble-shooting advice. Figuring out why it won't work can be a harrowing experience with secure systems, since NOT telling you what is wrong, is also a security requirement, since you don't want to make it easy for an intruder. This guide tries to fill this gap.

[ Other HOWTO documents explain how to set up a connection, but fail to give any trouble-shooting advice. Working out why it does not work can be a painful experience with secure systems, since not telling you what went wrong is itself a security requirement: you do not want to make things easy for an intruder. This guide tries to fill that gap. ]

Configuration

Do not change the default configuration files ssh_config or sshd_config until you have the basic setup working and even then, the default is probably OK for a home user, but not for a corporate user. See Batting Down the Hatches below.

[ Do not change the default ssh_config or sshd_config until the basic setup is working; even then, the default configuration is probably fine for a home user, but it is not a good idea for a corporate user. See Batting Down the Hatches below. ]

Use the Control Centre, Services and stop the sshd daemon (or do killall sshd).

[ Use Control Centre -> Services and stop the sshd daemon (or kill all sshd processes). ]

You must have the same user name on both systems, the server and the remote system. This keeps it easy.

[ You must have the same user name on both systems (translator's note: the same login id), that is, on the server and on the remote system. This keeps the configuration simple. ]

Logged in as the required user, generate a set of RSA keys:

[ Log in as the user who will be using the secure shell and generate an RSA key pair. ]

- ssh-keygen -b 2048 -t rsa (translator's note: generates a 2048-bit key using the RSA algorithm)
- accept the defaults - don't enter a file name (translator's note: a file name may be given if you wish)
- Passphrase: "whatever" (translator's note: the text in quotes is the passphrase that protects the key; it is what decides whether a user is entitled to use the key)

The following keys are generated in directory ~/.ssh:

[ The following keys are generated in the ~/.ssh directory. Translator's note: ~/ stands for the user's home directory on Unix systems. ]

- id_rsa (translator's note: the default file name of the RSA private key)
- id_rsa.pub (translator's note: the default file name of the RSA public key)

Copy the public key to authorized_keys to give you permission to log into the server from its own terminal: [ Copy the public key file id_rsa.pub to the file authorized_keys; this grants permission to log into your server from its own terminal. ]

- cd ~/.ssh (translator's note: enter the ~/.ssh directory)
- cp id_rsa.pub authorized_keys (make authorized_keys a copy of id_rsa.pub)

* * *

_Posted by fleedib on 01-17-2003 10:19:_

**SSH HowTo, English/Chinese parallel version (Part 2)**

Test

Find your server IP address using ifconfig:

[ Use the ifconfig command to find your server's IP address. ]

- /sbin/ifconfig -a

Restart sshd from Control Centre, Services. (or killall sshd and run it again).

[ Restart your sshd service from Control Centre -> Services (or kill all sshd processes and start it again). ]

Try to log into the server from its own terminal. If it doesn't work here, it won't work remotely:

[ Try to log into the server from its own terminal. If it does not work here, it will not work remotely either. ]

- ssh www.xxx.yyy.zzz (the address after ssh is your server's own IP address)
- Enter passphrase for key '/home/user/.ssh/id_rsa': 'whatever' (enter the passphrase protecting your key)

If all went well, you'll be asked for your passphrase and after that you'll get a message like: Last login: time and date.

[ If everything is in order, you will be asked for your key passphrase and then get a message like: Last login: time and date. ]

The very first time, you'll get a message like: Warning: Permanently added www.xxx.yyy.zzz to the list of known hosts.

[ The first time you do this (translator's note: whenever ssh connects to a host it has not connected to before, i.e. one not yet in its known_hosts list) you will see a message like: Warning: Permanently added www.xxx.yyy.zzz to the list of known hosts. ]

After this, you'll get a new shell prompt and the shell will work as usual, except that it is now a ssh session. Type exit, to get back to a normal session.

[ After this you get a new shell prompt and can work as usual, except that it is now a secure shell session. Type exit to get back to a normal session. ]

Bubble, Bubble, Toil and Trouble (trouble-shooting)

If sshd is dead or unreachable, you will get the message: ssh: Connect to www.xxx.yyy.zzz port 22: Connection refused.

[ If the sshd daemon is not running or cannot be reached, you will get this message: ssh: Connect to www.xxx.yyy.zzz port 22: Connection refused. ]

On a server with two ethernet cards, sshd will by default listen on both ethernet interfaces, on port 22. This is usually what you want.

[ On a server with two ethernet cards, the sshd daemon listens by default on port 22 of both interfaces. This is usually what you want. ]

If you can't log in using the one IP address, try the other one.

[ If you cannot log in using one of the IP addresses, try the other one. ]

If the local interface works, but the external interface doesn't, the trouble lies with your firewall.

[ If the local interface works but the external interface does not, the problem lies with your firewall. ]

Ensure that port 22 is open for TCP and UDP traffic:

[ Make sure that port 22 is open and that TCP and UDP traffic can pass through: ]

- iptables -L

will tell you what the firewall is doing. If required, modify the file /etc/rc.d/rc.firewall.

[ The command iptables -L tells you what the firewall is doing. If necessary, edit the file /etc/rc.d/rc.firewall. ]

Add something like the following rules: [ Add rules like the following. ]

- iptables -A INPUT -d www.xxx.yyy.zzz -p tcp --dport 22 -j ACCEPT
- iptables -A INPUT -d www.xxx.yyy.zzz -p udp --dport 22 -j ACCEPT

to poke a hole for port 22 in the firewall. (The rules as originally written gave the IP address to -i, but -i expects an interface name such as eth0; matching the address of the interface is done with -d, as above. SSH itself runs over TCP only, so the UDP rule does no harm but is not needed.) [ Open a hole in the firewall for port 22. ]

Restart the firewall and try to log in again: [ Restart the firewall and try to connect again. ]

- /etc/rc.d/rc.firewall

Confirm that the new rules are OK with iptables -L as before.

[ As before, use iptables -L to confirm that the new rules are in effect. ]

TCP Wrappers

TCP Wrappers presents another layer of firewalling which you may have to reckon with.

[ TCP Wrappers provides another layer of filtering that you may have to reckon with. ]

If you have poked a hole in the iptables firewall and ssh still doesn't want to connect, edit the file /etc/hosts.allow and add the following line:

[ If you have opened a hole in the iptables firewall and ssh still will not connect, edit the file /etc/hosts.allow and add the following line. ]

- sshd: ALL

Now try again. This should be the last issue.

[ Now try again. This should be the last problem. ]

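The hosts.allow decision described above, as an added example that is not part of the original guide: a small POSIX shell model of how TCP Wrappers evaluates a connection (hosts.allow is consulted first, then hosts.deny, and a client matched by neither is allowed), run against constructed sample files in a temporary directory rather than the real /etc. The daemon name sshd, the client addresses and the network prefix are sample values, and the matcher understands only ALL, exact addresses and dotted prefixes, a subset of what libwrap accepts. It also shows what the guide's blanket line sshd: ALL does next to a narrower client list, which is the form that keeps the wrapper layer useful once the connection works.

```shell
#!/bin/sh
# Added example (not from the original guide): a simplified model of the
# TCP Wrappers decision for one daemon/client pair. libwrap consults
# /etc/hosts.allow first, then /etc/hosts.deny; a client matched by neither
# file is allowed. Only ALL, exact addresses and dotted prefixes such as
# 192.168.1. are understood here; the real matcher accepts more forms.

TW_DIR=$(mktemp -d)               # constructed sample files, not the real /etc
trap 'rm -rf "$TW_DIR"' EXIT

cat > "$TW_DIR/hosts.allow" <<'EOF'
# allow sshd from the office LAN and from one admin workstation (sample values)
sshd: 192.168.1. 10.0.0.5
EOF
cat > "$TW_DIR/hosts.deny" <<'EOF'
# refuse every other wrapped service from everywhere
ALL: ALL
EOF

# tw_match FILE DAEMON CLIENT -> exit 0 if some rule in FILE matches
tw_match() {
    [ -f "$1" ] || return 1
    awk -v d="$2" -v c="$3" '
        { sub(/#.*/, "") }                       # strip comments
        /^[[:space:]]*$/ { next }                # skip blank lines
        {
            n = index($0, ":"); if (n == 0) next
            nd = split(substr($0, 1, n - 1), ds, /[ \t,]+/); hit = 0
            for (i = 1; i <= nd; i++) if (ds[i] == "ALL" || ds[i] == d) hit = 1
            if (!hit) next
            nc = split(substr($0, n + 1), cs, /[ \t,]+/)
            for (i = 1; i <= nc; i++) {
                if (cs[i] == "") continue
                if (cs[i] == "ALL" || cs[i] == c) { found = 1; exit }
                # trailing dot = network prefix, e.g. 192.168.1.
                if (cs[i] ~ /\.$/ && index(c, cs[i]) == 1) { found = 1; exit }
            }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# tw_decide DIR DAEMON CLIENT -> prints "allow" or "deny"
tw_decide() {
    if tw_match "$1/hosts.allow" "$2" "$3"; then echo allow
    elif tw_match "$1/hosts.deny" "$2" "$3"; then echo deny
    else echo allow                          # matched by neither file
    fi
}

# the guide's blanket rule "sshd: ALL", applied to a copy of the files
TW_OPEN="$TW_DIR/open"
mkdir "$TW_OPEN" && cp "$TW_DIR/hosts.allow" "$TW_DIR/hosts.deny" "$TW_OPEN/"
echo 'sshd: ALL' >> "$TW_OPEN/hosts.allow"

for client in 192.168.1.20 10.0.0.5 203.0.113.9; do
    echo "sshd from $client: narrow list -> $(tw_decide "$TW_DIR" sshd "$client"), sshd: ALL -> $(tw_decide "$TW_OPEN" sshd "$client")"
done
```

Run as a plain script; the narrow list admits only the two sample sources, while the copy with sshd: ALL appended admits the outside address as well, which is why the blanket line belongs in a debugging session and not in the final configuration.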
Key Distribution

Once you can log in from the local terminal using the external ethernet interface IP address, generate and distribute the public keys so that the server has all the remote public keys in its authorized_keys file and try to log in from the remote.

[ Once you can log in from the local terminal using the IP address of the external ethernet interface, generate and distribute the public keys so that the server has all the remote public keys in its authorized_keys file, then try to log in from the remote machine. ]

RSA keys of 2048 bits are recommended. This is secure as of the time of writing and should remain secure for the next five years or so, given the current rate of computer progress.

[ RSA keys of 2048 bits are recommended. Given the current pace of computer progress, this is secure as of the time of writing and should remain so for about five more years. ]

Note that each public key is a single line, a very long one. Do not use an editor that will truncate or wrap the lines - vi to the rescue... well, I use gedit, do not use kate.

[ Note: each public key is one very long line. Do not use an editor that truncates or wraps lines (which changes the key); vi to the rescue.... Well, I use gedit; do not use kate. ]

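The authorized_keys handling from the Configuration section (cp id_rsa.pub authorized_keys) and the warning above about keys being one long line, as an added example that is not part of the original guide: a POSIX shell script that installs a public key line into an authorized_keys file idempotently and with the permissions sshd insists on (0700 on the directory, 0600 on the file), and then checks that every line in the file is still one intact key. The key line, the comment user@example and the temporary directory standing in for ~/.ssh are all constructed; the base64 blob is placeholder material, not a real key. The check rejects the file after a 72-column wrap, which is what a wrapping editor would have done to it.

```shell
#!/bin/sh
# Added example (not from the original guide): install a public key line
# into an authorized_keys file the way the guide's cp step does, but
# idempotently and with the permissions sshd requires, then verify that
# every line in the file is still one intact key. A key that an editor has
# wrapped or truncated is exactly what the guide warns about, and the
# check below rejects such a file.

KEY_DIR=$(mktemp -d)               # stand-in for ~/.ssh; the real one is untouched
trap 'rm -rf "$KEY_DIR"' EXIT

# Constructed key line in id_rsa.pub format ("type base64-blob comment");
# the blob is placeholder base64, not real key material.
PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0constructedKeyMaterialNotARealKeyAAAA user@example'

# install_pubkey DIR KEYLINE: append KEYLINE to DIR/authorized_keys unless it
# is already there; DIR becomes 0700 and the file 0600, as sshd expects.
install_pubkey() {
    dir=$1; key=$2; ak="$dir/authorized_keys"
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$ak" && chmod 600 "$ak"
    grep -qxF -- "$key" "$ak" && return 0    # already installed, nothing to do
    printf '%s\n' "$key" >> "$ak"
}

# count_keys FILE -> number of lines that are neither blank nor comments
count_keys() {
    awk '!/^[[:space:]]*(#|$)/ { n++ } END { print n + 0 }' "$1"
}

# check_authorized_keys FILE -> 0 if every key line is "<type> <base64> [comment]",
# otherwise print the offending lines and return 1. Option prefixes such as
# from="..." are not handled by this simplified check.
check_authorized_keys() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        {
            ok = ($1 ~ /^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))$/) &&
                 ($2 ~ /^[A-Za-z0-9+\/]+=*$/) && length($2) >= 40
            if (!ok) { print "line " NR ": not a complete key: " substr($0, 1, 40) "..."; bad++ }
        }
        END { exit bad ? 1 : 0 }' "$1"
}

install_pubkey "$KEY_DIR" "$PUBKEY"
install_pubkey "$KEY_DIR" "$PUBKEY"        # second call is a no-op
echo "keys installed: $(count_keys "$KEY_DIR/authorized_keys")"
check_authorized_keys "$KEY_DIR/authorized_keys" && echo "authorized_keys: every line is one key"

# what a line-wrapping editor does to the file (72-column wrap)
fold -w 72 "$KEY_DIR/authorized_keys" > "$KEY_DIR/wrapped"
check_authorized_keys "$KEY_DIR/wrapped" || echo "wrapped copy rejected"
```

The exact-line match in install_pubkey is what makes repeated distribution safe: running the copy step again for a key that is already present leaves the file unchanged instead of duplicating the line.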
The ssh system only uses the RSA public and private keys to authenticate the remote machines (to ensure that only valid users log in). Session keys for data transfer are generated automatically at regular intervals. The default encryption method used for data transfer is the Blowfish algorithm by Bruce Schneier, which is still known to be secure as of writing. The result is a very fast and secure link.

[ The secure shell only uses the RSA public and private keys to authenticate the remote machines (to ensure that only valid users log in). After authentication succeeds, session keys for encrypting the data transfer are generated automatically. The default cipher for data transfer is the Blowfish algorithm written by Bruce Schneier, which is known to be secure. The result is a secure and very fast link. ]

Secure File Transfer Protocol

Ssh2 offers sftp as a Subsystem. This is configured in the file /etc/ssh/sshd_config. The default install of the program sftp-server is in /usr/lib/ssh, but the program should be in the user path, to allow sshd to execute it. Look at the last line of the /etc/ssh/sshd_config file and modify it to read:

[ Ssh2 offers sftp as a subsystem. It is configured in the file /etc/ssh/sshd_config. The sftp-server program is installed by default in /usr/lib/ssh, but it should be in the user's path so that the sshd daemon can execute it. Look at the last line of /etc/ssh/sshd_config and modify it to read: ]

- Subsystem sftp /usr/bin/sftp-server (the last line of /etc/ssh/sshd_config; adjust it to your situation)

and make a link to it from /usr/bin: (create a link to sftp-server in /usr/bin)

- cd /usr/bin (enter the /usr/bin directory)
- ln -s /usr/lib/ssh/sftp-server sftp-server (create the link to sftp-server in /usr/bin)

Now, you can use the sftp program or the gftp GUI program for secure ftp transfers. The gftp GUI program is recommended.

[ Now you can use the sftp program or the gftp GUI program for secure file transfers. The gftp GUI program is recommended. ]

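Two passages above call for a check on sshd_config: the Configuration section's remark that the default file is fine for a home user but not a corporate one, and the sftp Subsystem line just described, which only works if the path it names is something sshd can execute. The following is an added example, not part of the original guide: a POSIX shell audit that reads an sshd_config the way sshd does (first occurrence of a keyword wins, keywords are case-insensitive), reports the permissive settings a corporate deployment should not keep (SSH-1 in Protocol, PermitRootLogin yes, password or empty-password logins) and flags an sftp Subsystem whose path is not executable. Both config files and the stand-in sftp-server binary are constructed in a temporary directory; the real /etc/ssh is neither read nor written, and the keyword checks are this example's selection, not a complete hardening list.

```shell
#!/bin/sh
# Added example (not from the original guide): audit an sshd_config for
# settings a corporate deployment should not leave permissive, and confirm
# that the sftp Subsystem line points at an executable (the guide's symlink
# step exists precisely because sshd cannot run a program it cannot find).
# Both config files are constructed here in a temporary directory; the real
# /etc/ssh is not read or written.

CFG_DIR=$(mktemp -d)
trap 'rm -rf "$CFG_DIR"' EXIT

# stand-in for /usr/lib/ssh/sftp-server: an empty but executable file
: > "$CFG_DIR/sftp-server" && chmod 755 "$CFG_DIR/sftp-server"

# permissive config of the kind a default install could ship, with the
# Subsystem pointing at a path that does not exist on this machine
printf '%s\n' \
    'Protocol 2,1' \
    'PermitRootLogin yes' \
    'PasswordAuthentication yes' \
    'PermitEmptyPasswords yes' \
    "Subsystem sftp $CFG_DIR/missing/sftp-server" > "$CFG_DIR/sshd_config.weak"

# hardened config: SSH-2 only, keys only, no root logins
printf '%s\n' \
    'Protocol 2' \
    'PermitRootLogin no' \
    'PubkeyAuthentication yes' \
    'PasswordAuthentication no' \
    'PermitEmptyPasswords no' \
    "Subsystem sftp $CFG_DIR/sftp-server" > "$CFG_DIR/sshd_config.hardened"

# cfg_value FILE KEYWORD -> value of the first non-comment occurrence
# (sshd honours the first occurrence of a keyword; keywords are case-insensitive)
cfg_value() {
    awk -v k="$2" 'BEGIN { k = tolower(k) }
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == k { print $2; exit }' "$1"
}

# audit_sshd_config FILE: print one finding per line; return the finding count
audit_sshd_config() {
    f=$1; n=0
    case "$(cfg_value "$f" Protocol)" in
        *1*) echo "Protocol permits SSH-1; use 'Protocol 2'"; n=$((n + 1)) ;;
    esac
    if [ "$(cfg_value "$f" PermitRootLogin)" = yes ]; then
        echo "PermitRootLogin yes: log in as a user and escalate instead"; n=$((n + 1))
    fi
    if [ "$(cfg_value "$f" PasswordAuthentication)" != no ]; then
        echo "PasswordAuthentication is not 'no': password guessing stays possible"; n=$((n + 1))
    fi
    if [ "$(cfg_value "$f" PermitEmptyPasswords)" = yes ]; then
        echo "PermitEmptyPasswords yes: accounts with empty passwords can log in"; n=$((n + 1))
    fi
    sftp=$(awk '/^[[:space:]]*#/ { next } tolower($1) == "subsystem" && $2 == "sftp" { print $3; exit }' "$f")
    if [ -z "$sftp" ]; then
        echo "no sftp Subsystem configured"; n=$((n + 1))
    elif [ ! -x "$sftp" ]; then
        echo "sftp Subsystem points at $sftp, which is not executable"; n=$((n + 1))
    fi
    return $n
}

for cfg in weak hardened; do
    echo "== $cfg =="
    audit_sshd_config "$CFG_DIR/sshd_config.$cfg"
    echo "findings: $?"
done
```

Pointing the audit at a copy of the real /etc/ssh/sshd_config gives the same report for that file; the return code makes it usable from a cron job or a deployment check, where a non-zero count is the signal to look at the printed lines.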
Windows Clients

Windows users can use the PuTTY program available from

http://www.chiark.greenend.org.uk/~sgtatham/putty/

for secure ftp or telnet access.

PuTTY is text based and runs in a DOS box - nothing fancy, but it gets the job done. It consists of a collection of small programs, to do telnet (not useful to windoze users), ftp (for file transfer) and key generation (for authentication).

[ Windows users can use the PuTTY program for secure file transfer or secure telnet-style access; it is available from http://www.chiark.greenend.org.uk/~sgtatham/putty/. PuTTY is a plain text-based program that runs under DOS, but it gets the job done. It consists of a collection of small programs: for telnet (not very useful to Windows users), ftp (for file transfer) and key generation (for authentication). ]

Basically, once you made and distributed your keys, you only need to run psftp. RSA keys of 2048 bits in size are recommended.

[ Basically, once you have made and distributed your keys, you only need to run psftp. RSA keys of 2048 bits are recommended. ]

Why PuTTY? Because it can be used to repair broken windows... ;-)

[ Why PuTTY? Because it can be used to repair broken Windows. :-) ]

A Google search should yield many other possibilities, but it is best to start off with a simple client until you have your keys and IP addresses under control. Also, PuTTY is free of charge, while more fancy programs are anything but.

[ A Google search will turn up many other possibilities, but a simple client is the best starting point until you have your keys and IP addresses under control. Also, PuTTY is free, which the fancier programs are not. ]

The usual FTP commands work with PuTTY. Here is a brief list of the most frequently used commands:

[ The usual FTP commands work with PuTTY. Here is a list of the most frequently used commands: ]

- psftp www.xxx.yyy.zzz
- dir
- ls
- cd directoryname
- put filename
- get filename
- quit

If you only need to do occasional file transfers, a simple FTP client like this is OK.

[ If you only need to do occasional file transfers like these, a simple FTP client like this one is fine. ]

Batting Down the Hatches

Once you are confident that the syst