Indlela ulungiselele futhi usebenzise ssh ethekwini? Step by step Umhlahlandlela

Vikela Shell, noma esifushanisiwe njengoba ssh, ke ingenye eziphambili kakhulu ubuchwepheshe yokuvikela idatha ekudluliselweni. Ukusetshenziswa umbuso ezifana ku-router efanayo ivumela nje kuphela ubumfihlo bokwaziswa ngocansi, kodwa futhi ukuze kusheshiswe exchange of amaphakethe. Nokho, akubona bonke uyazi kufike ukuvula imbobo ssh, futhi kungani konke lokhu kuyadingeka. Kulokhu-ke kubalulekile ukuba anike incazelo ezakhayo.

Port-SSH: kuyini futhi kungani siyidinga?

Njengoba sikhuluma zokuphepha, kulesi simo, ngaphansi port ssh ziqondwe isiteshi ozinikele ngesimo emhubheni, esinikela ukubethelwa kwedatha.

Isikimu bakudala kakhulu kwalo mhubhe wukuthi evulekile-SSH-port isetshenziswa ngokuzenzakalelayo ukuze kuvikelwe ukwaziswa emthonjeni nencazelo phezu endpoint. Lokhu kungachazwa kanje: ukuthi uyayithanda noma cha, ngocansi womgwaqo, ngokungafani IPSec, ibethelwe ngaphansi kokucindezelwa kanye okukhipha esibulalayo inethiwekhi, futhi ukwamukelwa uhlangothi emnyango. Ukuqhaqha Imininingwane ngocansi kulesi siteshi, esibulalayo ethola isebenzisa ukhiye ekhethekile. Ngamanye amazwi, ukuze angenele ukudluliswa noma bahlehle ubuqotho idatha ngocansi okwamanje omunye bengayi ngaphandle ukhiye.

ukuvula nje ssh-port kunoma iyiphi router noma ngokusebenzisa amasethingi esifanele amaklayenti ezengeziwe kuwuthinta ngqo ssh-iseva, ikuvumela ukuba asebenzise ngokugcwele zonke izici wezokuvikela wesimanje inethiwekhi izinhlelo. Silapha sendlela ukusebenzisa port ukuthi enikezwe izilungiselelo ezizenzakalelayo noma isiko. Lezi nemingcele e isicelo kungabukeka nzima, kodwa ngaphandle kuvisisa inhlangano uxhumano ezifana akwanele.

Standard ssh port

Uma ngempela sisekelwe kwemigomo yimiphi router kufanele kuqala ukuthola ncamashí ukuhlelwa, onjani isofthiwe izosetshenziselwa isebenze le isixhumanisi. Eqinisweni, ngokuzenzakalela ssh port ungaba izilungiselelo ezihlukile. Konke kuncike kulokho indlela esetshenziswa okwamanje (ukuxhumana kwiseva, kokufaka ezengeziwe amaklayenti port ukudlulisa nokunye. D.).

Ngokwesibonelo, uma iklayenti esetshenziswa Jabber, ngokuxhumana lesifanele, ukubethela, nedatha ukudluliswa port 443 izosetshenziselwa, nakuba samuntu lihlelwe port ejwayelekile 22.

Ukuze usethe kabusha router ekwabiweni ngoba uhlelo oluthile noma ukucubungula izimo ezidingekayo ukwenza port ukudlulisa ssh. Kuyini lokhu? Kuyinto ngenhloso ukufinyelela ethile uhlelo olulodwa esebenzisa uxhumano lwe-Inthanethi, kungakhathaliseki ukuthi iyiphi kulungiselelwa zamanje olandelwayo exchange idatha (IPv4 noma IPv6).

ukulungisiswa lobuchwepheshe

Standard ssh port 22 alisetshenziswa njalo njengoba kakade kwase ecacile. Nokho, lapha kubalulekile ukwaba ezinye izici nezilungiselelo esetshenziswa phakathi nokuhlela.

Kungani ebethelwe idatha imfihlo olandelwayo kuhilela ukusetshenziswa ssh njengoba luyingxenye yangaphandle (isivakashi) port msebenzisi? Kodwa kuphela ngoba mhubhe sisetshenziswa ivumela ukusetshenziswa okuthiwa igobolondo akude (ssh), ukufinyelela ekuphathweni esibulalayo ngokusebenzisa ngemvume kude (slogin), uphinde usebenzise akude inqubo ikhophi (SCP).

Ngaphezu kwalokho, ssh-port isebenze esimweni lapho umsebenzisi kuyadingeka ukuze amaskriphthi akude X-Windows, okuyinto esimweni elula ukudluliselwa kolwazi kusukela umshini eyodwa kuya kwenye, njengoba kuye kwashiwo, nge ophoqelelwe ukubethela idatha. Ezimweni ezinjalo, afanele kakhulu sebenzisa esekelwe AES algorithm. Lena lesinesitfombe-sibuko ukubethela algorithm, okuyinto ekuqaleni enikeziwe e-SSH ubuchwepheshe. Futhi sebenzisa kungenzeka nje kuphela kodwa kudingekile.

History of the Ukuqaphela

Ubuchwepheshe ubonakele isikhathi eside. Ake ushiye eceleni umbuzo zendlela yokwenza Uqweqwe ssh port, futhi ugxile yonke imisebenzi kanjani.

Ngokuvamile kuziwa phansi, ukusebenzisa ummeleli ngesisekelo Amasokisi noma sebenzisa i-VPN mhubhe. Uma kwenzeka abanye isicelo software ungasebenza ngezinhlelo-VPN, kangcono ukhetha le ndlela. Iqiniso lokuthi izinhlelo cishe zonke ezaziwayo namuhla zisebenzisa traffic Inthanethi, i-VPN ingasebenza, kodwa ukumiswa ewachitha kalula akuyona. Lokhu, njengoba kwaba njalo endabeni ka-amaseva proxy, evumela ukuhamba ikheli sangaphandle esibulalayo kusuka lapho okwamanje akhiqizwa inethiwekhi okukhipha, engaziwa. Lokho kunjalo ngekheli le-proxy sishintsha njalo, futhi i-VPN okufushane uhlala ingashintshiwe nge nenkanuko edlulele wesifunda ezithile, ngaphandle kwalowo lapho kukhona kuvinjelwe ukufinyelela.

Ubuchwepheshe kakhulu esifanayo enikeza ssh port, yasungulwa ngo-1995 e-University of Technology e-Finland (ssh-1). Ngo-1996, ngcono zengezwe ngesimo uphrothokholi ssh-2, okuyinto kwaba ngempela kwandile esikhaleni post-Soviet, nakuba salokhu, kanye kwamanye amazwe eNtshonalanga Yurophu, kwesinye isikhathi kuqakathekile ukuthola imvume yokusebenzisa le emhubheni, bese kusuka ejenti kahulumeni.

Inzuzo enkulu ukuvula ssh-port, kunokusebenza Telnet noma rlogin, ukusetshenziswa nesignesha digital RSA noma DSA (ukusetshenziswa yebhangqa ovulekile futhi ukhiye wangcwatshwa). Ngaphezu kwalokho, kulesi simo ungasebenzisa okuthiwa session ukhiye esekelwe Diffie-Hellman algorithm, okubandakanya ukusetshenziswa lesinesitfombe-sibuko ukubethela okukhipha, nakuba ayengazi ayakwenqabela ukusetshenziswa quin ukubethela ubuchule obuphezulu ngesikhathi idatha ukuwudlulisa reception ngomunye umshini.

Amaseva kanye igobolondo

Ku-Windows noma i-Linux ssh-port evulekile akunzima kangako. Umbuto ukutsi, onjani amathuluzi le njongo zizosetshenziswa.

Ngalo mqondo kubalulekile ukuba banake udaba kolwazi ukuwudlulisa ubuqiniso. Okokuqala, i-protocol ngokwayo ngokwanele ivikelwe ukuhogela okuthiwa, okuyinto evamile kakhulu "wiretapping" traffic. Ssh-1 wazibonakalisa kungahlaseleka. Impambaniso inqubo ukuthumela idatha ngesimo iqhinga lokuphamba "indoda phakathi" unemiphumela yayo. Imininingwane lokkhu nokunciphisa kanye wokufunda ngempela aphansi. Kodwa inguqulo yesibili (ssh-2) Uye waba banawo lo kohlobo oluthile, olwaziwa nge-session nokuduna izimoto, ukuphangwa sibonga yini ethandwa kakhulu.

uvala yezokuphepha

Ngokuqondene nokuvikeleka maqondana idatha ngocansi futhi wathola, inhlangano uxhumano iqiniswe ukusetshenziswa kwalo buchwepheshe ivumela ukugwema izinkinga ezilandelayo:

• ukhiye ukuhlonza umkhosi ngaleso isinyathelo ukudluliswa, lapho "isifinyezo» zeminwe;
• Ukusekela i-Windows kanye nezinhlelo Unix-like;
• esikhundleni IP ne-DNS amakheli (ubuqili);
• abaphuca iphasiwedi okukhululekile ukufinyelela ngokomzimba kuze isiteshi idatha.

Empeleni, wonke inhlangano njalo kwesimiso esinjalo yakhiwe phezu kwesimiso "amaklayenti-server", okungukuthi, okokuqala ikhompyutha yomsebenzisi ngokusebenzisa isimiso esikhethekile noma amakholi ungeze ku-server, okuthela Ukuqondisa kabusha okuhambisanayo.

mhubhe

Nakanjani ukuthi ukuqaliswa uxhumano ngale ndlela e umshayeli ekhethekile kumele ukufakwa ohlelweni.

Ngokuvamile, kumasistimu Windows-based yakhelwe ku umshayeli Uhlelo igobolondo Microsoft Teredo, okuyinto uhlobo virtual ukulingisa izindlela IPv6 kumanethiwekhi asekelayo IPv4 kuphela. Umhubhe okuzenzakalelayo adaptha iyasebenza. Esimweni ukwehluleka ehambisana nayo, ungavele wenze ukuqalisa phansi uhlelo noma ukuvala shaqa futhi kabusha imiyalo kusukela console umyalo. Ukuyekisa asetshenziswa imigqa enjalo:

• netsh;
• esibonakalayo isimo teredo isethi zikhutshaziwe;
• esibonakalayo isatap setha isimo zikhutshaziwe.

Ngemuva kokufaka umyalo Kufanele uqale kabusha. Ukuze uphinde unike amandla i-adaptha hlola isimo ekhubazekile esikhundleni sohlelo inikwe amandla amarejista imvume, ngemva kwalokho, futhi, kufanele uqale kabusha lonke uhlelo.

Ssh-iseva

Manje ake sibone ukuthi echwebeni ssh isetshenziswa njengoba nje nengaphakathi kusukela isikimu "amaklayenti-server". Okuzenzakalelayo livame imizuzu 22 Imbobo, kodwa, njengoba kushiwo ngenhla, ingasetshenziswa kanye 443rd. Umbuzo kuphela preference iseva uqobo.

Okuvame kakhulu ssh-amaseva ubhekwa okulandelayo:

• -Windows: Tectia ssh Server, OpenSSH nge Cygwin, MobaSSH, KpyM Telnet / ssh Server, WinSSHD, copssh, freeSSHd;
• I-FreeBSD: OpenSSH;
• ye-Linux: Tectia ssh Server, ssh, openssh-iseva, lsh-iseva, dropbear.

Zonke amaseva amahhala. Nokho, ungathola futhi ikhokhelwe namasevisi ahlinzeke amazinga nakakhulu zokuphepha, okuyinto ebalulekile enhlanganweni lokufinyelela wenethiwekhi nolwazi nokuvikeleka amabhizinisi. Izindleko amasevisi esinjalo kuxoxwa. Kodwa ngokuvamile singasho ukuthi azibizi kakhulu, ngisho uma ziqhathaniswa ukufakwa isofthiwe ekhethekile noma "hardware" lokuvikela.

Ssh-iklayenti

Guqula ssh port zingenziwa ngesisekelo uhlelo iklayenti noma izilungiselelo elifanele lapho port ukudlulisa kumzila wakho.

Yize kunjalo, uma uthinte igobolondo iklayenti, imikhiqizo ezilandelayo isofthiwe ingasetshenziswa izinhlelo ezihlukahlukene:

• Windows - SecureCRT, Putty \ Kitty, Axessh, ShellGuard, SSHWindows, ZOC, XShell, ProSSHD njll;..
• Mac OS X: iTerm2, vSSH, NiftyTelnet ssh;
• Linux ne-BSD: lsh-iklayenti, kdessh, openssh-iklayenti, Vinagre, putty.

Ukugunyaza kusekelwe ukhiye womphakathi, futhi ushintshe echwebeni

Manje amagama ambalwa mayelana indlela yokuqinisekisa abeke iseva. Endabeni elula, kufanele usebenzise ifayela ukumisa (sshd_config). Nokho, ungenza ngaphandle kwalo, isibonelo, esimweni izinhlelo ezifana Putty. Guqula ssh port kusukela inani elimisiwe (22) noma yiluphi olunye kuyinto aphansi ngokuphelele.

Into esemqoka - ukuze uvule inombolo port ingeqi ukubaluleka 65535 (izimbobo ephakeme nje abekho imvelo). Ngaphezu kwalokho, kufanele sinake ezinye izimbobo evulekile ngokuzenzakalela, angasetshenziswa by amaklayenti like MySQL noma FTPD yolwazi. Uma usho kubo ngoba ssh ukucushwa Yiqiniso, bona nje ukuyeka ukusebenza.

Kuyaphawuleka ukuthi Jabber iklayenti efanayo kumele egijima imvelo efanayo usebenzisa ssh-iseva, isibonelo, kwi ewumshini. Futhi iseva kakhulu localhost uzodinga ukwabela Inani 4430 (esikhundleni 443, njengoba kushiwo ngenhla). Lokhu kulungiselela engasetshenziswa uma ukufinyelela jabber.example.com kufayela elikhulu ivinjiwe ngohlelo lokuvikela.

Ngakolunye uhlangothi, amatheku ukudluliselwa kungaba ku-router usebenzisa ukucushwa kwe isikhombimsebenzisi yayo nge ukudalwa okuhlukile nemithetho. Ngo izinhlobo eziningi okokufaka ngokusebenzisa amakheli okokufaka oqala 192,168 kulekelelwa 0.1 noma 1.1, kodwa imizila ngokuhlanganisa amakhono ADSL-modems like Mikrotik, ikheli sokuphela kuhilela ukusetshenziswa 88,1.

Kulokhu, ukwakha umthetho omusha ke usethe nemingcele ezidingekayo, isibonelo, ukufaka uxhumano zangaphandle DST-nat, kanye nezimbobo ngesandla ebekiwe awekho ngaphansi izilungiselelo jikelele futhi esigabeni Zokulwisana izintandokazi (Action). Lutho futhi nzima lapha. Into esemqoka - ukuze ucacise namagugu adingekayo izilungiselelo bese usetha echwebeni lesifanele. Ngokuzenzakalelayo, ungasebenzisa port 22, kodwa uma ikhasimende isebenzisa ekhethekile (ezinye ngenhla izimiso ezihlukile), ukubaluleka kungashintshwa ezinqumela, kodwa kuphela ukuze lokhu ipharamitha ingeqi ukubaluleka limenyezelwe, ngenhla okuyinto port izinombolo nje azitholakali.

Uma usetha ukuxhumana futhi kufanele sinake kwemigomo uhlelo iklayenti. Kungenzeka ukuthi kuzilungiselelo zayo kufanele ucacise obuphelele ubuncane ukhiye (512), nakuba okuzenzakalelayo ijwayele ukusethwa 768. Libuye efiselekayo usethe sokuvala ukuze ungene ku ezingeni imizuzwana 600 esikude imvume yokufinyelela ngamalungelo impande. Ngemva kokuzisebenzisa izilungiselelo, udinga futhi avumele ukusetshenziswa wonke amalungelo ubuqiniso, ngaphandle kwalezo esekelwe .rhost ukusetshenziswa (kodwa kuyadingeka kuphela uhlelo abaqondisi).

Phakathi kwezinye izinto, uma igama lomsebenzisi bhalisiwe ohlelweni, ayifani owethulwa okwamanje, kufanele icaciswe ngokucacile usebenzisa umsebenzisi ssh master umyalo lapho umuntu eba imingcele engeziwe (kulabo baqonde ukuthi lisengozini).

Ithimba ~ / .ssh / id_dsa ingasetshenziswa tingucuko ukhiye bese indlela ukubethela (noma rsa). Ukudala ukhiye womphakathi esetshenziswa ukuguqulwa usebenzisa lo layini ~ / .ssh / identity.pub (kodwa hhayi ngempela). Kodwa, njengoba umkhuba imibukiso, indlela elula ukusebenzisa imiyalo efana ssh-keygen. Lapha okushiwo udaba kuyehla kuphela yokuthi, ukwengeza isihluthulelo etholakalayo ubuqiniso amathuluzi (~ / .ssh / authorized_keys).

Kodwa thina Seledlulise amalawulo. Uma uya emuva udaba izilungiselelo port ssh, njengoba bekulokhu kucace ushintsho ssh port akunzima kangako. Nokho, kwezinye izimo, abantu bathi, kuyodingeka ujuluke, ngoba isidingo inake wonke amagugu nemingcele ukhiye. Zonke ezinye inkinga ukucushwa yangempela emnyango yiluphi uhlelo iseva noma ikhasimende (uma kunikezwe ekuqaleni), noma ukusebenzisa port ukudlulisa ku-router. Kodwa ngisho uma ushintsho echwebeni 22, okuzenzakalelayo, kuya 443rd esifanayo, kufanele kahle ukuthi isikimu enjalo akusebenzi njalo, kodwa kuphela uma ufaka efanayo isengezo e Jabber (nezinye analogs kusebenze nezimbobo abafanele, it ihlukile ejwayelekile). Ngaphezu kwalokho, ukunakekelwa okukhethekile kufanele inikwe ipharamitha ukubeka ssh-iklayenti, okuzokwenza ngqo uxhumane ssh-iseva, uma ngempela kufanele ukusebenzisa uxhumano zamanje.

Ngokuqondene nazo zonke ezinye, uma ukudlulisa port singanikezwanga ekuqaleni (nakuba kuyinto efiselekayo ukwenza izenzo ezinjalo), izilungiselelo ongakhetha sokufinyelela nge ssh, awukwazi ukushintsha. Kukhona izinkinga uma udala uxhumano, kanye nokusebenzisa kwayo eminye, ngokuvamile, is akulindelekile (ngaphandle-ke, ngeke sisetshenziswe ngesandla ulungiselele iseva ezisekelwe ukucushwa nekhasimende). Okukhishwayo ezivamile ngokudalwa lwemithetho router ikuvumela ukulungisa izinkinga noma sizigweme.