OpenSSH

Installation

Windows

Installing both the SSH client and the SSH server on Windows is complicated and fiddly, and is the focus of this tutorial.

Installing OpenSSH through the Settings app

Requires Windows Server 2019 or Windows 10 1809

Settings - Apps - Apps & features - Manage optional features

Check whether OpenSSH Client is listed; if it is not, choose Add a feature at the top.

Note: installing OpenSSH Server creates and enables a firewall rule named "OpenSSH-Server-In-TCP", which allows inbound SSH traffic on port 22.

Installing OpenSSH through PowerShell

Start PowerShell as Administrator. Check whether the OpenSSH features are available:

Get-WindowsCapability -Online | ? Name -like 'OpenSSH*'

# This should return the following output:

Name  : OpenSSH.Client~~~~0.0.1.0
State : NotPresent
Name  : OpenSSH.Server~~~~0.0.1.0
State : NotPresent

Install the OpenSSH client or server

# Install the OpenSSH Client
Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0

# Install the OpenSSH Server
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

# Both of these should return the following output:

Path          :
Online        : True
RestartNeeded : False

Uninstalling OpenSSH

  1. Settings - Apps - Apps & features - Manage optional features

Select OpenSSH Client or OpenSSH Server and choose Uninstall

  2. Uninstalling OpenSSH through PowerShell

# Uninstall the OpenSSH Client
Remove-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0

# Uninstall the OpenSSH Server
Remove-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

If OpenSSH is in use while it is being uninstalled, Windows may need to be restarted before OpenSSH is fully removed

Initial configuration of the SSH server

When using OpenSSH on Windows for the first time, start PowerShell as Administrator and run the following commands to start the sshd service

Start-Service sshd
# OPTIONAL but recommended:
Set-Service -Name sshd -StartupType 'Automatic'
# Confirm the Firewall rule is configured. It should be created automatically by setup.
Get-NetFirewallRule -Name *ssh*
# There should be a firewall rule named "OpenSSH-Server-In-TCP", which should be enabled
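As an added example that is not part of the original notes, the install and start-up commands above combined into one idempotent PowerShell script: it installs the server capability only if it is missing, enables the service, and verifies the firewall rule, additionally scoping the rule to an administration subnet so port 22 is not reachable from every source address. The capability name is the one from the notes; the subnet 10.0.0.0/24 is a constructed placeholder. Run it as Administrator.

```powershell
# Added example (not from the original notes): idempotent install-and-verify
# script for the OpenSSH Server optional feature. Run as Administrator.
# Assumption: capability name OpenSSH.Server~~~~0.0.1.0 as listed in the notes.
$ErrorActionPreference = 'Stop'

$cap = Get-WindowsCapability -Online -Name 'OpenSSH.Server~~~~0.0.1.0'
if ($cap.State -ne 'Installed') {
    Write-Host "Installing $($cap.Name) (current state: $($cap.State))"
    $result = Add-WindowsCapability -Online -Name $cap.Name
    if ($result.RestartNeeded) { Write-Warning 'A restart is required before sshd can be used.' }
} else {
    Write-Host "$($cap.Name) is already installed"
}

# Start sshd now and on every boot.
Set-Service -Name sshd -StartupType Automatic
Start-Service -Name sshd
$svc = Get-Service -Name sshd
Write-Host "sshd status: $($svc.Status), startup type: $($svc.StartType)"

# Verify the firewall rule the installer creates. If it is missing, create an
# equivalent one; in either case restrict it to the management network instead
# of leaving port 22 open to any remote address.
# Assumption: 10.0.0.0/24 is a constructed placeholder for your admin subnet.
$adminNet = '10.0.0.0/24'
$rule = Get-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -ErrorAction SilentlyContinue
if (-not $rule) {
    Write-Warning 'Firewall rule OpenSSH-Server-In-TCP not found; creating it'
    $rule = New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -DisplayName 'OpenSSH Server (sshd)' `
        -Direction Inbound -Protocol TCP -LocalPort 22 -Action Allow -Enabled True
}
Set-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -RemoteAddress $adminNet -Enabled True
$rule = Get-NetFirewallRule -Name 'OpenSSH-Server-In-TCP'
$addr = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
Write-Host "Rule '$($rule.Name)' enabled=$($rule.Enabled) remote=$addr"
```

Re-running the script is harmless: the capability check skips an existing install, and Set-NetFirewallRule simply reapplies the same remote-address scope.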

Alternatively, open Services and set "OpenSSH SSH Server" to start automatically.

If you connect to a remote Windows server or virtual machine, you can add your local key to authorized_keys. When the Windows user you connect as is a standard (non-administrator) user, use the following command:

scp .ssh/id_rsa.pub username@hostname:C:/Users/Username/.ssh/authorized_keys

If the user is a member of the Administrators group:

scp .ssh/id_rsa.pub username@hostname:C:/ProgramData/ssh/administrators_authorized_keys

On the Windows server: run PowerShell as Administrator and run get-ExecutionPolicy; if it shows Restricted, script execution is disabled; run set-ExecutionPolicy RemoteSigned

Save the following commands as a script and run it:

# Load the current ACL of the administrators key file
$acl = Get-Acl C:\ProgramData\ssh\administrators_authorized_keys
# Disable inheritance and discard the inherited entries
$acl.SetAccessRuleProtection($true, $false)
# Grant access only to Administrators and SYSTEM
$administratorsRule = New-Object system.security.accesscontrol.filesystemaccessrule("Administrators","FullControl","Allow")
$systemRule = New-Object system.security.accesscontrol.filesystemaccessrule("SYSTEM","FullControl","Allow")
$acl.SetAccessRule($administratorsRule)
$acl.SetAccessRule($systemRule)
# Write the modified ACL back to the file
$acl | Set-Acl
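As an added example that is not part of these notes, a PowerShell check that audits the ACL on administrators_authorized_keys and lists any principal other than Administrators and SYSTEM, so you can confirm the permissions are correct before troubleshooting a refused key (sshd on Windows rejects the file when other accounts can access it). A related caveat: the default Windows sshd_config contains a Match Group administrators block that points AuthorizedKeysFile at this file, which is why keys for administrator accounts go here rather than into the user's own .ssh\authorized_keys. The path is built from $env:ProgramData and the function name Test-AdminKeysAcl is my own.

```powershell
# Added example (not from the original notes): report any ACE on
# administrators_authorized_keys that is not Administrators or SYSTEM.
$ErrorActionPreference = 'Stop'
$path = Join-Path $env:ProgramData 'ssh\administrators_authorized_keys'

function Test-AdminKeysAcl {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    # The only principals that may appear on this file.
    $allowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    $problems = @()
    if (-not $acl.AreAccessRulesProtected) {
        $problems += 'inheritance is enabled (parent directory permissions leak in)'
    }
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        if ($allowed -notcontains $id) {
            $problems += "unexpected ACE: $id has $($ace.FileSystemRights) ($($ace.AccessControlType))"
        }
    }
    [pscustomobject]@{ Path = $Path; Owner = $acl.Owner; Problems = $problems }
}

$report = Test-AdminKeysAcl -Path $path
Write-Host "File: $($report.Path)"
Write-Host "Owner: $($report.Owner)"
if ($report.Problems.Count -eq 0) {
    Write-Host 'ACL is restricted to Administrators and SYSTEM'
} else {
    $report.Problems | ForEach-Object { Write-Warning $_ }
    Write-Host 'Reset the permissions with the ACL script from these notes and re-run this check'
}
```

The check reads only; it never modifies the ACL, so it is safe to run from a scheduled task or a configuration-drift job.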

To fix VS Code timing out when connecting to a Windows server, add the following settings:

"remote.SSH.useLocalServer": false,
"remote.SSH.remotePlatform": {
    "192.168.4.132": "windows"
} // Only if the remote is Windows

Windows SSH service configuration directory: %programdata%/ssh/

Repairing authorized_keys permissions

ssh --% username@hostname powershell -c $ConfirmPreference = 'None'; Repair-AuthorizedKeyPermission C:\Users\user1\.ssh\authorized_keys

Using SSH for the first time

After installing OpenSSH Server on Windows, run the following command in PowerShell on any Windows machine that has the SSH client installed to test it

ssh username@servername

The first time you connect to any server you will see a message like the following

The authenticity of host 'servername (10.00.00.001)' can't be established.
ECDSA key fingerprint is SHA256:(<a large string>).
Are you sure you want to continue connecting (yes/no)?

You must answer yes or no; answering yes adds the server to the local system's list of known ssh hosts

Once connected, you will see a command prompt like the following

domain\username@SERVERNAME C:\Users\username>
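The prompt above is only useful if the fingerprint it shows is compared with something obtained out of band; answering yes blindly means the first connection trusts whatever host key it is offered. As an added example that is not from the original notes, a PowerShell snippet to run on the Windows server that prints the fingerprint of every host key in %ProgramData%\ssh, in the same SHA256 form the client prompt uses. The function name Get-HostKeyFingerprint is my own; the key directory is the Windows default.

```powershell
# Added example (not from the original notes): list server host key
# fingerprints for out-of-band comparison with the client's prompt.
# Run on the server; assumes the default key directory %ProgramData%\ssh.
$keyDir = Join-Path $env:ProgramData 'ssh'

function Get-HostKeyFingerprint {
    param([string]$Directory)
    Get-ChildItem -Path $Directory -Filter 'ssh_host_*_key.pub' | ForEach-Object {
        # ssh-keygen -l prints: "<bits> SHA256:<hash> <comment> (<TYPE>)"
        $line = & ssh-keygen -l -E sha256 -f $_.FullName
        $fields = $line -split '\s+'
        [pscustomobject]@{
            File        = $_.Name
            Type        = $fields[-1].Trim('()')
            Fingerprint = $fields[1]
        }
    }
}

Get-HostKeyFingerprint -Directory $keyDir | Format-Table -AutoSize

# On the client, after a host has been accepted, the stored entry can be looked
# up and its fingerprint printed with -F and -l (servername is a placeholder):
# ssh-keygen -F servername -l
```

If the client prompt names an ECDSA key, compare it with the ssh_host_ecdsa_key.pub row; a mismatch between the two means the connection should not be accepted until the cause is understood.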

Linux

sudo apt install openssh-client openssh-server

You can confirm that the server is running by checking the service status:

sudo systemctl status ssh

Allowing the root user to log in remotely

Not recommended. It can be enabled by editing /etc/ssh/sshd_config and changing PermitRootLogin to yes.
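Because sshd takes the first occurrence of a directive and ignores later ones, and because anything under a Match block is conditional, it is easy to believe PermitRootLogin or PasswordAuthentication is set one way when the effective value is another. As an added example that is not part of the original notes, a small PowerShell audit that reads an sshd_config the way sshd does (first occurrence wins, stop at the first Match), applies the OpenSSH defaults for directives that are absent, and flags the values a hardened server should have. It works on the Windows file under %ProgramData%\ssh as well as on a copy of /etc/ssh/sshd_config; the path, the function names and the chosen target values are my own.

```powershell
# Added example (not from the original notes): audit the effective value of
# the most security-relevant sshd_config directives.
function Get-SshdDirective {
    param([string[]]$Lines)
    $effective = @{}
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }
        $parts = $line -split '\s+', 2
        $key = $parts[0].ToLowerInvariant()
        # Directives after the first Match block apply conditionally; stop there.
        if ($key -eq 'match') { break }
        # sshd uses the first occurrence of a directive and ignores later ones.
        if (-not $effective.ContainsKey($key)) { $effective[$key] = $parts[1] }
    }
    $effective
}

function Test-SshdConfig {
    param([string]$Path)
    $cfg = Get-SshdDirective -Lines (Get-Content -Path $Path)
    # Wanted value and the OpenSSH default that applies when the directive is unset.
    $checks = @(
        @{ Key = 'permitrootlogin';        Want = 'no';  Default = 'prohibit-password' },
        @{ Key = 'passwordauthentication'; Want = 'no';  Default = 'yes' },
        @{ Key = 'pubkeyauthentication';   Want = 'yes'; Default = 'yes' }
    )
    foreach ($c in $checks) {
        $val = if ($cfg.ContainsKey($c.Key)) { $cfg[$c.Key] } else { "$($c.Default) (default)" }
        [pscustomobject]@{
            Directive = $c.Key
            Effective = $val
            Ok        = (($val -split ' ')[0] -eq $c.Want)
        }
    }
}

# Placeholder path: the Windows default; point it at any sshd_config copy.
Test-SshdConfig -Path (Join-Path $env:ProgramData 'ssh\sshd_config') | Format-Table -AutoSize
```

A row with Ok = False and "(default)" in the Effective column means the directive is not set at all and the server is running on the OpenSSH default, which for PasswordAuthentication is yes.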

Remote operations

ssh

ssh	[-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface] [-b bind_address] [-c cipher_spec] [-D [bind_address:]port] [-E log_file] [-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file] [-J destination] [-L address] [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port] [-Q query_option] [-R address] [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]] destination [command]

scp

sftp

Key management

ssh-add

ssh-keysign

ssh-keyscan

ssh-keygen

Generation, management and conversion of authentication keys

Synopsis

ssh-keygen	[-q] [-b bits] [-C comment] [-f output_keyfile] [-m format] [-N new_passphrase] [-t dsa | ecdsa | ed25519 | rsa]

ssh-keygen	-p [-f keyfile] [-m format] [-N new_passphrase] [-P old_passphrase]

ssh-keygen	-i [-f input_keyfile] [-m key_format]

ssh-keygen	-e [-f input_keyfile] [-m key_format]

ssh-keygen	-y [-f input_keyfile]

ssh-keygen	-c [-C comment] [-f keyfile] [-P passphrase]

ssh-keygen	-l [-v] [-E fingerprint_hash] [-f input_keyfile]

ssh-keygen	-B [-f input_keyfile]

ssh-keygen	-D pkcs11

ssh-keygen	-F hostname [-lv] [-f known_hosts_file]

ssh-keygen	-H [-f known_hosts_file]

ssh-keygen	-R hostname [-f known_hosts_file]

ssh-keygen	-r hostname [-g] [-f input_keyfile]

ssh-keygen	-G output_file [-v] [-b bits] [-M memory] [-S start_point]

ssh-keygen	-f input_file -T output_file [-v] [-a rounds] [-J num_lines] [-j start_line] [-K checkpt] [-W generator]

ssh-keygen	-I certificate_identity -s ca_key [-hU] [-D pkcs11_provider] [-n principals] [-O option] [-V validity_interval] [-z serial_number] file ...

ssh-keygen	-L [-f input_keyfile]

ssh-keygen	-A [-f prefix_path]

ssh-keygen	-k -f krl_file [-u] [-s ca_public] [-z version_number] file ...

ssh-keygen	-Q -f krl_file file ...

ssh-keygen	-Y check-novalidate -n namespace -s signature_file

ssh-keygen	-Y sign -f key_file -n namespace file ...

ssh-keygen	-Y verify -f allowed_signers_file -I signer_identity -n namespace -s signature_file [-r revocation_file]
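The synopsis lists the modes but not how they chain together in practice. As an added example that is not part of the original notes, a PowerShell walk-through of one key's lifecycle using the modes above: generate an Ed25519 key with a passphrase, print its fingerprint, rotate the passphrase, re-derive the public key from the private one, export it in RFC 4716 format, and then exercise the known_hosts modes (-F, -H, -R) on a constructed file. Everything is written under $env:TEMP; the passphrases and the host name demo-host are placeholders, and the demo's own public key stands in for a host key.

```powershell
# Added example (not from the original notes): a key lifecycle using the
# ssh-keygen modes from the synopsis. Paths under $env:TEMP are constructed;
# the passphrases are placeholders.
$ErrorActionPreference = 'Stop'
$work = Join-Path $env:TEMP 'sshkeygen-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$key = Join-Path $work 'id_ed25519'

# 1. Generate an Ed25519 key protected by a passphrase (-t, -f, -C, -N).
& ssh-keygen -q -t ed25519 -f $key -C 'demo@example' -N 'old-passphrase'

# 2. Show the fingerprint (-l) using SHA256 (-E).
& ssh-keygen -l -E sha256 -f "$key.pub"

# 3. Change the passphrase in place (-p with -P old and -N new).
& ssh-keygen -p -f $key -P 'old-passphrase' -N 'new-passphrase'

# 4. Re-derive the public key from the private key (-y); useful when .pub is lost.
$derived = & ssh-keygen -y -P 'new-passphrase' -f $key
$stored = (Get-Content "$key.pub") -split ' '
if (($derived -split ' ')[1] -eq $stored[1]) { 'public key matches private key' }

# 5. Export the public key in RFC 4716 format for systems that require it (-e, -m).
& ssh-keygen -e -m RFC4716 -f "$key.pub"

# 6. Maintain a known_hosts file: find (-F), hash (-H) and remove (-R) an entry.
$kh = Join-Path $work 'known_hosts'
# Constructed entry: a host name with this demo's own public key standing in for a host key.
"demo-host $($stored[0]) $($stored[1])" | Set-Content -Path $kh
& ssh-keygen -F demo-host -f $kh
& ssh-keygen -H -f $kh          # replaces host names with hashes; keeps a .old backup
& ssh-keygen -R demo-host -f $kh
```

Step 6 uses -f to act on a scratch file; without -f the same commands edit ~/.ssh/known_hosts, which is what you want when removing a stale entry after a server's host key legitimately changes.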

Server side

sshd

sftp-server

ssh-agent