
9.2. Remote Login

Administrators need to be able to connect to computers remotely. Servers, kept in a dedicated room, have their own keyboards and screens, but they can be reached over the network.

9.2.1. Secure Remote Login: SSH

The SSH (Secure SHell) protocol was designed with security and reliability in mind. Connections using SSH are secure: the peer is authenticated and all data exchanges are encrypted.
SSH also offers two file transfer services. scp is a command line tool that can be used like cp, except that any path to another machine is prefixed with the machine's name, followed by a colon.
$ scp file machine:/tmp/
sftp is an interactive command, similar to ftp. In a single session, sftp can transfer several files, and it is possible to manipulate remote files with it (delete, rename, change permissions, etc.).
Debian uses OpenSSH, a free version of SSH maintained by the OpenBSD project (a free operating system based on the BSD kernel, focused on security) and a fork of the original SSH software developed by the SSH Communications Security Corp, a Finnish company. This company initially developed SSH as free software, but eventually decided to distribute it under a proprietary license. The OpenBSD project then created OpenSSH to maintain a free version of SSH.
OpenSSH is split into two packages: the client part is in the openssh-client package, and the server is in the openssh-server package. The ssh meta-package depends on both parts and facilitates installation of both (apt install ssh), while the task-ssh-server, often chosen during the initial installation, depends on the server package only.

9.2.1.1. Key-Based Authentication

Each time someone logs in over SSH, the remote server asks for a password to authenticate the user. Under these conditions, connections cannot be automated, and frequent logins over SSH become impractical. This is why SSH offers a key-based authentication system.
The user generates a key pair on the client machine with ssh-keygen -t rsa; the generated public key is stored in ~/.ssh/id_rsa.pub, while the corresponding private key is stored in ~/.ssh/id_rsa. The user can then use ssh-copy-id server to add their public key to the ~/.ssh/authorized_keys file on the server, or, if SSH access hasn't been enabled yet, they have to ask the administrator to add their key manually.
If the private key was not protected with a “passphrase” at the time of its creation, all subsequent logins on the server will work without a password. Otherwise, the private key must be decrypted each time by entering the passphrase. Fortunately, ssh-agent allows us to keep private keys in memory so that the passphrase does not have to be re-entered regularly. For this, you simply use ssh-add (once per work session), provided that the session is already associated with a functional instance of ssh-agent. Debian activates it by default in graphical sessions, but this can be deactivated by changing /etc/X11/Xsession.options and commenting out use-ssh-agent. For a console session, you can manually start the agent with eval $(ssh-agent).

9.2.1.2. Cert-Based Authentication

SSH keys can do more than just be protected by a passphrase (or not). An often overlooked feature is that they can also be signed by a certificate authority, both the host keys and the client keys. This approach comes with several advantages. Instead of maintaining an authorized_keys file per user as described in the previous section, the SSH server can be configured to trust all client keys signed by the same certificate authority (see also Section 10.2.2, “Public Key Infrastructure: easy-rsa”) by using the TrustedUserCAKeys and HostCertificate directives in /etc/ssh/sshd_config.
TrustedUserCAKeys /etc/ssh/ssh_users_ca.pub

HostKey /etc/ssh/ssh_host_ecdsa_key
HostCertificate /etc/ssh/ssh_host_ecdsa_key-cert.pub
Conversely, the clients can also be configured to trust host keys signed by the same authority, making it easier to maintain the known_hosts file (even system wide via /etc/ssh/known_hosts).
@cert-authority *.falcot.com ssh-rsa AAAA[..]
Public key and certificate authentication can be used alongside each other.
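As an added example (not code from the book), a small Python check for the two files configured in this section and the previous one: it parses authorized_keys entries and known_hosts lines (including the @cert-authority marker) and verifies that the declared key type matches the type string embedded in the key blob, which OpenSSH requires before it will use the line. The sample lines and key bytes are constructed; falcot.com is the book's example domain, and /usr/bin/rrsync and the network range are assumed values.

```python
import base64
import re
import struct

# Key types OpenSSH accepts in authorized_keys / known_hosts (FIDO sk-* types omitted for brevity).
KEY_RE = re.compile(r"(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp(?:256|384|521))\s+([A-Za-z0-9+/]+=*)")

def make_blob(key_type, *fields):
    """Build a minimal OpenSSH wire-format public key blob from constructed fields."""
    raw = b"".join(struct.pack(">I", len(f)) + f for f in (key_type.encode(), *fields))
    return base64.b64encode(raw).decode()

# Constructed sample key material (all-zero key bytes; not real keys).
ED25519_BLOB = make_blob("ssh-ed25519", b"\x00" * 32)
RSA_BLOB = make_blob("ssh-rsa", b"\x01\x00\x01", b"\x00" * 256)

def parse_key_line(line):
    """Parse one authorized_keys or known_hosts line; None for blanks and comments.

    The first wire string inside the blob must equal the declared key type.
    OpenSSH rejects lines where they differ, so 'valid' False means a
    truncated, corrupted or hand-edited entry that will never match a key.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    marker = None
    if line.startswith("@"):                 # known_hosts markers: @cert-authority, @revoked
        marker, line = line.split(None, 1)
    m = KEY_RE.search(line)
    if not m:
        raise ValueError("no recognised key type in line")
    declared, b64 = m.groups()
    raw = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", raw[:4])
    return {
        "marker": marker,
        "prefix": line[:m.start()].strip(),  # host pattern (known_hosts) or options (authorized_keys)
        "key_type": declared,
        "valid": raw[4:4 + n].decode("ascii", "replace") == declared,
        "comment": line[m.end():].strip(),
    }

def authorized_keys_options(prefix):
    """Split the authorized_keys options field on commas that are outside double quotes."""
    return [o for o in re.split(r',(?=(?:[^"]*"[^"]*")*[^"]*$)', prefix) if o]

# Constructed samples: the CA trust line from the section, a restricted
# automation key, and a line whose declared type does not match its blob.
CA_LINE = "@cert-authority *.falcot.com ssh-rsa %s" % RSA_BLOB
BACKUP_LINE = 'from="10.0.0.0/8",no-port-forwarding,command="/usr/bin/rrsync /srv/backup" ssh-ed25519 %s backup@client' % ED25519_BLOB
TAMPERED_LINE = "ssh-ed25519 %s admin@laptop" % RSA_BLOB

if __name__ == "__main__":
    for ln in (CA_LINE, BACKUP_LINE, TAMPERED_LINE):
        print(parse_key_line(ln))
```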

9.2.1.3. Using Remote X11 Applications

The SSH protocol allows forwarding of graphical data (the “X11” session, from the name of the most widespread graphical system in Unix); the server then keeps a dedicated channel for those data. Specifically, a graphical program executed remotely can be displayed on the X.org server of the local screen, and the whole session (input and display) is secure. Since this feature allows remote applications to interfere with the local system, it is disabled by default. It can be enabled by specifying X11Forwarding yes in the server configuration file (/etc/ssh/sshd_config). Finally, the user must also request it by adding the -X option to the ssh command line.

9.2.1.4. Creating Encrypted Tunnels with Port Forwarding

Its -R and -L options allow ssh to create “encrypted tunnels” between two machines, securely forwarding a local TCP port (see sidebar BACK TO BASICS TCP/UDP) to a remote machine or vice versa.
ssh -L 8000:server:25 intermediary establishes an SSH session with the intermediary host and listens on local port 8000 (see Figure 9.3, “Forwarding a local port with SSH”). For any connection established on this port, ssh will initiate a connection from the intermediary computer to port 25 on the server, and will bind both connections together.
ssh -R 8000:server:25 intermediary also establishes an SSH session to the intermediary computer, but it is on that machine that ssh listens on port 8000 (see Figure 9.4, “Forwarding a remote port with SSH”). Any connection established on this port will cause ssh to open a connection from the local machine to port 25 of the server, and to bind both connections together.
In both cases, connections are made to port 25 on the server host, passing through the SSH tunnel that connects the local machine to the intermediary machine. In the first case, the entrance to the tunnel is local port 8000, and the data move towards the intermediary machine before being directed to the server on the “public” network. In the second case, the entrance and exit of the tunnel are reversed: the entrance is port 8000 on the intermediary machine, the exit is on the local host, and the data are then directed to the server. In practice, the server is usually either the local machine or the intermediary. That way SSH secures the connection from one end to the other.
Figure 9.3. Forwarding a local port with SSH

Figure 9.4. Forwarding a remote port with SSH

9.2.2. Using Remote Graphical Desktops

VNC (Virtual Network Computing) allows remote access to graphical desktops.
This tool is mostly used for technical assistance; the administrator can see the errors that the user is facing, and show them the correct course of action without having to be on site.
First, the user must authorize sharing their session. The GNOME graphical desktop environment includes that option via Settings → Sharing (contrary to previous versions of Debian, where the user had to install and run vino). For this to work, network-manager must be managing the network used (e.g. enable the managed mode for devices handled by ifupdown in /etc/NetworkManager/NetworkManager.conf). KDE Plasma still requires using krfb to allow sharing an existing session over VNC. For other graphical desktop environments, the x11vnc or tightvncserver commands (from the Debian packages of the same name) or tigervncserver (tigervnc-standalone-server) serve the same purpose and provide the vnc-server virtual package; you can make either of them available to the user with an explicit menu or desktop entry.
When the graphical session is made available by VNC, the administrator must connect to it with a VNC client. GNOME has vinagre and remmina for that, while the KDE project provides krdc (in the menu at K → Internet → Remote Desktop Client). There are other VNC clients that use the command line, such as xtightvncviewer from the homonym package or xtigervncviewer from the tigervnc-viewer Debian package. Once connected, the administrator can see what is going on, work on the machine remotely, and show the user how to proceed.