TranslateProject/published/201401/Tunnel SSH Connections Over SSL Using 'Stunnel' On Debian 7 Ubuntu 13.10.md
wxy 1ee2fc7cbe renamed: 10 Lesser Known Useful Linux Commands- Part V.md -> 201401/10 Lesser Known Useful Linux Commands- Part V.md
2014-02-03 20:55:51 +08:00
Tunnel SSH Connections Over SSL Using 'Stunnel' On Debian 7 / Ubuntu 13.10
================================================================================

**Stunnel** is designed to work as an SSL encryption wrapper between a remote client and a local (inetd-startable) or remote server. It can be used to add SSL functionality to commonly used inetd daemons such as POP2 (translator's note: does anyone still use POP2?), POP3 and IMAP servers without any changes to the programs' code. Stunnel uses the OpenSSL library for cryptography, so it supports whatever cryptographic algorithms are compiled into that library. In short, stunnel can make any insecure port secure and encrypted.

In this article I will describe how to tunnel SSH over SSL. The steps are very simple. All you need is sshd installed and running on both your client PC and the remote PC.

I am using the two systems mentioned below.

Remote system:

    Operating system: Debian 7
    IP address: 192.168.1.200/24

Client (local) system:

    Operating system: Ubuntu 13.04 desktop
    IP address: 192.168.1.100/24

#### Configure the remote system ####

Let's install the stunnel package on the remote Debian 7 server.

    # apt-get install stunnel4

Now let's create an SSL certificate as shown below.

    # openssl genrsa 1024 > stunnel.key

Sample output:

    Generating RSA private key, 1024 bit long modulus
    ............................................++++++
    ...................++++++
    e is 65537 (0x10001)

Create a self-signed certificate from the key:

    # openssl req -new -key stunnel.key -x509 -days 1000 -out stunnel.crt

You will be asked several questions such as country, state, company details and so on.

    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:IN
    State or Province Name (full name) [Some-State]:Tamilnadu
    Locality Name (eg, city) []:Erode
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:unixmen
    Organizational Unit Name (eg, section) []:Technical
    Common Name (e.g. server FQDN or YOUR name) []:server.unixmen.com
    Email Address []:sk@unixmen.com

Combine the certificate and the key into a single PEM file and move it into place:

    # cat stunnel.crt stunnel.key > stunnel.pem
    # mv stunnel.pem /etc/stunnel/

Now we need to configure stunnel to tunnel port **443 (https)** to port **22 (ssh)**. This is done by creating a **stunnel.conf** file in the **/etc/stunnel/** directory:

    # vi /etc/stunnel/stunnel.conf

and adding the following lines:

    pid = /var/run/stunnel.pid
    cert = /etc/stunnel/stunnel.pem
    [ssh]
    accept = 192.168.1.200:443
    connect = 127.0.0.1:22

The lines above tell stunnel where to find the certificate file and where to accept and forward ssh connections. In this example, stunnel accepts traffic on port 443 and forwards it to port 22.

Save and close the file.

Now let's enable the stunnel service. To do so, edit the file **/etc/default/stunnel4**:

    # vi /etc/default/stunnel4

Change the line **ENABLED=0** to **ENABLED=1**:

    # /etc/default/stunnel
    # Julien LEMOINE <speedblue@debian.org>
    # September 2003
    # Change to one to enable stunnel automatic startup
    ENABLED=1
    FILES="/etc/stunnel/*.conf"
    OPTIONS=""
    # Change to one to enable ppp restart scripts
    PPP_RESTART=0

Then start the stunnel service with the command:

    # service stunnel4 start

#### Configure the local system ####

Install stunnel with this command:

    $ sudo apt-get install stunnel4

We need the same certificate file (stunnel.pem) as on the remote system. Copy the **stunnel.pem** file from the remote system to our local system and save it in the same location (i.e. /etc/stunnel).

Create a new file **stunnel.conf** in the **/etc/stunnel/** directory:

    $ sudo vi /etc/stunnel/stunnel.conf

Add the following lines:

    pid = /var/run/stunnel.pid
    cert = /etc/stunnel/stunnel.pem
    client=yes
    [ssh]
    accept=443
    connect=192.168.1.200:443

Save and close the file. Here 192.168.1.200 is the IP of our remote system.

Now let's enable the stunnel service. To do so, edit the file **/etc/default/stunnel4**:

    $ sudo vi /etc/default/stunnel4

Change the line **ENABLED=0** to **ENABLED=1**.

    # /etc/default/stunnel
    # Julien LEMOINE <speedblue@debian.org>
    # September 2003
    # Change to one to enable stunnel automatic startup
    ENABLED=1
    FILES="/etc/stunnel/*.conf"
    OPTIONS=""
    # Change to one to enable ppp restart scripts
    PPP_RESTART=0

Then start the stunnel service with the command:

    $ sudo service stunnel4 start

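Two details of the client setup above deserve a closer look. The stunnel.pem that the article copies to the client is the output of `cat stunnel.crt stunnel.key`, so it carries the server's private key, which the client never needs; and the client stunnel.conf sets `client=yes` without a `verify` level, so the client-side stunnel will complete the SSL handshake with whatever certificate the far end presents. The script below is an added example, not code from the article or from the stunnel project: it extracts only the certificate block from the bundle (the file that should travel to the client), confirms no private key is in it, writes a client configuration that pins that certificate with the standard stunnel options `verify = 2` and `CAfile`, and audits a config for the missing-verify case. The PEM contents it creates are a constructed placeholder rather than real key material, binding `accept` to 127.0.0.1 is this example's choice, and `/etc/stunnel/server.crt` is an assumed path for the certificate-only file on the client.

```shell
#!/bin/sh
# Added example, not code from the original article or from the stunnel project.
# It prepares the client side of the tunnel so that (a) only the server's
# certificate, never its private key, is copied to the client and (b) the
# client stunnel rejects any peer that does not present that certificate.
# `verify` and `CAfile` are standard stunnel options; the PEM contents below
# are a constructed placeholder, not real key material.
set -eu

# Stand-in for the server's stunnel.pem, i.e. `cat stunnel.crt stunnel.key`
# from the article: certificate first, private key second.
# Usage: write_placeholder_pem <path>
write_placeholder_pem() {
  cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
PLACEHOLDERCERTIFICATEBODYNOTAREALCERT
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDERPRIVATEKEYBODYNOTAREALKEY
-----END RSA PRIVATE KEY-----
EOF
}

# Copy only the CERTIFICATE block(s) of a PEM bundle into a new file.
# This is the file that should travel to the client.
# Usage: extract_cert_only <bundle.pem> <out.crt>
extract_cert_only() {
  awk '/^-----BEGIN CERTIFICATE-----$/ {p=1}
       p {print}
       /^-----END CERTIFICATE-----$/ {p=0}' "$1" > "$2"
}

# Succeed only if the file carries no private key of any type.
# Usage: has_no_private_key <file>
has_no_private_key() {
  ! grep -q 'PRIVATE KEY' "$1"
}

# Write a client stunnel.conf that pins the server certificate.
# verify = 2 makes stunnel require a peer certificate and check it against
# CAfile; a self-signed certificate is its own CA, so listing it there is
# enough. accept is bound to loopback so only local users reach the tunnel.
# Usage: write_client_conf <conf> <cafile> <server_ip>
write_client_conf() {
  cat > "$1" <<EOF
pid = /var/run/stunnel.pid
client = yes
verify = 2
CAfile = $2

[ssh]
accept = 127.0.0.1:443
connect = $3:443
EOF
}

# Audit a stunnel.conf: a client-mode config must set a verify level,
# otherwise the tunnel accepts whatever certificate the far end presents.
# Succeeds for server-mode configs and for client configs with verify 1-4.
# Usage: client_conf_verifies <conf>
client_conf_verifies() {
  grep -Eq '^[[:space:]]*client[[:space:]]*=[[:space:]]*yes' "$1" || return 0
  grep -Eq '^[[:space:]]*verify[[:space:]]*=[[:space:]]*[1-4]' "$1"
}

# Walk through the whole flow in a temporary directory.
demo() {
  dir=$(mktemp -d)
  write_placeholder_pem "$dir/stunnel.pem"        # what the server holds
  extract_cert_only "$dir/stunnel.pem" "$dir/server.crt"
  has_no_private_key "$dir/server.crt"            # safe to ship to the client
  # /etc/stunnel/server.crt is the assumed location of that file on the client
  write_client_conf "$dir/stunnel.conf" /etc/stunnel/server.crt 192.168.1.200
  client_conf_verifies "$dir/stunnel.conf"
  # The article's client config, reproduced here to show the audit catching it
  printf 'client = yes\n[ssh]\naccept = 443\nconnect = 192.168.1.200:443\n' > "$dir/weak.conf"
  if client_conf_verifies "$dir/weak.conf"; then
    echo "unexpected: config without verify passed the audit"; return 1
  fi
  echo "client config written to $dir/stunnel.conf:"
  cat "$dir/stunnel.conf"
  rm -rf "$dir"
}

demo
```

On the server side only the `cert` line is needed as in the article; the private key stays there. On the client, `cert` is not required at all once the server does not ask for a client certificate, and `CAfile` should point at the certificate-only file produced by `extract_cert_only`. If the server certificate is ever regenerated, the client's CAfile must be updated too, which is exactly the failure `verify = 2` is meant to make visible.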
#### Test the SSH connection ####

Now that everything is in place, you can connect to your remote machine with the command:

    $ ssh sk@localhost -v -p 443

Sample output:

    OpenSSH_6.1p1 Debian-4, OpenSSL 1.0.1c 10 May 2012
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 19: Applying options for *
    debug1: Connecting to localhost [127.0.0.1] port 443.
    debug1: Connection established.
    debug1: identity file /home/sk/.ssh/id_rsa type -1
    debug1: identity file /home/sk/.ssh/id_rsa-cert type -1
    debug1: identity file /home/sk/.ssh/id_dsa type -1
    debug1: identity file /home/sk/.ssh/id_dsa-cert type -1
    debug1: identity file /home/sk/.ssh/id_ecdsa type -1
    debug1: identity file /home/sk/.ssh/id_ecdsa-cert type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0p1 Debian-4
    debug1: match: OpenSSH_6.0p1 Debian-4 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_6.1p1 Debian-4
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: sending SSH2_MSG_KEX_ECDH_INIT
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug1: Server host key: ECDSA 78:05:ba:1b:73:02:75:86:10:33:8c:0f:21:61:d4:de
    debug1: Host '[localhost]:443' is known and matches the ECDSA host key.
    debug1: Found key in /home/sk/.ssh/known_hosts:12
    debug1: ssh_ecdsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: Roaming not allowed by server
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,password
    debug1: Next authentication method: publickey
    debug1: Trying private key: /home/sk/.ssh/id_rsa
    debug1: Trying private key: /home/sk/.ssh/id_dsa
    debug1: Trying private key: /home/sk/.ssh/id_ecdsa
    debug1: Next authentication method: password
    sk@localhost's password: # ## Enter your remote system user password
    debug1: Authentication succeeded (password).
    Authenticated to localhost ([127.0.0.1]:443).
    debug1: channel 0: new [client-session]
    debug1: Requesting no-more-sessions@openssh.com
    debug1: Entering interactive session.
    debug1: Sending environment.
    debug1: Sending env LC_PAPER = en_IN.UTF-8
    debug1: Sending env LC_ADDRESS = en_IN.UTF-8
    debug1: Sending env LC_MONETARY = en_IN.UTF-8
    debug1: Sending env LC_NUMERIC = en_IN.UTF-8
    debug1: Sending env LC_TELEPHONE = en_IN.UTF-8
    debug1: Sending env LC_IDENTIFICATION = en_IN.UTF-8
    debug1: Sending env LANG = en_US.UTF-8
    debug1: Sending env LC_MEASUREMENT = en_IN.UTF-8
    debug1: Sending env LC_TIME = en_IN.UTF-8
    debug1: Sending env LC_NAME = en_IN.UTF-8
    Linux server 3.2.0-4-486 #1 Debian 3.2.51-1 i686
    The programs included with the Debian GNU/Linux system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.
    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    You have new mail.
    Last login: Mon Dec 30 15:12:22 2013 from localhost
    sk@server:~$

Or you can simply use the following command:

    $ ssh -p 443 sk@localhost

Sample output:

    sk@localhost's password:
    Linux server 3.2.0-4-486 #1 Debian 3.2.51-1 i686
    The programs included with the Debian GNU/Linux system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.
    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    You have new mail.
    Last login: Mon Dec 30 15:22:08 2013 from localhost
    sk@server:~$

Now you can ssh to your remote machine, but all of the traffic goes through the SSL tunnel.

You're done. Even if the default ssh port is blocked by a firewall, you can still SSH to your remote system.

Reference links:

- **[stunnel home page][1]**

--------------------------------------------------------------------------------

via: http://www.unixmen.com/tunnel-ssh-connections-ssl-using-stunnel-debian-7-ubuntu-13-10/

Translator: [geekpi](https://github.com/geekpi) Proofreader: [wxy](https://github.com/wxy)

This article was originally translated by [LCTT](https://github.com/LCTT/TranslateProject) and proudly presented by [Linux中国](http://linux.cn/)

[1]:https://www.stunnel.org/index.html