Event date: 2018-02-04
Published: 2018-02-04
Views: 5884
I set up a new server in the lab.
These are my notes on the SSH configuration on that server and on connecting to it over SSH from Cygwin.
Only public-key authentication is enabled; password authentication is disabled.
The SSH port is also moved off the default.
Ubuntu Server 16.04.3 LTS
Microsoft Windows 10 Home (64bit)
CYGWIN_NT-10.0 2.9.0(0.318/5/3) 2017-09-12 10:18 x86_64 Cygwin
Just don't forget to install OpenSSH.
OpenSSH Server was already installed on the server side in 「」.
Password authentication is enabled by default, so for now I log in remotely with that.
${CygwinUser}@${CygwinHost} ~
$ uname -a
CYGWIN_NT-10.0 {CygwinHost} 2.9.0(0.318/5/3) 2017-09-12 10:18 x86_64 Cygwin

${CygwinUser}@${CygwinHost} ~
$ ssh ${ServerUser}@${ServerIP}
${ServerUser}@${ServerIP}'s password:
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-87-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

113 個のパッケージがアップデート可能です。
56 個のアップデートはセキュリティアップデートです。

Last login: Sat Feb 3 15:53:48 2018 from 10.8.143.29
Oh, a flood of updates even though I just installed the latest release.
Update whatever needs updating.
Reboot after updating, just to be safe.
If a remote reboot fails there is nothing more you can do, so I press Enter and pray.
${ServerUser}@${ServerHost}:~$ sudo apt update
# - omitted -
${ServerUser}@${ServerHost}:~$ sudo apt upgrade
# - omitted -
${ServerUser}@${ServerHost}:~$ sudo reboot
Generate an RSA key.
Since this server will be the Subversion server, I put svn in the key name.
${CygwinUser}@${CygwinHost} ~
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/${CygwinUser}/.ssh/id_rsa): /home/${CygwinUser}/.ssh/id_rsa_svn
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/${CygwinUser}/.ssh/id_rsa_svn.
Your public key has been saved in /home/${CygwinUser}/.ssh/id_rsa_svn.pub.
The key fingerprint is:
SHA256:******************************************* ${CygwinUser}@${CygwinHost}
The key's randomart image is:
+---[RSA 2048]----+
|    (omitted)    |
+----[SHA256]-----+
Send the public key to the server with scp.
${CygwinUser}@${CygwinHost} ~
$ scp -P 22 ~/.ssh/id_rsa_svn.pub ${ServerUser}@${ServerIP}:~/.ssh/id_rsa_svn.pub
${ServerUser}@${ServerIP}'s password:
scp: /home/${ServerUser}/.ssh/id_rsa_svn.pub: No such file or directory
Huh? No such directory...?
Sigh, I'll log in over SSH once and create the directory....
Just to be safe, I'll also change the permissions on ~/.ssh/ while I'm at it.
${CygwinUser}@${CygwinHost} ~
$ ssh ${ServerUser}@${ServerIP}
${ServerUser}@${ServerIP}'s password:
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-112-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 個のパッケージがアップデート可能です。
0 個のアップデートはセキュリティアップデートです。

Last login: Sun Feb 4 02:56:02 2018 from 10.8.143.29
${ServerUser}@${ServerHost}:~$ ls -lah
total 28K
drwxr-xr-x 3 ${ServerUser} ${ServerUser} 4.0K  2月  2 00:56 .
drwxr-xr-x 3 root          root          4.0K  2月  1 04:21 ..
-rw------- 1 ${ServerUser} ${ServerUser} 1.5K  2月  4 03:05 .bash_history
-rw-r--r-- 1 ${ServerUser} ${ServerUser}  220  2月  1 04:21 .bash_logout
-rw-r--r-- 1 ${ServerUser} ${ServerUser} 3.7K  2月  1 04:21 .bashrc
drwx------ 2 ${ServerUser} ${ServerUser} 4.0K  2月  1 21:38 .cache
-rw-r--r-- 1 ${ServerUser} ${ServerUser}  655  2月  1 04:21 .profile
-rw-r--r-- 1 ${ServerUser} ${ServerUser}    0  2月  1 21:43 .sudo_as_admin_successful
${ServerUser}@${ServerHost}:~$ mkdir .ssh
${ServerUser}@${ServerHost}:~$ ls -lah
total 32K
drwxr-xr-x 4 ${ServerUser} ${ServerUser} 4.0K  2月  4 03:24 .
drwxr-xr-x 3 root          root          4.0K  2月  1 04:21 ..
-rw------- 1 ${ServerUser} ${ServerUser} 1.5K  2月  4 03:05 .bash_history
-rw-r--r-- 1 ${ServerUser} ${ServerUser}  220  2月  1 04:21 .bash_logout
-rw-r--r-- 1 ${ServerUser} ${ServerUser} 3.7K  2月  1 04:21 .bashrc
drwx------ 2 ${ServerUser} ${ServerUser} 4.0K  2月  1 21:38 .cache
-rw-r--r-- 1 ${ServerUser} ${ServerUser}  655  2月  1 04:21 .profile
drwxrwxr-x 2 ${ServerUser} ${ServerUser} 4.0K  2月  4 03:24 .ssh
-rw-r--r-- 1 ${ServerUser} ${ServerUser}    0  2月  1 21:43 .sudo_as_admin_successful
${ServerUser}@${ServerHost}:~$ chmod 700 ./.ssh/
${ServerUser}@${ServerHost}:~$ ls -lah
total 32K
drwxr-xr-x 4 ${ServerUser} ${ServerUser} 4.0K  2月  4 03:24 .
drwxr-xr-x 3 root          root          4.0K  2月  1 04:21 ..
-rw------- 1 ${ServerUser} ${ServerUser} 1.5K  2月  4 03:05 .bash_history
-rw-r--r-- 1 ${ServerUser} ${ServerUser}  220  2月  1 04:21 .bash_logout
-rw-r--r-- 1 ${ServerUser} ${ServerUser} 3.7K  2月  1 04:21 .bashrc
drwx------ 2 ${ServerUser} ${ServerUser} 4.0K  2月  1 21:38 .cache
-rw-r--r-- 1 ${ServerUser} ${ServerUser}  655  2月  1 04:21 .profile
drwx------ 2 ${ServerUser} ${ServerUser} 4.0K  2月  4 03:24 .ssh
-rw-r--r-- 1 ${ServerUser} ${ServerUser}    0  2月  1 21:43 .sudo_as_admin_successful
${ServerUser}@${ServerHost}:~$ exit
logout
Connection to ${ServerIP} closed.

${CygwinUser}@${CygwinHost} ~
$ scp -P 22 ~/.ssh/id_rsa_svn.pub ${ServerUser}@${ServerIP}:~/.ssh/id_rsa_svn.pub
${ServerUser}@${ServerIP}'s password:
id_rsa_svn.pub                                100%  398    32.6KB/s   00:00
Create authorized_keys and set its permissions as well.
${ServerUser}@${ServerHost}:~$ cd .ssh/
${ServerUser}@${ServerHost}:~/.ssh$ ls -lha
total 12K
drwx------ 2 ${ServerUser} ${ServerUser} 4.0K  2月  4 03:28 .
drwxr-xr-x 4 ${ServerUser} ${ServerUser} 4.0K  2月  4 03:24 ..
-rw-r--r-- 1 ${ServerUser} ${ServerUser}  398  2月  4 03:28 id_rsa_svn.pub
${ServerUser}@${ServerHost}:~/.ssh$ cat id_rsa_svn.pub >> authorized_keys
${ServerUser}@${ServerHost}:~/.ssh$ chmod 600 *
${ServerUser}@${ServerHost}:~/.ssh$ la -lha
total 16K
drwx------ 2 ${ServerUser} ${ServerUser} 4.0K  2月  4 03:37 .
drwxr-xr-x 4 ${ServerUser} ${ServerUser} 4.0K  2月  4 03:24 ..
-rw------- 1 ${ServerUser} ${ServerUser}  398  2月  4 03:37 authorized_keys
-rw------- 1 ${ServerUser} ${ServerUser}  398  2月  4 03:28 id_rsa_svn.pub
If the following connects, everything is fine.
${CygwinUser}@${CygwinHost} ~
$ ssh -i .ssh/id_rsa_svn -p 22 ${ServerUser}@${ServerIP}
Enter passphrase for key '.ssh/id_rsa_svn':
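The manual steps above (create ~/.ssh, copy the public key in, append it to authorized_keys, then chmod 700 / 600) are exactly what sshd's StrictModes checks before it will accept a key, and the scp failure shows how easy it is to get one of them out of order. The script below is an added example, not the post's own code: it performs the same installation idempotently (re-running it does not duplicate the key line) and then verifies the permissions sshd cares about. It assumes a Linux host with GNU stat; the function names, arguments and sample key are mine.

```shell
#!/bin/sh
# Added example, not from the original post. Installs a public key the way
# the post does by hand and checks the permissions sshd's StrictModes expects.
# Assumptions: GNU coreutils (stat -c); arguments HOME_DIR and PUBKEY_FILE.

# install_pubkey HOME_DIR PUBKEY_FILE
#   creates HOME_DIR/.ssh with mode 700 if missing, appends the key to
#   authorized_keys only when that exact line is not already present,
#   and leaves authorized_keys at mode 600.
install_pubkey() {
    home_dir=$1
    pubkey_file=$2
    ssh_dir="$home_dir/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    [ -d "$ssh_dir" ] || mkdir -m 700 "$ssh_dir"
    chmod 700 "$ssh_dir"

    key=$(cat "$pubkey_file")
    # -x: whole-line match, -F: literal (keys contain '+' and '/')
    if [ -f "$auth_keys" ] && grep -qxF -- "$key" "$auth_keys"; then
        :   # already installed, nothing to do
    else
        printf '%s\n' "$key" >> "$auth_keys"
    fi
    chmod 600 "$auth_keys"
}

# check_ssh_perms HOME_DIR
#   prints one line per object that sshd (StrictModes yes, the post's
#   setting) would reject: missing, or writable by group/other.
#   Returns the number of problems found, so 0 means "sshd will accept it".
check_ssh_perms() {
    home_dir=$1
    ssh_dir="$home_dir/.ssh"
    auth_keys="$ssh_dir/authorized_keys"
    problems=0
    for p in "$home_dir" "$ssh_dir" "$auth_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"
            problems=$((problems + 1))
            continue
        fi
        mode=$(stat -c '%a' "$p")          # e.g. 700, 600, 755
        # 022 (octal) masks the group and other write bits
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "writable by group/other: $p (mode $mode)"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# Usage: sh install_key.sh /home/someuser /tmp/id_rsa_svn.pub
if [ "$#" -eq 2 ]; then
    install_pubkey "$1" "$2"
    check_ssh_perms "$1" && echo "ok: $1/.ssh is usable by sshd"
fi
```

Running check_ssh_perms against the post's first listing (drwxrwxr-x .ssh) would report the directory as group-writable, which is why the chmod 700 step matters even though the scp itself succeeds without it.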
Edit sshd_config to harden the configuration.
${ServerUser}@${ServerHost}:~$ cd /etc/ssh/
${ServerUser}@${ServerHost}:/etc/ssh$ sudo cp sshd_config sshd_config.backup
The edited sshd_config is below.
Line 5 shifts the port number, line 28 forbids root login, and line 52 forbids password authentication.
# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port ${port}
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile	%h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
The diff against the default and the syntax check are below.
${ServerUser}@${ServerHost}:/etc/ssh$ diff sshd_config sshd_config.backup
5c5
< Port ${port}
---
> Port 22
28c28
< PermitRootLogin no
---
> PermitRootLogin prohibit-password
52c52
< PasswordAuthentication no
---
> #PasswordAuthentication yes
${ServerUser}@${ServerHost}:/etc/ssh$ sudo sshd -t
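sshd -t only checks that the file parses; it says nothing about whether the three changes in the diff are actually in effect. Two things bite people here: sshd takes the first occurrence of a keyword and silently ignores later duplicates (so appending "PasswordAuthentication no" at the end of a file that already says "yes" changes nothing), and directives inside a Match block apply only conditionally. The following is an added example, not the post's own code, that reads a config file the way sshd does and checks the settings from the post plus the defaults that back them up. The function names, the expected-value list and the sample files in the usage are mine.

```shell
#!/bin/sh
# Added example, not from the original post: policy check for sshd_config.
# Assumes POSIX sh and awk; run it before restarting sshd, from a session
# you keep open until a second login over the new port has succeeded.

# sshd_directive FILE KEYWORD
#   prints the effective value of KEYWORD. Mirrors sshd's rules:
#   keywords are case-insensitive, the FIRST non-comment occurrence wins,
#   and anything after a "Match" line is conditional, so it is skipped.
#   Only the first argument of a directive is printed.
sshd_directive() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blanks
        tolower($1) == "match"                { in_match = 1; next }
        in_match                              { next }
        tolower($1) == key                    { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE
#   prints one line per directive whose effective value differs from the
#   hardened value; returns the number of findings (0 = all good).
audit_sshd_config() {
    cfg=$1
    findings=0
    # The post's settings (PermitRootLogin no, PasswordAuthentication no)
    # plus the OpenSSH defaults that keep password paths closed.
    for pair in \
        PasswordAuthentication=no \
        PermitRootLogin=no \
        PubkeyAuthentication=yes \
        ChallengeResponseAuthentication=no \
        PermitEmptyPasswords=no
    do
        kw=${pair%%=*}
        want=${pair#*=}
        got=$(sshd_directive "$cfg" "$kw" | tr 'A-Z' 'a-z')
        if [ "$got" != "$want" ]; then
            echo "$kw: expected $want, got ${got:-<unset>}"
            findings=$((findings + 1))
        fi
    done
    # Informational: the port shift is noise reduction, not a control.
    echo "Port: $(sshd_directive "$cfg" Port)"
    return $findings
}

# Usage: sh audit_sshd.sh /etc/ssh/sshd_config
if [ "$#" -eq 1 ]; then
    audit_sshd_config "$1" && echo "ok: no findings"
fi
```

Against the post's edited file this reports no findings and "Port: ${port}"; against the untouched backup it reports PasswordAuthentication unset (which in 16.04's default sshd_config means enabled) and PermitRootLogin prohibit-password.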
Restart sshd to apply the configuration.
${ServerUser}@${ServerHost}:/etc/ssh$ sudo /etc/init.d/ssh restart
[ ok ] Restarting ssh (via systemctl): ssh.service.
With the configuration so far, you can log in with:

${CygwinUser}@${CygwinHost} ~
$ ssh -i .ssh/id_rsa_svn -p ${port} ${ServerUser}@${ServerIP}
But typing that command every time is a pain, so I create ~/.ssh/config on the Cygwin side.
# svn server
Host svn_server
    HostName ${ip or host name}
    User ${username}
    IdentityFile ~/.ssh/id_rsa_svn
    Port ${port}
Create a ~/.ssh/config like the one above and set its permissions.
${CygwinUser}@${CygwinHost} ~
$ chmod 600 ./.ssh/config

${CygwinUser}@${CygwinHost} ~
$ ls -lha ./.ssh/
合計 15K
drwx------+ 1 ${CygwinUser} なし    0  2月  4 18:37 .
drwxr-xr-x+ 1 ${CygwinUser} なし    0  2月  3 15:52 ..
-rw-------  1 ${CygwinUser} なし  138  2月  4 18:38 config
-rw-------  1 ${CygwinUser} なし 1.8K  2月  4 03:08 id_rsa_svn
-rw-r--r--  1 ${CygwinUser} なし  398  2月  4 03:08 id_rsa_svn.pub
-rw-r--r--  1 ${CygwinUser} なし  173  2月  3 15:52 known_hosts

${CygwinUser}@${CygwinHost} ~
$ ssh svn_server
As shown, you can now connect over SSH with just $ ssh svn_server.