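zxxx said : 2019-12-12 10:12:36
Virmach: Install Windows and Enable SSH
Last edited by zxxx on 2019-12-12 19:05
Install Windows 2012 R2
1. Open a ticket to have the system reinstalled with Windows: provide the IP and the datacenter location.
2. Connect over VNC from the control panel and set the Administrator password.
3. Connect with Remote Desktop, configure the region and language, and update the system.
Download the SSH files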
https://github.com/PowerShell/Win32-OpenSSH/releases/download/v8.0.0.0p1-Beta/OpenSSH-Win64.zip
Extract the SSH files
C:\Program Files\OpenSSH
https://i.loli.net/2019/12/12/aiUtYwmqA1ePS8h.png
Edit the system environment variable PATH
Add C:\Program Files\OpenSSH
https://i.loli.net/2019/12/12/KPcqZU3wrHtEgbD.png
Install SSH
Run "Command Prompt" as administrator
https://i.loli.net/2019/12/12/dhWxoqZjmLiACYU.png
C:\Program Files\OpenSSH>powershell.exe -ExecutionPolicy Bypass -File install-sshd.ps1
SetServiceObjectSecurity SUCCESS
ChangeServiceConfig2 SUCCESS
ChangeServiceConfig2 SUCCESS
sshd and ssh-agent services successfully installed
Generate host keys
C:\Program Files\OpenSSH> mkdir C:\ProgramData\ssh
C:\Program Files\OpenSSH>ssh-keygen.exe -A
ssh-keygen: generating new host keys: RSA DSA ECDSA ED25519
Fix permissions
C:\Program Files\OpenSSH> Powershell.exe -ExecutionPolicy Bypass -Command ". .\FixUserFilePermissions.ps1 -Confirm:$false"
Done.
C:\Program Files\OpenSSH> Powershell.exe -ExecutionPolicy Bypass -Command ". .\FixHostFilePermissions.ps1 -Confirm:$false"
[*] C:\ProgramData\ssh\sshd_config
Inheritance is removed from 'C:\ProgramData\ssh\sshd_config'.
'BUILTIN\Users' has no more access to 'C:\ProgramData\ssh\sshd_config'.
Repaired permissions
[*] C:\ProgramData\ssh\ssh_host_dsa_key
looks good
[*] C:\ProgramData\ssh\ssh_host_dsa_key.pub
looks good
[*] C:\ProgramData\ssh\ssh_host_ecdsa_key
looks good
[*] C:\ProgramData\ssh\ssh_host_ecdsa_key.pub
looks good
[*] C:\ProgramData\ssh\ssh_host_ed25519_key
looks good
[*] C:\ProgramData\ssh\ssh_host_ed25519_key.pub
looks good
[*] C:\ProgramData\ssh\ssh_host_rsa_key
looks good
[*] C:\ProgramData\ssh\ssh_host_rsa_key.pub
looks good
Start PowerShell
C:\Program Files\OpenSSH>powershell
Windows PowerShell
Copyright (C) 2014 Microsoft Corporation. All rights reserved.
Configure the firewall
PS C:\Program Files\OpenSSH> New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH SSH Server' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
Name : sshd
DisplayName : OpenSSH SSH Server
Description :
DisplayGroup :
Group :
Enabled : True
Profile : Any
Platform : {}
Direction : Inbound
Action : Allow
EdgeTraversalPolicy : Block
LooseSourceMapping : False
LocalOnlyMapping : False
Owner :
PrimaryStatus : OK
Status : The rule was parsed successfully from the store. (65536)
EnforcementStatus : NotApplicable
PolicyStoreSource : PersistentStore
PolicyStoreSourceType : Local
https://i.loli.net/2019/12/12/3den1aRulKmwpIE.png
Configure and start the SSH service
PS C:\Program Files\OpenSSH> Set-Service -Name sshd -StartupType "Automatic"
PS C:\Program Files\OpenSSH> Start-Service sshd
https://i.loli.net/2019/12/12/EOGL6WXjo7JpFd3.png
Connect using "password authentication"
https://i.loli.net/2019/12/12/lywdH72vZ6Eejrk.png
Microsoft Windows
(c) 2013 Microsoft Corporation. All rights reserved.
administrator@WINDOWS C:\Users\Administrator>
https://i.loli.net/2019/12/12/XCqgksVWZhxcv8E.png
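Added example, not part of the original post and not Win32-OpenSSH code: a PowerShell check of the state the steps above should leave behind (service, firewall rule scope, listener). The function name Test-SshdSetup and the address 203.0.113.10 are assumptions made for illustration; the service name, rule name and port are the ones used in the post.

```powershell
# Added example, not from the post. Test-SshdSetup is a hypothetical name;
# the service name, rule name 'sshd' and port 22 are the ones used above.
function Test-SshdSetup {
    $findings = @()

    # Win32_Service exposes both the current state and the start mode.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='sshd'"
    if (-not $svc) {
        $findings += 'sshd service is not installed'
    } else {
        if ($svc.State -ne 'Running') { $findings += "sshd is $($svc.State), expected Running" }
        if ($svc.StartMode -ne 'Auto') { $findings += "sshd start mode is $($svc.StartMode), expected Auto" }
    }

    $rule = Get-NetFirewallRule -Name sshd -ErrorAction SilentlyContinue
    if (-not $rule) {
        $findings += "no firewall rule named 'sshd'"
    } else {
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        if ($port.LocalPort -ne '22') { $findings += "rule opens port $($port.LocalPort), expected 22" }
        # The rule created above sets no -RemoteAddress, so any source can reach sshd.
        if ($addr.RemoteAddress -contains 'Any') { $findings += 'rule allows any remote address' }
    }

    $listener = Get-NetTCPConnection -State Listen -LocalPort 22 -ErrorAction SilentlyContinue
    if (-not $listener) { $findings += 'nothing is listening on TCP port 22' }

    return $findings
}

$result = Test-SshdSetup
if ($result) {
    $result | ForEach-Object { Write-Warning $_ }
} else {
    'sshd setup matches the steps above'
}

# To limit the rule to one administration address (203.0.113.10 is a placeholder):
# Set-NetFirewallRule -Name sshd -RemoteAddress 203.0.113.10
```

Run it from an elevated PowerShell prompt on the server.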
6531306 said : 2019-12-12 13:12:36
If there is no Windows option, can you open a ticket and ask to switch to Windows?
zzk said : 2019-12-12 14:46:08
Nice idea, this way you avoid being checked. Sweet!
zxxx said : 2019-12-12 10:14:05
SSH configuration file
%PROGRAMDATA%\ssh\sshd_config
C:\ProgramData\ssh\sshd_config
# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey __PROGRAMDATA__/ssh/ssh_host_rsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_dsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_ecdsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
# For this to work you will also need host keys in %programData%/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# GSSAPI options
#GSSAPIAuthentication no
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp sftp-server.exe
# Example of overriding settings on a per-user basis
#Match User anoncvs
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
Match Group administrators
AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
ccf said : 2019-12-12 10:14:09
Probably not necessary. If the provider really wants to check, scanning port 22 isn't how they would do it…
lastfree said : 2019-12-12 10:14:25
:lol
You sure know how to have fun. ZSBD
zxxx said : 2019-12-12 10:17:12
Last edited by zxxx on 2019-12-13 00:33
Generate a key pair
Saved in the C:\Users\Administrator/.ssh/ folder
administrator@WINDOWS C:\Users\Administrator>ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (C:\Users\Administrator/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in C:\Users\Administrator/.ssh/id_rsa.
Your public key has been saved in C:\Users\Administrator/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:lrzGP92rQ/3CXwI60m4c8Iq+PD37UiT5qO2sU7GD8u0 administrator@Windows
The key's randomart image is:
+——-+
| |
| |
| . |
| .=.. |
| .SX.. |
| . .o=o=….|
| o B==++ o…|
| .*oB++.o +.o|
| .=BE*+..o.+.|
+———+
administrator@WINDOWS C:\Users\Administrator>dir .ssh
Volume in drive C has no label.
Volume Serial Number is 6CCF-4599
Directory of C:\Users\Administrator\.ssh
12/12/2019  12:43 AM    <DIR>          .
12/12/2019  12:43 AM    <DIR>          ..
12/11/2019  11:48 PM             3,389 id_rsa
12/11/2019  11:48 PM               748 id_rsa.pub
               3 File(s)          7,526 bytes
               2 Dir(s)  52,833,697,792 bytes free
Connect over SFTP and download the key pair
Create the folder Z:\.ssh [type .ssh. ]
https://www.hostloc.com/forum.php?mod=attachment&aid=MTI5MTM5fGYyNDU1NWU2fDE1NzYxNDI2NDF8NDExNDZ8NjIxNDU5&noupdate=yes
sftp> lcd z:\.ssh
sftp> get ~/.ssh/*
Downloading id_rsa from /C:/Users/Administrator/.ssh/id_rsa
100% 3KB 3KB/s 00:00:01
/C:/Users/Administrator/.ssh/id_rsa: 3389 bytes transferred in 1 seconds (3389 bytes/s)
Downloading id_rsa.pub from /C:/Users/Administrator/.ssh/id_rsa.pub
100% 748 bytes 748 bytes/s 00:00:01
/C:/Users/Administrator/.ssh/id_rsa.pub: 748 bytes transferred in 1 seconds (748 bytes/s)
Delete the key pair
sftp> rm ~/.ssh/id_rsa*
Removing /C:/Users/Administrator/.ssh/id_rsa
Removing /C:/Users/Administrator/.ssh/id_rsa.pub
sftp>
Use PuTTY Key Generator to convert the private key and add a passphrase, then save authorized_keys
https://www.hostloc.com/forum.php?mod=attachment&aid=MTI5MTQxfGJmMTM2MGIxfDE1NzYxNjgwMzV8NDExNDZ8NjIxNDU5&noupdate=yes
https://www.hostloc.com/forum.php?mod=attachment&aid=MTI5MzE1fDQyNDA3MzAwfDE1NzYxNjgwMzV8NDExNDZ8NjIxNDU5&noupdate=yes
https://www.hostloc.com/forum.php?mod=attachment&aid=MTI5MTQyfGEzNDIwZWM3fDE1NzYxNjgwMzV8NDExNDZ8NjIxNDU5&noupdate=yes
https://www.hostloc.com/forum.php?mod=attachment&aid=MTI5MTQzfDNiYzdkNGJkfDE1NzYxNjgwMzV8NDExNDZ8NjIxNDU5&noupdate=yes
https://www.hostloc.com/forum.php?mod=attachment&aid=MTI5MTQ0fDljODlkMTA1fDE1NzYxNjgwMzV8NDExNDZ8NjIxNDU5&noupdate=yes
https://www.hostloc.com/forum.php?mod=attachment&aid=MTI5MzE2fDg4OWNlYzc5fDE1NzYxNjgwMzV8NDExNDZ8NjIxNDU5&noupdate=yes
https://www.hostloc.com/forum.php?mod=attachment&aid=MTI5MTQ1fDdjNWUyOGIxfDE1NzYxNjgwMzV8NDExNDZ8NjIxNDU5&noupdate=yes
Create the file C:\Users\Administrator\.ssh\authorized_keys with the following content
ssh-rsa AAAAB3NzaC1yc2EAA……………………….QZ3WIHkbtIaQ==
Edit the sshd_config file
Remove the # in front of #PubkeyAuthentication yes so that it becomes
PubkeyAuthentication yes
Comment out the last two lines
#Match Group administrators
# AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
https://i.loli.net/2019/12/12/eUnuYdAwWBLOtyi.png
Restart the SSH service
PS C:\Program Files\OpenSSH> Restart-Service -Name sshd, ssh-agent -Force
You can now log in with the SSH key
# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey __PROGRAMDATA__/ssh/ssh_host_rsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_dsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_ecdsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
# For this to work you will also need host keys in %programData%/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# GSSAPI options
#GSSAPIAuthentication no
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp sftp-server.exe
# Example of overriding settings on a per-user basis
#Match User anoncvs
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
#Match Group administrators
# AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
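Added example, not part of the original post and not Win32-OpenSSH code: a PowerShell function that reads an sshd_config and reports which authentication settings are in effect, applying sshd's first-value-wins rule and tracking the Match Group administrators block discussed above. The function name Get-SshdAuthSummary is an assumption, and the sample text is constructed from the edited config in the post.

```powershell
# Added example, not from the post. Get-SshdAuthSummary is a hypothetical name.
# $sample is constructed: the relevant lines of the edited config shown above.
$sample = @'
#PasswordAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
Subsystem sftp sftp-server.exe
#Match Group administrators
#       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
'@

function Get-SshdAuthSummary {
    param([string]$ConfigText)
    # Starting values taken from the commented lines of the shipped file.
    $top = @{ pubkeyauthentication = 'yes'; passwordauthentication = 'yes'
              authorizedkeysfile = '.ssh/authorized_keys' }
    $seen = @{}; $block = $null; $adminKeys = $null
    foreach ($raw in ($ConfigText -split '\r?\n')) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }
        $key, $value = $line -split '\s+', 2
        $key = $key.ToLower()
        if ($key -eq 'match') { $block = ($value -replace '\s+', ' ').ToLower(); continue }
        if ($block) {
            # Only the block that applies to members of Administrators is tracked.
            if ($block -eq 'group administrators' -and $key -eq 'authorizedkeysfile' -and -not $adminKeys) {
                $adminKeys = $value
            }
            continue
        }
        # sshd uses the first value it reads for a keyword; later ones are ignored.
        if (-not $seen.ContainsKey($key)) { $seen[$key] = $true; $top[$key] = $value }
    }
    if (-not $adminKeys) { $adminKeys = $top['authorizedkeysfile'] }
    $notes = @()
    if ($top['passwordauthentication'] -eq 'yes') { $notes += 'password logins are still accepted' }
    if ($top['pubkeyauthentication'] -ne 'yes') { $notes += 'public key logins are disabled' }
    [pscustomobject]@{
        PubkeyAuthentication   = $top['pubkeyauthentication']
        PasswordAuthentication = $top['passwordauthentication']
        AdministratorsKeysFile = $adminKeys
        Notes                  = $notes -join '; '
    }
}

Get-SshdAuthSummary -ConfigText $sample
# Against the live file:
# Get-SshdAuthSummary -ConfigText (Get-Content -Raw C:\ProgramData\ssh\sshd_config)
```

With the Match block left uncommented, as in the shipped file, AdministratorsKeysFile reports __PROGRAMDATA__/ssh/administrators_authorized_keys instead of the per-user file.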
voleta said : 2019-12-12 10:19:17
Isn't it laggy?
zxxx said : 2019-12-12 10:23:11
voleta said : 2019-12-12 10:19
Isn't it laggy?
With an accelerator, it's acceptable.
yeshang said : 2019-12-12 13:15:41
You can install Windows with dd. What is enabling SSH for?