Monday, July 3, 2017

Setting up an sshd server on Windows 2012R2

To use ssh on a Windows server you first have to set up an ssh server. Once it is in place, Zabbix or Job Arranger can talk to the host in Agentless mode. This post is based on sshd server v0.0.17.0.
As always, please excuse the Japanese in the screen captures.

1. Win32-OpenSSH Download

Download OpenSSH-Win64.zip from
https://github.com/PowerShell/Win32-OpenSSH/releases

2. Install on the Windows Server

2.1 Create the OpenSSH-Win64 folder

Extract the downloaded OpenSSH-Win64.zip somewhere convenient.
In my case I extracted it to C:\tmp.


2.2 Install

From the extracted folder, run install-sshd.ps1 with PowerShell.
C:\tmp\OpenSSH-Win64>powershell install-sshd.ps1
install-sshd.ps1 : 用語 'install-sshd.ps1' は、コマンドレット、関数、スクリプト
 ファイル、または操作可能なプログラムの名前として認識されません。名前が正しく記
述されていることを確認し、パスが含まれている場合はそのパスが正しいことを確認し
てから、再試行してください。
発生場所 行:1 文字:1
+ install-sshd.ps1
+ ~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (install-sshd.ps1:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
C:\tmp\OpenSSH-Win64>
If you get this error, install by following
https://github.com/PowerShell/Win32-OpenSSH/wiki/Install-Win32-OpenSSH
instead.
C:\tmp\OpenSSH-Win64>powershell -ExecutionPolicy Bypass -File install-sshd.ps1
[SC] SetServiceObjectSecurity SUCCESS
[SC] ChangeServiceConfig SUCCESS
[SC] ChangeServiceConfig2 SUCCESS
sshd and ssh-agent services successfully installed

C:\tmp\OpenSSH-Win64>.\ssh-keygen.exe -A
.\ssh-keygen.exe: generating new host keys: RSA DSA ECDSA ED25519


C:\tmp\OpenSSH-Win64>powershell -ExecutionPolicy Bypass -File FixHostFilePermissions.ps1
  [*] C:\tmp\OpenSSH-Win64\sshd_config

'BUILTIN\Users' should not have access to 'C:\tmp\OpenSSH-Win64\sshd_config'..
Shall I remove this access?
[Y] はい(Y)  [A] すべて続行(A)  [N] いいえ(N)  [L] すべて無視(L)  [S] 中断(S)
[?] ヘルプ(既定値は "Y"): A
'BUILTIN\Users' has no more access to 'C:\tmp\OpenSSH-Win64\sshd_config'.
'NT SERVICE\sshd' now has Read access to 'C:\tmp\OpenSSH-Win64\sshd_config'.
      Repaired permissions

  [*] C:\tmp\OpenSSH-Win64\ssh_host_dsa_key

Current owner: 'WORK1\Administrator'. 'NT AUTHORITY\SYSTEM' should own
'C:\tmp\OpenSSH-Win64\ssh_host_dsa_key'.
Shall I set the file owner?
[Y] はい(Y)  [A] すべて続行(A)  [N] いいえ(N)  [L] すべて無視(L)  [S] 中断(S)
[?] ヘルプ(既定値は "Y"): A
'NT AUTHORITY\SYSTEM' now owns 'C:\tmp\OpenSSH-Win64\ssh_host_dsa_key'.
'WORK1\Administrator' has no more access to 'C:\tmp\OpenSSH-Win64\ssh_host_dsa_key'.
'NT SERVICE\sshd' now has Read access to 'C:\tmp\OpenSSH-Win64\ssh_host_dsa_key'.
      Repaired permissions

  [*] C:\tmp\OpenSSH-Win64\ssh_host_dsa_key.pub

Current owner: 'WORK1\Administrator'. 'NT AUTHORITY\SYSTEM' should own
'C:\tmp\OpenSSH-Win64\ssh_host_dsa_key.pub'.
Shall I set the file owner?
[Y] はい(Y)  [A] すべて続行(A)  [N] いいえ(N)  [L] すべて無視(L)  [S] 中断(S)
[?] ヘルプ(既定値は "Y"): A
'NT AUTHORITY\SYSTEM' now owns 'C:\tmp\OpenSSH-Win64\ssh_host_dsa_key.pub'.
'WORK1\Administrator' now has Read access to 'C:\tmp\OpenSSH-Win64\ssh_host_dsa_key.pub'.
      Repaired permissions

  [*] C:\tmp\OpenSSH-Win64\ssh_host_ecdsa_key

Current owner: 'WORK1\Administrator'. 'NT AUTHORITY\SYSTEM' should own
'C:\tmp\OpenSSH-Win64\ssh_host_ecdsa_key'.
Shall I set the file owner?
[Y] はい(Y)  [A] すべて続行(A)  [N] いいえ(N)  [L] すべて無視(L)  [S] 中断(S)
[?] ヘルプ(既定値は "Y"): A
'NT AUTHORITY\SYSTEM' now owns 'C:\tmp\OpenSSH-Win64\ssh_host_ecdsa_key'.
'WORK1\Administrator' has no more access to 'C:\tmp\OpenSSH-Win64\ssh_host_ecdsa_key'.
'NT SERVICE\sshd' now has Read access to 'C:\tmp\OpenSSH-Win64\ssh_host_ecdsa_key'.
      Repaired permissions

  [*] C:\tmp\OpenSSH-Win64\ssh_host_ecdsa_key.pub

Current owner: 'WORK1\Administrator'. 'NT AUTHORITY\SYSTEM' should own
'C:\tmp\OpenSSH-Win64\ssh_host_ecdsa_key.pub'.
Shall I set the file owner?
[Y] はい(Y)  [A] すべて続行(A)  [N] いいえ(N)  [L] すべて無視(L)  [S] 中断(S)
[?] ヘルプ(既定値は "Y"): A
'NT AUTHORITY\SYSTEM' now owns 'C:\tmp\OpenSSH-Win64\ssh_host_ecdsa_key.pub'.
'WORK1\Administrator' now has Read access to 'C:\tmp\OpenSSH-Win64\ssh_host_ecdsa_key.pub'.
      Repaired permissions

  [*] C:\tmp\OpenSSH-Win64\ssh_host_ed25519_key

Current owner: 'WORK1\Administrator'. 'NT AUTHORITY\SYSTEM' should own
'C:\tmp\OpenSSH-Win64\ssh_host_ed25519_key'.
Shall I set the file owner?
[Y] はい(Y)  [A] すべて続行(A)  [N] いいえ(N)  [L] すべて無視(L)  [S] 中断(S)
[?] ヘルプ(既定値は "Y"): A
'NT AUTHORITY\SYSTEM' now owns 'C:\tmp\OpenSSH-Win64\ssh_host_ed25519_key'.
'WORK1\Administrator' has no more access to 'C:\tmp\OpenSSH-Win64\ssh_host_ed25519_key'.
'NT SERVICE\sshd' now has Read access to 'C:\tmp\OpenSSH-Win64\ssh_host_ed25519_key'.
      Repaired permissions

  [*] C:\tmp\OpenSSH-Win64\ssh_host_ed25519_key.pub

Current owner: 'WORK1\Administrator'. 'NT AUTHORITY\SYSTEM' should own
'C:\tmp\OpenSSH-Win64\ssh_host_ed25519_key.pub'.
Shall I set the file owner?
[Y] はい(Y)  [A] すべて続行(A)  [N] いいえ(N)  [L] すべて無視(L)  [S] 中断(S)
[?] ヘルプ(既定値は "Y"): A
'NT AUTHORITY\SYSTEM' now owns 'C:\tmp\OpenSSH-Win64\ssh_host_ed25519_key.pub'.
'WORK1\Administrator' now has Read access to 'C:\tmp\OpenSSH-Win64\ssh_host_ed25519_key.pub'.
      Repaired permissions

  [*] C:\tmp\OpenSSH-Win64\ssh_host_rsa_key

Current owner: 'WORK1\Administrator'. 'NT AUTHORITY\SYSTEM' should own
'C:\tmp\OpenSSH-Win64\ssh_host_rsa_key'.
Shall I set the file owner?
[Y] はい(Y)  [A] すべて続行(A)  [N] いいえ(N)  [L] すべて無視(L)  [S] 中断(S)
[?] ヘルプ(既定値は "Y"): A
'NT AUTHORITY\SYSTEM' now owns 'C:\tmp\OpenSSH-Win64\ssh_host_rsa_key'.
'WORK1\Administrator' has no more access to 'C:\tmp\OpenSSH-Win64\ssh_host_rsa_key'.
'NT SERVICE\sshd' now has Read access to 'C:\tmp\OpenSSH-Win64\ssh_host_rsa_key'.
      Repaired permissions

  [*] C:\tmp\OpenSSH-Win64\ssh_host_rsa_key.pub

Current owner: 'WORK1\Administrator'. 'NT AUTHORITY\SYSTEM' should own
'C:\tmp\OpenSSH-Win64\ssh_host_rsa_key.pub'.
Shall I set the file owner?
[Y] はい(Y)  [A] すべて続行(A)  [N] いいえ(N)  [L] すべて無視(L)  [S] 中断(S)
[?] ヘルプ(既定値は "Y"): A
'NT AUTHORITY\SYSTEM' now owns 'C:\tmp\OpenSSH-Win64\ssh_host_rsa_key.pub'.
'WORK1\Administrator' now has Read access to 'C:\tmp\OpenSSH-Win64\ssh_host_rsa_key.pub'.
      Repaired permissions
   Done.
C:\tmp\OpenSSH-Win64>



To summarize the commands above:
 1. powershell -ExecutionPolicy Bypass -File install-sshd.ps1
 2. .\ssh-keygen.exe -A
 3. powershell -ExecutionPolicy Bypass -File FixHostFilePermissions.ps1
    Answer A to each prompt.
 4. powershell New-NetFirewallRule -Protocol TCP -LocalPort 22 -Direction Inbound -Action Allow -DisplayName sshd
    This opens the firewall for port 22.

2.3 Edit sshd_config

Add the following line at the end of the file:
PidFile C:/tmp/OpenSSH-Win64/sshd.pid
This sets the location where the pid file is written.
Naturally, sshd needs permission to write sshd.pid at that location.
If, after starting sshd, the log file shows
error: Couldn't create pid file "./sshd.pid": Permission denied
then the folder and file path it is trying to write is wrong, so be sure to choose a location the sshd process can write its pid file to.

2.4 Start it from Windows Services

Once the installation above is complete, the Services list will show an entry like the figure below.
Find sshd there and start it.
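The whole of steps 2.2 to 2.4 as one unattended script, followed by the checks I would run before handing the box to Zabbix or Job Arranger. This is an added example, not code from the original post or the Win32-OpenSSH project; it assumes an elevated PowerShell, that the zip is already extracted to C:\tmp\OpenSSH-Win64, and that FixHostFilePermissions.ps1 accepts -Confirm:$false (as the project wiki describes for this version; treat that switch as an assumption).

```powershell
# Added example: unattended install of Win32-OpenSSH sshd, steps 2.2-2.4 of the post.
# Assumes an elevated shell and the zip already extracted to $sshDir.
$ErrorActionPreference = 'Stop'
$sshDir = 'C:\tmp\OpenSSH-Win64'
Set-Location $sshDir

# 1. Register the sshd and ssh-agent services (same script the post runs).
powershell -ExecutionPolicy Bypass -File .\install-sshd.ps1

# 2. Generate host keys once; -A creates every missing key type.
if (-not (Test-Path "$sshDir\ssh_host_ed25519_key")) {
    .\ssh-keygen.exe -A
}

# 3. Tighten owner/ACL on sshd_config and the private host keys.
#    Skipping this is what produces the "agent refused operation" error in the post.
#    -Confirm:$false (assumed from the project wiki) replaces answering "A" by hand.
powershell -ExecutionPolicy Bypass -File .\FixHostFilePermissions.ps1 -Confirm:$false

# 4. Point PidFile at a directory the sshd service can write to (step 2.3).
$cfg = "$sshDir\sshd_config"
if (-not (Select-String -Path $cfg -Pattern '^\s*PidFile\s' -Quiet)) {
    Add-Content -Path $cfg -Value 'PidFile C:/tmp/OpenSSH-Win64/sshd.pid'
}

# 5. Open TCP/22 inbound (idempotent), then start sshd and make it start at boot.
if (-not (Get-NetFirewallRule -DisplayName 'sshd' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -Protocol TCP -LocalPort 22 -Direction Inbound `
        -Action Allow -DisplayName sshd | Out-Null
}
Set-Service -Name sshd -StartupType Automatic
Start-Service -Name sshd

# 6. Checks: (a) no BUILTIN\Users ACE left on a private host key,
#    (b) service running and port 22 reachable,
#    (c) host key fingerprints, to compare with what the Linux client shows
#        at "The authenticity of host ... can't be established".
$acl = Get-Acl "$sshDir\ssh_host_rsa_key"
$loose = $acl.Access | Where-Object { $_.IdentityReference -like '*\Users' }
if ($loose) { Write-Warning 'ssh_host_rsa_key is still readable by Users' }
Get-Service sshd | Select-Object Name, Status, StartType
Test-NetConnection -ComputerName localhost -Port 22 | Select-Object TcpTestSucceeded
Get-ChildItem "$sshDir\ssh_host_*_key.pub" |
    ForEach-Object { .\ssh-keygen.exe -lf $_.FullName }
```

Keep the fingerprint list from step 6 somewhere the client side can see it; it is the only way to tell a legitimate host key change from the man-in-the-middle case that the second error in the reference section warns about.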

3. Connect from a Linux server

[root@localhost ~]# ssh Administrator@parkssh
The authenticity of host 'parkssh (192.168.xxx.xxx)' can't be established.
ECDSA key fingerprint is xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'parkssh' (ECDSA) to the list of known hosts.
Administrator@parkssh's password: 

Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
Administrator@WORK1 C:\Users\Administrator>dir
 ドライブ C のボリューム ラベルがありません。
 ボリューム シリアル番号は 6AC7-8328 です

 C:\Users\Administrator のディレクトリ

2017/07/02  10:57    <DIR>          .
2017/07/02  10:57    <DIR>          ..
2017/07/02  10:58    <DIR>          .ssh
2017/03/18  18:50    <DIR>          .VirtualBox
2017/03/02  20:54    <DIR>          Contacts
2017/03/02  20:54    <DIR>          Desktop
2017/07/02  18:04    <DIR>          Documents
2017/06/28  22:19    <DIR>          Downloads
2017/03/02  20:54    <DIR>          Favorites
2017/03/02  20:54    <DIR>          Links
2017/03/02  20:54    <DIR>          Music
2017/03/02  20:54    <DIR>          Pictures
2017/03/02  20:54    <DIR>          Saved Games
2017/03/02  20:54    <DIR>          Searches
2017/03/02  20:54    <DIR>          Videos
2017/03/18  12:34    <DIR>          VirtualBox VMs
               0 個のファイル                   0 バイト
              16 個のディレクトリ  49,632,653,312 バイトの空き領域

Administrator@WORK1 C:\Users\Administrator>

The connection succeeded.
With that, an sshd that Zabbix and Job Arranger can use is installed.

Reference: handling errors

1.
If connecting from Linux fails with
[root@localhost ~]# ssh Administrator@parkssh
Read from socket failed: Connection reset by peer
[root@localhost ~]#
or the Windows log C:\tmp\OpenSSH-Win64\logs\sshd.log contains
fatal: sshd_hostkey_sign: ssh_agent_sign failed: agent refused operation
then you need to run
powershell -ExecutionPolicy Bypass -File FixHostFilePermissions.ps1
See the command summary above.

2.
[root@localhost ~]# ssh Administrator@parkssh
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /root/.ssh/known_hosts:1
ECDSA host key for 192.168.xxx.xxx has changed and you have requested strict checking.
Host key verification failed.
When this happens,
delete the .ssh/known_hosts file on the Linux server.

That is all.


