After establishing a network connection (see Chapter 5, Network setup), you can run various network applications.
Many web browser packages exist for accessing remote content with the Hypertext Transfer Protocol (HTTP).
Table 6.1 List of web browsers.

| package | popcon | size | description |
|---|---|---|---|
| iceweasel | V:35, I:56 | 3908 | web browser (X) (unbranded Mozilla Firefox) |
| iceape-browser | V:2, I:4 | NOT_FOUND | web browser (X) (unbranded Mozilla browser, removed because of the security problem bug#505565) |
| epiphany-browser | V:8, I:41 | 32 | web browser (X) (GNOME HIG compliant browser, Epiphany) |
| galeon | V:1.3, I:2 | 1748 | web browser (X) (GNOME browser, Galeon, succeeded by Epiphany) |
| konqueror | V:11, I:20 | 3652 | web browser (X) (KDE browser, Konqueror) |
| w3m | V:23, I:85 | 1968 | web browser (text) (w3m) |
| lynx | V:2, I:25 | 48 | , , |
| elinks | V:2, I:6 | 1452 | , , |
| links | V:3, I:9 | 1372 | , , |
| links2 | V:1.0, I:4 | 3280 | , , |
The following special URL strings let you inspect the settings of some browsers:

* "about:"
* "about:config"
* "about:plugins"
Debian provides browser plugin components that handle not only Java (the software platform) and Flash but also MPEG, MPEG2, MPEG4, DivX, Windows Media Video (.wmv), QuickTime (.mov), MP3 (.mp3), Ogg/Vorbis files, DVDs, VCDs, and so on. On Debian, non-free browser plugins can be installed as browser plugin packages from the contrib or non-free components.
Table 6.2 List of browser plugins.

| package | popcon | size | component | description |
|---|---|---|---|---|
| icedtea-gcjwebplugin | V:0.6, I:0.8 | 204 | main | Java plugin using Hotspot JIT |
| sun-java6-plugin | I:9 | 52 | non-free | Java plugin for Sun's Java SE 6 (i386 only) |
| swfdec-mozilla | V:11, I:23 | 244 | main | Flash plugin based on libswfdec |
| mozilla-plugin-gnash | V:0.5, I:1.8 | 108 | main | Flash plugin based on Gnash |
| flashplugin-nonfree | V:1.4, I:10 | 128 | contrib | Flash plugin helper to install Adobe Flash Player (i386, amd64 only) |
| mozilla-bonobo | V:0.16, I:0.4 | 168 | main | Mozilla plugin support for GNOME Bonobo components |
| mozilla-plugin-vlc | V:3, I:5 | 160 | main | Multimedia plugin based on VLC media player |
| totem-mozilla | V:21, I:41 | 268 | main | Multimedia plugin based on GNOME's Totem media player |
| gecko-mediaplayer | V:0.19, I:0.2 | 680 | main | Multimedia plugin based on (GNOME) MPlayer |
| nspluginwrapper | V:1.9, I:3 | 472 | contrib | A wrapper to run i386 Netscape plugins on the amd64 architecture |
Tip: Although using the Debian packages above is far easier, browser plugins can still be installed by placing the "*.so" file in a plugin directory (for example "
Some web sites refuse connections based on the user-agent string of your browser. You can work around this by spoofing the user-agent string. For example, add the following line:

```
user_pref("general.useragent.override", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)");
```

to a user configuration file such as "~/.gnome2/epiphany/mozilla/epiphany/user.js" or "~/.mozilla/firefox/*.default/user.js". Alternatively, you can add and reset this variable by typing "about:config" into the URL bar and right-clicking the displayed contents.
Caution: A spoofed user-agent string may cause bad side effects with Java.
Caution: If you are going to set up a mail server that exchanges mail directly with the Internet, you should be reading something more advanced than this elementary document.
In order to contain spam (unwanted and unsolicited e-mail) problems, many ISPs which provide consumer grade Internet connections are implementing countermeasures:
When configuring your mail system or resolving mail delivery problems, you must consider these new limitations.
In light of this hostile Internet situation and these limitations, some independent Internet mail ISPs such as Yahoo.com and Gmail.com offer a secure mail service which can be connected to from anywhere on the Internet using Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL):
Caution: It is not realistic to run an SMTP server on a consumer grade network and send mail directly to the remote host reliably; such mail is very likely to be rejected. You must use a smarthost service offered by your connection ISP or by an independent mail ISP. For simplicity, I will assume that the smarthost is located at "
Table 6.3 List of popular mail system packages for a workstation.

| package | popcon | size | function |
|---|---|---|---|
| exim4-daemon-light | V:61, I:67 | 928 | Exim4 mail transport agent (MTA: Debian default) |
| exim4-base | V:63, I:69 | 1660 | Exim4 documentation (text) and common files |
| exim4-doc-html | I:0.8 | 5756 | Exim4 documentation (html) |
| exim4-doc-info | I:0.4 | 596 | Exim4 documentation (info) |
| postfix | V:16, I:18 | 3436 | Postfix mail transport agent (MTA: alternative) |
| postfix-doc | I:2 | 3332 | Postfix documentation (html+text) |
| sasl2-bin | V:1.9, I:5 | 448 | Cyrus SASL API implementation (supplements postfix for SMTP-AUTH) |
| cyrus-sasl2-doc | I:3 | 284 | Cyrus SASL documentation |
| fetchmail | V:2, I:6 | 1812 | Remote mail retrieval and forwarding utility |
| procmail | V:18, I:86 | 360 | Mail filter utility |
| mutt | V:22, I:83 | 5772 | Mail user agent (MUA) to read/write mail, usually used with vim |
The choice between the exim4-* and postfix packages is really up to you.

Although the popcon vote count of exim4 looks several times higher than that of postfix, this does not mean postfix is unpopular with Debian developers. The Debian server system uses both exim4 and postfix. Analysis of mail headers of mailing list postings from prominent Debian developers also indicates that both of these MTAs are about equally popular.

The exim4-* packages are known for very small memory consumption and very flexible configuration. The postfix package is known to be compact, fast, simple, and secure. Both come with ample documentation and are comparable in quality and license.
The simplest mail configuration is one where mail is sent to the ISP's smarthost and received from the ISP's POP3 server by the MUA itself. This type of configuration is popular with full featured GUI based mail user agents (MUAs) such as icedove(1), evolution(1), etc. If you need to filter mail by type, you use the MUA's filtering function. In this case, the local mail transport agent (MTA) needs to do local delivery only.

The alternative mail configuration is one where mail is sent via the local MTA to the ISP's smarthost and received from the ISP's POP3 server by fetchmail(1) into the local mailbox. If you need to filter mail by type, you use procmail(1) to filter mail into separate mailboxes. This type of configuration is popular with simple console based MUAs such as mutt(1), gnus(1), etc., although it is possible with any MUA. In this case, the local MTA needs to do both smarthost delivery and local delivery.
For Internet mail via a smarthost, you (re)configure the exim4-* packages as follows:

```
$ sudo /etc/init.d/exim4 stop
$ sudo dpkg-reconfigure exim4-conf
```

Reply to "Keep number of DNS-queries minimal (Dial-on-Demand)?" as:

```
$ sudo vim /etc/exim4/passwd.client
$ cat /etc/exim4/passwd.client
^smtp.*\.hostname\.dom:username@hostname.dom:password
$ sudo /etc/init.d/exim4 start
```
The host name in "/etc/exim4/passwd.client" should not be an alias. Check the real host name with:

```
$ host smtp.hostname.dom
smtp.hostname.dom is an alias for smtp99.hostname.dom.
smtp99.hostname.dom has address 123.234.123.89
```

I use a regex in "/etc/exim4/passwd.client" to work around the alias issue, so that even if the ISP moves the host the alias points to, SMTP AUTH will most likely keep working.
Caution: You must execute

Caution: Starting

Caution: Please read the official guide at: "

Tip: Local customization file "
For Internet mail via a smarthost, you should first read the postfix documentation and the key manual pages:

Table 6.4 List of important postfix manual pages.

| command | function |
|---|---|
| postfix(1) | Postfix control program |
| postconf(1) | Postfix configuration utility |
| postconf(5) | Postfix configuration parameters |
| postmap(1) | Postfix lookup table maintenance |
| postalias(1) | Postfix alias database maintenance |
You (re)configure the postfix and sasl2-bin packages as follows:

```
$ sudo /etc/init.d/postfix stop
$ sudo dpkg-reconfigure postfix
```

In the dpkg-reconfigure dialogue, give the smarthost as "[smtp.hostname.dom]:587".

```
$ sudo postconf -e 'smtp_sender_dependent_authentication = yes'
$ sudo postconf -e 'smtp_sasl_auth_enable = yes'
$ sudo postconf -e 'smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd'
$ sudo postconf -e 'smtp_sasl_type = cyrus'
$ sudo vim /etc/postfix/sasl_passwd
$ cat /etc/postfix/sasl_passwd
[smtp.hostname.dom]:587 username:password
$ sudo postmap hash:/etc/postfix/sasl_passwd
$ sudo /etc/init.d/postfix start
```

Here the use of "[" and "]" in the dpkg-reconfigure dialogue and in "/etc/postfix/sasl_passwd" ensures that no MX record lookup is done and the exact host name specified is used directly. Read more under "Enabling SASL authentication in the Postfix SMTP client" in "/usr/share/doc/postfix/html/SASL_README.html".
There are a few mail address configuration files for mail transport, delivery and user agents.
Table 6.5 List of mail address related configuration files.

| file | function | application |
|---|---|---|
| /etc/mailname | default host name for (outgoing) mail | Debian specific, mailname(5) |
| /etc/email-addresses | host name spoofing for outgoing mail | exim(8) specific, exim4-config_files(5) |
| /etc/postfix/generic | host name spoofing for outgoing mail | postfix(1) specific, activated after postmap(1) command execution |
| /etc/aliases | account name alias for incoming mail | general, activated after newaliases(1) command execution |
The mailname in the "/etc/mailname" file is usually a fully qualified domain name (FQDN) that resolves to one of the host's IP addresses. On a mobile workstation which does not have a host name with a resolvable IP address, set this mailname to the value of "hostname -f". (This is a safe choice and works for both exim4-* and postfix.)
Tip: The contents of "
When the mailname is set to "hostname -f", spoofing of the source mail address via the MTA can be realized with:

* the "/etc/email-addresses" file for exim4(8), as explained in exim4-config_files(5), and
* the "/etc/postfix/generic" file for postfix(1), as explained in generic(5).

For postfix, the following extra steps are needed:

```
# postmap hash:/etc/postfix/generic
# postconf -e 'smtp_generic_maps = hash:/etc/postfix/generic'
# postfix reload
```
You check filters using:

* exim(8) with the -brw, -bf, -bF, -bV, … options.
* postmap(1) with the -q option.

Tip: Exim comes with several utility programs such as
There are several basic MTA operations. Some may be performed via the sendmail(1) compatibility interface.

Table 6.6 List of basic MTA operations.

| exim command | postfix command | description |
|---|---|---|
| sendmail | sendmail | Read mail from standard input and arrange for delivery (-bm) |
| mailq | mailq | List the mail queue with status and queue ID (-bp) |
| newaliases | newaliases | Initialize the alias database (-I) |
| exim4 -q | postqueue -f | flush waiting mail (-q) |
| exim4 -qf | postsuper -r ALL deferred; postqueue -f | flush all mail |
| exim4 -qff | postsuper -r ALL; postqueue -f | flush even frozen mail |
| exim4 -Mg queue_id | postsuper -h queue_id | freeze one message by its queue ID |
| exim4 -Mrm queue_id | postsuper -d queue_id | remove one message by its queue ID |
| --- | postsuper -d ALL | remove all messages |
For the scripts in "/etc/ppp/ip-up.d/*", "flush all mail" may be a good idea.
Use mutt as the mail user agent (MUA) in combination with vim. Customize it with "~/.muttrc"; for example:

```
# use visual mode and "gq" to reformat quotes
set editor="vim -c 'set tw=72 et ft=mail'"
#
# header weeding taken from the manual (Sven's Draconian header weeding)
#
ignore *
unignore from: date subject to cc
unignore user-agent x-mailer
hdr_order from subject to cc date user-agent x-mailer
set hostname=spoof.example.org
set from="First Last <username@example.org>"
....
```

Add the following to "/etc/mailcap" or "~/.mailcap" to display HTML mail and MS Word attachments inline:

```
text/html; lynx -force_html %s; needsterminal;
application/msword; /usr/bin/antiword '%s'; copiousoutput; description="Microsoft Word Text"; nametemplate=%s.doc
```
You need to deliver mail manually from "/var/mail/<username>" to the sorted mailboxes in your home directory if your home directory became full and procmail(1) failed. After making disk space in the home directory, run:

```
# /etc/init.d/${MAILDAEMON} stop
# formail -s procmail </var/mail/<username>
# /etc/init.d/${MAILDAEMON} start
```
For mail system programs, there are many alternatives developed with different priorities. Here is an overview.
There are many choices for MTA (mail transfer agent).
Table 6.7 List of MTAs.

| package | popcon | size | capability |
|---|---|---|---|
| exim4-daemon-light | V:61, I:67 | 928 | full |
| postfix | V:16, I:18 | 3436 | full (security) |
| exim4-daemon-heavy | V:1.8, I:2 | 1040 | full (flexible) |
| sendmail-bin | V:2, I:2 | 2080 | full (only if you are already familiar) |
| nullmailer | V:0.6, I:0.8 | 452 | stripped down, no local mail |
| ssmtp | V:0.9, I:1.4 | 0 | stripped down, no local mail |
| nbsmtp | V:0.2, I:0.2 | 120 | ? |
| courier-mta | V:0.2, I:0.2 | 4000 | very full (web interface etc.) |
| xmail | V:0.19, I:0.2 | 824 | light |
| masqmail | V:0.04, I:0.06 | 556 | light |
| esmtp | V:0.11, I:0.2 | 156 | light |
| esmtp-run | V:0.08, I:0.12 | 8 | light (sendmail compatibility extension to esmtp) |
| msmtp | V:0.2, I:0.6 | 324 | light |
| msmtp-mta | V:0.08, I:0.12 | 32 | light (sendmail compatibility extension to msmtp) |
If you subscribe to Debian related mailing lists, it may be a good idea to use an MUA such as mutt or gnus, which are the de facto standard for participants and known to behave as expected.
Table 6.8 List of MUAs.

| package | popcon | size | type |
|---|---|---|---|
| iceweasel | V:35, I:56 | 3908 | X GUI (unbranded Mozilla Firefox) |
| evolution | V:23, I:41 | 10200 | X GUI (part of a groupware suite) |
| icedove | V:11, I:15 | 38108 | X GUI (unbranded Mozilla Thunderbird) |
| mutt | V:22, I:83 | 5772 | character terminal, probably with vim |
| gnus | V:0.04, I:0.5 | 6272 | character terminal under (x)emacs |
Although fetchmail(1) has been the de facto standard for remote mail retrieval on GNU/Linux, the author now prefers getmail(1). If you want to reject mail before downloading it to save bandwidth, mailfilter or mpop may be useful. Whichever mail retrieval utility is used, it is a good idea to configure the system to deliver retrieved mail to an MDA, such as maildrop, via a pipe.
Table 6.9 List of remote mail retrieval and forwarding utilities.

| package | popcon | size | capability |
|---|---|---|---|
| fetchmail | V:2, I:6 | 1812 | mail retriever (POP3, APOP, IMAP) (old) |
| getmail4 | V:0.3, I:0.7 | 632 | mail retriever (POP3, IMAP4, and SDPS) (simple, secure, and reliable) |
| mailfilter | V:0.01, I:0.07 | 352 | mail retriever (POP3) with regex filtering capability |
| mpop | V:0.01, I:0.06 | 364 | mail retriever (POP3) and MDA with filtering capability |
getmail(1) configuration is described in the getmail documentation. Here is my set up to access multiple POP3 accounts as a user.

Create "/usr/local/bin/getmails" as:

```
#!/bin/sh
# run getmail once with every rc file found under ~/.getmail/config
set -e
rcfiles="/usr/bin/getmail"
for file in $HOME/.getmail/config/* ; do
  rcfiles="$rcfiles --rcfile $file"
done
exec $rcfiles "$@"
```

```
$ sudo chmod 755 /usr/local/bin/getmails
$ mkdir -m 0700 $HOME/.getmail
$ mkdir -m 0700 $HOME/.getmail/config
$ mkdir -m 0700 $HOME/.getmail/log
```

Create "$HOME/.getmail/config/pop3_name" for each POP3 account as:

```
[retriever]
type = SimplePOP3SSLRetriever
server = pop.example.com
username = pop3_name@example.com
password = secret

[destination]
type = MDA_external
path = /usr/bin/maildrop
unixfrom = True

[options]
verbose = 0
delete = True
delivered_to = False
message_log = ~/.getmail/log/pop3_name.log
```

```
$ chmod 0600 $HOME/.getmail/config/*
```

Set "/usr/local/bin/getmails" to run every 15 minutes with cron(8) by executing "sudo crontab -e -u <user_name>" and adding the following entry:

```
5,20,35,50 * * * * /usr/local/bin/getmails --quiet
```
Tip: Problems with POP3 access may not come from
Most MTA programs, such as postfix and exim4, function as an MDA (mail delivery agent). There are also specialized MDAs with filtering capabilities.

Although procmail(1) has been the de facto standard for an MDA with filtering on GNU/Linux, the author now prefers maildrop(1). Whichever filtering utility is used, it is a good idea to configure the system to deliver filtered mail to a qmail-style Maildir.
Table 6.10 List of MDAs with filtering.

| package | popcon | size | description |
|---|---|---|---|
| procmail | V:18, I:86 | 360 | MDA with filter (old) |
| mailagent | V:0.5, I:6 | 1688 | MDA with perl filter |
| maildrop | V:0.3, I:0.8 | 1040 | MDA with structured filtering language |
maildrop(1) configuration is described in the maildropfilter documentation. Here is a configuration example for "$HOME/.mailfilter":

```
logfile $HOME/.maildroplog
# clearly bad looking mails: drop them into X-trash and exit
if ( /^X-Advertisement/ ||\
     /^Subject:.*BUSINESS PROPOSAL/ ||\
     /^Subject:.*URGENT.*ASSISTANCE/ ||\
     /^Subject: *I NEED YOUR ASSISTANCE/ )
   to "$HOME/Maildir/X-trash/"
# Delivering mailinglist messages
if ( /^Precedence:.*list/ ||\
     /^Precedence:.*bulk/ ||\
     /^List-/ ||\
     /^X-Distribution:.*bulk/ )
{
   if ( /^Resent-Sender.*debian-user-request@lists.debian.org/)
      to "$HOME/Maildir/debian-user/"
   if ( /^Resent-Sender.*debian-devel-request@lists.debian.org/)
      to "$HOME/Maildir/debian-devel/"
   if ( /^Resent-Sender.*debian-announce-request@lists.debian.org/)
      to "$HOME/Maildir/debian-announce/"
   to "$HOME/Maildir/mailing-list/"
}
to "$HOME/Maildir/Inbox/"
exit
```
Warning: Unlike
An equivalent configuration can be done with procmail(1) in "$HOME/.procmailrc" as:

```
MAILDIR=$HOME/Maildir
DEFAULT=$MAILDIR/Inbox/
LOGFILE=$MAILDIR/Maillog
# clearly bad looking mails: drop them into X-trash and exit
:0
* 1^0 ^X-Advertisement
* 1^0 ^Subject:.*BUSINESS PROPOSAL
* 1^0 ^Subject:.*URGENT.*ASSISTANCE
* 1^0 ^Subject: *I NEED YOUR ASSISTANCE
X-trash/
# Delivering mailinglist messages
:0
* 1^0 ^Precedence:.*list
* 1^0 ^Precedence:.*bulk
* 1^0 ^List-
* 1^0 ^X-Distribution:.*bulk
{
:0
* 1^0 ^Return-path:.*debian-devel-admin@debian.or.jp
jp-debian-devel/
:0
* ^Resent-Sender.*debian-user-request@lists.debian.org
debian-user/
:0
* ^Resent-Sender.*debian-devel-request@lists.debian.org
debian-devel/
:0
* ^Resent-Sender.*debian-announce-request@lists.debian.org
debian-announce/
:0
mailing-list/
}
:0
Inbox/
```
If you are going to run a private server on a LAN, you may consider running a POP3 / IMAP4 server to deliver mail to LAN clients.
Table 6.11 List of POP3/IMAP4 servers.

| package | popcon | size | type | description |
|---|---|---|---|---|
| qpopper | V:1.2, I:5 | 644 | POP3 | enhanced Qualcomm version |
| courier-pop | V:1.4, I:2 | 232 | POP3 | supports only the maildir format |
| ipopd | V:0.12, I:0.2 | 204 | POP3 | formerly part of the University of Washington IMAP package |
| cyrus-pop3d-2.2 | V:0.16, I:0.3 | 856 | POP3 | part of the Cyrus IMAPd suite |
| xmail | V:0.19, I:0.2 | 824 | POP3 | ESMTP/POP3 mail server |
| courier-imap | V:3, I:4 | 1604 | IMAP | provides access to email stored in Maildirs |
| uw-imapd | V:1.2, I:5 | 272 | IMAP | the University of Washington IMAP |
| cyrus-imapd-2.2 | V:0.5, I:0.7 | 2636 | IMAP | part of the Cyrus IMAPd suite |
In older Unix-like systems, the BSD Line printer daemon was the standard. Since the standard print output format of free software on Unix-like systems is PostScript, some filter system was used along with Ghostscript to enable printing on non-PostScript printers.
Recently, the Common UNIX Printing System (CUPS) has become the new de facto standard. CUPS uses the Internet Printing Protocol (IPP). IPP is now supported by other OSs such as Windows XP and Mac OS X and has become the new cross-platform de facto standard for remote printing with bi-directional communication capability.
The standard printable data format for applications on the Debian system is PostScript (PS), which is a page description language. Data in PS format is fed into the Ghostscript PostScript interpreter to produce printable data specific to the printer. See "Ghostscript".
Thanks to the file format dependent auto-conversion feature of the CUPS system, simply feeding any data to the lpr command should generate the expected print output. (In CUPS, lpr can be enabled by installing the cups-bsd package.)

The Debian system has a few notable packages for print servers and utilities:
Table 6.12 List of print servers and utilities.

| package | popcon | size | function | port |
|---|---|---|---|---|
| lpr | V:3, I:3 | 440 | BSD lpr/lpd (Line printer daemon) | printer (515) |
| lprng | V:0.9, I:1.2 | 3020 | , , (Enhanced) | , , |
| cups | V:29, I:40 | 11164 | Internet Printing CUPS server | IPP (631) |
| cups-client | V:8, I:41 | 440 | System V printer commands for CUPS: lp(1), lpstat(1), lpoptions(1), cancel(1), lpmove(8), lpinfo(8), lpadmin(8), … | , , |
| cups-bsd | V:6, I:37 | 180 | BSD printer commands for CUPS: lpr(1), lpq(1), lprm(1), lpc(8) | , , |
| cups-driver-gutenprint | V:8, I:32 | 1264 | printer drivers for CUPS | Not applicable |
Tip: You can configure the CUPS system by pointing your web browser to "http://localhost:631/".
The Secure SHell (SSH) is the secure way to connect over the Internet. A free version of SSH called OpenSSH is available as the ssh package in Debian.
Table 6.13 List of remote access servers and utilities.

| package | popcon | size | tool | comment |
|---|---|---|---|---|
| openssh-client | V:55, I:98 | 2084 | ssh | secure shell client |
| openssh-server | V:65, I:77 | 812 | sshd | secure shell server |
| ssh-askpass-fullscreen | V:0.11, I:0.5 | 92 | ssh-askpass-fullscreen | asks the user for a pass phrase for ssh-add (GNOME2) |
| ssh-askpass | V:0.7, I:4 | 156 | ssh-askpass | asks the user for a pass phrase for ssh-add (plain X) |
Caution: See "Security measures for the Internet" if your SSH is accessible from the Internet.

Tip: Please use the

"/etc/ssh/sshd_not_to_be_run" must not be present if one wishes to run the OpenSSH server.
SSH has two authentication protocols:
Table 6.14 List of SSH authentication protocols and methods.

| SSH protocol | SSH method | description |
|---|---|---|
| SSH-1 | RSAAuthentication | user authentication with an RSA identity key |
| , , | RhostsAuthentication | .rhosts based host authentication (insecure, disabled) |
| , , | RhostsRSAAuthentication | .rhosts authentication combined with the RSA host key (disabled) |
| , , | ChallengeResponseAuthentication | RSA challenge-response authentication |
| , , | PasswordAuthentication | password authentication |
| SSH-2 | PubkeyAuthentication | user authentication with a public key |
| , , | HostbasedAuthentication | "~/.rhosts" or "/etc/hosts.equiv" authentication combined with public key client host authentication (disabled) |
| , , | ChallengeResponseAuthentication | challenge-response authentication |
| , , | PasswordAuthentication | password authentication |
Be careful about these differences if you are using a non-Debian system.
See "/usr/share/doc/ssh/README.Debian.gz", ssh(1), sshd(8), ssh-agent(1), and ssh-keygen(1) for details.
Following are the key configuration files:
Table 6.15 List of SSH configuration files.

| configuration file | function |
|---|---|
| /etc/ssh/ssh_config | SSH client defaults. See ssh_config(5). |
| /etc/ssh/sshd_config | SSH server defaults. See sshd_config(5). |
| ~/.ssh/authorized_keys | the list of the public SSH keys that clients use to connect to this account on this host |
| ~/.ssh/identity | secret SSH-1 RSA key of the user |
| ~/.ssh/id_rsa | secret SSH-2 RSA key of the user |
| ~/.ssh/id_dsa | secret SSH-2 DSA key of the user |
Tip: See
The following start an ssh(1) connection from a client.

Table 6.16 List of SSH client startup examples.

| command | description |
|---|---|
| ssh username@hostname.domain.ext | connect in default mode |
| ssh -v username@hostname.domain.ext | connect in default mode with debugging messages |
| ssh -1 username@hostname.domain.ext | force a connection with SSH version 1 |
| ssh -1 -o RSAAuthentication=no -l username hostname.domain.ext | force password use with SSH version 1 |
| ssh -o PreferredAuthentications=password -l username hostname.domain.ext | force password use with SSH version 2 |
If you use the same user name on the local and the remote host, you can omit typing "username@". Even if you use different user names on the local and the remote host, you can omit it by using "~/.ssh/config". For the Debian Alioth service with the account name "foo-guest", you set "~/.ssh/config" to contain:

```
Host alioth.debian.org svn.debian.org git.debian.org
    User foo-guest
```
For the user, ssh(1) functions as a smarter and more secure telnet(1). Unlike the telnet command, the ssh command does not bomb on the telnet escape character (initial default CTRL-]).
To establish a pipe connecting port 4025 of localhost to port 25 of remote-server, and port 4110 of localhost to port 110 of remote-server, through ssh, execute on the local machine:

```
# ssh -q -L 4025:remote-server:25 -L 4110:remote-server:110 username@remote-server
```

This is a secure way to make connections to SMTP/POP3 servers over the Internet. Set the "AllowTcpForwarding" entry to "yes" in "/etc/ssh/sshd_config" on the remote host.
One can avoid having to remember a password for each remote system by using "RSAAuthentication" (SSH-1 protocol) or "PubkeyAuthentication" (SSH-2 protocol).

On the remote system, set the respective entry, "RSAAuthentication yes" or "PubkeyAuthentication yes", in "/etc/ssh/sshd_config".

Then generate authentication keys locally and install the public key on the remote system:

* "RSAAuthentication": RSA1 key for SSH-1 (deprecated because superseded)

```
$ ssh-keygen
$ cat .ssh/identity.pub | ssh user1@remote "cat - >>.ssh/authorized_keys"
```

* "PubkeyAuthentication": RSA key for SSH-2

```
$ ssh-keygen -t rsa
$ cat .ssh/id_rsa.pub | ssh user1@remote "cat - >>.ssh/authorized_keys"
```

* "PubkeyAuthentication": DSA key for SSH-2

```
$ ssh-keygen -t dsa
$ cat .ssh/id_dsa.pub | ssh user1@remote "cat - >>.ssh/authorized_keys"
```
Caution: There is no longer any reason to work around the RSA patent by using DSA, since the patent has expired. DSA stands for Digital Signature Algorithm and is slow.
One can change the pass phrase later with "ssh-keygen -p". Make sure to verify the settings by testing the connection. In case of any problem, use "ssh -v".
You can add options to the entries in "~/.ssh/authorized_keys" to limit the hosts a key may be used from and to run only specific commands. See sshd(8) for details.
Note that SSH-2 has "HostbasedAuthentication". For this to work, you must set "HostbasedAuthentication" to "yes" both in "/etc/ssh/sshd_config" on the server machine and in "/etc/ssh/ssh_config" or "~/.ssh/config" on the client machine.
There are a few free SSH clients available for other platforms.

Table 6.17 List of free SSH clients for other platforms.

| environment | free SSH program |
|---|---|
| Windows | puTTY (http://www.chiark.greenend.org.uk/~sgtatham/putty/) (GPL) |
| Windows (cygwin) | SSH in cygwin (http://www.cygwin.com/) (GPL) |
| Macintosh Classic | macSSH (http://www.macssh.com/) (GPL) |
| Mac OS X | OpenSSH; use ssh in the Terminal application (GPL) |
It is safer to protect your SSH authentication key with a pass phrase. If one was not set, use "ssh-keygen -p" to set it.

Place your public key (e.g. "~/.ssh/id_rsa.pub") into "~/.ssh/authorized_keys" on a remote host using a password-based connection to the remote host as described above.

```
$ ssh-agent bash
$ ssh-add ~/.ssh/id_rsa
Enter passphrase for /home/<username>/.ssh/id_rsa:
Identity added: /home/<username>/.ssh/id_rsa (/home/<username>/.ssh/id_rsa)
$ scp foo <username>@remote.host:foo
```

For the X server, the normal Debian startup script executes ssh-agent as the parent process, so you only need to execute ssh-add once. For more, read ssh-agent(1) and ssh-add(1).
If you have problems, check the permissions of the configuration files and run ssh with the "-v" option.
Use the "-P" option if you are root and have trouble with a firewall; this avoids the use of server ports 1--1023.
If ssh connections to a remote site suddenly stop working, it may be the result of tinkering by the sysadmin, most likely a change of the "host_key" during system maintenance. After making sure this is the case and that nobody is trying to fake the remote host by some clever hack, one can regain a connection by removing the "host_key" entry from "~/.ssh/known_hosts" on the local machine.
Table 6.18 List of other network application servers.

| package | popcon | size | protocol | focus |
|---|---|---|---|---|
| telnetd | V:0.5, I:1.4 | 156 | TELNET | TELNET server |
| telnetd-ssl | V:0.16, I:0.4 | 204 | , , | , , (SSL support) |
| nfs-kernel-server | V:14, I:23 | 324 | NFS | Unix style file sharing |
| samba | V:22, I:34 | 13464 | SMB | windows file and printer sharing |
| netatalk | V:6, I:10 | 2448 | ATP | apple/mac file and printer sharing (AppleTalk) |
| proftpd-basic | V:4, I:4 | 2060 | FTP | general file download |
| wu-ftpd | V:0.5, I:0.7 | 820 | , , | , , |
| apache2-mpm-prefork | V:36, I:42 | 56 | HTTP | general web server |
| apache2-mpm-worker | V:5, I:6 | 56 | , , | , , |
| squid | V:6, I:7 | 1816 | , , | general web proxy server |
| squid3 | V:1.0, I:1.3 | 2404 | , , | , , |
| slpd | V:0.2, I:0.4 | 228 | SLP | OpenSLP server as an LDAP server |
| bind9 | V:11, I:17 | 840 | DNS | IP address for other hosts |
| dhcp3-server | V:5, I:9 | 808 | DHCP | IP address of the client itself |
Common Internet File System Protocol (CIFS) is the same protocol as Server Message Block (SMB).
Tip: Use of a proxy server such as
Table 6.19 List of network applications.

| package | popcon | size | protocol | focus |
|---|---|---|---|---|
| netcat | V:2, I:57 | 36 | TCP/IP | TCP/IP swiss army knife |
| stunnel4 | V:0.5, I:1.7 | 508 | SSL | Universal SSL Wrapper |
| telnet | V:15, I:90 | 200 | TELNET | TELNET client |
| telnet-ssl | V:0.3, I:1.2 | 244 | , , | , , (SSL support) |
| nfs-common | V:52, I:82 | 504 | NFS | Unix style file sharing |
| smbclient | V:7, I:41 | 25116 | SMB | MS windows file and printer sharing client |
| smbfs | V:6, I:26 | 4656 | , , | Mount and umount commands for remote MS windows files |
| ftp | V:10, I:87 | 160 | FTP | FTP client |
| lftp | V:1.4, I:6 | 1724 | , , | , , |
| ncftp | V:1.7, I:8 | 1212 | , , | Full screen FTP client |
| wget | V:29, I:99 | 1944 | HTTP and FTP | Web downloader |
| curl | V:5, I:19 | 304 | , , | , , |
| dog | V:0.07, I:0.3 | 76 | HTTP | Web uploader (cat with URL support) |
| bind9-host | V:47, I:90 | 172 | DNS | The host command from bind9, priority standard |
| dnsutils | V:14, I:91 | 388 | , , | The dig command from bind, priority standard |
| host | V:1.5, I:3 | 180 | , , | The host command from dnsutils, priority extra |
| dhcp3-client | V:50, I:93 | 608 | DHCP | Obtain an IP address |
| ldap-utils | V:1.6, I:7 | 608 | LDAP | Obtain data from an LDAP server |
The telnet program enables manual connection to and diagnosis of the system daemons. E.g.:

```
$ telnet mail.ispname.net pop3
```

The following RFCs provide the knowledge required to test each system daemon.
The port usage is described in "/etc/services".