SSH service architecture: client/server (C/S)
S-end (server): 192.168.100.151
C-end (client): 192.168.100.150
S-end operation:
yum -y install openssh-clients openssh-server openssh   ## install ssh
/etc/init.d/sshd start
chkconfig sshd on
C-end operation: remote login
Linux systems:
yum -y install openssh openssh-clients
ssh user@ip
ssh root@192.168.100.151   ## root is the root user on the S-end; if the user is omitted, ssh tries to log in as the client's current user
scp local_file user@ip:/remote_dir   ## upload; the user must have write permission on the remote directory
scp user@ip:/remote_file local_dir   ## download; the user only needs read permission on the remote file
scp john-*.tar.gz root@192.168.100.151:/root/   ## upload
sftp user@ip   ## ftp-style upload and download over ssh
sftp root@192.168.100.151
sftp> cd /etc/yum.repos.d/   ## directories outside the home directory can be entered
sftp> get rhel.repo   ## download
sftp> bye   ## quit
Windows systems: common Windows clients such as CRT (SecureCRT), PuTTY and Xmanager can be used.
Security-hardening configuration for the SSH server:
vi /etc/ssh/sshd_config
ListenAddress 192.168.100.151   ## listen only on this IP, e.g. a gateway that should accept ssh only on its intranet interface
LoginGraceTime 2m   ## time a connection may stay unauthenticated before sshd drops it (not an idle timeout for established sessions)
PermitRootLogin no   ## forbid root from logging in over ssh; administer with a normal user plus su
MaxAuthTries 6   ## maximum authentication attempts per connection
MaxSessions 10   ## maximum number of sessions (shells, sftp, forwarded channels) multiplexed over one network connection; 10 is the default. Concurrent unauthenticated connections are limited by MaxStartups, not here
GSSAPIAuthentication no   ## disable GSSAPI authentication; speeds up the ssh login response
GSSAPICleanupCredentials no   ## disable GSSAPI credential cleanup
UseDNS no   ## do not reverse-resolve client addresses; also speeds up login
AllowUsers u01 u03 user@host   ## only the listed users may log in; the user@host form limits that user to a given source host; entries are separated by spaces. DenyUsers denies the listed users; when both are present, DenyUsers is evaluated before AllowUsers
:wq
/etc/init.d/sshd restart
echo "Welcome to linuxfan.cn" > /root/welcome.txt
sed -i "/Banner/a Banner /root/welcome.txt" /etc/ssh/sshd_config   ## add a banner shown before login; restart sshd afterwards for it to take effect
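As an added example (not code from the original article), the following shell helper applies the directives above to an sshd_config idempotently: it replaces an existing or commented-out default line, drops later active duplicates (sshd honours only the first occurrence of a directive), and inserts missing directives before the first Match block so they stay global. It also audits a config for the settings the article hardens. The sample sshd_config it generates is constructed for the demonstration; the address 192.168.100.151 and the users u01/u03 are the article's.

```bash
#!/usr/bin/env bash
# Added example, not from the original article. Works on any file path, so
# it can be exercised on a copy; on a real host point it at
# /etc/ssh/sshd_config, then run `sshd -t` and restart sshd.

# set_directive FILE KEY VALUE: set a global directive idempotently.
# A directive placed after "Match" applies to that block only, so new
# lines are inserted before the first Match block.
set_directive() {
    local file="$1" key="$2" value="$3" tmp
    tmp="$(mktemp)"
    awk -v key="$key" -v value="$value" '
        BEGIN { lkey = tolower(key); done = 0; in_match = 0 }
        !in_match && tolower($1) == "match" {
            if (!done) { print key " " value; done = 1 }
            in_match = 1
        }
        !in_match {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)       # look through a leading "#"
            split(line, f, /[ \t]+/)
            if (tolower(f[1]) == lkey) {
                if (!done) { print key " " value; done = 1; next }
                if ($0 ~ /^[ \t]*#/) { print; next } # keep commented copies
                next                                 # drop active duplicate
            }
        }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# get_directive FILE KEY: effective global value (first active line before any Match)
get_directive() {
    awk -v key="$2" '
        BEGIN { lkey = tolower(key) }
        tolower($1) == "match" { exit }
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == lkey { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# audit_config FILE: one finding per line for the settings the article hardens
audit_config() {
    local file="$1" v
    v="$(get_directive "$file" PermitRootLogin)"
    [ "$v" = "no" ] || echo "PermitRootLogin is '${v:-unset}' (yes was the default before OpenSSH 7.0); set it to no"
    v="$(get_directive "$file" ListenAddress)"
    [ -n "$v" ] || echo "ListenAddress unset; sshd listens on every interface"
    v="$(get_directive "$file" MaxAuthTries)"
    [ -z "$v" ] || [ "$v" -le 6 ] || echo "MaxAuthTries is $v; 6 or fewer is the usual ceiling"
    v="$(get_directive "$file" UseDNS)"
    [ "$v" = "no" ] || echo "UseDNS is not explicitly no; reverse lookups slow down logins"
    v="$(get_directive "$file" GSSAPIAuthentication)"
    [ "$v" != "yes" ] || echo "GSSAPIAuthentication yes; disable it unless Kerberos logins are needed"
    v="$(get_directive "$file" AllowUsers)"
    [ -n "$v" ] || echo "AllowUsers unset; every account with a valid shell may log in"
    return 0
}

count_findings() { audit_config "$1" | awk 'END { print NR }'; }

# harden_config FILE: apply the article's settings (S-end address 192.168.100.151)
harden_config() {
    local f="$1"
    set_directive "$f" ListenAddress 192.168.100.151
    set_directive "$f" LoginGraceTime 2m
    set_directive "$f" PermitRootLogin no
    set_directive "$f" MaxAuthTries 6
    set_directive "$f" GSSAPIAuthentication no
    set_directive "$f" GSSAPICleanupCredentials no
    set_directive "$f" UseDNS no
    set_directive "$f" AllowUsers "u01 u03"
    set_directive "$f" Banner /root/welcome.txt
}

# make_sample_config FILE: constructed stand-in for a stock RHEL 6 sshd_config
make_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample, not a real host's file
#ListenAddress 0.0.0.0
#PermitRootLogin yes
#LoginGraceTime 2m
GSSAPIAuthentication yes
#UseDNS yes
Subsystem sftp /usr/libexec/openssh/sftp-server
Match User backup
    PasswordAuthentication no
EOF
}

# stand-alone run: report on the constructed sample, harden it, report again
sample="$(mktemp)"; make_sample_config "$sample"
echo "before: $(count_findings "$sample") finding(s)"; audit_config "$sample"
harden_config "$sample"
echo "after: $(count_findings "$sample") finding(s)"; rm -f "$sample"
```

Run it as root against a copy of /etc/ssh/sshd_config first, diff the result, and only then copy it into place; `sshd -t` validates the syntax before the restart so a typo cannot lock you out.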
SSH login with key-pair authentication
S-end: make sure public-key authentication is enabled; uncomment the following
vi /etc/ssh/sshd_config
PubkeyAuthentication yes   ## allow public-key authentication
AuthorizedKeysFile .ssh/authorized_keys   ## file, relative to the user's home directory, in which the authorized public keys are stored
:wq
/etc/init.d/sshd restart
The C-end generates the key pair:
ssh-keygen -t rsa   ## generate a key pair; press Enter at every prompt (default path, empty passphrase)
cd .ssh/   ## enter the directory holding the key pair (id_rsa is the private key, id_rsa.pub the public key)
Upload the public key:
ssh-copy-id u02@192.168.100.151   ## install the public key for u02 (asks for u02's password once); afterwards u02 logs in without a password
S-end verification:
cat /home/u02/.ssh/authorized_keys   ## view
C-end verification:
ssh u02@192.168.100.151   ## no password required
Attention:
Other S-end users can copy the public key into their own home directory to get key-pair authentication as well:
mkdir /home/u03/.ssh/
cp /home/u02/.ssh/authorized_keys /home/u03/.ssh/
chown u03:u03 /home/u03/.ssh/*   ## with StrictModes (the default) .ssh and authorized_keys must be owned by the user or root and must not be writable by group or others; otherwise sshd ignores the file and silently falls back to a password prompt
Before RHEL 6, ssh-copy-id may fail; the workaround:
scp id_rsa.pub root@192.168.100.151:/tmp/
cat /tmp/id_rsa.pub >> /home/u02/.ssh/authorized_keys   ## append with >>; a single > would overwrite any keys already authorized
S-end summary: whichever account has the public key under its home directory is the account that can log in with key-pair authentication.
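As an added example (not the article's code), here is an ssh-copy-id-style installer that replaces the manual cp/cat steps above: it creates .ssh with mode 0700 and authorized_keys with mode 0600 (the modes ssh-keygen and ssh-copy-id use, which also satisfy StrictModes), appends instead of overwriting, and skips a key that is already present even if its trailing comment differs. The key strings are constructed and are not real keys; a temporary directory stands in for /home/u02 on the S-end.

```bash
#!/usr/bin/env bash
# Added example, not from the original article: install a public key into a
# user's authorized_keys the way ssh-copy-id does. Run as root on the S-end
# (or as the user) with HOME_DIR pointing at the target account's home.

# install_authorized_key HOME_DIR PUBKEY_LINE -> 0 on success, 1 on bad input
install_authorized_key() {
    local home="$1" pubkey="$2" dir="$1/.ssh" keyid
    local file="$1/.ssh/authorized_keys"
    # key type + base64 blob identify a key; the trailing comment may differ
    keyid="$(printf '%s\n' "$pubkey" | awk 'NF >= 2 { print $1, $2 }')"
    [ -n "$keyid" ] || return 1
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$file" && chmod 600 "$file" || return 1
    if awk -v id="$keyid" '($1 " " $2) == id { found = 1 } END { exit !found }' "$file"; then
        return 0                            # already authorized: idempotent
    fi
    printf '%s\n' "$pubkey" >> "$file"      # >> appends; > would wipe existing keys
}

# key_count HOME_DIR: number of active (non-comment) key lines
key_count() {
    awk 'NF >= 2 && $1 !~ /^#/ { n++ } END { print n + 0 }' "$1/.ssh/authorized_keys"
}

# perms_ok HOME_DIR: 0 if .ssh is 0700 and authorized_keys is 0600.
# ls -ld is parsed because stat(1) flags differ between GNU and BSD.
perms_ok() {
    [ "$(ls -ld "$1/.ssh" | cut -c1-10)" = "drwx------" ] || return 1
    [ "$(ls -ld "$1/.ssh/authorized_keys" | cut -c1-10)" = "-rw-------" ] || return 1
}

# Constructed sample keys: the base64 part is made up and is not a real key.
SAMPLE_KEY_ROOT="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedSampleNotARealKey01== root@client"
SAMPLE_KEY_C_U01="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedSampleNotARealKey02== c_u01@client"

# stand-alone run against a temporary directory standing in for /home/u02
home="$(mktemp -d)"
install_authorized_key "$home" "$SAMPLE_KEY_ROOT"
install_authorized_key "$home" "$SAMPLE_KEY_ROOT"      # second run is a no-op
install_authorized_key "$home" "$SAMPLE_KEY_C_U01"
echo "keys installed: $(key_count "$home")"            # 2, not 3
perms_ok "$home" && echo "modes ok" || echo "modes wrong"
rm -rf "$home"
```

When installing for another account as root, finish with `chown -R user:user /home/user/.ssh` as the article does, since files created by root would otherwise belong to root (accepted by StrictModes, but untidy).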
C-end:
The root account generates the key pair
su - c_u01
ssh u02@192.168.100.151   ## login fails, because there is no private key in c_u01's home directory
exit
cp /root/.ssh/id_rsa /home/c_u01/.ssh/   ## create /home/c_u01/.ssh first if it does not exist yet
chown c_u01:c_u01 /home/c_u01/.ssh/*   ## ssh refuses a private key readable by other users, so the file must belong to c_u01 and keep mode 0600
C-end summary: the client user's home directory must contain the private key, otherwise the key pair cannot be used. Note that copying root's private key gives c_u01 root's identity on every server where that public key is installed; generating a separate key pair for c_u01 is the cleaner choice.
Once public-key authentication works, a command can be executed directly without an interactive login:
ssh u02@192.168.100.151 touch a.file   ## run on the C-end; creates a.file on the S-end as u02, which can be verified on the S-end
If root login is enabled in sshd, the server can even be shut down remotely:
ssh root@192.168.100.151 reboot
Controlling the remote file copying supported by the SSH protocol:
1) Disable scp
rpm -qa | grep openssh-*
yum remove openssh-clients -y   ## on the S-end; scp also needs the scp binary on the remote side, and it ships in openssh-clients
After openssh-clients has been removed, running scp against the server reports:
-bash: scp: command not found
Removing the package also removes the ssh and sftp clients from the server itself, and it does not stop sftp access to the server. Since OpenSSH 9.0 scp transfers data over the SFTP protocol by default, so on modern systems deleting the scp binary no longer blocks scp clients.
2) Disable sftp
vi /etc/ssh/sshd_config
Subsystem sftp /usr/libexec/openssh/sftp-server
Comment this line out, as follows:
#Subsystem sftp /usr/libexec/openssh/sftp-server
Save and exit, then restart sshd:
service sshd restart
Note: the following experiments are done separately; combined with other configurations there may be errors.
Jailing users in a directory when they use SFTP improves security. Here the u01 account is dedicated to SFTP, other users are not allowed to use SFTP, and u02 logs in over SSH to manage the system.
vi /etc/ssh/sshd_config
#Subsystem sftp /usr/libexec/openssh/sftp-server   ## comment this line out
Subsystem sftp internal-sftp   ## add the in-process sftp subsystem; no external binary is needed inside the chroot
AllowUsers u01 u02   ## allow the u01 and u02 users
Match Group sftp_u   ## rules that apply only to members of the sftp_u group; everything below, up to the next Match, belongs to this block, so keep it at the end of the file
X11Forwarding no   ## disable graphical forwarding
AllowTcpForwarding no   ## disable TCP forwarding
ChrootDirectory /home   ## jail the sftp_u group in /home; sshd requires every component of this path to be owned by root and not writable by group or others, otherwise the login fails
ForceCommand internal-sftp   ## force the internal-sftp command, so no shell is ever started
:wq
groupadd sftp_u
useradd u02
echo 123123 | passwd --stdin u02
usermod -g sftp_u u01   ## set u01's primary group to sftp_u (u01 must already exist)
/etc/init.d/sshd restart
Login verification:
ssh u01@192.168.100.151   ## error: "This service allows sftp connections only."
ssh u02@192.168.100.151   ## login succeeds
sftp u01@192.168.100.151   ## login succeeds
sftp> cd /etc/   ## error: the path does not exist inside the chroot
sftp> pwd   ## shows / (really /home on the server), indicating a successful configuration. Note that u01 can still list the other users' home directories under /home; a per-user ChrootDirectory such as /home/%u (root-owned, with a writable subdirectory for uploads) keeps users from seeing each other.
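The most common failure of this setup is a ChrootDirectory whose ownership or modes sshd rejects (the login then fails with "bad ownership or modes for chroot directory component" in the sshd log). As an added example, not from the article, the following script reproduces that check in shell: every path component from / down to the directory must be owned by root and must not be writable by group or others. The expected owner is a parameter only so the logic can be exercised on a throwaway tree owned by whoever runs it; for a real check pass root (the default). Symbolic links in the path are not followed here.

```bash
#!/usr/bin/env bash
# Added example, not from the original article: validate a ChrootDirectory
# path the way sshd does before chrooting an SFTP user.

# check_component DIR OWNER -> 0 if DIR is a directory owned by OWNER and
# not writable by group or others; prints the reason and returns 1 otherwise.
# ls -ld is parsed because stat(1) flags differ between GNU and BSD.
check_component() {
    local path="$1" owner="$2" perms who
    [ -d "$path" ] || { echo "$path: not a directory"; return 1; }
    perms="$(ls -ld "$path" | cut -c1-10)"          # e.g. drwxr-xr-x
    who="$(ls -ld "$path" | awk '{ print $3 }')"     # owner name
    [ "$who" = "$owner" ] || { echo "$path: owned by $who, must be owned by $owner"; return 1; }
    case "$perms" in
        # position 6 is the group write bit, position 9 the others write bit
        ?????w*|????????w?) echo "$path: writable by group or others ($perms)"; return 1 ;;
    esac
    return 0
}

# chroot_path_check DIR [OWNER] -> 0 when every component of the absolute path
# DIR passes check_component; otherwise lists every offending component.
chroot_path_check() {
    local dir="$1" owner="${2:-root}" p="/" rest comp bad=0
    case "$dir" in
        /*) ;;
        *) echo "$dir: ChrootDirectory must be an absolute path"; return 1 ;;
    esac
    check_component "$p" "$owner" || bad=1
    rest="${dir#/}"
    while [ -n "$rest" ]; do
        comp="${rest%%/*}"                 # next path element
        rest="${rest#"$comp"}"; rest="${rest#/}"
        [ -n "$comp" ] || continue         # skip doubled slashes
        p="${p%/}/$comp"
        check_component "$p" "$owner" || bad=1
    done
    return $bad
}

# stand-alone run: a constructed tree owned by the current user, then the real /home
base="$(mktemp -d)"; me="$(ls -ld "$base" | awk '{ print $3 }')"
mkdir -p "$base/home/u01"
chmod 755 "$base/home"; chmod 775 "$base/home/u01"     # group-writable: rejected
check_component "$base/home" "$me" && echo "$base/home: acceptable component"
check_component "$base/home/u01" "$me" || echo "-> fix with: chmod 755 $base/home/u01"
rm -rf "$base"
if chroot_path_check /home; then echo "/home: usable as ChrootDirectory"
else echo "/home: not usable as ChrootDirectory (see reasons above)"; fi
```

Run `chroot_path_check /home` (or whatever path the Match block uses) as part of the sshd restart step; the same rule means the jailed user's writable upload directory must be a subdirectory below the chroot, never the chroot directory itself.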
This article is from the "Lp-linux" blog; please keep this source: http://linuxlp.blog.51cto.com/11463376/1773669
Linux Security---SSH configuration and use