OpenSSH service and SSH-based dual-machine trust configuration

In the implementation of daily maintenance and management, we often need to telnet to the server, in the early days, the implementation of the Protocol is Telnet, and now less use, but telnet a fatal flaw is that it is not only the data transmission is clear, even the user's authentication is clear, This is extremely insecure on the Internet.

In order to achieve secure management, the remote login is now using the SSH (Secure Shell) protocol, the SSL protocol is V1,V2 version, but the V1 version because of its own shortcomings can not meet the current needs. As with Telnet, the implementation of SSH protocol is the C/s architecture, client side can be logged to the server through the account password, the server is a process that listens on a socket at all times, then the client sends the user's instructions to the server side. After the server side executes, server processes on the server side send the results of the run to the client side. This process is encrypted when using SSH.

On Linux, the tool for implementing SSH is the OpenSSH series

Server side: Openssh-server

Client side: Openssh-clients

There are also openssh, generating ssh-keygen tools and so on. These packages are generally required to be installed

On Redhat systems, the Openssh-server is installed by default and starts automatically on boot. The name of the server-side executable that the installation generates is SSHD, and you can use service sshd status to see if the sshd for the current system is running

sshd configuration file/etc/ssh/In this directory also contains the SSH client configuration file, the following is the directory of files: 650) this.width=650; "Src=" http://s3.51cto.com/wyfs02/M01/74/B8 /wkiom1ynta-grrnvaagy5qcnyvc968.jpg "title=" {Gu9}9[d66 (k6iefkm})%6e.png "alt=" wkiom1ynta-grrnvaagy5qcnyvc968.jpg "/>

Sshd_config is the sshd configuration file, the parameters that are frequently used in the configuration file:

Port 22 Specifies the ports (TCP) for sshd snooping

Version of SSH protocol used by protocol 2

Keyregenerationinterval 1h randomly generated temporary key replacement time, default is one hour

Logingracetime 2m The client makes a request, waits for the client to send an account timeout, or waits for the user to enter the key's timeout period

Permitrootlogin yes whether to allow administrator remote login

Passwordauthentication Yes allows password-based remote connections

Subsystem Sftp/usr/libexec/openssh/sftp-server is a secure file transfer subsystem that is included in the SSH package, which implements secure transmission based on SSH and becomes FTPS based on the SSL implementation.SFTP itself does not have a separateDaemon process, it must use the sshd daemon (Portthe default is 22) to complete the corresponding connection operation, so in a sense, sftp is not like aServerprogram, and more like a client program. SFTP is also used to transmit authentication information and transmitted data using encryption, so it is very safe to use SFTP. However, because this transmission uses the encryption/Decryption technology, soTransmission efficiencythan the ordinaryFtpis much lower, you can use SFTP instead of FTP if you have higher security requirements for your network.

SSH session creation Process:1. Password-based authentication

2. Key-based authentication

Password-based authentication:

A. Client initiated request (eg above 192.168.0.1), which algorithm is used by both parties to negotiate

B. The server sends a host key information (the server's public key) to the client, which is/etc/ssl/, and if it is the RSA algorithm, it sends Ssh_host_key.pub, Then save in the client's current user's home directory under the. SSH directory, the file name is knows-hosts because there is no CA in the PKI platform, it depends on the client to decide whether to trust this public key

C. If the client trusts, the client generates a random number as the temporary session key (symmetric encryption of data) to encrypt the account, and then uses the other's public key to encrypt the generated symmetric key

D. Client sends user authentication key, session establishment

The SSHD service initiates an SSHD master process, which is primarily used to receive user requests and then generates an SSHD child process for each client to respond

Key-based authentication:

Client (based on a user implementation)

Principle: 1. The client generates a pair of keys, generated using Ssh-keygen, assuming the user is a

2. Transfer the public key in the key pair to a file in the home directory of a user (b user) on the server side, and save the files in the. SSH directory as the filename is Authorized.key

At this point, the client a user then log on to the server as a B user, the session can be established after sending the request, do not transfer the account password on the Internet, so the method based on key authentication more secure

Using SSH is a technique that should be noted to enhance security:

1. Regular password change

2. Try not to use the default port, use a non-well-known port number

3. Restrict the client address that can be logged in and the user

4, try not to log in directly with the administrator user (you can log in as a normal user and then SU to the administrator more secure way)

5. Using key-based authentication

6. Do not use the V1 version of SSH

Related commands and common options:

SSH client:ssh -l option to specify the user, in what capacity to log on to the remote host

Eg:ssh-l Jerry 192.168.0.1

Ssh-keygen: Key-based authentication is the command that the client uses to generate the key pair

-T for specifying algorithm (RSA|DSA)

The generated key is saved by default in the. SSH directory in the current user's home directory. When using the RSA algorithm, the filename of the Provate-key is Id_rsa,public-key file name is Is_rsa.pub

-F option to specify save file name

Note: The SSH directory should be created manually, you should ensure that the directory permissions are 700, or the system may not work properly, the permissions of the private key should be 600, the public key is 644, which is the default permissions to use these automatic creation time

Ssh-copy-id: When implementing key-based authentication, use this tool to upload the public key to a remote host

-I specifies a locally generated public key file

When using the tool, It will automatically be in the remote host's. SSH directory, create the Authorized.key file to save the passed to the public key, when manually create the file, note the filename, there are many clients using key authentication, using output redirection to save to the file mainly do not overwrite

Ssh-copy-id-i./ssh/id_rsa.pub [Email protected]

The two-machine mutual trust communication can be realized by this method, both the client and server side

This article is from the "Zxcvbnm Xuan ye" blog, please be sure to keep this source http://10764546.blog.51cto.com/10754546/1704930

OpenSSH service and SSH-based dual-machine trust configuration