Remote connection to SSH and OpenSSH applications in Linux
1. remote connection protocol;
Telnet: it is a standard protocol and main method of universal remote login service. It provides users with the ability to complete remote host work on local computers. telnet adopts the C/S architecture, working on port 23/tcp, in CentOS6, the software package mainly serves as the server telnet-server and the client tennet. The service process is managed by the super process xinetd and the Administrator is prohibited from directly logging on to it; it is plain text during user login and transmission of information, which cannot ensure security. Therefore, telnet is not recommended.
Ssh: Secure Shel, the Secure Shell protocol. SSH is a security protocol established on the application layer and transport layer. ssh also uses the C/S architecture and works on 22/tcp ports; ssh has two versions: sshv1 and sshv2;
Sshv1: MAC Based on CRC-32; unsafe, not recommended;
Sshv2: the safest MAC mode is selected based on mutual host negotiation. The secret mechanism and MAC Mechanism are selected through mutual negotiation. The key exchange based on DH and Identity Authentication Based on RSA or DSA are implemented, the client checks the host key of the server to determine whether the communication can continue.
Ii. Brief Introduction to OpenSSH:
Is a set of connection tools used to securely access remote computers. It can be used as a direct replacement for rlogin, rsh rcp, and telnet. Furthermore, any other TCP/IP connection can be tunneling/forwarded securely through SSH. OpenSSH encrypts all transmission data to effectively prevent eavesdropping, connection hijacking, and other network-level attacks. OpenSSH is maintained by the OpenBSD project.
The logon process is similar to a session created using rlogin or telnet. During connection, SSH uses a key fingerprint system to verify the authenticity of the server. The user is required to enter yes only when the connection is established for the first time. Subsequent connections will verify the pre-stored key fingerprint. If the fingerprint is inconsistent with the one received during logon, a warning is given. The fingerprint is saved in ~ /. Ssh/known_hosts, for SSHv2 fingerprint, It is ~ /. Ssh/known_hosts2.
By default, a newer version of OpenSSH only accepts SSHv2 connections. If version 2 can be used, the client program will automatically use it; otherwise, it will return version 1 mode. In addition, you can use the command line parameter-1 or-2 to forcibly use version 1 or 2. The Client Version 1 capability is maintained to consider compatibility of earlier versions.
Composition of OpenSSH:
Adopt the C/S architecture;
Client: Linux tools include ssh, scp, and sftp. The software package is openssh-client;
In Windows, ssh client tools include putty, xshell, securecrt, and sshshellclient;
Server: service process sshd. The software package is openssh-server;
3. OpenSSH client applications;
# Yum install openssh-client: install the openssh client;
#/Etc/ssh/ssh_config: Configuration File
1. ssh:
Command syntax:
# Ssh [username @] host [-p PORT] [COMMAND]
# Ssh [-l username] host [-p PORT] [COMMAND]
Username @ =-l username: Specifies the user who logs on to the remote host. If this parameter is not specified, the local user attempts to log on. If this user does not exist on the remote host, an error is returned;
-P PORT: Specifies the remote server PORT. The default value is 22;
COMMAND: log on to the remote host and execute the specified COMMAND once and return the result, instead of staying on the remote host;
2. scp:
Tools for Secure File Transfer between hosts using ssh protocol;
# Scp SRC1. .. DEST
Command Options:
-R: recursive. Used to copy a directory;
-P: preserve the metadata of the source file, including mode and timestamp;
-Q: silent mode;
-P PORT: Specifies the PORT for listening to the ssh protocol;
There are two scenarios:
1) The source file is on the local machine and the target is remote;
# Scp/path/to/somefile... USERNAME @ HOST:/path/to/somewhere
2) The source file is remote and local as the target;
# Scp USERNAME @ HOST:/path/to/somewhere
3. sftp;
Ssh-based ftp service:
# Sftp USERNAME @ HOST: log on to ftp;
4. openssh server:
# Yum install openssh-server: install the openssh client;
# Chkconfig sshd on: the sshd service starts up;
# Service sshd start: start the sshd service:
# Sun-tnl | grep: 22: view port 22/tcp;
#/Etc/ssh/sshd_config: Configuration File
#/Etc/rc. d/init. d/sshd: Service script
#/Etc/sysconfig/sshd: script configuration file
# Man sshd_config: View configuration parameters
1. sshd authentication method:
1) password-based authentication;
That is, the user name and password;
2) Key-based authentication
# Ssh-keygen-t rsa: the Key generated by the rsa algorithm. The default key is id_rsa (Private Key) and id_rsa.pub (Public Key );
-F/path/to/somefile: key file storage location;
-P': Specifies the oldpassword;
# Ssh-copy-id-I. ssh/id_rsa.pub USERNAME @ HOST: transfer the automatic verification key file;
You can also transmit the public key file (scp) to the remote host. The remote host appends the public key information to the specified user ~ /. Ssh/authorized_keys, authorize remote login;
Operate instances;
2. sshd best practices;
1) do not use the default port 22;
2) do not use protocol1;
3) restrict login users;
Whitelist:
AllowUserSUSEr1 user2...
AllowGroups grp1 grp2...
Blacklist:
DenyUsers
DenyGroups
4) set the idle session timeout duration;
ClientAliveInterval 300
ClientAliveCountMax 0
5) use the firewall to set an ssh access policy;
6) only listen to specific IP addresses, not all IP addresses of the local machine;
7) Use strong password policies
# Tr-dcA-Za-z0-9 _ </dev/urandom | head-c 30 | xargs
8) Use Key-based authentication;
9) do not use a blank password;
10) prohibit the root user from logging on directly;
11) restrict the access frequency of ssh
12) keep logs and analyze them frequently;
For more information about OpenSSH, see the following links:
Install and configure OpenSSH in Ubuntu Server 13.10
Install OpenSSH remotely on Ubuntu
Solve the latency problem during remote login through OpenSSH
Offline installation of OpenSSH in Ubuntu 12.10
OpenSSH upgrade steps and precautions
Solutions for failures of common OpenSSH users
General thread: OpenSSH key management, Part 1 Understanding RSA/DSA authentication
Install OpenSSH and configure the sftp lock directory for RedHat
OpenSSL details: click here
OpenSSL: click here
This article permanently updates the link address: