SSH (Secure Shell) is a protocol for secure remote login and other secure network services over an untrusted network. The SSH-2 protocol is standardized by the IETF (RFC 4251 through RFC 4254). It is an application-layer protocol that brings its own encrypted and authenticated transport on top of TCP.
Traditional network service programs such as FTP, POP and Telnet are inherently unsafe: they send data, user names and passwords across the network in clear text, so anyone who can capture the traffic can read them, and they are vulnerable to man-in-the-middle attacks. In such an attack another person or machine impersonates the real server towards the user, receives the data the user meant for the server, and then forwards it to the real server while posing as the user.
SSH is now the reliable way to secure what used to be Telnet sessions and to carry other network services safely. It closes the information-leakage problem of remote management because everything it transmits is encrypted. It also counters DNS spoofing and IP spoofing, with one caveat that matters in practice: that protection comes from host-key verification, so the server's host key fingerprint has to be checked the first time a client connects (the "authenticity of host ... can't be established" prompt). If an impostor's key is accepted at that point it is cached and trusted from then on.
System and version: CentOS release 5.3 (Final)
Installing SSH (on CentOS the server and client are packaged as openssh-server and openssh-clients; there is no package simply called "ssh")
yum install openssh-server openssh-clients
Start SSH
service sshd start
Set sshd to start at boot
chkconfig sshd on
Modifying the SSH configuration file
First edit the sshd configuration file. As follows:
[root@sample ~]# vi /etc/ssh/sshd_config ← open the sshd configuration file with vi
#Protocol 2,1 ← find this line, remove the "#" at the beginning of the line and delete the trailing ",1", so that only SSH-2 connections are accepted (SSH-1 has known protocol weaknesses and should not be offered at all)
Protocol 2 ← changed to this state; only SSH-2 is used
#ServerKeyBits 768 ← find this line, remove the "#" at the beginning of the line and change 768 to 1024
ServerKeyBits 1024 ← changed to this state; the server key strength becomes 1024 bits. Note that ServerKeyBits governs only the ephemeral server key of SSH-1, so once Protocol 2 is set this directive has no effect; it is harmless to leave it in.
#PermitRootLogin yes ← find this line, remove the "#" at the beginning of the line and change yes to no
PermitRootLogin no ← changed to this state; logging in as root is not allowed (log in as an ordinary user and switch with su - or sudo)
#PasswordAuthentication yes ← find this line, remove the "#" at the beginning of the line and change yes to no
PasswordAuthentication no ← changed to this state; password login is not allowed. Do not restart sshd with this setting until a public key has been installed for at least one account (see the key-based login section below), or you will lock yourself out; keep the current session open while you test a second connection.
#PermitEmptyPasswords no ← find this line and remove the "#" at the beginning of the line, so that empty passwords are not allowed
PermitEmptyPasswords no ← changed to this state; login with an empty password is not allowed
Then save and exit (the vi command to save and exit is ZZ). Check the file with sshd -t, which prints nothing when the syntax is valid, and then restart the service with service sshd restart so the new settings take effect; sessions that are already established survive the restart.
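The edits above are normally made by hand in vi. As an added example that is not part of the original page, the following script applies the same sshd_config settings to a file and audits the result, so the change can be rehearsed on a scratch copy and checked before it is applied to /etc/ssh/sshd_config. The function names and the sample configuration are this example's own; it assumes a POSIX sh with awk, grep and mktemp, all of which CentOS 5 has.

```sh
#!/bin/sh
# Added example, not code from the original page: apply the sshd_config
# hardening described above to a file and audit the effective settings.
# Assumes POSIX sh with awk/grep/mktemp. Run it on a copy first.

# Constructed sample that mirrors the commented-out defaults of the stock
# CentOS 5 sshd_config; used only so the functions below can be exercised.
make_sample_config() {
cat > "$1" <<'EOF'
#Port 22
#Protocol 2,1
#ServerKeyBits 768
#PermitRootLogin yes
#PasswordAuthentication yes
#PermitEmptyPasswords no
UsePAM yes
EOF
}

# set_directive FILE KEY VALUE: uncomment and rewrite the first line for KEY,
# drop later duplicates (sshd honours only the first occurrence) and append
# "KEY VALUE" if the key does not appear at all. Keywords are case-insensitive.
set_directive() {
    awk -v k="$2" -v v="$3" '
        BEGIN { lk = tolower(k); done = 0 }
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)      # strip a leading comment marker
            split(line, f, /[ \t]+/)
            if (tolower(f[1]) == lk) {
                if (!done) { print k " " v; done = 1 }
                next
            }
            print
        }
        END { if (!done) print k " " v }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# effective_value FILE KEY: the value sshd would use (first uncommented
# occurrence); prints nothing when the built-in default applies.
effective_value() {
    awk -v lk="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == lk { print $2; exit }
    ' "$1"
}

# harden_sshd_config FILE [PORT]: the settings from the text above.
# ServerKeyBits is deliberately left alone: it only affects SSH-1, which
# "Protocol 2" disables anyway.
harden_sshd_config() {
    set_directive "$1" Protocol 2
    set_directive "$1" PermitRootLogin no
    set_directive "$1" PasswordAuthentication no
    set_directive "$1" PermitEmptyPasswords no
    set_directive "$1" Port "${2:-22}"
}

# check_directive FILE KEY WANT: print a finding and set bad=1 on mismatch.
check_directive() {
    got=$(effective_value "$1" "$2")
    if [ "$got" != "$3" ]; then
        printf '%s is "%s", want "%s"\n' "$2" "${got:-<built-in default>}" "$3"
        bad=1
    fi
}

# audit_sshd_config FILE: exit 0 only when every hardening setting is in
# effect. A missing Protocol line is a failure because the CentOS 5 default
# is "2,1", i.e. SSH-1 stays enabled; a missing PasswordAuthentication line
# likewise means the default "yes".
audit_sshd_config() {
    bad=0
    check_directive "$1" Protocol 2
    check_directive "$1" PermitRootLogin no
    check_directive "$1" PasswordAuthentication no
    check_directive "$1" PermitEmptyPasswords no
    return $bad
}
```

Typical use on the real host is cp /etc/ssh/sshd_config /root/sshd_config.new; harden_sshd_config /root/sshd_config.new 2200; audit_sshd_config /root/sshd_config.new, then sshd -t -f /root/sshd_config.new before moving the file into place and restarting sshd. The audit is also useful on its own against a configuration you did not write, since it reports the effective value rather than whatever a commented-out line happens to say.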
Because we only want the SSH service for convenient management of the system, and the system is managed from the internal network without being reachable from the extranet, only intranet clients are allowed to log on to the server via SSH, which keeps the exposure as small as possible. The two files below are read by TCP wrappers (libwrap), which the CentOS sshd is built against: hosts.allow is consulted first and the first matching rule wins, then hosts.deny, and a connection matched by neither file is allowed. The method is as follows:
[root@sample ~]# vi /etc/hosts.deny ← edit the deny rules; add the corresponding line at the end of the file
#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!
sshd: ALL ← add this line to block all SSH connection requests
[root@sample ~]# vi /etc/hosts.allow ← edit the allow rules; add the corresponding line at the end of the file
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
sshd: 192.168.0. ← add this line; the trailing dot makes it a network-prefix pattern, so only SSH connection requests from 192.168.0.0/24 are allowed (a pattern without the trailing dot, such as 192.168.0.24, matches that single host only)
Use netstat -tunlp to see which port sshd is listening on. To change it, open /etc/ssh/sshd_config with vim, remove the "#" in front of the #Port 22 line, change 22 to the port of your choice, and restart the SSH service with /etc/init.d/sshd restart. If the host runs iptables, allow the new port before restarting, otherwise the new listener is unreachable from the network.
To restrict which IP addresses may log in via SSH, edit /etc/hosts.deny and add sshd: ALL, then edit /etc/hosts.allow and add, for example, sshd: 192.168.0.24. This limits SSH access to the Linux machine to the single address 192.168.0.24; use the prefix form sshd: 192.168.0. to admit the whole subnet.
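The difference between the prefix pattern 192.168.0. and the single-host pattern 192.168.0.24 is easy to get wrong, and there is no dry-run mode for TCP wrappers. As an added example that is not part of the original page, the following is a small model of how tcpd/libwrap evaluates hosts.allow and hosts.deny for a daemon and client address, so rule files can be tried out on copies before they are installed. It is this example's own code and assumes POSIX sh and awk; it models only the pattern forms ALL, an exact IPv4 address, a trailing-dot prefix and address/netmask, not host names or EXCEPT lists.

```sh
#!/bin/sh
# Added example, not code from the original page: model the hosts_access(5)
# decision for sshd without touching the real /etc/hosts.allow and hosts.deny.
# Assumes POSIX sh + awk. Only ALL, a.b.c.d, a.b.c. and a.b.c.d/m.m.m.m patterns.

# ip_to_int A.B.C.D -> unsigned decimal (printf %.0f avoids 3.2e+09 output)
ip_to_int() {
    printf '%s\n' "$1" | awk -F. '{ printf "%.0f\n", $1*16777216 + $2*65536 + $3*256 + $4 }'
}

# band A B -> A & B for 32-bit values (POSIX awk has no bitwise operators)
band() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        r = 0; p = 1
        for (i = 0; i < 32; i++) {
            if (a % 2 == 1 && b % 2 == 1) r += p
            a = int(a / 2); b = int(b / 2); p *= 2
        }
        printf "%.0f\n", r
    }'
}

# pattern_matches PATTERN IP -> 0 when PATTERN covers IP
pattern_matches() {
    pat=$1; ip=$2
    case "$pat" in
        ALL|all)
            return 0 ;;
        *.)                               # trailing dot: network prefix match
            case "$ip" in "$pat"*) return 0 ;; esac
            return 1 ;;
        */*)                              # address/netmask
            mask=$(ip_to_int "${pat#*/}")
            [ "$(band "$(ip_to_int "${pat%/*}")" "$mask")" = "$(band "$(ip_to_int "$ip")" "$mask")" ]
            return $? ;;
        *)                                # anything else: exact address
            [ "$pat" = "$ip" ]
            return $? ;;
    esac
}

# rule_matches_in FILE DAEMON IP -> 0 when a "daemons : clients" line in FILE
# names DAEMON (or ALL) and one of its client patterns covers IP
rule_matches_in() {
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ || NF < 2 { next }
        {
            gsub(/[ \t]/, "", $1); nd = split($1, dl, ",")
            nc = split($2, cl, /[ \t,]+/)
            for (i = 1; i <= nd; i++)
                for (j = 1; j <= nc; j++)
                    if (cl[j] != "") print dl[i], cl[j]
        }' "$1" |
    while read -r dn cp; do
        [ "$dn" = ALL ] || [ "$dn" = all ] || [ "$dn" = "$2" ] || continue
        if pattern_matches "$cp" "$3"; then echo match; break; fi
    done | grep -q match
}

# tcpwrap_decision ALLOW_FILE DENY_FILE DAEMON IP -> prints allow or deny,
# in hosts_access(5) order: allow file first, then deny file, else allow.
tcpwrap_decision() {
    if rule_matches_in "$1" "$3" "$4"; then echo allow
    elif rule_matches_in "$2" "$3" "$4"; then echo deny
    else echo allow
    fi
}
```

With sshd: ALL in the deny file and sshd: 192.168.0. in the allow file, both 192.168.0.24 and 192.168.0.241 are admitted and 10.0.0.5 is refused; with sshd: 192.168.0.24 instead, 192.168.0.241 is refused. Note also that the deny rule names only sshd, so other wrapped services (the model uses vsftpd as an example name) remain open to everyone; deny ALL: ALL is the usual choice when you want a default-deny policy for every wrapped service.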
SSH Remote Connection Configuration
1. Configure the IP address
# setup
Select Network configuration
Select Device configuration
Select eth0
Clear Use DHCP: with the cursor on [*], press the space bar so the * is removed, leaving [ ]
Static IP: enter 192.168.1.112
Netmask: enter 255.255.255.0
Default gateway IP: enter 192.168.1.1
Primary DNS server: enter 192.168.1.1
2. Change the SSH port
vim /etc/ssh/sshd_config
#Port 22
Remove the # and change 22 to 2200 (the text suggests a port above 2000; any free port works as long as the clients and the firewall rule use the same number)
3. Restart SSH
/etc/init.d/sshd restart
4. Restart the network
service network restart
or
/etc/init.d/network restart
5. View the listening ports
netstat -lnp | more ← sshd should now be listed on 0.0.0.0:2200
6. Firewall
/etc/init.d/iptables stop ← the original procedure stops the firewall altogether, which exposes every other listening service as well. The safer choice is to leave iptables running and insert one INPUT rule that accepts TCP port 2200, then persist it with service iptables save.
Start SSH
/etc/init.d/sshd start
SSH is now ready to connect. In the client (PuTTY is used here):
Enter the connection IP and the port chosen above
Configure the related parameters
Select UTF-8 so that Chinese is displayed correctly
Set the user name to log in with automatically. The original uses root; since PermitRootLogin no was set above, use an ordinary account here and switch to root with su - after logging in.
After the user name is entered you can connect to the server.
But at present our SSH connection still requires a password to be typed. The following introduces connecting with a key, which removes the annoyance of entering the password (and, with PasswordAuthentication no set above, is the only way in):
1. Generate the key pair on the management machine (the machine you connect from)
[root@localhost ~]# mkdir -m 700 /root/.ssh ← optional, ssh-keygen creates the directory itself; it must not be readable or writable by other users
[root@localhost ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): ← press Enter to accept the default path
Enter passphrase (empty for no passphrase): ← type a passphrase; it encrypts the private key file, so a stolen copy is useless without it
Enter same passphrase again: ← repeat the passphrase
Your identification has been saved in /root/.ssh/id_rsa. ← if an error appears at this point it is caused by SELinux; install the policy with: yum install selinux-policy
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
aa:76:71:1e:51:fe:3b:4c:51:30:b2:90:55:e9:58:7c root@localhost.localdomain
The key's randomart image is:
+--[ RSA 2048]----+
| . ooo+o |
| ... o+. E |
| o.+ O |
| . o O |
| S. ... |
| .. o O |
| .+ . O. |
| ... . + |
| ... . |
+-----------------+
id_rsa is the private key and never leaves the management machine; id_rsa.pub is the public key, and it is the only file that gets copied to the servers you manage.
2. Generating a key with PuTTYgen
Open PuTTYgen; if you do not have the program it can be downloaded from the official PuTTY website.
Click the Generate button and then keep moving the mouse inside the blank area (the red box in the figure) until key generation completes; the mouse movement supplies the randomness for the key.
The text in the red box above is the generated public key, which is used on the managed server; the private key stays on your own machine.
Key comment is a memo field. In an enterprise environment one machine holds many public keys, so to tell them apart a comment is usually defined per person; a mailbox address or employee number works well. After entering the key comment, first copy the public key text from the window, then click Save public key and Save private key to save the two keys. Note that the file written by Save public key is in PuTTY's own format; the line that goes into authorized_keys on the server is the one displayed in the PuTTYgen window.
Then open the key agent, Pageant.exe (also available from the PuTTY website). Using Pageant has a big advantage: if you also use the other PuTTY tools they all share the key authentication, so the key does not have to be configured repeatedly.
Right-click the Pageant icon in the taskbar and choose View Keys to open the window below.
Click Add Key and add the private key you just saved.
3. Deploying the key on the managed server
Copy the id_rsa.pub just produced on the management machine to the managed server and append it to authorized_keys in the .ssh directory of the account you will log in as (the file name is authorized_keys; sshd does not read a file called Authrized.keys). Appending with cat >> rather than overwriting with cp keeps any keys that are already installed:
[root@localhost .ssh]# cat id_rsa.pub >> authorized_keys
[root@localhost .ssh]# chmod 600 authorized_keys ← this step is required: with the default StrictModes, sshd ignores an authorized_keys file, a .ssh directory or a home directory that is group- or world-writable, and the connection silently falls back to a password prompt or fails with "Permission denied (publickey)". Make sure /root/.ssh itself is mode 700 as well.
If the client is PuTTY, the key to install is the one PuTTYgen produced: open the file with vi /root/.ssh/authorized_keys, remove the id_rsa.pub line if nobody will connect with that key (sshd tries every line, so keeping both is also fine), and add the public key copied earlier from the PuTTYgen window. It is a single line consisting of "ssh-rsa", a space, the key data, a space and the comment, as in the following (wrapped here for display):
ssh-rsa aaaab3nzac1yc2eaaaabjqaaaieah+gdpvsniwbhzvmhs240aouenhigdhhczq/fhin/idaqvdh7ovw2pnj4sd6so0kqcizsu7fou2rvak7vhc3qrrymeqn94v595pyglnmcbted7onew47tu8wjtdldbc7liemktvidkcbbrzqa372/U2lsjkldu2buixkevlngnuc= hellwen.wu
Save and exit (ZZ).
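The deployment step above is where most key-login failures come from: a misspelled file name, a pasted key that is not a valid line, or permissions that StrictModes rejects. As an added example that is not part of the original page, the following script does the same installation for an account in a checked way: it validates the line, refuses duplicates, and enforces the permissions sshd requires. The function names and the sample key lines in its test are this example's own; the ssh-rsa/ssh-dss restriction reflects what the OpenSSH 4.3 shipped with CentOS 5 accepts, and the script assumes POSIX sh and awk.

```sh
#!/bin/sh
# Added example, not code from the original page: install an OpenSSH public
# key line into HOME/.ssh/authorized_keys with validation, duplicate detection
# and the permissions StrictModes demands. Assumes POSIX sh + awk.

# valid_pubkey_line LINE -> 0 when LINE looks like an OpenSSH public key:
# "<type> <base64 blob> [comment]", where the blob's embedded type (the base64
# of the length-prefixed string "ssh-rsa" or "ssh-dss") agrees with <type>.
# This catches a PuTTYgen key pasted with the wrong prefix or line-wrapped.
valid_pubkey_line() {
    printf '%s\n' "$1" | awk '
        NF < 2                                       { exit 1 }
        $1 != "ssh-rsa" && $1 != "ssh-dss"           { exit 1 }
        $2 !~ "^[A-Za-z0-9+/]+=*$"                   { exit 1 }
        $1 == "ssh-rsa" && $2 !~ /^AAAAB3NzaC1yc2E/  { exit 1 }
        $1 == "ssh-dss" && $2 !~ /^AAAAB3NzaC1kc3M/  { exit 1 }
        { exit 0 }'
}

# generate_keypair DIR COMMENT: step 1 of the text, non-interactively except
# for the passphrase prompt (no -N, so ssh-keygen asks for one).
generate_keypair() {
    mkdir -m 700 -p "$1"
    ssh-keygen -t rsa -b 2048 -C "$2" -f "$1/id_rsa"
}

# install_pubkey HOME_DIR LINE -> 0 on success. Appends LINE to
# HOME_DIR/.ssh/authorized_keys unless the same key blob is already present,
# then fixes the modes sshd checks under StrictModes.
install_pubkey() {
    home=$1; line=$2
    if ! valid_pubkey_line "$line"; then
        echo "rejected: not an OpenSSH public key line: $line" >&2
        return 1
    fi
    akdir="$home/.ssh"; ak="$akdir/authorized_keys"
    mkdir -p "$akdir"
    [ -f "$ak" ] || : > "$ak"
    blob=$(printf '%s\n' "$line" | awk '{ print $2 }')
    grep -qF -e "$blob" "$ak" || printf '%s\n' "$line" >> "$ak"
    # sshd ignores the whole file if HOME, ~/.ssh or authorized_keys is
    # group- or world-writable; the user then silently gets a password prompt.
    chmod go-w "$home"
    chmod 700 "$akdir"
    chmod 600 "$ak"
}

# count_keys HOME_DIR -> number of installed key lines
count_keys() {
    grep -c '^ssh-' "$1/.ssh/authorized_keys"
}
```

Usage on the managed server is install_pubkey /root "$(cat id_rsa.pub)" for the OpenSSH key, or install_pubkey /root 'ssh-rsa AAAA... hellwen.wu' with the line copied from PuTTYgen. Run it as the target user or fix ownership afterwards with chown, since a root-owned authorized_keys in another user's home also fails the StrictModes ownership check.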
4. Open PuTTY and log in
Pay attention to the part marked in red in the picture. If you connect to this machine often, enter the IP (and the port chosen above, 2200 in this example), then type an identifying name under Saved Sessions and click Save; the server's connection configuration is then kept in the list for future use. On the first connection PuTTY shows a security alert with the server's host key fingerprint: compare it with the fingerprint printed on the server by ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub before accepting, because that comparison is what defeats the impersonation described at the start of this page.