Common Linux services: SSH and SSH public key authentication

I. Installation

ssh (Secure Shell) is installed by default. The package name is openssh; if it is missing, install the binary packages with yum (there is no need to build from the source tarball):

[root@localhost logs]# yum install openssh
....................................
Downloading Packages:
(1/4): openssh-5.3p1-84.1.el6.x86_64         | 236 kB
(2/4): openssh-askpass-5.3p1-84.1.el6.x86_64 |  53 kB
(3/4): openssh-clients-5.3p1-84.1.el6.x86_64 | 355 kB
(4/4): openssh-server-5.3p1-84.1.el6.x86_64  | 299 kB
........................

II. SSH-related files

1. /etc/ssh/sshd_config -- the main configuration file of the sshd service; practically every server-side setting lives here. Below is the stock Red Hat file with notes (after "--") on the options that matter. Keep the rule sshd applies in mind: options are listed with their default value but commented out, only an uncommented line changes a default, and for each keyword the first uncommented occurrence wins.

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22                    -- sshd listens on TCP port 22 by default. The article recommends moving it to another port; that only reduces scanner noise in the logs and is not an access control.
#AddressFamily any
#ListenAddress 0.0.0.0      -- the local address sshd binds to. ListenAddress 192.168.1.1 makes sshd accept connections only on that interface; it does not restrict which clients may connect (use a firewall or TCP wrappers for that).
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2                  -- protocol version; only version 2 is enabled here. Protocol 1 has known weaknesses and should stay off.

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h -- how often the protocol 1 ephemeral server key is regenerated (it does not reconnect clients every hour). Irrelevant with Protocol 2.
#ServerKeyBits 1024         -- size of that protocol 1 server key; also irrelevant with Protocol 2.

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV     -- logins and failures are sent to syslog's authpriv facility, i.e. /var/log/secure on Red Hat.
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m          -- a client that has not authenticated within two minutes is disconnected.
#PermitRootLogin yes        -- whether root may log in over ssh. Allowed by default in this version; set it to no and log in as an unprivileged user, then su/sudo.
#StrictModes yes            -- before accepting a login, sshd checks ownership and modes of the user's home, ~/.ssh and authorized_keys and rejects the login if they are group- or world-writable. Leave it on; it is the usual reason a key login "mysteriously" still asks for a password.
#MaxAuthTries 6             -- maximum authentication attempts per connection, for any user (not only root); once half of them have failed, the remaining failures are logged.
#MaxSessions 10             -- maximum sessions (shells, sftp, forwardings) multiplexed over one network connection.

#RSAAuthentication yes      -- RSA key authentication, protocol 1 only.
#PubkeyAuthentication yes   -- public key authentication, protocol 2 only. Keep it enabled.
#AuthorizedKeysFile .ssh/authorized_keys   -- file holding the public keys allowed to log in, relative to the user's home directory.
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no -- rhosts plus RSA host-key authentication (protocol 1 only); trust based on the client's host name, keep it off.
# similar for protocol version 2
#HostbasedAuthentication no -- the protocol 2 equivalent; keep it off.
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no    -- whether sshd ignores the user's ~/.ssh/known_hosts when doing host-based authentication.
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes -- whether password authentication is allowed (default yes).
#PermitEmptyPasswords no    -- never let accounts with an empty password log in.
PasswordAuthentication yes  -- explicitly enabled here. Once keys are deployed, set it to no so password guessing cannot succeed at all.

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no   -- challenge/response authentication (s/key, one-time passwords, PAM conversations) is disabled.

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes                  -- enable PAM for account and session processing, and for password/challenge authentication through PAM. Note the warning above: with ChallengeResponseAuthentication yes, PAM can get around "PermitRootLogin without-password".

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS        -- the only environment variables a client may set on the server side; anything not listed here is dropped.
#PrintMotd yes              -- print /etc/motd after login.
#PrintLastLog yes           -- print the date and source of the user's last login.
#TCPKeepAlive yes           -- send TCP keepalive messages so that a dead peer or a broken network is noticed and the session closed instead of hanging forever.
#UseLogin no
#UsePrivilegeSeparation yes -- after authentication sshd hands the session to an unprivileged child process, which limits the damage of a bug in sshd. Keep it on.
#PermitUserEnvironment no
#PidFile /var/run/sshd.pid
#MaxStartups 10             -- maximum number of concurrent connections that have not yet authenticated; further connection attempts are dropped (limits connection floods).
#PermitTunnel no
#ChrootDirectory none

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server   -- enables the sftp subsystem.

++++++ The above is the sshd server; below is the client ++++++

2. /etc/ssh/ssh_config -- the system-wide ssh client configuration file. The values here are defaults; per-user ~/.ssh/config and command-line options override them.

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Host *                    -- the options that follow apply to hosts matching this pattern; "*" matches every host. Separate Host blocks let you keep different settings per destination.
#   ForwardAgent no         -- whether the connection to your local authentication agent is forwarded to the remote host. Keep it off for hosts you do not fully trust: root on the remote host can use the forwarded agent to authenticate as you elsewhere.
#   ForwardX11 no           -- whether X11 connections are tunnelled through the ssh channel automatically, with DISPLAY set on the remote side.
#   RhostsRSAAuthentication no   -- rhosts-based authentication with RSA host keys (protocol 1).
#   RSAAuthentication yes   -- RSA key authentication (protocol 1).
#   PasswordAuthentication yes   -- whether the client will try password authentication.
#   CheckHostIP yes         -- also record and check the server's IP address in known_hosts, so a DNS change that points the name at a different machine is noticed.
#   AddressFamily any
#   ConnectTimeout 0        -- connection timeout in seconds (0 = the system's TCP timeout).
#   StrictHostKeyChecking ask    -- ask before adding an unknown host key, and refuse to connect to a host whose key has changed.
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa   -- private keys tried for public key authentication.
#   Port 22                 -- port to connect to on the remote host.
#   Protocol 2,1            -- protocol versions to try.
#   Cipher 3des             -- protocol 1 cipher.
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc   -- protocol 2 ciphers, in order of preference.
#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160   -- integrity algorithms. These are the OpenSSH 5.3 defaults; later releases dropped arcfour, the CBC ciphers and HMAC-MD5 from their defaults, and on this version you should likewise prefer the AES CTR ciphers.
#   EscapeChar ~            -- escape character for the interactive session (~. disconnects, ~# lists forwarded connections).
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
Host *
	GSSAPIAuthentication yes
# If this option is set to yes then remote X11 clients will have full access
# to the original X11 display. As virtually no X11 client supports the untrusted
# mode correctly we set this to yes.
	ForwardX11Trusted yes   -- when X11 is forwarded, the remote side gets full access to your local display (including other X clients' keystrokes). Only use -X against hosts you trust.
# Send locale-related environment variables
	SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
	SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
	SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
	SendEnv XMODIFIERS      -- locale variables the client offers to the server; the server only accepts the ones in its AcceptEnv list.

++++++

3. ~/.ssh/known_hosts -- ssh records the public host key of every machine you have connected to in ~/.ssh/known_hosts. On the next connection OpenSSH compares the key the server presents with the recorded one; if it differs, it prints a warning and (with StrictHostKeyChecking ask or yes) refuses to connect. This is what protects you against DNS hijacking and man-in-the-middle attacks. The weak point is the first connection: verify the fingerprint shown in the "authenticity can't be established" prompt out of band before answering yes.

III. Controlling the ssh service

Start the service:   service sshd start
Stop the service:    service sshd stop
Restart the service: service sshd restart

[root@localhost softs]# netstat -anpt | grep sshd       -- check that sshd is listening on port 22
tcp        0      0 0.0.0.0:22        0.0.0.0:*         LISTEN      2854/sshd

Commonly used ssh options: -l specifies the user, -p the port number, -X enables X11 forwarding.

[root@localhost softs]# ssh root@192.168.254.46
The authenticity of host '192.168.254.46 (192.168.254.46)' can't be established.
RSA key fingerprint is 18:5f:3e:08:d0:a7:f1:93:f9:34:63:41:31:24:2a:02.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.254.46' (RSA) to the list of known hosts.
root@192.168.254.46's password:            -- enter the password
Last login: Wed Oct 23 10:20:19 2013 from 192.168.254.152     -- login successful
[root@localhost ~]# exit                   -- close the ssh connection
logout
Connection to 192.168.254.46 closed.
[root@localhost softs]# ssh -p 22 -l root 192.168.254.46      -- -p defaults to 22 and can be omitted
root@192.168.254.46's password:
[root@localhost softs]# ssh 192.168.254.46                    -- with no user given, the local user name (root here) is used
root@192.168.254.46's password:
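The sshd_config options singled out in section II (Protocol, PermitRootLogin, PasswordAuthentication, PermitEmptyPasswords, MaxAuthTries) can be checked mechanically. The script below is an added example written for this page, not code from the original article or from OpenSSH. It audits a constructed sshd_config fragment embedded in the script, applying the rule sshd itself uses (the first uncommented occurrence of a keyword wins, commented lines are ignored). The file name SAMPLE_SSHD_CONFIG and the functions sshd_effective, audit_sshd_config and count_sshd_findings are this example's own names; the defaults it assumes for unset keywords are those of OpenSSH 5.x, the version the page's configs come from.

```sh
#!/bin/sh
# Added example: audit an sshd_config for the weak settings discussed above.
# Not code from the original article or from OpenSSH.

# Constructed sshd_config fragment (example data, not taken from a real host).
SAMPLE_SSHD_CONFIG=$(mktemp)
cat > "$SAMPLE_SSHD_CONFIG" <<'EOF'
# Port 22                   (commented out: still the compiled-in default)
Protocol 2,1
#PermitRootLogin no         (commented out, so it does NOT take effect)
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 6
UsePAM yes
EOF

# Effective value of a keyword. sshd uses the FIRST uncommented occurrence
# of a keyword and ignores later ones, so print the first match and stop.
# Prints nothing when the keyword is unset (the compiled-in default applies).
# Handles the "Keyword value" spelling only, not "Keyword=value".
sshd_effective() {   # $1 = config file, $2 = keyword (case-insensitive)
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Print one finding per weak setting. An empty value means "unset"; the
# defaults assumed for unset keywords are those of OpenSSH 5.x (assumption
# of this example; newer releases changed some of them, e.g. PermitRootLogin
# now defaults to prohibit-password).
audit_sshd_config() {   # $1 = config file
    f=$1
    v=$(sshd_effective "$f" Protocol)
    case "$v" in
        *1*) echo "Protocol $v: protocol 1 enabled, set 'Protocol 2'" ;;
    esac
    v=$(sshd_effective "$f" PermitRootLogin)
    case "${v:-yes}" in
        yes) echo "PermitRootLogin yes: set it to no, log in unprivileged and use su/sudo" ;;
    esac
    v=$(sshd_effective "$f" PasswordAuthentication)
    case "${v:-yes}" in
        yes) echo "PasswordAuthentication yes: set it to no once keys are deployed" ;;
    esac
    v=$(sshd_effective "$f" PermitEmptyPasswords)
    case "$v" in
        yes) echo "PermitEmptyPasswords yes: set it to no" ;;
    esac
    v=$(sshd_effective "$f" MaxAuthTries)
    if [ -n "$v" ] && [ "$v" -gt 6 ]; then
        echo "MaxAuthTries $v: more than the default 6 attempts per connection"
    fi
    return 0
}

# Number of findings, for scripting (0 = nothing flagged).
count_sshd_findings() {   # $1 = config file
    audit_sshd_config "$1" | wc -l | tr -d ' '
}

audit_sshd_config "$SAMPLE_SSHD_CONFIG"
echo "findings: $(count_sshd_findings "$SAMPLE_SSHD_CONFIG")"
```

Run it against /etc/ssh/sshd_config instead of the sample to audit a real host. The sample deliberately contains a commented "#PermitRootLogin no" above an uncommented "PermitRootLogin yes": the audit reports the latter, which is also what sshd enforces.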
IV. SSH public key authentication

1. Generate the key pair

[root@localhost ~]# lsb_release -a         -- the Linux version on the client
LSB Version:    core-3.1-ia32:core-3.1-noarch:graphics-3.1-ia32:graphics-3.1-noarch
Distributor ID: RedHatEnterpriseServer
Description:    Red Hat Enterprise Linux Server release 5.5 (Tikanga)
Release:        5.5
Codename:       Tikanga
[root@localhost ~]# ssh-keygen -t rsa      -- generate an RSA key pair
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):     -- name of the private key file; press Enter to keep the default
Enter passphrase (empty for no passphrase):                  -- passphrase protecting the private key; press Enter to leave it unprotected
Enter same passphrase again:                                 -- repeat it to confirm
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
d3:41:dd:41:56:a2:ca:7a:81:9a:64:74:d7:df:32:9e root@localhost.localdomain
[root@localhost ~]# ll /root/.ssh/
total 12
-rw------- 1 root root 1675 10-23 id_rsa         -- the generated private key (mode 600; never copy it anywhere)
-rw-r--r-- 1 root root  408 10-23 id_rsa.pub     -- the generated public key
-rw-r--r-- 1 root root  396 10-23 known_hosts    -- host keys recorded from earlier logins

An empty passphrase means anyone who obtains id_rsa can log in as you. For interactive use, set a passphrase and let ssh-agent cache the unlocked key.

2. Copy the public key to the remote host

[root@localhost ~]# scp ~/.ssh/id_rsa.pub root@192.168.254.46:~/.ssh/authorized_keys   -- copy the public key into the remote user's .ssh directory under the name authorized_keys (scp ships with openssh)
root@192.168.254.46's password:            -- enter the remote host's password
id_rsa.pub                          100%  408     0.4KB/s   00:00

This works on a fresh account, but note two things: it overwrites any authorized_keys already present on the remote host (other keys are lost), and the remote ~/.ssh directory must already exist. Appending to the file, or using ssh-copy-id as shown below, avoids both problems.

3. Log in to the remote host

[root@localhost ~]# ssh 192.168.254.46
root@192.168.254.46's password:

If a password is still requested after the key has been copied, check the permissions on the remote side: with StrictModes (the default) sshd ignores authorized_keys when the home directory or ~/.ssh is writable by others. ~/.ssh should be mode 700 and authorized_keys 600, and /var/log/secure on the server states why a key was rejected.

Check the system version of that host:

[root@localhost ~]# cat /proc/version
Linux version 2.6.32-71.el6.x86_64 (mockbuild@c6b6.centos.org) (gcc version 4.4.4 20100726 (Red Hat 4.4.4-13) (GCC) ) #1 SMP Fri May 20 03:51:51 BST 2011

Now generate a key pair on this host as well, and push its public key to 192.168.254.153 with ssh-copy-id, the other way of transferring a public key:

[root@localhost ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
6b:35:ba:70:2d:06:ee:3e:80:37:7b:ee:9c:1f:c1:2e root@localhost.localdomain
The key's randomart image is:
+--[ RSA 2048]----+
(ASCII art omitted)
+-----------------+
[root@localhost ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@192.168.254.153     -- upload the public key to 192.168.254.153
The authenticity of host '192.168.254.153 (192.168.254.153)' can't be established.
RSA key fingerprint is 4d:24:b3:e8:82:11:bf:e1:a0:0c:45:27:57:8e:a1:c8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.254.153' (RSA) to the list of known hosts.
root@192.168.254.153's password:           -- enter the password for 192.168.254.153
Now try logging into the machine, with "ssh 'root@192.168.254.153'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

[root@localhost ~]# ssh root@192.168.254.153
Last login: Wed Oct 23 09:55:54 2013 from 192.168.254.152     -- logged in directly, no password required

ssh-copy-id appends to the remote authorized_keys (creating ~/.ssh with suitable modes if needed) instead of replacing it. As its own message says, look at the remote authorized_keys afterwards to make sure only the keys you expect are there.

V. Using the ssh client

The client commands are mainly ssh, scp and sftp.

1. ssh: ssh root@192.168.0.12 logs in to the remote host as root.

2. scp copies files between machines over the secure, encrypted ssh connection; it is the counterpart of rcp.
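In section IV the public key was delivered with scp straight onto authorized_keys, which replaces the file. The shell functions below are an added example written for this page (not code from the original article, nor from OpenSSH's ssh-copy-id) that install a key the careful way: validate the line, create ~/.ssh with the modes StrictModes expects, append rather than overwrite, and skip a key that is already present. SAMPLE_PUBKEY is a constructed placeholder in the shape of an id_rsa.pub line and will not authenticate anywhere; the function names and the scratch home directory are assumptions of this example.

```sh
#!/bin/sh
# Added example: install a public key the way ssh-copy-id does, rather than
# overwriting authorized_keys with scp. Not code from the article or OpenSSH.

# Constructed placeholder public key (the shape of an id_rsa.pub line; the
# key material is made up and will not authenticate anywhere).
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCconstructedPLACEHOLDERkeyMATERIAL00000000= root@client.example'

# Install one public key line for the account whose home directory is $1.
# - refuses lines that do not start with a known key type
# - creates ~/.ssh if needed and sets the modes StrictModes expects
#   (~/.ssh 700, authorized_keys 600)
# - appends instead of overwriting, and skips a key that is already present
#   (compared on type + key material, so a differing comment is ignored)
# Option-prefixed lines (from="...", command="...") are not handled here.
install_authorized_key() {   # $1 = home dir, $2 = public key line
    home=$1; keyline=$2
    set -- $keyline
    ktype=$1; kdata=$2
    case "$ktype" in
        ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "refused: '$ktype' is not a public key type" >&2; return 1 ;;
    esac
    if [ -z "$kdata" ]; then
        echo "refused: missing key material" >&2; return 1
    fi
    sshdir="$home/.ssh"; akfile="$sshdir/authorized_keys"
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    [ -f "$akfile" ] || : > "$akfile"
    chmod 600 "$akfile" || return 1
    if grep -q -F -- "$ktype $kdata" "$akfile"; then
        echo "already present"
        return 0
    fi
    printf '%s\n' "$keyline" >> "$akfile"
    echo "installed"
}

# Number of keys (non-empty, non-comment lines) in the account's authorized_keys.
count_authorized_keys() {   # $1 = home dir
    f="$1/.ssh/authorized_keys"
    [ -f "$f" ] || { echo 0; return 0; }
    grep -v '^[[:space:]]*#' "$f" | grep -c '[^[:space:]]' || true
}

# Key type and comment of each installed key, one per line (material omitted).
list_authorized_keys() {   # $1 = home dir
    awk 'NF >= 2 && $1 !~ /^#/ { printf "%s %s\n", $1, ($3 == "" ? "(no comment)" : $3) }' \
        "$1/.ssh/authorized_keys"
}

# Demonstration against a scratch home directory.
DEMO_HOME=$(mktemp -d)
install_authorized_key "$DEMO_HOME" "$SAMPLE_PUBKEY"   # installed
install_authorized_key "$DEMO_HOME" "$SAMPLE_PUBKEY"   # already present
install_authorized_key "$DEMO_HOME" "not a key at all" || echo "bad input rejected"
list_authorized_keys "$DEMO_HOME"
echo "keys: $(count_authorized_keys "$DEMO_HOME")"
ls -ld "$DEMO_HOME/.ssh" "$DEMO_HOME/.ssh/authorized_keys"
```

To use it on a real account, run it as that user (or as root with the target home directory) with the contents of the client's id_rsa.pub as the second argument; list_authorized_keys afterwards is the "check for keys you weren't expecting" step that ssh-copy-id recommends.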
The general syntax for transferring a file is

scp localfile username@hostip:/newfilename

where localfile is the local file name, username the user on the remote host and hostip the remote host's IP address. Example:

scp /var/log/httpd/access.log root@192.168.1.115:/var/log/

uploads the local /var/log/httpd/access.log into /var/log/ on the remote host.

3. sftp opens a secure interactive ftp-style session. It behaves like ftp but runs over the encrypted ssh connection (the sftp subsystem enabled in sshd_config above). The general syntax is sftp username@hostname.

[root@localhost .ssh]# sftp 192.168.254.153     -- no password is requested because the public key was installed on 192.168.254.153
Connecting to 192.168.254.153...
sftp> ls                                         -- list the remote files
Desktop                                 anaconda-ks.cfg
glibc-2.7-2.i386.rpm                    glibc-common-2.7-2.i386.rpm
glibc-devel-2.7-2.i386.rpm              glibc-headers-2.7-2.i386.rpm
index.php                               install.log
install.log.syslog                      jdk1.7.0
mbox                                    my.cnf
phpMyAdmin-4.0.8-all-languages.tar.gz
sftp> get my.cnf                                 -- download a file
Fetching /root/my.cnf to my.cnf
/root/my.cnf                          100% 4920     4.8KB/s   00:00
sftp> quit

VI. Access control

/etc/hosts.allow and /etc/hosts.deny (TCP wrappers) control remote access to services: they allow or deny a single IP address or an address block for a given service. sshd on this system is linked against libwrap, so it consults both files for every incoming connection.

[root@localhost .ssh]# vi /etc/hosts.allow
sshd: 192.168.0.: allow       -- allow the whole 192.168.0.0/24 block to reach sshd (a pattern ending in "." matches an address prefix; see hosts_access(5))
sshd: 192.168.1.15: allow     -- allow this single address
[root@localhost .ssh]# vi /etc/hosts.deny
sshd: ALL: deny               -- reject ssh connections from everyone else

Which file wins when the two conflict? The rule is: hosts.allow is checked first, and access is granted if a matching entry is found there; otherwise hosts.deny is checked, and access is denied if a matching entry is found there; if neither file matches, access is granted. So an entry in hosts.allow always takes precedence over hosts.deny, and the usual pattern is to deny everything in hosts.deny and list the exceptions in hosts.allow. (The trailing ": allow" / ": deny" is the extended option syntax from hosts_options(5); it lets a line override the meaning its file would otherwise imply, e.g. an explicit deny inside hosts.allow.)

Note: no service restart is needed after editing these two files. libwrap re-reads hosts.allow and hosts.deny on every connection, so a change applies to the next connection; restarting xinetd only matters for services that are started through xinetd, which sshd is not. Also be aware that OpenSSH removed TCP wrappers support in release 6.7, so on current systems restrict sources with firewall rules or with Match Address blocks in sshd_config instead.
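The precedence rule above (hosts.allow first, then hosts.deny, then allow) is easy to get wrong when both files carry explicit options. The script below is an added example written for this page, not code from the original article or from libwrap; it reproduces that decision for a subset of the hosts_access(5) syntax ("daemon_list : client_list [: allow|deny]", with ALL, exact addresses, trailing-dot prefixes and comma-separated lists) and runs it over two constructed sample files. The file and function names (SAMPLE_HOSTS_ALLOW, SAMPLE_HOSTS_DENY, hosts_access and its helpers) are this example's own; netmask, hostname and netgroup patterns are not implemented.

```sh
#!/bin/sh
# Added example: the hosts.allow / hosts.deny decision described above,
# reproduced in shell so the precedence rule can be tried on sample files.
# Not code from the article or from libwrap; it covers a subset of the
# hosts_access(5) syntax: "daemon_list : client_list [: allow|deny]" with
# ALL, exact addresses, trailing-dot prefixes and comma-separated lists.

# Constructed sample files (example data, not from a real host).
SAMPLE_HOSTS_ALLOW=$(mktemp)
SAMPLE_HOSTS_DENY=$(mktemp)
cat > "$SAMPLE_HOSTS_ALLOW" <<'EOF'
# whole 192.168.0.0/24 block, one single host, and an explicit exception
sshd: 192.168.0.
sshd, sftpd: 192.168.1.15
sshd: 10.0.0.: deny
EOF
cat > "$SAMPLE_HOSTS_DENY" <<'EOF'
sshd: ALL
EOF

# Does one pattern match a daemon name or client address?
wrap_match() {   # $1 = pattern, $2 = value
    case "$1" in
        ALL|all) return 0 ;;
        *.)      case "$2" in "$1"*) return 0 ;; esac; return 1 ;;   # trailing dot = address prefix
        *)       [ "$1" = "$2" ] ;;
    esac
}

# Does any pattern of a comma/space separated list match the value?
wrap_list_match() {   # $1 = pattern list, $2 = value
    for p in $(printf '%s' "$1" | tr ',' ' '); do
        wrap_match "$p" "$2" && return 0
    done
    return 1
}

# Print the verdict of the first line in file $1 that matches daemon $3 from
# client $4: the line's explicit allow/deny option if it has one, otherwise
# $2 (the verdict implied by the file it is in). Prints nothing if no line matches.
wrap_file_verdict() {   # $1 = file, $2 = implied verdict, $3 = daemon, $4 = client
    [ -f "$1" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                                  # strip comments
        daemons=$(printf '%s' "$line" | cut -d: -f1)
        clients=$(printf '%s' "$line" | cut -d: -f2)
        option=$(printf '%s' "$line" | cut -d: -f3 | tr -d '[:space:]')
        wrap_list_match "$daemons" "$3" || continue
        wrap_list_match "$clients" "$4" || continue
        case "$option" in
            allow|deny) echo "$option" ;;
            *)          echo "$2" ;;
        esac
        return 0
    done < "$1"
    return 0
}

# The rule: hosts.allow first, a match there decides. Otherwise hosts.deny,
# a match there decides. No match in either file: access is granted.
hosts_access() {   # $1 = hosts.allow, $2 = hosts.deny, $3 = daemon, $4 = client address
    verdict=$(wrap_file_verdict "$1" allow "$3" "$4")
    [ -n "$verdict" ] || verdict=$(wrap_file_verdict "$2" deny "$3" "$4")
    echo "${verdict:-allow}"
}

for client in 192.168.0.77 192.168.1.15 10.0.0.9 172.16.0.1; do
    echo "sshd from $client: $(hosts_access "$SAMPLE_HOSTS_ALLOW" "$SAMPLE_HOSTS_DENY" sshd "$client")"
done
echo "vsftpd from 172.16.0.1: $(hosts_access "$SAMPLE_HOSTS_ALLOW" "$SAMPLE_HOSTS_DENY" vsftpd 172.16.0.1)"
```

Point it at /etc/hosts.allow and /etc/hosts.deny to predict what a real host would do for a given client before you lock yourself out. The last query shows the trap in the default rule: a daemon that is mentioned in neither file is reachable from anywhere, so "ALL: ALL" in hosts.deny is the safer baseline than a per-service entry.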