SSH-Server Configuration Guide
I. Introduction to SSH
SSH (Secure Shell) is a protocol for secure communication between an application and a server. Because SSH is built on a mature public-key encryption system, data is encrypted in transit, which prevents it from being tampered with, corrupted or leaked along the way and effectively defeats attacks such as network sniffing and IP spoofing.
II. Installing the OpenSSH Server on Ubuntu
SSH was originally developed by a Finnish company. Because of its licensing terms and restrictions on its encryption algorithms, many people have since switched to OpenSSH, a free alternative implementation of SSH.
Log on as an administrator.
1. Use the apt command in the Ubuntu terminal:
# apt-get install openssh-server
If the download fails, the package index may be out of date. Update it and try again:
# apt-get update
2. Configure the OpenSSH server by editing its configuration file as needed:
# vi /etc/ssh/ssh_config
3. Restart the server:
# /etc/init.d/ssh restart
The OpenSSH server installation is now complete.
--------------------------------------------------------------------------------
Configure the "/etc/ssh/ssh_config" File
The "/etc/ssh/ssh_config" file is the client configuration file of the OpenSSH system. Setting different options in it changes how the client program behaves. Each line of the file contains a keyword-value pair, and the keyword is case-insensitive. The most important keywords are described below; the manual page ssh(1) gives the detailed list.
Edit the "ssh_config" file (vi /etc/ssh/ssh_config) and add or change the following parameters:
# Site-wide defaults for various options
Host *
ForwardAgent no
ForwardX11 no
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
FallBackToRsh no
UseRsh no
BatchMode no
CheckHostIP yes
StrictHostKeyChecking no
IdentityFile ~/.ssh/identity
Port 22
Cipher blowfish
EscapeChar ~
The preceding options are described as follows:
Host *
The "Host" option applies only to computers that match the pattern that follows it. "*" matches all computers.
ForwardAgent no
"ForwardAgent" sets whether the connection to the authentication agent (if any) is forwarded to the remote computer.
ForwardX11 no
"ForwardX11" sets whether X11 connections are automatically redirected over the secure channel, with DISPLAY set accordingly.
RhostsAuthentication no
"RhostsAuthentication" sets whether to use rhosts-based security verification.
RhostsRSAAuthentication no
"RhostsRSAAuthentication" sets whether to use rhosts-based authentication combined with RSA host authentication.
RSAAuthentication yes
"RSAAuthentication" sets whether to use the RSA Algorithm for security verification.
PasswordAuthentication yes
"PasswordAuthentication" sets whether to use password verification.
FallBackToRsh no
"FallBackToRsh" sets whether to fall back to rsh automatically if the ssh connection fails.
UseRsh no
"UseRsh" sets whether "rlogin/rsh" is used for this host.
BatchMode no
If "BatchMode" is set to "yes", the passphrase/password prompt (interactive password input) is disabled. This is useful for scripts and batch jobs, where a password cannot be entered interactively.
CheckHostIP yes
"CheckHostIP" sets whether ssh checks the IP address of the host it connects to, in order to detect DNS spoofing. We recommend setting it to "yes".
StrictHostKeyChecking no
If "StrictHostKeyChecking" is set to "yes", ssh will not automatically add a computer's host key to the "$HOME/.ssh/known_hosts" file, and once a computer's host key changes, the connection is refused.
IdentityFile ~/.ssh/identity
"IdentityFile" sets the file from which the user's RSA authentication identity is read.
Port 22
"Port" sets the Port to connect to the remote host.
Cipher blowfish
"Cipher" sets the cipher used to encrypt the session.
EscapeChar ~
"EscapeChar" sets the escape character.
---------------------------
Configure the "/etc/ssh/sshd_config" File
"/etc/ssh/sshd_config" is the configuration file of the OpenSSH daemon; its options change how the daemon runs. Each line of the file contains a keyword-value pair, and the keyword is case-insensitive. The most important keywords are described below; the manual page sshd(8) gives the detailed list.
Edit the "sshd_config" file (vi /etc/ssh/sshd_config) and add or change the following parameters:
# This is ssh server systemwide configuration file.
Port 22
ListenAddress 192.168.1.1
HostKey /etc/ssh/ssh_host_key
ServerKeyBits 1024
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin no
IgnoreRhosts yes
IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding no
PrintMotd yes
SyslogFacility AUTH
LogLevel INFO
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
AllowUsers admin
The preceding options are described as follows:
Port 22
"Port" sets the port number that sshd listens on.
ListenAddress 192.168.1.1
"ListenAddress" sets the IP address bound to the sshd server.
HostKey /etc/ssh/ssh_host_key
"HostKey" sets the file containing the computer's private host key.
ServerKeyBits 1024
"ServerKeyBits" defines the length of the server key in bits.
LoginGraceTime 600
"LoginGraceTime" sets the time (in seconds) the server waits before disconnecting a connection on which the user has not logged in successfully.
KeyRegenerationInterval 3600
"KeyRegenerationInterval" sets the number of seconds after which the server key is automatically regenerated (if it has been used). Regenerating the key prevents a stolen key from being used to decrypt intercepted traffic.
PermitRootLogin no
"PermitRootLogin" sets whether the root user can log on via ssh. Do not set this option to "yes ".
IgnoreRhosts yes
"IgnoreRhosts" sets whether to use the "rhosts" and "shosts" files for verification.
IgnoreUserKnownHosts yes
"IgnoreUserKnownHosts" sets whether the ssh daemon ignores the user's "$HOME/.ssh/known_hosts" file during RhostsRSAAuthentication.
StrictModes yes
"StrictModes" sets whether sshd checks the permissions and ownership of the user's home directory and rhosts files before accepting a login request. This is usually necessary, because new users often leave their directories and files writable by anyone.
X11Forwarding no
"X11Forwarding" sets whether X11 forwarding is allowed.
PrintMotd yes
"PrintMotd" sets whether sshd displays information in "/etc/motd" during user logon.
SyslogFacility AUTH
"SyslogFacility" sets the "facility code" used when logging messages from sshd.
LogLevel INFO
"LogLevel" sets the verbosity level of sshd's log messages. INFO is a good choice. See the sshd manual page for more information.
RhostsAuthentication no
"RhostsAuthentication" sets whether authentication using only rhosts or "/etc/hosts.equiv" is allowed.
RhostsRSAAuthentication no
"RhostsRSAAuthentication" sets whether authentication using rhosts or "/etc/hosts.equiv" combined with RSA is allowed.
RSAAuthentication yes
"RSAAuthentication" sets whether pure RSA authentication is allowed.
PasswordAuthentication yes
"PasswordAuthentication" sets whether password verification is allowed.
PermitEmptyPasswords no
"PermitEmptyPasswords" sets whether to allow logon with an account with an empty password.
AllowUsers admin
"AllowUsers" can be followed by any number of user name patterns, or user@host patterns, separated by spaces. The host part can be a DNS name or an IP address.
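Both files share one format (one case-insensitive keyword-value pair per line, "#" comments), so a small parser can audit an sshd_config against the values recommended above. This is an added example, not part of the original guide: the EXPECTED table, the two constructed sample files and the choice of keywords to check are the example's own; the first-occurrence-wins rule it implements is how sshd itself resolves a keyword that appears twice.

```python
"""Audit an sshd_config against the hardening values listed in this guide."""
import re

# Expected values taken from the sshd_config listing above (keys lower-cased).
EXPECTED = {
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
    "ignorerhosts": "yes",
    "strictmodes": "yes",
    "x11forwarding": "no",
}

def parse_sshd_config(text):
    """Return {keyword: value}; keywords are case-insensitive, first occurrence wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        # sshd accepts both "Keyword value" and "Keyword=value".
        m = re.match(r"^(\S+?)(?:\s*=\s*|\s+)(.+)$", line)
        if m:
            settings.setdefault(m.group(1).lower(), m.group(2).strip())
    return settings

def audit(text):
    """List (keyword, found, expected) for every keyword that is missing or mis-set."""
    settings = parse_sshd_config(text)
    return [(k, settings.get(k), want) for k, want in EXPECTED.items()
            if (settings.get(k) or "").lower() != want]

# Constructed samples: a weak file next to the corrected one.
WEAK = """\
Port 22
PermitRootLogin yes
X11Forwarding = yes
permitemptypasswords yes
PermitRootLogin no    # too late: sshd keeps the first value it saw
"""
HARDENED = """\
PermitRootLogin no
IgnoreRhosts yes
StrictModes yes
X11Forwarding no
PermitEmptyPasswords no
"""
if __name__ == "__main__":
    print("weak:", audit(WEAK))          # 5 deviations
    print("hardened:", audit(HARDENED))  # []
```

The weak sample shows why the order of lines matters: the late "PermitRootLogin no" does not repair the earlier "yes", so the audit still reports it.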
Use SFTP instead of FTP to transfer files
FTP (File Transfer Protocol) is a widely used way of transferring files over a network, but it is vulnerable to eavesdropping because it also transmits user authentication information in plaintext. The SSH software package already contains a secure file transfer subsystem called SFTP (Secure FTP). SFTP has no separate daemon of its own; it relies on the sshd daemon (port 22 by default) to set up its connections, so in a sense SFTP behaves less like a server program and more like a client program. SFTP uses the same encryption for authentication information and for the transferred data, which makes it very secure. Because this encryption and decryption costs processing time, however, SFTP transfers are much slower than FTP transfers. If you require higher network security, use SFTP instead of FTP. To enable SFTP, modify the following line in the sshd2_config file:
# Subsystem-sftp-server
Remove the "#" at the beginning of the line and restart the SSH server; SFTP can then be used to transfer files over the SSH connection.
About client settings
The preceding settings apply to the server. The SSH server package also includes some client tools (such as the ssh and sftp programs), but most client users run Windows, so this section describes the Windows client settings.
First download and install sshsecureshellclient-3.2.3.exe from the website mentioned earlier. After installation there are two shortcuts on the desktop: "SSH Secure Shell Client", used for remote management, and "SSH Secure File Transfer Client", used for transferring files to and from the server. Click "Quick Connect", enter the correct host name and user name, then enter the password in the dialog box that pops up to log on; you can then start executing commands or transferring files. When SFTP is used, only the contents of the user's home directory are shown by default and hidden files are omitted. To view other directories or hidden files, go to Settings -> File Transfer and select "Show root directory" and "Show hidden files".
Allowing ordinary users to use SFTP only, without shell access
By default, the administrator grants every account both SFTP and SSH access, and letting ordinary users execute commands in a shell is a considerable security risk. If ordinary users can only transfer files over SFTP and cannot execute shell commands, this risk is eliminated while FTP functionality is fully preserved. As mentioned above, SFTP has no daemon of its own and relies on the sshd daemon, so the SSH server must still be running.
The specific implementation is as follows:
First, the "--enable-static" option must be given when compiling and installing. After the installation succeeds, execute the following command in the bin directory under the installation directory:
[root@localhost bin]# ls -l ssh-dummy-shell* sftp-server2*
The following output is displayed:
-rwxr-xr-x 1 root 1350417 Apr 28 sftp-server2
-rwxr-xr-x 1 root 3566890 Apr 28 sftp-server2.static
-rwxr-xr-x 1 root 72388 Apr 28 ssh-dummy-shell
-rwxr-xr-x 1 root 1813412 Apr 28 ssh-dummy-shell.static
The two large files with the ".static" suffix are generated because the "--enable-static" option was added. These two files are used below.
The following describes how to add an ordinary account, "test".
1. Create a "bin" subdirectory under "/home" (or under whichever directory holds the ordinary users' home directories) and copy the two static files into it, renaming them to remove the ".static" suffix:
[root@localhost bin]# cd /usr/local/ssh3.2/bin
[root@localhost bin]# cp ssh-dummy-shell.static /home/bin/ssh-dummy-shell
[root@localhost bin]# cp sftp-server2.static /home/bin/sftp-server
[root@localhost bin]# chown -R root.root /home/bin
[root@localhost bin]# chmod -R 755 /home/bin
2. Add a group to which all users who are not allowed a shell will belong; this makes managing a larger number of such users easier:
[root@localhost bin]# groupadd template
3. Use the following commands when adding the system account:
[root@localhost root]# useradd -s /bin/ssh-dummy-shell -g template test
[root@localhost root]# passwd test
[root@localhost root]# mkdir /home/test/bin
[root@localhost root]# cd /home/test/bin
[root@localhost bin]# ln /home/bin/ssh-dummy-shell
[root@localhost bin]# ln /home/bin/sftp-server
[root@localhost bin]# chown -R root.root /home/test/bin
[root@localhost bin]# chmod -R 755 /home/test/bin
4. After the user is added, modify the /etc/ssh2/sshd2_config file and change the line:
# ChRootGroups sftp, guest
to:
ChRootGroups sftp, guest, template
This change prevents ordinary users from viewing other directories of the system and confines them to their home directories. Restart the SSH server program and log on from the client with SSH Secure File Transfer Client: even with "Show root directory" selected, an ordinary user cannot see any other directory, only their own home directory, which appears as the root directory. Note that the restriction here is applied to a user group, so every user in the template group gets this behaviour. To restrict individual users instead, modify the following line:
# ChRootUsers anonymous, ftp, guest
SSH has proven to be a very good network security solution. Nevertheless, many administrators still rely on Telnet or FTP, both very insecure tools; they should migrate to SSH as soon as possible to reduce network security risks.