Deep parsing for linux ssh (key logon details)

Source: Internet
Author: User
Tags: ftp commands, ssh remote command, free ssh, ssh server, dns spoofing

SSH stands for Secure SHell; as the name implies, it is a secure shell. The SSH protocol is a standard of the IETF (Internet Engineering Task Force) Network Working Group. Its main purpose is to replace telnet and the R-series commands (rlogin, rsh, rexec, etc.) as the tools for remote login and remote command execution, encrypting both so that passwords cannot be leaked by network sniffing and used to threaten the system. The SSH protocol currently exists in two versions, SSH1 and SSH2. The main software implementing SSH1 and SSH2 is OpenSSH and the SSH product of SSH Communications Security Corporation. The former is free software developed by the OpenBSD project, the latter is commercial software. Linux, FreeBSD, OpenBSD, NetBSD and the other free UNIX-like systems therefore use OpenSSH as their SSH implementation, and this article focuses on the use of OpenSSH. Note that the public/private key formats used by OpenSSH and by SSH Communications differ: to log on to a Linux system running OpenSSH with a key pair generated by the SSH Communications software, you must convert the key format (the command is given at the end of this article).

Before SSH existed, system administrators logged on to remote servers with telnet to perform management tasks. The telnet protocol transmits the password in plaintext and does not encrypt any of the session data, so anyone sniffing the network can easily capture passwords. Similarly, before SSH appeared the R-series commands were very popular (they all start with the letter r, which stands for remote, hence the name); rexec, for example, executes a command on a remote server.
The difference between rexec and telnet is that with telnet you must log on to the remote server before you can run a command, whereas the R-series commands combine logging on, executing the command and logging out into one operation, so you can run a command on a remote server without an interactive login. SSH is an encrypted protocol: it encrypts not only the password at login but also all data of the commands executed after login, so even someone who captures your packets on the network cannot read their contents. OpenSSH is already a standard component of most Linux and BSD operating systems (and even of Cygwin), so this article does not describe how to install it; OpenSSH is assumed to be installed on your system. The OpenSSH package contains the following commands:

sshd: the SSH server program
sftp-server: the SFTP server program (SFTP is a protocol similar to FTP, but with encrypted data transfer)
scp: a non-interactive sftp-server client, used to upload/download files to/from the server
sftp: an interactive sftp-server client, used the same way as the ftp command
slogin: an alias for ssh
ssh: the client program of the SSH protocol, used to log on to a remote system or to execute a command remotely
ssh-add: an SSH agent helper, most commonly used to add a DSA key to the agent
ssh-agent: the SSH agent
ssh-keyscan: the SSH public key scanner
ssh-keygen: the SSH key pair generator (used below)

The most basic use of ssh is to log on remotely in place of telnet. Unlike telnet, which only supports entering the system password, SSH supports several login methods, such as Password, Publickey, Keyboard Interactive and GSSAPI. Currently the most common are the traditional Password method and the Publickey method. The following uses Red Hat AS4 as an example to illustrate both.

    [root@mail ~]# ssh 172.18.6.227
    The authenticity of host '172.18.6.227 (172.18.6.227)' can't be established.
    RSA key fingerprint is 43:80:f2:e1:9b:b6:6e:c0:e2:dd:57:8f:ed:89:b3:81.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '172.18.6.227' (RSA) to the list of known hosts.
    root@172.18.6.227's password:
    Last login: Thu Jul 12 18:47:47 from 172.18.6.130
    [root@qmail ~]#

After the first login, the server's host key fingerprint is stored in the known_hosts file in the .ssh directory of the user's home directory. If the remote system is reinstalled, its fingerprint changes: delete the corresponding entry from .ssh/known_hosts, log in again and answer yes. Note that .ssh is a hidden directory (its name starts with "."), visible only with ls -a. The directory must have permission 700, and the user's home directory must not be writable by other users; otherwise the SSH server refuses the login. If you cannot log on, check the log file /var/log/secure on the server; the cause of the failure is usually found there quickly.

SSH remote command execution:

    [root@mail ~]# ssh 172.18.6.227 ls -l /
    root@172.18.6.227's password:
    total 1244
    drwxr-xr-x  2 root       4096 Jun 26       bin
    drwxr-xr-x  4 root       4096 Mar 29       boot
    drwxr-xr-x  2 root       4096 Jan 25       command
    drwxr-xr-x 15 root root  4096 Jun 12       data
    drwxr-xr-x  9 root       5360 Jul  2       dev
    drwxr-xr-x 87 root      12288 Jul 11       etc
    drwxr-xr-x 20 root       4096 Apr 10 10:54 home
    drwxr-xr-x  2 root root  4096 Aug 13  2004 initrd

After the correct password is entered, ssh connects to the sshd server program on the remote host, runs ls -l / there and sends the output back to the local machine. This is equivalent to logging on to the remote server, running ls -l /, and logging out again.
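The known_hosts maintenance described above, as an added example that is not part of the original article: the sample file, host names and key material are constructed, and in real use `ssh-keygen -R host -f file` performs the same removal. The awk version is shown because it runs without OpenSSH installed and makes the file format visible: the first field of each line is a comma-separated list of names and addresses for one host, so removing a host means removing every line whose list contains it.

```shell
#!/bin/sh
# Added example: maintain a known_hosts file from a script. The sample file
# below is constructed (hypothetical hosts, truncated key material).
KNOWN_HOSTS_SAMPLE='172.18.6.227 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAexampleOLDHOSTKEY==
mail.example.com,10.0.0.5 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAexampleKEYTWO==
10.0.0.6 ssh-dss AAAAB3NzaC1kc3MAAACBAexampleKEYTHREE=='

# known_host_count FILE HOST -> prints how many entries name HOST.
# Only plain entries are matched; hashed (|1|...) entries cannot be
# searched by name, which is one reason to prefer ssh-keygen -R in practice.
known_host_count() {
    awk -v h="$2" '
        { n = split($1, hosts, ",")
          for (i = 1; i <= n; i++) if (hosts[i] == h) { c++; break } }
        END { print c + 0 }' "$1"
}

# remove_known_host FILE HOST
# Deletes every entry naming HOST, which is what the text tells you to do
# after a server has been reinstalled and its fingerprint has changed.
# Entries that list other aliases alongside HOST are removed as a whole,
# exactly as ssh-keygen -R does.
remove_known_host() {
    file=$1; host=$2
    awk -v h="$host" '
        { n = split($1, hosts, ","); keep = 1
          for (i = 1; i <= n; i++) if (hosts[i] == h) keep = 0
          if (keep) print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Typical use after a "host key has changed" warning:
#   remove_known_host ~/.ssh/known_hosts 172.18.6.227
# then reconnect and answer yes only after confirming the new fingerprint
# with the server's administrator through another channel.
```

The confirmation step matters: the same warning appears whether the server was reinstalled or a machine in between is presenting its own key, and known_hosts is the only thing that tells the two cases apart.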
Note that if you want to run more than one command on the server, enclose the commands in single or double quotes:

    ssh 172.18.6.227 "cd /root && ls"

The remote command function of ssh replaces the original R-series commands; before ssh appeared, system administrators had to use insecure tools such as rexec and rsh for the same task. This function is very useful when managing a large number of machines. For example, to restart every server in the 10.0.0.0/24 network segment, a single command is enough:

    for I in $(seq 1 254); do ssh 10.0.0.${I} reboot; done

You may object that although you no longer need to log on to each server, you still have to type the password every time, which is a nuisance. Don't worry: the next section describes how to log on with an SSH public key instead.

Public key login: the ssh-keygen command of OpenSSH generates the private key and the public key.

    [root@mail ~]# ssh-keygen -b 1024 -t dsa -C gucuiwen@myserver.com
    Generating public/private dsa key pair.
    Enter file in which to save the key (/root/.ssh/id_dsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /root/.ssh/id_dsa.
    Your public key has been saved in /root/.ssh/id_dsa.pub.
    The key fingerprint is:
    71:e5:cb:15:d3:8c:05:ed:05:84:85:32:ce:b1:31:ce gucuiwen@myserver.com

What the prompts mean: "Generating public/private dsa key pair" says the key pair is being generated; with a length of 4096 this may take a long time. "Enter file in which to save the key" asks where to store the private and public key; press Enter to accept the default. "Enter passphrase" asks for a passphrase protecting the private key; for automatic login, enter nothing and press Enter. "Enter same passphrase again" asks you to repeat it; press Enter again. The remaining lines report that the private key and public key have been saved in /root/.ssh and show the key fingerprint.

Option description:

-b 1024: the length of the key pair in bits. The maximum is 4096; 1024 or 2048 is normally sufficient, and longer keys make encryption and decryption slower.
-t dsa: generate a DSA key pair. Besides dsa, rsa is also available; an RSA key cannot be shorter than 768 bits.
-C gucuiwen@myserver.com: a comment describing this key pair, usually replaced by the owner's email address.

    [root@mail ~]# ls -l /root/.ssh
    total 16
    -rw-------  1 root 668 Jul 12 id_dsa
    -rw-r--r--  1 root 611 Jul 12 id_dsa.pub
    -rw-r--r--  1 root 222 Jul 12 known_hosts

The generated key files are in the .ssh directory of the user's home directory; id_dsa.pub is the public key. Upload it to the .ssh directory in the home directory of the corresponding user on the server you want to log on to. Once again: the user's home directory must not be writable by others, and the .ssh directory must have permission 700, that is, nobody but the user may read or write it; otherwise the SSH server refuses the login. By default sshd reads public keys from the authorized_keys file in the user's .ssh directory, so append the generated public key to /root/.ssh/authorized_keys. This file can hold the public keys of many clients: it is like a gate with many locks, each key is tried against its own lock, and as soon as one lock opens, the gate opens. After the public key has been placed on the server in this way, log in with the private key; the private key must have permission 600, otherwise ssh refuses the login. That is basically all there is to it. Now let's look at the configuration in /etc/ssh/ssh_config and /etc/ssh/sshd_config.
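The installation and permission rules just described, as an added example that is not the article's own code: a script that appends a public key to a user's authorized_keys with exactly the permissions the text requires, and a check that reports the permission mistakes which make sshd refuse a key login (the ones you would otherwise go looking for in /var/log/secure). Home directory paths and key material used to try it out are constructed.

```shell
#!/bin/sh
# Added example: install a public key the way sshd (with StrictModes on)
# expects, and audit a home directory for the permission problems that make
# key login fail. Paths and key material in any trial run are constructed.

# perm_of PATH -> octal permission string such as 755 (GNU stat, BSD fallback)
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# install_pubkey HOME_DIR PUBKEY_FILE
# Appends the key in PUBKEY_FILE to HOME_DIR/.ssh/authorized_keys, creating
# .ssh (700) and authorized_keys (600) as needed and skipping a key that is
# already present, then clears group/other write bits on the home directory.
install_pubkey() {
    home=$1; pub=$2
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    ak="$home/.ssh/authorized_keys"
    touch "$ak" && chmod 600 "$ak"
    key=$(cat "$pub")
    # -x: whole-line match, -F: the key is a literal string, not a regex
    grep -qxF -- "$key" "$ak" || printf '%s\n' "$key" >> "$ak"
    chmod go-w "$home"
}

# check_ssh_perms HOME_DIR
# Prints one line per problem; prints nothing when the layout is acceptable.
check_ssh_perms() {
    home=$1
    hp=$(perm_of "$home")
    # a write bit for group (second-to-last digit) or others (last digit)
    case "$hp" in
        *[2367]?|*[2367]) echo "home directory $home is group/world writable ($hp)" ;;
    esac
    if [ -d "$home/.ssh" ]; then
        sp=$(perm_of "$home/.ssh")
        [ "$sp" = "700" ] || echo ".ssh has mode $sp, expected 700"
        if [ -f "$home/.ssh/authorized_keys" ]; then
            ap=$(perm_of "$home/.ssh/authorized_keys")
            [ "$ap" = "600" ] || echo "authorized_keys has mode $ap, expected 600"
        fi
        # private keys (id_dsa, id_rsa, ...) must not be readable by others
        for k in "$home"/.ssh/id_*; do
            case "$k" in *.pub) continue ;; esac
            [ -f "$k" ] || continue
            kp=$(perm_of "$k")
            [ "$kp" = "600" ] || echo "private key $k has mode $kp, expected 600"
        done
    else
        echo "$home/.ssh does not exist"
    fi
}

# Typical use on the server, as root, for the account that will accept the key:
#   install_pubkey /home/admin /tmp/id_dsa.pub
#   check_ssh_perms /home/admin
```

Run check_ssh_perms on the client side as well: the private key check applies there, and a home directory writable by others breaks key login in both directions.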
/etc/ssh/ssh_config:

Host *
    "Host" restricts the options that follow to hosts matching the pattern; "*" means all hosts.
ForwardAgent no
    Whether the connection to the authentication agent (if any) is forwarded to the remote machine.
ForwardX11 no
    Whether X11 connections are automatically redirected over the secure channel, with DISPLAY set.
RhostsAuthentication no
    Whether rhosts-based authentication is used.
RhostsRSAAuthentication no
    Whether rhosts-based authentication combined with RSA is used.
RSAAuthentication yes
    Whether RSA authentication is used.
PasswordAuthentication yes
    Whether password authentication is used.
FallBackToRsh no
    Whether to fall back to rsh automatically if the ssh connection fails.
UseRsh no
    Whether rlogin/rsh is used on this machine.
BatchMode no
    If set to "yes", passphrase/password prompts (interactive password input) are disabled. This is useful for scripts and batch jobs, where a password cannot be typed interactively.
CheckHostIP yes
    Whether ssh also checks the IP address of the server in known_hosts, to detect DNS spoofing. Setting it to "yes" is recommended.
StrictHostKeyChecking no
    If set to "yes", ssh never adds host keys to $HOME/.ssh/known_hosts automatically, and refuses to connect once a host's key has changed.
IdentityFile ~/.ssh/identity
    The file from which the user's RSA identity is read.
Port 22
    The port to connect to on the remote host.
Cipher blowfish
    The cipher used for encryption.
EscapeChar ~
    The escape character.
/etc/ssh/sshd_config:

Port 22
    The port on which sshd listens.
ListenAddress 192.168.1.1
    The IP address the sshd server binds to.
HostKey /etc/ssh/ssh_host_key
    The file containing the host's private key.
ServerKeyBits 1024
    The number of bits in the server key.
LoginGraceTime 600
    How long (in seconds) the server waits before disconnecting if the user has not logged on successfully.
KeyRegenerationInterval 3600
    After how many seconds the server key is regenerated (if it has been used). Regenerating the key prevents captured traffic from being decrypted later with a stolen key.
PermitRootLogin no
    Whether root may log on via ssh. Do not set this option to "yes".
IgnoreRhosts yes
    Whether the "rhosts" and "shosts" files are ignored during authentication.
IgnoreUserKnownHosts yes
    Whether the ssh daemon ignores the user's "$HOME/.ssh/known_hosts" file.
StrictModes yes
    Whether sshd checks the permissions and ownership of the user's home directory and rhosts file before accepting a login. This is usually necessary, because new users often leave their directories and files writable by everyone.
X11Forwarding no
    Whether X11 forwarding is allowed.
PrintMotd yes
    Whether sshd displays the contents of "/etc/motd" when the user logs on.
SyslogFacility AUTH
    The "facility code" used when logging messages from sshd.
LogLevel INFO
    The logging level for sshd messages. INFO is a good choice; see the sshd man page for more information.
RhostsAuthentication no
    Whether rhosts or "/etc/hosts.equiv" alone is sufficient for authentication.
RhostsRSAAuthentication no
    Whether authentication with rhosts or "/etc/hosts.equiv" combined with RSA is allowed.
RSAAuthentication yes
    Whether pure RSA authentication is allowed.
PasswordAuthentication yes
    Whether password authentication is allowed.
PermitEmptyPasswords no
    Whether accounts with an empty password may log on.
AllowUsers admin
    May be followed by any number of user names or user@host patterns, separated by spaces. The host may be a DNS name or an IP address.

To convert a public key in the SSH2 format (SSH Communications) to the OpenSSH format and add it to the authorized keys (">>" appends; ">" would overwrite the keys already in the file):

    ssh-keygen -i -f identity.pub >> /root/.ssh/authorized_keys2
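An added example, not part of the original article: a small audit that reads an sshd_config and reports the settings the text singles out (PermitRootLogin, PermitEmptyPasswords, StrictModes, and PasswordAuthentication once public key login is working and passwords are no longer needed). The configuration excerpt is constructed. Like sshd, the parser takes the first occurrence of a keyword, compares keywords case-insensitively and ignores comments and leading whitespace; Match blocks are not handled.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the settings the article flags.
# The excerpt below is constructed, not a real server's configuration.
SSHD_CONFIG_SAMPLE='# constructed sshd_config excerpt
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
  strictmodes   no
#PermitEmptyPasswords yes
LogLevel INFO'

# sshd_get FILE KEYWORD -> prints the effective value of KEYWORD, or nothing.
# sshd uses the first occurrence of a keyword, matches keywords without
# regard to case, and ignores comment lines and leading whitespace.
# (Match blocks are not handled here.)
sshd_get() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == k { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE
# Prints one finding per line; prints nothing when everything is as recommended.
# A keyword that is not set at all is reported as well, so that the value in
# force does not depend on the defaults of the installed OpenSSH version.
audit_sshd_config() {
    f=$1
    want() {   # want KEYWORD RECOMMENDED REASON
        v=$(sshd_get "$f" "$1")
        [ -n "$v" ] || v="(not set)"
        [ "$v" = "$2" ] || echo "$1 is $v, recommended $2: $3"
    }
    want PermitRootLogin no "never let root log on directly"
    want PermitEmptyPasswords no "accounts without a password must not log on"
    want StrictModes yes "refuse keys in world-writable home directories"
    want PasswordAuthentication no "with key login in place, a sniffed or guessed password is useless"
}

# Typical use on the server:
#   audit_sshd_config /etc/ssh/sshd_config
```

Because sshd honours only the first occurrence of a keyword, a hardening line appended at the end of a file that already contains "PermitRootLogin yes" near the top changes nothing; the audit reports the value that is actually in force.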
