SSH and Sudo

Source: Internet
Author: User
Tags: glob, asymmetric encryption

Remote server management is very important: it took us out of the era of working at the physical console, where someone always had to sit beside the machine. Very early remote management used telnet, which transmits everything in plaintext, including the password sent when connecting to the server. That is bad: anyone with ill intent on the network can read it, and our server becomes an easy target.

One. SSH

SSH has a client side and a server side. The client is the tool used to connect to and manage the remote server, and it provides the interface the user interacts with; the server side listens on a port and turns the data it receives into commands that are executed on the server.

1 SSH Client

The SSH client in Linux is easy to use and needs almost no configuration. SSH tools on Windows are more complex, mainly because of the graphical tools for managing remote Linux hosts; these complex features are basically never used in production, and learning them mostly helps us build experimental environments quickly. For production, we can write scripts based on the configuration files worked out in the experimental environment and deploy to production automatically.

The basic principle of managing a host over SSH: the client does not execute any command itself, it only sends the command to the server, and the server executes it. The client only provides the management interface, either a command-line interface or a graphical one; the graphical interface simply takes the data returned by the server and renders it with a local drawing program.

    • The SSH client in Linux is the ssh command. The command format is as follows:

ssh [option] [user@]ip

An example:

[root@client ~]# ssh root@172.16.29.2 -p 22   # this command can be shortened to the one below (hostnames in the prompts were lost in extraction and are shown as client/server)
[root@client ~]# ssh 172.16.29.2              # omitting root@ logs in with the current user name (if that is not root, run su - root afterwards)
The authenticity of host '172.16.29.2 (172.16.29.2)' can't be established.
RSA key fingerprint is 6d:cd:51:17:91:d0:bc:72:d9:51:25:73:7a:5c:9e:7a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.29.2' (RSA) to the list of known hosts.
root@172.16.29.2's password:                  # enter the password of the host you are connecting to
Last login: Wed Dec  7 01:11:35 2016 from 172.16.29.255
[root@server ~]#                              # this prompt means the ssh connection succeeded; type exit to log out


SSH client configuration file; here I only quote the important configuration content.

[root@client ~]# vim /etc/ssh/ssh_config
#   Port 22   # this line configures which port on the ssh server the client connects to by default


    • There are many SSH tools for Windows; the three mainstream ones are SecureCRT, Xshell and PuTTY. PuTTY is the simplest, only a few MB in size, and implements the basic SSH functions. SecureCRT can record the login history and login password and change the font colour scheme. The most powerful is Xshell, whose various tools give a particularly good user experience. How to use these graphical tools is not covered here.

2 SSH Server Side

Only the SSH service under Linux is described here. The SSH service listens on a port and is responsible for turning what the client sends into commands to execute. SSH server configuration file; here I only write down a few of the more useful options.

[root@server ~]# vim /etc/ssh/sshd_config
#Port 22                  # the listening port
#ListenAddress 0.0.0.0    # the listening ip; by default it listens on all ip addresses of the machine
X11Forwarding yes         # whether remote sessions may call the local graphical management interface
#ClientAliveInterval 0    # keepalive interval for client connections, in seconds; 0 means no limit
#ClientAliveCountMax 3    # after this many intervals without a response, the client connection is disconnected
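The comments above say what each directive does, but what matters in practice is the value sshd actually ends up with: commented lines are ignored, and for a directive given twice sshd keeps the first occurrence, so a hardening line appended at the bottom of the file changes nothing. The following added example (my own code, not from the original post) reads a constructed sshd_config fragment with exactly the directives listed above, resolves each one to its effective value, and works out the idle-disconnect time that the ClientAlive pair produces.

```sh
#!/bin/sh
# Constructed sshd_config fragment (not a real host's file) with the
# directives discussed in this section; the keepalive pair is uncommented.
SAMPLE_SSHD_CONFIG='#Port 22
#ListenAddress 0.0.0.0
X11Forwarding yes
ClientAliveInterval 300
ClientAliveCountMax 2'

# sshd_effective DIRECTIVE DEFAULT CONFIG
# Prints the value sshd will use: lines starting with # are ignored,
# directive names are case-insensitive, and the FIRST active occurrence
# wins (later duplicates are silently ignored by sshd). If the directive
# never appears uncommented, the compiled-in DEFAULT applies.
sshd_effective() {
    value=$(printf '%s\n' "$3" | awk -v d="$1" '
        $1 !~ /^#/ && tolower($1) == tolower(d) { if (v == "") v = $2 }
        END { print v }')
    printf '%s\n' "${value:-$2}"
}

# Seconds of client silence before sshd drops the session:
# ClientAliveInterval * ClientAliveCountMax (0 means never, the default).
idle_timeout_seconds() {
    interval=$(sshd_effective ClientAliveInterval 0 "$1")
    count=$(sshd_effective ClientAliveCountMax 3 "$1")
    echo $((interval * count))
}

# Summarise the settings from this section as a reviewer would read them.
audit_sshd_config() {
    echo "Port:          $(sshd_effective Port 22 "$1")"
    echo "ListenAddress: $(sshd_effective ListenAddress 0.0.0.0 "$1")"
    echo "X11Forwarding: $(sshd_effective X11Forwarding no "$1")"
    echo "idle timeout:  $(idle_timeout_seconds "$1")s"
}

audit_sshd_config "$SAMPLE_SSHD_CONFIG"
```

For the sample fragment the report shows the default port, X11 forwarding enabled and a 600 s idle timeout; with the shipped, fully commented file the timeout is 0, i.e. dead sessions are never cleaned up.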


3 SSH Authentication

When connecting to a remote host with ssh we normally use a password. Now consider a scenario where we manage a batch of hosts that all have the same configuration: how can we run the same command on the whole batch at once (of course, nowadays there is the SSH-based Ansible

[root@client ~]# ssh-keygen -t rsa   # generate the key pair
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
1b:d1:d0:95:63:85:8f:95:78:71:90:5c:92:96:3b:… root@client
The key's randomart image is:
+--[ RSA 2048]----+
[randomart omitted]
+-----------------+
[root@client ~]# ssh-copy-id -i .ssh/id_rsa.pub 172.16.29.2   # send the public key to the managed host; afterwards you can connect to it without entering a password
root@172.16.29.2's password:
Now try logging into the machine, with "ssh '172.16.29.2'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

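
Carrying the procedure above through to the batch scenario that motivated it, here is an added example (my own script, not from the original post) that creates the key pair once, installs the public key on every host in a constructed list, and then runs one command everywhere over key-based SSH. The host list, key path and DRY_RUN switch are assumptions of the example.

```sh
#!/bin/sh
# Key-based batch administration. BatchMode=yes makes ssh fail instead of
# asking for a password, so a host that did not receive our key is reported
# as failed rather than stalling the whole batch at a prompt.
HOSTS='172.16.29.2 172.16.29.3'   # constructed list of managed hosts
KEY=${KEY:-$HOME/.ssh/id_rsa}     # key file; the page used the ssh-keygen default path
DRY_RUN=${DRY_RUN:-0}             # DRY_RUN=1 only prints the commands

run() {                 # execute a command, or just print it in dry-run mode
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

ensure_key() {          # create the key pair once; never overwrite an existing one
    [ -f "$KEY" ] || run ssh-keygen -t rsa -b 4096 -N '' -f "$KEY"
}

push_key() {            # install the public key on each host (password asked once per host)
    for h in $HOSTS; do
        run ssh-copy-id -i "$KEY.pub" "root@$h"
    done
}

run_everywhere() {      # $1 = command to run; returns the number of hosts that failed
    failed=0
    for h in $HOSTS; do
        if run ssh -o BatchMode=yes -o ConnectTimeout=5 "root@$h" "$1"; then
            echo "[ok] $h"
        else
            echo "[failed] $h"
            failed=$((failed + 1))
        fi
    done
    return $failed
}

# Usage: ensure_key && push_key && run_everywhere 'uptime'
```
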
4 SSH Tools

The ftp command transmits file data in plaintext. If we want the transfer encrypted we can use sftp; sftp is used exactly like ftp, but the data is encrypted.

After installing ssh, the scp program comes bundled with it; this command can transfer files to other hosts. An example:

[root@client ~]# scp anaconda-ks.cfg 172.16.29.2:/root
anaconda-ks.cfg                               100% 1.2KB   1.2KB/s   00:00

anaconda-ks.cfg   # the file to transfer
172.16.29.2       # the destination ip
/root             # the /root directory on the destination host; any other path can be given


The two remote transfer commands above are rather single-purpose and not very smart about what they send. There is also the rsync command: before transmitting, it checks whether the files in the target directory match the files to be transferred, skips those that are identical and transmits only the rest. The target of this command is a directory. An example:

5 SSH Proxy

We want the data we transmit to be encrypted, but the original remote transfer tool has no encryption function. In that case we can use ssh as middleware to supply the encryption; here we let ssh assist the telnet tool in transferring data. Assume an environment with the following conditions:


A is a host outside the company, and communication between A and B or C is not secure; B and C are hosts inside the company, and communication between B and C is secure. A wants to telnet to machine C (C is a telnet server).

    • Local forwarding

This situation requires host B to have an SSH server and a telnet client, and host A to have an SSH client and a telnet client. The following command encrypts access to C's telnet service; it needs to be executed on A:

ssh -L 9527:CIP:23 -N BIP

Afterwards, running telnet 127.0.0.1 9527 on A connects to the telnet service on host C.


    • Remote forwarding

This situation requires host A to have an SSH server and a telnet client, and host B to have an SSH client and a telnet client. The following command encrypts access to C's telnet service; it needs to be executed on B:

ssh -R 9527:CIP:23 -N AIP

Afterwards, running telnet 127.0.0.1 9527 on A connects to the telnet service on host C.


    • Dynamic forwarding

ssh -D <port> [user@]ip   # opens a SOCKS proxy on the local port; connections sent to it are forwarded through the ssh server

Two. Sudo

sudo configuration files: /etc/sudoers, /etc/sudoers.d/

Timestamp file: /var/db/sudo

Log file: /var/log/secure

The configuration file supports glob wildcard characters.

Authorization rule format:

user    login_host=(run_as_user)    command

(the user, the host the user logs in on, the user the command is run as, and the command that is allowed)

Example:

root    ALL=(ALL)    ALL

Summary

This section focused on managing the SSH server. Communication between SSH hosts is best done with keys; SSH can encrypt protocols that transmit in plaintext; sudo can grant specific commands to a user and supports glob matching.


This article is from "Lao Wang Linux Journey" blog, please be sure to keep this source http://oldking.blog.51cto.com/10402759/1882807
