SSH for building an embedded environment
Author: Tiger-John
Time: 2013-6-20
Mail: jibo.tiger@gmail.com
Blog: http://blog.csdn.net/tigerjb/article/details/9195759
Please indicate the source when reprinting.
I am about to graduate. Before leaving I helped my mentor set up a Gerrit and git server and summarized what I learned about SSH. I hope it helps you.
I. Preface (Reasons for the birth of SSH)
Everything exists for a reason, and SSH is no exception.
Many network programs such as telnet, rsh, rlogin and rexec send passwords and other secrets in plain text, so anyone with a machine on the same network path can sniff the traffic between these programs and the server and read the password. Remote shell access is still essential for daily administration, but telnet is not safe for it. What should replace it?
II. Introduction to SSH
SSH stands for Secure Shell. SSH encrypts all transmitted data, and, provided the client verifies the server's host key, a man-in-the-middle cannot read or alter the session and DNS or IP spoofing cannot silently redirect it to an impostor. A further advantage is that the data can be compressed, which can speed up transfers over slow links. SSH has many functions: it replaces telnet, and it provides a secure channel for other protocols such as FTP, POP and even PPP.
SSH was originally developed in Finland by Tatu Ylönen. Two protocol versions exist, SSH1 and SSH2. SSH1 has known cryptographic weaknesses and should not be enabled (current OpenSSH releases no longer support it), so everything below refers to SSH2. The main implementations are OpenSSH and the commercial product of SSH Communications Security. OpenSSH is free software developed by the OpenBSD project, so on Linux, FreeBSD, OpenBSD, NetBSD and other free UNIX-like systems it is the usual implementation, and this article focuses on it. Note that the public key formats used by OpenSSH and by SSH Communications differ: to log on to a Linux system running OpenSSH with a key pair generated by SSH Communications, convert the public key with ssh-keygen first.
(Convert an SSH2/RFC 4716 format public key to the OpenSSH one-line format and append it to the authorized keys:
ssh-keygen -i -f identity.pub >> ~/.ssh/authorized_keys
Use >> rather than > so that keys already in the file are kept.)
3. The OpenSSH package includes the following commands:
sshd - the SSH server daemon
sftp-server - the SFTP server subsystem (a file transfer protocol similar to FTP but running inside the encrypted SSH channel)
scp - non-interactive file copy to and from a server over SSH
sftp - interactive file transfer client, with usage similar to the ftp command
slogin - alias for ssh
ssh - the SSH client, used to log on to a remote system or run a command there
ssh-add - adds private keys (RSA, ECDSA, Ed25519; DSA on old releases) to the SSH agent
ssh-agent - the SSH agent, which holds decrypted private keys in memory so the passphrase is entered once per session
ssh-keygen - generates, converts and inspects key pairs
ssh-copy-id - appends a given public key to ~/.ssh/authorized_keys on the server
4. Install OpenSSH
Installing the OpenSSH server and client on Ubuntu takes one command:
sudo apt-get install openssh-server openssh-client
Ubuntu downloads and installs the packages and resolves the dependencies.
If the client is Windows, PuTTY is recommended: open PuTTY, enter the IP address of the server, and if everything is in order the connection is established.
5. Generate SSH key files
1. Generate a key pair with the following command:
ssh-keygen -t dsa -C user.email.com -f ~/.ssh/user.email.com
Generating public/private dsa key pair.
# The key is being generated. DSA keys are fixed at 1024 bits, which is too short by today's standards and is disabled by default in OpenSSH 7.0 and later; prefer -t ed25519, or -t rsa -b 4096 (a 4096-bit RSA key can take a while to generate).
Enter passphrase (empty for no passphrase):
# Asks for a passphrase to encrypt the private key. Leaving it empty gives passwordless automatic login, but then anyone who can read the key file can log on as you; the safer way to get automatic login is a passphrase plus ssh-agent.
2. The command creates user.email.com.pub (the public key) and user.email.com (the private key) in the .ssh directory of your home directory.
You now have a key pair: the public key is what you distribute to every remote host you want to log on to with SSH; the private key never leaves your machine.
The .ssh directory must be mode 700, that is, nobody but the owner may read or write it; with the default StrictModes yes, sshd refuses key login if ~/.ssh or authorized_keys is writable by others.
The private key must be mode 600; otherwise the ssh client refuses to use it ("UNPROTECTED PRIVATE KEY FILE").
3. Publish the public key
On each remote server you want to reach with SSH, append your public key to ~/.ssh/authorized_keys in your home directory on that server:
cat user.email.com.pub >> ~/.ssh/authorized_keys
(>> appends; a single > would overwrite keys already in the file. ssh-copy-id -i ~/.ssh/user.email.com.pub user@host does the same over an existing SSH session.)
6. Log on to other hosts using SSH
ssh username@IP
e.g. ssh jibo@192.168.1.11
Note:
If no username is given, your local username is used by default.
If OpenSSH works properly, you will see the following prompt:
The authenticity of host '[hostname]' can't be established.
Key fingerprint is 1024 5f:a0:0b:65:d3:82:df:ab:44:62:6d:98:9c:fe:e9:52.
Are you sure you want to continue connecting (yes/no)?
OpenSSH is saying it has never seen this host's key before. This first connection is the one moment an attacker who controls the network can substitute their own host key, so do not answer yes blindly: compare the fingerprint with one obtained out of band, for example by running ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub (or the ed25519 key) on the server's console. If they match, type "yes"; the host's key is stored in ~/.ssh/known_hosts and the prompt does not appear again for this host. If the stored key ever changes, ssh refuses to connect with a loud warning, which is exactly the man-in-the-middle protection mentioned above.
Then ssh prompts for the password of your account on the remote host. Once it is entered the SSH connection is established and can be used like telnet.
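Both halves of the key distribution described in sections 5 and 6, as an added example that is not part of the original article: appending a public key to the server's authorized_keys exactly once with the permissions sshd expects, and pinning the server's host key in the client's known_hosts so the first-connection prompt is replaced by a check against a key obtained out of band. It needs only POSIX sh, awk and ls; the file names, host address and key strings in the demo are constructed and are not real keys.

```shell
#!/bin/sh
# Added example (not from the original article): key distribution for
# OpenSSH in POSIX sh. Keys used in the demo are constructed, not real.
set -eu

# install_pubkey PUBKEY_FILE AUTHORIZED_KEYS
# Appends the key in PUBKEY_FILE unless its type and base64 blob are already
# present (the trailing comment is ignored), and enforces the permissions
# sshd's StrictModes expects. Uses >> on purpose: a single > would replace
# every key already in the file and lock other people out.
install_pubkey() {
    pub=$1; auth=$2; dir=$(dirname "$auth")
    mkdir -p "$dir"; chmod 700 "$dir"
    [ -f "$auth" ] || : > "$auth"
    chmod 600 "$auth"
    id=$(awk 'NR==1 {print $1, $2}' "$pub")
    if grep -qF -- "$id" "$auth"; then
        echo present
    else
        cat "$pub" >> "$auth"
        echo added
    fi
}

# pin_host_key HOST HOSTKEY_PUB KNOWN_HOSTS
# HOSTKEY_PUB is the server's /etc/ssh/ssh_host_*_key.pub, fetched out of
# band (console, provisioning image), not over the network you distrust.
# With the key pinned, ssh never shows the "authenticity ... can't be
# established" prompt for HOST and refuses a different key outright.
# Assumes plain (unhashed) known_hosts lines; with HashKnownHosts yes run
# `ssh-keygen -H` afterwards, and use `ssh-keygen -F host` to look entries up.
pin_host_key() {
    host=$1; pub=$2; kh=$3
    mkdir -p "$(dirname "$kh")"
    [ -f "$kh" ] || : > "$kh"
    id=$(awk 'NR==1 {print $1, $2}' "$pub")
    if grep -qF -- "$host $id" "$kh"; then
        echo present
    else
        printf '%s %s\n' "$host" "$id" >> "$kh"
        echo added
    fi
}

# private_ok PATH
# True when no group or other permission bit is set: what ssh demands of a
# private key and sshd of ~/.ssh. Parses ls -ld instead of stat, whose
# flags differ between GNU and BSD.
private_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Demo with constructed keys in a scratch directory.
demo() {
    d=$(mktemp -d)
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDemoUserKeyNotReal000000000000 jibo@laptop\n' > "$d/user.email.com.pub"
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDemoHostKeyNotReal000000000000 root@server\n' > "$d/ssh_host_ed25519_key.pub"
    install_pubkey "$d/user.email.com.pub" "$d/.ssh/authorized_keys"   # added
    install_pubkey "$d/user.email.com.pub" "$d/.ssh/authorized_keys"   # present
    pin_host_key 192.168.1.11 "$d/ssh_host_ed25519_key.pub" "$d/.ssh/known_hosts"
    if private_ok "$d/.ssh"; then echo ".ssh is owner-only"; fi
    rm -rf "$d"
}
demo
```

The check on the key type plus blob, rather than the whole line, is deliberate: the comment field is free text and two copies of the same key with different comments would otherwise both be accepted. With the host key pinned you can also set StrictHostKeyChecking yes in ~/.ssh/config so that an unknown host is an error rather than a question.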
7. Configure SSH
1. Configure the client
OpenSSH reads its client configuration from three places: command line options, the per-user file ~/.ssh/config, and the system-wide file /etc/ssh/ssh_config. Command line options take precedence over the user file, and the user file over the system file. Every command line option can also be set in a configuration file. No user configuration file exists after installation; create ~/.ssh/config (mode 600) and put only the options you want to override in it. Copying the whole of /etc/ssh/ssh_config there is unnecessary, because the system file is still read afterwards.
A minimal paranoid configuration looks like this:
[lots of explanations and possible options listed]
# Be paranoid by default
Host *
    ForwardAgent no
    ForwardX11 no
    FallBackToRsh no
(FallBackToRsh dates from the SSH1 era; current OpenSSH accepts it but ignores it as deprecated.) See "man ssh_config" for the many other options.
Configuration files are read top to bottom, and for each option the first value found wins. Host-specific sections must therefore come before the general "Host *" section, otherwise the general settings shadow them.
Suppose you have an account named jibo on www.foobar.com, you want to use ssh-agent and ssh-add, and you want compression to speed up the transfer. Because the host name is long, you can use fbc as an abbreviation for www.foobar.com. The configuration file would then be:
Host fbc
    User jibo
    HostName www.foobar.com
    IdentityFile ~/.ssh/jibo.tiger@gmail.com
    ForwardAgent yes
    Compression yes
# Be paranoid by default
Host *
    ForwardAgent no
    ForwardX11 no
    FallBackToRsh no
After you type "ssh fbc", ssh looks up the full host name in the configuration file, logs on with your username, and authenticates with the specified key (IdentityFile). The paranoid defaults apply to every other SSH connection; any option not set on the command line or in a matching Host section falls back to them. For connections to www.foobar.com, ForwardAgent and Compression are yes; for everything else (unless overridden on the command line) ForwardAgent, ForwardX11 and FallBackToRsh are no. Note that ForwardAgent yes lets root on www.foobar.com use your agent to authenticate to any host your keys are valid for while you are connected, so enable it only for hosts you trust as much as your own machine.
Other settings worth checking:
CheckHostIP yes
Also records and checks the server's IP address in known_hosts, which helps detect DNS spoofing.
CompressionLevel
Compression level from 1 (fastest) to 9 (best compression); the default is 6. This option only ever applied to SSH1; with SSH2 zlib's default level is used and the option is ignored.
ForwardX11 yes
Required to run remote X programs and display them locally.
LogLevel DEBUG
Useful when SSH misbehaves; the default is INFO. The same effect is obtained on the command line with -v, -vv or -vvv.
2. Configure the server software
The SSH server is configured in /etc/ssh/sshd_config. Every option is described in the comments of that file and in "man sshd_config". After editing, check the result with sshd -t (syntax) and sshd -T (effective values) before restarting the service, so that a typo does not lock you out.
The following defaults deserve attention:
PermitRootLogin yes
Better set this to PermitRootLogin prohibit-password (spelled without-password in releases before 7.0; both are accepted), so that root can only log on with a key. Setting it to no disables root login entirely: log on as a normal user and switch to root with su or sudo.
X11Forwarding no
Set to yes to let users run X programs on the server. Leaving it off does not make the server much safer, because a user with a shell can install their own forwarder; see "man sshd_config".
PasswordAuthentication yes
Set to no and only key-based login is allowed. This is an inconvenience for users who log on from many different machines, but it greatly improves security: password login is exposed to guessing and brute force, keys are not. Make sure your key works before turning it off, and keep the current session open while you test a new one.
Subsystem sftp /usr/lib/openssh/sftp-server
This line enables the SFTP subsystem (the path shown is the Debian/Ubuntu one). Older guides describe uncommenting a "#Subsystem /usr/local/sbin/sftpd" line and pointing it at the sftpserv binary from the separate SFTP package; with OpenSSH that is unnecessary, since sftp-server ships with the package and the Ubuntu default configuration already enables it. Because many users know FTP and find scp awkward, sftp is worth offering; graphical clients such as gftp (2.0.7 and later) support it.
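OpenSSH resolves both ssh_config and sshd_config by the "first value found wins" rule from section 7.1, and the server settings in section 7.2 are only as good as the value that actually wins. The following added example, which is not part of the original article, emulates that rule in awk so the Host ordering pitfall can be seen without a server, then applies it as a small audit of the three weak server settings discussed above. The real tools for this are `ssh -G host` and `sshd -T`; the sample configuration files are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original article): emulate OpenSSH's
# "first value found wins" option resolution and audit an sshd_config
# for the weak settings discussed above. Sample configs are constructed.
set -eu

# effective_option FILE HOST OPTION
# Walks FILE top to bottom. Lines before any Host/Match keyword apply to
# every connection; a Host line opens a block that applies only when one
# of its glob patterns matches HOST; Match blocks are skipped because their
# criteria are not evaluated here. Prints the first value seen for OPTION
# (case-insensitive), or nothing if the option is never set.
effective_option() {
    awk -v host="$2" -v want="$(printf '%s' "$3" | tr 'A-Z' 'a-z')" '
    function glob_match(pat, s,   re) {
        re = pat
        gsub(/[.]/, "[.]", re); gsub(/\*/, ".*", re); gsub(/\?/, ".", re)
        return tolower(s) ~ ("^" tolower(re) "$")
    }
    BEGIN { active = 1 }
    /^[ \t]*(#|$)/ { next }
    {
        key = tolower($1)
        if (key == "host") {
            active = 0
            for (i = 2; i <= NF; i++) if (glob_match($i, host)) active = 1
            next
        }
        if (key == "match") { active = 0; next }
        if (!active || key != want) next
        $1 = ""; sub(/^[ \t]+/, ""); print; exit
    }' "$1"
}

# audit_sshd_config FILE
# Prints one line per weak setting; prints nothing when the file is clean.
# sshd_config has no Host blocks, so the HOST argument is irrelevant.
audit_sshd_config() {
    f=$1
    v=$(effective_option "$f" server PermitRootLogin)
    case "${v:-unset}" in
        yes|unset) echo "PermitRootLogin=${v:-unset}: set prohibit-password or no" ;;
    esac
    v=$(effective_option "$f" server PasswordAuthentication)
    case "${v:-unset}" in
        yes|unset) echo "PasswordAuthentication=${v:-unset}: set no once keys work" ;;
    esac
    v=$(effective_option "$f" server X11Forwarding)
    if [ "$v" = "yes" ]; then
        echo "X11Forwarding=yes: set no unless remote X programs are needed"
    fi
}

# write_samples DIR: constructed configs, not copied from any real host.
write_samples() {
    cat > "$1/config" <<'EOF'
Host fbc
    User jibo
    HostName www.foobar.com
    ForwardAgent yes
    Compression yes
# Be paranoid by default
Host *
    ForwardAgent no
    ForwardX11 no
EOF
    cat > "$1/misordered" <<'EOF'
Host *
    ForwardAgent no
Host fbc
    ForwardAgent yes
EOF
    cat > "$1/weak.conf" <<'EOF'
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
    cat > "$1/hardened.conf" <<'EOF'
PermitRootLogin prohibit-password
PasswordAuthentication no
X11Forwarding no
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
}

d=$(mktemp -d); write_samples "$d"
echo "fbc ForwardAgent:   $(effective_option "$d/config" fbc ForwardAgent)"             # yes
echo "other ForwardAgent: $(effective_option "$d/config" other.example ForwardAgent)"   # no
echo "misordered fbc:     $(effective_option "$d/misordered" fbc ForwardAgent)"         # no
echo "weak.conf findings:"; audit_sshd_config "$d/weak.conf"
echo "hardened.conf findings:"; audit_sshd_config "$d/hardened.conf"
rm -rf "$d"
```

The misordered file is the pitfall from section 7.1 made concrete: because "Host *" comes first, its ForwardAgent no is the first value found and the fbc section never takes effect. The audit treats an unset PermitRootLogin or PasswordAuthentication as a finding on purpose, since the compiled-in default has changed between releases and an explicit value is what you want to see in a reviewed configuration.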
8. Copying files
1. Copying files with scp
ssh gives you a shell and remote command execution; it does not copy files by itself, but OpenSSH ships scp for that.
(1) Copy a local file to a remote server:
scp /home/jibo/test.txt john@192.168.1.55:/etc/squid
/home/jibo/ - absolute path of the local file
test.txt - the local file to copy to the server
john@192.168.1.55 - user and address of the remote server
/etc/squid - the destination path on the remote server
(2) Copy a file from the remote server to the local machine:
scp john@192.168.1.55:/usr/local/sin.sh /home/jibo/TIGER/
john@192.168.1.55 - user and address of the remote server
/usr/local/sin.sh - the remote file to copy to the local machine
/home/jibo/TIGER/ - absolute path of the local directory to copy it into
Notes:
1. If the server's sshd listens on a non-standard port (for example because of firewall rules), scp must be told the port. scp uses a capital -P for the port, unlike ssh's -p:
scp -P 4588 john@www.abc.com:/usr/local/sin.sh /home/administrator
2. scp runs with the privileges of your remote account, so check that the account may read (or write) the files concerned on the remote server; the first example above writes into /etc/squid, which normally requires root.
9. sftp
If you are used to copying files with FTP, try sftp. It establishes an SSH-encrypted connection and accepts the familiar FTP commands (ls, get, put, cd and so on). The graphical FTP client gftp supports sftp from version 2.0.7.
The remarks about sftp running remote programs through an "exec" command, and about copying an sftpserv binary into your remote home directory (or somewhere in the remote $PATH) when no SFTP server is installed, apply to the separate third-party SFTP package, not to OpenSSH. OpenSSH's sftp client talks to the sftp-server subsystem configured in sshd_config, so there is nothing to copy to the server, and its "!command" runs a command on the local machine, not the remote one.
Putting an "encrypted channel" around X
To run an X program on the remote SSH server and display it on the local computer, log on to the remote computer and add the following line to ~/.ssh/environment there:
XAUTHORITY=/home/[remote user name]/.Xauthority
(If .Xauthority does not exist in your remote home directory, it is created automatically when you log on with SSH. sshd only reads ~/.ssh/environment when PermitUserEnvironment yes is set in sshd_config; with X11Forwarding enabled this line is normally unnecessary, because sshd sets up the xauth cookie itself.)
For example, to start an X program (xterm), run:
ssh -f -X -l [remote user name] [remote machine] xterm
-f puts ssh in the background once authentication is done and -X enables X11 forwarding. This runs xterm remotely with its window on your local display; other X programs work the same way.