SSH is short for Secure Shell Protocol.
Server port number: 22
SSH supports two authentication methods: key-based authentication (called certificate authentication in this post) and password authentication.
By default the SSH protocol provides two server functions:
1. a remote shell similar to Telnet, which is ssh itself;
2. sftp-server, which is similar to FTP, that is, a more secure FTP service.
The concept of public and private keys
1. Simply put, the public key is given to others; the private key is kept only by yourself.
2. Acting as a client, you first obtain the server's public key, then send your own public key to the server.
3. The end result is:
Client = client private key + server public key
Server = server private key + client public key
Introduction to the connection process
[Figure: Ssh3.jpg, the SSH connection process (image not reproduced)]
How the server side generates a new SSH host key pair
# rm -rf /etc/ssh/ssh_host*
# systemctl restart sshd     <== restart the sshd service; new host keys are generated on start
SSH client program
Use SSH commands directly under Linux
# ssh 192.168.1.1            <== logs in as root: by default ssh uses the current local user name
# ssh student@192.168.1.1    <== logs in to the remote host as the user student
Use under Windows
PuTTY: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
SecureCRT is commercial software; cracked versions can be found for download.
Xshell: http://xshell.en.softonic.com/
SFTP
After logging in to the remote server with SSH, downloading files from or uploading files to the server requires sftp or scp. Both commands run over the SSH channel (port 22); they merely emulate FTP-style operations and copying.
# sftp account@localhost
Connecting to localhost...
account@localhost's password:    <== enter the password
sftp> exit                       <== FTP-style commands are entered at this prompt
Actions on the server:
  pwd      show the current directory
  cd       change the current directory
  ls       list the files in the current directory
  mkdir    create a directory
  rm       delete files
  chgrp    change a file's group
  chown    change a file's owner
  chmod    change a file's permissions
  rename   rename a file

Local actions:
  lpwd     show the local current directory
  lcd      change the local current directory
  lls      list the files in the local current directory
  lmkdir   create a local directory

Actions for file upload/download:
  put [local directory or file] [remote]    upload local files to the server
  put [local directory or file]             this form uploads into the server's current directory
  get [remote directory or file] [local]    download files from the server to the local machine
  get [remote directory or file]            this form downloads into the local current directory
  get *  or  get *.rpm                      wildcard forms are also accepted
Tools under Windows (PSFTP, part of PuTTY): http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
psftp> open 192.168.1.1          <== the program opens the remote host with the open command
login as: root
root@192.168.1.1's password:
Remote working directory is /root
Scp
sftp is usually used when you do not know the file names on the server; if you already know the name of the file on the server, the simplest way to transfer it is the scp command.
Tools under Windows: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
# scp [-pr] [-l rate] file [account@]host:directory     <== upload
# scp [-pr] [-l rate] [account@]host:file directory     <== download
Options:
-p : preserve the permission data of the original file
-r : when the source is a directory, copy it recursively including subdirectories
-l : limit the transfer speed, in kbit/s; for example -l 800 limits the transfer rate to 100 kbytes/s
# scp /etc/hosts* student@192.168.1.1:~
student@192.168.1.1's password:    <== enter the student user's password
# copies all local /etc/hosts* files to the student user's home directory on 192.168.1.1
# scp account@192.168.1.1:/etc/bashrc /tmp
# copies /etc/bashrc from the remote host 192.168.1.1 to the local /tmp directory
1. If the server is reinstalled or its host key changes while keeping the same IP address, the public key presented by that IP no longer matches the stored one. How is this resolved? (operation on the client)
# ssh account@localhost
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
a7:2e:58:51:9f:1b:02:64:56:ea:cb:9c:92:5e:79:f9.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending key in /root/.ssh/known_hosts:1      <== the line number of the problematic entry
RSA host key for localhost has changed and you have requested strict checking.
Host key verification failed.
# The message says: the public key stored on line 1 of /root/.ssh/known_hosts differs from the public key received this time.
# Fix: open /root/.ssh/known_hosts with vim, delete line 1, then connect again with ssh.
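The warning above is exactly the case where deleting the known_hosts line blindly defeats the check, so here is an added helper (not from the original post) that removes the offending entry only when the fingerprint ssh printed equals the one the administrator confirmed out of band. SAMPLE_WARNING is a constructed, abridged copy of the warning shown above; the file path and fingerprint values come from the post.

```shell
#!/bin/sh
# Constructed, abridged copy of the "host identification has changed" warning shown above.
SAMPLE_WARNING='@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The fingerprint for the RSA key sent by the remote host is
a7:2e:58:51:9f:1b:02:64:56:ea:cb:9c:92:5e:79:f9.
Offending key in /root/.ssh/known_hosts:1
RSA host key for localhost has changed and you have requested strict checking.
Host key verification failed.'

# Print the fingerprint ssh reported: the line after "The fingerprint ... is", minus the trailing dot.
reported_fingerprint() {
    printf '%s\n' "$1" | awk '/^The fingerprint for the/ { getline; sub(/\.$/, ""); print; exit }'
}

# Print the line number named in "Offending key in <file>:<n>" (newer OpenSSH prints
# "Offending RSA key in ...", which the pattern also accepts).
offending_line() {
    printf '%s\n' "$1" | sed -n 's/^Offending .*key in [^ ]*:\([0-9][0-9]*\).*/\1/p'
}

# Remove the offending line from the given known_hosts file, but only if the reported
# fingerprint matches the one confirmed out of band. Returns 1 and leaves the file untouched
# on a mismatch, which is the man-in-the-middle case the warning exists for.
replace_host_key() {
    warning=$1; expected=$2; known_hosts=$3
    actual=$(reported_fingerprint "$warning")
    [ "$actual" = "$expected" ] || return 1
    line=$(offending_line "$warning")
    [ -n "$line" ] || return 1
    cp "$known_hosts" "$known_hosts.bak"                     # keep a backup of the old entry
    awk -v n="$line" 'NR != n' "$known_hosts" > "$known_hosts.tmp" &&
        mv "$known_hosts.tmp" "$known_hosts"
}

# Interactive use: capture ssh's stderr (ssh host 2> /tmp/warn.txt), then
# replace_host_key "$(cat /tmp/warn.txt)" "<fingerprint confirmed by the admin>" ~/.ssh/known_hosts
```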
2. How do you establish an SSH connection without entering a password? (operation on the client)
1. The client generates its local key pair
ssh-keygen    <== generates an RSA key pair locally; on success .ssh/id_rsa (private key) and .ssh/id_rsa.pub (public key) appear in the current user's home directory
# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):    <== press Enter
Enter passphrase (empty for no passphrase):                  <== press Enter
Enter same passphrase again:                                 <== press Enter
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
24:6e:f2:c7:b6:2c:b1:4c:df:8a:31:e8:07:eb:78:20 root@<host>
The key's randomart image is:
+--[ RSA 2048]----+
(randomart image omitted)
+-----------------+
2. Copy the local public key to the target host (server side) and connect
ssh-copy-id    <== copies the local public key into the remote machine's authorized_keys file; ssh-copy-id also sets the correct permissions on the remote home directory, ~/.ssh and ~/.ssh/authorized_keys
ssh-copy-id 10.0.0.11            <== exports id_rsa.pub (the public key): connects to the other host and hands over the public key
ssh-copy-id root@10.0.0.11       <== the public key is exported to the .ssh directory of the root user on 10.0.0.11
ssh-copy-id student@10.0.0.11    <== the public key is exported to the .ssh directory of the student user on 10.0.0.11
# ssh-copy-id 10.0.0.11
The authenticity of host '10.0.0.11 (10.0.0.11)' can't be established.
ECDSA key fingerprint is c9:77:ee:3f:f6:82:25:66:0b:85:d8:d1:46:59:8f:ef.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@10.0.0.11's password:    <== enter the root password of the target host
Number of key(s) added: 1
Now try logging into the machine, with:   "ssh '10.0.0.11'"
and check to make sure that only the key(s) you wanted were added.
# ssh 10.0.0.11
Last login: Fri Feb  5 23:48:56 2016 from 10.0.0.129
#    <== success: no password was needed
# In fact, the key pair that root generated with ssh-keygen is not usable by root alone; other local users can use it too.
# Suppose there is also a local user called hello, and I want hello to log in to the remote root and student users without a password as well.
# mkdir /home/hello/.ssh
# cp /root/.ssh/id_rsa /home/hello/.ssh/
# chown -R hello:hello /home/hello/.ssh
# su - hello
$ ssh root@10.0.0.11
The authenticity of host '10.0.0.11 (10.0.0.11)' can't be established.
ECDSA key fingerprint is c9:77:ee:3f:f6:82:25:66:0b:85:d8:d1:46:59:8f:ef.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.11' (ECDSA) to the list of known hosts.
Last login: Sat Feb  6 00:00:15 2016 from 10.0.0.129
#    <== success: the hello user logged in as the remote root user
3. The idea of installing a backdoor through key authentication
# Generally speaking, the .ssh/ directory in a user's home contains the following four files:
# ls .ssh
authorized_keys  id_rsa  id_rsa.pub  known_hosts
# authorized_keys : on the server side, the public keys of clients that are allowed to log in through key authentication
# id_rsa          : the client's local private key
# id_rsa.pub      : the client's local public key
# known_hosts     : on the client side, the public keys of servers it has connected to
# Password-free login is set up with the following commands:
# ssh-keygen                   <== generates the client's local key pair
# ssh-copy-id root@10.0.0.11   <== the ssh-copy-id command asks for the server-side user's password, then exports the client's public key into the .ssh/authorized_keys file in root's home directory on 10.0.0.11
# The generated client public key can also be copied into the .ssh/authorized_keys file of root's home directory by other means (for example physical access), which equally enables remote login without a password.
4. How to find the currently logged-in remote users, kick them off and remove the hidden danger (operation on the server)
# who      <== or w
root     tty1         2016-02-05 21:56
root     pts/0        2016-02-06 00:27 (10.0.0.2)
root     pts/1        2016-02-06 00:35 (10.0.0.129)
# Suppose the root login from pts/1 is illegitimate.
# pkill -KILL -t pts/1    <== kills the processes of the pts/1 login (equivalent to kicking the remote login off)
# But kicking the session is not enough if the illegitimate login came in through the key authentication described above.
# cd .ssh
# vim authorized_keys     <== root's home directory is probably not the only one with an authorized_keys file; it is best to check every user's home directory under /home/ as well
ssh-rsa aaaab3nzac1yc2eaaaadaqabaaabaqc3wtjs0rinqh8aw06s7cixiz+qadeymdshunxkr+8bgybamhuy7v27nkhdt9909zpruu/ Jijlgnzx2zgtbrqmguuwma+ghbte1gy7hdn/src5nbxenpc+go2/ric5obo+ly17eg7tnepm7qzna4uq5nx+cxfsey4em75p9dp78np+8zrdjkixsqad95tegxqde8ckryokwlufxbk9q1mwbrfngc2nr2i5azxovdo// Ykyx9xyduib2ym27ke/o9webr7/k6ippfi7cv5mvrx85+kycn8rpkreuila+ldmgbb3z2ofqsvtbffxw+2q1vhpuuhl8kjstr7zmejdfmbfb user@host
# Delete this record, that is, remove the illegitimate public key.
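Checking authorized_keys by eye, one home directory at a time, is how a planted key in some other user's home (the situation sections 3 and 4 describe) gets missed, so here is an added audit helper (not from the original post) that compares every authorized_keys under the given home directories against an allow-list of known public keys. The allow-list file format ("keytype base64blob" per line) and the /etc/ssh/allowed_keys.txt path are assumptions; the sample home tree in the test is constructed.

```shell
#!/bin/sh
# Print "file:line:keytype comment" for every authorized_keys entry whose "keytype blob" pair
# is not in the allow-list. Arguments: allow-list file, then one or more home roots
# (each root is checked for <root>/.ssh/authorized_keys and <root>/*/.ssh/authorized_keys).
audit_authorized_keys() {
    allowlist=$1; shift
    for dir in "$@"; do
        for f in "$dir"/.ssh/authorized_keys "$dir"/*/.ssh/authorized_keys; do
            [ -f "$f" ] || continue
            awk -v allow="$allowlist" -v file="$f" '
                /^[ \t]*(#|$)/ { next }                             # skip blank and comment lines
                FILENAME == allow { allowed[$1 " " $2] = 1; next }  # first file: load the allow-list
                {
                    # an entry may start with options such as from=... or command=... (handled
                    # here when the options contain no spaces); the key type is the first field
                    # that begins with ssh-, ecdsa- or sk-
                    i = 1
                    while (i <= NF && $i !~ /^(ssh-|ecdsa-|sk-)/) i++
                    if (i > NF) { printf "%s:%d:unparseable\n", file, FNR; next }
                    key = $i " " $(i + 1)
                    if (!(key in allowed)) printf "%s:%d:%s %s\n", file, FNR, $i, $(i + 2)
                }' "$allowlist" "$f"
        done
    done
}

# Example invocation on a server (assumed allow-list path):
# audit_authorized_keys /etc/ssh/allowed_keys.txt /root /home
```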
5. Simple settings on the SSH server side (operation on the server)
# vim /etc/ssh/sshd_config
PermitRootLogin no           <== forbids the root user from connecting over SSH
PasswordAuthentication no    <== forbids password authentication: after the user name is entered, no password prompt appears
6. A more secure way to log in over SSH
# Suppose there are two hosts. A third party who wants to log on to your important host through SSH must first go through a springboard (jump) host and reach the important host from there.
# Suppose the important host's IP address is 192.168.1.1 and it has two users, root and student.
# Suppose the springboard host has at least two network cards and sits in a wireless LAN (a network segment isolated from the important host), and the springboard host is the only machine on that LAN.
# The third party first joins the springboard host's wireless LAN, then connects to the springboard host, and through the springboard host's relay finally reaches the important host.
# The idea is as follows:
1. On the springboard host, generate a key pair: ssh-keygen
2. From the springboard host, let the student user connect to the important host: ssh-copy-id student@192.168.1.1    <== this asks for the student user's password
3. Modify the configuration of the important host: vim /etc/ssh/sshd_config
   PermitRootLogin no
   PasswordAuthentication no    <== forbids root login on the important host and forbids password authentication
4. Restart the service: systemctl restart sshd
5. Result:
  1) The third party must first connect to the LAN where the springboard host is located.
  2) Once on that LAN, root privileges on the springboard host are also required. # A more complicated approach: forbid root login on the springboard host as well, log in as another user and then switch to root with su -
  3) Even with root privileges on the springboard host, root cannot log on to the important host; only the student user can. The student user needs no password because its public key was exported, and it cannot be authenticated by password.
  4) After obtaining the student user, switching to root with su - requires the root password of the important host.
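Sections 5 and 6 both rely on PermitRootLogin and PasswordAuthentication actually taking effect, and sshd applies the first value it reads for a keyword, so a hardening line added below an earlier setting is silently ignored. The following checker is an added example (not from the original post) that reports the effective value of both settings; the defaults it assumes are those documented for OpenSSH 7.x.

```shell
#!/bin/sh
# Print the effective value of a keyword in an sshd_config (keyword matching is
# case-insensitive and the FIRST occurrence wins), or the supplied default when unset.
# Scanning stops at the first "Match" line because everything below it is conditional.
sshd_effective() {
    file=$1; key=$2; default=$3
    val=$(awk -v key="$key" '
        /^[ \t]*(#|$)/ { next }                        # skip comments and blank lines
        tolower($1) == "match" { exit }                # conditional section: global scan ends
        tolower($1) == tolower(key) { print $2; exit } # first occurrence wins
    ' "$file")
    printf '%s\n' "${val:-$default}"
}

# Report OK/WEAK for the two settings the post hardens; returns 1 if either is not "no".
# Assumed OpenSSH 7.x defaults: PermitRootLogin prohibit-password, PasswordAuthentication yes.
check_sshd_config() {
    file=$1; status=0
    for spec in "PermitRootLogin prohibit-password" "PasswordAuthentication yes"; do
        key=${spec% *}; default=${spec#* }
        val=$(sshd_effective "$file" "$key" "$default")
        if [ "$val" = "no" ]; then
            echo "$key=$val OK"
        else
            echo "$key=$val WEAK"; status=1
        fi
    done
    return $status
}

# Usage: check_sshd_config /etc/ssh/sshd_config   (after editing, before systemctl restart sshd)
```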
This article comes from the "Immortal word" blog; please keep this source link: http://buxiuzi.blog.51cto.com/11124867/1746207
SSH for the Linux series