SSH usage under Linux systems (based on personal experience)

For Linux OPS workers, using SSH remote remote server is no longer familiar! Some of the strict settings for SSH also related to server security maintenance, today, I work in the use of SSH experience, do some summary records to the next.

(1) After SSH remote login prompt message, title information
We often use the console SSH trust to jump to other machines, But I do not know if the operation of friends notice the SSH jump after successful terminal display of the message?
These tips, is to facilitate the first time we know which ssh to jump to which target machine, but also to avoid the long-term frequent jump due to the effect of the misuse of the machine operation risk, we usually after SSH jump to the target machine to display some information, In some countries, before logging into a given system, giving unauthorized or user-monitored warning messages will be protected by law . as follows:
[[email protected] ~]# ssh-p22 192.168.1.15
Last Login:fri Jul 13:26:53 from 124.65.197.154
============= ======================
| | | | | | | | | | | | | | | | | | | | | |
===================================
hostname : Monit-server
ipaddres:192.168.1.15
===================================
IDC monitoring machine
================================ ===

So where does the reminder for the red area above be set?
Procedure one: In fact, it is very simple, this information is in the target machine's/ETC/MOTD file custom
[Email protected] ~]# CAT/ETC/MOTD
===================================
|||||||||||||||||||||||||||||||||||
===================================
Hostname:monit-server
ipaddres:192.168.1.15
===================================
IDC Monitoring Machine
===================================

Procedure two: Define in the/etc/ssh/sshd_config file of the target machine, then restart the sshd service. Both of these practices are consistent effects!
Banner/etc/sshfile

[Email protected] ~]# Cat/etc/sshfile
This is 192.168.1.117

Remote login:
[[email protected] ~]# ssh 192.168.1.117
This is 192.168.1.117
[Email protected] ~]#

(2) implement SSH password-free login: Use Ssh-keygen and Ssh-copy-id
Ssh-keygen generate public and private key pairs .
Ssh-copy-id copies the local public key to the remote machine's Authorized_keys file, and Ssh-copy-id allows you to have/home/username/.ssh and ~/.ssh/authorized_ to the remote machine. The right to the keys.
Action record:
1) First step: Use Ssh-keygen on the local machine to generate a public key private key pair
#ssh-keygen-t RSA//One-way default carriage return
This will generate the public and private key files in the. SSH directory in the current user's home directory: Id_rsa.pub, Id_rsa. You can copy the Id_rsa.pub public key file to Authorized_keys
2) The second step: You can manually set the local id_ Rsa.pub the contents of the public key file are copied to the remote target. ssh/authorized_keys file, you can implement SSH without password login.
Of course, you can also copy the public key to a remote machine using Ssh-copy-id directly in the local computer
#ssh-copy-id-i/root/.ssh /id_rsa.pub [email protected] [Copy the local public key to the remote machine, such as B machine]
can also not add a public key path, the default plus
#ssh-copy-id [email  Protected]
note:
ssh-copy-id writes key to the remote machine ~/ . ssh/authorized_key. File (the file is automatically created)
3) This way, the machine logs on to the remote machine above (b machine) without entering the password
#ssh [email protected]

(3) SSH login failed, error: Pseudo-terminal won't be allocated because stdin
Phenomenon:
Need to log on to a target machine on the line a, but not directly login (no login rights), you need to log on to the B machine, and then jump from the B machine to a machine.
The script is as follows:
localhost:~ root# Cat idc-7.sh
#!/bin/bash
SSH [email protected] "ssh-p25791 [email protected]"

But the error when executing the script is as follows:
Pseudo-terminal won't be allocated because stdin

Reason:
The pseudo-terminal will fail to allocate because the standard input is not a terminal.
Workaround:
The-T-T parameter needs to be increased to force pseudo-terminal allocations, even if the standard input is not a terminal.
Add the-t-t parameter to the script, as follows:
localhost:~ root# Cat idc-7.sh
#!/bin/bash
SSH [email protected] "SSH-T-t-p25791 [email protected]"

Or
localhost:~ root# Cat idc-7.sh
#!/bin/bash
ssh-t [email protected] "SSH-T-t-p25791 [email protected]"

(4) SSH remote login slow problem
Workaround:
To compile the/etc/ssh/sshd_config configuration file:
Usedns No
Gssapiauthentication No
Then restart the SSHD service!

(5) SSH login appears: Permission denied (publickey.gssapi-with-mic)
Workaround:
Modify the/etc/ssh/sshd-config file to include the following:
Permitrootlogin no change to Yes
Pubkeyauthentication Yes
Authorizedkeysfile. Ssh/authorized_keys Front Plus # shield off
Passwordauthentication no change to Yes
Finally restart the SSHD service!

(6) SSH connection error problem
1) when using SSH or SCP or rsync remote connection, the following error occurred:
Address * * * maps to localhost, it is does not map back to the address-possible break-in attempt!
Workaround:
Modifying a native Ssh_config file
[Email protected] ~]# Vim/etc/ssh/ssh_config
Gssapiauthentication No
[Email protected] ~]#/etc/init.d/sshd restart

Problem solved ~ ~

2) The native SCP, rsync command is available, but when using SCP or rsync remote synchronization error:
Bash:scp:command not found
Bash:rsync:command not found
Reason: Because the remote machine is not installed on the SCP or rsync caused by! You can install both commands
Yum Install openssh-clients
Yum Install rsync

3) Remote SSH connection error "The X11 forwarding request was rejected!"
Workaround:
Set x11forwarding Yes in Sshd_config
Restart the sshd service.

(7) SSH connection Timeout was kicked out problem solved
When using a client such as XSHELL,SECURECRT to access a Linux server, there are times when the terminal is kicked out periodically.
Here are three ways to prevent timeouts from being kicked out, how to set up the latter two cases, and how to do this by setting the shell variable:

1. Configure the server
#vi/etc/ssh/sshd_config
1) Find the Clientaliveinterval parameter, if you do not add a line
The value is seconds, for example, if you set it to 120, it is 2 minutes.
Clientaliveinterval 120
2) Clientalivecountmax
If the client is found to be unresponsive, a timeout is determined, and this parameter sets the number of times the timeout is allowed. such as 3, 5 and other custom

After modifying the two parameters, the following:
----------------------------
Clientaliveinterval 120
Clientalivecountmax 3 //0 does not allow timeout times
Modify the/etc/ssh/sshd_config file to remove the Clientaliveinterval 0 and Clientalivecountmax 3 annotation symbols and change the clientaliveinterval corresponding 0 to 60. Did not enter on their own.
CLIENTALIVEINTERVAL Specifies the time interval for server-side request messages to the client, which defaults to 0 and does not send. Clientaliveinterval 60 means that every minute is sent, and then the client responds, so that it stays connected for long. Clientalivecountmax, use the default value of 3. Clientalivecountmax indicates that the client does not respond to a certain number of times after the server makes a request and disconnects automatically. Normally, the client does not respond.
Reload the sshd service. Exit the client and log in again to verify.
3) Restart the SSHD service
Sudo/etc/init.d/ssh restart

2. Configure the Client
#vim/etc/ssh/ssh_config
and find the inside.
Serveraliveinterval
Parameters, if you don't, you can add one yourself.
Parameters have the same meaning, and are all seconds, such as 5 minutes
Serveraliveinterval 300

3, Echo export tmout=1000000 >>/root/.bash_profile; source. bash_profile
Prevents timeouts in the shell environment of a Linux terminal by setting the environment variable tmout. If blank is displayed, it means that there is no setting, equal to using the default value of 0, and should normally not time out. If it is greater than 0, you can set it to 0 in a file such as/etc/profile.

(8) SSH remote login, public key authorization does not pass: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
IDC Computer room server, before doing a springboard machine environment, other machines only allowed from the Springboard SSH Password trust past, and after the trust relationship is done, disable the other machine password login function (sshd_config file Set "Permitemptypasswords no")

Later, the board has a problem, intends to re-install the machine, re-installed before the other machine to allow only the Springboard SSH trust relationship, and restore the password login function:
[Email protected] ssh]# Vim/etc/ssh/sshd_config
Permitemptypasswords Yes
[[Email protected] ssh]# service sshd restart

Modified, at that time in other machines can ssh mutual landing, then did not care, thought everything OK.
However, to the next day, SSH landing again, the dead, unexpectedly error ~ ~
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

The last discovery is the disaster of SELinux! Close it.
1) Temporarily close SELinux
[Email protected] ssh]# Setenforce 0
[Email protected] ssh]# Getenforce
Permissive
2) Permanently closed
[Email protected] ssh]# Vim/etc/sysconfig/selinux
Selinux=disabled
[email protected] ssh]# reboot #重启系统才能生效

Description
1) SSH can support both PublicKey and password two kinds of authorization methods, publickey default does not turn on, need to be configured to Yes.
If the client does not exist. Ssh/id_rsa, the password authorization is used, the publickey authorization is used, and password authorization is still used if the PublicKey authorization fails.

2) GSSAPI authentication.
Gssapiauthentication whether to allow the use of GSSAPI-based user authentication. The default value is "no". For SSH-2 only.
Gssapicleanupcredentials whether the user credential cache is automatically destroyed after the user exits the login. The default value is "Yes". Only for SSH-2.
Special attention is paid to the following:
GSSAPI is a public Security transaction application Interface (GSS-API)
The Public Security Transaction application interface provides security services to the consumer in a unified pattern, ensuring portability in different application environments because it supports the most basic mechanisms and technologies.
The specification defines GSS-API transactions and basic elements, and is independent of basic mechanisms and programming locales, and is implemented with the help of other relevant documentation specifications.

If we open the Gssapiauthentication configuration item on the server side, as follows:
[[Email protected] ~] #vim/etc/ssh/sshd_config
........
Gssapiauthentication Yes
Gssapicleanupcredentials Yes

Then the client Login server will use Gssapi-keyex,gssapi-with-mic for identity verification, the same client will support this authentication, as follows:

[[Email protected] ~] #vim/etc/ssh/ssh_config
Gssapiauthentication Yes
Gssapidelegatecredentials Yes

We connect to the SSH server on the client side, as follows:
Ssh-v 192.168.1.11
.................
Debug1:authentications that can Continue:publickey,gssapi-keyex,gssapi-with-mic,password
Debug1:authentications that can Continue:publickey,gssapi-keyex,gssapi-with-mic,password
Debug1:authentications that can Continue:publickey,gssapi-keyex,gssapi-with-mic,password
Debug1:authentications that can Continue:publickey,gssapi-keyex,gssapi-with-mic,password

We see the following information:
Debug1:unspecified GSS failure. Minor code may provide more information
No Credentials Cache found
Debug1:authentications that can Continue:publickey,gssapi-keyex,gssapi-with-mic,password
Debug1:next Authentication Method:gssapi-keyex
Debug1:no Valid Key Exchange context
This means that the SSH login is authenticated using GSSAPI, but our system does not support it.

Finally, if we do not authenticate this way, we recommend that you turn off this option so that you can increase the speed of your verification.

(9) SSH custom security settings
1) To add a layer of protection for SSH login, you can modify the default port. Modify the SSH service configuration file/etc/ssh/sshd_config
Port 2222

This allows you to attach shorts when connecting remotely
#ssh 192.168.1.83-p 2222

2) SSH using the plus-L followed by the user name, indicating landing to the other side of the user below.
#ssh-L Wangshibo 192.168.1.83-p 2222
Equivalent to
#ssh [email protected]-P 2222

3) Restrict SSH login to the source IP, whitelist settings
One is to set the white list of SSH ports via Iptables, and the following settings allow only clients of 192.168.1.0/24 network segment to connect to the machine remotely
#vim/etc/sysconfig/iptables
-A input-s 192.168.1.0/24-p tcp-m state--state new-m TCP--dport 2222-j ACCEPT
The second is through the/etc/hosts.allow inside to limit (as follows),/etc/hosts.deny file do not edit any content, keep the default!
#vim/etc/hosts.allow
Sshd:192.168.1.*,192.168.9.*,124.65.197.154,61.148.60.42,103.10.86.7:allow
Sshd:all:deny

4) Only allow specific users to login via SSH
If the root user is not allowed to log on;
Allow only a few specified users to log in (such as Wangshibo, Guohuihui, liuxing users)
Prohibit certain specified users from logging in (such as Zhangda,liqin users)
However, it is important to note that these users must both be present on the machine and on the other machine.
Modify the SSH service configuration file/etc/ssh/sshd_config
Permitrootlogin No//change Yes to No
Allowusers Wangshibo Guohuihui liuxing//This parameter allowusers if not present, need to be created manually, separated by a space between users
Denyusers Zhagnda Liqin//This parameter denyusers if not present, need to be created manually, separated by a space between users

You can also set only allow members of a group to access the host via SSH.
Allowgroups Wheel OPS

5) Cancel password verification, only with key pair authentication
Modify the SSH service configuration file/etc/ssh/sshd_config
Passwordauthentication No
Pubkeyauthentication Yes

6) Set a strong password for the account: Save the password to text to copy and paste it.
# RPM-IVH Expect-5.43.0-5.1.i386.rpm| Yum-y Install expect
# mkpasswd-l 128-d 8-c 15-s //Save the following password to text to copy, paste
Lvj.jg&skrf0cvtgmydqo7qpotxzxen9mefy?ej!kcax2gqrcu2ndftkeamllznx>ihiktagivz0$cmtqociypkpd,vvd*[email Protected]:cicqgtqdqvse5lssfmranbtx
Parameter description:
-L Password Length
-D Number of numbers
-C Uppercase Number
-S special symbol number

7) Only allow access to the SSH service via the specified network interface (if the server has multiple IPs)
The/etc/ssh/sshd_config is still modified, as follows:
listenaddress 192.168.1.15 //The default listener is 0.0.0.0

In this way, only the remote machine is allowed to connect to the native 192.168.1.15 intranet IP via SSH to log in.

8) Disable Blank password login
If the local system some accounts do not set the password, and SSH configuration file does not restrict, then remote through the empty password account can be landed, which is not safe!
So be sure to disable the empty password login. Modify the/etc/ssh/sshd_config as follows:
Permitemptypasswords no//This, the default is to disable the blank password login

SSH usage under Linux systems (based on personal experience)