I. Logging in to a computer
Login is the process by which a computer verifies a user at a terminal device: the user supplies an account identifier and the corresponding password (or another credential), and the computer checks them before it grants a session.
Classification of terminals:
1) Physical terminal: the console device attached to the computer itself. On current Linux systems the physical terminal is mapped to /dev/console; all kernel messages are written to the console, while the output of ordinary user processes normally goes to a virtual terminal or a pseudo terminal. A modern server's "console" is therefore not the same thing as the dedicated terminal hardware of earlier computers.
2) Virtual terminal (virtual console): on modern computers the combination of keyboard and display, identified as "tty" (device files /dev/tty1, /dev/tty2, ...); on a text console you switch between them with Ctrl+Alt+F1 to F6.
3) Serial terminal: if the server has no graphics adapter, a serial terminal device can be attached to it instead; identified as "ttyS" (/dev/ttyS0, ...).
4) Pseudo terminal: a command-line terminal opened through a network client (ssh, telnet) or through a terminal emulator in a graphical session; identified as "pts". Each new network login or terminal window gets a new device file under /dev/pts. The tty command prints which of these the current shell is attached to.
II. The Telnet tool
Telnet is a client/server program. Everything it sends, including the user name and password, crosses the network in cleartext, so it belongs only in an isolated lab. By default the telnet server does not let the administrator log in directly (root is restricted to the terminals listed in /etc/securetty, which does not include pts devices); to work as root, log in as an ordinary user and then switch with su.
The server side installs the telnet-server package and listens on TCP port 23; the client side installs the telnet package and connects with the telnet command.
1. Enable telnet-server on the host to be connected to (server side)
Enabling telnet-server on CentOS 5 and 6
Stop the firewall and put SELinux in permissive mode (a lab shortcut only; on any host you care about, add a firewall rule for port 23 instead of disabling the firewall):
~]# service iptables stop
~]# setenforce 0
Start the telnet service (on these releases it is managed by xinetd):
~]# chkconfig telnet on        # or set "disable = no" in /etc/xinetd.d/telnet
~]# service xinetd restart     # or: service xinetd reload
Check that the service is listening:
~]# ss -tnl | grep :23
Enabling telnet-server on CentOS 7
Stop the firewall and put SELinux in permissive mode (same lab-only caveat as above):
~]# systemctl disable firewalld.service
~]# systemctl stop firewalld.service
~]# iptables -F
~]# setenforce 0
Start the telnet service (on CentOS 7 it is socket-activated by systemd):
~]# systemctl start telnet.socket
Check that the service is listening:
~]# ss -tnl | grep :23
2. Connect from another host with the telnet command
~]# telnet IP_address
III. Using OpenSSH
1. Components of OpenSSH
Server side:
Program: sshd
Configuration file: /etc/ssh/sshd_config
Client side:
Programs: ssh, scp, sftp
Configuration files: /etc/ssh/ssh_config (system-wide) and ~/.ssh/config (per user)
2. Authentication methods provided by SSH:
1) Password-based authentication:
The user authenticates with a valid account on the remote server and that account's password.
The user name and password travel inside the encrypted SSH channel, so a passive sniffer does not see them; the real risks are online brute-force guessing of weak passwords, and disclosure of the password to a forged server if the client accepts an unverified host key.
2) Key-based authentication:
The user generates a key pair on the client; the private key stays on the client and the public key is placed in the home directory of a user on the remote server (in ~/.ssh/authorized_keys).
During login the server sends a challenge, the client signs it with the private key, and the server verifies the signature with the stored public key; if the signature checks out, the user is authenticated and the session continues.
No password and no private key ever crosses the network, and the private key file itself can additionally be protected with a passphrase.
3. Client program: ssh
ssh [options] [user@]hostname [command]
Options:
-l login_name: the user name to log in as on the remote host; when this option is used, the "user@" prefix in front of hostname is not needed
ssh ppp213@196.168.43.159 is equivalent to ssh -l ppp213 196.168.43.159
-p port: the port the server listens on; when omitted the default is 22. Servers are often moved to another port for operational reasons, and this option selects the port to connect to
-b bind_address: the source IP address to use for this connection; when omitted, the kernel picks one of the client's valid addresses
-X: enable X11 forwarding, so graphical programs started in the SSH session display on the client
-Y: enable trusted X11 forwarding; like -X, but the forwarded clients are not subject to the X11 SECURITY extension restrictions
-o option=value
Pass one configuration option for this connection, in the same format as the client configuration file
Note: a large number of options can be given with -o; commonly used ones are normally written into the client configuration file instead (/etc/ssh/ssh_config for all users, ~/.ssh/config for the current user);
The format is:
Host pattern
    Option1 value1
    Option2 value2
    ...
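A worked client configuration, added here as an example rather than taken from the original page: the Host stanza below records the user, port and key for one server so that -l, -p and -i no longer have to be typed, and the small resolver function shows the ordering rule that trips people up (ssh keeps the first value it obtains for an option). The alias web1, the key path and the address are assumed values; ssh -G runs only if a client is installed.

```shell
#!/bin/sh
# Added example, not part of the original page: a per-user client
# configuration (~/.ssh/config) that replaces the -l, -p and -i options for
# one host, written to a temporary file so it can be inspected safely.
# The alias web1, the address, user name and key path are assumed values.
set -eu

CFG_DIR=$(mktemp -d); trap 'rm -rf "$CFG_DIR"' EXIT
CFG=$CFG_DIR/config

# Specific Host stanzas go first and the "Host *" defaults go last: ssh
# keeps the FIRST value it obtains for each option, so a stanza placed
# after "Host *" can never override what "Host *" already set.
cat > "$CFG" <<'EOF'
Host web1
    HostName 196.168.43.159
    User ppp213
    Port 2222
    IdentityFile ~/.ssh/id_ed25519

Host *
    Port 22
    ServerAliveInterval 60
    StrictHostKeyChecking ask
EOF

# resolve_option CONFIG ALIAS OPTION
# Minimal re-implementation of the "first obtained value wins" rule for a
# literal alias or "*" (real ssh also supports globs and Match), used so the
# behaviour can be checked without a running server.
resolve_option() {
    awk -v alias="$2" -v want="$3" '
        tolower($1) == "host" { in_block = ($2 == alias || $2 == "*"); next }
        in_block && tolower($1) == tolower(want) { print $2; exit }
    ' "$1"
}

echo "web1  Port -> $(resolve_option "$CFG" web1 Port)"    # 2222, own stanza
echo "other Port -> $(resolve_option "$CFG" other Port)"   # 22, from Host *

# The same two stanzas in the wrong order: "Host *" is read first, so web1
# silently gets Port 22 and its own "Port 2222" line is ignored.
cat > "$CFG_DIR/wrong" <<'EOF'
Host *
    Port 22

Host web1
    Port 2222
EOF
echo "web1  Port (wrong order) -> $(resolve_option "$CFG_DIR/wrong" web1 Port)"

# With a real client, "ssh -G" prints the effective configuration for an
# alias without connecting (OpenSSH 6.8 and later); "ssh web1" then needs
# no further options.
if command -v ssh >/dev/null 2>&1; then
    ssh -G -F "$CFG" web1 2>/dev/null | grep -E '^(hostname|user|port|identityfile) ' || true
fi
```

With the file installed as ~/.ssh/config (mode 600), ssh web1, scp file web1:/tmp/ and sftp web1 all pick up the same user, port and key.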
4. Client-side key-based authentication
ssh-keygen command: creates a key pair
Format:
ssh-keygen [-q] [-b bits] [-t type] [-N new_passphrase] [-f output_keyfile]
Common options:
-q: quiet mode;
-b bits: length of the key to create;
RSA: minimum 1024 bits on current versions, default 2048 bits (3072 or 4096 is preferable today);
DSA: must be exactly 1024 bits (DSA keys are disabled by default from OpenSSH 7.0 on; avoid them);
ECDSA: 256, 384 or 521 bits;
Ed25519: fixed length, so -b is ignored;
-t type: the public-key algorithm (rsa, dsa, ecdsa, ed25519);
All four algorithms are available in SSH protocol version 2;
-N new_passphrase: passphrase used to encrypt the private key file; an empty string produces an unprotected key (-P gives the old passphrase when changing one with -p);
-f output_keyfile: path where the generated key file is saved;
Example:
~]# ssh-keygen -t rsa -N '123456' -f .ssh/id_rsa
Run as root from /root, this writes the private key to /root/.ssh/id_rsa and the public key to /root/.ssh/id_rsa.pub.
ssh-copy-id command: copies a public key into the authorized_keys file of the specified user on the target server
Example:
~]# ssh-copy-id -i .ssh/id_rsa.pub root@SERVER_IP
After the public key has been installed with this command, later logins no longer prompt for the account password (only for the key's passphrase, if one was set); the copied key is appended to /root/.ssh/authorized_keys on the server.
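The complete key-based setup as one script, added here as an example and not part of the original page. It generates an Ed25519 key, installs it with ssh-copy-id, tests the login with password fallback switched off, and includes an offline check for the permission mistakes that make sshd silently fall back to a password prompt. The server address root@196.168.43.159, the user and the key path are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page: the full key-based login
# setup (generate, install, test), plus an offline audit of the file
# permissions that make key logins fail in practice. sshd runs with
# StrictModes yes by default and silently ignores ~/.ssh/authorized_keys when
# the directory or the file is writable by group or others; the ssh client
# refuses a private key that anyone else can read. The server address and
# user name are assumed values.
set -eu

# check_ssh_perms DIR -> prints one line per problem, returns 1 if any
check_ssh_perms() {
    dir=$1; rc=0
    m=$(stat -c %a "$dir")
    [ $((0$m & 022)) -eq 0 ] || { echo "$dir: mode $m is group/world-writable"; rc=1; }
    if [ -f "$dir/authorized_keys" ]; then
        m=$(stat -c %a "$dir/authorized_keys")
        [ $((0$m & 022)) -eq 0 ] || { echo "authorized_keys: mode $m is group/world-writable"; rc=1; }
    fi
    for k in "$dir"/id_*; do
        [ -f "$k" ] || continue
        case $k in *.pub) continue ;; esac
        m=$(stat -c %a "$k")
        [ $((0$m & 077)) -eq 0 ] || { echo "$(basename "$k"): mode $m is too open"; rc=1; }
    done
    return $rc
}

SERVER=root@196.168.43.159         # assumed target
KEY=$HOME/.ssh/id_ed25519

# Interactive part, run as: sh this_script install
install_key() {
    # Ed25519 has a fixed size, so -b is not needed; -N is omitted on purpose
    # so ssh-keygen prompts for a passphrase instead of writing a bare key.
    [ -f "$KEY" ] || ssh-keygen -t ed25519 -f "$KEY" -C "$(id -un)@$(hostname)"
    # Appends the .pub to ~/.ssh/authorized_keys of the target user and
    # creates ~/.ssh with mode 700 if it does not exist yet.
    ssh-copy-id -i "$KEY.pub" "$SERVER"
    # Without ssh-copy-id, the same thing by hand:
    #   ssh "$SERVER" 'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys' < "$KEY.pub"
    # Verify with password fallback switched off, so a key problem shows up
    # as a refusal rather than as a password prompt.
    ssh -i "$KEY" -o PasswordAuthentication=no "$SERVER" 'id; tty'
}
if [ "${1:-}" = install ]; then install_key; fi

# Offline demonstration on a constructed directory
T=$(mktemp -d); trap 'rm -rf "$T"' EXIT
mkdir -m 700 "$T/.ssh"
: > "$T/.ssh/authorized_keys"; chmod 600 "$T/.ssh/authorized_keys"
: > "$T/.ssh/id_ed25519";      chmod 600 "$T/.ssh/id_ed25519"
: > "$T/.ssh/id_ed25519.pub";  chmod 644 "$T/.ssh/id_ed25519.pub"
check_ssh_perms "$T/.ssh" && echo "ok: sshd will accept this authorized_keys"

chmod 664 "$T/.ssh/authorized_keys"   # typical after editing it as a shared group
check_ssh_perms "$T/.ssh" || echo "sshd would ignore this authorized_keys"
chmod 600 "$T/.ssh/authorized_keys"
```

When a key login unexpectedly asks for a password, run the audit against the user's ~/.ssh on the server and check /var/log/secure for "Authentication refused: bad ownership or modes"; that message is StrictModes at work.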
5. Server program: sshd
Configuration file: /etc/ssh/sshd_config
Format of configuration directives:
Directive value
Common directives:
Port 22: the port the sshd process listens on; moving it off 22 cuts down automated scanning noise (on CentOS with SELinux enforcing, the new port must also be allowed with semanage port -a -t ssh_port_t -p tcp PORT);
ListenAddress 0.0.0.0: the IP address sshd listens on; 0.0.0.0 means every address of the host, and binding to one fixed address (for example the management interface) is recommended;
Protocol 2: SSH protocol version; only version 2 should be enabled (version 1 was removed entirely in OpenSSH 7.6);
LoginGraceTime 2m: the maximum time a user has to complete authentication before the connection is dropped;
PermitRootLogin yes: whether root may log in directly over SSH; in production it is strongly recommended to disable this (no), or to allow root only with a key (prohibit-password);
UseDNS no: whether sshd resolves the client address back to a host name; turn it off, since the lookup only slows logins down and adds no real security;
AllowUsers user1 user2 ...: whitelist of users permitted to log in;
AllowGroups group1 group2 ...: whitelist of groups;
DenyUsers user1 user2 ...: blacklist of users;
DenyGroups group1 group2 ...: blacklist of groups (the directives are evaluated in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups);
After editing the configuration file, sshd must re-read it for the change to take effect. Check the syntax first with sshd -t, and keep the current session open until a fresh login succeeds:
CentOS 5, 6:
~]# service sshd reload
CentOS 7:
~]# systemctl reload sshd
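Added example, not from the original page: a script that applies the directives above to a copy of sshd_config and shows the value sshd will actually use. It handles two properties of the file format that matter when editing by hand or by script: the first occurrence of a directive wins, and anything written after a Match line belongs to that block, so appending with >> can put a setting in the wrong scope. The sample configuration, the port 2222 and the group sshusers are assumed values.

```shell
#!/bin/sh
# Added example, not part of the original page: apply the directives above
# to a copy of sshd_config. Two rules of the file format are handled
# explicitly: sshd uses the FIRST value it finds for a directive, and
# everything after a "Match" line belongs to that Match block, so blindly
# appending with ">>" puts the setting in the wrong scope.
# The sample configuration, the port and the group name are constructed.
set -eu

# effective_value FILE DIRECTIVE -> the global value sshd will use
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*[Mm]atch[[:space:]]/ { exit }      # global section ends here
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print "(default)" }
    ' "$1"
}

# set_directive FILE DIRECTIVE VALUE
# Removes every global occurrence (live or commented-out) and inserts the
# new line just before the first Match block, so it is global and wins.
set_directive() {
    awk -v key="$2" -v val="$3" '
        !in_match && /^[[:space:]]*[Mm]atch[[:space:]]/ { print key " " val; done = 1; in_match = 1 }
        !in_match && tolower($1) == tolower(key)         { next }
        !in_match && tolower($1) == ("#" tolower(key))   { next }
        { print }
        END { if (!done) print key " " val }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

harden_sshd_config() {       # harden_sshd_config FILE
    set_directive "$1" Port 2222                  # SELinux: semanage port -a -t ssh_port_t -p tcp 2222
    set_directive "$1" Protocol 2                 # default since 7.0; v1 removed in 7.6
    set_directive "$1" PermitRootLogin no
    set_directive "$1" PermitEmptyPasswords no
    set_directive "$1" PubkeyAuthentication yes
    set_directive "$1" PasswordAuthentication no  # only once keys are installed everywhere
    set_directive "$1" MaxAuthTries 3
    set_directive "$1" LoginGraceTime 30
    set_directive "$1" ClientAliveInterval 300    # drops connections that stop answering
    set_directive "$1" ClientAliveCountMax 2      # after 2 unanswered probes (10 min);
                                                  # a true idle logout is TMOUT in the shell
    set_directive "$1" UseDNS no
    set_directive "$1" AllowGroups sshusers       # the group must exist, or nobody gets in
    set_directive "$1" LogLevel VERBOSE           # logs the fingerprint of every key used
}

CFG=$(mktemp); trap 'rm -f "$CFG" "$CFG.tmp"' EXIT
cat > "$CFG" <<'EOF'
# constructed sample resembling a stock CentOS 7 sshd_config
#Port 22
#ListenAddress 0.0.0.0
#PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
#UseDNS yes
Subsystem sftp /usr/libexec/openssh/sftp-server
Match User backup
    PasswordAuthentication yes
EOF

echo "before: PermitRootLogin=$(effective_value "$CFG" PermitRootLogin)" \
     "PasswordAuthentication=$(effective_value "$CFG" PasswordAuthentication)"
harden_sshd_config "$CFG"
echo "after:  PermitRootLogin=$(effective_value "$CFG" PermitRootLogin)" \
     "PasswordAuthentication=$(effective_value "$CFG" PasswordAuthentication)"

# Always syntax-check before "systemctl reload sshd", and keep the current
# session open until a fresh login works; a bad config plus a closed session
# is how administrators lock themselves out.
if command -v sshd >/dev/null 2>&1; then
    sshd -t -f "$CFG" 2>/dev/null && echo "sshd -t: syntax ok" \
        || echo "sshd -t failed (also happens without readable host keys)"
fi
```

On a real host, run it against a copy of /etc/ssh/sshd_config, diff the result, and only then move it into place and reload.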
Best practices for the SSH service:
1) Change the service port; do not use the default port 22;
2) Disable SSH protocol version 1;
3) Configure the whitelists and blacklists of login users sensibly;
4) Set a timeout for unresponsive sessions and keep it short (ClientAliveInterval and ClientAliveCountMax drop dead connections; a truly idle login is ended by a shell-level TMOUT);
5) Restrict access to the SSH port with firewall rules;
6) Listen on a fixed IP address instead of 0.0.0.0;
7) If password authentication must be used, use sufficiently complex passwords, for example generated with:
~]# tr -dc A-Za-z0-9 </dev/urandom | head -c 30 | xargs
~]# openssl rand -base64 30 | head -c 30 | xargs
8) Prefer key-based authentication (and set PasswordAuthentication no once keys are in place);
9) Forbid logins with an empty password (PermitEmptyPasswords no);
10) Do not allow root to log in directly (PermitRootLogin no);
11) Limit the number of failed password attempts and of concurrent unauthenticated connections (MaxAuthTries, MaxStartups, or a tool such as fail2ban);
12) Log thoroughly and review the logs regularly (/var/log/secure on CentOS; journalctl -u sshd on CentOS 7).
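Points 11 and 12 in practice, as an added example that is not part of the original page: awk over /var/log/secure (the file sshd logs to on CentOS; journalctl -u sshd shows the same messages on CentOS 7) to count failed password attempts per source address, separate successful logins by method, and flag sources over a threshold. The log lines are constructed samples in sshd's real message format; the threshold and the firewall rule are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page: the log review from points
# 11 and 12 done with awk over /var/log/secure, the file sshd logs to on
# CentOS (on CentOS 7 "journalctl -u sshd" shows the same messages). The
# log lines are constructed samples in sshd's real message format; the
# threshold and the firewall rule are assumptions for the demo.
set -eu

LOG=$(mktemp); trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Mar  3 10:15:01 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:15:03 web1 sshd[2205]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  3 10:15:05 web1 sshd[2210]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 10:16:11 web1 sshd[2215]: Accepted publickey for ppp213 from 198.51.100.20 port 40022 ssh2: ED25519 SHA256:constructedfingerprint
Mar  3 10:20:44 web1 sshd[2230]: Failed password for ppp213 from 198.51.100.20 port 40100 ssh2
Mar  3 10:20:50 web1 sshd[2230]: Accepted password for ppp213 from 198.51.100.20 port 40100 ssh2
EOF

# failed_by_ip FILE -> "<count> <source ip>" per address, busiest first
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# offenders FILE THRESHOLD -> addresses with at least THRESHOLD failures
offenders() {
    failed_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# root_failures FILE -> failed attempts aimed at root specifically; with
# PermitRootLogin no these are pure noise, and a rising count after the
# change is a sign the new configuration was never reloaded
root_failures() {
    grep -c 'Failed password for root from' "$1" || true
}

# accepted_by_method FILE -> "<count> <method>" (password vs publickey);
# password successes should drop to zero once keys are everywhere
accepted_by_method() {
    awk '/sshd\[[0-9]+\]: Accepted / { n[$7]++ } END { for (m in n) print n[m], m }' "$1" | sort -rn
}

echo "failed password attempts per source:"
failed_by_ip "$LOG"
echo "successful logins by method:"
accepted_by_method "$LOG"
echo "failed attempts against root: $(root_failures "$LOG")"
echo "sources with 3 or more failures (assumed threshold):"
for ip in $(offenders "$LOG" 3); do
    # printed, not executed: the CentOS 7 rule to reject the source;
    # on CentOS 6: iptables -I INPUT -s $ip -j DROP
    echo "  $ip -> firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"$ip\" reject'"
done
# fail2ban automates exactly this loop; "lastb" shows the same failures from /var/log/btmp.
```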
6. Secure copy over SSH: scp
Two use cases:
Push: send local files to the server
scp [option ...] /path/from/local_file [user@]hostname:/path/to/destination_remote_file
Pull: fetch files from the server to the client
scp [option ...] [user@]hostname:/path/from/remote_file /path/to/local_file
Common options:
-r: recursive copy, needed for directories;
-p: preserve the modification times and permissions of the source files;
-q: quiet mode;
-P port: the port on which the remote host's sshd listens (note the upper-case -P, unlike ssh -p);
7. Secure file transfer: sftp
A file-transfer protocol that runs over SSH. Plain FTP sends everything, including credentials, in cleartext and is insecure; SFTP inherits the encryption and authentication of SSH. (Do not confuse it with FTPS, which is FTP over SSL/TLS, a different protocol.)
sftp is itself a client/server program:
Server: sftp-server, a subsystem started by sshd on request (the Subsystem sftp line in sshd_config); enabled by default on CentOS
Client: the sftp command
Format:
sftp [user@]hostname
Common interactive commands:
help: show help
ls
cd
get /path/to/remote_file /path/to/local_file: download a file from the server
put /path/from/local_file /path/to/remote_file: upload a file from the local host to the server
quit: exit
Remote login to Linux systems with telnet and the SSH protocol