How to enable the SSH service in ubuntu14.04
SSHThis is short for Secure Shell, developed by the Network Working Group of IETF. SSH is a security protocol built on the application layer and transport layer. SSH is a reliable protocol designed for remote logon sessions and other network services. The SSH protocol can effectively prevent information leakage during Remote Management. SSH was originally a program on a UNIX system and then quickly extended to other operating platforms. SSH can compensate for Network Vulnerabilities when used correctly. The SSH client is applicable to multiple platforms. Almost all u nix platforms-including HP-UX, Linux, Aix, Solaris, Digital UNIX, Irix, and other platforms-can run ssh.
Method: Use the apt-Get software package on the terminal to install OpenSSH server. The installation method is as follows:
||Sudo apt-Get install OpenSSH-Server
Check whether the SSH server is working:
|Ubuntu $ PS-AEF | grep sshd
Root 24114 1 0 :18? 00:00:00/usr/sbin/sshd
Now, connect to the local SSH server:
Then you will be asked if you want to continue. Enter yes.
Log on with your local account and password.
If the logon is successful, OK, well done!
Modify the configuration file:
It is a good habit to back up the original configuration file before modification:
Configure the client software
OpenSSH has three configuration methods: command line parameters, user configuration files, and system-level configuration files ("/etc/ssh/ssh_config "). The command line parameter takes precedence over the configuration file, and the user configuration file takes precedence over the system configuration file. All command line parameters can be set in the configuration file. Because no default user configuration file exists during installation, copy "/etc/ssh/ssh_config" and rename it "~ /. Ssh/config ".
The standard configuration file is like this:
[Lots of explanations and possible options listed]
|# Be paranoid by default
You can also use "Man ssh" to view "configuration files" For many options.
Configuration files are read in order. The setting takes effect first.
Assume that you have an account named "Bilbo" on www.foobar.com. In addition, you need to combine "ssh-agent" and "ssh-Add" and use data compression to speed up transmission. Because the host name is too long, you are too lazy to enter such a long name, using "FBC" as the abbreviation of "www.foobar.com. Your configuration file can be like this:
|Host * FBC
# Be paranoid by default
After you enter "ssh FBC", SSH will automatically find the full name of the host from the configuration file, log on with your username, and use the key managed by "ssh-agent" for security verification. This is very convenient!
The default setting of "paranoid (paranoid)" is used to connect to other remote computers through SSH. If some options are not set in the configuration file or command line, use the default "Paranoid" settings.
In the above example, for SSH connections to www.foobar.com: "forwardagent" and "compression" are set to "yes "; other setting options (if the command line parameter is not used) "forwardx11" and "fallbacktorsh" are both set to "no ".
Other settings that need to be carefully checked are as follows:
L checkhostip Yes
This option is used to check IP addresses to prevent DNS spoofing.
The compression level ranges from "1" (fastest) to "9" (highest compression rate ). The default value is "6 ".
L forwardx11 Yes
This option must be set to run remote X programs locally.
L loglevel debug
This option is useful when there is a problem with SSH. The default value is "info ".
Configure the server software
The configuration of the SSH server uses the "/etc/ssh/sshd_config" configuration file, the settings of these options are described in the configuration file and can be viewed with "Man sshd. Note that OpenSSH does not have different configuration files for SSH 1.x and 2.x.
Note the following in the default settings:
L permitrootlogin Yes
It is best to set this option to"
In this way, the "root" user cannot log on from a computer without a key. Setting this option to "no" will disable "root" User Logon. You can only use the "Su" command to convert it from a common user to "root ".
L x11forwarding No
Set this option to "yes" to allow the user to run the X program on the remote host. Even disabling this option does not improve server security because users can install their own forwarder (forwarder). For more information, see "Man sshd ".
L passwordauthentication Yes
Set this option to "no" and only allow users to log on using the key-based method. This will of course cause trouble for users who often need to log on from different hosts, but it can greatly improve the system security. Password-based logon has many weaknesses.
L # subsystem/usr/local/sbin/sftpd
Remove the # At the beginning and set the path name to "/usr/bin/sftpserv", you can use "SFTP" (Secure FTP) (sftpserv is in SFTP package ). Because many users are familiar with FTP and "SCP" is also troublesome to use, "SFTP" is still very useful. The graphic FTP tool "gftp" later than version 2.0.7 also supports "SFTP ".
Copy an object
Use "SCP" to copy an object
SSH provides commands and shells to log on to the remote server. By default, it does not allow you to copy files, but provides an "SCP" command.
Suppose you want to copy a file named "dumb" in the current directory of the Local Computer to your home directory on the remote server www.foobar.com. The name of your account on the remote server is Bilbo ". You can use this command:
||SCP dumb [email protected]:.
Copy the file back and use this command:
||SCP [email protected]: Dumb.
"SCP" calls SSH to log on, copy the file, and call SSH to close the connection.
If your "~ The/. Ssh/config file has configured www.foobar.com as follows:
|Host * FBC
Then you can replace "[email protected]" with "FBC", and the command is simplified to "SCP dumb FBC :.".
"SCP" assumes that your home directory on the remote host is your working directory. If you use a relative directory, it is relative to the home directory.
The "-R" parameter of the "SCP" command allows recursive directory copying. "SCP" can also copy files between two different remote hosts.
Sometimes you may try to do this: After logging on to www.foobar.com via SSH, enter the command "SCP [Local Machine]: Dumb. "You want to use it to copy the local" dumb "file to the remote server you are currently logged on. At this time, you will see the following error message:
SSH: secure connection to [Local Machine] refused
This error message appears because you are running the remote "SCP" command, which attempts to log on to the SSH service program running on your local computer ...... So it is best to run "SCP" locally unless your local computer also runs the SSH service program.
Use "SFTP" to copy files
If you are used to copying files using FTP, try "SFTP ". "SFTP" establishes a secure FTP connection channel encrypted by SSH and allows the use of standard FTP commands. Another benefit is that "SFTP" allows you to run remote programs using the "EXEC" command. After version 2.0.7, the graphic FTP client software "gftp" supports "SFTP ".
If the SFTP server software "sftpserv" is not installed on the remote server ", you can copy the "sftpserv" executable file to your remote home directory (or the path set in the $ PATH environment variable of the remote computer ). "SFTP" will automatically activate this service software, and you do not need to have any special permissions on the remote server.
Use "rsync" to copy files
"Rsync" is a useful tool for copying, updating, and moving remote and local files. It is easy to use the "-e ssh" parameter in combination with SSH. One advantage of "rsync" is that it does not copy all files, but only Copies files in the local directory and remote directory that are different. It also uses a very efficient compression algorithm, so that the copy speed is very fast.
Copy files using "encrypted channel" ftp
If you insist on using traditional FTP client software. SSH can provide "secure channels" for almost all protocols ". FTP is a strange protocol (such as requiring two ports), and there are some differences between different service programs and service programs, between customer programs and customer programs.
The "encrypted channel" is implemented by using "port forwarding ". You can set a unused local port (usually greater than 1000) to forward to a remote server, and then connect to the port on the local computer. A little complicated, right?
In fact, a basic idea is to forward a port so that SSH can run in the background. Run the following command:
||SSH [[email protected] Host]-F-l 1234: [remote host]: 21 tail-F/etc/motd
Run the FTP client and set it to the specified port:
||FTP-U [username]-P 1234 localhost
Of course, this method is very troublesome and error-prone. Therefore, it is best to use the first three methods.
Set "encrypted channel" Using SSH"
Basic knowledge of encrypted channels
The "encrypted channel" of SSH is implemented through "port forwarding. You can establish an "encrypted channel" between the local port (unavailable) and the port of a service running on the remote server ". Connect to the local port. All requests to the local port are encrypted by SSH and forwarded to the remote server port. Of course, only the "encrypted channel" can work when the SSH server software is running on the remote server. Run the following command to check whether some remote servers are running the SSH service:
Telnet [full name of remote host] 22
If you receive the following error message:
TELNET: Unable to connect to remote host: Connection refused
The SSH service software is not running on the remote server.
Port forwarding uses the following command syntax:
Ssh-f [[email protected] Host]-l [local port]: [full name of remote host]: [remote port] [some command]
You can not only forward multiple ports, but also The/. Ssh/config file uses "localforward" to set frequently used forwarding ports.
Add "encrypted channel" to pop"
You can use the POP protocol to get an email from the server. Adding an encrypted channel to pop can prevent the pop password from being listened to by the Network listener (sniffer. Another advantage is that the SSH compression method can make mail Transmission faster.
Assume that you have a POP account on pop.foobar.com. Your username is Bilbo and your pop password is topsecret ". The command used to create an SSH "encrypted channel" is:
Ssh-F-C [email protected]-l 1234: pop.foobar.com: 110 sleep 5
(To test, you can add the "Sleep" value to 500 ). After running this command, you will be prompted to enter the pop password:
[Email protected]'s password:
After entering the password, you can use "Telnet" to connect to the local forwarding port.
Telnet local host 1234
You will receive the "ready" Message from the remote mail server.
Of course, this method requires you to manually enter all pop commands, which is inconvenient. You can use fetchmail (refer to how to configure fetchmail ). Secure pop via SSH mini-howto, man fetchmail, and in "/usr/doc/fetchmail-[…]" The fetchmail FAQ in the Directory provides some specific examples.
Note that the IMAP protocol uses different ports: The IMAP V2 port number is 143, and the IMAP V3 port number is 220.
Add "encrypted channel" to X"
If you want to run the X program on the remote SSH server on the Local Computer, log on to the remote computer and create a program named "~ /. Ssh/environment "file and add this line:
Xauthority =/home/[remote user name]/. Xauthority
(If the file ". Xauthority" does not exist in your home directory on the remote host, it is automatically created when you log on to the remote host through SSH ).
For example, to start an X program (xterm), run the following command:
Ssh-F-X-L [remote user name] [remote machine] xterm
This will run the xterm program remotely. Other x programs use the same method.
Add "encrypted channel" to linuxconf"
Linuxconf is a Linux Configuration tool that supports remote management. The linuxconf FAQ reexplains how to use linuxconf through SSH:
The command is:
Remadmin-exec [link_command] linuxconf-guiproto
If you want to transmit information encrypted between two computers, you 'd better use SSH. Command:
Remadmin-exec ssh-L [account] linuxconf-guiproto
This is very effective and runs with a graphical interface to manage computers.
In this method, you need to install linuxconf on the client. Other methods include directly logging on to the server and running linuxconf on the "x11forwarding" or character interface.
Add "encrypted channel" to Webmin"
Webmin is a new browser-based configuration tool. It runs on port 1000. You can use SSH port forwarding to encrypt it:
||Ssh-F-L [remote user name] [remote host]-l 1234: [remote host]: 10000 tail-F/etc/motd
Point the browser to http: // localhost: 1234
After modification, remember to restart the SSH service:
||Sudo/etc/init. d/ssh restart
The SSH key allows you to log on to the host without entering a password.
Generate a key on your own machine:
This allows you to create a DSA-encrypted identity. You will be asked to enter the password. If you do not want to enter the password, press Enter.
Now you have a pair of keys: public keys should be distributed to all remote hosts that you want to log on with SSH. Private keys should be kept properly to prevent others from knowing your private keys. Use "ls-L ~ /. Ssh/identity or "ls-L ~ The access permission for the file displayed in/. Ssh/id_dsa must be "-RW ---".
By default, the Public Key is stored in the file ~ /. Ssh/id_dsa.pub, and save the private key in ~ /. Ssh/id_dsa. Copy the public key to the remote host and attach it
~ /. Ssh/authorized_keys:
||Ssh-copy-ID [email protected]
Finally, check the authorized_keys file carefully to ensure that only authenticated users have read and write permissions. If not, run the following command to modify the permission:
||Chmod 600. Ssh/authorized_keys
SSH will not work unless you have the write permission on the "authorized_keys" file.
Now you should be able to connect to the SSH server without entering the password.
If you want to log on to a remote host from a different computer, the "authorized_keys" file can also have multiple public keys. In this case, you must re-generate a pair of keys on the new computer, copy and paste the generated "Identify. Pub" file into the "authorized_keys" file of the remote host. Of course, you must have an account on the new computer, and the key is password-protected. It is very important that you do not forget to delete this pair of keys after you cancel this account.
Ttp: // www.mandrakeuser.org/secure/index.html
Https://help.ubuntu.com/community/SSH/OpenSSH/Advanced? Action = show & redirect = advancedopenssh