OpenSSH
OpenSSH is a free, open-source implementation of the SSH (Secure Shell) protocol. It provides encrypted network connection tools that replace telnet, ftp, rlogin, rsh, and rcp. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2. Since OpenSSH 2.9 the default protocol has been version 2, which uses RSA keys by default.
1. Why is SSH used?
Using OpenSSH improves the security of your system. All communication carried by the OpenSSH tools, including passwords, is encrypted. Telnet and FTP send passwords and session data in plain text, so the traffic can be intercepted and the password recovered; an unauthorized user can then log on to your system with that password and cause harm. Use the OpenSSH tool set wherever possible to avoid these risks.
Another reason to use OpenSSH is that it automatically forwards the DISPLAY variable to the client machine. In other words, if you run the X Window System on your local machine and log on to a remote machine with the ssh command, any program requiring X that you start on the remote machine is displayed on your local machine. If you prefer graphical system management tools but cannot always be at the server in person, this makes your work much easier.
2. Configure the OpenSSH server
To run an OpenSSH server, first confirm that the correct RPM packages are installed. The openssh-server package is required, and it depends on the openssh package.
The OpenSSH daemon uses the /etc/ssh/sshd_config configuration file. The default configuration file installed with Red Hat Linux 9 is sufficient in most cases. If you want to configure the daemon in a way the default sshd_config does not provide, read the sshd manual (man) page for a list of the keywords that can be set in the configuration file.
To start the OpenSSH service, run /sbin/service sshd start. To stop it, run /sbin/service sshd stop. To have the daemon start automatically at boot, see the documentation on managing services.
If you reinstall Red Hat Linux, any client that connected to the system with OpenSSH before the reinstallation sees the following message afterwards:
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The reinstalled system creates a new set of identification keys for itself, so clients see a warning that the RSA host key has changed. If you want to keep the system's original host keys, back up the /etc/ssh/ssh_host*key* files and restore them after the system is reinstalled. This preserves the system's identity, and clients connecting after the reinstall do not see the warning above. (Another approach is discussed at http://chinaunix.net/forum/viewtopic.php?t=109562&start=0)
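The backup-and-restore step above, as an added example that is not part of the original guide: POSIX sh functions that copy the /etc/ssh/ssh_host*key* files with their modes into an owner-only backup directory, restore them after a reinstall, and verify that the restored keys are byte-identical to the backup. SSH_DIR is an assumption of this example so the functions can be exercised against a scratch directory; on a real system they run as root against /etc/ssh.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: preserve a host's SSH identity
# across a reinstall by backing up /etc/ssh/ssh_host*key* with their modes,
# restoring them, and verifying the restored copies match the backup.
SSH_DIR="${SSH_DIR:-/etc/ssh}"   # overridable so the functions can be tested

# backup_host_keys <dest_dir>: copy every host key file, keeping mode and
# timestamps (-p). Runs in a subshell so the restrictive umask that keeps the
# backed-up private keys owner-only does not leak into the caller's shell.
backup_host_keys() (
    dest="$1"
    umask 077
    mkdir -p "$dest" || exit 1
    n=0
    for f in "$SSH_DIR"/ssh_host*key*; do
        [ -f "$f" ] || continue          # an unmatched glob stays literal; skip it
        cp -p "$f" "$dest/" || exit 1
        n=$((n + 1))
    done
    [ "$n" -gt 0 ]                       # nothing to back up is an error
)

# restore_host_keys <src_dir>: put the files back and re-assert the modes
# sshd expects: private keys (no .pub suffix) 0600, public keys 0644.
restore_host_keys() {
    for f in "$1"/ssh_host*key*; do
        [ -f "$f" ] || continue
        cp -p "$f" "$SSH_DIR/" || return 1
        case "$f" in
            *.pub) chmod 644 "$SSH_DIR/$(basename "$f")" || return 1 ;;
            *)     chmod 600 "$SSH_DIR/$(basename "$f")" || return 1 ;;
        esac
    done
    return 0
}

# host_keys_match <backup_dir>: byte-compare each backed-up key with the live
# copy, so a changed key (or a restore that silently failed) is noticed.
host_keys_match() {
    for f in "$1"/ssh_host*key*; do
        [ -f "$f" ] || continue
        cmp -s "$f" "$SSH_DIR/$(basename "$f")" || return 1
    done
    return 0
}
```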
3. Configure the OpenSSH Client
To connect to an OpenSSH server from a client machine, the openssh-clients and openssh packages must be installed on the client.
3.1. Use SSH commands
The ssh command is a secure replacement for rlogin, rsh, and telnet. It lets you log on to a remote machine and execute commands there.
Logging on to a remote machine with ssh is similar to using telnet. To log on to a remote machine named penguin.example.net, type the following at the shell prompt:
ssh penguin.example.net
The first time you use ssh to log on to a remote machine, you see a message similar to the following:
The authenticity of host 'penguin.example.net' can't be established.
DSA key fingerprint is 94:68:3a:3a:bc:f3:9a:9b:01:5d:b3:07:38:e2:11:0c.
Are you sure you want to continue connecting (yes/no)?
Type yes to continue. The server is added to your list of known hosts, as the following message shows:
Warning: Permanently added 'penguin.example.net' (RSA) to the list of known hosts.
Next you are prompted for your password on the remote host. After you enter it, you are at the remote host's shell prompt. If you do not specify a user name, the user name you are logged on as on the local client machine is passed to the remote machine. To use a different user name, run:
ssh username@penguin.example.net
You can also use ssh -l username penguin.example.net.
The ssh command can also execute a command on the remote machine without opening a shell there. The syntax is ssh hostname command. For example, to run ls /usr/share/doc on the remote host penguin.example.net, type the following at the shell prompt:
ssh penguin.example.net ls /usr/share/doc
After you enter the correct password, the contents of the remote directory /usr/share/doc are displayed and you are returned to your local shell prompt.
3.2. Use the SCP command
The scp command transfers files between machines over a secure, encrypted connection. It is similar to rcp.
The general syntax for transferring a local file to a remote system is:
scp localfile username@tohostname:/newfilename
localfile specifies the source file, and username@tohostname:/newfilename specifies the destination.
To transfer the local file shadowman to your account on penguin.example.net, type the following at the shell prompt (replace username with your user name):
scp shadowman username@penguin.example.net:/home/username
This transfers the local file shadowman to /home/username/shadowman on penguin.example.net.
The general syntax for transferring a remote file to a local system is:
scp username@tohostname:/remotefile /newlocalfile
remotefile specifies the source file, and newlocalfile specifies the destination.
The source can be multiple files. For example, to transfer the contents of the directory /downloads to an existing directory called uploads on the remote machine penguin.example.net, type the following at the shell prompt:
scp /downloads/* username@penguin.example.net:/uploads/
3.3. Use the SFTP command
The sftp utility opens a secure, interactive FTP session. It is similar to ftp except that it uses a secure, encrypted connection. The general syntax is sftp username@hostname.com. Once authenticated, you can use a set of commands similar to those of FTP. See the sftp manual (man) page for a list of these commands; to read it, run man sftp at the shell prompt. The sftp utility is available only in OpenSSH 2.5.0p1 and later.
3.4. Generate a key pair
If you do not want to enter your password every time you use ssh, scp, or sftp to connect to a remote machine, you can generate an authorization key pair.
Keys must be generated for each user. To generate keys for a user, follow the steps below as the user who wants to connect to remote machines. If you complete the steps as root, only root can use the keys.
Starting with OpenSSH version 3.0, ~/.ssh/authorized_keys2, ~/.ssh/known_hosts2, and /etc/ssh_known_hosts2 are obsolete. SSH protocols 1 and 2 share the ~/.ssh/authorized_keys, ~/.ssh/known_hosts, and /etc/ssh/ssh_known_hosts files.
Red Hat Linux 9 uses SSH protocol 2 and RSA keys by default.
Tips
If you reinstall Red Hat Linux and want to keep your existing key pairs, back up the .ssh directory in your home directory. After reinstalling, copy the directory back to your home directory. This can be done by every user on the system, including root.
3.4.1. Generate an RSA key pair for version 2
Use the following steps to generate an RSA key pair for version 2 of the SSH protocol. This has been the default since OpenSSH 2.9.
1. To generate an RSA key pair to work with version 2 of the protocol, type the following at the shell prompt:
ssh-keygen -t rsa
Accept the default file location of ~/.ssh/id_rsa. Enter a passphrase different from your account password, and enter it again to confirm.
The public key is written to ~/.ssh/id_rsa.pub and the private key to ~/.ssh/id_rsa. Never give your private key to anyone.
2. Change the permissions of your .ssh directory with the command chmod 755 ~/.ssh.
3. Copy the contents of ~/.ssh/id_rsa.pub into the file ~/.ssh/authorized_keys on the machine you want to connect to. If ~/.ssh/authorized_keys does not exist there, you can copy the file ~/.ssh/id_rsa.pub to ~/.ssh/authorized_keys on that machine.
4. If you are running GNOME, skip to section 3.4.4. If you are not running the X Window System, skip to section 3.4.5.
3.4.2. Generate a DSA key pair for version 2
Use the following steps to generate a DSA key pair for version 2 of the SSH protocol.
1. To generate a DSA key pair to work with version 2 of the protocol, type the following at the shell prompt:
ssh-keygen -t dsa
Accept the default file location of ~/.ssh/id_dsa. Enter a passphrase different from your account password, and enter it again to confirm.
Tips
A passphrase is a string of words and characters used to authenticate a user. Passphrases differ from passwords in that you can use spaces or tabs in a passphrase. Passphrases are generally longer than passwords because they are usually phrases rather than a single word.
The public key is written to ~/.ssh/id_dsa.pub and the private key to ~/.ssh/id_dsa. It is important never to give your private key to anyone.
2. Change the permissions of your .ssh directory with the command chmod 755 ~/.ssh.
3. Copy the contents of ~/.ssh/id_dsa.pub into the file ~/.ssh/authorized_keys on the machine you want to connect to. If ~/.ssh/authorized_keys does not exist there, you can copy the file ~/.ssh/id_dsa.pub to ~/.ssh/authorized_keys on that machine.
4. If you are running GNOME, skip to section 3.4.4. If you are not running the X Window System, skip to section 3.4.5.
3.4.3. Generate an RSA key pair for versions 1.3 and 1.5
Use the following steps to generate an RSA key pair for version 1 of the SSH protocol. If you connect only between systems that use DSA, you do not need an RSA version 1.3 or 1.5 key pair.
1. To generate an RSA (version 1.3 and 1.5 protocol) key pair, type the following at the shell prompt:
ssh-keygen -t rsa1
Accept the default file location (~/.ssh/identity). Enter a passphrase different from your account password, and enter it again to confirm.
The public key is written to ~/.ssh/identity.pub and the private key to ~/.ssh/identity. Do not give your private key to anyone.
2. Change the permissions of your .ssh directory and your key with the commands chmod 755 ~/.ssh and chmod 644 ~/.ssh/identity.pub.
3. Copy the contents of ~/.ssh/identity.pub into the file ~/.ssh/authorized_keys on the machine you want to connect to. If ~/.ssh/authorized_keys does not exist there, you can copy the file ~/.ssh/identity.pub to ~/.ssh/authorized_keys on the remote machine.
4. If you are running GNOME, skip to section 3.4.4. If you are not running GNOME, skip to section 3.4.5.
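Steps 2 and 3 of sections 3.4.1, 3.4.2 and 3.4.3, as an added example that is not part of the original guide: POSIX sh functions that append a protocol 2 public key (ssh-rsa or ssh-dss; the protocol 1 identity.pub format is not accepted) to ~/.ssh/authorized_keys only if it is not already there, set the tighter modes 700 and 600 (sshd's StrictModes check only rejects a directory or file that is writable by group or others, so the guide's 755 also works), and verify the result. The explicit home-directory argument is an assumption of this example so it can be run against a scratch directory.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: install a protocol 2 public key
# into a user's ~/.ssh/authorized_keys without duplicates, and check the
# modes sshd accepts. The home directory is an explicit argument here.

# install_authorized_key <pubkey_file> <home_dir>
install_authorized_key() {
    pub="$1"; sshdir="$2/.ssh"; auth="$sshdir/authorized_keys"
    line=$(head -n 1 "$pub")
    # Accept only "<type> <base64> [comment]"; a private key or stray text
    # pasted by mistake must never end up in authorized_keys.
    case "$line" in
        ssh-rsa\ [A-Za-z0-9+/]*|ssh-dss\ [A-Za-z0-9+/]*) ;;
        *) echo "not an ssh-rsa/ssh-dss public key: $pub" >&2; return 1 ;;
    esac
    mkdir -p "$sshdir" || return 1
    # 700/600 is tighter than the guide's 755; sshd (StrictModes) only
    # refuses the key if the directory or file is group/world-writable.
    chmod 700 "$sshdir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    # Deduplicate on key type and key material (fields 1 and 2) so a changed
    # comment does not produce a second copy of the same key.
    key=$(printf '%s\n' "$line" | cut -d' ' -f1,2)
    if cut -d' ' -f1,2 "$auth" | grep -qxF -- "$key"; then
        return 0                          # already authorized
    fi
    printf '%s\n' "$line" >> "$auth"
}

# count_authorized_keys <home_dir>: number of key lines currently installed.
count_authorized_keys() {
    grep -c '^ssh-' "$1/.ssh/authorized_keys" 2>/dev/null || true
}

# authorized_keys_secure <home_dir>: succeed only if neither ~/.ssh nor
# authorized_keys is writable by group or others (ls mode columns 6 and 9).
authorized_keys_secure() {
    d=$(ls -ld "$1/.ssh" | cut -c1-10)
    f=$(ls -l "$1/.ssh/authorized_keys" | cut -c1-10)
    case "$d" in d????-??-?) ;; *) return 1 ;; esac
    case "$f" in -????-??-?) ;; *) return 1 ;; esac
}
```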
3.4.4. Configure ssh-agent in GNOME
The ssh-agent utility stores your passphrase so you do not have to enter it every time an ssh or scp connection is initiated. If you are using GNOME, the openssh-askpass-gnome utility can prompt you for the passphrase when you log in to GNOME and keep it until you log out. You then do not have to enter your password or passphrase for any ssh or scp connection made during that GNOME session. If you are not using GNOME, see section 3.4.5.
To save your passphrase during a GNOME session, follow these steps:
1. The openssh-askpass-gnome package must be installed; use rpm -q openssh-askpass-gnome to check. If it is not installed, install it from your Red Hat Linux CD set, from a Red Hat FTP mirror site, or using Red Hat Network.
2. Select Main Menu (on the panel) => Preferences => More Preferences => Sessions, and click the Startup Programs tab. Click Add and enter /usr/bin/ssh-add in the Startup Command text field. Set its priority to a number higher than any existing command so that it is executed last; 70 or higher is a good priority for ssh-add. The higher the priority number, the lower the priority, so if other programs are listed, ssh-add should have the lowest priority. Click Close to exit the program.
3. Log out and then log back in to GNOME; in other words, restart X. After GNOME starts, a dialog box appears prompting you for your passphrase. Enter the passphrase requested. If you have both DSA and RSA key pairs configured, you are prompted for both. From now on, ssh, scp, and sftp do not prompt you for a password.
3.4.5. Configure ssh-agent
The ssh-agent utility can store your passphrase so you do not have to enter it every time you initiate an ssh or scp connection. If you are not running the X Window System, follow these steps at the shell prompt. If you are running GNOME but do not want to configure it to prompt for your passphrase at login (see section 3.4.4), this procedure works in a terminal window such as an xterm. If you are running X but not GNOME, this procedure also works in a terminal; however, the passphrase is then remembered only in that terminal window, not globally.
1. At the shell prompt, type:
exec /usr/bin/ssh-agent $SHELL
2. Then type:
ssh-add
and enter your passphrase. If you have more than one key pair configured, you are prompted for each passphrase.
3. When you log out, your passphrase is forgotten. You must run these two commands each time you log in to a virtual console or open a terminal window.
4. Additional resources
The OpenSSH and OpenSSL projects are in constant development, so the most up-to-date information is usually found on their websites. The manual (man) pages for the OpenSSH and OpenSSL tools are also good sources of detailed information.
4.1. Installed documentation
* The ssh, scp, sftp, sshd, and ssh-keygen manual (man) pages describe how to use these commands and every option they accept.
4.2. Useful websites
* http://www.openssh.com - the OpenSSH FAQ, bug reports, mailing lists, project goals, and a more technical explanation of the security features.
* http://www.openssl.org - the OpenSSL FAQ, mailing lists, and a description of the project's goals.
* http://www.freessh.org - SSH client software for other platforms.