Linux SSH Usage depth resolution (key login details)

Source: Internet
Author: User
Tags ftp commands ssh remote command free ssh ssh server dns spoofing

Linux SSH Usage depth resolution (key login details)

The SSH full name Secure Shell, as the name implies, is a very secure shell, and the SSH protocol is a protocol developed by the network Working Group of the IETF (Internet Engineering Task force). SSH's main purpose is to replace the traditional Telnet and R-series commands (rlogin,rsh,rexec, etc.) remote login and remote execution of command tools to enable remote login and remote execution of command encryption. Preventing password leaks due to network snooping poses a threat to the system.

SSH protocol currently has SSH1 and SSH2,SSH2 protocol compatible SSH1. The main software currently implementing the SSH1 and SSH2 protocols is the SSH Communications software of openssh and SSH Communications Security Corporation. The former is a OpenBSD organization developed a free SSH software, the latter is commercial software, so in Linux, FreeBSD, OpenBSD, NetBSD and other free Unix-like system species, unobstructed use of openssh as the implementation of the SSH protocol software. Therefore, this article mainly introduces the use of OpenSSH. It is important to note that the OpenSSH and SSH communications have a different format for the public/private key, and if you want to log in to a Linux system that uses OpenSSH by using SSH communications generated private/public key pairs, the public key/ The private key is formatted for conversion.

Before SSH, the system administrator needs to log in to the remote server to perform system administration tasks, are implemented with Telnet, the Telnet protocol with plaintext password transmission, in the transmission process of data is not encrypted, it is easy to be malicious people on the network to hear the password. Similarly, the R-series commands are also popular before the SSH tool appears (since these commands start with the letter R, so the commands are called R-series commands R is the meaning of remote), for example, Rexec is used to execute commands on a remoted server. The difference from Telnet is that Telnet needs to log on to the remote server before executing the relevant commands, and the R-series commands can integrate the operations of logging in and executing commands and logging out of the system. This makes it unnecessary to log on to the server specifically to execute a command on the remote server.

SSH is an encryption protocol that not only encrypts the password during the login process, but also encrypts the data of the command executed after the login, so that even if someone listens and intercepts your packet on the network, he cannot see the content. OpenSSH is already a standard component of most Linux and BSD operating systems (and even Cygwin), so there is no longer a description of how to install OpenSSH, and if not, you must have OpenSSH installed on your system.

The OpenSSH package contains the following commands:

SSHD――SSH Service-side program

SFTP-SERVER――SFTP Server-side program (a protocol similar to FTP but provides data encryption)

Scp―― non-interactive sftp-server client for uploading/downloading files to the server

Sftp―― Interactive Sftp-server client, with the same usage as FTP commands.

Aliases for Slogin――ssh

SSH――SSH Protocol client program for logging in to remote systems or remote execution commands

SSH-ADD――SSH Agent-related program, used to add DSA key to SSH proxy

SSH-AGENT――SSH Agent Program

SSH-KEYSCAN――SSH Public Key Generator

The most common use of SSH is to remotely log in instead of Telnet. Different from telnet password login, SSH also support PublicKey, Keybord Interactive, GSSAPI and other login methods, not like Telnet only input system password one way. At present, the most commonly used landing mode is the traditional password way and publickey way. Take Redhat AS4 as an example to illustrate the use of these two landing methods.

[[Email protected]mail ~]# ssh

The authenticity of host ' ( ' can ' t be established.

RSA key fingerprint is 43:80:f2:e1:9b:b6:6e:c0:e2:dd:57:8f:ed:89:b3:81.

Is you sure want to continue connecting (yes/no)? Yes

Warning:permanently added '′ (RSA) to the list of known hosts.

[email protected] ' s password:

Last Login:thu Jul 18:47:47 from

[Email protected] ~]#

After the first landing, SSH will put the login SSH fingerprint in the user home directory of the. SSH directory of the know_hosts file, if the remote system has been re-installed, SSH fingerprint has changed, you need to put the. SSH directory in the know_hosts of the corresponding fingerprint deleted, Then log in to answer yes before landing. Please note that the. SSH directory is preceded by "." The hidden directory needs to be ls–a parameters to see. And the permissions of this directory must be 700, and the user's home directory can not give other users write permissions, or the SSH server will refuse to login. If there is an issue that cannot be logged in, check the log file/var/log/secure on the server. It is usually possible to quickly find the reason for not landing.

SSH Remote execution command:

[[email protected] ~]# ssh ls-l/

[email protected] ' s password:

Total 1244

Drwxr-xr-x 2 root root 4096 June 04:02 bin

Drwxr-xr-x 4 root root 4096 Mar 11:17 boot

Drwxr-xr-x 2 root root 4096 Jan 11:26 command

Drwxr-xr-x root root 4096 June 20:09 data

Drwxr-xr-x 9 root root 5360 Jul 2 13:38 Dev

Drwxr-xr-x root root 12288 Jul 04:02 etc

Drwxr-xr-x root root 4096 Apr 10:54 Home

Drwxr-xr-x 2 root root 4096 2004 INITRD

After you enter the correct password, SSH links the remote server's sshd server program, and then executes the remote server

Ls–l/Command, and upload the input results to the local server. It is equivalent to logging on to the remote server before implementing the command Ls–l/and finally logging out of the server. It is important to note that if you need to log into the server and execute more than one command, you must enclose the command in single or double quotation marks:

SSH "cd/root && ls"

SSH remote command function is used to replace the original R Series command, before the advent of SSH system administrators have to use Rexec, rsh and other insecure remote command tools to do the same thing. This function is very useful when managing a large number of machines, such as I want to restart all the servers in the network segment, just enter a command:

For I in $ (seq 1 254); Do ssh 10.0.0.${i} reboot; Done

You can complete the operation of restarting all servers, perhaps you will say, although it does not need to log on to each server, but still have to enter the password every time, more trouble ah. Don't worry, the following will be said with the SSH public key mode login is to solve the problem.

Login with Public key:

The OpenSSH ssh-keygen command is used to generate such a private key and public key.

[Email protected] ~]# ssh-keygen-b 1024-t dsa-c [email protected]

Generating Public/private DSA key pair.

#提示正在生成, if you choose 4096 length, it may take a long time

Enter file in which to save the key (/ROOT/.SSH/ID_DSA):

# Ask to put the public key and the private key there, enter the default location can

Enter passphrase (empty for no passphrase):

# Ask for input private key words, in order to achieve automatic landing, should not be a secret word, direct return

Enter same Passphrase again:

# Prompt for the passphrase again, enter again

Your identification has been saved IN/ROOT/.SSH/ID_DSA.

Your public key has been saved in/root/.ssh/

# Prompt public and private keys are already stored in the/root/.ssh/directory

The key fingerprint is:

71:e5:cb:15:d3:8c:05:ed:05:84:85:32:ce:b1:31:ce [email protected]

# hint Key's fingerprint


The-B 1024 uses a 1024-byte public/private key pair, a maximum of 4096 bytes, a general 1024 or 2048 can be, too long encryption and decryption takes a long time.

The-t DSA uses the public/private key pair of DSA encryption, in addition to the DSA and RSA mode, the minimum RSA mode can not be less than 768 bytes length.

-c [email protected] a comment and description of this public/private key pair is generally replaced by the mail for everyone.

[Email protected] ~]# ls-l/root/.ssh

Total 16

-RW ——-1 root root 668 Jul 20:07 ID_DSA

-rw-r–r–1 root root 611 Jul 20:07

-rw-r–r–1 root root 222 Jul 19:37 known_hosts

The resulting public/private key file is in the. SSH directory of the user's home directory, where is the public key that uploads the resulting public key to the home directory of the corresponding user directory of the server that needs to be logged in. ssh directory, once again emphasizing the user's own directory (home directory) Must not have other people writable permissions, the. SSH directory must have permissions of 700, that is, in addition to the user's own, other people do not read and write to view the directory permissions, or the SSH server will refuse to log in. The SSH default public key file is the Authorized_keys file in the user's home directory under the. SSH directory, so you need to put the generated public key in this file name in the server's/root/.ssh/directory, this file can hold multiple client public key files, Like a door can be a lot of locks, you can have different keys to try to unlock, as long as a lock is opened, the door can be opened. This should be the case on the server:

The private key must be 600 permissions, or the SSH server will deny the user login.

That's roughly what it looks like. Now the configuration of/etc/ssh/ssh_config and/etc/ssh/sshd_config.


Host *

The option "Host" is valid only for computers that can match the following string. "*" means all computers.

Forwardagent No

"Forwardagent" Sets whether the connection is forwarded to the remote computer through the authentication agent (if present).

ForwardX11 No

"ForwardX11" sets whether the X11 connection is automatically redirected to a secure channel and display set.

Rhostsauthentication No

The "rhostsauthentication" setting uses rhosts-based security authentication.

Rhostsrsaauthentication No

The "rhostsrsaauthentication" setting uses rhosts-based security authentication with the RSA algorithm.

Rsaauthentication Yes

The "rsaauthentication" setting uses the RSA algorithm for security verification.

Passwordauthentication Yes

The "passwordauthentication" Setting uses password authentication.

Fallbacktorsh No

The "Fallbacktorsh" setting if an error occurs with an SSH connection automatically uses RSH.

Usersh No

"Usersh" sets whether to use "Rlogin/rsh" on this computer.

Batchmode No

"Batchmode" If set to "yes", the hint of passphrase/password (interactive input password) will be disabled. This option is useful for script files and batch processing tasks when passwords cannot be entered interactively.

Checkhostip Yes

"Checkhostip" sets whether SSH views the IP address of the host connected to the server to prevent DNS spoofing. The recommended setting is "yes".

Stricthostkeychecking No

"Stricthostkeychecking" If set to "Yes", SSH will not automatically add the computer's key "$HOME/.ssh/known_hosts" file, and once the computer's key has changed, refused to connect.

Identityfile ~/.ssh/identity

"Identityfile" sets the file from which to read the user's RSA Security authentication identity.

Port 22

"Port" sets the port to connect to the remote host.

Cipher Blowfish

"Cipher" sets the password for encryption.

Escapechar ~

"Escapechar" sets the escape character.


Port 22

"Port" sets the port number of the sshd listener.


"ListenAddress" sets the IP address of the SSHD server binding.


"Hostkey" Sets the file that contains the computer's private key.

Serverkeybits 1024

"Serverkeybits" defines the number of bits of the server key.

Logingracetime 600

"Logingracetime" Sets the time, in seconds, that the server waits before disconnecting the connection if the user cannot log on successfully.

Keyregenerationinterval 3600

"Keyregenerationinterval" sets the number of seconds after which the server's key is automatically regenerated (if the key is used). The rekey is regenerated to prevent the intercepted information from being decrypted with the stolen key.

Permitrootlogin No

"Permitrootlogin" setting root can be logged in with SSH. This option must not be set to "yes".

Ignorerhosts Yes

The "ignorerhosts" setting verifies whether the "rhosts" and "shosts" files are used.

Ignoreuserknownhosts Yes

"Ignoreuserknownhosts" sets whether SSH daemon ignores the user's "$HOME/.ssh/known_hosts" when Rhostsrsaauthentication security authentication is performed

Strictmodes Yes

"Strictmodes" Sets whether SSH checks the permissions and ownership of the user home directory and the rhosts file before receiving the logon request. This is usually necessary because novices often set their own directories and files to anyone with write access.

X11forwarding No

The "x11forwarding" setting allows X11 forwarding.

    • This article is from: Linux Learning Tutorial Network

Linux SSH Usage depth resolution (key login details)

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.