Linux SSH usage in depth (key login details)

Source: Internet
Author: User
Tags: free ssh, ssh server, dns spoofing
The full name of SSH is Secure SHell; as the name implies, it is a secure shell. The SSH protocol was developed by the Network Working Group of the Internet Engineering Task Force (IETF). Its main purpose is to replace telnet and the R series commands (rlogin, rsh, rexec, etc.) as the tools for remote login and remote command execution, so that both login and command execution are encrypted and a password can no longer be captured by someone monitoring the network and then used against the system.

The SSH protocol currently exists in two versions, SSH1 and SSH2, and SSH2 is compatible with SSH1. The main implementations of SSH1 and SSH2 are OpenSSH and the commercial SSH product of SSH Communications Security Corporation. The former is free software developed by the OpenBSD project, the latter is commercial software, so free UNIX systems such as Linux, FreeBSD, OpenBSD and NetBSD ship OpenSSH as their SSH implementation, and this article focuses on OpenSSH. Note that the public/private key formats of OpenSSH and SSH Communications differ: to log in to a Linux system running OpenSSH with a key pair generated by SSH Communications software, you must first convert the key format.

Before SSH appeared, system administrators used telnet to log in to remote servers for system management. The telnet protocol sends the password in clear text and does not encrypt data in transit, so anyone listening on the network can easily capture the password. Likewise, before SSH the R series commands were popular (they are called the R series because they all begin with the letter r, for remote); rexec, for example, executes a command on a remote server. The difference from telnet is that with telnet you must log in to the remote server before running a command, whereas the R commands combine logging in, running the command and logging out into one operation, so there is no need to log in to the server just to execute a single command there.
SSH is an encrypted protocol: it encrypts the password during login and also the data of the commands executed after login, so someone who captures your packets on the network cannot read their contents. OpenSSH is now a standard component of most Linux and BSD systems (even Cygwin), so this article does not describe installing it; unless something unusual has happened, OpenSSH is already installed on your system.

The OpenSSH package contains the following commands:

sshd - SSH server program
sftp-server - SFTP server program (SFTP is a protocol similar to FTP but with encrypted data transfer)
scp - non-interactive client for sftp-server, used to upload/download files to/from a server
sftp - interactive client for sftp-server, used in the same way as the ftp command
slogin - alias for ssh
ssh - SSH client program, used to log in to a remote system or execute commands remotely
ssh-add - SSH agent helper, used to add a dsa key to the SSH agent
ssh-agent - SSH authentication agent
ssh-keyscan - gathers the public host keys of SSH servers

The most common use of SSH is remote login in place of telnet. Whereas telnet has only one way in, the system password, SSH supports several authentication methods such as Publickey, Keyboard Interactive and GSSAPI. The most commonly used today are traditional Password login and Publickey login. The following uses Redhat AS4 as an example to illustrate both.

[[email protected] ~]# ssh 172.18.6.227
The authenticity of host '172.18.6.227 (172.18.6.227)' can't be established.
RSA key fingerprint is 43:80:f2:e1:9b:b6:6e:c0:e2:dd:57:8f:ed:89:b3:81.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.18.6.227' (RSA) to the list of known hosts.
[email protected]'s password:
Last login: Thu Jul 12 18:47:47 2007 from 172.18.6.130
[[email protected] ~]#

After the first login, ssh stores the server's host key fingerprint in the known_hosts file in the .ssh directory of the user's home directory. If the remote system has been reinstalled and its fingerprint has changed, delete the corresponding entry from known_hosts in the .ssh directory and log in again, answering yes to the prompt. Note that .ssh is a hidden directory (its name starts with "."); you need ls -a to see it. Its permissions must be 700, and the user's home directory must not be writable by other users, otherwise the ssh server will refuse the login. If you cannot log in, check the log file /var/log/secure on the server; it usually shows quickly why the login was refused.
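The fingerprint prompt above is the moment to notice a changed host key. The following script is an added example, not part of the original article: it compares the key a server presents now (the "host keytype base64" line format that ssh-keyscan prints) with the entry stored in known_hosts, so a script can stop on a change instead of answering yes blindly. The sample known_hosts file and key blobs are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): decide whether a server's
# host key has changed before answering "yes" to the fingerprint prompt.
# It compares the key line a server presents now (the "host keytype base64"
# format that ssh-keyscan prints) with what ~/.ssh/known_hosts stores for
# that host and key type. Sample data is constructed; the key blobs are
# placeholders, not real keys. Hashed entries (HashKnownHosts yes) and
# [host]:port entries are not handled.

# Print the key blob stored in KNOWN_HOSTS_FILE for HOST and KEYTYPE;
# prints nothing when the host has never been seen.
stored_host_key() {
    awk -v h="$2" -v t="$3" '
        /^[[:space:]]*(#|@)/ { next }          # comments, @cert-authority, @revoked
        $2 == t {
            n = split($1, names, ",")          # one entry may list several names
            for (i = 1; i <= n; i++)
                if (names[i] == h) { print $3; exit }
        }' "$1"
}

# Classify a scanned line against the stored entry: prints "unknown",
# "match" or "CHANGED", and returns 1 on CHANGED so a batch script stops
# instead of silently accepting a new key (a reinstalled server is the
# benign explanation; a spoofed host is the one to rule out).
check_host_key() {
    known_hosts_file=$1
    set -- $2                                  # split "host keytype blob"
    oldkey=$(stored_host_key "$known_hosts_file" "$1" "$2")
    if [ -z "$oldkey" ]; then
        echo unknown
    elif [ "$oldkey" = "$3" ]; then
        echo match
    else
        echo CHANGED
        return 1
    fi
}

# Constructed sample known_hosts for the demo (placeholder key blobs).
write_sample_known_hosts() {
    cat > "$1" <<'EOF'
172.18.6.227 ssh-rsa AAAAB3NzaC1yc2EAAAACONSTRUCTEDOLDKEY
# aliases for one host are comma separated
10.0.0.5,srv5 ssh-rsa AAAAB3NzaC1yc2EAAAACONSTRUCTEDSRV5
EOF
}

# Walk through the three outcomes on the sample file.
demo() {
    f=$(mktemp)
    write_sample_known_hosts "$f"
    check_host_key "$f" '172.18.6.227 ssh-rsa AAAAB3NzaC1yc2EAAAACONSTRUCTEDOLDKEY'
    check_host_key "$f" '10.0.0.9 ssh-rsa AAAAB3NzaC1yc2EAAAACONSTRUCTEDNEW'
    check_host_key "$f" '172.18.6.227 ssh-rsa AAAAB3NzaC1yc2EAAAACONSTRUCTEDNEW' \
        || echo "refusing to connect; verify the new fingerprint out of band"
    rm -f "$f"
}
```

Source the file and call demo to see all three outcomes; once a new fingerprint has been confirmed through a trusted channel, ssh-keygen -R host removes the stale entry.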

Executing a command remotely with ssh:

[[email protected] ~]# ssh 172.18.6.227 ls -l /
[email protected]'s password:
total 1244
drwxr-xr-x 2 root root 4096 Jun 26 04:02 bin
drwxr-xr-x 4 root root 4096 Mar 29 11:17 boot
drwxr-xr-x 2 root root 4096 Jan 25 11:26 command
drwxr-xr-x 15 root root 4096 Jun 12 20:09 data
drwxr-xr-x 9 root root 5360 Jul 2 13:38 dev
drwxr-xr-x 87 root root 12288 Jul 11 04:02 etc
drwxr-xr-x 20 root root 4096 Apr 10 10:54 home
drwxr-xr-x 2 root root 4096 Aug 13 2004 initrd

After the correct password is entered, ssh connects to the remote server's sshd, executes ls -l / there, and sends the output back to the local terminal. This is equivalent to logging in to the remote server, running ls -l /, and logging out again. Note that if you want to run more than one command after logging in, enclose the whole command line in single or double quotes, so that the local shell passes it to the remote side as a unit:

ssh 172.18.6.227 "cd /root && ls"

ssh's remote command execution replaces the original R series commands; before ssh, system administrators had to use insecure tools such as rexec and rsh for the same job. This feature is very useful when managing a large number of machines. For example, to restart every server in the 10.0.0.0/24 network segment, a single command suffices:

for i in $(seq 1 254); do ssh 10.0.0.$i reboot; done

and all the servers are restarted. You may object that although you no longer have to log in to each server, you still have to type the password every time, which is tedious. Public key login, described next, solves exactly this problem.

Login with public key:

The OpenSSH ssh-keygen command generates the private/public key pair used for this:

[[email protected] ~]# ssh-keygen -b 1024 -t dsa -C [email protected]
Generating public/private dsa key pair.
# ssh-keygen reports that it is generating the pair; a 4096-bit key can take a long time
Enter file in which to save the key (/root/.ssh/id_dsa):
# asks where to store the keys; press Enter to accept the default location
Enter passphrase (empty for no passphrase):
# asks for a passphrase to protect the private key; for unattended automatic login leave it empty and press Enter
Enter same passphrase again:
# asks for the passphrase again; press Enter again
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
# the private and public keys have been written to /root/.ssh/
The key fingerprint is:
71:e5:cb:15:d3:8c:05:ed:05:84:85:32:ce:b1:31:ce [email protected]
# the fingerprint of the new key

Explanation:
-b 1024: use a key pair 1024 bits long. The maximum is 4096 bits; 1024 or 2048 is generally sufficient, since a longer key makes encryption and decryption slower.
-t dsa: generate a key pair for the dsa algorithm. Besides dsa there is rsa; an rsa key cannot be shorter than 768 bits.
-C [email protected]: a comment describing this key pair, usually the owner's e-mail address; it may be omitted. For more parameters see man ssh-keygen.

[[email protected] ~]# ls -l /root/.ssh
total 16
-rw------- 1 root root 668 Jul 12 20:07 id_dsa
-rw-r--r-- 1 root root 611 Jul 12 20:07 id_dsa.pub
-rw-r--r-- 1 root root 222 Jul 12 19:37 known_hosts

The generated key files are in the .ssh directory of the user's home directory; id_dsa.pub is the public key. Upload the public key to the .ssh directory in the home directory of the account you want to log in as on the server. Once again: the user's home directory must not be writable by other users, and the .ssh directory must have permissions 700, i.e. nobody but the user can read, write or list it, otherwise the ssh server will refuse the login. The default public key file on the server side is authorized_keys in the .ssh directory of the user's home directory, so the generated public key must be placed in the server's /root/.ssh/ directory under that file name. This file can hold the public keys of many clients; think of it as many locks on one door: any key that opens one of the locks opens the door. On the server it should look like this:

The private key must have 600 permissions, otherwise ssh will refuse the login.
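The permission rules above are what sshd's StrictModes check enforces, and getting them wrong is the usual reason key login silently falls back to a password prompt. The script below is an added example, not code from the article: it appends a public key to an account's authorized_keys with the required modes and reports exactly which rule a given home directory violates. It assumes GNU stat (Linux), and the key line used in the demo is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the original article): install a client's public
# key into a server account's authorized_keys the way the article describes,
# with the layout sshd's StrictModes check demands: home directory not
# writable by group or others, ~/.ssh mode 700, authorized_keys mode 600.
# Uses GNU stat (Linux); the demo key line is a constructed placeholder.

# Return 0 if the octal permission digit has the write bit (2) set.
digit_writable() { case "$1" in 2|3|6|7) return 0 ;; *) return 1 ;; esac; }

# Return 0 if PATH is writable by its group or by others.
group_or_other_writable() {
    mode=$(stat -c '%a' "$1")            # e.g. 755, 2775, 1777
    other=${mode#"${mode%?}"}            # last octal digit
    rest=${mode%?}
    group=${rest#"${rest%?}"}            # second-to-last digit
    digit_writable "$group" || digit_writable "$other"
}

# Report everything that would make sshd refuse key login for HOME_DIR.
# Prints one line per problem; returns 0 only when the layout is clean.
check_key_layout() {
    home_dir=$1; problems=0
    if group_or_other_writable "$home_dir"; then
        echo "$home_dir: home directory is writable by group/others"
        problems=$((problems + 1))
    fi
    if [ ! -d "$home_dir/.ssh" ]; then
        echo "$home_dir/.ssh: missing"; problems=$((problems + 1))
    elif [ "$(stat -c '%a' "$home_dir/.ssh")" != 700 ]; then
        echo "$home_dir/.ssh: mode is not 700"; problems=$((problems + 1))
    fi
    ak="$home_dir/.ssh/authorized_keys"
    if [ -f "$ak" ] && group_or_other_writable "$ak"; then
        echo "$ak: writable by group/others"; problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Append every key line from PUBKEY_FILE to HOME_DIR/.ssh/authorized_keys
# (skipping lines already present, so re-running is harmless), set the
# modes, then run the layout check.
install_pubkey() {
    home_dir=$1; pubkey_file=$2
    ssh_dir="$home_dir/.ssh"; ak="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$ak" && chmod 600 "$ak"
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        grep -qxF -- "$line" "$ak" || printf '%s\n' "$line" >> "$ak"
    done < "$pubkey_file"
    check_key_layout "$home_dir"
}

# Run the whole flow in a scratch directory with a constructed key line.
demo() {
    tmp=$(mktemp -d); mkdir "$tmp/home"; chmod 755 "$tmp/home"
    printf '%s\n' 'ssh-dss AAAAB3NzaC1kc3MAAACONSTRUCTED user@client.example' \
        > "$tmp/id_dsa.pub"
    install_pubkey "$tmp/home" "$tmp/id_dsa.pub" && echo "key installed"
    chmod 775 "$tmp/home"                # the mistake the article warns about
    check_key_layout "$tmp/home" || echo "sshd would refuse this login"
    rm -rf "$tmp"
}
```

Source the file and call demo, or run check_key_layout on a real home directory when a key login unexpectedly falls back to a password.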

That's about it. Now let's look at the configuration files /etc/ssh/ssh_config and /etc/ssh/sshd_config.

/etc/ssh/ssh_config:

Host *
The "Host" directive restricts the options that follow it to hosts matching the given pattern; "*" means all hosts.

ForwardAgent no
"ForwardAgent" sets whether the connection to the authentication agent (if one is running) is forwarded to the remote machine.

ForwardX11 no
"ForwardX11" sets whether X11 connections are automatically redirected over the secure channel and DISPLAY set.

RhostsAuthentication no
"RhostsAuthentication" sets whether to use rhosts-based authentication.

RhostsRSAAuthentication no
"RhostsRSAAuthentication" sets whether to use rhosts-based authentication combined with RSA host authentication.

RSAAuthentication yes
"RSAAuthentication" sets whether to use RSA public key authentication.

PasswordAuthentication yes
"PasswordAuthentication" sets whether to use password authentication.

FallBackToRsh no
"FallBackToRsh" sets whether to fall back to rsh automatically if the ssh connection fails.

UseRsh no
"UseRsh" sets whether to use rlogin/rsh for this host.

BatchMode no
If "BatchMode" is set to "yes", the passphrase/password prompts are disabled. This is useful for scripts and batch jobs where nobody can type a password interactively.

CheckHostIP yes
"CheckHostIP" sets whether ssh also checks the IP address of the host it connects to against the known_hosts file, to detect DNS spoofing. The recommended setting is "yes".

StrictHostKeyChecking no
If "StrictHostKeyChecking" is set to "yes", ssh will not automatically add new host keys to "$HOME/.ssh/known_hosts", and will refuse to connect to a host whose key has changed.

IdentityFile ~/.ssh/identity
"IdentityFile" sets the file from which the user's RSA identity (private key) is read.

Port 22
"Port" sets the port used to connect to the remote host.

Cipher blowfish
"Cipher" sets the cipher used to encrypt the session.

EscapeChar ~
"EscapeChar" sets the escape character.

/etc/ssh/sshd_config:

Port 22
"Port" sets the port number that sshd listens on.

ListenAddress 192.168.1.1
"ListenAddress" sets the IP address the sshd server binds to.

HostKey /etc/ssh/ssh_host_key
"HostKey" names the file containing the server's private host key.

ServerKeyBits 1024
"ServerKeyBits" defines the number of bits in the server key.

LoginGraceTime 600
"LoginGraceTime" sets the time (in seconds) the server waits before dropping a connection on which the user has not logged in successfully.

KeyRegenerationInterval 3600
"KeyRegenerationInterval" sets the number of seconds after which the server key is automatically regenerated (if one is in use). Regenerating the key prevents captured traffic from being decrypted later with a compromised key.

PermitRootLogin no
"PermitRootLogin" sets whether root may log in through ssh. This option must not be set to "yes".

IgnoreRhosts yes
"IgnoreRhosts" sets whether the "rhosts" and "shosts" files are ignored during authentication.

IgnoreUserKnownHosts yes
"IgnoreUserKnownHosts" sets whether sshd ignores the user's "$HOME/.ssh/known_hosts" during RhostsRSAAuthentication.

StrictModes yes
"StrictModes" sets whether sshd checks the permissions and ownership of the user's home directory and rhosts files before accepting a login. This is usually necessary, because novices often leave their directories and files writable by everyone.

X11Forwarding no
"X11Forwarding" sets whether X11 forwarding is allowed.

PrintMotd yes
"PrintMotd" sets whether sshd prints the contents of "/etc/motd" when a user logs in.

SyslogFacility AUTH
"SyslogFacility" sets the syslog facility code used when logging messages from sshd.

LogLevel INFO
"LogLevel" sets the verbosity level of sshd's log messages. INFO is a good choice; see the sshd man page for details.

RhostsAuthentication no
"RhostsAuthentication" sets whether rhosts or "/etc/hosts.equiv" alone is sufficient for authentication.

RhostsRSAAuthentication no
"RhostsRSAAuthentication" sets whether authentication using rhosts or "/etc/hosts.equiv" combined with RSA host authentication is allowed.

RSAAuthentication yes
"RSAAuthentication" sets whether pure RSA public key authentication is allowed.

PasswordAuthentication yes
"PasswordAuthentication" sets whether password authentication is allowed.

PermitEmptyPasswords no
"PermitEmptyPasswords" sets whether accounts with an empty password may log in.

AllowUsers admin
"AllowUsers" can be followed by any number of user name patterns or user@host patterns, separated by spaces; only matching users may log in. The host part may be a DNS name or an IP address.

Converting an SSH2 (SSH Communications) format public key to OpenSSH format:

ssh-keygen -i -f Identity.pub >> /root/.ssh/authorized_keys2
