Linux SSH usage in depth (key login details)

Source: Internet
Author: User

SSH stands for Secure Shell and, as the name says, it is a secure shell: a protocol developed by the Network Working Group of the IETF (Internet Engineering Task Force). Its main purpose is to replace Telnet and the traditional R-series commands (rlogin, rsh, rexec and so on) as the tools for remote login and remote command execution, encrypting both the login and the commands that follow. This removes the threat to the system posed by passwords leaking to anyone monitoring the network.

There are currently two versions of the SSH protocol, SSH1 and SSH2; SSH2 is compatible with SSH1. The main software implementing SSH1 and SSH2 is OpenSSH and the SSH product of SSH Communications Security Corporation. The former is free software developed by the OpenBSD project, the latter is commercial, so on free UNIX systems such as Linux, FreeBSD, OpenBSD and NetBSD, OpenSSH is used freely as the implementation of the SSH protocol. This article therefore mainly describes the use of OpenSSH. Note that OpenSSH and the SSH Communications software use different public/private key file formats: to log in to a Linux system running OpenSSH with a key pair generated by the SSH Communications software, the public/private keys must first be converted.

Before SSH existed, system administrators logged in to remote servers to perform management tasks with Telnet. The Telnet protocol transmits the password in plaintext and does not encrypt data in transit, so anyone monitoring the network can easily capture the password. The R-series commands were likewise popular before SSH appeared; they are called the R series because they all start with the letter r, for remote, for example rexec executes commands on a remote server. The difference from Telnet is that with Telnet you must log in to the remote server before running a command, whereas an R-series command combines logging in, running the command and logging out in one step, so you do not need to log in explicitly to run a command on a remote server.

SSH is an encrypted protocol: it encrypts not only the password during login but also the data exchanged after login, so that even if someone listens on the network and captures your packets, they cannot read the contents. OpenSSH is already a standard component of most Linux and BSD operating systems (and even Cygwin), so this article does not cover installing OpenSSH; if it is missing, install it on your system first.

The OpenSSH package contains the following commands:

sshd――the SSH server daemon
sftp-server――the SFTP server (a protocol similar to FTP, but with encrypted data transfer)
scp――non-interactive client for sftp-server, used to upload/download files to and from the server
sftp――interactive client for sftp-server, used the same way as the ftp command
slogin――alias of ssh
ssh――the SSH protocol client, used to log in to remote systems or execute commands remotely
ssh-add――SSH agent helper that adds a DSA key to the SSH agent
ssh-agent――the SSH agent program
ssh-keygen――generates SSH public/private key pairs

The most common use of SSH is remote login in place of Telnet. Unlike Telnet, which only offers entering the system password, SSH supports several login methods: password, public key, keyboard-interactive, GSSAPI and more. The two most commonly used are still the traditional password login and public-key login. The following examples, on Red Hat AS4, show both.

[root@mail ~]# ssh
The authenticity of host '' can't be established.
RSA key fingerprint is 43:80:f2:e1:9b:b6:6e:c0:e2:dd:57:8f:ed:89:b3:81.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '' (RSA) to the list of known hosts.
root@'s password:
Last login: Thu Jun 18:47:47 2007 from
[root@qmail ~]#

After the first login, SSH stores the fingerprint of the host you logged in to in the known_hosts file in the .ssh directory of the user's home directory. If the remote system is reinstalled, its SSH fingerprint changes, and you must delete the corresponding entry from known_hosts in the .ssh directory and log in again, answering yes, before the login succeeds. Note that .ssh starts with a "." and is a hidden directory; you need the ls -a option to see it. The permissions of this directory must be 700, and the user's home directory must not be writable by other users, or the SSH server will refuse the login. If you cannot log in, look at the log file /var/log/secure on the server; the reason is usually found quickly there.

Executing a command remotely with SSH:

[root@mail ~]# ssh ls -l /
root@'s password:
total 1244
drwxr-xr-x  2 root root  4096 Jun   04:02 bin
drwxr-xr-x  4 root root  4096 Mar   11:17 boot
drwxr-xr-x  2 root root  4096       11:26 command
drwxr-xr-x    root root  4096 Jun   20:09 data
drwxr-xr-x  9 root root  5360 Jun  2 13:38 dev
drwxr-xr-x    root root 12288 Jun   04:02 etc
drwxr-xr-x    root root  4096 Apr   10:54 home
drwxr-xr-x  2 root root  4096 Aug         initrd

After you enter the correct password, ssh connects to the sshd server program on the remote host, executes ls -l / there and returns the output to the local machine. This is equivalent to logging in to the remote server, running ls -l /, and logging out again. Note that if you need to run more than one command after logging in, you must enclose the command string in single or double quotes:

ssh "cd /root && ls"

Remote command execution with SSH replaces the original R-series commands; before SSH appeared, system administrators had to do the same with rexec, rsh and other insecure remote command tools. This function is very useful for managing a large number of machines. For example, to restart all the servers in a network segment, a single command suffices:

for i in $(seq 1 254); do ssh 10.0.0.${i} reboot; done

and the restart of every server is done. You may object that, although you no longer need to log in to every server, you still have to enter the password every time, which is tedious. The public-key login method described next solves exactly this problem.
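As an added example (not code from the original article), here is the form of that loop a practitioner would actually deploy: it never prompts for a password, times out on unreachable hosts, refuses unknown or changed host keys instead of silently accepting them, and reports which hosts failed. The host names are placeholders, and the SSH_CMD variable is an assumption introduced here so the function can be exercised with a stub instead of a real network.

```shell
#!/bin/sh
# Added example, not code from the original article: a safer version of
# "for i in $(seq 1 254); do ssh 10.0.0.${i} reboot; done".
# SSH_CMD can be overridden (e.g. with a stub) to run the function offline.
SSH_CMD=${SSH_CMD:-"ssh -n -o BatchMode=yes -o ConnectTimeout=5 -o StrictHostKeyChecking=yes"}

# run_on_hosts "host1 host2 ..." "remote command"
# Runs the command on each host in turn, prints one "ok HOST" or
# "fail HOST EXITCODE" line per host and returns the number of failed hosts.
run_on_hosts() {
    hosts=$1
    cmd=$2
    failed=0
    for h in $hosts; do
        # -n                        : do not hand the loop's stdin to the remote command
        # BatchMode=yes             : never prompt for a password; fail immediately instead
        # ConnectTimeout=5          : one dead host must not hang the whole loop
        # StrictHostKeyChecking=yes : an unknown or changed host key aborts the connection
        if $SSH_CMD "$h" "$cmd" >/dev/null 2>&1; then
            echo "ok $h"
        else
            rc=$?
            echo "fail $h $rc"
            failed=$((failed + 1))
        fi
    done
    # shell exit codes only go up to 255
    if [ "$failed" -gt 255 ]; then
        failed=255
    fi
    return "$failed"
}

# Example call (hosts are placeholders):
#   run_on_hosts "10.0.0.1 10.0.0.2" "uptime"
```

Combined with a passphrase-protected key loaded into ssh-agent (one of the package commands listed above), this gives non-interactive login without leaving an unprotected private key on disk; the `fail HOST 255` lines are the ones to investigate, since 255 is the code ssh itself returns when the connection or authentication failed rather than the remote command.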

Login with Public key:

The OpenSSH ssh-keygen command is used to generate such a private key and public key.

[root@mail ~]# ssh-keygen -b 1024 -t dsa -C
Generating public/private dsa key pair.
# Generation is in progress; if you chose a length of 4096, this may take a long time
Enter file in which to save the key (/root/.ssh/id_dsa):
# Asks where to store the public and private keys; press Enter to accept the default location
Enter passphrase (empty for no passphrase):
# Asks for a passphrase for the private key; to allow automatic login, leave it empty and press Enter
Enter same passphrase again:
# Asks for the passphrase again; press Enter
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/
# The public and private keys are now stored in the /root/.ssh/ directory
The key fingerprint is:
# Prints the key fingerprint

-b 1024 generates a 1024-bit public/private key pair; up to 4096 bits is allowed, 1024 or 2048 is usual, and a very long key makes encryption and decryption slow.
-t dsa generates a DSA key pair; besides DSA there is also RSA, for which the shortest allowed length is 768 bits.
-C attaches a comment describing this key pair, usually an e-mail address. It can be omitted; for the other parameters see man ssh-keygen.

[root@mail ~]# ls -l /root/.ssh
total 16
-rw-------  1 root root 668     20:07 id_dsa
-rw-r--r--  1 root root 611 Jun 20:07
-rw-r--r--  1 root root 222 Jun 19:37 known_hosts

The generated public/private key files are in the .ssh directory of the user's home directory; the file with the .pub suffix is the public key, and it is the public key that is uploaded to the home directory of the corresponding user on the server you need to log in to. Once again: the user's home directory must not be writable by anyone else, and the .ssh directory must have permission 700, meaning nobody except the user can read or write it, or the SSH server will refuse the login. By default the SSH server reads public keys from the file authorized_keys in the .ssh directory of the user's home directory, so the generated public key must be placed on the server under /root/.ssh/ with that file name. This file can hold the public keys of many clients; it is like a door fitted with many locks, where different keys can each be tried, and as long as one lock opens, the door opens. On the server it should look like this:

The private key must have permission 600, or SSH will refuse to use it and the login will be denied.
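The permission rules stated here (and earlier for the .ssh directory) are exactly what sshd's StrictModes option enforces before it accepts a key login. The following is an added example, not part of the article, that reproduces those checks in a POSIX shell function so a refused key login can be diagnosed on the server without guessing; it assumes the default key file names id_dsa and id_rsa, and the home directory path is whatever the caller passes in.

```shell
#!/bin/sh
# Added example, not code from the original article: re-run the checks that
# sshd's StrictModes applies before accepting a key login (home directory not
# writable by others, .ssh mode 700, authorized_keys not writable by others,
# private keys mode 600, everything owned by the user or root).

# perm_string PATH -> the ten-character mode field, e.g. "drwx------"
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# owner_uid PATH -> numeric uid of the owner
owner_uid() {
    ls -ldn "$1" | awk '{print $3}'
}

# writable_by_others PATH -> true (0) if the group or other write bit is set
writable_by_others() {
    case "$(perm_string "$1")" in
        ?????w*)    return 0 ;;   # group write bit is the 6th character
        ????????w*) return 0 ;;   # other write bit is the 9th character
    esac
    return 1
}

# check_owner PATH -> true (0) if owned by the calling user or by root
check_owner() {
    uid=$(owner_uid "$1")
    [ "$uid" = "$(id -u)" ] || [ "$uid" = 0 ]
}

# check_ssh_dir HOME -> prints one "PROBLEM ..." line per violation and
# returns the number of violations (0 means sshd would accept the layout)
check_ssh_dir() {
    home=$1
    problems=0
    if writable_by_others "$home" || ! check_owner "$home"; then
        echo "PROBLEM $home must be owned by the user or root and not writable by others"
        problems=$((problems + 1))
    fi
    if [ ! -d "$home/.ssh" ]; then
        echo "PROBLEM $home/.ssh does not exist"
        return $((problems + 1))
    fi
    if [ "$(perm_string "$home/.ssh")" != "drwx------" ] || ! check_owner "$home/.ssh"; then
        echo "PROBLEM $home/.ssh must be mode 700 and owned by the user or root"
        problems=$((problems + 1))
    fi
    f="$home/.ssh/authorized_keys"
    if [ -f "$f" ] && { writable_by_others "$f" || ! check_owner "$f"; }; then
        echo "PROBLEM $f must not be writable by others"
        problems=$((problems + 1))
    fi
    # default private key names are an assumption of this example
    for key in "$home/.ssh/id_dsa" "$home/.ssh/id_rsa"; do
        if [ -f "$key" ] && [ "$(perm_string "$key")" != "-rw-------" ]; then
            echo "PROBLEM $key must be mode 600"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Example call (path is a placeholder):
#   check_ssh_dir /home/admin
```

Run it as root on the server for the user whose key login is being refused; each PROBLEM line corresponds to a condition that makes sshd skip the key and fall back to a password prompt, which is what the "Permission denied" or "Authentication refused: bad ownership or modes" entries in /var/log/secure report.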

That is roughly how it works. Now for the configuration files /etc/ssh/ssh_config (client side) and /etc/ssh/sshd_config (server side).

Client configuration, /etc/ssh/ssh_config:


Host *
The "Host" option applies the settings that follow to computers matching the pattern; "*" means all computers.

ForwardAgent no
"ForwardAgent" sets whether the connection to the authentication agent (if any) is forwarded to the remote computer.

ForwardX11 no
"ForwardX11" sets whether X11 connections are automatically redirected over the secure channel and DISPLAY is set.

RhostsAuthentication no
"RhostsAuthentication" sets whether rhosts-based authentication is used.

RhostsRSAAuthentication no
"RhostsRSAAuthentication" sets whether rhosts authentication combined with the RSA algorithm is used.

RSAAuthentication yes
"RSAAuthentication" sets whether RSA authentication is used.

PasswordAuthentication yes
"PasswordAuthentication" sets whether password authentication is used.

FallBackToRsh no
"FallBackToRsh" sets whether rsh is used automatically if the SSH connection fails.

UseRsh no
"UseRsh" sets whether rlogin/rsh is used on this machine.

BatchMode no
If "BatchMode" is set to "yes", passphrase/password prompts (interactive password entry) are disabled. This option is useful for scripts and batch jobs where a password cannot be entered interactively.

CheckHostIP yes
"CheckHostIP" sets whether ssh also checks the IP address of the host against known_hosts, to detect DNS spoofing. The recommended setting is yes.

StrictHostKeyChecking no
If "StrictHostKeyChecking" is set to "yes", ssh does not automatically add new host keys to "$HOME/.ssh/known_hosts" and refuses to connect once a known host's key has changed.

IdentityFile ~/.ssh/identity
"IdentityFile" sets the file from which the user's RSA authentication identity is read.

Port 22
"Port" sets the port used to connect to the remote host.

Cipher blowfish
"Cipher" sets the cipher used to encrypt the session.

EscapeChar ~
"EscapeChar" sets the escape character.


Server configuration, /etc/ssh/sshd_config:

Port 22
"Port" sets the port number on which sshd listens.

"ListenAddress" sets the IP address to which the sshd server binds.

"HostKey" sets the file containing the computer's private host key.

ServerKeyBits 1024
"ServerKeyBits" defines the number of bits in the server key.

LoginGraceTime 600
"LoginGraceTime" sets the time (in seconds) the server waits before disconnecting if the user has not logged in successfully.

KeyRegenerationInterval 3600
"KeyRegenerationInterval" sets after how many seconds the server key (if one is used) is automatically regenerated. Regenerating the key prevents captured traffic from being decrypted later with a stolen key.

PermitRootLogin no
"PermitRootLogin" sets whether root may log in with SSH. This option must not be set to "yes".

IgnoreRhosts yes
"IgnoreRhosts" sets whether the "rhosts" and "shosts" files are used during authentication.

IgnoreUserKnownHosts yes
"IgnoreUserKnownHosts" sets whether the SSH daemon ignores the user's "$HOME/.ssh/known_hosts" during RhostsRSAAuthentication.

StrictModes yes
"StrictModes" sets whether sshd checks the permissions and ownership of the user's home directory and rhosts files before accepting the login. This is usually necessary, because novices often leave their directories and files writable by everyone.

X11Forwarding no
"X11Forwarding" sets whether X11 forwarding is allowed.

"PrintMotd" sets whether sshd displays the contents of "/etc/motd" when the user logs in.

SyslogFacility AUTH
"SyslogFacility" sets the facility code used when logging messages from sshd.

LogLevel INFO
"LogLevel" sets the verbosity level of sshd's log messages. INFO is a good choice. See the sshd man page for more information.

RhostsAuthentication no
"RhostsAuthentication" sets whether rhosts or "/etc/hosts.equiv" alone is sufficient for authentication.

RhostsRSAAuthentication no
"RhostsRSAAuthentication" sets whether authentication with rhosts or "/etc/hosts.equiv" plus RSA host keys is allowed.

RSAAuthentication yes
"RSAAuthentication" sets whether pure RSA authentication is allowed.

PasswordAuthentication yes
"PasswordAuthentication" sets whether password authentication is allowed.

PermitEmptyPasswords no
"PermitEmptyPasswords" sets whether accounts with an empty password may log in.

AllowUsers admin
"AllowUsers" can be followed by any number of user names or user@host patterns, separated by spaces; the host part can be a DNS name or an IP address.
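To turn the option list above into something that can be checked on a real server, here is an added example (not from the article) that audits an sshd_config file for the settings the list warns about: PermitRootLogin yes, PermitEmptyPasswords yes, StrictModes no, IgnoreRhosts no, the rhosts authentication options, X11Forwarding yes, and password authentication left on (which the article's key-login setup is meant to replace). The sample configuration inside it is constructed for the demonstration and is not any real server's file.

```shell
#!/bin/sh
# Added example, not code from the original article: audit an sshd_config
# for the weak settings discussed in the option list.

# Constructed sample; deliberately contains some weak choices.
sample_weak_config() {
    cat <<'EOF'
# constructed sample sshd_config for the audit example
Port 22
PermitRootLogin yes
StrictModes yes
PasswordAuthentication yes
PermitEmptyPasswords no
IgnoreRhosts no
X11Forwarding no
AllowUsers admin
# a second PermitRootLogin line is ignored by sshd: the first one wins
PermitRootLogin no
EOF
}

# audit_sshd_config FILE -> prints one "WEAK keyword value (reason)" line
# per finding and returns the number of findings.
# Keywords and values are case-insensitive in sshd, "Key=Value" is accepted,
# and only the first occurrence of a keyword takes effect; the awk program
# reproduces that with the seen[] array. Match blocks are not modelled.
audit_sshd_config() {
    sed -e 's/#.*//' -e 's/=/ /' "$1" | tr '[:upper:]' '[:lower:]' | awk '
    BEGIN {
        weak["permitrootlogin yes"]         = "root can log in directly; log in as a normal user and su"
        weak["permitemptypasswords yes"]    = "accounts with an empty password can log in"
        weak["passwordauthentication yes"]  = "password login still enabled; key-only login is the goal"
        weak["strictmodes no"]              = "loose home or .ssh permissions will not be rejected"
        weak["ignorerhosts no"]             = "~/.rhosts and ~/.shosts are trusted"
        weak["rhostsauthentication yes"]    = "rhosts trust without any key"
        weak["rhostsrsaauthentication yes"] = "rhosts trust with an RSA host key"
        weak["x11forwarding yes"]           = "X11 forwarding enabled for every user"
    }
    # first occurrence of each keyword only, matching sshd semantics
    NF >= 2 && !seen[$1]++ && (($1 " " $2) in weak) {
        print "WEAK " $1 " " $2 " (" weak[$1 " " $2] ")"
        n++
    }
    END {
        if (!("permitrootlogin" in seen))
            print "NOTE permitrootlogin not set; the default depends on the OpenSSH version"
        exit n
    }'
}

# Example call on the constructed sample:
#   sample_weak_config > /tmp/sshd_config.sample
#   audit_sshd_config /tmp/sshd_config.sample
```

On the constructed sample this reports three findings (PermitRootLogin yes, PasswordAuthentication yes, IgnoreRhosts no) and ignores the second PermitRootLogin line, which is the behaviour that surprises people who append a hardening line at the bottom of the file without removing the earlier one.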

Converting a public key in SSH2 (SSH Communications) format into OpenSSH format:

ssh-keygen -i -f >> /root/.ssh/authorized_keys2
