Linux Learning Notes < 25 >--OPENSSH Services

Source: Internet
Author: User

SSH: Secure Shell

SSH features:

Uses TCP port 22 by default;

Encrypted authentication;

Encrypted data transfer.


OpenSSH is an open source implementation of SSH that supports both SSH v1 and SSH v2.

However, SSH v1 does not protect against man-in-the-middle attacks, so its use is not recommended.


Client:

Linux: ssh

Windows: PuTTY, SecureCRT, SSH Secure Shell Client, Xmanager

Server side:

Linux: sshd


OpenSSH related commands

1. ssh

-X: enable X11 forwarding

-Y: enable trusted X11 forwarding

-p #: specify the port number


HOST: log in to HOST as the current user

-l USERNAME HOST: log in to HOST as USERNAME

USERNAME@HOST: log in to HOST as USERNAME

USERNAME@HOST 'COMMAND': run COMMAND on HOST as USERNAME, then exit once it finishes


2. scp [options] SRC DEST: option usage is basically the same as for the cp command

-r: recursive

-p: preserve permissions

-a = -rp

scp USERNAME@HOST:/path/to/somefile /path/to/localfile

scp /path/to/localfile USERNAME@HOST:/path/to/somedirectory


3. ssh-keygen

-t {rsa|dsa}: specify the key type

-f /path/to/keyfile: specify the save path and file name

-N 'passwd': specify the passphrase that protects the key

Running ssh-keygen with no options enters interactive mode:

# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
8d:32:74:34:39:56:49:35:a5:fa:9e:1d:59:e7:68:bd [email protected]


4. ssh-copy-id

-i ~/.ssh/id_rsa.pub: specify the public key file

ssh-copy-id -i ~/.ssh/id_rsa.pub USERNAME@HOST


5. sftp: FTP-style file transfer over the encrypted SSH connection

sftp USERNAME@HOST: log in to the SFTP server on HOST as USERNAME


OpenSSH related configuration files

Client SSH configuration file: /etc/ssh/ssh_config

# cat /etc/ssh/ssh_config
#	$OpenBSD: ssh_config,v 1.21 2005/12/06 22:38:27 reyk Exp $

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22                 # port to connect to
#   Protocol 2,1            # supported protocol versions
#   Cipher 3des
#   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
Host *
	GSSAPIAuthentication yes
# If this option is set to yes then remote X11 clients will have full access
# to the original X11 display. As virtually no X11 client supports the untrusted
# mode correctly we set this to yes.
	ForwardX11Trusted yes
# Send locale-related environment variables
	SendEnv LANG LANGUAGE LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
	SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
	SendEnv LC_IDENTIFICATION LC_ALL



Server-side sshd configuration file: /etc/ssh/sshd_config

# vim /etc/ssh/sshd_config
#	$OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0          # serve only on the specified address
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h     # interval at which the server key is regenerated
#ServerKeyBits 768              # server-side key length

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m              # time allowed to log in; the connection is closed after it expires
#PermitRootLogin yes            # allow root to log in
#StrictModes yes
#MaxAuthTries 6                 # number of login attempts allowed

#RSAAuthentication yes
#PubkeyAuthentication yes       # key-based authentication
#AuthorizedKeysFile	.ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes      # password-based authentication

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options               # Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes                      # authenticate through pluggable authentication modules (PAM)

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes                  # whether to print /etc/motd
#PrintLastLog yes               # whether to show the previous login
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner /some/path              # login banner

# override default of no subsystems
Subsystem	sftp	/usr/libexec/openssh/sftp-server


Implement key-based authentication:

1. Generate a key pair on the client host

ssh-keygen


2. Append the contents of the public key file to the .ssh/authorized_keys file in the target user's home directory on the server, in either of two ways:

① ssh-copy-id -i /path/to/pubkey USERNAME@HOST

② copy the public key file to the server with scp, then append it to the .ssh/authorized_keys file in that user's home directory.


After this, logins use key-based authentication and the SSH user no longer has to enter a password.
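The manual variant ② of step 2, as an added example that is not part of the original notes: a POSIX shell function that appends a public key to a user's .ssh/authorized_keys the way the step describes, skips a key that is already present, and sets the permissions that sshd's StrictModes expects. The key material, user name and home directory are constructed placeholders.

```shell
#!/bin/sh
# install_pubkey PUBKEY_FILE HOME_DIR
# Appends PUBKEY_FILE to HOME_DIR/.ssh/authorized_keys (step 2 on the server),
# creating the directory with mode 700 and the file with mode 600 so that
# sshd's StrictModes does not reject them.
install_pubkey() {
    pubkey=$1; home=$2
    keydir="$home/.ssh"; authkeys="$keydir/authorized_keys"
    mkdir -p "$keydir" && chmod 700 "$keydir"
    touch "$authkeys" && chmod 600 "$authkeys"
    # Compare on the key material (type + base64), not the trailing comment,
    # so the same key with a different comment is not appended twice.
    keymat=$(awk '{ print $1, $2 }' "$pubkey")
    if awk '{ print $1, $2 }' "$authkeys" | grep -qxF "$keymat"; then
        echo "already present: $authkeys"
        return 0
    fi
    cat "$pubkey" >> "$authkeys"
    echo "installed into $authkeys"
}

# key_count HOME_DIR: number of entries in that user's authorized_keys.
key_count() { grep -c '' "$1/.ssh/authorized_keys"; }

# Constructed inputs for a local dry run: a fake home directory and a
# placeholder public key (not a real key; step 1's ssh-keygen makes the real one).
TMP=$(mktemp -d)
FAKE_HOME="$TMP/home/someuser"
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABEXAMPLEKEYMATERIAL someuser@client\n' > "$TMP/id_rsa.pub"
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABEXAMPLEKEYMATERIAL other-comment\n' > "$TMP/dup.pub"

install_pubkey "$TMP/id_rsa.pub" "$FAKE_HOME"   # installed into .../authorized_keys
install_pubkey "$TMP/dup.pub" "$FAKE_HOME"      # already present (same key material)
```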


Security essentials:

1. Change passwords frequently and make them complex enough;

2. Use a non-default port;

3. Restrict the client addresses allowed to log in;

4. Forbid direct login by the administrator (root);

5. Allow only a limited set of users to log in;

6. Use key-based authentication;

7. Disable SSH v1.
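An added audit script, not from the original notes, that checks an sshd_config against items 2 to 7 of this checklist by reading the directives from the server configuration shown earlier (Port, ListenAddress, PermitRootLogin, PasswordAuthentication, PubkeyAuthentication, Protocol) plus AllowUsers, a standard sshd directive not shown above. Both configuration files are constructed samples; the weak one mirrors the commented-out defaults of the sshd_config listed earlier.

```shell
#!/bin/sh
# Constructed sample of a weak sshd_config (not from any real host).
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
#Port 22
Protocol 2,1
#PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
EOF

# Constructed sample after applying checklist items 2 to 7.
HARDENED_CFG=$(mktemp)
cat > "$HARDENED_CFG" <<'EOF'
Port 2222
Protocol 2
ListenAddress 192.0.2.10
PermitRootLogin no
AllowUsers ops admin
PasswordAuthentication no
PubkeyAuthentication yes
EOF

# sshd_value FILE KEYWORD DEFAULT: sshd keeps the first uncommented occurrence
# of a keyword (matched case-insensitively); DEFAULT applies when it is absent.
sshd_value() {
    v=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    printf '%s\n' "${v:-$3}"
}

# audit_sshd_config FILE: print one FAIL line per checklist item not met.
audit_sshd_config() {
    f=$1
    [ "$(sshd_value "$f" Port 22)" != 22 ] || echo "FAIL 2: Port is the default 22"
    case "$(sshd_value "$f" ListenAddress 0.0.0.0)" in
        0.0.0.0|::) echo "FAIL 3: ListenAddress accepts connections on every interface" ;;
    esac
    [ "$(sshd_value "$f" PermitRootLogin yes)" = no ] || echo "FAIL 4: PermitRootLogin is not 'no'"
    [ -n "$(sshd_value "$f" AllowUsers '')" ] || echo "FAIL 5: no AllowUsers list limits who may log in"
    [ "$(sshd_value "$f" PasswordAuthentication yes)" = no ] || echo "FAIL 6: PasswordAuthentication is still enabled"
    [ "$(sshd_value "$f" PubkeyAuthentication yes)" = yes ] || echo "FAIL 6: PubkeyAuthentication is disabled"
    [ "$(sshd_value "$f" Protocol 2)" = 2 ] || echo "FAIL 7: Protocol still allows SSH v1"
}

# count_failures FILE: number of FAIL lines (0 when the file passes every check).
count_failures() { audit_sshd_config "$1" | grep -c '^FAIL' || true; }
```

Run `audit_sshd_config /etc/ssh/sshd_config` on a host to list which checklist items its live configuration still misses; item 1 (password policy) lives outside sshd_config and is not checked.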


