SSH: Secure Shell
SSH features:
Based on TCP port 22;
Encrypted authentication;
Encrypted data transfer.
OpenSSH is an open-source implementation of SSH that supports both SSH v1 and SSH v2.
However, SSH v1 does not protect against man-in-the-middle attacks, so its use is not recommended.
Client:
Linux: ssh
Windows: PuTTY, SecureCRT, SSH Secure Shell Client, Xmanager
Server side:
Linux: sshd
OpenSSH-related commands
1. ssh
-X: enable X11 forwarding
-Y: enable trusted X11 forwarding
-p PORT: specify the port number
ssh HOST: log in to HOST as the current local user
ssh -l USERNAME HOST: log in to HOST as USERNAME
ssh USERNAME@HOST: log in to HOST as USERNAME
ssh USERNAME@HOST 'COMMAND': run COMMAND on HOST as USERNAME and exit once it finishes
2. scp [options] SRC DEST: option usage is basically the same as for the cp command
-r: recursive
-p: preserve permissions
-a: equivalent to -rp
scp USERNAME@HOST:/path/to/somefile /path/to/localfile
scp /path/to/localfile USERNAME@HOST:/path/to/somedirectory
3. ssh-keygen
-t {rsa|dsa}: specify the key type
-f /path/to/keyfile: specify the save path and file name
-N 'PASSPHRASE': specify the passphrase that protects the private key
Running ssh-keygen without arguments enters interactive mode:
[root@HOST named]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
8d:32:74:34:39:56:49:35:a5:fa:9e:1d:59:e7:68:bd root@HOST
4. ssh-copy-id
-i ~/.ssh/id_rsa.pub: specify the public key file
ssh-copy-id -i ~/.ssh/id_rsa.pub USERNAME@remote_host
5. sftp: FTP-style file transfer over the encrypted SSH channel
sftp USERNAME@HOST: connect to the SFTP service on HOST as USERNAME
OpenSSH-related configuration files
Client ssh configuration file: /etc/ssh/ssh_config
[root@HOST named]# cat /etc/ssh/ssh_config
#   $OpenBSD: ssh_config,v 1.21 2005/12/06 22:38:27 reyk Exp $

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22                  # the port to connect to
#   Protocol 2,1             # supported protocol versions
#   Cipher 3des
#   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
Host *
    GSSAPIAuthentication yes
# If this option is set to yes then remote X11 clients will have full access
# to the original X11 display. As virtually no X11 client supports the untrusted
# mode correctly we set this to yes.
    ForwardX11Trusted yes
# Send locale-related environment variables
    SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    SendEnv LC_IDENTIFICATION LC_ALL
Server-side sshd configuration file: /etc/ssh/sshd_config
[root@HOST tls]# vim /etc/ssh/sshd_config
#   $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0        # serve only on the given address
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h   # how often the server key is regenerated
#ServerKeyBits 768            # length of the server key

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m            # time allowed to log in; the connection is dropped afterwards
#PermitRootLogin yes          # allow root to log in
#StrictModes yes
#MaxAuthTries 6               # number of login attempts allowed

#RSAAuthentication yes
#PubkeyAuthentication yes     # key-based authentication
#AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# password-based authentication
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
# authenticate through Pluggable Authentication Modules
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes                # whether to print /etc/motd
#PrintLastLog yes             # whether to show the previous login's details
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner /some/path            # login banner

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
Implementing key-based authentication:
1. Generate a key pair on the client host:
ssh-keygen
2. Append the contents of the public key file to the .ssh/authorized_keys file in the target user's home directory on the server, in either of two ways:
① ssh-copy-id -i /path/to/pubkey USERNAME@remote_host
② Copy the public key file to the server with scp, then append it to the .ssh/authorized_keys file in that user's home directory.
From then on logins use key-based authentication, and the SSH user logs in successfully without entering a password.
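The server-side half of step ② done by hand, as an added example that is not part of the original notes: it does what ssh-copy-id does once the public key file has arrived, appending the key to .ssh/authorized_keys and setting the permissions that sshd's StrictModes (on by default) insists on. install_pubkey, the demo home directory and the sample key line are assumptions constructed here.

```shell
#!/bin/sh
# Added example, not from the original notes. StrictModes (on by default)
# makes sshd ignore an authorized_keys file whose directory or file is
# group/world writable, which is the usual reason a "passwordless" login
# silently keeps asking for a password, so the permissions are fixed too.

# install_pubkey PUBKEY_FILE HOME_DIR
# Appends every key line of PUBKEY_FILE to HOME_DIR/.ssh/authorized_keys
# unless the same key (type and base64 blob) is already present, sets the
# required permissions and prints the number of keys added.
install_pubkey() {
    pub=$1; dir=$2/.ssh; auth=$dir/authorized_keys; added=0
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac   # skip blanks and comments
        # match on "type blob" only, so a different trailing comment does
        # not cause the same key to be added twice
        keyid=$(printf '%s\n' "$line" | awk '{ print $1, $2 }')
        if ! awk -v k="$keyid" '($1 " " $2) == k { found = 1 }
                                END { exit !found }' "$auth"; then
            printf '%s\n' "$line" >> "$auth"
            added=$((added + 1))
        fi
    done < "$pub"
    echo "$added"
}

# Demo on a constructed home directory and key; the blob is not a real key.
demo_home=$(mktemp -d)
demo_key=$(mktemp)
printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDconstructedkeyblob== root@HOST' > "$demo_key"
install_pubkey "$demo_key" "$demo_home"   # prints 1
install_pubkey "$demo_key" "$demo_home"   # prints 0: already present
rm -rf "$demo_home" "$demo_key"
```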
Security essentials:
1. Passwords should be changed frequently and be sufficiently complex;
2. Use a non-default port;
3. Restrict the client addresses allowed to log in;
4. Forbid direct login as the administrator (root);
5. Allow only a limited set of users to log in;
6. Use key-based authentication;
7. Disable SSH v1.
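A check script for this list, added here and not part of the original notes: it reads an sshd_config the way sshd does (first uncommented occurrence of a keyword wins, keywords are case-insensitive; Match blocks are not handled) and reports which of items 2, 4, 5, 6 and 7 a file fails to meet. sshd_value, audit_sshd and the weak sample config are assumptions constructed here; items 1 and 3 are not properties of the config file and are not checked.

```shell
#!/bin/sh
# Added example, not from the original notes. Assumes the plain
# "Keyword value" syntax shown on this page; Match blocks are not handled.

# sshd_value FILE KEYWORD: print the first uncommented value of KEYWORD.
# sshd keywords are case-insensitive and the first occurrence wins, so
# that is the value reported (an unset keyword prints nothing).
sshd_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

fails=0
fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

# audit_sshd FILE: print one FAIL line per unmet checklist item and
# return the number of failures (0 means every checked item is met).
audit_sshd() {
    f=$1; fails=0
    port=$(sshd_value "$f" Port)
    [ -n "$port" ] && [ "$port" != 22 ] || fail "listening on the default port 22"
    root=$(sshd_value "$f" PermitRootLogin | tr A-Z a-z)
    [ "$root" = no ] || fail "PermitRootLogin is '${root:-yes}': root can log in directly"
    [ -n "$(sshd_value "$f" AllowUsers)" ] || fail "AllowUsers unset: any account may log in"
    pw=$(sshd_value "$f" PasswordAuthentication | tr A-Z a-z)
    [ "$pw" = no ] || fail "PasswordAuthentication is '${pw:-yes}': keys are not enforced"
    # The page's sample config sets Protocol 2 explicitly; on the OpenSSH
    # release it shows, an unset Protocol still means 2,1 (SSH v1 allowed).
    [ "$(sshd_value "$f" Protocol)" = 2 ] || fail "Protocol is not exactly 2: SSH v1 allowed"
    return "$fails"
}

# write_weak_config FILE: constructed config mirroring the defaults shown
# on this page; commented lines are ignored, exactly as sshd ignores them.
write_weak_config() {
    printf '%s\n' '#Port 22' 'Protocol 2,1' '#PermitRootLogin yes' \
        'PasswordAuthentication yes' 'UsePAM yes' > "$1"
}

tmp=$(mktemp) && write_weak_config "$tmp"
n=0; audit_sshd "$tmp" || n=$?
echo "failures: $n"      # 5 for the weak config above
rm -f "$tmp"
```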
Linux Learning Notes <25> -- OpenSSH Services