Linux Security---SSH configuration and use

Source: Internet
Author: User
Tags ssh server

SSH service architecture: C/S (client/server)

S end (server): 192.168.100.151

C end (client): 192.168.100.150

S-end operations:

yum -y install openssh-clients openssh-server openssh # install ssh

/etc/init.d/sshd start

chkconfig sshd on

C-end operations: remote login

Linux systems:

yum -y install openssh openssh-clients

ssh user@ip

ssh [email protected] # root is the root user on the S end; if the user is omitted, the login is attempted as the client's current user

scp local_file user@ip:/remote_directory # upload; the user must have write access to the directory

scp user@ip:/remote_file local_directory # download; the user only needs read access to the remote file

scp john-*.tar.gz [email protected]:/root/ # upload operation

sftp user@ip # ftp-style file upload and download over ssh

sftp [email protected]

sftp> cd /etc/yum.repos.d/ # directories outside the home directory can be entered

sftp> get rhel.repo # download

sftp> bye # quit

Windows systems: common Windows clients such as CRT, PuTTY and Xmanager can be used


Security-hardening configuration for the SSH server:

vi /etc/ssh/sshd_config

ListenAddress 192.168.100.151 # specify the listening IP; a gateway, for example, should listen only on the intranet address

LoginGraceTime 2m # no-activity timeout for a connection

PermitRootLogin no # disable ssh login for root; use a normal user + su to complete privileged work

MaxAuthTries 6 # number of wrong-password attempts allowed

MaxSessions # maximum number of connections, i.e. how many users may be logged in at the same time

GSSAPIAuthentication no # disable GSSAPI authentication to speed up the ssh login response

GSSAPICleanupCredentials no # disable GSSAPI

UseDNS no # disable DNS resolution

AllowUsers u01 u03 [email protected] # only the listed users may log in; DenyUsers denies users and cannot be used at the same time; separate multiple users with spaces

:wq

/etc/init.d/sshd restart


echo "Welcome to linuxfan.cn" > /root/welcome.txt

sed -i "/Banner/a Banner /root/welcome.txt" /etc/ssh/sshd_config # add the text shown at login; the sed pattern is case-sensitive, so it must match the "#Banner none" line
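As an added example (not part of the original post), a small POSIX shell audit of an sshd_config against the directives above. It follows sshd's own parsing rules that are easy to get wrong by eye: keywords are case-insensitive, a commented-out line does not count, the first occurrence of a keyword wins, and lines inside a Match block apply only conditionally. The sample config it reads is constructed here.

```shell
#!/bin/sh
# sshd_get prints the effective global value of a keyword: keywords are
# case-insensitive, comment lines are skipped, the FIRST occurrence wins,
# and parsing stops at the first Match block (values there are conditional).
sshd_get() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { k = tolower($1) }
        k == "match" { exit }
        k == key { sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "");
                   sub(/[[:space:]]+$/, ""); print; exit }
    ' "$2"
}

# audit_sshd_config prints one OK/WARN line per directive and returns the
# number of warnings. Wanted values are the page's settings; an absent
# keyword is reported as <default>, since sshd's compiled-in default applies.
audit_sshd_config() {
    file=$1; warns=0
    for pair in PermitRootLogin=no UseDNS=no GSSAPIAuthentication=no; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_get "$key" "$file" | tr 'A-Z' 'a-z')
        if [ "$got" = "$want" ]; then echo "OK   $key $got"
        else echo "WARN $key '${got:-<default>}' (want $want)"; warns=$((warns+1)); fi
    done
    tries=$(sshd_get MaxAuthTries "$file")
    if [ -n "$tries" ] && [ "$tries" -le 6 ] 2>/dev/null; then echo "OK   MaxAuthTries $tries"
    else echo "WARN MaxAuthTries '${tries:-<default>}' (want <= 6)"; warns=$((warns+1)); fi
    users=$(sshd_get AllowUsers "$file")
    if [ -n "$users" ]; then echo "OK   AllowUsers $users"
    else echo "WARN AllowUsers not set (no login allow-list)"; warns=$((warns+1)); fi
    return "$warns"
}

# Constructed sample config (not a real host's file) for a stand-alone run.
SAMPLE=${TMPDIR:-/tmp}/sshd_config.sample.$$
cat > "$SAMPLE" <<'EOF'
ListenAddress 192.168.100.151
#PermitRootLogin yes
permitrootlogin no
PermitRootLogin yes
MaxAuthTries 6
UseDNS no
Match Group sftp_u
    X11Forwarding no
EOF
if audit_sshd_config "$SAMPLE"; then echo "no warnings"; else echo "warnings: $?"; fi
rm -f "$SAMPLE"
```

On the sample, PermitRootLogin resolves to "no" (the later "yes" line is ignored), X11Forwarding has no global value because it sits under Match, and the audit reports two warnings (GSSAPIAuthentication and AllowUsers unset).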



SSH login with key-pair authentication

S end: make sure it is supported; uncomment the following

vi /etc/ssh/sshd_config

PubkeyAuthentication yes # support public-key authentication

AuthorizedKeysFile .ssh/authorized_keys # name of the file where public keys are stored

:wq

/etc/init.d/sshd restart

The C end generates the key pair:

ssh-keygen -t rsa # generate the key pair; press Enter at every prompt

cd .ssh/ # enter the directory where the key pair is stored

Upload the public key:

ssh-copy-id [email protected] # upload the public key for u02; u02 can then log in without a password

S-end verification:

cat /home/u02/.ssh/authorized_keys # view

C-end verification:

ssh [email protected] # no password required

Attention:

Other users on the S end can copy (cp) the public key into their own home directory to enable key-pair authentication:

mkdir /home/u03/.ssh/

cp /home/u02/.ssh/authorized_keys /home/u03/.ssh/

chown u03:u03 /home/u03/.ssh/*

Before RHEL 6, running ssh-copy-id may fail; the workaround:

scp id_rsa.pub [email protected]:/tmp/

cat /tmp/id_rsa.pub >> /home/u02/.ssh/authorized_keys # append, so keys already in the file are kept

S-end summary: whichever account's home directory holds the public key is the account that can log in with key-pair authentication
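Added example (not from the original post) for the two manual cases above, copying a key for u03 and the pre-RHEL 6 scp + cat workaround: a function that installs a public key the way ssh-copy-id does. Besides appending the key, it sets ~/.ssh to mode 700 and authorized_keys to 600, which sshd's default StrictModes requires before it will accept the key, and it skips keys that are already present, so repeated runs add no duplicates and existing keys are never overwritten (as a plain "cat > authorized_keys" would do). The demo key is constructed, not a real key.

```shell
#!/bin/sh
# install_pubkey: append the key lines from a .pub file to a user's
# authorized_keys with the directory and file modes sshd expects.
install_pubkey() {
    pubfile=$1              # path to the id_rsa.pub to install
    home=$2                 # target user's home directory
    owner=${3:-}            # optional user:group for chown (needs root)
    sshdir="$home/.ssh"; keys="$sshdir/authorized_keys"
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    [ -f "$keys" ] || : > "$keys"
    chmod 600 "$keys" || return 1
    # Append each key line unless an identical line is already there.
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        grep -qxF -- "$line" "$keys" || printf '%s\n' "$line" >> "$keys"
    done < "$pubfile"
    if [ -n "$owner" ]; then chown "$owner" "$sshdir" "$keys" || return 1; fi
}

# key_count prints the number of key lines in a home directory's authorized_keys.
key_count() { wc -l < "$1/.ssh/authorized_keys" | tr -d ' '; }

# Stand-alone demo with a constructed (not real) key in a temp directory.
demo=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAAQ== constructed-demo-key\n' > "$demo/id_rsa.pub"
install_pubkey "$demo/id_rsa.pub" "$demo/u03"
install_pubkey "$demo/id_rsa.pub" "$demo/u03"   # second run adds nothing
echo "keys for u03: $(key_count "$demo/u03")"    # 1
ls -ld "$demo/u03/.ssh" "$demo/u03/.ssh/authorized_keys"
rm -rf "$demo"
```

On a real server, pass the third argument (for example u03:u03) when running as root, which replaces the separate chown step above.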

C end:

The root account generates the key pair

su - c_u01

ssh [email protected] # login fails, because there is no private key in the c_u01 user's directory

exit

cp .ssh/id_rsa /home/c_u01/.ssh/

chown c_u01:c_u01 /home/c_u01/.ssh/*

C-end summary: the client user's directory must hold the private key, otherwise the key pair cannot be used.


After public-key authentication is set up successfully, you can run a command directly without an interactive login:

ssh [email protected] touch a.file # run on the C end; creates a.file on the S end as u02; verify on the S end that it succeeded

If root login via sshd is enabled, a remote reboot is possible:

ssh [email protected] reboot


Controlling the remote file copy functions that the SSH protocol provides:

1) Disabling scp

rpm -qa | grep openssh

yum remove openssh-clients -y

After openssh-clients is removed, running scp reports the following error:

-bash: scp: command not found

2) Disabling sftp

vi /etc/ssh/sshd_config

Subsystem sftp /usr/libexec/openssh/sftp-server

Comment this line out, as follows:

#Subsystem sftp /usr/libexec/openssh/sftp-server

Save and exit, then restart sshd:

service sshd restart


Note: the following experiments are done separately; combined with the other configurations above they may produce errors.


Confine (chroot) users to a directory when they use SFTP, to improve security: the u01 account is dedicated to SFTP, other users are not allowed to use SFTP, and u02 logs in over SSH to manage the system.

vi /etc/ssh/sshd_config

#Subsystem sftp /usr/libexec/openssh/sftp-server # comment out this line

Subsystem sftp internal-sftp # add the subsystem command

AllowUsers u01 u02 # allow users u01 and u02

Match Group sftp_u # rules below apply to the sftp_u group

X11Forwarding no # disable the graphical interface

AllowTcpForwarding no # disable TCP forwarding

ChrootDirectory /home # confine the sftp_u group to the /home/ directory

ForceCommand internal-sftp # force the internal-sftp command

:wq

groupadd sftp_u

useradd u02

echo 123123 | passwd --stdin u02

usermod -g sftp_u u01 # add u01 to the group

/etc/init.d/sshd restart

Login verification:

ssh [email protected]0.151 # error, prompting that only SFTP is allowed

ssh [email protected] # login succeeds

sftp [email protected] # login succeeds

sftp> cd /etc/ # error

sftp> pwd # shows the root directory, which indicates the configuration succeeded.
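Added example (not from the original post): sshd rejects a chrooted SFTP login with "bad ownership or modes for chroot directory" unless the ChrootDirectory and every parent directory up to / are owned by root and writable only by root, so checking the path before restarting sshd saves a round of failed logins. It assumes GNU stat (Linux); the page's ChrootDirectory /home typically passes on a default install, while a user-owned home directory or a 777 directory fails.

```shell
#!/bin/sh
# check_chroot_dir: verify that a ChrootDirectory and every parent up to /
# is root-owned and not group/other writable, the conditions sshd enforces
# before admitting a chrooted sftp user. Returns 0 when acceptable, 1 when
# a component is bad, 2 when a component cannot be read.
check_chroot_dir() {
    p=$1; rc=0
    while :; do
        uid=$(stat -c %u "$p" 2>/dev/null) || return 2
        mode=$(stat -c %a "$p" 2>/dev/null) || return 2
        # mask the group-write (020) and other-write (002) bits of the octal mode
        writable=$(( 0$mode & 022 ))
        [ "$uid" -eq 0 ] || { echo "BAD  $p: owner uid $uid, must be root"; rc=1; }
        [ "$writable" -eq 0 ] || { echo "BAD  $p: mode $mode is group/other writable"; rc=1; }
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    [ "$rc" -eq 0 ] && echo "OK   $1 and its parents satisfy ChrootDirectory rules"
    return "$rc"
}

# Stand-alone demo: the page's ChrootDirectory, then a constructed bad one.
check_chroot_dir /home || echo "check of /home finished with status $?"
bad=$(mktemp -d) && chmod 777 "$bad"
check_chroot_dir "$bad" || echo "constructed dir rejected with status $?"
rm -rf "$bad"
```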


This article is from the "Lp-linux" blog; please keep this source: http://linuxlp.blog.51cto.com/11463376/1773669
