SSH (Secure Shell, the remote connection tool) connection principle: the SSH service is a daemon that runs in the background and waits for client connections. The server process is named sshd; it listens on TCP port 22 by default, accepts client requests, and carries out the key exchange, presents the server host key and authenticates the user.
The SSH service is built from two components: OpenSSH (the SSH server and client programs) and OpenSSL (the cryptographic library they link against).
SSH clients: on Windows, tools such as Xshell, SecureCRT and MobaXterm; on Linux, the ssh command that ships with OpenSSH.
SSH common command parameters
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
           [-D [bind_address:]port] [-e escape_char] [-F configfile]
           [-I pkcs11] [-i identity_file]
           [-L [bind_address:]port:host:hostport]
           [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
           [-R [bind_address:]port:host:hostport] [-S ctl_path]
           [-W host:port] [-w local_tun[:remote_tun]]
           [user@]hostname [command]
The options are case-sensitive: -p is the port and -l the login name, while -L sets up a local port forward; -i selects the private key file to authenticate with; -v (repeat for more detail) prints the negotiation and is the first thing to reach for when a login fails.
About the sshd service running in the background
# query the OpenSSH / OpenSSL packages
rpm -qa openssh openssl
# query the sshd process
ps -ef | grep ssh               --> /usr/sbin/sshd
# view the ssh listening port
netstat -lntup | grep ssh
ss -lntup | grep ssh            (same effect; ss is the newer tool)
netstat -a | grep ssh           (remember this one)
netstat -lnt | grep ':22 '      ==> is port 22 open, i.e. is the ssh service running
tip: netstat -lntp | grep sshd | wc -l   ==> 2 or more lines (the IPv4 and IPv6 listeners) means sshd is up (-n prints ports numerically, so matching on the process name needs -p)
# view the ssh key directory
ll /root/.ssh/known_hosts       # the .ssh directory lives in the current user's home; known_hosts records the host keys of servers this user has already connected to
# the sshd configuration file
cat /etc/ssh/sshd_config
# stop / start / reload / restart the service
service sshd stop
service sshd start
service sshd reload    [re-reads the configuration without dropping the listener]   ==> recommended
service sshd restart   [kills the daemon and starts it again]                     ==> not recommended from a remote session
# log in with ssh
ssh 192.168.1.100                                  # default: log in with the username of the current local user
ssh omc@192.168.1.100                              # log in as a user of the remote machine
ssh omc@192.168.1.100 -o StrictHostKeyChecking=no  # skip the "yes" prompt on first login; this also disables the host-key check that protects against a man-in-the-middle, so use it only on a trusted network
ssh omc@192.168.1.100 "ls /home/omc"               # from server A, log in to server B and run a command
ssh omc@192.168.1.100 -t "sh /home/omc/ftl.sh"     # from server A, log in to server B and run a script (-t allocates a terminal so interactive scripts work)
SSH passwordless (key-based) login setup
1. Enter the user's .ssh directory
[root@server-a ~]# cd /root/.ssh/         # for root the .ssh directory is under /root
[omc@server-a ~]$ cd /home/omc/.ssh/      # for a normal user it is under that user's home directory
(if the directory does not exist yet, ssh-keygen creates it with mode 700)
2. Generate the private and public key with the DSA algorithm (written to the current user's home directory by default)
[root@server-a .ssh]# ssh-keygen -t dsa   # press Enter through all the prompts
id_dsa      the private key (the key): stays on this host, mode 600
id_dsa.pub  the public key (the lock): this is what goes to the servers
Caveat: DSA keys are limited to 1024 bits and OpenSSH 7.0 and later refuse ssh-dss keys by default. On anything newer than the CentOS 6 era shown on this page use ssh-keygen -t ed25519 (or -t rsa -b 4096); the files are then named id_ed25519 / id_ed25519.pub.
3. Copy the public key to the target server
[root@server-a .ssh]# ssh-copy-id -i id_dsa.pub omc@server-b             # target sshd on the default port 22
[root@server-a .ssh]# ssh-copy-id -i id_dsa.pub -p 666 omc@server-b      # target sshd listening on port 666 (old ssh-copy-id scripts have no -p of their own: quote it as "-p 666 omc@server-b" so it is passed through to ssh)
ssh-copy-id appends the public key to ~/.ssh/authorized_keys on the target and sets the permissions.
4. View the file created on the target server
[omc@server-b .ssh]$ ll /home/omc/.ssh/authorized_keys   # must be mode 600 in a mode-700 directory owned by the user, otherwise sshd (StrictModes yes) ignores it
5. Log in to the target server without a password
ssh omc@server-b
6. Summary: the relationship between the key and the lock
1. Many keys open one lock: the id_dsa.pub of every client is appended to the one server's authorized_keys.
2. One key opens many locks: one client's id_dsa.pub is copied to every server; the private key id_dsa never leaves the client (if it is copied around, whoever compromises one server can log in to all of them).
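The file that step 4 lists is the one thing on the server that decides who gets in, so it is worth checking what actually landed there. The following auditor is an added example written for this page, not code from the original post: it parses each authorized_keys line (options prefix, key type, base64 blob, comment), decodes the blob's RFC 4251 wire format to confirm the declared type and read the key size, and flags ssh-dss keys (refused by OpenSSH 7.0+), RSA moduli under 2048 bits, keys with no from=/command= restriction, and the classic mistake of pasting a private key into the file. The sample file is constructed inline with dummy numbers in valid wire format (not real keys); the user omc, the hosts server-a/server-b, the 192.168.25.0/24 network and the script path are taken from this page's examples.

```python
import base64
import binascii
import struct

# Key types sshd accepts in authorized_keys (subset sufficient for this example)
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint': big-endian two's complement, 0x00-prefixed if the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def decode_wire_strings(blob: bytes) -> list:
    """Split a decoded public-key blob into its length-prefixed fields."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length field")
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + n > len(blob):
            raise ValueError("field runs past end of blob")
        fields.append(blob[pos:pos + n])
        pos += n
    return fields


def _tokenize(line: str) -> list:
    """Split on whitespace but keep quoted option values such as command="ls /home" whole."""
    tokens, cur, quoted = [], [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        if ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def audit_line(line: str) -> dict:
    """Audit one authorized_keys line: key type, size in bits, options prefix and findings."""
    result = {"key_type": None, "bits": None, "options": "", "findings": []}
    line = line.strip()
    if line.startswith("-----BEGIN"):
        result["findings"].append("CRITICAL: private key material pasted into authorized_keys; "
                                  "the private key must never leave the client")
        return result
    tokens = _tokenize(line)
    idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(tokens):
        result["findings"].append("ERROR: no recognised key type followed by a base64 blob")
        return result
    result["options"] = " ".join(tokens[:idx])
    key_type = result["key_type"] = tokens[idx]
    try:
        fields = decode_wire_strings(base64.b64decode(tokens[idx + 1], validate=True))
    except (binascii.Error, ValueError) as exc:
        result["findings"].append(f"ERROR: undecodable key blob ({exc})")
        return result
    if not fields or fields[0] != key_type.encode():
        result["findings"].append("ERROR: blob type does not match the declared key type")
        return result
    # Where the size lives: RSA = [type, e, n]; DSA = [type, p, q, g, y]; Ed25519 = [type, 32-byte key]
    if key_type == "ssh-rsa" and len(fields) == 3:
        result["bits"] = int.from_bytes(fields[2], "big").bit_length()
        if result["bits"] < 2048:
            result["findings"].append(f"WARN: RSA modulus is {result['bits']} bits, below 2048")
    elif key_type == "ssh-dss" and len(fields) == 5:
        result["bits"] = int.from_bytes(fields[1], "big").bit_length()
        result["findings"].append("WARN: ssh-dss is disabled by default since OpenSSH 7.0; "
                                  "regenerate with ssh-keygen -t ed25519")
    elif key_type == "ssh-ed25519" and len(fields) == 2:
        result["bits"] = len(fields[1]) * 8
    if not any(opt in result["options"] for opt in ("from=", "command=")):
        result["findings"].append("INFO: unrestricted key (no from= or command= option)")
    return result


def audit(text: str) -> list:
    """Audit every non-blank, non-comment line of an authorized_keys file."""
    return [audit_line(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def _b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode("ascii")


# Constructed sample file: dummy numbers in valid wire format, not real keys
_DSA = (_ssh_string(b"ssh-dss") + _ssh_mpint((1 << 1023) | 1) + _ssh_mpint((1 << 159) | 1)
        + _ssh_mpint(2) + _ssh_mpint(3))
_RSA = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint((1 << 1023) | 1)
_ED = _ssh_string(b"ssh-ed25519") + _ssh_string(b"\x01" * 32)
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not a real /home/omc/.ssh/authorized_keys",
    f"ssh-dss {_b64(_DSA)} omc@server-a",
    f'from="192.168.25.0/24",command="sh /home/omc/ftl.sh" ssh-rsa {_b64(_RSA)} omc@server-a',
    f"ssh-ed25519 {_b64(_ED)} omc@server-a",
    "-----BEGIN OPENSSH PRIVATE KEY-----",
])

if __name__ == "__main__":
    for row in audit(SAMPLE_AUTHORIZED_KEYS):
        print(row["key_type"], row["bits"], row["findings"])
```

Point it at a real file with `audit(open("/home/omc/.ssh/authorized_keys").read())`. Cross-check the sizes it reports against `ssh-keygen -l -f authorized_keys`, which prints the bit length and fingerprint of every key in the file.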
SSH troubleshooting
1. Check the physical link: ping 192.168.25.130 (cable | firewall | is the host on the same network; ping uses ICMP, so a host that drops ICMP can still be reachable on TCP port 22)
2. Check whether the service answers: telnet 192.168.25.130 22 (a listening sshd replies with its banner, e.g. SSH-2.0-OpenSSH_5.3)
3. Check the Linux firewall: service iptables status ==> /etc/init.d/iptables status
4. Turn on client-side debugging and watch the negotiation: ssh -v omc@192.168.25.130 (-vv or -vvv for more detail)
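Step 2 above tells you whether something answers on port 22, but a manual telnet does not distinguish "connection refused" from "no answer", and it leaves you to read the banner by eye. The probe below is an added example for this page, not code from the original post; it performs the same check, tells the three failure modes apart (timeout = filtered by a firewall rule or bad route, refused = host up but nothing listening, accepted-then-closed = sshd refused the connection before the banner, as TCP wrappers or MaxStartups do) and parses the RFC 4253 identification string so the protocol and software version are available as data. The host 192.168.25.130 is the one from the list above; the banners in the test are constructed.

```python
import socket


def parse_banner(raw: bytes) -> dict:
    """Parse the RFC 4253 identification string an SSH server sends first:
    'SSH-protoversion-softwareversion [comments]\\r\\n'. A server may send
    other text lines before it; those must not start with 'SSH-'."""
    for line in raw.split(b"\n"):
        line = line.rstrip(b"\r")
        if not line.startswith(b"SSH-"):
            continue
        ident, _, comment = line.partition(b" ")
        parts = ident.decode("ascii", "replace").split("-", 2)
        if len(parts) != 3 or not parts[1] or not parts[2]:
            raise ValueError("malformed identification string: %r" % line)
        return {"proto": parts[1], "software": parts[2],
                "comment": comment.decode("ascii", "replace")}
    raise ValueError("no SSH identification string in %r" % raw[:60])


def probe(host: str, port: int = 22, timeout: float = 3.0) -> dict:
    """Same check as 'telnet host 22' above, but tells the failure modes apart."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            data = sock.recv(256)
    except socket.timeout:
        return {"state": "filtered",
                "why": "no answer within the timeout: firewall DROP rule or bad route"}
    except ConnectionRefusedError:
        return {"state": "closed",
                "why": "host reachable but nothing listens on the port (sshd down or on another Port)"}
    except OSError as exc:
        return {"state": "unreachable", "why": str(exc)}
    if not data:
        return {"state": "open",
                "why": "connection accepted but closed before the banner (TCP wrappers deny or MaxStartups)"}
    try:
        info = parse_banner(data)
    except ValueError:
        return {"state": "open", "why": "something other than sshd answered", "raw": data[:60]}
    return {"state": "open", "proto": info["proto"],
            "software": info["software"], "comment": info["comment"]}


if __name__ == "__main__":
    print(probe("192.168.25.130"))  # host from the troubleshooting list above
```

If the probe reports "filtered" while the service is up, look at the iptables rules in step 3 before touching sshd; if it reports "closed", check `netstat -lntp | grep sshd` on the server to see which port and address sshd actually bound.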
Configuration file for SSH
/etc/ssh/sshd_config
[root@server-a .ssh]# cat /etc/ssh/sshd_config
#	$OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile	.ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem	sftp	/usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server
Several items in the sshd startup file that usually need to be changed:
1-1 Edit /etc/ssh/sshd_config
GSSAPIAuthentication no       avoids the slow connection setup seen when one management host drives many SSH servers, and drops an authentication method an intranet without Kerberos never uses
UseDNS no                     speeds up login, because sshd stops reverse-resolving every client address (pointless in an intranet environment)
PermitRootLogin no            root may not log in directly; log in as a normal user and then su/sudo, which also leaves an audit trail of who did what
Port 11544                    changes the port sshd listens on (cuts scanner noise; it is not a substitute for the settings above)
ListenAddress 192.168.25.13   listen only on the intranet address instead of every interface
Match User anoncvs            per-user overrides: the directives that follow apply only to that user (the commented example at the end of the file restricts X11Forwarding, AllowTcpForwarding and forces a command)
Note that sshd takes the first value it finds for each keyword, so a line appended to the end of the file is silently ignored if the same keyword already appears uncommented above it. Keep PasswordAuthentication yes until key-based login has been verified, then set it to no.
1-2 Restart the service
sshd -t                       syntax-check the edited file first; a bad file means the next reload or restart fails
service sshd reload (preferred)   reloads the configuration smoothly; connected users are not affected
service sshd restart              stops and starts the daemon; keep the current session open until a fresh login on the new port succeeds, so a mistake cannot lock you out
1-3 View the connections and the listener
netstat -an | grep EST        lists the ESTABLISHED connections
netstat -lnt                  confirms that sshd is now listening on the new port and address
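The settings above are easy to get wrong in a way that sshd does not report: a keyword appended at the end of the file loses to an earlier uncommented copy, and a commented-out line means the compiled-in default applies, not what the comment shows. The auditor below is an added example written for this page, not code from the original post: it parses sshd_config the way sshd does (case-insensitive keywords, first value wins except for keywords that accumulate, directives after a Match line scoped to that block), fills in defaults, and reports which of the hardening items from the list above are still missing. The DEFAULTS are those of the OpenSSH 5.x build whose stock file is shown above (an assumption; later releases changed UseDNS to no from 6.8 and PermitRootLogin to prohibit-password from 7.0). The two sample files are constructed; the port 11544 and address 192.168.25.13 are the page's values.

```python
import re

# Defaults of the OpenSSH 5.x build whose stock sshd_config is shown above (assumption;
# 5.3 still defaults Protocol to "2,1", and later releases changed UseDNS and PermitRootLogin)
DEFAULTS = {
    "protocol": "2,1",
    "port": ["22"],
    "listenaddress": ["0.0.0.0", "::"],
    "permitrootlogin": "yes",
    "usedns": "yes",
    "gssapiauthentication": "no",
    "passwordauthentication": "yes",
}

# Keywords sshd lets you repeat; their values accumulate instead of the first one winning
MULTI_VALUED = {"port", "listenaddress", "hostkey", "acceptenv", "subsystem"}

# keyword, then either "=" or whitespace, then the argument(s)
_DIRECTIVE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*)(?:\s*=\s*|\s+)(.*?)\s*$")


def parse_sshd_config(text: str) -> dict:
    """Return {'global': {keyword: value}, 'match': [(criteria, {keyword: value})],
    'shadowed': [(lineno, keyword, value)]}. Like sshd, the FIRST value of a keyword
    is the one in effect; later duplicates are recorded so the audit can point at them."""
    cfg = {"global": {}, "match": [], "shadowed": []}
    current = cfg["global"]
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank or comment line
        m = _DIRECTIVE.match(raw)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            current = {}  # everything after a Match line belongs to that block
            cfg["match"].append((value, current))
        elif key in MULTI_VALUED:
            current.setdefault(key, []).append(value)
        elif key in current:
            cfg["shadowed"].append((lineno, key, value))
        else:
            current[key] = value
    return cfg


def audit_sshd_config(text: str) -> list:
    """Check the effective global settings against the hardening list on this page."""
    cfg = parse_sshd_config(text)
    g = cfg["global"]

    def eff(key):  # effective value: the file's first value, else the compiled-in default
        return g.get(key, DEFAULTS.get(key, ""))

    findings = []
    if eff("protocol") != "2":
        findings.append(f"Protocol {eff('protocol')}: set Protocol 2 (version 1 is legacy)")
    if eff("permitrootlogin").lower() == "yes":
        findings.append("PermitRootLogin yes: log in as a normal user and escalate instead")
    if eff("usedns").lower() == "yes":
        findings.append("UseDNS yes: reverse lookups slow every login on an intranet; set no")
    if eff("gssapiauthentication").lower() == "yes":
        findings.append("GSSAPIAuthentication yes: slows connection setup with no Kerberos; set no")
    if eff("passwordauthentication").lower() == "yes":
        findings.append("PasswordAuthentication yes: once key login works, set no to stop password guessing")
    if "22" in eff("port"):
        findings.append("Port 22: move sshd off the default port")
    if any(a in ("0.0.0.0", "::") for a in eff("listenaddress")):
        findings.append("ListenAddress 0.0.0.0: bind to the intranet interface address only")
    for lineno, key, value in cfg["shadowed"]:
        findings.append(f"line {lineno}: '{key} {value}' is ignored, the earlier '{key} {g[key]}' took effect")
    return findings


# Constructed samples: the stock-file situation with a common mistake, and the hardened result
BEFORE = """\
# resembles the stock CentOS 6 file above
Protocol 2
Port 22
ListenAddress 0.0.0.0
PermitRootLogin yes
GSSAPIAuthentication yes
PasswordAuthentication yes
UsePAM yes
Subsystem sftp /usr/libexec/openssh/sftp-server
# appended at the end of the file by an admin; silently ignored by sshd:
PermitRootLogin no
"""

AFTER = """\
Protocol 2
Port 11544
ListenAddress 192.168.25.13
PermitRootLogin no
UseDNS no
GSSAPIAuthentication no
PasswordAuthentication no
PubkeyAuthentication yes
UsePAM yes
Subsystem sftp /usr/libexec/openssh/sftp-server
Match User anoncvs
    X11Forwarding no
    AllowTcpForwarding no
"""

if __name__ == "__main__":
    for name, text in (("BEFORE", BEFORE), ("AFTER", AFTER)):
        print(name, audit_sshd_config(text) or ["ok"])
```

On the server itself, `sshd -T` (OpenSSH 5.1 and later) prints the configuration sshd actually resolved, including the first-wins outcome, so `sshd -T | grep -i permitrootlogin` is the quickest way to confirm what this auditor reports before running service sshd reload.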