Linux sshd Service

Source: Internet
Author: User
Tags: file copy, scp command, secure copy, ssh server

1. SSH Introduction:
SSH is short for Secure Shell, a protocol developed by the IETF Network Working Group. Before data is transferred, SSH encrypts the packets, so the data is protected while it crosses the network.
By default the SSH service provides two functions: a remote login service similar to Telnet (the ssh service itself), and an FTP-like server, sftp-server, which transfers data over the SSH protocol and so provides a more secure SFTP service.
Reminder: the SSH client also includes a useful remote secure copy command, scp, which likewise works over the SSH protocol.
The SSH working mechanism is roughly as follows: the local SSH client first sends a connection request to the remote SSH server; the server checks the packet and IP address sent by the client and, if it confirms them as legitimate, sends its key to the client; the client then sends the key back to the server, and the connection is established.

SSH2 supports both RSA and DSA keys, but SSH1 only supports RSA keys

2. SSH Service Authentication Types:
1) Password-based authentication:
You supply the host IP, port number, user name and password.
2) Key-based authentication
Key pair authentication with ssh:
ssh-keygen -t rsa (or -t dsa)
Specify the key pair location; press Enter to accept the default, .ssh/ under the home directory
Set the private key passphrase
Confirm the passphrase
Upload the public key to the server and append the public key text to ~/.ssh/authorized_keys on the server (the file must not be writable by group or others).

3. Remote copy: the scp command included with the SSH client
Basic scp syntax:
Push a file to the target server:
scp -P 22 /etc/a.txt [email protected]:/tmp
Download a file from the target server to the local server:
scp -P 22 [email protected]:/tmp/a.txt /etc/
Copy a directory:
scp -P 22 -r /etc/a.txt [email protected]:/tmp

scp parameters:
-P  specify the port number; note that the P is uppercase
-r  copy a directory recursively
-p  preserve the original attributes (mode and timestamps) of the file or directory during the copy

scp is an encrypted remote copy that can download and upload files and directories, but every transfer is a full copy: files that were already copied before are copied again each time, so it is not efficient.

4. SFTP: encrypted transfer based on SSH
sftp -oPort=22 [email protected]
put install.log    uploads install.log to the home directory on the remote server; a target directory can also be specified
get zhang.ch       downloads zhang.ch to the local home directory


5. SSH Configuration Parameters
1) Service listening settings
vim /etc/ssh/sshd_config
Port 22                      // listening port; should be changed
Protocol 2                   // use protocol version 2, which is more secure
ListenAddress 0.0.0.0        // address of the local network interface to listen on; restricting it improves concealment
UseDNS no                    // disable DNS reverse resolution to improve response time
GSSAPIAuthentication no      // fixes slow SSH connections
2) User login control
vim /etc/ssh/sshd_config
PermitRootLogin no           // forbid root login; log in as a normal user and su to root instead
PermitEmptyPasswords no      // forbid login by users with an empty password
LoginGraceTime 2m            // login authentication must complete within 2 minutes
MaxAuthTries 6               // maximum number of authentication attempts per connection
AllowUsers yh1 [email protected]   // only yh1 may log in, and yh2 only from the specified address; separate multiple users with spaces
3) Login authentication methods
vim /etc/ssh/sshd_config
PasswordAuthentication yes   // enable password authentication; relatively low security
PubkeyAuthentication yes     // enable key pair authentication; high security
AuthorizedKeysFile .ssh/authorized_keys   // the file that holds the authorized public keys
4) Using SSH client programs
On the Windows platform the graphical tools PuTTYCN, WinSCP and SecureCRT are available.
PuTTYCN is available as a portable (no-install) secure version from its website: http://www.chiark.greenend.org.uk/
WinSCP is available as a zip in a Chinese version from its website: http://winscp.net/
On the Linux platform you can log in remotely directly with "ssh -p 22 [email protected]"; accept the RSA host key, which is saved to the ~/.ssh/known_hosts file, then authenticate with the password to complete the login.
Remote copy with scp: "scp [email protected]:/etc/passwd /root/pwd.txt" copies to the local machine; "scp -r /etc/vsftpd/ [email protected]:/opt" uploads files to the server.
"sftp [email protected]" logs on to the server for uploading and downloading.
5) Fixing slow SSH connections:
UseDNS no                    // disable DNS reverse resolution to improve response time
GSSAPIAuthentication no      // fixes slow SSH connections
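As an added example, not part of the original post: a shell script that audits an sshd_config against the directives listed in sections 2 and 5, and checks that authorized_keys is not writable by group or others, as section 2 requires. The directive names are the real OpenSSH ones; the sample config the script writes is constructed for the demo.

```shell
#!/bin/bash
# Added example, not code from the original post: audit an sshd_config against the
# settings recommended above. Directive names are real OpenSSH; sample is constructed.

# Effective value of a directive, lowercased. sshd uses the first occurrence.
sshd_get() {  # sshd_get FILE DIRECTIVE
    awk -v key="$2" 'tolower($1) == tolower(key) { print tolower($2); exit }' "$1"
}

# Prints one line per finding; the return value is the number of findings.
audit_sshd_config() {  # audit_sshd_config FILE
    local f="$1" n=0 got pair
    for pair in Protocol=2 PermitRootLogin=no PermitEmptyPasswords=no \
                PubkeyAuthentication=yes UseDNS=no GSSAPIAuthentication=no; do
        got=$(sshd_get "$f" "${pair%%=*}")
        if [ "${got:-unset}" != "${pair#*=}" ]; then
            echo "${pair%%=*} is '${got:-unset}', expected '${pair#*=}'"; n=$((n + 1))
        fi
    done
    got=$(sshd_get "$f" MaxAuthTries)   # the page uses 6: flag larger or unset
    if [ -z "$got" ] || [ "$got" -gt 6 ]; then
        echo "MaxAuthTries is '${got:-unset}', expected 6 or fewer"; n=$((n + 1))
    fi
    return "$n"
}

# sshd (StrictModes) refuses an authorized_keys that is group- or world-writable.
authorized_keys_ok() {  # authorized_keys_ok FILE
    local mode; mode=$(stat -c '%a' "$1") || return 1
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# Constructed sample: the weak settings this page tells you to change.
write_sample_config() {  # write_sample_config PATH
    printf '%s\n' '# constructed sample sshd_config' 'Port 22' 'Protocol 2' \
        'PermitRootLogin yes' 'PasswordAuthentication yes' \
        'PubkeyAuthentication yes' 'MaxAuthTries 10' > "$1"
}

demo() {
    local dir; dir=$(mktemp -d)
    write_sample_config "$dir/sshd_config"
    if audit_sshd_config "$dir/sshd_config"; then echo "no findings"; else echo "findings: $?"; fi
    touch "$dir/authorized_keys"; chmod 664 "$dir/authorized_keys"
    authorized_keys_ok "$dir/authorized_keys" || echo "authorized_keys is group/world writable"
    rm -rf "$dir"
}
demo
```

Run it against the real file with audit_sshd_config /etc/ssh/sshd_config and authorized_keys_ok ~/.ssh/authorized_keys; a non-zero exit status is the number of directives that differ from the page's recommendations.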

6. Implementing batch file distribution
Requirement: with the same user (sshuser) present on all servers, distribute data from one local server to the other servers and execute commands remotely, without password authentication.
Steps:
# useradd sshuser
# id sshuser
uid=556(sshuser) gid=556(sshuser) groups=556(sshuser)
# echo 123.com | passwd --stdin sshuser
$ whoami
sshuser
$ ssh-keygen -t dsa
Press Enter at each prompt.
$ ll -a ~/.ssh/
total 16
drwx------ 2 sshuser sshuser 4096 Apr  3 23:23 .
drwx------ 5 sshuser sshuser 4096 Apr  3 23:23 ..
-rw------- 1 sshuser sshuser  668 Apr  3 23:23 id_dsa      # private key
-rw-r--r-- 1 sshuser sshuser  599 Apr  3 23:23 id_dsa.pub  # public key
Copy the public key to the servers:
$ ssh-copy-id -i ~/.ssh/id_dsa.pub "-p 22 [email protected]"
Answer yes and enter the password
$ ssh-copy-id -i ~/.ssh/id_dsa.pub "-p 22 [email protected]"
Answer yes and enter the password

On the server the received file is renamed authorized_keys and placed under .ssh:
$ ll -a .ssh/
total 12
drwx------ 2 sshuser sshuser 4096 Apr  3 23:31 .
drwx------ 4 sshuser sshuser 4096 Apr  3 23:31 ..
-rw------- 1 sshuser sshuser  599 Apr  3 23:31 authorized_keys

Script to distribute files in bulk:
#!/bin/bash
# Usage: script FILE_OR_DIR
# Copies the argument to sshuser's home directory on each host 192.168.233.$i
. /etc/init.d/functions    # provides the action function used for status output
[ $# -eq 1 ] || { echo "usage: $0 FILE_OR_DIR"; exit 1; }
for i in 132; do
    if scp -P 22 -rp "$1" sshuser@192.168.233.$i:~; then
        action "192.168.233.${i} file distribution succeeded!" /bin/true
    else
        action "192.168.233.${i} file distribution failed!" /bin/false
    fi
done


7. Running sudo remotely:
visudo -c checks the syntax of the sudoers file.
The tip in the visudo file reads:
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
# You have to run "ssh -t hostname sudo <cmd>".
#
Defaults    requiretty
Commands can therefore be executed via ssh -t hostname sudo <cmd>.
Alternatively, comment out Defaults requiretty so that sudo can be run remotely without a tty.


$ scp -P 22 -rp hosts [email protected]:~    # first copy the file to the remote user's home directory
hosts                                 100%  158     0.2KB/s   00:00
$ ssh -p 22 [email protected] sudo /bin/cp ~/hosts /etc/    # sudo cannot be run remotely this way, so it fails
sudo: sorry, you must have a tty to run sudo
With the -t option the command can be run through ssh with remote sudo:
$ ssh -t -p 22 [email protected] sudo /bin/cp ~/hosts /etc/
[sudo] password for sshuser:
Connection to 192.168.233.132 closed.

8. Summary of SSH batch distribution and management:
1) SSH key authentication as root
Simple and easy to use
Poor security, and root remote login cannot be disabled
2) Use an ordinary user: first distribute the file to that user's home directory on the server, then use sudo to copy it to the destination directory that requires higher permissions
Secure, but the configuration is complex
3) Same as scenario 2, but instead of sudo set the suid bit on a fixed command to gain the needed privileges
Relatively safe
Complex and less secure, since anyone can run the SUID command

Enterprise-class production batch management and automation solutions:
1) SSH keys: the simplest and most commonly used, and the most powerful for typical small and medium enterprises with 50-100 servers
2) puppet: a popular portal-level batch management tool, complex
3) SaltStack: a batch management tool; features: simple and powerful, but complex to configure
