Remote Connection Server: SSH in Detail


A remote connection server is an everyday tool for system administrators and makes server management much easier.

Let's get to the substance. Some background on remote connection servers:

Currently there are several kinds of remote connection server:

① Text interface with plaintext transmission: Telnet and rsh based; rarely used any more.

② Text interface with encrypted transmission: SSH based; it has replaced the plaintext mode above.

③ Graphical interface: XDMCP, VNC, XRDP and so on are the common ones.

This article is hands-on practice rather than an introduction to concepts, so I only cover SSH, the technology most commonly used at work. For SFTP and VNC, please see my other blog posts.

OK, let's look at the technologies related to SSH:

SSH stands for Secure Shell Protocol. It is the encrypted text-interface transmission technology that basically every company uses today, and it is built on an asymmetric key system.

For the principles behind SSH you can refer to my other blog post; the link is here:

http://zhengkangkang.blog.51cto.com/12015643/1868846


⑴ First, let's look at the sshd service (the service that must be running for SSH remote connections; it belongs to the system). Note that the sshd service is usually started automatically by default.

What if you want to restart it? Either of the two usual ways of restarting the service works.


⑵ Logging in to a host directly. The command form is:

    ssh [-f] [-o parameter] [-p non-standard-port] [account@]IP [command]

where:

-f: must be paired with the trailing command; instead of logging in to the remote host, you just send the command across.

-o parameter: the main parameters are:

    ConnectTimeout=seconds: how many seconds to wait for the connection; lower it to wait less.

    StrictHostKeyChecking=yes|no|ask: the default is ask; to have the host's public key added to known_hosts automatically, set it to no.

-p: use this parameter if the sshd service is listening on a non-standard port.


Let's illustrate:

① Log in directly to the other host:

If you log in to the other host as root, there are two ways to write the command (with and without the account@ prefix).

Note: if you log in as an ordinary user, you must use the second form, the one with the @.


② Log in to the other host, run a command, and leave. For example, run cat /etc/passwd on the remote host and display the file on the local host.


③ Do not log in to the other host; let it run the command on its own while you return to the local machine immediately and carry on working.


④ After deleting known_hosts, connect to this machine again as root; the public key record should be added automatically.

You might say: is this big liar leaving something out? Why was no public key record added automatically? Why does it still prompt you to choose yes/no? Don't worry, this is exactly what the -o parameter is for. With -o you no longer have to choose yes or no; yes is chosen automatically and the key is added to ~/.ssh/known_hosts.

See, this time there is no yes/no prompt!
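The option forms above (-f, -o ConnectTimeout, -o StrictHostKeyChecking, -p) gathered into a wrapper that is safe to call from an unattended job. This is an added example, not code from the original post; remote_run, remote_run_background and the SSH_BIN override are hypothetical names, and accept-new (which, unlike no, still refuses a changed host key) requires OpenSSH 7.6 or later.

```shell
#!/bin/sh
# Added example, not from the original post: a wrapper around the form
#   ssh [-f] [-o option] [-p port] account@host [command]
# with the -o settings an unattended (crontab) job should use. SSH_BIN is a
# hypothetical override, defaulting to the real ssh, so the wrapper can be
# exercised offline with a stand-in.

# remote_run PORT ACCOUNT@HOST COMMAND... : run COMMAND on the remote host and
# return its exit status. No -f here, because a job needs to wait for the result.
remote_run() {
    port=$1; target=$2; shift 2
    # ConnectTimeout=5        give up after 5 s instead of hanging the job
    # BatchMode=yes           fail instead of stopping at a password/passphrase prompt
    # StrictHostKeyChecking   accept-new trusts a host the first time but still
    #                         refuses a CHANGED key (OpenSSH 7.6+); "no" would also
    #                         accept a changed key, so avoid it on a real server
    "${SSH_BIN:-ssh}" \
        -o ConnectTimeout=5 \
        -o BatchMode=yes \
        -o StrictHostKeyChecking=accept-new \
        -p "$port" "$target" "$@"
    rc=$?
    # ssh itself exits 255 when it could not connect or authenticate; any other
    # status is the exit status of the remote command.
    if [ "$rc" -eq 255 ]; then
        echo "remote_run: connection or authentication to $target failed" >&2
    fi
    return "$rc"
}

# remote_run_background PORT ACCOUNT@HOST COMMAND... : the -f form from ③ above;
# ssh goes to the background just before the command runs and control returns.
remote_run_background() {
    port=$1; target=$2; shift 2
    "${SSH_BIN:-ssh}" -f -o ConnectTimeout=5 -o BatchMode=yes \
        -o StrictHostKeyChecking=accept-new -p "$port" "$target" "$@"
}

# Example, using the client/server addresses the post uses later:
# remote_run 22 user2@192.168.1.121 cat /etc/passwd
```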


⑤ Detailed sshd server configuration


The CentOS default sshd configuration is actually quite safe. Note that since CentOS 5.x the default SSH protocol version is v2, that is, "Protocol 2", and the default port is 22. That alone is not enough, though: on a real production server we recommend removing the root login permission.

You can cancel the root user's login permission by changing the yes in the relevant line of the configuration file to no.
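The line in question is the PermitRootLogin directive in /etc/ssh/sshd_config (a fact about OpenSSH, not shown on the page). As an added example, not from the original post, this POSIX sh script reads a directive the way sshd does, first uncommented occurrence wins, and checks that root login is explicitly disabled; effective_value and root_login_hardened are hypothetical names, and conditional Match blocks are not interpreted.

```shell
#!/bin/sh
# Added example, not from the original post: read sshd_config the way sshd does
# and flag a configuration that still permits root login.
# sshd takes the FIRST uncommented occurrence of a keyword; the stock line
# "#PermitRootLogin yes" is a comment and only documents the compiled-in default.
# Conditional "Match" blocks are not interpreted by this simple check.

# effective_value FILE KEYWORD : print the value in effect, or "unset"
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }          # skip comments and blank lines
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# root_login_hardened FILE : succeed only if PermitRootLogin is explicitly "no"
root_login_hardened() {
    [ "$(effective_value "$1" PermitRootLogin | tr 'A-Z' 'a-z')" = "no" ]
}

# Constructed sample configs: the CentOS-style default and the hardened version
# the post recommends (PasswordAuthentication no only makes sense once the
# key-based login from the last section works).
before=$(mktemp); after=$(mktemp)
cat > "$before" <<'EOF'
#PermitRootLogin yes
Protocol 2
Port 22
EOF
cat > "$after" <<'EOF'
Protocol 2
Port 22
PermitRootLogin no
PasswordAuthentication no
EOF
for f in "$before" "$after"; do
    printf 'PermitRootLogin=%s Port=%s -> ' \
        "$(effective_value "$f" PermitRootLogin)" "$(effective_value "$f" Port)"
    if root_login_hardened "$f"; then echo "root login disabled"; else echo "root login still allowed"; fi
done
rm -f "$before" "$after"
```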



Here is a useful technique: letting an SSH user log in immediately without a password. Someone may ask what this is for. Think about it: if you want to use crontab to run a backup or copy task on a schedule, every SSH connection asks for the other host's password, and that password cannot be typed in from a crontab. What then? It only works if no password needs to be entered.

Here's how:

① Generate the two keys on the client

On the client we create a user user1 and use user1 to log in remotely as the server-side user user2. Below, 192.168.1.118 is the client and 192.168.1.121 is the server.

First, generate the two keys (the private key and the public key) on the client.


Things to note:

⑴ The permissions on the ~/.ssh directory must be 700.

⑵ The permissions on id_rsa (the private key file) must be -rw------- and its owner must be the currently logged-in user; otherwise, when the keys are compared later, the file may be judged unsafe and the public-key mechanism will fail to establish the connection.

Both of these are normally correct by default.


② Upload the public key file to the server


③ Put the public key file in the correct directory on the server and make sure the file name is correct

Be sure to append the contents of the public key file to the authorized_keys file, working as the server-side user.


Note: remember that the permissions on the authorized_keys file must be 644.


Well, that's done. Next we test the password-less, immediate login from host Kang to host KANG1!
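The three permission requirements from the notes above (700 on ~/.ssh, -rw------- on id_rsa owned by the login user, 644 on authorized_keys) are what sshd's StrictModes check enforces, and a wrong mode is the usual reason the key login silently falls back to a password prompt. This added POSIX sh script, not from the original post, checks a directory for them before you try the login; check_ssh_dir, mode_of and owner_of are hypothetical names, and the directory it inspects is a constructed throw-away one.

```shell
#!/bin/sh
# Added example, not from the original post: check the permissions the post
# requires before attempting the key-based login. sshd (StrictModes, on by
# default) refuses keys from files that are group- or world-writable.
#   ~/.ssh            700
#   ~/.ssh/id_rsa     600 (-rw-------), owned by the user who logs in
#   authorized_keys   644 (600 is equally acceptable)

# mode_of PATH / owner_of PATH : octal mode and numeric owner (GNU stat, BSD fallback)
mode_of()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
owner_of() { stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"; }

# check_ssh_dir DIR : print one line per problem; succeed only if there are none
check_ssh_dir() {
    dir=$1; rc=0
    [ "$(mode_of "$dir")" = "700" ] ||
        { echo "$dir: mode $(mode_of "$dir"), expected 700"; rc=1; }
    if [ -f "$dir/id_rsa" ]; then
        [ "$(mode_of "$dir/id_rsa")" = "600" ] ||
            { echo "$dir/id_rsa: mode $(mode_of "$dir/id_rsa"), expected 600"; rc=1; }
        [ "$(owner_of "$dir/id_rsa")" = "$(id -u)" ] ||
            { echo "$dir/id_rsa: not owned by the current user"; rc=1; }
    fi
    if [ -f "$dir/authorized_keys" ]; then
        case "$(mode_of "$dir/authorized_keys")" in
            644|600) ;;
            *) echo "$dir/authorized_keys: mode $(mode_of "$dir/authorized_keys"), expected 644"; rc=1 ;;
        esac
    fi
    return $rc
}

# Constructed demo: a throw-away directory where the private key is left too open.
demo=$(mktemp -d)
mkdir -m 700 "$demo/.ssh"
touch "$demo/.ssh/id_rsa" "$demo/.ssh/authorized_keys"
chmod 644 "$demo/.ssh/id_rsa"            # wrong: private key readable by everyone
chmod 644 "$demo/.ssh/authorized_keys"
if check_ssh_dir "$demo/.ssh"; then echo "permissions OK"; else echo "fix the files above first"; fi
rm -rf "$demo"
```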


This article is from the "Brother Hong Linux World" blog; please keep this source: http://zhengkangkang.blog.51cto.com/12015643/1870976
