SSH commands and SSH trust details

Source: Internet
Author: User
Tags: asymmetric encryption

Original article: http://www.dongwm.com/archives/%E5%85%B3%E4%BA%8Essh%E5%91%BD%E4%BB%A4%E7%A0%94%E7%A9%B6%E4%BB%A5%E5%8F%8Assh%E4%BF%A1%E4%BB%BB%E8%AF%A6%E8%A7%A3/

This article covers three points:

1. Debugging the SSH client

2. SSH escape character usage (for example, switching away from an SSH session)

3. SSH trusted login (that is, logging in without typing the password by hand)

1. Debugging the SSH client

Sometimes we need the client's debug output to find out why an SSH connection fails. The -v option (lowercase; uppercase -V only prints the client version) turns it on, and -vv or -vvv add more detail.

For example, without debug output:

[root@server ~]# ssh -l root 192.168.9.104
ssh: connect to host 192.168.9.104 port 22: Connection refused

With debug output:

[root@server ~]# ssh -v -l root 192.168.9.104
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 192.168.9.104 [192.168.9.104] port 22.
debug1: connect to address 192.168.9.104 port 22: Connection refused
ssh: connect to host 192.168.9.104 port 22: Connection refused

The output shows the client reading its configuration and then being refused on port 22, which means nothing is listening there: the remote sshd has been moved to a non-default port in its configuration file (9922 in this lab, as the later examples show). The fix is to pass the port explicitly with -p 9922, or to set Port for that host in ~/.ssh/config.

 

2. SSH escape character usage

Switching away from an SSH session: after you log in from the local host to a remote host over SSH, you may need to return to the local host, run a few commands, and then go back to the remote host, all without disconnecting the SSH session. Escape sequences are recognised only when the ~ is the first character typed after a newline; ~? lists the sequences the client supports, and ~. drops the connection. The steps are:

1. Log in to the remote machine: Server# ssh -l <user name> <host name or IP address>

2. You are now on the remote machine: Client#

3. Return to the local host: at the start of a line, type the escape character ~ and then Ctrl+Z (no Enter is needed). The SSH client is suspended:

[root@client ~]# ~^Z [suspend ssh]

[1]+  Stopped                 ssh -l root 192.168.9.104 -p 9922
[root@server ~]#

4. You are now back on the local host, and the SSH session to the remote host is a stopped background job, which you can confirm with jobs:

[root@server ~]# jobs
[1]+  Stopped                 ssh -l root 192.168.9.104 -p 9922

5. To return to the remote host, bring the job back to the foreground:

[root@server ~]# fg %1
ssh -l root 192.168.9.104 -p 9922
[root@client ~]#

 

3. SSH trusted login (public-key authentication)

Typing a password at every remote login is tedious, especially when the password is long and hard to remember. An SSH trust relationship (public-key authentication) lets you log in without entering the account password at all. Keep in mind that a key with an empty passphrase, as used in this lab, is only as safe as the file it lives in: anyone who can read the private key can log in as that account. Outside a lab, protect the key with a passphrase and let ssh-agent cache it.

Lab setup:

Create an SSH trust in which the host named server acts as the SSH client (it initiates the connection) and the host named client acts as the SSH server (it accepts the connection).

1. Generate a key pair on the server host

[root@server ~]# ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
2e:f6:1b:00:23:9e:27:3f:19:48:83:89:e9:ee:d4:5e root@server.dongwm.com

-t selects the key algorithm: dsa here, or -t rsa for RSA. (DSA keys are disabled by default in current OpenSSH; on a modern system use -t ed25519 or -t rsa instead.) The first prompt asks where to store the key pair; accept the default location by pressing Enter. The next two prompts ask for a passphrase protecting the private key; since the point of this exercise is to avoid typing passwords, press Enter at both to leave it empty.

After this step two files exist: id_dsa, the private key, which stays on the server host and is never copied anywhere, and id_dsa.pub, the public key, whose contents are added to the client host's trust list in the next step.

 

2. On the client machine, under the account you will be logging in as (root in this example), append the contents of id_dsa.pub as one line to ~/.ssh/authorized_keys (or ~/.ssh/authorized_keys2). The key is a single line; make sure it stays one line and that no extra carriage return is copied along with it, or sshd will ignore the entry without any error message. authorized_keys2 is a legacy file name from when it held keys for SSH protocol 2 only; sshd still reads both files by default.

[root@server ~]# scp -P 9922 ~/.ssh/id_dsa.pub root@client.okooo.com:/root/.ssh/authorized_keys

Two things to note: scp takes the port as uppercase -P (unlike ssh, which uses lowercase -p), and this command replaces any authorized_keys that already exists on the client, discarding the keys already in it. If the file exists, append to it instead of overwriting it.

Note: the ssh-copy-id command.

ssh-copy-id is a shell script shipped with OpenSSH. It saves you from remembering the authorized_keys path: it appends the public key to the remote file (creating ~/.ssh with the correct permissions if needed) rather than overwriting it, and it prompts for the remote password once. It is used like this:

# ssh-copy-id -i ~/.ssh/id_rsa.pub user@server

which has the same effect as the scp command above (this example names id_rsa.pub; use id_dsa.pub if that is the key you generated).

If sshd is not listening on the default port 22, older versions of ssh-copy-id simply passed extra words through to ssh, so the port and the target had to be quoted together as one argument:

# ssh-copy-id -i ~/.ssh/id_rsa.pub "-p <port number> user@server"

Current versions also accept -p <port number> as an ordinary option in front of user@server.

At this point we have established a one-way trust: root on the host server can log in directly as root on the host client. The reverse direction does not work, and no other user on either host is affected, because each trust is specific to one private key and to the authorized_keys file of one account.

The mechanism is public-key (asymmetric) cryptography. id_dsa is the private key. At each login the client uses it to sign a message bound to that particular session (the signed data includes the session identifier from the key exchange, so a captured signature cannot be replayed later); the server looks for the matching public key in the target account's authorized_keys file and verifies the signature with it. A valid signature proves possession of the private key, and the login is granted without a password.

3. Set the permissions on the .ssh directory and the authorized_keys file

Set ~/.ssh to 700 and authorized_keys to 644 (600 also works). This matters: with StrictModes enabled, which is the sshd default, a group- or world-writable directory or file makes sshd ignore the keys in it, and the only symptom is that you are asked for a password after all.

4. Connection attempts are logged in /var/log/secure on Red Hat derived systems (Debian derived systems use /var/log/auth.log). When key login fails, that log on the server and ssh -v on the client are the first places to look.
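The following script is an added example, not code from the original article. It checks the two things steps 2 and 3 above leave to the reader's care: that every authorized_keys line is a single intact line whose declared key type matches the encoded key blob (a stray carriage return or a key wrapped over two lines makes sshd skip the entry silently), and that ~/.ssh and authorized_keys are not group- or world-writable, which StrictModes rejects. The sample lines and the 32 placeholder key bytes are constructed inside demo() and demo_permissions(); the function names are my own. DSA keys (ssh-dss, what ssh-keygen -t dsa produces) are parsed but reported as disabled, matching current OpenSSH defaults.

```python
import base64
import hashlib
import os
import shlex
import stat
import struct
import tempfile

# Key types accepted here; ssh-dss is recognised but rejected (disabled in OpenSSH).
ACCEPTED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
                  "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
KNOWN_TYPES = ACCEPTED_TYPES | {"ssh-dss"}


def wire_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: big-endian uint32 length + bytes."""
    return struct.pack(">I", len(data)) + data


def read_wire_strings(blob: bytes) -> list:
    """Decode every wire-format string in a key blob; reject truncated data."""
    out, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated key data")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        if off + 4 + n > len(blob):
            raise ValueError("truncated key data")
        out.append(blob[off + 4:off + 4 + n])
        off += 4 + n
    return out


def make_ed25519_pubkey_line(raw32: bytes, comment: str) -> str:
    """Build an authorized_keys line from 32 raw public-key bytes. The blob
    layout is the real one; the bytes demo() feeds in are placeholders."""
    blob = wire_string(b"ssh-ed25519") + wire_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form ssh-keygen -l prints (unpadded base64)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_key(line: str) -> dict:
    """Parse one authorized_keys line. Raise ValueError for the defects sshd
    skips without telling you: CR characters, a key wrapped across lines,
    a declared type that does not match the blob, an unsupported type."""
    if "\r" in line:
        raise ValueError("carriage return in line (copied with CRLF line endings?)")
    fields = shlex.split(line)
    # An options field (from=..., command=...) may precede the key type.
    idx = 0 if fields and fields[0] in KNOWN_TYPES else 1
    if len(fields) < idx + 2:
        raise ValueError("line lacks '<type> <base64 key>' (key wrapped onto another line?)")
    options = fields[0] if idx == 1 else None
    ktype = fields[idx]
    if ktype not in KNOWN_TYPES:
        raise ValueError(f"unknown key type {ktype!r}")
    try:
        blob = base64.b64decode(fields[idx + 1], validate=True)
    except Exception as exc:
        raise ValueError(f"key data is not valid base64: {exc}")
    parts = read_wire_strings(blob)
    if not parts or parts[0].decode("ascii", "replace") != ktype:
        raise ValueError("declared key type does not match the encoded key blob")
    if ktype == "ssh-ed25519" and (len(parts) != 2 or len(parts[1]) != 32):
        raise ValueError("malformed ed25519 public key")
    if ktype not in ACCEPTED_TYPES:
        raise ValueError(f"key type {ktype} is disabled; generate an ed25519 or RSA key")
    return {"type": ktype, "options": options, "fingerprint": fingerprint(blob),
            "comment": " ".join(fields[idx + 2:])}


def check_permissions(ssh_dir: str) -> list:
    """List what sshd's StrictModes (on by default) would reject: a group- or
    world-writable ~/.ssh directory or authorized_keys file."""
    problems = []
    dir_mode = stat.S_IMODE(os.stat(ssh_dir).st_mode)
    if dir_mode & 0o022:
        problems.append(f"{ssh_dir}: mode {dir_mode:o} is group/world-writable, use 700")
    ak = os.path.join(ssh_dir, "authorized_keys")
    file_mode = stat.S_IMODE(os.stat(ak).st_mode)
    if file_mode & 0o022:
        problems.append(f"{ak}: mode {file_mode:o} is group/world-writable, use 600 or 644")
    return problems


def demo() -> list:
    """Constructed sample: one good line, then the copy mistakes the article
    warns about (a stray CR, the key split across two lines)."""
    placeholder_key = bytes(range(32))  # NOT a real key, just 32 bytes
    good = make_ed25519_pubkey_line(placeholder_key, "root@server")
    results = []
    for line in (good, good + "\r", good[:40], good[40:]):
        try:
            results.append(("ok", parse_authorized_key(line)["type"]))
        except ValueError as exc:
            results.append(("rejected", str(exc)))
    return results


def demo_permissions() -> tuple:
    """Constructed sample ~/.ssh, first with sloppy modes, then fixed to 700/600."""
    with tempfile.TemporaryDirectory() as tmp:
        ssh_dir = os.path.join(tmp, ".ssh")
        os.mkdir(ssh_dir)
        ak = os.path.join(ssh_dir, "authorized_keys")
        with open(ak, "w") as fh:
            fh.write(make_ed25519_pubkey_line(bytes(range(32)), "root@server") + "\n")
        os.chmod(ssh_dir, 0o777)
        os.chmod(ak, 0o666)
        before = check_permissions(ssh_dir)
        os.chmod(ssh_dir, 0o700)
        os.chmod(ak, 0o600)
        after = check_permissions(ssh_dir)
    return before, after


if __name__ == "__main__":
    for status, detail in demo():
        print(status, detail)
    print("permission problems before/after chmod:", demo_permissions())
```

To check a real file, read it line by line, skip blank lines and lines starting with #, and pass each remaining line to parse_authorized_key; run check_permissions on the directory afterwards. The ed25519 layout is the only one validated field by field here; RSA and ECDSA blobs are checked for a matching type string and for truncation only.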
