SSH for the Linux service

Source: Internet
Author: User
Tags auth hmac file transfer protocol ssh secure file transfer ssh secure shell ssh server dns spoofing

1. View the version
[root@localhost ~]# ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 2010
Output like this means the system is running OpenSSH.
[root@localhost ~]# ssh -V
ssh: SSH Secure Shell 3.2.9.1 (non-commercial version) on i686-pc-linux-gnu
Output like this means the system is running the SSH Secure Shell product (SSH2) rather than OpenSSH.

2. First use
The first time you log in to a remote host with SSH, you are told that the host key is not found. After you answer "yes", the remote host's key is stored under your home directory (.ssh/hostkeys) and you can continue working.
Because the remote host's key is now in the client's list of known hosts, the second time you log in to that host you only need to enter the login password.

3. Key changes
If, after the first login, the key of the remote host changes, you will see warning messages the next time you connect. This can happen for two reasons:
1. The system administrator upgraded or reinstalled the SSH server on the remote host.
2. Someone is doing something malicious.
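The three situations described in sections 2 and 3 (first login, normal second login, and a host key that no longer matches) come down to one lookup in the known-hosts file. The script below is an added example, not code from the page: it parses a plain-text known_hosts file, classifies the key a server presents as known, changed or unknown, and prints the SHA256 fingerprint in the form ssh-keygen shows. The host entries and key blobs are constructed placeholders, and hashed (|1|) entries are deliberately skipped.

```python
import base64
import hashlib

def make_blob(key_type: str, payload: bytes) -> str:
    """Build a base64 key blob with the SSH wire-format type prefix.
    The payload is constructed placeholder material, not a real key."""
    raw = len(key_type).to_bytes(4, "big") + key_type.encode() + payload
    return base64.b64encode(raw).decode()

def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -l prints: base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text: str) -> list:
    """Return [(set_of_hostnames, key_type, key_b64)] for each plain-text entry.
    Hashed (|1|...) entries and @cert-authority/@revoked markers are skipped here."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        if parts[0].startswith("@") or parts[0].startswith("|1|"):
            continue
        hosts, key_type, key_b64 = parts[0], parts[1], parts[2]
        entries.append((set(hosts.split(",")), key_type, key_b64))
    return entries

def check_host_key(known_hosts: str, host: str, key_type: str, key_b64: str) -> str:
    """Classify the key a server presented for `host`:
    'known'   - an entry for this host and key type matches (the normal second login)
    'changed' - an entry exists but the key differs (the warning case of section 3)
    'unknown' - no entry at all (the prompt seen on first login)"""
    for hosts, kt, kb in parse_known_hosts(known_hosts):
        if host in hosts and kt == key_type:
            return "known" if kb == key_b64 else "changed"
    return "unknown"

# Constructed sample data: the server from the page's session, with placeholder key blobs.
KEY_A = make_blob("ssh-rsa", b"constructed host key A")
KEY_B = make_blob("ssh-rsa", b"constructed host key B")
KNOWN_HOSTS = f"# constructed known_hosts for the example\n172.16.1.14,fileserver ssh-rsa {KEY_A}\n"

def demo() -> dict:
    return {
        "second login, same key": check_host_key(KNOWN_HOSTS, "172.16.1.14", "ssh-rsa", KEY_A),
        "same host, different key": check_host_key(KNOWN_HOSTS, "172.16.1.14", "ssh-rsa", KEY_B),
        "never seen before": check_host_key(KNOWN_HOSTS, "172.16.1.15", "ssh-rsa", KEY_A),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
    print("fingerprint on record:", fingerprint(KEY_A))
```

The "changed" verdict is the one that deserves attention: before accepting it, confirm out of band (with the administrator, or against a fingerprint recorded when the server was installed) that the reason is the first of the two listed above.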

4. Debugging an SSH client session
[root@localhost ~]# ssh -v 172.16.1.14
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 Jul 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 172.16.1.14 [172.16.1.14] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: loaded 3 keys
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '172.16.1.14' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:6
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No credentials cache found

debug1: Unspecified GSS failure.  Minor code may provide more information
No credentials cache found

debug1: Unspecified GSS failure.  Minor code may provide more information
No credentials cache found

debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Next authentication method: password
root@172.16.1.14's password:
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.utf-8:zh_cn.gb2312
Last login: Tue Apr 14:35:00 from 172.16.1.12
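The debug output above records everything a reviewer wants to know about a connection: the negotiated cipher and MAC, whether the host key matched known_hosts, which authentication methods the server offered and which one succeeded. The script below is an added example, not part of the page: it extracts those facts from ssh -v output and flags the choices worth questioning (a CBC cipher and hmac-md5, as negotiated above, and password rather than key authentication). The sample text is a constructed, trimmed copy of the session shown above.

```python
import re

# Constructed sample: the security-relevant lines of the ssh -v session above.
SSH_DEBUG = """\
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 Jul 2008
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: Host '172.16.1.14' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:6
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Next authentication method: password
debug1: Authentication succeeded (password).
"""

KEX_RE = re.compile(r"debug1: kex: (server->client|client->server) (\S+) (\S+) (\S+)")
HOST_RE = re.compile(r"debug1: Host '([^']+)' is known and matches the (\S+) host key")
OFFER_RE = re.compile(r"debug1: Authentications that can continue: (\S+)")
SUCCESS_RE = re.compile(r"debug1: Authentication succeeded \((\S+)\)")
REMOTE_RE = re.compile(r"remote software version (\S+)")

def summarize(debug_text: str) -> dict:
    """Pull the security-relevant facts out of ssh -v output."""
    summary = {"kex": {}, "host_key": None, "offered": [],
               "auth_method": None, "remote_version": None}
    for line in debug_text.splitlines():
        if m := KEX_RE.search(line):
            direction, cipher, mac, comp = m.groups()
            summary["kex"][direction] = {"cipher": cipher, "mac": mac, "compression": comp}
        elif m := HOST_RE.search(line):
            summary["host_key"] = {"host": m.group(1), "type": m.group(2), "status": "known"}
        elif m := OFFER_RE.search(line):
            summary["offered"] = m.group(1).split(",")
        elif m := SUCCESS_RE.search(line):
            summary["auth_method"] = m.group(1)
        elif m := REMOTE_RE.search(line):
            summary["remote_version"] = m.group(1)
    return summary

# MACs and cipher families a reviewer would no longer want negotiated.
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}

def findings(summary: dict) -> list:
    """Return a sorted, de-duplicated list of things to question in the session."""
    out = set()
    for algs in summary["kex"].values():
        cipher, mac = algs["cipher"], algs["mac"]
        if cipher.endswith("-cbc") or cipher.startswith(("arcfour", "3des")):
            out.add(f"cipher {cipher} negotiated")
        if mac in WEAK_MACS:
            out.add(f"MAC {mac} negotiated")
    if summary["auth_method"] == "password":
        out.add("session authenticated with a password rather than a key")
    if summary["host_key"] is None:
        out.add("no host key match recorded; check the known_hosts prompt")
    return sorted(out)

if __name__ == "__main__":
    s = summarize(SSH_DEBUG)
    print("remote:", s["remote_version"], "auth:", s["auth_method"], "host key:", s["host_key"])
    for f in findings(s):
        print("finding:", f)
```

Run it over the output of a real `ssh -v` (for example by piping stderr into a file) to confirm the session is using the algorithms you expect before trusting it for anything sensitive.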

5. Temporarily switching back to the local host
To return to the local host temporarily, type the escape character "~" followed by Control-Z.
When you type "~" nothing appears on the screen; it is displayed together with the ^Z once you press Control-Z and Enter.
[root@remote ~]# ~^Z [suspend ssh]

[1]+  Stopped                 ssh -v 172.16.1.14
[root@localhost ~]# jobs
[1]+  Stopped                 ssh -v 172.16.1.14
[root@localhost ~]# fg 1
ssh -v 172.16.1.14

[root@remote ~]#

6. Viewing information about the current session
To get some useful information about the current session, use the following method. It only works with SSH2 clients.
Type the SSH escape character "~" followed by "s". This prints a good deal of useful information about the current SSH connection.


Configuring the "/etc/ssh/ssh_config" file
The "/etc/ssh/ssh_config" file is the system-wide OpenSSH client configuration file; by setting its options you change how the client program behaves. Each line of the file contains a keyword-value pair; keywords are case-insensitive. The most important keywords are listed below; use the man command to view the ssh(1) help page for the complete list.
Edit the "ssh_config" file (vi /etc/ssh/ssh_config) to add or change the following parameters:

# Site-wide defaults for various options
Host *
ForwardAgent no
ForwardX11 no
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
FallBackToRsh no
UseRsh no
BatchMode no
CheckHostIP yes
StrictHostKeyChecking no
IdentityFile ~/.ssh/identity
Port 22
Cipher blowfish
EscapeChar ~

The lines above have the following meaning:
Host *
"Host" restricts the options that follow it to hosts matching the given pattern; "*" matches every host.
ForwardAgent no
"ForwardAgent" sets whether the connection to the authentication agent (if any) is forwarded to the remote machine.
ForwardX11 no
"ForwardX11" sets whether X11 connections are automatically redirected over the secure channel and the DISPLAY variable set.
RhostsAuthentication no
"RhostsAuthentication" sets whether rhosts-based authentication is used.
RhostsRSAAuthentication no
"RhostsRSAAuthentication" sets whether rhosts-based authentication combined with RSA host authentication is used.
RSAAuthentication yes
"RSAAuthentication" sets whether RSA (public key) authentication is used.
PasswordAuthentication yes
"PasswordAuthentication" sets whether password authentication is used.
FallBackToRsh no
"FallBackToRsh" sets whether ssh automatically falls back to rsh if the SSH connection fails.
UseRsh no
"UseRsh" sets whether rlogin/rsh should be used for this host.
BatchMode no
"BatchMode", if set to "yes", disables the passphrase/password prompt. This is useful in scripts and batch jobs where nobody can type a password interactively.
CheckHostIP yes
"CheckHostIP" sets whether ssh additionally checks the IP address of the host against the known hosts file, which helps detect DNS spoofing. The recommended setting is "yes".
StrictHostKeyChecking no
"StrictHostKeyChecking", if set to "yes", stops ssh from automatically adding host keys to the "$HOME/.ssh/known_hosts" file, and makes it refuse to connect to a host whose key has changed.
IdentityFile ~/.ssh/identity
"IdentityFile" sets the file from which the user's RSA authentication identity is read.
Port 22
"Port" sets the port to connect to on the remote host.
Cipher blowfish
"Cipher" sets the cipher used to encrypt the session.
EscapeChar ~
"EscapeChar" sets the escape character.

Configuring the "/etc/ssh/sshd_config" file
"/etc/ssh/sshd_config" is the OpenSSH server configuration file; by setting its options you change how the daemon operates. Each line of the file contains a keyword-value pair; keywords are case-insensitive. The most important keywords are listed below; use the man command to view the sshd(8) help page for the complete list.
Edit the "sshd_config" file (vi /etc/ssh/sshd_config) to add or change the following parameters:
# This is the ssh server systemwide configuration file.
Port 22
ListenAddress 192.168.1.1
HostKey /etc/ssh/ssh_host_key
ServerKeyBits 1024
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin no
IgnoreRhosts yes
IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding no
PrintMotd yes
SyslogFacility AUTH
LogLevel INFO
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
AllowUsers admin

The lines above have the following meaning:
Port 22
"Port" sets the port number sshd listens on.
ListenAddress 192.168.1.1
"ListenAddress" sets the IP address the sshd server binds to.
HostKey /etc/ssh/ssh_host_key
"HostKey" sets the file containing the host's private key.
ServerKeyBits 1024
"ServerKeyBits" defines the number of bits in the server key.
LoginGraceTime 600
"LoginGraceTime" sets the time, in seconds, after which the server disconnects if the user has not logged in successfully.
KeyRegenerationInterval 3600
"KeyRegenerationInterval" sets the number of seconds after which the server key is automatically regenerated (if it has been used). Regenerating the key prevents captured sessions from being decrypted later with a stolen key.
PermitRootLogin no
"PermitRootLogin" sets whether root can log in with ssh. This option must not be set to "yes".
IgnoreRhosts yes
"IgnoreRhosts" sets whether the ".rhosts" and ".shosts" files are ignored during authentication.
IgnoreUserKnownHosts yes
"IgnoreUserKnownHosts" sets whether the ssh daemon ignores the user's "$HOME/.ssh/known_hosts" during RhostsRSAAuthentication.
StrictModes yes
"StrictModes" sets whether ssh checks the permissions and ownership of the user's home directory and rhosts files before accepting a login. This is usually necessary because novices often leave their directories and files writable by everyone.
X11Forwarding no
"X11Forwarding" sets whether X11 forwarding is allowed.
PrintMotd yes
"PrintMotd" sets whether sshd prints the contents of "/etc/motd" when a user logs in.
SyslogFacility AUTH
"SyslogFacility" sets the facility code used when logging messages from sshd.
LogLevel INFO
"LogLevel" sets the verbosity of sshd's log messages. INFO is a good choice. See the sshd man page for more information.
RhostsAuthentication no
"RhostsAuthentication" sets whether authentication with rhosts or "/etc/hosts.equiv" alone is sufficient.
RhostsRSAAuthentication no
"RhostsRSAAuthentication" sets whether rhosts or "/etc/hosts.equiv" authentication combined with RSA host authentication is allowed.
RSAAuthentication yes
"RSAAuthentication" sets whether pure RSA authentication is allowed.
PasswordAuthentication yes
"PasswordAuthentication" sets whether password authentication is allowed.
PermitEmptyPasswords no
"PermitEmptyPasswords" sets whether login to accounts with empty passwords is allowed.
AllowUsers admin
"AllowUsers" can be followed by any number of user name patterns or user@host patterns, separated by spaces. The host part can be a DNS name or an IP address.

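Both configuration files above are plain "keyword value" lists with case-insensitive keywords, so the same small parser can audit either of them. The script below is an added example, not code from the page or from OpenSSH: it parses a client or server configuration and reports every option whose value departs from the safe setting recommended in the two sections above (PermitRootLogin, PermitEmptyPasswords, StrictModes and IgnoreRhosts on the server; CheckHostIP, StrictHostKeyChecking, ForwardAgent and the rsh fallbacks on the client). The rule tables and the "bad" sample configuration are constructed for the example; the two "good" samples are the configurations listed above.

```python
import re

def parse_config(text: str) -> dict:
    """Parse an OpenSSH-style config: one 'Keyword value' (or 'Keyword=value')
    per line, keywords case-insensitive, '#' comments ignored. Host/Match headers
    are stored like any other key; the page's files use a single 'Host *'."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip()
    return settings

# keyword -> (expected value, why it matters). Constructed from the sections above.
SERVER_RULES = {
    "permitrootlogin": ("no", "root must not log in directly over ssh"),
    "permitemptypasswords": ("no", "accounts with a blank password could log in"),
    "ignorerhosts": ("yes", ".rhosts/.shosts trust would be honoured"),
    "rhostsauthentication": ("no", "rhosts-only authentication is trivially spoofable"),
    "strictmodes": ("yes", "world-writable home directories and key files would be accepted"),
    "x11forwarding": ("no", "X11 forwarding widens the attack surface; enable only if needed"),
}
CLIENT_RULES = {
    "stricthostkeychecking": ("yes", "host keys would be added without confirmation"),
    "checkhostip": ("yes", "the server's IP would not be cross-checked, so DNS spoofing goes unnoticed"),
    "forwardagent": ("no", "a compromised server could use keys in the forwarded agent"),
    "forwardx11": ("no", "a compromised server could reach the local X display"),
    "fallbacktorsh": ("no", "a failed ssh connection would fall back to cleartext rsh"),
    "usersh": ("no", "rlogin/rsh send credentials in cleartext"),
}

def audit(text: str, rules: dict, required: tuple = ()) -> list:
    """Return human-readable findings; an empty list means the file passes."""
    settings = parse_config(text)
    out = []
    for key, (expected, why) in rules.items():
        actual = settings.get(key)
        if actual is not None and actual.lower() != expected:
            out.append(f"{key} is '{actual}', expected '{expected}': {why}")
    for key in required:
        if key not in settings:
            out.append(f"{key} is not set: no restriction is applied")
    return out

# The server configuration listed on the page.
SSHD_CONFIG = """\
# This is the ssh server systemwide configuration file.
Port 22
ListenAddress 192.168.1.1
HostKey /etc/ssh/ssh_host_key
PermitRootLogin no
IgnoreRhosts yes
StrictModes yes
X11Forwarding no
RhostsAuthentication no
PasswordAuthentication yes
PermitEmptyPasswords no
AllowUsers admin
"""
# The client configuration listed on the page.
SSH_CONFIG = """\
Host *
ForwardAgent no
ForwardX11 no
FallBackToRsh no
UseRsh no
CheckHostIP yes
StrictHostKeyChecking no
Cipher blowfish
"""
# Constructed example of a server file with the mistakes the page warns against.
BAD_SSHD_CONFIG = """\
PermitRootLogin yes
PermitEmptyPasswords yes
StrictModes no
"""

if __name__ == "__main__":
    for name, text, rules, req in (("sshd_config", SSHD_CONFIG, SERVER_RULES, ("allowusers",)),
                                   ("ssh_config", SSH_CONFIG, CLIENT_RULES, ()),
                                   ("bad sshd_config", BAD_SSHD_CONFIG, SERVER_RULES, ("allowusers",))):
        print(f"== {name}")
        for finding in audit(text, rules, req) or ["ok"]:
            print("  ", finding)
```

On the page's own files the server configuration passes, while the client configuration produces exactly one finding: the "StrictHostKeyChecking no" line, which is the setting that lets a new host key be accepted on first connection without anyone looking at it.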
Using SFTP instead of FTP to transfer files
FTP (File Transfer Protocol) is a very widely used way to transfer files across a network, but it is exposed to network eavesdropping because it transmits user credentials in clear text. The SSH package already contains a secure file transfer subsystem called SFTP (Secure FTP). SFTP has no daemon of its own; it relies on the sshd daemon (port 22 by default) to establish the connection, so in a sense SFTP behaves less like a server program and more like a client program. SFTP encrypts both the authentication information and the transferred data, so it is very safe to use. Because of the encryption and decryption involved, its transfer efficiency is much lower than plain FTP, but where network security requirements are higher you can use SFTP instead of FTP. To enable SFTP, modify the following line in the sshd2_config file:
# subsystem-sftp sftp-server
Remove the "#" from the beginning of the line and restart the SSH server; you can then use SFTP to transfer files over the same SSH connection.

About client settings
The above covers the server side; the SSH server package already includes some client tools (such as ssh and sftp). However, most client users run Windows, and the following describes client-side settings on Windows.
Letting ordinary users use SFTP only, without shell access
By default an account added by the administrator has both SFTP and SSH (shell) access. Letting ordinary users execute commands through the shell is a significant security risk; if users can be prevented from executing shell commands and restricted to transferring files with SFTP, that risk is removed while the full functionality of FTP is preserved.
As mentioned above, SFTP has no daemon of its own and works only through the sshd daemon, so the SSH server is still required and the sshd daemon must be running. The procedure is as follows:
First, the software must have been compiled and installed with the "--enable-static" option. After installation succeeds, run the following command in the bin directory under the installation directory:
[root@localhost bin]# ls -l ssh-dummy-shell* sftp-server2*
You will see output like the following:
-rwxr-xr-x 1 root root 1350417 Apr 16:30 sftp-server2
-rwxr-xr-x 1 root root 3566890 Apr 16:30 sftp-server2.static
-rwxr-xr-x 1 root root   72388 Apr 16:30 ssh-dummy-shell
-rwxr-xr-x 1 root root 1813412 Apr 16:30 ssh-dummy-shell.static
The two larger files with the ".static" suffix are produced by the "--enable-static" option; these are the two files we will use.
The following steps use an ordinary account named "test" as an example.
1. Create a "bin" subdirectory under "/home" (or whichever directory holds the ordinary users' home directories), copy the two static files into it (dropping the ".static" suffix), and run the following commands:
[root@localhost bin]# cd /usr/local/ssh3.2/bin
[root@localhost bin]# cp ssh-dummy-shell.static /home/bin/ssh-dummy-shell
[root@localhost bin]# cp sftp-server2.static /home/bin/sftp-server
[root@localhost bin]# chown -R root.root /home/bin
[root@localhost bin]# chmod -R 755 /home/bin
2. Add a group to which all users barred from the shell will belong from now on; this makes managing many such users easier:
[root@localhost bin]# groupadd template
3. Use the following commands when adding the system account. The shell path "/bin/ssh-dummy-shell" is relative to the user's home directory, which becomes the root directory after the chroot configured in step 4, and the tools are hard-linked (ln without -s) because a symbolic link pointing at "/home/bin" cannot be followed from inside the chroot:
[root@localhost root]# useradd -s /bin/ssh-dummy-shell -g template test
[root@localhost root]# passwd test
[root@localhost root]# mkdir /home/test/bin
[root@localhost root]# cd /home/test/bin
[root@localhost bin]# ln /home/bin/ssh-dummy-shell ssh-dummy-shell
[root@localhost bin]# ln /home/bin/sftp-server sftp-server
[root@localhost bin]# chown -R root.root /home/test/bin
[root@localhost bin]# chmod -R 755 /home/test/bin
4. After the user has been added, you also need to modify the /etc/ssh2/sshd2_config file, changing:
#ChRootGroups sftp,guest
to
ChRootGroups sftp,guest,template
The purpose of this change is to stop ordinary users from viewing other directories on the system by restricting them to their own home directory. Restart the SSH server; when an ordinary user logs in with the SSH Secure File Transfer client, even if they choose to show the root directory they cannot see any other directory, because their home directory has become the root. Note that this is applied by group, so every user in the "template" group is restricted in the same way. To restrict individual users instead, modify the following line:
#ChRootUsers anonymous,ftp,guest
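Steps 1 and 3 above are file-layout work that is easy to get subtly wrong (a symlink instead of a hard link, or a tool left group-writable), and a wrong layout only shows up as a failed login after the chroot is switched on. The script below is an added example, not from the page: it performs the copy and hard-link steps as shell functions and then checks that each tool in the user's bin directory is executable, not writable by group or other, and really hard-linked. It runs against placeholder scripts in a temporary directory; the chown root.root, groupadd and useradd commands from the page need root and are left to the administrator.

```sh
#!/bin/sh
# Added example: the layout of steps 1 and 3 as functions, plus a check.
# Placeholder files stand in for the real static binaries.
set -eu

# Step 1: copy the two static binaries into the shared bin directory,
# dropping the ".static" suffix, and leave everything mode 755.
stage_static_tools() {
    src=$1; dest=$2
    mkdir -p "$dest"
    cp "$src/ssh-dummy-shell.static" "$dest/ssh-dummy-shell"
    cp "$src/sftp-server2.static" "$dest/sftp-server"
    chmod -R 755 "$dest"
}

# Step 3: hard-link the tools into HOME/bin. Hard links, not symlinks: once the
# session is chrooted to HOME, a symlink pointing at /home/bin cannot be resolved.
link_into_home() {
    shared=$1; home=$2
    mkdir -p "$home/bin"
    ln "$shared/ssh-dummy-shell" "$home/bin/ssh-dummy-shell"
    ln "$shared/sftp-server" "$home/bin/sftp-server"
    chmod -R 755 "$home/bin"
}

# Check: both tools present, executable, not writable by group/other, and
# hard-linked (link count >= 2), which is what the chrooted login relies on.
verify_home() {
    home=$1
    for f in ssh-dummy-shell sftp-server; do
        p="$home/bin/$f"
        [ -x "$p" ] || { echo "missing or not executable: $p" >&2; return 1; }
        [ -z "$(find "$p" -perm -o=w)" ] || { echo "world-writable: $p" >&2; return 1; }
        [ -z "$(find "$p" -perm -g=w)" ] || { echo "group-writable: $p" >&2; return 1; }
        links=$(ls -l "$p" | awk '{print $2}')
        [ "$links" -ge 2 ] || { echo "not hard-linked: $p" >&2; return 1; }
    done
}

# Exercise the functions on placeholder scripts standing in for the real tools;
# returns 0 when the resulting layout passes verify_home.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/ssh3.2/bin"
    printf '#!/bin/sh\n' > "$tmp/ssh3.2/bin/ssh-dummy-shell.static"   # placeholder, not the real tool
    printf '#!/bin/sh\n' > "$tmp/ssh3.2/bin/sftp-server2.static"      # placeholder, not the real tool
    stage_static_tools "$tmp/ssh3.2/bin" "$tmp/home/bin"
    link_into_home "$tmp/home/bin" "$tmp/home/test"
    if verify_home "$tmp/home/test"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

demo && echo "sftp-only layout verified"
```

On a real server, call the two functions with /usr/local/ssh3.2/bin, /home/bin and /home/test as arguments, add the chown root.root from the page, and run verify_home on each restricted user's home before enabling the ChRootGroups line.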
