SSH review + Security Tunnel Creation

Article Title: SSH review and Security Tunnel Creation. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.

SSH review + Security Tunnel Creation

SSH Secure SHell protocol

Telent is a type of plain text transmission that people know, so it is not recommended to use, because it can be stolen to hear your transmitted information, even if it is not important, you do not want strangers to know your things. As a result, ssh is encrypted for transmission. The encryption method is currently used in ssh, mainly by using RSA/DSA/Diffie-Hellman and so on? C! I checked the specific information ~ Understand.

? Every time SSH daemon (sshd )??? R, right ?? A generates a 768-bit male? (Or ?? Server key) is stored in the Server;

If there is a client-side ssh ?? Requirement? Why ?? R, then? Server ?? 7 @ A public ?? O client, here? R client too ??? σ Sapporo @ zhigong? ? . Ratio? Pharm? Why? /Etc/ssh/ssh_known_hosts or ~ /. Ssh/known_hosts? N case? Hot Swap? /P>

Accept ??? After the 768-bit server key, the Client itself ?? S? C? Generate a 256-bit private message? (Host key ),? K and encrypted? Server key? Host key is integrated? ν? Key pair ,? K and? 7 @? Key pair? O server;

After? Client in? Times ??? To? I? 1024-bit Key pair? Limit M rows? Expected? Else f!

This is roughly the entire connection step. I came from laruence cp, so I am too lazy to type it. I 'd like to know how to transmit it, note that the diffie-hellman mechanism has been added to ssh to check the source of each transmitted data correctly, further enhancing the security.

Vi/etc/ssh/sshd. config

Port ssh port

Protocol ssh protocol, preferably 2, the latest security version

Hostkey/etc/ssh/ssh_host_rsa_key rsa algorithm key

Hostkey/etc/ssh/ssh_host_dsa_key dsa algorithm key

Syslogfacility AUTHPRIV when someone enters the system through ssh, ssh will record it under/var/log/secure

Permitrootlogin no. Shut down the root account and keep it safe.

PubkeyAUTHENTICATION yes whether public key is allowed

AUTHORIZEkeysFILE. ssh/authorized_keys it is very important to determine whether to log on to the password to log on to ssh,

PrintMotd no: print the content of the/etc/motd file. For security reasons, no

Printlastlog yes: displays the information of the last entry.

Keepalive yes transfers a keepalive to the client to ensure that the connection between the two parties is normal, so as to prevent the other party from freezing down

Maxstartups 10 Number of ssh queues

Subsystem sftp/usr/libexec/openssh/sftp-server

This is probably how sftp is set.

Ssh account @ ip or host name-p ssh port 22 by default

For the first login, there will be a series of settings and so on. Just confirm it, and enter the correct password to connect.

But after the first login, your ~ There is a. ssh file in the directory, which contains your rsa or dsa, which is the key you enter .... But what we do later does not require a key to log on, we need to delete this file. We need to re-create a. ssh Directory, which is different here.

[Test2 @ test2 ~] $ Ssh-keygen-t rsa: There are two generated keys (rsa is used in this example) Your identification has been saved in/home/test2 /. ssh/id_rsa <= private key Your public key has been saved in/home/test2 /. ssh/id_rsa.pub <= Public key The key fingerprint is: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx and then use scp/Transfer File account @ ip or Host Name: /directory or add the-p port ---- SCP has a colon. To do this, you need to upload the public key (id_rsa.pub) to the server without logging on to ssh using a password. there is also an AUTHORIZEkeysFILE. ssh/authorized_keys is very important Whether to log on to the ssh client using the password or not. If you want to write such a public key, you must write it as authorized_keys. Of course, you can change the public key you like, but the names must correspond to each other, the directory location is correct. For convenience and convenience, the directory location is usually set according to the name. The location of the mv id_rsa.pub authorized_keys should be well noted, they are all in the home directory of the account. scp authorized_keys account @ ip or host name in ssh :~ /. After ssh is confirmed, there is a key and the password is not required to log on with the corresponding account. Because multiple public keys may be saved in authorized_keys, >>to Add the key and create a vpn-like tunnel, -- create a dedicated communication tunnel between several hosts to enable other unencrypted Communication

To encrypt the communication. create a tunnel ssh-2C-p 555 test@192.168.0.1-L 5000: 172.16.1.1: 22-The g-2C is an ssh service communication protocol version of 2 C indicating compressed transfer-L bind_address format port/host/hostport-g indicating to provide use permissions, that is, the tunnel provides other hosts with a 5000 port service tunnel to connect to ssh of 192.168.0.1 from port 555 of 172.16.1.1, tunnel automatically transfers 22 port package ssh XXX@172.16.1.1-p 5000 can be connected up or telent xxx@172.16.1.1 5000-channel ssh-2C-p 555 test@192.168.0.1-L 5000: 172.16.1.1: 22-The g-2C is an ssh service communication protocol version of 2 C indicating compressed transfer-L bind_address format port/host/hostport-g indicating to provide use permissions, that is, the tunnel provides other hosts with a 5000 port service tunnel to connect to ssh of 192.168.0.1 from port 555 of 172.16.1.1, tunnel automatically transfers the package of port 22 ssh XXX@172.16.1.1-p 5000 to connect up or telent xxx@172.16.1.1 5000