SSH service Configuration

Source: Internet
Author: User
Tags: scp, file, rsync


SSH stands for Secure Shell. With SSH, everything sent over the connection is encrypted, so a
"man-in-the-middle" cannot read or alter it, and because the server proves its identity with its
host key, DNS and IP spoofing are defeated as well (provided the client actually verifies the host
key fingerprint on first contact instead of blindly answering "yes"). A side benefit is that the
transmitted data can be compressed, which speeds up transfers over slow links. SSH replaces Telnet
and, through port forwarding, can carry FTP, POP and even PPP inside a secure "channel".

1. SSH key authentication (generating a key pair locally)
Key authentication uses a pair of mathematically related strings. One is the public key: anyone
may see it, and it is used to encrypt data and to verify signatures. The other is the private key:
only its owner may see it, and it is used to decrypt and to sign. Data encrypted with the public key
is easily decrypted with the private key, but deriving the private key from the public key is
computationally infeasible.
SSH key authentication relies on this property. Both the server and the client have their own
public and private keys. At login the server sends the client a challenge, the client signs it with
its private key, and the server verifies the signature with the copy of the client's public key it
holds; the private key never leaves the client.
Before authentication can work, the client therefore needs a way to register its public key on the
server.

###### generating the key ###########
[test@host ~]$ ssh-keygen                                   ### tool that generates the public and private key
Generating public/private rsa key pair.
Enter file in which to save the key (/home/test/.ssh/id_rsa):   ### press Enter to save the key in the default location
Created directory '/home/test/.ssh'.
Enter passphrase (empty for no passphrase):                 ### passphrase protecting the private key; leave it empty or use more than 4 characters
Enter same passphrase again:
Your identification has been saved in /home/test/.ssh/id_rsa.
Your public key has been saved in /home/test/.ssh/id_rsa.pub.
The key fingerprint is:                                     ### fingerprint that identifies this key
a5:4f:02:51:68:59:f4:e8:e3:c5:91:1f:6f:86:99:06 test@host
The key's randomart image is:
+--[ RSA 2048]----+
| .*+             |
|  +.     O.      |
| .. .    E.      |
|  O + + *        |
|   S + * +       |
|  . * . o        |
| .      .        |
|                 |
|                 |
+-----------------+
[test@host .ssh]$ pwd
/home/test/.ssh                                             ### where the generated keys are stored
[test@host .ssh]$ ls
id_rsa  id_rsa.pub                                          ### id_rsa is the private key, id_rsa.pub the public key

The transcript shows the older 2048-bit RSA default. On current OpenSSH, ssh-keygen -t ed25519 (or -t rsa -b 4096 where Ed25519 is not accepted) is the better choice, and a passphrase is worth setting: without one, anyone who copies id_rsa can log in as you.

2. Install the public key for the target user on the target host
[test@host ~]$ ssh-copy-id -i /home/test/.ssh/id_rsa.pub westos@172.25.254.100

The authenticity of host '172.25.254.100 (172.25.254.100)' can't be established.
ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are
already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to
install the new keys
westos@172.25.254.100's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'westos@172.25.254.100'"
and check to make sure that only the key(s) you wanted were added.

ssh-copy-id                    ### tool that uploads the public key
-i                             ### public key to use
/home/test/.ssh/id_rsa.pub     ### path of that public key
westos                         ### target user that will be managed
172.25.254.100                 ### IP of the host where that user lives

authorized_keys                ### this file lives in .ssh under the target user's home directory; every
public key listed in it is an identity that may log in as that user.

Answer "yes" to the host-key question only after comparing the fingerprint with one obtained out of
band (for example from the console of 172.25.254.100); accepting it blindly is exactly the
man-in-the-middle opening SSH is meant to close. ssh-copy-id prompts for the target user's password
once, because the key is not installed yet; after it succeeds, the next ssh login should not ask for
a password at all.

3. Transferring a file (distributing the private key)
scp /home/test/.ssh/id_rsa client@<ip>:/home/client/.ssh   # push id_rsa from the current host to another client

Be aware of what this does: a private key copied to a second machine is a secret shared by both, so
if either host is compromised the key has to be revoked from every authorized_keys it appears in.
The cleaner approach is to run ssh-keygen on each client and install each client's own public key
with ssh-copy-id, so a private key never leaves the host that generated it. If you do copy it, the
destination file must be owned by the user and mode 600, or ssh will refuse to use it.
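What ssh-copy-id does on the target side, as an added example that is not part of the original post: the script below installs a public key by hand, skipping keys that are already present (the "filter out any that are already installed" step in the transcript above) and setting the permissions StrictModes checks on the target user's .ssh directory. This is also the per-client alternative to copying id_rsa around: each client installs its own public key. It assumes a Linux host with bash, coreutils and awk; the demo at the bottom generates a throwaway Ed25519 key with ssh-keygen into a scratch directory and touches nothing on the page's hosts.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: manual equivalent of what
# ssh-copy-id does on the target host. Assumes bash, coreutils and awk.
set -eu

# install_pubkey <authorized_keys path> <public key line>
# Appends the key only if it is not already present, and sets the permissions
# that sshd's StrictModes requires: .ssh 700, authorized_keys 600.
# Limitation: lines that start with key options (command="...", from="...")
# are not matched, because the key type is then not the first field.
install_pubkey() {
    local akfile=$1 pubkey=$2
    local sshdir keyid
    sshdir=$(dirname "$akfile")
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$akfile"
    chmod 600 "$akfile"
    # Compare on key type and base64 blob only (fields 1 and 2); the trailing
    # comment may differ between copies of the same key.
    keyid=$(printf '%s\n' "$pubkey" | awk '{print $1 " " $2}')
    if awk -v id="$keyid" '($1 " " $2) == id {found=1} END {exit !found}' "$akfile"; then
        echo "key already installed"
        return 0
    fi
    printf '%s\n' "$pubkey" >> "$akfile"
    echo "key added"
}

# count_keys <authorized_keys path>: number of key lines, for verification.
count_keys() {
    grep -cE '^(ssh-|ecdsa-|sk-)' "$1" || true
}

# demo: generate a throwaway key in a scratch directory and install it twice,
# to show that the second attempt is filtered out. Needs ssh-keygen.
demo() {
    local tmp
    tmp=$(mktemp -d)
    ssh-keygen -q -t ed25519 -N '' -f "$tmp/id_ed25519" -C "test@host"
    install_pubkey "$tmp/target/.ssh/authorized_keys" "$(cat "$tmp/id_ed25519.pub")"
    install_pubkey "$tmp/target/.ssh/authorized_keys" "$(cat "$tmp/id_ed25519.pub")"
    echo "keys installed: $(count_keys "$tmp/target/.ssh/authorized_keys")"
    ls -ld "$tmp/target/.ssh" "$tmp/target/.ssh/authorized_keys"
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Run it as `bash install_pubkey.sh demo` to see the second install being skipped. On the real target, the same function run as the target user (here westos) against ~/.ssh/authorized_keys is what ssh-copy-id performs over the password-authenticated session.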

4. Remote file transfer: scp, rsync

Both run over SSH (the remote shell); SFTP is the other file-transfer protocol SSH carries.

scp                            ### remote copy
-v  verbose output (a progress meter is shown by default; -v adds debugging detail)
-C  compress the transfer
-P  specify the port (capital P; lowercase -p preserves modification times and modes)
-4  force IPv4
-6  force IPv6
-i  path of the private key file
-r  copy directories recursively
-l  limit the bandwidth, in Kbit/s
scp file user@host:/directory            ### upload a file
scp -r dir user@host:/directory          ### upload a directory
scp user@host:/filename /directory       ### download a file
scp -r user@host:/directory /directory   ### download a directory


scp copies everything it is given, every time.
rsync mirrors (synchronizes): it transfers only what differs between the two sides, and by default
it skips symbolic links unless told to copy them.

rsync file|directory user@host:/directory
rsync user@host:/directory /directory
-r  recurse into directories
-l  copy symlinks as symlinks (do not skip them)
-p  preserve permissions
-t  preserve modification times
-g  preserve group
-o  preserve owner (only honoured when the receiving side runs as root)
-D  preserve device and special files (capital D; lowercase -d means "transfer directories without recursing")
-a  shorthand for all of the above (-rlptgoD), which is what "mirroring" usually means

5. Simple sshd service configuration
systemctl restart sshd         ### load the new configuration (systemctl reload sshd sends SIGHUP and keeps existing sessions)

5.1. Edit /etc/ssh/sshd_config as follows:
Protocol 2                               # only SSH-2 (SSH-1 support was removed in OpenSSH 7.6; the keyword is now accepted and ignored)
Port <port number>                       # change the default port
MaxStartups 5                            # at most 5 concurrent connections that have not yet authenticated
MaxAuthTries 3                           # at most 3 authentication attempts per connection
ServerKeyBits 1024                       # SSH-1 ephemeral server key size; SSH-1 only, removed in current OpenSSH
PermitEmptyPasswords no                  # refuse logins with an empty password
ChallengeResponseAuthentication no       # disable S/Key and other keyboard-interactive passwords (newer releases call this KbdInteractiveAuthentication)
UsePAM no                                # do not authenticate through PAM (see the caveat below)
PermitRootLogin no                       # no remote root login
PasswordAuthentication no                # no password logins; keys only
RSAAuthentication no                     # disable SSH-1 RSA authentication; SSH-1 only, removed in current OpenSSH
PubkeyAuthentication yes                 # allow public-key authentication
AuthorizedKeysFile .ssh/authorized_keys  # file holding the authorized public keys, relative to the user's home
UsePrivilegeSeparation yes               # handle the session in an unprivileged child (always on and no longer configurable since OpenSSH 7.5)
SyslogFacility AUTH                      # syslog facility used to record SSH logins
LogLevel INFO                            # log level
PrintMotd yes                            # show the contents of /etc/motd after a successful login
PrintLastLog no                          # do not show the last-login information
Compression yes                          # compress the connection
TCPKeepAlive yes                         # send TCP keepalives to detect dead connections (the old KeepAlive keyword)
StrictModes yes                          # before accepting a login, check ownership and permissions of the user's home, .ssh directory and key files
UseDNS no                                # no reverse DNS lookup of the client address (faster logins)
AllowUsers <user name>                   # users allowed to log in remotely, space separated
AllowGroups <group name>                 # groups allowed to log in remotely, space separated
DenyUsers <user name>                    # users denied remote login, space separated
DenyGroups <group name>                  # groups denied remote login, space separated

Three things to check before restarting:
- sshd uses the first value it sees for each keyword, so a hardened line appended at the end of the
  file does nothing if the same keyword is already set earlier, or in a file pulled in by an
  Include directive (recent distributions include /etc/ssh/sshd_config.d/*.conf at the top).
  sshd -t checks the syntax and sshd -T prints the configuration sshd will actually use.
- UsePAM no is not supported on the Red Hat family (their sshd_config warns about it): with PAM
  disabled, account and session handling such as password expiry and access.conf stop applying.
  Keep UsePAM yes there and rely on PasswordAuthentication no to block password logins.
- Keep your current session open and test a fresh login from a second terminal after the restart;
  with PasswordAuthentication no and PermitRootLogin no, a missing or mis-permissioned
  authorized_keys locks you out.

5.2. To restrict by source IP, edit /etc/hosts.deny and /etc/hosts.allow (TCP wrappers) and add
lines of the form sshd: <address list> to allow or deny SSH connections from those addresses.
This only works where sshd is built with libwrap: OpenSSH dropped TCP wrappers support in 6.7, and
recent distributions (RHEL 8 and later, for example) no longer ship it, so there use a firewall
rule or a Match Address block in sshd_config instead.
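An added check for the sshd_config settings in 5.1 (example code, not from the original post): before restarting sshd, confirm that each hardened value is the one sshd will actually use, given that keywords are case-insensitive and the first occurrence wins. It assumes bash and awk; the keyword names and expected values are the ones listed above, and the weak and hardened configs it is tested against are constructed samples, not a real host's file.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: audit an sshd_config file for the
# hardening settings listed in 5.1. Assumes bash and awk.
set -eu

# effective <config> <keyword>: print the value sshd would use for keyword.
# Keywords are case-insensitive and, outside Match blocks, the FIRST occurrence
# wins, so a hardened line appended at the end of the file is shadowed by an
# earlier one. Everything after a Match line is ignored here, because those
# values apply only to matching connections. Include directives and the
# "Keyword=value" spelling are not followed; use sshd -T for those.
effective() {
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { inmatch = 1; next }
        inmatch { next }
        tolower($1) == kw { print $2; exit }
    ' "$1"
}

# audit <config>: report each setting that is not at the hardened value.
# A keyword that is absent is reported as <default> and counts as a failure,
# because the check wants every value stated explicitly. Returns 0 if all
# settings pass, 1 otherwise.
audit() {
    local cfg=$1 fails=0 kw want got
    while read -r kw want; do
        got=$(effective "$cfg" "$kw")
        got=$(printf '%s' "${got:-<default>}" | tr 'A-Z' 'a-z')
        if [ "$got" != "$want" ]; then
            echo "FAIL $kw: want $want, have $got"
            fails=$((fails + 1))
        else
            echo "ok   $kw = $got"
        fi
    done <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
StrictModes yes
MaxAuthTries 3
UseDNS no
EOF
    [ "$fails" -eq 0 ]
}

if [ -n "${1:-}" ]; then
    audit "$1"
fi
```

Usage: `bash sshd_audit.sh /etc/ssh/sshd_config`. Treat its output as a first pass over the file you edited; `sshd -T` is the authority on what is in effect once Include files and Match blocks are resolved, and `sshd -t` must pass before the restart in 5.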





This article is from the blog "Technology life, simple not simple"; please keep this source: http://willis.blog.51cto.com/11907152/1846791
