The first server sshd in Linux learning

Source: Internet
Author: User
Tags: file copy, save file, rsync, scp command, secure copy, ssh server


Server 1-----SSH


# Finally starting to record and summarize servers. Because sshd is used so often, and it is also a relatively simple server that is easy to learn, I have organized it into a blog post. If there are questions, please point them out.

One: Related knowledge

First, SSH and sshd: SSH is the client,
sshd is the server side.

SSH: the client that connects, using the SSH protocol, to the sshd software on a remote host in order to open a shell (bash) there. Put simply, SSH is a network protocol that encrypts logins between computers. If a user logs in to a remote computer from the local machine over SSH, the login can be considered secure: the password is not exposed even if the traffic is intercepted.

SSH protocol: an application-layer security protocol that provides security for remote login sessions and other network services. Using SSH effectively prevents information leakage during remote management. SSH consists of three parts:
Transport Layer Protocol: provides server authentication, confidentiality, integrity and optional compression; it usually runs over a TCP/IP connection. Authentication at this layer is host-based; it does not authenticate users, and higher-level user authentication protocols are built on top of it.
User Authentication Protocol: provides client-side user authentication to the server and runs on top of the transport layer protocol. When the user authentication protocol begins, it receives the session identifier from the underlying protocol (the exchange hash H from the first key exchange). The session identifier uniquely identifies this session and is included in signatures to prove ownership of the private key.
Connection Protocol: multiplexes the encrypted tunnel into several logical channels and runs on top of the user authentication protocol. It provides interactive sessions, remote command execution, forwarded TCP/IP connections and forwarded X11 connections.
Features: traditional network services such as FTP, POP and telnet are inherently insecure because they transmit passwords and data in plaintext, and they are easy targets for a man-in-the-middle attack: an intermediary impersonates the real server, receives the data you send to the server and can tamper with it, so the integrity of the transferred files is lost. With SSH, transferred files are encrypted. SSH also compresses data, which can speed up transfers.
Authentication: password authentication and key authentication.

sshd installation: SSH is split into the client package openssh-client and the server package openssh-server; the client connects to the server with the ssh command.

Second: Two login authentication modes

1: Password authentication ##########

ssh remote-user@remote-host-IP
ssh remote-user@remote-host-IP -X              ## use graphical tools on the remote host (X11 forwarding)
ssh remote-user@remote-host-IP command         ## run a command directly on the remote host

If the local user name matches the remote user name, the user name can be omitted at logon.

The default port for SSH is 22, which means your login request is sent to port 22 on the remote host. With the -p parameter you can change this port.

$ ssh -p 2222 user@host

The above command indicates that SSH connects directly to port 2222 of the remote host.


If you are logging in to a host for the first time, a prompt like the one in the session below appears.
    It means that the authenticity of the host cannot be confirmed; only the fingerprint of its public key is shown, and you are asked whether you want to continue connecting.
The "public key fingerprint" exists because the public key itself is long (here an RSA key of up to 1024 bits) and hard to compare, so an MD5 hash is computed over it, giving a 128-bit fingerprint. In the example it is 98:2e:d7:e0:de:9f:ac:67:28:c2:42:2d:37:16:58:4d, which is much easier to compare.
A natural question is: how does the user know what the remote host's public key fingerprint should be? There is no good answer; the remote host must publish its public key fingerprint on its own web site so that users can check it themselves.
Assume that, after weighing the risk, the user decides to accept the public key of the remote host.

[root@client desktop]$ ssh root@172.25.254.1
The authenticity of host '172.25.254.1 (172.25.254.1)' can't be established.
ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.25.254.1' (ECDSA) to the list of known hosts.
root@172.25.254.1's password:
Last login: Sun Jul 23 01:46:13 2017

If the password is correct, you can log in.
Once the public key of the remote host has been accepted, it is saved in the file /root/.ssh/known_hosts (each user's ~/.ssh/known_hosts). The next time you connect to this host, the system recognizes that its public key is already saved locally, skips the warning and prompts for the password directly. There is also a system-wide file, usually /etc/ssh/ssh_known_hosts, which stores the public keys of remote hosts that all users can trust.
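The self-check described above can be done offline. The script below is an added example, not code from the original post: it parses a known_hosts file, computes the MD5 and SHA256 fingerprints of each stored host key in the formats ssh-keygen -l prints, and compares them with the fingerprint the host's operator published. The key bytes, the 172.25.254.1 entry and the HashKnownHosts line are constructed for the example; no real host key appears.

```python
import base64
import hashlib
import hmac
import os
import struct

def ssh_string(b):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

# Constructed sample key: an ssh-ed25519 public key blob is two SSH strings,
# the key type and the 32-byte public key. The key bytes are made up for the
# example and are not a real host key.
SAMPLE_PUBKEY = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample, not a real known_hosts file",
    "172.25.254.1 ssh-ed25519 " + base64.b64encode(SAMPLE_PUBKEY).decode(),
])

def fingerprints(blob):
    """(MD5, SHA256) fingerprints of a public key blob in the two formats
    ssh-keygen -l prints; the page's eb:24:0e:... strings are the MD5 form
    without the 'MD5:' prefix that newer OpenSSH adds."""
    md5_hex = hashlib.md5(blob).hexdigest()
    md5_fp = "MD5:" + ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2))
    sha_b64 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return md5_fp, "SHA256:" + sha_b64

def host_matches(pattern, host):
    """Match a known_hosts host field: a comma-separated list of names, or a
    HashKnownHosts entry '|1|base64(salt)|base64(HMAC-SHA1(salt, host))'.
    Wildcards and [host]:port forms are not handled here."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        salt = base64.b64decode(salt_b64)
        mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in pattern.split(",")

def parse_known_hosts(text):
    """Return (host_field, key_type, key_blob) per key line. Lines with
    @cert-authority or @revoked markers are not plain host keys and are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue                      # malformed: skip rather than trust
        try:
            blob = base64.b64decode(parts[2], validate=True)
        except ValueError:
            continue
        entries.append((parts[0], parts[1], blob))
    return entries

def hashed_entry(host, key_type, blob, salt=None):
    """Build the line ssh writes for this key when HashKnownHosts is on."""
    salt = salt or os.urandom(20)
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    field = "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())
    return "%s %s %s" % (field, key_type, base64.b64encode(blob).decode())

def verify_host_key(text, host, expected_fp):
    """True if a known_hosts entry for `host` carries the fingerprint the
    host's operator published (MD5:aa:bb:..., bare aa:bb:..., or SHA256:...)."""
    if expected_fp.count(":") == 15:     # bare old-style MD5 form, as on the page
        expected_fp = "MD5:" + expected_fp
    for host_field, _key_type, blob in parse_known_hosts(text):
        if host_matches(host_field, host) and expected_fp in fingerprints(blob):
            return True
    return False

if __name__ == "__main__":
    for host_field, key_type, blob in parse_known_hosts(SAMPLE_KNOWN_HOSTS):
        print(host_field, key_type, *fingerprints(blob))
```

To check a real file, read ~/.ssh/known_hosts into verify_host_key together with the fingerprint taken from the operator's web site. In a hashed file (HashKnownHosts yes) the host name cannot be read back, which is why the function tries the HMAC for every entry.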

2: Key authentication ################

Generate the public/private key pair

ssh-keygen

[root@server .ssh]# ssh-keygen                              ## tool that generates the public/private key pair
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):    ## file in which to save the key (accept the default)
Enter passphrase (empty for no passphrase):                 ## if you set a passphrase, it will be asked for whenever the key is used to connect
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
d6:db:ae:d1:95:0d:39:6c:3b:a8:97:59:91:3a:4a:06 root@server
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|             . o |
|        E     o  |
|         o   + B |
|        S + + * .|
|       . o * * . |
|          = *    |
|           +     |
|          ...    |
+-----------------+
[root@server .ssh]# ls /root/.ssh/                          ## list the directory holding the key files
id_rsa  id_rsa.pub
id_rsa        ## private key, the "key"
id_rsa.pub    ## public key, the "lock"

Send the lock (public key) to the server:

[root@server .ssh]# ssh-copy-id -i id_rsa.pub root@server
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@server's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@server'"
and check to make sure that only the key(s) you wanted were added.

Send the key (private key) to the client:

scp /root/.ssh/id_rsa root@client:/root/.ssh/

Test:

[root@client .ssh]# ssh root@server
Last login: Sun Jul 01:48:45 from 172.25.254.67       ## no password needed, the key is used directly
[root@server ~]#
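ssh-copy-id ends by advising you to check that only the keys you wanted were added. The script below is an added example, not part of the original post: it lists every key in an authorized_keys file with its options, and audits the permissions of ~/.ssh, authorized_keys and id_rsa against the ceilings that sshd (StrictModes, on by default) and ssh enforce. The sample authorized_keys content, the temporary home directory and the deliberately wrong 0644 mode on id_rsa are constructed for the example. Note that the procedure above copies the private key over the network to the client; the usual practice is the reverse, generating the pair on the client and sending only the public key, so the private key never leaves the machine that uses it.

```python
import os
import re
import stat
import tempfile

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
# options? type base64 comment?  (options are everything before the key type)
KEY_LINE = re.compile(
    r"^(?:(?P<opts>.*?)\s+)?(?P<type>%s)\s+(?P<key>\S+)(?:\s+(?P<comment>.*))?$"
    % "|".join(KEY_TYPES))

# Mode ceilings: sshd with StrictModes refuses a ~/.ssh or authorized_keys that
# others can write, and ssh refuses a private key that others can read. Any
# permission bit outside the ceiling is reported.
MODE_CEILINGS = {".ssh": 0o700, ".ssh/authorized_keys": 0o600, ".ssh/id_rsa": 0o600}

# Constructed sample: one unrestricted key and one key limited by options.
SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample, not a real authorized_keys file
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQConstructedKeyMaterial root@server
from="172.25.254.67",no-port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructed root@client
"""

def audit_permissions(home):
    """Return (relative_path, actual_mode, ceiling) for every file that is more
    permissive than sshd/ssh tolerate; files that do not exist are skipped."""
    findings = []
    for rel, ceiling in MODE_CEILINGS.items():
        path = os.path.join(home, rel)
        if not os.path.exists(path):
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & ~ceiling:
            findings.append((rel, mode, ceiling))
    return findings

def parse_authorized_keys(text):
    """One dict per key line (options, type, key, comment), so you can confirm
    that only the keys you wanted are installed. Assumes a key type name never
    appears inside a quoted option value."""
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_LINE.match(line)
        if not m:
            continue                      # not a key line; sshd ignores it as well
        keys.append({"options": m.group("opts") or "", "type": m.group("type"),
                     "key": m.group("key"), "comment": m.group("comment") or ""})
    return keys

def build_sample_home():
    """Create a constructed ~/.ssh layout in a temporary directory, with one
    deliberate mistake (a world-readable private key) for the audit to find."""
    home = tempfile.mkdtemp()
    sshdir = os.path.join(home, ".ssh")
    os.mkdir(sshdir)
    os.chmod(sshdir, 0o700)
    ak = os.path.join(sshdir, "authorized_keys")
    with open(ak, "w") as f:
        f.write(SAMPLE_AUTHORIZED_KEYS)
    os.chmod(ak, 0o600)
    key = os.path.join(sshdir, "id_rsa")
    with open(key, "w") as f:
        f.write("-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed placeholder)\n"
                "-----END OPENSSH PRIVATE KEY-----\n")
    os.chmod(key, 0o644)                  # the mistake: ssh refuses a key with this mode
    return home

if __name__ == "__main__":
    home = build_sample_home()
    for rel, mode, ceiling in audit_permissions(home):
        print("%s is %o, should be at most %o" % (rel, mode, ceiling))
    for k in parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(k["type"], k["comment"], "options:", k["options"] or "(none)")
```

Point audit_permissions at a real home directory and parse_authorized_keys at the real file to get the same report for a live account; a key with no options is a key that can log in from anywhere and open any forwarding.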

What is the difference between ssh_config and sshd_config?

ssh_config and sshd_config are both OpenSSH configuration files: the former is the client-side configuration file, the latter the configuration file for the server side (sshd). Each lets you change how the respective program behaves by setting different options.

Three: Improving SSH login security
1: Modify the sshd server configuration file (controls users on the server side)

/etc/ssh/sshd_config
PasswordAuthentication yes|no    ## whether password authentication is enabled: yes to allow it, no to turn it off
PermitRootLogin yes|no           ## whether the superuser (root) is allowed to log in
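Added example, not from the original post: a small parser that reports the value sshd will actually use for PasswordAuthentication and PermitRootLogin. sshd takes the first value it finds for each keyword, so a line appended at the end of the file after an earlier setting is silently ignored, and a Match block can re-enable an option for some clients; both are common reasons a change "does not work". The sample sshd_config text is constructed for the example.

```python
import re

# Constructed sample sshd_config (not a file from the original page): a global
# "yes", a later "no" that an admin appended hoping to disable password logins,
# and a Match block that re-enables passwords for one address range.
SAMPLE_SSHD_CONFIG = """\
# constructed sample, not a real sshd_config
Port 22
PasswordAuthentication yes
PermitRootLogin no

# appended later; has no effect because the first value above wins
PasswordAuthentication no

Match Address 172.25.254.0/24
    PasswordAuthentication yes
"""

def effective_settings(text):
    """Parse sshd_config text.

    Returns (global_settings, matches, ignored):
      global_settings: keyword -> first value seen outside any Match block
                       (sshd uses the first obtained value for each keyword)
      matches:         list of (criteria, {keyword: value}) in file order
      ignored:         (line_no, keyword, value) for later duplicates sshd skips
    Keywords are lower-cased because sshd treats them case-insensitively.
    """
    global_settings, matches, ignored = {}, [], []
    current = None                                  # None while in the global section
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()         # drop comments and whitespace
        m = re.match(r"^(\w+)\s*=?\s*(.*)$", line)  # "Keyword value" or "Keyword=value"
        if not line or not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":                      # everything after it belongs to the block
            current = {}
            matches.append((value, current))
            continue
        target = global_settings if current is None else current
        if keyword in target:
            ignored.append((line_no, keyword, value))
        else:
            target[keyword] = value
    return global_settings, matches, ignored

def auth_summary(text, keyword="passwordauthentication"):
    """Effective global value of one keyword plus the Match blocks that override
    it, e.g. to confirm that 'PasswordAuthentication no' is really in force
    before relying on key-only logins."""
    global_settings, matches, _ = effective_settings(text)
    overrides = [(criteria, block[keyword]) for criteria, block in matches if keyword in block]
    return global_settings.get(keyword), overrides

if __name__ == "__main__":
    settings, blocks, skipped = effective_settings(SAMPLE_SSHD_CONFIG)
    print("effective global settings:", settings)
    for line_no, key, value in skipped:
        print("line %d: '%s %s' is ignored, an earlier value wins" % (line_no, key, value))
    print("PasswordAuthentication:", auth_summary(SAMPLE_SSHD_CONFIG))
    print("PermitRootLogin:", auth_summary(SAMPLE_SSHD_CONFIG, "permitrootlogin"))
```

sshd reads the file when it starts, so a change takes effect only after the service is restarted or reloaded. On a live host, sshd -T prints the effective configuration; this script mirrors that first-value-wins logic for a file you have not deployed yet.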
2: Whitelist and blacklist (controls client IPs)

vim /etc/hosts.deny
~ ~ ~
sshd:ALL                                  ## refuse everyone's connections to the sshd service
~ ~ ~
vim /etc/hosts.allow
~ ~ ~
sshd:172.25.254.20                        ## allow .20 to connect to the sshd service


sshd:172.25.254.20, 172.25.254.120        ## allow .20 and .120 to connect to the sshd service

sshd:ALL EXCEPT 172.25.254.200            ## allow everyone except .200
~ ~ ~
Note: the whitelist (hosts.allow) has higher priority.
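The precedence note above can be tested without touching a live system. The following is an added example, not from the original post: it reads hosts.allow and hosts.deny text, applies the tcp_wrappers evaluation order (hosts.allow first, then hosts.deny, otherwise allow) including ALL and EXCEPT, and returns the decision for a given daemon and client address. The sample files are constructed from the page's own settings; the matcher handles IPv4 only.

```python
import ipaddress

# Constructed sample files mirroring the page's settings; not the real files
# from any host.
SAMPLE_HOSTS_ALLOW = """\
# constructed sample hosts.allow
sshd: 172.25.254.20, 172.25.254.120
sshd: ALL EXCEPT 172.25.254.200
"""
SAMPLE_HOSTS_DENY = """\
# constructed sample hosts.deny
sshd: ALL
"""

def _tokens(field):
    """Client and daemon lists may be separated by commas and/or blanks."""
    return field.replace(",", " ").split()

def _split_except(tokens):
    """'a b EXCEPT c' -> (['a', 'b'], ['c']); without EXCEPT -> (tokens, [])."""
    upper = [t.upper() for t in tokens]
    if "EXCEPT" in upper:
        i = upper.index("EXCEPT")
        return tokens[:i], tokens[i + 1:]
    return tokens, []

def parse_access_file(text):
    """Return (daemons, clients, exceptions) per 'daemon_list : client_list'
    rule; an optional third ': shell_command' field is ignored here."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        daemon_field, client_field = line.split(":", 2)[:2]
        clients, exceptions = _split_except(_tokens(client_field))
        rules.append((_tokens(daemon_field), clients, exceptions))
    return rules

def _client_matches(pattern, addr):
    """One IPv4 client pattern: ALL, an exact address, a dotted prefix such as
    '172.25.254.', or a network written as n.n.n.n/bits or n.n.n.n/netmask."""
    if pattern.upper() == "ALL":
        return True
    if pattern.endswith("."):
        return addr.startswith(pattern)
    if "/" in pattern:
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern == addr

def _rule_applies(rule, daemon, addr):
    daemons, clients, exceptions = rule
    if not any(d.upper() == "ALL" or d == daemon for d in daemons):
        return False
    if any(_client_matches(p, addr) for p in exceptions):   # EXCEPT list wins
        return False
    return any(_client_matches(p, addr) for p in clients)

def access_decision(hosts_allow, hosts_deny, daemon, addr):
    """tcp_wrappers order: hosts.allow is consulted first and a matching rule
    grants access; otherwise hosts.deny, where a match refuses; if neither
    file matches, access is granted. That is why the whitelist wins."""
    if any(_rule_applies(r, daemon, addr) for r in parse_access_file(hosts_allow)):
        return "allow"
    if any(_rule_applies(r, daemon, addr) for r in parse_access_file(hosts_deny)):
        return "deny"
    return "allow"

if __name__ == "__main__":
    for client in ("172.25.254.20", "172.25.254.120", "172.25.254.200", "10.0.0.5"):
        print(client, access_decision(SAMPLE_HOSTS_ALLOW, SAMPLE_HOSTS_DENY, "sshd", client))
```

Whether sshd consults these files at all depends on it being built with libwrap (upstream OpenSSH dropped that support in 6.7, and some distributions carried a patch for a while), so confirm it on the target system before relying on them.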

3. SSH login message
vim /etc/motd                  ## the text shown after login
~~~~~~~
Write: an introduction for the user or IP, etc.
~~~~~~~

Four: Synchronizing files remotely

scp/rsync user@host:/path/of/file/to/copy /local/path        ## copy from the remote host to the local machine
scp/rsync /local/file/path user@host:/path                   ## copy from the local machine to the remote host


1: scp: scp is short for secure copy; it is a secure remote file copy command on Linux that works over an SSH login. The Linux scp command lets you copy files and directories between Linux servers.
What the scp command is for:
scp copies files between different hosts on the network. It transfers data over the SSH protocol and uses the same authentication mechanism as SSH, so remote copies are secure.
2: rsync: rsync is a data mirroring and backup tool that can quickly synchronize files and directories between a local host and a remote host, mirror them and perform remote backups. During synchronization, rsync uses its own algorithm to transfer only the files that changed, and within a file only the changed parts, which makes synchronization fast.
rsync -r    ## synchronize directories (recursive)
rsync -l    ## synchronize symbolic links as links
rsync -p    ## synchronize file permissions
rsync -t    ## synchronize file timestamps
rsync -g    ## synchronize file group ownership

Five: SSH port forwarding

Binding a local port

Since SSH can carry data, we can improve security by routing connections that would otherwise be unencrypted through an SSH connection.
Suppose we want the data on port 8080 to pass through SSH to the remote host; the command reads:

$ ssh -D 8080 user@host

SSH creates a socket listening on local port 8080. Any data sent to that port is automatically passed into the SSH connection and forwarded to the remote host. As you can imagine, if port 8080 was originally an unencrypted port, it now becomes an encrypted one.

Local Port forwarding

Sometimes binding the port is not enough; you must also specify the destination host for the data, which forms a point-to-point "port forwarding". To distinguish it from the "remote port forwarding" discussed later, we call this case "local port forwarding".
Assume host1 is the local host and host2 is a remote host. For various reasons the two hosts cannot connect to each other. However, there is a third host, host3, that can connect to both. So the natural idea is to connect host1 to host2 through host3.
We run the following command on host1:

$ ssh -L 2121:host2:21 host3

The -L parameter takes three values, "local port:destination host:destination host port", separated by colons. This command tells SSH to bind local port 2121 and have host3 forward all data to port 21 on the destination host host2 (assuming host2 runs FTP, whose default port is 21).
In this way, connecting to port 2121 on host1 is equivalent to connecting to port 21 on host2.

$ ftp localhost:2121

"Local port forwarding" makes host1 and host3 appear to form a secret data tunnel, which is why it is also called an "SSH tunnel".
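To make the mechanics of local port forwarding concrete, here is an added example, not from the original post: a plain TCP relay that binds a local port and connects each incoming connection onward to a destination, a stand-in echo service in the role of host2's port 21, and a round trip through the relay. It reproduces only the plumbing of ssh -L (bind locally, connect onward) and encrypts nothing, which is exactly what ssh adds on top. Ports are chosen by the OS, and the echo service and message are constructed for the example.

```python
import socket
import threading

def _pump(src, dst):
    """Copy bytes one way until src hits EOF, then pass the EOF on to dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def start_forwarder(target_host, target_port, listen_host="127.0.0.1", listen_port=0):
    """Bind listen_host:listen_port and relay every accepted connection to
    target_host:target_port. This is the shape of 'ssh -L local:dest:port host3':
    the local end binds the port, the far end connects onward. Unlike ssh this
    relay encrypts nothing; it only shows where the bytes go.
    Returns (bound_port, stop_function)."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lsock.bind((listen_host, listen_port))
    lsock.listen(5)

    def serve():
        while True:
            try:
                client, _ = lsock.accept()
            except OSError:              # listening socket closed by stop()
                break
            upstream = socket.create_connection((target_host, target_port), timeout=5)
            upstream.settimeout(None)    # connect with a timeout, then relay blocking
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return lsock.getsockname()[1], lsock.close

def start_echo_server(host="127.0.0.1"):
    """Stand-in for the destination service (host2's port 21 in the page's
    example): reads a request until EOF and answers with 'ECHO ' + request."""
    ssock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ssock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    ssock.bind((host, 0))
    ssock.listen(5)

    def serve():
        while True:
            try:
                conn, _ = ssock.accept()
            except OSError:
                break
            with conn:
                request = b""
                while True:
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    request += chunk
                conn.sendall(b"ECHO " + request)

    threading.Thread(target=serve, daemon=True).start()
    return ssock.getsockname()[1], ssock.close

def round_trip(message):
    """Send message through a forwarder to the echo server and return the reply,
    the way 'ftp localhost:2121' reaches host2:21 through host3."""
    echo_port, stop_echo = start_echo_server()
    fwd_port, stop_fwd = start_forwarder("127.0.0.1", echo_port)
    try:
        with socket.create_connection(("127.0.0.1", fwd_port), timeout=10) as s:
            s.sendall(message)
            s.shutdown(socket.SHUT_WR)   # EOF travels through the relay to the echo server
            reply = b""
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                reply += chunk
            return reply
    finally:
        stop_fwd()
        stop_echo()

if __name__ == "__main__":
    print(round_trip(b"USER anonymous\r\n"))
```

In the real command the two halves of the relay live on different machines: the listening socket on host1, the onward connection on host3, and the SSH connection between them carries the bytes encrypted. Anyone who can reach the bound port on host1 can use the tunnel, so bind it to 127.0.0.1, as ssh does by default.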

Remote port forwarding

This item is not yet understood; more will follow later.


This article is from the "12462896" blog, please be sure to keep this source http://12472896.blog.51cto.com/12462896/1950190
