SSH protocol
SSH (Secure Shell) is a secure protocol that is also used for remote login.
Compared with Telnet, SSH offers much higher security. Logging in to a host remotely with Telnet carries two hidden dangers:
1. user authentication is sent in clear text
2. data transmission is in clear text
Therefore, from a data-security standpoint, logging in with SSH is far more secure.
SSH has two versions, SSHv1 and SSHv2. SSHv1 is now rarely used because it cannot withstand a man-in-the-middle attack, so SSHv2 is what is used almost everywhere; after all, it is much safer.
SSH works on the TCP layer on port 22; Telnet also works on the TCP layer, on port 23.
To realize the full functionality of SSH we use OpenSSH, the open-source implementation of SSH. OpenSSH is both a piece of software and an implementation of the protocol, and because it is open source there is naturally no need to pay for it.
Since SSH is a remote login tool, one host acts as the client and the other as the server, and the client must have software capable of logging in remotely.
For clients:
If the client is a Linux system, you only need the ssh command to log in remotely.
If the client is a Windows system, tools that enable remote login include:
PuTTY, SecureCRT, SSH Secure Shell Client, Xmanager
For servers:
Just start the SSH service; the service name is sshd, so you only need to make sure the sshd service is running.
How do I use SSH to log in to a host remotely?
SSH usage
ssh -l USERNAME remote_host ['COMMAND']
Log in to the specified host as the given user.
'COMMAND': instead of opening an interactive login on the remote host, execute the given command on the remote host and return its output to the client.
ssh USERNAME@remote_host: log in to the remote host as the specified user; if no user is specified, log in as the current local user.
-X, -Y: log in to the remote host and run a command there that opens a graphical window; the window is displayed locally, so the local side must support a graphical window interface.
As just said, SSH needs both a client and a server side, so a Linux host contains both the client configuration file and the server configuration file.
The configuration file for the SSH client is /etc/ssh/ssh_config
The configuration file for the SSH server is /etc/ssh/sshd_config
The contents of these two files are similar, with only small differences; here I describe only the approximate content of the SSH server-side configuration file:
/etc/ssh/sshd_config
1. Settings for the SSH server itself
Protocol 2 # the SSH protocol version
ListenAddress 0.0.0.0 # the host address to listen on; the default is to listen on all interfaces
PidFile /var/run/sshd.pid # the file that holds the PID of sshd
LoginGraceTime 2m # how long a connection may stay unauthenticated before it is forcibly disconnected; the default unit is seconds
Compression delayed # when data compression is used for transmission; the options are yes, no and delayed (compress only after login)
2. Where the host private key files are placed
HostKey /etc/ssh/ssh_host_key # private key used by SSH version 1
HostKey /etc/ssh/ssh_host_rsa_key # RSA private key used by SSH version 2
HostKey /etc/ssh/ssh_host_dsa_key # DSA private key used by SSH version 2
PermitRootLogin yes # whether to allow root to log in! The default allows it, but it is recommended to set this to no!
StrictModes yes # whether sshd checks the permissions of the user's home directory and related files before accepting a login
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# Allow users to log in with a key pair they generated themselves; version 2 only.
# The user's own public key data is placed in .ssh/authorized_keys inside the user's home directory.
PasswordAuthentication yes
PermitEmptyPasswords no
IgnoreUserKnownHosts no
# Whether to ignore ~/.ssh/known_hosts in the user's home directory, the file that records the hosts the user has connected to
ChallengeResponseAuthentication no # whether to allow challenge-response (any form of) password authentication
UsePAM yes # use PAM to manage user authentication
TCPKeepAlive yes
# After the connection is established, the server periodically sends a TCP packet to the client to determine whether the other side is still online.
MaxStartups 10 # how many not-yet-logged-in connections are allowed at the same time
DenyUsers *
# Sets the names of users who are refused; if it is *, that means all users are blocked!
DenyGroups test
Subsystem sftp /usr/libexec/openssh/sftp-server # the SSH-based FTP service
How SSH is authenticated:
One way is password-based authentication; SSH's default authentication is password-based.
The other is key-based authentication.
How key verification works
Client A generates a public key and a private key on its own host and copies the public key to server B. The next time client A sends an SSH request, the request includes A's public key. When server B receives the request, it checks whether client A's public key matches the one stored on its own host; server B then randomly generates some data C, encrypts C with A's public key and returns the encrypted data to client A. Client A decrypts it with its private key and returns the result, C2, to server B. Server B compares C2 with the data C it generated itself; if they are the same, the client passes validation, otherwise validation fails.
The server's public key is placed in the client's ~/.ssh/known_hosts file
The entire key-based authentication procedure is as follows:
1. Generate a key pair on the client
Generate it with the ssh-keygen command
-t {rsa|dsa} specifies the key algorithm
-f FILENAME specifies the file the key is saved to
By default the private key is saved in ~/.ssh/id_rsa
and the public key in ~/.ssh/id_rsa.pub
-N 'PASSWORD' specifies the passphrase used to encrypt the private key
2. Copy the public key generated on the client into the .ssh/authorized_keys file in the home directory of a user on the server.
The file transfer can be done with the ssh-copy-id or scp command
Use ssh-copy-id to append the public key to the .ssh/authorized_keys file in the user's home directory on the server:
ssh-copy-id -i /path/to/pubkey USERNAME@remote_host
Use scp to transfer the public key:
The scp command syntax is basically the same as the cp command, except that a remote host is specified with this structure:
USERNAME@remote_host:/path/to/somefile
Therefore, to copy local data to a remote host:
scp /path/to/local USERNAME@remote_host:/path/to/somewhere
To copy data from a remote host to the local host:
scp USERNAME@remote_host:/path/to/somewhere /path/to/local
3. Test the login and verify that it works
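The server-side half of step 2, as an added example that is not from the original article: once the public key has arrived on the server, this is what ssh-copy-id does with it. The function appends the key to .ssh/authorized_keys in the user's home directory only if that key is not already there, and sets the permissions that StrictModes checks (700 on .ssh, 600 on authorized_keys), which is the usual reason a freshly copied key is silently ignored. It assumes only POSIX sh, awk and coreutils; the home directory is a throwaway temporary directory and the key string is a constructed, non-functional placeholder, not a key produced by ssh-keygen.

```shell
#!/bin/sh
# Added example: install a public key into a user's authorized_keys the way
# ssh-copy-id does, idempotently and with StrictModes-compatible permissions.
# Assumes POSIX sh, awk, mkdir, chmod, touch, mktemp (assumptions, not the
# original article's code).

# install_authorized_key HOMEDIR PUBKEY_LINE
# Returns 0 if the key was appended, 2 if the same key was already present.
install_authorized_key() {
    sshdir=$1/.ssh
    keyfile=$sshdir/authorized_keys
    pubkey=$2
    # A key is identified by its type and base64 blob; the trailing comment
    # ("user@host") may differ between copies and is ignored. Lines that
    # carry an options prefix (e.g. from="...") are not recognised here.
    keyid=$(printf '%s\n' "$pubkey" | awk '{ print $1, $2 }')
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"          # StrictModes: directory must not be group/world writable
    touch "$keyfile"
    chmod 600 "$keyfile"         # StrictModes: file readable/writable by the owner only
    if awk -v id="$keyid" '($1 " " $2) == id { found = 1 } END { exit !found }' "$keyfile"; then
        return 2
    fi
    printf '%s\n' "$pubkey" >> "$keyfile"
    return 0
}

# count_authorized_keys HOMEDIR
# Prints the number of key lines (blank and comment lines are not counted).
count_authorized_keys() {
    awk '!/^[[:space:]]*(#|$)/ { n++ } END { print n + 0 }' "$1/.ssh/authorized_keys"
}

# Constructed demo: a temporary "home directory" and a fake key string.
# On a real system the key line comes from ~/.ssh/id_rsa.pub on the client.
DEMO_HOME=$(mktemp -d)
trap 'rm -rf "$DEMO_HOME"' EXIT
DEMO_KEY="ssh-rsa AAAAB3NzaC1yc2EEXAMPLEKEYNOTREAL user@client-a"

install_authorized_key "$DEMO_HOME" "$DEMO_KEY" && echo "key added"
install_authorized_key "$DEMO_HOME" "$DEMO_KEY" || echo "key already present (rc=$?)"
echo "authorized keys now: $(count_authorized_keys "$DEMO_HOME")"
```

Running the block twice with the same key leaves a single line in authorized_keys, which is the property ssh-copy-id guarantees and a hand-written `cat key.pub >> authorized_keys` does not.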
To summarize, the security points to be aware of when logging in to a remote host with SSH:
1. Passwords should be changed frequently and be complex enough
2. Use a non-default port
3. Limit the client addresses that may log in
4. Prohibit the administrator (root) from logging in directly
5. Allow only a limited set of users to log in
6. Use key-based authentication
7. Prohibit the use of protocol version 1
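An added example, not code from the original article, that ties the sshd_config walkthrough above to this summary: a small audit script that reads an sshd_config file and reports each setting that contradicts the seven points (Protocol 1, root login, password-only authentication, the default port, listening on every interface, no AllowUsers restriction). It assumes only POSIX sh, awk, tr and mktemp. The two configuration files it checks are constructed samples: the first is the walkthrough's settings as given, the second is the same file with the summary applied; 192.0.2.10, port 2222 and the user names alice and bob are placeholders.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the weak settings discussed in the
# article. Assumes POSIX sh, awk, tr, mktemp, wc (not the article's own code).

# effective_value FILE KEY
# Prints the value of KEY, ignoring comment lines and keyword case. sshd
# honours the first occurrence of a keyword, so the first match wins.
# Match blocks and "Key=Value" syntax are not handled.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { sub(/^[^[:space:]]+[[:space:]]+/, ""); print; exit }
    ' "$1"
}

FINDINGS=0

# expect FILE KEY WANT WHY: flag KEY unless its value (lower-cased) is WANT.
# An unset keyword is reported as "unset": the safe value should be written
# explicitly rather than left to whatever the installed version defaults to.
expect() {
    got=$(effective_value "$1" "$2")
    [ -z "$got" ] && got="unset"
    if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" != "$3" ]; then
        echo "FINDING: $2=$got ($4)"
        FINDINGS=$((FINDINGS + 1))
    fi
}

# forbid FILE KEY BAD WHY: flag KEY when its value is BAD, treating an unset
# keyword as BAD (BAD is the compiled-in default, e.g. Port 22).
forbid() {
    got=$(effective_value "$1" "$2")
    [ -z "$got" ] && got=$3
    if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" = "$3" ]; then
        echo "FINDING: $2=$got ($4)"
        FINDINGS=$((FINDINGS + 1))
    fi
}

# audit_sshd_config FILE
# Prints one FINDING line per weak setting; returns 0 when clean, 1 otherwise.
audit_sshd_config() {
    FINDINGS=0
    expect "$1" Protocol 2 "SSHv1 cannot withstand a man-in-the-middle attack"
    expect "$1" PermitRootLogin no "the administrator should not log in directly"
    expect "$1" PermitEmptyPasswords no "empty passwords must never be accepted"
    expect "$1" PubkeyAuthentication yes "key-based authentication should be enabled"
    expect "$1" PasswordAuthentication no "disable passwords once keys are deployed"
    forbid "$1" Port 22 "use a non-default port"
    forbid "$1" ListenAddress 0.0.0.0 "listen on a specific address, not all interfaces"
    forbid "$1" AllowUsers unset "only explicitly allowed users should log in"
    [ "$FINDINGS" -eq 0 ]
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
WEAK_CFG=$WORK/sshd_config.weak
HARD_CFG=$WORK/sshd_config.hardened

# Constructed sample 1: the walkthrough's settings, unchanged.
cat > "$WEAK_CFG" <<'EOF'
Protocol 2
ListenAddress 0.0.0.0
PidFile /var/run/sshd.pid
PermitRootLogin yes
StrictModes yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
PermitEmptyPasswords no
EOF

# Constructed sample 2: the same file with the seven summary points applied
# (placeholder address, port and user names).
cat > "$HARD_CFG" <<'EOF'
Protocol 2
Port 2222
ListenAddress 192.0.2.10
PermitRootLogin no
StrictModes yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
PermitEmptyPasswords no
AllowUsers alice bob
EOF

for cfg in "$WEAK_CFG" "$HARD_CFG"; do
    echo "== $cfg"
    if audit_sshd_config "$cfg"; then
        echo "-> no findings"
    else
        echo "-> $FINDINGS weak setting(s)"
    fi
done
```

Point 1 of the summary (password quality and rotation) is a policy outside sshd_config and is not checked here. On a live system, run the audit against /etc/ssh/sshd_config after every change and before restarting sshd; keep the existing session open until a second login with the new settings succeeds.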
This article is from the "Linux Learning Path" blog; reprinting is declined!