Detailed SSH remote access control in Linux
Original: http://blog.51cto.com/dengqi/1260038
SSH (Secure Shell) is a secure channel protocol, mainly used to provide character-mode (command-line) remote login, among other functions; it uses TCP port 22. The SSH protocol encrypts all data transmitted between the two parties, including the password the user enters at login.
In RHEL 5 systems, the OpenSSH server is provided by the openssh and openssh-server packages, which are installed by default, and sshd is registered as a standard system service.
SSH supports two login authentication methods:
1. Password authentication: the client authenticates with the login name and password of a local system user on the server.
2. Key pair authentication: the client must present key material that matches what the server holds in order to pass authentication. Typically, you create a pair of key files (public and private) on the client computer and then place the public key file at the designated location on the server.
Note: When both password authentication and key authentication are enabled, the server tries key authentication first.
Configuration file for SSH:
The sshd service's configuration file is /etc/ssh/sshd_config by default; adjusting the relevant configuration items correctly further improves the security of sshd remote logins.
The contents of the configuration file can be divided into the following three groups of options:
1. Common SSH server listening options:
Port 22    // listen on port 22
Protocol 2    // use the SSH v2 protocol
ListenAddress 0.0.0.0    // listen on all local addresses
UseDNS no    // disable reverse DNS lookups of connecting clients
2. Common user login control options:
PermitRootLogin no    // forbid direct login as root
PermitEmptyPasswords no    // forbid login for accounts with an empty password
LoginGraceTime 2m    // the login must be completed within 2 minutes
MaxAuthTries 6    // at most 6 authentication attempts per connection
AllowUsers user    // only the listed users may log in; DenyUsers does the opposite
3. Common login authentication options:
PasswordAuthentication yes    // enable password authentication
PubkeyAuthentication yes    // enable key pair authentication
AuthorizedKeysFile .ssh/authorized_keys    // the public key database file, relative to the user's home directory
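As an added example (not code from the original post), here is a small POSIX shell script that writes two constructed sshd_config files, one carrying the permissive values and one carrying the hardened values from the three option groups above, and audits each for the settings the post says to turn off. The sample files, the 192.0.2.10 address, port 2222 and the user name test are assumptions; the lookup function reads a file the way sshd does, taking the first matching keyword and comparing keywords case-insensitively.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the risky settings discussed above.
# Everything here is constructed for the demonstration; it is not the post's code.

WEAK_CONF=$(mktemp)
HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT

# Constructed sample 1: a permissive configuration.
cat > "$WEAK_CONF" <<'EOF'
# constructed sample sshd_config (weak)
Port 22
Protocol 2
ListenAddress 0.0.0.0
UseDNS yes
PermitRootLogin yes
PermitEmptyPasswords yes
LoginGraceTime 2m
MaxAuthTries 6
PasswordAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
EOF

# Constructed sample 2: the hardened counterpart (address, port and user are assumptions).
cat > "$HARD_CONF" <<'EOF'
# constructed sample sshd_config (hardened)
Port 2222
Protocol 2
ListenAddress 192.0.2.10
UseDNS no
PermitRootLogin no
PermitEmptyPasswords no
LoginGraceTime 2m
MaxAuthTries 6
AllowUsers test
PasswordAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
EOF

# Print the effective value of KEY in FILE, lower-cased. Like sshd, take the
# first matching keyword, compare keywords case-insensitively, skip comments.
# Usage: sshd_setting FILE KEY
sshd_setting() {
    awk -v key="$2" '
        $1 ~ /^#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1" | tr 'A-Z' 'a-z'
}

# Report a finding when KEY's value matches the shell pattern BAD.
# Usage: flag_if FILE KEY BAD MESSAGE   (returns 1 on a finding, 0 otherwise)
flag_if() {
    value=$(sshd_setting "$1" "$2")
    case "$value" in
        $3) printf 'FINDING %s=%s: %s\n' "$2" "$value" "$4"; return 1 ;;
    esac
    return 0
}

# Run every check; the return value is the number of findings (0 = clean).
audit_sshd_config() {
    conf=$1
    n=0
    flag_if "$conf" PermitRootLogin yes "root may log in directly; set it to no" || n=$((n + 1))
    flag_if "$conf" PermitEmptyPasswords yes "accounts with an empty password may log in; set no" || n=$((n + 1))
    flag_if "$conf" UseDNS yes "reverse DNS lookups delay every login; set no" || n=$((n + 1))
    flag_if "$conf" PasswordAuthentication yes "password logins allowed (brute-force surface); prefer key-only" || n=$((n + 1))
    flag_if "$conf" Protocol '*1*' "SSH protocol 1 is obsolete; use Protocol 2 only" || n=$((n + 1))
    printf '%s: %d finding(s)\n' "$conf" "$n"
    return "$n"
}

# Convenience wrapper that prints the finding count instead of returning it.
count_findings() {
    count=0
    audit_sshd_config "$1" >/dev/null || count=$?
    echo "$count"
}

audit_sshd_config "$WEAK_CONF" || true
audit_sshd_config "$HARD_CONF" || true
```

Run it as `sh audit.sh`; the weak sample reports four findings and the hardened sample none. Pointing `audit_sshd_config` at a real /etc/ssh/sshd_config works the same way, with the caveat that a keyword absent from the file takes sshd's built-in default, which this script does not flag.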
SSH client programs: ssh, scp, sftp
The ssh command lets you log in remotely to a host running the sshd service, giving the user a secure shell environment in which to manage and maintain the server. When using it, specify the login user name and the target host as arguments. As follows:
When a user logs in to an SSH server for the first time, they must accept the RSA host key sent by the server (by typing yes) before continuing. The accepted key information is saved in the ~/.ssh/known_hosts file. If the server's default port has been changed, use the -p option to specify the port.
The scp command copies files to and from remote hosts over an SSH secure connection. When using scp, besides specifying the source to copy, you must also give the destination as the target host address and login user; after the command is run you are prompted for the password and so on. As follows:
Copy a file to the SSH server
Download a file from the SSH server to the local host
With the sftp command, you can upload and download files to and from a remote host over an SSH secure connection, using an FTP-like login process and interactive environment that makes it easy to manage directory resources. As follows:
Log in to the remote server over an SSH secure connection using the sftp command
If the client is a Windows system, graphical tools can be used to access the Linux server; common ones include PuTTY and WinSCP. How to use them is left for the reader to research.
Next, let's explain in detail how to set up the SSH system for key pair authentication.
As shown in the figure, the basic process of setting up key pair authentication is outlined briefly.
As the figure shows, there are four steps to set up SSH key pair authentication.
1. Create a user key pair on the SSH client.
As follows: create a key pair for the test user.
In the command, -t specifies the key type; rsa selects the RSA algorithm.
The passphrase protects the private key file; the passphrase set here must be entered whenever the private key is used to authenticate a login.
The key pair is saved by default in the .ssh/ directory under the user's home directory.
2. Upload the public key to the SSH server
There are many ways to upload a public key to the SSH server: copy it on a USB stick, upload it by FTP or a file share, and so on. Here we use the scp command described above to upload the public key file.
3. Import the public key text on the SSH server
On the server, the public key database for the target user (the user who will log in remotely) is located in that user's ~/.ssh/ directory, and its default file name is authorized_keys. As follows: import test's public key file into the user's public key database.
4. At this point the client can use key pair authentication.
The user is required to enter the passphrase that was set when the key pair was created, and does not need to know the account's password to log in to the SSH server.
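Below is an added example (not the post's own code) that scripts the four steps above together with the ssh -p and scp usage from the client-command section. The client-side steps call ssh-keygen, scp -P and ssh -p and need a real server, so they are wrapped in functions that the script defines but does not run; the server-side import (step 3) is exercised offline against a constructed placeholder key line (not a real key) in a temporary directory. The user name test, host 192.0.2.10 and port 2222 are assumptions.

```shell
#!/bin/sh
# Added example: the four key-pair steps as shell functions. Not the post's code.
# Server, user and port below are assumed values for illustration.
SSH_USER=test
SSH_HOST=192.0.2.10
SSH_PORT=2222

# Step 1 (client): generate an RSA key pair. ssh-keygen prompts for the
# passphrase that protects the private key; -t selects the algorithm,
# -f the file (default ~/.ssh/id_rsa, with id_rsa.pub beside it).
create_keypair() {
    ssh-keygen -t rsa -f "$1"
}

# Step 2 (client): copy the public key to the server's home directory with scp.
# Note that scp takes -P for a non-default port while ssh takes -p.
upload_pubkey() {
    scp -P "$SSH_PORT" "$1.pub" "$SSH_USER@$SSH_HOST:"
}

# Step 3 (server): append the key line to the target user's authorized_keys.
# Directory mode 700 and file mode 600 matter: with StrictModes (the default)
# sshd ignores key files that are writable by other users. Repeating the
# import is harmless because an already-present line is not appended again.
# Usage: import_pubkey PUBFILE HOMEDIR
import_pubkey() {
    keyline=$(head -n 1 "$1")
    mkdir -p "$2/.ssh"
    chmod 700 "$2/.ssh"
    touch "$2/.ssh/authorized_keys"
    chmod 600 "$2/.ssh/authorized_keys"
    if ! grep -qxF -- "$keyline" "$2/.ssh/authorized_keys"; then
        printf '%s\n' "$keyline" >> "$2/.ssh/authorized_keys"
    fi
}

# Step 4 (client): log in with the private key; ssh asks for the key
# passphrase, not the account password. -p gives the port, -i the key file.
key_login() {
    ssh -p "$SSH_PORT" -i "$1" "$SSH_USER@$SSH_HOST"
}

# Helpers used to inspect the result of the import.
authorized_key_count() { grep -c . "$1/.ssh/authorized_keys"; }
mode_of() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# Offline demonstration of step 3 with a constructed placeholder key line
# (not a real key) standing in for the id_rsa.pub that step 1 would produce.
CLIENT_DIR=$(mktemp -d)
SERVER_HOME=$(mktemp -d)
trap 'rm -rf "$CLIENT_DIR" "$SERVER_HOME"' EXIT
PUBFILE=$CLIENT_DIR/id_rsa.pub
printf 'ssh-rsa AAAAB3NzaC1yc2E-CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY test@client\n' > "$PUBFILE"

import_pubkey "$PUBFILE" "$SERVER_HOME"
import_pubkey "$PUBFILE" "$SERVER_HOME"   # second run must not duplicate the line
printf 'authorized_keys holds %s key(s), file mode %s, .ssh mode %s\n' \
    "$(authorized_key_count "$SERVER_HOME")" \
    "$(mode_of "$SERVER_HOME/.ssh/authorized_keys")" \
    "$(mode_of "$SERVER_HOME/.ssh")"
```

On a real deployment the sequence is `create_keypair ~/.ssh/id_rsa` and `upload_pubkey ~/.ssh/id_rsa` on the client, `import_pubkey ~/id_rsa.pub ~` in the target user's shell on the server, then `key_login ~/.ssh/id_rsa` from the client; once that works, PasswordAuthentication can be switched to no in sshd_config so only key holders can log in.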