Article Title: Use OpenSSH to build an SSH server in CentOS (from the Linux technology channel of the IT lab in China).
Preface
Like the Telnet service, the SSH service lets you log on to a system remotely and control it. The difference is that Telnet transmits everything in plain text, whereas SSH encrypts the session, which protects the confidentiality of what is sent in transit and so improves the security of the system.

Here we do not set up the SSH service as a tool for uploading and downloading files; we only enable it so that the system can be managed remotely. As for user authentication, for the security of both the server and its users, password authentication is disabled and key-based ("public key") authentication is used instead.
Modify SSH-related configuration files

First, modify the SSH configuration file, as follows:
[root@sample ~]# vi /etc/ssh/sshd_config ← Open the SSH configuration file with vi

#Protocol 2,1 ← Locate this line, delete the leading "#", and delete ",1" at the end so that only SSH protocol 2 connections are accepted.
Protocol 2 ← The line after modification: only SSH2 is used.

#ServerKeyBits 768 ← Locate this line, delete the leading "#", and change 768 to 1024.
ServerKeyBits 1024 ← The line after modification: the server key strength is 1024 bits. (ServerKeyBits governs only the ephemeral SSH1 server key and has no effect on SSH2 sessions. OpenSSH 7.4 and later removed SSH1 support altogether; on those versions both Protocol and ServerKeyBits are obsolete and ignored.)

#PermitRootLogin yes ← Locate this line, delete the leading "#", and change "yes" to "no".
PermitRootLogin no ← The line after modification: logging on as root is not permitted. Administer the system with an ordinary account and escalate with su or sudo after logging on.

#PasswordAuthentication yes ← Locate this line, delete the leading "#" if present, and change "yes" to "no". sshd uses the first active occurrence of a keyword, so make sure no earlier line in the file sets it to "yes".
PasswordAuthentication no ← The line after modification: logging on with a password is not permitted. Apply this only after key logon has been verified to work, or you will lock yourself out; also confirm that ChallengeResponseAuthentication is "no", otherwise PAM can still prompt for a password through keyboard-interactive authentication.

#PermitEmptyPasswords no ← Locate this line and delete the leading "#".
PermitEmptyPasswords no ← The line after modification: logging on with an empty password is not permitted.
Save and exit (in vi, ZZ saves the file and exits).
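The same edits, done from a script and then audited, as an added example that is not part of the original article. The functions (get_directive, set_directive, audit_sshd_config, validate_sshd_config) and the sample configuration are this example's own; it assumes a POSIX sh with awk and works on a constructed copy of sshd_config rather than the live file. The audit reads the first active occurrence of each keyword, because that is the one sshd honours, so a hardening line appended below an older "PasswordAuthentication yes" would be caught.

```shell
#!/bin/sh
# Added example (not from the article): apply the article's sshd_config edits from a script
# and audit the result. Assumptions: POSIX sh + awk; the target file is a copy you can write to.
set -e

# get_directive FILE KEYWORD
# Prints the effective value: sshd uses the FIRST active occurrence of a keyword, so a
# hardening line appended at the end of the file is silently overridden by an earlier one.
# (Lines inside Match blocks are conditional; a sane config has its global lines first.)
get_directive() {
    awk -v k="$2" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line == "" || line ~ /^#/ { next }
        {
            split(line, f, "[ \t=]+")
            if (tolower(f[1]) == tolower(k)) { print f[2]; exit }
        }' "$1"
}

# set_directive FILE KEYWORD VALUE
# Rewrites the first line carrying the keyword (a commented-out "#Keyword ..." included, which is
# what the article edits by hand), drops later active duplicates, appends if the keyword is absent.
set_directive() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)
            split(line, f, "[ \t=]+")
            if (tolower(f[1]) == tolower(k)) {
                if (!done) { print k " " v; done = 1 }
                next
            }
            print
        }
        END { if (!done) print k " " v }' "$file" > "$tmp"
    cat "$tmp" > "$file"      # keep the original file's owner and mode
    rm -f "$tmp"
}

# audit_sshd_config FILE -> 0 when every setting the article requires is in force.
# Unset values count as failures: compiled-in defaults differ between OpenSSH versions
# (PermitRootLogin, for one), so the policy must be explicit in the file.
audit_sshd_config() {
    file=$1; rc=0
    for pair in PermitRootLogin:no PasswordAuthentication:no PermitEmptyPasswords:no; do
        key=${pair%%:*}; want=${pair#*:}
        got=$(get_directive "$file" "$key")
        if [ "$got" = "$want" ]; then
            echo "ok   $key $got"
        else
            echo "FAIL $key ${got:-<unset>} (want $want)"; rc=1
        fi
    done
    # "Protocol" only matters on OpenSSH < 7.4 (SSH1 removed since); if present it must be exactly 2.
    proto=$(get_directive "$file" Protocol)
    if [ -n "$proto" ] && [ "$proto" != 2 ]; then
        echo "FAIL Protocol $proto (want 2)"; rc=1
    fi
    return $rc
}

# validate_sshd_config FILE: syntax check with the real daemon when it is installed.
# "sshd -t" parses the file without starting a listener; it also expects host keys to exist.
validate_sshd_config() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo "sshd not installed here; syntax check skipped"
    fi
}

# --- demonstration on a constructed file (not a real /etc/ssh/sshd_config) ---
DEMO_CONF=$(mktemp)
cat > "$DEMO_CONF" <<'EOF'
# constructed sample mirroring the CentOS defaults the article edits
#Protocol 2,1
#ServerKeyBits 768
#PermitRootLogin yes
PasswordAuthentication yes
#PermitEmptyPasswords no
X11Forwarding yes
EOF

echo "== before =="
audit_sshd_config "$DEMO_CONF" || true
set_directive "$DEMO_CONF" PermitRootLogin no
set_directive "$DEMO_CONF" PasswordAuthentication no
set_directive "$DEMO_CONF" PermitEmptyPasswords no
# Protocol/ServerKeyBits are SSH1-era directives; only touch Protocol when the file still has it.
if grep -qi '^[[:space:]]*#*[[:space:]]*Protocol' "$DEMO_CONF"; then
    set_directive "$DEMO_CONF" Protocol 2
fi
echo "== after =="
audit_sshd_config "$DEMO_CONF"
validate_sshd_config "$DEMO_CONF" || echo "sshd -t rejected the file (on a bare host this is usually missing host keys)"
```

Run it against a copy of the real file (cp /etc/ssh/sshd_config /root/sshd_config.new, point DEMO_CONF at that copy), check the audit output, let sshd -t accept it, and only then install it and restart sshd from a session you keep open.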
Because the SSH service is only meant to make managing the system more convenient, we allow only clients on the intranet to log on through SSH and do not manage the system remotely over the Internet, which keeps the exposure to a minimum. This is configured through the TCP wrappers access-control files, as follows:
[root@sample ~]# vi /etc/hosts.deny ← Edit the deny rules and add the corresponding line at the end of the file

#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!
sshd: ALL ← Add this line to refuse all SSH connection requests

[root@sample ~]# vi /etc/hosts.allow ← Edit the allow rules and add the corresponding line at the end of the file

#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
sshd: 192.168.0. ← Add this line to allow SSH connection requests only from the intranet

Two details matter here. First, tcp_wrappers consults hosts.allow before hosts.deny and stops at the first match, so the allow line takes precedence over "sshd: ALL" in hosts.deny; without the deny line, however, the allow line restricts nothing, because access is granted by default when neither file matches. Second, the trailing dot in "192.168.0." is what makes it a network prefix (every address beginning 192.168.0.); written without the dot it would match only a host whose name or address is exactly "192.168.0". These files are honoured only when sshd was built with TCP wrappers (libwrap) support: upstream OpenSSH dropped that support in 6.7, CentOS 7 kept it through a distribution patch, and CentOS 8 and later do not have it at all, so on newer systems restrict the source addresses with the firewall or with a Match Address block in sshd_config instead.
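A check for the two rules above, as an added example that is not from the article. It reproduces the order in which tcp_wrappers evaluates hosts.allow and hosts.deny for the subset of the hosts_access(5) syntax the article uses (ALL, an exact address, and a dotted network prefix such as "192.168.0."); the function names, the temporary rule files and the libwrap probe are this example's own, and EXCEPT clauses, hostnames and the other pattern forms of the real library are not implemented.

```shell
#!/bin/sh
# Added example (not from the article): a check for the two rules above. It reproduces the order
# in which tcp_wrappers evaluates hosts.allow and hosts.deny, for the subset of the hosts_access(5)
# syntax the article uses (ALL, an exact IP, and a dotted network prefix such as "192.168.0.").
set -e

# hosts_access_match CLIENT_IP PATTERN -> 0 when the pattern covers the client
hosts_access_match() {
    client=$1; pat=$2
    case "$pat" in
        ALL) return 0 ;;
        *.)  case "$client" in "$pat"*) return 0 ;; esac ;;   # trailing dot = network prefix
        *)   if [ "$client" = "$pat" ]; then return 0; fi ;;  # anything else: exact match only
    esac
    return 1
}

# rules_match DAEMON CLIENT_IP FILE -> 0 when some "daemon_list : client_list" line in FILE matches
rules_match() {
    daemon=$1; client=$2; file=$3
    [ -f "$file" ] || return 1                          # a missing file simply matches nothing
    found=$(grep -v '^[[:space:]]*#' "$file" | while IFS=: read -r dlist clist _rest; do
        for d in $(printf '%s' "$dlist" | tr ',' ' '); do
            [ "$d" = ALL ] || [ "$d" = "$daemon" ] || continue
            for c in $(printf '%s' "$clist" | tr ',' ' '); do
                if hosts_access_match "$client" "$c"; then echo yes; exit 0; fi
            done
        done
    done)
    [ "$found" = yes ]
}

# wrappers_decision DAEMON CLIENT_IP ALLOW_FILE DENY_FILE -> prints allow|deny (exit 1 on deny)
# Evaluation order per hosts_access(5): hosts.allow is consulted first and a match there wins;
# otherwise hosts.deny; otherwise access is GRANTED. That default is why the article's
# "sshd: ALL" in hosts.deny is essential: the allow line alone would restrict nothing.
wrappers_decision() {
    if rules_match "$1" "$2" "$3"; then echo allow; return 0; fi
    if rules_match "$1" "$2" "$4"; then echo deny;  return 1; fi
    echo allow
}

# sshd_has_libwrap -> 0 only when the installed sshd is linked against libwrap. Without it these
# files are never read (upstream OpenSSH dropped tcp_wrappers in 6.7; CentOS 7 carried a patch,
# CentOS 8 and later do not). Needs ldd; reports "not linked" when ldd is unavailable.
sshd_has_libwrap() {
    bin=$(command -v sshd 2>/dev/null) || { echo "sshd not found"; return 2; }
    ldd "$bin" 2>/dev/null | grep -q libwrap
}

# --- demonstration with constructed copies of the two files from the article ---
ALLOW=$(mktemp); DENY=$(mktemp)
printf '# constructed hosts.allow\nsshd: 192.168.0.\n' > "$ALLOW"
printf '# constructed hosts.deny\nsshd: ALL\n'         > "$DENY"

for ip in 192.168.0.5 192.168.1.5 10.0.0.5; do
    printf 'sshd from %-12s -> ' "$ip"
    wrappers_decision sshd "$ip" "$ALLOW" "$DENY" || true
done
printf 'in.telnetd from 10.0.0.5 -> '
wrappers_decision in.telnetd 10.0.0.5 "$ALLOW" "$DENY"    # not listed in hosts.deny: default allow
if sshd_has_libwrap; then echo "local sshd honours hosts.allow/hosts.deny"
else echo "local sshd does not consult these files; use the firewall or sshd 'Match Address' instead"; fi
```

The telnetd line is the point to take away: a service that is not named in hosts.deny stays reachable from anywhere, so a deny file that lists only sshd protects only sshd.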
After modifying the SSH configuration file, restart the SSH service so that the new settings take effect.

[root@sample ~]# /etc/rc.d/init.d/sshd restart ← Restart the SSH server
Stopping sshd: [ OK ]
Starting sshd: [ OK ] ← The SSH server restarted successfully

(On CentOS 7 and later the equivalent command is systemctl restart sshd.) Existing sessions survive the restart, so keep the session you are working in open and verify from a second connection that you can still log on before closing it.
At this point a remote terminal (a personal PC, for instance) can no longer log on to the server with an SSH client using an ordinary password. To let the client log on, we next create a public/private key pair: the public key is registered on the server, and the private key serves as the client's "key" for logging on to the SSH server.
Establishment of the public key and private key for SSH2
Log on as the ordinary user who will connect, and generate the public and private keys for that user (the following uses the user centospub as an example).

[root@sample ~]# su - centospub ← Switch to the ordinary user centospub
[centospub@sample ~]$ ssh-keygen -t rsa ← Generate the key pair
Generating public/private rsa key pair.
Enter file in which to save the key (/home/centospub/.ssh/id_rsa): ← Name of the key file; press Enter to accept the default
Created directory '/home/centospub/.ssh'.
Enter passphrase (empty for no passphrase): ← Enter a passphrase
Enter same passphrase again: ← Enter the passphrase again
Your identification has been saved in /home/centospub/.ssh/id_rsa.
Your public key has been saved in /home/centospub/.ssh/id_rsa.pub.
The key fingerprint is:
tf:rs:e3:7s:28:59:5s:93:fe:33:84:01:cj:65:3b:8e centospub@sample.centospub.com

Choose a real passphrase: it is the only protection the private key has if the medium carrying it is lost. The RSA size ssh-keygen produced by default when this article was written (1024 bits) is too small today; on a current system use ssh-keygen -t ed25519, or ssh-keygen -t rsa -b 4096 if the client cannot use ed25519.
Next, confirm that the key pair was created and do the processing the server needs for the client.

[centospub@sample ~]$ cd ~/.ssh ← Enter the directory holding the user's SSH files
[centospub@sample .ssh]$ ls -l ← List the files
total 16
-rw------- 1 centospub 951 Sep 4 id_rsa ← Confirm that the private key has been created
-rw-r--r-- 1 centospub 241 Sep 4 id_rsa.pub ← Confirm that the public key has been created
[centospub@sample .ssh]$ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys ← Append the public key to the file sshd reads (">>" appends, so keys already registered for the account are kept; ">" would overwrite them)
[centospub@sample .ssh]$ rm -f ~/.ssh/id_rsa.pub ← Delete the original public key file
[centospub@sample .ssh]$ chmod 400 ~/.ssh/authorized_keys ← Set the permissions of the new authorized_keys file to 400

sshd (with StrictModes, which is the default) also requires that ~/.ssh and the home directory itself are not writable by group or others. ssh-keygen creates ~/.ssh with mode 700, but if the directory already existed, check it with ls -ld ~/.ssh and correct it with chmod 700 ~/.ssh; otherwise key logons are refused with nothing more than "Permission denied (publickey)".
Then the private key must be transferred securely to the PC from which you will connect to the server through SSH. The following uses a 3.5-inch floppy disk as the medium:

[centospub@sample .ssh]$ exit ← Return to root
[root@sample ~]# mount /mnt/floppy/ ← Mount the floppy disk drive
[root@sample ~]# mv /home/centospub/.ssh/id_rsa /mnt/floppy/ ← Move the newly created private key to the floppy disk
[root@sample ~]# umount /mnt/floppy/ ← Unmount the floppy disk drive

Note that generating the key pair on the server and carrying the private key away, as done here, is the reverse of the usual practice: normally the pair is generated on the client and only the public key is sent to the server (for example with ssh-copy-id), so the private key never exists anywhere but on the client. If you follow the procedure above, remember that mv does not erase the original data blocks on the server's disk, and that the floppy now holds the key protected by nothing but its passphrase.
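The key-pair steps above (generation, installing authorized_keys, moving the private key off the server) as one script, together with the permission checks sshd makes under StrictModes, as an added example that is not from the article. The function names (gen_keypair, install_pubkey, check_strictmodes), the placeholder key used when ssh-keygen is absent and the temporary directories standing in for /home/centospub and /mnt/floppy are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the article): the key-pair steps above as a script, with the permission
# checks that sshd applies under StrictModes before it will honour authorized_keys at all.
# Assumptions: POSIX sh; ssh-keygen if available (a labelled placeholder key is used otherwise);
# temporary directories stand in for /home/centospub and /mnt/floppy.
set -e

# gen_keypair DIR: generate the user's key pair. The article uses "-t rsa" (a 1024-bit key in its
# day); ed25519 is the current choice. -N '' skips the passphrase ONLY because this runs unattended;
# a private key that travels on removable media should certainly have one.
gen_keypair() {
    if command -v ssh-keygen >/dev/null 2>&1; then
        ssh-keygen -q -t ed25519 -N '' -C "centospub@sample" -f "$1/id_ed25519"
    else
        # constructed placeholder so the rest of the demonstration runs without OpenSSH present
        printf 'ssh-ed25519 AAAA-CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY centospub@sample\n' > "$1/id_ed25519.pub"
        : > "$1/id_ed25519"
        chmod 600 "$1/id_ed25519"
    fi
}

# install_pubkey HOME PUBFILE: what the article does with cat/chmod, using ">>" so keys already
# registered for the account survive, and mode 600 (400 as in the article is equally acceptable).
install_pubkey() {
    mkdir -p "$1/.ssh"
    chmod 700 "$1/.ssh"
    cat "$2" >> "$1/.ssh/authorized_keys"
    chmod 600 "$1/.ssh/authorized_keys"
}

# check_strictmodes HOME -> 0 when home, ~/.ssh and authorized_keys are all free of group/world
# write permission. With StrictModes (the default) sshd refuses key logins otherwise, and the
# only symptom the user sees is "Permission denied (publickey)".
check_strictmodes() {
    rc=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then echo "missing: $p"; rc=1; continue; fi
        mode=$(ls -ld "$p" | cut -c1-10)        # e.g. drwx------ ; column 6 = group w, 9 = other w
        case "$mode" in
            ?????w????|????????w?) echo "FAIL $mode $p (group/world writable)"; rc=1 ;;
            *)                     echo "ok   $mode $p" ;;
        esac
    done
    return $rc
}

# --- demonstration ---
HOMEDIR=$(mktemp -d)     # stands in for /home/centospub (mktemp -d creates it mode 700)
MEDIA=$(mktemp -d)       # stands in for the mounted floppy
mkdir -p "$HOMEDIR/.ssh" && chmod 700 "$HOMEDIR/.ssh"

gen_keypair "$HOMEDIR/.ssh"
install_pubkey "$HOMEDIR" "$HOMEDIR/.ssh/id_ed25519.pub"
rm -f "$HOMEDIR/.ssh/id_ed25519.pub"            # the copy in authorized_keys is the one that counts
mv "$HOMEDIR/.ssh/id_ed25519" "$MEDIA/"         # the private key leaves the server, as with the floppy
check_strictmodes "$HOMEDIR"

# A common way this setup breaks: somebody loosens ~/.ssh, and key logins silently stop working.
chmod 770 "$HOMEDIR/.ssh"
check_strictmodes "$HOMEDIR" || echo "-> sshd would now ignore authorized_keys"
chmod 700 "$HOMEDIR/.ssh"
```

When a key logon fails after following the article, run check_strictmodes against the real home directory before suspecting the key itself; a group-writable home directory is the usual cause, and `sshd -d` on a spare port shows the refusal explicitly.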
In this way, an SSH client on a remote terminal can connect to the server using the private key that belongs to the user centospub. However, the private key generated on the server cannot always be used by the client as it is (some clients require it in their own key format)... For details, see the next section.