Article Title: Use OpenSSH to remotely manage Linux servers.
Every Linux system administrator knows OpenSSH. SSH encrypts the data it sends over the network, which gives a much higher level of security than Telnet, and it is the secure replacement for the Telnet service. sshd is the OpenSSH server daemon, and there are many Windows clients for it, such as SecureCRT and PuTTY. Connecting to Linux remotely through SecureCRT is not sensitive to network speed or bandwidth: whether over ADSL or a 56K modem dial-up connection, it is easy to connect and perform maintenance. The use of SecureCRT was described in the previous chapter. Here we describe the configuration of the OpenSSH server program in detail.
OpenSSH is installed by default in Red Hat Enterprise Linux. Its configuration files are kept in /etc/ssh, and the server configuration file is /etc/ssh/sshd_config. We will focus on the meaning of each option in this configuration file.
[root@localhost ~]# vi /etc/ssh/sshd_config

Port 22
("Port" sets the port on which sshd listens. The default port 22 is used here.)

#Protocol 2,1
("Protocol" selects the SSH protocol version, ssh1 or ssh2. Set it to "Protocol 2".)

#ListenAddress 0.0.0.0
("ListenAddress" sets the IP address that the sshd server binds to.)

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
("HostKey" sets the path of the server's host key files.)

#KeyRegenerationInterval 1h
("KeyRegenerationInterval" sets how long the server key is used before the system automatically regenerates it. Regenerating the key prevents a stolen key from being used to decrypt intercepted traffic.)

#ServerKeyBits 768
("ServerKeyBits" defines the length of the server key in bits.)

SyslogFacility AUTHPRIV
("SyslogFacility" sets the syslog facility code used when logging messages from sshd.)

#LogLevel INFO
("LogLevel" sets the verbosity level of sshd log messages.)

#LoginGraceTime 2m
("LoginGraceTime" sets how long the server waits for a user to log in successfully before it closes the connection.)

PermitRootLogin no
("PermitRootLogin" sets whether the superuser root may log in through SSH. Logging in to Linux remotely as root is dangerous; we recommend setting this option to "no".)

#StrictModes yes
("StrictModes" sets whether sshd checks the permissions and ownership of the user's home directory and rhosts files before accepting a login. We recommend setting this option to "yes".)

#RSAAuthentication yes
("RSAAuthentication" sets whether RSA key authentication is enabled. Enable it if you log in with an RSA key.)

#PubkeyAuthentication yes
("PubkeyAuthentication" sets whether public key authentication is enabled. Enable it if you log in with a public key.)

#AuthorizedKeysFile .ssh/authorized_keys
("AuthorizedKeysFile" sets the path of the public key authentication file; it is used together with "PubkeyAuthentication".)

# similar for protocol version 2
#HostbasedAuthentication no
#IgnoreUserKnownHosts no
("IgnoreUserKnownHosts" sets whether sshd ignores the user's "$HOME/.ssh/known_hosts" file during RhostsRSAAuthentication.)

#IgnoreRhosts yes
("IgnoreRhosts" sets whether the "~/.rhosts" and "~/.shosts" files are used during authentication.)

PasswordAuthentication yes
("PasswordAuthentication" sets whether password authentication is enabled. If you log in with a password, set it to "yes".)

PermitEmptyPasswords no
("PermitEmptyPasswords" sets whether login to accounts with an empty password is allowed. It must be "no".)

X11Forwarding yes
("X11Forwarding" sets whether X11 forwarding is allowed.)

#PrintMotd yes
("PrintMotd" sets whether sshd displays the contents of "/etc/motd" when a user logs in.)
The text in parentheses above explains the meaning of each option in the sshd_config configuration file. Only some of the most common options are listed here; the values shown are also our recommended configuration.
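As an added example (not part of the original article), the following POSIX shell script audits an sshd_config file for the hardening settings recommended above. sshd applies the first active occurrence of an option and ignores commented lines, so the lookup mirrors that; the function names and the sample configuration are constructed for this example.

```shell
#!/bin/sh
# Added example: audit sshd_config against the recommended settings.
# sshd uses the FIRST non-comment occurrence of an option; later lines are
# ignored, so a forgotten duplicate can silently undo a hardening change.

# effective_value FILE OPTION -> first active value of OPTION, or "<default>"
# when the option is not set (sshd then uses its built-in default).
# Handles the whitespace-separated "Option value" form used in this article.
effective_value() {
    val=$(awk -v opt="$2" '
        $0 !~ /^[[:space:]]*#/ && tolower($1) == tolower(opt) { print $2; exit }
    ' "$1")
    printf '%s\n' "${val:-<default>}"
}

# check_option FILE OPTION EXPECTED -> 0 when the effective value matches
check_option() {
    got=$(effective_value "$1" "$2")
    if [ "$got" = "$3" ]; then
        echo "OK    $2 $got"
        return 0
    fi
    echo "WARN  $2 is '$got', recommended '$3'"
    return 1
}

# audit_config FILE -> prints one line per option; exit status is the number
# of options that deviate from the recommendation (0 means all match)
audit_config() {
    bad=0
    check_option "$1" Protocol 2                 || bad=$((bad + 1))
    check_option "$1" PermitRootLogin no         || bad=$((bad + 1))
    check_option "$1" PermitEmptyPasswords no    || bad=$((bad + 1))
    check_option "$1" StrictModes yes            || bad=$((bad + 1))
    check_option "$1" PasswordAuthentication yes || bad=$((bad + 1))
    return "$bad"
}

# Constructed sample config: the commented PermitRootLogin line must not
# count, and only the first active PermitRootLogin line ("yes") is effective.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
Port 22
Protocol 2
#PermitRootLogin no
PermitRootLogin yes
PermitRootLogin no
PermitEmptyPasswords no
StrictModes yes
PasswordAuthentication yes
EOF
```

Run it against /etc/ssh/sshd_config before restarting sshd; `sshd -t` additionally checks that the file parses at all, which this script does not do.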
After configuring the sshd_config file, restart the sshd daemon to make the modification take effect:
/etc/init.d/sshd restart
Note that the sshd service must be restarted on the Linux system itself. Be careful when restarting the sshd service from within an SSH remote session: a mistake in the configuration can lock you out!
The last step is to set the sshd service to start automatically at boot. You only need to execute the following command:
chkconfig --level 35 sshd on
In this way, the sshd service will be started automatically at system runlevels 3 and 5.