2025-01-23 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
OpenSSH:
SSH is a protocol.
ssh: secure shell; a protocol, 22/tcp, for secure remote login
OpenSSH: open source implementation of the ssh protocol
Dropbear: another open source implementation
First install: yum install telnet-server
SSH protocol versions:
v1: not secure; the MAC is based on CRC-32 and the protocol is vulnerable to man-in-the-middle attacks
v2: the two hosts negotiate a secure MAC mode; key exchange is based on the DH algorithm, host authentication on the RSA or DSA algorithm
There are two ways of user login authentication:
Based on password
Based on key
OpenSSH:
C/S architecture
C (client): ssh, scp, sftp
Windows clients: Xshell, PuTTY, SecureCRT, SSH Secure Shell Client
S (server): sshd
Client components:
ssh, configuration file: /etc/ssh/ssh_config
Format: ssh [user@]host [COMMAND]
e.g. ssh 192.168.1.101
ssh [-l user] host [COMMAND]
-p PORT: the port on which the remote server listens
-X: support X11 forwarding
-Y: support trusted X11 forwarding
Format of ssh_config:
Host PATTERN
PARAMETER VALUE
Key-based authentication:
(1) generate a key pair on the client side
ssh-keygen -t rsa [-P ''] [-f "~/.ssh/id_rsa"]
ssh-keygen -t rsa -P '' -f ~/.ssh/id_rsa    (-P '' gives the private key an empty passphrase)
(2) transfer the public key to the home directory of the corresponding user on the remote server
ssh-copy-id [-i [identity_file]] [user@]machine
ssh-copy-id -i .ssh/id_rsa.pub root@192.168.1.101
(3) test the login
vim .ssh/authorized_keys    (the public keys allowed to log in are stored in this file; ssh-copy-id appends to it)
scp command:
scp [options] SRC... DEST/
There are two situations:
PULL: scp [options] [user@]host:/PATH/FROM/SOMEFILE /PATH/TO/SOMEWHERE
PUSH: scp [options] /PATH/FROM/SOMEFILE [user@]host:/PATH/TO/SOMEWHERE
Common options:
-r: recursive copy
-p: keep the attribute information (mode, timestamps) of the original file
-q: quiet mode
-P PORT: the port on which the remote host is listening
sftp command:
sftp [user@]host
sftp> help
Server side:
sshd, configuration file: /etc/ssh/sshd_config
Common parameters:
Port 22022           (listen on a non-default port)
ListenAddress ip     (listen only on the private network address)
PermitRootLogin yes  (whether root may log in directly)
X11 forwarding can be tested with a graphics program such as xclock
Ways to restrict which users may log in:
AllowUsers user1 user2 user3
AllowGroups
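As an added example (not part of the original notes), the following POSIX shell script audits an sshd_config file against the server-side parameters above and the hardening checklist that follows (non-default port, no protocol 1, user restriction, idle timeout, specific listen address, key-based authentication, no empty passwords, no direct root login, limits on attempts and sessions, logging). The two sample configurations it writes are constructed here; the directive names are real sshd_config keywords.

```shell
#!/bin/sh
# Added example, not from the original notes: audit an sshd_config against the
# hardening checklist on this page. Sample configurations are constructed below.

# sshd_get KEY FILE: value of the last uncommented KEY directive (keywords are case-insensitive)
sshd_get() {
    awk -v key="$1" 'tolower($1) == tolower(key) { val = $2 } END { print val }' "$2"
}

# audit_sshd_config FILE: print one line per weak or missing setting
audit_sshd_config() {
    cfg="$1"
    port=$(sshd_get Port "$cfg")
    [ -n "$port" ] && [ "$port" != "22" ] || echo "Port: default port 22 in use"
    case "$(sshd_get Protocol "$cfg")" in
        *1*) echo "Protocol: version 1 still enabled" ;;
    esac
    [ -n "$(sshd_get AllowUsers "$cfg")$(sshd_get AllowGroups "$cfg")" ] \
        || echo "AllowUsers/AllowGroups: no restriction on who may log in"
    interval=$(sshd_get ClientAliveInterval "$cfg")
    [ -n "$interval" ] && [ "$interval" -gt 0 ] 2>/dev/null \
        || echo "ClientAliveInterval: no idle session timeout"
    case "$(sshd_get ListenAddress "$cfg")" in
        ""|0.0.0.0|"::") echo "ListenAddress: listening on all addresses" ;;
    esac
    [ "$(sshd_get PasswordAuthentication "$cfg")" = "no" ] \
        || echo "PasswordAuthentication: password logins allowed; prefer key-based authentication"
    case "$(sshd_get PermitEmptyPasswords "$cfg")" in
        yes) echo "PermitEmptyPasswords: empty passwords accepted" ;;
    esac
    case "$(sshd_get PermitRootLogin "$cfg")" in
        ""|yes) echo "PermitRootLogin: direct root login allowed or left to the default" ;;
    esac
    [ -n "$(sshd_get MaxAuthTries "$cfg")" ] && [ -n "$(sshd_get MaxStartups "$cfg")" ] \
        || echo "MaxAuthTries/MaxStartups: no explicit limit on attempts or concurrent connections"
    case "$(sshd_get LogLevel "$cfg")" in
        QUIET|quiet) echo "LogLevel: QUIET suppresses the authentication log" ;;
    esac
}

# count_findings FILE: number of findings, for scripting
count_findings() {
    audit_sshd_config "$1" | awk 'END { print NR }'
}

# Constructed sample: a stock-looking sshd_config that ignores the checklist
write_weak_config() {
    cat > "$1" <<'EOF'
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
LogLevel QUIET
EOF
}

# Constructed sample: the same service configured per the checklist
write_hardened_config() {
    cat > "$1" <<'EOF'
Port 22022
Protocol 2
ListenAddress 10.0.0.5
AllowUsers admin deploy
ClientAliveInterval 300
ClientAliveCountMax 2
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
MaxAuthTries 3
MaxStartups 10:30:60
LogLevel VERBOSE
EOF
}

# Usage: sh audit.sh /etc/ssh/sshd_config
if [ $# -gt 0 ]; then
    audit_sshd_config "$1"
fi
```

The weak sample produces ten findings and the hardened one none; run it against a real sshd_config and treat every printed line as an item to fix or to justify. Note that sshd_get takes the last occurrence of a directive, which mirrors how a single file is read but ignores Match blocks and Include files.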
Best practices for the ssh service:
1. Do not use the default port
2. Disable protocol version 1
3. Restrict which users may log in
4. Set an idle session timeout
5. Use the firewall to set an ssh access policy
6. Listen only on specific IP addresses
7. Use a strong password policy when authenticating by password, e.g. generate a random password:
# tr -dc A-Za-z0-9_ < /dev/urandom | head -c 30 | xargs
8. Use key-based authentication
9. Forbid empty passwords
10. Forbid direct root login
11. Limit the ssh access rate and the number of concurrent sessions
12. Keep good logs and analyze them regularly

Another implementation of the ssh protocol: dropbear
(1) generate the host key
dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key -s 2048
dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key
(2) start the service
dropbear -p [ip:]port -F -E
Compiling and installing:
./configure
make PROGRAMS='dropbear scp dropbearkey dbclient'
make PROGRAMS='dropbear scp dropbearkey dbclient' install
mkdir /etc/dropbear
dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key -s 2048
dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key

OpenSSL:
Three components:
openssl: multi-purpose command-line tool
libcrypto: encryption/decryption library
libssl: implementation of the ssl protocol
PKI: Public Key Infrastructure
CA: certificate authority (issues certificates)
RA: registration authority
CRL: certificate revocation list
Certificate repository
Building a private CA: OpenCA, openssl
Certificate application and signing steps:
1. Generate the signing request
2. RA verification
3. CA signs
4. Obtain the certificate
Creating a private CA:
openssl configuration file: /etc/pki/tls/openssl.cnf ($dir/certs is the certificate store)
(1) create the required files
# cd /etc/pki/CA
# touch index.txt
# echo 01 > serial
(2) CA self-signed certificate
# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
-new: generate a new certificate signing request
-x509: used only when the CA generates its self-signed certificate
-key: the private key file used to generate the request
-days n: the validity period of the certificate in days
-out /PATH/TO/SOMECERTFILE: the path where the certificate is saved
Subject fields entered at the prompts, e.g.: C=CN, ST=Beijing, L=Beijing, O=magedu, OU=ops (operation and maintenance), CN=ca.magedu.com (the server's resolvable name), emailAddress=caadmin@magedu.com
(3) issuing certificates
(a) the host that will use the certificate generates a certificate request
# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
# openssl req -new -key /etc/httpd/ssl/httpd.key -days 365 -out /etc/httpd/ssl/httpd.csr
e.g. for httpd:
# rpm -q httpd
# cd /etc/httpd
# mkdir ssl
# cd ssl/
# openssl req -new -key httpd.key ... (same as above)
(b) transfer the request file to the CA
(c) the CA signs the certificate and returns it to the requester
# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
View the information in the certificate:
# openssl x509 -in /PATH/FROM/CERT_FILE -noout -text|-subject|-serial
(4) revoking a certificate
(a) the client obtains the serial of the certificate to be revoked
# openssl x509 -in /PATH/FROM/CERT_FILE -noout -serial -subject
(b) on the CA
First, check that the serial and subject submitted by the client match the record in the index.txt file.
Revoke the certificate:
# openssl ca -revoke /etc/pki/CA/newcerts/SERIAL.pem
(c) generate the revocation list number (only when revoking a certificate for the first time)
# echo 01 > /etc/pki/CA/crlnumber
(d) update the certificate revocation list
# openssl ca -gencrl -out thisca.crl
View the crl file:
# openssl crl -in /PATH/FROM/CRL_FILE.crl -noout -text
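The whole private-CA procedure above (create the CA, issue a server certificate, check it, revoke it, publish the CRL) as an added, runnable example that is not part of the original notes. It works in a throwaway directory that stands in for /etc/pki/CA and writes a minimal openssl.cnf of its own, so nothing touches the system CA; the subject names and the hostname www.magedu.com are constructed, and the file layout (index.txt, serial, crlnumber, newcerts/) is the one openssl ca expects.

```shell
#!/bin/sh
# Added example, not from the original notes: private CA lifecycle in a temp dir.

# setup_ca DIR: directory layout, config, CA key, self-signed CA cert and an empty CRL
setup_ca() {
    ca="$1"
    mkdir -p "$ca/certs" "$ca/newcerts" "$ca/private" "$ca/crl"
    touch "$ca/index.txt"        # database of issued certificates
    echo 01 > "$ca/serial"       # next certificate serial number
    echo 01 > "$ca/crlnumber"    # next CRL number, required before -gencrl
    # [demo_ca] tells "openssl ca" where the files above live; the empty [req_dn]
    # section lets "openssl req" take its subject from -subj without prompting
    cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
[ demo_policy ]
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    (umask 077; openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$ca/openssl.cnf" -key "$ca/private/cakey.pem" -days 7300 \
        -subj "/C=CN/ST=Beijing/O=magedu/OU=ops/CN=ca.magedu.com" -out "$ca/cacert.pem"
    openssl ca -config "$ca/openssl.cnf" -gencrl -out "$ca/crl/thisca.crl" 2>/dev/null
}

# issue_cert CA HOSTDIR CN: HOSTDIR plays /etc/httpd/ssl on the requesting host
issue_cert() {
    (umask 077; openssl genrsa -out "$2/httpd.key" 2048 2>/dev/null)
    openssl req -new -config "$1/openssl.cnf" -key "$2/httpd.key" \
        -subj "/C=CN/ST=Beijing/O=magedu/OU=ops/CN=$3" -out "$2/httpd.csr"
    # the CSR is "transferred" to the CA, which signs it with -batch (no prompts)
    openssl ca -batch -config "$1/openssl.cnf" -in "$2/httpd.csr" \
        -out "$1/certs/httpd.crt" -days 365 -notext 2>/dev/null
}

# cert_serial CERT: prints "serial=NN", what a client hands the CA for revocation
cert_serial() { openssl x509 -in "$1" -noout -serial; }

# index_status CA SERIAL: V (valid) or R (revoked) from index.txt, fields are tab-separated
index_status() {
    awk -F '\t' -v s="$2" '$4 == s { st = $1 } END { print st }' "$1/index.txt"
}

# revoke_cert CA SERIAL: mark the certificate revoked and publish a fresh CRL
revoke_cert() {
    openssl ca -config "$1/openssl.cnf" -revoke "$1/newcerts/$2.pem" 2>/dev/null
    openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/crl/thisca.crl" 2>/dev/null
}

# crl_lists_serial CA SERIAL: true if the published CRL contains SERIAL
crl_lists_serial() {
    openssl crl -in "$1/crl/thisca.crl" -noout -text | grep -q "Serial Number: $2"
}

# verify_cert CA CERT: chain check against the CA cert plus a CRL check
verify_cert() {
    openssl verify -CAfile "$1/cacert.pem" -crl_check -CRLfile "$1/crl/thisca.crl" "$2"
}

# Usage: sh ca-demo.sh demo
if [ "${1:-}" = "demo" ]; then
    ca=$(mktemp -d); host=$(mktemp -d)
    setup_ca "$ca" && issue_cert "$ca" "$host" www.magedu.com
    cert_serial "$ca/certs/httpd.crt"; verify_cert "$ca" "$ca/certs/httpd.crt"
    revoke_cert "$ca" 01; verify_cert "$ca" "$ca/certs/httpd.crt" || echo "revoked as expected"
fi
```

The point of the CRL check at the end is the one the notes leave implicit: revoking a certificate only changes index.txt on the CA, and a relying party keeps accepting the certificate until it fetches the regenerated CRL (or queries OCSP) and verifies with it, which is why step (d) is part of every revocation.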