Analysis of linux ssh usage cases

2025-01-19 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Development >

Shulou(Shulou.com)06/01 Report--

Most people do not understand the knowledge points of this "linux ssh use case Analysis" article, so the editor has summarized the following content, which is detailed, has clear steps and has some reference value. I hope you get something from reading it. Let's take a look at this "linux ssh use case Analysis" article.

ssh stands for Secure Shell, which, as the name implies, means a shell with security built in. The ssh protocol was developed by the Network Working Group of the IETF (Internet Engineering Task Force). Its main purpose is to replace the traditional remote-login and remote-command tools, telnet and the r-series commands (rlogin, rsh, rexec, etc.), by encrypting remote login and remote command execution so that passwords cannot be captured by network sniffing and then used against the system.

There are currently two versions of the ssh protocol, ssh1 and ssh2; ssh2 is compatible with ssh1. At present the main software implementing ssh1 and ssh2 is OpenSSH and the commercial ssh software of SSH Communications Security Corporation. The former is free software developed by the OpenBSD project, the latter is commercial, so Linux, FreeBSD, OpenBSD, NetBSD and other free Unix systems all use OpenSSH as their implementation of the ssh protocol. This article therefore focuses on the use of OpenSSH. Note that OpenSSH and SSH Communications use different formats for the login public key / private key. If you want to log in to a Linux system running OpenSSH with a private key / public key pair generated by the SSH Communications software, you need to convert the key format.

Before ssh appeared, a system administrator who needed to log on to a remote server for system management tasks used telnet. The telnet protocol transmits the password in plaintext and does not encrypt the data in transit, so it is easy for a malicious person on the network to sniff the password. Similarly, before the ssh tools appeared, the r-series commands were also very popular (they are collectively called r-series commands because they all begin with the letter r, for remote). For example, rexec executes commands on a remote server; the difference from telnet is that telnet requires you to log in to the remote server before running a command, while the r-series commands combine login, command execution and logout into one step. You therefore no longer need to log in to the server just to execute a single command on it.

ssh is an encrypted protocol: it encrypts not only the password during login but also the data of the commands executed afterwards, so that even if someone sniffs and intercepts your packets on the network, he cannot read their contents. OpenSSH is already a standard component of most Linux and BSD operating systems (and even Cygwin), so this article does not describe how to install it. Unless something unusual has happened, OpenSSH is already installed on your system.

The openssh package contains the following commands:

sshd - the ssh server program
sftp-server - the sftp server program (sftp is a protocol similar to ftp, but with the data encrypted)
scp - a non-interactive client of sftp-server, used to upload files to or download files from the server
sftp - an interactive client of sftp-server, using the same commands as ftp
slogin - an alias for ssh
ssh - the client program of the ssh protocol, used to log in to a remote system or execute commands remotely
ssh-add - an ssh agent helper, used to add a dsa key to the ssh agent
ssh-agent - the ssh agent
ssh-keyscan - ssh public key generator

The most common use of ssh is remote login in place of telnet. Unlike telnet, where entering the system password is the only way in, ssh also supports publickey, keyboard-interactive, gssapi and other login methods. The two most commonly used at present are the traditional password login and publickey login. Red Hat AS4 is used below to illustrate both.

[root@mail ~]# ssh 172.18.6.227
The authenticity of host '172.18.6.227 (172.18.6.227)' can't be established.
RSA key fingerprint is 43:80:f2:e1:9b:b6:6e:c0:e2:dd:57:8f:ed:89:b3:81.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.18.6.227' (RSA) to the list of known hosts.
root@172.18.6.227's password:
Last login: Thu Jul 12 18:47:47 2007 from 172.18.6.130
[root@qmail ~]#

After the first login, ssh stores the host key fingerprint in the known_hosts file in the .ssh directory of the user's home directory. If the remote system has been reinstalled, its host key fingerprint changes; you must delete the corresponding entry from .ssh/known_hosts and log in again, answering yes, before the login succeeds. Note that the .ssh directory begins with "." and is hidden, so you need the ls -a parameter to see it. Its permissions must be 700, and the user's home directory must not be writable by other users, otherwise the ssh server will refuse the login. If you are unable to log in, check the log file /var/log/secure on the server; it usually shows the reason quickly.

Executing a command remotely with ssh:

[root@mail ~]# ssh 172.18.6.227 ls -l /
root@172.18.6.227's password:
total 1244
drwxr-xr-x 2 root root 4096 Jun 26 04:02 bin
drwxr-xr-x 4 root root 4096 Mar 29 11:17 boot
drwxr-xr-x 2 root root 4096 Jan 25 11:26 command
drwxr-xr-x 15 root root 4096 Jun 12 20:09 data
drwxr-xr-x 9 root root 5360 Jul 2 13:38 dev
drwxr-xr-x 87 root root 12288 Jul 11 04:02 etc
drwxr-xr-x 20 root root 4096 Apr 10 10:54 home
drwxr-xr-x 2 root root 4096 Aug 13 2004 initrd

After the correct password is entered, ssh connects to the sshd server program on the remote server, executes the command ls -l / there, and sends the output back to the local machine. It is equivalent to logging in to the remote server, running ls -l /, and then logging out. As a reminder, if you need to run more than one command in a single login, enclose the commands in single or double quotation marks:

ssh 172.18.6.227 "cd /root && ls"

The remote command execution feature of ssh replaces the original r-series commands. Before ssh appeared, system administrators had to use insecure tools such as rexec and rsh for the same job. The feature is very useful when managing a large number of machines. For example, if I want to restart all the servers in the 10.0.0.0/24 network segment, a single command is enough:

for i in $(seq 1 254); do ssh 10.0.0.${i} reboot; done

This restarts all the servers. You may object that, although you no longer need to log in to every server, you still have to type the password every time, which is troublesome. Don't worry: logging in with an ssh public key, described next, solves that problem.

Logging in with a public key:

OpenSSH's ssh-keygen command is used to generate the private key and public key pair.

[root@mail ~]# ssh-keygen -b 1024 -t dsa -C gucuiwen@myserver.com
Generating public/private dsa key pair.
# the key pair is being generated; a 4096-bit key can take a long time
Enter file in which to save the key (/root/.ssh/id_dsa):
# asks where to save the public key and private key; press enter to accept the default location
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
# asks for a passphrase twice; press enter both times for no passphrase
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
# the public key and private key have been saved in the /root/.ssh/ directory
The key fingerprint is:
71:e5:cb:15:d3:8c:05:ed:05:84:85:32:ce:b1:31:ce gucuiwen@myserver.com
# the key's fingerprint

Description:

-b 1024 generates a public / private key pair 1024 bits long; the maximum is 4096 bits, and 1024 or 2048 is usual. A longer key takes longer to encrypt and decrypt.

-t dsa generates a key pair using the dsa algorithm. Besides dsa there is also rsa; an rsa key must be at least 768 bits long.

-C gucuiwen@myserver.com is a comment describing this public / private key pair, usually the owner's email address. It can be omitted. For the other parameters, see man ssh-keygen.

[root@mail ~]# ls -l /root/.ssh
total 16
-rw------- 1 root root 668 Jul 12 20:07 id_dsa
-rw-r--r-- 1 root root 611 Jul 12 20:07 id_dsa.pub
-rw-r--r-- 1 root root 222 Jul 12 19:37 known_hosts

The generated public key / private key files are in the .ssh directory of the user's home directory; id_dsa.pub is the public key. Upload the generated public key to the .ssh directory of the corresponding user on the server you need to log in to. Once again: the user's home directory must not be writable by others, and the .ssh directory must have permission 700, that is, nobody except the user himself may read, write or list the directory, otherwise the ssh server will refuse the login. The default public key file that ssh checks is authorized_keys in the .ssh directory under the user's home directory, so the generated public key must be placed under /root/.ssh/ on the server with that file name. This file can hold the public keys of many clients, like a door with many locks that different keys can try: as long as one lock opens, the door opens. Put it on the server like this:

The private key must have 600 permissions, otherwise the ssh server will deny the user login.
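The permission rules just described (home directory not writable by others, .ssh at 700, private key at 600) are the same ones sshd enforces under StrictModes, and getting one of them wrong is the usual cause of the login refusal the article mentions. The following script, an added example and not the article's own code, checks those rules for a given home directory before a key login is attempted; it assumes GNU coreutils stat (stat -c %a), and its function names are its own.

```shell
#!/bin/sh
# Added example, not from the original article: check the permission rules the
# article states before attempting a key login. sshd enforces the same rules
# under StrictModes: home directory not writable by group or others, ~/.ssh
# mode 700, authorized_keys not writable by group or others, private key 600.
# Assumes GNU coreutils stat (stat -c %a). Prints one line per violation and
# returns 0 when everything passes, 1 otherwise, 2 if the home dir is missing.

# succeed when the group or other digit of an octal mode has the write bit set
group_or_other_writable() {
    case "$1" in
        *[2367][0-7]|*[2367]) return 0 ;;
        *) return 1 ;;
    esac
}

check_ssh_perms() {
    home=$1
    rc=0
    m=$(stat -c %a "$home" 2>/dev/null) || return 2
    if group_or_other_writable "$m"; then
        echo "home directory $home is writable by group/others (mode $m)"; rc=1
    fi
    m=$(stat -c %a "$home/.ssh" 2>/dev/null) || { echo "$home/.ssh is missing"; return 1; }
    if [ "$m" != 700 ]; then
        echo "$home/.ssh has mode $m, expected 700"; rc=1
    fi
    if [ -f "$home/.ssh/authorized_keys" ]; then
        m=$(stat -c %a "$home/.ssh/authorized_keys")
        if group_or_other_writable "$m"; then
            echo "authorized_keys is writable by group/others (mode $m)"; rc=1
        fi
    fi
    for k in "$home/.ssh/id_dsa" "$home/.ssh/id_rsa"; do
        [ -f "$k" ] || continue
        m=$(stat -c %a "$k")
        if [ "$m" != 600 ]; then
            echo "private key $k has mode $m, expected 600"; rc=1
        fi
    done
    return $rc
}

# usage: sh check_ssh_perms.sh /home/user (with no argument only the functions are defined)
if [ $# -gt 0 ]; then
    check_ssh_perms "$1"
fi
```

Run it as the user on the server side (against the home directory that holds authorized_keys) and on the client side (against the home directory that holds the private key); an empty output with exit status 0 means sshd's StrictModes check will pass.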

That is roughly the whole process. Now let's look at the configuration of /etc/ssh/ssh_config and /etc/ssh/sshd_config.

/etc/ssh/ssh_config:

Host *
The "Host" option restricts the settings that follow to hosts matching the given string; "*" matches all hosts.

ForwardAgent no
"ForwardAgent" sets whether the connection to the authentication agent, if one exists, is forwarded to the remote host.

ForwardX11 no
"ForwardX11" sets whether X11 connections are automatically redirected over the secure channel and the DISPLAY variable is set.

RhostsAuthentication no
"RhostsAuthentication" sets whether rhosts-based authentication is used.

RhostsRSAAuthentication no
"RhostsRSAAuthentication" sets whether rhosts-based authentication combined with the RSA algorithm is used.

RSAAuthentication yes
"RSAAuthentication" sets whether the RSA algorithm is used for authentication.

PasswordAuthentication yes
"PasswordAuthentication" sets whether password authentication is used.

FallBackToRsh no
"FallBackToRsh" sets whether ssh automatically falls back to rsh if the ssh connection fails.

UseRsh no
"UseRsh" sets whether rlogin/rsh is used for this host.

BatchMode no
If "BatchMode" is set to "yes", the interactive prompt for a passphrase/password is disabled. This option is useful for scripts and batch jobs where a password cannot be entered interactively.

CheckHostIP yes
"CheckHostIP" sets whether ssh also checks the IP address of the host it connects to, to detect DNS spoofing. Setting it to yes is recommended.

StrictHostKeyChecking no
If "StrictHostKeyChecking" is set to "yes", ssh will not automatically add a host's key to "$HOME/.ssh/known_hosts" and will refuse to connect once a host's key has changed.

IdentityFile ~/.ssh/identity
"IdentityFile" sets the file from which the user's RSA authentication identity is read.

Port 22
"Port" sets the port used to connect to the remote host.

Cipher blowfish
"Cipher" sets the cipher used to encrypt the session.

EscapeChar ~
"EscapeChar" sets the escape character.

/etc/ssh/sshd_config:

Port 22
"Port" sets the port number sshd listens on.

ListenAddress 192.168.1.1
"ListenAddress" sets the IP address the sshd server binds to.

HostKey /etc/ssh/ssh_host_key
"HostKey" sets the file that contains the host's private key.

ServerKeyBits 1024
"ServerKeyBits" defines the length of the server key in bits.

LoginGraceTime 600
"LoginGraceTime" sets how long (in seconds) the server waits before disconnecting if the user has not logged in successfully.

KeyRegenerationInterval 3600
"KeyRegenerationInterval" sets the number of seconds after which the server key is automatically regenerated (if it has been used). Regenerating the key prevents a stolen key from being used to decrypt intercepted sessions.

PermitRootLogin no
"PermitRootLogin" sets whether root may log in over ssh. This option must not be set to "yes".

IgnoreRhosts yes
"IgnoreRhosts" sets whether the "rhosts" and "shosts" files are used during authentication.

IgnoreUserKnownHosts yes
"IgnoreUserKnownHosts" sets whether the ssh daemon ignores the user's "$HOME/.ssh/known_hosts" when performing RhostsRSAAuthentication.

StrictModes yes
"StrictModes" sets whether sshd checks the permissions and ownership of the user's home directory and rhosts files before accepting a login. This is usually necessary, because beginners often leave their directories and files writable by everyone.

X11Forwarding no
"X11Forwarding" sets whether X11 forwarding is allowed.

PrintMotd yes
"PrintMotd" sets whether sshd displays the contents of "/etc/motd" when a user logs in.

SyslogFacility AUTH
"SyslogFacility" sets the facility code used when sshd logs messages through syslog.

LogLevel INFO
"LogLevel" sets the verbosity of sshd's log messages. INFO is a good choice; see the sshd man page for more information.

RhostsAuthentication no
"RhostsAuthentication" sets whether authentication using only rhosts or "/etc/hosts.equiv" is sufficient.

RhostsRSAAuthentication no
"RhostsRSAAuthentication" sets whether authentication with rhosts or "/etc/hosts.equiv" combined with RSA is allowed.

RSAAuthentication yes
"RSAAuthentication" sets whether pure RSA authentication is allowed.

PasswordAuthentication yes
"PasswordAuthentication" sets whether password authentication is allowed.

PermitEmptyPasswords no
"PermitEmptyPasswords" sets whether login to an account with an empty password is allowed.

AllowUsers admin
"AllowUsers" can be followed by any number of user names or patterns such as user@host, separated by spaces. The host part can be a DNS name or an IP address.
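As an added example that is not part of the original article, the script below audits an sshd_config file against the values the article recommends for PermitRootLogin, PermitEmptyPasswords, StrictModes, IgnoreRhosts, X11Forwarding and RhostsAuthentication; its function names are its own, and it assumes only POSIX sh and awk.

```shell
#!/bin/sh
# Added example, not from the original article: audit an sshd_config against
# the settings the article recommends. sshd keywords are case-insensitive and
# the first occurrence of a keyword wins, so the lookup lower-cases both sides
# and stops at the first match. Options the article discusses that have no
# single safe value (Port, ListenAddress, AllowUsers) are not checked.

# print the effective value of keyword $2 in sshd_config file $1 (empty if unset)
sshd_value() {
    awk -v key="$(printf %s "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# audit file $1: prints one line per deviation, returns 0 only if there are none
audit_sshd_config() {
    f=$1
    rc=0
    # keyword:recommended-value pairs, taken from the article's descriptions
    for pair in PermitRootLogin:no PermitEmptyPasswords:no StrictModes:yes \
                IgnoreRhosts:yes X11Forwarding:no RhostsAuthentication:no; do
        key=${pair%%:*}
        want=${pair#*:}
        got=$(sshd_value "$f" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key is '${got:-unset}', article recommends '$want'"
            rc=1
        fi
    done
    return $rc
}

# usage: sh audit_sshd.sh /etc/ssh/sshd_config (no argument only defines the functions)
if [ $# -gt 0 ]; then
    audit_sshd_config "$1"
fi
```

An option reported as "unset" falls back to sshd's compile-time default, which the article does not state, so set it explicitly rather than relying on the default.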

Converting a public key in ssh2 (SSH Communications) format to OpenSSH format:

ssh-keygen -i -f identity.pub >> /root/.ssh/authorized_keys2

The above is the content of this article, "linux ssh use case Analysis". I believe you now have some understanding of it, and I hope the content shared by the editor is helpful to you. If you want to learn more, please follow the industry information channel.
