SLTechnology News & Howtos > Servers. Shulou (Shulou.com) report of 06/01, updated 2025-01-16.
This article explains how to make remote connections with OpenSSH: the protocol and its two versions, the client and server configuration files, the ssh and scp commands, and a hardening checklist for the sshd service.
1. Introduction to OpenSSH
Traditional network programs such as telnet and ftp transmit data and passwords in plaintext, which is a serious weakness: an attacker only needs a packet-capture tool on the path to read important data, including passwords. SSH (Secure Shell) was designed to replace them; it was originally written in Finland by Tatu Ylönen in 1995 and later commercialised by his company. All data transmitted by SSH is encrypted, which prevents eavesdropping and, provided the client verifies the server's host key, also defeats man-in-the-middle attacks. SSH is an application-layer protocol that runs over TCP and listens on port 22 by default; unlike telnet it is a binary packet protocol, not a text protocol. OpenSSH is the free and open-source implementation of SSH maintained by the OpenBSD project. There are two main versions of the SSH protocol:
SSHv1 uses a CRC-32 checksum instead of a real MAC for integrity, which is insecure (the CRC-32 compensation attack) and is not recommended.
SSHv2 negotiates the cipher and MAC between the two hosts (the first algorithm in the client's preference list that the server also supports is used); key exchange is based on Diffie-Hellman; the server authenticates itself with an RSA or DSA host key, and the client decides whether to continue by checking that host key against its known_hosts list.
The SSHv2 connection sequence is shown in the figure below.
OpenSSH is installed by default on CentOS 6. Check the installed packages with:
[root@mylinux ~]# rpm -qa | grep ssh
openssh-clients-5.3p1-118.1.el6_8.x86_64   # OpenSSH client programs (ssh, scp, sftp, ssh-keygen)
libssh2-1.4.2-2.el6_7.1.x86_64             # SSH protocol implementation library used by other programs
openssh-5.3p1-118.1.el6_8.x86_64           # OpenSSH main package (shared files)
openssh-server-5.3p1-118.1.el6_8.x86_64    # OpenSSH server (sshd)
After OpenSSH is installed, a service named sshd exists on the system and is used to start and stop the server. By default sshd is enabled at boot in runlevels 2 to 5.
[root@mylinux ~]# chkconfig --list sshd
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
[root@mylinux ~]# chkconfig --level 2345 sshd off
[root@mylinux ~]# chkconfig --list sshd
sshd            0:off   1:off   2:off   3:off   4:off   5:off   6:off
[root@mylinux ~]# chkconfig --level 2345 sshd on
[root@mylinux ~]# service sshd start
[root@mylinux ~]# /etc/init.d/sshd stop
Stopping sshd:                                             [  OK  ]
[root@mylinux ~]# /etc/init.d/sshd start
Starting sshd:                                             [  OK  ]
[root@mylinux ~]# /etc/init.d/sshd status
openssh-daemon (pid 19535) is running...
2. OpenSSH configuration files
OpenSSH has two main configuration files, /etc/ssh/ssh_config and /etc/ssh/sshd_config, which configure the client and the server respectively. The /etc/ssh directory holds a few other system-level files as well:
moduli                  # Diffie-Hellman groups used for key exchange
ssh_config              # system-wide SSH client configuration
sshd_config             # sshd daemon configuration
ssh_host_dsa_key        # sshd DSA host private key (SSH2)
ssh_host_dsa_key.pub    # sshd DSA host public key (SSH2)
ssh_host_key            # RSA host private key for SSH1, needed to build the secure transport layer
ssh_host_key.pub        # RSA host public key for SSH1
ssh_host_rsa_key        # RSA host private key for SSH2
ssh_host_rsa_key.pub    # RSA host public key for SSH2
The private host keys must stay readable by root only (mode 0600); the corresponding .pub files are what clients fingerprint and verify on first connection.
Server configuration file /etc/ssh/sshd_config
/etc/ssh/sshd_config is the configuration file of the OpenSSH server; changing it changes how sshd runs (after service sshd reload or restart). Each line has the form 'option value'; option keywords are not case-sensitive, but values are. The listing below is the CentOS 6 default file with explanatory notes added as comments. Note that sshd rejects a trailing comment on an active option line ("garbage at end of line"), so the notes on uncommented options sit on their own comment lines.
[root@promote ssh]# cat sshd_config
#       $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22                      # port sshd listens on, default 22
#AddressFamily any
#ListenAddress 0.0.0.0        # IP address the sshd service binds to (default: all)
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
# note: only SSH protocol version 2 is accepted
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key          # SSH1 RSA host key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key      # SSH2 RSA host key
#HostKey /etc/ssh/ssh_host_dsa_key      # SSH2 DSA host key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h   # regenerate the SSH1 server key every hour
#ServerKeyBits 1024           # size in bits of the SSH1 server key

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH          # syslog facility sshd logs to; the compiled-in default is AUTH
# note: CentOS logs to AUTHPRIV (/var/log/secure)
SyslogFacility AUTHPRIV
#LogLevel INFO                # syslog log level

# Authentication:

#LoginGraceTime 2m            # time allowed to authenticate before the connection is dropped
#PermitRootLogin yes          # yes allows root to log in over ssh, no forbids it
#StrictModes yes              # check ownership and permissions of the user's home and key files before accepting a login
#MaxAuthTries 6               # at most 6 authentication attempts per connection
#MaxSessions 10               # maximum number of open sessions per network connection

#RSAAuthentication yes        # allow SSH1 RSA authentication
#PubkeyAuthentication yes     # allow public-key authentication
#AuthorizedKeysFile     .ssh/authorized_keys   # location of a user's authorized public keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no      # whether sshd ignores the user's ~/.ssh/known_hosts for host-based authentication
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes             # whether ~/.rhosts and ~/.shosts are ignored

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# note: password authentication is enabled
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
# note: PAM is used for authentication
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

#AllowAgentForwarding yes     # allow ssh-agent forwarding
#AllowTcpForwarding yes       # allow TCP port forwarding
#GatewayPorts no
#X11Forwarding no             # whether sshd allows X11 forwarding
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes             # send TCP keepalives to detect dead connections
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0        # seconds of inactivity before sshd sends a client-alive probe (0 = never)
#ClientAliveCountMax 3        # unanswered probes after which the session is dropped
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid    # file holding the daemon's process ID
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem       sftp    /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server
Client configuration file /etc/ssh/ssh_config
/etc/ssh/ssh_config holds the system-wide client defaults; each user can override them in ~/.ssh/config or on the command line. For every option the first value found wins, so host-specific entries belong at the top of the file and defaults at the bottom.
[root@promote home]# cat /etc/ssh/ssh_config
#       $OpenBSD: ssh_config,v 1.25 2009/02/17 01:28:32 djm Exp $

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

# Host *                           # hosts the following options apply to; '*' matches all
#   ForwardAgent no                # forward the authentication agent connection to the remote host
#   ForwardX11 no                  # automatically redirect X11 connections over the channel
#   RhostsRSAAuthentication no     # rhosts plus RSA host authentication (SSH1)
#   RSAAuthentication yes          # RSA authentication (SSH1)
#   PasswordAuthentication yes     # use password authentication
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   GSSAPIKeyExchange no
#   GSSAPITrustDNS no
#   BatchMode no                   # yes disables password/passphrase prompts (for scripts)
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity   # SSH1 RSA identity
#   IdentityFile ~/.ssh/id_rsa     # SSH2 RSA identity
#   IdentityFile ~/.ssh/id_dsa     # SSH2 DSA identity
#   Port 22                        # server port
#   Protocol 2                     # ssh protocol version
#   Cipher 3des                    # SSH1 cipher
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
#   EscapeChar ~                   # escape character
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
Host *
        GSSAPIAuthentication yes
# If this option is set to yes then remote X11 clients will have full access
# to the original X11 display. As virtually no X11 client supports the untrusted
# mode correctly we set this to yes.
        ForwardX11Trusted yes
# Send locale-related environment variables
        SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
        SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
        SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
        SendEnv XMODIFIERS
The Ciphers and MACs lists above are the 2009-era defaults; arcfour (RC4) and hmac-md5 have since been dropped from OpenSSH's defaults and should not be enabled on current systems.
3. Using the ssh and scp commands
Remote login with ssh
ssh is the encrypted remote login program provided by OpenSSH and replaces the insecure telnet and rsh. After logging in to a Linux server with ssh you can use the system exactly as you would over telnet, but ssh establishes an encrypted channel between client and server, so the session (including the password or key exchange) cannot be read on the wire. The command format is:
ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
    [-D [bind_address:]port] [-e escape_char] [-F configfile]
    [-I pkcs11] [-i identity_file]
    [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec]
    [-O ctl_cmd] [-o option] [-p port]
    [-R [bind_address:]port:host:hostport] [-S ctl_path]
    [-W host:port] [-w local_tun[:remote_tun]]
    [user@]hostname [command]
Common command options:
-1: force only the SSH1 version protocol to be used
-2: force only the SSH2 version protocol to be used
-4: force only the use of IPv4 addresses
-6: mandatory use of IPv6 addresses only
-A: enable forwarding of authentication proxy connections
-a: forbids forwarding of authentication proxy connections
-b bind_address: use bind_address as the source address of the connection
-C: compress all data
-D [bind_address:] port: specifies local dynamic application level port forwarding
-g: allow remote hosts to connect to local forwarding ports
-l login_name: specifies the user that SSH logs in to the remote host
-p port: specify the port to connect to
-q: quiet mode, suppresses most warning and diagnostic messages
-V: displays version information
-v: displays debugging information
-X: allow X11 connection forwarding
-x: forbids X11 connection forwarding
[root@promote home]# ifconfig        # IP of the current host
eth0      Link encap:Ethernet  HWaddr 00:0C:29:B7:AB:D0
          inet addr:192.168.191.128  Bcast:192.168.191.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:feb7:abd0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1002 errors:0 dropped:0 overruns:0 frame:0
          TX packets:669 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:90190 (88.0 KiB)  TX bytes:89614 (87.5 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:113 errors:0 dropped:0 overruns:0 frame:0
          TX packets:113 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:18338 (17.9 KiB)  TX bytes:18338 (17.9 KiB)

[root@promote home]# ssh 192.168.191.129   # connect to the remote host 192.168.191.129
The authenticity of host '192.168.191.129 (192.168.191.129)' can't be established.
RSA key fingerprint is c6:4b:1c:ca:5b:fd:9f:6e:7f:0a:20:59:9d:79:94:3f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.191.129' (RSA) to the list of known hosts.
reverse mapping checking getaddrinfo for promote.cache-dns.local [192.168.191.129] failed - POSSIBLE BREAK-IN ATTEMPT!
root@192.168.191.129's password:
Last login: Wed May 17 03:53:02 2017 from 192.168.191.1   # connected
[root@promote ~]# ifconfig        # IP of the host we are now logged in to
eth0      Link encap:Ethernet  HWaddr 00:0C:29:F0:56:04
          inet addr:192.168.191.129  Bcast:192.168.191.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fef0:5604/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:57 errors:0 dropped:0 overruns:0 frame:0
          TX packets:51 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:7404 (7.2 KiB)  TX bytes:6924 (6.7 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
Two things in this transcript deserve attention. The "(yes/no)?" prompt is the only moment at which a man-in-the-middle can be detected: the fingerprint shown should be compared with the one obtained from the server itself (for example ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub run on the console) before answering yes; once accepted, the key is stored in ~/.ssh/known_hosts and any later change of the server's key is rejected. The "POSSIBLE BREAK-IN ATTEMPT" warning here is not an attack indicator: it is printed because the reverse DNS name of 192.168.191.129 does not resolve back to that address, which is common in lab networks without proper PTR records.
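Because the prompt above is where a man-in-the-middle would be caught, the following added example (not from the original article) pins a server's host key from a fingerprint checked out of band, instead of typing yes and trusting whatever answered. It uses only awk, base64, md5sum and sed, and applies equally to scp, which consults the same known_hosts file. The key file is expected in OpenSSH public-key format ("type blob [comment]"), for instance a copy of the server's /etc/ssh/ssh_host_rsa_key.pub or the output of ssh-keyscan -t rsa HOST | cut -d' ' -f2-. The key blob, file names and function names below are constructed for the example; the host address reuses the article's lab machine.

```shell
#!/bin/sh
# Added example (not from the original article): pin a server's host key by
# fingerprint before trusting it, instead of answering "yes" blind.
#
# Workflow: obtain the host's public key (normally `ssh-keyscan -t rsa HOST`),
# compute its MD5 fingerprint the way OpenSSH 5.x prints it, compare it with
# the fingerprint obtained out of band (server console, configuration
# management, ...), and only then append the key to known_hosts.
#
# The key blob used in demo() is constructed for this example; it is not a
# real host key.

# MD5 fingerprint of the key in file $1, in the colon-separated form that
# OpenSSH 5.x prints (`ssh-keygen -lf`, or `ssh-keygen -l -E md5 -f` on
# newer versions): the MD5 digest of the base64-decoded key blob.
md5_fingerprint() {
    awk 'NR == 1 {print $2}' "$1" | base64 -d | md5sum | cut -c1-32 | sed 's/../&:/g; s/:$//'
}

# pin_host_key HOST KEYFILE EXPECTED_FINGERPRINT KNOWN_HOSTS
# Appends "HOST type blob" to KNOWN_HOSTS only when the fingerprint matches;
# returns 1 and adds nothing on a mismatch.
pin_host_key() {
    actual=$(md5_fingerprint "$2")
    if [ "$actual" != "$3" ]; then
        echo "REFUSING $1: fingerprint $actual does not match expected $3" >&2
        return 1
    fi
    awk -v h="$1" 'NR == 1 {print h, $1, $2}' "$2" >> "$4"
    echo "pinned $1 ($actual) in $4"
}

# Offline demonstration with a constructed key: the first pin succeeds, the
# second is rejected because the "expected" fingerprint is wrong.
demo() {
    d=$(mktemp -d)
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQDEMOKEYONEDEMOKEYONEDEMOKEYONEDEMOKEYONEAA constructed\n' > "$d/host.pub"
    fp=$(md5_fingerprint "$d/host.pub")   # stands in for the value read off the console
    pin_host_key 192.168.191.129 "$d/host.pub" "$fp" "$d/known_hosts"
    pin_host_key 192.168.191.129 "$d/host.pub" "00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff" "$d/known_hosts" || true
    rm -rf "$d"
}
demo
```

Once the key is pinned, connect with ssh -o StrictHostKeyChecking=yes user@host (or set StrictHostKeyChecking yes in ssh_config) so that an unknown or changed host key is refused rather than prompted for. On OpenSSH 6.8 and later the client prints SHA256 fingerprints by default; ssh-keygen -l -E md5 -f FILE shows the MD5 form used here, or compare the SHA256 form instead.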
Remote file copy with scp
scp (secure copy) provides the same remote file copying as rcp, but because it runs over SSH the transfer, and the password or key exchange, is encrypted, which makes it far safer than rcp. Its command format is:
scp [-1246BCpqrv] [-c cipher] [-F ssh_config] [-i identity_file]
    [-l limit] [-o ssh_option] [-P port] [-S program]
    [[user@]host1:]file1 ... [[user@]host2:]file2
Common command options:
-1: force only the SSH1 version protocol to be used
-2: force only the SSH2 version protocol to be used
-4: force only the use of IPv4 addresses
-6: mandatory use of IPv6 addresses only
-C: compress all data
-l limit: limit the bandwidth used, in Kbit/s
-P port: specify the port to connect
-r: copy all the contents of the directory recursively
-v: debug mode to display more output information
Copy a single file to the remote host
[root@mylinux ~]# scp mbr.dmp root@192.168.191.129:/home
reverse mapping checking getaddrinfo for promote.cache-dns.local [192.168.191.129] failed - POSSIBLE BREAK-IN ATTEMPT!
root@192.168.191.129's password:
mbr.dmp                                       100%  512     0.5KB/s   00:00
Copy an entire directory to the remote host
[root@mylinux ~]# scp -r /etc/yum.repos.d root@192.168.191.129:/home/
reverse mapping checking getaddrinfo for promote.cache-dns.local [192.168.191.129] failed - POSSIBLE BREAK-IN ATTEMPT!
root@192.168.191.129's password:
epel-testing.repo                             100% 1056     1.0KB/s   00:00
CentOS-Media.repo                             100%  630     0.6KB/s   00:00
epel.repo                                     100%  957     0.9KB/s   00:00
CentOS-Base.repo                              100% 1926     1.9KB/s   00:00
CentOS-Debuginfo.repo                         100%          0.6KB/s   00:00
CentOS-Vault.repo                             100% 3664     3.6KB/s   00:00
Use wildcards
[root@promote home]# scp -r /etc/httpd/* root@192.168.191.129:/home/
reverse mapping checking getaddrinfo for promote.cache-dns.local [192.168.191.129] failed - POSSIBLE BREAK-IN ATTEMPT!
root@192.168.191.129's password:
magic                                         100%   13KB  12.8KB/s   00:00
httpd.conf                                    100%   34KB  33.6KB/s   00:00
php.conf                                      100%  674     0.7KB/s   00:00
README                                        100%  392     0.4KB/s   00:00
welcome.conf                                  100%  299     0.3KB/s   00:00
access_log-20170512                           100%   34KB  34.2KB/s   00:00
error_log-20170512                            100% 3278     3.2KB/s   00:00
error_log                                     100%          0.0KB/s   00:00
access_log                                    100%          0.0KB/s   00:00
mod_proxy_ftp.so                              100%   35KB  34.8KB/s   00:00
mod_setenvif.so                               100%   14KB  14.2KB/s   00:00
mod_log_config.so                             100%   31KB  30.5KB/s   00:00
mod_cgid.so                                   100%   39KB  39.0KB/s   00:00
...
The wildcard is expanded by the local shell, not by scp. Note also that scp -r follows symbolic links: /etc/httpd/logs and /etc/httpd/modules on CentOS 6 are links to /var/log/httpd and /usr/lib64/httpd/modules, which is why the log files and the mod_*.so modules were copied along with the configuration. Check what a recursive copy will pull in before pointing it at a directory that may contain links to sensitive locations.
4. SSH hardening (optimization)
1. Only use SSH protocol 2 (Protocol 2 in sshd_config).
2. Limit which users may log in over SSH, with one of the two directives:
   AllowUsers   whitelist of users
   DenyUsers    blacklist of users
3. Configure an idle session timeout:
   ClientAliveInterval 300
   ClientAliveCountMax 0
   Caveat: the client answers these probes automatically, so this drops connections whose client has gone away rather than sessions that are merely idle; for a real idle logout set the shell's TMOUT. On OpenSSH 8.2 and later, ClientAliveCountMax 0 disables termination altogether, so use a small positive value such as 2 there.
4. Firewall port 22: use iptables to restrict which source addresses may reach the sshd service.
5. Change the SSH port and bind sshd to specific addresses:
   Port 300                   # do not use the default port 22
   ListenAddress 192.168.1.5
   ListenAddress 202.54.1.5
6. Use strong passwords and passphrases: long enough, complex enough, and changed regularly. The following bash function generates a random password of the requested length (default 20 characters):
   genpasswd() {
       local l=$1
       [ "$l" = "" ] && l=20
       tr -dc A-Za-z0-9_ < /dev/urandom | head -c ${l} | xargs
   }
7. Use public-key authentication instead of passwords.
8. Disable empty passwords (PermitEmptyPasswords no).
9. Thwart SSH crackers (brute-force attacks); a search for "ssh best practice" lists tools that block sources after repeated failures.
10. Rate-limit incoming connections to port 22.
11. Use a log analyzer: keep thorough logs (sshd logs to /var/log/secure on CentOS) and review them regularly.
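To turn the checklist above, and the sshd_config options from section 2, into something that can be checked on a host, here is an added example (not from the original article) that audits an sshd_config file. It parses the file the way sshd does: keywords are case-insensitive, '#' starts a comment, the first value found for a keyword is the effective one, and a Match block begins conditional overrides, so the global scan stops there. The defaults assumed for keywords that are not set are those of OpenSSH 5.3 on CentOS 6; the two sample configurations written by demo(), the temporary paths and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original article): audit an sshd_config
# against the hardening checklist. Sample configs are constructed below.

# Print the effective value of keyword $2 in config file $1, or the
# compiled-in default $3 when the keyword is not set before any Match block.
sshd_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        { sub(/#.*/, "") }                 # strip comments
        NF == 0 { next }                   # skip blank lines
        tolower($1) == "match" { exit }    # conditional block: global scan ends
        tolower($1) == key { print $2; found = 1; exit }   # first value wins
        END { if (!found) print def }
    ' "$1"
}

# check_opt KEYWORD ACTUAL WANTED WHY: print a finding and count it in $n.
check_opt() {
    if [ "$2" != "$3" ]; then
        echo "FINDING: $1 is '$2' (want $3): $4"
        n=$((n + 1))
    fi
}

# Audit one file: prints the findings and returns their number (0 = clean).
audit_sshd_config() {
    cfg=$1; n=0
    # third argument of sshd_opt = OpenSSH 5.3 default when the keyword is absent
    check_opt Protocol               "$(sshd_opt "$cfg" Protocol 2,1)"               2  "SSHv1 only has a CRC-32 integrity check"
    check_opt PermitRootLogin        "$(sshd_opt "$cfg" PermitRootLogin yes)"        no "log in unprivileged, then su or sudo"
    check_opt PasswordAuthentication "$(sshd_opt "$cfg" PasswordAuthentication yes)" no "keys cannot be guessed by a brute-force attack"
    check_opt PermitEmptyPasswords   "$(sshd_opt "$cfg" PermitEmptyPasswords no)"    no "empty passwords are an open door"
    interval=$(sshd_opt "$cfg" ClientAliveInterval 0)
    [ "$interval" -gt 0 ] || { echo "FINDING: ClientAliveInterval is 0: dead sessions are never dropped"; n=$((n + 1)); }
    port=$(sshd_opt "$cfg" Port 22)
    [ "$port" != 22 ] || { echo "FINDING: Port is 22: the first port every scanner and brute-forcer tries"; n=$((n + 1)); }
    users=$(sshd_opt "$cfg" AllowUsers "")
    [ -n "$users" ] || { echo "FINDING: no AllowUsers whitelist: every local account may attempt to log in"; n=$((n + 1)); }
    return "$n"
}

# Audit a config that keeps the CentOS 6 defaults and a hardened one
# (both constructed here, side by side).
demo() {
    d=$(mktemp -d)
    cat > "$d/weak.conf" <<'EOF'
#Port 22
Protocol 2
#PermitRootLogin yes
PasswordAuthentication yes
#ClientAliveInterval 0
EOF
    cat > "$d/hardened.conf" <<'EOF'
Port 2222
ListenAddress 192.168.1.5
Protocol 2
PermitRootLogin no
PasswordAuthentication no      # public keys only
PermitEmptyPasswords no
ClientAliveInterval 300
ClientAliveCountMax 2
AllowUsers admin deploy
Match User backup              # overrides below do not affect the global audit
    PasswordAuthentication yes
EOF
    for f in weak hardened; do
        echo "== $f.conf"
        if audit_sshd_config "$d/$f.conf"; then echo "   clean"; else echo "   $? finding(s)"; fi
    done
    rm -rf "$d"
}
demo
```

Run it as sh audit.sh after saving; to audit the live host, call audit_sshd_config /etc/ssh/sshd_config instead of demo. The script deliberately ignores Match blocks, which is what sshd does for connections the Match conditions do not cover; a per-user override such as the one for "backup" above still needs a manual look.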
That concludes this overview of remote connections with OpenSSH: the protocol versions, the server and client configuration files, the ssh and scp commands, and the hardening checklist.