
Batch Distribution and Management of SSH

2025-02-25 Update From: SLTechnology News&Howtos (shulou)

Shulou(Shulou.com)06/03 Report--

I. Introduction to the SSH service

SSH (Secure Shell) is a protocol standardized by the IETF (the secsh working group; RFCs 4251 to 4254). Every packet of a session is encrypted and integrity-protected before it leaves the client or the server, so login credentials and session data can neither be read nor altered in transit.

SSH was designed for remote login sessions and for other services carried over the network (file transfer, port forwarding). Using it prevents the credential and data leakage that comes with remote management over plaintext protocols, which is why practically every production environment has replaced telnet, rsh and similar insecure remote-access tools with SSH.

SSH service structure:

An SSH service has two halves: the server daemon (sshd from OpenSSH on almost all Linux hosts) and a client (the OpenSSH ssh command, or SecureCRT, Xshell and PuTTY on Windows). sshd listens on TCP port 22 by default. Two incompatible protocol versions exist, SSH-1 and SSH-2; SSH-1 has long-known design weaknesses and modern OpenSSH no longer supports it, so only SSH-2 should be in use.

II. SSH service authentication types

Seen from the client, sshd offers two main authentication methods:

1. Password authentication: the user's system password is sent inside the encrypted session.

2. Key-pair (public-key) authentication: the client proves possession of a private key whose public half is listed in ~/.ssh/authorized_keys of the target account. The key generation step differs between a Windows client (the key pair is generated in the client tool, for example PuTTYgen, Xshell or SecureCRT) and a Linux client (ssh-keygen); the server side is the same either way.

III. SSH service optimization

Modify /etc/ssh/sshd_config (not sshd.conf), check the result with sshd -t, then restart sshd:

Port 52113                 # move sshd off the default port; it does not stop a targeted attacker but removes most scanner noise
PermitRootLogin no         # root is the one account name everybody knows; do not let it log in remotely
PermitEmptyPasswords no    # refuse accounts whose password is empty
UseDNS no                  # skip the reverse DNS lookup of the client address, which otherwise delays each login
GSSAPIAuthentication no    # skip the GSSAPI negotiation, which also speeds up connection setup
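As an added example (not part of the original article), the bash audit below reads an sshd_config and reports which of the five directives above are missing or still at their weak values, so the change can be verified on every managed host before sshd is restarted. It assumes the hardened values shown above (a non-default port and the four "no" settings); the two sample config files it writes are constructed for the demonstration and stand in for no real host.

```shell
#!/bin/bash
# Added example (not from the original article): audit an sshd_config against the
# hardened directives above. Directive names are matched case-insensitively, as sshd
# does. sshd uses the FIRST value it reads for a directive, and anything after the
# first "Match" line applies only conditionally, so only the global section is read.
# (The rarer "Keyword=value" spelling is not handled.)

# Print the effective value of directive $2 in config file $1 (empty if not set).
sshd_setting() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }                       # end of the global section
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Compare directive $2 of file $1 with the expected value $3. Prints one line;
# returns 0 when it matches, 1 when it is missing or set to something else.
check_directive() {
    local file=$1 key=$2 want=$3 actual
    actual=$(sshd_setting "$file" "$key")
    if [ -z "$actual" ]; then
        echo "WARN $key not set: the compiled-in default applies, expected '$want'"
        return 1
    fi
    if [ "$(printf '%s' "$actual" | tr 'A-Z' 'a-z')" != "$want" ]; then
        echo "FAIL $key is '$actual', expected '$want'"
        return 1
    fi
    echo "OK   $key $actual"
}

# Audit file $1: one line per directive; the return value is the number of findings.
audit_sshd_config() {
    local file=$1 findings=0 port
    port=$(sshd_setting "$file" Port)
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "FAIL Port is ${port:-unset} (sshd listens on 22), expected a non-default port"
        findings=$((findings + 1))
    else
        echo "OK   Port $port"
    fi
    check_directive "$file" PermitRootLogin      no || findings=$((findings + 1))
    check_directive "$file" PermitEmptyPasswords no || findings=$((findings + 1))
    check_directive "$file" UseDNS               no || findings=$((findings + 1))
    check_directive "$file" GSSAPIAuthentication no || findings=$((findings + 1))
    return "$findings"
}

# --- demonstration on two constructed config files (no real host involved) ---
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
# Stock-style config: port commented out, root login allowed, GSSAPI on, and the
# remaining two directives present only inside a Match block, i.e. not set globally.
cat > "$WORKDIR/sshd_config.weak" <<'EOF'
#Port 22
PermitRootLogin yes
GSSAPIAuthentication yes
Match Address 192.168.1.0/24
    PermitEmptyPasswords no
    UseDNS no
EOF
# Hardened as in section III (directive and value spelling deliberately mixed-case).
cat > "$WORKDIR/sshd_config.hardened" <<'EOF'
Port 52113
permitrootlogin No
PermitEmptyPasswords no
UseDNS no
GSSAPIAuthentication no
EOF
for cfg in "$WORKDIR/sshd_config.weak" "$WORKDIR/sshd_config.hardened"; do
    echo "== $cfg"
    rc=0; audit_sshd_config "$cfg" || rc=$?
    echo "findings: $rc"
done
```

The weak file yields five findings (two of them because the directives only appear inside the Match block), the hardened file none. Pair the audit with sshd -t -f /etc/ssh/sshd_config for a syntax check, and remember that moving the port requires opening it in the firewall (and, on SELinux hosts, semanage port -a -t ssh_port_t -p tcp 52113) before sshd is restarted, otherwise the next connection attempt locks you out of the host.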

IV. Practical batch distribution management with SSH

Bulk distribution of data or files

(1) Add the system account and set its password

[root@A ~]# useradd fenfa
[root@A ~]# id fenfa
uid=503(fenfa) gid=503(fenfa) groups=503(fenfa)
[root@A ~]# echo 123456 | passwd --stdin fenfa

(passwd --stdin is a Red Hat extension; typed this way the password also ends up in the shell history, so clear it or set the password interactively on production hosts.)

Note: the same user must exist on every managed host, because the public key will be installed into that account there.

(2) Create a key pair

[fenfa@A ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/fenfa/.ssh/id_dsa):     # press Enter
Created directory '/home/fenfa/.ssh'.
Enter passphrase (empty for no passphrase):                        # press Enter
Enter same passphrase again:                                       # press Enter
Your identification has been saved in /home/fenfa/.ssh/id_dsa.
Your public key has been saved in /home/fenfa/.ssh/id_dsa.pub.
The key fingerprint is:
0e:99:ef:7f:2d:5c:36:88:79:09:7a:89:e0:d1:f7:fc fenfa@A
The key's randomart image is:
+--[ DSA 1024]----+
(randomart image omitted)
+-----------------+

By default, two files are created under the fenfa user's home directory, /home/fenfa/.ssh:

id_dsa.pub # public key, mode 644, distributed to the hosts to be managed

id_dsa # private key, mode 600, kept locally and never copied anywhere

Two caveats. DSA keys are fixed at 1024 bits and OpenSSH 7.0 and later refuse them by default, so on current systems generate the pair with ssh-keygen -t ed25519 (or -t rsa -b 4096 where very old hosts must be reached). And an empty passphrase means that anyone who can read id_dsa can log in to every managed host; keep ~/.ssh at mode 700 and treat the distribution host as sensitively as the hosts it manages.

(3) Push the public key to the managed hosts

This example pushes the key to host 192.168.0.111; 192.168.0.112 is done the same way. Afterwards a small file is copied to both hosts to confirm that no password is asked any more.

[fenfa@A ~]$ ssh-copy-id -i .ssh/id_dsa.pub "-p 22 fenfa@192.168.0.111"
[fenfa@A ~]$ echo 123 > a.txt
[fenfa@A ~]$ ll
total 4
-rw-rw-r-- 1 fenfa fenfa 4 Jul 26 00:00 a.txt
[fenfa@A ~]$ cat a.txt
123
[fenfa@A ~]$ scp -P22 a.txt fenfa@192.168.0.111:~
a.txt                                        100%    4     0.0KB/s   00:00
[fenfa@A ~]$ scp -P22 a.txt fenfa@192.168.0.112:~
a.txt                                        100%    4     0.0KB/s   00:00

The whole "-p 22 fenfa@192.168.0.111" string is passed as one argument because older versions of ssh-copy-id had no port option and simply appended their last argument to the ssh command line; ssh-copy-id from OpenSSH 6.5 onwards accepts -p 22 fenfa@192.168.0.111 directly. ssh-copy-id appends the public key to ~/.ssh/authorized_keys of the fenfa account on the remote host, which is why that account has to exist there first.

Bulk distribution script:

① Build the address list of the managed hosts

② Write the bulk distribution script

Example: distribute test.txt from the home directory of the distribution host (192.168.1.114) to the managed hosts (192.168.1.113 and 192.168.1.115).

[fenfa@server_04 ~]$ cat ip.txt
192.168.1.113
192.168.1.115
[fenfa@server_04 ~]$ cat plfenfa.sh
#!/bin/bash
. /etc/profile
. /etc/init.d/functions
File_name=test.txt
File_dir=/home/fenfa
Fenfa_user=fenfa
for ip in `cat /home/fenfa/ip.txt`
do
    # report rsync's real result: the original always passed /bin/true to action,
    # so a failed push was still printed as [ OK ]
    if rsync -avz -e "ssh -p52113" ${File_dir}/$File_name ${Fenfa_user}@$ip:~
    then
        action "${Fenfa_user}@$ip ${File_dir}/$File_name copy" /bin/true
    else
        action "${Fenfa_user}@$ip ${File_dir}/$File_name copy" /bin/false
    fi
done
[fenfa@server_04 ~]$ sh plfenfa.sh
sending incremental file list
test.txt

sent 91 bytes  received 37 bytes  256.00 bytes/sec
total size is 9  speedup is 0.07
fenfa@192.168.1.113 /home/fenfa/test.txt copy                    [  OK  ]
sending incremental file list
test.txt

sent 91 bytes  received 31 bytes  244.00 bytes/sec
total size is 9  speedup is 0.07
fenfa@192.168.1.115 /home/fenfa/test.txt copy                    [  OK  ]

Summary:

1) Password-free login is one-way (distribution host -> managed host); the managed hosts gain no access back to the distribution host.

2) It is per-user: the key belongs to fenfa on the distribution host and authorizes fenfa on the managed hosts. Do not mix users, or the authorized_keys entries become hard to trace and to revoke.

3) The initial ssh-copy-id still needs the password of fenfa on each managed host, and the first connection asks you to confirm the host key fingerprint. Verify that fingerprint against the host itself rather than typing "yes" blindly, because a key accepted from an impostor at this point is trusted for every later connection.
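The script above stops and waits for a password whenever a key was not installed, and reports every push as OK. As an added example (not the article's plfenfa.sh), here is a batch push that never prompts, refuses unknown host keys instead of accepting them, rejects malformed entries in the host list, and returns the number of hosts that failed. The host-file format (one host per line, "#" comments allowed), the fake_rsync stand-in and the sample host list are hypothetical and constructed for the offline demonstration; no host is contacted when it runs.

```shell
#!/bin/bash
# Added example, not the article's plfenfa.sh: a batch push that reports the real
# per-host result and never stops to ask for a password. Assumed (hypothetical)
# layout: managed hosts listed one per line in a host file, same account and port
# as in the article; the host list and payload below are constructed for the demo.

FENFA_USER=${FENFA_USER:-fenfa}
SSH_PORT=${SSH_PORT:-52113}
RSYNC_BIN=${RSYNC_BIN:-rsync}   # the transport; the demo points it at a shell function

# Print the usable entries of host file $1: '#' comments and blank lines are dropped,
# and anything that is not a plain hostname or IPv4 literal is rejected, so a stray
# shell metacharacter in the list can never reach the remote command line.
read_hosts() {
    awk '{ sub(/#.*/, ""); gsub(/[[:space:]]/, "") }
         /^[A-Za-z0-9.-]+$/ { print }' "$1"
}

# Push file $2 into the home directory of $FENFA_USER on host $1.
# BatchMode=yes: fail instead of prompting when the key is not installed (summary
# point 3); StrictHostKeyChecking=yes: refuse unknown or changed host keys instead
# of silently accepting them; ConnectTimeout keeps a dead host from hanging the run.
push_one() {
    local host=$1 src=$2
    "$RSYNC_BIN" -az \
        -e "ssh -p $SSH_PORT -o BatchMode=yes -o StrictHostKeyChecking=yes -o ConnectTimeout=5" \
        "$src" "${FENFA_USER}@${host}:~/"
}

# Push file $2 to every host in host file $1; prints OK/FAIL per host and returns the
# number of hosts that failed, so the caller can tell a clean run from a partial one.
push_all() {
    local hostfile=$1 src=$2 host failed=0
    for host in $(read_hosts "$hostfile"); do
        if push_one "$host" "$src" >/dev/null 2>&1; then
            echo "OK   ${FENFA_USER}@${host} ${src##*/}"
        else
            echo "FAIL ${FENFA_USER}@${host} ${src##*/}"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# --- offline demonstration with constructed data; no host is contacted ---
# Stand-in for rsync: "fails" for one address so the tally is visible. rsync's last
# argument is the destination, so that is what it inspects.
fake_rsync() {
    local last
    for last; do :; done
    case "$last" in *@192.168.1.115:*) return 23 ;; *) return 0 ;; esac
}

HOSTFILE=$(mktemp)
trap 'rm -f "$HOSTFILE" "$HOSTFILE.payload"' EXIT
cat > "$HOSTFILE" <<'EOF'
# constructed list of managed hosts
192.168.1.113
192.168.1.115   # made to fail by fake_rsync

192.168.1.117; touch /tmp/pwned   # rejected by read_hosts, never reaches ssh
EOF
printf 'hello\n' > "$HOSTFILE.payload"

demo() {
    local RSYNC_BIN=fake_rsync          # dynamic scope: push_one sees the stand-in
    local rc=0
    push_all "$HOSTFILE" "$HOSTFILE.payload" || rc=$?
    echo "hosts that failed: $rc"
}
demo
```

For a real run, drop the demonstration part and call push_all /home/fenfa/ip.txt /home/fenfa/test.txt; the exit status is the number of hosts that did not receive the file, which a cron job or a CI step can act on. StrictHostKeyChecking=yes presupposes that each managed host's key is already in ~/.ssh/known_hosts, which is exactly the "confirm the first connection" step from the summary, done once and deliberately rather than by auto-answering "yes" in a loop.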

(6) Raise the rights of the distribution user fenfa with sudo

As root, run visudo and add the following at the end of the file:

fenfa ALL=(ALL) NOPASSWD:/bin/cp

(Usernames in sudoers are case-sensitive; the account created above is fenfa, not Fenfa.)

Description:

fenfa       the user who may use sudo
ALL         the hosts on which the rule applies
(ALL)       the users the command may be run as
NOPASSWD    no password is asked
/bin/cp     the commands that may be run through sudo; NOPASSWD:ALL would allow every command

Bear in mind that an unrestricted cp as root is root-equivalent: it can overwrite /etc/sudoers, /etc/shadow or root's authorized_keys. Whoever holds fenfa's private key therefore holds root on every managed host. Restrict the rule to the exact source and destination paths the distribution needs, and protect the key accordingly.

Root can also edit /etc/sudoers with vim directly and add the same line, but visudo is preferred: it locks the file and checks the syntax before saving, whereas a syntax error written with a plain editor disables sudo for everyone on the host.

V. Using an expect script to distribute the SSH key without interaction

1) Install the expect runtime (for example, yum install -y expect on CentOS/RHEL)

2) Example of non-interactive batch distribution with expect

There are two parts: fenfa_sshkey.exp, which drives one ssh-copy-id session, and fenfa.sh, which loops over the hosts and calls it. To use it, run fenfa.sh directly (as root).

[root@server_05 scripts]# cat fenfa_sshkey.exp
#!/usr/bin/expect
if { $argc != 2 } {
    send_user "usage: expect fenfa_sshkey.exp file host\n"
    exit 1
}
# define var
set file [lindex $argv 0]
set host [lindex $argv 1]
set password "123456"   ;# password of the distribution account on the managed host
set user "fenfa"        ;# distribution account
set port "52113"        ;# ssh port of the managed host
# single quoted argument: the form the old ssh-copy-id expects (see section IV)
spawn ssh-copy-id -i $file "-p $port $user@$host"
expect {
    "yes/no"    { send "yes\r"; exp_continue }
    "*password" { send "$password\r" }
}
expect eof
# propagate ssh-copy-id's exit status, otherwise the caller always sees success
catch wait result
exit [lindex $result 3]
[root@server_05 scripts]# cat fenfa.sh
#!/bin/bash
. /etc/init.d/functions
Ipaddr_head=192.168.1
User=fenfa
Port=52113            # must match the port set in fenfa_sshkey.exp
Commond_dir=/usr/bin
if [ $UID -ne 0 ]
then
    echo "Error:Please use root account to exec this script!"
else
    for n in `seq 5`
    do
        # the expect wrapper answers the prompts; ssh-copy-id alone would stop and ask
        ${Commond_dir}/expect fenfa_sshkey.exp /home/${User}/.ssh/id_dsa.pub ${Ipaddr_head}.$n >/dev/null 2>&1
        if [ $? -eq 0 ]
        then
            action "${Ipaddr_head}.$n copy ssh_key..." /bin/true
        else
            action "${Ipaddr_head}.$n copy ssh_key..." /bin/false
        fi
    done
fi

Two things to weigh before using this in production. The account password sits in cleartext in fenfa_sshkey.exp, so the file must be readable by root only (chmod 600) and the password should be changed, or password login for fenfa disabled altogether, once the keys are in place. Second, the script answers "yes" to the host-key prompt automatically, which throws away the first-connection check from the summary in section IV: a host swapped or spoofed on the network at the moment of distribution would receive the key and the password without anyone noticing. Pre-seeding ~/.ssh/known_hosts with fingerprints verified out of band (for example read off the console of each host) keeps the distribution non-interactive without that blind trust.
