2025-01-16 Update. From: SLTechnology News&Howtos (Shulou.com)
1. Installation and configuration of SSH for CentOS
SSH is an acronym for Secure Shell, developed by the Network Working Group of the IETF. SSH is a security protocol built on the application layer and the transport layer.
Traditional network service programs, such as FTP, POP and Telnet, are inherently insecure because they transmit data, user accounts and passwords in clear text on the network, which leaves them vulnerable to man-in-the-middle attacks.
In such an attack, another person or machine pretends to be the real server to receive the data the user sends to the server, and then passes that data on to the real server while pretending to be the user.
SSH is currently a reliable protocol designed to provide security for remote login sessions and other network services. Using the SSH protocol can effectively prevent information leakage during remote management. All transmitted data can be encrypted through SSH, and DNS and IP spoofing can also be prevented.
Install SSH
[root@test1 ~]# yum install openssh-server
Start SSH
[root@test1 ~]# service sshd start
Start SSH at boot
[root@test1 ~]# chkconfig sshd on
Modification of SSH-related configuration files
First, open the SSH configuration file with vim and modify it as follows:
[root@test1 ~]# vim /etc/ssh/sshd_config
#Protocol 2,1 ← find this line, delete the leading "#", then delete the ",1" at the end of the line so that only SSH2 connections are allowed
↓
Protocol 2 ← the line after modification: SSH2 only
#ServerKeyBits 768 ← find this line, delete the leading "#", and change 768 to 1024
↓
ServerKeyBits 1024 ← the line after modification: the ServerKey strength is now 1024 bits
#PermitRootLogin yes ← find this line, delete the leading "#", and change yes to no
↓
PermitRootLogin no ← the line after modification: login as root is not allowed
#PasswordAuthentication yes ← find this line and change yes to no
↓
PasswordAuthentication no ← the line after modification: password login is not allowed
#PermitEmptyPasswords no ← find this line and delete the leading "#" so that login with an empty password is not allowed
↓
PermitEmptyPasswords no ← the line after modification: login with an empty password is prohibited
Then save and exit.
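A check of the edits above, as an added example (not part of the original article): it reads an sshd_config the way sshd does and reports which of the four access settings from this section are actually in force. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example. sshd honours the FIRST occurrence of a keyword, matches
# keywords case-insensitively, ignores '#' lines, and treats everything after
# a "Match" line as conditional, so only the global section is read here.

# effective_value FILE KEYWORD -> first uncommented global value, or nothing
effective_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0       { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# audit_sshd_config FILE -> one line per keyword; returns the number of findings
audit_sshd_config() {
    findings=0
    # Wanted values are the ones this section sets. ServerKeyBits is omitted:
    # it sizes the protocol 1 server key, which "Protocol 2" disables.
    while read -r key want; do
        got=$(effective_value "$1" "$key" | tr 'A-Z' 'a-z')
        if [ -z "$got" ]; then
            echo "WARN $key not set explicitly, built-in default applies (want $want)"
            findings=$((findings + 1))
        elif [ "$got" != "$want" ]; then
            echo "FAIL $key is '$got' (want $want)"
            findings=$((findings + 1))
        else
            echo "OK   $key $got"
        fi
    done <<EOF
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
EOF
    return "$findings"
}

# Constructed sample: a file in which only some lines have been edited.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#Protocol 2,1
Protocol 2
#PermitRootLogin yes
PasswordAuthentication yes
#PermitEmptyPasswords no
EOF
audit_sshd_config "$sample" || echo "$? finding(s)"
rm -f "$sample"
```

A line that is still commented out shows up as WARN rather than OK, because the value printed after the "#" is only documentation and sshd falls back to its built-in default.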
Because we only want the SSH service to make managing the system convenient, and we do not manage the system remotely over the external network, only intranet clients are allowed to log in to the server through SSH, to minimize exposure.
Modify the deny rule and add the corresponding line at the end of the file, as follows:
[root@test1 ~]# vim /etc/hosts.deny
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!
sshd: ALL ← add this line to block all SSH connection requests
[root@test1 ~]# vim /etc/hosts.allow ← modify the allow rule and add the corresponding line at the end of the file
#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
sshd: 192.168.0. ← add this line to allow only SSH connection requests from the intranet
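How the two files above combine, as an added example (not part of the original article): a small model of the TCP wrappers decision order, run against constructed copies of the two rules. It covers only the ALL wildcard, exact addresses and address prefixes ending in "."; the function names and the test addresses are assumptions.

```shell
#!/bin/sh
# Added example. Order used by TCP wrappers: a match in hosts.allow grants
# access; otherwise a match in hosts.deny refuses it; if neither file
# matches, access is granted.

# rule_matches FILE DAEMON IP -> status 0 if a "daemons: clients" line matches
rule_matches() {
    awk -F: -v d="$2" -v ip="$3" '
        /^[ \t]*#/ || NF < 2 { next }
        {
            nd = split($1, daemons, /[ \t,]+/)
            nc = split($2, clients, /[ \t,]+/)
            hit = 0
            for (i = 1; i <= nd; i++)
                if (daemons[i] == d || daemons[i] == "ALL") hit = 1
            if (!hit) next
            for (i = 1; i <= nc; i++) {
                c = clients[i]
                if (c == "") continue
                # a pattern ending in "." matches every address that starts with it
                if (c == "ALL" || c == ip || (c ~ /\.$/ && index(ip, c) == 1))
                    found = 1
            }
        }
        END { exit !found }
    ' "$1"
}

# tcpd_decision ALLOW_FILE DENY_FILE DAEMON IP -> prints "allow" or "deny"
tcpd_decision() {
    if rule_matches "$1" "$3" "$4"; then echo allow
    elif rule_matches "$2" "$3" "$4"; then echo deny
    else echo allow
    fi
}

# Constructed copies of the two rules added above, and constructed client IPs.
dir=$(mktemp -d)
printf 'sshd: ALL\n' > "$dir/hosts.deny"
printf 'sshd: 192.168.0.\n' > "$dir/hosts.allow"
for ip in 192.168.0.25 192.168.1.25 203.0.113.7; do
    echo "$ip -> $(tcpd_decision "$dir/hosts.allow" "$dir/hosts.deny" sshd "$ip")"
done
rm -rf "$dir"
```

The trailing dot in "192.168.0." is what makes the rule a prefix match; without it the pattern matches no client and every SSH connection falls through to the deny rule. sshd consults these files only when it is linked against libwrap, which ldd /usr/sbin/sshd | grep libwrap shows.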
After modifying the SSH configuration file, you need to restart the SSH service for the new settings to take effect:
[root@test1 ~]# service sshd restart
Stopping sshd: [OK]
Starting sshd: [OK]
At this point, a remote terminal (your own PC, etc.) can no longer log in to the server with an ordinary password using SSH client software.
So that the client can log in, we next create the public and private keys that the client will use to log in to the SSH server with key authentication.
Establishment of the public key and private key for SSH2:
Log in as a general user and create the public and private keys for this user
[root@test1 ~]# su - test1
[root@test1 ~]$ ssh-keygen -t rsa ← create the public and private keys
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kaz/.ssh/id_rsa): ← the file name of the key; press Enter to accept the default
Created directory '/home/kaz/.ssh'
Enter passphrase (empty for no passphrase): ← enter a passphrase
Enter same passphrase again: ← enter the passphrase again
Your identification has been saved in /home/kaz/.ssh/id_rsa.
Your public key has been saved in /home/kaz/.ssh/id_rsa.pub.
The key fingerprint is:
Tf:rs:e3:7s:28:59:5s:93:fe:33:84:01:cj:65:3b:8e centospub@sample.centospub.com
Then confirm that the public and private keys have been created, and do the processing needed for the client
[root@test1 ~]$ cd ~/.ssh ← enter the user's SSH configuration directory
[root@test1 ~]$ ls -l ← list the files
-rw------- 1 centospub centospub 951 Sep 4 19:22 id_rsa ← confirms that the private key has been created
-rw-r--r-- 1 centospub centospub 241 Sep 4 19:22 id_rsa.pub ← confirms that the public key has been created
[root@test1 .ssh]$ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys ← append the public key content to the corresponding file
[root@test1 .ssh]$ rm -f ~/.ssh/id_rsa.pub ← delete the original public key file
[root@test1 .ssh]$ chmod 400 ~/.ssh/authorized_keys ← set the permissions of the newly created public key file to 400
Then, transfer the private key securely to the PC that will connect to the server through SSH. Here, a 3.5-inch floppy disk is used as an example:
[root@test1 .ssh]$ exit ← log out of the general user (return to the root login)
[root@test1 ~]# mount /mnt/floppy/ ← mount the floppy drive
[root@test1 ~]# mv /home/centospub/.ssh/id_rsa /mnt/floppy/ ← move the newly created private key to the floppy disk
[root@test1 ~]# umount /mnt/floppy/ ← unmount the floppy drive
2. Several popular SSH client tools
As a Windows user, if you want to connect to a Linux server for file transfer, you need Secure Shell (SSH) software.
SSH is a network protocol that lets you connect to Linux and Unix servers over the network; it uses public key cryptography to authenticate the remote computer.
There are usually several ways to use SSH: connecting automatically, or logging in with password authentication.
Putty
Putty is the most famous SSH and telnet client, developed by Simon Tatham for the Windows platform.
Putty is open source software with its source code available, developed and supported by a group of volunteers.
Putty is easy to install and use, and most configuration options usually do not need to be changed.
Users only need to enter a few basic parameters to start a simple connection session.
SecureCRT
SecureCRT is an SSH client that provides both a terminal emulator and file transfer.
FileZilla
FileZilla is the most widely used free FTP client on Windows. It is open source software released under the GNU Public License.
The FileZilla client supports multiple platforms (Windows, Linux and Mac); as an FTP server, FileZilla only provides a Windows version.
Because FileZilla is open source software, advanced users can view the source code and modify it according to their needs.
For all users, FileZilla makes free, powerful and easy-to-use file transfer possible.
Users who like graphical interfaces can easily learn to use it by feel.
FileZilla does not support a CLI (command line interface).
FileZilla supports FTP, FTP encrypted by SSL/TLS (FTPS), and SSH FTP (SFTP).
Users can use them for reliable and secure file transfer.
FileZilla has many interesting features, including support for resuming transfers and for large files (> 4G).
Of course, there are many other features that make FileZilla the client with the largest number of users.
For example: IPv6 support, drag-and-drop support, support for http, socks5 and ftp-proxy,
remote file editing, and many other interesting features.
FileZilla is very flexible and easy to use. It can send and receive multiple files at the same time.
Today, these features have made FileZilla recognized as the most powerful file transfer tool.
WinSCP
WinSCP is a free open source FTP client for the Windows platform. There is no FTP server version of WinSCP.
The supported transport protocols are FTP, SFTP and SSH, as well as SCP (Secure Copy Protocol).
WinSCP's graphical user interface gives end users an intuitive interface, making it easier to use.
At the same time, WinSCP also provides a powerful command line interface for users who are used to working in a terminal.
WinSCP's scripting and automation features make task automation possible.
It also supports dragging and dropping files for transfer, as well as other Windows integration features,
such as desktop and quick launch icons, the "Send to" menu of the file browser, and so on.
WinSCP does not provide similar functionality on other operating systems.
XShell
First of all, let's explain the tool XShell, which can be used to remotely control Linux systems.
We can install this software on a Windows system to open a Linux terminal.
Here's how to install and configure XShell:
1. Create a new session.
2. Fill in the name and host for the connection. The protocol is SSH, and the rest is left at the defaults.
The host IP here is the IP address of the Linux system in the virtual machine.
We can get it by entering the ifconfig command in the CentOS terminal, which shows the IP address as in the following figure.
3. In the user authentication settings, just enter the user name. Leave the rest at the defaults.
4. After clicking the OK button, the dialog box in the following figure appears. Click Connect.
5. A dialog box will pop up here; click Accept and Save.
Then the session is created.
We can enter the command df to view the partition status of Linux
and make sure we are connected to the Linux system we expect.
Note: if the text in the created session is garbled, open the properties of the current session
and check whether the encoding is UTF-8.
3. Troubleshooting when SSH cannot connect
When I was working in the company, I encountered this situation:
Due to a wrong operation, the previous virtual machine and its systems were gone forever.
Later, I reinstalled and made an ssh connection, and found that the remote connection could not be established: the port 22 connection failed, but the host could be reached by ping.
Solving this problem took me a lot of time looking up information, and there are a variety of solutions written on the Internet.
After various attempts and guesses, it has finally been solved, and now I want to share it and learn with you.
The possible causes I guessed are as follows:
The IP is configured incorrectly, or the network connection was not restarted after the configuration was completed; but since ping works, this should not be the problem.
To be on the safe side, it was rebooted, but it still didn't work.
Turn off the firewall and selinux
[root@test1 ~]# setenforce 0            # switch SELinux to permissive mode (until the next reboot)
[root@test1 ~]# service iptables stop   # stop the iptables firewall
View the Red Hat firewall status from the command line:
[root@test1 ~]# service iptables status
Iptables: Firewall is not running.
Restart the SSH service
Log in to Linux as the root user, open the terminal, and run:
[root@test1 ~]# service sshd start
[root@test1 ~]# service sshd restart
Stopping sshd: [OK]
Starting sshd: [OK]
Check if the ssh-server service is installed
A minimal, text-only installation of Red Hat does not install the ssh-server service by default
[root@test1 ~]# yum install openssh-server* -y   # install the ssh-server service
[root@test1 ~]# netstat -tclnp | grep sshd       # check whether the sshd port is listening
sshd was now listening on port 22. Connecting again with xshell or xftp succeeded.
Check the SSH service configuration file
In addition, some versions of Linux do not allow root users to log in remotely, so you need to modify the settings.
[root@test1 ~]# vim /etc/ssh/sshd_config
PermitRootLogin no
This does not allow root users to log in remotely. You need to change it to PermitRootLogin yes and restart the sshd service.
[root@test1 ~]# vim /etc/ssh/sshd_config
PermitRootLogin yes
[root@test1 ~]# service sshd restart
Set the network connection mode
If ping also fails, you need to set the Network Adapter to "Bridged" in the virtual machine settings, because the default is "NAT".
View the virtual network editor configuration
After the gateway, subnet IP and DNS are set in the VMware virtual network editor,
you can normally open VMnet8 and see that its IPv4 address matches the subnet IP configured above.
I found that the IP of VMnet8 was gone, so I just went to the virtual network editor and reset it.
Summary:
After discovering a problem, the normal way of thinking should be to look for the root cause first; this time the search for the problem went somewhat astray.
I checked whether things were set up correctly before checking whether they existed at all, which was a waste of time. I hope everyone will pay attention to this in the future.