2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article explains how to install and configure OpenSSH. The content is simple and clear, and easy to learn and understand.
I. Overview
Traditional remote network access services are inherently insecure: they transmit passwords and data over the network in clear text, where they are easily intercepted, and their authentication methods are also open to man-in-the-middle attacks. With OpenSSH, all transmitted data is encrypted.
SSH consists of client-side and server-side software, and there are two incompatible versions, 1.x and 2.x, which require different clients. OpenSSH supports both SSH1 and SSH2.
II. Security verification methods of OpenSSH
OpenSSH provides two levels of authentication:
1. Password-based security authentication: anyone who knows an account name and password on the server can log in to the remote host. Passwords and data are encrypted during transmission.
2. Key-based security authentication: here you must create a key pair (an asymmetric key pair) for yourself on the remote server and put the public key in your own home directory on the remote server. You keep the private key yourself.
III. Required software
openssl-0.9.5a.tar.gz, download website: http://www.openssl.org
openssh-2.5.2p2.tar.gz, download website: http://www.openssh.org
IV. Installation steps
The following installation options can be adjusted to suit your own situation; if anything is unclear, refer to the README and INSTALL documentation. This environment assumes that all source files are under /var/tmp:
4.1 Install OpenSSL
[root@mail tmp] tar xzpf openssl-0.9.5a.tar.gz
[root@mail tmp] cd openssl-0.9.5a
[root@mail openssl-0.9.5a] ./config -t
[root@mail openssl-0.9.5a] ./config --prefix=/usr --openssldir=/etc/ssl
Edit the Makefile.ssl file to change MANDIR=$OPENSSL/man to MANDIR=/usr/man.
[root@mail openssl-0.9.5a] make
[root@mail openssl-0.9.5a] make test
[root@mail openssl-0.9.5a] make install
[root@mail openssl-0.9.5a] cd ..
[root@mail tmp] rm -rf openssl*
4.2 Install OpenSSH
Make sure that the zlib library is installed on your system before installing OpenSSL. Use the following command to check. If it is missing, do not hesitate: it is on your system installation CD. Install it now!
[root@mail tmp] rpm -qi zlib
[root@mail tmp] tar xzpf openssh-2.5.2p2.tar.gz
[root@mail tmp] cd openssh-2.5.2p2
[root@mail openssh-2.5.2p2] ./configure \
> --prefix=/usr \
> --sysconfdir=/etc/ssh \
> --with-tcp-wrappers \
> --with-ipv4-default \
> --with-ssl-dir=/usr/include/openssl
[root@mail openssh-2.5.2p2] make
[root@mail openssh-2.5.2p2] make install
[root@mail openssh-2.5.2p2] install -m 644 contrib/redhat/sshd.pam \
> /etc/pam.d/sshd
[root@mail openssh-2.5.2p2] cd ..
[root@mail tmp] rm -rf openssh*
5. Configure OpenSSH
5.1 To start the SSHD daemon from the inetd server, you only need to add the following line (it is recommended to change the line that starts the TELNET daemon, so that SSH completely replaces TELNET):
ssh stream tcp nowait root /usr/sbin/tcpd sshd -i
5.2 SSH client configuration file /etc/ssh/ssh_config. Generally speaking, the settings in this file are used only when the client does not specify the parameter itself, and clients on the Windows platform are used more frequently. It contains the following:
# $OpenBSD: ssh_config,v 1.9 2001-03-10 12:53:51 deraadt Exp $
Host *
ForwardAgent no
ForwardX11 no
RhostsAuthentication no
RhostsRSAAuthentication yes
RSAAuthentication yes
PasswordAuthentication no
FallBackToRsh no
UseRsh no
BatchMode no
CheckHostIP yes
StrictHostKeyChecking yes
IdentityFile ~/.ssh/identity
IdentityFile ~/.ssh/id_dsa
IdentityFile ~/.ssh/id_rsa1
IdentityFile ~/.ssh/id_rsa2
Port 22
Protocol 2,1
Cipher blowfish
EscapeChar ~
5.3 SSH server-side configuration file /etc/ssh/sshd_config. Refer to the user manual for the meaning of each of the following parameters. This example uses the second authentication method (key-based authentication) to improve security.
# $OpenBSD: sshd_config,v 1.34 2001-02-24 10:37:26 deraadt Exp $
Port 22
# Protocol 2,1
# ListenAddress 0.0.0.0
# ListenAddress ::
HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin without-password
#
# Don't read ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
# IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding no
X11DisplayOffset 10
PrintMotd yes
KeepAlive yes
# Logging
SyslogFacility AUTH
LogLevel INFO
# obsoletes QuietMode and FascistLogging
RhostsAuthentication no
#
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
#
RSAAuthentication yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no
# Comment to enable s/key passwords or PAM interactive authentication
# NB. Neither of these are compiled in by default. Please read the
# notes in the sshd(8) manpage before enabling this on a PAM system.
ChallengeResponseAuthentication no
# To change Kerberos options
# KerberosAuthentication no
# KerberosOrLocalPasswd yes
# AFSTokenPassing no
# KerberosTicketCleanup no
# Kerberos TGT Passing does only work with the AFS kaserver
# KerberosTgtPassing yes
# CheckMail yes
# UseLogin no
# MaxStartups 10:30:60
# Banner /etc/issue.net
# ReverseMappingCheck yes
# Subsystem sftp /usr/libexec/sftp-server
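Added example, not part of the original article: a shell check that reports any setting in an sshd_config file that differs from the key-only values used in section 5.3. The function name audit_sshd_config and the sample fragment are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): flag sshd_config settings that
# undo the key-only login configured in section 5.3.
# audit_sshd_config is a hypothetical helper name.
audit_sshd_config() {
    awk '
    BEGIN {
        # lower-cased keyword -> value used in the article
        want["passwordauthentication"] = "no"
        want["permitemptypasswords"] = "no"
        want["challengeresponseauthentication"] = "no"
        want["rhostsauthentication"] = "no"
        want["rhostsrsaauthentication"] = "no"
        want["ignorerhosts"] = "yes"
        want["strictmodes"] = "yes"
    }
    /^[ \t]*(#|$)/ { next }            # comments and blank lines
    {
        key = tolower($1)
        if (key in seen) next          # sshd keeps the first value it reads
        seen[key] = 1
        if ((key in want) && tolower($2) != want[key]) {
            printf "WEAK %s %s (article uses %s)\n", $1, $2, want[key]
            bad = 1
        }
    }
    END {
        for (k in want) if (!(k in seen)) {
            printf "UNSET %s (falls back to the built-in default)\n", k
            bad = 1
        }
        exit bad + 0
    }' "$1"
}

# Constructed sample: the second PasswordAuthentication line is ignored.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config fragment
PasswordAuthentication yes
passwordauthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
RhostsAuthentication no
RhostsRSAAuthentication no
IgnoreRhosts yes
EOF
audit_sshd_config "$sample" || true
rm -f "$sample"
```

The function exits non-zero when it reports anything. Some of the keywords checked here no longer exist in current OpenSSH releases, so the list applies to the version configured in this article.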
6. Generate authentication key
When using key authentication, the user must first generate his own key on the remote server; the following example describes the process:
6.1 generate a rsa1 authentication key for user robin on the server:
[root@mail tmp] su robin
[root@mail tmp] ssh-keygen
When this command runs, it asks where to store the key; just press Enter. When prompted for a passphrase, you are advised to enter an English sentence of not less than 10 characters to prevent your private key from being stolen by others. It generates two files in the current user's home directory:
~/.ssh/identity: robin's private key
~/.ssh/identity.pub: robin's public key
6.2 Don't forget to rename identity.pub:
[root@mail .ssh] mv identity.pub authorized_keys
6.3 Copy the identity file to a safe place and delete it from your home directory on the server.
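Added example, not part of the original article: step 6.2 done by appending the public key instead of renaming it, so an existing authorized_keys file is not overwritten, with the file modes that `StrictModes yes` (section 5.3) checks. The function name install_pubkey and the key line in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): step 6.2 done by appending the
# public key instead of renaming it over authorized_keys.
# install_pubkey is a hypothetical helper name.
install_pubkey() {
    # $1 = public key file, $2 = home directory of the account
    pub=$1; home=$2; auth=$home/.ssh/authorized_keys
    [ -s "$pub" ] || { echo "no public key in $pub" >&2; return 1; }
    # Both the rsa1 "identity" file and PEM keys carry this marker.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub is a private key, refusing" >&2
        return 1
    fi
    # StrictModes yes: no group/world write on home, .ssh or the key file.
    mkdir -p "$home/.ssh" || return 1
    chmod go-w "$home" && chmod 700 "$home/.ssh" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    # Append each key once; keys already authorized stay in place.
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        grep -qxF -e "$line" "$auth" || printf '%s\n' "$line" >> "$auth"
    done < "$pub"
}

# Constructed demo in a throwaway directory; the key line is made up.
demo=$(mktemp -d)
printf '1024 35 1234567890123 robin@mail\n' > "$demo/identity.pub"
install_pubkey "$demo/identity.pub" "$demo"
install_pubkey "$demo/identity.pub" "$demo"   # second run adds nothing
cat "$demo/.ssh/authorized_keys"
rm -rf "$demo"
```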
7. Log in using PuTTY client
Finally, it's time to test the results of our work. As the SSH client on the Windows platform I recommend PuTTY, which is easy to use and, unlike some other clients, does not support only password-based security authentication. You can download it here:
http://www.chiark.greenend.org.uk/~sgtatham/putty.html
When connecting to the server, don't forget to specify the location of your private key under Connection -> SSH. Enter the passphrase you chose when you created the key, and if nothing goes wrong, you can safely control your server.