Introduction of installation and basic configuration File of OpenSSH under Linux system

2025-02-28 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article introduces the installation of OpenSSH under Linux and its basic configuration file. Many people have questions about this, so the editor has consulted various sources and put together a simple, practical procedure. I hope it helps; please follow along.

Special attention is needed when installing and debugging SSH remotely: uninstalling OpenSSH may leave every tool that connects to the server over the SSH protocol (WinSCP, PuTTY, etc.) unable to log in. If you are working over a remote connection, it is best to enable Telnet first and make sure it starts at boot (another alternative remote management tool will also do), and only begin updating SSH once the client can connect through it. Otherwise, if sshd fails to start, the only remedy is a trip to the server room.

Uninstall the original SSH

By default, SSH is installed as a service and starts at boot, so stop the service first (this article uses RedHat 5.4):

The code is as follows:

service sshd stop

At this point it is recommended to back up the startup script /etc/init.d/sshd, because the compiled-and-installed OpenSSH below does not provide one. The backup is not entirely convenient to adapt, unless your installation directory below is the same as the original.

The code is as follows:

mv /etc/init.d/sshd /etc/init.d/sshd.old

Uninstall the package:

The code is as follows:

rpm -qa | grep openssh

Uninstall all the SSH packages in the output list. For uninstallation methods, please refer to:

Download and install the new OpenSSH

The code is as follows:

cd /tmp
wget http://ftp.jaist.ac.jp/pub/OpenBSD/OpenSSH/portable/openssh-5.9p1.tar.gz
tar xzvf openssh-5.9p1.tar.gz
cd openssh-5.9p1
./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-ssl-dir=/usr/local/openssl --with-md5-passwords --mandir=/usr/share/man --with-zlib=/usr/local/zlib2
make && make install

Note that in the ./configure command above, the default paths used by the author (Tianyuan) are as follows:

The code is as follows:

openssl -> /usr/local/openssl
zlib    -> /usr/local/zlib2

Make sure these paths match your system; if they differ, change them by hand. There are also other parameters, such as:

The code is as follows:

--bindir=/usr/bin --sbindir=/usr/sbin

These can be set as needed.

3. Query the SSH version

The code is as follows:

[root@localhost ~]# ssh -V

OpenSSH_5.9p1, OpenSSL 1.0.1 14 Mar 2012

4. Set the service to boot and run

1. Simple boot setting method

Because this OpenSSH was compiled and installed by hand, there is no sshd startup script, so the traditional method is to edit rc.local directly. Open /etc/rc.local and add:

The code is as follows:

/usr/sbin/sshd

This makes sshd start at boot.

2. Boot setting via chkconfig

Using chkconfig together with the sshd script backed up above is a little more work. First restore /etc/init.d/sshd:

The code is as follows:

mv /etc/init.d/sshd.old /etc/init.d/sshd

Then open /etc/init.d/sshd (the original startup script is a little over 4 KB; the main task is to confirm that the paths near the top are correct). The author (Tianyuan) has roughly sorted out the relevant part, which is mainly as follows (it may not be complete; please confirm it yourself and supplement as needed):

The code is as follows:

...
# source function library
. /etc/rc.d/init.d/functions

# pull in sysconfig settings
[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd

RETVAL=0
prog="sshd"
lockfile=/var/lock/subsys/$prog

# Some functions to make the below more readable
KEYGEN=/usr/bin/ssh-keygen
SSHD=/usr/sbin/sshd
RSA1_KEY=/etc/ssh/ssh_host_key
RSA_KEY=/etc/ssh/ssh_host_rsa_key
DSA_KEY=/etc/ssh/ssh_host_dsa_key
PID_FILE=/var/run/sshd.pid
...

Confirm these paths, modify them where necessary, and save the file.

Add as a service using chkconfig:

The code is as follows:

chkconfig --add sshd
chkconfig --level 2345 sshd on

This completes the setup.

Restart the computer or service

Start SSH:

The code is as follows:

service sshd start

Stop SSH:

The code is as follows:

service sshd stop

6. Detailed explanation of the OpenSSH server configuration file (sshd_config)

AcceptEnv

Specifies which environment variables sent by the client will be passed to the session environment. [note] only the SSH-2 protocol supports the passing of environment variables.

For details, please refer to the SendEnv configuration instructions in ssh_config.

The value of the directive is a space-separated list of variable names (in which '*' and '?' can be used as wildcards). Multiple AcceptEnv lines can also be used to the same effect.

Be warned that some environment variables could be used to bypass restricted user environments. For this reason, the directive should be used with care.

The default is not to pass any environment variables.

AddressFamily

Specify which address family sshd should use. The value range is: "any" (default), "inet" (IPv4 only), "inet6" (IPv6 only).

AllowGroups

This directive is followed by a list of group names separated by spaces ("*" and "?" wildcards can be used). All groups are allowed to log in by default.

If this directive is used, only members of these groups will be allowed to log in, and all other groups will be denied.

The "group" here refers to the "primary group", that is, the group specified in the /etc/passwd file.

Only group names are allowed here, not GIDs. The related allow/deny directives are processed in the following order:

DenyUsers, AllowUsers, DenyGroups, AllowGroups

AllowTcpForwarding

Whether to allow TCP forwarding. The default value is "yes".

Disabling TCP forwarding does not improve security unless users are also denied shell access, because users can install their own forwarders.

AllowUsers

This directive is followed by a list of user names separated by spaces ("*" and "?" wildcards can be used). All users are allowed to log in by default.

If this directive is used, only these users will be allowed to log in and all other users will be denied.

If a user in USER@HOST mode is specified, USER and HOST are checked at the same time.

Only user names are allowed here, not UIDs. The related allow/deny directives are processed in the following order:

DenyUsers, AllowUsers, DenyGroups, AllowGroups

AuthorizedKeysFile

Stores the RSA/DSA public key that the user can use to log in.

The following symbols that are expanded according to the actual situation at the time of the connection can be used in this directive:

%% stands for '%', %h for the user's home directory, and %u for the user's user name.

The expanded value must be either an absolute path or a path relative to the user's home directory.

The default value is ".ssh/authorized_keys".

Banner

The contents of the file specified by this directive are displayed to the remote user before the user authenticates.

This feature is only available for SSH-2, and nothing is displayed by default. "none" means to disable this feature.

ChallengeResponseAuthentication

Whether challenge-response authentication is allowed. The default is "yes".

All authentication methods allowed in login.conf are supported.

Ciphers

Specifies the encryption algorithm allowed by SSH-2. Multiple algorithms are separated by commas. The following algorithms can be used:

"aes128-cbc", "aes192-cbc", "aes256-cbc", "aes128-ctr", "aes192-ctr", "aes256-ctr"

"3des-cbc", "arcfour128", "arcfour256", "arcfour", "blowfish-cbc", "cast128-cbc"

The default value is that all of the above algorithms can be used.

ClientAliveCountMax

The maximum number of "alive" messages that sshd is allowed to send before receiving any client response. The default value is 3.

When this limit is reached, sshd will forcibly disconnect and close the session.

It is important to note that "alive" messages are very different from TCPKeepAlive.

"alive" messages are sent over the encrypted connection, so they cannot be spoofed; TCP keepalives can be.

If ClientAliveInterval is set to 15 and ClientAliveCountMax is left at its default, a client that does not reply will be forcibly disconnected after about 45 seconds. This directive can only be used with the SSH-2 protocol.

ClientAliveInterval

Sets a timeout in seconds. If no data has been received from the client for longer than this, sshd sends an "alive" message to the client through the secure channel and waits for a reply.

The default value of 0 means that no "alive" messages are sent. This option is valid only for SSH-2.

Compression

Whether to compress the communication data, or to delay compression until after authentication has succeeded.

Available values: "yes", "delayed" (default), "no".

DenyGroups

This directive is followed by a list of group names separated by spaces ("*" and "?" wildcards can be used). All groups are allowed to log in by default.

If this directive is used, members of these groups will be denied login.

The "group" here refers to the "primary group", that is, the group specified in the /etc/passwd file.

Only group names are allowed here, not GIDs. The related allow/deny directives are processed in the following order:

DenyUsers, AllowUsers, DenyGroups, AllowGroups

DenyUsers

This directive is followed by a list of user names separated by spaces ("*" and "?" wildcards can be used). All users are allowed to log in by default.

If this directive is used, these users will be denied login.

If a user is specified in USER@HOST form, USER and HOST are checked together.

Only user names are allowed here, not UIDs. The related allow/deny directives are processed in the following order:

DenyUsers, AllowUsers, DenyGroups, AllowGroups
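The evaluation order shared by DenyUsers, AllowUsers, DenyGroups and AllowGroups, worked through as an added example (illustration code written for this page, not part of the article or of OpenSSH). The policy dictionary is constructed, and the user's group names are passed in as a list:

```python
import fnmatch

def _user_matches(pattern, user, host):
    """One AllowUsers/DenyUsers pattern: USER, or USER@HOST, where both the
    user name and the client host (name or address) must match."""
    if "@" in pattern:
        user_pat, host_pat = pattern.split("@", 1)
        return (fnmatch.fnmatchcase(user, user_pat)
                and fnmatch.fnmatchcase(host, host_pat))
    return fnmatch.fnmatchcase(user, pattern)

def login_allowed(config, user, groups, host):
    """config maps a directive name to its list of patterns; an absent directive
    is unset, so everyone is allowed. groups are the user's group names (the
    article speaks of the primary group; a one-element list covers that).
    Returns (allowed, reason) after walking the directives in sshd's order:
    DenyUsers, AllowUsers, DenyGroups, AllowGroups."""
    deny_users = config.get("DenyUsers", [])
    allow_users = config.get("AllowUsers")
    deny_groups = config.get("DenyGroups", [])
    allow_groups = config.get("AllowGroups")

    if any(_user_matches(p, user, host) for p in deny_users):
        return False, "DenyUsers"
    if allow_users is not None and not any(
            _user_matches(p, user, host) for p in allow_users):
        return False, "AllowUsers"
    if any(fnmatch.fnmatchcase(g, p) for g in groups for p in deny_groups):
        return False, "DenyGroups"
    if allow_groups is not None and not any(
            fnmatch.fnmatchcase(g, p) for g in groups for p in allow_groups):
        return False, "AllowGroups"
    return True, "allowed"

# Constructed example policy: the guest account never logs in, nobody logs in
# from 10.0.0.x, alice may log in from anywhere else, bob only from
# 192.168.1.x, and in any case only members of admins or dev* groups.
EXAMPLE_CONFIG = {
    "DenyUsers": ["guest", "*@10.0.0.*"],
    "AllowUsers": ["alice", "bob@192.168.1.?"],
    "AllowGroups": ["admins", "dev*"],
}
```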

ForceCommand

Forces execution of the command specified here, ignoring any command supplied by the client. The command is run with the user's login shell (shell -c).

This applies to shell, command and subsystem execution, and is usually used inside Match blocks.

The command originally requested by the client is made available in the SSH_ORIGINAL_COMMAND environment variable.

GatewayPorts

Whether to allow the remote host to connect to the local forwarding port. The default is "no".

By default sshd binds remote port forwardings to the loopback address, which prevents other remote hosts from connecting to the forwarded port.

The GatewayPorts directive allows sshd to bind remote port forwardings to a non-loopback address, so that remote hosts can connect.

"no" means only local connections are allowed; "yes" forces remote port forwardings to be bound to the wildcard address; "clientspecified" lets the client choose which address the remote port forwarding is bound to.

GSSAPIAuthentication

Whether GSSAPI-based user authentication is allowed. The default is "no". For SSH-2 only.

GSSAPICleanupCredentials

Whether to automatically destroy the user credential cache after the user logs out. The default is "yes". For SSH-2 only.

HostbasedAuthentication

This directive is similar to RhostsRSAAuthentication, but applies only to SSH-2. Keeping the default "no" is recommended, which disables this unsafe authentication method.

HostbasedUsesNameFromPacketOnly

With HostbasedAuthentication turned on, this specifies whether the server performs a reverse DNS lookup when matching the remote hostname against ~/.shosts, ~/.rhosts and /etc/hosts.equiv.

"yes" means sshd trusts the hostname supplied by the client without a reverse lookup. The default is "no".

HostKey

The location of the host private key file. If the permissions are incorrect, sshd may refuse to start.

SSH-1 defaults to /etc/ssh/ssh_host_key.

SSH-2 defaults to /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key.

A host can have multiple different private keys. "rsa1" is for SSH-1 only, and "dsa" and "rsa" are for SSH-2 only.

IgnoreRhosts

Whether to ignore .rhosts and .shosts files during RhostsRSAAuthentication or HostbasedAuthentication.

However, /etc/hosts.equiv and /etc/shosts.equiv are still used. Keeping the default "yes" is recommended.

IgnoreUserKnownHosts

Whether to ignore the user's ~/.ssh/known_hosts file during RhostsRSAAuthentication or HostbasedAuthentication.

The default is "no". To improve security, you can set it to "yes".

KerberosAuthentication

Whether the password the user supplies for PasswordAuthentication must be validated by the Kerberos KDC, that is, whether Kerberos authentication is used.

To use Kerberos authentication, the server needs a Kerberos servtab that allows the KDC's identity to be verified. The default is "no".

KerberosGetAFSToken

If AFS is in use and the user has a Kerberos 5 TGT, turning this directive on makes sshd attempt to acquire an AFS token before accessing the user's home directory. The default is "no".

KerberosOrLocalPasswd

If Kerberos password authentication fails, the password is also checked through the other authentication mechanisms (such as /etc/passwd).

The default is "yes".

KerberosTicketCleanup

Whether to automatically destroy the user's ticket after the user logs out. The default is "yes".

KeyRegenerationInterval

Under the SSH-1 protocol, the short-lived server key is regenerated at the interval (in seconds) set by this directive.

This limits the damage if a key is compromised or stolen.

Set it to 0 to never regenerate; the default is 3600 (seconds).

ListenAddress

Specifies the network address that sshd listens on, and listens on all addresses by default. You can use the following format:

ListenAddress host|IPv4_addr|IPv6_addr
ListenAddress host|IPv4_addr:port
ListenAddress [host|IPv6_addr]:port

If port is not specified, the value of the Port directive is used.

Multiple ListenAddress directives can be used to listen on multiple addresses.

LoginGraceTime

The user must be successfully authenticated within the specified time limit. 0 means there is no limit. The default value is 120 seconds.

LogLevel

Specifies the log level (verbosity) of sshd. The available values are:

QUIET, FATAL, ERROR, INFO (default), VERBOSE, DEBUG, DEBUG1, DEBUG2, DEBUG3

DEBUG is equivalent to DEBUG1; DEBUG2 and DEBUG3 each produce more detailed and verbose output.

Logging more verbosely than DEBUG may reveal sensitive information about users, so it is not recommended.

MACs

Specifies which message digest algorithms are allowed in SSH-2 for data validation.

You can use a comma-separated list to specify that multiple algorithms are allowed. The default value, which includes all available algorithms, is:

hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha1-96,hmac-md5-96

Match

Introduces a conditional block. The block ends at the next Match directive or at the end of the file.

If all the conditions on the Match line are satisfied, the directives that follow override those of the global configuration.

The value of Match is one or more condition/pattern pairs. The available conditions are: User, Group, Host, Address.

Only the following directives can be used inside Match blocks:

AllowTcpForwarding, Banner, ForceCommand, GatewayPorts, GSSAPIAuthentication, KbdInteractiveAuthentication, KerberosAuthentication, PasswordAuthentication, PermitOpen, PermitRootLogin, RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset, X11Forwarding, X11UseLocalHost

MaxAuthTries

Specifies the maximum number of authentications allowed per connection. The default value is 6.

Once the number of failed authentication attempts exceeds half of this number, the connection is forcibly closed and additional failure messages are logged.

MaxStartups

The maximum number of unauthenticated connections allowed. The default value is 10.

When the limit is reached, new connections will no longer be accepted unless the previous connection authentication was successful or exceeded the LoginGraceTime limit.

PasswordAuthentication

Whether password-based authentication is allowed. The default is "yes".

PermitEmptyPasswords

Whether to allow users with empty passwords to log in remotely. The default is "no".

PermitOpen

Specifies the destinations to which TCP port forwarding is permitted; multiple destinations are separated by spaces. All forwarding requests are allowed by default.

The valid forms of the directive are:

PermitOpen host:port
PermitOpen IPv4_addr:port
PermitOpen [IPv6_addr]:port

"any" removes all restrictions and allows every forwarding request.

PermitRootLogin

Whether to allow root login. The available values are as follows:

"yes" (default) means root login is allowed; "no" means it is forbidden.

"without-password" means that root login with password authentication is disabled.

"forced-commands-only" means that root login with public key authentication is allowed only if a command option is specified on the key, and all other authentication methods are disabled for root. This value is commonly used for remote backups and the like.

PermitTunnel

Whether tun(4) device forwarding is allowed. The available values are as follows:

"yes", "point-to-point" (layer 3), "ethernet" (layer 2), "no" (default).

"yes" implies both "point-to-point" and "ethernet".

PermitUserEnvironment

Specifies whether sshd processes the ~/.ssh/environment file and the environment= options in ~/.ssh/authorized_keys.

The default is "no". If set to "yes", users may be able to use certain mechanisms (such as LD_PRELOAD) to bypass access controls, creating a security vulnerability.

PidFile

Specifies the file in which the process ID of the SSH daemon is stored. The default is /var/run/sshd.pid.

Port

Specifies the port number the sshd daemon listens on; the default is 22. Multiple Port directives can be used to listen on multiple ports.

By default sshd listens on all network interfaces of the machine, but ListenAddress can restrict it to a specific interface.

PrintLastLog

Specifies whether sshd prints the login time of the last user at each interactive login. The default is "yes".

PrintMotd

Specifies whether sshd prints the contents of the /etc/motd file at each interactive login. The default is "yes".

Protocol

Specifies the version number of the SSH protocol supported by sshd.

"1" and "2" mean that only SSH-1 or only SSH-2 is supported, respectively. "2,1" means that both SSH-1 and SSH-2 are supported.

PubkeyAuthentication

Whether public key authentication is allowed. Can only be used for SSH-2. The default is "yes".

RhostsRSAAuthentication

Whether to use strong trusted host authentication (authentication by checking the remote hostname and associated user name). For SSH-1 only.

This is verified by checking ~/.rhosts or /etc/hosts.equiv after the RSA host authentication has succeeded.

For security reasons, the default value "no" is recommended.

RSAAuthentication

Whether pure RSA public key authentication is allowed. For SSH-1 only. The default is "yes".

ServerKeyBits

Specifies the length of the temporary server key. For SSH-1 only. The default value is 768 bits. The minimum value is 512.

StrictModes

Specifies whether sshd checks the ownership and permissions of the user's home directory and related configuration files before accepting the connection request.

It is strongly recommended to keep the default "yes", which guards against common low-level mistakes such as world-writable files.

Subsystem

Configure an external subsystem (for example, a file transfer daemon). For SSH-2 protocols only.

The value is the name of a subsystem followed by the corresponding command line (with options and arguments), for example "sftp /bin/sftp-server".

SyslogFacility

Specifies the log subsystem (facility) through which sshd sends log messages. Valid values are:

DAEMON, USER, AUTH (default), LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7

TCPKeepAlive

Specifies whether the system sends TCP keepalive messages to the client. The default is "yes".

These messages detect problems such as dead connections, improperly closed connections and client crashes.

The feature can be turned off by setting it to "no".

UseDNS

Specifies whether sshd should reverse resolve the remote hostname to check that the hostname really corresponds to its IP address. The default is "yes".

UseLogin

Whether to use login during the login process of an interactive session. The default is "no".

If this directive is turned on, X11Forwarding is disabled, because login does not know how to handle xauth cookies.

Note that login is never used for remote command execution.

If UsePrivilegeSeparation is specified, it is disabled once authentication is complete.

UsePrivilegeSeparation

Whether sshd separates privileges by creating an unprivileged child process to handle incoming network traffic. The default is "yes".

After authentication succeeds, another child process is created that runs as the authenticated user.

The goal is to prevent privilege escalation through a flawed child process, making the system more secure.

UsePAM

Whether to log in using PAM.

X11DisplayOffset

Specifies the first display number available to sshd's X11 forwarding. The default value is 10.

This prevents sshd from occupying the display numbers of real X11 servers and causing confusion.

X11Forwarding

Whether X11 forwarding is allowed. The default is "no"; set it to "yes" to allow it.

If X11 forwarding is allowed and sshd's proxy display is configured to listen on a wildcard address (see X11UseLocalhost), additional information may be leaked. Because of the possible risks of X11 forwarding, the default is "no".

Note that disabling X11 forwarding does not prevent users from forwarding X11 traffic, because users can install their own forwarders.

If UseLogin is enabled, X11 forwarding is automatically disabled.

X11UseLocalhost

Whether sshd should bind the X11 forwarding server to the local loopback address. The default is "yes".

By default sshd binds the forwarding server to the loopback address and sets the hostname part of the DISPLAY environment variable to "localhost".

This prevents remote hosts from connecting to the proxy display. However, some older X11 clients do not work correctly in this configuration.

For compatibility with such old X11 clients, it can be set to "no".

XAuthLocation

Specifies the absolute path to the xauth program. The default is /usr/X11R6/bin/xauth.
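As an added example (not the article's own code, nor OpenSSH's), the parsing rules described above, first value wins and Match blocks override the global section until the next Match line, applied to a constructed sshd_config, followed by a check of the effective settings against the values this section recommends:

```python
import fnmatch

# Directive -> value the article recommends, and the default the article states
# for when a directive is absent (keys lower-cased, as sshd compares them).
RECOMMENDED = {
    "protocol": "2", "permitrootlogin": "no", "permitemptypasswords": "no",
    "permituserenvironment": "no", "strictmodes": "yes",
    "useprivilegeseparation": "yes", "hostbasedauthentication": "no",
    "ignorerhosts": "yes", "x11forwarding": "no",
}
DEFAULTS = {k: v for k, v in RECOMMENDED.items() if k != "protocol"}
DEFAULTS["permitrootlogin"] = "yes"   # the one stated default that is weak

# Constructed sample configuration (not taken from any real server).
SAMPLE_CONFIG = """
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
StrictModes yes
X11Forwarding yes
# a second PermitRootLogin is ignored: sshd keeps the first value it reads
PermitRootLogin no
Match User root Address 10.0.0.*
    PermitRootLogin forced-commands-only
    ForceCommand /usr/local/bin/run-backup
    X11Forwarding no
Match Group admins
    PasswordAuthentication no
"""

def parse_sshd_config(text):
    """Return (global_settings, match_blocks); each dict keeps the first
    occurrence of a keyword. A block is (conditions, settings) and runs to
    the next Match line or the end of the file."""
    global_settings, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            words = value.split()
            conds = {words[i].lower(): words[i + 1]
                     for i in range(0, len(words) - 1, 2)}
            current = (conds, {})
            blocks.append(current)
        else:
            (current[1] if current else global_settings).setdefault(key, value)
    return global_settings, blocks

def effective_settings(text, user, group, host, address):
    """Global settings overridden by every Match block whose conditions all
    hold. Condition values are comma-separated '*'/'?' patterns; real sshd
    also accepts CIDR ranges for Address, which this example does not."""
    global_settings, blocks = parse_sshd_config(text)
    facts = {"user": user, "group": group, "host": host, "address": address}
    from_match = {}
    for conds, settings in blocks:
        if all(any(fnmatch.fnmatchcase(facts.get(c, ""), p)
                   for p in pats.split(",")) for c, pats in conds.items()):
            for key, value in settings.items():
                from_match.setdefault(key, value)  # first matching block wins
    effective = dict(global_settings)
    effective.update(from_match)                   # Match overrides global
    return effective

def audit(text, user, group, host, address):
    """(directive, effective value, recommended) for each directive whose
    effective value, or stated default when unset, differs from the article."""
    effective = effective_settings(text, user, group, host, address)
    return [(key, found, wanted) for key, wanted in RECOMMENDED.items()
            for found in [effective.get(key, DEFAULTS.get(key))]
            if found is not None and found.lower() != wanted]
```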

This concludes the study of "the installation and basic configuration file of OpenSSH under the Linux system". I hope it has answered your questions. Combining theory with practice is the best way to learn, so go and try it! If you want to keep learning, please continue to follow the website; the editor will keep bringing you more practical articles.
