Shulou (Shulou.com) 06/01 Report, updated 2025-04-04. From: SLTechnology News&Howtos > Servers
This article explains the steps for configuring an SSH server on Ubuntu. The content is kept simple and clear, so follow along with the editor and work through "ubuntu configuration ssh server steps" step by step.
SSH Server Configuration Guide
1. A brief introduction to SSH
SSH (Secure Shell) is a protocol that provides secure communication for applications; a server can be accessed securely over SSH. Because SSH is built on a mature public-key cryptosystem, it encrypts data in transit so that the data cannot be maliciously tampered with, destroyed or leaked along the way, which effectively prevents attacks such as network sniffing and IP spoofing.
2. Installing the OpenSSH server on Ubuntu (server side)
SSH was developed by a Finnish company, but because of copyright and encryption-algorithm restrictions many people have switched to OpenSSH. OpenSSH is a free alternative to SSH.
The following commands are run as the administrator (root).
1. Use the apt command in an Ubuntu terminal
The code is as follows:
# apt-get install openssh-server
If the download fails, the package index is probably out of date; update it and try again. Use the following command:
The code is as follows:
# apt-get update
2. Configure the OpenSSH server. Modify the daemon's configuration file as needed.
The code is as follows:
# vi /etc/ssh/sshd_config
3. Restart the SSH service
The code is as follows:
# /etc/init.d/ssh restart
With that, the installation of the OpenSSH server is complete.
Configure the "/etc/ssh/ssh_config" file
The "/etc/ssh/ssh_config" file is the OpenSSH system-wide client configuration file; the options set in it change how the client programs behave. Every line of the file holds a keyword-value pair, and the keyword is case-insensitive. The most important keywords are listed below; a detailed list can be obtained from the manual page ssh(1) with the man command.
Edit the "ssh_config" file (vi /etc/ssh/ssh_config) to add or change the following parameters:
The code is as follows:
# Site-wide defaults for various options
Host *
ForwardAgent no
ForwardX11 no
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
FallBackToRsh no
UseRsh no
BatchMode no
CheckHostIP yes
StrictHostKeyChecking no
IdentityFile ~/.ssh/identity
Port 22
Cipher blowfish
EscapeChar ~
The above option settings are explained line by line below. Note that several of them (RhostsAuthentication, RhostsRSAAuthentication, RSAAuthentication, FallBackToRsh, UseRsh and the single-cipher Cipher keyword) are obsolete SSH protocol version 1 or rsh-era options that current OpenSSH releases no longer accept; check ssh(1) on your version before copying the block.
Host *
The "Host" option restricts the settings that follow it to hosts matching the given pattern; "*" matches all hosts.
ForwardAgent no
"ForwardAgent" sets whether the connection to the authentication agent (if any) is forwarded to the remote machine.
ForwardX11 no
"ForwardX11" sets whether X11 connections are automatically redirected over the secure channel and DISPLAY is set.
RhostsAuthentication no
"RhostsAuthentication" sets whether rhosts-based authentication is used.
RhostsRSAAuthentication no
"RhostsRSAAuthentication" sets whether rhosts-based authentication combined with RSA host authentication is used.
RSAAuthentication yes
"RSAAuthentication" sets whether RSA public-key authentication is used.
PasswordAuthentication yes
"PasswordAuthentication" sets whether password authentication is used.
FallBackToRsh no
"FallBackToRsh" sets whether to fall back to rsh automatically if the ssh connection fails.
UseRsh no
"UseRsh" sets whether rlogin/rsh is used for this host.
BatchMode no
If "BatchMode" is set to "yes", prompting for passphrases/passwords (interactive password entry) is disabled. This is useful in scripts and batch jobs where a password cannot be entered interactively.
CheckHostIP yes
"CheckHostIP" sets whether ssh additionally checks the host's IP address in the known_hosts file to detect DNS spoofing. It is recommended to set this to yes.
StrictHostKeyChecking no
If "StrictHostKeyChecking" is set to "yes", ssh never adds a host key to the "$HOME/.ssh/known_hosts" file automatically and refuses to connect to a host whose key has changed. The block above sets it to "no", which silently accepts and stores new host keys; "ask" (the default) or "yes" is the safer choice.
IdentityFile ~/.ssh/identity
"IdentityFile" sets the file from which the user's RSA authentication identity is read.
Port 22
"Port" sets the port to connect to on the remote host.
Cipher blowfish
"Cipher" sets the cipher used to encrypt the session.
EscapeChar ~
"EscapeChar" sets the escape character.
Configure the "/etc/ssh/sshd_config" file
"/etc/ssh/sshd_config" is the OpenSSH daemon configuration file; the options set in it change how the daemon operates. Each line holds a keyword-value pair, and the keyword is case-insensitive. The most important keywords are listed below; a detailed list can be obtained from the manual page sshd(8) with the man command.
Edit the "sshd_config" file (vi /etc/ssh/sshd_config) to add or change the following parameters:
The code is as follows:
# This is ssh server systemwide configuration file.
Port 22
ListenAddress 192.168.1.1
HostKey /etc/ssh/ssh_host_key
ServerKeyBits 1024
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin no
IgnoreRhosts yes
IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding no
PrintMotd yes
SyslogFacility AUTH
LogLevel INFO
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
AllowUsers admin
The above option settings are explained line by line below. Note that ServerKeyBits, KeyRegenerationInterval, RhostsAuthentication, RhostsRSAAuthentication and RSAAuthentication are SSH protocol version 1 options that current OpenSSH releases no longer accept; check the manual page (sshd_config(5)) on your version before copying the block.
Port 22
"Port" sets the port number on which sshd listens.
ListenAddress 192.168.1.1
"ListenAddress" sets the IP address that the sshd server binds to.
HostKey /etc/ssh/ssh_host_key
"HostKey" sets the file containing the computer's private host key.
ServerKeyBits 1024
"ServerKeyBits" defines the number of bits in the server key.
LoginGraceTime 600
"LoginGraceTime" sets the time (in seconds) the server waits before disconnecting if the user has not logged in successfully.
KeyRegenerationInterval 3600
"KeyRegenerationInterval" sets the number of seconds after which the server key is automatically regenerated (if it has been used). Regenerating the key prevents a key stolen later from being used to decrypt previously intercepted traffic.
PermitRootLogin no
"PermitRootLogin" sets whether root can log in with ssh. This option must not be set to "yes".
IgnoreRhosts yes
"IgnoreRhosts" sets whether the "rhosts" and "shosts" files are ignored during authentication.
IgnoreUserKnownHosts yes
"IgnoreUserKnownHosts" sets whether the ssh daemon ignores the user's "$HOME/.ssh/known_hosts" file during RhostsRSAAuthentication.
StrictModes yes
"StrictModes" sets whether sshd checks the permissions and ownership of the user's home directory and rhosts files before accepting a login. This is usually necessary, because beginners often leave their directories and files writable by everyone.
X11Forwarding no
"X11Forwarding" sets whether X11 forwarding is allowed.
PrintMotd yes
"PrintMotd" sets whether sshd displays the contents of "/etc/motd" when the user logs in.
SyslogFacility AUTH
"SyslogFacility" sets the syslog facility code used when logging messages from sshd.
LogLevel INFO
"LogLevel" sets the verbosity level of sshd's log messages. INFO is a good choice; see the sshd manual page for more information.
RhostsAuthentication no
"RhostsAuthentication" sets whether rhosts or "/etc/hosts.equiv" alone is sufficient for authentication.
RhostsRSAAuthentication no
"RhostsRSAAuthentication" sets whether authentication with rhosts or "/etc/hosts.equiv" combined with RSA host authentication is allowed.
RSAAuthentication yes
"RSAAuthentication" sets whether pure RSA public-key authentication is allowed.
PasswordAuthentication yes
"PasswordAuthentication" sets whether password authentication is allowed.
PermitEmptyPasswords no
"PermitEmptyPasswords" sets whether login to accounts with an empty password is allowed.
AllowUsers admin
"AllowUsers" is followed by any number of user name patterns or user@host patterns, separated by spaces. The host part can be a DNS name or an IP address.
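As an added example (not part of the original guide or of OpenSSH itself), the following Python code parses sshd_config-style text by the rules just described (case-insensitive keywords, and, as in sshd, the first value read for a keyword wins), audits it against the values this guide recommends, and applies the AllowUsers user@host patterns to a login attempt. The SAMPLE text and the RECOMMENDED table are constructed for the demonstration.

```python
import fnmatch

# Keywords from the sshd_config block in this guide with the value it recommends.
RECOMMENDED = {"permitrootlogin": "no", "permitemptypasswords": "no",
               "ignorerhosts": "yes", "strictmodes": "yes", "x11forwarding": "no"}

# Constructed sample, not a real server's file; note the duplicated PermitRootLogin.
SAMPLE = """\
Port 22
PermitRootLogin yes
permitrootlogin no
PermitEmptyPasswords no
StrictModes yes
X11Forwarding no
AllowUsers admin backup@192.168.1.*
"""

def parse_sshd_config(text):
    """Return {keyword: value}; keywords are lower-cased (sshd ignores their case) and
    the FIRST value read wins, as in sshd; blank lines and '#' comments are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # 'Key value' or 'Key=value'
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings

def audit(settings):
    """List (keyword, value found or None, recommended) for each deviating setting."""
    return [(k, settings.get(k), v) for k, v in RECOMMENDED.items()
            if (settings.get(k) or "").lower() != v]

def user_allowed(settings, user, host):
    """Apply AllowUsers: entries are USER or USER@HOST with '*' and '?' wildcards.
    No AllowUsers line means any user may log in; otherwise only listed matches."""
    patterns = settings.get("allowusers")
    if patterns is None:
        return True
    for pat in patterns.split():
        upat, _, hpat = pat.partition("@")
        if fnmatch.fnmatchcase(user, upat) and (not hpat or fnmatch.fnmatchcase(host, hpat)):
            return True
    return False

if __name__ == "__main__":
    for keyword, found, want in audit(parse_sshd_config(SAMPLE)):
        print(f"{keyword}: found {found!r}, guide recommends {want!r}")
```

Run against a real file with parse_sshd_config(open("/etc/ssh/sshd_config").read()); the duplicated PermitRootLogin in the sample shows why the first-value rule matters when auditing.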
Transfer files using SFTP instead of FTP
FTP (File Transfer Protocol) is a widely used way to transfer files over a network, but it is exposed to eavesdropping because it transmits user authentication information in clear text. The SSH package already contains a secure file-transfer subsystem called SFTP (Secure FTP). SFTP has no separate daemon; it relies on the sshd daemon (port 22 by default) to establish the connection, so in a sense SFTP behaves less like a server program and more like a client program. SFTP encrypts both the authentication information and the transferred data, so using it is very secure. Because this mode of transfer uses encryption and decryption, its throughput is noticeably lower than plain FTP; if your network security requirements are higher, use SFTP instead of FTP. To enable SFTP, modify the following line in the sshd2_config file:
The code is as follows:
# subsystem-sftp sftp-server
Remove the "#" at the beginning of the line and restart the SSH server; you can then transfer files with SFTP over the same SSH connection.
About client setup
The above are the server settings. Some client tools (the ssh and sftp commands) are already included with the SSH server, but most client users run Windows, so the client setup on Windows is explained here.
First download the "SSHSecureShellClient-3.2.3.exe" file from the URL given above and install it. After installation, two shortcuts appear on the desktop: "SSH Secure Shell Client", used for remote management, and "SSH Secure File Transfer Client", used to transfer files to the server. Click "Quick Connect", enter the correct host name and user name, then enter the password in the dialog that pops up to complete the login and start running commands or transferring files. By default SFTP shows only the contents of the user's home directory and non-hidden files. If you need to see other directories or hidden files, select "Show root directory" and "Show hidden files" under the menu "Edit" -> "Settings" -> "File Transfer".
Restricting ordinary users to SFTP only, without shell access
By default, an account the administrator adds to the system has both SFTP and SSH (shell) access. Allowing ordinary users to run commands through a shell carries a considerable security risk; if users are prevented from running shell commands and can only transfer files with SFTP, that risk is eliminated while the full functionality of FTP is retained.
As mentioned above, SFTP has no separate daemon and relies on the sshd daemon, so the SSH server must still be kept running.
The specific implementation methods are as follows:
First of all, the software must have been compiled and installed with the "--enable-static" option. After the installation succeeds, run the following command in the bin directory under the installation directory:
The code is as follows:
[root@localhost bin] # ls -l ssh-dummy-shell* sftp-server2*
You will see the following output:
The code is as follows:
-rwxr-xr-x 1 root root 1350417 Apr 28 16:30 sftp-server2
-rwxr-xr-x 1 root root 3566890 Apr 28 16:30 sftp-server2.static
-rwxr-xr-x 1 root root 72388 Apr 28 16:30 ssh-dummy-shell
-rwxr-xr-x 1 root root 1813412 Apr 28 16:30 ssh-dummy-shell.static
The two larger files with the suffix "static" are produced by the "--enable-static" option; these two files are used below.
The following adds an ordinary account, "test", as an example to describe the steps.
1. Create a "bin" subdirectory under the "/home" directory (or wherever ordinary users' home directories are stored), copy the two static files into it (renaming them to drop the "static" suffix), and run the following commands:
The code is as follows:
[root@localhost bin] # cd /usr/local/ssh4.2/bin
[root@localhost bin] # cp ssh-dummy-shell.static /home/bin/ssh-dummy-shell
[root@localhost bin] # cp sftp-server2.static /home/bin/sftp-server
[root@localhost bin] # chown -R root.root /home/bin
[root@localhost bin] # chmod -R 755 /home/bin
2. Add a group so that all users who will be prohibited from using a shell belong to it; this makes managing many users easier:
[root@localhost bin] # groupadd template
3. Use the following commands when adding the system account:
The code is as follows:
[root@localhost root] # useradd -s /bin/ssh-dummy-shell -g template test
[root@localhost root] # passwd test
[root@localhost root] # mkdir /home/test/bin
[root@localhost root] # cd /home/test/bin
[root@localhost bin] # ln /home/bin/ssh-dummy-shell ssh-dummy-shell
[root@localhost bin] # ln /home/bin/sftp-server sftp-server
[root@localhost bin] # chown -R root.root /home/test/bin
[root@localhost bin] # chmod -R 755 /home/test/bin
4. After the user has been added, also modify the /etc/ssh3/sshd2_config file, changing the line:
# ChRootGroups sftp,guest
Change to:
ChRootGroups sftp,guest,template
The purpose of changing this line is to keep ordinary users from viewing other system directories and to confine them to their own home directories. Restart the SSH server and log in from the client with SSH Secure File Transfer Client: even with "Show root directory" selected, ordinary users see no other directories, and their home directory appears as the root. Note that the restriction is applied through the user's group, so every user in the template group gets this behaviour. To restrict individual users instead, modify the following line:
The code is as follows:
# ChRootUsers anonymous,ftp,guest
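As an added check (example code, not from the guide or from the SSH distribution), the following Python function verifies that a restricted user's bin directory looks the way steps 1 to 3 leave it: both helper binaries present and executable, everything owned by root, and nothing group- or world-writable. The demo layout is constructed in a temporary directory with placeholder scripts, and the expected owner is a parameter so the check can run as a non-root user.

```python
import os
import stat
import tempfile

# The two helper binaries the guide links into each restricted user's bin/ directory.
REQUIRED_BINARIES = ("ssh-dummy-shell", "sftp-server")
CURRENT_UID = os.getuid()  # used instead of root (uid 0) when demonstrating as a normal user

def check_sftp_only_home(home, owner_uid=0):
    """Return a list of problems with HOME/bin (empty list means the layout is sound).
    The guide's 'chown -R root.root' and 'chmod -R 755' leave every entry owned by
    root (uid 0) and writable by nobody else; a group- or world-writable entry would
    let the restricted user replace ssh-dummy-shell and regain a real shell."""
    problems = []
    bindir = os.path.join(home, "bin")
    if not os.path.isdir(bindir):
        return [f"{bindir} missing"]
    for name in REQUIRED_BINARIES:
        path = os.path.join(bindir, name)
        if not os.path.isfile(path):
            problems.append(f"{path} missing")
        elif not os.access(path, os.X_OK):
            problems.append(f"{path} not executable")
    for path in [bindir] + [os.path.join(bindir, n) for n in sorted(os.listdir(bindir))]:
        st = os.stat(path)
        if st.st_uid != owner_uid:
            problems.append(f"{path} owned by uid {st.st_uid}, expected {owner_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{path} is group/world writable")
    return problems

def build_demo_home(mode=0o755):
    """Build a constructed copy of the /home/test/bin layout in a temp directory
    (stand-in scripts instead of the real static binaries) and return its path."""
    home = tempfile.mkdtemp(prefix="sftp-only-")
    bindir = os.path.join(home, "bin")
    os.mkdir(bindir)
    for name in REQUIRED_BINARIES:
        path = os.path.join(bindir, name)
        with open(path, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        os.chmod(path, mode)
    os.chmod(bindir, mode)
    return home

if __name__ == "__main__":
    ok_home, bad_home = build_demo_home(), build_demo_home(0o777)
    print("755 layout:", check_sftp_only_home(ok_home, CURRENT_UID) or "OK")
    print("777 layout:", check_sftp_only_home(bad_home, CURRENT_UID))
```

On a real server run check_sftp_only_home("/home/test") as root so the default owner_uid of 0 matches the guide's chown.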
Experience has shown SSH to be a very good network security solution, yet many administrators still use Telnet or FTP, which are very insecure tools; we hope they move to SSH as soon as possible to reduce network security risks.
Thank you for reading. The above is the content of "ubuntu configuration ssh server steps"; after studying this article you should have a deeper understanding of the steps, though specific use still needs to be verified in practice. The editor will continue to publish more related articles; you are welcome to follow along!