Shulou(Shulou.com)05/31 Report--

This article mainly explains "SSH remote login Linux host how to achieve", the article explains the content is simple and clear, easy to learn and understand, the following please follow the editor's ideas slowly in depth, together to study and learn "SSH remote login Linux host how to achieve" it!

What is SSH?

SSH is a network protocol used to encrypt logins between computers. In the earliest days, Internet communications were all plaintext communications, and once intercepted, the content was undoubtedly exposed. In 1995, Finnish scholar Tatu Ylonen designed SSH protocol, which encrypts all login information, which has become a basic solution of Internet security. It has been rapidly promoted all over the world, and has become the standard configuration of Linux system.

Principle of SSH login

Basic usage of SSH

Syntax:

Ssh-p 22 user@host

Parameters:

-p: specify the port number.

User: the user name of the login.

Host: the host to which you logged in.

The default port number is 22. When the port number is 22, you can omit it and directly use the following methods:

Ssh user@host

In addition, if the user name being used locally is the same as the remote login user name, the login user name can also be omitted, as follows:

Ssh host

SSH remote login instance

Now I have two linux virtual machines installed with centOS6.5,ip of 192.168.13.135 and 192.168.13.138 respectively, as shown below:

Now, what I need to do is log in to 192.168.13.135 via SSH above 192.168.13.138.

First, we can use the following command to see if ssh is enabled on both machines.

Netstat-ntlp | grep ssh

Use the following command to connect.

Ssh-p 22 root@192.168.13.135

If you log in to the remote host for the first time on this machine, the following interface appears.

Roughly means, can not confirm the authenticity of the host host, only know its public key fingerprint, ask you still want to continue to connect? Just enter yes.

Then enter the password to connect to ok.

To exit, type exit directly.

SSH Port Forwardin

SSH can not only automatically encrypt and decrypt the network data between the SSH client and the server, at the same time, SSH can also provide a very useful function, that is, port forwarding, that is, the network data from the TCP port will be forwarded to a designated host port, and the data will be encrypted and decrypted at the same time. If the firewall in the work environment restricts the use of some network ports, but allows SSH connections, then it is also possible to communicate through the port forwarded by SSH. Forwarding is mainly divided into two types: local forwarding and remote forwarding.

1. Forwarded parameters

-C: compressed data-f: background authentication user / password, usually used with-N, no need to log in to the remote host. -N: does not execute scripts or commands, usually used with-f. -g: in the-L/-R/-D parameter, the remote host is allowed to connect to the established forwarding port. If this parameter is not added, only the local host is allowed to establish a connection. -L: local port: destination IP: destination port-D: dynamic port forwarding-R: remote port forwarding-T: no TTY assigned for proxy only-Q: quiet mode, no error / warning message output

two。 Local forwarding

There is a port on the local network server that is forwarded to a port on the remote server. To put it bluntly, the request sent to the local port is forwarded to the target port. The format is as follows:

Ssh-L local network card address: local port: destination address: destination port user @ destination address.

Now we use local forwarding to solve a problem, for example, we have two machines, as follows:

Centos A (192.168.13.139)

Centos B (192.168.13.142)

Mysql is now installed on the centos B (192.168.13.142) machine and is set to run any host connection, as follows:

At this point, above centos A (192.168.13.139) is a mysql that can be connected to centos B (192.168.13.142), as follows:

So, now I'll start centos B (192.168.13.142) to restrict external ip connections, only 127.0.0.1 connections, as follows:

At this point, how can the mysql of centos B (192.168.13.142) be connected to centos A (192.168.13.139)?

At this point, we still use the above mysql connection method, which will definitely cause an error, as shown below:

Of course, in centos B (192.168.13.142) mysql is still accessible.

At this point, we can use the local port to forward and map a local port to the centos B (192.168.13.142) machine, as follows:

Ssh-L 127.0.0.1 3306 root@192.168.13.142

Because the address of the local network card can be omitted, the forwarding above can be abbreviated as:

Ssh-L 3306 root@192.168.13.142 127.0.0.1

Of course, when connecting to ssh, if the user names of the two machines are the same, it can also be omitted, that is, the command can be abbreviated as:

Ssh-L 3306 Virgo 127.0.0.1 Vera 3306 192.168.13.14

The above code is to forward the local port 3306 to port 3306 of 192.168.13.142. Because the mysql above centos B (192.168.13.142) uses port 3606. Of course, first of all, we have to see if the local port 3306 is occupied. If so, we can use other ports.

The flow of data is as shown in the figure:

First, the application on centos A (192.168.13.139) sends the data to port 3306 above 127.0.0.1 locally.

Centos A (192.168.13.139) then forwards the data from port 3306 to port 3306 of centos B (192.168.13.142) via SSH.

Then, centos B (192.168.13.142) returns the processed data to centos A (192.168.13.139).

If you are connecting to the cetosB machine for the first time through ssh, you will be prompted to confirm the public key and you will be given the choice of whether or not to confirm the connection.

At this point, we connect the mysql on centos An and centos B, and we can write this.

Bin/mysql-h227.0.0.1-uroot-p

As follows:

We can view the process of ssh forwarding listening on centosA with the following command.

3. Remote forwarding

It is forwarded by a port of the remote server to a port of the server of the local network. To put it bluntly, the request sent to the remote port is forwarded to the destination port. The format is as follows:

Ssh-R remote network card address: remote port: destination address: destination port

The following three machines are examples, as follows:

Centos A (192.168.13.139)

Centos B (192.168.13.142)

Win7 (10.18.78.135)

Assuming that win7 (10.18.78.135) and centos B (192.168.13.142) cannot be connected directly, but win7 (10.18.78.135) and centos A (192.168.13.139) can be connected to centos B (192.168.13.142) or centos A (192.168.13.139), then we can use the remote port to forward on centos A (192.168.13.139). Have win7 (10.18.78.135) communicate with centos B (192.168.13.142).

Ssh-R 127.0.0.1 80 root@192.168.13.142

That is, centos B (192.168.13.142) listens to its own port 80, and then sends all the data to win7 (10.18.78.135) from centos A (192.168.13.139).

Remote operation of SSH

Ssh remote operation, which is mainly used to perform an operation on a remote machine in the following format:

Ssh user@host 'command'

Case 1. Check the operating system type of Machine B (192.168.13.149) in Machine A (192.168.13.148).

Execute the following code on machine A:

Ssh dequan@192.168.13.149 'uname-a'

Case 2. Copy the test folder from machine A (192.168.13.148) to machine B (192.168.13.149).

On machine A, execute the following command:

Tar-cz test | ssh dequan@192.168.13.149 'tar-xz'

Of course, we can also use the scp command or the rz command to transfer files.

Case 3. Check machine A (192.168.13.148) to see if machine B (192.168.13.149) is listening on port 1080.

On machine A, execute the following command:

Ssh dequan@192.168.13.149 'netstat-tln | grep 1080'

Local forwarding of SSH

Local forwarding, to put it bluntly, is to forward a request sent to a local port to a remote machine. The format is as follows:

Ssh-L [local address:] local port: remote address: remote port remote user @ remote address

Case 1. Access the service of Machine A (192.168.13.148) on Machine B (192.168.13.149).

Now, we have started the Nginx service on machine A, as follows:

We hope that Machine B can use the services on Machine An in the same way. The request for port 80 on machine B needs to be forwarded to machine A. At present, this is done on machine B, and an error is reported, as follows:

You need to execute the following code on machine B:

Ssh-f-N-L 127.0.01 80 dequan@192.168.13.148 192.168.13.148

Then, on machine B, access the service of machine An as if it were your own service.

Remote forwarding of SSH

Remote forwarding, that is, forwarding a port request sent to the remote machine to the local machine. The format is as follows:

Ssh-R [remote address:] remote Port: local address: local Port remote user @ remote address

In the above case, we can also do this through remote forwarding. That is, execute the following code on machine A:

Sudo ssh-f-N-R 8081RV 127.0.0.1RV 80 dequan@192.168.13.149

We monitored the port 8081 of machine B and forwarded the request from that port to machine A.

As you can see on machine B, our monitoring is as follows:

At this point, execute the following command and it will be forwarded to port 80 of machine An at 127.0.0.1, as follows:

1. Realize the proxy function by remote forwarding.

At present, machine B can only listen and forward on port 80 of 127.0.0.1. How can machine B be used as a proxy to forward requests from other machines to machine A? For example, there is now a machine C (192.168.13.143), which cannot access A, but can access B. How to make C use B to access A?

At this point, you need to change the listening of B from 127.0.0.1 to 00.0.0, and modify the configuration of sshd / etc/ssh/sshd_config.

Vim / etc/ssh/sshd_config # if there is a GatewayPorts no # changed to GatewayPorts yes # No, just add # and restart sshd sudo service sshd restart

Then re-set dynamic forwarding as follows:

Ssh-f-g-N-R 8081 127.0.0.1 dequan@192.168.13.149

As you can see, at this time, Machine B has been listening to 0RV 0.0.0RV 8081.

On the C machine, we simulate the request through curl and use the B machine as the proxy, as follows:

Curl-x 192.168.13.149 8081 127.0.0.1

Of course, if there are other machines, you can request machine An in a similar way.

Dynamic forwarding of SSH

For both local forwarding and remote forwarding of SSH, you need to bind the local port and remote port one by one, in the following format:

Ssh-D [local address:] local port number remote user @ remote address

For example, all requests sent to machine B are forwarded to machine A to execute the request.

Problems in SSH

If someone intercepts the login request and then pretends to be a remote host and sends the fake public key to the user, it is difficult for the user to tell the authenticity from the false. Because unlike the https protocol, the public key of the SSH protocol is not notarized by the Certificate Authority (CA), that is, it is signed by itself.

It is conceivable that if an attacker intervenes between the user and the remote host (such as in the public wifi area) and uses a fake public key to obtain the user's login password. Then log in to the remote host with this password, and the security mechanism of SSH will be gone. This risk is known as man-in-the-middle attack (Man-in-the-middle attack).

Thank you for your reading, the above is the content of "SSH remote login Linux host how to achieve", after the study of this article, I believe you have a deeper understanding of how SSH remote login Linux host how to achieve this problem, the specific use of the need for you to practice and verify. Here is, the editor will push for you more related knowledge points of the article, welcome to follow!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.