
Remote access Control in Centos 7.4

2025-01-18 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

Blog catalogue

I. SSH remote management

II. Use the SSH client programs

III. Build an SSH system with key pair authentication

I. SSH remote management

SSH is a secure channel protocol, mainly used for remote login and remote file copy over a character-mode interface. The SSH protocol encrypts the data exchanged between the two communicating parties, including the password the user enters when logging in. Compared with earlier applications such as Telnet, RSH and RCP, the SSH protocol offers much better security.

1. Configure the OpenSSH server

On CentOS 7.4, the OpenSSH server is provided by packages such as openssh and openssh-server (installed by default), and sshd is registered as a standard system service. The sshd service is started with "systemctl start sshd"; once it is running, most users, including root, can log in to the system remotely. The configuration file of the sshd service is /etc/ssh/sshd_config by default, and adjusting the relevant options correctly further improves the security of remote logins.

1) Service listening options

The default port used by the sshd service is 22. If necessary, change this port number and bind the service to a specific IP address to make it less conspicuous on the network. Protocol version 2 is more secure than version 1, and disabling reverse DNS lookups (UseDNS no) shortens the server's response time at login.

[root@centos01 ~]# vim /etc/ssh/sshd_config
Port 22
ListenAddress 192.168.100.10
Protocol 2
UseDNS no
[root@centos01 ~]# systemctl restart sshd

2) User login control

The sshd service allows the root user to log in by default, which is very insecure on the Internet. As far as user login control is concerned, root logins and logins by users with empty passwords should generally be prohibited. You can also limit the time allowed for login authentication (2 minutes by default) and the maximum number of authentication attempts; the connection is dropped once the limit is exceeded.

[root@centos01 ~]# vim /etc/ssh/sshd_config
LoginGraceTime 2m
PermitRootLogin yes
MaxAuthTries 6
PermitEmptyPasswords no
[root@centos01 ~]# systemctl restart sshd

2. Login verification method

For remote management of a server, the login authentication method matters as much as the security controls on the user accounts. The sshd service supports two authentication methods, password authentication and key pair authentication, and either one or both can be enabled.

Password authentication: the login name and password are checked against the local system users of the server. This method is the easiest to use, but from the client's point of view the server it connects to may be impersonated, and from the server's point of view it offers weak defence against a third party brute-forcing the password.

Key pair authentication: matching key material is required to pass verification. Typically a pair of key files (a public key and a private key) is created on the client, and the public key file is then placed in a designated location on the server. At login, the two sides verify that the public key and private key correspond through an encryption/decryption exchange, which greatly strengthens the security of remote management. This method is hard to spoof and allows logging in without an interactive password prompt, so it is widely used in shell scripts.

When both password authentication and key pair authentication are enabled, the server tries key pair authentication first. For servers with high security requirements it is recommended to disable password authentication and enable key pair authentication only; where there are no special requirements, both methods may be enabled.

[root@centos01 ~]# vim /etc/ssh/sshd_config
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
[root@centos01 ~]# systemctl restart sshd

Here the AuthorizedKeysFile option names the file that stores the public key text uploaded by one or more clients; at login it is matched against the private key file held on the client.
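The following script is an added example, not part of the original article: it reads an sshd_config and reports which of the options discussed above deviate from the hardened values (root login denied, empty passwords and password authentication off, public key authentication on). It assumes only POSIX sh and awk, applies sshd's first-match-wins rule, and ignores Match blocks.

```shell
#!/bin/sh
# Added example, not from the original article: audit an sshd_config for the
# options discussed above. First uncommented match wins; Match blocks ignored.
# sshd_opt <file> <keyword> <fallback>: effective value of a keyword. The
# fallback is used when the keyword is absent ("unset" where the compiled-in
# default varies between OpenSSH builds).
sshd_opt() {
    val=$(awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}
# audit_sshd_config <file>: one OK/WARN line per check, then a SUMMARY line.
audit_sshd_config() {
    f="$1"; warn=0
    check() {   # check <keyword> <fallback> <wanted> <reason>
        got=$(sshd_opt "$f" "$1" "$2")
        if [ "$got" = "$3" ]; then
            echo "OK   $1 $got"
        else
            echo "WARN $1 is '$got', expected '$3' ($4)"; warn=$((warn + 1))
        fi
    }
    check PermitRootLogin unset no "no direct root login from the network"
    check PermitEmptyPasswords no no "empty-password accounts must not log in"
    check PasswordAuthentication yes no "key pair authentication only"
    check PubkeyAuthentication yes yes "key pair authentication must stay on"
    check UseDNS unset no "reverse DNS lookups only slow logins down"
    echo "INFO Port $(sshd_opt "$f" Port 22), MaxAuthTries $(sshd_opt "$f" MaxAuthTries 6), LoginGraceTime $(sshd_opt "$f" LoginGraceTime 2m)"
    echo "SUMMARY $warn warning(s)"
}
# Constructed sample mirroring the article's configuration, for an offline run.
sample_sshd_config() {
    t=$(mktemp)
    cat > "$t" <<'EOF'
#PermitRootLogin no
Port 22
ListenAddress 192.168.100.10
Protocol 2
UseDNS no
LoginGraceTime 2m
PermitRootLogin yes
MaxAuthTries 6
PermitEmptyPasswords no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
EOF
    echo "$t"
}
if [ "$#" -gt 0 ]; then audit_sshd_config "$1"; else audit_sshd_config "$(sample_sshd_config)"; fi
```

Run it as `sh audit_sshd.sh /etc/ssh/sshd_config` on the server; with no argument it audits the constructed sample, which yields two warnings (PermitRootLogin and PasswordAuthentication).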

II. Use the SSH client programs

On CentOS 7.4, the OpenSSH client is provided by the openssh-clients package (installed by default), which includes the ssh remote login command as well as the scp and sftp commands for remote copying and file transfer.

1. Command program ssh remote login

Through the ssh command, you can log in to the sshd service remotely, providing a secure Shell environment for users to manage and maintain the server. The login user and the target host address should be specified as parameters. Examples are as follows:

[root@centos02 ~]# ssh root@192.168.100.10
root@192.168.100.10's password:
Mon Nov 11 19:02:50 2019 from 192.168.100.254
[root@centos01 ~]#
[root@centos01 ~]# ssh root@192.168.100.10
The authenticity of host '192.168.100.10 (192.168.100.10)' can't be established.
ECDSA key fingerprint is SHA256:PUueT9fU9QbsyNB5NC5hbSXzaWxxQavBxXmfoknXl4I.
ECDSA key fingerprint is MD5:6d:f7:95:0e:51:1a:d8:9e:7b:b6:3f:58:51:51:4b:3b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.100.10' (ECDSA) to the list of known hosts.
root@192.168.100.10's password:
Mon Nov 11 19:03:08 2019 from 192.168.100.20
[root@centos01 ~]# who
root     pts/1        2019-11-11 19:03 (192.168.100.20)
root     pts/2        2019-11-11 19:04 (192.168.100.10)

If the sshd server uses a non-default port (such as 2222), the port number must be given with the "-p" option when logging in. Examples are as follows:

[root@centos01 ~]# vim /etc/ssh/sshd_config
Port 2222
[root@centos01 ~]# systemctl restart sshd
[root@centos02 ~]# ssh -p 2222 root@192.168.100.10
root@192.168.100.10's password:
Last login: Mon Nov 11 19:20:28 2019 from 192.168.100.10
[root@centos01 ~]#

2. scp remote copy

Through the scp command, files can be copied to or from a remote host over the SSH secure connection. In addition to the source and destination, the destination host address and login user must be specified, and the authentication password is entered at the prompt. Examples are as follows:

[root@centos02 ~]# scp root@192.168.100.10:/etc/ssh/sshd_config ./
root@192.168.100.10's password:
sshd_config                                   100% 3910     3.6MB/s   00:00
[root@centos02 ~]# scp -r ./sshd_config root@192.168.100.10:/opt
root@192.168.100.10's password:
sshd_config                                   100% 3910     1.2MB/s   00:00

3. sftp secure FTP

Through the sftp command, files can be uploaded to and downloaded from a remote host over the SSH secure connection, using a login process and interactive environment similar to FTP, which makes managing directory resources convenient. Examples are as follows:

[root@centos01 ~]# cd /opt/
[root@centos01 opt]# sftp root@192.168.100.20
root@192.168.100.20's password:
Connected to 192.168.100.20.
sftp> pwd
Remote working directory: /root
sftp> put sshd_config
Uploading sshd_config to /root/sshd_config
sshd_config                                   100% 3910     6.4MB/s   00:00
sftp> get sshd_config
Fetching /root/sshd_config to sshd_config
/root/sshd_config                             100% 3910     3.6MB/s   00:00
sftp> exit

III. Build an SSH system with key pair authentication

Key pair authentication provides better security for remote logins. The basic process of building key pair authentication between a Linux server and a client consists of four steps, as shown in the figure below. First, the key pair is created on the SSH client as the user zhangsan; the public key file is then uploaded to the SSH server; the public key is imported into the public key database of the target user lisi on the server; and finally the client logs in as the server-side user lisi and is authenticated.

1. Create a key pair on the client

On the client, create a key pair for the current user with the ssh-keygen tool. The available key algorithms are ECDSA or DSA (the "-t" option of ssh-keygen selects the algorithm). Examples are as follows:

[root@centos02 ~]# ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
SHA256:zv0EdqIuOfwSovN2Dkij08y9wZ0f1+IyhY7LFNKKzkk root@centos02
The key's randomart image is:
+---[DSA 1024]----+
(randomart image not reproduced)
+----[SHA256]-----+
[root@centos02 ~]# ls -lh ~/.ssh/id_dsa*
-rw------- 1 root root 668 Nov 12 16:11 /root/.ssh/id_dsa
-rw-r--r-- 1 root root 603 Nov 12 16:11 /root/.ssh/id_dsa.pub

Of the newly generated files, id_dsa is the private key, created with permission 600 by default; it must be kept safe and never disclosed to anyone. id_dsa.pub is the public key file, which is provided to the SSH server.

2. Upload the public key file to the server

Upload the public key file generated in the previous step to the server and add it to the server-side user's public key database. The public key file can be transferred with scp, FTP, HTTP or even by e-mail; in the example below, ssh-copy-id performs both the upload and the import in one step.

[root@centos02 ~]# ssh-copy-id -i ./.ssh/id_dsa.pub root@192.168.100.10
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "./.ssh/id_dsa.pub"
The authenticity of host '192.168.100.10 (192.168.100.10)' can't be established.
ECDSA key fingerprint is SHA256:PUueT9fU9QbsyNB5NC5hbSXzaWxxQavBxXmfoknXl4I.
ECDSA key fingerprint is MD5:6d:f7:95:0e:51:1a:d8:9e:7b:b6:3f:58:51:51:4b:3b.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.100.10's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@192.168.100.10'"
and check to make sure that only the key(s) you wanted were added.

3. Use key pair authentication on the client

Once the private key file (on the client) and the public key file (on the server) are in place, test from the client. First confirm that the current user on the client is root, then log in remotely as the server-side user root with the ssh command. If key pair authentication has been configured successfully, the client prompts for the passphrase that unlocks the private key (if no passphrase was set, the login to the target server completes directly).

[root@centos02 ~]# ssh root@192.168.100.10
Last login: Tue Nov 12 16:03:56 2019 from 192.168.100.254
[root@centos01 ~]# who
root     pts/0        2019-11-12 17:35 (192.168.100.20)
root     pts/2        2019-11-12 16:03 (192.168.100.254)
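Added example, not from the original article: after the public key has been deployed as above, this script checks the target user's authorized_keys the way sshd itself judges it (mode 600 on the file, 700 on the directory), lists each key's type, and flags ssh-dss keys (disabled by default since OpenSSH 7.0) and duplicate entries. The sample file and its placeholder key material are constructed; only POSIX sh, awk and ls are assumed.

```shell
# Added example, not from the original article: check a server-side user's
# authorized_keys after the deployment above. Needs only POSIX sh, awk and ls.
# mode_of <path>: permission string as ls prints it, e.g. -rw-------
mode_of() { ls -ld "$1" | awk '{ print $1 }'; }
# audit_authorized_keys <file>: key types, ssh-dss keys, duplicated key
# material and loose permissions; one OK/WARN line each, then a SUMMARY line.
audit_authorized_keys() {
    f="$1"; d=$(dirname "$f"); warn=0
    case "$(mode_of "$f")" in
        -rw-------*) echo "OK   $f is mode 600" ;;
        *) echo "WARN $f is $(mode_of "$f"), expected 600"; warn=$((warn + 1)) ;;
    esac
    case "$(mode_of "$d")" in
        drwx------*) echo "OK   $d is mode 700" ;;
        *) echo "WARN $d is $(mode_of "$d"), expected 700"; warn=$((warn + 1)) ;;
    esac
    # Line layout: [options] keytype base64 [comment]. Options may contain
    # quoted spaces, so locate the key type field instead of assuming $1 or $2.
    keys=$(awk '!/^[[:space:]]*(#|$)/ {
        for (i = 1; i <= NF; i++) if ($i ~ /^(ssh-|ecdsa-sha2-|sk-)/) break
        if (i > NF) { print "INVALID - -"; next }
        print $i, $(i+1), ($(i+2) == "" ? "-" : $(i+2)) }' "$f")
    while read -r type key comment; do   # heredoc keeps the loop in this shell
        case "$type" in
            "") ;;
            INVALID) echo "WARN unparseable line"; warn=$((warn + 1)) ;;
            ssh-dss) echo "WARN ssh-dss key '$comment': DSA is off by default since OpenSSH 7.0"
                     warn=$((warn + 1)) ;;
            *) echo "OK   $type key '$comment'" ;;
        esac
    done <<EOF
$keys
EOF
    dup=$(printf '%s\n' "$keys" | awk '$2 != "-" { c[$2]++ } END { n = 0; for (k in c) if (c[k] > 1) n++; print n }')
    if [ "$dup" -gt 0 ]; then echo "WARN $dup key(s) listed more than once"; warn=$((warn + 1)); fi
    echo "SUMMARY $warn warning(s)"
}
# Constructed sample; the base64 fields are placeholders, not real key material.
sample_authorized_keys() {
    d=$(mktemp -d); f="$d/authorized_keys"
    cat > "$f" <<'EOF'
ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER root@centos02
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER lisi@laptop
from="192.168.100.0/24",command="/usr/bin/rsync --server" ssh-rsa AAAAB3NzaC1yc2EAAAADPLACEHOLDER backup
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER lisi@laptop
EOF
    chmod 700 "$d"; chmod 644 "$f"   # file deliberately too open for the demo
    echo "$f"
}
if [ "$#" -gt 0 ]; then audit_authorized_keys "$1"; else audit_authorized_keys "$(sample_authorized_keys)"; fi
```

Run it as `sh audit_keys.sh ~lisi/.ssh/authorized_keys` on the server; on the constructed sample it reports three warnings (file mode, the ssh-dss key, and the duplicated ed25519 key).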
