SSH (remote connection tool), connection principle: the ssh service is a daemon that waits for client connections in the background. On the server the process is named sshd; it listens for client requests (port 22) in real time and handles the public key exchange and the rest of the negotiation.

The ssh server side is made up of 2 parts: openssh (provides the ssh service) and openssl (provides the encryption library).

ssh clients: tools such as XSHELL, SecureCRT and MobaXterm can be used to connect.

How SSH works

      When the server starts it generates its own key (a 768-bit public key). The local ssh client sends a connection request to the ssh server; the server checks the data and IP address sent by the connecting client and, after confirming they are valid, sends the key (768 bits) to the client. The client then combines its local private key (256 bits) with the server's public key (768 bits) into a key pair (1024 bits) and sends it back to the server; once the connection is established, data transfer goes through this key pair.

SSH encryption technology

Encryption technology: data is encrypted during transmission.
1. SSH1 does not verify the client's key, so it is easy to plant malicious code.
2. SSH2 adds a Diffie-Hellman mechanism to confirm that the connection is correct; on every data transmission the server checks the correctness of the data source, to avoid ******.
  SSH2 supports RSA and DSA keys
        DSA: Digital Signature Algorithm, digital signatures only
        RSA: can both digitally sign and encrypt

SSH knowledge summary

   1. SSH is a secure, encrypted protocol for connecting to Linux servers remotely
   2. The default SSH port is 22; the secure protocol version is SSH2
   3. The SSH server side mainly provides 2 service functions: the SSH connection and the SFTP server
   4. The SSH client includes the ssh connect command and the remote copy command scp, among others

How to prevent SSH login ***

    1. Key login, change the port
    2. Cattle array
    3. Listen only on the local intranet IP (ListenAddress 192.168.25.*)

ssh: all functions


1. Login

       ssh -p22 [email protected]

   2. Execute a command directly   --> best practice: use the full path

       ssh [email protected] ls -ltr /backup/data

           ==> ssh [email protected] /bin/ls -ltr /backup/data

   3. View the known hosts

        cat /root/.ssh/known_hosts

   4. Execute a sudo command remotely over ssh

       ssh -t [email protected] sudo rsync hosts /etc/

   5. scp

             1. Function    --> secure ( encrypted ) remote file copy

                 scp -P22 -r -p /home/omd/h.txt [email protected]:/home/omd/

             2. scp knowledge summary

                 scp is encrypted remote copy; cp is local copy

                  It can push files over, and it can also pull them back

                  Every run is a full copy ( not efficient; fine for the first copy ); for incremental copying use rsync

   6. The sftp function built into ssh

             1. Transfer tools between Windows and Linux

                  winscp, filezilla

               sftp  --> secure encrypted transfer based on ssh

               samba

             2. sftp client connection

                sftp -oPort=22 [email protected]

                put /etc/hosts /tmp

                get /etc/hosts /home/omd

            3. sftp summary:

                1. Linux command: sftp -oPort=22 [email protected]

                2. put: upload, followed by the local client path

                3. get: download server-side content to the local machine

                4. A remote connection starts in the user's home directory by default

ssh: common command-line parameters


usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
           [-D [bind_address:]port] [-e escape_char] [-F configfile]
           [-i identity_file] [-L [bind_address:]port:host:hostport]
           [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
           [-R [bind_address:]port:host:hostport] [-S ctl_path]
           [-W host:port] [-w local_tun[:remote_tun]]
           [user@]hostname [command]

The ssh background service: related commands


# Query the openssh and openssl packages

    rpm -qa openssh openssl

# Query the sshd process

    ps -ef | grep ssh

        --> /usr/sbin/sshd

# Check the ssh port

    netstat -lntup | grep ssh

    ss -lntup | grep ssh             ( same effect as above, and as below; use whichever you prefer )

    netstat -a | grep ssh            ( remember this one )

    netstat -lnt | grep 22    ==>  check whether port 22 is open / whether the ssh service is running

     tip: netstat -lntp | grep sshd | wc -l --> a count above 0 means the ssh service is listening

# Check the ssh key directory

    ll /root/.ssh/known_hosts  # the .ssh directory under the current user's home directory

# The ssh configuration file

    cat /etc/ssh/sshd_config

# Stop the ssh service

    service sshd stop

# Start the ssh service:

    service sshd start

# Restart the ssh service

    service sshd reload    [ stop the process and restart it ] ==> recommended

    service sshd restart   [ kill the process and restart it ] ==> not recommended

# ssh remote login

    ssh 192.168.1.100      # by default, log in with the user name of the current local user

    ssh [email protected]  # log in as a user of the remote machine

    ssh [email protected]  -o stricthostkeychecking=no # skip the yes prompt on first login

    ssh [email protected] "ls /home/omd"  # from the current server A, log in to server B and execute a command

    ssh [email protected] -t "sh /home/omd/ftl.sh"  # from the current server A, log in to server B and execute a script

 


ssh password-free ( key ) login setup

1. Go to the user's .ssh directory


[[email protected] ~]# cd /root/.ssh/             【 the root user uses the .ssh directory under /root 】

[[email protected] ~]# cd /home/omd/.ssh/   【 an ordinary user uses the .ssh directory under the home directory 】


2. Generate a private key and a public key with the DSA algorithm 【 by default they are created in the current user's home directory 】


[[email protected] .ssh]# ssh-keygen -t dsa     # press Enter at every prompt

                id_dsa         --> private key ( the key )

                id_dsa.pub     --> public key ( the lock )


3. Copy the public key to the target server

[[email protected] .ssh]# ssh-copy-id -i id_dsa.pub [email protected]              【 log in via the default ssh port 22 】

[[email protected] .ssh]# ssh-copy-id -i id_dsa.pub -p 666 [email protected]   【 log in via the configured ssh port 666 】

4. Check the file generated on the target server

[[email protected] .ssh]$ ll /home/omd/.ssh/authorized_keys


5. Password-free login to the target server

ssh [email protected]
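If step 5 still asks for a password, the usual cause is file permissions rather than the key itself. The following check is an added example, not the post's own: run on the target server against a user's home directory, it flags what sshd's default StrictModes rejects (a group- or world-writable home, .ssh or authorized_keys) and what the client side ignores (a private key readable by other users). It assumes a Linux stat that understands "-c %a"; the directories used in the usage are constructed. One side note for current systems: OpenSSH has disabled DSA (ssh-dss) keys by default since version 7.0, so "ssh-keygen -t ed25519" is the present-day replacement for the "-t dsa" step above; the permission rules are the same.

```shell
#!/bin/sh
# Added example (not from the original post): find the permissions that make
# key-based login silently fall back to a password prompt.
# Assumption: GNU or busybox stat with "-c %a" (Linux).

# mode_last3 PATH -> the three permission digits, e.g. 700 (suid digit dropped)
mode_last3() {
    m=$(stat -c '%a' "$1")
    printf '%s' "${m#"${m%???}"}"
}

# group_other_write MODE -> true (0) if group or other has the write bit (2)
group_other_write() {
    rest=${1#?}                       # drop the owner digit
    case "$rest" in *[2367]*) return 0 ;; esac
    return 1
}

# group_other_any MODE -> true (0) if group or other has any permission at all
group_other_any() {
    rest=${1#?}
    [ "$rest" != "00" ]
}

# ssh_perms_check HOME_DIR -> one line per problem, returns the number of problems
ssh_perms_check() {
    h="$1"; n=0
    # sshd (StrictModes yes) refuses authorized_keys when any of these is
    # writable by group or others
    for p in "$h" "$h/.ssh" "$h/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        m=$(mode_last3 "$p")
        if group_other_write "$m"; then
            echo "BAD  $p mode $m is group/world writable: sshd StrictModes refuses key login"
            n=$((n + 1))
        fi
    done
    # the client ignores a private key that other users can read
    for k in "$h"/.ssh/id_*; do
        [ -f "$k" ] || continue
        case "$k" in *.pub) continue ;; esac      # public keys may be world readable
        m=$(mode_last3 "$k")
        if group_other_any "$m"; then
            echo "BAD  private key $k mode $m is readable by others: ssh ignores it (want 600)"
            n=$((n + 1))
        fi
    done
    if [ "$n" -eq 0 ]; then
        echo "ok   $h: .ssh permissions are sane (700 directory, 600 keys and authorized_keys)"
    fi
    return "$n"
}

# Usage on the target server after ssh-copy-id:   ssh_perms_check /home/omd
```

The exit status is the number of problems found, so the function can sit in a deployment check; fixing is the familiar `chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys ~/.ssh/id_*`.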

6. Summary of the relationship between key and lock

1. Multiple keys open one lock

       copy id_dsa.pub to each server

 

2. One key opens many locks

       copy id_dsa to each server

       pass id_dsa on to yourself

ssh troubleshooting

1. Check whether the physical link is connected:   ping 192.168.25.130     the line | a firewall | the same network?

            ping itself uses the icmp protocol

2. Check whether the service is normal

telnet 192.168.25.130 22

3. Linux firewall

service iptables status ==>  /etc/init.d/iptables status

4. Run ssh with verbose output and observe

ssh -vvv [email protected]

SSH batch distribution and management: summary of the plans


1. Use root for ssh key authentication

    advantage: simple, easy to use
    disadvantage: poor security; there is no way to forbid root from connecting remotely


2. Use an ordinary user, omd                --> recommended


    Idea: copy the files to be distributed into the home directory of the server user, then use sudo to copy the distributed files into the corresponding directories
    advantage: secure
    disadvantage: complex, troublesome to configure
    1. sudo privilege elevation
        echo 'omd     ALL=(ALL)      NOPASSWD:/usr/bin/rsync' >> /etc/sudoers
        visudo -c
        grep omd /etc/sudoers
    2. scp the file into the home directory on the server
        scp -P22 -r /etc/hosts [email protected]:~
    3. over ssh, use sudo to copy it into /etc on the target server
        ssh -t [email protected] sudo rsync hosts /etc/

3. Extension of plan 2: no sudo, instead set the suid bit on a fixed command

  advantage: quite safe
        disadvantage: complex, poor security; anyone can run the suid command with its elevated privilege
       1. which rsync
       2. chmod 4755 /usr/bin/rsync

ssh chapter summary

    1. ssh is a remote encrypted connection protocol; related software: openssh, openssl
    2. Default port 22
    3. ssh protocol version
    4. On the server: the ssh connection, the ftp connection, the sshd daemon, started at boot
    5. Important ssh client commands: ssh ( user login && remote commands ), scp, sftp
    6. Security verification methods: password, key   ( learn the principles )
    7. ssh service optimization: change the port, change the listen address, no root, no empty passwords, no DNS
    8. ssh key pair: the public key goes on the server side, the private key stays on the client

A few points on modifying sshd, the startup file of the ssh service

1-1 Modify /etc/ssh/sshd_config

    GSSAPIAuthentication yes     solves the problem of one server managing multiple ssh services

    UseDNS no  speeds up the response, because we are in an intranet environment

    PermitRootLogin no  do not allow the root user to log in directly

    Port 11544 change the access port number

    ListenAddress  192.168.25.130  listen only on the intranet IP

    Match User anoncvs     the users allowed to log in in the current environment

    PermitRootLogin no      whether to allow the root user to log in; generally it is not allowed

1-2 Restart the service

    service sshd restart       writes the command into memory

    service sshd reload ( preferred )  reload is a smooth switch-over that does not affect users

1-3 Check the connected ports

    netstat -an | grep EST
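The hardening changes above can be checked mechanically before the service is reloaded. The following script is an added example, not part of the original post: it reads the global section of an sshd_config with the rule sshd itself applies (the first value read for a keyword wins, and nothing after a Match line is global) and reports the settings this page tells you to change. The two sample configs it writes are constructed for the demonstration; the default values it assumes (PermitRootLogin yes, PasswordAuthentication yes, UseDNS yes, Port 22) are the commented-out defaults in the sshd_config printed at the end of this page.

```shell
#!/bin/sh
# Added example (not from the original post): audit the global section of an
# sshd_config for the hardening settings discussed on this page.
# Assumption: OpenSSH semantics, where the FIRST value read for a keyword wins
# and everything after the first "Match" line is conditional, not global.

# lc STRING -> lower-cased string (sshd keywords are case-insensitive)
lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# sshd_effective FILE KEYWORD DEFAULT -> the value sshd will use for KEYWORD
sshd_effective() {
    awk -v key="$(lc "$2")" -v def="$3" '
        /^[ \t]*#/ || /^[ \t]*$/     { next }                 # comment or blank line
        tolower($1) == "match"       { exit }                 # global section ends here
        !found && tolower($1) == key { found = 1; val = $2 }  # first hit wins
        END { print (found ? val : def) }
    ' "$1"
}

# sshd_audit FILE -> prints one line per setting, returns the number of weak ones
sshd_audit() {
    f="$1"; n=0
    # keyword|default as in the page's sshd_config|recommended value|why
    while IFS='|' read -r key def want why; do
        got=$(sshd_effective "$f" "$key" "$def")
        if [ "$(lc "$got")" = "$want" ]; then
            echo "ok    $key $got"
        else
            echo "WEAK  $key $got (want $want): $why"
            n=$((n + 1))
        fi
    done <<'EOF'
Protocol|2|2|SSH1 never verifies the client key
PermitRootLogin|yes|no|root must not log in directly
PasswordAuthentication|yes|no|key login only, no password guessing
PermitEmptyPasswords|no|no|empty passwords must stay refused
UseDNS|yes|no|reverse lookups only slow logins on an intranet
EOF
    port=$(sshd_effective "$f" Port 22)
    if [ "$port" = "22" ]; then
        echo "WEAK  Port $port: move sshd off the default port"; n=$((n + 1))
    else
        echo "ok    Port $port"
    fi
    addr=$(sshd_effective "$f" ListenAddress 0.0.0.0)
    case "$addr" in
        0.0.0.0|::) echo "WEAK  ListenAddress $addr: listen on the intranet IP only"; n=$((n + 1)) ;;
        *)          echo "ok    ListenAddress $addr" ;;
    esac
    return "$n"
}

# Constructed sample modelled on the sshd_config printed at the end of this
# page: most options left commented (defaults apply), passwords switched on.
# The Match block shows why only the global section counts.
write_page_style_config() {
    cat > "$1" <<'EOF'
#Port 22
#ListenAddress 0.0.0.0
Protocol 2
#PermitRootLogin yes
#PasswordAuthentication yes
PasswordAuthentication yes
#PermitEmptyPasswords no
#UseDNS yes
Match User anoncvs
    PasswordAuthentication no
EOF
}

# Constructed sample with the page's hardening applied. The second
# PermitRootLogin line is deliberate: sshd ignores it, the first value wins.
write_hardened_config() {
    cat > "$1" <<'EOF'
Port 11544
ListenAddress 192.168.25.130
Protocol 2
PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication no
PermitEmptyPasswords no
UseDNS no
PubkeyAuthentication yes
EOF
}

# Usage: sh sshd_audit.sh /etc/ssh/sshd_config
if [ -n "${1:-}" ]; then
    sshd_audit "$1"
fi
```

The exit status is the number of weak settings, which makes the script easy to drop into a deployment check. On newer OpenSSH releases `sshd -T` prints the effective configuration directly and is the authoritative way to confirm what the parser above approximates.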

SSH: skip HostKeyChecking, no need to type yes

SSH: skip the "RSA key fingerprint ... yes/no" prompt

When configuring a large number of nodes that need to connect to each other over ssh, if you copy to many nodes automatically every one of them asks for a yes, and every pair of nodes has to go through it once; this causes a lot of trouble

Solution 1: modify the configuration file /etc/ssh/ssh_config

look for   # StrictHostKeyChecking ask

change it to: StrictHostKeyChecking no

Solution 2: add the parameter -o  【 o = option 】

ssh [email protected] -o "StrictHostKeyChecking no"

scp -o "StrictHostKeyChecking no" newfile.txt [email protected]:/root
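Turning StrictHostKeyChecking off removes the one check that notices a changed host key, which is exactly the signal worth keeping when managing many nodes. The following is an added example (not from the original post) of the alternative: pre-seed known_hosts from ssh-keyscan output, which uses the same "host keytype key" line format as known_hosts, add only unseen host/type pairs, and refuse to overwrite a key that differs. The sample known_hosts and scan contents are constructed; the keys are placeholders, not real key material, and the hosts are the page's 192.168.25.x nodes.

```shell
#!/bin/sh
# Added example (not from the original post): seed known_hosts from a
# scan file instead of disabling StrictHostKeyChecking on every node.
# Assumptions: the scan file holds ssh-keyscan style lines
# ("host[,host...] keytype base64key"); known_hosts is not hashed
# (HashKnownHosts no), so host names can be compared as text.

# known_hosts_merge KNOWN_HOSTS SCAN_FILE
#   prints ADD / SAME / CONFLICT per scanned line, appends only new
#   (host, keytype) pairs to KNOWN_HOSTS, returns the number of conflicts.
known_hosts_merge() {
    [ -f "$1" ] || : > "$1"                # a missing known_hosts is an empty one
    awk -v known="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comments and blanks
        NF < 3                   { next }                 # not "host type key"
        FILENAME == known        { have[$1 " " $2] = $3; next }   # trusted entries
        {
            k = $1 " " $2
            if (!(k in have))       { print "ADD      " k; add[++adds] = $0; have[k] = $3 }
            else if (have[k] == $3) { print "SAME     " k }
            else                    { print "CONFLICT " k " (key changed, verify before trusting)"; conflicts++ }
        }
        END {
            for (i = 1; i <= adds; i++) print add[i] >> known
            exit conflicts + 0
        }
    ' "$1" "$2"
}

# Constructed: two nodes already trusted (placeholder keys, not real ed25519 data)
write_sample_known_hosts() {
    cat > "$1" <<'EOF'
192.168.25.130 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKE-node130-key
192.168.25.131 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKE-node131-key
EOF
}

# Constructed scan: .130 unchanged, .131 presents a different key, .132 is new
write_sample_scan() {
    cat > "$1" <<'EOF'
# constructed comment line, skipped by the merge
192.168.25.130 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKE-node130-key
192.168.25.131 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKE-node131-REPLACED
192.168.25.132 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKE-node132-key
192.168.25.132 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQFAKE-node132-rsa
EOF
}

# Usage:
#   ssh-keyscan -t ed25519 192.168.25.132 > scan.txt 2>/dev/null
#   known_hosts_merge ~/.ssh/known_hosts scan.txt
```

Seed once this way and the batch scripts can keep the default StrictHostKeyChecking ask (or accept-new on OpenSSH 7.6 and later, which adds unknown hosts but still refuses a changed key) without any yes prompt. A CONFLICT line means the node was reinstalled or something else is answering for its address; confirm the fingerprint out of band before removing the old entry with `ssh-keygen -R host`.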

ssh login with a password: installing sshpass

【 Download address 】https://sourceforge.net/projects/sshpass/files/latest/download

Upload the files to the server

Installation on CentOS:

[[email protected] ~]# tar xf sshpass-1.06.tar.gz
[[email protected] ~]# cd sshpass-1.06
[[email protected] sshpass-1.06]# ./configure
[[email protected] sshpass-1.06]# make && make install

Check whether the installation succeeded:

[[email protected] sshpass-1.06]# which sshpass
/usr/local/bin/sshpass

Log in to a remote host:

sshpass -p [email protected] ssh [email protected] -o "StrictHostKeyChecking no"

Note: if this is the first login you need to type yes manually; sshpass gives no prompt here, so the login fails

Ubuntu installation method 1 [ recommended ]: simple

[email protected]:~/sshpass-1.06$ sudo apt install sshpass

Installation succeeded:

[email protected]:~/sshpass-1.06$ which sshpass

Ubuntu installation method 2:

[email protected]:~$ tar xf sshpass-1.06.tar.gz
[email protected]:~$ cd sshpass-1.06/
omd@omd-virtual-machine:~/sshpass-1.06$ ./configure
[email protected]:~/sshpass-1.06$ sudo make && sudo make install

Same as the CentOS installation

 

Appendix: the ssh configuration file

/etc/ssh/sshd_config


[[email protected] .ssh]# cat /etc/ssh/sshd_config
#       $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem       sftp    /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server

Author: Small a ninety-seven

Source: http://www.cnblogs.com/ftl1012/