SSH remote management in detail (ssh remote control, sshd service password verification)

1. SSH related concepts

1.1 SSH definition

SSH (Secure Shell) is a secure channel protocol, mainly used for remote login to a character (command line) interface and for remote file copying.
The SSH protocol encrypts all data exchanged between the two parties, including the password typed at login, so nothing usable is exposed to anyone sniffing the network. This is what gives SSH its good security.

1.2 SSH advantages

  • Data transmission is encrypted, which prevents information leakage (telnet and plain FTP send passwords in clear text)
  • Data transmission can optionally be compressed (the Compression option), which can speed up transfers over slow links

1.3 SSH client and server

  • SSH clients: PuTTY, Xshell, SecureCRT, and the ssh command that comes with OpenSSH

  • SSH server: OpenSSH

  • OpenSSH is an open source software project that implements the SSH protocol and runs on the various UNIX and Linux operating systems

  • CentOS 7 installs the openssh packages by default and enables the sshd service at boot

  • Execute the "systemctl start sshd" command to start the sshd service

  • The sshd service listens on TCP port 22 by default

1.4 SSH configuration file

  • The default configuration file of the sshd service is /etc/ssh/sshd_config
  • Both ssh_config and sshd_config live in /etc/ssh, but they configure different programs
  • The difference between the two: ssh_config is the configuration file for the client (the ssh command), and sshd_config is the configuration file for the server (sshd). Only sshd_config affects who can log in to this machine

2. Configure the OpenSSH server

2.1 Common option settings of sshd_config configuration file

(The original page shows screenshots of the file here.) The options this page goes on to use are Port (22 by default), AllowUsers and DenyUsers (section 2.2), and PasswordAuthentication, PubkeyAuthentication and AuthorizedKeysFile (section 3). Two things to keep in mind when editing the file: sshd reads it top to bottom and, for most keywords, the first value it meets wins, so a commented-out default such as "#PermitRootLogin yes" should be changed in place rather than duplicated further down; and every edit should be checked with "sshd -t" before "systemctl restart sshd", because a syntax error stops sshd from starting and can lock you out of a remote machine.
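The editing rules above as a small POSIX shell script, added here as an example rather than code from the original post: it changes options in a copy of sshd_config idempotently (rewriting the first occurrence of a keyword, commented out or not, instead of appending a duplicate that sshd would ignore), reads back the value sshd will actually use, and runs the syntax check. The option set and values in harden_sshd_config are this example's assumptions; the sample file is a constructed imitation of CentOS 7's commented-out defaults.

```shell
#!/bin/sh
# Added example: idempotent editing of sshd_config options plus a read-back check.
# The values applied by harden_sshd_config are this example's assumptions,
# not settings taken from the original page.

# Rewrite the first occurrence of KEY (active or commented out) to "KEY VALUE",
# or append it if the keyword is absent. sshd uses the first value it reads for
# most keywords, so rewriting the first occurrence is what makes the change win.
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)        # drop leading blanks and a comment marker
            split(line, f, /[ \t]+/)
            if (!done && tolower(f[1]) == tolower(key)) {
                print key " " value; done = 1; next
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"       # cat keeps the file's owner and mode
    rm -f "$tmp"
}

# Print the value sshd will use for KEY: first active, case-insensitive match.
get_sshd_option() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Apply a small set of commonly recommended options (assumed values, not from the page).
harden_sshd_config() {
    f=$1
    set_sshd_option "$f" PermitRootLogin no          # log in as a normal user, then sudo
    set_sshd_option "$f" PermitEmptyPasswords no
    set_sshd_option "$f" MaxAuthTries 3              # fewer password guesses per connection
    set_sshd_option "$f" LoginGraceTime 30           # seconds allowed to finish authenticating
    set_sshd_option "$f" UseDNS no                   # no reverse lookup on every login
    set_sshd_option "$f" X11Forwarding no
}

# sshd -t checks syntax before a restart that could lock you out. It needs to read the
# host keys, so run it as root. Returns non-zero if sshd is absent or the check fails.
validate_sshd_config() {
    command -v sshd >/dev/null 2>&1 || { echo "sshd not found, skipping syntax check"; return 1; }
    sshd -t -f "$1"
}

# Demo on a constructed copy, never on the live file.
demo=$(mktemp)
cat > "$demo" <<'EOF'
#Port 22
#PermitRootLogin yes
#MaxAuthTries 6
PasswordAuthentication yes
EOF
harden_sshd_config "$demo"
set_sshd_option "$demo" Port 2222
printf 'PermitRootLogin=%s Port=%s UseDNS=%s\n' \
    "$(get_sshd_option "$demo" PermitRootLogin)" \
    "$(get_sshd_option "$demo" port)" \
    "$(get_sshd_option "$demo" UseDNS)"
validate_sshd_config "$demo" || echo "(syntax check not run or failed here; run it as root on the real host)"
```

Work on a copy, copy it into place only after sshd -t passes, and keep an existing session open while you restart. The script does not understand Match blocks: if the first occurrence of a keyword sits inside one, it is rewritten there, so confirm the result with get_sshd_option or with "sshd -T", which prints the effective configuration.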

2.2 Remote login simulation experiment

2.2.1 AllowUsers: only allow the listed users to log in

Method 1:
① First add three new users (zhangsan, lisi and dingyi) on the server and set their passwords.
② Edit the server configuration file /etc/ssh/sshd_config and add an AllowUsers line that names zhangsan and lisi but not dingyi.
③ Restart the service (systemctl restart sshd) so the change takes effect.

④ Test
Create a new session in the client. The client's job is to connect to the server, so the host IP entered in the session is the server's IP; whether the connection succeeds is what decides the experiment.
The experiment succeeds: user zhangsan can connect to the server.
The same method is used to try whether user lisi can log in, with the same success.
Finally, try whether user dingyi can log in.

The server rejects the password after it is entered. The client sees exactly what it would see for a wrong password; on the server, /var/log/secure records that the user was refused because it is not listed in AllowUsers, which is how to tell the two cases apart.

Experiment successful.
Method 2:
Test from the command line on the client instead of a graphical session:
ssh username@server IP

2.2.2 DenyUsers: forbid the listed users from logging in. The usage is the same as AllowUsers. Be careful not to use the two at the same time: sshd evaluates DenyUsers first and AllowUsers second, so a user named in both is denied, and a user in neither is denied as soon as AllowUsers exists at all.

① Edit the server configuration file and add a DenyUsers line naming the user to block (remove the AllowUsers line from the previous experiment).
② Restart the service.
③ Test with the three users in turn:
user zhangsan
user lisi
user dingyi
The user named in DenyUsers is refused after entering the password; the other two log in as before.
Experiment successful.
Method 2:
As before, test from the client's command line with ssh username@server IP.
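An offline way to see what the two directives do together, added here as example code that is not part of the original post: a POSIX shell evaluator that applies the order sshd_config(5) specifies, DenyUsers first and then AllowUsers, to a configuration file and a user name, with the same * and ? wildcards and the USER@HOST form that sshd accepts. The configuration fragment and the users zhangsan, lisi, dingyi and admin are constructed for the example; DenyGroups/AllowGroups are not modelled.

```shell
#!/bin/sh
# Added example: evaluate sshd's AllowUsers/DenyUsers decision for a user offline.
# Precedence follows sshd_config(5): DenyUsers is consulted first, then AllowUsers
# (then DenyGroups/AllowGroups, which this example does not model).
set -f   # patterns contain '*'; keep the shell from expanding them as file names

# Collect the arguments of every active KEY line (both directives accumulate across lines).
config_values() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { for (i = 2; i <= NF; i++) printf "%s ", $i }
    ' "$1"
}

# Does USER (connecting from ADDR, may be empty) match any of the remaining patterns?
user_matches() {
    u=$1 a=$2; shift 2
    for pat in "$@"; do
        case $pat in
            *@*) host=${pat#*@}; pat=${pat%%@*}          # USER@HOST: both halves must match
                 case $a in $host) ;; *) continue ;; esac ;;
        esac
        case $u in $pat) return 0 ;; esac                 # case gives us * and ? matching
    done
    return 1
}

# Print the reason and return 0 if sshd would let USER authenticate, 1 otherwise.
sshd_user_permitted() {
    cfg=$1 user=$2 addr=${3:-}
    deny=$(config_values "$cfg" DenyUsers)
    allow=$(config_values "$cfg" AllowUsers)
    if user_matches "$user" "$addr" $deny; then
        echo "$user: denied by DenyUsers"; return 1
    fi
    if [ -n "$allow" ] && ! user_matches "$user" "$addr" $allow; then
        echo "$user: not listed in AllowUsers"; return 1
    fi
    echo "$user: permitted"; return 0
}

# Constructed sshd_config fragment with both directives on purpose, to show which wins.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
AllowUsers zhangsan lisi admin@192.168.80.*
DenyUsers lisi
EOF
sshd_user_permitted "$cfg" zhangsan || true           # permitted
sshd_user_permitted "$cfg" lisi || true               # denied by DenyUsers, despite AllowUsers
sshd_user_permitted "$cfg" dingyi || true             # not listed in AllowUsers
sshd_user_permitted "$cfg" admin 192.168.80.5 || true # permitted from the listed network
sshd_user_permitted "$cfg" admin 10.0.0.5 || true     # not listed in AllowUsers (wrong source)
```

On the real server the authoritative check is "sshd -T -C user=lisi,addr=192.168.80.5", which prints the configuration sshd will apply to that connection; the evaluator above is for reviewing a file before it is deployed. A user listed in both directives is denied, which is the reason the text advises against mixing them.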

2.3 scp remote replication simulation experiment

2.3.1 Downlink copy-copy files from remote host to local machine

Copy the /etc/passwd file of the remote host to the local machine, renaming it on the way:
scp user@<server IP>:/etc/passwd /root/passwd10.txt

The command prompts for the remote user's password (or uses the key pair from section 3) and then prints the transfer progress.

2.3.2 Uplink copy: copy a local directory to the remote host

Copy the local /etc/ssh directory into /opt on the remote host (-r is required to copy a directory recursively):
scp -r /etc/ssh/ user@<server IP>:/opt
Verify on the remote host that /opt/ssh now exists and contains the copied files.

2.4 sftp secure FTP simulation experiment

Because every transfer is encrypted, sftp is somewhat slower than plain FTP, but far more secure. It runs as a subsystem of sshd, so no separate FTP server is needed, and its command syntax is almost the same as ftp.

sftp user@<server IP>
sftp> ls
sftp> get filename		#download a file into the local working directory; add "-r" to download a directory
sftp> put filename		#upload a file into the remote working directory
sftp> quit		    #exit

3. The two verification methods supported by the sshd service

3.1.1 Password verification

  • Password verification checks the login name and password of a local system user on the server. Simple, but exposed to brute-force guessing, since anyone who can reach port 22 can try passwords

3.1.2 Key pair verification

  • Key pair verification requires matching key material. Usually a pair of key files (public key and private key) is created on the client first, and the public key file is placed in the designated location on the server. At login the server sends a challenge, the client signs it with the private key, and the server checks the signature with the stored public key; the private key never leaves the client. This strengthens security and, combined with an agent, avoids interactive prompts

3.2 The relationship between public key and private key

  • The public key and the private key are generated in pairs. The two keys are different, and what one of them encrypts only the other can decrypt (for SSH, what the private key signs, the public key verifies).
  • One key cannot be computed from the other.
  • The public key can be handed out freely; the private key is known only to its holder and must be protected accordingly.
  • When both password verification and key pair verification are enabled, the client tries the key pair first and falls back to the password (the default PreferredAuthentications order). Once key logins work, setting PasswordAuthentication to no removes the brute-force surface entirely. The verification method can be set according to the actual situation.
vim /etc/ssh/sshd_config                        #edit the server's main configuration file
PasswordAuthentication yes 						#enable password verification
PubkeyAuthentication yes 						#enable key pair verification
AuthorizedKeysFile .ssh/authorized_keys 		#public key store, relative to each user's home directory

3.3 Simulation experiment

① On the server, create a new user wangda and set a password for it.
② On the client, create a new user wanger and, as that user, generate the key pair (ssh-keygen). The private key stays on the client; only the public key leaves it.
③ Upload the public key file to the server and append it to ~wangda/.ssh/authorized_keys (ssh-copy-id does this and sets the file permissions).
④ Log in from the client as wangda using the key pair; sshd accepts the signature made with the private key and no password is asked for.
⑤ Start ssh-agent on the client and add the private key to it, so that the key's passphrase is entered once per session and later logins are non-interactive.
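Steps ② to ⑤ as commands, plus a check for the failure that bites most often: this is an added example, not code from the original post. sshd with StrictModes yes (the default) silently ignores authorized_keys when the home directory, ~/.ssh or the file itself is writable by group or others, and ssh refuses to use a private key that anyone else can read; both failures simply fall back to a password prompt. The key type ed25519, the file names and the user@server placeholder are this example's choices; the demo runs on a constructed throw-away home directory.

```shell
#!/bin/sh
# Added example: key-pair login procedure plus permission checks for the StrictModes
# failure mode. Host, user and file names are placeholders chosen for this example.

mode_of() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }   # GNU stat, then BSD/macOS stat
perm_tail() { m=$(mode_of "$1"); printf '%s' "${m#"${m%???}"}"; } # last three octal digits

writable_by_others() {                     # true if the group or other write bit is set
    m=$(perm_tail "$1"); g=${m#?}; g=${g%?}; o=${m#??}
    case "$g$o" in *[2367]*) return 0 ;; esac
    return 1
}

# Server side: would sshd (StrictModes yes) accept HOME/.ssh/authorized_keys?
check_server_key_perms() {
    home=$1 bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || { echo "FAIL: $p missing"; bad=1; continue; }
        if writable_by_others "$p"; then echo "FAIL: $p is group/world-writable"; bad=1; fi
    done
    [ "$(perm_tail "$home/.ssh" 2>/dev/null)" = 700 ] || echo "WARN: $home/.ssh should be 700"
    [ $bad -eq 0 ] && echo "OK: $home passes the StrictModes checks"
    return $bad
}

# Client side: ssh only uses a private key with no group/other permission bits (0600 or 0400).
check_private_key_perms() {
    case "$(perm_tail "$1")" in ?00) return 0 ;; *) echo "FAIL: $1 must be 0600"; return 1 ;; esac
}

# The procedure itself; run by hand as the client user, e.g. setup_key_login wangda@<server IP>.
setup_key_login() {
    ssh-keygen -t ed25519 -a 64 -f "$HOME/.ssh/id_ed25519"     # prompts for a passphrase
    ssh-copy-id -i "$HOME/.ssh/id_ed25519.pub" "$1"            # appends the public key on the server
    eval "$(ssh-agent -s)" && ssh-add "$HOME/.ssh/id_ed25519"  # agent holds the unlocked key
    ssh -o PasswordAuthentication=no "$1" true                 # succeeds only if the key was accepted
}

# Demo on a constructed throw-away home directory.
h=$(mktemp -d)
mkdir -m 700 "$h/.ssh"
: > "$h/.ssh/authorized_keys"; chmod 600 "$h/.ssh/authorized_keys"
check_server_key_perms "$h"
chmod 770 "$h/.ssh"                 # a common mistake after editing the file as another user
check_server_key_perms "$h" || true
```

check_private_key_perms applies on the client and check_server_key_perms on the server. When a key login unexpectedly asks for a password, run ssh -v on the client and read /var/log/secure on the server, where sshd logs "Authentication refused: bad ownership or modes" with the offending path.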

4. TCP Wrappers access control

TCP Wrappers "wraps" a TCP service program: it accepts connections to the service's port on the program's behalf and adds a security check in front of it. An external connection request must first pass this check, and only when permitted does it reach the real service program.
In most Linux distributions, TCP Wrappers is available by default. CentOS 7 ships the tcp_wrappers package and its sshd is built with libwrap support, but upstream OpenSSH removed that support in version 6.7 and RHEL/CentOS 8 dropped tcp_wrappers altogether, so confirm with the ldd check below before relying on hosts.allow for sshd.
rpm -q tcp_wrappers

4.1 Two implementations of TCP Wrapper protection mechanism

  • Use the tcpd program directly to protect other service programs; the tcpd program itself must run in front of the service (the classic inetd style).
  • The network service program calls the libwrap.so.* shared library itself, and tcpd does not run at all. This method is more widely used and more efficient.

4.2 Use the ldd command to check whether a program is linked against libwrap.so.*

ldd $(which sshd vsftpd) | grep libwrap

Run this as root so that /usr/sbin is on the PATH (or give the full paths /usr/sbin/sshd and /usr/sbin/vsftpd). A program that prints no libwrap line does not consult hosts.allow and hosts.deny at all.

The access policy of TCP Wrappers
The objects protected by the TCP Wrappers mechanism are the network service programs, and access control is applied to the client address from which the service is accessed.
The two corresponding policy files are /etc/hosts.allow and /etc/hosts.deny, which hold the allow rules and the deny rules respectively.

Format:
<service program list>:<client address list>

4.2.1 Service program list

ALL: Represents all services.
Single service program: such as "vsftpd".
A list of multiple service programs: such as "vsftpd, sshd".

4.2.2 Client address list

ALL: Represents any client address.
LOCAL: represents the local address.
Multiple addresses are separated by commas

Wildcards "*" and "?" are allowed: "*" matches any number of characters and "?" matches exactly one character.
Network segment addresses, such as 192.168.80. (the trailing dot makes it a prefix, matching 192.168.80.0/24) or 192.168.80.0/255.255.255.0.
Domain addresses, such as .benet.com (leading dot), match all hosts in the benet.com domain.

4.3 Basic principles of TCP Wrappers mechanism

  • First check the /etc/hosts.allow file, if a matching policy is found, then access is allowed;
  • Otherwise, continue to check the /etc/hosts.deny file, and if a matching policy is found, access is denied;
  • If no matching policy is found after checking the above two files, access is allowed.

"Allow all, deny individual"
just add the corresponding deny policy in the /etc/hosts.deny file

"Allow individual, deny all"
In addition to adding an allow policy in /etc/hosts.allow, you also need to set an "ALL:ALL" deny policy in the /etc/hosts.deny file.

For example, to let only the host 12.0.0.1 and the hosts on the 192.168.80.0/24 network segment reach the sshd service and reject every other address, add an allow rule for sshd listing 12.0.0.1 and 192.168.80. to /etc/hosts.allow, and the "ALL:ALL" deny rule to /etc/hosts.deny. The files are re-read on every connection, so no service restart is needed, and a mistake in hosts.deny takes effect immediately: test from a second session before closing the one you are in.

Origin blog.csdn.net/weixin_51613313/article/details/110951763