Linux SSH remote management and the two authentication methods of the sshd service

1. SSH protocol

1. Overview

SSH (Secure Shell) is a secure channel protocol, mainly used for remote login and remote file copy over a character (command-line) interface.

The SSH protocol encrypts the data transmitted between the communicating parties, including the password the user enters at login, so it offers good security.

2. The advantages of SSH

Data transmission is encrypted, which prevents information leakage (security)

Data transmission is compressed, which can increase transfer speed (speed)

3. SSH client and server

SSH clients: PuTTY, Xshell, SecureCRT

SSH server: OpenSSH

2. OpenSSH protocol

1. Concept

OpenSSH is an open source software project that implements the SSH protocol and is suitable for various UNIX and Linux operating systems.

CentOS 7 installs the openssh packages by default and enables the sshd service to start at boot (the service name of OpenSSH is sshd).

Run "systemctl start sshd" to start the sshd service.

The sshd service listens on TCP port 22 by default.

The default configuration file of the sshd service is /etc/ssh/sshd_config.
Both ssh_config and sshd_config are SSH configuration files:
    ssh_config is the configuration file for the client
    sshd_config is the configuration file for the server


2. View the OpenSSH server configuration

Commonly used options in the sshd_config configuration file
vim /etc/ssh/sshd_config
Port 22                     # listen on port 22
ListenAddress 0.0.0.0       # listen on any address; a specific IP of the OpenSSH server can also be given

LoginGraceTime 2m           # login authentication must complete within 2 minutes
PermitRootLogin no          # forbid root login
MaxAuthTries 6              # maximum number of authentication attempts is 6

PermitEmptyPasswords no     # forbid users with empty passwords from logging in
UseDNS no                   # disable reverse DNS lookups to improve server response time


3. AllowUsers and DenyUsers

AllowUsers user1 user2 user3        # only these users may log in; separate multiple users with spaces
DenyUsers user1                     # forbid this user from logging in
# allow only zhangsan, lisi and wangwu to log in, and wangwu only from the host with IP address 10.0.0.2
AllowUsers zhangsan lisi wangwu@10.0.0.2
# forbid certain users from logging in; usage is similar to AllowUsers (do not use both at the same time)
DenyUsers li


4. Two authentication methods of the sshd service

(1) Password authentication
Verifies the login name and password of a local system user on the server. Simple, but may be brute-forced (limit attempts with the MaxAuthTries option shown above).

(2) Key pair authentication

Matching key material is required to pass authentication. Usually a pair of key files (public key, private key) is created on the client first, and the public key file is then placed in a specified location on the server. At remote login, the two sides verify each other using the public key and private key (the server encrypts a challenge that only the holder of the private key can decrypt). This strengthens security and also allows login without interactive password entry.

When both password authentication and key pair authentication are enabled, the server tries key pair authentication first. The authentication method can be chosen according to the actual situation.

vim /etc/ssh/sshd_config
PasswordAuthentication yes                  # enable password authentication
PubkeyAuthentication yes                    # enable key pair authentication
AuthorizedKeysFile .ssh/authorized_keys     # file that holds the authorized public keys
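The options above (PermitRootLogin, MaxAuthTries, PermitEmptyPasswords, UseDNS, AllowUsers/DenyUsers, PasswordAuthentication, PubkeyAuthentication) are the ones an administrator most often gets wrong, so here is an added example, written for this page and not part of the original post, that audits an sshd_config against them. It relies on two facts about sshd's parser: keywords are case-insensitive, and the first occurrence of a keyword wins (settings inside a "Match" block are conditional, so the parser stops there). The two sample config files are constructed inline; PasswordAuthentication yes is reported as a finding because the text notes that passwords can be brute-forced.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config file for the
# hardening options discussed in the text. sshd uses the FIRST occurrence of a
# keyword, keywords are case-insensitive, and a "Match" block starts conditional
# settings, so sshd_get returns the first uncommented value before any Match line.

# sshd_get FILE KEYWORD -> prints the effective value, or nothing if unset
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match"   { exit }
        tolower($1) == key       { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }
    ' "$1"
}

# sshd_get_lc FILE KEYWORD -> same, lower-cased (yes/no values are case-insensitive)
sshd_get_lc() { sshd_get "$1" "$2" | tr 'A-Z' 'a-z'; }

# warn MESSAGE -> prints a finding and counts it in the global n
warn() { echo "WARN: $1"; n=$((n+1)); }

# sshd_audit FILE -> prints one WARN line per weak setting; returns 1 if any were found
sshd_audit() {
    f=$1; n=0
    v=$(sshd_get_lc "$f" PermitRootLogin);        [ "${v:-yes}" = no ]  || warn "PermitRootLogin '${v:-yes}': want no"
    v=$(sshd_get_lc "$f" PermitEmptyPasswords);   [ "${v:-no}" = no ]   || warn "PermitEmptyPasswords '$v': want no"
    v=$(sshd_get_lc "$f" MaxAuthTries);           [ "${v:-6}" -le 6 ]   || warn "MaxAuthTries '$v': 6 or fewer recommended"
    v=$(sshd_get_lc "$f" PubkeyAuthentication);   [ "${v:-yes}" = yes ] || warn "PubkeyAuthentication '$v': key pair login disabled"
    v=$(sshd_get_lc "$f" PasswordAuthentication); [ "${v:-yes}" = no ]  || warn "PasswordAuthentication '${v:-yes}': passwords can be brute-forced"
    v=$(sshd_get_lc "$f" UseDNS);                 [ "${v:-no}" = no ]   || warn "UseDNS '$v': reverse lookups slow down logins"
    # The text advises against setting AllowUsers and DenyUsers at the same time.
    if [ -n "$(sshd_get "$f" AllowUsers)" ] && [ -n "$(sshd_get "$f" DenyUsers)" ]; then
        warn "both AllowUsers and DenyUsers are set; use only one of them"
    fi
    [ "$n" -eq 0 ]
}

# sshd_audit_count FILE -> prints the number of findings (always exits 0)
sshd_audit_count() { sshd_audit "$1" | grep -c '^WARN:' || true; }

demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
# Constructed sample: the options from the text with weak values
printf '%s\n' 'Port 22' 'ListenAddress 0.0.0.0' 'PermitRootLogin yes' 'MaxAuthTries 20' \
    'PasswordAuthentication yes' 'AllowUsers zhangsan lisi wangwu@10.0.0.2' 'DenyUsers li' \
    > "$demo/weak_sshd_config"
# Constructed sample: the hardened values recommended in the text, with password login off
printf '%s\n' 'Port 22' 'ListenAddress 0.0.0.0' 'LoginGraceTime 2m' 'PermitRootLogin no' \
    'MaxAuthTries 6' 'PermitEmptyPasswords no' 'UseDNS no' 'PasswordAuthentication no' \
    'PubkeyAuthentication yes' 'AuthorizedKeysFile .ssh/authorized_keys' \
    'AllowUsers zhangsan lisi wangwu@10.0.0.2' > "$demo/hardened_sshd_config"

echo "== weak config ==";     sshd_audit "$demo/weak_sshd_config" || true
echo "== hardened config =="; sshd_audit "$demo/hardened_sshd_config" && echo "no findings"
```

Run it against a real server with `sshd_audit /etc/ssh/sshd_config`; the weak sample yields four findings and the hardened one none. Because sshd honours the first occurrence, a hardening line appended at the end of a file that already contains `PermitRootLogin yes` has no effect, which is exactly the case this parser reproduces.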


1. Configure password authentication

Operations in the SSH client program
1) SSH remote login

ssh [options] zhangsan@192.168.163.10
When a user logs in to the SSH server for the first time, the ECDSA host key sent by the server must be accepted (type "yes" at the prompt) before authentication can continue. The accepted key is saved in the ~/.ssh/known_hosts file. After the password has been verified, the user is in the command-line environment of the target server.

-p: specify a non-default port number; port 22 is used by default
ssh -p 20 zhangsan@192.168.163.10     # connect to 192.168.163.10 on port 20


2. scp remote copy

# download from the server
scp root@192.168.163.10:/etc/passwd /root/passwd1.txt     # copy /etc/passwd on the remote host to the local machine

# upload to the server
scp -r /root/123/ root@192.168.163.10:/opt                 # copy the local /root/123 directory to the remote host

Downlink copy: copy the /etc/passwd file of the remote host to the local machine

scp root@192.168.163.10:/etc/passwd /root/passwd10.txt


Uplink copy: copy a local file or directory to the remote host (the command below copies the local /etc/passwd file to /opt on the remote host; -r is needed when copying a directory such as /etc/ssh)

[root@localhost ~]# scp -r /etc/passwd root@192.168.163.10:/opt


3. sftp secure FTP

Because encryption/decryption is used, transfer efficiency is lower than with plain FTP, but security is higher. The sftp command syntax is almost the same as that of ftp.

sftp zhangsan@192.168.163.10
zhangsan@192.168.163.10's password:     # enter the password
Connected to 192.168.163.10.
sftp> pwd
sftp> ls
sftp> get filename      # download a file into the home directory of the local account that ran sftp; add -r for a directory
sftp> put filename      # upload a file into the home directory of the remote login user; add -r for a directory
sftp> quit              # exit


4. Configure key pair authentication

1) Create a key pair on the client

Use the ssh-keygen tool to create a key pair for the current user. The available algorithms include RSA, ECDSA and DSA (the "-t" option of ssh-keygen selects the algorithm).
useradd li1
echo "123456" | passwd --stdin li1
su - li1

ssh-keygen -t ecdsa
Generating public/private ecdsa key pair.
Enter file in which to save the key (/home/admin/.ssh/id_ecdsa):     # location of the private key; press Enter to accept the default
Created directory '/home/admin/.ssh'.     # by default the private and public key files are stored in the hidden .ssh/ directory of the home directory
Enter passphrase (empty for no passphrase):     # set a passphrase for the private key
Enter same passphrase again:                    # confirm the passphrase

ls -l .ssh/id_ecdsa
# id_ecdsa is the private key file, mode 600 by default; id_ecdsa.pub is the public key file, which is given to the SSH server

1. Create a user on the client:

Then create new users a and b on the client to configure the key pair.

Method 1: ssh-copy-id imports the public key text directly into /home/zhangsan/.ssh/authorized_keys on the server
cd ~/.ssh/
ssh-copy-id -i id_ecdsa.pub zhangsan@192.168.163.10

Method 2:
Client side: first copy the public key file to the server
scp ~/.ssh/id_ecdsa.pub zhangsan@192.168.163.10:/opt
Server side:
mkdir /home/zhangsan/.ssh/     # create the hidden .ssh directory in zhangsan's home directory; it must be created if it does not exist yet
cat /opt/id_ecdsa.pub >> /home/zhangsan/.ssh/authorized_keys     # append the copied public key file to authorized_keys

cat /home/zhangsan/.ssh/authorized_keys     # view the authorized_keys file
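Method 2 above leaves out a detail that causes most "key pair login still asks for a password" problems: sshd (with its default StrictModes yes) ignores authorized_keys when ~/.ssh is not mode 700 or authorized_keys is not mode 600, and a key appended twice clutters the file. The following added example, written for this page and not part of the original post, does what ssh-copy-id does for you: it appends the key only if its type and base64 blob are not already present, then sets the permissions. The home directory and the key line are constructed for the demo (the key blob is not a real key).

```shell
#!/bin/sh
# Added example (not from the original post): install a public key into a user's
# authorized_keys the way ssh-copy-id does (no duplicate entries) and fix the
# permissions sshd requires under StrictModes: 700 for ~/.ssh, 600 for the file.

# install_pubkey HOME_DIR PUBKEY_LINE -> appends the key once and fixes permissions
install_pubkey() {
    home=$1; key=$2
    sshdir="$home/.ssh"; auth="$sshdir/authorized_keys"
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    [ -f "$auth" ] || : > "$auth"
    # A key is identified by its type and base64 blob; the trailing comment may differ.
    keyid=$(printf '%s\n' "$key" | awk '{print $1, $2}')
    if ! awk -v id="$keyid" '($1 " " $2) == id { found=1 } END { exit !found }' "$auth"; then
        printf '%s\n' "$key" >> "$auth"
    fi
    chmod 600 "$auth"
}

# authorized_key_count HOME_DIR -> number of lines in authorized_keys
authorized_key_count() { wc -l < "$1/.ssh/authorized_keys" | tr -d ' '; }

# perms_ok HOME_DIR -> exit 0 when .ssh is drwx------ and authorized_keys is -rw-------
perms_ok() {
    [ "$(ls -ld "$1/.ssh" | cut -c1-10)" = "drwx------" ] &&
    [ "$(ls -l "$1/.ssh/authorized_keys" | cut -c1-10)" = "-rw-------" ]
}

demo_home=$(mktemp -d); trap 'rm -rf "$demo_home"' EXIT
# Constructed key line for the demo (NOT a real key): type, base64 blob, comment
SAMPLE_KEY='ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEXAMPLE li1@client'
install_pubkey "$demo_home" "$SAMPLE_KEY"
install_pubkey "$demo_home" "$SAMPLE_KEY"     # second run is a no-op, as with ssh-copy-id
echo "keys installed: $(authorized_key_count "$demo_home")"
perms_ok "$demo_home" && echo "permissions ok"
```

On a real server the call would be `install_pubkey /home/zhangsan "$(cat /opt/id_ecdsa.pub)"`, run as root or as zhangsan. If a key still fails afterwards, check `/var/log/secure` on the server: sshd logs "Authentication refused: bad ownership or modes" when StrictModes rejects the directory.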


2. Use key pair authentication on the client

ssh zhangsan@192.168.80.10
Enter passphrase for key '/home/li1/.ssh/id_ecdsa':     # enter the passphrase of the private key


3. Set up the ssh agent on the client so that the passphrase need not be entered at every login

ssh-agent bash
ssh-add
Enter passphrase for /home/li1/.ssh/id_ecdsa:     # enter the passphrase of the private key
Identity added: /home/li1/.ssh/id_ecdsa (/home/li1/.ssh/id_ecdsa)

ssh zhangsan@192.168.163.10
Last login: Sun Dec 13 13:32:47 2020 from 192.168.163.11


3. TCP Wrappers access control

TCP Wrappers acts like a protective shell around TCP service programs: it listens on the port of the TCP service and adds a security check in front of it. An external connection request must pass this check before it is allowed to reach the real service program.

In most Linux distributions TCP Wrappers is provided by default.
Use "rpm -q tcp_wrappers" to check whether it is installed.

1. Two ways the TCP Wrappers protection mechanism is implemented

Using the tcpd program directly to protect other service programs; this requires running the tcpd program.

Having other network service programs call the libwrap.so.* shared library, without running tcpd. This method is more widely used and more efficient.

Use the ldd command to check whether a service program is linked against libwrap.so.*

ldd $(which sshd vsftpd)     # the server daemon sshd, not the ssh client, is the program protected by libwrap


2. TCP Wrappers access policy

The protection objects of the TCP Wrappers mechanism are the various network service programs; access control is applied based on the client address that accesses the service.
The two corresponding policy files are /etc/hosts.allow and /etc/hosts.deny, which hold the allow and deny policies respectively.

Format:
<service program list>:<client address list>

(1) Service program list

ALL: all services.
A single service program, e.g. "vsftpd".
A list of several service programs, e.g. "vsftpd,sshd".

(2) Client address list

ALL: any client address.
LOCAL: the local host.
Multiple addresses are separated by commas.
The wildcards "?" and "*" are allowed:
    "*" matches any number of characters
    "?" matches exactly one character
A network address, e.g. 192.168.163. or 192.168.163.0/255.255.255.0
A domain address, e.g. ".benet.com" matches all hosts in the benet.com domain.

3. Basic principles of the TCP Wrappers mechanism

The /etc/hosts.allow file is checked first; if a matching policy is found, access is allowed.
Otherwise the /etc/hosts.deny file is checked; if a matching policy is found, access is denied.
If neither file contains a matching policy, access is allowed.

"Allow all, deny a few"
Only the corresponding deny policies need to be added to the /etc/hosts.deny file.

"Allow a few, deny all"
Besides adding allow policies to /etc/hosts.allow, an "ALL:ALL" deny policy must also be set in the /etc/hosts.deny file.

If only the host with IP address 12.0.0.1 and the hosts on the 192.168.163.0/24 network segment should be able to access the sshd service, and all other addresses should be rejected:

vi /etc/hosts.allow
sshd:12.0.0.1,192.168.163.*

vi /etc/hosts.deny
sshd:ALL
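The decision order (hosts.allow first, then hosts.deny, default allow) and the address patterns listed above are easy to get wrong; a typo in hosts.allow silently turns an "allow a few" policy into a lockout, or a forgotten hosts.deny entry into "allow everyone". The following added example, written for this page and not part of the original post, evaluates a single connection against a pair of policy files using the rules the text describes (ALL, LOCAL, "*" and "?" wildcards, the trailing-dot network form 192.168.163. and the leading-dot domain form .benet.com). The netmask form a.b.c.0/255.255.255.0 is not handled. The two policy files are constructed inline and mirror the sshd example above.

```shell
#!/bin/sh
# Added example (not from the original post): a TCP Wrappers style decision for one
# connection against the contents of hosts.allow and hosts.deny, following the order
# described in the text: allow file first, then deny file, otherwise allowed.
set -f   # patterns such as 192.168.163.* must never be expanded against file names

# match_pattern PATTERN CLIENT -> exit 0 when the client address matches the pattern
match_pattern() {
    pat=$1; client=$2
    case "$pat" in
        ALL)   return 0 ;;
        LOCAL) case "$client" in *.*) return 1 ;; *) return 0 ;; esac ;;   # hostnames without a dot
        *.)    pat="${pat}*" ;;      # network prefix: 192.168.163. -> 192.168.163.*
        .*)    pat="*${pat}" ;;      # domain suffix:  .benet.com  -> *.benet.com
    esac
    # The unquoted $pat is intentional: the shell treats it as a case pattern, so
    # "*" and "?" behave exactly as the text describes.
    case "$client" in
        $pat) return 0 ;;
        *)    return 1 ;;
    esac
}

# file_matches FILE SERVICE CLIENT -> exit 0 when a "services:addresses" line matches
file_matches() {
    file=$1; service=$2; client=$3
    [ -f "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                       # strip comments
        case "$line" in *:*) ;; *) continue ;; esac
        svcs=${line%%:*}; addrs=${line#*:}
        svc_ok=1
        for s in $(printf '%s' "$svcs" | tr ',' ' '); do
            [ "$s" = ALL ] || [ "$s" = "$service" ] && svc_ok=0
        done
        [ "$svc_ok" -eq 0 ] || continue
        for a in $(printf '%s' "$addrs" | tr ',' ' '); do
            match_pattern "$a" "$client" && return 0
        done
    done < "$file"
    return 1
}

# wrappers_decision SERVICE CLIENT ALLOW_FILE DENY_FILE -> prints "allow" or "deny"
wrappers_decision() {
    if file_matches "$3" "$1" "$2"; then echo allow
    elif file_matches "$4" "$1" "$2"; then echo deny
    else echo allow                           # no match in either file: access is allowed
    fi
}

demo_dir=$(mktemp -d); trap 'rm -rf "$demo_dir"' EXIT
# Constructed sample policies mirroring the sshd example in the text
printf 'sshd:12.0.0.1,192.168.163.*\n' > "$demo_dir/hosts.allow"
printf 'sshd:ALL\n' > "$demo_dir/hosts.deny"

# decide SERVICE CLIENT -> allow|deny using the sample policy files
decide() { wrappers_decision "$1" "$2" "$demo_dir/hosts.allow" "$demo_dir/hosts.deny"; }

for c in 12.0.0.1 192.168.163.55 10.0.0.9; do
    echo "sshd from $c: $(decide sshd "$c")"
done
echo "vsftpd from 10.0.0.9: $(decide vsftpd 10.0.0.9)"   # deny file names only sshd
```

The last line is the point worth checking in any real deployment: with `sshd:ALL` rather than `ALL:ALL` in hosts.deny, every other wrapped service (vsftpd here) stays reachable from anywhere. Swap in the real files with `wrappers_decision sshd 10.0.0.9 /etc/hosts.allow /etc/hosts.deny` to dry-run a policy before relying on it.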


Origin blog.csdn.net/Wsxyi/article/details/114064789