One, Introduction to ssh
1. Introduction to SSH
- SSH (Secure Shell) is an application-layer protocol
- It provides remote login and file copying over a character (text-mode) interface
- Data is encrypted and compressed in transit
- It uses TCP port 22 by default
- It is layered: Transport Layer Protocol, User Authentication Protocol, Connection Protocol
2. How to manage Linux servers
- Local management
  - System installation, fault repair
- Remote management (used most frequently)
3. Make sure that the Linux server starts the SSH service normally
- Make sure the sshd service is running
- The SSH service listens on port 22/tcp
[root@localhost ~]# ps aux | grep ssh
root 937 0.0 0.4 112900 4324 ? Ss 17:56 0:00 /usr/sbin/sshd -D
root 1196 0.0 0.6 161512 6084 ? Ss 17:57 0:00 sshd: root@pts/0
root 1237 0.0 0.0 112812 964 pts/0 S+ 18:20 0:00 grep --color=auto ssh
[root@localhost ~]# ps -elf |grep ssh
4 S root 937 1 0 80 0 - 28225 poll_s 17:56 ? 00:00:00 /usr/sbin/sshd -D
4 S root 1196 937 0 80 0 - 40378 poll_s 17:57 ? 00:00:00 sshd: root@pts/0
0 S root 1240 1198 0 80 0 - 28202 pipe_w 18:20 pts/0 00:00:00 grep --color=auto ssh
Corresponding server-side package:
[root@localhost ~]# rpm -qf /usr/sbin/sshd
openssh-server-7.4p1-21.el7.x86_64
4. Client software
- Windows
  - XShell
  - SecureCRT
  - PuTTY
- Linux
  - ssh command
[root@localhost ~]# which ssh
/usr/bin/ssh
[root@localhost ~]# rpm -qf /usr/bin/ssh
openssh-clients-7.4p1-21.el7.x86_64
Two, Main ssh commands
1. ssh: remote login command
- ssh root@<IP address of the host to log in to>
2. scp: remote copy command
- scp root@<remote host address>:<remote file path> <local destination path>
- scp -rP 10022 root@<remote host address>:<remote directory> <local destination directory>
Specify the port number (-P, capital) and copy the entire directory recursively (-r) to the specified local directory
3. sftp: encrypted remote copy command
- sftp runs on top of the ssh service, so the whole transfer session is encrypted. Its transfer efficiency is lower than ssh, but its security is higher. A downloaded file can only be saved to the current local directory (a target directory cannot be specified), whereas an uploaded file can be given a target directory
- sftp -P <port> specifies the port number (capital -P, as with scp; plain ssh uses lowercase -p)
4. openssh service
- Client configuration file: /etc/ssh/ssh_config
- Server configuration file: /etc/ssh/sshd_config (this is the one usually modified)
- ssh, scp and sftp all ride on the openssh service, so their default port is 22
Three, Build an ssh system with key-pair authentication (password-free login)
1. Implementation process
2. Key principle
- In ssh, a key is a parameter: the input to the algorithm that converts a file into ciphertext, or converts ciphertext back into plaintext
- Three algorithms are offered, RSA, ECDSA and DSA, representing three encryption methods
- 2.1 Symmetric key
- 2.2 Asymmetric key
- ssh authentication methods: 1. user account password login
- 2. key login
- Configuration file location: /etc/ssh/sshd_config
3. Create a key pair
Since key-pair authentication is enabled by default in sshd_config, you can proceed directly:
- ssh-keygen -t <type> ## create a key pair, specifying the algorithm type (rsa, ecdsa or dsa)
- Go to the home directory and check ~/.ssh/ for the generated files
- ssh-copy-id -i ~/.ssh/id_ecdsa.pub root@<server ip address>
- ## After the key pair is created on the client, the public key file given with -i is copied to the server's authorized keys
- ssh-agent bash ## start an agent shell for interactive password-free login
- ssh-add ## load the private key into the agent (the passphrase is entered once per session)
- Key-based password-free login suits production environments with long passwords and frequent switching between multiple users: login becomes quick
Four, TCP Wrappers protection principle
1. Protection principle
- It works like a firewall, but applies only to the ports of service programs that use a transport protocol such as TCP
2. Protection mechanism
Method 1: other service programs are wrapped by the tcpd program
Method 2: other service programs call the libwrap.so.* shared library directly
3. Check command
ldd $(which <service program>) ## look for libwrap.so in the output; a service that does not link it ignores hosts.allow and hosts.deny
4. Configuration files for the access-control policy
- /etc/hosts.allow: whitelist (the listed clients may connect)
- /etc/hosts.deny: blacklist (the listed clients are refused)
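The evaluation order behind those two files is what trips people up, so here is an added shell example (not part of the original notes) that replays tcpd's decision over two constructed rule sets standing in for /etc/hosts.allow and /etc/hosts.deny. Pattern support is deliberately limited to ALL, exact addresses and dotted prefixes; EXCEPT, net/mask and LOCAL are left out.

```shell
#!/bin/sh
# Constructed rule sets standing in for /etc/hosts.allow and /etc/hosts.deny
# (sample data, not copied from any real host). Format: "daemons : clients".
ALLOW_RULES='sshd: 192.168.1. 10.0.0.5     # office LAN prefix + one admin host
ALL: 127.0.0.1'
DENY_RULES='sshd: ALL                      # everything not whitelisted above
in.telnetd: ALL'

# match_list LIST VALUE -> 0 if VALUE matches any pattern in the comma/space
# separated LIST: ALL, an exact name/address, or a "192.168.1." dotted prefix.
match_list() {
  for _pat in $(printf '%s' "$1" | tr ',' ' '); do
    case "$_pat" in
      ALL)  return 0 ;;
      *.)   case "$2" in "$_pat"*) return 0 ;; esac ;;
      "$2") return 0 ;;
    esac
  done
  return 1
}

# rules_match RULES DAEMON CLIENT -> 0 when any rule line matches both fields.
rules_match() {
  while IFS= read -r _line; do
    _line=${_line%%#*}                    # drop comments
    case "$_line" in *:*) ;; *) continue ;; esac
    _daemons=${_line%%:*}
    _rest=${_line#*:}
    _clients=${_rest%%:*}                 # ignore an optional 3rd (command) field
    if match_list "$_daemons" "$2" && match_list "$_clients" "$3"; then
      return 0
    fi
  done <<EOF
$1
EOF
  return 1
}

# tcpwrap_decision DAEMON CLIENT -> prints ALLOW or DENY in tcpd's order:
# hosts.allow first (match = allow), then hosts.deny (match = deny); a client
# matched by neither file is allowed, so a missing catch-all deny is an open door.
tcpwrap_decision() {
  if rules_match "$ALLOW_RULES" "$1" "$2"; then echo ALLOW
  elif rules_match "$DENY_RULES" "$1" "$2"; then echo DENY
  else echo ALLOW
  fi
}

tcpwrap_decision sshd 192.168.1.20   # ALLOW: LAN prefix listed in hosts.allow
tcpwrap_decision sshd 203.0.113.7    # DENY: no allow entry, "sshd: ALL" in hosts.deny
tcpwrap_decision vsftpd 203.0.113.7  # ALLOW: no rule in either file -> default allow
```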