In CenOS 7 systems, OpenSSH server is a system tray openssh, openssh-server packages provide a (installed by default), and has been added as a standard system sshd service, you can do systemctl status sshd to view services status. As long as a valid login shell, without considering security restrictions, you can telnet operating system.
sshd default service profile located / etc / ssh under / sshd_config directory, many of the configuration item to this control connection server. It can be divided into three areas as follows:
1, server monitor settings:
[root@localhost ~]# vim /etc/ssh/sshd_config
Port 22 #监听端口默认为22
ListenAddress 0.0.0.0 #默认监听所有地址
protocol 2 #使用SSH V2协议,比V1安全性更高
UseDNS no #禁用DNS反向解析
2, the control-related control user login:
LoginGraceTime 2m #登录验证时间为2分钟
PermitRootLogin no #禁止root用户登录
MaxAuthTries 6 #最大重试次数为6
PermitEmptyPasswords no #禁止空密码登录
3, authentication mode:
PasswordAuthentication yes #启用密码验证
PubkeyAuthentication yes #启用密钥对验证
AuthorizedKeysFile .ssh/authorized_keys #指定公钥库文件
In a production environment, the proposed changes to configuration items are as follows:
[root@localhost ~]# vim /etc/ssh/sshd_config
Port 2345 #监听端口默认为2345
ListenAddress 172.16.2.25 #监听某一个IP地址 ,而不是监听所有IP地址
protocol 2 #使用SSH V2协议,比V1安全性更高
UseDNS no #禁用DNS反向解析
LoginGraceTime 2m #登录验证时间为2分钟
PermitRootLogin no #禁止root用户登录
MaxAuthTries 6 #最大重试次数为6
PermitEmptyPasswords no #禁止空密码登录
PasswordAuthentication yes #启用密码验证
PubkeyAuthentication yes #启用密钥对验证
AuthorizedKeysFile .ssh/authorized_keys #指定公钥库文件
AllowUsers zhangsan [email protected] #仅允许zhangsan和admin远程登录到
#该服务器,并且admin只能从61.23.24.25这个主机登录到该服务器。
#AllowUsers表示仅允许;与之相反的还有DenyUsers:表示仅拒绝。
Use SSH client program to connect to a remote server:
[root@localhost ~]# ssh -p 2345 [email protected] #以用户zhangsan连接到192.168.1.1
# “-p”选项用来指定端口号为2345,若端口号为默认的22,那么-p选项可省略。
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
ECDSA key fingerprint is ad:a1:9b:f7:e3:41:bf:5f:da:cd:5e:3f:74:e0:8a:b9.
Are you sure you want to continue connecting (yes/no)? yes #输入“yes”
Warning: Permanently added '192.168.1.1' (ECDSA) to the list of known hosts.
[email protected]'s password: #输入用户zhangsan的密码
[zhangsan@localhost ~]$ #连接成功
scp remote replication:
If the remote target is not the default port number, you need to add "-P" option to specify the port number
上传:
[root@localhost /]# scp -r /etc/passwd [email protected]:/
#将本地/etc/passwd目录上传到远程主机“/”目录下
[email protected]'s password: #输入1.1主机的root密码
passwd 100% 2893 2.8KB/s 00:00 #上传成功
下载:
[root@localhost /]# scp [email protected]:/test.txt /root/ #将1.1主机的文件下载到本地
[email protected]'s password:
test.txt 100% 20 0.0KB/s 00:00