One, SSH Overview
1, Introduction to SSH
SSH (Secure Shell) is a secure channel protocol, used mainly for remote login, remote file copying and similar character-interface functions.
The SSH protocol encrypts the data transmitted by both sides of the communication, including the password the user types when logging in. Compared with earlier applications such as TELNET (Telnet),
the SSH protocol offers better security.
2, Default listening port: TCP 22
Two, OpenSSH configuration
1, OpenSSH installation packages
Installed automatically by a default Linux system installation; if they are missing, the rpm packages on the installation disc are as follows:
openssh-5.3p1-94.el6.x86_64.rpm
openssh-askpass-5.3p1-94.el6.x86_64.rpm
openssh-clients-5.3p1-94.el6.x86_64.rpm
openssh-server-5.3p1-94.el6.x86_64.rpm
● Service name: sshd
● Main server program: /usr/sbin/sshd
● Server configuration file: /etc/ssh/sshd_config
● Client configuration file: /etc/ssh/ssh_config
2, OpenSSH server configuration
[root@www ssh]# vim sshd_config
Port 22 // default port number, TCP 22
AddressFamily any // address family to use: any, inet (IPv4) or inet6 (IPv6)
ListenAddress 192.168.1.108 // IP address to listen on (the address that serves external clients); the default 0.0.0.0 listens on all addresses (if set to 127.0.0.1, other machines cannot connect)
Protocol 2 // use version 2 of the SSH protocol
LoginGraceTime 2m // wait at most 2 minutes for the login to complete
PermitRootLogin yes // root login is allowed by default
StrictModes yes // before accepting a connection, check the ownership and permissions of the user's home directory and related configuration files
MaxAuthTries 6 // maximum number of authentication attempts allowed per connection
MaxSessions 10 // maximum number of open sessions allowed per network connection
RSAAuthentication yes // enable RSA authentication
PubkeyAuthentication yes // enable public key authentication
AuthorizedKeysFile .ssh/authorized_keys // location of the file holding the authorized public keys
PermitEmptyPasswords no // do not allow users with an empty password to log in
PasswordAuthentication yes // enable password authentication
UseDNS no // disable reverse DNS lookups
Add manually:
AllowUsers amber zhangsan@192.168.1.51
DenyUsers lisi
AllowUsers: user amber may log in from any client; user zhangsan may log in only from the client with IP address
192.168.1.51. Only these two users are allowed to log in remotely over the ssh protocol.
DenyUsers: forbid user lisi from logging in
Note: AllowUsers must not be used together with DenyUsers
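The following script is an added example, not part of the original tutorial: it reads an sshd_config file the way sshd does (first uncommented occurrence of a directive wins) and reports the settings discussed above that are left at their weak values. The defaults assumed for absent directives are those of the OpenSSH 5.3 release used on this page; the names sshd_opt, check and audit_sshd_config are the example's own.

```shell
#!/bin/sh
# Added example, not from the original tutorial: audit an sshd_config
# against the settings discussed above. Assumes POSIX sh, awk, tr, mktemp.

# Print the first uncommented value of a directive (sshd uses the first
# occurrence it finds, so later duplicates are ignored, just as here).
sshd_opt() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '$1 !~ /^#/ && tolower($1) == key { print $2; exit }' "$1"
}

# check FILE KEYWORD EXPECTED DEFAULT: print a finding when the effective
# value differs from EXPECTED. DEFAULT is the value sshd assumes when the
# directive is absent (assumed OpenSSH 5.3 defaults, as in this tutorial).
check() {
    val=$(sshd_opt "$1" "$2"); [ -z "$val" ] && val="$4"
    if [ "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" != "$3" ]; then
        echo "WEAK: $2 is '$val' (expected $3)"
    fi
}

audit_sshd_config() {
    cfg="$1"
    check "$cfg" Protocol 2 2,1
    check "$cfg" PermitRootLogin no yes
    check "$cfg" PermitEmptyPasswords no no
    check "$cfg" PubkeyAuthentication yes yes
    check "$cfg" PasswordAuthentication no yes
    check "$cfg" UseDNS no yes
    tries=$(sshd_opt "$cfg" MaxAuthTries); [ -z "$tries" ] && tries=6
    [ "$tries" -gt 6 ] && echo "WEAK: MaxAuthTries is $tries (expected 6 or fewer)"
    # The tutorial advises against using AllowUsers and DenyUsers together.
    if [ -n "$(sshd_opt "$cfg" AllowUsers)" ] && [ -n "$(sshd_opt "$cfg" DenyUsers)" ]; then
        echo "WEAK: AllowUsers and DenyUsers are both set; use only one"
    fi
    return 0
}

# Demo on a constructed config resembling the one edited above.
demo_cfg=$(mktemp)
printf '%s\n' 'Port 22' 'Protocol 2' 'PermitRootLogin yes' 'MaxAuthTries 6' \
    'PasswordAuthentication yes' 'PubkeyAuthentication yes' \
    'AllowUsers amber' 'DenyUsers lisi' > "$demo_cfg"
audit_sshd_config "$demo_cfg"
rm -f "$demo_cfg"
```

Run it against /etc/ssh/sshd_config on the server to see which of the directives above still need to be changed before exposing the service.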
Three, Using the SSH client programs
1, Command-line programs
(1) ssh command (secure remote login)
Format: ssh user@host (if the user name on the client is the same as on the host, user@ can be omitted; user in user@host is the account on the host)
Port option: -p 22
[root@Server-SSH ~]# useradd amber
[root@Server-SSH ~]# echo "123123" | passwd --stdin amber
[root@Client ~]# useradd admin
[root@Client ~]# echo "123123" | passwd --stdin admin
[root@Client ~]# su - admin
[admin@Client ~]$ ssh amber@192.168.66.111
The authenticity of host '192.168.66.111 (192.168.66.111)' can't be established.
ECDSA key fingerprint is SHA256:ZrMfShX/kM61XVrPIu1M75/sPgdLOe0JOPt/aC17mMQ.
ECDSA key fingerprint is MD5:71:dd:a1:af:00:a4:b8:9e:e7:a4:d7:f8:25:e5:bd:bc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.66.111' (ECDSA) to the list of known hosts.
[email protected]'s password: // enter the password of the amber user on the server
[amber@Server-SSH ~]$ whoami
amber
[amber@Server-SSH ~]$ logout // Ctrl+D or typing exit also works
Connection to 192.168.66.111 closed.
(2) scp command (secure remote copy)
Format 1: scp user@host:file1 file2
Format 2: scp file1 user@host:file2
1> Copy files from the server to the client
Server:
[root@111 ~]# mkdir /aaa
[root@111 ~]# touch /aaa/test{1..10}
[root@111 ~]# ls /aaa
test1 test10 test2 test3 test4 test5 test6 test7 test8 test9
Client:
[root@112 ~]# mkdir /bbb
[root@112 ~]# ls /bbb
[root@112 ~]# scp [email protected]:/aaa/* /bbb/
The authenticity of host '192.168.66.111 (192.168.66.111)' can't be established.
ECDSA key fingerprint is SHA256:Y8CnsgU+a3aZUMHzVYQnST9QZ69QcJxTrYw7ag2vBQs.
ECDSA key fingerprint is MD5:3f:a6:f9:c2:78:e6:32:83:bc:59:3c:06:7c:36:55:b5.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.66.111' (ECDSA) to the list of known hosts.
[email protected]'s password:
test1 100% 0 0.0KB/s 00:00
test10 100% 0 0.0KB/s 00:00
test2 100% 0 0.0KB/s 00:00
test3 100% 0 0.0KB/s 00:00
test4 100% 0 0.0KB/s 00:00
test5 100% 0 0.0KB/s 00:00
test6 100% 0 0.0KB/s 00:00
test7 100% 0 0.0KB/s 00:00
test8 100% 0 0.0KB/s 00:00
test9 100% 0 0.0KB/s 00:00
[root@112 ~]# ls /bbb/
test1 test10 test2 test3 test4 test5 test6 test7 test8 test9
2> Copy files from the client to the server
Client:
[root@112 ~]# echo ceshi >client.txt
[root@112 ~]# scp client.txt [email protected]:~amber/client1.txt
[email protected]'s password:
client.txt 0% 0 0.0KB/s --:-- ETA
client.txt 100% 6 6. 6KB/s 00:00
Server:
[root@111 ~]# ll ~amber/
total 4
-rw-r--r--. 1 amber amber 6 Aug 16 20:49 client1.txt
(3) sftp command (secure FTP upload and download)
Format: sftp user@host
Client:
[root@112 ~]# mkdir /ccc
[root@112 ~]# cd /ccc
[root@112 ccc]# ls
[root@112 ccc]# sftp [email protected]
[email protected]'s password:
Connected to 192.168.66.111.
sftp> ls /aaa
/aaa/test1 /aaa/test10 /aaa/test2 /aaa/test3 /aaa/test4 /aaa/test5 /aaa/test6 /aaa/test7 /aaa/test8 /aaa/test9
sftp> mget /aaa/*
Fetching /aaa/test1 to test1
Fetching /aaa/test10 to test10
Fetching /aaa/test2 to test2
Fetching /aaa/test3 to test3
Fetching /aaa/test4 to test4
Fetching /aaa/test5 to test5
Fetching /aaa/test6 to test6
Fetching /aaa/test7 to test7
Fetching /aaa/test8 to test8
Fetching /aaa/test9 to test9
sftp> exit
[root@112 ccc]# ls
test1 test10 test2 test3 test4 test5 test6 test7 test8 test9
Common remote access tools: Xshell, CRT, PuTTY, Xmanager (remote graphical user interface), etc.
Four, Building an SSH key-based authentication system
1, Create a key pair on the client
ssh-keygen command
Available algorithms: RSA or DSA (ECDSA)
[root@112 ~]# su - admin
[admin@112 ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/admin/.ssh/id_rsa): // press Enter
Enter passphrase (empty for no passphrase): // set a passphrase for the key; press Enter for no passphrase
Enter same passphrase again: // enter the passphrase again
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:CI5FFtGP6hJt8vDG45/XqkNEIcgw+Hx/KUs0WpzF66Y root@112
The key's randomart image is:
+---[RSA 2048]----+
(randomart image; the rows were garbled in extraction and are omitted)
+----[SHA256]-----+
[admin@112 ~]# ls .ssh/
id_rsa id_rsa.pub known_hosts
2, Upload the public key to the server
(1) Method one: any transfer method works (file sharing, FTP, email, SCP, ......)
Client:
[admin@112 ~]# scp .ssh/id_rsa.pub [email protected]:~amber/
[email protected]'s password:
id_rsa.pub 0% 0 0.0KB/s --:-- ETA
id_rsa.pub 100% 390 273.5KB/s 00:00
Server: import the public key text on the server
[root@111 ~]# su - amber
[amber@111 ~]# ls -a
. .. anaconda-ks.cfg .bash_logout .bash_profile .bashrc client1.txt .cshrc id_rsa.pub .tcshrc
[amber@111 ~]# mkdir .ssh
[amber@111 ~]# cat id_rsa.pub >> .ssh/authorized_keys
[amber@111 ~]# cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+y1i3tPWr/XjjP8nLPW0albAEm83Bcb7XL85FvjSIvRArHtmrNR6chH0/5s94UQwK/YHfzddrKhaPqXOtGnTycTbhO1mTKWbcVOAYE7vN+K95ZReTYiPZJerBeasZtnEgYngvxgnfg/3wdd0y5abqqHyUlp/j2LzlYRuluzpKnlnqGYBTp6DSk4IfNAjTvF2hthPVs6SrNlb+mekba8QIQVnFVtcrMwq4uHFAUsde0mAaf6xDvjn4Xpu8AeCNyRJBw9Q3LAYQCYA/J/gE1E8dQBXZP+l62XE9vtfq0IkGEXkquQitZUVJPh4oRQpm656V04gXoHPMwxYmIydNWAYP root@112
(2) Method two: ssh-copy-id command
Server: delete the public key file copied in method one
[amber@111 ~]# rm -rf .ssh/authorized_keys
Client:
[2567@localhost ~]$ ssh-copy-id -i /home/2567/.ssh/id_rsa.pub [email protected]
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/2567/.ssh/id_rsa.pub"
The authenticity of host '192.168.66.16 (192.168.66.16)' can't be established.
ECDSA key fingerprint is SHA256:G3w/74LEr26WS7zT1anbS9G9NSiTdYP2WphKJKXd0+4.
ECDSA key fingerprint is MD5:33:78:e5:88:67:80:22:b2:1d:cf:d6:d1:ee:94:d4:30.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.
Server:
[2567@localhost ~]$ ls .ssh/
authorized_keys id_rsa id_rsa.pub known_hosts
[2567@localhost ~]$ cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCssPyyL0Z09spQVn9M92uhnamvFRn4VguBgAimcTGRF7It3LycH+aq9cdY2MWXGQjdTYUJM15yYjWBlEra/0U7aXaQ1dEbcT84bpxUC2BIqSIm6Tm7D8j7FbyOZuXLc/LiHYDEUMbTb4i3zxJTje2LZGHhGtPcjnHTWI80gBflWAH59rxm29AZWidlPX5P+Tq5S+Vt/6P3QikK5vCF92EukAO18sXQiDG/ZOtNdBP/XPtWBRcJXgHnI9OYktrTsqCCXKxpGQpSa+EEzuJV/qMN2i3MOcQnmB6sD9nwLmG1/oWnJfVoBCGgpfvCVVpGGStMAf9YGtejaa0xtCxOB5Ij [email protected]
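The script below is an added example, not part of the original tutorial, that does on the server what method one and method two above achieve: it appends a public key to ~/.ssh/authorized_keys only if it is not already there (the filtering step ssh-copy-id reports in its INFO lines) and sets the directory and file permissions that StrictModes yes checks before accepting the key. The function names install_pubkey and count_keys and the sample key are the example's own; the key is constructed and not a real one.

```shell
#!/bin/sh
# Added example, not from the original tutorial: install a public key into a
# user's authorized_keys the way ssh-copy-id does (append only if missing)
# and set the permissions that StrictModes requires. Assumes POSIX sh.

# install_pubkey HOMEDIR PUBKEY_FILE: returns 0 when the key is installed
# (or was already there), 1 when the file does not look like a public key.
install_pubkey() {
    home="$1"; pub="$2"
    key=$(head -n 1 "$pub")
    case "$key" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *|ssh-dss\ *) ;;
        *) echo "not an OpenSSH public key: $pub" >&2; return 1 ;;
    esac
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"            # StrictModes rejects a writable .ssh
    auth="$home/.ssh/authorized_keys"
    touch "$auth"
    chmod 600 "$auth"                 # and a group/world-writable key file
    # Compare key type and key material only, ignoring the trailing comment,
    # so a re-run does not append a duplicate line.
    material=$(printf '%s' "$key" | awk '{ print $1, $2 }')
    if awk '{ print $1, $2 }' "$auth" | grep -qxF "$material"; then
        echo "key already present in $auth"
    else
        printf '%s\n' "$key" >> "$auth"
        echo "key added to $auth"
    fi
    return 0
}

# count_keys AUTH_FILE: number of non-empty lines, used to verify idempotence.
count_keys() { grep -c . "$1"; }

# Demo with a constructed (not real) key in a temporary home directory.
demo_home=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEONLY admin@112\n' > "$demo_home/id_rsa.pub"
install_pubkey "$demo_home" "$demo_home/id_rsa.pub"
install_pubkey "$demo_home" "$demo_home/id_rsa.pub"   # second run: no duplicate
ls -ld "$demo_home/.ssh" "$demo_home/.ssh/authorized_keys"
rm -rf "$demo_home"
```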
3, Authenticate from the client with the key
(1) Confirm that key authentication is enabled in the server configuration file /etc/ssh/sshd_config:
PubkeyAuthentication yes
(2) The client logs in using key authentication:
[2567@localhost ~]$ ssh 192.168.66.16
Last failed login: Wed Aug 21 20:44:14 CST 2019 from 192.168.66.16 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Wed Aug 21 17:21:01 2019