Part Two: SSH login and configuration

Preface: Introduction to SSH

Secure Shell (SSH) is a protocol, developed by the IETF (Internet Engineering Task Force), for establishing a secure session at the application layer. It was designed to provide security for remote login sessions (you can even log in to a Linux server from Windows and transfer files) and other network services, and it effectively closes holes in network protocols. SSH encrypts all transmitted data, and it can prevent DNS spoofing and IP spoofing. An additional benefit is that the transmitted data is compressed, which speeds up transfers. SSH has become a standard component of Linux systems.

SSH is only a protocol; there are many implementations, both commercial and open source. This article covers OpenSSH, which is free and open-source software. If you use SSH from Windows, you need another program, such as PuTTY.

Advantages of SSH: SSH is far from the only network service that transmits data; there are many others. FTP, POP and Telnet are inherently insecure, because they send data, including user accounts and passwords, over the network in clear text, which leaves them vulnerable to man-in-the-middle attacks. SSH encrypts the transmitted content (using RSA) and compresses it, so it is relatively faster and more secure.

SSH supports two authentication methods: account and password authentication, and public/private key authentication. The second method is the safer one.

I. The SSH service program

Related RPM packages: openssh (base package), openssh-clients, openssh-server
Server installation: yum install openssh-server (installing openssh-server pulls in openssh automatically)
Client installation: yum install openssh-clients (installing openssh-clients pulls in openssh automatically)
Uninstall: yum remove openssh (removing openssh also removes openssh-server and openssh-clients automatically)
Service binary: /usr/sbin/sshd
Service port: tcp/22
Server configuration file: /etc/ssh/sshd_config
Client configuration file: /etc/ssh/ssh_config
Usage: ssh -p 22 root@192.168.10.10; if /etc/ssh/ssh_config uses the default port 22, you can simply run ssh root@192.168.10.10
Start / stop / restart / enable at boot / disable at boot: systemctl start / stop / restart / enable / disable sshd

Part of the ssh server configuration file /etc/ssh/sshd_config:

#Port 22 // the default port is 22; to change it, uncomment the line and edit the number
#LoginGraceTime 2m // timeout for password authentication when logging in over ssh, default 2 minutes
#PermitRootLogin yes // whether root may log in directly
#MaxAuthTries 6 // maximum number of authentication attempts per connection
#MaxSessions 10 // maximum number of login sessions held open
#PermitEmptyPasswords no // whether empty passwords are allowed
PasswordAuthentication yes // password authentication is enabled

When the configuration needs to change, the simplest approach is to edit the configuration file directly and then restart the sshd service (service sshd restart).

To check whether the SSH service is running: ps -e | grep ssh
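As an added example (not code from the original post), the script below audits the sshd_config settings listed above. It only parses configuration text and runs no sshd; the two configurations it contains are constructed for illustration (the weak one mirrors the post's excerpt, with PermitEmptyPasswords flipped to yes so that check fires), and the fallback defaults passed to effective_setting are taken from the commented lines in the post's excerpt rather than from any particular OpenSSH version.

```shell
# Added example: audit sshd_config text for the settings discussed above.
# Constructed configs for illustration; nothing here touches /etc/ssh.

# Mirrors the post's excerpt, with PermitEmptyPasswords set to yes on purpose.
WEAK_SSHD_CONFIG='#Port 22
#LoginGraceTime 2m
PermitRootLogin yes
#MaxAuthTries 6
MaxSessions 10
PermitEmptyPasswords yes
PasswordAuthentication yes'

# A hardened variant: key-only login, no direct root login, fewer attempts.
HARDENED_SSHD_CONFIG='Port 22
LoginGraceTime 30
PermitRootLogin no
MaxAuthTries 3
MaxSessions 10
PermitEmptyPasswords no
PasswordAuthentication no'

# effective_setting CONFIG_TEXT KEY DEFAULT
# sshd uses the first uncommented occurrence of a keyword (case-insensitive)
# and falls back to a built-in default when the keyword is absent; DEFAULT
# here is the value from the commented line in the post's excerpt.
effective_setting() {
    value=$(printf '%s\n' "$1" | grep -i "^[[:space:]]*$2[[:space:]]" | head -n 1 | awk '{print $2}')
    printf '%s' "${value:-$3}" | tr 'A-Z' 'a-z'
}

# audit_sshd_config CONFIG_TEXT
# Prints one line per risky effective setting.
audit_sshd_config() {
    if [ "$(effective_setting "$1" PermitRootLogin yes)" = "yes" ]; then
        echo "PermitRootLogin yes: direct root login allowed; use no (or prohibit-password)"
    fi
    if [ "$(effective_setting "$1" PermitEmptyPasswords no)" = "yes" ]; then
        echo "PermitEmptyPasswords yes: accounts with an empty password can log in"
    fi
    if [ "$(effective_setting "$1" PasswordAuthentication yes)" = "yes" ]; then
        echo "PasswordAuthentication yes: password guessing is possible; prefer key-only login"
    fi
    if [ "$(effective_setting "$1" MaxAuthTries 6)" -gt 6 ]; then
        echo "MaxAuthTries above 6: more guesses per connection than the default"
    fi
}

# finding_count CONFIG_TEXT: number of findings (0 when the config is clean).
finding_count() {
    count=$(audit_sshd_config "$1" | grep -c .) || true
    echo "$count"
}

# Usage: show the findings for both configs.
echo "weak config:";     audit_sshd_config "$WEAK_SSHD_CONFIG"
echo "hardened config:"; audit_sshd_config "$HARDENED_SSHD_CONFIG"
```

The check for the first uncommented occurrence matters: sshd honours the first matching keyword in the file, so a hardened line appended at the bottom below an earlier "PermitRootLogin yes" changes nothing.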

II. Password login

Use -p to specify the connection port: ssh -p 1234 name@192.168.0.x

Then enter the password when prompted.

Connecting from a graphical client is easier and is not covered here.

III. Public key login

On host A, run ssh-keygen, then enter the file name to save to (the default is id_rsa) and, optionally, a passphrase for the private key. When it finishes, two keys are generated under ~/.ssh/: id_rsa (the private key) and id_rsa.pub (the public key).
The private key (id_rsa) stays on the local host; the public key (id_rsa.pub) is copied by ssh-copy-id user@hostB into the ~/.ssh/ directory of the peer host B, where it is automatically stored under the name authorized_keys.
Log in to the target host with ssh user@hostB; the private key (and the passphrase entered earlier, if any) is used for the login.
Specifically:

1) Generate a key pair on the local machine

Use the ssh-keygen command to generate a key pair:

ssh-keygen -t rsa # the -t option selects the key type; rsa is used here

Then press Enter through the prompts (one prompt asks for a passphrase to protect the private key; leaving it empty sets none, and you can set one if you are worried about the security of the private key). When it finishes, a .ssh folder is created under the current user's home directory (/home/<user>), containing the private key file id_rsa and the public key file id_rsa.pub.

2) Copy the public key to the remote host

Use the ssh-copy-id command to copy the public key to the remote host. ssh-copy-id writes the public key into the ~/.ssh/authorized_keys file on the remote host.

ssh-copy-id user@remote-host
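To show what ssh-copy-id actually does on the remote side, here is an added example (not the post's code and not the real ssh-copy-id): it appends a public key line to an authorized_keys file, creates the .ssh directory with the modes sshd's StrictModes check expects (700 on the directory, 600 on the file), and skips keys that are already present. The key line is a constructed placeholder, not real key material, and the paths are passed in so the script can be tried in a scratch directory.

```shell
# Added example: emulate the remote-side effect of ssh-copy-id locally.
# DEMO_PUBKEY is a constructed placeholder; the key material is not real.
DEMO_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEMOKEYNOTREAL user@hostA'

# install_pubkey PUBKEY_LINE SSH_DIR
# Appends PUBKEY_LINE to SSH_DIR/authorized_keys unless it is already there.
install_pubkey() {
    pubkey=$1
    ssh_dir=$2
    auth_file="$ssh_dir/authorized_keys"
    old_umask=$(umask)
    umask 077                      # new files and dirs get no group/other bits
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"           # sshd ignores keys in a group/world-writable ~/.ssh
    touch "$auth_file"
    chmod 600 "$auth_file"
    umask "$old_umask"
    if grep -qxF "$pubkey" "$auth_file"; then
        echo "key already present"
    else
        printf '%s\n' "$pubkey" >> "$auth_file"
        echo "key added"
    fi
}

# check_ssh_dir SSH_DIR
# Verifies the modes sshd's StrictModes requires; prints ok or the problem.
check_ssh_dir() {
    ssh_dir=$1
    [ -n "$(find "$ssh_dir" -prune -perm 700)" ] || { echo "bad mode on $ssh_dir"; return 1; }
    [ -n "$(find "$ssh_dir/authorized_keys" -prune -perm 600)" ] || { echo "bad mode on authorized_keys"; return 1; }
    echo ok
}

# count_keys SSH_DIR: number of key lines in authorized_keys.
count_keys() {
    grep -c '^ssh-' "$1/authorized_keys"
}

# Usage: run in a scratch directory so nothing under $HOME is touched.
demo_dir=$(mktemp -d)
install_pubkey "$DEMO_PUBKEY" "$demo_dir/.ssh"   # key added
install_pubkey "$DEMO_PUBKEY" "$demo_dir/.ssh"   # key already present
check_ssh_dir "$demo_dir/.ssh"                   # ok
rm -rf "$demo_dir"
```

The permission checks are the point: when key login silently falls back to a password prompt, wrong modes on ~/.ssh or authorized_keys on the remote host are the usual cause, and the real ssh-copy-id sets them for the same reason.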

Here is an example of a remote user logging in to Google's cloud:

IV. SSH applications

1) With nohup <program>, a program started over an ssh connection keeps running on the remote host after the ssh connection is dropped. nohup means "no hang up".

2) scp, and sftp's put and get, transfer files between hosts.

3) Binding a local port

ssh -D 8080 user@host
SSH creates a socket listening on local port 8080. Whatever data is sent to port 8080 is automatically passed over the SSH connection to the remote host. In other words, a port that used to be unencrypted (8080) now becomes an encrypted one.
An example from the Grapefruit Peel blog:

Sometimes binding a local port is not enough; you also have to specify the target host for the data, forming point-to-point "port forwarding". To distinguish it from the "remote port forwarding" covered later, we call this "local port forwarding" (local forwarding).
Assume the local host is host1 and the remote host is host2. For various reasons the two hosts cannot communicate directly. However, there is a third host, host3, that can communicate with both. The natural idea is therefore to reach host2 from host1 via host3.
On host1 we run:
      $ ssh -L 2121:host2:21 host3
The -L parameter takes three colon-separated values: "local port:target host:target host port". This command tells SSH to bind local port 2121 and to have host3 forward all data arriving there to port 21 of the target host host2 (assuming host2 runs FTP, whose default port is 21).
As a result, connecting to port 2121 of host1 is equivalent to connecting to port 21 of host2:
      $ ftp localhost:2121
"Local port forwarding" thus creates a secret data tunnel between host1 and host3, which is why it is also called an "SSH tunnel".
Here is an interesting example:
      $ ssh -L 5900:localhost:5900 host3
It binds local port 5900 to port 5900 of host3 (localhost here refers to host3, because the target host is interpreted relative to host3).
Another example logs in to host2 over ssh through host3's port forwarding:
      $ ssh -L 9001:host2:22 host3
Now, logging in over ssh to port 9001 of the local machine is equivalent to logging in to host2:
      $ ssh -p 9001 localhost

The -p parameter above specifies the login port.

Error handling: ssh: Could not resolve hostname 192.168.*.*:***: Name or service not known

Resolution: when specifying a port, you cannot write ip:port directly; use the -p parameter instead.
4) Remote port forwarding (from Grapefruit Peel)

Remote port forwarding
Since "local port forwarding" means forwarding a bound local port, "remote port forwarding" (remote forwarding) naturally means forwarding a bound remote port.
Return to the example above, where host1 and host2 cannot communicate and host3 must relay. Now a special circumstance arises: host3 is a machine on an internal network that can connect out to host1 on the external network, but not the reverse; host1 on the outside cannot reach host3 inside the internal network. "Local port forwarding" cannot be used here, so what do we do?
The solution: since host3 can reach host1, establish an SSH connection from host3 to host1, and then use that connection from host1.
On host3 we execute:
      $ ssh -R 2121:host2:21 host1
The -R parameter also takes three values: "remote host port:target host:target host port". This command makes host1 listen on its own port 2121, and all data arriving there is forwarded via host3 to port 21 of host2. Because host1 is the remote host from host3's point of view, this case is called "remote port binding".
After binding, on host1 we can connect to host2:
      $ ftp localhost:2121
Note that the prerequisite for "remote port forwarding" is that both host1 and host3 have sshd and an ssh client.
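The -L and -R examples above differ only in which side listens, which is easy to get backwards. The added example below (not code from the post or the cited blog) serves both the local and the remote forwarding sections: it validates a "port:host:port" specification the way a careful operator would before typing it, reports which host listens and where the tunnel exits, and shows the fix for the "Could not resolve hostname" error, turning a host:port destination into the -p form. It only parses strings and runs no ssh; the hostnames host1, host2 and host3 are the post's.

```shell
# Added example: explain an ssh -L / -R forwarding spec without running ssh.

# forward_summary FLAG SPEC SSH_HOST
#   FLAG is -L or -R, SPEC is "port:target_host:target_port", SSH_HOST is the
#   host the ssh command connects to (host3 or host1 in the examples above).
forward_summary() {
    flag=$1 spec=$2 ssh_host=$3
    # The spec must have exactly three colon-separated fields.
    fields=$(printf '%s' "$spec" | awk -F: '{print NF}')
    [ "$fields" -eq 3 ] || { echo "error: spec must be port:host:port, got '$spec'"; return 1; }
    bind_port=${spec%%:*}
    rest=${spec#*:}
    target_host=${rest%%:*}
    target_port=${rest#*:}
    # Both ports must be numeric and within 1-65535.
    for p in "$bind_port" "$target_port"; do
        case $p in
            ''|*[!0-9]*) echo "error: port '$p' is not a number"; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "error: port '$p' out of range"; return 1; }
    done
    case $flag in
        # -L: the ssh client binds the port; the ssh server resolves the target.
        -L) echo "local machine listens on $bind_port; $ssh_host connects to $target_host:$target_port" ;;
        # -R: the ssh server binds the port; the ssh client resolves the target.
        -R) echo "$ssh_host listens on $bind_port; local machine connects to $target_host:$target_port" ;;
        *)  echo "error: flag must be -L or -R"; return 1 ;;
    esac
}

# ssh_dest_args DEST
# ssh does not accept host:port as a destination (the "Could not resolve
# hostname" error above); rewrite host:port as "-p port host".
ssh_dest_args() {
    case $1 in
        *:*) echo "-p ${1#*:} ${1%%:*}" ;;
        *)   echo "$1" ;;
    esac
}

# Usage with the post's examples.
forward_summary -L 2121:host2:21 host3         # run on host1
forward_summary -L 5900:localhost:5900 host3   # localhost means host3 here
forward_summary -R 2121:host2:21 host1         # run on host3
ssh_dest_args 192.168.1.5:2222                 # -p 2222 192.168.1.5
```

Read "local machine" as the host where the ssh command is typed: for the -R example that is host3, which is exactly why host1 ends up listening on 2121 and why the target host2 is resolved from host3's side of the tunnel.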


Source: www.cnblogs.com/xietianjiao/p/11493293.html