OpenSSH server configuration and management

SSH is an abbreviation for Secure Shell, a secure remote login protocol and currently the preferred way to manage Linux systems remotely. It was developed by the IETF Network Working Group. SSH is a security protocol built on the application layer; it is reliable and is designed to provide a secure channel for remote login sessions and other network services. The SSH protocol effectively prevents information disclosure during remote administration.

SSH is a network protocol that encrypts logins between computers. If a user logs on to a remote computer from a local machine over SSH, the login can be considered secure: even if the traffic is intercepted, the password will not leak. Early Internet communication was in plaintext, so anything intercepted was exposed. In 1995, the Finnish researcher Tatu Ylonen designed the SSH protocol, which encrypts all login information. It became a fundamental Internet security solution, was adopted rapidly around the world, and is now a standard component of Linux systems.

SSH is able to guarantee security because it uses public-key encryption. The SSH login authentication process is as follows:

1. The remote host receives the user's login request and sends its own public key to the user.
2. The user receives the public key, encrypts the password with it, and sends the result to the remote host.
3. The remote host decrypts the password with its own private key; if the password is correct, the user is allowed to log in.

The process itself is secure, but there is a risk in how it is deployed: if someone intercepts the login request and impersonates the remote host, sending a forged public key to the user, the user has difficulty telling the genuine key from the forgery. Unlike the HTTPS protocol, SSH public keys are not certified by a certificate authority (CA); each host issues its own, so they can easily be abused.

SSH remote login

◆ ◆ Password login

Log in using a password: log in to the remote host with a user name and password, as follows.

[root@localhost ~]# ssh [email protected] -p 22
The authenticity of host 'host (192.168.1.5)' can't be established.
RSA key fingerprint is 94:ee:d7:e0:de:9f:ac:65:22:c1:22:2d:37:12:38:0d.
Are you sure you want to continue connecting (yes/no)?yes
[email protected]'s password:

These lines mean that the authenticity of the host cannot be confirmed; only its public-key fingerprint is shown. A "public key fingerprint" is used because the public key itself is long (the RSA key used here is up to 1024 bits) and hard to compare by eye, so its MD5 hash is computed, turning it into a 128-bit fingerprint.

After you enter the password, if it is correct, you are logged in. Once the remote host's public key has been accepted, it is saved in the file $HOME/.ssh/known_hosts. The next time you connect to that host, the system recognizes that its public key is already stored locally, skips the warning, and prompts directly for the password.

Each user has their own known_hosts file. In addition, the system has such a file, usually /etc/ssh/ssh_known_hosts, which stores public keys of remote hosts that are trusted for all users.
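The safe way to answer the "authenticity can't be established" prompt is to compare the displayed fingerprint with one obtained out of band (server console, inventory), or better, to record the server's host key in known_hosts before the first connection. The following is an added example and not part of the original post or of OpenSSH itself. It generates a throw-away host key with ssh-keygen as a constructed stand-in for the server's /etc/ssh/ssh_host_ed25519_key.pub, records it under the assumed hostname example-host, and checks that the stored key's fingerprint matches the out-of-band value:

```shell
#!/bin/sh
# Added example (not from the original post): pre-seeding known_hosts and
# checking a stored host key's fingerprint against a value obtained out of band.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=example-host            # assumed hostname; replace with the real one

# Constructed stand-in for the server's /etc/ssh/ssh_host_ed25519_key.pub
ssh-keygen -q -t ed25519 -N '' -C "host key of $HOST" -f "$WORK/host_key"

# known_hosts format: "<hostname> <keytype> <base64 key>", one host key per line.
# On a real system this line comes from the server's /etc/ssh/*.pub files,
# copied over a trusted channel, not from the network you are about to use.
printf '%s %s\n' "$HOST" "$(cut -d' ' -f1,2 "$WORK/host_key.pub")" > "$WORK/known_hosts"

# Usage: fingerprint_of <public key file>  -> prints the SHA256:... string
fingerprint_of() { ssh-keygen -l -f "$1" | awk '{print $2}'; }

# Usage: known_host_present <known_hosts file> <hostname>  -> prints yes/no
# ssh-keygen -F searches the file the way ssh itself does (hashed entries included).
known_host_present() {
    if ssh-keygen -F "$2" -f "$1" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# Usage: host_key_matches <known_hosts file> <hostname> <expected fingerprint> -> yes/no
# Extracts the key stored for the host and compares its fingerprint with the
# value obtained out of band.
host_key_matches() {
    stored=$(ssh-keygen -F "$2" -f "$1" | grep -v '^#' | cut -d' ' -f2,3)
    [ -n "$stored" ] || { echo no; return; }
    printf '%s\n' "$stored" > "$WORK/stored.pub"
    if [ "$(fingerprint_of "$WORK/stored.pub")" = "$3" ]; then echo yes; else echo no; fi
}

# In practice EXPECTED is read from the console or inventory, not computed here.
EXPECTED=$(fingerprint_of "$WORK/host_key.pub")
echo "host recorded: $(known_host_present "$WORK/known_hosts" "$HOST")"
echo "fingerprint matches out-of-band value: $(host_key_matches "$WORK/known_hosts" "$HOST" "$EXPECTED")"
echo "unknown host recorded: $(known_host_present "$WORK/known_hosts" other-host)"
```

With the key recorded this way, the first real connection produces no prompt at all, and a mismatching key from an impersonating host is rejected instead of being accepted by a reflexive "yes".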

◆ ◆ Public-key login

With password login, the password must be typed every time, which is troublesome. Fortunately SSH also provides public-key login, which removes the password step. The principle of "public-key login" is simple: the user stores their own public key on the remote host. At login, the remote host sends a random string to the user; the user encrypts it with their private key and sends it back. The remote host decrypts it with the public key stored in advance; if this succeeds, the user is proven genuine and is allowed straight into a shell without a password.

1. Generate the key pair with the command below; the system creates two files under /root/.ssh/: the private key id_rsa and the public key id_rsa.pub.

[root@localhost ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.

2. Copy the generated public key to the other host with the command below; the system copies id_rsa.pub into the /root/.ssh directory on the other host and automatically saves it as authorized_keys.

[root@localhost ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub [email protected]
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.1.22 (192.168.1.22)' can't be established.
ECDSA key fingerprint is SHA256:2kWFaV72YVvAl2EU2Zop4uAjP3Gy2jW92d0Va/HrSMM.
ECDSA key fingerprint is MD5:fc:6c:91:b0:02:e6:7e:98:52:af:0d:b3:47:d4:69:ef.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

3. The next time you log in to the other host with ssh, no password is needed. If this does not work, make sure public-key login is enabled in the server configuration.

[root@localhost ~]# ssh [email protected]
Last login: Mon Nov  5 09:59:45 2018 from 192.168.1.8

[root@localhost ~]# vim /etc/ssh/sshd_config

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
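A frequent reason key login silently falls back to the password prompt, even with the options above enabled, is file permissions: sshd's StrictModes setting (on by default) refuses an authorized_keys file, or any directory on its path, that is writable by group or others, or owned by someone other than the user or root. The check below is an added example, not code from the original post or from OpenSSH; it works on a constructed home directory for an assumed user "alice" under a temp dir, so nothing on the real system is touched:

```shell
#!/bin/sh
# Added example (not from the original post): verify that a user's home,
# ~/.ssh and ~/.ssh/authorized_keys meet sshd's StrictModes requirements.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOME_DIR="$WORK/home/alice"          # constructed user home for the assumed user alice

# Usage: check_ssh_perms <home dir>
# Prints one problem per line on stderr and the number of problems on stdout.
check_ssh_perms() {
    home=$1; n=0; me=$(id -un)
    for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$path" ]; then
            echo "missing: $path" >&2; n=$((n + 1)); continue
        fi
        owner=$(stat -c %U "$path")
        perm=$(stat -c %A "$path")          # e.g. drwxrwxr-x
        if [ "$owner" != "$me" ] && [ "$owner" != root ]; then
            echo "$path is owned by $owner, expected $me or root" >&2; n=$((n + 1))
        fi
        # Character 6 is the group write bit, character 9 the other write bit;
        # sshd (StrictModes yes) rejects the key file if either is set anywhere on the path.
        case $perm in
            ?????w*|????????w*)
                echo "$path is $perm: writable by group or others" >&2; n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Build a home directory with the typical mistakes (constructed, not a real account).
make_broken_home() {
    mkdir -p "$HOME_DIR/.ssh"
    # Constructed placeholder line; a real file holds one public key per line.
    echo 'ssh-ed25519 AAAA-placeholder-not-a-real-key alice@constructed' > "$HOME_DIR/.ssh/authorized_keys"
    chmod 755 "$HOME_DIR"
    chmod 775 "$HOME_DIR/.ssh"                    # group-writable: sshd rejects this
    chmod 664 "$HOME_DIR/.ssh/authorized_keys"    # group-writable: sshd rejects this
}

# The usual fix: 700 on ~/.ssh and 600 on authorized_keys.
fix_home() {
    chmod 700 "$HOME_DIR/.ssh"
    chmod 600 "$HOME_DIR/.ssh/authorized_keys"
}

make_broken_home
echo "problems before fix: $(check_ssh_perms "$HOME_DIR")"
fix_home
echo "problems after fix: $(check_ssh_perms "$HOME_DIR")"
```

Run it against a real account as check_ssh_perms /home/username after ssh-copy-id; a non-zero count explains the password prompt far faster than reading sshd's debug log.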

◆ ◆ Other configuration options

The sshd service configuration file is saved by default at /etc/ssh/sshd_config. The following introduces the parameters of the sshd_config configuration file.

port 22                                     # listening port
addressFamily any                           # allow connections from everyone (IPv4 and IPv6)
listenAddress 0.0.0.0                       # IPv4 listening IP; 0.0.0.0 means listen on all addresses
listenAddress ::                            # IPv6 listening IP
protocol 2                                  # use protocol version 2
syslogFacility AUTHPRIV                     # log facility for authentication messages
permitRootLogin yes                         # whether root may log in
passwordAuthentication yes                  # whether to use password authentication
permitEmptyPasswords no                     # whether to allow empty passwords
loginGraceTime 2m                           # disconnect automatically after 2 minutes without input
printMotd yes                               # print the contents of /etc/motd after login
printLastLog yes                            # print the last login information
useDNS yes                                  # reverse-resolve the client host name; disabling it speeds up login
gSSAPIAuthentication yes                    # GSS authentication; disabling it speeds up login
pidFile /var/run/sshd.pid                   # where the sshd PID is stored
usePrivilegeSeparation sandbox/yes/no       # whether to run with reduced privileges
pubkeyAuthentication yes                    # use public-key authentication
authorizedKeysFile .ssh/auth                # where public keys are stored
MaxAuthTries 5                              # maximum number of password attempts
MaxSessions 10                              # maximum number of sessions allowed
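Several of the values above (PermitRootLogin yes, PasswordAuthentication yes) are the permissive settings that should be tightened once key login works. The script below is an added example and not part of the original post or of OpenSSH: it audits an sshd_config text for those weak settings, matching keyword names case-insensitively and, like sshd, taking the first value it sees for a keyword. Both configurations it checks are constructed sample input, one with the permissive values from the listing above and one hardened for key-only logins:

```shell
#!/bin/sh
# Added example (not from the original post): audit sshd_config text for the
# weak settings discussed above and report the number of findings.

# Constructed sample: the permissive values shown in the post.
WEAK_CFG='Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 5
PubkeyAuthentication yes
# sshd keeps the FIRST value of a keyword, so this later line does not help
PermitRootLogin no'

# Constructed sample: the same file hardened for key-based logins.
HARDENED_CFG='Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
PubkeyAuthentication yes
UseDNS no'

# Usage: audit_sshd_config "$config_text"
# Prints one finding per line on stderr and the number of findings on stdout.
audit_sshd_config() {
    printf '%s\n' "$1" | awk '
        {
            sub(/#.*/, "")                        # drop comments
            if (NF < 2) next                      # skip blank or keyword-only lines
            key = tolower($1)                     # keywords are case-insensitive
            if (!(key in v)) v[key] = tolower($2) # first occurrence wins, as in sshd
        }
        END {
            n = 0
            if (v["permitrootlogin"] == "yes") {
                print "PermitRootLogin yes: set to no (or prohibit-password)" > "/dev/stderr"; n++ }
            if (v["passwordauthentication"] != "no") {
                print "PasswordAuthentication not disabled: use key login and set it to no" > "/dev/stderr"; n++ }
            if (v["permitemptypasswords"] == "yes") {
                print "PermitEmptyPasswords yes: set to no" > "/dev/stderr"; n++ }
            if (v["protocol"] ~ /1/) {
                print "Protocol allows version 1: use Protocol 2 only" > "/dev/stderr"; n++ }
            if (v["maxauthtries"] == "" || v["maxauthtries"] + 0 > 6) {
                print "MaxAuthTries unset or above 6: lower it" > "/dev/stderr"; n++ }
            print n
        }'
}

weak_findings() { audit_sshd_config "$WEAK_CFG" 2>/dev/null; }
hardened_findings() { audit_sshd_config "$HARDENED_CFG" 2>/dev/null; }

# Stand-alone run: report on both constructed samples.
echo "weak config findings: $(weak_findings)"
echo "hardened config findings: $(hardened_findings)"
```

To audit a live server, pass the file contents: audit_sshd_config "$(cat /etc/ssh/sshd_config)". Disable password authentication only after confirming that key login works from a second session, so a mistake does not lock you out.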

Having read the configuration parameters above, let us continue with the common parameters of the ssh command.

[root@localhost ~]# ssh --help

Syntax: [ ssh [options] [user]@[address] ]

        -e      # set the escape character (backslash-controlled character conversion)
        -q      # quiet mode
        -i      # specify the identity file
        -o      # specify a configuration option
        -X      # enable X11 forwarding
        -x      # disable X11 forwarding
        -Y      # enable trusted X11 forwarding
        -1      # force SSH protocol version 1
        -2      # force SSH protocol version 2
        -4      # force IPv4 addresses
        -6      # force IPv6 addresses
        -C      # request compression of all data
        -f      # run ssh in the background
        -N      # do not execute a remote command
        -F      # specify the ssh configuration file
        -A      # enable forwarding of the authentication agent connection
        -a      # disable forwarding of the authentication agent connection
        -l      # specify the login user name on the remote server
        -g      # allow remote hosts to connect to forwarded ports
        -p      # specify the port on the remote server
        -b      # use the specified local address as the source IP of the connection


SCP data transfer

scp is short for secure copy, the remote copy command on Linux. It is similar to the cp command, but cp only copies on the local machine and cannot copy across servers, whereas scp transfers are encrypted (which may slightly affect speed). To copy files between two hosts you need an account with the required permissions on both hosts. First let us look at the common scp parameters and a few small examples.

[root@localhost ~]# scp --help

Syntax: [ scp [options] [user]@[address] ]

        -1      # force scp to use the ssh1 protocol
        -2      # force scp to use the ssh2 protocol
        -4      # force scp to use IPv4 addressing only
        -6      # force scp to use IPv6 addressing only
        -B      # batch mode, no prompting during the transfer
        -C      # allow compression
        -p      # preserve the original modification time, access time and permissions
        -q      # do not show the transfer progress bar
        -r      # copy directories recursively
        -v      # verbose output
        -c      # encrypt the transfer with the given cipher
        -F      # specify an alternative ssh configuration file
        -i      # specify the key file for the transfer
        -l      # limit the transfer bandwidth, in Kbit/s
        -P      # specify the port for the transfer
        -S      # specify the program used for the encrypted connection

Local to remote: copy the local /etc/passwd to the remote /tmp directory.

[root@localhost ~]# scp /etc/passwd [email protected]:/tmp/
[email protected]'s password:
passwd                                                               100%  898   876.6KB/s   00:00

Remote to local: copy the remote /etc/shadow to the local /tmp directory.

[root@localhost ~]# scp [email protected]:/etc/shadow /tmp/
[email protected]'s password:
shadow                                                               100%  714   741.2KB/s   00:00

Copying a directory: copy the entire remote /etc directory to the local /tmp directory.

[root@localhost ~]# scp -r [email protected]:/etc/ /tmp/
[email protected]'s password:
fstab                                                                100%  465   188.1KB/s   00:00
crypttab                                                             100%    0     0.0KB/s   00:00
mtab                                                                 100%    0     0.0KB/s   00:00
...(omitted)...


SSH port operation

◆ ◆ Binding a local port

SSH can carry arbitrary data, so we can route unencrypted network connections through an SSH connection instead, improving security. Suppose we want all data on port 8080 to be sent to a remote host via SSH; the command is written as follows.

[root@localhost ~]# ssh -D 8080 user@host

SSH creates a socket listening on local port 8080. Once data is sent to that port, it is automatically passed over the SSH connection to the remote host. If 8080 was previously an unencrypted port, it now becomes an encrypted one.

◆ ◆ Local port forwarding

Sometimes binding a local port is not enough; you must also specify the target host for the data, forming point-to-point "port forwarding". To distinguish it from the "remote port forwarding" described later, we call this "local port forwarding" (local forwarding).

Assume the local host is host1 and the remote host is host2. For various reasons the two hosts cannot communicate with each other. However, there is a third host, host3, which can connect to both of them at the same time. The natural idea, then, is to connect host1 to host2 through host3.

We execute the following command in host1:

[root@localhost ~]# ssh -L 2121:host2:21 host3

The -L parameter takes three values separated by colons, in the order "local port:target host:target host port". This command tells SSH to bind local port 2121 and connect to host3; all data is then forwarded to port 21 of the target host host2 (assuming host2 runs FTP, whose default port is 21).

As a result, connecting to port 2121 of host1 is equivalent to connecting to port 21 of host2.

[root@localhost ~]# ftp localhost:2121

Because "local port forwarding" creates a tunnel for secret data transmission between host1 and host3, it is also called an "SSH tunnel". Here is a more interesting example.

[root@localhost ~]# ssh -L 5900:localhost:5900 host3

This binds port 5900 on the local machine to port 5900 on host3 (localhost here refers to host3, because the target host is specified relative to host3).

Another example: log in to host2 via ssh through port forwarding on host3.

[root@localhost ~]# ssh -L 9001:host2:22 host3

Now, logging in via ssh to port 9001 on the local machine is equivalent to logging in to host2.

[root@localhost ~]# ssh -p 9001 localhost

The -p parameter above specifies the login port.

◆ ◆ Remote port forwarding

Since "local port forwarding" means binding and forwarding a local port, "remote port forwarding" (remote forwarding) naturally means binding and forwarding a remote port. Look at the example above again: host1 and host2 cannot communicate and must go through host3. But there is a special case: host3 is a machine on an internal network that can connect to host1 on the external network, but not the reverse, since host1 on the external network cannot reach host3 on the internal network. In this case "local port forwarding" cannot be used.

The solution: since host3 can reach host1, host3 establishes an SSH connection to host1, and that connection is then used from host1.

We execute the following command in host3:

[root@localhost ~]# ssh -R 2121:host2:21 host1

The -R parameter likewise takes three values: "remote host port:target host:target host port". This command makes host1 listen on its own port 2121, and all data sent there is forwarded via host3 to port 21 of host2. Because host1 is the remote host from host3's point of view, this is called "remote port binding". After binding, we can connect to host2 from host1.

[root@localhost ~]# ftp localhost:2121

Note that a prerequisite for "remote port forwarding" is that both host1 and host3 have sshd and an ssh client installed.

Origin www.cnblogs.com/LyShark/p/11827464.html