SSHD service secure connection

SSHD service

  • SSH: secure remote connections
  • OpenSSH tools
  • CentOS server package: openssh-server
  • CentOS client package: openssh-clients
  • The main server configuration file, installed with the package, is /etc/ssh/sshd_config
  • The systemd units are /usr/lib/systemd/system/sshd.service and sshd.socket
  • Change the default listening port: edit the Port directive in sshd_config and restart sshd
  • Protocol version: use SSH protocol version 2 only (version 1 is obsolete and insecure)
  • dropbear: a small (about 2 MB) SSH implementation for embedded systems
  • Windows client tools: Xshell, SecureCRT, PuTTY, etc.

    Why SSH is secure

  • Overview of the communication process (simplified)
    1. When a client connects, the server sends its host public key and a session ID
    2. The client XORs the session ID with its own public key, encrypts the result (res) with the server's public key and sends it to the server
    3. The server decrypts res with its private key and XORs it with the session ID to recover the client's public key
    4. Once both sides hold each other's public keys, they use them to negotiate a symmetric session key
    5. All data exchanged afterwards is encrypted and decrypted with that symmetric session key
    6. Problem: the first connection is exposed to a man-in-the-middle attack, because the client has no way to know whether the public key it received really belongs to the server. That is why the first connection displays the server's "fingerprint" and asks the user to confirm it; only after the fingerprint has been verified (a human has to compare it with a value obtained out of band, e.g. from the server's console) is the rest of the session trustworthy
    7. Where the "fingerprint" comes from: it is the hash (SHA256, or MD5 on older versions) of the server's host public key, which lives on the server in /etc/ssh/ssh_host_rsa_key.pub (one such file per key type); the client stores the accepted key in ~/.ssh/known_hosts
    8. If the server is replaced but keeps the same IP, the stored key no longer matches and ssh refuses to connect. Remove the stale entry from ~/.ssh/known_hosts on the client, either by deleting the line for that IP or with ssh-keygen -R ip
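The host-key check the fingerprint step above describes, written out as an added example (Python, not from the original post). It computes the SHA256 fingerprint ssh prints, matches a host against plain, wildcard and hashed (HashKnownHosts yes) entries of a known_hosts file, and reports whether a presented key is known, unknown (first connection: a human must compare the fingerprint out of band) or changed (replaced server, or a man-in-the-middle). The known_hosts contents and key blobs are constructed placeholders, not real keys; the function names are this example's own.

```python
import base64
import fnmatch
import hashlib
import hmac


def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint of a public-key line, as printed by ssh-keygen -lf:
    the base64 key blob is decoded, hashed, and re-encoded without padding."""
    _key_type, blob_b64 = pubkey_line.split()[:2]
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_host_entry(host: str, salt: bytes) -> str:
    """Host field written when HashKnownHosts is yes: |1|salt|HMAC-SHA1(salt, host)."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


def host_field_matches(field: str, host: str) -> bool:
    """Match the first known_hosts column: a hashed entry, or a comma-separated
    list of names ('[host]:port' for non-default ports, '*'/'?' wildcards)."""
    if field.startswith("|1|"):
        _, _, salt_b64, _mac = field.split("|")
        recomputed = hashed_host_entry(host, base64.b64decode(salt_b64))
        return hmac.compare_digest(recomputed, field)
    for pattern in field.split(","):
        if "*" in pattern or "?" in pattern:
            if fnmatch.fnmatchcase(host, pattern):
                return True
        elif pattern == host:      # exact compare, so '[' in '[ip]:port' stays literal
            return True
    return False


def known_keys(known_hosts_text: str, host: str, key_type: str) -> list:
    """Key blobs stored for host and key_type (@cert-authority/@revoked marker
    lines are skipped; the real client handles them separately)."""
    blobs = []
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        host_field, ktype, blob = fields[:3]
        if ktype == key_type and host_field_matches(host_field, host):
            blobs.append(blob)
    return blobs


def verify_host_key(known_hosts_text: str, host: str, presented: str) -> str:
    """'ok': stored key matches; 'unknown': first contact, confirm the fingerprint
    out of band; 'changed': stored key differs (replaced server or MITM), refuse."""
    key_type, blob = presented.split()[:2]
    stored = known_keys(known_hosts_text, host, key_type)
    if not stored:
        return "unknown"
    return "ok" if blob in stored else "changed"


# Constructed sample data: the blobs are placeholder bytes, NOT real keys.
def _fake_key(key_type: str, label: str) -> str:
    return "%s %s %s" % (key_type, base64.b64encode(label.encode()).decode(), label)


SERVER_KEY = _fake_key("ssh-ed25519", "constructed-host-key-of-192.168.47.129")
REPLACED_SERVER_KEY = _fake_key("ssh-ed25519", "constructed-key-of-replacement-box")
SALT = bytes(range(20))   # constructed; ssh uses 20 random bytes per entry
KNOWN_HOSTS = "\n".join([
    "# constructed ~/.ssh/known_hosts",
    "192.168.47.129,[192.168.47.129]:2222 " + SERVER_KEY,
    hashed_host_entry("server.example", SALT) + " " + SERVER_KEY,
])

if __name__ == "__main__":
    print("server fingerprint:", fingerprint(SERVER_KEY))
    for host, key in [("192.168.47.129", SERVER_KEY),
                      ("192.168.47.129", REPLACED_SERVER_KEY),
                      ("10.0.0.9", SERVER_KEY),
                      ("server.example", SERVER_KEY)]:
        print("%-16s %s" % (host, verify_host_key(KNOWN_HOSTS, host, key)))
```

The "changed" outcome is the case item 8 describes: a rebuilt server with the same IP, or someone sitting between you and it. The client cannot tell the two apart, which is why the fix is to delete the stale line only after confirming the new fingerprint against the server itself.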

      SSH client configuration and usage

  • Configuration file: /etc/ssh/ssh_config (system-wide) or ~/.ssh/config (per user). Setting StrictHostKeyChecking no skips the "yes" confirmation on the first connection, but it also removes the protection the fingerprint check provides, so use it only on networks you trust
  • The default login user is the current local user name; prefix the target with user@ to log in as a different user
  • A single command can be run over the connection without opening a shell: ssh user@ip command, e.g. ssh user@ip cat /etc/passwd; the output is displayed on the client
  • -p port: connect to a non-default port; -b ip: bind to a specific local network adapter address when the client has several: ssh -b local_ip -p port user@ip
  • X11 forwarding
    1. On Linux the graphical system is not an essential component; the interactive tool is the shell, as discussed in an earlier post
    2. How X11 works: the X client (the application) sends drawing requests to the X server, which drives the display hardware and draws the desktop
    3. Because X11 is a network protocol, a graphical program can run on the remote host and display locally: ssh -X user@ip program (capital X; lowercase -x disables forwarding)
    4. Force pseudo-tty allocation with -t, which is needed when chaining through several hosts, e.g. ssh -t ip1 ssh -t ip2 ssh ip3 (the passwords are entered one by one)
  • sshpass (a separate package; the first connection still prompts for host-key confirmation unless the host is already in known_hosts)
    1. Syntax: sshpass -p password ssh user@ip (the password is visible in the process list and shell history, so avoid this form)
    2. Read the password from a file: sshpass -f file ssh user@ip; restrict the file's permissions (chmod 600) to protect it
    3. Environment variable: export SSHPASS=password; sshpass -e ssh user@ip command (the variable name must be exactly SSHPASS; a command may follow the connection)
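How sshd and ssh actually read the files named in this section and in the SSHD service section above, as an added example (Python, not from the original post or OpenSSH): a parser that applies the first-value-wins rule of sshd_config(5)/ssh_config(5), and audits of the settings the page tells you to change (Port, protocol version, PermitRootLogin, PasswordAuthentication, StrictHostKeyChecking). The config texts are constructed, the defaults table reflects upstream OpenSSH, and the finding messages are this example's own wording.

```python
import re


def parse_openssh_config(text: str) -> dict:
    """Effective top-level settings. Rules from sshd_config(5)/ssh_config(5):
    keywords are case-insensitive, '#' starts a comment, 'Key value' and
    'Key=value' are both accepted, and the FIRST value seen for a keyword wins.
    Settings inside 'Match ...' (sshd) or 'Host pattern' (ssh) blocks are
    conditional; only a 'Host *' block is treated as global here."""
    effective, skipping = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9]+)\s*=?\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            skipping = True
        elif key == "host":
            skipping = value != "*"
        elif not skipping:
            effective.setdefault(key, value)
    return effective


# Upstream OpenSSH defaults for the keywords checked (a distribution's packaged
# sshd_config may override them, e.g. by shipping PermitRootLogin yes).
SSHD_DEFAULTS = {"port": "22", "permitrootlogin": "prohibit-password",
                 "passwordauthentication": "yes", "protocol": "2"}


def audit_sshd(text: str) -> list:
    """Weak server settings as (Keyword, advice) tuples."""
    cfg = {**SSHD_DEFAULTS, **parse_openssh_config(text)}
    findings = []
    if cfg["port"] == "22":
        findings.append(("Port", "default port; pick another to cut automated scans"))
    if cfg["permitrootlogin"] == "yes":
        findings.append(("PermitRootLogin", "root can log in with a password; use prohibit-password or no"))
    if cfg["passwordauthentication"] == "yes":
        findings.append(("PasswordAuthentication", "set no once keys are deployed"))
    if "1" in cfg["protocol"].split(","):
        findings.append(("Protocol", "SSH-1 enabled; use Protocol 2 only"))
    return findings


def audit_ssh_client(text: str) -> list:
    """Weak client settings as (Keyword, advice) tuples."""
    cfg = parse_openssh_config(text)
    findings = []
    if cfg.get("stricthostkeychecking", "ask").lower() == "no":
        findings.append(("StrictHostKeyChecking",
                         "new keys are stored without confirmation and changed keys "
                         "are tolerated, so a first-contact MITM goes unnoticed"))
    return findings


# Constructed sample configurations.
WEAK_SSHD = """
# sshd_config with the settings the page says to change
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_SSHD = """
Port 2222
Protocol 2
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
Port 22            # ignored: the first value wins, so this does NOT reopen 22
Match User backup
    PasswordAuthentication yes   # conditional, not part of the global audit
"""

WEAK_SSH_CLIENT = "Host *\n    StrictHostKeyChecking no\n"

if __name__ == "__main__":
    for name, text in [("weak", WEAK_SSHD), ("hardened", HARDENED_SSHD)]:
        print(name, "->", audit_sshd(text) or "no findings")
    print("client ->", audit_ssh_client(WEAK_SSH_CLIENT))
```

The first-value-wins rule is the check worth remembering: appending "Port 2222" to the end of a file that still says "Port 22" near the top changes nothing, and the same holds for any hardening line pasted below an existing weaker one.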

      Key-based authentication across the whole network

  • Steps:
    1. Each client generates its own key pair with ssh-keygen (add -t to pick a fixed algorithm, e.g. -t ed25519). The private key and the matching public key (.pub) are written to the .ssh directory in the user's home directory
    2. The .ssh directory does not exist on the target by default, so run ssh-copy-id user@target_ip and enter the target user's password once; this creates .ssh in the target user's home directory and appends your public key to the authorized_keys file there. That file holds all trusted public keys, one per line
    3. Then copy the same .ssh directory to every machine that needs it, and key-based authentication works between all of them (generate the key pair and populate authorized_keys on one host first, then package and copy the directory). Note that sharing one private key across all hosts means compromising any one of them gives access to all the others; a per-host key pair with only the public keys distributed is safer
    4. In the end the .ssh directory in the home directory contains: id_rsa and id_rsa.pub (the private and public key) plus authorized_keys (the collection of trusted public keys). Permissions matter: with StrictModes (the default) sshd ignores an authorized_keys file, .ssh directory or home directory that is group- or world-writable, so keep .ssh at 700 and authorized_keys and private keys at 600
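What ssh-copy-id assembles on the target, as an added example (Python, not from the original post or OpenSSH): it validates public-key lines (including authorized_keys options such as from= and command= in front of the key), merges the keys of several clients without duplicates, installs the file with the modes sshd's StrictModes expects, and checks those modes. The key blobs are constructed placeholders, not real key material, and the helper names are this example's own.

```python
import base64
import os
import re
import stat
import tempfile

# 'ssh-ed25519 AAAA... comment', optionally preceded by options (from=, command=, ...)
_KEY_RE = re.compile(
    r"(?:^|\s)(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(?:256|384|521))\s+"
    r"([A-Za-z0-9+/]+={0,2})(?:\s+(.*))?$")


def parse_pubkey_line(line: str):
    """Return (options, key_type, blob, comment), or None for a line that is not
    a well-formed public key (sshd silently ignores such lines)."""
    line = line.strip()
    m = _KEY_RE.search(line)
    if not m:
        return None
    try:
        base64.b64decode(m.group(2), validate=True)
    except ValueError:
        return None
    return line[:m.start()].strip(), m.group(1), m.group(2), m.group(3) or ""


def merge_authorized_keys(lines) -> tuple:
    """Merge public-key lines from several clients into authorized_keys text:
    one key per line, duplicates (same type and blob) dropped, malformed lines
    returned separately instead of being written."""
    seen, kept, rejected = set(), [], []
    for line in lines:
        parsed = parse_pubkey_line(line)
        if parsed is None:
            rejected.append(line)
            continue
        options, key_type, blob, comment = parsed
        if (key_type, blob) in seen:
            continue
        seen.add((key_type, blob))
        kept.append(" ".join(p for p in (options, key_type, blob, comment) if p))
    return "\n".join(kept) + ("\n" if kept else ""), rejected


def group_or_world_writable(path: str) -> bool:
    """With StrictModes yes (the default) sshd refuses keys from a home, .ssh
    or authorized_keys that other users could write to."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def install_authorized_keys(home: str, text: str) -> str:
    """Write ~/.ssh/authorized_keys with the modes ssh-copy-id leaves behind."""
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    path = os.path.join(ssh_dir, "authorized_keys")
    with open(path, "w") as f:
        f.write(text)
    os.chmod(path, 0o600)
    return path


# Constructed sample keys: the blobs are placeholder bytes, not real keys.
def _fake_key(key_type, label, comment, options=""):
    blob = base64.b64encode(("constructed-" + label).encode()).decode()
    return " ".join(p for p in (options, key_type, blob, comment) if p)


CLIENT_KEYS = [
    _fake_key("ssh-ed25519", "client-a", "admin@client-a"),
    _fake_key("ssh-rsa", "client-b", "admin@client-b", 'from="192.168.47.0/24",no-pty'),
    _fake_key("ssh-ed25519", "client-a", "same key, copied twice"),   # duplicate
    "ssh-ed25519 not*valid*base64 broken@client-c",                    # malformed
]

if __name__ == "__main__":
    text, rejected = merge_authorized_keys(CLIENT_KEYS)
    path = install_authorized_keys(tempfile.mkdtemp(), text)
    print(open(path).read())
    print("rejected:", rejected)
    print("group/world writable:", group_or_world_writable(path))
```

The from= option on the second key is the cheap way to limit what a distributed key can do: even if the private key leaks, sshd only accepts it from the listed network.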

      scp and rsync copying

  • Syntax: scp [options] file_to_copy user@ip:/target_directory_on_the_remote_host
    1. Copy a directory: scp -r /data/ts user@ip:/data
    2. -q: quiet mode
    3. -P: remote host port (uppercase, if the other side changed its port)
    4. -p: preserve the original file's modification times and permissions (lowercase p)
    5. Obvious drawback: scp does not compare files; an unchanged file is transferred and overwritten in full every time, wasting bandwidth
  • rsync: incremental copying
    1. rpm -q rsync (the command comes from the rsync package)
    2. Fast network copy tool: it compares source and destination and transfers only the parts of a file that differ
    3. Syntax: rsync -a /data/ts user@ip:/data copies the directory itself (creating /data/ts on the target), while rsync -a /data/ts/ user@ip:/data copies only its contents into /data; -a is a combination of many options (recursive, preserve permissions, ownership, times and symlinks); see the man page for details
    4. --delete: rsync -a --delete /data/ts user@ip:/data also removes files on the target that no longer exist locally, making the target an exact mirror (run with -n/--dry-run first to see what would be deleted)
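The comparison step that makes rsync cheaper than scp, as an added example (Python, not from the original post or the rsync project): a miniature of the rsync algorithm. The receiver hashes each block of the copy it already has (weak rolling checksum plus MD5), the sender slides the rolling checksum over the new file and sends only block references plus the bytes in between, and the receiver rebuilds the file from both. The block size is shrunk to 8 bytes so the operations are readable, the per-reference cost is an assumption, and the sample files are constructed.

```python
import hashlib

BLOCK = 8       # rsync uses hundreds of bytes; tiny here so the ops are readable
REF_COST = 4    # assumed bytes on the wire for one block reference


def _weak_parts(data: bytes) -> tuple:
    """The two 16-bit halves of rsync's Adler-style rolling checksum."""
    a = sum(data) % 65536
    b = sum((len(data) - i) * x for i, x in enumerate(data)) % 65536
    return a, b


def weak_checksum(data: bytes) -> int:
    a, b = _weak_parts(data)
    return (b << 16) | a


def _roll(a: int, b: int, old_byte: int, new_byte: int) -> tuple:
    """Slide the window one byte forward in O(1) instead of re-hashing BLOCK bytes."""
    a = (a - old_byte + new_byte) % 65536
    b = (b - BLOCK * old_byte + a) % 65536
    return a, b


def signature(old: bytes) -> dict:
    """Receiver side: weak checksum -> [(md5, block index)] for every full block
    of the copy it already has (a short tail block is simply resent)."""
    sig = {}
    for idx in range(len(old) // BLOCK):
        block = old[idx * BLOCK:(idx + 1) * BLOCK]
        sig.setdefault(weak_checksum(block), []).append((hashlib.md5(block).digest(), idx))
    return sig


def delta(new: bytes, sig: dict) -> list:
    """Sender side: ('block', i) wherever a receiver block matches at ANY offset,
    ('literal', bytes) for everything else. Only the weak checksum is rolled;
    MD5 is computed just for candidate positions."""
    ops, literal, i, n = [], bytearray(), 0, len(new)
    a = b = 0
    if n >= BLOCK:
        a, b = _weak_parts(new[:BLOCK])
    while i + BLOCK <= n:
        match = None
        for strong, idx in sig.get((b << 16) | a, ()):
            if strong == hashlib.md5(new[i:i + BLOCK]).digest():
                match = idx
                break
        if match is not None:
            if literal:
                ops.append(("literal", bytes(literal)))
                literal = bytearray()
            ops.append(("block", match))
            i += BLOCK
            if i + BLOCK <= n:
                a, b = _weak_parts(new[i:i + BLOCK])
        else:
            literal.append(new[i])
            if i + BLOCK < n:
                a, b = _roll(a, b, new[i], new[i + BLOCK])
            i += 1
    literal.extend(new[i:])
    if literal:
        ops.append(("literal", bytes(literal)))
    return ops


def apply_delta(old: bytes, ops: list) -> bytes:
    """Receiver side: rebuild the new file from its own blocks plus the literals."""
    out = bytearray()
    for kind, value in ops:
        out += old[value * BLOCK:(value + 1) * BLOCK] if kind == "block" else value
    return bytes(out)


def wire_bytes(ops: list) -> int:
    """Approximate transfer size of the delta, to compare with len(new) for scp."""
    return sum(REF_COST if kind == "block" else len(value) for kind, value in ops)


# Constructed sample: a small file and an edited copy of it.
OLD = b"line 1: alpha\nline 2: bravo\nline 3: charlie\nline 4: delta\n"
NEW = OLD.replace(b"bravo", b"BRAVO!!")

if __name__ == "__main__":
    ops = delta(NEW, signature(OLD))
    for op in ops:
        print(op)
    print("scp sends %d bytes, rsync about %d" % (len(NEW), wire_bytes(ops)))
```

Because the edit inserts two bytes, every block after it sits at a different offset in the new file; the rolling checksum still finds them, which is why rsync copes with insertions rather than only with in-place changes.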

      SSHFS: mounting a remote directory

  • sshfs: yum install sshfs (from the EPEL repository; the package is named fuse-sshfs)
  • Basic syntax: sshfs [user@]ip:remote_directory local_mount_point
  • sshfs 192.168.47.129:/data /mtda (the /mtda mount point must be created locally first; unmount with fusermount -u /mtda)

    pssh: a lightweight ops automation tool

  • yum install pssh (rpm -q pssh to check the package)
  • It assumes key-based authentication to the targets is already in place
  • Syntax: pssh -H ip command. Shell specials such as variables and wildcards are expanded on the local machine, not on the remote host, so quote the whole command as one string; it is then sent unchanged and interpreted by the target's shell
  • Example: pssh -H 192.168.47.129 -H 192.168.47.25 -i hostname (the command runs on all hosts concurrently; -i prints each host's output inline)
  • -h: use a host file containing one IP per line: 192.168.47.129, then 192.168.47.25, and so on
  • For long commands: pssh -h ipfile.txt -i "long command"
  • Other options:
    • -H: host string, format "[user@]host[:port]"
    • -h file: host list file, one "[user@]host[:port]" per line
    • -A: prompt for the password interactively
    • -i: print each server's output inline as it completes
    • -l: user name to log in as
    • -p: number of parallel threads [optional]
    • -o: directory for per-host stdout files [optional]
    • -e: directory for per-host stderr files [optional]
    • -t: timeout in seconds, 0 for unlimited [optional]
    • -O: pass an SSH option (as with ssh -o)
    • -P: print the servers' output as it arrives
    • -v: verbose mode
    • --version: show the version
  • pscp.pssh: copy local files to many remote hosts in bulk (bundled with pssh)
  • pslurp: copy files from many remote hosts to the local machine (bundled with pssh)
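What pssh does under the hood, as an added example (Python, not from the pssh project): parse the [user@]host[:port] host syntax, build an ssh argv that passes the command as a single argument so the remote shell rather than the local one expands it, and run it on all hosts with a thread pool and a per-host timeout (the -p and -t options). The host list is constructed and unreachable, so the demo swaps in a local sh -c runner; the argv builder for real ssh is shown alongside and its ConnectTimeout/BatchMode options are this example's choice.

```python
import subprocess
from concurrent.futures import ThreadPoolExecutor


def parse_host_spec(spec: str) -> tuple:
    """'[user@]host[:port]' as accepted by pssh -H and by lines of -h files
    (IPv4 addresses or hostnames; bracketed IPv6 is not handled here)."""
    user, port = None, 22
    if "@" in spec:
        user, spec = spec.split("@", 1)
    if ":" in spec:
        spec, port_text = spec.rsplit(":", 1)
        port = int(port_text)
    return user, spec, port


def ssh_argv(spec: str, command: str, timeout: int = 10) -> list:
    """argv for one host. The remote command is ONE argument: the local shell
    never sees it, so $HOME, * and quotes are expanded by the remote shell.
    BatchMode makes ssh fail instead of prompting when no key is accepted,
    which is why pssh needs key-based authentication already set up."""
    user, host, port = parse_host_spec(spec)
    return ["ssh", "-p", str(port), "-o", "BatchMode=yes",
            "-o", "ConnectTimeout=%d" % timeout,
            "%s@%s" % (user, host) if user else host, command]


def local_argv(spec: str, command: str, timeout: int = 10) -> list:
    """Stand-in runner for the offline demo: runs the command in a local sh."""
    return ["sh", "-c", command]


def run_everywhere(hosts, command, parallel=32, timeout=10, argv_builder=ssh_argv):
    """Run command on every host concurrently (pssh -p parallel, -t timeout).
    Returns {spec: (returncode or None on timeout, stdout, stderr)}."""
    def one(spec):
        try:
            proc = subprocess.run(argv_builder(spec, command, timeout),
                                  capture_output=True, text=True, timeout=timeout)
            return spec, (proc.returncode, proc.stdout, proc.stderr)
        except subprocess.TimeoutExpired:
            return spec, (None, "", "timed out after %ds" % timeout)

    with ThreadPoolExecutor(max_workers=parallel) as pool:
        return dict(pool.map(one, hosts))


def read_host_file(text: str) -> list:
    """pssh -h: one host spec per line; blank lines and # comments ignored."""
    lines = [line.strip() for line in text.splitlines()]
    return [line for line in lines if line and not line.startswith("#")]


# Constructed host file in the page's format (unreachable addresses, demo only).
HOST_FILE = "192.168.47.129\nroot@192.168.47.25:2222\n# 192.168.47.15 is the local host\n"

if __name__ == "__main__":
    hosts = read_host_file(HOST_FILE)
    print("ssh argv for", hosts[1], "->", ssh_argv(hosts[1], "hostname"))
    results = run_everywhere(hosts, "echo hello $((1 + 1))", argv_builder=local_argv)
    for spec, (rc, out, err) in results.items():
        print("[%s] rc=%s out=%r err=%r" % (spec, rc, out, err))
```

The quoting point from the syntax bullet is visible in ssh_argv: the command string arrives at the remote host exactly as typed, which is the behaviour you get from pssh -i "long command" with the quotes and lose without them.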

    SSH port forwarding (tunnels)

  • Besides the shell session, the connection between the ssh client and server can carry other traffic through the ssh port. Such a channel is called a tunnel: the forwarded data rides inside the encrypted ssh session and inherits its protection
    1. The forwarded traffic between the ssh server and client is encrypted
    2. It can get past firewall restrictions: data the firewall would block directly can be carried through the tunnel to a port outside the firewall
  • Local forwarding: ssh -L local_port:final_target:target_port jump_host (three parties are involved: the local host, the jump host running sshd, and the final target)
  • ssh -L 9527:192.168.47.130:8080 192.168.47.25 -f -N (run on the local host 192.168.47.15; -f sends ssh to the background once the tunnel is up, and -N opens no remote shell) builds the tunnel
  • From then on, connecting to port 9527 on the local host is relayed through the ssh session to 192.168.47.25, which forwards it to port 8080 on 192.168.47.130. A good write-up of ssh forwarding: https://blog.csdn.net/Yaokai_AssultMaster/article/details/85773671
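The forwarding rule ssh -L 9527:192.168.47.130:8080 192.168.47.25 sets up, reduced to the client-side mechanics as an added example (Python, not from the original post or OpenSSH): a listener on the local port whose accepted connections are relayed byte for byte to the target. In real ssh the relay runs inside the encrypted session and it is the jump host (192.168.47.25) that opens the connection to the target; this stand-in connects to the target directly and encrypts nothing, so it demonstrates the data flow, not the protection. The echo server plays the role of the service on the target and is constructed for the demo; the ports are picked by the OS.

```python
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until src closes, then pass the close on to dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _listener(bind_host: str, port: int) -> socket.socket:
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_host, port))      # port 0 = let the OS pick a free one
    srv.listen(16)
    return srv


def start_forwarder(local_port: int, target_host: str, target_port: int,
                    bind_host: str = "127.0.0.1") -> socket.socket:
    """Local forwarding: every connection to bind_host:local_port is relayed to
    target_host:target_port (the 'local_port:target:target_port' part of -L).
    Binding 127.0.0.1 mirrors ssh's default: only the local host can use it."""
    srv = _listener(bind_host, local_port)

    def serve():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:          # listener closed
                return
            try:
                remote = socket.create_connection((target_host, target_port), timeout=5)
            except OSError:
                client.close()       # ssh logs 'connect failed' and drops the client
                continue
            remote.settimeout(None)
            threading.Thread(target=_pump, args=(client, remote), daemon=True).start()
            threading.Thread(target=_pump, args=(remote, client), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv


def start_echo_server(port: int = 0) -> socket.socket:
    """Stand-in for the service on 192.168.47.130:8080: echoes what it receives."""
    srv = _listener("127.0.0.1", port)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv


def through_tunnel(local_port: int, payload: bytes) -> bytes:
    """What a client on the local host sees when it talks to local_port."""
    with socket.create_connection(("127.0.0.1", local_port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def demo(payload: bytes = b"GET / HTTP/1.0\r\n\r\n") -> bytes:
    """Wire everything up on free ports and send one request through the relay."""
    echo = start_echo_server()
    fwd = start_forwarder(0, "127.0.0.1", echo.getsockname()[1])
    try:
        return through_tunnel(fwd.getsockname()[1], payload)
    finally:
        fwd.close()
        echo.close()


if __name__ == "__main__":
    print(demo())
```

Two details carry over to the real command: the listener binds 127.0.0.1 unless you ask otherwise (ssh's -g or a bind address in -L), and a target that refuses the connection only shows up as a dropped client on the local side, so check the jump host's view of the target before blaming the tunnel.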


Source: www.cnblogs.com/Justin0717/p/11837765.html