Centos 7.4 Remote Access Control

Contents

I. SSH remote management
II. Using the SSH client programs
III. Building an SSH key-pair authentication system

I. SSH remote management

SSH is a secure channel protocol used mainly for character-mode functions such as remote login and remote file copying. SSH encrypts the data transmitted in both directions of the connection, including the password the user types at login. Compared with earlier applications such as Telnet, RSH and RCP, the SSH protocol offers better security.

1. Configuring the OpenSSH server

In CentOS 7.4 the OpenSSH server is provided by the openssh and openssh-server packages (installed by default), and sshd is already registered as a standard system service. Once "systemctl start sshd" has started the sshd service, most users, including root, can log in to the system remotely. The default configuration file of the sshd service is /etc/ssh/sshd_config; adjusting the relevant settings correctly further improves the security of remote logins over sshd.

1) Service listening options

The default port number used by the sshd service is 22. It is recommended to change this port number and, where necessary, to make the service listen on one specific IP address, so that it is less conspicuous on the network. Protocol version 2 is more secure than version 1, and disabling reverse DNS lookups improves the server's response time.

[root@centos01 ~]# vim /etc/ssh/sshd_config   <!--edit the main sshd configuration file-->
Port 22         <!--listen on port 22-->
ListenAddress 192.168.100.10    <!--listen on address 192.168.100.10-->
Protocol 2        <!--use the SSH V2 protocol-->
UseDNS no    <!--disable reverse DNS lookups-->
......             <!--part of the file omitted-->
[root@centos01 ~]# systemctl restart sshd    <!--restart the sshd service-->

2) User login control

By default the sshd service allows the root user to log in, which is very unsafe when the server is used on the Internet. Login control in sshd should in general forbid logins by root and by users with an empty password. It is also possible to limit the time allowed for login authentication (2 minutes by default) and the maximum number of retries; if the login has still not succeeded when the limit is reached, the connection is closed.

[root@centos01 ~]# vim /etc/ssh/sshd_config      <!--edit the main sshd configuration file-->
LoginGraceTime 2m       <!--login authentication time of 2 minutes-->
PermitRootLogin no      <!--forbid root user login-->
MaxAuthTries 6               <!--maximum of 6 retries-->
PermitEmptyPasswords no       <!--forbid login by users with an empty password-->
......             <!--part of the file omitted-->
[root@centos01 ~]# systemctl restart sshd           <!--restart the sshd service-->

2. Authentication modes

For remote server management, the login authentication mode matters as much as the security control of user accounts. The sshd server supports two authentication modes, password authentication and key-pair authentication; either one can be enabled alone, or both can be enabled together.

  • Password authentication: the server checks the login name and password against its local system users. This is the most convenient mode, but from the client's point of view the server it connects to could be an impostor, and from the server's point of view its ability to resist a third party's exhaustive password guessing is relatively weak.
  • Key-pair authentication: the client must present key material that matches what the server holds. Normally a pair of key files (a public key and a private key) is created on the client, and the public key file is placed in the designated location on the server. At remote login the system performs encryption and decryption with the public and private keys and checks that they match, which greatly strengthens the security of remote management. This mode is hard to counterfeit and can avoid interactive logins, so it is widely used in shell environments.

When both password authentication and key-pair authentication are enabled, the server tries key-pair authentication first. For servers with higher security requirements it is recommended to disable password authentication and allow only key-pair authentication; where there is no special requirement, both modes can be enabled.

[root@centos01 ~]# vim /etc/ssh/sshd_config <!--edit the main sshd configuration file-->
PubkeyAuthentication yes         <!--enable key-pair authentication-->
AuthorizedKeysFile      .ssh/authorized_keys <!--specify the public key database file-->
PasswordAuthentication yes        <!--enable password authentication-->
......              <!--part of the file omitted-->
[root@centos01 ~]# systemctl restart sshd         <!--restart the sshd service-->

Here, the AuthorizedKeysFile setting names the public key database, which stores the public key text uploaded from multiple clients so that it can be matched against the private key file kept on each client.
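To check that the listening, login-control and authentication settings from the three listings above are actually in effect, the following added example (not part of the original post) audits an sshd_config file from the shell. It reproduces two rules of sshd's parser that are easy to trip over: a keyword keeps its first value and later duplicates are silently ignored, and a line beginning with # only documents the compiled-in default. The expected values are the post's recommendations, with PasswordAuthentication no for the stricter key-only variant; the two configuration files the script writes are constructed fixtures, not a real host's file.

```shell
# sshd_effective FILE KEYWORD: print the value sshd will use for KEYWORD, or
# nothing when it is not set explicitly (a '#'-prefixed line only documents
# the compiled-in default, and sshd keeps the FIRST occurrence of a keyword).
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/             { next }   # comment or commented-out default
        tolower($1) == "match" { exit }   # Match blocks are conditional: stop
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}

# sshd_check FILE KEYWORD EXPECTED: one "OK"/"WARN" line for a single setting.
sshd_check() {
    value=$(sshd_effective "$1" "$2")
    if [ -z "$value" ]; then
        echo "WARN $2 not set explicitly (compiled-in default applies); expected $3"
    elif [ "$value" = "$3" ]; then
        echo "OK   $2 $value"
    else
        echo "WARN $2 $value; expected $3"
    fi
}

# sshd_audit FILE: check the settings discussed in the post against FILE.
sshd_audit() {
    sshd_check "$1" Protocol 2
    sshd_check "$1" PermitRootLogin no
    sshd_check "$1" PermitEmptyPasswords no
    sshd_check "$1" PubkeyAuthentication yes
    sshd_check "$1" PasswordAuthentication no
    sshd_check "$1" MaxAuthTries 6
    sshd_check "$1" LoginGraceTime 2m
    sshd_check "$1" UseDNS no
    # The port is site-specific; warn only when it is still the well-known 22.
    port=$(sshd_effective "$1" Port)
    if [ -z "$port" ] || [ "$port" = 22 ]; then
        echo "WARN Port ${port:-22} is the default; the post recommends another port"
    else
        echo "OK   Port $port"
    fi
}

# sshd_audit_warnings FILE: number of WARN lines (for scripts and assertions).
sshd_audit_warnings() {
    sshd_audit "$1" | grep -c '^WARN' || true
}

# Constructed fixture mirroring the listings in the post (root login and
# password authentication still enabled; the duplicated PermitRootLogin
# shows that only the first occurrence counts). Not a real host's file.
write_sample_config() {
    cat > "$1" <<'EOF'
#Port 22
Port 22
ListenAddress 192.168.100.10
Protocol 2
UseDNS no
LoginGraceTime 2m
PermitRootLogin yes
PermitRootLogin no
MaxAuthTries 6
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
PermitEmptyPasswords no
EOF
}

# Constructed fixture with the post's recommendations applied.
write_hardened_config() {
    cat > "$1" <<'EOF'
Port 2222
ListenAddress 192.168.100.10
Protocol 2
UseDNS no
LoginGraceTime 2m
PermitRootLogin no
MaxAuthTries 6
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
PermitEmptyPasswords no
EOF
}

# Stand-alone demonstration on the constructed fixture; point sshd_audit at a
# copy of /etc/ssh/sshd_config to audit a real host.
demo_dir=$(mktemp -d)
write_sample_config "$demo_dir/sshd_config"
sshd_audit "$demo_dir/sshd_config"
rm -rf "$demo_dir"
```

Run sshd_audit /etc/ssh/sshd_config on the server after editing and before restarting; sshd -t additionally checks the file for syntax errors, which the audit does not do.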

II. Using the SSH client programs

In CentOS 7.4 the OpenSSH client is provided by the openssh-clients package (installed by default), which includes the ssh remote login command and the scp and sftp commands for remote copying and file transfer.

1. The ssh remote login command

The ssh command logs in remotely to an sshd service and gives the user a secure shell environment in which to manage and maintain the server. The login user and the destination host address should be given as arguments. For example:

[root@centos02 ~]# ssh root@192.168.100.10
root@192.168.100.10's password: 
Last login: Mon Nov 11 19:02:50 2019 from 192.168.100.254
[root@centos01 ~]# 
[root@centos01 ~]# ssh root@192.168.100.10
The authenticity of host '192.168.100.10 (192.168.100.10)' can't be established.
ECDSA key fingerprint is SHA256:PUueT9fU9QbsyNB5NC5hbSXzaWxxQavBxXmfoknXl4I.
ECDSA key fingerprint is MD5:6d:f7:95:0e:51:1a:d8:9e:7b:b6:3f:58:51:51:4b:3b.
Are you sure you want to continue connecting (yes/no)? yes   <!--accept the host key-->
Warning: Permanently added '192.168.100.10' (ECDSA) to the list of known hosts.
root@192.168.100.10's password:     <!--enter the password-->
Last login: Mon Nov 11 19:03:08 2019 from 192.168.100.20
[root@centos01 ~]# who         <!--confirm the current users-->
root     pts/1        2019-11-11 19:03 (192.168.100.20)
root     pts/2        2019-11-11 19:04 (192.168.100.10)
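The who output above shows only the sessions that are currently open. On CentOS 7 sshd also records every accepted and failed authentication in /var/log/secure, which is where the weakness of password authentication against guessing, and the effect of the MaxAuthTries limit, become visible. The following added example, not part of the original post, runs simple detection logic over a constructed sample of such log lines: it counts failed password attempts per source address, lists the sources at or above a threshold, and counts logins that were accepted with a password, which should be zero on a server where PasswordAuthentication is set to no. The sample lines, addresses and process ids are invented.

```shell
# Constructed sample of /var/log/secure lines in the CentOS 7 sshd format
# (addresses and PIDs invented; not a real capture).
write_sample_secure() {
    cat > "$1" <<'EOF'
Nov 12 17:35:02 centos01 sshd[2411]: Accepted publickey for root from 192.168.100.20 port 51234 ssh2: DSA SHA256:zv0EdqIuOfwSovN2Dkij08y9wZ0f1+IyhY7LFNKKzkk
Nov 12 17:35:02 centos01 sshd[2411]: pam_unix(sshd:session): session opened for user root by (uid=0)
Nov 12 17:36:10 centos01 sshd[2450]: Failed password for root from 192.168.100.254 port 40001 ssh2
Nov 12 17:36:12 centos01 sshd[2450]: Failed password for root from 192.168.100.254 port 40001 ssh2
Nov 12 17:36:15 centos01 sshd[2450]: Failed password for root from 192.168.100.254 port 40001 ssh2
Nov 12 17:36:18 centos01 sshd[2450]: Failed password for root from 192.168.100.254 port 40001 ssh2
Nov 12 17:36:30 centos01 sshd[2462]: Invalid user admin from 192.168.100.254 port 40002
Nov 12 17:36:31 centos01 sshd[2462]: Failed password for invalid user admin from 192.168.100.254 port 40002 ssh2
Nov 12 17:36:33 centos01 sshd[2462]: Failed password for invalid user admin from 192.168.100.254 port 40002 ssh2
Nov 12 17:36:50 centos01 sshd[2470]: Failed password for root from 192.168.100.20 port 51300 ssh2
Nov 12 17:37:00 centos01 sshd[2481]: Accepted password for root from 192.168.100.254 port 40003 ssh2
EOF
}

# ssh_failed_by_source LOG: "count address" for failed password attempts,
# highest count first. The source address is the token after "from", which
# also covers "Failed password for invalid user NAME from ..." lines.
ssh_failed_by_source() {
    awk '/sshd\[[0-9]+]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
         }
         END { for (ip in fails) print fails[ip], ip }' "$1" | sort -rn
}

# ssh_brute_sources LOG THRESHOLD: addresses with at least THRESHOLD failures.
ssh_brute_sources() {
    ssh_failed_by_source "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# ssh_accepted_by_method LOG: "count method" for successful logins, so that
# password versus publickey logins can be compared with the intended policy.
ssh_accepted_by_method() {
    awk '/sshd\[[0-9]+]: Accepted / { methods[$7]++ }
         END { for (m in methods) print methods[m], m }' "$1" | sort -rn
}

# ssh_password_accepts LOG: logins accepted with a password; expected to be 0
# once PasswordAuthentication no is in effect.
ssh_password_accepts() {
    grep -c 'sshd\[[0-9]*]: Accepted password for' "$1" || true
}

# Stand-alone demonstration on the constructed sample; on a real host run the
# same functions against /var/log/secure.
demo_dir=$(mktemp -d)
write_sample_secure "$demo_dir/secure"
echo "failed password attempts by source:"
ssh_failed_by_source "$demo_dir/secure"
echo "sources with at least 6 failures (the MaxAuthTries value from the post):"
ssh_brute_sources "$demo_dir/secure" 6
echo "accepted logins by method:"
ssh_accepted_by_method "$demo_dir/secure"
echo "password logins accepted: $(ssh_password_accepts "$demo_dir/secure")"
rm -rf "$demo_dir"
```

The per-source counts are what a MaxAuthTries limit caps per connection but not per attacker, since a new connection gets a fresh budget; that is why the post's recommendation to disable password authentication for higher-security servers matters more than the retry limit.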

If the sshd server uses a non-default port (such as 2222), the port number must be passed with the "-p" option at login. For example:

[root@centos01 ~]# vim /etc/ssh/sshd_config    <!--edit the main sshd configuration file-->
Port 2222          <!--change the listening port to 2222-->
[root@centos01 ~]# systemctl restart sshd   <!--restart the sshd service-->
[root@centos02 ~]# ssh -p 2222 root@192.168.100.10     <!--client ssh login-->
root@192.168.100.10's password:          <!--enter the password-->
Last login: Mon Nov 11 19:20:28 2019 from 192.168.100.10
[root@centos01 ~]#           <!--login succeeded-->

2. scp remote copy

The scp command copies files to or from another host over an SSH secure connection. Besides the source and destination of the copy, it must be given the destination host address and login user, and the authentication password is entered at the prompt when the command runs. For example:

[root@centos02 ~]# scp root@192.168.100.10:/etc/ssh/sshd_config ./     <!--copy data from the remote host to the local current directory-->
root@192.168.100.10's password:      <!--enter the password-->
sshd_config                   100% 3910     3.6MB/s   00:00    
[root@centos02 ~]# scp -r ./sshd_config root@192.168.100.10:/opt     <!--upload local data to the remote host's /opt directory-->
root@192.168.100.10's password:      <!--enter the password-->
sshd_config                   100% 3910     1.2MB/s   00:00    

3. sftp secure FTP

The sftp command uploads and downloads files to and from a remote host over an SSH secure connection. Its login process and interactive environment resemble those of FTP, which makes managing directory resources convenient. For example:

[root@centos01 ~]# cd /opt/       <!--enter the /opt directory-->
[root@centos01 opt]# sftp root@192.168.100.20    <!--log in to sftp-->
root@192.168.100.20's password:      <!--enter the password-->
Connected to 192.168.100.20.
sftp> pwd        <!--the sftp login location defaults to the user's home directory-->
Remote working directory: /root
sftp> put sshd_config       <!--upload data to the remote host-->
Uploading sshd_config to /root/sshd_config
sshd_config                   100% 3910     6.4MB/s   00:00    
sftp> get sshd_config         <!--download data to the local host-->
Fetching /root/sshd_config to sshd_config
/root/sshd_config             100% 3910     3.6MB/s   00:00    
sftp> exit                  <!--log out-->

III. Building an SSH key-pair authentication system

Key-pair authentication gives remote logins better security. This section builds a basic SSH key-pair authentication setup between a Linux server and client. As shown in the figure below, the process has four steps: first create a key pair on the SSH client as user zhangsan, then upload the public key file to the SSH server, next import the public key text into the public key database of the target user lisi on the server, and finally log in as the server-side user lisi to verify.
[Figure: Centos 7.4 Remote Access Control]

1. Creating the key pair on the client

On the client, create a key pair file for the current user with the ssh-keygen tool. Available algorithms include ECDSA and DSA (the "-t" option of ssh-keygen specifies the algorithm type). For example:

[root@centos02 ~]# ssh-keygen -t dsa     <!--create the key pair-->
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):   <!--specify the private key location-->
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):  <!--set the private key passphrase-->
Enter same passphrase again:        <!--confirm the passphrase-->
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
SHA256:zv0EdqIuOfwSovN2Dkij08y9wZ0f1+IyhY7LFNKKzkk root@centos02
The key's randomart image is:
+---[DSA 1024]----+
|                 |
|                 |
|                 |
|     .           |
|  o . o S.+ .    |
| * *.+.=.+.=     |
|o E.*o+==.+ o    |
| =o..*Oo++ +     |
|  ++oo+*+o. .    |
+----[SHA256]-----+
[root@centos02 ~]# ls -lh ~/.ssh/id_dsa*  <!--confirm the generated key files-->
-rw------- 1 root root 668 11月 12 16:11 /root/.ssh/id_dsa
-rw-r--r-- 1 root root 603 11月 12 16:11 /root/.ssh/id_dsa.pub

Of the newly generated key pair, the private key file id_dsa has default permissions of 600 and must be kept safe and never disclosed to anyone; the public key file id_dsa.pub is the one provided to the SSH server.

2. Uploading the public key file to the server

Upload the public key file generated in the previous step to the server and deploy it into the server user's public key database. The public key file can be uploaded in any way you like: scp, FTP, HTTP, even e-mail.

[root@centos02 ~]# ssh-copy-id -i ./.ssh/id_dsa.pub root@192.168.100.10 <!--upload the public key file to the server and import the public key text-->
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "./.ssh/id_dsa.pub"
The authenticity of host '192.168.100.10 (192.168.100.10)' can't be established.
ECDSA key fingerprint is SHA256:PUueT9fU9QbsyNB5NC5hbSXzaWxxQavBxXmfoknXl4I.
ECDSA key fingerprint is MD5:6d:f7:95:0e:51:1a:d8:9e:7b:b6:3f:58:51:51:4b:3b.
Are you sure you want to continue connecting (yes/no)? yes   <!--type yes-->
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.100.10's password:      <!--enter the password-->

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@192.168.100.10'"
and check to make sure that only the key(s) you wanted were added.
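ssh-copy-id performs the server-side part of this step: it creates the ~/.ssh directory and the authorized_keys file if they are missing, sets the permissions sshd expects (with StrictModes, on by default, sshd ignores an authorized_keys file that is writable by other users or that sits in such a directory) and appends the key. When the public key travels by scp, FTP or e-mail instead, that step has to be done by hand. The following added example, not from the original post, reproduces it as shell functions: it checks that the line has the shape of an OpenSSH public key, creates the directory and file with modes 700 and 600, and appends the key only if the same key (type and base64 blob, ignoring the comment) is not already present. The key line used in the demonstration is a constructed placeholder, not a real key.

```shell
# pubkey_valid LINE: succeed if LINE has the shape of an OpenSSH public key
# (key type, base64 blob, optional comment). The blob itself is not checked
# cryptographically; this only rejects garbage before it reaches the file.
pubkey_valid() {
    printf '%s\n' "$1" |
        grep -Eq '^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+={0,2}( .*)?$'
}

# install_pubkey AUTH_FILE LINE: the server-side step of ssh-copy-id.
# Prints "added", "present" or "rejected"; returns non-zero on "rejected".
install_pubkey() {
    auth=$1
    line=$2
    if ! pubkey_valid "$line"; then
        echo rejected
        return 1
    fi
    dir=$(dirname "$auth")
    # 700 on ~/.ssh and 600 on authorized_keys: with StrictModes (the default)
    # sshd ignores the file if it or its directory is writable by others.
    mkdir -p "$dir" && chmod 700 "$dir"
    [ -f "$auth" ] || : > "$auth"
    chmod 600 "$auth"
    # Match on type and blob only; the trailing comment may differ between copies.
    blob=$(printf '%s\n' "$line" | awk '{ print $1, $2 }')
    if awk -v b="$blob" '($1 " " $2) == b { found = 1 } END { exit !found }' "$auth"; then
        echo present
    else
        printf '%s\n' "$line" >> "$auth"
        echo added
    fi
}

# authorized_keys_count FILE: number of key lines (blank and # lines ignored).
authorized_keys_count() {
    grep -c '^[^#[:space:]]' "$1" || true
}

# authorized_keys_perms_ok FILE: succeed if FILE is mode 600 and its directory 700.
authorized_keys_perms_ok() {
    find "$1" -prune -perm 600 | grep -q . &&
        find "$(dirname "$1")" -prune -perm 700 | grep -q .
}

# Stand-alone demonstration in a temporary directory. The key below is a
# constructed placeholder with the right shape, not a real public key; on the
# server the first argument would be the target user's ~/.ssh/authorized_keys.
demo_dir=$(mktemp -d)
demo_key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholderBlobNotARealKey000 root@centos02'
install_pubkey "$demo_dir/.ssh/authorized_keys" "$demo_key"     # first call: added
install_pubkey "$demo_dir/.ssh/authorized_keys" "$demo_key"     # second call: present
echo "keys installed: $(authorized_keys_count "$demo_dir/.ssh/authorized_keys")"
rm -rf "$demo_dir"
```

After installing a key by hand, authorized_keys_perms_ok is the check to run when a key that was copied correctly is still refused: a group- or world-writable ~/.ssh or authorized_keys is the usual cause, and sshd logs it rather than reporting it to the client.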

3. Key-pair authentication from the client

Once the private key file (on the client) and the public key file (on the server) are in place, the setup can be tested from the client. First make sure that the current user on the client is root, then log in remotely to the server as root with the ssh command. If key-pair authentication has been configured successfully, the client is asked for the private key passphrase so that the private key file can be used for matching (if no passphrase was set, the login to the target server proceeds directly).

[root@centos02 ~]# ssh root@192.168.100.10      <!--log in to the ssh server-->
Last login: Tue Nov 12 16:03:56 2019 from 192.168.100.254
[root@centos01 ~]# who   <!--logged in to the server; list the logged-in users-->
root     pts/0        2019-11-12 17:35 (192.168.100.20)
root     pts/2        2019-11-12 16:03 (192.168.100.254)

------ This concludes the article, thanks for reading ------


Origin blog.51cto.com/14156658/2449789