Introduction to ssh service

SSH is short for Secure Shell Protocol. Before any data is sent, SSH encrypts the packets using cryptographic techniques and only then transmits them, which protects the data in transit.

SSH is a security protocol designed for remote login sessions and other network services. Using the SSH protocol can effectively prevent information leakage during remote management.

By default, the SSH service provides two functions. One is a remote login service similar to telnet, which is the ssh service mentioned above; the other is sftp-server, a file transfer service similar to FTP that carries its data over the SSH protocol and so offers a more secure sftp service to SSH clients (the ssh command). The client side also includes the very useful remote secure copy command scp, which likewise works over the SSH protocol.

Summary:

1) SSH is a secure encryption protocol for remote connections to Linux servers.

2) The default port of SSH is 22, and the secure protocol version is SSH2; besides version 2 there is SSH1, which has vulnerabilities.

3) The SSH server provides two main functions: SSH remote connection and the SFTP service.

4) The Linux ssh client includes the ssh remote connection command and the scp remote copy command.

The operating parameters of the SSH service are changed by editing the configuration file /etc/ssh/sshd_config, for example:

Port 52114 (the default ssh connection port is 22, which can be changed)

PermitRootLogin no (remote root login is prohibited)

PermitEmptyPasswords no (login with an empty password is prohibited)

UseDNS no (do not use DNS)

ListenAddress 172.16.1.61:22 (listen only on the intranet IP; the port number may be appended)

The reason ssh is the standard way to manage Linux systems remotely is simple: transport methods such as telnet and FTP send user authentication information in clear text, which is inherently unsafe and open to eavesdropping on the network. SSH (Secure Shell) is a reliable protocol that provides security for remote login sessions and other network services; using it effectively prevents information leakage during remote management. All transmitted data is encrypted by SSH, and it also guards against DNS spoofing and IP spoofing.

ssh_config and sshd_config are the configuration files of the SSH suite. The difference between them is that the former is used by the client and the latter by the server. Both files let you change how the program runs by setting different options. The most important keywords in the two files are listed below. Each line has the form "Keyword Value", where "Keyword" is case-insensitive.
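The "Keyword Value" format above has two properties that matter when hardening a server: "#" lines set nothing even though the shipped file uses them to show defaults, and sshd keeps the first value it reads for a keyword, so a hardening line appended below an earlier setting of the same keyword is ignored. The following Python audit is an added example (not code from the original page or from OpenSSH): it parses the format with those rules and checks the hardening values from the summary above (PermitRootLogin, PermitEmptyPasswords, UseDNS) against a constructed sample file; the RECOMMENDED list is the example's own assumption.

```python
import re

# Hardening values taken from the summary above. The audit list itself is this
# example's own assumption; sshd ships no such list.
RECOMMENDED = {
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
    "usedns": "no",
}

# sshd accepts "Keyword Value" as well as "Keyword=Value" (with optional spaces).
KEY_RE = re.compile(r"^([A-Za-z0-9]+)\s*(?:=|\s)\s*(.*?)\s*$")


def parse_sshd_config(text):
    """Return the (keyword, value) settings of the global section, in file order.

    Keywords are case-insensitive, so they are lower-cased here. Lines starting
    with '#' are comments: in the shipped file they document the built-in
    defaults, but they set nothing. Parsing stops at the first 'Match' line,
    because everything before it is the global configuration.
    """
    settings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.match(line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2)
        if keyword == "match":
            break
        settings.append((keyword, value))
    return settings


def effective_settings(settings):
    """sshd uses the FIRST value it reads for each keyword; later duplicates are
    silently ignored. A hardening line appended to the end of a file that
    already sets the same keyword therefore changes nothing."""
    effective = {}
    for keyword, value in settings:
        effective.setdefault(keyword, value)
    return effective


def audit(text, recommended=RECOMMENDED):
    """Return {keyword: (expected, actual)} for each recommendation not met.

    actual is None when the keyword is absent, in which case sshd applies its
    compiled-in default; the audit flags that too, so the value gets set explicitly.
    """
    effective = effective_settings(parse_sshd_config(text))
    findings = {}
    for keyword, expected in recommended.items():
        actual = effective.get(keyword)
        if actual is None or actual.lower() != expected:
            findings[keyword] = (expected, actual)
    return findings


# Constructed sample, not a real server's file: note the commented default and
# the duplicate PermitRootLogin lines.
SAMPLE_SSHD_CONFIG = """\
#PermitRootLogin prohibit-password
Port 52114
ListenAddress 172.16.1.61:22
PermitRootLogin yes
PermitEmptyPasswords no
# appended later by an administrator, but sshd keeps the first value above
PermitRootLogin no
"""

if __name__ == "__main__":
    for keyword, (expected, actual) in audit(SAMPLE_SSHD_CONFIG).items():
        shown = "not set" if actual is None else actual
        print(f"{keyword}: expected {expected}, effective value is {shown}")
```

Run on the sample, the audit reports PermitRootLogin as effectively "yes" (the appended "no" never takes effect) and UseDNS as not set. After editing a real file, `sshd -t` validates the syntax before the daemon is restarted.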

1. Edit the /etc/ssh/ssh_config file:

# Site-wide defaults for various options

Host *

ForwardAgent no

ForwardX11 no

RhostsAuthentication no

RhostsRSAAuthentication no

RSAAuthentication yes

PasswordAuthentication yes

FallBackToRsh no

UseRsh no

BatchMode no

CheckHostIP yes

StrictHostKeyChecking no

IdentityFile ~/.ssh/identity

Port 22

Cipher blowfish

EscapeChar ~

The following explains the above option parameters one by one:

# Site-wide defaults for various options

"#" marks a comment: a line starting with it is not part of the active configuration, and here it indicates that the options that follow are the system's initial defaults. In the actual configuration file there are many options beginning with "#"; although such a line has no effect, it documents the default initialization setting of the system.

Host *

"Host" restricts the following options to computers matching the given string; "*" means all computers. As the indentation of the format shows, this is a global setting: all the indented options below it apply to this Host entry. You can replace "*" with a specific hostname so that the following options apply only to that computer.
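How the client resolves Host blocks is easy to get wrong: ssh scans the file top to bottom and keeps the first value it finds for each option, so a "Host *" block placed before a host-specific block shadows it. The following Python is an added example (not code from the original page or from OpenSSH) that models that matching, including "!" negated patterns, over a constructed client configuration; hostnames such as build-server and *.internal.example are the example's own.

```python
import fnmatch


def parse_ssh_config(text):
    """Split ssh_config text into blocks of (host_patterns, [(keyword, value), ...]).

    Options that appear before any 'Host' line apply to every host, so they are
    stored under the pattern '*'. Keywords are lower-cased (case-insensitive).
    """
    blocks = [(["*"], [])]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            blocks.append((value.split(), []))
        else:
            blocks[-1][1].append((keyword, value))
    return blocks


def host_matches(patterns, hostname):
    """ssh-style matching: '*' and '?' wildcards; a pattern starting with '!'
    negates, and a single negated match excludes the block entirely."""
    matched = False
    for pattern in patterns:
        if pattern.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pattern[1:]):
                return False
        elif fnmatch.fnmatchcase(hostname, pattern):
            matched = True
    return matched


def effective_for_host(blocks, hostname):
    """ssh keeps the FIRST value found for each keyword while scanning the file
    top to bottom, so a 'Host *' block must come last or it shadows the
    host-specific entries written after it."""
    effective = {}
    for patterns, settings in blocks:
        if not host_matches(patterns, hostname):
            continue
        for keyword, value in settings:
            effective.setdefault(keyword, value)
    return effective


# Constructed client configuration, not a real one.
SAMPLE_SSH_CONFIG = """\
Host build-server
    Port 2222
    StrictHostKeyChecking yes

Host *.internal.example !legacy.internal.example
    ForwardAgent yes

# global defaults: deliberately the last block
Host *
    ForwardAgent no
    ForwardX11 no
    StrictHostKeyChecking ask
    Port 22
"""


def describe(hostname, text=SAMPLE_SSH_CONFIG):
    """Effective options the client would use for hostname under text."""
    return effective_for_host(parse_ssh_config(text), hostname)


if __name__ == "__main__":
    for host in ("build-server", "db.internal.example", "legacy.internal.example"):
        print(host, describe(host))
```

build-server gets Port 2222 plus the global ForwardAgent no; db.internal.example gets agent forwarding while the negated legacy host falls through to the global "no". Swapping the block order so that "Host *" comes first makes build-server silently use port 22.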

ForwardAgent no

"ForwardAgent" sets whether the connection to the authentication agent (if any) is forwarded to the remote computer.

ForwardX11 no

"ForwardX11" sets whether X11 connections are automatically redirected over the secure channel and the DISPLAY variable set.

RhostsAuthentication no

"RhostsAuthentication" sets whether rhosts-based security authentication is used.

RhostsRSAAuthentication no

"RhostsRSAAuthentication" sets whether the RSA algorithm is used for rhosts-based security authentication.

RSAAuthentication yes

"RSAAuthentication" sets whether the RSA algorithm is used for security verification.

PasswordAuthentication yes

"PasswordAuthentication" sets whether password authentication is used.

FallBackToRsh no

"FallBackToRsh" sets whether ssh automatically falls back to rsh when the ssh connection fails. This option should be set to no, because rsh is not secure.

UseRsh no

"UseRsh" sets whether rlogin/rsh is used on this computer. For the same reason, it is set to no.

BatchMode no

"BatchMode" is batch mode, normally set to no; if set to yes, interactive password prompts are suppressed. This option is useful for scripts and batch jobs.

CheckHostIP yes

"CheckHostIP" sets whether ssh also checks the IP address of the host it connects to (against the known_hosts file) in order to detect DNS spoofing. It is recommended to set it to yes.

StrictHostKeyChecking no

If "StrictHostKeyChecking" is set to yes, ssh will not automatically add the computer's key to the $HOME/.ssh/known_hosts file, and once the computer's key changes it will refuse to connect.
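The decision StrictHostKeyChecking controls, and the one case it does not control (a stored key that no longer matches is refused whatever the setting, since that is the signature of a man-in-the-middle or a rebuilt host), is shown by the following Python. It is an added example, not code from the original page or from OpenSSH: it parses known_hosts entries, including the hashed "|1|salt|hash" form written when HashKnownHosts is on, and classifies a presented key. The keys and hostnames in it are constructed placeholders, not real key material.

```python
import base64
import hashlib
import hmac


def parse_known_hosts(text):
    """Return a list of (host_field, keytype, key_b64) from known_hosts text.

    host_field is either a comma-separated list of names/addresses or a hashed
    entry of the form |1|<salt>|<hash> (HashKnownHosts yes)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue  # '@cert-authority' / '@revoked' markers are out of scope here
        parts = line.split()
        if len(parts) >= 3:
            entries.append((parts[0], parts[1], parts[2]))
    return entries


def host_field_matches(host_field, hostname):
    """Plain fields match by name; hashed fields match HMAC-SHA1(salt, hostname)."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, hash_b64 = host_field.split("|", 3)
        digest = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(digest, base64.b64decode(hash_b64))
    return hostname in host_field.split(",")


def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of the base64 key blob, for log messages."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_host_key(entries, hostname, keytype, presented_b64, strict="ask"):
    """Decide what the client does with the key a server presents.

    Returns one of:
      'trusted'          the key matches the stored entry
      'refused-changed'  a stored key for this host differs: refuse regardless
                         of StrictHostKeyChecking (possible man-in-the-middle)
      'refused-unknown'  host not in known_hosts and StrictHostKeyChecking yes
      'added'            host unknown and StrictHostKeyChecking no: stored as-is
      'prompt'           host unknown and StrictHostKeyChecking ask: user decides
    entries is updated in place when a key is added.
    """
    for host_field, stored_type, stored_key in entries:
        if stored_type == keytype and host_field_matches(host_field, hostname):
            if hmac.compare_digest(stored_key, presented_b64):
                return "trusted"
            return "refused-changed"
    if strict == "yes":
        return "refused-unknown"
    if strict == "no":
        entries.append((hostname, keytype, presented_b64))
        return "added"
    return "prompt"


# Constructed placeholders, not real keys: base64 of arbitrary byte strings.
KEY_A = base64.b64encode(b"constructed-host-key-A-not-real").decode()
KEY_B = base64.b64encode(b"constructed-host-key-B-not-real").decode()
SALT = b"0123456789abcdefghij"  # 20-byte salt, as ssh-keygen -H writes
HASHED_FIELD = "|1|%s|%s" % (
    base64.b64encode(SALT).decode(),
    base64.b64encode(hmac.new(SALT, b"hashed.example", hashlib.sha1).digest()).decode(),
)
SAMPLE_KNOWN_HOSTS = "# constructed known_hosts\n" \
    "server1.example,192.0.2.10 ssh-ed25519 %s\n%s ssh-ed25519 %s\n" % (KEY_A, HASHED_FIELD, KEY_A)

if __name__ == "__main__":
    entries = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    print(check_host_key(entries, "server1.example", "ssh-ed25519", KEY_A))
    print(check_host_key(entries, "192.0.2.10", "ssh-ed25519", KEY_B, strict="no"),
          "presented", fingerprint(KEY_B))
```

With StrictHostKeyChecking no, an unknown host is added silently, which is exactly the trust-on-first-use step the page's "yes" setting removes; a changed key is refused in every mode.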

IdentityFile ~/.ssh/identity

"IdentityFile" sets the file from which the user's RSA authentication identity is read.

Port 22

"Port" sets the port used to connect to the remote host; the default ssh port is 22.

Cipher blowfish

"Cipher" sets the encryption algorithm; blowfish is one option, and it can be changed as desired.

EscapeChar ~

"EscapeChar" sets the escape character.

2. Edit the file /etc/ssh/sshd_config:

This is the ssh server system-wide configuration file.

Port 22

ListenAddress 192.168.1.1

HostKey /etc/ssh/ssh_host_key

ServerKeyBits 1024

LoginGraceTime 600

KeyRegenerationInterval 3600

PermitRootLogin no

IgnoreRhosts yes

IgnoreUserKnownHosts yes

StrictModes yes

X11Forwarding no

PrintMotd yes

SyslogFacility AUTH

LogLevel INFO

RhostsAuthentication no

RhostsRSAAuthentication no

RSAAuthentication yes

PasswordAuthentication yes

PermitEmptyPasswords no

AllowUsers admin

The following describes the above option settings line by line:

Port 22

"Port" sets the port number that sshd listens on.

ListenAddress 192.168.1.1

"ListenAddress" sets the IP address the sshd server binds to.

HostKey /etc/ssh/ssh_host_key

"HostKey" sets the file containing the computer's private key.

ServerKeyBits 1024

"ServerKeyBits" defines the number of bits in the server key.

LoginGraceTime 600

"LoginGraceTime" sets the time (in seconds) the server waits before disconnecting a user who has not logged in successfully.

KeyRegenerationInterval 3600

"KeyRegenerationInterval" sets the number of seconds after which the server key is automatically regenerated (if one is used). Regenerating the key prevents intercepted traffic from being decrypted later with a stolen key.

PermitRootLogin no

"PermitRootLogin" sets whether the root user is allowed to log in via ssh. From a security point of view, this option should be set to no.

IgnoreRhosts yes

"IgnoreRhosts" sets whether the ".rhosts" and ".shosts" files are ignored during verification.

IgnoreUserKnownHosts yes

"IgnoreUserKnownHosts" sets whether the ssh daemon ignores the user's "$HOME/.ssh/known_hosts" when performing RhostsRSAAuthentication security verification.

StrictModes yes

"StrictModes" sets whether ssh checks the permissions and ownership of the user's home directory and rhosts files before accepting a login request. This is usually necessary, because novices often leave their directories and files writable by anyone.

X11Forwarding no

"X11Forwarding" sets whether X11 forwarding is allowed.

PrintMotd yes

"PrintMotd" sets whether sshd displays the contents of "/etc/motd" when the user logs in.

SyslogFacility AUTH

"SyslogFacility" sets the syslog "facility code" used when logging messages from sshd.

LogLevel INFO

"LogLevel" sets the level at which sshd log messages are recorded. INFO is a good choice. For more information, see the sshd manual page.

RhostsAuthentication no

"RhostsAuthentication" sets whether rhosts or "/etc/hosts.equiv" alone is sufficient for security verification.

RhostsRSAAuthentication no

"RhostsRSAAuthentication" sets whether rhosts or "/etc/hosts.equiv" combined with RSA is allowed for security verification.

RSAAuthentication yes

"RSAAuthentication" sets whether pure RSA security verification is allowed.

PasswordAuthentication yes

"PasswordAuthentication" sets whether password authentication is allowed.

PermitEmptyPasswords no

"PermitEmptyPasswords" sets whether login to an account with an empty password is allowed.

AllowUsers admin

"AllowUsers" can be followed by any number of user names, separated by spaces. An entry may also be written as user@host, in which case the host part can be a domain name or an IP address.

Normally, when we connect to an OpenSSH server with the UseDNS option enabled, the server first looks up the client's hostname through a DNS PTR query on the client's IP address, then looks up the forward (A) record of that hostname and checks that it resolves back to the original IP address, to prevent the client from spoofing its name. Most clients use dynamic IP addresses that have no PTR record, so enabling this option gains little; turning it off speeds up connections to the OpenSSH server.
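The forward-confirmed reverse lookup just described, and why a missing PTR record slows the login down, can be seen in the following Python. It is an added example (not code from the original page or from OpenSSH) that runs the check against an offline, constructed resolver table using documentation address ranges; the hostnames and the DnsTimeout stand-in for a resolver timeout are the example's own.

```python
class DnsTimeout(Exception):
    """Raised by the constructed resolver when a name has no record, standing in
    for the real-world lookup that hangs until the resolver times out."""


class FakeResolver:
    """Offline stand-in for DNS. ptr maps IP -> name; addr maps name -> [IPs].
    Every query is counted so the cost of UseDNS can be seen."""

    def __init__(self, ptr, addr):
        self.ptr, self.addr, self.queries = ptr, addr, 0

    def reverse(self, ip):
        self.queries += 1
        if ip not in self.ptr:
            raise DnsTimeout(ip)
        return self.ptr[ip]

    def forward(self, name):
        self.queries += 1
        if name not in self.addr:
            raise DnsTimeout(name)
        return self.addr[name]


def resolve_client_name(client_ip, resolver, use_dns=True):
    """Forward-confirmed reverse DNS as described above: PTR lookup of the client
    IP, then a forward lookup of that name; the name is trusted only if the
    forward answer contains the original IP. Returns (name_or_None, reason)."""
    if not use_dns:
        return None, "UseDNS no: no lookups performed"
    try:
        name = resolver.reverse(client_ip)
    except DnsTimeout:
        return None, "no PTR record: waited for the resolver to time out"
    try:
        addresses = resolver.forward(name)
    except DnsTimeout:
        return None, "reverse name %s has no forward record" % name
    if client_ip not in addresses:
        return None, "reverse name %s does not map back to %s" % (name, client_ip)
    return name, "forward-confirmed"


# Constructed records in documentation address ranges; not real hosts.
RESOLVER_DATA = {
    "ptr": {"198.51.100.7": "admin-pc.example", "203.0.113.9": "trusted-host.example"},
    "addr": {"admin-pc.example": ["198.51.100.7"], "trusted-host.example": ["203.0.113.99"]},
}


def make_resolver():
    return FakeResolver(RESOLVER_DATA["ptr"], RESOLVER_DATA["addr"])


if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.9", "192.0.2.44"):
        resolver = make_resolver()
        name, reason = resolve_client_name(ip, resolver)
        print(ip, "->", name, "(%s, %d queries)" % (reason, resolver.queries))
```

The second client claims, via its PTR record, a name whose forward record points elsewhere, so the name is not trusted and sshd falls back to the bare IP; the third has no PTR at all and pays the full resolver timeout before the login proceeds, which is the delay UseDNS no avoids.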

1) Run the command ssh-keygen -t dsa to generate the private key and the public key, as shown in the figure below:

3) No password is needed when switching to the other host, as shown in the figure.