SSH service
2022-07-28 14:51:00 【Laughter addiction】
One. Introduction to ssh
1. Definition: ssh (secure shell) is best understood as a protocol; it is used on Linux/Unix systems to control servers remotely.
2. CentOS 6/7/8 installs openssh by default when the system is installed.
Ubuntu does not install it by default; you have to install it yourself.
[root@localhost ~]# rpm -qa |grep openssh
openssh-clients-8.0p1-5.el8.x86_64     # client program
openssh-server-8.0p1-5.el8.x86_64      # server side
openssh-8.0p1-5.el8.x86_64             # version number
rpm is the software management command on Linux; it is used on RedHat/CentOS.
rpm -qa queries all the software installed on this machine:
q = query
a = all
Install the client software openssh.
openssh often needs to be upgraded to keep the Linux system secure:
yum update openssh openssh-clients openssh-server -y
3. ssh listens on port 22 by default.
The protocol used is tcp.
4. How to check whether the sshd service is running
1. Look at the process --> ps aux|grep sshd
2. Look at the port --> lsof -i:22
3. Try connecting directly
4. Check the log
Two. How ssh works
1. Data encryption: data is encrypted while it is being transmitted.
2. Algorithms:
1. Common encryption algorithms
RSA, Elgamal, knapsack algorithm, Rabin, D-H, ECC (elliptic curve cryptography), ECDSA
2. Classification of encryption algorithms:
Symmetric encryption
Asymmetric encryption (public key and private key)
3. Digital signature:
1. Purpose: used for identity verification
2. Principle: based on generating random strings
3. Detailed flow chart (figure not reproduced)
4. Authentication:
1. Password authentication: through the /etc/passwd and /etc/shadow files
2. Key authentication
Three. ssh configuration, files, faults and commands
1. ssh configuration
1. Directory where the configuration is stored: /etc/ssh
2. Related configuration files: they pass parameters to the process
[root@localhost ssh]# cd /etc/ssh/
sshd_config --> configuration file for the server side --> process: sshd
ssh_config --> configuration file used by the ssh command (the client) --> process: ssh
ssh_host_ecdsa_key.pub --> public key for the ecdsa algorithm
ssh_host_ecdsa_key --> private key for the ecdsa algorithm
2. ssh related files
1. Log file: /var/log/secure
2. known_hosts file:
2.1. How it is produced: the first time the client uses ssh to connect to a server, the public key of the sshd daemon on that server is copied locally
and stored in ~/.ssh/known_hosts; each line stores the public key of one server and is used to verify that server's identity.
2.2. Purpose: data encryption + identification of server and client (digital signature)
2.3. Storage path: in ~/.ssh
3. authorized_keys file:
3.1. Path: in ~/.ssh
3.2. Purpose: used for authentication, proving that you are a legitimate user of the Linux system and may log in to use it
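As an added example (not part of the original post), the check a practitioner runs over the log file named above: count failed sshd password attempts per source IP. The log lines are constructed in the format sshd writes to /var/log/secure, so the script runs offline; pass a real log path to failed_by_ip to use it on a server.

```shell
#!/bin/sh
# Added example: summarise "Failed password" events from /var/log/secure-style
# lines per source IP. The sample below is constructed, not taken from a real host.

SAMPLE_LOG='Jul 27 16:53:10 localhost sshd[2101]: Failed password for root from 192.168.243.128 port 50110 ssh2
Jul 27 16:53:12 localhost sshd[2101]: Failed password for root from 192.168.243.128 port 50112 ssh2
Jul 27 16:53:15 localhost sshd[2104]: Failed password for invalid user admin from 10.0.0.9 port 41000 ssh2
Jul 27 16:53:28 localhost sshd[2107]: Failed password for root from 192.168.243.128 port 50120 ssh2
Jul 27 16:55:01 localhost sshd[2110]: Accepted publickey for root from 192.168.243.128 port 50130 ssh2'

# failed_by_ip FILE: print "count ip" lines, most attempts first.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             # the source address is the field after the word "from"
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# failed_count FILE IP: number of failed password attempts from one IP (0 if none).
failed_count() {
    failed_by_ip "$1" | awk -v ip="$2" '$2 == ip { print $1; found = 1 } END { if (!found) print 0 }'
}

# Stand-alone run: write the constructed sample to a temp file and report on it.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$tmp"
failed_by_ip "$tmp"
rm -f "$tmp"
```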
3. ssh related faults
1. It is recommended to turn off the firewall and set it not to start at boot
systemctl stop firewalld
systemctl disable firewalld
2. It is recommended to turn off selinux and set it not to start at boot
2.1. selinux is a set of security mechanisms in the Linux system, there to protect the security of the system;
it restricts processes from doing things that threaten security.
2.2. Temporarily adjust the selinux state
[root@localhost ssh]# getenforce      # view the state of selinux
Enforcing
[root@localhost ssh]# setenforce 0    # temporarily switch the selinux policy to permissive mode
[root@localhost ssh]# getenforce
Permissive
2.3. Permanently change the selinux policy to disabled
[root@localhost ssh]# vim /etc/selinux/config
SELINUX=disabled
4. ssh related commands
1. ssh command:
1.1. ssh root@192.168.243.132   # connect to the server 192.168.243.132 remotely as the root user
1.2. ssh 192.168.243.132        # no login user specified: the current user name is used for the remote connection by default
1.3. Type exit to leave the session
1.4. You can run scripts or commands on the remote machine
1.5. If the port in the ssh configuration file has been changed, the connection option -p is needed when connecting,
to specify the port number
2. sftp command:
2.1. Implements the ftp function on top of the ssh protocol; ssh is used underneath
2.2. Provides file upload and download
3. scp command:
Remote copy: connects to other machines remotely over the ssh protocol underneath and copies files
3.1. Transfer a local file to the server
scp [local file path] [server user name]@[server address]:[path where the file is stored on the server]
Example:
scp /lianxi/random.sh root@192.168.243.132:/lianxi
3.2. Transfer a local folder to the server
scp -r [local folder path] [server user name]@[server address]:[path where the folder is stored on the server]
Example:
scp -r /lianxi/python_test root@192.168.243.132:/lianxi
3.3. Transfer a file from the server to the local machine
scp [server user name]@[server address]:[path of the file on the server] [local path]
Example:
scp root@192.168.243.132:/lianxi/liuhj.ttt /lianxi
3.4. Transfer a folder from the server to a local folder
scp -r [server user name]@[server address]:[path of the folder on the server] [local path]
Example:
scp -r root@192.168.243.132:/lianxi/lhj /lianxi
Four. Hardening the ssh service to improve security
1. Change the port in /etc/ssh/sshd_config
2. Disable users
Also by editing the configuration file /etc/ssh/sshd_config, the root user can be disabled.
3. Why can ssh not log in as root, yet root can be used after logging in?
Because the switch does not go through ssh's checks at the bottom layer; instead a process is started inside the Linux system and switches to the root user.
4. Upgrade openssh
yum update openssh openssh-clients openssh-server -y
5. Key authentication
First edit the configuration file /etc/ssh/sshd_config to turn on key authentication, then configure key authentication
6. Password authentication
Change your password more often and increase password complexity
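As an added example (not from the original post), a POSIX shell audit of the sshd_config items listed above: the Port, PermitRootLogin and PubkeyAuthentication settings. It relies on sshd's rule that the first uncommented occurrence of a keyword wins and that keywords are case-insensitive; the config it reads is constructed, so point audit_sshd_config at /etc/ssh/sshd_config to check a real server.

```shell
#!/bin/sh
# Added example: report which hardening settings from the section above are in
# place in an sshd_config file. The sample config written below is constructed.

# effective_value FILE KEYWORD: the value sshd will use for KEYWORD, or empty if unset.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }        # skip comments and blank lines
        tolower($1) == key { print $2; exit }      # sshd keeps the first value found
    ' "$1"
}

# audit_sshd_config FILE: one line per check; returns the number of failed checks.
audit_sshd_config() {
    f=$1; fails=0
    port=$(effective_value "$f" Port)
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "WARN Port: still on the default 22"; fails=$((fails+1))
    else
        echo "OK   Port: $port"
    fi
    root=$(effective_value "$f" PermitRootLogin)
    if [ "$root" = "no" ]; then
        echo "OK   PermitRootLogin: no"
    else
        echo "WARN PermitRootLogin: ${root:-unset (distribution default applies)}"; fails=$((fails+1))
    fi
    pubkey=$(effective_value "$f" PubkeyAuthentication)
    if [ "${pubkey:-yes}" = "yes" ]; then      # unset means yes in sshd
        echo "OK   PubkeyAuthentication: yes"
    else
        echo "WARN PubkeyAuthentication: $pubkey"; fails=$((fails+1))
    fi
    return $fails
}

# Stand-alone run against a constructed config with two weak settings.
tmpcfg=$(mktemp)
printf '# constructed sample\nPort 22\nPermitRootLogin yes\nPubkeyAuthentication yes\n' > "$tmpcfg"
audit_sshd_config "$tmpcfg" || echo "checks needing attention: $?"
rm -f "$tmpcfg"
```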
Five. Set up a passwordless channel
1. Generate a key pair. On 192.168.243.128, generate the key pair as the root user; the key pair will be placed in the user's home directory
[root@localhost ssh]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:Ecds9x/kXGpjN1lXDtudEerhZyCFAJ4ugGRThdehBsM root@localhost.localdomain
The key's randomart image is:
+---[RSA 2048]----+
| +o+o..o++o ...o+|
|o oEo.o..o+.o .*B|
| . ..o o.. o ==oO|
| o . . + O*.|
| . .S = *o|
| . o .|
| |
| |
| |
+----[SHA256]-----+
2. Go to the user's home directory and look at the public and private keys
[root@localhost ssh]# cd /root/.ssh/
[root@localhost .ssh]# ls
id_rsa        # private key
id_rsa.pub    # public key
known_hosts
[root@localhost .ssh]# ll    # do not change the permissions of the key files, otherwise the key will become invalid
total 12
-rw-------. 1 root root 1679 Jul 27 16:46 id_rsa
-rw-r--r--. 1 root root  408 Jul 27 16:46 id_rsa.pub
-rw-r--r--. 1 root root  182 Jul 27 16:34 known_hosts
3. Upload the public key to the other party's server, so that the other server lets the root user log in
[root@localhost .ssh]# ssh-copy-id -p 2222 -i id_rsa.pub root@192.168.243.132
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "id_rsa.pub"
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.243.132's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh -p '2222' 'root@192.168.243.132'"
and check to make sure that only the key(s) you wanted were added.
4. Verify whether a password is still required to log in
[root@localhost .ssh]# ssh -p '2222' 'root@192.168.243.132'
Last failed login: Wed Jul 27 16:53:28 CST 2022 from 192.168.243.128 on ssh:notty
There were 30 failed login attempts since the last successful login.
Last login: Wed Jul 27 11:55:11 2022
[root@…-kafka01 ~]#
[root@localhost .ssh]# scp -P 2222 'root@192.168.243.132':/etc/passwd .
passwd                                        100% 1217   561.0KB/s   00:00
[root@localhost .ssh]#
[root@localhost .ssh]# ssh -p '2222' 'root@192.168.243.132' mkdir /wangshuai
5. Related flow chart (figure not reproduced)
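As an added example (not from the original post), the check behind the note on the "ll" listing above: the ssh client ignores a private key that other users can read, and sshd (with StrictModes, its default) refuses an authorized_keys file or ~/.ssh directory that others can write to. The script assumes GNU stat on Linux and runs on a constructed directory; pass a real ~/.ssh path to check_ssh_dir to audit a host.

```shell
#!/bin/sh
# Added example: verify the permissions of the files used for key authentication
# match what ssh and sshd expect. The directory used in the demo is constructed.

# mode_of PATH: octal permission bits, e.g. 600 (GNU/busybox stat, assumes Linux).
mode_of() { stat -c '%a' "$1"; }

# check_ssh_dir DIR: one line per file checked; returns the number of problems found.
check_ssh_dir() {
    d=$1; bad=0
    dm=$(mode_of "$d")
    if [ "$dm" = "700" ]; then echo "OK   $d: $dm"
    else echo "WARN $d: mode $dm, expected 700"; bad=$((bad+1)); fi
    # private key and authorized_keys must be readable by the owner only
    for f in "$d"/id_rsa "$d"/authorized_keys; do
        [ -e "$f" ] || continue
        m=$(mode_of "$f")
        if [ "$m" = "600" ]; then echo "OK   $f: $m"
        else echo "WARN $f: mode $m, expected 600"; bad=$((bad+1)); fi
    done
    # public material may be world-readable but never group- or world-writable
    for f in "$d"/id_rsa.pub "$d"/known_hosts; do
        [ -e "$f" ] || continue
        m=$(mode_of "$f")
        case "$m" in
            644|640|600) echo "OK   $f: $m" ;;
            *) echo "WARN $f: mode $m, must not be writable by others"; bad=$((bad+1)) ;;
        esac
    done
    return $bad
}

# Stand-alone run: a constructed ~/.ssh with one deliberately wrong mode on id_rsa.
demo=$(mktemp -d)
touch "$demo/id_rsa" "$demo/id_rsa.pub" "$demo/authorized_keys"
chmod 700 "$demo"; chmod 644 "$demo/id_rsa"; chmod 644 "$demo/id_rsa.pub"; chmod 600 "$demo/authorized_keys"
check_ssh_dir "$demo" || echo "problems found: $?"
rm -rf "$demo"
```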