Detailed explanation of Linux remote management and sshd service verification knowledge points

1. SSH remote management

SSH Definition

  • SSH (Secure Shell) is a secure channel protocol that is mainly used to implement functions such as remote login and remote copy in a character interface.
  • The SSH protocol encrypts the data transmitted between the two communicating parties, including the user password entered when the user logs in. Therefore, the SSH protocol has good security.

SSH Advantages

  • Data transmission is encrypted to prevent information leakage
  • Data transmission is compressed, which can increase the transmission speed

SSH Configuration File

  • The default configuration file for the sshd service is /etc/ssh/sshd_config
  • ssh_config and sshd_config are both OpenSSH configuration files

The difference between the two is that ssh_config is the configuration file for the client, while sshd_config is the configuration file for the server.

SSH client and server

  • SSH client: PuTTY, Xshell, CRT
  • SSH server: OpenSSH
  • OpenSSH is an open source software project that implements the SSH protocol and is applicable to various UNIX and Linux operating systems.

By default, the CentOS 7 system has installed openssh-related packages and added the sshd service as a startup service.

2. Configure OpenSSH server

1. Common option settings for the sshd_config configuration file

vim /etc/ssh/sshd_config
Port 22 #The listening port is 22
ListenAddress 0.0.0.0 #The listening address can be any network segment, or you can specify the specific IP of the OpenSSH server

LoginGraceTime 2m #Login verification time is 2 minutes
PermitRootLogin no #Prohibit root user from logging in
MaxAuthTries 6 #Maximum number of retries is 6

PermitEmptyPasswords no #Prohibit users with empty passwords from logging in
UseDNS no #Disable DNS reverse resolution to improve the response speed of the server
#Only allow zhangsan, lisi, and wangwu users to log in, and wangwu user can only log in remotely from the host with IP address 61.23.24.25
AllowUsers zhangsan lisi wangwu@61.23.24.25 #Multiple users are separated by spaces
#Prohibit certain users from logging in, usage is similar to AllowUsers (be careful not to use them at the same time)
DenyUsers zhangsan

2. AllowUsers and DenyUsers

AllowUsers...... #Only allow certain users to log in
DenyUsers...... #Prohibit certain users from logging in, usage is similar to AllowUsers (be careful not to use them at the same time)
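
One way to check a server against the option values listed above, as an added example that is not part of the original article. The function names (first_value, audit_sshd_config, write_sample_config) and the sample file are constructed for illustration; the expected values are the ones this article sets.

```shell
#!/bin/sh
# Added example: audit an sshd_config file against the values shown above.

# first_value FILE KEYWORD
# sshd keywords are case-insensitive and the first occurrence wins.
first_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                    # whole-line comment
        tolower($1) == tolower(key) {
            sub(/[ \t]*#.*$/, "")              # drop a trailing annotation
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }' "$1"
}

# audit_sshd_config FILE: print one line per finding, return 1 if any.
audit_sshd_config() {
    f=$1; bad=0
    v=$(first_value "$f" PermitRootLogin)
    [ "$v" = "no" ] || { echo "PermitRootLogin=${v:-unset}, expected no"; bad=1; }
    v=$(first_value "$f" PermitEmptyPasswords)
    [ "${v:-no}" = "no" ] || { echo "PermitEmptyPasswords=$v, expected no"; bad=1; }
    v=$(first_value "$f" MaxAuthTries)
    [ "${v:-6}" -le 6 ] 2>/dev/null || { echo "MaxAuthTries=$v, expected <= 6"; bad=1; }
    if [ -n "$(first_value "$f" AllowUsers)" ] &&
       [ -n "$(first_value "$f" DenyUsers)" ]; then
        echo "AllowUsers and DenyUsers are both set"; bad=1
    fi
    return "$bad"
}

# write_sample_config FILE: constructed sample with deliberate problems.
write_sample_config() {
    cat > "$1" <<'EOF'
Port 22
permitrootlogin yes
PermitRootLogin no
MaxAuthTries 10
AllowUsers zhangsan lisi wangwu@61.23.24.25
DenyUsers zhangsan
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
audit_sshd_config "$sample" || true   # prints three findings
rm -f "$sample"
```

The sample shows why the first occurrence matters: the later "PermitRootLogin no" line has no effect because "permitrootlogin yes" appears first. On a real server, sshd -t checks the file's syntax before the service is reloaded.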

3. Remote replication

scp [email protected]:/etc/passwd /root/passwd10.txt

4. sftp secure FTP

Due to the use of encryption/decryption technology, the transmission efficiency is lower than that of ordinary FTP, but the security is higher. The operation syntax of sftp is almost the same as that of ftp.

sftp [email protected]
sftp> ls
sftp> get file name #Download the file to the ftp directory
sftp> put file name #Upload the file to the ftp directory
sftp> quit #Exit

3. How sshd service supports authentication

Password Authentication

Verifies the login name and password of a local system user on the server. This is simple, but the password may be cracked by brute force. For brute-force cracking, see the previous blog post on system weak password detection for a detailed description.

Key pair verification

Matching key information is required for verification. Usually, a pair of key files (public key and private key) is created on the client first, and then the public key file is placed in the specified location on the server. When logging in remotely, the system uses the public key and private key for encryption/decryption-based verification. This enhances security and can eliminate the need for interactive login.

When both password authentication and key pair authentication are enabled, the server will give priority to key pair authentication. The verification method can be set according to the actual situation.

vim /etc/ssh/sshd_config #Edit the server main configuration file
PasswordAuthentication yes #Enable password authentication
PubkeyAuthentication yes #Enable key pair authentication
AuthorizedKeysFile .ssh/authorized_keys #Specify the public key library file

Create a key pair on the client

Use the ssh-keygen tool to create a key pair file for the current user. The available encryption algorithms are RSA, ECDSA, or DSA. (The "-t" option of the ssh-keygen command is used to specify the algorithm type.)

useradd admin
echo "123123" | passwd --stdin admin
su - admin
ssh-keygen -t ecdsa
Generating public/private ecdsa key pair.
Enter file in which to save the key (/home/admin/.ssh/id_ecdsa): #Specify the private key location. Press Enter to use the default location.
Created directory '/home/admin/.ssh'. #The generated private and public key files are stored in the hidden directory .ssh/ in the home directory by default.
Enter passphrase (empty for no passphrase): #Set the password for the private key.
Enter same passphrase again: #Confirm the input.
ls -l .ssh/id_ecdsa* #id_ecdsa is the private key file with the default permission of 600; id_ecdsa.pub is the public key file, which is provided to the SSH server

Import the public key text into the /home/zhangsan/.ssh/ directory of the server

cd ~/.ssh/
ssh-copy-id -i id_ecdsa.pub [email protected]

Using key pair authentication on the client

ssh [email protected]
[email protected]'s password: #Enter the password for the private key

Set up the ssh agent function on the client to log in without interaction

ssh-agent bash
ssh-add
Enter passphrase for /home/admin/.ssh/id_ecdsa: #Enter the private key password
ssh [email protected]

*Supplement

scp ~/.ssh/id_ecdsa.pub [email protected]:/opt #Upload the public key in the local ~/.ssh directory to the server's /opt directory
mkdir /home/zhangsan/.ssh/ #Create a .ssh directory in the server's /home/zhangsan/ directory
cat /opt/id_ecdsa.pub >> /home/zhangsan/.ssh/authorized_keys #Append the public key file in the /opt directory to the authorized_keys file in the /home/zhangsan/.ssh/ directory on the server
cat /home/zhangsan/.ssh/authorized_keys #View the /home/zhangsan/.ssh/authorized_keys file on the server
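
The manual import above, as an added example that is not part of the original article: it sets the directory and file modes that sshd's StrictModes check expects and does not append a key twice. The function names install_pubkey and perms_ok, the temporary directory standing in for /home/zhangsan, and the key line are constructed for illustration.

```shell
#!/bin/sh
# Added example: append a public key to authorized_keys with safe modes.

# install_pubkey HOME_DIR PUBKEY_FILE
install_pubkey() {
    dir=$1/.ssh; keys=$dir/authorized_keys
    # Refuse anything that is not a public key line (for example a private key).
    grep -Eq '^(ssh-|ecdsa-|sk-)[^ ]+ [A-Za-z0-9+/=]+( |$)' "$2" ||
        { echo "not a public key file: $2" >&2; return 1; }
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$keys" && chmod 600 "$keys" || return 1
    # Append only if this exact line is not already present.
    grep -qxF -- "$(head -n 1 "$2")" "$keys" || head -n 1 "$2" >> "$keys"
    # When run as root, also hand ownership to the account: chown -R USER: "$dir"
}

# perms_ok HOME_DIR: true when .ssh and its files are not group/world-writable
perms_ok() {
    [ -z "$(find "$1/.ssh" -maxdepth 1 \( -perm -020 -o -perm -002 \) -print)" ]
}

home=$(mktemp -d)   # constructed stand-in for /home/zhangsan
echo 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY= constructed-key' \
    > "$home/id_ecdsa.pub"
install_pubkey "$home" "$home/id_ecdsa.pub"
install_pubkey "$home" "$home/id_ecdsa.pub"   # second run adds nothing
perms_ok "$home" && echo "modes ok"
rm -rf "$home"
```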
