SSH stands for Secure Shell, a secure transmission protocol. Ubuntu clients can access remote servers through SSH.

Introduction and working mechanism of SSH

Introduction to SSH

Traditional network service programs such as ftp, POP and telnet are inherently unsafe because they transmit passwords and data in plain text over the network, where anyone with bad intentions can easily intercept them. The security verification methods of these programs also have a weakness: they are easily attacked by "man-in-the-middle" methods. In a "man-in-the-middle" attack, the "man-in-the-middle" pretends to be the real server to receive the data you send to the server, and then pretends to be you to send that data on to the real server. Once the data passing between you and the server is tampered with by the "middleman", serious problems arise.

Some time ago, a Finnish programmer named Tatu Ylönen developed a network protocol and service software called SSH (short for Secure SHell). By using SSH you can encrypt all transmitted data, which makes "man-in-the-middle" attacks impossible and also prevents DNS and IP spoofing. An additional benefit is that the transmitted data is compressed, so transmission can be faster.

SSH has many features. Although many people think of Secure Shell as just a Telnet replacement, you can use it to secure your network connections in general. You can forward other network communications such as POP, X, PPP and FTP through Secure Shell on local or remote systems, and you can forward other types of network traffic too, including CVS and any other TCP traffic. Additionally, you can use Secure Shell together with TCP wrappers to enhance the security of the connection. Secure Shell also has other convenient features: it can be used with applications such as Oracle, for remote backup, and with additional authentication such as SecurID cards.
How SSH works

SSH is divided into two parts: the client and the server. The server is a daemon process that runs in the background and responds to connection requests from clients. The server is usually the sshd process, which handles remote connections, generally including public key authentication, key exchange, symmetric key encryption, and insecure connections. The client includes the ssh program and other applications such as scp (remote copy), slogin (remote login), sftp (secure file transfer), and so on.

Their working mechanism is roughly as follows: the local client sends a connection request to the remote server. The server checks the request packet and IP address and then sends its key to the SSH client. The local client sends a key back to the server, and the connection is established. This is only the general process of an SSH connection; there are some differences in the connection protocols between SSH 1.x and SSH 2.x.

SSH is designed to work on its own, without a super server (inetd). Although it is possible to run the SSH process through tcpd under inetd, it is completely unnecessary. After the SSH server is started, sshd runs and listens on the default port 22. You can check whether sshd is running correctly with:

  # ps -waux | grep sshd

If SSH is not started through inetd, it keeps waiting for connection requests. When a request comes in, the SSH daemon spawns a child process, which handles that connection.

However, due to restrictions on copyright and encryption algorithms, many people now use OpenSSH instead. OpenSSH is a free alternative to SSH. SSH is composed of client and server software, and there are two incompatible versions: 1.x and 2.x. You cannot use an SSH 2.x client program to connect to an SSH 1.x server program. OpenSSH 2.x supports both SSH 1.x and 2.x.
SSH client: openssh-client and openssh-server

If you only want to log in to another machine over SSH, you only need to install openssh-client (Ubuntu has it installed by default; if not, run sudo apt-get install openssh-client). If you want to offer the SSH service on this machine, you need to install openssh-server.

1. Install the client

Ubuntu has the ssh client installed by default.

  sudo apt-get install ssh

or

  sudo apt-get install openssh-client

  ssh-keygen    (press Enter to accept the default values)

By default, the files id_rsa and id_rsa.pub are generated, which are the private key and the public key respectively.

Note: If an error occurs during the sudo apt-get install ssh command and the installation fails, you can use sudo apt-get install openssh-client to install it.

Assume that the server IP is 192.168.1.1, the port number of the ssh service is 22, and there is a user named root on the server. The command to log in to the server using ssh is:

  ssh -p 22 root@192.168.1.1

Then enter the root user's password.

2. Install the server

Ubuntu does not have SSH Server installed by default. Use the following command to install it:

  sudo apt-get install openssh-server

Then confirm whether ssh-server has started (or use the "netstat -tlp" command):

  ps -e | grep ssh

If there is only ssh-agent, then ssh-server has not started yet and you need to run /etc/init.d/ssh start. If you see sshd, then ssh-server has started. If not, you can start it like this:

  sudo /etc/init.d/ssh start

In fact, if there are no special requirements, OpenSSH Server is fully installed at this point. But with further configuration you can make OpenSSH logins faster and more secure. All of this is achieved by modifying the openssh configuration file sshd_config.

3. SSH configuration

The ssh-server configuration file is located at /etc/ssh/sshd_config, where you can define the SSH service port. The default port is 22, and you can change it to another port number, such as 222.
Then restart the SSH service:

  sudo /etc/init.d/ssh restart

By modifying the configuration file /etc/ssh/sshd_config you can change the ssh login port and prohibit root login. Changing the port helps avoid port scans aimed at the default port. First keep a read-only copy of the original file:

  sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.original
  sudo chmod a-w /etc/ssh/sshd_config.original

Edit the configuration file:

  gedit /etc/ssh/sshd_config

Find #Port 22, uncomment it, and change 22 to a five-digit port number of your choice. Find #PermitRootLogin yes, uncomment it, and change yes to no. After the configuration is complete, restart:

  sudo /etc/init.d/ssh restart

4. SSH service commands

Stop the service:     sudo /etc/init.d/ssh stop
Start the service:    sudo /etc/init.d/ssh start
Restart the service:  sudo /etc/init.d/ssh restart
Disconnect:           exit
Log in:               ssh root@192.168.0.100

Here root is the user on the 192.168.0.100 machine, and you need to enter that user's password.

5. SSH login command

Common format: you can use ssh -h to view more details.

Examples

Without specifying a user:

With a specified user:

  ssh -l root 192.168.0.1
  ssh root@192.168.0.1

If you have modified the ssh login port:

  ssh -p 22333 192.168.0.111
  ssh -l root -p 22333 216.230.230.105
  ssh -p 22333 root@<server IP>

6. Improve login speed

When logging in remotely, you may find that after entering your username you wait a long time before being prompted for your password. This is because sshd does a reverse DNS lookup of the client. You can significantly increase login speed by disabling this feature. First open the sshd_config file:

  sudo nano /etc/ssh/sshd_config

Find the GSSAPI options section and comment out the following two lines:

  #GSSAPIAuthentication yes
  #GSSAPIDelegateCredentials no

Then restart the ssh service:

  sudo /etc/init.d/ssh restart

Try logging in again; it should be much faster.

7. Use PuTTY to log in to the server through certificate authentication

In the SSH service, all content is transmitted in encrypted form, so security is basically guaranteed.
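The port, PermitRootLogin, PubkeyAuthentication and GSSAPI edits described above are usually made by hand in an editor. The script below is an added example, not from the original article and not part of OpenSSH, that applies the same changes to the sshd_config file the article names, keeps the read-only .original backup the article suggests, and goes one step further than the text: it rejects an out-of-range port, replaces only the first occurrence of a directive and comments out any later duplicates (sshd uses the first value it reads), and runs OpenSSH's own config test (sshd -t) before the restart so a typo cannot lock you out. The function names, the helper directives and the 22333 port are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original article): apply the sshd_config
# changes discussed above to a given file, keep a read-only backup, and
# validate with sshd -t before restarting.
# Usage: sh harden_sshd.sh /etc/ssh/sshd_config 22333
set -e

# Set "Key value": the first matching line (active or '#'-commented) is
# replaced, later active duplicates are commented out, and the directive
# is appended if it never appeared. Other lines are left untouched.
set_directive() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        BEGIN { done = 0 }
        (tolower($0) ~ ("^#?[[:space:]]*" tolower(k) "([[:space:]]|$)")) {
            if (!done) { print k " " v; done = 1 }
            else if ($0 !~ /^#/) { print "#" $0 }
            else { print }
            next
        }
        { print }
        END { if (!done) print k " " v }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"    # keep the original inode and permissions
    rm -f "$tmp"
}

# Comment out every active line that starts with the given directive.
comment_directive() {
    file=$1; key=$2
    tmp=$(mktemp)
    awk -v k="$key" '
        (tolower($0) ~ ("^[[:space:]]*" tolower(k) "([[:space:]]|$)")) { print "#" $0; next }
        { print }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Print the effective value of a directive (first active occurrence).
get_directive() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == k { print $2; exit }
    ' "$1"
}

# Apply the article's hardening to $1 using port $2.
harden_sshd_config() {
    cfg=$1; port=$2
    case $port in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port must be between 1 and 65535" >&2; return 1
    fi
    # Untouched, read-only copy of the original, as the article suggests.
    if [ ! -f "$cfg.original" ]; then
        cp "$cfg" "$cfg.original"
        chmod a-w "$cfg.original"
    fi
    set_directive "$cfg" Port "$port"
    set_directive "$cfg" PermitRootLogin no
    set_directive "$cfg" PubkeyAuthentication yes
    comment_directive "$cfg" GSSAPIAuthentication
    comment_directive "$cfg" GSSAPIDelegateCredentials
}

# sshd -t parses the file and exits non-zero on any error, so a broken
# config never reaches the running daemon. Keep the current session open
# and test a fresh login on the new port before closing it.
validate_and_restart() {
    sudo sshd -t -f "$1"
    sudo /etc/init.d/ssh restart
}

if [ $# -ge 2 ]; then
    harden_sshd_config "$1" "$2"
    validate_and_restart "$1"
fi
```

Run it against a copy of the file first and diff the result against sshd_config.original; the helpers work on any path, so a dry run on /tmp costs nothing.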
However, if certificate authentication is used, security is further improved, and with some extra settings you can also get automatic login through certificate authentication. First modify the sshd_config file and enable the certificate authentication options:

  RSAAuthentication yes
  PubkeyAuthentication yes
  AuthorizedKeysFile %h/.ssh/authorized_keys

After the modification is complete, restart the ssh service.

Next we need to create a private and public key for the SSH user. First log in to the account for which the key is needed; remember to leave the root account and use the su command to switch to the other user if necessary. Then run:

  ssh-keygen

Here we simply store the generated key in the default directory. During creation you will be prompted for a passphrase, which is equivalent to putting a password on the certificate. It is another measure to improve security: you don't have to worry even if the certificate is accidentally copied by someone. Of course, if the passphrase is left blank, PuTTY can later log in automatically via certificate authentication.

The ssh-keygen command generates two keys. First, rename the public key and leave it on the server:

  cd ~/.ssh
  mv id_rsa.pub authorized_keys

Then copy the private key id_rsa off the server and delete the id_rsa file on the server. The settings on the server are complete; the following steps are done on the client computer.

First, we need to convert the id_rsa file to a format supported by PuTTY, using the PuTTYgen tool: click the Load button in the PuTTYgen interface, select the id_rsa file, enter the passphrase (if any), and then click the Save private key button. The private key accepted by PuTTY is ready. Open PuTTY, enter the server's IP address in Session, click the Browse button under Connection -> SSH -> Auth, and select the private key you just generated.
Then go back to the Connection option and enter the username to which the certificate belongs in Auto-login username. Go back to the Session tab, enter a name and click Save to save the session. Click Open at the bottom and you should be able to log in to the server through certificate authentication. If there is a passphrase you will be asked to enter it during login; otherwise you will be logged in directly to the server, which is very convenient.

The above is the full content of this article. I hope it will be helpful for everyone's study. I also hope that everyone will support 123WORDPRESS.COM.
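The article installs the key by renaming id_rsa.pub to authorized_keys. The script below is an added example, not part of the article or of OpenSSH, that generalizes that step: it appends one or more public keys to authorized_keys (so several clients can each have their own key), skips lines that are not public keys or are already present, and sets the permissions sshd's StrictModes check requires; sshd ignores an authorized_keys file, or a ~/.ssh or home directory, that is group- or world-writable, which is the most common reason key login silently falls back to a password prompt. The same script serves the usual alternative to moving the private key off the server, namely generating the pair on the client and copying only the public key over. The function names are this example's own, and it assumes GNU stat (the -c %a flag).

```shell
#!/bin/sh
# Added example (not from the original article): install public keys into
# a user's authorized_keys and check the StrictModes permission rules.
# Usage: sh install_key.sh /home/alice /tmp/alice_id.pub
set -e

# Accept only lines that look like an OpenSSH public key: a known key
# type, a base64 blob, and an optional comment. This rejects private key
# material or arbitrary text pasted into the file by mistake.
valid_pubkey_line() {
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com) [A-Za-z0-9+/]+=*( [^[:space:]].*)?$'
}

# Return 0 if the home directory, ~/.ssh and authorized_keys would all pass
# sshd's StrictModes check (none group- or world-writable), 1 otherwise.
key_perms_ok() {
    home=$1
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        mode=$(stat -c %a "$p")
        # 022 (octal) is the group-write bit plus the other-write bit
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            return 1
        fi
    done
    return 0
}

# Append the keys in $2 to $1/.ssh/authorized_keys, fix permissions, and
# print how many new keys were added.
install_authorized_key() {
    home=$1; pubkey_file=$2
    keys="$home/.ssh/authorized_keys"
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$keys"
    chmod 600 "$keys"
    added=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        if ! valid_pubkey_line "$line"; then
            echo "skipping a line that is not an OpenSSH public key" >&2
            continue
        fi
        # Compare key type and blob only, so a changed comment is not a
        # new entry.
        blob=$(printf '%s\n' "$line" | awk '{ print $1, $2 }')
        if awk -v b="$blob" '($1 " " $2) == b { f = 1 } END { exit !f }' "$keys"; then
            continue
        fi
        printf '%s\n' "$line" >> "$keys"
        added=$((added + 1))
    done < "$pubkey_file"
    if ! key_perms_ok "$home"; then
        echo "permissions on $home would be rejected by StrictModes" >&2
        return 1
    fi
    echo "$added"
}

if [ $# -ge 2 ]; then
    install_authorized_key "$1" "$2"
fi
```

Run it as the target user (or as root followed by chown of ~/.ssh), then test the key login from a second terminal before closing the password session. If the login still asks for a password, key_perms_ok on the home directory is the first thing to check.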