Linux SSH usage in depth (key login details)

  • 2020-05-14 05:27:05
  • OfStack

SSH stands for Secure Shell, and as the name implies it is a secure shell. The SSH protocol was produced by the Network Working Group of the IETF (Internet Engineering Task Force). Its main purpose is to replace the traditional telnet and the r-command series (rlogin, rsh, rexec, etc.) for remote login and remote command execution, encrypting both so that passwords are not leaked through network sniffing and the system is not put at risk.

The SSH protocol currently comes in two versions, SSH1 and SSH2, and SSH2 is compatible with SSH1. The main software implementing SSH1 and SSH2 is OpenSSH and the SSH product of SSH Communications Security Corporation. The former is free software developed by the OpenBSD project, while the latter is commercial. OpenSSH is therefore the SSH implementation used on Linux, FreeBSD, OpenBSD, NetBSD and other free UNIX systems, and this article focuses on the use of OpenSSH. Note that OpenSSH and SSH Communications use different public/private key formats for login: if you want to log into a Linux system running OpenSSH with a key pair generated by SSH Communications, you must convert the key formats.

Before SSH appeared, system administrators logged on to remote servers to perform administration tasks using telnet. The telnet protocol sends the password in plaintext and does not encrypt the data in transit, so it was easy for malicious people to sniff the password on the network. Likewise, before SSH the r-series commands were also popular (they are called r commands because they all start with the letter r, which stands for remote), for example rexec, which executes a command on a remote server. The difference from telnet is that telnet requires you to log in to the remote server before running a command, whereas an r command combines logging in, executing the command and logging out in one step, so there is no need to log in to the server just to run a single command on it.
SSH is an encrypted protocol: it encrypts not only the password during login but also the data of the commands executed after login, so even if someone sniffs the network and captures your packets, they cannot read the contents. OpenSSH is already a standard component of most current Linux and BSD operating systems (even Cygwin), so this article does not cover how to install OpenSSH; barring surprises, it is already installed on your system.

The OpenSSH package contains the following commands:

sshd, the SSH server program
sftp-server, the SFTP server program (a protocol similar to FTP but with encrypted data)
scp, a non-interactive client of sftp-server used to upload/download files to the server
sftp, an interactive sftp-server client whose usage is the same as the ftp command
slogin, an alias for ssh
ssh, the client program of the ssh protocol, used to log into a remote system or execute commands remotely
ssh-add, adds private keys (such as a dsa key) to the SSH agent
ssh-agent, the SSH agent
ssh-keyscan, gathers the public host keys of SSH servers
ssh-keygen, the SSH public/private key generator

The most common use of SSH is remote login in place of telnet. Unlike telnet, which only knows password login, SSH supports several login methods, such as Password, Publickey, Keyboard-Interactive and GSSAPI. The most commonly used today are the traditional Password and Publickey methods. Let's take Red Hat AS4 as an example to illustrate these two login methods.

[root@mail ~]# ssh 172.18.6.227
The authenticity of host '172.18.6.227 (172.18.6.227)' can't be established.
RSA key fingerprint is 43:80:f2:e1:9b:b6:6e:c0:e2:dd:57:8f:ed:89:b3:81.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.18.6.227' (RSA) to the list of known hosts.
root@172.18.6.227's password:
Last login: Thu Jul 12 18:47:47 2007 from 172.18.6.130
[root@qmail ~]#

After the first login, ssh stores the host's ssh fingerprint in the known_hosts file in the .ssh directory of your home directory. If the remote system has been reinstalled, its ssh fingerprint will have changed. Note that .ssh is a hidden directory beginning with ".", so ls needs the -a option to show it. Moreover, this directory must have permissions 700, and the user's home directory must not be writable by other users, otherwise the ssh server will refuse the login. If you cannot log in, check the log file /var/log/secure on the server; it usually makes the reason clear quickly.

Executing a remote command with ssh:

[root@mail ~]# ssh 172.18.6.227 ls -l /
root@172.18.6.227's password:
total 1244
drwxr-xr-x 2 root root 4096 Jun 26 04:02 bin
drwxr-xr-x 4 root root 4096 Mar 29 11:17 boot
drwxr-xr-x 2 root root 4096 Jan 25 11:26 command
drwxr-xr-x 15 root root 4096 Jun 12 20:09 data
drwxr-xr-x 9 root root 5360 Jul 2 13:38 dev
drwxr-xr-x 87 root root 12288 Jul 11 04:02 etc
drwxr-xr-x 20 root root 4096 Apr 10 10:54 home
drwxr-xr-x 2 root root 4096 Aug 13 2004 initrd

After you enter the correct password, ssh connects to the sshd server program on the remote server, executes the ls -l / command there, and passes the output back to the local machine. In other words, you log in to the remote server, execute ls -l /, and finally log out. Note that if you need to log on to the server and execute more than one command, you must enclose the commands in single or double quotation marks:

ssh 172.18.6.227 "cd /root && ls"

The remote command function of ssh replaces the original r-series commands. Before ssh, system administrators had to use insecure remote command tools such as rexec and rsh to perform the same operation. This is useful when managing a large number of machines. For example, to restart all the servers in the 10.0.0.0/24 network segment, I only need to type one command:

for i in $(seq 1 254) ; do ssh 10.0.0.${i} reboot ; done

This restarts all the servers. You may say: although this does not require logging in to every server, it still asks for a password every time, which is troublesome. Don't worry, ssh public key login, described next, solves that problem.

Login using public key:

The ssh-keygen command of OpenSSH is used to generate such private and public keys.

[root@mail ~]# ssh-keygen -b 1024 -t dsa -C gucuiwen@myserver.com
Generating public/private dsa key pair.
# Prompt: the key pair is being generated; this can take a long time if 4096 bits is chosen
Enter file in which to save the key (/root/.ssh/id_dsa):
# Prompt for where to store the public and private keys; press Enter to accept the default location
Enter passphrase (empty for no passphrase):
# Prompt for the private key passphrase; for automatic login, enter no passphrase and press Enter directly
Enter same passphrase again:
# Prompt to repeat the passphrase; press Enter again
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
# Indicates that the private and public keys are now in the /root/.ssh/ directory
The key fingerprint is:
71:e5:cb:15:d3:8c:05:ed:05:84:85:32:ce:b1:31:ce gucuiwen@myserver.com
# The key's fingerprint

Description:
-b 1024 uses a public/private key pair 1024 bits long; the maximum length is 4096 bits. 1024 or 2048 is enough; if the key is too long, encryption and decryption take a long time.
-t dsa uses the dsa algorithm for the public/private key pair. Besides dsa, rsa is also available; rsa keys cannot be shorter than 768 bits.
-C gucuiwen@myserver.com is a comment describing this key pair, normally the owner's email address. It can be omitted. For more information, see man ssh-keygen.

[root@mail ~]# ls -l /root/.ssh
total 16
-rw------- 1 root root 668 Jul 12 20:07 id_dsa
-rw-r--r-- 1 root root 611 Jul 12 20:07 id_dsa.pub
-rw-r--r-- 1 root root 222 Jul 12 19:37 known_hosts

The public/private key files are in the .ssh directory of the user's home directory; id_dsa.pub is the public key. The public key generated on the client must be placed in the .ssh directory of the corresponding user's home directory on the server. Once again: the user's home directory must not be writable by others, and the .ssh directory must have permissions 700, so that nobody but the user has any read, write or execute permission on it; otherwise the ssh server will refuse the login. By default the server reads the public keys from the file authorized_keys in the user's .ssh directory, so the public key must be appended to /root/.ssh/authorized_keys on the server. That file can hold the public keys of many clients, like a door with several locks: different keys open different locks, and as long as one lock opens, the door opens. On the server it should look like this:

The private key must have permissions 600, otherwise the ssh server will deny the user access.
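The permission rules above are the ones that most often break key login in practice, so here is a small script, added for this article and not taken from OpenSSH or the original text, that audits a home directory the way the text describes (home not writable by others, .ssh at 700, private key at 600, authorized_keys not writable by others) and installs a public key into authorized_keys without duplicating it. It assumes GNU stat (stat -c '%a') and a POSIX sh; the key line used in the demo is a constructed placeholder, not a real key.

```sh
#!/bin/sh
# Added example, not code from the article or from OpenSSH. Mirrors the
# permission rules the article lists (the same ones sshd's StrictModes
# enforces) and shows a safe way to append a public key. Assumes GNU stat.

# mode_of PATH: print the octal permission bits, e.g. 700
mode_of() { stat -c '%a' "$1"; }

# go_writable OCTAL: true when the group or other write bit is set
go_writable() { [ $(( 0$1 & 022 )) -ne 0 ]; }

# check_ssh_perms HOME_DIR
# Prints one line per violation; returns the number of violations (0 = OK).
check_ssh_perms() {
    home=$1; bad=0
    if go_writable "$(mode_of "$home")"; then
        echo "$home: home directory is writable by group/others"; bad=$((bad+1))
    fi
    if [ ! -d "$home/.ssh" ]; then
        echo "$home/.ssh: missing"; bad=$((bad+1))
    else
        if [ "$(mode_of "$home/.ssh")" != "700" ]; then
            echo "$home/.ssh: mode is not 700"; bad=$((bad+1))
        fi
        if [ -f "$home/.ssh/authorized_keys" ] && go_writable "$(mode_of "$home/.ssh/authorized_keys")"; then
            echo "$home/.ssh/authorized_keys: writable by group/others"; bad=$((bad+1))
        fi
        for key in "$home"/.ssh/id_dsa "$home"/.ssh/id_rsa; do
            if [ -f "$key" ] && [ "$(mode_of "$key")" != "600" ]; then
                echo "$key: private key mode is not 600"; bad=$((bad+1))
            fi
        done
    fi
    return $bad
}

# install_pubkey HOME_DIR "PUBLIC KEY LINE"
# Creates .ssh with the right modes and appends the key only if it is absent,
# so running it twice does not produce duplicate lines.
install_pubkey() {
    home=$1; key=$2
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    ak=$home/.ssh/authorized_keys
    [ -f "$ak" ] || : > "$ak"
    chmod 600 "$ak"
    grep -qxF "$key" "$ak" || printf '%s\n' "$key" >> "$ak"
}

# Demo on a throwaway directory; the key below is a constructed placeholder.
demo() {
    tmp=$(mktemp -d); home=$tmp/alice
    mkdir "$home"; chmod 777 "$home"            # deliberately wrong, like a novice would
    install_pubkey "$home" "ssh-dss AAAAB3constructedplaceholder== alice@example"
    check_ssh_perms "$home" && echo "unexpected: passed"
    echo "--- fixing home directory mode ---"
    chmod 755 "$home"
    check_ssh_perms "$home" && echo "OK: sshd would accept this layout"
    rm -rf "$tmp"
}

demo
```

On a real server you would run check_ssh_perms against the user's actual home directory (for example /root) after copying the public key over; a non-zero return code explains the "refuses to log in" symptom faster than reading /var/log/secure.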

So it looks something like this. Now let's talk about the configuration of /etc/ssh/ssh_config and /etc/ssh/sshd_config.

/etc/ssh/ssh_config:


Host *
The "Host" option restricts the settings that follow to computers matching the given pattern; "*" stands for all computers.

ForwardAgent no
"ForwardAgent" sets whether the connection to the authentication agent (if one exists) is forwarded to the remote computer.

ForwardX11 no
"ForwardX11" sets whether X11 connections are automatically redirected over the secure channel, with the DISPLAY variable set accordingly.

RhostsAuthentication no
"RhostsAuthentication" sets whether rhosts-based authentication is used.

RhostsRSAAuthentication no
"RhostsRSAAuthentication" sets whether rhosts-based authentication combined with RSA host authentication is used.

RSAAuthentication yes
"RSAAuthentication" sets whether RSA authentication is used.

PasswordAuthentication yes
"PasswordAuthentication" sets whether to use password authentication.

FallBackToRsh no
"FallBackToRsh" sets whether to automatically use rsh if an error occurs with the ssh connection.

UseRsh no
"UseRsh" sets whether "rlogin/rsh" is used on this computer.

BatchMode no
If "BatchMode" is set to "yes", the passphrase/password prompt (interactive password entry) is disabled. This option is useful for scripts and batch jobs where the password cannot be entered interactively.

CheckHostIP yes
"CheckHostIP" sets whether ssh also checks the IP address of the host against the known_hosts file, to detect DNS spoofing. "yes" is recommended.

StrictHostKeyChecking no
If "StrictHostKeyChecking" is set to "yes", ssh will not automatically add a computer's host key to the "$HOME/.ssh/known_hosts" file, and it will refuse to connect once a computer's host key has changed.

IdentityFile ~/.ssh/identity
"IdentityFile" sets the file from which the user's RSA authentication identity is read.

Port 22
"Port" sets the port to connect to the remote host.

Cipher blowfish
"Cipher" sets the cipher used for encryption.

EscapeChar ~
"EscapeChar" sets the escape character.

/etc/ssh/sshd_config:


Port 22
"Port" sets the port number to which sshd is listening.

ListenAddress 192.168.1.1
"ListenAddress" sets the IP address for the sshd server binding.

HostKey /etc/ssh/ssh_host_key
"HostKey" sets the file containing the computer's private host key.

ServerKeyBits 1024
"ServerKeyBits" defines the number of bits in the server key.

LoginGraceTime 600
"LoginGraceTime" sets the time (in seconds) the server waits before dropping the connection if the user has not logged in successfully.

KeyRegenerationInterval 3600
"KeyRegenerationInterval" sets after how many seconds the server key (if used) is automatically regenerated. The key is regenerated so that a stolen key cannot be used to decrypt intercepted sessions.

PermitRootLogin no
"PermitRootLogin" sets whether root may log in via ssh. This option must not be set to "yes".

IgnoreRhosts yes
"IgnoreRhosts" sets whether the "rhosts" and "shosts" files are used during authentication.

IgnoreUserKnownHosts yes
"IgnoreUserKnownHosts" sets whether the ssh daemon ignores the user's "$HOME/.ssh/known_hosts" during RhostsRSAAuthentication.

StrictModes yes
"StrictModes" sets whether sshd checks the permissions and ownership of the user's home directory and rhosts files before accepting the login request. This is usually necessary, because novices often make their directories and files writable by anyone.

X11Forwarding no
"X11Forwarding" sets whether X11 forwarding is allowed.

PrintMotd yes
"PrintMotd" sets whether sshd displays the information in "/etc/motd" when the user logs in.

SyslogFacility AUTH
"SyslogFacility" sets the facility code used when logging messages from sshd.

LogLevel INFO
"LogLevel" sets the level at which sshd log messages are recorded. INFO is a good choice. See the sshd man page for more information.

RhostsAuthentication no
"RhostsAuthentication" sets whether authentication using only rhosts or "/etc/hosts.equiv" is allowed.

RhostsRSAAuthentication no
"RhostsRSAAuthentication" sets whether authentication using rhosts or "/etc/hosts.equiv" combined with RSA is allowed.

RSAAuthentication yes
"RSAAuthentication" sets whether pure RSA authentication is allowed.

PasswordAuthentication yes
"PasswordAuthentication" sets whether password validation is allowed.

PermitEmptyPasswords no
"PermitEmptyPasswords" sets whether logging in to an account with an empty password is allowed.

AllowUsers admin
"AllowUsers" can be followed by any number of user name patterns or user@host patterns, separated by spaces. The host name can be a DNS name or an IP address.
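Since sshd takes the first occurrence of each keyword and ignores comments and keyword case, checking a server's configuration by eye is error-prone. The script below, added as an example for this article and not part of OpenSSH, reads an sshd_config the same way (first match wins, case-insensitive keyword, commented lines skipped) and compares the settings the article singles out (PermitRootLogin, PermitEmptyPasswords, StrictModes, X11Forwarding, IgnoreRhosts, RhostsAuthentication) against the recommended values, reporting a weak configuration beside a hardened one. It assumes a POSIX sh and awk; both sample configs are constructed here, not taken from any real server, and treating an unset keyword as a deviation is this script's own policy.

```sh
#!/bin/sh
# Added example, not code from the article or from OpenSSH: audit an
# sshd_config against the values the article recommends.

# sshd_get CONFIG_FILE KEYWORD
# Print the effective value of KEYWORD: comments and blank lines are skipped,
# the keyword is matched case-insensitively, and the first match wins (as sshd does).
sshd_get() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }
        { if (tolower($1) == k) { print $2; exit } }' "$1"
}

# audit_sshd_config CONFIG_FILE
# Prints one line per deviation; returns the number of deviations (0 = OK).
# An unset keyword counts as a deviation (policy of this example, not sshd).
audit_sshd_config() {
    cfg=$1; bad=0
    for pair in PermitRootLogin=no PermitEmptyPasswords=no StrictModes=yes \
                X11Forwarding=no IgnoreRhosts=yes RhostsAuthentication=no; do
        k=${pair%%=*}; want=${pair#*=}
        got=$(sshd_get "$cfg" "$k")
        if [ "$got" != "$want" ]; then
            echo "$k: want '$want', got '${got:-<unset>}'"; bad=$((bad+1))
        fi
    done
    return $bad
}

# write_sample_configs DIR: write a constructed weak config and a hardened one.
write_sample_configs() {
    dir=$1
    cat > "$dir/weak.conf" <<'EOF'
# constructed sample, not a real server's config
Port 22
PermitRootLogin yes
#PermitEmptyPasswords no
permitemptypasswords yes
StrictModes no
X11Forwarding yes
EOF
    cat > "$dir/hardened.conf" <<'EOF'
# constructed sample following the article's recommendations
Port 22
ListenAddress 192.168.1.1
PermitRootLogin no
PermitEmptyPasswords no
StrictModes yes
X11Forwarding no
IgnoreRhosts yes
RhostsAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
AllowUsers admin
EOF
}

demo() {
    d=$(mktemp -d)
    write_sample_configs "$d"
    for f in weak hardened; do
        echo "== $f.conf =="
        audit_sshd_config "$d/$f.conf" && echo "no deviations"
    done
    rm -rf "$d"
}

demo
```

To check a live server, call audit_sshd_config /etc/ssh/sshd_config; note that the commented-out "#PermitEmptyPasswords no" in the weak sample is correctly ignored and the lowercase "permitemptypasswords yes" below it is what sshd would actually apply.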

Converting a public key in SSH2 (SSH Communications) format to OpenSSH format:

ssh-keygen -i -f Identity.pub >> /root/.ssh/authorized_keys2
