
What are the methods used by linux ssh?

王林
2023-05-22 23:58:13

The openssh software package contains the following commands:

sshd - the ssh server program
sftp-server - the sftp server program (sftp is like ftp, but the data is encrypted)
scp - non-interactive sftp-server client, used to upload files to or download files from the server
sftp - interactive sftp-server client, used the same way as the ftp command
slogin - alias of ssh
ssh - the client program of the ssh protocol, used to log in to a remote system or execute commands remotely
ssh-add - ssh agent helper, used to add a dsa key to the ssh agent
ssh-agent - the ssh agent
ssh-keyscan - ssh public key generator

The most common use of ssh is as a replacement for telnet for remote login. Whereas telnet has only one way in, the system password, ssh supports several login methods, such as publickey, keyboard-interactive and gssapi. The two most used today are the traditional password login and publickey login. The following uses redhat as4 as an example to show both.

[root@mail ~]# ssh 172.18.6.227
the authenticity of host '172.18.6.227 (172.18.6.227)' can't be established.
rsa key fingerprint is 43:80:f2:e1:9b:b6:6e:c0:e2:dd:57:8f:ed:89:b3:81.
are you sure you want to continue connecting (yes/no)? yes
warning: permanently added '172.18.6.227' (rsa) to the list of known hosts.
root@172.18.6.227's password:
last login: thu jul 12 18:47:47 2007 from 172.18.6.130
[root@qmail ~]

# After the first login, ssh stores the remote host's fingerprint in the known_hosts file in the .ssh directory of the user's home directory. If the remote system has been reinstalled, its fingerprint has changed: delete the corresponding entry from known_hosts in the .ssh directory, then log in again and answer yes. Note that .ssh is a hidden directory (its name starts with "."), so it only shows up with the ls -a option. Its permissions must be 700, and the user's home directory must not grant write permission to other users, otherwise the ssh server refuses the login. If you cannot log in, check the log file /var/log/secure on the server; the reason is usually found quickly there.

Executing a command on the remote host with ssh:

[root@mail ~]# ssh 172.18.6.227 ls -l /
root@172.18.6.227's password:
total 1244
drwxr-xr-x 2 root root 4096 jun 26 04:02 bin
drwxr-xr-x 4 root root 4096 mar 29 11:17 boot
drwxr-xr-x 2 root root 4096 jan 25 11:26 command
drwxr-xr-x 15 root root 4096 jun 12 20:09 data
drwxr-xr-x 9 root root 5360 jul 2 13:38 dev
drwxr-xr-x 87 root root 12288 jul 11 04:02 etc
drwxr-xr-x 20 root root 4096 apr 10 10:54 home
drwxr-xr-x 2 root root 4096 aug 13 2004 initrd

After the correct password is entered, ssh connects to the sshd server program on the remote server, runs the command ls -l / there and sends the output back to the local machine. It is equivalent to logging in to the remote server, executing ls -l /, and logging out again. Note that if you need to run more than one command after logging in, the command string must be enclosed in single or double quotes:

ssh 172.18.6.227 "cd /root && ls"

The remote command execution function of ssh replaces the old r-series commands. Before ssh appeared, system administrators had to use insecure remote execution tools such as rexec and rsh for the same job. The function is very handy when managing a large number of machines. For example, to restart every server in the 10.0.0.0/24 network segment, I only need to type one command:

for i in $(seq 1 254); do ssh 10.0.0.${i} reboot ; done

and all the servers are restarted. You may object that although you no longer have to log in to each server, you still have to type a password for every one of them, which is just as troublesome. Don't worry: the public key login method described next solves this.

Logging in with a public key:

The ssh-keygen command of openssh generates the private/public key pair.

[root@mail ~]# ssh-keygen -b 1024 -t dsa -C gucuiwen@myserver.com
generating public/private dsa key pair.
# Generation in progress; if you chose a length of 4096 it may take a long time
enter file in which to save the key (/root/.ssh/id_dsa):
# Asks where to store the public and private key; press Enter to use the default location
enter passphrase (empty for no passphrase):
# Asks for a passphrase for the private key; for automatic login, leave it empty and press Enter
enter same passphrase again:
# Asks for the passphrase again; press Enter again
your identification has been saved in /root/.ssh/id_dsa.
your public key has been saved in /root/.ssh/id_dsa.pub.
# Reports that the public and private key have been stored in the /root/.ssh/ directory
the key fingerprint is:
71:e5:cb:15:d3:8c:05:ed:05:84:85:32:ce:b1:31:ce gucuiwen@myserver.com
# The key fingerprint

Explanation of the options:
-b 1024 Generate a key pair of 1024 bits; the maximum is 4096 bits. 1024 or 2048 is usually enough, as a very long key makes encryption and decryption slow.
-t dsa Generate a key pair for the dsa algorithm. Besides dsa there is also rsa; an rsa key cannot be shorter than 768 bits.
-C gucuiwen@myserver.com A comment describing this key pair, usually the owner's e-mail address; it can be omitted. Note that the comment option is upper-case -C (lower-case -c changes the comment of an existing key instead). For the other options, see man ssh-keygen.

[root@mail ~]# ls -l /root/.ssh
total 16
-rw------- 1 root root 668 jul 12 20:07 id_dsa
-rw-r--r-- 1 root root 611 jul 12 20:07 id_dsa.pub
-rw-r--r-- 1 root root 222 jul 12 19:37 known_hosts

The generated key pair is in the .ssh directory of the user's home directory; id_dsa.pub is the public key. Upload the public key to the .ssh directory in the home directory of the corresponding user on the server you want to log in to. Once again: the user's home directory must not be writable by others, and the .ssh directory must have permissions 700, that is, nobody except the user may read, write or list it, otherwise the ssh server refuses the login. The default public key file on the ssh server is authorized_keys in the .ssh directory of the user's home directory, so the generated public key has to be placed in /root/.ssh/ on the server under that file name. The file can hold the public keys of several clients: it is like a door fitted with many locks, and the client tries its keys against them; as long as one lock opens, the door opens. Placed on the server it should look like this:

The private key must have permissions 600, otherwise the ssh server refuses the user's login.
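The installation and permission rules described above, as an added shell example (not code from the original article): it appends a public key line to authorized_keys with the .ssh directory at 700 and the file at 600, then checks the conditions that a server with strictmodes rejects (home, .ssh or authorized_keys writable by group or others) and the 600/400 rule for the private key. The home directory and the key data in the demo are constructed.

```shell
#!/bin/sh
# Added example (not code from the article): put a public key into
# ~/.ssh/authorized_keys as the text describes and check the permission
# rules it names: home not writable by others, .ssh 700, private key 600.
# The home directory and key used in the demo at the bottom are constructed.

perm_string() { ls -ld "$1" | cut -c1-10; }   # e.g. "drwxr-xr-x"

# Return 1 when group or others may write to the path (what strictmodes rejects).
not_group_other_writable() {
    case "$(perm_string "$1")" in
        ?????w????|????????w?) return 1 ;;
    esac
    return 0
}

# Append one public-key line for a user; creates .ssh as 700 and keeps
# authorized_keys at 600. An identical line already present is not duplicated.
install_authorized_key() {
    home="$1"; pubkey="$2"; ak="$home/.ssh/authorized_keys"
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 1
    grep -qxF -- "$pubkey" "$ak" 2>/dev/null || printf '%s\n' "$pubkey" >> "$ak"
    chmod 600 "$ak"
}

# Return 0 when home, .ssh and authorized_keys all exist and none of them is
# writable by group or others; otherwise sshd (strictmodes yes) refuses the key.
check_server_side() {
    home="$1"
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || return 1
        not_group_other_writable "$p" || return 1
    done
    return 0
}

# Return 0 when a private key has no group/other bits at all (mode 600 or 400);
# the ssh client refuses a key whose permissions are more open than that.
check_private_key() {
    case "$(perm_string "$1")" in
        ????------) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on a throw-away home directory (constructed, not a real account).
demo_home="$(mktemp -d)/home"
mkdir -p "$demo_home" && chmod 755 "$demo_home"
install_authorized_key "$demo_home" "ssh-dss AAAAconstructedKeyData== gucuiwen@myserver.com"
check_server_side "$demo_home" && echo "server-side layout accepted"
```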

That is roughly how it works. Now let's look at the configuration of /etc/ssh/ssh_config and /etc/ssh/sshd_config.

/etc/ssh/ssh_config:

host *
The option "host" is only valid for computers that can match the following string. "*" indicates all computers.

forwardagent no
"forwardagent" sets whether the connection is forwarded to the remote computer through an authentication agent (if one exists).

forwardx11 no
"forwardx11" sets whether x11 connections are automatically redirected over the secure channel, with DISPLAY set accordingly.

rhostsauthentication no
"rhostsauthentication" sets whether to use rhosts-based security authentication.

rhostsrsaauthentication no
"rhostsrsaauthentication" sets whether to use rhosts-based security authentication using the rsa algorithm.

rsaauthentication yes
"rsaauthentication" sets whether to use the rsa algorithm for security verification.

passwordauthentication yes
"passwordauthentication" sets whether to use password authentication.

fallbacktorsh no
"fallbacktorsh" sets whether to fall back to rsh automatically if the ssh connection fails.

usersh no
"usersh" sets whether to use "rlogin/rsh" on this computer.

batchmode no
If "batchmode" is set to "yes", the passphrase/password prompt (interactive password entry) is disabled. This is useful for scripts and batch jobs where nobody is there to type a password.

checkhostip yes
"checkhostip" sets whether ssh also checks the IP address of the host it connects to against the known hosts, to detect dns spoofing. Setting it to "yes" is recommended.

stricthostkeychecking no
If "stricthostkeychecking" is set to "yes", ssh will not automatically add a host's key to the "$home/.ssh/known_hosts" file, and it will refuse to connect if the host's key has changed.

identityfile ~/.ssh/identity
"identityfile" sets the file from which to read the user's rsa security verification identification.

port 22
"port" sets the port to connect to the remote host.

cipher blowfish
"cipher" sets the cipher used to encrypt the session.

escapechar ~
"escapechar" sets the escape character.

/etc/ssh/sshd_config:

port 22
"port" sets the port number for sshd listening.

listenaddress 192.168.1.1
"listenaddress" sets the ip address bound to the sshd server.

hostkey /etc/ssh/ssh_host_key
"hostkey" sets the file containing the computer's private key.

serverkeybits 1024
"serverkeybits" defines the number of bits in the server key.

logingracetime 600
"logingracetime" sets the time (in seconds) the server waits before disconnecting a user who has not logged in successfully.

keyregenerationinterval 3600
"keyregenerationinterval" sets the number of seconds after which the server key is regenerated automatically (if one is used). Regenerating the key prevents captured traffic from being decrypted later with a stolen key.

permitrootlogin no
"permitrootlogin" sets whether root can log in using ssh. This option must not be set to "yes".

ignorerhosts yes
"ignorerhosts" sets whether to use the "rhosts" and "shosts" files during verification.

ignoreuserknownhosts yes
"ignoreuserknownhosts" sets whether the ssh daemon ignores the user's "$home/.ssh/known_hosts" when performing rhostsrsaauthentication security verification.

strictmodes yes
"strictmodes" sets whether ssh checks the permissions and ownership of the user's home directory and rhosts file before accepting a login request. This is usually necessary, because newcomers often leave their directories and files writable by everyone.

x11forwarding no
"x11forwarding" sets whether to allow x11 forwarding.

printmotd yes
"printmotd" sets whether sshd displays the information in "/etc/motd" when the user logs in.

syslogfacility auth
"syslogfacility" sets the facility code used when logging messages from sshd.

loglevel info
"loglevel" sets the level at which sshd log messages are recorded. info is a good choice. Check out the sshd man page for more information.

rhostsauthentication no
"rhostsauthentication" sets whether rhosts or "/etc/hosts.equiv" alone is sufficient for security verification.

rhostsrsaauthentication no
"rhostsrsaauthentication" sets whether to allow security verification with rhosts or "/etc/hosts.equiv" combined with rsa.

rsaauthentication yes
"rsaauthentication" sets whether pure rsa security verification is allowed.

passwordauthentication yes
"passwordauthentication" sets whether to allow password authentication.

permitemptypasswords no
"permitemptypasswords" sets whether to allow logging in with an account with an empty password.

allowusers admin
"allowusers" can be followed by any number of user name patterns or user@host patterns, separated by spaces. The host part can be a DNS name or an IP address.
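A small audit of the sshd_config options listed above, as an added example (not code from the original article): it reads a config file and reports each setting whose value the text flags as dangerous (permitrootlogin yes, permitemptypasswords yes, strictmodes no, the rhosts options, x11forwarding yes), together with the value the text recommends. It assumes the plain "keyword value" line form; Match blocks and "keyword=value" lines are not handled, and the sample config at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not from the original article: flag sshd_config settings
# that the article lists as dangerous and print the recommended value.
# Assumes "Keyword value" lines; Match blocks and "Keyword=value" are not handled.

# Each entry is keyword:risky_value:recommended_value (all lower case).
RISKY_SETTINGS="permitrootlogin:yes:no permitemptypasswords:yes:no \
strictmodes:no:yes rhostsauthentication:yes:no rhostsrsaauthentication:yes:no \
ignorerhosts:no:yes x11forwarding:yes:no"

# Print one "risky: <keyword> <value> -> set to <recommended>" line per finding.
# Return 0 when nothing risky was found, 1 otherwise.
audit_sshd_config() {
    file="$1"; found=0
    [ -r "$file" ] || return 1
    while read -r key val; do
        case "$key" in ''|'#'*) continue ;; esac      # skip blanks and comments
        k=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
        v=$(printf '%s' "$val" | tr 'A-Z' 'a-z')
        for r in $RISKY_SETTINGS; do
            case "$r" in
                "$k:$v:"*) echo "risky: $key $val -> set to ${r##*:}"; found=1 ;;
            esac
        done
    done < "$file"
    return $found
}

# Constructed sample excerpt: two risky lines among sane ones.
sample_config=$(mktemp)
cat > "$sample_config" <<'EOF'
# constructed sshd_config excerpt, not a real server's file
Port 22
PermitRootLogin yes
PermitEmptyPasswords no
StrictModes no
AllowUsers admin
EOF
audit_sshd_config "$sample_config" || echo "fix the settings above before restarting sshd"
```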

Converting a public key in ssh2 format to openssh format:

ssh-keygen -i -f identity.pub >> /root/.ssh/authorized_keys2


Statement:
This article is reproduced from yisu.com. If there is any infringement, please contact admin@php.cn to have it deleted.