Home PC Games Linux Windows Database Network Programming Server Mobile  
  Home \ Linux \ Linux remote connectivity tools -OpenSSH     - Android Studio commonly used shortcuts and how to follow the Eclipse Shortcuts (Linux)

- Linux development environment to build and use the directory structure and file --Linux (Linux)

- About Linux operating system security (Linux)

- PostgreSQL Source Customization: Online global read only (Database)

- Install Ubuntu text editor KKEdit 0.2.10 (Linux)

- Oracle database with test data insertion speed (Database)

- Writing Better Bash build script 8 (Programming)

- Linux kernel modules related to the management Comments (Linux)

- Security Configuration SQL Server 2000 database tutorial (Linux)

- Polymorphism of the C ++ compiler and run-time polymorphism (Programming)

- Spring3 + SpringMVC + Hibernate4 full annotation environment configuration (Server)

- Sorting Algorithm (1) Quick Sort C ++ implementation (Programming)

- Ubuntu 14.04 Configuring cuda-convnet (Linux)

- Java by Spy Memcached to cache data (Programming)

- C language keywords Comments (Programming)

- CentOS / Debian configuration Gitlab 7.1x to build self Git repository (Linux)

- Mac OS X 10.9 build Nginx + MySQL + php-fpm environment (Server)

- SA weak password security system of the security risks posed (Linux)

- C + + secondary pointer memory model (pointer array) (Programming)

- CentOS permanently banned from running in the background PackageKit (Linux)

  Linux remote connectivity tools -OpenSSH
  Add Date : 2018-11-21      
  In our daily management and maintenance of a server process, we require the use of remote connectivity tools, today we have come together under Linux summarize common secure remote connectivity tools -OpenSSH.

[Remote login protocol]

1, telnet: is the TCP / IP protocol suite one, is the main way Internet standard protocols and remote login service. It provides users with the ability to complete the work of the remote host on the local computer. The default uses TCP port 23, using C / S structure, in the process of user login information is transmitted in plaintext, security can not be guaranteed, it is not recommended to use telnet.

2, ssh: Secure Shell is an abbreviation from the IETF Network Working Group developed; SSH is based on the application layer and the transport layer on the basis of security protocols. SSH is more reliable, designed to provide security protocol for remote login session, and other network services. SSH protocol can effectively prevent the use of remote management in the process of information disclosure. The default is to use TCP port 22, also based on C / S architecture, SSH has two versions v1 and v2.

sshv1: based on CRC-32 do MAC (message digest authentication), insecurity is strongly recommended not to use;

sshv2: Based on the negotiating parties choose to use the host MAC safest way, which has the following characteristics: 1, the encryption and MAC mechanism negotiated by the parties selected; 2, based on DH key exchange to achieve, to achieve authentication based on RSA or DSA; 3, the client through the server host key checking to determine whether to continue the communication;

Description [OpenSSH]

OpenSSH is a set of connectivity tools for secure access to remote computers. It can be used as rlogin, rsh rcp and telnet direct use of alternatives. Furthermore, any other TCP / IP connections can be tunneled securely through SSH / forwarding. OpenSSH encrypts all traffic to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks. OpenSSH is maintained by the OpenBSD project.

Login using rlogin or telnet session was established. When connecting, SSH utilizes a key fingerprint system for verifying the authenticity of the server. Only when the first connection, the user is prompted to enter yes to confirm, after the connection will be verified against the saved fingerprint key. If you save the login fingerprint match received, then it will be given a warning. The fingerprints are saved in ~ / .ssh / known_hosts, for SSHv2 fingerprint, it is ~ / .ssh / known_hosts2.

By default, newer versions of OpenSSH accept only SSHv2 connections. If you use version 2 client program automatically, otherwise it will fall back to version 1. In addition, you can also command line parameter to -1 or -2 accordingly forced to use version 1 or 2. Maintaining the client version 1 is the ability to consider an earlier version of compatibility, it is recommended to make use of version 2.

[SSH server and client workflow]

OpenSSH using C / S architecture:

Server tool (S): sshd

Client Tools (C): ssh command, putty, xshell, securecrt, sshshellclient;

[OpenSSH client components -ssh]

    Configure text: / etc / ssh / ssh_config
    ssh [username @] host [COMMAND] or ssh -l username host [COMMAND]
        -p PORT: Specifies the remote server port;
        -l username: Specifies the user login to remote host, do not specify the current user;
        username @: equivalent to -l username;
        If the COMMAND, that the use username account login remote host perform a specified command and returns the result, will not stay on a remote host;
[Root @ www ~] # ssh # logged in as root;
The authenticity of host ' (' can not be established.
RSA key fingerprint is 01: 2e: 43: cc: bc: 1d: f1: e5: f0: f4: 89: 78: 74: a9: 49: 44.
Are you sure you want to continue connecting (yes / no) yes # the first connection, you need to manually confirm?;
Warning: Permanently added '' (RSA) to the list of known hosts.
root@'s password: # Enter the root password for the remote host account;
Last login: Mon May 11 16:44:52 2015 from
[Root @ mailCentOS6 ~] # # successful login, the remote host name mailCentOS6;
[Root @ mailCentOS6 ~] # ls # displays the remote host root home directory of the file;
2.sh boot.iso install.log sdb.mbr test1
anaconda-ks.cfg crontab install.log.syslog \ temp \ test
[Root @ mailCentOS6 ~] # exit # Log;
Connection to closed.
[Root @ www ~] # ssh root@ ls # Log in as root remote host, perform a ls command, and returns the result then exit;
root@'s password: # second connection, you need to enter yes, and directly enter the password;
\ Temp \ test
[Root @ www ~] # # See, we are not currently registered in the remote host;

[OpenSSH server-side components -sshd]
    Configuration file: / etc / ssh / sshd_config (this file can be modified by modifying the default ssh listen port and other parameters)
    Service script: /etc/rc.d/init.d/sshd
        Service start | stop | restart: serveice sshd start | stop | restart
    Script configuration file: / etc / sysconfig / sshd

    Configuration parameters
# Man sshd_config See description of configuration parameters;
        # Vim / etc / sysconfig / sshd to modify configuration parameters by editing a configuration file;
          # + Space + text: A line beginning with this format change the behavior of notes;
          # + Text: A line beginning with this format can enable the option, does not change the default settings that the use of this option, whereas the use of the set value "#" to get rid of Oh!
            Example: #Port 22 and # 22, if not remove the same, that the use of the default port 22;
                If the #Port 22 into port 7777, represents the sshd listening port changed to 7777;
        NOTE: After modifying the configuration parameters, you must restart the service (service sshd restart).
  Often you need to modify the parameters:
[Root @ www ~] # cat / etc / ssh / sshd_config
# $ OpenBSD: sshd_config, v 1.80 2008/07/02 02:24:18 djm Exp $
# This is the sshd server system-wide configuration file. See
# Sshd_config (5) for more information.
# This sshd was compiled with PATH = / usr / local / bin: / bin: / usr / bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# Possible, but leave them commented. Uncommented options change a
# Default value.
#Port 22 # to change the default listening port;
port 7777 # to sshd listening port changed to 7777;
#AddressFamily Any # listening address family specified is listening in on the upper or IPV6 IPV4, any means all;
#ListenAddress # specify the listening address ( indicates all address of the machine);
#ListenAddress ::
# Disable legacy (protocol version 1) support in the server for new
# Installations. In future the default will change to require explicit
# Activation of protocol 1
Protocol 2
# HostKey for protocol version 1
#HostKey / Etc / ssh / ssh_host_key # use shhv1 use host key;
# HostKeys for protocol version 2
#HostKey / Etc / ssh / ssh_host_rsa_key
#HostKey / Etc / ssh / ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024 # key length;
# Logging
# Obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m # login grace period;
#PermitRootLogin Yes # allow administrators to log;
#StrictModes Yes
#MaxAuthTries 6 # maximum number of incorrect passwords entered;
#MaxSessions 10 # maximum number of sessions;
#RSAAuthentication Yes # Allow to use RSA authentication mechanisms;
#PubkeyAuthentication Yes
# -------- Intermediate not long to change configuration parameters slightly ----------
Subsystem sftp / usr / libexec / openssh / sftp-server # indicates whether to start the sftp function;
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server

  sshd authentication:
      1, password-based authentication;
      2, key-based authentication;
        # Ssh-keygen -t rsa rsa algorithm used to generate the key, default key is id_rsa (private), id_rsa.pub (public key)
        # Ssh-keygen -f / path / to / somefile -P oldpassword generate the key from an existing key file
            -f / path / to / somefile: Key file is saved in the location;
            -P '': Specifies the password used to generate the old key;
          Method One: the local host-generated public key id_rsa.pub copy to a remote host using scp on the remote host using the cat id_rsa.pub >> ssh / authorized_keys append the public key information so that you can implement key-based authentication the ssh login;
          Method Two: # ssh-copy-id -i .ssh / id_rsa.pub USERNAME @ HOST
[Root @ www ~] # ssh-keygen -t rsa # rsa algorithm used to generate the key;
Generating public / private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): # Specify the key storage path and name, and generally do not
# Modification, just press Enter;
Enter passphrase (empty for no passphrase): # Enter the private key password;
Enter same passphrase again: # Confirm the private key password;
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
c2: f9: c2: 3d: 4d: ca: 52: 39: 7a: a7: 33: de: 42: 11: d3: 8f root@www.99.com
The key's randomart image is:
+ - [RSA 2048] ---- +
|. |
| O. |
| O o |
|. ... E. |
| + S .. |
|. B. = |
| = .B O |
| ++ = |
| .o +. |
+ ----------------- +
[Root @ www ~] # ssh-keygen -f .ssh / id_rsa -P '' # rekeying based on existing key file;
Generating public / private rsa key pair.
.ssh / id_rsa already exists.
? Overwrite (y / n) y # prompt Are you sure you want to overwrite;
Your identification has been saved in .ssh / id_rsa.
Your public key has been saved in .ssh / id_rsa.pub.
The key fingerprint is:
bf: 55: f0: 0b: a5: ee: 4e: 4a: 1d: d3: b1: 0e: 66: ee: 55: 9b root@www.99.com
The key's randomart image is:
+ - [RSA 2048] ---- +
| |
| |
|. O |
| * O |
| S O =. |
|. * B oo |
| O * + E |
|. B. |
| O +. |
+ ----------------- +
# ----- Use a: to achieve complete authentication key file (no password) -----
[Root @ www ~] # scp .ssh / id_rsa.pub root@ / root / # Use spc command to copy the public key file to the remote
.ss / path # host the user's home directory under;
root@'s password: # Enter the login password for the remote host;
id_rsa.pub 100% 397 0.4KB / s 00:00 # prompt copy success;
[Root @ mailCentOS6 ~] # ls .ssh / # verification confirmation file copied successfully;
id_rsa.pub known_hosts
[Root @ mailCentOS6 ~] within # touch .ssh / authorized_keys # key path does not automatically validate files, create a;
[Root @ mailCentOS6 ~] # cat .ssh / id_rsa.pub >> .ssh / authorized_keys # append the public key to verify that the key files automatically;
[Root @ www ~] # ssh
Last login: Mon May 11 20:45:10 2015 from
[Root @ mailCentOS6 ~] # #OK, and see not, we do not directly enter a password can remotely log in! !
# ----- Use Method Two: Achieving complete the authentication key file (no password) -----
[Root @ mailCentOS6 ~] # rm -f .ssh / authorized_keys # delete the original saved automatically validate key file;
[Root @ www ~] # ssh-copy-id -i .ssh / id_rsa.pub root@ # use command to automatically generate automatic transmission verification key file;
root@'s password:
Now try logging into the machine, with "ssh 'root@'", and check in:
  .ssh / authorized_keys # prompt generated files;
to make sure we have not added extra keys that you were not expecting.
[Root @ www ~] # ssh # verify and see if you can log;
Last login: Mon May 11 21:02:29 2015 from
[Root @ mailCentOS6 ~] # ls .ssh / # see not, we are now logged on to the mailCentOS6 this host;
authorized_keys known_hosts

Syntax added]

    scp: use the ssh protocol between the host for secure file transfer tool
      scp SRC1 ... DEST
      Two cases:
          1, the source file in the machine, the target for the remote host
            # Scp / path / to / somefile ... USERNAME @ HOST: / path / to / somewhere
            Source can be a directory or file has more than, the target must be a directory
        2, the source file in the remote and local target
            # Scp USERNAME @ HOST: / path / to / somewhere / path / to / somewhere
            -r: using (recursive copy) when copying directories, scp can not copy the default directory;
            -p: to maintain the source file's metadata, including mode and timestamp
            -q: Quiet mode, the copying process does not show the status information;
            -p PORT: Specifies the ssh protocol monitor port (remote host).
- Editor of the popular Linux Gvim (Linux)
- The correct way to open Xcode - Debugging (Programming)
- Oriented C ++ test-driven development (Programming)
- Linux install Samba file sharing server (Server)
- How to install Kernel 4.0.2 on CentOS 7 (Linux)
- VMware virtual machine to install CentOS 6.2 (Linux)
- Linux variable learning experience (Linux)
- Implement firewall function on a closed Linux machine (Linux)
- Android Custom View step (Programming)
- How Datadog monitor Nginx (Server)
- Linux Getting Started Tutorial: How to set up a static MAC address on VMware ESXi virtual machine (Mobile)
- Docker Basic and Advanced (Linux)
- About Git (Linux)
- Install Oracle database error process of [INS-35172] (Database)
- Ubuntu 14.10 PPA installed Android Studio (Linux)
- Linux startup and logon security settings (Linux)
- jobs command example (Linux)
- Java concurrent programming combat (using synchronized synchronization method) (Programming)
- Phoenix agents use P2P WebRTC development (Programming)
- Arduino UNO simulation development environment set up and run simulation (Linux)
  CopyRight 2002-2022 newfreesoft.com, All Rights Reserved.