SSH remote management principles (one article is enough)

SSH remote management

Definition of SSH

SSH (Secure Shell) is a secure channel protocol used mainly for remote login to a character-based (terminal) interface and for remote file copying.
The SSH protocol encrypts all traffic between the two parties, including the password the user types at login, so it offers far better security than plaintext remote-login protocols.

SSH client: Putty, Xshell, CRT
SSH server: OpenSSH

OpenSSH

OpenSSH is the open-source software project that implements the SSH protocol; it runs on all common UNIX and Linux operating systems.
The sshd service listens on TCP port 22 by default.

Service name: sshd
Server main program: /usr/sbin/sshd
Server configuration file: /etc/ssh/sshd_config

Configure OpenSSH server

Common options in the sshd_config configuration file (sshd honours the first occurrence of each directive; later duplicates are ignored)

vim /etc/ssh/sshd_config
Port 22 								#listen on port 22
ListenAddress 0.0.0.0 					#listen on every address; a specific IP address of the OpenSSH server can be given instead

LoginGraceTime 2m 						#the client has 2 minutes to finish authenticating before sshd drops the connection
PermitRootLogin no 						#refuse direct root logins (administer as a normal user and escalate with sudo)
MaxAuthTries 6 							#at most 6 authentication attempts per connection; once half of them have failed, further failures are logged

PermitEmptyPasswords no 				#refuse accounts that have an empty password
UseDNS no 								#skip reverse DNS lookups of the client, so logins are not delayed by slow or broken DNS

#only allow user zzz to log in, and only from the host with IP address 192.168.232.20
AllowUsers zzz@192.168.232.20 					#separate multiple entries with spaces
#deny specific users; the syntax is the same as AllowUsers. If both are present, sshd evaluates DenyUsers first and then AllowUsers, so a user must pass both lists
DenyUsers xxx
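The settings above are only useful if they are actually in effect, and sshd silently ignores a second occurrence of a directive, so a quick audit script is worth having. The following is an added example, not code from the original post or from OpenSSH: it extracts the effective value of each directive the way sshd reads it (first non-comment occurrence) and flags the permissive settings discussed above. The helper names (effective_value, audit_sshd_config, count_findings, write_*_config) and the stricter targets it asks for (PasswordAuthentication no, MaxAuthTries 3, an AllowUsers line) are this example's own choices; the two configuration files are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# weak settings discussed above. Helper names are this example's own.

# effective_value FILE KEY: print the value of the first non-comment
# occurrence of KEY (case-insensitive). sshd uses the first occurrence
# of a directive and ignores later ones, so an audit must do the same.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }                  # skip comment lines
        tolower($1) == key { print $2; exit }      # first hit wins
    ' "$1"
}

# audit_sshd_config FILE: print one "WEAK:" line per finding. An unset
# directive is a finding too, because the compiled-in defaults
# (PasswordAuthentication yes, no AllowUsers) are the permissive ones.
audit_sshd_config() {
    cfg=$1
    want() {   # want KEY EXPECTED REASON
        v=$(effective_value "$cfg" "$1")
        if [ "$v" != "$2" ]; then
            echo "WEAK: $1 is '${v:-unset}' (want $2): $3"
        fi
    }
    want PermitRootLogin        no  "log in as an unprivileged user and escalate with sudo"
    want PermitEmptyPasswords   no  "empty passwords must never be accepted"
    want PasswordAuthentication no  "passwords can be brute-forced; use key pairs"
    want PubkeyAuthentication   yes "key-pair authentication must stay enabled"
    want MaxAuthTries           3   "limit failed attempts per connection"
    if [ -z "$(effective_value "$cfg" AllowUsers)" ]; then
        echo "WEAK: AllowUsers unset: every local account can be tried"
    fi
    return 0
}

# count_findings FILE: number of WEAK lines (0 when the config passes)
count_findings() {
    audit_sshd_config "$1" | grep -c '^WEAK:' || true
}

# Constructed sample configs, trimmed to the directives the audit checks.
write_weak_config() {
    cat > "$1" <<'EOF'
# permissive settings, roughly the compiled-in defaults
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
EOF
}

write_hardened_config() {
    cat > "$1" <<'EOF'
Port 22
ListenAddress 0.0.0.0
LoginGraceTime 2m
PermitRootLogin no
MaxAuthTries 3
PermitEmptyPasswords no
UseDNS no
PasswordAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# only zzz, and only from 192.168.232.20
AllowUsers zzz@192.168.232.20
# sshd honours the FIRST occurrence; this later line is ignored
PermitRootLogin yes
EOF
}

# Demo: audit both sample files
demo_dir=$(mktemp -d)
write_weak_config "$demo_dir/weak.conf"
write_hardened_config "$demo_dir/hardened.conf"
echo "== weak.conf";     audit_sshd_config "$demo_dir/weak.conf"
echo "== hardened.conf"; audit_sshd_config "$demo_dir/hardened.conf"
</```

Run it against /etc/ssh/sshd_config to see which of the options from this section are really in force. The script only checks values; after editing the real file, validate the syntax with `sshd -t` before restarting the service, because a typo in sshd_config prevents sshd from starting and can lock you out of a remote host.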


The sshd service supports two authentication methods:

Password authentication

The login name and password are checked against the server's local system users. Simple to set up, but exposed to brute-force (password-guessing) attacks.

Key pair authentication

The client must hold a private key whose matching public key is registered on the server. Usually a key pair (public key, private key) is generated on the client first, and the public key is then placed in the designated file on the server. At login, the server challenges the client to prove possession of the private key (the client signs a challenge, which the server verifies with the stored public key); no password ever crosses the network. This is stronger than password authentication and also allows non-interactive (scripted) logins.

When both methods are enabled, the client tries key-pair authentication first and falls back to the password prompt only if no key is accepted. Choose the combination that fits the environment; for an Internet-facing server, disabling password authentication altogether removes the brute-force surface.

vim /etc/ssh/sshd_config
PasswordAuthentication yes 						#enable password authentication
PubkeyAuthentication yes 						#enable key-pair authentication
AuthorizedKeysFile .ssh/authorized_keys 		#file (relative to the user's home directory) that holds the authorised public keys

Using the SSH client programs

ssh remote login


scp remote copy

Downstream copy (remote to local)
scp [email protected]:/etc/passwd /root/passwd10.txt		#copy /etc/passwd from the remote host to the local file /root/passwd10.txt

Upstream copy (local to remote)
scp -r /etc/ssh/ [email protected]:/opt					#copy the local /etc/ssh directory (recursively) to /opt on the remote host

sftp

sftp [email protected]
Connecting to 192.168.232.20...
[email protected]'s password:			#enter the password
sftp> ls				#list the remote working directory
sftp> get filename		#download a remote file into the local working directory
sftp> put filename		#upload a local file into the remote working directory
sftp> quit				#exit

Configure key pair verification

Create a key pair on the client

Use the ssh-keygen tool to create a key pair for the current user. The key type is chosen with the "-t" option: rsa, ecdsa or ed25519 (ed25519 is the recommended choice today; dsa keys are deprecated and disabled in current OpenSSH releases).


ssh-keygen -t ecdsa
Generating public/private ecdsa key pair.
Enter file in which to save the key (/home/admin/.ssh/id_ecdsa): 	#path of the private key; press Enter to accept the default
Created directory '/home/admin/.ssh'.			#by default the private and public key files go into the hidden .ssh/ directory under the home directory
Enter passphrase (empty for no passphrase): 				#passphrase that encrypts the private key on disk (leave it empty only for unattended automation)
Enter same passphrase again: 								#confirm

ls -l .ssh/id_ecdsa*
#id_ecdsa is the private key, mode 600 by default, and must never be copied off this host; id_ecdsa.pub is the public key, which is what gets handed to the SSH server

Upload the public key file to the server

scp ~/.ssh/id_ecdsa.pub [email protected]:/opt
or
#ssh-copy-id appends the public key straight into ~/.ssh/authorized_keys of the target user on the server, creating the directory and file with the right permissions
cd ~/.ssh/
ssh-copy-id -i id_ecdsa.pub [email protected]

Import the public key text in the server

This step is only needed when the public key was copied over with scp (the first method); ssh-copy-id already does it.

mkdir /home/zhangsan/.ssh/
cat /tmp/id_ecdsa.pub >> /home/zhangsan/.ssh/authorized_keys
#sshd (StrictModes, on by default) refuses keys from a directory or file that is group- or world-writable or owned by another user, so fix permissions and ownership
chmod 700 /home/zhangsan/.ssh/
chmod 600 /home/zhangsan/.ssh/authorized_keys
chown -R zhangsan:zhangsan /home/zhangsan/.ssh/

cat /home/zhangsan/.ssh/authorized_keys

Use key pair authentication on the client

ssh zhangsan@192.168.232.20
Enter passphrase for key '/home/admin/.ssh/id_ecdsa': 	#enter the passphrase of the private key, not the account password

Set up ssh-agent on the client for non-interactive login

ssh-agent bash										#start a new shell with an agent attached
ssh-add												#load the private key into the agent (the default key files under ~/.ssh are tried)
Enter passphrase for /home/admin/.ssh/id_ecdsa: 	#enter the private key's passphrase once; the agent keeps the decrypted key in memory

ssh zhangsan@192.168.232.20							#later logins from this shell need neither passphrase nor password
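The server-side half of this procedure (create .ssh, append the key, fix permissions) is easy to get subtly wrong, and a key appended twice or left world-writable is a common reason why "key login just prompts for the password anyway". The following is an added example, not code from the original post or from OpenSSH: a small shell helper that installs a public key line into a user's authorized_keys the way ssh-copy-id does, idempotently and with the permissions StrictModes expects, and that goes one step beyond the page by optionally prefixing the `from="..."` authorized_keys option, which pins the key to a client address much like AllowUsers user@host pins the account. The helper names (install_authorized_key, count_keys), the target home directory (a temporary directory instead of /home/zhangsan) and the key material are this example's own; the key blob is constructed and is not a real key.

```shell
#!/bin/sh
# Added example (not from the original post): the server-side half of
# ssh-copy-id, done by hand with the permission hardening sshd's StrictModes
# expects. Helper names are this example's own; the key below is constructed.

# install_authorized_key HOME_DIR "PUBKEY_LINE" [FROM_PATTERN]
#   - creates HOME_DIR/.ssh (mode 700) and authorized_keys (mode 600);
#     StrictModes (on by default) rejects group/world-writable files
#   - appends the key only once (idempotent), matched on type + key blob
#   - with FROM_PATTERN, prefixes the authorized_keys option from="PATTERN",
#     so this key is only usable from that address, analogous to
#     AllowUsers user@host in sshd_config
install_authorized_key() {
    home=$1; pubkey=$2; from=${3:-}
    sshdir="$home/.ssh"; akf="$sshdir/authorized_keys"

    # An OpenSSH public key line is "<keytype> <base64 blob> [comment]"
    keytype=${pubkey%% *}
    rest=${pubkey#* }
    blob=${rest%% *}
    case "$keytype" in
        ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|ssh-rsa) ;;
        *) echo "refusing '$keytype': not an OpenSSH public key type" >&2; return 1 ;;
    esac
    if [ "$rest" = "$pubkey" ] || [ -z "$blob" ]; then
        echo "refusing: malformed public key line" >&2; return 1
    fi

    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    if [ ! -f "$akf" ]; then : > "$akf"; fi
    chmod 600 "$akf"

    # Already installed (with or without options)? Then do nothing.
    if grep -q -F -- "$keytype $blob" "$akf"; then
        echo "key already present in $akf, not appended" >&2
        return 0
    fi
    if [ -n "$from" ]; then
        printf 'from="%s" %s\n' "$from" "$pubkey" >> "$akf"
    else
        printf '%s\n' "$pubkey" >> "$akf"
    fi
}

# count_keys FILE: number of non-comment, non-blank lines in authorized_keys
count_keys() {
    grep -c -v -e '^#' -e '^[[:space:]]*$' "$1" || true
}

# Constructed sample key (NOT a real key): type, blob, comment
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeBlobForTheExampleOnly00000000000 admin@client'

# Demo: install twice, restricted to an assumed client address 192.168.232.10
demo_home=$(mktemp -d)
install_authorized_key "$demo_home" "$SAMPLE_KEY" 192.168.232.10
install_authorized_key "$demo_home" "$SAMPLE_KEY" 192.168.232.10
cat "$demo_home/.ssh/authorized_keys"
ls -ld "$demo_home/.ssh" "$demo_home/.ssh/authorized_keys"
```

On a real server, call it as root with the user's home directory and then `chown -R user:user ~user/.ssh`, since files created by root are rejected by StrictModes when the login user does not own them. If a key login still falls back to the password prompt, run `sshd -d` on a spare port or read the auth log: the "Authentication refused: bad ownership or modes" message is exactly this permission check failing.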

TCP Wrappers access control

TCP Wrappers "wraps" a TCP service program: it accepts connections on the service's port on its behalf and inserts a security check. An incoming connection must pass this check first and is handed to the real service program only if the policy permits.
Most traditional Linux distributions shipped TCP Wrappers by default (check with rpm -q tcp_wrappers). Note that upstream OpenSSH removed libwrap support in version 6.7, and newer distributions (RHEL 8 and later, for example) no longer ship tcp_wrappers at all; on such systems protect sshd with sshd_config (AllowUsers, ListenAddress) and the host firewall instead.

Two ways the TCP Wrappers protection mechanism is applied

1. The tcpd program is used directly to protect other service programs; tcpd itself must be running (typically launched by inetd/xinetd in front of the service).
2. The service program links against the libwrap.so.* library and consults the policy files itself, with no tcpd process. This is the more common and more efficient method.

* Use the ldd command to check whether a program links libwrap.so (the protected program is the server sshd, not the ssh client; run as root so /usr/sbin is on the PATH)
ldd $(which sshd vsftpd)

Access policy of TCP Wrappers

The objects protected by the TCP Wrappers mechanism are network service programs, and access is controlled by the address of the client connecting to the service.
The corresponding two policy files are /etc/hosts.allow and /etc/hosts.deny, which are used to set allow and deny policies respectively.

The basic principle of the TCP Wrappers mechanism:
first check the /etc/hosts.allow file, if a matching policy is found, then access is allowed;
otherwise, continue to check the /etc/hosts.deny file, and if a matching policy is found, access is denied;
If no matching policy is found after checking the above two files, then access is allowed.

"Allow all, deny a few"
Only add the corresponding deny rules to /etc/hosts.deny.

"Allow a few, deny all"
Besides adding allow rules to /etc/hosts.allow, also put an "ALL:ALL" deny rule in /etc/hosts.deny.
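The three-step evaluation order above is the whole security model of TCP Wrappers, and the two policy patterns only work if you keep it straight (a forgotten "ALL:ALL" in hosts.deny silently turns "allow a few" into "allow everyone"). The following is an added example, not code from the original post or from the tcp_wrappers project: a simplified re-implementation of that decision order in shell, so both patterns can be tested against constructed hosts.allow/hosts.deny files without touching /etc. The helper names (match_item, file_matches, tcpwrap_decide) are this example's own, and only a subset of tcpd's syntax is handled: "daemon_list : client_list" with ALL, exact daemon names, exact IPs and dotted network prefixes such as 192.168.232. (EXCEPT, netmasks, hostnames and the option field are not implemented).

```shell
#!/bin/sh
# Added example (not from the original post): a simplified model of the
# hosts.allow / hosts.deny evaluation order. Helper names are this example's
# own; only a subset of tcpd's syntax is supported (see the lead-in).

# match_item PATTERN_LIST ITEM: 0 if ITEM matches any comma-separated pattern
match_item() {
    for pat in $(printf '%s' "$1" | tr ',' ' '); do
        case "$pat" in
            ALL) return 0 ;;                                    # wildcard
            *.)  case "$2" in "$pat"*) return 0 ;; esac ;;      # network prefix, e.g. 192.168.232.
            *)   if [ "$pat" = "$2" ]; then return 0; fi ;;     # exact daemon name or IP
        esac
    done
    return 1
}

# file_matches FILE DAEMON CLIENT: 0 if any rule line in FILE matches both
file_matches() {
    if [ ! -f "$1" ]; then return 1; fi
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                                # strip comments
        case "$line" in *:*) ;; *) continue ;; esac     # blank or malformed line
        daemons=${line%%:*}
        rest=${line#*:}
        clients=${rest%%:*}                             # ignore a trailing ": option" field
        if match_item "$daemons" "$2" && match_item "$clients" "$3"; then
            return 0
        fi
    done < "$1"
    return 1
}

# tcpwrap_decide HOSTS_ALLOW HOSTS_DENY DAEMON CLIENT: prints allow or deny
tcpwrap_decide() {
    if file_matches "$1" "$3" "$4"; then
        echo allow            # 1. a match in hosts.allow wins
    elif file_matches "$2" "$3" "$4"; then
        echo deny             # 2. otherwise a match in hosts.deny denies
    else
        echo allow            # 3. no match anywhere: allowed by default
    fi
}

# Demo: the "allow a few, deny all" pattern with constructed policy files
demo=$(mktemp -d)
cat > "$demo/hosts.allow" <<'EOF'
# the 192.168.232.0/24 segment may reach sshd; one host may reach vsftpd
sshd: 192.168.232.
vsftpd: 192.168.232.20
EOF
cat > "$demo/hosts.deny" <<'EOF'
ALL: ALL        # without this line every unlisted client is allowed
EOF

for probe in "sshd 192.168.232.5" "sshd 10.0.0.9" "vsftpd 192.168.232.20" "vsftpd 192.168.232.5"; do
    set -- $probe
    echo "$1 from $2 -> $(tcpwrap_decide "$demo/hosts.allow" "$demo/hosts.deny" "$1" "$2")"
done
```

The daemon name that tcpd matches is the process name of the server (sshd, vsftpd), not the service name you typed in the client. For the "allow all, deny a few" pattern, leave hosts.allow empty and list only the unwanted clients in hosts.deny; the model above returns allow for everything else, exactly as step 3 says.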

Origin blog.csdn.net/xiwagogogo/article/details/114275923