Using ssh and OpenSSH on CentOS 6

1. ssh and OpenSSH summary:

ssh (the secure shell) is a tool for secure remote access over the network. It has a client/server (C/S) structure. Before ssh, the usual tool for connecting to remote computers was telnet.

telnet communicates in cleartext, so its security is poor; except in an emergency, do not use telnet.

ssh is much safer than telnet. OpenSSH is the open source implementation of ssh.

It can be used as a direct replacement for rlogin, rsh, rcp and telnet. Furthermore, any other TCP/IP connection can be tunneled (forwarded) securely over SSH. OpenSSH encrypts all traffic, which effectively eliminates eavesdropping, connection hijacking and other network-level attacks. OpenSSH is maintained by the OpenBSD project.

Logging in establishes a session much as rlogin or telnet does, but when connecting, SSH uses a key fingerprint system to verify the authenticity of the server. Only on the first connection is the user asked to type yes; later connections are verified against the saved fingerprint, and if the saved fingerprint does not match the one received, a warning is shown. Fingerprints are stored in ~/.ssh/known_hosts (~/.ssh/known_hosts2 for SSH v2 fingerprints).

By default, newer versions of OpenSSH accept only SSH v2 connections. The client uses version 2 automatically when it can and otherwise falls back to version 1. You can also force version 1 or 2 with the command-line option -1 or -2 respectively. Version 1 support is kept in the client for compatibility with earlier versions.



SSH has two versions:

1. sshv1

sshv1 uses a CRC-32 check code as its integrity check (MAC) rather than an encrypted, keyed one; its use is strongly discouraged. Very unsafe.

2. sshv2

In sshv2 the host and the client negotiate and choose the safest mechanism available:

the encryption and MAC algorithms are selected by negotiation between the two parties;

key exchange is based on the DH algorithm, and authentication is implemented with RSA or DSA;

the client checks the server's host key to decide whether to continue communicating.

In actual use, the Protocol 2,1 setting (or the corresponding command-line parameters) determines whether version 1 or 2 is used.

Version 1 support is kept in the client for compatibility with earlier versions.

You can also write only Protocol 2 and give up compatibility with the unsafe sshv1.



2. OpenSSH clients:

OpenSSH has a C/S structure, so there are two parts, a server and a client. Under Linux the client software is ssh; under Windows the commonly used clients are PuTTY, Xshell, SecureCRT, SSH Secure Shell Client and so on.


2.1 OpenSSH client components:

2.1.1 ssh; its configuration file is /etc/ssh/ssh_config

ssh [-p PORT] [username@]host [COMMAND]
ssh [-p PORT] -l username host [COMMAND]

# If no username is given, ssh tries to log in as the current local user; if that user does not exist on the remote host you get an error.

# If COMMAND is given there is no remote login shell: COMMAND is executed on the remote host and its output is returned to the local machine.

For instance: to obtain the ifconfig output of a host whose ssh service listens on port 2222 (HOST stands for the host name):
#ssh -p 2222 root@HOST ifconfig
# -p must come before the host name; anything after the host name is passed to the remote command



2.1.2 scp: a secure file transfer tool between hosts that uses the ssh protocol

scp SRC1 … DEST

Two cases:

1. the source file is on the local machine and the target is remote
#scp /path/to/somefile … USERNAME@HOST:/path/to/somewhere

This logs in to the remote host HOST as user USERNAME and copies the local /path/to/somefile to /path/to/somewhere on the remote host.

For instance:

Copy the local /etc/fstab file to /tmp on host www.881027.com; note that the ssh port of www.881027.com is 2222
#scp -P 2222 /etc/fstab root@www.881027.com:/tmp
# Note that -P (uppercase) must follow the scp command, before the file arguments; -P specifies the ssh port of the remote host
# Note that if the current local user is root, the root@ in root@www.881027.com can be omitted

2. the source file is remote and the target is local
#scp USERNAME@HOST:/path/to/somewhere /path/to/somewhere
-r: needed when copying a directory
-p: preserve the metadata of the source file, including owner, group, mode and timestamps (if the owner does not exist on the remote host it cannot be preserved)
-q: quiet mode
-P PORT: specifies the port the ssh service listens on
For instance:
Download the remote host's /tmp/fstab file to the local /etc
#scp -P 2222 root@www.881027.com:/tmp/fstab /etc

2.1.3 sftp: an ftp-style service over ssh

After logging in with sftp, you can use many shell-like commands, such as ls, cd and mkdir, as well as ftp commands such as put and get.

Usage: sftp USERNAME@HOST

For instance:

Log in with sftp to www.881027.com (ssh port 2222) and download the /etc/fstab file of www.881027.com to the local machine
#sftp -oPort=2222 www.881027.com
sftp> get /etc/fstab
# -oPort specifies the remote port; if it is not specified the default 22 is used


3. OpenSSH server side: sshd

Configuration file: /etc/ssh/sshd_config

It controls the port and the various operating parameters of the sshd service; most of the best practices below are applied here.

The command

#man sshd_config

shows a detailed description of each parameter.

Service script: /etc/rc.d/init.d/sshd

Controls the sshd service: start, stop, restart, status

Script configuration file: /etc/sysconfig/sshd

3.1 parameters that often need to be modified:
Port; change the default listening port
ListenAddress; by default sshd listens on all local addresses; it can be set to listen only on specific IP addresses
Protocol 2,1; prefer version 2, but stay backward compatible with sshv1
HostKey /etc/ssh/ssh_host_rsa_key; the host key sent to the client when it connects
HostKey /etc/ssh/ssh_host_dsa_key; the host key sent to the client when it connects; DSA can only be used for authentication
KeyRegenerationInterval 1h; key regeneration interval, performed automatically by the server
LoginGraceTime 2m; grace time from the moment the login prompt appears until the account password must be entered
PermitRootLogin yes
    yes: allow the root user to log in directly via ssh
    no: do not allow root to log in directly via ssh; if necessary, log in as an ordinary user and then su - root
MaxAuthTries 6; maximum number of failed login attempts
MaxSessions 10; maximum number of sessions supported
RSAAuthentication yes; whether RSA authentication is enabled
PubkeyAuthentication yes; whether public key authentication (asymmetric encryption) is enabled
AuthorizedKeysFile .ssh/authorized_keys; the authorized keys file; public keys appended to authorized_keys allow login without a password
ClientAliveInterval 0; interval at which the server sends keepalive requests to the client; 0 means do not send
ClientAliveCountMax 300; when the number of requests the client has failed to respond to reaches this value, the server disconnects it
And so on

I have only listed some common options; there are many more that are not listed here, and you can look them up in the documentation with #man sshd_config.



4. sshd authentication:

1. password-based authentication:

Nothing to say: user name and password authentication

2. key-based (public key) authentication:

a. requires a key pair; the private key is kept locally,

b. the public key is placed in the user's home directory on the remote host: ~/.ssh/

c. the local public key is appended to ~/.ssh/authorized_keys in the home directory on the remote host

        # ssh-keygen -t rsa      generate the key pair
        the default key files are id_rsa and id_rsa.pub
        -f path/to/somefile: key file location
        -p: change the passphrase of an existing private key file (-P gives the old passphrase, -N the new one)

You can also use the ssh-copy-id tool to take the generated public key and upload it directly to the remote host:
        # ssh-copy-id -i ~/.ssh/id_rsa.pub USERNAME@HOST
        # ssh-copy-id -i id_rsa.pub "-p 7767 root@sbi.881027.com"      # quote the -p option together with the host when the remote ssh port is not 22
        # ssh -p 222 hostname      # afterwards the login should succeed without a password prompt
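The receiving half of what ssh-copy-id does, as an added example (not from the original post) that can be run on the remote host: it appends a public key to ~/.ssh/authorized_keys exactly once and sets the permissions sshd requires. The names install_pubkey, count_keys and SAMPLE_KEY, and the placeholder key material, are constructed for this demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: the receiving half of what
# ssh-copy-id does, as a function run on the remote host. It appends a public
# key to ~/.ssh/authorized_keys exactly once and sets the permissions sshd
# requires (with StrictModes): ~/.ssh mode 700, authorized_keys mode 600.
# install_pubkey, count_keys and SAMPLE_KEY are names constructed for this
# demo; the key material below is a made-up placeholder, not a real key.

SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EEXAMPLEPLACEHOLDERNOTAREALKEY== user@laptop'

install_pubkey() {   # $1 = home directory on the server, $2 = public key line
    home="$1"; key="$2"
    dir="$home/.ssh"; ak="$dir/authorized_keys"
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$ak"     && chmod 600 "$ak"
    # Split the line into key type, base64 blob and optional comment.
    set -- $key
    if [ $# -lt 2 ]; then echo "not a public key line"; return 0; fi
    blob="$1 $2"
    # The duplicate check ignores the comment: two copies of one key with
    # different comments must not produce two authorized_keys entries.
    if awk -v b="$blob" '($1 " " $2) == b { found = 1 } END { exit !found }' "$ak"; then
        echo "already present"
    else
        printf '%s\n' "$key" >> "$ak"
        echo "added"
    fi
}

# Number of key lines in the user's authorized_keys (comments and blank lines ignored).
count_keys() {   # $1 = home directory
    awk '/^(ssh|ecdsa)-/ { n++ } END { print n + 0 }' "$1/.ssh/authorized_keys"
}

demo_home=$(mktemp -d)                         # stand-in for the user's home directory
install_pubkey "$demo_home" "$SAMPLE_KEY"      # prints: added
install_pubkey "$demo_home" "$SAMPLE_KEY"      # prints: already present
ls -ld "$demo_home/.ssh" "$demo_home/.ssh/authorized_keys"
```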


5. sshd service best practices:

1. Do not use the default port 22

2. Do not use protocol 1

3. Restrict which users may log in

AllowUsers user1 user2 user3 …

AllowGroups grp1 grp2 ….

DenyUsers user1 user2

DenyGroups grp1 grp2

# The allow list and the deny (black) list cannot both be used; use only one of them

4. Set an idle session timeout

ClientAliveInterval 300 # number of seconds

ClientAliveCountMax 0 # maximum idle count of 0

5. Use the firewall to set an ssh access policy:

6. Listen only on a specific IP address rather than on all IP addresses of the machine

7. Use a strong password policy

Generate a random password, for instance:
#tr -dc A-Za-z0-9 < /dev/urandom | head -c 12; echo
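An added example (not from the original post) that checks an sshd_config file against the options from section 3.1 and the practices in section 5: default port, sshv1 still enabled, direct root login, no idle timeout, and allow and deny lists used together. The function names sshd_opt, audit_sshd, weak_config and hardened_config and both sample configurations are constructed for this demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for the
# settings discussed above. The sample configs below are constructed for the demo.

# Print the effective value of one keyword: last match wins, comment lines are
# skipped, and keywords match case-insensitively as sshd itself does.
# Only the first value after the keyword is returned (enough for these checks).
sshd_opt() {   # $1 = config file, $2 = keyword
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == k { v = $2 }
        END { print v }' "$1"
}

# Print one line per weak setting found in $1 (prints nothing when it is clean).
audit_sshd() {
    f="$1"
    port=$(sshd_opt "$f" Port);             [ -n "$port" ] || port=22
    root=$(sshd_opt "$f" PermitRootLogin);  [ -n "$root" ] || root=yes
    proto=$(sshd_opt "$f" Protocol)
    alive=$(sshd_opt "$f" ClientAliveInterval)
    allow=$(sshd_opt "$f" AllowUsers)
    deny=$(sshd_opt "$f" DenyUsers)

    [ "$port" = 22 ]  && echo "Port: still the default 22"
    case ",$proto," in *,1,*) echo "Protocol: sshv1 still allowed ($proto)" ;; esac
    [ "$root" = yes ] && echo "PermitRootLogin: direct root login allowed"
    if [ -z "$alive" ] || [ "$alive" = 0 ]; then
        echo "ClientAliveInterval: no idle-session timeout"
    fi
    [ -n "$allow" ] && [ -n "$deny" ] && echo "AllowUsers and DenyUsers both set; use one list only"
    return 0
}

# Constructed sample: a typical unhardened config. Prints the temp file path.
weak_config() {
    t=$(mktemp)
    printf '%s\n' '#Port 22' 'Protocol 2,1' 'PermitRootLogin yes' \
        'ClientAliveInterval 0' 'AllowUsers admin deploy' 'DenyUsers guest' > "$t"
    echo "$t"
}

# Constructed sample: the same config after applying the practices above.
hardened_config() {
    t=$(mktemp)
    printf '%s\n' 'Port 2222' 'Protocol 2' 'PermitRootLogin no' \
        'ClientAliveInterval 300' 'ClientAliveCountMax 0' 'AllowUsers admin' > "$t"
    echo "$t"
}

audit_sshd "$(weak_config)"      # prints five findings; the hardened config prints none
```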
