What are the methods used by linux ssh?

09-21-2023

The openssh package contains the following commands:

sshd - the SSH server daemon
sftp-server - the SFTP server program (similar to FTP, but the protocol encrypts the data)
scp - non-interactive sftp-server client, used to upload files to and download files from the server
sftp - interactive sftp-server client, used in the same way as the ftp command
slogin - another name for ssh
ssh - the SSH protocol client program, used to log in to a remote system or to execute a command remotely
ssh-add - adds DSA keys to the SSH agent
ssh-agent - the SSH agent program
ssh-keyscan - gathers SSH public host keys
ssh-keygen - the key generator

The most common use of ssh is remote login in place of telnet. Unlike telnet, which offers only system-password login, ssh supports several login methods, such as publickey, keyboard-interactive and gssapi. At present the most commonly used are the traditional password method and the publickey method. Red Hat AS4 is used below to illustrate both.

[root@mail ~]# ssh 172.18.6.227
The authenticity of host '172.18.6.227 (172.18.6.227)' can't be established.
RSA key fingerprint is 43:80:f2:e1:9b:b6:6e:c0:e2:dd:57:8f:ed:89:b3:81.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.18.6.227' (RSA) to the list of known hosts.
root@172.18.6.227's password:
Last login: Thu Jul 12 18:47:47 2007 from 172.18.6.130
[root@qmail ~]#

After the first login, ssh stores the server's host key fingerprint in the known_hosts file in the .ssh directory of the user's home directory. If the remote system has been reinstalled and its host key fingerprint has changed, you must delete the corresponding entry from known_hosts in the .ssh directory before you can log in again. Note that .ssh is a hidden directory (its name starts with a dot); you need ls -a to see it. The directory must have mode 700, and the user's home directory must not be writable by other users, otherwise the ssh server refuses the login. If you cannot log in, check the log file /var/log/secure on the server; it usually shows the reason quickly.

Executing a command remotely with ssh:

[root@mail ~]# ssh 172.18.6.227 ls -l /
root@172.18.6.227's password:
total 1244
drwxr-xr-x   2 root root  4096 Jun 26 04:02 bin
drwxr-xr-x   4 root root  4096 Mar 29 11:17 boot
drwxr-xr-x   2 root root  4096 Jan 25 11:26 command
drwxr-xr-x  15 root root  4096 Jun 12 20:09 data
drwxr-xr-x   9 root root  5360 Jul  2 13:38 dev
drwxr-xr-x  87 root root 12288 Jul 11 04:02 etc
drwxr-xr-x  20 root root  4096 Apr 10 10:54 home
drwxr-xr-x   2 root root  4096 Aug 13  2004 initrd

After the correct password is entered, ssh connects to the sshd server program on the remote host, executes ls -l / there, and sends the output back to the local machine. It is equivalent to logging in to the remote server, running ls -l /, and logging out again. Note that if you want to log in and run more than one command, you must enclose the whole command line in single or double quotes, otherwise the local shell splits it at the && and runs the second part locally:

ssh 172.18.6.227 'cd /root && ls'

The remote command execution function of ssh replaces the old r-commands. Before ssh appeared, system administrators had to use insecure remote execution tools such as rexec and rsh for the same task. This function is very useful when managing a large number of machines. For example, to restart every server in the 10.0.0.0/24 network segment, I only need to enter one command:

for i in $(seq 1 254) ; do ssh 10.0.0.${i} reboot ; done

and all the servers are restarted. You may object that although you no longer log in to every server, you still have to type the password each time, which is tedious. The public key login described next solves that problem.

Login with public key:

OpenSSH's ssh-keygen command generates the private/public key pair used for this.

[root@mail ~]# ssh-keygen -b 1024 -t dsa -C gucuiwen@myserver.com
Generating public/private dsa key pair.                    # the key is being generated; with 4096 bits this can take a long time
Enter file in which to save the key (/root/.ssh/id_dsa):   # asks where to save the public and private key; press Enter to accept the default location
Enter passphrase (empty for no passphrase):                # asks for a private-key passphrase; for automatic login leave it empty and press Enter
Enter same passphrase again:                               # asks for the passphrase again; press Enter
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.   # the private and public key have been saved in /root/.ssh/
The key fingerprint is:
71:e5:cb:15:d3:8c:05:ed:05:84:85:32:ce:b1:31:ce gucuiwen@myserver.com   # the key's fingerprint

Note: -b 1024 generates a key pair with a length of 1024 bits; the maximum is 4096 bits. 1024 or 2048 is generally enough; a longer key makes encryption and decryption take much longer. -t dsa generates a DSA key pair; besides dsa there is rsa, and an RSA key cannot be shorter than 768 bits. -C gucuiwen@myserver.com is a comment describing the key pair, usually the owner's e-mail address; it can be omitted. See man ssh-keygen for the other parameters.

[root@mail ~]# ls -l /root/.ssh
total 16
-rw-------  1 root root 668 Jul 12 20:07 id_dsa
-rw-r--r--  1 root root 611 Jul 12 20:07 id_dsa.pub
-rw-r--r--  1 root root 222 Jul 12 19:37 known_hosts

The generated key files are in the .ssh directory of the user's home directory; id_dsa.pub is the public key. Upload the public key to the .ssh directory of the corresponding user on each server you need to log in to. Once more: the user's home directory must not be writable by others, and the .ssh directory must have mode 700, so that nobody except the user can read or write it. The default public key file that ssh consults is authorized_keys in the .ssh directory of the user's home directory, so the generated public key must be stored on the server as /root/.ssh/authorized_keys. This file can hold the public keys of several clients, like a door fitted with many locks: different keys are tried in turn, and as soon as one lock opens, the door opens. It should look like this on the server:

The private key must have mode 600, otherwise the login is refused.
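As an added example (not the article's own code), the following POSIX shell script performs the server-side half of the procedure above: it creates the user's .ssh directory with mode 700, appends a public key line to authorized_keys with mode 600, and skips keys that are already present so the same key is never authorized twice. The public key lines in the usage comments are constructed; the paths are whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the original article. Installs a public key into a
# user's authorized_keys with the modes the article requires: home directory
# not writable by group/others, .ssh mode 700, authorized_keys mode 600.

# install_authorized_key HOME_DIR "PUBLIC_KEY_LINE"
# Idempotent: a key is identified by its type and base64 blob, so a line
# that differs only in the trailing comment is not added a second time.
install_authorized_key() {
    home_dir=$1
    pubkey=$2
    ssh_dir="$home_dir/.ssh"
    auth="$ssh_dir/authorized_keys"

    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    chmod go-w "$home_dir"          # sshd rejects group/world-writable homes
    touch "$auth" && chmod 600 "$auth"

    key_type=$(printf '%s\n' "$pubkey" | awk '{ print $1 }')
    key_blob=$(printf '%s\n' "$pubkey" | awk '{ print $2 }')
    if awk -v t="$key_type" -v b="$key_blob" \
        '$1 == t && $2 == b { found = 1 } END { exit !found }' "$auth"; then
        return 0                    # already authorized, nothing to do
    fi
    printf '%s\n' "$pubkey" >> "$auth"
}

# count_authorized_keys FILE
# Prints how many keys FILE authorizes (one per non-empty, non-comment line).
count_authorized_keys() {
    grep -c -v -e '^[[:space:]]*$' -e '^#' "$1"
}

# Usage (constructed key, not a real one):
#   install_authorized_key /home/alice \
#       'ssh-ed25519 AAAAC3CONSTRUCTEDKEY alice@laptop'
#   count_authorized_keys /home/alice/.ssh/authorized_keys
```

Because the comparison ignores the comment field, re-running the script after a user regenerates the comment (but not the key) leaves authorized_keys unchanged, which keeps the file small and makes later audits of who is allowed in much easier.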

That's about it. Now let's talk about the configurations of /etc/ssh/ssh_config and /etc/ssh/sshd_config.

/etc/ssh/ssh_config:

Host *
The options that follow a Host line apply only to hosts matching the given pattern; * means all hosts.

ForwardAgent no
Sets whether the connection to the authentication agent (if one exists) is forwarded to the remote host.

ForwardX11 no
Sets whether X11 connections are automatically redirected over the secure channel and DISPLAY set.

RhostsAuthentication no
Sets whether rhosts-based authentication is used.

RhostsRSAAuthentication no
Sets whether rhosts-based authentication combined with RSA host authentication is used.

RSAAuthentication yes
Sets whether RSA authentication is used.

PasswordAuthentication yes
Sets whether password authentication is used.

FallBackToRsh no
Sets whether ssh falls back to rsh automatically if the ssh connection fails.

UseRsh no
Sets whether rlogin/rsh is used for this host.

BatchMode no
If set to yes, passphrase/password prompts are disabled. This is useful for scripts and batch jobs where a password cannot be entered interactively.

CheckHostIP yes
Sets whether ssh also checks the IP address of the server in known_hosts, to detect DNS spoofing. It is recommended to set this to yes.

StrictHostKeyChecking no
If set to yes, ssh will not automatically add host keys to $HOME/.ssh/known_hosts, and will refuse to connect once a host key has changed.

IdentityFile ~/.ssh/identity
Sets the file from which the user's RSA authentication identity is read.

Port 22
Sets the port to connect to on the remote host.

Cipher blowfish
Sets the cipher used for encryption.

EscapeChar ~
Sets the escape character.

/etc/ssh/sshd_config:

Port 22
Sets the port number sshd listens on.

ListenAddress 192.168.1.1
Sets the IP address the sshd server binds to.

HostKey /etc/ssh/ssh_host_key
Sets the file containing the host's private key.

ServerKeyBits 1024
Defines the number of bits in the server key.

LoginGraceTime 600
Sets the time (in seconds) the server waits before disconnecting if the user has not logged in successfully.

KeyRegenerationInterval 3600
Sets the number of seconds after which the server key is automatically regenerated (if a server key is in use). Regenerating the key prevents intercepted traffic from being decrypted later with a stolen key.

PermitRootLogin no
Sets whether root can log in with ssh. This option must not be set to yes.

IgnoreRhosts yes
Sets whether .rhosts and .shosts files are ignored during authentication.

IgnoreUserKnownHosts yes
Sets whether sshd ignores the user's $HOME/.ssh/known_hosts during RhostsRSAAuthentication.

StrictModes yes
Sets whether sshd checks the permissions and ownership of the user's home directory and rhosts file before accepting the login. This is usually necessary, because novices often leave their directories and files writable by everyone.

X11Forwarding no
Sets whether X11 forwarding is allowed.

PrintMotd yes
Sets whether sshd displays the contents of /etc/motd when the user logs in.

SyslogFacility AUTH
Sets the syslog facility code used when logging messages from sshd.

LogLevel INFO
Sets the verbosity level of sshd log messages. INFO is a good choice. See the sshd man page for more information.

RhostsAuthentication no
Sets whether rhosts or /etc/hosts.equiv alone is sufficient for authentication.

RhostsRSAAuthentication no
Sets whether authentication with rhosts or /etc/hosts.equiv plus RSA host authentication is allowed.

RSAAuthentication yes
Sets whether pure RSA authentication is allowed.

PasswordAuthentication yes
Sets whether password authentication is allowed.

PermitEmptyPasswords no
Sets whether accounts with an empty password are allowed to log in.

AllowUsers admin
Can be followed by any number of user name patterns or user@host strings, separated by spaces. The host part can be a DNS name or an IP address.
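As an added example (not part of the original article), the following POSIX shell script audits an sshd_config against the four settings the list above singles out as important: PermitRootLogin no, PermitEmptyPasswords no, StrictModes yes and X11Forwarding no. It follows sshd's own rule that the first occurrence of a keyword wins, so a hardening line added at the bottom of the file after an earlier weak one is correctly reported as ineffective. The configuration files in the usage comments are constructed; Match blocks are not evaluated, which is an assumption of this simple parser.

```shell
#!/bin/sh
# Added example, not from the original article. Audits an sshd_config for
# the settings the article calls out. Limitation: lines inside Match blocks
# are treated like global ones; a real audit must account for them.

# sshd_effective FILE KEYWORD
# Prints the effective value of KEYWORD in lowercase, or nothing if unset.
# Keywords are case-insensitive and sshd uses the FIRST value it reads.
sshd_effective() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }     # skip comments and blanks
        tolower($1) == k { print tolower($2); exit }
    ' "$1"
}

# audit_sshd_config FILE
# Prints one line per finding and returns 0 only when there are none.
audit_sshd_config() {
    f=$1
    findings=0
    check() {   # check KEYWORD EXPECTED REASON
        v=$(sshd_effective "$f" "$1")
        if [ -z "$v" ]; then
            echo "$1 is not set explicitly (want $2): $3"
            findings=$((findings + 1))
        elif [ "$v" != "$2" ]; then
            echo "$1 is '$v' (want $2): $3"
            findings=$((findings + 1))
        fi
    }
    check PermitRootLogin     no  "root must not log in over ssh directly"
    check PermitEmptyPasswords no "accounts with empty passwords must not log in"
    check StrictModes         yes "sshd should reject unsafe home/key permissions"
    check X11Forwarding       no  "X11 forwarding is not needed on a server"
    [ "$findings" -eq 0 ]
}

# Usage: sh audit_sshd.sh /etc/ssh/sshd_config
if [ "$#" -eq 1 ]; then
    audit_sshd_config "$1"
fi
```

The "not set explicitly" finding is deliberate: defaults differ between OpenSSH versions, so a file that relies on them says nothing about what the running daemon actually does; `sshd -T` prints the effective values if you want to compare against them.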

To convert a public key in SSH2 format into OpenSSH format and append it to the authorized keys file:

ssh-keygen -i -f identity.pub >> /root/.ssh/authorized_keys2
