Installation and configuration of OpenSSH on a Linux system

xiaoxiao  2021-03-06

Overview

Many network programs, such as telnet, rsh, rlogin or rexec, transmit their data, passwords and other secret information included, in plain text. Anyone with a computer connected to the network can therefore eavesdrop on the traffic between these programs and their servers. The telnet program is indispensable for daily administration, yet it is not safe, so what should replace it? OpenSSH is the replacement for those outdated, insecure remote login programs: telnet, rlogin, rsh, rdist and rcp.

The OpenSSH README file puts it this way: ssh (Secure Shell) is a program for logging into a remote host over a network and executing commands there. It provides strong authentication and secure communication over an insecure network.

We configure OpenSSH to support TCP Wrappers (via the inetd super server), which further improves security and means OpenSSH does not have to run as a background daemon. When a client requests a connection, the TCP Wrappers daemon checks and authorizes the request before handing the connection to OpenSSH. OpenSSH is free software and uses encryption algorithms that are not encumbered by patents. I therefore suggest using OpenSSH (free, and with a number of bugs fixed) rather than SSH1 (free but buggy) or SSH2 (now distributed under a commercial license).

Precautions

All the commands below are Unix-compatible commands.

The source path is "/var/tmp" (other paths can of course be used as well).

Installation was tested under Red Hat Linux 6.1 and 6.2.

Install as the "root" user.

The version of OpenSSH is 1.2.3.

Source of the OpenSSH package: http://violet.ibs.com.au/openssh/.

Download: openssh-1.2.3.tar.gz.

Preparation

Compiling OpenSSH requires the zlib-devel package, which contains the header files and library needed to compile programs that use zlib's compression and decompression functions. Install this package in advance; it is available on the Red Hat 6.1 or 6.2 CD-ROM.

- Check whether the zlib-devel package is already installed with the following command:

[root@deep /]# rpm -qi zlib-devel

- Install the zlib-devel package with the following commands:

[root@deep /]# mount /dev/cdrom /mnt/cdrom/
[root@deep /]# cd /mnt/cdrom/RedHat/RPMS/
[root@deep RPMS]# rpm -Uvh zlib-devel-version.i386.rpm
zlib-devel   ##################################################
[root@deep RPMS]# cd /; umount /mnt/cdrom/

OpenSSL must be installed before OpenSSH is used: even if you never use OpenSSL yourself to create or store encrypted files, OpenSSH needs OpenSSL's libraries in order to run.

When installing a package it is wise to make a list of all the files on the system before compiling, make another list afterwards, and compare the two with the "diff" command; the difference shows exactly what was installed and where. Simply run "find /* > OpenSSH1" before compiling, run "find /* > OpenSSH2" after compiling and installing the software, and then record the changes with "diff OpenSSH1 OpenSSH2 > OpenSSH-Installed".

Compile and install

Decompress the package (tar.gz):

[root@deep /]# cp openssh-version.tar.gz /var/tmp
[root@deep /]# cd /var/tmp
[root@deep tmp]# tar xzpf openssh-version.tar.gz

Compilation and optimization

First step

Go to the new OpenSSH directory and first set the compiler's compilation parameters:

CC="egcs" \
CFLAGS="-O9 -funroll-loops -ffast-math -malign-double -mcpu=pentiumpro -march=pentiumpro -fomit-frame-pointer -fno-exceptions" \
./configure \
--prefix=/usr \
--sysconfdir=/etc/ssh \
--with-tcp-wrappers \
--with-ipv4-default \
--with-ssl-dir=/usr/include/openssl

These settings tell the compiler how to compile OpenSSH:

- Link against the libwrap library and add support for TCP Wrappers

- Disable the Linux/glibc-2.1.2 delay, shortening the time needed to establish a connection

- Set the path to the OpenSSL library so that OpenSSH can run normally

Second step

Now, compile and install OpenSSH:

[root@deep openssh-1.2.3]# make
[root@deep openssh-1.2.3]# make install
[root@deep openssh-1.2.3]# make host-key
[root@deep openssh-1.2.3]# install -m644 contrib/redhat/sshd.pam /etc/pam.d/sshd

The "make" command compiles the source files into executable binaries; "make install" puts the binaries and configuration files in the appropriate directories; "make host-key" generates the host key; and the "install" command installs PAM support for OpenSSH on Red Hat Linux.

Clean up unnecessary files

Use the following commands to delete the files that are no longer needed:

[root@deep /]# cd /var/tmp
[root@deep tmp]# rm -rf openssh-version/ openssh-version.tar.gz

The "rm" command deletes all the source code used to compile and install OpenSSH, together with the compressed OpenSSH package.

Configuration

You can download the "floppy.tgz" file from http://www.openna.com/books/floppy.tgz. After unpacking "floppy.tgz" you will find, in the appropriate directories, the configuration files for all the software introduced in this book, so there is no need to recreate these files by hand or to copy and paste them from the book. Whether you create the configuration files yourself or copy them, you must learn how to modify them and how to copy them to the correct directories; the details are described below. To run OpenSSH you must create or copy the following files to the appropriate directories:

- Copy the "sshd_config" file to the "/etc/ssh" directory

- Copy the "ssh_config" file to the "/etc/ssh" directory

- Copy the "ssh" file to the "/etc/pam.d/" directory

After decompressing "floppy.tgz", find the files listed above and copy them to the appropriate directories, or copy and paste them directly from this book.

Configuring the "/etc/ssh/ssh_config" file

The "/etc/ssh/ssh_config" file is the system-wide configuration file for the OpenSSH client; by setting different options in it you change how the client program behaves. Each line of the file contains a "keyword value" pair, and keywords are case-insensitive. The most important keywords are listed below; use the man command to view the help page (ssh(1)) for the complete list.

Edit the "ssh_config" file (vi /etc/ssh/ssh_config) and add or change the following parameters:

# Site-wide defaults for various options
Host *
ForwardAgent no
ForwardX11 no
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
FallBackToRsh no
UseRsh no
BatchMode no
CheckHostIP yes
StrictHostKeyChecking no
IdentityFile ~/.ssh/identity
Port 22
Cipher blowfish
EscapeChar ~

The options above are explained line by line below:

Host *
The options that follow a "Host" line apply only to computers matching the string after it. "*" means all computers.

ForwardAgent no
"ForwardAgent" sets whether the connection to the authentication agent (if any) is forwarded to the remote computer.

ForwardX11 no
"ForwardX11" sets whether X11 connections are automatically redirected over the secure channel and DISPLAY is set.

RhostsAuthentication no
"RhostsAuthentication" sets whether rhosts-based authentication is used.

RhostsRSAAuthentication no
"RhostsRSAAuthentication" sets whether rhosts-based authentication combined with RSA host authentication is used.

RSAAuthentication yes
"RSAAuthentication" sets whether RSA authentication is used.

PasswordAuthentication yes
"PasswordAuthentication" sets whether password authentication is used.

FallBackToRsh no
"FallBackToRsh" sets whether rsh is used automatically if the ssh connection fails.

UseRsh no
"UseRsh" sets whether rlogin/rsh should be used for this computer.

BatchMode no
If "BatchMode" is set to "yes", the passphrase/password prompt (interactive password entry) is disabled. This option is useful in scripts and other situations where the password cannot be entered interactively.

CheckHostIP yes
"CheckHostIP" sets whether ssh additionally checks the IP address of the host it connects to, so that DNS spoofing can be detected. "yes" is recommended.

StrictHostKeyChecking no
If "StrictHostKeyChecking" is set to "yes", ssh never automatically adds a host's key to the "$HOME/.ssh/known_hosts" file, and it refuses to connect to a host whose key has changed.

IdentityFile ~/.ssh/identity
"IdentityFile" sets the file from which the user's RSA authentication identity is read.

Port 22
"Port" sets the port to connect to on the remote host.

Cipher blowfish
"Cipher" sets the cipher used to encrypt the session.

EscapeChar ~
"EscapeChar" sets the escape character.

Configuring the "/etc/ssh/sshd_config" file

"/etc/ssh/sshd_config" is the configuration file for the OpenSSH daemon; its options change how the daemon runs. Each line of the file contains a "keyword value" pair, and keywords are case-insensitive. The most important keywords are listed below; use the man command to view the help page (sshd(8)) for the complete list.

Edit the "sshd_config" file (vi /etc/ssh/sshd_config) and add or change the following parameters:

# This is ssh server systemwide configuration file.
Port 22
ListenAddress 192.168.1.1
HostKey /etc/ssh/ssh_host_key
ServerKeyBits 1024
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin no
IgnoreRhosts yes
IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding no
PrintMotd yes
SyslogFacility AUTH
LogLevel INFO
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
AllowUsers admin

The options above are explained line by line below:

Port 22
"Port" sets the port number on which sshd listens.

ListenAddress 192.168.1.1
"ListenAddress" sets the IP address to which the sshd server binds.

HostKey /etc/ssh/ssh_host_key
"HostKey" sets the file containing the host's private key.

ServerKeyBits 1024
"ServerKeyBits" defines the number of bits in the server key.

LoginGraceTime 600
"LoginGraceTime" sets how long (in seconds) the server waits for a user who has not logged in successfully before it closes the connection.

KeyRegenerationInterval 3600
"KeyRegenerationInterval" sets after how many seconds the server key is automatically regenerated. Regenerating the key prevents intercepted sessions from being decrypted later with a stolen key.

PermitRootLogin no
"PermitRootLogin" sets whether root can log in with ssh. This option must never be set to "yes".

IgnoreRhosts yes
"IgnoreRhosts" sets whether the "rhosts" and "shosts" files are ignored during authentication.

IgnoreUserKnownHosts yes
"IgnoreUserKnownHosts" sets whether the ssh daemon ignores the user's "$HOME/.ssh/known_hosts" file during RhostsRSAAuthentication.

StrictModes yes
"StrictModes" sets whether sshd checks the permissions of the user's home directory and rhosts files before accepting a login. This is normally desirable, because novices often leave their directories and files writable by everyone.

X11Forwarding no
"X11Forwarding" sets whether X11 forwarding is permitted.

PrintMotd yes
"PrintMotd" sets whether sshd prints the contents of "/etc/motd" when a user logs in.

SyslogFacility AUTH
"SyslogFacility" sets the facility code used when logging messages from sshd.

LogLevel INFO
"LogLevel" sets the verbosity level of sshd's log messages. INFO is a good choice; see the sshd man page for more information.

RhostsAuthentication no
"RhostsAuthentication" sets whether authentication using rhosts or "/etc/hosts.equiv" alone is sufficient.

RhostsRSAAuthentication no
"RhostsRSAAuthentication" sets whether rhosts or "/etc/hosts.equiv" authentication combined with RSA host authentication is allowed.

RSAAuthentication yes
"RSAAuthentication" sets whether pure RSA authentication is allowed.

PasswordAuthentication yes
"PasswordAuthentication" sets whether password authentication is allowed.

PermitEmptyPasswords no
"PermitEmptyPasswords" sets whether logging in to accounts with empty passwords is allowed.

AllowUsers admin
"AllowUsers" is followed by any number of user names or user@host patterns, separated by spaces; login is then allowed only for users matching one of them. The host part can be a DNS name or an IP address.
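The two configuration files above share one format ("keyword value", keywords case-insensitive), and the page's hardened sshd values are not sshd's defaults, so a file that merely omits them is not hardened. The following audit script is an added example, not the book's or OpenSSH's code; the weak sample file it checks is constructed, and the baseline is the set of server-side values recommended above.

```python
# Audit an sshd_config (ssh_config uses the same "keyword value" format) against
# the hardened values on this page.  Added example, not the book's code; the
# weak sample file below is constructed.

# Server-side values this page recommends; keywords lowercased because sshd treats them case-insensitively.
SSHD_BASELINE = {
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
    "ignorerhosts": "yes",
    "rhostsauthentication": "no",
    "rhostsrsaauthentication": "no",
    "strictmodes": "yes",
    "x11forwarding": "no",
}

def parse_ssh_config(text):
    """Return {lowercased keyword: value}; the first occurrence of a keyword
    wins, as in sshd(8).  The value is everything after the first whitespace,
    so "AllowUsers admin operator" is kept intact."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(parts[0].lower(), value)
    return settings

def audit_sshd_config(text, baseline=SSHD_BASELINE):
    """Return [(keyword, value_found, value_expected)] for each deviation.
    A keyword missing from the file is reported with value_found=None, since
    the page's values are not sshd's defaults.  AllowUsers is checked for
    presence only; the permitted names are site-specific."""
    settings = parse_ssh_config(text)
    findings = []
    for key, expected in baseline.items():
        found = settings.get(key)
        if found is None or found.lower() != expected:
            findings.append((key, found, expected))
    if "allowusers" not in settings:
        findings.append(("allowusers", None, "<one or more user names>"))
    return findings

# Constructed weak file: root login enabled, empty passwords allowed (the
# later "no" is ignored because the first occurrence wins), no AllowUsers.
WEAK_CONFIG = """\
PermitRootLogin yes
IgnoreRhosts yes
RhostsAuthentication no
RhostsRSAAuthentication no
StrictModes yes
X11Forwarding no
PermitEmptyPasswords yes
permitemptypasswords no
"""

if __name__ == "__main__":
    for key, found, expected in audit_sshd_config(WEAK_CONFIG):
        print(f"{key}: found {found!r}, expected {expected!r}")
```

Running it against the real file is a matter of passing open("/etc/ssh/sshd_config").read() to audit_sshd_config.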

Configuring OpenSSH to use the TCP Wrappers inetd super server

TCP Wrappers is used to start and stop the sshd1 service. When inetd runs, it reads its configuration from a configuration file (by default "/etc/inetd.conf"). The fields on each line of that file are separated by tabs or spaces.

First step

Edit the "inetd.conf" file (vi /etc/inetd.conf) and add this line:

ssh     stream  tcp     nowait  root    /usr/sbin/tcpd  sshd -i

Note: the "-i" parameter is important; it tells sshd that it is being run from inetd. After adding this line, make inetd re-read "inetd.conf" by sending it a SIGHUP signal (killall -HUP inetd).

[root@deep /root]# killall -HUP inetd

Second step

Edit the "hosts.allow" file (vi /etc/hosts.allow) and add this line:

sshd: 192.168.1.4 win.openarch.com

This line allows the host with IP address "192.168.1.4" and the host named "win.openarch.com" to access the server with ssh.

The following "daemon" strings (for TCP Wrappers) are used by sshd1:

sshdfwd-X11 (allow/deny X11 forwarding).
sshdfwd-<port-number> (TCP forwarding).
sshdfwd-<port-name> (port-name as defined in /etc/services; used for TCP forwarding).
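To see how tcpd turns the hosts.allow line above and the sshdfwd-* daemon names into an accept or reject decision, here is an added example (not the book's or tcpd's code) that implements the hosts_access(5) lookup order for a connection to sshd; the two rule files are constructed, and only the pattern forms met in this chapter are implemented.

```python
# Evaluate TCP Wrappers access decisions for sshd the way tcpd's hosts_access
# does.  Added example, not the book's or tcpd's code; the rule files below are
# constructed.  Only the pattern forms met in this chapter are implemented:
# exact host name or address, a leading-dot domain suffix (".openarch.com"),
# a net/mask pair and the ALL wildcard.
import ipaddress

def _matches(pattern, client_ip, client_name):
    """True when one client-list pattern matches the connecting host."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):          # ".openarch.com" matches win.openarch.com
        return client_name.endswith(pattern)
    if "/" in pattern:                   # "192.168.1.0/255.255.255.0"
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern in (client_ip, client_name)

def _rules(text):
    """Yield (daemon_list, client_list) from a hosts.allow / hosts.deny body."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        yield daemons.split(), clients.split()

def _file_matches(text, daemon, client_ip, client_name):
    return any(
        (daemon in daemons or "ALL" in daemons)
        and any(_matches(p, client_ip, client_name) for p in clients)
        for daemons, clients in _rules(text)
    )

def hosts_access(allow_text, deny_text, daemon, client_ip, client_name=""):
    """Return True if tcpd would hand the connection to `daemon`: hosts.allow
    is consulted first and a match grants; then hosts.deny and a match denies;
    a connection matching neither file is granted."""
    if _file_matches(allow_text, daemon, client_ip, client_name):
        return True
    if _file_matches(deny_text, daemon, client_ip, client_name):
        return False
    return True

# Constructed rule files: the page's sshd line, X11 forwarding only from the
# 192.168.1.0 network, and everything else denied.
HOSTS_ALLOW = """\
sshd: 192.168.1.4 win.openarch.com
sshdfwd-X11: 192.168.1.0/255.255.255.0
"""
HOSTS_DENY = "ALL: ALL\n"

if __name__ == "__main__":
    print(hosts_access(HOSTS_ALLOW, HOSTS_DENY, "sshd", "192.168.1.4"))   # True
    print(hosts_access(HOSTS_ALLOW, HOSTS_DENY, "sshd", "10.0.0.9"))      # False
```

The last case in hosts_access is the one worth remembering: without the "ALL: ALL" line in hosts.deny, any client that matches nothing in hosts.allow is still let through.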

Note: if you intend to use SSH, you must use it on every server. Ten secure servers together with one insecure server provide no security at all.

More information

For more detailed information, use the man command to read the relevant help pages:

$ man ssh (1)         - OpenSSH secure shell client (remote login program)
$ man slogin (1)      - OpenSSH secure shell client (remote login program)
$ man ssh-add (1)     - adds identities for the authentication agent
$ man ssh-agent (1)   - authentication agent
$ man ssh-keygen (1)  - authentication key generation
$ man sshd (8)        - secure shell daemon

Per-user SSH1 configuration

First step

Create a private and public key pair for the local server by executing the following commands:

[root@deep]# su username
[username@deep]$ ssh-keygen1

For example, the output may look like this:

Initializing random number generator...
Generating p:  ........................... (distance 430)
Generating q:  ................. (distance 456)
Computing the keys...
Testing the keys...
Key generation complete.
Enter file in which to save the key (/home/username/.ssh/identity):
Enter passphrase:
Enter the same passphrase again:
Your identification has been saved in /home/username/.ssh/identity.
Your public key is:
1024 37 14937757511251955533691120318477293862290049394715136511145806108870001764378494676831297577843158532272361206100623146044053648718436774842332409194184809889078609971752444697758964712775703072877997370856999301704314156353633306888894403817846160859248384459020215410275690305584653406336563558489976540218 username@deep.openarch.com
Your public key has been saved in /home/username/.ssh/identity.pub

Note: if you have multiple accounts, you need to create a key for each of them.

You may need to create a key for each of the following servers:

- Mail server

- Web server

- Gateway server

This allows access to these servers to be limited; for example, an account on the mail server is not allowed to access the web server or the gateway server. This increases overall security: even if a key leaks for some reason, the other servers are not affected.

Second step

Copy the local host's public key to the "/home/username/.ssh" directory on the remote host, for example under the name "authorized_keys".

Note: one way to copy the file is the ftp command; another is to e-mail the public key (the contents of the "~/.ssh/identity.pub" file) to the system administrator.

Changing the passphrase

The passphrase can be changed at any time by running the "ssh-keygen" command with the "-p" parameter. Use the following commands to change the passphrase:

[root@deep]# su username
[username@deep]$ ssh-keygen1 -p

Enter file key is in (/home/username/.ssh/identity): [press Enter]
Enter old passphrase:
Key has comment 'username@deep.openarch.com'
Enter new passphrase:
Enter the same passphrase again:
Your identification has been saved with the new passphrase.

OpenSSH user tools

Listed below are some of the commands we use most often. There are of course many others; more detailed information is in the man pages and other documentation.

ssh

ssh (Secure Shell) is a program for logging in to a remote computer and executing commands on it. It replaces rlogin and rsh, and provides secure, encrypted communication between two computers over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel.

Use the following command to log in to the remote computer:

[root@deep]# ssh -l <login_name> <hostname>

For example:

[root@deep]# ssh -l username www.openarch.com
username@deep.openarch.com's password:
Last login: Tue Oct 19 1999 18:13:00 -0400 from get.openarch.com
Welcome to www.openarch.com on Deepforest.

<login_name> is the user name used to log in to the SSH server, and <hostname> is the address of the SSH server host.

scp

The scp command copies files from the local computer to a remote computer or the other way round, and can even copy files between two remote computers. A simple way to copy a file from a remote host into the current directory is shown below.

Use the following commands to copy a file from the remote host to the local host:

[root@deep /]# su admin
[admin@deep /]$ scp -p <login_name>@<hostname>:/dir/for/file localdir/to/filelocation

For example:

[username@deep]$ scp -p username@mail:/etc/test1 /tmp
Enter passphrase for username@mail.openarch.com:
test1                     |   2 KB |   2.0 kB/s | ETA: 00:00:00 | 100%

Use the following commands to copy a file from the local host to the remote host:

[root@deep /]# su admin
[admin@deep /]$ scp -p localdir/to/filelocation <login_name>@<hostname>:/dir/for/file

For example:

[username@deep]$ scp -p /usr/bin/test2 username@mail:/var/tmp
username@mail's password:
test2                     |   7 KB |   7.9 kB/s | ETA: 00:00:00 | 100%

Note: the "-p" option preserves the file's modification and access times and its permissions during the copy. It is normally used.

Files installed on the system

/etc/ssh
/etc/ssh/ssh_config
/etc/ssh/sshd_config
/etc/ssh/ssh_host_key
/etc/ssh/ssh_host_key.pub
/usr/bin/ssh
/usr/bin/slogin
/usr/man/man1/ssh.1
/usr/man/man1/scp.1
/usr/man/man1/ssh-add.1
/usr/man/man1/ssh-agent.1
/usr/man/man1/ssh-keygen.1
/usr/bin/scp
/usr/bin/ssh-add
/usr/bin/ssh-agent
/usr/bin/ssh-keygen
/usr/man/man1/slogin.1
/usr/man/man8/sshd.8
/usr/sbin/sshd

Windows platform

PuTTY homepage: http://www.chiark.greenend.org.uk/~sgtatham/putty.html

Tera Term Pro homepage: http://hp.vector.co.jp/authors/va002416/teraterm.html

TTSSH homepage: http://www.zip.com.au/~roca/download.html

Copyright notice

This article was translated and adapted from Gerhard Mourani's "Securing and Optimizing Linux: RedHat Edition"; for the original text and its copyright terms, see www.openna.com.

The copyright of the Chinese version belongs to the author brimmer and www.linuxaid.com.cn.

Please cite the original source when reposting: https://www.9cbs.com/read-47207.html
