"SSH Authoritative Guide" book review

xiaoxiao 2021-03-06

23:29 2004-3-12 My evaluation: this is a book about communication security. If you want to protect your communications, it offers a good solution. It first covers the SSH protocol and then specific open-source and commercial implementations; treating the open-source and commercial implementations side by side, however, makes the book feel somewhat chaotic.

Note: because OpenSSH is open-source software, configuration keywords and parameters differ between releases, so when configuring, follow the manual of the version you are actually running rather than the settings printed in the book.

Chapter 1: Introduction to SSH. SSH (Secure Shell) is a general-purpose, powerful, software-based network security solution. Every time a computer sends data onto the network, SSH encrypts it automatically; when the data reaches its destination, SSH decrypts it automatically. The whole process is transparent to the user. It uses modern cryptographic algorithms, strong enough to meet the requirements of large organisations.

The SSH protocol covers authentication, encryption, and the integrity of data transmitted over the network.

Overview of SSH features:
1. Remote login: $ ssh -l root example.com
2. Secure file transfer: $ scp myfile metoo@secondaccount.com
3. Secure remote command execution, which protects the data transferred.
4. Keys and agents: key-based authentication removes the need to remember several account passwords.
5. Access control: you can authorise other people to access an account.
6. Port forwarding: $ ssh -L3002:localhost:119 xxx.xxx.com

Related security technologies:
The r-commands: rsh, rlogin and rcp. The connection is not encrypted and the authentication model is very weak.
PGP, an encryption program that works on files.
Kerberos, an authentication system for networks that may be monitored and whose computers are not under central control; it comes from MIT's Project Athena. SSH is not Kerberos: SSH is lightweight and easy to deploy, whereas Kerberos needs significant infrastructure in place before it can be used.
IPsec, the Internet security protocol.
SRP, the Secure Remote Password protocol, developed at Stanford University; it is purely an authentication protocol.
SSL, the Secure Sockets Layer. Stunnel is an SSL tool that adds SSL protection to TCP-based services on Unix (POP, IMAP, etc.) without modifying the server program's source.

Chapter 2: Basic use of the SSH client. The two most common functions: 1. logging in to a remote computer over a secure connection; 2. copying files between computers over a secure connection.

When you connect to an SSH server for the first time, you are asked whether to continue; answering yes copies the host's public key into your known-hosts file. On later connections to this server the client uses that public key to verify the remote host. It is best to obtain the host's public key through some other channel before the first connection; otherwise you may already be the victim of a man-in-the-middle attack.

Authentication with keys. SSH supports public key authentication, and the keys can be encrypted with a passphrase; keys are safer than passwords. SSH authentication uses a key pair: the private key is secret information unique to you, which SSH uses to prove your identity to the server; the public key is not secret and can be placed in your account on the SSH server. During authentication the server checks that the client holds the private key matching that public key; if the identity is proved, authentication succeeds.

Before using public key authentication, some set-up is needed:
1. Generate a key pair and protect the private key with a passphrase. Generate the pair with the ssh-keygen program. If there is no SSH directory yet, the program creates the local directory ~/.ssh and stores the generated key in two files: the public part in identity.pub and the private part in identity (SSH1 and OpenSSH), or id_dsa_1024_a and id_dsa_1024_a.pub (SSH2).
2. Install your public key on the SSH server. This is done through a file in the SSH directory: ~/.ssh/authorized_keys for SSH1 and OpenSSH, ~/.ssh2/authorization for SSH2. From version 3.0, OpenSSH also uses the authorized_keys file for SSH-2 connections; before 3.0 it used authorized_keys2. Append the contents of the identity.pub file generated on the local machine. For SSH2 the user must edit two files, one on the client and one on the server. On the client, create or edit the file ~/.ssh2/identification and insert one line naming your private key file: IdKey id_dsa_1024_a. On the server, create or edit ~/.ssh2/authorization, which holds the public key information. Unlike the SSH1 authorized_keys file (which contains a copy of the public key), authorization only names the public key file: Key id_dsa_1024_a.pub. Finally, copy that public key file from the local machine to ~/.ssh2 on the server. For security, make sure the SSH directory is protected so that only the owner can write to it; if the permissions on a remote user's SSH configuration files are not set properly, the server may refuse authentication.

Public key authentication is safer than password authentication because:
1. Public key authentication needs two secret components (the identity file on disk and the passphrase in the user's head), so an intruder must obtain both. Password authentication needs only one, the password, which is more likely to be stolen.
2. In public key authentication neither the passphrase nor the key is sent to the remote host, only the authenticator discussed earlier, so no secret information leaves the client.
3. Machine-generated keys cannot be guessed, whereas passwords chosen by people are easily attacked. Disabling password authentication and allowing only key authentication greatly improves a host's security.
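The server-side half of step 2, for the SSH1/OpenSSH authorized_keys layout, as an added example that is not from the book: a POSIX sh function that appends one public key line to an account's authorized_keys and leaves the directory and file with the owner-only modes a StrictModes server checks. It refuses anything that is not a single SSH-2 public key line (so a private key cannot be pasted by mistake) and is idempotent, so re-running it does not duplicate the key. The function names and the sample key line are this example's own; the key data is constructed and not a real key.

```shell
#!/bin/sh
# Added example, not from the book: install a public key into an account's
# authorized_keys file (SSH1/OpenSSH layout) with the permissions that a server
# running StrictModes accepts.  Idempotent: an identical key line is added once.
# Usage: install_pubkey <home-dir> "<one line from id_*.pub>"

install_pubkey() {
    home="$1"
    keyline="$2"
    sshdir="$home/.ssh"
    authfile="$sshdir/authorized_keys"

    # Accept only a single SSH-2 public-key line (key type, base64 blob,
    # optional comment).  This stops a private key or a whole file being pasted.
    case "$keyline" in
        ssh-rsa\ *|ssh-dss\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "refusing: not a public key line" >&2; return 1 ;;
    esac
    nl='
'
    case "$keyline" in
        *"$nl"*) echo "refusing: more than one line" >&2; return 1 ;;
    esac

    # Create the directory and file owner-only (umask 077 in a subshell so the
    # caller's umask is untouched), then pin the modes sshd expects.
    ( umask 077 && mkdir -p "$sshdir" && touch "$authfile" ) || return 1
    chmod 700 "$sshdir"
    chmod 600 "$authfile"

    # Whole-line, fixed-string match: re-running the installer is a no-op.
    if ! grep -qFx -- "$keyline" "$authfile"; then
        printf '%s\n' "$keyline" >> "$authfile"
    fi
}

# count_keys <authorized_keys>: number of key lines (blank and # lines ignored)
count_keys() {
    grep -cvE '^[[:space:]]*(#|$)' "$1"
}
```

The modes matter as much as the contents: with StrictModes yes, a group- or world-writable ~/.ssh or authorized_keys makes sshd ignore the key, which shows up to the user as an unexplained fall-back to password authentication.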

Modifying keys. If you have generated a key pair and copied the public key to several SSH servers, and then decide to change your identity by running ssh-keygen again, the new pair overwrites the identity and identity.pub files. If the old key is no longer usable, the new public key must be copied to every server again. This is a headache, so:
1. You are not limited to one key pair: you can generate additional pairs, store them under different file names, and use them for different purposes.
2. If you only want to change your passphrase, there is no need to regenerate the key pair; ssh-keygen has a command-line option to replace the passphrase on an existing key: -p for SSH1 and OpenSSH, -e for SSH2. Because the private key itself does not change, the public key remains valid; the new passphrase is simply what is needed to decrypt the private key.

SSH agent. An agent keeps private keys in memory and answers authentication requests on your behalf, so you need not retype the passphrase until you log out. The agent is ssh-agent. It can be run by hand, or from ~/.login or ~/.xsession: $ ssh-agent $SHELL, where SHELL is the environment variable holding the user's login shell. After this command, open another shell; the agent is reachable from that shell. Then load keys with the ssh-add command. From then on ssh and scp run without prompting for the passphrase, which is held in memory. If the user is running the X Window System with the DISPLAY variable set and standard input is not a terminal, ssh-add uses the graphical X program ssh-askpass to read the passphrase. To force ssh-add to read the passphrase through X, enter ssh-add

Connecting without a password or passphrase: 1. public key authentication with an agent; 2. trusted-host authentication; 3. Kerberos authentication. The advantages and disadvantages of these methods are discussed later.

sftp is a separate file transfer tool that runs over SSH. It works like ftp: several commands can be issued within one session to copy and manipulate files, whereas scp opens a new session on every call. sftp does not distinguish ASCII and binary transfer modes; it only has binary mode, so when copying ASCII files between Windows and Unix it does not convert line endings.

Chapter 3: Inside SSH. Main features and advantages of the SSH protocol:
1. Strong encryption to keep data private. Traffic is encrypted end to end with a random key, negotiated securely for the session and discarded when the session ends. Supported algorithms include ARCFOUR, Blowfish, DES, IDEA, 3DES, etc.
2. Communication integrity, ensuring that traffic is not modified in transit, with keyed hash algorithms based on MD5 and SHA-1.
3. Authentication: identification of sender and recipient, with mutual authentication of client and server.
4. Authorization: control over what an account may access.
5. Forwarding, or tunnelling, to encrypt other TCP/IP-based sessions. Three kinds are supported: TCP port forwarding, X forwarding, and agent forwarding.
Attacks SSH can prevent:
1. Eavesdropping: SSH traffic is encrypted, so even if the session is intercepted it cannot be decrypted.
2. Name service and IP spoofing: SSH avoids this risk by cryptographically verifying the server host's identity.
3. Connection hijacking: SSH's integrity checking detects whether the session has been modified and closes the connection if it has.
4. Man-in-the-middle attacks: SSH uses two defences. The first is server host authentication, which holds unless the attacker has already compromised the server host and obtained its private host key. The second is restricting the authentication methods that are susceptible to this attack: password authentication is vulnerable to a man-in-the-middle, whereas public key and host/RhostsRSA authentication are immune.
5. Insertion attacks, in which arbitrary data is inserted into the stream between client and server. SSH1 from 1.2.25 and all versions of OpenSSH are specifically designed to detect and prevent this attack. The detection makes an insertion attack harder but does not prevent it completely. SSH2 uses strong cryptographic integrity checks to prevent the problem, and using the 3DES cipher also counters the attack.

Attacks SSH cannot prevent:
1. Password cracking. Password authentication is a weak form of authentication; use public key authentication where possible. If you must use password authentication, consider a one-time password mechanism such as S/Key.
2. IP and TCP attacks. Because SSH runs on top of TCP, it is exposed to defects in TCP and IP: SYN flooding, TCP desynchronisation and TCP hijacking. These can only be countered by protections at lower layers.
3. Traffic analysis.
4. Covert channels.
5. Carelessness. Security is a process, not a product; do not assume that installing SSH makes you safe.

Chapter 4: SSH installation and compile-time configuration

Chapter 5: Server-wide configuration. sshd can be configured at three levels: the first is the installation and compile-time configuration above; the second is the server-wide configuration of this chapter; the third is per-account configuration (Chapter 8). The first decides which features are compiled into the server and which are left out; the last lets end users modify the server's behaviour for their own account.

Running an SSH server as an ordinary user:
1. Obtain permission from the administrator.
2. Generate a host key: $ ssh-keygen -N '' -b 1024 -f ~/myserver/hostkey, which produces two files.
3. Choose a port number, 1024 or greater, because only the superuser may use ports below 1024.
4. Create a server configuration file (optional). Without one, the server uses its built-in defaults or the server-wide configuration file.
Start the server: $ sshd -h ~/myserver/hostkey -p 2345 -f ~/myserver/config
This has some disadvantages: 1. since it does not run under root's uid, it can only accept connections to your own account; 2. it must be started by hand and cannot start at boot; 3. you cannot see the logs, because the server writes them to syslog; you can, however, run the server in debug mode so that messages are shown on the terminal.
Server configuration file: for SSH1 and OpenSSH it is usually /etc/sshd_config; for SSH2 it is usually /etc/ssh2/sshd2_config.

To run sshd with a non-default configuration file, use the -f option: $ sshd -f /usr/local/ssh/my_config

A line whose label is * is ignored by sshd.

Changes to the configuration file do not take effect immediately; restart the server or send it a SIGHUP signal: $ kill -HUP `cat /etc/sshd.pid`

Settings given on the command line are not overridden when the server re-reads its configuration on SIGHUP: command-line options have higher priority than the configuration file.

Host key. The sshd host key identifies the SSH server to SSH clients. It is stored in a pair of files, one holding the private key and one the public key. For SSH1 and OpenSSH it is /etc/ssh_host_key; the location can be changed with the HostKey keyword: HostKey /usr/local/ssh/key. The server's public key is stored in the .pub file. The OpenSSH server also has an SSH-2 host key, by default /etc/ssh_host_dsa_key; its location can be changed with HostDSAKey /usr/local/openssh/key2.

For SSH2, if the server runs as the superuser, the default private key file is /etc/ssh2/hostkey; if it runs as another user, ~/.ssh2/hostkey. It can be changed with HostKeyFile /etc/local/ssh/key. The public key is in hostkey.pub and can be changed with the PublicHostKeyFile keyword.

The private key file can also be given with a command-line option: $ sshd -h /usr/local/ssh/key

Random seed file. If the system has a random source such as /dev/urandom, OpenSSH does not create a random seed file.

Server configuration files are usually /etc/sshd_config and /etc/ssh2/sshd2_config; the -f option specifies a different one, which allows several sshds to run on one machine.

Per-account authorization file: ~/.ssh/authorized_keys.

File permissions. Wrong permissions on configuration files reduce the system's security, so the StrictModes yes/no keyword makes sshd check the permissions of its important files and directories; if the check fails, the server refuses the user's SSH connection.

On a multi-homed host, ListenAddress xxx.xxx.xxx.xxx restricts sshd to listening on one network interface. Idle connection timeout: IdleTimeout xx; 0 means never time out and keep the connection; otherwise the connection is closed after the timeout, with units s, m, h, d, w.

KeepAlive yes/no: detect and drop failed connections, for example when the client has crashed.

Failed logins: LoginGraceTime 60 requires the user to authenticate successfully within 60 seconds; the value 0 disables the limit. Command-line option: -g.

PasswordGuesses 5: when a connection request is being authenticated, sshd2 allows the client only five attempts. (SSH2)

Limit concurrent connections: MaxConnections 32 allows at most 32 connections. (SSH2)

Reverse IP mapping: the SSH2 server can perform a reverse DNS lookup on the client address to make sure the client really has that address; if the check fails, the connection is refused. RequireReverseMapping yes (SSH2)

Forwarding: AllowTcpForwarding yes, X11Forwarding yes

The server key. This key protects communication between client and server; it is temporary and is never saved to disk. The server generates it at startup and regenerates it at a fixed interval. The default length is 768 bits, the minimum 512, and the length can be set with ServerKeyBits 2048. The interval is set with KeyRegenerationInterval 1200. Command-line option: -k.

Encryption algorithms: Ciphers any allows all supported algorithms; other values include 3des-cbc, blowfish-cbc, twofish-cbc, arcfour, none.

The MAC keyword lets the user choose the message authentication code sshd2 uses for integrity checking: hmac-sha1, hmac-md5, hmac-md5-96.

In OpenSSH the Protocol keyword selects SSH-1 and SSH-2 support: 1 means SSH-1, 2 means SSH-2, and 1,2 means both.

Allowing users to log in: authentication and access control.
1. Authentication verifies the identity of the user who initiates the connection request.
Password authentication: PasswordAuthentication yes; AllowedAuthentications password (SSH2).
Public key authentication: RSAAuthentication yes (SSH1, OpenSSH/1); AllowedAuthentications publickey (SSH2); DSAAuthentication yes (OpenSSH/2).
Rhosts (trusted-host) authentication checks the remote host name and the associated user name of the client: RhostsAuthentication yes (SSH1, OpenSSH). IgnoreRhosts yes (SSH1, SSH2, OpenSSH) ignores the system's hosts.equiv and ~/.rhosts and uses only the SSH-specific /etc/shosts.equiv and ~/.shosts. Strong trusted-host authentication: RhostsRSAAuthentication yes (SSH1, OpenSSH); AllowedAuthentications hostbased (SSH2). Use of the users' known-hosts public keys: UserKnownHosts no (SSH2); IgnoreUserKnownHosts yes (OpenSSH).
Other methods: PGP authentication, Kerberos authentication, S/Key authentication, SecurID authentication, PAM authentication.

2. Access control allows or denies SSH connections to the server from a particular user, machine or Internet domain. Normally, as long as it is set up correctly, any account can accept SSH connections; this can be overridden with the server keywords AllowUsers and DenyUsers. AllowUsers smith allows that user; if an AllowUsers line appears with no names, all users are refused; if there is no AllowUsers line at all, all users may connect. DenyUsers denies the listed users. Wildcards are available. Group access control: AllowGroups, DenyGroups.

Host name access control: AllowHosts hostname, DenyHosts hostname.

Superuser access control: sshd uses a special mechanism for the superuser, PermitRootLogin, which allows or disallows access to the root account via SSH.

Welcome message: PrintMotd yes/no, default yes.

Mail notice: CheckMail yes/no, default yes.

Empty passwords: PermitEmptyPasswords yes/no. With password authentication, if an account has no password set, the server can refuse access to that account.

If /etc/nologin exists, sshd allows only root to log in and nobody else. touch /etc/nologin is therefore a quick way for the system administrator to block access, with no need to reconfigure or restart sshd.

Subsystems define an abstraction layer for remote commands. A user can run a remote command by giving it on the client command line, e.g. ssh server.example.com /bin/tar c /home, which runs tar on the remote machine to archive /home. A subsystem is a set of remote commands predefined on the server so that they can be invoked easily. Define it in the server configuration file: Subsystem backups /bin/tar c /home. To run it, use the -s option on the client: ssh -s backups server.example.com. By default sshd_config defines one subsystem, Subsystem sftp; do not delete it, because scp2 and sftp require it.

Logging. Fascist logging mode writes debugging information to the system log file and is enabled with the FascistLogging keyword. Debug mode is enabled with the -d command-line option. Quiet mode outputs only serious errors and no normal log messages; enable it with the QuietMode keyword or the -q command-line option. In OpenSSH the logging keywords are SyslogFacility and LogLevel. SyslogFacility sets the syslog facility (kern, daemon, user, auth, mail, etc.); LogLevel sets how much detail the log carries: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG. DEBUG violates users' privacy and should be used only for diagnosis, never for normal operation.

Chapter 6: Key management and agents. An identity consists of two parts, a private key and a public key, together called a key pair.

The identity files of SSH1, SSH2 and OpenSSH differ. By default SSH1 stores the private key in the file identity and the public key in identity.pub, both in the ~/.ssh directory. Copy the public key into the authorization file on the server, ~/.ssh/authorized_keys for SSH1 and OpenSSH; afterwards, when the client requests a connection to that account on the server, the private key serves as proof of identity and the server looks in authorized_keys for the matching public key. SSH2 names the key files after the algorithm and size of the key: a 1024-bit key generated with DSA is stored by default as id_dsa_1024_a and id_dsa_1024_a.pub. The user must list the private key in the identification file, by default in the ~/.ssh2/ directory; each private key occupies one line in this file, beginning with the keyword IdKey followed by the private key file name, e.g.:
IdKey id_dsa_1024_a
IdKey my-other-ssh2-key
In the server-side authorization file ~/.ssh2/authorization, SSH2 does not include a copy of the public key; it only lists the public key file with the keyword Key, e.g.:
Key id_dsa_1024_a.pub
Key something-else.pub
This is easier and more convenient.

For SSH-1 connections, OpenSSH's identity and authorization files are the same as SSH1's. For SSH-2 connections the default keys are ~/.ssh/id_dsa (private key) and ~/.ssh/id_dsa.pub (public key), and the authorization file on the server is ~/.ssh/authorized_keys.

Create an identity with the ssh-keygen command.

OpenSSH's ssh-keygen supports all the functions and options of SSH1's and adds the ability to generate DSA keys for SSH-2 connections: $ ssh-keygen -t dsa -b 1024. The -e option converts a key from OpenSSH format to SSH2 format (run it, then enter the name of the file to convert at the prompt). The -i option (also -x) converts an SSH2-format key to OpenSSH format, which lets an SSH2 client connect to an OpenSSH server (again, enter the file name at the prompt). If you accidentally delete an OpenSSH public key, -y recovers it from the private key. -l computes the fingerprint of a public key. A fingerprint is a common cryptographic technique for comparing two keys held in different places: both OpenSSH and SSH2 compute a short value derived from the key, on the same principle as a checksum, which is used to verify that a piece of information (here, a key) has not been altered.

Starting the agent: 1. single-shell mode, using the current login shell: $ eval `ssh-agent`; 2. subshell mode, which spawns a child shell that inherits the parent shell's environment variables: $ ssh-agent $SHELL. Do not run $ ssh-agent on its own, because clients will then be unable to contact it. To remove an agent, use the kill command.

SSH-1 and SSH-2 agent compatibility: an SSH-1 agent cannot handle SSH-2 requests, but an SSH-2 agent can handle SSH-1 requests.

Chapter 7: Advanced client usage. The command $ ssh -a -p 220 -c blowfish -l sally -i myself server.example.com can be simplified by putting the following in the client configuration file:
Host myserver
    ForwardAgent no
    Port 220
    Cipher blowfish
    User sally
    IdentityFile myself
    HostName server.example.com
After configuring the file, the client command is simply $ ssh myserver.

Global and local files. The global file is usually created by the administrator to define client behaviour for the whole machine; it is usually /etc/ssh_config or /etc/ssh2/ssh2_config. Each user can also create a local client configuration file in their account, usually ~/.ssh/config or ~/.ssh2/ssh2_config. The local file takes precedence over the global file, and command-line options take precedence over the local file.

scp options: -r copy directories recursively; -p preserve file permissions and timestamps; -u delete the source file after copying; -d prevent overwriting existing files; -n show what would be done without doing it; -q do not display statistics.

Chapter 8: Per-account server configuration. This configuration lets the SSH server treat individual users on the server differently; it is done through the authorization file (authorized_keys) of the target account. Two points: first, it cannot override the security measures set by the compile-time and server-wide configuration; second, with public key authentication the per-account configuration is very flexible, whereas with trusted-host and password authentication the range of options is small.

Configuration based on public keys:
1. The full format of an authorization file line has three parts: options, the public key, and a comment. Multiple options are separated by commas.
2. Forced commands restrict what a client can invoke on the server. Whatever command the client requests, e.g. /bin/ls, the server runs the forced command instead, e.g. /bin/who. This is very useful, both for tightening security and for convenient delegation. If you want your assistant to run the mail program pine every time they connect: command="/usr/local/bin/pine" ...key... One forced command can be associated with each key. To associate several commands, put them in a script on the remote host and run that script as the forced command. If the forced command has a shell escape there is a security problem: it is as if there were no forced command at all, and the client can run any program. The following rules help decide whether a program is suitable as a forced command:
a. Avoid programs with shell escapes: file editors (vi, emacs), pagers (more, less), man, news readers (rn), mail readers (pine), debuggers (adb), and also non-interactive programs such as find and xargs.
b. Avoid compilers, interpreters, or any other program that lets the user generate and run arbitrary code.
c. Avoid programs that create or delete files, such as cp, mv, rm, scp, ftp.
d. Avoid setuid or setgid programs, especially setuid-root ones.
e. If a script is used as the forced command, follow the usual rules for secure scripts: inside the script, do not rely on relative paths or the search path but call every program by its absolute path; never blindly execute a string supplied by the user as a command; do not make the script setuid; do not call programs with shell escapes.
f. Consider using a restricted shell.
g. Associate the forced command with a separate, dedicated SSH key (not the key you log in with). The key can then be disabled easily without affecting your ability to log in.
h. Disable unnecessary SSH features, e.g. no-port-forwarding, no-agent-forwarding, no-pty (disables tty allocation).
Some commonly used forced commands. Refuse connections with a custom message: command="/bin/echo Sorry, buddy, but you've been terminated!" ...key... Display a command menu (do not use pagers such as more and less for this). Check the client's original command with a script: command="/bin/echo You tried to invoke $SSH_ORIGINAL_COMMAND" ...key... The environment variable SSH_ORIGINAL_COMMAND holds the command the client originally asked to run when it connected. Restrict the client's original command: write a script that chooses different actions depending on the content of $SSH_ORIGINAL_COMMAND. Log the client's original command: also a script based on the $SSH_ORIGINAL_COMMAND variable, for example:
    #!/bin/sh
    if [ -n "$SSH_ORIGINAL_COMMAND" ]
    then
        echo "`/bin/date`: $SSH_ORIGINAL_COMMAND" >> $HOME/ssh-command-log
        exec $SSH_ORIGINAL_COMMAND
    fi
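The "restrict the client's original command" script that the chapter describes, as an added example that is not the book's code: a forced-command dispatcher for an authorized_keys line such as command="/usr/local/bin/ssh-dispatch",no-port-forwarding,no-agent-forwarding,no-pty ...key... It logs every request, then runs only one of a fixed set of commands selected by the exact value of $SSH_ORIGINAL_COMMAND, so a request like "backup; /bin/ls" or an attempted interactive login is refused rather than executed (the logging-only script above exec's the client's string as-is, which rule e warns against). The install path, the log file location, and the two allowed commands are assumptions for the example.

```shell
#!/bin/sh
# Added example, not the book's script: forced-command dispatcher for one
# authorized_keys entry.  sshd puts the client's requested command in
# $SSH_ORIGINAL_COMMAND; we log it and map it to a fixed command list instead
# of executing it.  Log path and allowed commands are this example's assumptions.

LOGFILE="${SSH_COMMAND_LOG:-$HOME/ssh-command-log}"

# log_request <request>: append a timestamped record of what the client asked for
log_request() {
    printf '%s: %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$1" >> "$LOGFILE"
}

# resolve <request>: print the command line to run for an allowed request
# (exact-match only, no options or shell metacharacters accepted); return 1 otherwise
resolve() {
    case "$1" in
        backup) echo "/usr/local/bin/run-backup --incremental" ;;   # assumed job
        status) echo "/bin/df -h /home" ;;
        *)      return 1 ;;
    esac
}

# dispatch <request>: log, then exec the resolved command or refuse.
# An empty request means the client asked for an interactive shell.
dispatch() {
    req="$1"
    log_request "${req:-<interactive>}"
    if cmd=$(resolve "$req"); then
        # $cmd comes from resolve's fixed table, never from the client, so
        # word-splitting it here is intentional.
        exec $cmd
    fi
    echo "refused: ${req:-interactive login}" >&2
    return 1
}

# Only act when started by sshd (it sets SSH_CONNECTION); stay inert otherwise.
if [ -n "${SSH_CONNECTION:-}" ]; then
    dispatch "${SSH_ORIGINAL_COMMAND:-}"
fi
```

Pair the dispatcher with a dedicated key and the no-pty, no-port-forwarding and no-agent-forwarding options from rule h, so that the key can reach nothing except the two table entries; the log then records every attempt to use it for something else.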

3. Restrict connections to particular hosts, with the from option. from="client.example.com" ...key... forces the connection to come from client.example.com; otherwise it is dropped. from="!client.example.com" ...key... rejects connections from that address. Wildcards are supported. SSH2 does not support this option, but the client IP can be obtained from the $SSH2_CLIENT variable, and a forced-command script can achieve the same effect.
4. Set environment variables for the remote program: environment="EDITOR=emacs" ...key... changes the default environment for every connection made with this key.
5. Set an idle timeout, so that a client that stops sending data is forcibly disconnected: idle-timeout=5m, which overrides the server-wide setting.
6. Disable features for incoming connections, such as port forwarding and tty allocation. Disabling tty allocation removes the client's ability to run an interactive session; the $SSH_TTY variable shows the tty status.
The user's rc file: the SSH server runs the shell script /etc/sshrc whenever a connection arrives, so anything that should run after login can be put there. A user can define a similar script in their own directory, ~/.ssh/rc; if it exists, /etc/sshrc is not run.

Chapter 9: Port forwarding and X forwarding. SSH can encrypt and decrypt the traffic of other applications; this is called port forwarding, its operation is mostly transparent, and it is very powerful. Telnet, SMTP, NNTP, IMAP and other insecure TCP-based protocols become secure once they are carried over SSH. Port forwarding is also called tunnelling. Example: a server S runs IMAP; you run a mail program on the host H at home and want to protect the IMAP connection with SSH: $ ssh -L2001:localhost:143 S. -L means local forwarding. The command logs in to S as usual, and the SSH session also forwards port 2001 on H to port 143 on S for as long as the session lasts. Then tell the mail program to use the forwarded port: normally it connects to port 143 on the server, the socket (S, 143); now it connects to port 2001 on the local host H, the socket (localhost, 2001). A local forwarding can also be created with the LocalForward keyword in the client configuration file: LocalForward 2001 localhost:143 (SSH1, OpenSSH); LocalForward "2001:localhost:143" (SSH2).

The -g option and the GatewayPorts yes/no keyword control whether machines other than the local host may use a local port forwarding. For security reasons this is disabled by default.

Remote forwarding is almost identical to local forwarding, just in the opposite direction: now the server side is local and the forwarded connection originates on the remote host. Suppose you are logged in to the server S: $ ssh -R2001:localhost:143 H. -R means remote forwarding. After this command, a secure tunnel is established from port 2001 on the remote host H to port 143 on the server S, and any program on H can use it by connecting to (localhost, 2001). In the client configuration file use the RemoteForward keyword: RemoteForward 2001 S:143 (SSH1, OpenSSH); RemoteForward "2001:S:143" (SSH2).

$ ssh -o ClearAllForwardings=yes server.example.com

The ClearAllForwardings option prevents this command from establishing the tunnels listed in the configuration file. To summarise the two directions: in local forwarding, the application client sits with the SSH client and the application server sits with the SSH server; in remote forwarding, the application client sits with the SSH server (which holds the listening port) and the application server sits with the SSH client.

Port forwarding without an interactive remote login: use the -f option, which puts the SSH session in the background once authentication is done. One-shot forwarding (-fo) is an SSH2 feature that SSH1 and OpenSSH do not support, but the same effect can be obtained with:

$ ssh -f -L2001:localhost:143 server sleep 10

Termination: ending an SSH session while a forwarded connection is still active is an error. In SSH2, if you exit a session that has active forwarded connections, the session stays open but moves to the background until the forwarded connections terminate. SSH1 and OpenSSH do the opposite: if you try to disconnect a session with active forwarded connections, a warning is printed and the session stays in the foreground.

The TIME_WAIT problem: in some cases, after a TCP connection is closed, the socket at one end remains unavailable for a short period, so the port cannot be reused for TCP forwarding until that period has elapsed.

Chapter 10 Recommended Configuration

Server-wide configuration

1. Disable other access methods. Turn off the r-commands: delete the /etc/hosts.equiv file, or replace it with an empty file, and disable rshd, rlogind and rexecd by editing inetd.conf.

2. /etc/sshd_config (SSH1) configuration:

HostKey /etc/ssh_host_key
PidFile /etc/sshd.pid
RandomSeed /etc/ssh_random_seed

StrictModes yes (requires users to protect their SSH-related files and directories)
umask 0077 (ensures that everything sshd1 creates is a file or directory readable only by its owner, the uid sshd runs as)

Port 22
ListenAddress 0.0.0.0
IdleTimeout 15m (an idle connection is terminated after 15 minutes)
KeepAlive yes (a dead client is detected and its connection terminated instead of hanging indefinitely)

LoginGraceTime 30 (the time allowed to complete authentication is 30 seconds)

ServerKeyBits 768 (server key length)
KeyRegenerationInterval 3600 (the server key is regenerated once an hour)

PasswordAuthentication no (disables password authentication)
RhostsAuthentication no (disables trusted-host authentication)
RhostsRSAAuthentication no (disables enhanced trusted-host authentication)
RSAAuthentication yes (enables public-key authentication)

IgnoreRhosts yes (sshd completely ignores .rhosts files)
IgnoreRootRhosts yes

UseLogin no (disables UseLogin, so that no other login program is involved)

AllowHosts / DenyHosts: set as needed. Whether a refused connection gets a message back to the user is a trade-off: saying nothing tells an attacker nothing about what happened, but it makes troubleshooting harder.

PermitRootLogin nopwd (the superuser may connect through SSH, but cannot authenticate with a password)

FascistLogging no (disables the FascistLogging mode, which writes user-specific details to the log that are useful to an attacker)
QuietMode no (disables quiet-mode logging; the logs are more detailed, with low sensitivity)

AllowTcpForwarding yes (permits TCP port forwarding, so that other TCP connections can be protected)
X11Forwarding yes

3. /etc/ssh2/sshd2_config (SSH2) configuration:

HostKeyFile /etc/ssh2/hostkey
PublicHostKeyFile /etc/ssh2/hostkey.pub
RandomSeedFile /etc/ssh2/random_seed

UserConfigDirectory, IdentityFile, AuthorizationFile

StrictModes yes

Port 22
ListenAddress 0.0.0.0
KeepAlive yes
RequireReverseMapping no

LoginGraceTime 30

Since sshd2 has no keyword for the server key length, the -b option must be given when starting it: $ sshd2 -b 1024 ...

AllowedAuthentications publickey
RequiredAuthentications publickey

IgnoreRhosts yes
UserKnownHosts no (disabling this prevents users from granting trust to unknown hosts themselves)

PermitRootLogin nopwd

Ciphers any (never choose none)

QuietMode no
VerboseMode yes

Ssh1Compatibility no (disables SSH-1 compatibility mode)
# Ssh1Path /usr/local/ssh1/sshd1 (if compatibility mode is enabled, this names the SSH1 server executable)

4. Per-account configuration. In SSH1 and OpenSSH, each key in ~/.ssh/authorized_keys should be restricted with the appropriate options. The from option allows a particular key to be used only from particular hosts. For example, if the file contains the public key of your home PC (myhome.isp.net) and no other machine should be able to authenticate with that key, state the relationship explicitly:

from="myhome.isp.net" ... key ...

Also set an idle timeout for the key where appropriate:

from="myhome.isp.net",idle-timeout=5m ... key ...

Finally, consider whether each key really needs port forwarding, agent forwarding and a TTY; if not, disable them with no-port-forwarding, no-agent-forwarding and no-pty.
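The following is an added example (not code from the book or from OpenSSH) that reads an authorized_keys file and reports, for each key, which of the restrictions just listed are absent. It accepts both the SSH1 line form used above (options, bit count, exponent, modulus, comment) and the OpenSSH protocol-2 form (options, key type, base64, comment). The option list needs a real parser because a from= value may itself contain commas. The sample file, its host names and its key material are constructed placeholders.

```python
"""Check the per-key restrictions in an authorized_keys file.

Added example, not code from the book or from OpenSSH; the sample file and its
key material are constructed. It accepts both the SSH1 line form the chapter
uses ("options bits exponent modulus comment") and the OpenSSH protocol-2 form
("options keytype base64 comment") and reports, per key, which of the
recommended restrictions (from=, no-port-forwarding, no-agent-forwarding,
no-pty) are absent.
"""

RECOMMENDED = ("from", "no-port-forwarding", "no-agent-forwarding", "no-pty")
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def split_leading_options(line):
    """Split 'options rest' at the first space outside double quotes."""
    in_quote, i = False, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and in_quote:   # escaped character inside quotes
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i], line[i:].lstrip()
        i += 1
    return line, ""


def split_options(text):
    """Split a comma-separated option list; commas inside quotes do not count."""
    options, cur, in_quote, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and in_quote and i + 1 < len(text):
            cur.append(text[i + 1])
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        elif ch == "," and not in_quote:
            options.append("".join(cur))
            cur = []
            i += 1
            continue
        cur.append(ch)
        i += 1
    if cur:
        options.append("".join(cur))
    return options


def parse_line(line):
    """Return {'options', 'key', 'comment'} for one key line, None if blank/comment."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    first = line.split(None, 1)[0]
    if first.isdigit() or first.startswith(KEY_TYPE_PREFIXES):
        options, rest = [], line            # line has no option prefix
    else:
        opt_text, rest = split_leading_options(line)
        options = split_options(opt_text)
    fields = rest.split()
    key_len = 3 if fields and fields[0].isdigit() else 2   # SSH1 vs protocol 2
    return {"options": options,
            "key": " ".join(fields[:key_len]),
            "comment": " ".join(fields[key_len:])}


def option_names(options):
    """Option names only: 'from="x"' -> 'from', 'no-pty' -> 'no-pty'."""
    return {opt.split("=", 1)[0].lower() for opt in options}


def audit(text):
    """Return [(comment, [missing restriction names])] for keys lacking any."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        present = option_names(entry["options"])
        missing = [name for name in RECOMMENDED if name not in present]
        if missing:
            findings.append((entry["comment"] or entry["key"][:16], missing))
    return findings


# Constructed sample; the numbers and base64 are placeholders, not real keys.
SAMPLE = """\
# home PC, restricted as the chapter recommends (SSH1 line form)
from="myhome.isp.net",idle-timeout=5m,no-port-forwarding,no-agent-forwarding,no-pty 1024 35 1234567890123 home-pc
# backup job: host- and command-restricted, but forwarding and a TTY still allowed
from="backup.example.com,backup2.example.com",command="/usr/local/bin/backup" ssh-rsa AAAAB3NzaC1yc2EAAAA= backup-host
# unrestricted key
ssh-rsa AAAAB3NzaC1yc2EAAAA= laptop
"""

if __name__ == "__main__":
    for comment, missing in audit(SAMPLE):
        print(f"{comment}: missing {', '.join(missing)}")
```

Run against the constructed sample, the first key passes, the backup key is reported as still permitting forwarding and a TTY, and the laptop key is reported as carrying no restrictions at all.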

5. Key management. Create user keys of at least 1024 bits and protect each key with a good passphrase.

6. Client configuration. When you step away from the machine on which the SSH client is running, it must be password protected. Enable the security features in the client configuration file and set them to their strongest values:

Host *
FallBackToRsh no (forbids falling back to the insecure r-commands; SSH2 does not have this problem)
UseRsh no
GatewayPorts no (forbids remote clients from connecting to locally forwarded ports)
StrictHostKeyChecking ask (warns you when a host key changes and asks how to proceed)

Configuring the /etc/ssh/ssh_config file. /etc/ssh/ssh_config is the OpenSSH system-wide client configuration file; it lets you change how the client program behaves by setting options. Each line of this file contains a "keyword value" pair, and the keyword is case-insensitive. The most important keywords are listed below; see the man page ssh(1) for the full list.

Edit the ssh_config file (vi /etc/ssh/ssh_config) and add or change the following parameters:

# Site-wide defaults for various options
Host *
ForwardAgent no
ForwardX11 no
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
FallBackToRsh no
UseRsh no
BatchMode no
CheckHostIP yes
StrictHostKeyChecking no
IdentityFile ~/.ssh/identity
Port 22
Cipher blowfish
EscapeChar ~

The option settings above, explained line by line:

Host *: the Host option applies only to computers matching the string that follows it; "*" means all computers.

ForwardAgent no: sets whether the connection to the authentication agent (if any) is forwarded to the remote computer.

ForwardX11 no: sets whether X11 connections are automatically redirected over the secure channel and DISPLAY is set.

RhostsAuthentication no: sets whether rhosts-based authentication is used.

RhostsRSAAuthentication no: sets whether rhosts-based authentication combined with the RSA algorithm is used.

RSAAuthentication yes: sets whether RSA authentication is used.

PasswordAuthentication yes: sets whether password authentication is used.

FallBackToRsh no: sets whether rsh is used automatically if the SSH connection fails.

UseRsh no: sets whether rlogin/rsh is used for this computer.

BatchMode no: if set to yes, the passphrase/password prompt (interactive password entry) is disabled. This is useful when the password cannot be entered interactively.

CheckHostIP yes: sets whether SSH also checks the IP address of the host in the known_hosts file to detect DNS spoofing. Yes is recommended.

StrictHostKeyChecking no: if set to yes, SSH will not automatically add a computer's key to the $HOME/.ssh/known_hosts file, and it refuses to connect once a computer's key has changed.

IdentityFile ~/.ssh/identity: sets which file the user's RSA identity is read from.

Port 22: sets the port to connect to on the remote host.

Cipher blowfish: sets the cipher used for encryption.

EscapeChar ~: sets the escape character.

Configuring the /etc/ssh/sshd_config file. /etc/ssh/sshd_config is the OpenSSH server configuration file; its options change how the daemon runs. Each line of this file contains a "keyword value" pair, and the keyword is case-insensitive. The most important keywords are listed below; see the man page sshd(8) for the full list.

Edit the sshd_config file (vi /etc/ssh/sshd_config) and add or change the following parameters:

# This is ssh server systemwide configuration file
Port 22
ListenAddress 192.168.1.1
HostKey /etc/ssh/ssh_host_key
ServerKeyBits 1024
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin no
IgnoreRhosts yes
IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding no
PrintMotd yes
SyslogFacility AUTH
LogLevel INFO
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
AllowUsers admin

The option settings above, explained line by line:

Port 22: sets the port number sshd listens on.

ListenAddress 192.168.1.1: sets the IP address the sshd server binds to.

HostKey /etc/ssh/ssh_host_key: sets the file containing the computer's private host key.

ServerKeyBits 1024: defines the number of bits in the server key.

LoginGraceTime 600: sets how long (in seconds) the server waits for a successful login before dropping the connection.

KeyRegenerationInterval 3600: sets after how many seconds the server key is automatically regenerated. Regenerating the key prevents intercepted traffic from being decrypted later with a stolen key.

PermitRootLogin no: sets whether root may log in with SSH. This option must never be set to yes.

IgnoreRhosts yes: sets whether the rhosts and shosts files are consulted during authentication.

IgnoreUserKnownHosts yes: sets whether the SSH daemon ignores the user's $HOME/.ssh/known_hosts during RhostsRSAAuthentication.

StrictModes yes: sets whether SSH checks the permissions of the user's home directory and rhosts files before accepting a login request. This is usually necessary, because novices often leave their directories and files accessible to anyone.

X11Forwarding no: sets whether X11 forwarding is allowed.

PrintMotd yes: sets whether sshd displays the contents of /etc/motd when a user logs in.

SyslogFacility AUTH: sets the facility code used when logging messages from sshd.

LogLevel INFO: sets the verbosity level of sshd's log messages. INFO is a good choice; see the sshd man page for more information.

RhostsAuthentication no: sets whether authentication based on rhosts or /etc/hosts.equiv alone is allowed.

RhostsRSAAuthentication no: sets whether authentication based on rhosts or /etc/hosts.equiv combined with RSA host authentication is allowed.

RSAAuthentication yes: sets whether pure RSA authentication is allowed.

PasswordAuthentication yes: sets whether password authentication is allowed.

PermitEmptyPasswords no: sets whether logins to accounts with an empty password are allowed.

AllowUsers admin: may be followed by any number of username or user@host patterns, separated by spaces. The host may be a DNS name or an IP address.
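The server-wide recommendations of this chapter, the Host * client settings and the two OpenSSH files walked through above share one file format, so a single added example serves all three: it is not code from the book or from OpenSSH, and the sample files are constructed with deliberate weaknesses. It parses "keyword value" lines the way the text describes (keywords case-insensitive) and applies one OpenSSH rule worth knowing when auditing: for a given keyword, the first occurrence in sshd_config wins, so a hardened line added below an existing weak one changes nothing. The recommended values are taken from the chapter; "without-password" is OpenSSH's spelling of the chapter's nopwd.

```python
"""Audit ssh_config / sshd_config text against the settings recommended above.

Added example, not code from the book or from OpenSSH; the sample files are
constructed. Two parsing points matter for an auditor: keywords are
case-insensitive (as the text says), and in sshd_config the FIRST occurrence
of a keyword wins, so a hardened line placed below a weak one changes nothing.
"""

# Server-side values recommended in this chapter (keys lowercased). "nopwd" is
# the SSH1 spelling used above; "without-password" is OpenSSH's equivalent.
SERVER_RULES = {
    "permitrootlogin": {"no", "nopwd", "without-password"},
    "passwordauthentication": {"no"},
    "permitemptypasswords": {"no"},
    "ignorerhosts": {"yes"},
    "rhostsauthentication": {"no"},
    "rhostsrsaauthentication": {"no"},
    "strictmodes": {"yes"},
    "uselogin": {"no"},
}

# Client-side values recommended for the "Host *" block.
CLIENT_RULES = {
    "fallbacktorsh": {"no"},
    "usersh": {"no"},
    "gatewayports": {"no"},
    "stricthostkeychecking": {"ask", "yes"},
    "checkhostip": {"yes"},
    "forwardagent": {"no"},
}


def parse_config(text):
    """Return {lowercased keyword: value}, keeping the first occurrence of each.

    Handles '#' comments, blank lines, leading indentation and the
    'Keyword=value' spelling. Per-host sections (several 'Host' lines) are not
    modelled; the sample client file has a single 'Host *' block.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" in line.split(None, 1)[0]:
            line = line.replace("=", " ", 1)
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit(settings, rules):
    """List (keyword, observed value or None if absent) for every unmet rule."""
    return [(key, settings.get(key)) for key, allowed in rules.items()
            if (settings.get(key) or "").lower() not in allowed]


def audit_sshd(text):
    """Server audit: the yes/no rules plus LoginGraceTime <= 30 and AllowUsers set."""
    settings = parse_config(text)
    findings = audit(settings, SERVER_RULES)
    grace = settings.get("logingracetime")
    if grace is None or not grace.isdigit() or int(grace) > 30:
        findings.append(("logingracetime", grace))
    if "allowusers" not in settings:
        findings.append(("allowusers", None))
    return findings


def audit_client(text):
    return audit(parse_config(text), CLIENT_RULES)


# Constructed samples with deliberate weaknesses, not taken from a real host.
SAMPLE_SSHD = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no   # ignored by sshd: the first occurrence above wins
IgnoreRhosts yes
RhostsAuthentication no
RhostsRSAAuthentication no
StrictModes yes
LoginGraceTime 600
PermitEmptyPasswords no
"""

SAMPLE_SSH = """\
Host *
    ForwardAgent no
    StrictHostKeyChecking no
    CheckHostIP yes
    FallBackToRsh yes
    UseRsh no
"""

if __name__ == "__main__":
    for name, findings in (("sshd_config", audit_sshd(SAMPLE_SSHD)),
                           ("ssh_config", audit_client(SAMPLE_SSH))):
        for key, value in findings:
            print(f"{name}: {key} = {'(not set)' if value is None else value}")
```

On the constructed server file the audit flags PermitRootLogin yes, PasswordAuthentication yes (the later "no" line is dead), UseLogin and AllowUsers not set, and a LoginGraceTime of 600 against the 30 seconds recommended; on the client file it flags StrictHostKeyChecking no, FallBackToRsh yes and the missing GatewayPorts no.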

Reprint notice: please credit the original at https://www.9cbs.com/read-99883.html
