SSH Remote Management Service
1. Introduction to Remote Management Services
# 1.1 Introduction to the SSH Remote Login Service
SSH is the abbreviation of Secure Shell Protocol, specified by the IETF Network Working Group;
//SSH encrypts packets before they are sent over the network, so that data in transit remains confidential.
SSH is a security protocol for remote login sessions and other network services.
//Using the SSH protocol effectively prevents information leakage during remote management. In today's production operations and maintenance work,
//most enterprises use the SSH service in place of traditional insecure remote login software such as telnet (port 23, unencrypted).
//By default, the SSH service provides two main functions:
a. Remote login to servers, similar to telnet, i.e. the SSH service mentioned above;
b. An FTP-like service, sftp-server, which transfers data over the SSH protocol to provide SFTP, a more secure alternative to FTP servers such as vsftp and proftp.
# 1.2 Troubleshooting Approach for the SSH Remote Login Service
01. Check whether the network path is reachable --- ping (ICMP protocol) / tracert / traceroute
02. Check whether the path is being blocked --- turn off the firewall
03. Check whether the service is listening --- ss / netstat -lntup (server-side check), telnet / nmap / nc (client-side check)
# Comparison of remote management services:
# Install the telnet client software: yum install -y telnet
# Install the telnet server software (on the backup server): yum install -y telnet-server
[root@backup ~]# yum install -y telnet-server telnet
...
[root@backup ~]# cat /etc/xinetd.d/telnet
# default: on
# description: The telnet server serves telnet sessions; it uses \
# unencrypted username/password pairs for authentication.
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
disable = no # change disable from the default yes to no, so that xinetd can start the telnet service
}
[root@backup ~]# /etc/init.d/xinetd restart # restart the xinetd service
Stopping xinetd: [ OK ]
Starting xinetd: [ OK ]
[root@backup ~]#
# At this point the telnet service is started
Type `help' to learn how to use Xshell prompt.
Xshell:\> telnet 10.0.0.41 # connect to the remote server with telnet (telnet does not allow the root user to log in; the xinetd service must be started before using telnet ip)
Type `help' to learn how to use Xshell prompt.
Xshell:\> ssh 10.0.0.41 # connect to the remote server with ssh; both root and ordinary users can log in
2. Remote Management Service Concepts in Detail
2.1 Encryption Technology of the SSH Remote Management Service
SSH connection and login process:
①. The ssh client (m01 host) sends a connection request
②. The ssh server sends back a confirmation prompt asking the client whether it really wants to connect
③. The ssh client enters yes and then receives the server's public key information, which is recorded in known_hosts
[root@m01 /]# cat /root/.ssh/known_hosts
10.0.0.41 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxk0wkLuvRML5GrK8p+EU6yLAvLf5aOsnu2ydGzvn8mXuE4EdhGzGC1h9cwvMYwY7xD47aBRP/q+13T6Jh8/A580m6AaZmagS/OawtcVaseTMJEehysIqPBOD9xqPGOWK5c3vWFcW0yC1rp64axYAbrXgOEX8TddxF4rPAyinOpqMPe1ncF6hY8Zq3VxCDKIFJk//RPpO1eqM8eXLl7P1tLCLYHVvRWdjDQ2k275cPOAXiLr2Wc+KuzQUMAeLV0e/41DtMHHdI8bkrMfMMFXFPR04nZv+uv4DvX7Md/5NoGB6PkH9ozvDyqLFS7Z2m0hpomhqkaM5OtbN6rm+YrJXqQ==
[root@m01 /]#
④. The ssh server (e.g. the backup server) sends its public key information to the ssh client
[root@backup ~]# cd /etc/ssh # storage path of the host public and private keys
[root@backup ssh]# ll
total 160
-rw-------. 1 root root 125811 Mar 22 2017 moduli
-rw-r--r--. 1 root root 2047 Mar 22 2017 ssh_config
-rw------- 1 root root 3876 Apr 30 18:43 sshd_config
-rw-------. 1 root root 3879 Mar 22 2017 sshd_config.bak
-rw-------. 1 root root 668 Oct 16 2018 ssh_host_dsa_key
-rw-r--r--. 1 root root 590 Oct 16 2018 ssh_host_dsa_key.pub
-rw-------. 1 root root 963 Oct 16 2018 ssh_host_key
-rw-r--r--. 1 root root 627 Oct 16 2018 ssh_host_key.pub
-rw-------. 1 root root 1675 Oct 16 2018 ssh_host_rsa_key
-rw-r--r--. 1 root root 382 Oct 16 2018 ssh_host_rsa_key.pub
[root@backup ssh]# cat ssh_host_rsa_key.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxk0wkLuvRML5GrK8p+EU6yLAvLf5aOsnu2ydGzvn8mXuE4EdhGzGC1h9cwvMYwY7xD47aBRP/q+13T6Jh8/A580m6AaZmagS/OawtcVaseTMJEehysIqPBOD9xqPGOWK5c3vWFcW0yC1rp64axYAbrXgOEX8TddxF4rPAyinOpqMPe1ncF6hY8Zq3VxCDKIFJk//RPpO1eqM8eXLl7P1tLCLYHVvRWdjDQ2k275cPOAXiLr2Wc+KuzQUMAeLV0e/41DtMHHdI8bkrMfMMFXFPR04nZv+uv4DvX7Md/5NoGB6PkH9ozvDyqLFS7Z2m0hpomhqkaM5OtbN6rm+YrJXqQ==
[root@backup ssh]#
⑤. The ssh client logs in with a password
//The encryption technology comes in two protocol versions, v1 and v2
sshv1 does not change its locks and keys often, so it carries security risks.
sshv2 changes its locks and keys frequently, which improves remote connection security
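Steps ③ and ④ above rest on the client trusting the host key it has recorded in known_hosts; the following script, an added example rather than part of the original tutorial, compares that recorded entry with the key in the server's ssh_host_rsa_key.pub (the two values shown above should be identical). Host names, key blobs and file contents are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: check that the key a client
# recorded in known_hosts for a host is the key that server actually publishes
# in /etc/ssh/ssh_host_rsa_key.pub. A mismatch means the client would trust a
# different key than the real server holds (rebuilt server, or a man in the
# middle), so the connection should not proceed. Sample contents below are
# constructed and the key blobs are shortened placeholders.

KNOWN_HOSTS_SAMPLE='10.0.0.41,backup ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxk0wkL
172.16.1.31 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7different'

SERVER_PUB_SAMPLE='ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxk0wkL root@backup'

# "type blob" recorded for host $1 in known_hosts text $2 (an entry may list
# several comma-separated names; hashed entries from HashKnownHosts are not handled).
recorded_key() {
  printf '%s\n' "$2" | awk -v h="$1" '
    $1 !~ /^[#@]/ { n = split($1, names, ",")
      for (i = 1; i <= n; i++) if (names[i] == h) { print $2 " " $3; exit } }'
}

# "type blob" from the text of a ssh_host_*_key.pub file $1 (drops the comment).
published_key() {
  printf '%s\n' "$1" | awk 'NR == 1 { print $1 " " $2 }'
}

# 0 = recorded key matches the server key, 1 = mismatch,
# 2 = no entry yet (first connection: verify the fingerprint out of band).
check_host_key() {     # $1 = host, $2 = known_hosts text, $3 = host .pub text
  recorded=$(recorded_key "$1" "$2")
  [ -n "$recorded" ] || return 2
  [ "$recorded" = "$(published_key "$3")" ]
}

# Demo against the constructed samples.
for host in 10.0.0.41 172.16.1.31 10.0.0.99; do
  rc=0; check_host_key "$host" "$KNOWN_HOSTS_SAMPLE" "$SERVER_PUB_SAMPLE" || rc=$?
  case $rc in
    0) echo "$host: known_hosts entry matches the server host key" ;;
    1) echo "$host: MISMATCH, do not continue the connection" ;;
    2) echo "$host: no known_hosts entry, verify the fingerprint first" ;;
  esac
done
```

On a real system, feed it `$(cat ~/.ssh/known_hosts)` and the `.pub` file obtained from the server over a channel you already trust (console or a previously verified session).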
3. SSH Remote Management Service Authentication Types
# Implementing key-based remote login
(1) Create a key pair (public key and private key) on the ssh management server (m01 host)
(2) The ssh management server sends its public key to the managed server (such as the backup server)
(3) The ssh management server sends a connection request to the managed server
(4) The ssh managed server sends a public key challenge to the management server
(5) The ssh management server processes the public key challenge and sends the challenge response to the managed host
(6) The ssh managed server receives the challenge response and confirms that authentication succeeded
(7) The ssh management server can now establish a key-based login connection with the managed server
4. Deployment Process for Key-Based Login
# Step one: create the key pair on the management host (e.g. the m01 host)
[root@m01 ~]# ssh-keygen -t dsa <-- command to create a key pair; -t dsa specifies the key type
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa): <-- confirm the path where the private key file is saved
/root/.ssh/id_dsa already exists.
Overwrite (y/n)? y <-- if a key pair already exists, choose whether to overwrite it
Enter passphrase (empty for no passphrase): <-- whether to set a passphrase on the private key (usually left empty)
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
46:c8:21:b9:99:6e:0c:59:39:66:38:7a:97:29:51:76 root@m01
The key's randomart image is:
+--[ DSA 1024]----+
| o+oE |
| +.B+ o |
| . B Bo . |
|. = B . |
| . * S |
| + . |
| . |
| |
| |
+-----------------+
# Step two: send the public key from the management host to the managed host
[root@m01 ~]# ssh-copy-id -i /root/.ssh/id_dsa.pub 172.16.1.31 # send the public key from the management host to the managed host; if the management host reaches the managed host over the intranet, write the intranet IP, otherwise the external IP; here the public key is distributed as root, so the managed host can only be managed as root; to manage as an ordinary user such as oldboy, prefix the IP with that user name (user@ip)
The authenticity of host '172.16.1.31 (172.16.1.31)' can't be established.
RSA key fingerprint is 22:07:4d:36:3c:5e:eb:46:80:a2:ef:40:45:8c:93:46.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.1.31' (RSA) to the list of known hosts.
root@172.16.1.31's password:
Now try logging into the machine, with "ssh '172.16.1.31'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[root@m01 ~]#
# The public key file is saved in the .ssh/ directory of the root user's home on host 172.16.1.31 (nfs01)
[root@nfs01 ~]# cd /root/.ssh/
[root@nfs01 .ssh]# ll
total 4
-rw------- 1 root root 598 May 24 14:17 authorized_keys
[root@nfs01 .ssh]#
# Step three: test remote management (key-based)
[root@m01 ~]# ssh 172.16.1.31 # log in to the managed host directly; no password is required
Last login: Fri May 24 14:15:34 2019 from 10.0.0.253
[root@nfs01 ~]#
[root@m01 ~]# ssh 172.16.1.31 uptime # check the status of the managed host without logging in interactively
14:31:30 up 26 min, 1 user, load average: 0.00, 0.00, 0.00
[root@m01 ~]#
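The ssh-copy-id message above asks you to check authorized_keys for keys you were not expecting; here is an added example (not from the original tutorial) that does exactly that against the distributed id_dsa.pub. File contents and key blobs are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: after ssh-copy-id, confirm
# that authorized_keys on the managed host contains the key you distributed and
# nothing you did not expect, which is the check the ssh-copy-id message asks
# for. Sample file contents are constructed; key blobs are shortened placeholders.

ID_PUB_SAMPLE='ssh-dss AAAAB3NzaC1kc3MAAACBAK3m01sample root@m01'

AUTHORIZED_KEYS_SAMPLE='# constructed sample of /root/.ssh/authorized_keys
ssh-dss AAAAB3NzaC1kc3MAAACBAK3m01sample root@m01

no-pty,from="10.0.0.0/24" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCunknown who@where'

# Reduce each key line to "type blob": skips blank and comment lines and any
# option prefix (from=, no-pty, ...) that precedes the key type.
key_ids() {
  awk 'NF == 0 || $1 ~ /^#/ { next }
       { for (i = 1; i < NF; i++)
           if ($i ~ /^(sk-)?(ssh|ecdsa)-/) { print $i " " $(i + 1); break } }'
}

# 0 if the key in id.pub text $1 is present in authorized_keys text $2.
expected_key_present() {
  printf '%s\n' "$2" | key_ids | grep -qxF -- "$(printf '%s\n' "$1" | key_ids)"
}

# Print "type blob" of every authorized key other than the one in id.pub text $1
# (an empty result is not an error, hence the trailing ":").
unexpected_keys() {
  printf '%s\n' "$2" | key_ids | grep -vxF -- "$(printf '%s\n' "$1" | key_ids)" || :
}

# Demo against the constructed samples.
if expected_key_present "$ID_PUB_SAMPLE" "$AUTHORIZED_KEYS_SAMPLE"; then
  echo "distributed key is present in authorized_keys"
else
  echo "distributed key is MISSING from authorized_keys"
fi
extra=$(unexpected_keys "$ID_PUB_SAMPLE" "$AUTHORIZED_KEYS_SAMPLE")
[ -z "$extra" ] || printf 'WARNING: keys you did not distribute:\n%s\n' "$extra"
```

On the managed host, run it with `$(cat /root/.ssh/authorized_keys)` as the second argument; any key it lists should be accounted for or removed.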
5. SSH Configuration Files
# SSH server configuration file: /etc/ssh/sshd_config
# SSH client configuration file: /etc/ssh/ssh_config
# Description of the SSH server configuration file (/etc/ssh/sshd_config)
Port 52113 <-- change the SSH service port number (use a port above 1024); after changing it, connect with: ssh -p port ip
ListenAddress 0.0.0.0 <-- specify which address accepts connections: 0.0.0.0 means all network interfaces listen and can respond; 10.0.0.31 means only that interface listens; the main purpose is to improve connection security
PS: the listen address can only be an address assigned to one of the server's network interfaces
PermitRootLogin no <-- whether the root user may log in remotely (generally set to no in enterprise environments)
PermitEmptyPasswords no <-- whether empty passwords are allowed
UseDNS no <-- whether to perform reverse DNS lookups; disabling it improves ssh connection speed
GSSAPIAuthentication no <-- whether to use GSSAPI authentication; disabling it improves ssh connection speed
# Restart the sshd service after modifying the configuration file: /etc/init.d/sshd restart
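To verify that a server actually carries the settings just described, here is an added example (not part of the original tutorial) that evaluates an sshd_config the way sshd reads it and reports any directive that deviates from the values above. The sample configurations are constructed, and the defaults assumed for absent directives are labelled in the code.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: audit sshd_config text
# against the hardening values listed above. As sshd does, the first occurrence
# of a directive wins and commented lines are ignored. An absent directive takes
# the assumed default in CHECKS, which matches the older OpenSSH this tutorial
# targets (newer releases default UseDNS to no). Samples are constructed.

# directive|expected value|assumed default when the directive is absent
CHECKS='PermitRootLogin|no|yes
PermitEmptyPasswords|no|no
UseDNS|no|yes
GSSAPIAuthentication|no|yes'

SSHD_SAMPLE='# constructed sample: first PermitRootLogin wins, GSSAPI is absent
Port 52113
#PermitRootLogin no
PermitRootLogin yes
PermitEmptyPasswords no
UseDNS no
PermitRootLogin no'

SSHD_HARDENED='Port 52113
PermitRootLogin no
PermitEmptyPasswords no
UseDNS no
GSSAPIAuthentication no'
# Effective value of directive $1 in config text $2, or default $3 if absent.
# Keywords are case-insensitive in sshd_config, so compare in lower case.
sshd_effective() {
  v=$(printf '%s\n' "$2" | awk -v d="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        $1 !~ /^#/ && tolower($1) == d { print tolower($2); exit }')
  printf '%s\n' "${v:-$3}"
}

# Print one line per failed check on config text $1; exit 0 only if all pass.
audit_sshd_config() {
  printf '%s\n' "$CHECKS" | {
    rc=0
    while IFS='|' read -r d want def; do
      got=$(sshd_effective "$d" "$1" "$def")
      [ "$got" = "$want" ] || { echo "$d is $got, expected $want"; rc=1; }
    done
    exit "$rc"
  }
}

# Demo: the weak sample fails two checks, the hardened one passes.
audit_sshd_config "$SSHD_SAMPLE" || echo "SSHD_SAMPLE: hardening checks failed"
audit_sshd_config "$SSHD_HARDENED" && echo "SSHD_HARDENED: all checks pass"
```

Run it against a live server with `audit_sshd_config "$(cat /etc/ssh/sshd_config)"` after editing and before restarting sshd, so a typo does not lock you out.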
6. SSH Remote Transfer Method: sftp
# Command example: sftp -oPort=52113 oldboy@10.0.0.41
# Summary of common sftp commands
bye Quit sftp <-- exit sftp transfer mode
cd path Change remote directory to 'path' <-- change the remote directory
pwd Display remote working directory <-- display the current directory on the remote host
lcd path Change local directory to 'path' <-- change the local directory
lpwd Print local working directory <-- print the local directory
get [-P] remote-path [local-path] Download file <-- download a file
put [-P] local-path [remote-path] Upload file <-- upload a file