On CentOS 7 the OpenSSH server is provided by the openssh and openssh-server packages (installed by default), and sshd is registered as a standard system service; run systemctl status sshd to check it. By default any account with a valid login shell can log in remotely, so the restrictions described below have to be configured deliberately.
The sshd service reads its configuration from the file /etc/ssh/sshd_config. It contains many directives that control how clients may connect to the server; they fall roughly into three groups:
1. Server listening settings:
[root@localhost ~]# vim /etc/ssh/sshd_config
Port 22                  #Default listening port
ListenAddress 0.0.0.0    #Listen on all addresses by default
Protocol 2               #Use SSH protocol version 2, which is far more secure than v1 (OpenSSH 7.4, as shipped on CentOS 7, no longer supports v1 at all)
UseDNS no                #Disable reverse DNS lookup of the connecting client
2. User login control:
LoginGraceTime 2m        #The client must finish authenticating within 2 minutes or the connection is dropped
PermitRootLogin no       #Refuse direct root logins
MaxAuthTries 6           #At most 6 authentication attempts per connection (failures are logged once half that number is reached)
PermitEmptyPasswords no  #Refuse logins to accounts with an empty password
3. Authentication methods:
PasswordAuthentication yes               #Allow password authentication
PubkeyAuthentication yes                 #Allow public-key authentication
AuthorizedKeysFile .ssh/authorized_keys  #File (relative to each user's home directory) holding that user's authorized public keys
In a production environment, the recommended configuration changes are as follows:
[root@localhost ~]# vim /etc/ssh/sshd_config
Port 2345                                #Listen on a non-default port instead of 22
ListenAddress 172.16.2.25                #Listen on one address (which must be configured on this host) instead of all addresses
Protocol 2                               #SSH protocol version 2 only
UseDNS no                                #Disable reverse DNS lookup of the client
LoginGraceTime 2m                        #Authentication must complete within 2 minutes
PermitRootLogin no                       #Refuse direct root logins
MaxAuthTries 6                           #At most 6 authentication attempts per connection
PermitEmptyPasswords no                  #Refuse empty-password logins
PasswordAuthentication yes               #Allow password authentication
PubkeyAuthentication yes                 #Allow public-key authentication
AuthorizedKeysFile .ssh/authorized_keys  #Authorized public keys file
AllowUsers zhangsan admin@61.23.24.25    #Only zhangsan and admin may log in remotely, and admin only from 61.23.24.25
AllowUsers is an allow list: once it is set, every account not listed is refused. DenyUsers is the opposite, a deny list, and sshd evaluates DenyUsers before AllowUsers, so a user matched by both is refused. Three practical points: the new port must be labelled for SELinux (type ssh_port_t), otherwise sshd cannot bind it while SELinux is enforcing, and opened in firewalld, otherwise clients are blocked; the changed configuration only takes effect after sshd is restarted, so keep the existing session open until a fresh login on the new port succeeds; and once every user has a key in authorized_keys, PasswordAuthentication can be set to no to remove password guessing entirely.
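The hardening above is usually scripted rather than edited by hand. The following is an added example and not part of the original page: it sets the recommended directives in an sshd_config file and then audits the effective values. It runs against a constructed sample file, so it can be tried anywhere; the values 2345, 172.16.2.25, zhangsan and admin@61.23.24.25 are the page's own illustrative ones. It takes care of two details hand edits often miss: sshd uses the first occurrence of a directive and ignores later ones, and anything appended after a Match block applies only to that block, so missing directives are inserted above the first Match line.

```shell
#!/bin/sh
# Added example, not from the original page: set the recommended sshd
# directives in a config file and audit the effective values.  It works on
# a constructed sample copy; point it at /etc/ssh/sshd_config yourself.

# set_directive FILE KEY VALUE
# Replace the first active or commented-out KEY line with "KEY VALUE", drop
# later duplicates, and if KEY is absent insert it above the first Match
# block (lines below "Match" apply only inside that block).
set_directive() {
  file=$1; key=$2; value=$3
  tmp=$(mktemp)
  awk -v key="$key" -v value="$value" '
    BEGIN { lk = tolower(key); seen = 0; in_match = 0 }
    in_match { print; next }                     # never touch Match blocks
    tolower($1) == "match" {
      if (!seen) { print key " " value; seen = 1 }
      in_match = 1; print; next
    }
    {
      line = $0
      sub(/^[ \t]*#?[ \t]*/, "", line)            # strip indent and "#"
      split(line, f, /[ \t]+/)
      if (tolower(f[1]) == lk) {                  # keywords are case-insensitive
        if (!seen) { print key " " value; seen = 1 }
        next
      }
      print
    }
    END { if (!seen) print key " " value }
  ' "$file" > "$tmp" && cat "$tmp" > "$file"     # keep the original inode, mode and SELinux label
  rm -f "$tmp"
}

# get_directive FILE KEY
# Print the value sshd will use: the first active occurrence before any
# Match block (sshd keeps the first value it reads and ignores the rest).
get_directive() {
  awk -v key="$2" '
    BEGIN { lk = tolower(key) }
    /^[ \t]*(#|$)/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == lk { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
  ' "$1"
}

# harden_sshd_config FILE: apply the production settings recommended above.
harden_sshd_config() {
  while read -r key value; do
    set_directive "$1" "$key" "$value"
  done <<'EOF'
Port 2345
ListenAddress 172.16.2.25
Protocol 2
UseDNS no
LoginGraceTime 2m
PermitRootLogin no
MaxAuthTries 6
PermitEmptyPasswords no
PasswordAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
AllowUsers zhangsan admin@61.23.24.25
EOF
}

# audit_sshd_config FILE: report directives whose effective value is not the
# hardened one.  An unset directive counts as weak, because relying on the
# compiled-in default is exactly what the audit is meant to catch.
audit_sshd_config() {
  file=$1; rc=0
  while read -r key want; do
    have=$(get_directive "$file" "$key" | tr 'A-Z' 'a-z')
    if [ "$have" != "$want" ]; then
      printf 'WEAK: %s is "%s", want "%s"\n' "$key" "${have:-unset}" "$want"
      rc=1
    fi
  done <<'EOF'
PermitRootLogin no
PermitEmptyPasswords no
PubkeyAuthentication yes
UseDNS no
EOF
  return $rc
}

# Demo on a constructed stock-style snippet (not a real sshd_config).
demo=$(mktemp)
printf '#Port 22\n#ListenAddress 0.0.0.0\nPermitRootLogin yes\n#PermitEmptyPasswords no\nMatch User backup\n    PasswordAuthentication no\n' > "$demo"
harden_sshd_config "$demo"
audit_sshd_config "$demo" && echo "audit clean" || echo "audit found weak settings"
rm -f "$demo"
```

Run it as root against /etc/ssh/sshd_config, then validate with sshd -t -f /etc/ssh/sshd_config before restarting. For the port change on CentOS 7 also run semanage port -a -t ssh_port_t -p tcp 2345 (from policycoreutils-python) and firewall-cmd --permanent --add-port=2345/tcp followed by firewall-cmd --reload, and only then systemctl restart sshd from a session you keep open. The script does not understand the "Key=value" spelling sshd also accepts, and it treats a comment whose first word is a directive name as that directive, which matches how the stock file's "#PermitRootLogin yes" lines are meant to be edited.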
Using the SSH client, connect to the server remotely:
[root@localhost ~]# ssh -p 2345 zhangsan@192.168.1.1    #Connect to 192.168.1.1 as user zhangsan; "-p" selects port 2345 and can be omitted when the server uses the default port 22
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
ECDSA key fingerprint is ad:a1:9b:f7:e3:41:bf:5f:da:cd:5e:3f:74:e0:8a:b9.
Are you sure you want to continue connecting (yes/no)? yes    #Enter "yes" only after comparing this fingerprint with the one read from the server's host key on its console; answering blindly is what lets a man-in-the-middle substitute its own key
Warning: Permanently added '192.168.1.1' (ECDSA) to the list of known hosts.
zhangsan@192.168.1.1's password:    #Enter the password of user zhangsan
[zhangsan@localhost ~]$    #Connected
scp remote copy:
If the remote host's sshd listens on a non-default port, add the -P option (upper case; scp's lower-case -p means "preserve file times and modes") to specify it, for example -P 2345.
Upload:
[root@localhost /]# scp -r /etc/passwd root@192.168.1.1:/    #Copy the local file /etc/passwd to the "/" directory of the remote host (-r is only needed when the source is a directory)
root@192.168.1.1's password:    #Enter the root password of host 192.168.1.1
passwd                          100% 2893     2.8KB/s   00:00    #Upload succeeded
Download:
[root@localhost /]# scp root@192.168.1.1:/test.txt /root/    #Copy /test.txt from host 192.168.1.1 to the local /root/ directory
root@192.168.1.1's password:
test.txt                        100%   20     0.0KB/s   00:00
Note that both transfers log in as root, which the PermitRootLogin no setting recommended above would refuse; on a hardened server copy as an allowed user such as zhangsan, into a directory that user can write to.
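The ssh and scp sessions above both hinge on the host-key prompt being answered correctly, and on the port being passed as -p to ssh but -P to scp. The following is an added example and not part of the original page: it pins the server's host key in a dedicated known_hosts file and then runs ssh and scp with strict checking against that file, so the "continue connecting" prompt never has to be answered blindly. The key line used in the demo is a constructed placeholder, not a real key; the real one is the content of the server's /etc/ssh/ssh_host_ed25519_key.pub (or another host key file), read on the console or obtained by another trusted channel. The host names and port are the page's own values.

```shell
#!/bin/sh
# Added example, not from the original page: pin a server's host key and use
# ssh/scp with strict host-key checking against the pinned file.

# known_hosts_entry HOST PORT KEYLINE
# Format a known_hosts line.  OpenSSH records a non-default port as
# "[host]:port"; a bare "host" entry would not match a server reached on
# port 2345 and ssh would still prompt.
known_hosts_entry() {
  host=$1; port=$2; keyline=$3
  if [ "$port" = 22 ]; then
    printf '%s %s\n' "$host" "$keyline"
  else
    printf '[%s]:%s %s\n' "$host" "$port" "$keyline"
  fi
}

# pin_host_key FILE HOST PORT KEYLINE
# Append the entry unless FILE already has one for that host/port, so the
# function can be re-run safely from a provisioning script.
pin_host_key() {
  file=$1; host=$2; port=$3; keyline=$4
  [ -e "$file" ] || : > "$file"
  entry=$(known_hosts_entry "$host" "$port" "$keyline")
  name=${entry%% *}                            # "[host]:port" or "host"
  if ! awk -v n="$name" '$1 == n { found = 1 } END { exit !found }' "$file"; then
    printf '%s\n' "$entry" >> "$file"
  fi
}

# ssh_pinned FILE PORT USER@HOST [COMMAND...]
# ssh takes the port as lower-case -p.  StrictHostKeyChecking=yes makes ssh
# refuse any host whose key is not already in FILE instead of asking.
ssh_pinned() {
  file=$1; port=$2; target=$3; shift 3
  ssh -o StrictHostKeyChecking=yes -o "UserKnownHostsFile=$file" \
      -p "$port" "$target" "$@"
}

# scp_pinned FILE PORT SOURCE DEST
# scp takes the port as upper-case -P (its -p means "preserve times/modes").
scp_pinned() {
  file=$1; port=$2; shift 2
  scp -o StrictHostKeyChecking=yes -o "UserKnownHostsFile=$file" \
      -P "$port" "$@"
}

# Demo with a constructed placeholder key line (not a valid key).
kh=$(mktemp)
placeholder='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERnotARealKey0000000000000000'
pin_host_key "$kh" 192.168.1.1 2345 "$placeholder"
pin_host_key "$kh" 192.168.1.1 2345 "$placeholder"   # second call is a no-op
cat "$kh"
rm -f "$kh"
# Real use, once the key line has been obtained from the server console:
#   pin_host_key ~/.ssh/known_hosts.pinned 192.168.1.1 2345 "$(cat host_key.pub)"
#   ssh_pinned ~/.ssh/known_hosts.pinned 2345 zhangsan@192.168.1.1
#   scp_pinned ~/.ssh/known_hosts.pinned 2345 /etc/passwd zhangsan@192.168.1.1:/tmp/
```

With the key pinned this way, a changed or substituted server key makes ssh and scp abort with a host-key mismatch rather than prompt. The lookup in pin_host_key is deliberately simple: it does not recognise hashed entries (HashKnownHosts yes) or comma-separated host lists, so keep the pinned file separate from the default ~/.ssh/known_hosts.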