Detailed explanation of Linux SSH command. If you don't even know the SSH command, don't say you can use Linux

Northward travel 2022-06-24 05:52:03 阅读数:809

detailedexplanationlinuxsshcommand.

# Preface

ssh amount to windows Remote desktop connection on , But no desktop , Only text terminals .ssh It's a lot of Linux A command that users must learn when getting started . With the help of ssh, Developers can easily connect to remote or other computers on the LAN , Develop directly on it .

Take my own workflow as an example , Open the lab every day mac Upper item2 terminal , Connect two expansion screens , Again ssh Connect to several servers , Switch to tmux, Most of the work can be done on one terminal .

so to speak , Use it well ssh, We can connect to the remote more comfortably ; Use the terminal well , Developers can complete their development work more smoothly ,** I sorted out some about Linux The books and notes for study are all here , If you want to go whoring for nothing, just click to get it .**

- [**Linux Study a collection of books and notes **](https://mp.weixin.qq.com/s?__biz=MzkzNjE1NTcyNQ==&mid=2247484482&idx=1&sn=00b0d901e54138676e93efba888cc037&chksm=c2a24b60f5d5c276b8d81c354293fd13413ef50e5425f1dda832f96a1dba5e3a2f19804a1d7e&token=1354826097&lang=zh_CN#rd)

Let's have a deep understanding of this article SSH, The general content is as follows :

* ** Working mechanism **

* ** Encryption technology **

* ** Prevent invasion **

* ** Function inventory **

* ** Common parameters **

* ** Service related **

* ** Security free setting **

* ** Troubleshoot problems **

* ** Batch distribution and management scheme **

* ** File configuration **

SSH( Remote connection tools ) Connection principle :ssh A service is a daemon (demon), The system monitors the connection of the client in the background ,ssh The process name of the server is sshd, Responsible for real-time monitoring of client requests (IP 22 port ), Including public key exchange and other information .

ssh Server side 2 Part of it is made up of : openssh( Provide ssh service ) openssl( Provide encrypted programs )

ssh The client can use XSHELL,Securecrt, Mobaxterm Wait for tools to connect

# SSH How it works

When the server starts, it generates a key itself (768bit Public key ), The local ssh The client sends a connection request to ssh The server , The server checks the data sent by the connection point client and IP Address , After confirming the validity, send the key (768bits) To the client , At this time, the client will use the local private key (256bit) And the public key of the server (768bit) Combined into a key pair key(1024bit), Send back to the server , Establish a connection through key-pair The data transfer .

![image](https://upload-images.jianshu.io/upload_images/24923247-22b36c9397aa1e27?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)

* 1. long-range Server received Client End user TopGun Login request for ,Server Send your public key to the user .

* 2.Client Use this public key , Encrypt password .

* 3.Client Send the encrypted password to Server End .

* 4. long-range Server Use your own private key , Decrypt login password , Then verify its legitimacy .

* 5. If the verification result , to Client Corresponding response

**Client How to ensure that the received public key is the target Server Terminal ?**

* 1.Client Store your public key in Server On , Append to file authorized_keys in .

* 2.Server Termination received Client After the connection request , Will be in authorized_keys Match to Client The public key pubKey, And generate random numbers R, use Client The random number is encrypted with the public key of pubKey(R)

, Then send the encrypted information to Client.

* 3.Client The client decrypts the private key to obtain the random number R, Then for random numbers R And this conversation SessionKey utilize MD5 Generate summary Digest1, Send to Server End .

* 4.Server The end will also be right R and SessionKey Use the same digest algorithm to generate Digest2.

* 5.Server The end will finally compare Digest1 and Digest2 Are they the same? , Complete the certification process .

Learn more ...

# SSH Encryption technology

![image](https://upload-images.jianshu.io/upload_images/24923247-fe5a9ae676aa7254?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)

Encryption technology : Transmission process , Data encryption .

1.SSH1 The client's secret key is not verified , It's easy to plant malicious code

2.SSH2 Added a confirmation of online correctness Diffe_Hellman Mechanism , Every data transmission ,Server Will check the correctness of the data sources , Avoid hacking .

SSH2 Support RSA and DSA secret key

DSA:digital signature Algorithm digital signature

RSA: It can be digitally signed and encrypted

# SSH A summary of knowledge

1.SSH It's a secure encryption protocol , For remote connection Linux The server

2.SSH The default port is 22, The security protocol version is SSH2

3.SSH The server side mainly includes 2 A service function SSH The connection and SFTP The server

4.SSH The client contains ssh Connect command and remote copy scp Orders, etc

# How to prevent SSH Login intrusion

1. Key login , Change port

2. Cattle array

3. Monitoring the local intranet IP(ListenAddress 192.168.25.*)

# SSH All functions

```

1. Sign in

ssh -p22 [email protected]

2. Direct command execution --> The best path

ssh [email protected] ls -ltr /backup/data

==>ssh [email protected] /bin/ls -ltr /backup/data

3. View known hosts

cat /root/.ssh/known_hosts

4.ssh Remote execution sudo command

ssh -t [email protected] sudo rsync hosts /etc/

5.scp

1. function --> Remote file security ( encryption ) Copy

scp -P22 -r -p /home/omd/h.txt [email protected]:/home/omd/

2.scp A summary of knowledge

scp It's encrypted remote copy ,cp For local copy

You can push it , You can also pull it over

Every time it's a full copy ( The efficiency is not high , For the first time ), Incremental copy uses rsync

6.ssh Self contained sftp function

1.Window and Linux The transmission tools

wincp filezip

sftp --> be based on ssh Secure encrypted transmission of

samba

2.sftp Client connection

sftp -oPort=22 [email protected]

put /etc/hosts /tmp

get /etc/hosts /home/omd

3.sftp Summary :

1.linux Use command : sftp -oPort=22 [email protected]

2.put Add client local path upload

3.get Download server-side content to local

4. Remote connection defaults to the user's home directory

```

# ssh Common command parameters

```

usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]

[-D [bind_address:]port] [-e escape_char] [-F configfile]

[-i identity_file] [-L [bind_address:]port:host:hostport]

[-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]

[-R [bind_address:]port:host:hostport] [-S ctl_path]

[-W host:port] [-w local_tun[:remote_tun]]

[[email protected]]hostname [command]

```

# About backstage ssh Service related

```

# Inquire about openssl Software

rpm -qa openssh openssl

# Inquire about sshd process

ps -ef | grep ssh

--> /usr/sbin/sshd

# see ssh port

netstat -lntup | grep ssh

ss | grep ssh ( The effect same as above , Same as below , To use )

netstat -a | grep ssh( Remember this )

netstat -lnt | grep 22 ==> see 22 Is the port open /ssh Is the service on

skill : netstat -lnt | grep ssh | wc -l --> As long as it is greater than 2 One is ssh Service is good

# see ssh My secret key directory

ll /root/.ssh/known_hosts # The name of the current user's home directory .ssh Under the table of contents

# ssh Configuration file for

cat /etc/ssh/sshd_config

# ssh Service shutdown

service sshd stop

# ssh Service opening :

service sshd start

# ssh Service restart

service sshd reload [ Stop the process and restart ] ==> recommend

service sshd restart [ Kill the process and restart it ] ==> Not recommended

# ssh Remote login

ssh 192.168.1.100 # By default, log in with the user name of the current host user

ssh [email protected] # Log in with the user of the remote machine

ssh [email protected] -o stricthostkeychecking=no # First time login is free yes Sign in

ssh [email protected] "ls /home/omd" # Current server A Remote login server B Then execute a command

ssh [email protected] -t "sh /home/omd/ftl.sh" # Current server A Remote login server B Then execute a script

```

# ssh Security free setting

![image](https://upload-images.jianshu.io/upload_images/24923247-6b9e41cf2baab640?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)

**1、 Go to the user's home directory **

```

[[email protected] ~]# cd /root/.ssh/ 【root The user is in root In the catalog .ssh Catalog 】

[[email protected] ~]# cd /home/omd/.ssh/ 【 Ordinary users are in the home directory .ssh Catalog 】

```

**2、 according to DSA Algorithm generates private key and public key 【 By default, it is set up in the home directory of the current user 】**

```

[[email protected] .ssh]# ssh-keygen -t dsa # All the way back

id_dsa --> Private key ( The key )

id_dsa.pub --> Public key ( lock )

```

**3. Copy the public key to the target server **

```

[[email protected] .ssh]# ssh-copy-id -i id_dsa.pub [email protected] 【 Use ssh Default port for login 22】

[[email protected] .ssh]# ssh-copy-id -i id_dsa.pub –p 666 [email protected] 【 Use ssh The port of the login settings 666】

```

**4\. View the files generated by the target server **

```

[[email protected] .ssh]$ ll /home/omd/.ssh/authorized_keys

```

**5\. Password free login to the target server **

```

ssh [email protected]

```

6\. Sum up the relationship between key and lock

```

1. Multiple keys to open a lock

hold id_dsa.pub Copy to each server

2. A key to open duobasuo

hold id_dsa To each server

hold id_dsa Pass it on to yourself

```

# ssh Troubleshoot problems

```

1. Judge whether the physical link is connected ping 192.168.25.130 line | A firewall | Is it the same network

ping Itself is icmp agreement

2. Judge whether the service is normal

telnet 192.168.25.130 22

3.Linux A firewall

service iptables status ==> /etc/init.d/iptables status

4. open ssh And then we can observe it

ssh -vvv [email protected]

```

# SSH Summary of batch distribution and management plan

![image](https://upload-images.jianshu.io/upload_images/24923247-185b2c571d8248cf?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)

**1. utilize root do ssh key verification **

> advantage : Simple , Easy to use

> shortcoming : Poor safety performance , There is no way to ban root Remote connection

**2. Using ordinary users omd ( recommend )**

> Ideas : Copy the files to be distributed to the home directory of the server user , And then use it sudo Right to copy the distributed files and corresponding directories

> advantage : Security

> shortcoming : complex , Configuration trouble

> 1.sudo Raise the right

> echo 'omd All=(All) NOPASSWD:/usr/bin/rsync' >> /etc/sudoers

> visudo -c

> grep omd /etc/sudoers

> 2.ssh Distribute to the home directory of the server

> ssh -p22 -r /etc/hosts [email protected]:~

> 3.ssh Use sudo Copy to the target server /etc

> ssh -t [email protected] sudo rsync hosts /etc/

**3. Expansion plan 2, no need sudo, It's about setting suid Power over fixed orders **

```

advantage : Quite safe

shortcoming : complex , Poor safety , Anyone can deal with suid Orders of authority

1.which rsync

2.chmod 4755 /usr/bin/rsync

```

# ssh Chapter summary

1.ssh Remote encrypted connection protocol , Related software openssh,openssl

2. Default port 22

3.ssh Version agreement

4. The server ssh Connect ,ftp Connect ,sshd Daemon , Boot up

5.ssh Important client commands :ssh( The user login && Remote command ),scp,sftp,

6. Security verification method : password , secret key Learning principles

7.ssh Service optimization : Change port , Change the monitor ,no root,no empty,no DNS,

8.ssh Key pair , The public key is on the server side , The private key is on the client

# modify ssh The startup file for the service sshd A few points of

```

1-1 modify /etc/ssh/sshd_config<br> GSSAPIAuthentication yes Solve the problem of one server managing multiple ssh service

UseDNS no Speed up the response, because in the Intranet environment

PermitRootLogin no Not running root Users log in directly

Port 11544 Change the access port number

ListenAddress 192.168.25.130 Only monitor the intranet IP

Match User anoncvs Users allowed to log in in the current environment

PermitRootLogin no Whether to allow root The user login , Generally, it is not allowed to drive

1-2 Restart the service

service sshd restart Write command into memory

service sshd reload( first ) reload It's a smooth access , Does not affect the use of users

1-3 Check the connection port

netstat -an | grep EST

```

# SSH skip HostKeyChecking, No input yes

SSH Skip input ssh skip RSA key fingerprint Input yes/no

In the configuration of a large number of nodes, we need ssh When connected , If you copy many nodes automatically , All need to input yes, Two nodes should communicate with each other once , It's going to cause a lot of trouble

** solve 1;** Modify the configuration file /etc/ssh/ssh_config

```

look for To # StrictHostKeyChecking ask

It is amended as follows :StrictHostKeyChecking no

```

** solve 2:** Add parameter –o 【o=option】

```

ssh [email protected] -o "StrictHostKeyChecking no"

```

**ssh Login with password sshpass Installation **

【 Download address 】[https://sourceforge.net/projects/sshpass/files/latest/download](https://sourceforge.net/projects/sshpass/files/latest/download)

Upload files to the server

**CentOS Lower installation :**

```

[[email protected] ~]# tar xf sshpass-1.06.tar.gz

[[email protected] ~]# cd sshpass-1.06

[[email protected] sshpass-1.06]# ./configure

[[email protected] sshpass-1.06]# make && make install

```

Check if the installation is successful :

```

[[email protected] sshpass-1.06]# which sshpass

/usr/local/bin/sshpass

```

Remote Login Host :

```

sshpass -p [email protected] ssh [email protected] -o "StrictHostKeyChecking no"

```

Be careful : If it's the first time to log in , You need to enter manual yes, here sshpass It doesn't give a hint , So login exception **Ubuntu Next installation method 1 [ recommend ]: Simple **

```

[email protected]-virtual-machine:~/sshpass-1.06$ sudo apt install sshpass

```

Installation successful :

```

[email protected]:~/sshpass-1.06$ which sshpass

```

**Ubuntu Installation method 2 :**

```

[email protected]:~$ tar xf sshpass-1.06.tar.gz

[email protected]:~$ cd sshpass-1.06/

omd @omd-virtual-machine:~/sshpass-1.06$ ./configure

[email protected]:~/sshpass-1.06$ sudo make && make install

The same CentOS Lower installation

```

# attach ssh Configuration file for

The configuration file is not posted here , Lest you say my water word number , I sorted this 《Linux The command of 》 There's... In it , There are other things about Linux Learning materials , You can share it for free , Click the blue word below to receive it directly

[**Linux Study a collection of books and notes **](https://mp.weixin.qq.com/s?__biz=MzkzNjE1NTcyNQ==&mid=2247484482&idx=1&sn=00b0d901e54138676e93efba888cc037&chksm=c2a24b60f5d5c276b8d81c354293fd13413ef50e5425f1dda832f96a1dba5e3a2f19804a1d7e&token=1354826097&lang=zh_CN#rd)

# end

Won't! , Don't you like it when you see here ? Is that reasonable? ? It's not reasonable !!!

copyright:author[Northward travel],Please bring the original link to reprint, thank you. https://en.javamana.com/2022/175/20210731203629343a.html