OpenSSH

Posted by 吃饭睡觉打豆豆

Editor's note: this article was compiled by the editors of 小常识网 (cha138.com). It introduces OpenSSH, and we hope it is of some reference value to you.

Command: netstat -tnl   list the TCP ports the current host is listening on

#Options
-n or --numeric    show numeric addresses and ports instead of resolving them through DNS
-t or --tcp        show TCP sockets
-u or --udp        show UDP sockets
-l or --listening  show only listening (server) sockets
-p or --programs   show the PID and name of the program owning each socket (you need root to see sockets owned by other users)

On current distributions netstat comes from the optional net-tools package; ss -tnlp from iproute2 gives the same view and is installed by default.

The Telnet protocol

  • TCP/23
  • plaintext transmission: usernames, passwords and everything typed in the session cross the network unencrypted
  • remote login protocol

What is SSH

  • short for Secure Shell
  • encrypted transmission
  • TCP/22
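As an added example (not code from the original post), the following Python script parses the kind of output netstat -tnl produces and reports on the two protocols just listed: a Telnet listener on TCP/23, which moves credentials in the clear, and an sshd listener on TCP/22 bound to every interface, which the ListenAddress directive in sshd_config can restrict. The sample output embedded in the script is constructed by hand to look like netstat output and is not a capture from a real host.

```python
"""Parse `netstat -tnl` style output and flag plaintext remote-login listeners.

Added example, not code from the original post. The sample below is a
hand-constructed imitation of `netstat -tnl` output, not a real capture.
"""
import sys

# Constructed sample: a host running both sshd (TCP/22) and an old telnetd
# (TCP/23). The two header lines are included so the parser has to skip them,
# exactly as it must with real output.
SAMPLE_NETSTAT_TNL = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
"""

# Telnet carries credentials in the clear; SSH is its encrypted replacement.
PLAINTEXT_LOGIN_PORTS = {23: "telnet"}
ENCRYPTED_LOGIN_PORTS = {22: "ssh"}
ALL_INTERFACES = ("0.0.0.0", "::")


def parse_listeners(output):
    """Return [(proto, address, port)] for every LISTEN line in netstat output.

    Works for `netstat -tnl` and `netstat -tnlp` (the extra PID column comes
    after State). IPv6 addresses such as ":::22" are split on the last ':'.
    """
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        # Header lines do not start with "tcp"; -t output has no other protocols.
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        if fields[5] != "LISTEN":
            continue
        proto, local = fields[0], fields[3]
        addr, _, port = local.rpartition(":")
        listeners.append((proto, addr, int(port)))
    return listeners


def audit_listeners(listeners):
    """Return one finding string per listener worth a second look."""
    findings = []
    for proto, addr, port in listeners:
        if port in PLAINTEXT_LOGIN_PORTS:
            findings.append(
                f"{PLAINTEXT_LOGIN_PORTS[port]} listening on {addr}:{port} ({proto}): "
                "plaintext remote login, credentials are exposed on the wire")
        elif port in ENCRYPTED_LOGIN_PORTS and addr in ALL_INTERFACES:
            findings.append(
                f"{ENCRYPTED_LOGIN_PORTS[port]} bound to all interfaces on "
                f"{addr}:{port} ({proto}): restrict with ListenAddress if unintended")
    return findings


if __name__ == "__main__":
    # Read real netstat output from a pipe, otherwise use the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT_TNL
    for finding in audit_listeners(parse_listeners(text)):
        print(finding)
```

On a real host run it as netstat -tnl | python3 listeners.py; the parser expects the netstat column layout, so output from ss (which puts State first) would need a different splitter.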

What is OpenSSH

OpenSSH is a free, open-source implementation of the Secure Shell (SSH) protocol suite.

Configuration files

  Server   /etc/ssh/sshd_config

  Client   /etc/ssh/ssh_config

  Server configuration file (the notes to the right of a directive below are annotations for this article, not part of the file: sshd_config does not accept trailing comments on a directive line, only whole lines starting with #)

# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22        listening port
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2    protocol version; current OpenSSH speaks only SSH-2 (SSH-1 support was removed), so this line is ignored
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key    host key (the key pair that identifies this server to clients)
HostKey /etc/ssh/ssh_host_dsa_key     host key (DSA; disabled by default since OpenSSH 7.0, not worth keeping)
HostKey /etc/ssh/ssh_host_ecdsa_key    host key
HostKey /etc/ssh/ssh_host_ed25519_key   host key (preferred)
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes    privilege separation is always on in current OpenSSH; the directive is deprecated and ignored

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600   how often the SSH-1 ephemeral server key was regenerated, in seconds (SSH-1 only; this is not the client's session key, and current versions ignore the line)
ServerKeyBits 1024      size in bits of that SSH-1 ephemeral server key (SSH-1 only; ignored by current versions)

# Logging
SyslogFacility AUTH     syslog facility sshd logs to
LogLevel INFO      log level

# Authentication:
LoginGraceTime 120      login grace period: seconds a client has to finish authenticating before sshd drops the connection
#PermitRootLogin prohibit-password
PermitRootLogin yes        whether root may log in directly; yes allows root password logins and is the weak setting, prohibit-password (the current default) allows root only with a key, no forbids root logins entirely
StrictModes yes              strict mode: refuse the login if the user's home directory or ~/.ssh files are writable by other users
RSAAuthentication yes             SSH-1 RSA authentication (SSH-1 only; ignored by current versions)
PubkeyAuthentication yes        key-based login
#AuthorizedKeysFile     %h/.ssh/authorized_keys    where the user's authorized public keys are read from; %h expands to the home directory

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no    host-based authentication: trust derived from the client host's key rather than the user's credentials
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes       whether password authentication is enabled; the default is yes, so with this line commented out password logins stay enabled until it is set to no explicitly

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes    forward X11 connections to the client; a compromised server can use the forwarded channel against the client's display, so leave it off unless it is needed
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes      show the time and source of the previous login
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server      SFTP subsystem

# Set this to yes to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to no.
UsePAM yes
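The Python script below is an added example, not code from the original post or from the OpenSSH project. It reads an sshd_config excerpt the way sshd does in two respects that trip people up (keywords are case-insensitive, and when a keyword appears more than once the first value wins, so a hardening line appended at the end of the file changes nothing), fills in the current OpenSSH defaults for keywords left unset, reports the weak settings from the listing above next to a hardened counterpart, and flags the SSH-1-era keywords that current sshd accepts only as deprecated no-ops. Both config excerpts in the script are constructed for the example; the defaults table and the obsolete-keyword list are assumptions about current OpenSSH releases and should be confirmed against sshd -T on the target host.

```python
"""Audit an sshd_config excerpt for the weak settings discussed on this page.

Added example, not code from the original post or the OpenSSH project. The
DEFAULTS and OBSOLETE tables are assumptions about current OpenSSH releases;
confirm them on a real host with `sshd -T`, which prints the effective config.
"""
import re
import sys

# Values sshd applies when the keyword is absent from the file (assumption).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
    "x11forwarding": "no",
}

# SSH-1-era keywords current sshd accepts only as deprecated no-ops (assumption).
OBSOLETE = {"protocol", "keyregenerationinterval", "serverkeybits",
            "rsaauthentication", "rhostsrsaauthentication",
            "useprivilegeseparation"}

# Keyword -> why a value of "yes" is a finding.
WEAK_IF_YES = {
    "PermitRootLogin": "root can log in with a password; use prohibit-password or no",
    "PasswordAuthentication": "online password guessing is possible (yes is also the "
                              "default when the line is commented out); set no once "
                              "key-based login is verified to work",
    "PermitEmptyPasswords": "accounts with an empty password can log in",
    "X11Forwarding": "a compromised server can reach the client's X display; set no "
                     "unless it is needed",
}

# A directive line: keyword, optional '=', argument. Keywords are case-insensitive.
_DIRECTIVE = re.compile(r"^(\w+)\s*=?\s*(.*?)\s*$")

# Constructed excerpt modelled on the listing above; not a real host's file.
WEAK_CONFIG = """\
Port 22
Protocol 2
KeyRegenerationInterval 3600
ServerKeyBits 1024
PermitRootLogin yes
RSAAuthentication yes
PubkeyAuthentication yes
PermitEmptyPasswords no
#PasswordAuthentication yes
X11Forwarding yes
# Appended later to "harden" the host; ignored, because the first value wins.
PermitRootLogin no
"""

# The corrected counterpart, with every weak setting set explicitly.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding no
"""


def parse_sshd_config(text):
    """Return {keyword_lower: value} for the global section; first value wins.

    Parsing stops at the first Match block: keywords inside it apply only to
    the connections the block matches and need a separate per-match audit.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if not m or not m.group(2):
            continue  # keyword without an argument; sshd itself rejects this
        keyword, value = m.group(1).lower(), m.group(2)
        if keyword == "match":
            break
        effective.setdefault(keyword, value)  # later duplicates are ignored
    return effective


def effective_value(effective, keyword):
    """Value sshd would use: the first one in the file, else the default."""
    keyword = keyword.lower()
    return effective.get(keyword, DEFAULTS.get(keyword))


def audit_sshd_config(text):
    """Return the effective global settings plus findings and obsolete keywords."""
    effective = parse_sshd_config(text)
    findings = []
    for keyword, why in WEAK_IF_YES.items():
        value = effective_value(effective, keyword)
        if value is not None and value.lower() == "yes":
            findings.append(f"{keyword} yes: {why}")
    obsolete = sorted(k for k in effective if k in OBSOLETE)
    return {"effective": effective, "findings": findings, "obsolete": obsolete}


if __name__ == "__main__":
    # With a path argument audit that file, otherwise audit both embedded excerpts.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {"weak excerpt": WEAK_CONFIG, "hardened excerpt": HARDENED_CONFIG}
    for name, text in samples.items():
        report = audit_sshd_config(text)
        print(f"== {name}: {len(report['findings'])} finding(s)")
        for item in report["findings"] + [f"obsolete keyword: {k}" for k in report["obsolete"]]:
            print("  -", item)
```

Run it as python3 audit.py /etc/ssh/sshd_config on a host; because the parser deliberately stops at the first Match block, compare its output with sudo sshd -T, which prints the configuration sshd actually uses, including the effect of Include files and the sshd build's real defaults.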

 
