Chapter 2 remote login service in linux

Posted by jallard on Sat, 23 Oct 2021 15:17:22 +0200

Experimental environment:

westos-vmctl reset nodea
westos-vmctl reset nodeb  

In the virtual machine nodea:

  Perform the same operation in the virtual machine nodeb:

  hostnamectl set-hostname      ## Modify virtual machine name

1, Openssh features

1. Purpose of sshd service

Function: it can open the safe shell in the remote host through the network

Secure SHell                       ===> ssh         ## client
Secure SHell   daemon       ===> sshd        ## Server

2. Installation package: openssh server

3. Master profile:    / etc/ssh/sshd_conf

4. Default port: 22

5. Client command: ssh

2, Basic usage of ssh

ssh [-l Remote host user] <ip | hostname>

ssh -l root  ##Open the remote shell as root in the 139 host through the ssh command

First connection or execution   After rm -fr /root/.ssh /, the ID generation process will be confirmed. Log in again and directly enter passwd:


##When the revenue is < yes >, host 139 will send the identity public key to the current host and save the public key to ~ /. ssh/know_hosts
##139 the host holds the private key and authenticates the client host when the client host connects again.

On the server( nodea139 Host)
cd /etc/ssh/
cat  ##Sent from server storage client
rm -fr ssh_host_*
systemctl restart sshd     ##Restart sshd
cat   ##Check it again. It's different from the previous one

  After the server restarts sshd, the client is rejected. The effect is as follows:

  Solution: delete / root /. SSH / known_ The specified line in the hosts file

vim /root/.ssh/know_hosts ##Delete the line corresponding to the error prompt in this file
ssh -l root ##Connect again

  ssh common parameters:

-lDesignated login user
-iSpecify private key
-XOpen graphics
-fBackground operation

Specify connection parameters

# ssh -l root@172.25.254.x -O "stricthostkeychecking = no" you do not need to enter yes for the first connection


Specify connection springboard

# ssh -l root  -t  ssh -l root

  Specific operation:

-Xl open the drawing and specify the user

 - f   ## Background operation


-o specify connection parameters

  ssh -l root@172.25.254.x -o "StrictHostKeyChecking=no"    You do not need to enter yes for the first connection

 - t    ## Specify connection springboard

## ssh -l root -t ssh -l root

  Check in host 139: you can see that the ip address of remote login is

3, sshd key authentication

1. Type of certification

  • Symmetric encryption: encryption and decryption are the same string of characters. Easy to leak, can be brutally cracked, easy to forget
  • Asymmetric encryption:   The public key for encryption and the private key for decryption will not be stolen. The attacker cannot log in to the server without a key

2. Generate asymmetric encryption key

On the server (139 host)
cd /root/.ssh/
rm -fr /root/.ssh/
ssh-keyen -f /root/.ssh/id_rsa -P ""  ##Command to obtain the lock, - f file where the key is saved / root /. SSH / ID_ RSA - P password is empty
ssh-copy-id -i /root/.ssh/ root@  ##Encrypt server
scp /root/.ssh/id_rsa root@  ##Pass the key to nodeb

Log in the client (239 host) without secret:
ssh -l root  ##By default, the key is read from / root/.ssh /

Method 1: SSH keygen

  Method 2: SSH keygen - F / root /. SSH / ID_ rsa -P ""

  3. Encrypt the server

 ssh-copy-id -i /root/.ssh/  username@serverip

ssh-copy-id -i /root/.ssh/ root@

 # Testing#

ssh   - l root@    ## No password is required to log in as root user

  4, Detailed explanation of sshd security optimization parameters

setenforce 0
systemctl disable --now firewalld

Port 2222                     ##Set port to 2222
PermitRootLogin yes|no        ##Is super user login prohibited
PasswordAuthentication yes|no ##Enable the original password authentication method
AllowUsers lee                ##User whitelist
DenyUsers lee                 ##User blacklist

1. PasswordAuthentication no    ## Do not turn on the original password authentication method

Test: other clients cannot log in remotely through password authentication:

2. PermitRootLogin no         ## Prohibit super user login

Test: super users are forbidden to log in, while ordinary users can log in:


  3.DenyUsers westos   ## User blacklist

  Test: westos users cannot log in, and other users can log in remotely

4.AllowUsers lee                 ## User whitelist

Test: except that users in the white list can log in, other users cannot log in remotely, nor can root user


  5.Port 2222           ## Set port to 2222


  Test: you need to specify a port to log in remotely (the default port is 22)

5, Construction of bridge

Experimental environment:

At In the host, first shut down all virtual machines and execute the following command:
westos-network common ##Clear the previously set network configuration in the host
ifconfig          ##see

1. In the nodeb of the virtual machine, delete the previous network card and add a new network card (NAT)

2. Enter nodeb:

nmcli connection add con-name westos ifname ens3 ipv4.method auto type ethernet
nmcli connection reload
nmcli connection  show


3. Build a bridge in the host:  

cd /etc/sysconfig/network-scripts/
vim ifcfg-enp2s0
cat ifcfg-enp2s0
vim ifcfg-br0
cat ifcfg-br0
nmcli connection reload 
nmcli connection up br0
nmcli connection up enp2s0
bridge link
systemctl restart libvirtd

4. Test: check nodeb network card (not only NAT but also Bridage bridge)


Topics: Linux Operation & Maintenance ssh