Remote Access Control in CentOS 7.4

Article directory
1. SSH Remote Management
2. Use SSH client program
3. Build an SSH system with key pair verification

1. SSH Remote Management

SSH is a secure channel protocol used mainly for remote login and remote copy in a character (command-line) interface. The SSH protocol encrypts the data transmitted between both parties, including the password the user enters at login. It provides better security than earlier applications such as Telnet, RSH, and RCP.

1. Configure OpenSSH server

In CentOS 7.4, the OpenSSH server is provided by packages such as openssh and openssh-server, which are installed by default, and sshd is already registered as a standard system service. The sshd service can be started with the command "systemctl start sshd". Most users, including root, can then log on to the system remotely. The configuration file of the sshd service is /etc/ssh/sshd_config by default. Adjusting its configuration items correctly can further improve the security of sshd remote login.

1) Service monitoring options

The sshd service listens on port 22 by default. It is recommended to change this port number if necessary and to specify the IP address the service listens on, to improve concealment in the network. SSH protocol version 2 is more secure than version 1, and disabling DNS reverse resolution improves the server's response speed.

[root@centos01 ~]# vim /etc/ssh/sshd_config <!--Edit the sshd main configuration file-->
Port 22         <!--Listening port is 22-->
ListenAddress 192.168.100.10    <!--The listening address is 192.168.100.10-->
Protocol 2        <!--Use SSH protocol version 2-->
UseDNS no    <!--Disable DNS reverse resolution-->
......             <!--Some content omitted here-->
[root@centos01 ~]# systemctl restart sshd <!--Restart the sshd service-->

2) User login control

The sshd service allows the root user to log on by default, which is very insecure on the Internet. For user login control, root and users with empty passwords should generally be prohibited from logging in. In addition, you can limit the time allowed for login validation (default is 2 minutes) and the maximum number of retries; the connection is dropped if login has not succeeded within these limits.

[root@centos01 ~]# vim /etc/ssh/sshd_config <!--Edit the sshd main configuration file-->
LoginGraceTime 2m       <!--Login validation must complete within 2 minutes-->
PermitRootLogin no      <!--Prohibit root user login-->
MaxAuthTries 6               <!--Maximum number of retries is 6-->
PermitEmptyPasswords no       <!--Prevent users with empty passwords from logging on-->
......             <!--Some content omitted here-->
[root@centos01 ~]# systemctl restart sshd <!--Restart the sshd service-->

2. Logon Authentication Method

In addition to the security control of user accounts, the method of login authentication is also important for remote server management. The sshd service supports two authentication methods, password and key pair verification, and can be set to use only one of them or both.

  • Password authentication: verifies the login name and password of a local system user on the server. This is the easiest method to use, but from the client's point of view the server being connected to may be counterfeit, and from the server's point of view the defense is weak against a third party that brute-forces passwords.
  • Key pair validation: requires matching key information to pass validation. Typically, a pair of key files (public key, private key) is created on the client, and the public key file is then placed in the specified location on the server. At remote login, the system uses the public key and the private key for an encryption/decryption association check, which greatly enhances the security of remote management. This method is not easily counterfeited, allows login without interaction, and is widely used in shell.

When both password validation and key pair validation are enabled, the server gives precedence to key pair validation. For servers with higher security requirements, it is recommended that password authentication be disabled and only key pair authentication be enabled; both methods can be enabled when there are no special requirements.

[root@centos01 ~]# vim /etc/ssh/sshd_config <!--Edit the sshd main configuration file-->
PubkeyAuthentication yes         <!--Enable key pair validation-->
AuthorizedKeysFile      .ssh/authorized_keys <!--Specify the public key library file-->
PasswordAuthentication yes        <!--Enable password validation-->
......              <!--Some content omitted here-->
[root@centos01 ~]# systemctl restart sshd <!--Restart the sshd service-->

The public key library file stores the public key text uploaded by multiple clients, which is matched against each client's local private key file.
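
The login control and authentication settings above can be checked mechanically. The script below is an added example, not part of the original article: it reads an sshd_config the way sshd does (first value for a keyword wins, keywords are case-insensitive, global settings end at the first Match line) and reports deviations from the stricter policy recommended above for high-security servers. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: audit an sshd_config file
# against the login and authentication settings discussed above.

# Print the effective global value of a keyword. sshd keeps the FIRST value it
# reads for a keyword and matches keywords case-insensitively; lines after a
# "Match" line are conditional, so parsing stops there.
# Assumption: keyword and value are separated by whitespace, not "=".
effective_value() {   # usage: effective_value <keyword> <file>
    awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*(#|$)/         { next }
        tolower($1) == "match" { exit }
        tolower($1) == want    { print tolower($2); exit }
    ' "$2"
}

# Print one line per deviation from the policy; return 0 only if none is found.
# An unset keyword is reported too, so nothing relies on a built-in default.
audit_sshd_config() {   # usage: audit_sshd_config <file>
    rc=0
    for rule in protocol=2 permitrootlogin=no permitemptypasswords=no \
                pubkeyauthentication=yes passwordauthentication=no; do
        key=${rule%%=*}; want=${rule#*=}
        got=$(effective_value "$key" "$1")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: got '${got:-unset}', want '$want'"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: sshd ignores the later "permitrootlogin no" line, and the
# Match block applies only to the (made-up) user "backup".
sample=$(mktemp)
cat > "$sample" <<'EOF'
Protocol 2
#PermitRootLogin no
PermitRootLogin yes
permitrootlogin no
PermitEmptyPasswords no
PubkeyAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
audit_sshd_config "$sample" || true   # prints: FAIL permitrootlogin: got 'yes', want 'no'
```

Run it against a copy of /etc/ssh/sshd_config before restarting sshd; a duplicate keyword lower in the file has no effect, which is the most common reason an edit appears not to work.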

2. Use SSH client program

In CentOS 7.4, the OpenSSH client is provided by the openssh-clients package (installed by default), which includes the ssh remote login command and the scp and sftp remote copy and file transfer commands.

1. Command program ssh Remote Login

The ssh command logs in to the sshd service remotely and gives users a secure shell environment for managing and maintaining the server. The login user and the destination host address are given as parameters. Examples are as follows:

[root@centos02 ~]# ssh root@192.168.100.10
root@192.168.100.10's password: 
Last login: Mon Nov 11 19:02:50 2019 from 192.168.100.254
[root@centos01 ~]# 
[root@centos01 ~]# 
[root@centos01 ~]# ssh root@192.168.100.10
The authenticity of host '192.168.100.10 (192.168.100.10)' can't be established.
ECDSA key fingerprint is SHA256:PUueT9fU9QbsyNB5NC5hbSXzaWxxQavBxXmfoknXl4I.
ECDSA key fingerprint is MD5:6d:f7:95:0e:51:1a:d8:9e:7b:b6:3f:58:51:51:4b:3b.
Are you sure you want to continue connecting (yes/no)? yes   <!--Accept Key-->
Warning: Permanently added '192.168.100.10' (ECDSA) to the list of known hosts.
root@192.168.100.10's password:     <!--Input password-->
Last login: Mon Nov 11 19:03:08 2019 from 192.168.100.20
[root@centos01 ~]# who <!--Confirm the current users-->
root     pts/1        2019-11-11 19:03 (192.168.100.20)
root     pts/2        2019-11-11 19:04 (192.168.100.10)

If the sshd server uses a non-default port (such as 2222), you must specify the port number with the '-p' option when logging in. Examples are as follows:

[root@centos01 ~]# vim /etc/ssh/sshd_config <!--Modify the SSH main configuration file-->
Port 2222          <!--Change the listening port to 2222-->
[root@centos01 ~]# systemctl restart sshd <!--Restart the sshd service-->
[root@centos02 ~]# ssh -p 2222 root@192.168.100.10 <!--Client login with ssh-->
root@192.168.100.10's password:          <!--Input password-->
Last login: Mon Nov 11 19:20:28 2019 from 192.168.100.10
[root@centos01 ~]#           <!--Successful login-->

2. scp remote replication

With the scp command, files can be copied to and from remote hosts over a secure SSH connection. In addition to the source and destination of the copy, the destination host address and the login user must be specified; after the command is run, enter the authentication password as prompted. Examples are as follows:

[root@centos02 ~]# scp root@192.168.100.10:/etc/ssh/sshd_config ./          <!--Copy a file from the remote host to the current local directory-->
root@192.168.100.10's password:      <!--Input password-->
sshd_config                   100% 3910     3.6MB/s   00:00
[root@centos02 ~]# scp -r ./sshd_config root@192.168.100.10:/opt          <!--Upload a local file to the /opt directory on the remote host-->
root@192.168.100.10's password:      <!--Input password-->
sshd_config                   100% 3910     1.2MB/s   00:00

3. sftp Secure FTP

With the sftp command, files can be uploaded to and downloaded from the remote host over a secure SSH connection. Its login process and interactive environment are similar to FTP, which makes directory resource management convenient. Examples are as follows:

[root@centos01 ~]# cd /opt/ <!--Enter the /opt directory-->
[root@centos01 opt]# sftp root@192.168.100.20 <!--Log on with sftp-->
root@192.168.100.20's password:      <!--Input password-->
Connected to 192.168.100.20.
sftp> pwd        <!--Show the remote working directory after login; defaults to the user's home directory-->
Remote working directory: /root
sftp> put sshd_config       <!--Upload data to remote host-->
Uploading sshd_config to /root/sshd_config
sshd_config                   100% 3910     6.4MB/s   00:00    
sftp> get sshd_config         <!--Download data locally-->
Fetching /root/sshd_config to sshd_config
/root/sshd_config             100% 3910     3.6MB/s   00:00    
sftp> exit                  <!--Log out-->

3. Build an SSH system with key pair verification

Key pair authentication provides better security for remote login. This section covers the basic process of building an SSH system with key pair verification between a Linux server and client. As shown in the figure below, the process consists of four steps: first, create a key pair as the user zhangsan on the SSH client; then upload the created public key file to the SSH server; then import the public key information into the server-side public key database of the target user lisi; and finally log in as the server-side user lisi.

1. Create key pairs on clients

On the client, create a key pair file for the current user with the ssh-keygen tool. The available encryption algorithms are ECDSA or DSA (the '-t' option of the ssh-keygen command specifies the algorithm type). Examples are as follows:

[root@centos02 ~]# ssh-keygen -t dsa <!--Create key pair-->
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):   <!--Specify Private Key Location-->
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):  <!--Set private key phrase-->
Enter same passphrase again:        <!--Confirm the phrase you set-->
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
SHA256:zv0EdqIuOfwSovN2Dkij08y9wZ0f1+IyhY7LFNKKzkk root@centos02
The key's randomart image is:
+---[DSA 1024]----+
|                 |
|                 |
|                 |
|     .           |
|  o . o S.+ .    |
| * *.+.=.+.=     |
|o E.*o+==.+ o    |
| =o..*Oo++ +     |
|  ++oo+*+o. .    |
+----[SHA256]-----+
[root@centos02 ~]# ls -lh ~/.ssh/id_dsa* <!--Confirm the generated key files-->
-rw------- 1 root root 668 Nov 12 16:11 /root/.ssh/id_dsa
-rw-r--r-- 1 root root 603 Nov 12 16:11 /root/.ssh/id_dsa.pub

Of the newly generated key pair files, id_dsa is the private key file, with default permissions of 600. The private key file must be stored safely and never leaked to others; id_dsa.pub is the public key file, which is provided to the SSH server.

2. Upload the public key file to the server

Upload the public key file generated in the previous step to the server and deploy it to the server-side user's public key database. The public key file can be uploaded by any method, such as SCP, FTP, HTTP, or even e-mail.

[root@centos02 ~]# ssh-copy-id -i ./.ssh/id_dsa.pub root@192.168.100.10 <!--Upload the public key file to the server and import the public key text-->
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "./.ssh/id_dsa.pub"
The authenticity of host '192.168.100.10 (192.168.100.10)' can't be established.
ECDSA key fingerprint is SHA256:PUueT9fU9QbsyNB5NC5hbSXzaWxxQavBxXmfoknXl4I.
ECDSA key fingerprint is MD5:6d:f7:95:0e:51:1a:d8:9e:7b:b6:3f:58:51:51:4b:3b.
Are you sure you want to continue connecting (yes/no)? yes   <!--input yes-->
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.100.10's password:      <!--Input password-->

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@192.168.100.10'"
and check to make sure that only the key(s) you wanted were added.

3. Validate using key pairs on clients

Once the private key file (client) and the public key file (server) are in place, the setup can be tested from the client. First confirm that the current user on the client is root, then log in remotely as the server-side user root with the ssh command. If key pair validation is configured successfully, the client asks for the private key phrase in order to use the private key file for matching (if no private key phrase was set, the login to the target server proceeds directly).

[root@centos02 ~]# ssh root@192.168.100.10 <!--Log on to ssh server-->
Last login: Tue Nov 12 16:03:56 2019 from 192.168.100.254
[root@centos01 ~]# who <!--After logging on to the server, list the logged-in users-->
root     pts/0        2019-11-12 17:35 (192.168.100.20)
root     pts/2        2019-11-12 16:03 (192.168.100.254)
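
Step 2 notes that the public key may reach the server by any method; when ssh-copy-id is not used, the import into the user's public key database has to be done by hand on the server. The script below is an added example, not part of the original article, showing that import with the file permissions sshd expects and without adding the same key twice. The helper name install_pubkey and the placeholder key text are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: import an uploaded public key
# into a user's authorized_keys by hand (the server-side half of step 2).
# install_pubkey is a hypothetical helper name.

install_pubkey() {   # usage: install_pubkey <pubkey-file> <home-dir>
    pub=$1; sshdir=$2/.ssh; auth=$sshdir/authorized_keys
    # Accept exactly one line shaped like "<type> <base64> [comment]"; this
    # also rejects a private key file uploaded by mistake.
    if [ "$(grep -c . "$pub")" -ne 1 ] ||
       ! grep -Eq '^(ssh|ecdsa)-[a-z0-9-]+ [A-Za-z0-9+/=]+( .*)?$' "$pub"; then
        echo "not a single public key line: $pub" >&2
        return 2
    fi
    # With StrictModes (the default), sshd rejects key files and directories
    # that other users can write to, so set the modes explicitly.
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$auth" && chmod 600 "$auth"
    # Match on the base64 blob so a changed comment does not add a duplicate.
    blob=$(awk '{ print $2; exit }' "$pub")
    if grep -qF -- "$blob" "$auth"; then
        echo "already present"
    else
        cat "$pub" >> "$auth"
        echo "added"
    fi
}

# Constructed demo in a scratch directory; the key text is a placeholder,
# not a real key.
demo_home=$(mktemp -d)
printf 'ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER root@centos02\n' > "$demo_home/id_dsa.pub"
install_pubkey "$demo_home/id_dsa.pub" "$demo_home"   # prints: added
install_pubkey "$demo_home/id_dsa.pub" "$demo_home"   # prints: already present
```

When root runs this on behalf of another account such as lisi, the .ssh directory and authorized_keys must also be chowned to that user, because StrictModes checks ownership as well as modes.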

Tags: Linux ssh sftp openssh vim

Posted on Tue, 12 Nov 2019 16:00:33 -0500 by FRSH