SSH server

Introduction

SSH uses a client/server architecture, and different software runs at each end. In OpenSSH the client program is ssh and the server program is sshd. This chapter covers sshd.

If sshd is not installed, you can install it with the following command.

# Debian
$ sudo aptitude install openssh-server

# Red Hat
$ sudo yum install openssh-server

Normally sshd starts automatically with the system once it is installed. If it is not currently running, start it with the following command.

$ sshd

If the command above responds with "sshd re-exec requires execution with an absolute path", you must start it with its absolute path. This guards against someone placing a program of the same name in a directory on $PATH so that it runs instead of the real sshd.

# Centos, Ubuntu, OS X
$ /usr/sbin/sshd

After the command above runs, sshd puts itself into the background, so there is no need to append & to the command.

Besides running the executable directly, you can also manage sshd through systemd.

# Start
$ sudo systemctl start sshd.service

# Stop
$ sudo systemctl stop sshd.service

# Restart
$ sudo systemctl restart sshd.service

The following command makes sshd start automatically at the next boot.

$ sudo systemctl enable sshd.service

sshd configuration file

sshd's configuration lives in the /etc/ssh directory: the main configuration file is sshd_config, and alongside it are the host keys generated during installation.

- /etc/ssh/sshd_config: configuration file.
- /etc/ssh/ssh_host_ecdsa_key: ECDSA private key.
- /etc/ssh/ssh_host_ecdsa_key.pub: ECDSA public key.
- /etc/ssh/ssh_host_key: RSA private key for SSH protocol version 1.
- /etc/ssh/ssh_host_key.pub: RSA public key for SSH protocol version 1.
- /etc/ssh/ssh_host_rsa_key: RSA private key for SSH protocol version 2.
- /etc/ssh/ssh_host_rsa_key.pub: RSA public key for SSH protocol version 2.
- /etc/pam.d/sshd: PAM configuration file.

Note that reinstalling sshd regenerates the keys above. When a client next connects to the server, it will show a host key warning and refuse the connection. To avoid this, back up the /etc/ssh directory before reinstalling sshd and restore it afterwards.

In sshd_config each directive occupies one line, consisting of a configuration item and its value separated by a space. Configuration item names are case-insensitive.

Port 2034

The line above sets the configuration item Port to 2034. Port can equally be written as port.

An alternative format places an equal sign between the configuration item and the value; the spaces around the equal sign are optional.

Port = 2034

In the configuration file, lines beginning with # indicate comments.

# This is a line of comment

Note that comments can only be placed at the beginning of a line, not at the end of a line.

Port 2034 # Comments are not allowed here

The line above is invalid.

Blank lines are treated the same as comments.

When sshd starts, it reads the default configuration file automatically. To use a different configuration file, specify it with the -f option of the sshd command.

$ sshd -f /usr/local/ssh/my_config

The command above tells sshd to use the alternative configuration file my_config.

After modifying the configuration file, you can use the -t (test) option of the sshd command to check it for syntax errors.

$ sshd -t

Changes to the configuration file do not take effect automatically; sshd must be restarted.

$ sudo systemctl restart sshd.service

sshd key

sshd has one or more key pairs of its own, which it uses to prove its identity to clients. Each key is a public/private pair, and the public key's file name is usually the private key's file name with the suffix .pub.

The default DSA key file is /etc/ssh/ssh_host_dsa_key (public key ssh_host_dsa_key.pub), and the default RSA key file is /etc/ssh/ssh_host_rsa_key (public key ssh_host_rsa_key.pub). If you need to support the SSH 1 protocol, you must also have the key /etc/ssh/ssh_host_key.

If the keys are not in the default files, specify them with the HostKey configuration item in sshd_config. The default HostKey settings look like this.

# HostKey for protocol version 1
# HostKey /etc/ssh/ssh_host_key

# HostKeys for protocol version 2
# HostKey /etc/ssh/ssh_host_rsa_key
# HostKey /etc/ssh/ssh_host_dsa_key

The # at the start of these lines marks them as comments: because they state the default values, the result is the same whether or not the lines are present.

To change the keys, remove the # at the start of the line and point HostKey at the new key files.

HostKey /usr/local/ssh/my_dsa_key
HostKey /usr/local/ssh/my_rsa_key
HostKey /usr/local/ssh/my_old_ssh1_key

sshd configuration items

The following are the configuration items in the /etc/ssh/sshd_config file.

AcceptEnv

AcceptEnv specifies which environment variables the client may send with its SendEnv option, that is, the list of server environment variables the client is allowed to set. Variable names are separated by spaces (AcceptEnv PATH TERM).

AllowGroups

AllowGroups specifies the user groups allowed to log in (AllowGroups groupName); multiple groups are separated by spaces. If this option is not set, all groups are allowed to log in.

AllowUsers

AllowUsers specifies the users allowed to log in. User names are separated by spaces (AllowUsers user1 user2), or can be spread over multiple AllowUsers lines. User names support wildcards. If this item is not set, all users are allowed to log in. The username@domain form is also accepted (such as AllowUsers jones@example.com).

AllowTcpForwarding

AllowTcpForwarding specifies whether port forwarding is allowed; the default is yes (AllowTcpForwarding yes). The value local allows only local port forwarding, and remote allows only remote port forwarding.

AuthorizedKeysFile

AuthorizedKeysFile specifies the file holding the user's public keys. The default is .ssh/authorized_keys in the user's home directory (AuthorizedKeysFile .ssh/authorized_keys).

Banner

Banner specifies a message file that sshd displays to the user at login (Banner /usr/local/etc/warning.txt). By default nothing is displayed.

ChallengeResponseAuthentication

ChallengeResponseAuthentication specifies whether the "keyboard-interactive" authentication scheme is used; the default is yes (ChallengeResponseAuthentication yes).

In theory the "keyboard-interactive" scheme can ask the user several questions, but in practice it usually only asks for the user's password. To disable password-based authentication completely, set both PasswordAuthentication and ChallengeResponseAuthentication to no.

Ciphers

Ciphers specifies the encryption algorithms sshd accepts (Ciphers 3des-cbc); multiple algorithms are separated by commas.

ClientAliveCountMax

ClientAliveCountMax specifies how many times the server tries to reach the client after the client stops responding on an established connection (ClientAliveCountMax 8).

ClientAliveInterval

ClientAliveInterval specifies how long the client may remain idle, in seconds (ClientAliveInterval 180). If the client sends nothing within this period, the SSH connection is closed.

Compression

Compression specifies whether data transmitted between the client and the server is compressed. The default is yes (Compression yes).

DenyGroups

DenyGroups specifies user groups that are not allowed to log in (DenyGroups groupName).

DenyUsers

DenyUsers specifies the users who are not allowed to log in (DenyUsers user1); user names are separated by spaces, or can be spread over multiple DenyUsers lines.

FascistLogging

Only for SSH version 1; makes the log output all debug information (FascistLogging yes).

HostKey

HostKey specifies the key of the sshd server, see above for details.

KeyRegenerationInterval

KeyRegenerationInterval specifies how often the SSH version 1 server key is regenerated, in seconds; the default is 3600 seconds (KeyRegenerationInterval 3600).

ListenAddress

ListenAddress specifies the local IP address sshd listens on, that is, the address on which sshd is enabled. The default is 0.0.0.0 (ListenAddress 0.0.0.0), meaning all network interfaces of the machine. It can be changed to listen on a single interface (such as ListenAddress 192.168.10.23), or the address can be given as a domain name (such as ListenAddress server.example.com).

To listen on several specific IP addresses, use multiple ListenAddress lines.

ListenAddress 172.16.1.1
ListenAddress 192.168.0.1

LoginGraceTime

LoginGraceTime specifies the maximum time, in seconds, that a client may sit idle during login; for example, if the user does not enter a password within this period, the connection is closed automatically (LoginGraceTime 60). A value of 0 means no limit.

LogLevel

LogLevel specifies how detailed the log is. The possible values, in order, are QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, DEBUG3; the default is INFO (LogLevel INFO).

MACs

MACs specifies the message authentication code (data integrity) algorithms sshd accepts (MACs hmac-sha1); multiple algorithms are separated by commas.

MaxAuthTries

MaxAuthTries specifies the maximum number of login attempts per connection (MaxAuthTries 3). Once the password has been entered incorrectly that many times, the SSH connection is closed.

MaxStartups

MaxStartups specifies how many concurrent SSH connections are allowed (MaxStartups). A value of 0 means no limit.

This item can also take the form A:B:C, such as MaxStartups 10:50:20, which means that once there are 10 concurrent connections, each further connection is rejected with 50% probability, and once there are 20 concurrent connections, all further connections are rejected.
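To make the A:B:C form concrete, here is an added example (shell, not code from the original text) that computes the percentage of new connections sshd refuses at a given number of concurrent connections. It goes beyond the two points the text gives by implementing the linear increase between the first and last number that the sshd_config manual describes; the function name and argument order are this example's own.

```shell
#!/bin/sh
# Added example, not from the original tutorial: refusal probability (percent) for a
# new connection under "MaxStartups start:rate:full". Refusals begin at "start"
# pending connections with probability "rate" and rise linearly to 100% at "full"
# (this linear ramp is what sshd_config(5) documents). A plain "MaxStartups N"
# refuses everything once N connections are pending.
# $1 = MaxStartups value, $2 = current number of unauthenticated connections
maxstartups_drop_pct() {
    spec=$1; n=$2
    case "$spec" in
        *:*:*)
            start=${spec%%:*}; rest=${spec#*:}
            rate=${rest%%:*};  full=${rest#*:} ;;
        *)
            start=$spec; rate=100; full=$spec ;;
    esac
    if [ "$n" -lt "$start" ]; then
        echo 0                      # below the threshold: never refused
    elif [ "$n" -ge "$full" ]; then
        echo 100                    # at or above "full": always refused
    else
        # linear ramp from rate% at "start" to 100% at "full" (integer arithmetic)
        echo $(( rate + (100 - rate) * (n - start) / (full - start) ))
    fi
}
```

With MaxStartups 10:50:20, 5 pending connections give 0%, 10 give 50%, 15 give 75% and 20 give 100%.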

PasswordAuthentication

PasswordAuthentication specifies whether password login is allowed; the default is yes (PasswordAuthentication yes). It is recommended to change this to no, which forbids password login and allows only key-based login.

PermitEmptyPasswords

PermitEmptyPasswords specifies whether login with an empty password is allowed, that is, whether a user's password may be blank. The default is yes (PermitEmptyPasswords yes); it is recommended to change this to no, forbidding login without a password.

PermitRootLogin

PermitRootLogin specifies whether the root user may log in. The default is yes (PermitRootLogin yes); it is recommended to change this to no, forbidding root login.

It can also be set to prohibit-password, which means root cannot log in with a password but can still log in with a key.

PermitRootLogin prohibit-password

PermitUserEnvironment

PermitUserEnvironment specifies whether sshd loads environment variables from the user's ~/.ssh/environment file and from environment= options in the user's ~/.ssh/authorized_keys file. The default is no (PermitUserEnvironment no).

Port

Port specifies the port sshd listens on, that is, the port clients connect to. The default is 22 (Port 22). For security reasons you may change it (such as Port 8822).

The configuration file can contain multiple Port lines to listen on several ports at once.

Port 22
Port 80
Port 443
Port 8080

The example above listens on four ports at the same time.

PrintMotd

PrintMotd specifies whether the system's motd (message of the day) file, /etc/motd, is shown to the user after login. This file is used to inform all users of important matters such as scheduled maintenance or security issues. The default is yes (PrintMotd yes). Since the shell usually displays this file already, it can be set to no here.

PrintLastLog

PrintLastLog specifies whether the time of the user's last login is printed; the default is yes (PrintLastLog yes).

Protocol

Protocol specifies the protocol version sshd uses. Protocol 1 means SSH 1; it is recommended to change this to Protocol 2 (SSH 2). Protocol 2,1 means both versions are supported at the same time.

PubkeyAuthentication

PubkeyAuthentication specifies whether public key login is allowed; the default is yes (PubkeyAuthentication yes).

QuietMode

Only for SSH version 1; makes the log output only fatal error messages (QuietMode yes).

RSAAuthentication

RSAAuthentication specifies whether RSA authentication is allowed; the default is yes (RSAAuthentication yes).

ServerKeyBits

ServerKeyBits specifies the number of bits of the SSH version 1 server key when it is regenerated. The default is 768 (ServerKeyBits 768).

StrictModes

StrictModes specifies whether sshd checks the permissions of the user's important files and directories. The default is yes (StrictModes yes): the user's SSH configuration files, key files, and directories must be owned by root or by the user, and must not be writable by the group or by others.

SyslogFacility

SyslogFacility specifies the syslog facility under which sshd logs are recorded. The default is AUTH (SyslogFacility AUTH).

TCPKeepAlive

TCPKeepAlive specifies whether TCP keepalive messages are sent on the TCP connection between sshd and the client (TCPKeepAlive yes).

UseDNS

UseDNS specifies whether, when a user logs in from a host name, the server uses DNS to confirm that the IP address resolved for that name matches the connecting machine (UseDNS yes). Enabling this is of little benefit, and if DNS records are not kept up to date it can produce false results, so it is recommended to turn it off.

UseLogin

UseLogin specifies whether /usr/bin/login is used instead of SSH's own mechanism for user authentication. The default is no (UseLogin no).

UsePrivilegeSeparation

UsePrivilegeSeparation specifies that, after a user is authenticated, a separate child process handles operations that require the user's privileges, which improves security. The default is yes (UsePrivilegeSeparation yes).

VerboseMode

Only for SSH version 2; makes the log output detailed debug information (VerboseMode yes).

X11Forwarding

X11Forwarding specifies whether X Window forwarding is enabled; the default is no (X11Forwarding no).

After modifying the configuration file, use the following command to check it for syntax errors.

$ sshd -t

For the new configuration to take effect, sshd must be restarted.

$ sudo systemctl restart sshd
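As an added example (shell functions written for this page, not code from the original tutorial or from OpenSSH), the following implements the sshd_config parsing rules described in the "sshd configuration file" section and checks a file for the settings recommended in the list above. The function names, the set of keywords checked and the sample file contents are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: a POSIX-shell checker for the
# sshd_config format described above. It applies the page's parsing rules (one item
# per line, case-insensitive keyword, optional "=" with optional spaces, "#" comments
# only at the start of a line) and reports whether the hardening values recommended
# in the configuration-item list are in effect.

# Print the value of one keyword; as in sshd, the first occurrence wins.
# $1 = keyword (any case), $2 = config file. Prints nothing if the keyword is absent.
sshd_config_get() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comment or blank line
        {
            line = $0; sub(/^[ \t]+/, "", line)
            if (match(line, /^[A-Za-z0-9]+/)) {
                key  = tolower(substr(line, RSTART, RLENGTH))
                rest = substr(line, RLENGTH + 1)
                sub(/^[ \t]*=?[ \t]*/, "", rest)   # "Port 22", "Port = 22", "Port=22"
                sub(/[ \t]+$/, "", rest)
                if (key == want) { print rest; exit }
            }
        }' "$2"
}

# Flag a "#" anywhere but at the start of a line: sshd does not accept trailing comments.
sshd_config_lint() {
    awk '!/^[ \t]*#/ && /#/ { printf "line %d: trailing comment: %s\n", NR, $0; bad = 1 }
         END { exit (bad ? 1 : 0) }' "$1"
}

# Check the settings the tutorial recommends. An unset keyword counts as FAIL because
# the defaults listed above (PasswordAuthentication yes, PermitRootLogin yes, ...) are
# the permissive values. Returns 1 if any check fails.
sshd_hardening_check() {
    rc=0
    for pair in 'PasswordAuthentication:no' 'PermitEmptyPasswords:no' \
                'PermitRootLogin:no|prohibit-password' 'Protocol:2' 'UseDNS:no'
    do
        key=${pair%%:*}; want=${pair#*:}
        got=$(sshd_config_get "$key" "$1" | tr 'A-Z' 'a-z')
        case "|$want|" in
            *"|$got|"*) echo "OK   $key $got" ;;
            *)          echo "FAIL $key ${got:-<unset>} (want $want)"; rc=1 ;;
        esac
    done
    return $rc
}
```

Run it as sshd_hardening_check /etc/ssh/sshd_config (and sshd_config_lint on the same file) before the sshd -t and restart steps; sshd -t remains the authoritative syntax check.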

sshd command line configuration items

The sshd command accepts several options on the command line. They are given when sshd is invoked and override the corresponding settings in the configuration file.

(1) -d

The -d option makes sshd print debugging information.

$ sshd -d

(2) -D

The -D option tells sshd not to detach and run as a background daemon.

$ sshd -D

(3) -e

The -e option makes sshd write the log output it would otherwise send to syslog to standard error.

(4) -f

The -f option specifies the location of the configuration file.

(5) -h

The -h option specifies the host key file.

$ sshd -h /usr/local/ssh/my_rsa_key

(6) -o

The -o option specifies a configuration item and its value in the same form used in the configuration file.

$ sshd -o "Port 2034"

An equal sign can be used between the configuration item and its value.

$ sshd -o "Port = 2034"

If the spaces around the equal sign are omitted, the quotation marks can be omitted too.

$ sshd -o Port=2034

Multiple -o options can be given to set several configuration items.

(7) -p

The -p option specifies the port sshd serves on.

$ sshd -p 2034

The command above starts sshd on port 2034.

The -p option can be given more than once to listen on multiple ports.

$ sshd -p 2222 -p 3333

(8) -t

The -t option checks whether the syntax of the configuration file is correct.