SSH server
Introduction
SSH uses a client/server architecture, and different software runs at each end. The OpenSSH client program is ssh and the server program is sshd. This chapter covers sshd.
If sshd is not installed, you can install it with the following command.
# Debian
$ sudo aptitude install openssh-server
# Red Hat
$ sudo yum install openssh-server
Generally speaking, sshd will start with the system after installation. If the current sshd is not started, you can start it with the following command.
$ sshd
If the above command prints "sshd re-exec requires execution with an absolute path", sshd must be started by its absolute path. This protects against someone placing a program of the same name in a directory on $PATH so that it is run instead of the real sshd.
# Centos, Ubuntu, OS X
$ /usr/sbin/sshd
After the above command runs, sshd puts itself into the background, so there is no need to add & after the command.
In addition to running executable files directly, you can also start sshd through Systemd.
# start up
$ sudo systemctl start sshd.service
# Stop
$ sudo systemctl stop sshd.service
# Restart
$ sudo systemctl restart sshd.service
The following command will make sshd run automatically the next time the computer is started.
$ sudo systemctl enable sshd.service
sshd configuration file
The sshd configuration files live in the /etc/ssh directory. The main configuration file is sshd_config, and the directory also holds the keys generated during installation.
- /etc/ssh/sshd_config: configuration file.
- /etc/ssh/ssh_host_ecdsa_key: ECDSA private key.
- /etc/ssh/ssh_host_ecdsa_key.pub: ECDSA public key.
- /etc/ssh/ssh_host_key: RSA private key for protocol version SSH 1.
- /etc/ssh/ssh_host_key.pub: RSA public key for protocol version SSH 1.
- /etc/ssh/ssh_host_rsa_key: RSA private key for protocol version SSH 2.
- /etc/ssh/ssh_host_rsa_key.pub: RSA public key for protocol version SSH 2.
- /etc/pam.d/sshd: PAM configuration file.
Note that if sshd is reinstalled, the above keys are regenerated. When a client that remembers the old host key reconnects, it shows a warning and refuses the connection. To avoid this, back up the /etc/ssh directory before reinstalling sshd and restore it afterwards.
In the configuration file sshd_config, each directive occupies one line: a configuration item followed by its value, separated by a space. Configuration item names are case-insensitive.
Port 2034
The above line sets the configuration item Port to the value 2034. Port can also be written as port.
There is another format of the configuration file, that is, there is an equal sign between the configuration item and the value, and the spaces before and after the equal sign are optional.
Port = 2034
In the configuration file, lines beginning with # are comments.
# This is a line of comment
Note that comments can only be placed at the beginning of a line, not at the end of a line.
Port 2034 # Comments are not allowed here
The line above is invalid.
In addition, blank lines are equivalent to comments.
When sshd starts, it reads the default configuration file. To use a different configuration file, specify it with the -f parameter of the sshd command.
$ sshd -f /usr/local/ssh/my_config
The above command makes sshd use the alternative configuration file my_config.
After editing the configuration file, use the -t (test) parameter of the sshd command to check it for syntax errors.
$ sshd -t
After the configuration file is modified, it will not take effect automatically, and sshd must be restarted.
$ sudo systemctl restart sshd.service
sshd key
sshd has one or more key pairs of its own, which it uses to prove its identity to clients. Every key is a pair of a public key and a private key; the public key's file name is normally the private key's file name with the suffix .pub.
The default DSA key file is /etc/ssh/ssh_host_dsa_key (public key ssh_host_dsa_key.pub), and the default RSA key file is /etc/ssh/ssh_host_rsa_key (public key ssh_host_rsa_key.pub). If the SSH 1 protocol must be supported, the key /etc/ssh/ssh_host_key is also required.
If a key is not in its default file, it can be specified with the HostKey configuration item of sshd_config. The default HostKey settings are as follows.
# HostKey for protocol version 1
# HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
# HostKey /etc/ssh/ssh_host_rsa_key
# HostKey /etc/ssh/ssh_host_dsa_key
The # at the start of each line above marks it as a comment: these lines show the default values, so it makes no difference whether they are present or not.
To use different keys, remove the # at the start of the line and specify the other key.
HostKey /usr/local/ssh/my_dsa_key
HostKey /usr/local/ssh/my_rsa_key
HostKey /usr/local/ssh/my_old_ssh1_key
sshd configuration items
The following are the configuration items available in the /etc/ssh/sshd_config file.
AcceptEnv
AcceptEnv specifies which environment variables the client may send with its SendEnv option, that is, the list of server environment variables the client is allowed to set. Variable names are separated by spaces (AcceptEnv PATH TERM).
AllowGroups
AllowGroups specifies the user groups allowed to log in (AllowGroups groupName); multiple groups are separated by spaces. If this item is not used, all user groups are allowed to log in.
AllowUsers
AllowUsers specifies the users allowed to log in. User names are separated by spaces (AllowUsers user1 user2), or given on several AllowUsers lines. User names may contain wildcards. If this item is not used, all users are allowed to log in. The user@host form is also accepted (for example AllowUsers jones@example.com).
AllowTcpForwarding
AllowTcpForwarding specifies whether port forwarding is allowed. The default is yes (AllowTcpForwarding yes); local allows only local port forwarding and remote allows only remote port forwarding.
AuthorizedKeysFile
AuthorizedKeysFile specifies the file that holds the user's authorized public keys. The default is .ssh/authorized_keys under the user's home directory (AuthorizedKeysFile .ssh/authorized_keys).
Banner
Banner specifies a text file (Banner /usr/local/etc/warning.txt) whose contents sshd displays to the user when they connect. By default nothing is displayed.
ChallengeResponseAuthentication
ChallengeResponseAuthentication specifies whether the "keyboard-interactive" authentication scheme is used. The default is yes (ChallengeResponseAuthentication yes).
In theory the keyboard-interactive scheme can ask the user several questions, but in practice it usually only asks for the user's password. To disable password-based authentication completely, set both PasswordAuthentication and ChallengeResponseAuthentication to no.
Ciphers
Ciphers specifies the encryption algorithms sshd accepts (Ciphers 3des-cbc); multiple algorithms are separated by commas.
ClientAliveCountMax
ClientAliveCountMax specifies how many times the server probes a client that has stopped responding after the connection is established before it closes the connection (ClientAliveCountMax 8).
ClientAliveInterval
ClientAliveInterval specifies how long, in seconds, a client may stay silent (ClientAliveInterval 180). If the client sends nothing during this period, the SSH connection is closed.
Compression
Compression specifies whether data transmitted between client and server is compressed. The default is yes (Compression yes).
DenyGroups
DenyGroups specifies the user groups that are not allowed to log in (DenyGroups groupName).
DenyUsers
DenyUsers specifies the users who are not allowed to log in (DenyUsers user1). User names are separated by spaces, or given on several DenyUsers lines.
FascistLogging
SSH 1 only: makes the log output all debug information (FascistLogging yes).
HostKey
HostKey specifies the sshd server's key; see above for details.
KeyRegenerationInterval
KeyRegenerationInterval specifies, in seconds, how often the SSH 1 server key is regenerated. The default is 3600 seconds (KeyRegenerationInterval 3600).
ListenAddress
ListenAddress specifies the local IP address sshd listens on. The default is 0.0.0.0 (ListenAddress 0.0.0.0), meaning all network interfaces of the machine. It can be limited to one interface (for example ListenAddress 192.168.10.23) or given as a host name (for example ListenAddress server.example.com).
To listen on several specific IP addresses, use multiple ListenAddress lines.
ListenAddress 172.16.1.1
ListenAddress 192.168.0.1
LoginGraceTime
LoginGraceTime specifies, in seconds, the maximum time a client may take to complete the login. If the user has not entered a password by then, the connection is closed automatically (LoginGraceTime 60). A value of 0 means no limit.
LogLevel
LogLevel specifies how detailed the log is. The possible values, in increasing order of detail, are QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. The default is INFO (LogLevel INFO).
MACs
MACs specifies the message authentication (integrity check) algorithms sshd accepts (MACs hmac-sha1); multiple algorithms are separated by commas.
MaxAuthTries
MaxAuthTries specifies the maximum number of authentication attempts per connection (MaxAuthTries 3). If the password is entered incorrectly that many times, the SSH connection is closed.
MaxStartups
MaxStartups specifies the number of concurrent, not yet authenticated SSH connections allowed (MaxStartups). If it is set to 0, there is no limit.
This item can also take the form A:B:C, for example MaxStartups 10:50:20, which means that once there are 10 such connections each further connection is rejected with 50% probability, and once there are 20 every further connection is rejected.
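As an added example (not code from the original text or from OpenSSH), the following Python encodes the A:B:C rejection rule. It goes beyond the two endpoints given above: between A and C connections OpenSSH raises the drop chance linearly from B% to 100%, using integer arithmetic, which is what drop_probability reproduces.

```python
def parse_maxstartups(value):
    """Parse the A:B:C form of MaxStartups into (start, rate, full).
    sshd requires 1 <= rate <= 100 and start <= full."""
    start, rate, full = (int(p) for p in value.split(":"))
    if not (1 <= rate <= 100 and start <= full):
        raise ValueError("invalid MaxStartups value: %s" % value)
    return start, rate, full

def drop_probability(pending, start, rate, full):
    """Percent chance that sshd refuses a new unauthenticated connection when
    `pending` unauthenticated connections already exist.  Below `start`
    nothing is refused, at `full` everything is, and in between the chance
    rises linearly from `rate` to 100 (integer arithmetic, as in sshd)."""
    if pending < start:
        return 0
    if pending >= full:
        return 100
    return rate + (100 - rate) * (pending - start) // (full - start)

def drop_curve(value):
    """Tabulate (pending, drop %) from 0 up to the hard limit for one setting."""
    start, rate, full = parse_maxstartups(value)
    return [(n, drop_probability(n, start, rate, full)) for n in range(full + 1)]
```

For the page's MaxStartups 10:50:20, drop_curve("10:50:20") shows 0% up to 9 pending connections, 50% at 10, 75% at 15 and 100% from 20 on.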
PasswordAuthentication
PasswordAuthentication specifies whether password login is allowed. The default is yes (PasswordAuthentication yes); it is recommended to change it to no (password login prohibited, key login only).
PermitEmptyPasswords
PermitEmptyPasswords specifies whether login with an empty password is allowed, that is, whether a user's password may be blank. The default is yes (PermitEmptyPasswords yes); it is recommended to change it to no (login with an empty password prohibited).
PermitRootLogin
PermitRootLogin specifies whether the root user may log in. The default is yes (PermitRootLogin yes); it is recommended to change it to no (root login prohibited).
Another possible value is prohibit-password, which means root cannot log in with a password but can log in with a key.
PermitRootLogin prohibit-password
PermitUserEnvironment
PermitUserEnvironment specifies whether sshd loads the user's ~/.ssh/environment file and the environment= option in ~/.ssh/authorized_keys to set environment variables. The default is no (PermitUserEnvironment no).
Port
Port specifies the port sshd listens on, that is, the port clients connect to. The default is 22 (Port 22). For security reasons the port can be changed (for example Port 8822).
The configuration file may contain several Port lines to listen on several ports at once.
Port 22
Port 80
Port 443
Port 8080
The above example listens on four ports at the same time.
PrintMotd
PrintMotd specifies whether the system's motd (message of the day) file /etc/motd is shown to the user after login. This file tells all users about important matters such as scheduled maintenance or security issues. The default is yes (PrintMotd yes). Since the shell usually displays this file anyway, it can be changed to no here.
PrintLastLog
PrintLastLog specifies whether the time of the user's last login is printed. The default is yes (PrintLastLog yes).
Protocol
Protocol specifies the protocol version sshd uses. Protocol 1 means SSH 1; it is recommended to change it to Protocol 2 (SSH 2). Protocol 2,1 means both versions are supported.
PubKeyAuthentication
PubKeyAuthentication specifies whether public key login is allowed. The default is yes (PubKeyAuthentication yes).
QuietMode
SSH 1 only: makes the log output only fatal error messages (QuietMode yes).
RSAAuthentication
RSAAuthentication specifies whether RSA authentication is allowed. The default is yes (RSAAuthentication yes).
ServerKeyBits
ServerKeyBits specifies the size in bits of the SSH 1 server key when it is regenerated. The default is 768 (ServerKeyBits 768).
StrictModes
StrictModes specifies whether sshd checks the permissions of the user's important files and directories. The default is yes (StrictModes yes): the user's SSH configuration file, key files and directories must be owned by root or by the user, and must not be writable by the group or by others.
SyslogFacility
SyslogFacility specifies the syslog facility sshd logs to. The default is AUTH (SyslogFacility AUTH).
TCPKeepAlive
TCPKeepAlive specifies whether TCP keepalive messages are sent on the connection between sshd and the client (TCPKeepAlive yes).
UseDNS
UseDNS specifies whether, when a user logs in, the server looks up the client's host name in DNS and checks that the name resolves back to the client's IP address (UseDNS yes). This check adds little, and if DNS records are out of date it can produce false results, so it is recommended to turn it off.
UseLogin
UseLogin specifies whether /usr/bin/login is used instead of SSH's own code for user login. The default is no (UseLogin no).
UsePrivilegeSeparation
UsePrivilegeSeparation specifies that after authentication a separate, unprivileged child process handles the operations that do not need privileges, which improves security. The default is yes (UsePrivilegeSeparation yes).
VerboseMode
SSH 2 only: makes the log output detailed debug information (VerboseMode yes).
X11Forwarding
X11Forwarding specifies whether X Window forwarding is enabled. The default is no (X11Forwarding no).
After modifying the configuration file, you can use the following command to verify whether the configuration file has syntax errors.
$ sshd -t
For the new configuration to take effect, sshd must be restarted.
$ sudo systemctl restart sshd
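As an added example (not code from the original tutorial or from OpenSSH), the following Python parses a file in the sshd_config format described earlier in this chapter (one directive per line, case-insensitive names, an optional "=" between item and value, comments only at the start of a line, and the first value winning except for directives sshd accumulates over repeated lines) and then checks the result against the password and root-login recommendations above. The defaults applied for absent directives are the ones this chapter states, and the sample file is constructed.

```python
import re

# sshd accumulates these over repeated lines; for any other directive the
# first obtained value wins, as sshd_config(5) states.
MULTI_VALUED = {"port", "listenaddress", "hostkey", "allowusers", "denyusers",
                "allowgroups", "denygroups", "acceptenv"}

def parse_sshd_config(text):
    """Return ({lowercased directive: value or [values]}, [(lineno, error)])."""
    config, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):    # blank lines act as comments
            continue
        m = re.match(r"([A-Za-z0-9]+)\s*=?\s*(.*)", line)
        key, value = (m.group(1).lower(), m.group(2).strip()) if m else ("", "")
        if not value:
            errors.append((lineno, "missing directive or value"))
        elif "#" in value:                      # comments may only start a line
            errors.append((lineno, "trailing comment not allowed"))
        elif key in MULTI_VALUED:
            config.setdefault(key, []).append(value)
        elif key not in config:
            config[key] = value
    return config, errors
# Settings this chapter recommends, with the default the chapter states for
# each directive (applied when the directive is absent from the file).
RECOMMENDED = {
    "passwordauthentication": ("yes", {"no"}),
    "challengeresponseauthentication": ("yes", {"no"}),
    "permitemptypasswords": ("yes", {"no"}),
    "permitrootlogin": ("yes", {"no", "prohibit-password"}),
}

def audit(config):
    """List (directive, effective value) pairs outside the recommended set."""
    return [(key, config.get(key, default).lower())
            for key, (default, accepted) in RECOMMENDED.items()
            if config.get(key, default).lower() not in accepted]

# Constructed sample file (not from a real host) exercising each format rule.
SAMPLE = """# This is a line of comment
port 2034
Port = 443
PermitRootLogin yes
permitrootlogin no
PasswordAuthentication no
LogLevel VERBOSE # comment not allowed here
"""
```

Running audit(parse_sshd_config(SAMPLE)[0]) flags the three directives left at their stated defaults or set insecurely, and the parse reports the trailing comment on line 7 as the error sshd would also reject.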
sshd command line configuration items
The sshd command accepts a number of options. They are given when sshd is invoked and override the corresponding settings in the configuration file.
(1) -d
The -d parameter makes sshd print debug information.
$ sshd -d
(2) -D
The -D parameter keeps sshd from detaching as a background daemon.
$ sshd -D
(3) -e
The -e parameter makes sshd write its log output, which would normally go to syslog, to standard error.
(4) -f
The -f parameter specifies the location of the configuration file.
(5) -h
The -h parameter specifies the host key file.
$ sshd -h /usr/local/ssh/my_rsa_key
(6) -o
The -o parameter sets a configuration item and its value, using the same syntax as the configuration file.
$ sshd -o "Port 2034"
An equal sign can be used between configuration items and corresponding values.
$ sshd -o "Port = 2034"
If you omit the spaces before and after the equal sign, you can also omit the quotation marks.
$ sshd -o Port=2034
Multiple -o parameters can be combined to set several configuration items.
(7) -p
The -p parameter specifies the port sshd serves on.
$ sshd -p 2034
The above command starts sshd on port 2034.
The -p parameter can be given several times to specify multiple ports.
$ sshd -p 2222 -p 3333
(8) -t
The -t parameter checks whether the syntax of the configuration file is correct.