SSH (Secure SHell) is an application-level network protocol that allows remote control of the operating system and tunneling of TCP connections (for example, for transferring files).
Ubuntu installation command:
sudo apt-get install ssh
In CentOS (the second command activates autostart of the SSH server at system startup):
sudo yum install openssh-server
sudo chkconfig sshd on
sudo service sshd start
To check, you can type:
An example of connecting from server to server (the default port 22 can be omitted):
ssh -l USERNAME ip -p22
ssh username@ip -p22
Copying the file to the server in the user directory:
scp -P 22 /home/user/file.zip email@example.com:/
To disconnect from the ssh server, use the exit command, or press Ctrl+D instead of typing it.
We edit the standard configuration file:
sudo nano /etc/ssh/sshd_config
I will describe several parameters:
Port – the port on which the server accepts connections. It must be written at the very beginning of the config.
Protocol – the protocol version(s) clients may connect with; the default value is 2, and several versions can be listed separated by commas. Version 2 is more secure than version 1.
HostKey – a file containing a private host key. sshd will refuse to use a key file that is readable by everyone.
UsePrivilegeSeparation – the preferred value is yes. For security, while a client is authenticating, sshd handles it in a child process with minimal privileges; only after successful authentication does the user receive the privileges that belong to their account.
KeyRegenerationInterval – how often the server key is regenerated, so that an attacker who has intercepted traffic cannot decrypt it later with a captured key. A value of 0 disables regeneration.
ServerKeyBits – The length of the server key.
SyslogFacility – the facility code used for messages sent to the syslog server. The default value is AUTH, in which case the syslog server writes the information reported by sshd to the /var/log/auth.log file.
LogLevel – the amount of information written to the logs. Possible values: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, DEBUG3. The default is INFO.
LoginGraceTime – timeout in seconds for user authentication. If the user has not entered the login and password within this time, the connection is closed.
PermitRootLogin – for security reasons, the preferred value is no. This parameter allows or denies the root user logging in to the server.
StrictModes – with this parameter, sshd checks the permissions and owner of configuration files and of the user's home directory and files before allowing access to the server. The default value is yes.
RSAAuthentication – allows connecting to the server only with an RSA key; used with protocol 1.
PubkeyAuthentication – allows connecting to the server with a public key; used with protocol 2.
IgnoreRhosts – ignore the contents of .rhosts and .shosts files during RhostsRSAAuthentication and HostbasedAuthentication. Only /etc/hosts.equiv and /etc/shosts.equiv are still taken into account.
RhostsRSAAuthentication – allows authentication based on .rhosts or /etc/hosts.equiv files; used with protocol 1.
Some additional parameters that are not in the standard configuration file:
ListenAddress – specifies the port to listen on separately for each interface. Example:
PermitEmptyPasswords – allows or forbids users with empty passwords connecting to the server.
PasswordAuthentication – allows or denies password authentication. If you disable it, you need to enable public-key authentication (PubkeyAuthentication yes) and specify the path to the file with the keys in the AuthorizedKeysFile parameter. This method protects the server against direct password guessing by attackers.
MaxStartups 10:30:60 – sets the maximum number of concurrent unauthenticated connections. Once the limit is exceeded, further connection attempts are dropped.
These parameters allow or deny access to the server only for the users or groups listed, separated by spaces:
For example, you can specify:
AllowUsers user1 user2 firstname.lastname@example.org
AddressFamily – indicates which family of IP addresses is used. Possible values: any, inet (IPv4 only), inet6 (IPv6 only).
TCPKeepAlive – possible values yes/no. Sends TCP keepalive messages to the client to keep the connection alive. Over a poor Internet connection these packets may not arrive, and the client will then be disconnected from the server.
PrintMotd no – indicates whether the contents of the /etc/motd file should be displayed.
Banner – the path to a text file whose contents are displayed on screen at authentication time.
Subsystem sftp /usr/lib/openssh/sftp-server – enables the SFTP file transfer subsystem. It is enabled by default.
Restart the SSH server for the changes to take effect:
sudo /etc/init.d/ssh restart
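As an added check (example code written for this page, not part of the original tutorial or of OpenSSH), the following POSIX shell script reports the effective value of the keywords discussed above and flags those that differ from the recommended values. It relies on the fact that sshd uses the first value it reads for a keyword and ignores later duplicates, so a hardening line appended at the end of the file may have no effect; the configuration it audits is a constructed sample.

```shell
# Added audit helper, not from the original page: report the effective value of each
# security-relevant sshd_config keyword and flag weak settings. sshd uses the FIRST
# value it reads for a keyword and ignores later duplicates, so first occurrence wins.

# effective_value FILE KEYWORD -> prints the first active value of KEYWORD, if any.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0  { next }              # skip comments and blank lines
        tolower($1) == "match" { exit }              # global section ends at a Match block
        tolower($1) == key     { print $2; exit }    # first occurrence wins
    ' "$1"
}
# audit_sshd_config FILE -> prints one FAIL line per weak setting; the return code is
# the number of findings. An absent keyword (compiled-in default) is reported for review.
audit_sshd_config() {
    cfg=$1; fails=0
    for pair in PermitRootLogin=no PasswordAuthentication=no PubkeyAuthentication=yes \
                PermitEmptyPasswords=no IgnoreRhosts=yes UsePrivilegeSeparation=yes \
                Protocol=2; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(effective_value "$cfg" "$key" | tr 'A-Z' 'a-z')
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: effective value '${got:-<default>}', expected '$want'"
            fails=$((fails + 1))
        fi
    done
    return $fails
}

# Constructed sample configuration for the demo (not a real server's file). The
# commented-out line must be ignored and the first PermitRootLogin line wins.
write_sample_config() {
    cat > "$1" <<'EOF'
# PermitRootLogin yes
Port 2222
Protocol 2
PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
IgnoreRhosts yes
UsePrivilegeSeparation yes
EOF
}
# Stand-alone demo: expect exactly one finding (PermitRootLogin is effectively "yes").
tmp=$(mktemp); write_sample_config "$tmp"
audit_sshd_config "$tmp" || echo "$? weak setting(s) found"
rm -f "$tmp"
```

Run it against /etc/ssh/sshd_config on the server; a non-zero exit status means at least one keyword does not carry the recommended value.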
To connect to an ssh server from a Windows environment, you can use the PuTTY program.