If you log on to a server from your computer and run the scp commands to upload and download files, your bastion host cannot audit these operations. To allow the bastion host to audit the operations, you must configure your computer.

Prerequisites

Procedure

  1. Log on to the terminal interface of your computer.
  2. Run the following command to create a .ssh directory:
    mkdir ~/.ssh
  3. Store the ssh_config file in the ~/.ssh directory.
    If the ssh_config file does not exist on your computer, you must create an ssh_config file.
  4. Run the following command to modify the ssh_config file. Edit
    vi ~/.ssh/ssh_config
    The following sample code provides a template for you to modify the ssh_config file. You can copy and paste the following code to the file and then modify the file:
    # The alias of the bastion host. If the bastion host does not have an alias, delete this configuration.
    Host __USM__
    # The username of the bastion host. The value can be a local account, an AD account, an LDAP account, or a RAM user.
    User 136xxxxxxxx
    # The IP address of the bastion host.
    Hostname 120.55.xx.xx
    # The port.
    Port 60022
    
    # Server 1.
    # The alias of Server 1. If the server does not have an alias, delete this configuration.
          Host cylinux123
    # The IP address of Server 1.
         Hostname 192.168.21.98
    # The port of Server 1.
         Port 22
    
    # Server 2 . If you have only one server, delete this server.
    # The alias of Server 2. If the server does not have an alias, delete this configuration.
          Host cylinux123
    # The IP address of Server 2
         Hostname 192.168.21.98
    # The port of Server 2
         Port 22
    
    # The destination server.
    Host 1* 2* 3* 4* 5* 6* 7* 8* 9*
    # Disable key verification.
    PubkeyAuthentication no
    
    # Set the bastion host as a proxy. You can copy the following proxy configurations: 
    ProxyCommand ssh -F /root/.ssh/ssh_config -A -q __USM__ -W %h:%p
    Host a* b* c* d* e* f* h* i* j* k* l* m* n* o* p* q* r* s* t* u* v* w* x* y* z*
    PubkeyAuthentication no
    ProxyCommand ssh -F /root/.ssh/ssh_config -A -q __USM__ -W %h:%p
    Host A* B* C* D* E* F* H* I* J* K* L* M* N* O* P* Q* R* S* T* U* V* W* X* Y* Z*
    PubkeyAuthentication no
    You must modify the following configurations:
    • Configurations of the bastion host
      • The username of the bastion host.
      • The O&M address of the bastion host.
      • The O&M port of the bastion host. The default value is 60022.
    • Configurations of the servers
      • If you do not specify an alias for the bastion host on your computer, you must modify the IP addresses and ports of the servers. By default, port 22 is used for SSH connections.
      • If you specified an alias for a single server on you computer, you must modify the alias, IP address, and port of the server. By default, port 22 is used for SSH connections.
      • If you specified aliases for multiple servers on your computer, you must specify the alias, IP address, and port of each server as a whole, and modify the configurations for each server in sequence.
  5. Run the following commands to upload or download the ssh_config file to a server: Upload
    scp -F .ssh/ssh_config filename root@192.168.XX.XX:/
    Note If the "ssh_exchange_identification: Connection closed by remote host" error message appears when you connect to the server from your computer, delete the ~/.ssh/known_hosts directory and run the preceding command to reconnect to the server.
    Related commands
    • ssh command for O&M:
      ssh -F ~/.ssh/ssh_config root@xx.xx.xx.xx (The value is in the following format: Server account @IP address or alias.)
    • scp command for uploading:
      scp -F ~/.ssh/ssh_config filename root@xx.xx.xx.xx:/ (By default, the uploaded file is in the root directory.)
    • scp command for downloading:
      scp -F ~/.ssh/ssh_config root@xx.xx.xx.xx:/filename /root
    • rsync command for uploading:
      rsync -e "ssh -F /root/.ssh/ssh_config" -avp filename root@xx.xx.xx.xx:/
    • rsync command for downloading:
      rsync -e "ssh -F /root/.ssh/ssh_config" -avp root@xx.xx.xx.xx:/filename /root

Result

After you complete the preceding configurations on your computer, the bastion host audits the operations that are performed on your computer to upload and download files to a server by using scp commands. You can log on to the bastion host to view the audit logs. For more information, see Search for sessions and view session details. Audit logs