  • ssh服务介绍

    ssh配置文件
    /etc/ssh/sshd_config   服务端配置文件,#号注释的内容表示默认设置
    /etc/ssh/ssh_config    客户端配置文件,#号注释的内容表示默认设置
    ~/.ssh/known_hosts   已知主机信息 ,对应用户家目录中
    /root/.ssh/id_rsa     私钥文件(必须保密,权限应为600;私钥泄露等同于泄露该用户的登录凭据)
    /root/.ssh/id_rsa.pub   公钥文件
    ~/.ssh/authorized_keys   来自其他主机的公钥信息

    ssh客户端(linux)

    [root@nfs01 ~]$ rpm -ql openssh-clients 
    /etc/ssh/ssh_config
    /usr/bin/scp      #远程拷贝文件,加密传输
    /usr/bin/sftp     #ftp服务,加密传输
    /usr/bin/slogin
    /usr/bin/ssh      #远程连接
    /usr/bin/ssh-add
    /usr/bin/ssh-agent
    /usr/bin/ssh-copy-id #拷贝密钥中的公钥文件
    /usr/bin/ssh-keyscan #收集远程主机的主机公钥(host key),可用于核对指纹后预先写入known_hosts
    

    ssh ssh协议连接命令

    -p 指定端口

    # Interactive login to 172.24.184.31, whose sshd listens on 10022 (-p overrides the default port 22).
    # On first contact ssh prints the host key fingerprint and asks whether to continue; verify it
    # out of band before answering "yes" -- the key saved at that moment is what detects a
    # man-in-the-middle on every later connection.
    ssh -p 10022 172.24.184.31     # log in to host 172.24.184.31, whose ssh service runs on port 10022
    

    scp 安全、远程复制

    -P(大写)指定ssh服务端口
    -r     递归复制,用于复制目录
    -p      保持文件属性
    -l      限制传输速度

    # Copy the local /data tree to root@172.16.1.7 over ssh; with no trailing slash it lands as /tmp/data.
    # -P (capital) is the remote sshd port, -r recurses into directories, -p preserves modification
    # times and permission bits. Runs as root on the target -- a dedicated receive-only account is
    # preferable when the remote only needs to accept files.
    scp -P 10022 -rp /data  root@172.16.1.7:/tmp
    

    sftp 安全ftp。注:sftp 本身确实不会限制用户只能访问自己的家目录,但这不是无法解决的缺点——sshd 可以用 Match User/Group 配合 ChrootDirectory 和 ForceCommand internal-sftp 把指定用户锁定在某个目录内(下文配置清单里被注释掉的 ChrootDirectory 就是该指令)

    -o     使用ssh服务协议参数
    -oPort   指定sftp访问端口,即ssh服务端口
    -P(大写)作用同上,指定sftp访问端口,即ssh服务端口

    # Two equivalent ways to open an sftp session to 172.24.184.31 when sshd listens on 10022:
    # -P (capital, same letter as scp) sets the port directly, while -oPort=... hands the same
    # value to the underlying ssh client as a generic ssh_config option (-o accepts any such option).
    sftp -P 10022 172.24.184.31
    sftp -oPort=10022 172.24.184.31
    

     put 上传文件

    sftp> put dd.txt /tmp           #将当前目录中dd.txt上传到远程主机/tmp目录中
    Uploading dd.txt to /tmp/dd.txt
    dd.txt 100% 242 32.6KB/s 00:00
    

    get 下载文件

    sftp> get /tmp/rsync_fail_log.sh     #将远程主机/tmp/rsync_fail_log.sh下载到本地当前工作目录(即lpwd显示的目录,此处为/opt)
    Fetching /tmp/rsync_fail_log.sh to /opt/rsync_fail_log.sh
    

    ls 查看远程服务器工作目录内容,即sftp登录后工作目录
    lls 查看本地主机工作目录内容,local list


    pwd 查看远程服务器工作目录,即sftp登录后工作目录
    lpwd 查看本地主机工作目录,loacl pwd


    !command
    在本地主机执行命令

    sftp> !hostname
    m01
    

    ssh服务配置优化:(说明:下面清单中紧跟在指令后面的 "#中文注释" 只应当作本文的讲解来读,不要照抄进配置文件——较老版本的 sshd,例如 CentOS 7 自带的 OpenSSH 7.4,不接受指令行尾的注释,会以 "garbage at end of line" 报错拒绝启动,注释请单独成行。每次修改后先用 sshd -t 检查语法,并保留一个已登录的会话再重启服务,以免把自己锁在外面。)

    [root@56test ~]# cat /etc/ssh/sshd_config
    #	$OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
    
    # This is the sshd server system-wide configuration file. See
    # sshd_config(5) for more information.
    
    # This sshd was compiled with PATH=/usr/local/bin:/usr/bin
    
    # The strategy used for options in the default sshd_config shipped with
    # OpenSSH is to specify options with their default value where
    # possible, but leave them commented. Uncommented options override the
    # default value.
    
    # If you want to change the port on a SELinux system, you have to tell 
    # SELinux about this change.
    # semanage port -a -t ssh_port_t -p tcp #PORTNUMBER         #端口修改的selinux
    #
    Port 22 #ssh协议端口
    port 10022
    #AddressFamily any
    #ListenAddress 0.0.0.0
    #ListenAddress :: #ssh协议监听IP
    
    HostKey /etc/ssh/ssh_host_rsa_key
    #HostKey /etc/ssh/ssh_host_dsa_key
    HostKey /etc/ssh/ssh_host_ecdsa_key
    HostKey /etc/ssh/ssh_host_ed25519_key
    
    # Ciphers and keying
    #RekeyLimit default none
    
    # Logging
    #SyslogFacility AUTH
    SyslogFacility AUTHPRIV
    #LogLevel INFO
    
    # Authentication:
    
    #LoginGraceTime 2m
    #PermitRootLogin yes         #是否允许root直接远程登录,默认yes;生产环境建议改为no(或prohibit-password,只允许root用密钥登录)
    #StrictModes yes
    #MaxAuthTries 6
    #MaxSessions 10
    
    #PubkeyAuthentication yes
    
    # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
    # but this is overridden so installations will only check .ssh/authorized_keys
    AuthorizedKeysFile	.ssh/authorized_keys
    
    #AuthorizedPrincipalsFile none
    
    #AuthorizedKeysCommand none
    #AuthorizedKeysCommandUser nobody
    
    # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
    #HostbasedAuthentication no
    # Change to yes if you don't trust ~/.ssh/known_hosts for
    # HostbasedAuthentication
    #IgnoreUserKnownHosts no
    # Don't read the user's ~/.rhosts and ~/.shosts files
    #IgnoreRhosts yes
    
    # To disable tunneled clear text passwords, change to no here!
    #PasswordAuthentication yes
    #PermitEmptyPasswords no             #是否允许空密码账户登录,默认no(禁止),保持默认即可
    PasswordAuthentication yes
    
    # Change to no to disable s/key passwords
    #ChallengeResponseAuthentication yes
    ChallengeResponseAuthentication no
    
    # Kerberos options
    #KerberosAuthentication no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes
    #KerberosGetAFSToken no
    #KerberosUseKuserok yes
    
    # GSSAPI options
    GSSAPIAuthentication yes
    GSSAPICleanupCredentials no
    #GSSAPIStrictAcceptorCheck yes
    #GSSAPIKeyExchange no
    #GSSAPIEnablek5users no
    
    # Set this to 'yes' to enable PAM authentication, account processing,
    # and session processing. If this is enabled, PAM authentication will
    # be allowed through the ChallengeResponseAuthentication and
    # PasswordAuthentication. Depending on your PAM configuration,
    # PAM authentication via ChallengeResponseAuthentication may bypass
    # the setting of "PermitRootLogin without-password".
    # If you just want the PAM account and session checks to run without
    # PAM authentication, then enable this but set PasswordAuthentication
    # and ChallengeResponseAuthentication to 'no'.
    # WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
    # problems.
    UsePAM yes
    
    #AllowAgentForwarding yes
    #AllowTcpForwarding yes
    #GatewayPorts no
    X11Forwarding yes
    #X11DisplayOffset 10
    #X11UseLocalhost yes
    #PermitTTY yes
    #PrintMotd yes
    #PrintLastLog yes
    #TCPKeepAlive yes
    #UseLogin no
    #UsePrivilegeSeparation sandbox
    #PermitUserEnvironment no
    #Compression delayed
    #ClientAliveInterval 0
    #ClientAliveCountMax 3
    #ShowPatchLevel no
    #UseDNS yes
    #PidFile /var/run/sshd.pid
    #MaxStartups 10:30:100
    #PermitTunnel no
    #ChrootDirectory none
    #VersionAddendum none
    
    # no default banner path
    #Banner none
    
    # Accept locale-related environment variables
    AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
    AcceptEnv XMODIFIERS
    
    # override default of no subsystems
    Subsystem	sftp	/usr/libexec/openssh/sftp-server
    
    # Example of overriding settings on a per-user basis
    #Match User anoncvs
    #	X11Forwarding no
    #	AllowTcpForwarding no
    #	PermitTTY no
    #	ForceCommand cvs server
    

    推荐优化选项(补充两点:1) 上面的配置清单里 PasswordAuthentication yes 仍然开着,公钥分发完成并验证密钥登录可用后,应把它改为 no,否则改端口、禁root都挡不住针对普通账户的口令暴力破解;2) 如无图形转发需求,清单中的 X11Forwarding yes 也应改为 no。)

    Port 52113              #使用大于10000的端口(只能减少扫描噪音,不是安全措施;sshd允许写多条Port并同时监听,上面清单里Port 22和port 10022就都在监听,改端口时要把原来的Port 22删掉或注释,否则22仍然开放;SELinux下还需用semanage port放行新端口,防火墙同理)
    PermitRootLogin no          #禁止root远程登录,可以su - root,C7需要改yes为no;改之前务必确认已有一个能用密钥登录的普通账户并测试通过,否则会把自己锁在外面
    PermitEmptyPasswords no         #禁止空密码登录,C7默认就是
    UseDNS no             #不使用dns解析,yes改为no
    GSSAPIAuthentication no       #优化连接速度
    ListenAddress 172.16.1.61:52113    #只允许内网IP连接(内网网卡未配置网关)


    服务器间通过ssh连接后,客户端会把对方的主机公钥(host key,不是私钥)记录到 ~/.ssh/known_hosts 文件中;之后每次连接都会与该记录比对,主机密钥发生变化时会告警并拒绝连接。这是ssh防范中间人攻击的基础,不要随意用 StrictHostKeyChecking=no 关掉
    [root@web01 ~]# cat ~/.ssh/known_hosts

    [172.31.62.41]:10022 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFkPPQyLkwi1xVIs8xANcE0RwEPolmI8UgJru3ZESneHI3wn0G+fQouYBqqv8ZTMhsyvLFcAjlRwIgymHdGsDLo=
    [172.24.184.41]:10022 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFkPPQyLkwi1xVIs8xANcE0RwEPolmI8UgJru3ZESneHI3wn0G+fQouYBqqv8ZTMhsyvLFcAjlRwIgymHdGsDLo=
    

     

    生成密钥对 ssh-keygen

    [root@m01 ~]# ssh-keygen                             #生成秘钥文件
    Generating public/private rsa key pair.
    Enter file in which to save the key (/root/.ssh/id_rsa):          #生成秘钥文件名,默认/root/.ssh/id_rsa
    Enter passphrase (empty for no passphrase):                  #私钥的保护口令(passphrase);留空则私钥明文存放,任何能读到该文件的人都能直接用它登录,仅自动化场景可接受
    Enter same passphrase again: 
    Your identification has been saved in /root/.ssh/id_rsa.         #私钥文件/root/.ssh/id_rsa
    Your public key has been saved in /root/.ssh/id_rsa.pub.         #公钥文件/root/.ssh/id_rsa.pub
    The key fingerprint is:
    SHA256:QvNT/abrd6CiCY3iRCva4eVIqyixF9XHtTfL1LS1E14 root@m01
    The key's randomart image is:
    +---[RSA 2048]----+
    | |
    | .. ..E|
    | .o. ....o.o+|
    | ...oo.. +.o+ |
    | .. ..S + oo .|
    |. .. . + . oo. |
    | o+.= o . .. . |
    |+=.X . . .. ... .|
    |=o= o o. oo. . |
    +----[SHA256]-----+
    

     公钥文件分发 ssh-copy-id

    [root@m01 ~]# ssh-copy-id -p 10022 -i ~/.ssh/id_rsa.pub 172.24.184.7         #将公钥/root/.ssh/id_rsa.pub追加到远程服务器的/root/.ssh/authorized_keys,-i指定公钥文件;下面出现的主机指纹提示应先与目标机上 ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub 的输出核对,再回答yes
    
    /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
    The authenticity of host '[172.24.184.7]:10022 ([172.24.184.7]:10022)' can't be established.
    ECDSA key fingerprint is SHA256:mMM4HsJ75/XqhqgN3rJMrRXburh6FZ1ps33RV4cxrus.
    ECDSA key fingerprint is MD5:b1:8e:69:5c:70:0e:3d:3f:69:d7:44:7b:67:98:fe:27.
    Are you sure you want to continue connecting (yes/no)? yes
    /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
    /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
    root@172.24.184.7's password:
    
    Number of key(s) added: 1
    
    Now try logging into the machine, with: "ssh -p '10022' '172.24.184.7'"
    and check to make sure that only the key(s) you wanted were added.
    

     

    非交互式创建、分发秘钥对:


    ssh-keygen 密钥对创建工具

    -P   密码
    -f    输出的秘钥文件
    -q   不输出信息
    -t    指定秘钥类型,通常默认rsa

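    # Create an RSA key pair at ~/.ssh/id_rsa (-f) for the current user with no prompts (-q).
    # -P '' gives the private key an EMPTY passphrase: the key sits on disk in the clear and
    # anyone who can read the file can log in with it. Tolerable for automation keys only if the
    # file stays 0600 and the key is restricted server-side (authorized_keys from=/command=
    # options) and rotated; keys used by humans should carry a real passphrase (ssh-agent keeps
    # that convenient).
    # The guard matters for a non-interactive run: ssh-keygen -f on an existing file stops on an
    # interactive "Overwrite (y/n)?" prompt even with -q, so only generate when no key is present.
    [ -f ~/.ssh/id_rsa ] || ssh-keygen -f ~/.ssh/id_rsa -P '' -q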
    

    ssh-copy-id 公钥分发

    -f   force mode 强制,不检查远程主机是否已安装本机公钥
    -i   指定秘钥文件
    -o   <ssh -o options>指定ssh参数选项。StrictHostKeyChecking=no 表示不检查hostkey,即远程连接时不校验远程主机指纹,任何伪装成目标IP的主机都会被接受——这等于放弃了对中间人攻击的防护,只应在可信内网的一次性初始化中使用;更稳妥的做法是先用 ssh-keyscan 把目标主机公钥写入 known_hosts(核对指纹后),再用默认的严格检查去连接

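    # Install ~/.ssh/id_rsa.pub into root's authorized_keys on 172.16.1.8 (-f skips the
    # "already installed?" probe, -i names the public key to install).
    # The original passed -o StrictHostKeyChecking=no, which tells ssh to accept whatever host
    # key the peer presents -- an attacker's included -- and so throws away the one MITM defence
    # ssh has. Instead, record the host key once with ssh-keyscan when it is not yet known (still
    # trust-on-first-use, but the fingerprint can be checked against the target's
    # /etc/ssh/ssh_host_*_key.pub with `ssh-keygen -lf`), and keep the default strict check so a
    # key that changes later is refused rather than silently accepted.
    target=172.16.1.8
    mkdir -p -m 700 ~/.ssh
    ssh-keygen -F "$target" >/dev/null || ssh-keyscan "$target" >> ~/.ssh/known_hosts
    ssh-copy-id -f -i ~/.ssh/id_rsa.pub "$target"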

    sshpass 非交互方式ssh密码验证工具。注意:-p 把口令直接写在命令行上,同机任何用户都能通过 ps 或 /proc/<pid>/cmdline 看到,并且会留在shell历史里;应改用 -e(从环境变量 SSHPASS 读取)或 -f 文件(权限600)。密钥分发完成后应尽快在目标机上禁用口令登录

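    # Install the public key on 172.16.1.7, driving the initial password login with sshpass so
    # the run needs no terminal. The original wrote the password on the command line
    # (-p123456): argv is visible to every local user via `ps` / /proc/<pid>/cmdline and is kept
    # in shell history, so the password leaks the moment it is used. sshpass -e reads it from the
    # SSHPASS environment variable instead (or -f <file> with mode 0600); export it just before
    # the call and unset it afterwards. StrictHostKeyChecking=no is dropped as well: it would
    # accept any host key on first contact, so the host key is pinned with ssh-keyscan (check the
    # fingerprint out of band) and ssh's default strict check is left on to refuse a later change.
    # Once the key login works, set PasswordAuthentication no on the target.
    : "${SSHPASS:?export SSHPASS=<password> before running (never pass it as -p on argv)}"
    target=172.16.1.7
    mkdir -p -m 700 ~/.ssh
    ssh-keygen -F "$target" >/dev/null || ssh-keyscan "$target" >> ~/.ssh/known_hosts
    sshpass -e ssh-copy-id -f -i ~/.ssh/id_rsa.pub "$target"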
    

      

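    # End-to-end non-interactive key setup (the three steps collected, with their fixes):
    #   1. create ~/.ssh/id_rsa only if it does not exist -- ssh-keygen -f on an existing file
    #      stops on an "Overwrite (y/n)?" prompt even with -q; -P '' is an empty passphrase,
    #      so the private key must stay 0600 and be treated as a credential;
    #   2. pin the target's host key with ssh-keyscan instead of -o StrictHostKeyChecking=no,
    #      which would accept an impostor's key on first contact and mask later key changes;
    #   3. install the public key, supplying the one-time password through the SSHPASS
    #      environment variable (sshpass -e) -- never as -p<password> on argv, which every local
    #      user can read via ps and which lands in shell history.
    # Afterwards set PasswordAuthentication no on the target so the password path disappears.
    : "${SSHPASS:?export SSHPASS=<password> before running}"
    target=172.16.1.7
    mkdir -p -m 700 ~/.ssh
    [ -f ~/.ssh/id_rsa ] || ssh-keygen -f ~/.ssh/id_rsa -P '' -q
    ssh-keygen -F "$target" >/dev/null || ssh-keyscan "$target" >> ~/.ssh/known_hosts
    sshpass -e ssh-copy-id -f -i ~/.ssh/id_rsa.pub "$target"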
    

      

    君子务本,本立而道生
  • 原文地址:https://www.cnblogs.com/00huajiang/p/11403657.html