zoukankan      html  css  js  c++  java
  • 远程访问及控制

    一、SSH概述

    1、SSH简介

                        SSH(Secure Shell)是一种安全通道协议,主要用来实现字符界面的远程登录,远程复制等功能。

    SSH协议对通信双方的数据传输进行了加密处理,其中包括用户登录时输入的用户口令,与TELNET(远程登录)

    等应用相比,SSH协议提供了更好的安全性。

    2、默认监听端口:TCP 22

    二、OpenSSH 的配置

    1、OpenSSH 安装包

           默认安装Linux系统时自动安装,若未安装,安装光盘中的如下rpm包:

                       openssh-5.3p1-94.el6.x86_64.rpm

                       openssh-askpass-5.3p1-94.el6.x86_64.rpm

                       openssh-clients-5.3p1-94.el6.x86_64.rpm

                       openssh-server-5.3p1-94.el6.x86_64.rpm

         ●服务名称:sshd

         ●服务端主程序:/usr/sbin/sshd

         ●服务端配置文件:/etc/ssh/sshd_config

         ●客户端配置文件:/etc/ssh/ssh_config

    2、服务端OpenSSH配置

    [root@www  ssh]# vim sshd_config

    Port 22    //默认端口号TCP 22

    AddressFamily any   //指定地址族,any、inet(IPv4)、inet6(IPv6)

    ListenAddress 192.168.1.108  //监听IP地址(对外提供服务的地址),默认0.0.0.0,监听所有(不能监听 127.0.0.1,其它机器连接不上)

    Protocol 2     //使用ssh协议第二版

    LoginGraceTime 2m   //等待登录时长 2分钟

    PermitRootLogin yes   //默认允许root登录

    StrictModes yes   //接受连接请求前对用户的目录和相关配置文件进行宿主化和权限检查

    MaxAuth Tries 6    //最大允许认证次数

    MaxSessions 10     //每个网络允许打开会话的最大数量

    RSAAuthentications yes     //启用RSA算法

    PubkeyAuthentication yes    //启用密钥对验证

    AuthorizedKeysFile .ssh/authorized keys     //指定公钥库位置

    PermitEmptyPasswords no        //不允许空密码用户登录

    PasswordAuthentication yes      //启用密码验证

    UseDNS no          //禁用反向解析

    手动添加 

    AllowUsers amber zhangsan@192.168.1.51

    DenyUsers lisi

    AllowUsers:用户amber在任何客户端均可登录;用户zhangsan只允许在IP地址为

                       192.168.1.51的客户端登录。且仅允许此二用户通过ssh协议远程登录。

    DenyUsers:禁止用户 lisi 登录

    注意:AllowUsers 不要与 DenyUsers 同时使用

    三、使用SSH客户端程序

    1、命令程序

        (1)ssh 命令(远程安全登录)

           格式:ssh user@host (若客户机与主机用户名相同,可省去user@,user@为主机用户)

           端口选项:-p 22

    [root@Server-SSH ~]# useradd amber

    [root@Server-SSH ~]# echo "123123" | passwd --stdin amber

    [root@Client ~]# useradd admin

    [root@Client ~]#  echo "123123" | passwd --stdin admin

    [root@Client ~]# su - admin

    [admin@Client ~]$ ssh amber@192.168.66.111

    The authenticity of host '192.168.66.111 (192.168.66.111)' can't be established.
    ECDSA key fingerprint is SHA256:ZrMfShX/kM61XVrPIu1M75/sPgdLOe0JOPt/aC17mMQ.
    ECDSA key fingerprint is MD5:71:dd:a1:af:00:a4:b8:9e:e7:a4:d7:f8:25:e5:bd:bc.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.66.111' (ECDSA) to the list of known hosts.
    amber@192.168.66.111's password:             //输入服务端amber用户的密码

    [amber@Server-SSH ~]$ whoami
    amber

    [[amber@Server-SSH ~]$ logout                   //也可以用   Ctrl + D 或输入 exit
    Connection to 192.168.66.111 closed.

    (2)scp 命令 (远程安全复制)

    格式1:scp user@host:file1 file2

    格式2:scp file1 user@host:file2

    1>从服务端复制文件到客户端

    服务端:

    [root@111 ~]# mkdir /aaa
    [root@111 ~]# touch /aaa/test{1..10}
    [root@111 ~]# ls /aaa
    test1 test10 test2 test3 test4 test5 test6 test7 test8 test9

    客户端:

    [root@112 ~]# mkdir /bbb

    [root@112 ~]# ls /bbb

    [root@112 ~]# scp amber@192.168.66.111:/aaa/* /bbb/
    The authenticity of host '192.168.66.111 (192.168.66.111)' can't be established.
    ECDSA key fingerprint is SHA256:Y8CnsgU+a3aZUMHzVYQnST9QZ69QcJxTrYw7ag2vBQs.
    ECDSA key fingerprint is MD5:3f:a6:f9:c2:78:e6:32:83:bc:59:3c:06:7c:36:55:b5.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.66.111' (ECDSA) to the list of known hosts. 
    amber@192.168.66.111's password: 
    test1   100%   0   0.0KB/s   00:00 
    test10    100%   0   0.0KB/s   00:00 
    test2   100%   0   0.0KB/s   00:00 
    test3   100%   0   0.0KB/s   00:00 
    test4   100%   0   0.0KB/s   00:00 
    test5   100%   0   0.0KB/s   00:00 
    test6   100%   0   0.0KB/s   00:00 
    test7   100%   0   0.0KB/s   00:00 
    test8   100%   0   0.0KB/s   00:00 
    test9   100%   0   0.0KB/s   00:00 
    [root@112 ~]# ls /bbb/
    test1 test10 test2 test3 test4 test5 test6 test7 test8 test9

    2>从客户端复制文件到服务端

    客户端:

    [root@112 ~]# echo ceshi >client.txt
    [root@112 ~]# scp client.txt amber@192.168.66.111:~amber/client1.txt
    amber@192.168.66.111's password: 
    client.txt   0%   0   0.0KB/s   --:-- ETA

    client.txt   100%   6 6.  6KB/s   00:00 

    服务端:

    [root@111 ~]# ll ~amber/ 
    总用量 4
    -rw-r--r--. 1 amber amber 6 8月 16 20:49 client1.txt

    (3)sftp 命令 (安全FTP上传下载)

    格式: sftp user@host

    客户端:

    [root@112 ~]# mkdir /ccc
    [root@112 ~]# cd /ccc
    [root@112 ccc]# ls
    [root@112 ccc]# sftp amber@192.168.66.111
    amber@192.168.66.111's password: 
    Connected to 192.168.66.111.
    sftp> ls /aaa
    /aaa/test1 /aaa/test10 /aaa/test2 /aaa/test3 /aaa/test4 /aaa/test5 /aaa/test6 /aaa/test7 /aaa/test8 /aaa/test9 
    sftp> mget /aaa/*
    Fetching /aaa/test1 to test1
    Fetching /aaa/test10 to test10
    Fetching /aaa/test2 to test2
    Fetching /aaa/test3 to test3
    Fetching /aaa/test4 to test4
    Fetching /aaa/test5 to test5
    Fetching /aaa/test6 to test6
    Fetching /aaa/test7 to test7
    Fetching /aaa/test8 to test8
    Fetching /aaa/test9 to test9
    sftp> exit
    [root@112 ccc]# ls
    test1 test10 test2 test3 test4 test5 test6 test7 test8 test9

    常见远程访问工具:Xshell、CRT、Putty、Xmanager(远程图形化界面)等

    四、构建密钥对验证的SSH体系

    1、在客户端创建密钥对

      ssh-keygen 命令

      可用的加密算法:RSA 或 DSA(ECDSA)

    root@112 ~]# su - admin

    [admin@112 ~]# ssh-keygen -t rsa
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/admin/.ssh/id_rsa):           //回车 
    Enter passphrase (empty for no passphrase):                        //设置密钥密码,按回车为空密码
    Enter same passphrase again:                                               //再次输入密码
    Your identification has been saved in /root/.ssh/id_rsa.
    Your public key has been saved in /root/.ssh/id_rsa.pub.
    The key fingerprint is:
    SHA256:CI5FFtGP6hJt8vDG45/XqkNEIcgw+Hx/KUs0WpzF66Y root@112
    The key's randomart image is:
    +---[RSA 2048]----+
    |+o .*+.o |
    |..oo .o o |
    | o oo = . |
    | o+..O.o |
    | .o.B.oS. |
    | + = = = |
    | X o * . |
    | . B E.. . |
    | +.o++.. |
    +----[SHA256]-----+

    [admin@112 ~]# ls .ssh/
    id_rsa id_rsa.pub known_hosts

    2、将公钥上传至服务器

      (1)方法一:任何方式均可(共享、FTP、Email、SCP、......)

    客户端:

    [admin@112 ~]# scp .ssh/id rsa.pub amber@192.168.66.111:~amber/
    amber@192.168.66.111's password: 
    id_rsa.pub       0%   0     0.0KB/s   --:-- ETA

    id_rsa.pub   100%   390   273.5KB/s   00:00 

    服务端:在服务器中导入公钥文本

    [root@111 ~]# su - amber

    [amber@111 ~]# ls -a
    . .. anaconda-ks.cfg .bash_logout .bash_profile .bashrc client1.txt .cshrc id_rsa.pub .tcshrc
    [amber@111 ~]# mkdir .ssh
    [amber@111 ~]# cat id_rsa.pub >> .ssh/authorized_keys
    [amber@111 ~]# cat .ssh/authorized_keys
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+y1i3tPWr/XjjP8nLPW0albAEm83Bcb7XL85FvjSIvRArHtmrNR6chH0/5s94UQwK/YHfzddrKhaPqXOtGnTycTbhO1mTKWbcVOAYE7vN+K95ZReTYiPZJerBeasZtnEgYngvxgnfg/3wdd0y5abqqHyUlp/j2LzlYRuluzpKnlnqGYBTp6DSk4IfNAjTvF2hthPVs6SrNlb+mekba8QIQVnFVtcrMwq4uHFAUsde0mAaf6xDvjn4Xpu8AeCNyRJBw9Q3LAYQCYA/J/gE1E8dQBXZP+l62XE9vtfq0IkGEXkquQitZUVJPh4oRQpm656V04gXoHPMwxYmIydNWAYP root@112

    (2)方法二:ssh-copy-id 命令

    服务器删除前面拷贝的公钥文件

    [amber@111 ~]# rm -rf .ssh/authorized_keys

    客户端:

    [2567@localhost ~]$ ssh-copy-id -i /home/2567/.ssh/id_rsa.pub 2567@192.168.66.16
    /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/2567/.ssh/id_rsa.pub"
    The authenticity of host '192.168.66.16 (192.168.66.16)' can't be established.
    ECDSA key fingerprint is SHA256:G3w/74LEr26WS7zT1anbS9G9NSiTdYP2WphKJKXd0+4.
    ECDSA key fingerprint is MD5:33:78:e5:88:67:80:22:b2:1d:cf:d6:d1:ee:94:d4:30.
    Are you sure you want to continue connecting (yes/no)? yes
    /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
    /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
    2567@192.168.66.16's password:
    Permission denied, please try again.
    2567@192.168.66.16's password:
    Permission denied, please try again.
    2567@192.168.66.16's password:

    Number of key(s) added: 1

    Now try logging into the machine, with: "ssh '2567@192.168.66.16'"
    and check to make sure that only the key(s) you wanted were added.

    服务端:

    [2567@localhost ~]$ ls .ssh/
    authorized_keys id_rsa id_rsa.pub known_hosts
    [2567@localhost ~]$ cat .ssh/authorized_keys
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCssPyyL0Z09spQVn9M92uhnamvFRn4VguBgAimcTGRF7It3LycH+aq9cdY2MWXGQjdTYUJM15yYjWBlEra/0U7aXaQ1dEbcT84bpxUC2BIqSIm6Tm7D8j7FbyOZuXLc/LiHYDEUMbTb4i3zxJTje2LZGHhGtPcjnHTWI80gBflWAH59rxm29AZWidlPX5P+Tq5S+Vt/6P3QikK5vCF92EukAO18sXQiDG/ZOtNdBP/XPtWBRcJXgHnI9OYktrTsqCCXKxpGQpSa+EEzuJV/qMN2i3MOcQnmB6sD9nwLmG1/oWnJfVoBCGgpfvCVVpGGStMAf9YGtejaa0xtCxOB5Ij 2567@localhost.localdomain

    3、在客户端使用密钥对验证

    (1)确认服务端配置文件 /etc/ssh/sshd_config 已开启密钥对认证

    PubkeyAuthentication yes

    (2)客户端使用密钥对验证登录:

    [2567@localhost ~]$ ssh 192.168.66.16
    Last failed login: Wed Aug 21 20:44:14 CST 2019 from 192.168.66.16 on ssh:notty
    There was 1 failed login attempt since the last successful login.
    Last login: Wed Aug 21 17:21:01 2019



  • 相关阅读:
    JSP页面重定向与页面内容转发
    tomcat访问所有的资源,都是用Servlet来实现的
    War包是什么??
    jsp中include的两种用法
    TED #05# How we can face the future without fear, together
    TED #04#
    学写网页 #03# 固定在某个角落
    TED #03# 10 ways to have a better conversation
    TED #02#
    学写网页 #02# 无题
  • 原文地址:https://www.cnblogs.com/2567xl/p/11366168.html
Copyright © 2011-2022 走看看