I. SSH Overview
1. Introduction to SSH
SSH (Secure Shell) is a secure channel protocol used mainly for character-mode remote login, remote file copying and similar tasks.
SSH encrypts everything exchanged between the two sides, including the password the user types at login. Compared with TELNET
and similar remote-login applications, which send everything in the clear, SSH provides far better security.
2. Default listening port: TCP 22
II. Configuring OpenSSH
1. The OpenSSH packages
They are installed automatically by a default Linux installation; if not, install the following rpm packages from the install media (CentOS 6 versions shown):
openssh-5.3p1-94.el6.x86_64.rpm
openssh-askpass-5.3p1-94.el6.x86_64.rpm
openssh-clients-5.3p1-94.el6.x86_64.rpm
openssh-server-5.3p1-94.el6.x86_64.rpm
● Service name: sshd
● Server daemon: /usr/sbin/sshd
● Server configuration file: /etc/ssh/sshd_config
● Client configuration file: /etc/ssh/ssh_config
2. Server-side OpenSSH configuration
[root@www ssh]# vim sshd_config
Port 22 //default port, TCP 22
AddressFamily any //address family: any, inet (IPv4) or inet6 (IPv6)
ListenAddress 192.168.1.108 //IP address to listen on (the address that serves clients); the default 0.0.0.0 listens on all addresses. If only 127.0.0.1 is listed, other machines cannot connect.
Protocol 2 //use SSH protocol version 2 only (version 1 is insecure and has been removed from recent OpenSSH)
LoginGraceTime 2m //time allowed to complete authentication, 2 minutes
PermitRootLogin yes //root login is allowed by default on this build; set it to no (or prohibit-password) and use su/sudo after logging in as a normal user
StrictModes yes //check ownership and permissions of the user's home directory, ~/.ssh and key files before accepting the login; group- or world-writable files are rejected
MaxAuthTries 6 //maximum authentication attempts per connection
MaxSessions 10 //maximum number of open sessions (shells, subsystems such as sftp) per network connection
RSAAuthentication yes //RSA authentication for protocol version 1 only; has no effect with Protocol 2 and is deprecated in recent OpenSSH
PubkeyAuthentication yes //enable public-key authentication
AuthorizedKeysFile .ssh/authorized_keys //location of the user's public-key file, relative to the home directory
PermitEmptyPasswords no //do not allow accounts with empty passwords to log in
PasswordAuthentication yes //enable password authentication (set it to no once key-based login works)
UseDNS no //disable reverse DNS lookups of the client address
Added by hand:
AllowUsers amber zhangsan@192.168.1.51
DenyUsers lisi
AllowUsers: user amber may log in from any client; user zhangsan may log in only from the client with IP address
192.168.1.51. Once AllowUsers is present, only the users it lists may log in over SSH at all.
DenyUsers: user lisi is refused.
Note: the two directives can be combined. sshd evaluates them in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups, so a user matched by DenyUsers is refused even if AllowUsers also lists him. Also, for every keyword sshd uses the first value it finds in the file, so a line appended at the end does not override an earlier one. Check the syntax with sshd -t after editing, and keep your current session open until a fresh login succeeds.
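As an added example (not part of the original page), the following POSIX shell script checks an sshd_config file for the weak settings discussed above, the way a practitioner would before restarting sshd, and shows the DenyUsers-before-AllowUsers order. The function names, the sample configuration files it writes and the "wanted" values are this example's own choices; the defaults it assumes for absent keywords are the ones shown in the listing above.

```shell
#!/bin/sh
# Added example (not from the original page): audit an sshd_config for the weak
# settings discussed above, in POSIX sh + awk. Two details of how sshd reads its
# file matter for such a check:
#   - for each keyword the FIRST value found wins, so appending "PermitRootLogin no"
#     at the end of the file does nothing if "PermitRootLogin yes" appears earlier;
#   - everything after the first "Match" line is conditional, not a global setting.
# Function names, sample files and "wanted" values are this example's own.

# sshd_effective FILE KEYWORD DEFAULT: print the value sshd would use for KEYWORD,
# DEFAULT if the keyword is absent (defaults assumed as on the page's listing).
sshd_effective() {
    awk -v kw="$2" -v def="$3" '
        /^[ \t]*(#|$)/             { next }               # comment or blank line
        tolower($1) == "match"     { exit }               # conditional block: stop here
        tolower($1) == tolower(kw) { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# check FILE KEYWORD DEFAULT OK_REGEX WANTED: print a finding unless the effective
# value matches OK_REGEX (values are case-insensitive in sshd_config).
check() {
    v=$(sshd_effective "$1" "$2" "$3")
    if printf '%s\n' "$v" | grep -Eqi "$4"; then
        return 0
    fi
    printf 'WEAK: %s %s  (wanted: %s)\n' "$2" "$v" "$5"
    return 1
}

# audit_sshd_config FILE: one finding per line; exit status = number of findings.
audit_sshd_config() {
    n=0
    check "$1" Protocol               2   '^2$'                                        '2 (version 1 is broken)'   || n=$((n+1))
    check "$1" PermitRootLogin        yes '^(no|prohibit-password|without-password)$' 'no or prohibit-password'   || n=$((n+1))
    check "$1" PasswordAuthentication yes '^no$'                                       'no, once key login works'  || n=$((n+1))
    check "$1" PermitEmptyPasswords   no  '^no$'                                       'no'                        || n=$((n+1))
    check "$1" PubkeyAuthentication   yes '^yes$'                                      'yes'                       || n=$((n+1))
    check "$1" MaxAuthTries           6   '^[1-4]$'                                    '4 or fewer'                || n=$((n+1))
    return $n
}

# user_permitted USER HOST DENY_LIST ALLOW_LIST: mirrors the order sshd applies,
# DenyUsers before AllowUsers. A non-empty AllowUsers refuses everyone it does not
# list. Simplified: exact "user" or "user@host" entries, no wildcards or CIDR.
user_permitted() {
    for p in $3; do
        case $p in "$1"|"$1@$2") return 1 ;; esac
    done
    [ -n "$4" ] || return 0
    for p in $4; do
        case $p in "$1"|"$1@$2") return 0 ;; esac
    done
    return 1
}

# write_sample_configs DIR: constructed configs for the demo ("weak" is the page's listing).
write_sample_configs() {
    cat > "$1/weak" <<'EOF'
Port 22
PermitRootLogin yes
PubkeyAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication yes
EOF
    cat > "$1/hardened" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
MaxAuthTries 3
AllowUsers amber zhangsan@192.168.1.51
Match User amber
    PasswordAuthentication yes
EOF
    cat > "$1/order" <<'EOF'
permitrootlogin yes
# appended later in the hope of fixing it: ignored, the first value wins
PermitRootLogin no
EOF
}

tmp=$(mktemp -d) && write_sample_configs "$tmp"
for f in weak hardened order; do
    echo "== $f"
    audit_sshd_config "$tmp/$f" || echo "$? weak setting(s)"
done
user_permitted zhangsan 192.168.1.51 "lisi" "amber zhangsan@192.168.1.51" && echo "zhangsan@192.168.1.51 permitted"
rm -rf "$tmp"
```

Run audit_sshd_config /etc/ssh/sshd_config against the real file; it reports the page's listing as weak on PermitRootLogin, PasswordAuthentication and MaxAuthTries, and the "order" sample shows why the late PermitRootLogin no changes nothing. After editing, sshd -t validates the syntax before the service is restarted.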
III. Using the SSH client programs
1. Command-line programs
(1) The ssh command (secure remote login)
Syntax: ssh user@host (user is the account on the remote host; if it is the same as the local user name, user@ can be omitted)
Port option: -p 22
[root@Server-SSH ~]# useradd amber
[root@Server-SSH ~]# echo "123123" | passwd --stdin amber
[root@Client ~]# useradd admin
[root@Client ~]# echo "123123" | passwd --stdin admin
[root@Client ~]# su - admin
[admin@Client ~]$ ssh amber@192.168.66.111
The authenticity of host '192.168.66.111 (192.168.66.111)' can't be established.
ECDSA key fingerprint is SHA256:ZrMfShX/kM61XVrPIu1M75/sPgdLOe0JOPt/aC17mMQ.
ECDSA key fingerprint is MD5:71:dd:a1:af:00:a4:b8:9e:e7:a4:d7:f8:25:e5:bd:bc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.66.111' (ECDSA) to the list of known hosts.
amber@192.168.66.111's password: //type the password of user amber on the server
[amber@Server-SSH ~]$ whoami
amber
[amber@Server-SSH ~]$ logout //Ctrl+D or exit also ends the session
Connection to 192.168.66.111 closed.
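What the host-key prompt in the session above is really asking, as an added example that is not part of the original page: on first contact ssh has nothing to compare the server's host key against, so it shows the fingerprint, asks you to confirm it and then pins the key in ~/.ssh/known_hosts (trust on first use). On every later connection the offered key must equal the pinned one; a difference means either a reinstalled server or a man-in-the-middle. The script replays that comparison over a constructed known_hosts file and computes the two fingerprint forms shown in the prompts. The key blobs, the host name ssh-server and the function names are constructed for the example; the IP addresses are the page's.

```shell
#!/bin/sh
# Added example (not from the original page): the known_hosts comparison behind
# the "authenticity of host ... can't be established" prompt, plus the MD5 and
# SHA256 fingerprint forms ssh prints. Keys and names below are constructed.

# Constructed key blobs: base64 of a short string, NOT real public keys.
KEY_A=$(printf 'constructed-host-key-A' | base64)
KEY_B=$(printf 'constructed-host-key-B' | base64)

# write_sample_known_hosts FILE: plain (unhashed) entries "host[,host...] keytype base64"
write_sample_known_hosts() {
    {
        printf '# constructed known_hosts for the demo\n'
        printf '192.168.66.111 ecdsa-sha2-nistp256 %s\n' "$KEY_A"
        printf '192.168.66.16,ssh-server ssh-ed25519 %s\n' "$KEY_B"
    } > "$1"
}

# known_hosts_check FILE HOST KEYTYPE KEYBLOB -> NEW | MATCH | MISMATCH
#   NEW      no pinned key of this type for HOST: verify the fingerprint out of band before answering "yes"
#   MATCH    the offered key is the pinned one
#   MISMATCH the offered key differs from the pinned one: stop and find out why
# Hashed (|1|...) entries, [host]:port entries and @revoked/@cert-authority markers
# are left to ssh-keygen -F and skipped here.
known_hosts_check() {
    awk -v host="$2" -v type="$3" -v blob="$4" '
        /^[ \t]*(#|$)/ || /^[@|]/ { next }
        $2 == type {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++) {
                if (names[i] == host) {
                    found = 1
                    r = ($3 == blob) ? "MATCH" : "MISMATCH"
                    print r
                    exit
                }
            }
        }
        END { if (!found) print "NEW" }
    ' "$1"
}

# md5_fingerprint KEYBLOB: the "MD5:xx:xx:..." form, MD5 over the base64-decoded blob.
md5_fingerprint() {
    printf '%s' "$1" | base64 -d | md5sum |
        awk '{ gsub(/../, "&:", $1); sub(/:$/, "", $1); print "MD5:" $1 }'
}

# sha256_fingerprint KEYBLOB: the "SHA256:..." form, SHA-256 over the decoded blob,
# base64-encoded without padding (the way ssh-keygen -l prints it).
sha256_fingerprint() {
    hex=$(printf '%s' "$1" | base64 -d | sha256sum | cut -c1-64)
    while [ -n "$hex" ]; do                 # hex -> raw bytes, one octal escape per byte
        byte=${hex%"${hex#??}"}
        printf "\\$(printf '%03o' "$((0x$byte))")"
        hex=${hex#??}
    done | base64 | tr -d '=\n' | sed 's/^/SHA256:/'
}

tmp=$(mktemp -d) && write_sample_known_hosts "$tmp/known_hosts"
printf 'pinned key of 192.168.66.111: %s  %s\n' "$(md5_fingerprint "$KEY_A")" "$(sha256_fingerprint "$KEY_A")"
for blob in "$KEY_A" "$KEY_B"; do
    printf '192.168.66.111 offers a key: %s\n' \
        "$(known_hosts_check "$tmp/known_hosts" 192.168.66.111 ecdsa-sha2-nistp256 "$blob")"
done
rm -rf "$tmp"
```

On a real system the value to compare against comes from the server itself: run ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub on the server console (add -E md5 for the MD5 form) and check it against the prompt before typing yes. ssh-keygen -F 192.168.66.111 shows what is pinned for a host, and ssh-keygen -R 192.168.66.111 removes a stale entry after a deliberate reinstall; do not remove it merely because ssh complains.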
(2) The scp command (secure remote copy)
Syntax 1: scp user@host:file1 file2 (remote to local)
Syntax 2: scp file1 user@host:file2 (local to remote)
1> Copy files from the server to the client
On the server:
[root@111 ~]# mkdir /aaa
[root@111 ~]# touch /aaa/test{1..10}
[root@111 ~]# ls /aaa
test1 test10 test2 test3 test4 test5 test6 test7 test8 test9
On the client:
[root@112 ~]# mkdir /bbb
[root@112 ~]# ls /bbb
[root@112 ~]# scp amber@192.168.66.111:/aaa/* /bbb/
The authenticity of host '192.168.66.111 (192.168.66.111)' can't be established.
ECDSA key fingerprint is SHA256:Y8CnsgU+a3aZUMHzVYQnST9QZ69QcJxTrYw7ag2vBQs.
ECDSA key fingerprint is MD5:3f:a6:f9:c2:78:e6:32:83:bc:59:3c:06:7c:36:55:b5.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.66.111' (ECDSA) to the list of known hosts.
amber@192.168.66.111's password:
test1 100% 0 0.0KB/s 00:00
test10 100% 0 0.0KB/s 00:00
test2 100% 0 0.0KB/s 00:00
test3 100% 0 0.0KB/s 00:00
test4 100% 0 0.0KB/s 00:00
test5 100% 0 0.0KB/s 00:00
test6 100% 0 0.0KB/s 00:00
test7 100% 0 0.0KB/s 00:00
test8 100% 0 0.0KB/s 00:00
test9 100% 0 0.0KB/s 00:00
[root@112 ~]# ls /bbb/
test1 test10 test2 test3 test4 test5 test6 test7 test8 test9
2> Copy a file from the client to the server
On the client:
[root@112 ~]# echo ceshi >client.txt
[root@112 ~]# scp client.txt amber@192.168.66.111:~amber/client1.txt
amber@192.168.66.111's password:
client.txt 0% 0 0.0KB/s --:-- ETA
client.txt 100% 6 6.6KB/s 00:00
On the server:
[root@111 ~]# ll ~amber/
total 4
-rw-r--r--. 1 amber amber 6 Aug 16 20:49 client1.txt
(3) The sftp command (secure FTP-style upload and download)
Syntax: sftp user@host
On the client:
[root@112 ~]# mkdir /ccc
[root@112 ~]# cd /ccc
[root@112 ccc]# ls
[root@112 ccc]# sftp amber@192.168.66.111
amber@192.168.66.111's password:
Connected to 192.168.66.111.
sftp> ls /aaa
/aaa/test1 /aaa/test10 /aaa/test2 /aaa/test3 /aaa/test4 /aaa/test5 /aaa/test6 /aaa/test7 /aaa/test8 /aaa/test9
sftp> mget /aaa/*
Fetching /aaa/test1 to test1
Fetching /aaa/test10 to test10
Fetching /aaa/test2 to test2
Fetching /aaa/test3 to test3
Fetching /aaa/test4 to test4
Fetching /aaa/test5 to test5
Fetching /aaa/test6 to test6
Fetching /aaa/test7 to test7
Fetching /aaa/test8 to test8
Fetching /aaa/test9 to test9
sftp> exit
[root@112 ccc]# ls
test1 test10 test2 test3 test4 test5 test6 test7 test8 test9
Common remote-access clients: Xshell, SecureCRT, PuTTY, Xmanager (remote graphical desktop), etc.
IV. Building key-pair authentication for SSH
1. Create a key pair on the client
The ssh-keygen command
Key types accepted by -t: rsa, ecdsa and ed25519 (dsa also exists but is obsolete and disabled by default in current OpenSSH; DSA and ECDSA are different algorithms)
[root@112 ~]# su - admin
[admin@112 ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/admin/.ssh/id_rsa): //press Enter to accept
Enter passphrase (empty for no passphrase): //passphrase that encrypts the private key; press Enter for none. Without one, anybody who obtains id_rsa can log in as you, so set one where possible
Enter same passphrase again: //repeat it
Your identification has been saved in /home/admin/.ssh/id_rsa.
Your public key has been saved in /home/admin/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:CI5FFtGP6hJt8vDG45/XqkNEIcgw+Hx/KUs0WpzF66Y admin@112
The key's randomart image is:
+---[RSA 2048]----+
|+o .*+.o |
|..oo .o o |
| o oo = . |
| o+..O.o |
| .o.B.oS. |
| + = = = |
| X o * . |
| . B E.. . |
| +.o++.. |
+----[SHA256]-----+
[admin@112 ~]$ ls .ssh/
id_rsa id_rsa.pub known_hosts
2. Upload the public key to the server
(1) Method one: any transfer method works (shared folder, FTP, e-mail, scp, ...). Only the .pub file is sent; the private key never leaves the client.
On the client:
[admin@112 ~]$ scp .ssh/id_rsa.pub amber@192.168.66.111:~amber/
amber@192.168.66.111's password:
id_rsa.pub 0% 0 0.0KB/s --:-- ETA
id_rsa.pub 100% 390 273.5KB/s 00:00
On the server: import the public key text into the user's authorized_keys file. With StrictModes yes (the default) sshd ignores the key if the home directory, ~/.ssh or authorized_keys is writable by group or others, or is not owned by the user; mkdir creates .ssh with whatever mode the umask gives, so set chmod 700 .ssh and chmod 600 .ssh/authorized_keys afterwards.
[root@111 ~]# su - amber
[amber@111 ~]$ ls -a
. .. anaconda-ks.cfg .bash_logout .bash_profile .bashrc client1.txt .cshrc id_rsa.pub .tcshrc
[amber@111 ~]$ mkdir .ssh
[amber@111 ~]$ cat id_rsa.pub >> .ssh/authorized_keys
[amber@111 ~]$ cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+y1i3tPWr/XjjP8nLPW0albAEm83Bcb7XL85FvjSIvRArHtmrNR6chH0/5s94UQwK/YHfzddrKhaPqXOtGnTycTbhO1mTKWbcVOAYE7vN+K95ZReTYiPZJerBeasZtnEgYngvxgnfg/3wdd0y5abqqHyUlp/j2LzlYRuluzpKnlnqGYBTp6DSk4IfNAjTvF2hthPVs6SrNlb+mekba8QIQVnFVtcrMwq4uHFAUsde0mAaf6xDvjn4Xpu8AeCNyRJBw9Q3LAYQCYA/J/gE1E8dQBXZP+l62XE9vtfq0IkGEXkquQitZUVJPh4oRQpm656V04gXoHPMwxYmIydNWAYP root@112
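The server-side step above, done carefully, as an added example that is not part of the original page. It does what ssh-copy-id (method two below) does for you: appends the key exactly once, creates ~/.ssh with mode 700 and authorized_keys with mode 600 so that StrictModes accepts them, and refuses the classic mistake of copying id_rsa instead of id_rsa.pub. The key lines in the demo are constructed (base64 of text, not real keys) and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): install a public key into a
# user's authorized_keys the way ssh-copy-id does, with the permissions that
# StrictModes requires, and reject anything that is not a public key line.

# install_pubkey HOME_DIR PUBKEY_FILE: exit 0 on success, 1 if PUBKEY_FILE is not a public key.
install_pubkey() {
    home=$1 pub=$2
    # An OpenSSH public key file is a single line: <keytype> <base64> [comment].
    # A private key (many lines, "-----BEGIN ...") fails both tests.
    if [ "$(wc -l < "$pub" | tr -d ' ')" -gt 1 ] ||
       ! awk '$1 ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521))$/ &&
              $2 ~ /^[A-Za-z0-9+\/]+=*$/ { ok = 1 } END { exit !ok }' "$pub"; then
        printf 'refusing %s: not an OpenSSH public key line\n' "$pub" >&2
        return 1
    fi
    ak=$home/.ssh/authorized_keys
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    [ -f "$ak" ] || : > "$ak"
    chmod 600 "$ak"
    # StrictModes also requires the directory and file to be owned by the user;
    # they are created here by that user, so no chown is needed.
    # Compare type+blob only: the trailing comment may differ between copies.
    id=$(awk 'NR == 1 { print $1, $2 }' "$pub")
    if awk -v id="$id" '($1 " " $2) == id { f = 1 } END { exit !f }' "$ak"; then
        printf 'already installed: %s\n' "$id"
        return 0
    fi
    awk 'NR == 1' "$pub" >> "$ak"          # always ends the appended line with a newline
    printf 'installed: %s\n' "$id"
}

# authorized_key_count HOME_DIR: number of non-empty lines in authorized_keys.
authorized_key_count() {
    [ -f "$1/.ssh/authorized_keys" ] || { echo 0; return 0; }
    awk 'NF { n++ } END { print n + 0 }' "$1/.ssh/authorized_keys"
}

# perm_string PATH: the ls permission field, e.g. drwx------
perm_string() { ls -ld "$1" | cut -c1-10; }

# write_sample_keys DIR: constructed key files for the demo (blobs are base64 of text, not real keys)
write_sample_keys() {
    printf 'ssh-ed25519 %s admin@112\n' "$(printf 'constructed-key-one' | base64)" > "$1/id_ed25519.pub"
    printf 'ssh-rsa %s admin@112\n'     "$(printf 'constructed-key-two' | base64)" > "$1/id_rsa.pub"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'constructed' '-----END OPENSSH PRIVATE KEY-----' > "$1/id_rsa"
}

tmp=$(mktemp -d) && write_sample_keys "$tmp" && mkdir "$tmp/home"
install_pubkey "$tmp/home" "$tmp/id_ed25519.pub"
install_pubkey "$tmp/home" "$tmp/id_ed25519.pub"            # second copy of the same key: skipped
install_pubkey "$tmp/home" "$tmp/id_rsa" || echo "private key rejected"
echo "keys installed: $(authorized_key_count "$tmp/home")"
ls -ld "$tmp/home/.ssh" "$tmp/home/.ssh/authorized_keys"
rm -rf "$tmp"
```

Run as the target user with its real home directory (install_pubkey ~ ~/id_rsa.pub in the session above); if sshd still falls back to a password prompt afterwards, the permission or ownership check is the first thing to look at in /var/log/secure.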
(2) Method two: the ssh-copy-id command
First remove the public key file installed on the server in method one:
[amber@111 ~]$ rm -rf .ssh/authorized_keys
On the client (this run was captured with a different account, 2567, and a different server, 192.168.66.16; the procedure is the same):
[2567@localhost ~]$ ssh-copy-id -i /home/2567/.ssh/id_rsa.pub 2567@192.168.66.16
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/2567/.ssh/id_rsa.pub"
The authenticity of host '192.168.66.16 (192.168.66.16)' can't be established.
ECDSA key fingerprint is SHA256:G3w/74LEr26WS7zT1anbS9G9NSiTdYP2WphKJKXd0+4.
ECDSA key fingerprint is MD5:33:78:e5:88:67:80:22:b2:1d:cf:d6:d1:ee:94:d4:30.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
2567@192.168.66.16's password:
Permission denied, please try again.
2567@192.168.66.16's password:
Permission denied, please try again.
2567@192.168.66.16's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '2567@192.168.66.16'"
and check to make sure that only the key(s) you wanted were added.
On the server:
[2567@localhost ~]$ ls .ssh/
authorized_keys id_rsa id_rsa.pub known_hosts
[2567@localhost ~]$ cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCssPyyL0Z09spQVn9M92uhnamvFRn4VguBgAimcTGRF7It3LycH+aq9cdY2MWXGQjdTYUJM15yYjWBlEra/0U7aXaQ1dEbcT84bpxUC2BIqSIm6Tm7D8j7FbyOZuXLc/LiHYDEUMbTb4i3zxJTje2LZGHhGtPcjnHTWI80gBflWAH59rxm29AZWidlPX5P+Tq5S+Vt/6P3QikK5vCF92EukAO18sXQiDG/ZOtNdBP/XPtWBRcJXgHnI9OYktrTsqCCXKxpGQpSa+EEzuJV/qMN2i3MOcQnmB6sD9nwLmG1/oWnJfVoBCGgpfvCVVpGGStMAf9YGtejaa0xtCxOB5Ij 2567@localhost.localdomain
3. Log in from the client using the key pair
(1) Confirm that public-key authentication is enabled in /etc/ssh/sshd_config on the server:
PubkeyAuthentication yes
(2) Log in from the client; the key is used automatically and no account password is requested (only the key's passphrase, if one was set):
[2567@localhost ~]$ ssh 192.168.66.16
Last failed login: Wed Aug 21 20:44:14 CST 2019 from 192.168.66.16 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Wed Aug 21 17:21:01 2019