SSH远程访问及控制

远程连接 

ssh（tcp/22端口，密文传输）

telnet(tcp/23端口，明文传输）

SSH   (Secure Shell) 

是一种安全通道协议

对通信数据进行了加密处理，用于远程管理

OpenSSH （一般Linux系统自动安装，乌邦图除外）

服务名称:sshd
服务端主程序:/usr/sbin/sshd
服务端配置文件:/etc/ssh/sshd config 

客户端配置文件：/etc/ssh/ssh_config

服务端重要配置

port	#监听端口
ListenAddress	#监听地址为任意网段，也可以指定OpenSSH服务器的具体IP
LoginGraceTime 2m	#登录验证时间为 2 分钟
MaxAuthTries 6	#最大重试次数为 6
PermintRootLogin  no	#禁止 root 用户登录
PermitEmptyPasswords  no	#禁止空密码用户登录
UseDNS no	#禁用 DNS 反向解析，以加快远程连接速度
AllowUsers	#只允许某些用户登录,多个用户以空格分隔
DenyUsers	#禁止某些用户登录，用法于AllowUsers 类似
（AllowUsers  ,DenyUsers 注意不要同时使用）

SSH客户端应用的使用

1）ssh 远程登录

ssh [-p 端口] 用户名@目标主机IP 
ssh [-p 端口] 用户名@目标主机IP  命令         #临时登录目标主机执行命令后退出

[root@l1 ~]# ssh -p 22 root@192.168.18.20
The authenticity of host '192.168.18.20 (192.168.18.20)' can't be established.
ECDSA key fingerprint is SHA256:hIq1L3NtDQTdmNbTzwy8cxFTjAgMXiaTvH6gsYxr4NE.
ECDSA key fingerprint is MD5:23:f3:10:40:17:d1:c4:52:c9:5c:0d:7c:f5:67:30:c3.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.18.20' (ECDSA) to the list of known hosts.
root@192.168.18.20's password: 
Last login: Fri May  3 15:56:20 2024
[root@l2 ~]# 

[root@l2 ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.18.20  netmask 255.255.255.0  broadcast 192.168.18.255
        inet6 fe80::ef42:44d7:112c:7393  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:66:38:ff  txqueuelen 1000  (Ethernet)
        RX packets 225269  bytes 320467265 (305.6 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 22864  bytes 1386531 (1.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
        ether 52:54:00:0f:a7:1a  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@l2 ~]# 

[root@l2 ~]# ssh -p 22 root@192.168.18.20 mkdir /opt/cywl
The authenticity of host '192.168.18.20 (192.168.18.20)' can't be established.
ECDSA key fingerprint is SHA256:hIq1L3NtDQTdmNbTzwy8cxFTjAgMXiaTvH6gsYxr4NE.
ECDSA key fingerprint is MD5:23:f3:10:40:17:d1:c4:52:c9:5c:0d:7c:f5:67:30:c3.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.18.20' (ECDSA) to the list of known hosts.
root@192.168.18.20's password: 
[root@l2 ~]#

 

2）scp 远程复制

scp -P 端口  [-r] 本机文件/目录路径... 用户名@目标主机IP地址:绝对路径

#将本地主机的文件/目录复制到目标主机，不用绝对路径默认是以目标主机用户的家目录
                     -P：指定端口    -r：复制目录

scp -P端口 [-r] 用户名@目标主机IP地址:绝对路径 本机路径

#将目标主机的文件/目录复制到本机

-P：指定端口    -r：复制目录

 在本机的/opt的目录中新建一个cywl.txt的文件，并在其输入tgcf，

然后通过scp远程复制给IP192.168.18.20主机的root用户的/opt目录中

[root@l1 opt]# cd /opt
[root@l1 opt]# echo tgcf > cywl.txt
[root@l1 opt]# ll
总用量 4
-rw-r--r--. 1 root root 5 5月   3 16:09 cywl.txt
drwxr-xr-x. 2 root root 6 10月 31 2018 rh

[root@l1 opt]# cat cywl.txt  //查看cywl文件内容
tgcf
[root@l1 opt]# 
[root@l1 opt]# scp -p 22 /opt/cywl.txt root@192.168.18.20:/opt
                       //通过scp远程复制给IP20.0.0.20主机的root用户的/opt目录中
root@192.168.18.20's password: 
22: No such file or directory
cywl.txt                        100%    5     9.7KB/s   00:00    
[root@l1 opt]# ll
总用量 4
-rw-r--r--. 1 root root 5 5月   3 16:09 cywl.txt
drwxr-xr-x. 2 root root 6 10月 31 2018 rh

 在目标主机创建一个abc.txt文件，然后将目标主机文件复制到本机

[root@l1 opt]# ssh -p 22 root@192.168.18.20 //远程登录192.168.20.20主机
root@192.168.18.20's password: 
Last login: Fri May  3 16:06:50 2024 from 192.168.18.10
[root@l2 ~]# 
[root@l2 ~]# cd /opt
[root@l2 opt]# ll
总用量 4
drwxr-xr-x. 2 root root 6 5月   3 15:58 cywl
-rw-r--r--. 1 root root 5 5月   3 16:09 cywl.txt
drwxr-xr-x. 2 root root 6 10月 31 2018 rh
[root@l2 opt]# 
[root@l2 opt]# echo 123 > /opt/abc.txt /opt/  //创建abc文件
[root@l2 opt]# ll
总用量 8
-rw-r--r--. 1 root root 10 5月   3 16:18 abc.txt
drwxr-xr-x. 2 root root  6 5月   3 15:58 cywl
-rw-r--r--. 1 root root  5 5月   3 16:09 cywl.txt
drwxr-xr-x. 2 root root  6 10月 31 2018 rh

[root@l1 ~]# scp -P 22 root@192.168.18.20:/opt/abc.txt /opt/  
               //将目标主机192.168.18.20的文件/目录复制到本机
root@192.168.18.20's password: 
Permission denied, please try again.
root@192.168.18.20's password: 
abc.txt                         100%   10    17.6KB/s   00:00    
[root@l1 ~]# cd /opt
[root@l1 opt]# ll  //查看
总用量 8
-rw-r--r--. 1 root root 10 5月   3 16:25 abc.txt
-rw-r--r--. 1 root root  5 5月   3 16:09 cywl.txt
drwxr-xr-x. 2 root root  6 10月 31 2018 rh
[root@l1 opt]# 

 

3）sftp 文件传输

sftp [-P 端口]  用户名@目标主机IP
> get  put  cd  ls 

[root@l1 opt]# sftp -P 22 root@192.168.18.20
root@192.168.18.20's password: 
Connected to 192.168.18.20.
sftp> cd /opt
sftp> ls
abc.txt    cywl       cywl.txt   rh         
sftp> get abc.txt
Fetching /opt/abc.txt to abc.txt
/opt/abc.txt                    100%   10    16.4KB/s   00:00    
sftp> put /opt/cywl.txt /opt/
Uploading /opt/cywl.txt to /opt/cywl.txt
/opt/cywl.txt                   100%    5    10.0KB/s   00:00    
sftp> ll
Invalid command.
sftp> ls
abc.txt    cywl       cywl.txt   rh         
sftp> 

SSH的验证方式

1）密码验证：使用账号和密码进行验证 

PasswordAuthentication yes

2）密钥对验证：使用客户端创建的密钥对进行验证

PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys           #服务端的公钥文件默认保存路径

ssh密钥对的创建和使用：

1）确保服务端开启了ssh密钥对验证

/etc/ssh/sshd_config   -->  PubkeyAuthentication yes

 

 2）在客户端创建密钥对  

ssh-keygen [-t rsa/dsa/ecdsa]  

#生成的密钥对默认存放在当前用户家目录的 .ssh/ 目录中，

私钥是留给自己使用的，公钥(XXX.pub)是给服务端使用的 

[root@l2 ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:IpZp7D9K+XOKBu/fzihXCWT5JhtTZo8I1RysEvrgOoc root@l2
The key's randomart image is:
+---[RSA 2048]----+
|     ..=..       |
|    o + B        |
|   . = B o       |
|  o..oB + .      |
| . oB..BS.       |
|  o+.o..o        |
| o o+  .         |
|E ..++++.        |
| o o+=**+        |
+----[SHA256]-----+
[root@l2 ~]# 

3）上传公钥至服务端 

ssh-copy-id [-i 公钥文件]  用户名@目标主机IP    

#公钥信息会自动保存到服务端的 ~/.ssh/authorized_keys 文件里

[root@l2 ~]# ssh-copy-id -i .ssh/id_rsa.pub root@192.168.18.20
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.18.20's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@192.168.18.20'"
and check to make sure that only the key(s) you wanted were added.

[root@l2 ~]# 

[root@l2 ~]# cd .ssh/
[root@l2 .ssh]# ls
authorized_keys  id_rsa  id_rsa.pub  known_hosts
[root@l2 .ssh]# cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDvTb63k9nr9m28KjRdXCv4AxhbXixfpR7svG5cY+F+26ZdfNm1pozf8a0q7Ks8IEZ5dLicuymBsQi5cBn6cWl81AWFwiNtjAMwu/FHk2Yz2mzEy2rn69o//BHhxviMNYjur/bUKoOstYjMs43Jun8bk140ZUdE5CiIsLNJuxX99c96mIJnpv1L4dwQezRZqq94aOpsInPfCBI7eaUODE+klb+k6VsBkmmVnZX7YyrYji0FYLgljqiCeLDw5nyphbz1QbQ3d1DI8sGm++G4O+5gvz3FtX+19Mo44EYg7bHrRPVPabHpqGoTSLbiQQNwDen4iObxO4UnjXUsvPqAKZV7 root@l2
[root@l2 .ssh]# 

4）客户端 ssh 远程登录，使用密钥对的密码进行验证 

注：密钥对在客户端是谁创建的，只能谁使用；密钥对上传给服务端的哪个用户，那么就只能使用那个用户去登录

[root@l1 opt]# 
[root@l1 opt]# ssh -p 22 root@192.168.18.20

root@192.168.18.20's password: 
Last login: Fri May  3 22:59:36 2024 from 192.168.18.10
[root@l2 ~]# 
[root@l2 ~]# cd /opt/
[root@l2 opt]# ls
abc.txt  cywl  cywl.txt  rh
[root@l2 opt]# 

ssh密钥对免交互登录：

1）使用空密码的密钥对

ssh-keygen      一路回车，不设置密码
ssh-copy-id

[root@l2 opt]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:igmcr5Gmkc1L5U53u7W4YICof6xDU8bS1yZm66tktO8 root@l2
The key's randomart image is:
+---[RSA 2048]----+
|                 |
|                 |
|   o   .         |
| o.o= = o        |
|. =+++ +S        |
|.+oB =..         |
|+.BoX.= . .      |
| *.Oo+.o + .     |
|. =+ooE.=o.      |
+----[SHA256]-----+
[root@l2 opt]# 

2）创建ssh会话代理（只能在当前会话中有效）

ssh-agent bash
ssh-add

[root@l2 opt]# ssh-agent bash
[root@l2 opt]# ssh-add
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
[root@l2 opt]# ssh -p 22 root@192.168.18.10
root@192.168.18.10's password: 
Last login: Fri May  3 16:23:39 2024 from 192.168.18.1
[root@l1 ~]# 

一键操作的命令：

ssh-keygen -t rsa -P '' -f  ~/.ssh/id_rsa
sshpass -p 'abc1234' ssh-copy-id -o StrictHostKeyChecking=no root@192.168.80.20 

TCP Wrappers  为支持TCP Wrappers的服务程序提供访问控制的功能，要么允许访问，要么拒绝访问

判断是否支持TCP Wrappers：  

执行命令 ldd $(which 程序名称) | grep libwrap  查看是否有 libwrap.so.0 => /lib64/libwrap.so.0                                  

访问策略原则：

先看 /etc/hosts.allow 是否有匹配的策略，有则直接允许访问
再看 /etc/hosts.deny  是否有匹配的策略，有则拒绝访问
如果以上两个文件都没有匹配的策略，则默认允许访问

策略格式：  

<程序列表>:<客户端地址列表>
            sshd,vsftpd:192.168.80.13,192.168.80.14
            ALL:ALL
            sshd:192.168.80.*
            sshd:192.168.80.0/255.255.255.128