远程连接
ssh(tcp/22端口,密文传输)
telnet(tcp/23端口,明文传输)
SSH (Secure Shell)
是一种安全通道协议
对通信数据进行了加密处理,用于远程管理
OpenSSH (一般Linux系统自动安装,乌邦图除外)
服务名称:sshd
服务端主程序:/usr/sbin/sshd
服务端配置文件:/etc/ssh/sshd config客户端配置文件:/etc/ssh/ssh_config
服务端重要配置
port | #监听端口 |
ListenAddress | #监听地址为任意网段,也可以指定OpenSSH服务器的具体IP |
LoginGraceTime 2m | #登录验证时间为 2 分钟 |
MaxAuthTries 6 | #最大重试次数为 6 |
PermintRootLogin no | #禁止 root 用户登录 |
PermitEmptyPasswords no | #禁止空密码用户登录 |
UseDNS no | #禁用 DNS 反向解析,以加快远程连接速度 |
AllowUsers | #只允许某些用户登录,多个用户以空格分隔 |
DenyUsers | #禁止某些用户登录,用法于AllowUsers 类似 |
(AllowUsers ,DenyUsers 注意不要同时使用) |
SSH客户端应用的使用
1)ssh 远程登录
ssh [-p 端口] 用户名@目标主机IP
ssh [-p 端口] 用户名@目标主机IP 命令 #临时登录目标主机执行命令后退出
[root@l1 ~]# ssh -p 22 root@192.168.18.20
The authenticity of host '192.168.18.20 (192.168.18.20)' can't be established.
ECDSA key fingerprint is SHA256:hIq1L3NtDQTdmNbTzwy8cxFTjAgMXiaTvH6gsYxr4NE.
ECDSA key fingerprint is MD5:23:f3:10:40:17:d1:c4:52:c9:5c:0d:7c:f5:67:30:c3.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.18.20' (ECDSA) to the list of known hosts.
root@192.168.18.20's password:
Last login: Fri May 3 15:56:20 2024
[root@l2 ~]#
[root@l2 ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.18.20 netmask 255.255.255.0 broadcast 192.168.18.255
inet6 fe80::ef42:44d7:112c:7393 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:66:38:ff txqueuelen 1000 (Ethernet)
RX packets 225269 bytes 320467265 (305.6 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 22864 bytes 1386531 (1.3 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
virbr0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 192.168.122.1 netmask 255.255.255.0 broadcast 192.168.122.255
ether 52:54:00:0f:a7:1a txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@l2 ~]#
[root@l2 ~]# ssh -p 22 root@192.168.18.20 mkdir /opt/cywl
The authenticity of host '192.168.18.20 (192.168.18.20)' can't be established.
ECDSA key fingerprint is SHA256:hIq1L3NtDQTdmNbTzwy8cxFTjAgMXiaTvH6gsYxr4NE.
ECDSA key fingerprint is MD5:23:f3:10:40:17:d1:c4:52:c9:5c:0d:7c:f5:67:30:c3.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.18.20' (ECDSA) to the list of known hosts.
root@192.168.18.20's password:
[root@l2 ~]#
2)scp 远程复制
scp -P 端口 [-r] 本机文件/目录路径... 用户名@目标主机IP地址:绝对路径
#将本地主机的文件/目录复制到目标主机,不用绝对路径默认是以目标主机用户的家目录
-P:指定端口 -r:复制目录scp -P端口 [-r] 用户名@目标主机IP地址:绝对路径 本机路径
#将目标主机的文件/目录复制到本机
-P:指定端口 -r:复制目录
在本机的/opt的目录中新建一个cywl.txt的文件,并在其输入tgcf,
然后通过scp远程复制给IP192.168.18.20主机的root用户的/opt目录中
[root@l1 opt]# cd /opt
[root@l1 opt]# echo tgcf > cywl.txt
[root@l1 opt]# ll
总用量 4
-rw-r--r--. 1 root root 5 5月 3 16:09 cywl.txt
drwxr-xr-x. 2 root root 6 10月 31 2018 rh
[root@l1 opt]# cat cywl.txt //查看cywl文件内容
tgcf
[root@l1 opt]#
[root@l1 opt]# scp -p 22 /opt/cywl.txt root@192.168.18.20:/opt
//通过scp远程复制给IP20.0.0.20主机的root用户的/opt目录中
root@192.168.18.20's password:
22: No such file or directory
cywl.txt 100% 5 9.7KB/s 00:00
[root@l1 opt]# ll
总用量 4
-rw-r--r--. 1 root root 5 5月 3 16:09 cywl.txt
drwxr-xr-x. 2 root root 6 10月 31 2018 rh
在目标主机创建一个abc.txt文件,然后将目标主机文件复制到本机
[root@l1 opt]# ssh -p 22 root@192.168.18.20 //远程登录192.168.20.20主机
root@192.168.18.20's password:
Last login: Fri May 3 16:06:50 2024 from 192.168.18.10
[root@l2 ~]#
[root@l2 ~]# cd /opt
[root@l2 opt]# ll
总用量 4
drwxr-xr-x. 2 root root 6 5月 3 15:58 cywl
-rw-r--r--. 1 root root 5 5月 3 16:09 cywl.txt
drwxr-xr-x. 2 root root 6 10月 31 2018 rh
[root@l2 opt]#
[root@l2 opt]# echo 123 > /opt/abc.txt /opt/ //创建abc文件
[root@l2 opt]# ll
总用量 8
-rw-r--r--. 1 root root 10 5月 3 16:18 abc.txt
drwxr-xr-x. 2 root root 6 5月 3 15:58 cywl
-rw-r--r--. 1 root root 5 5月 3 16:09 cywl.txt
drwxr-xr-x. 2 root root 6 10月 31 2018 rh
[root@l1 ~]# scp -P 22 root@192.168.18.20:/opt/abc.txt /opt/
//将目标主机192.168.18.20的文件/目录复制到本机
root@192.168.18.20's password:
Permission denied, please try again.
root@192.168.18.20's password:
abc.txt 100% 10 17.6KB/s 00:00
[root@l1 ~]# cd /opt
[root@l1 opt]# ll //查看
总用量 8
-rw-r--r--. 1 root root 10 5月 3 16:25 abc.txt
-rw-r--r--. 1 root root 5 5月 3 16:09 cywl.txt
drwxr-xr-x. 2 root root 6 10月 31 2018 rh
[root@l1 opt]#
3)sftp 文件传输
sftp [-P 端口] 用户名@目标主机IP
> get put cd ls
[root@l1 opt]# sftp -P 22 root@192.168.18.20
root@192.168.18.20's password:
Connected to 192.168.18.20.
sftp> cd /opt
sftp> ls
abc.txt cywl cywl.txt rh
sftp> get abc.txt
Fetching /opt/abc.txt to abc.txt
/opt/abc.txt 100% 10 16.4KB/s 00:00
sftp> put /opt/cywl.txt /opt/
Uploading /opt/cywl.txt to /opt/cywl.txt
/opt/cywl.txt 100% 5 10.0KB/s 00:00
sftp> ll
Invalid command.
sftp> ls
abc.txt cywl cywl.txt rh
sftp>
SSH的验证方式
1)密码验证:使用账号和密码进行验证
PasswordAuthentication yes
2)密钥对验证:使用客户端创建的密钥对进行验证
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys #服务端的公钥文件默认保存路径
ssh密钥对的创建和使用:
1)确保服务端开启了ssh密钥对验证
/etc/ssh/sshd_config --> PubkeyAuthentication yes
2)在客户端创建密钥对
ssh-keygen [-t rsa/dsa/ecdsa]
#生成的密钥对默认存放在当前用户家目录的 .ssh/ 目录中,
私钥是留给自己使用的,公钥(XXX.pub)是给服务端使用的
[root@l2 ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:IpZp7D9K+XOKBu/fzihXCWT5JhtTZo8I1RysEvrgOoc root@l2
The key's randomart image is:
+---[RSA 2048]----+
| ..=.. |
| o + B |
| . = B o |
| o..oB + . |
| . oB..BS. |
| o+.o..o |
| o o+ . |
|E ..++++. |
| o o+=**+ |
+----[SHA256]-----+
[root@l2 ~]#
3)上传公钥至服务端
ssh-copy-id [-i 公钥文件] 用户名@目标主机IP
#公钥信息会自动保存到服务端的 ~/.ssh/authorized_keys 文件里
[root@l2 ~]# ssh-copy-id -i .ssh/id_rsa.pub root@192.168.18.20
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.18.20's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@192.168.18.20'"
and check to make sure that only the key(s) you wanted were added.
[root@l2 ~]#
[root@l2 ~]# cd .ssh/
[root@l2 .ssh]# ls
authorized_keys id_rsa id_rsa.pub known_hosts
[root@l2 .ssh]# cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDvTb63k9nr9m28KjRdXCv4AxhbXixfpR7svG5cY+F+26ZdfNm1pozf8a0q7Ks8IEZ5dLicuymBsQi5cBn6cWl81AWFwiNtjAMwu/FHk2Yz2mzEy2rn69o//BHhxviMNYjur/bUKoOstYjMs43Jun8bk140ZUdE5CiIsLNJuxX99c96mIJnpv1L4dwQezRZqq94aOpsInPfCBI7eaUODE+klb+k6VsBkmmVnZX7YyrYji0FYLgljqiCeLDw5nyphbz1QbQ3d1DI8sGm++G4O+5gvz3FtX+19Mo44EYg7bHrRPVPabHpqGoTSLbiQQNwDen4iObxO4UnjXUsvPqAKZV7 root@l2
[root@l2 .ssh]#
4)客户端 ssh 远程登录,使用密钥对的密码进行验证
注:密钥对在客户端是谁创建的,只能谁使用;密钥对上传给服务端的哪个用户,那么就只能使用那个用户去登录
[root@l1 opt]#
[root@l1 opt]# ssh -p 22 root@192.168.18.20
root@192.168.18.20's password:
Last login: Fri May 3 22:59:36 2024 from 192.168.18.10
[root@l2 ~]#
[root@l2 ~]# cd /opt/
[root@l2 opt]# ls
abc.txt cywl cywl.txt rh
[root@l2 opt]#
ssh密钥对免交互登录:
1)使用空密码的密钥对
ssh-keygen 一路回车,不设置密码
ssh-copy-id
[root@l2 opt]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:igmcr5Gmkc1L5U53u7W4YICof6xDU8bS1yZm66tktO8 root@l2
The key's randomart image is:
+---[RSA 2048]----+
| |
| |
| o . |
| o.o= = o |
|. =+++ +S |
|.+oB =.. |
|+.BoX.= . . |
| *.Oo+.o + . |
|. =+ooE.=o. |
+----[SHA256]-----+
[root@l2 opt]#
2)创建ssh会话代理(只能在当前会话中有效)
ssh-agent bash
ssh-add
[root@l2 opt]# ssh-agent bash
[root@l2 opt]# ssh-add
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
[root@l2 opt]# ssh -p 22 root@192.168.18.10
root@192.168.18.10's password:
Last login: Fri May 3 16:23:39 2024 from 192.168.18.1
[root@l1 ~]#
一键操作的命令:
ssh-keygen -t rsa -P '' -f ~/.ssh/id_rsa
sshpass -p 'abc1234' ssh-copy-id -o StrictHostKeyChecking=no root@192.168.80.20
TCP Wrappers 为支持TCP Wrappers的服务程序提供访问控制的功能,要么允许访问,要么拒绝访问
判断是否支持TCP Wrappers:
执行命令 ldd $(which 程序名称) | grep libwrap 查看是否有 libwrap.so.0 => /lib64/libwrap.so.0
访问策略原则:
先看 /etc/hosts.allow 是否有匹配的策略,有则直接允许访问
再看 /etc/hosts.deny 是否有匹配的策略,有则拒绝访问
如果以上两个文件都没有匹配的策略,则默认允许访问
策略格式:
<程序列表>:<客户端地址列表>
sshd,vsftpd:192.168.80.13,192.168.80.14
ALL:ALL
sshd:192.168.80.*
sshd:192.168.80.0/255.255.255.128