I. SSH Overview
1. Introduction to SSH
SSH (Secure Shell) is a secure channel protocol, used mainly for character-mode remote login, remote copying and similar functions. SSH encrypts all data exchanged between the two communicating parties, including the user password typed at login; compared with applications such as TELNET (remote login), it provides far better security.
2. Default listening port:
TCP 22
II. OpenSSH Configuration
1. OpenSSH packages
They are installed automatically with a default Linux installation; if they are missing, install the following rpm packages from the installation disc:
openssh-5.3p1-94.el6.x86_64.rpm
openssh-askpass-5.3p1-94.el6.x86_64.rpm
openssh-clients-5.3p1-94.el6.x86_64.rpm
openssh-server-5.3p1-94.el6.x86_64.rpm
- Service name: sshd
- Server daemon: /usr/sbin/sshd
- Server configuration file: /etc/ssh/sshd_config
- Client configuration file: /etc/ssh/ssh_config
2. Server-side OpenSSH configuration
[root@Rz ~]# cd /etc/ssh/
[root@Rz ssh]# ls
moduli ssh_host_ecdsa_key ssh_host_ed25519_key.pub
ssh_config ssh_host_ecdsa_key.pub ssh_host_rsa_key
sshd_config ssh_host_ed25519_key ssh_host_rsa_key.pub
[root@Rz ssh]# cp -p sshd_config sshd_config.$(date +%F-%T)
[root@Rz ssh]# vim sshd_config
#Port 22 // default port, TCP 22
#AddressFamily any // address family: any, inet (IPv4), inet6 (IPv6)
ListenAddress 192.168.100.100 // IP address to listen on; default 0.0.0.0 listens on all addresses
LoginGraceTime 2m // time allowed to complete login: 2 minutes
PermitRootLogin yes // root login is allowed by default
StrictModes yes // check ownership and permissions of the user's home directory and related files before accepting a connection
MaxAuthTries 6 // maximum authentication attempts per connection
MaxSessions 10 // maximum number of open sessions per network connection
RSAAuthentication yes // enable RSA authentication
PubkeyAuthentication yes // enable public-key authentication
AuthorizedKeysFile .ssh/authorized_keys // location of the authorized public keys file
PermitEmptyPasswords no // do not allow users with empty passwords to log in
PasswordAuthentication yes // enable password authentication
UseDNS no // disable reverse DNS lookups of clients
Added manually:
AllowUsers Rz zhangsan@192.168.100.2
#DenyUsers lisi
AllowUsers: user amber may log in from any client; user zhangsan may log in only from the client with IP address 192.168.1.51. Only these two users are permitted to log in remotely over SSH.
DenyUsers: forbids user lisi from logging in.
Note: do not use AllowUsers and DenyUsers at the same time.
After modifying the configuration file, restart the sshd service:
[root@Rz ssh]# systemctl restart sshd
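An added example, not part of the original page: it reads an sshd_config the way sshd does (the first non-comment occurrence of a directive wins and keywords are matched case-insensitively) and then audits the settings a hardening review usually checks. The sample config is constructed from the listing above, and the expected values (PermitRootLogin no, PasswordAuthentication no, MaxAuthTries 3) are this example's own recommendations, not settings from the page.

```shell
#!/bin/sh
# Constructed sshd_config excerpt (modelled on the listing above, not a real host's file).
SAMPLE_CONFIG='#Port 22
ListenAddress 192.168.100.100
LoginGraceTime 2m
PermitRootLogin yes
MaxAuthTries 6
PubkeyAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication yes
UseDNS no
AllowUsers Rz zhangsan@192.168.100.2
#DenyUsers lisi
permitrootlogin no'

# Print the effective value of a directive. sshd uses the FIRST
# non-comment occurrence and matches keywords case-insensitively,
# so the trailing "permitrootlogin no" above is ignored.
sshd_effective() {
    printf '%s\n' "$2" | awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
        tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }'
}

# Audit the settings a hardening review looks at; the return code is the number of findings.
audit_sshd() {
    findings=0
    check() {   # check <directive> <expected> <reason>
        val="$(sshd_effective "$1" "$SAMPLE_CONFIG")"
        if [ "$val" != "$2" ]; then
            echo "FINDING: $1 is '${val:-unset}', expected '$2' ($3)"
            findings=$((findings + 1))
        fi
    }
    check PermitRootLogin no "log in as a named user and escalate with sudo"
    check PasswordAuthentication no "prefer key-based authentication"
    check PermitEmptyPasswords no "empty passwords must never be accepted"
    check MaxAuthTries 3 "limit password guesses per connection"
    return $findings
}
```

Run against the sample it reports three findings; point SAMPLE_CONFIG at the output of `sshd -T` on a real host to audit the daemon's effective settings instead.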
III. Using the SSH Client Programs
1. Command-line programs:
(1). ssh command (secure remote login)
Syntax: ssh user@host (if the user name is the same on the client and the server, user@ may be omitted)
Port option: -p 22
Server:
[root@Rz ssh]# hostnamectl set-hostname server-SSH.Rz.com
[root@Rz ssh]# bash
[root@server-ssh ssh]# useradd Rz
[root@server-ssh ssh]# echo "123123" |passwd --stdin Rz &>/dev/null
Client:
[root@client ~]# useradd admin
[root@client ~]# echo "123123" |passwd --stdin admin &>/dev/null
[root@client ~]# su - admin
[admin@client ~]$ ssh linuxli@192.168.100.100
The authenticity of host '192.168.100.100 (192.168.100.100)' can't be established.
ECDSA key fingerprint is SHA256:kyJL6c7K/v7dx8X+/ye5VEoJFVNQwaZSZJshODNWVu8.
ECDSA key fingerprint is MD5:ba:ce:ef:43:3b:99:98:77:6e:b8:60:0e:50:50:fb:15.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.100.100' (ECDSA) to the list of known hosts.
Rz@192.168.100.100's password:
[Rz@server-ssh ~]$ 登出
Connection to 192.168.100.100 closed.
(2). scp command (secure remote copy)
Syntax 1: scp user@host:file1 file2
Syntax 2: scp file1 user@host:file2
1> Copy files from the server to the client
Server:
[root@server-ssh ~]# mkdir /aaa
[root@server-ssh ~]# touch /aaa/test{1..10}
[root@server-ssh ~]# ls /aaa/
test1 test10 test2 test3 test4 test5 test6 test7 test8 test9
Client:
[root@client ~]# mkdir /bbb
[root@client ~]# ls /bbb/
[root@client ~]# scp linuxli@192.168.100.100:/aaa/* /bbb/
The authenticity of host '192.168.100.100 (192.168.100.100)' can't be established.
ECDSA key fingerprint is SHA256:kyJL6c7K/v7dx8X+/ye5VEoJFVNQwaZSZJshODNWVu8.
ECDSA key fingerprint is MD5:ba:ce:ef:43:3b:99:98:77:6e:b8:60:0e:50:50:fb:15.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.100.100' (ECDSA) to the list of known hosts.
linuxli@192.168.100.100's password:
test1 100% 0 0.0KB/s 00:00
test10 100% 0 0.0KB/s 00:00
test2 100% 0 0.0KB/s 00:00
test3 100% 0 0.0KB/s 00:00
test4 100% 0 0.0KB/s 00:00
test5 100% 0 0.0KB/s 00:00
test6 100% 0 0.0KB/s 00:00
test7 100% 0 0.0KB/s 00:00
test8 100% 0 0.0KB/s 00:00
test9 100% 0 0.0KB/s 00:00
[root@client ~]# ls /bbb/
test1 test10 test2 test3 test4 test5 test6 test7 test8 test9
2> Copy files from the client to the server:
Client:
[root@client ~]# echo ceshi >client.txt
[root@client ~]# scp client.txt Rz@192.168.100.100:~Rz/client1.txt
Rz@192.168.100.100's password:
client.txt 100% 6 4.8KB/s 00:00
Server:
[root@server-ssh ~]# ll ~Rz/
总用量 4
-rw-r--r-- 1 Rz Rz 22 7月 8 22:34 client1.txt
(3). sftp command (secure FTP upload/download)
Syntax: sftp user@host
Client:
[root@client ~]# mkdir /ccc
[root@client ~]# cd /ccc/
[root@client ccc]# ls
[root@client ccc]# sftp linuxli@192.168.100.100
linuxli@192.168.100.100's password:
Connected to 192.168.100.100.
sftp> ls /aaa/
/aaa/test1 /aaa/test10 /aaa/test2 /aaa/test3 /aaa/test4 /aaa/test5 /aaa/test6
/aaa/test7 /aaa/test8 /aaa/test9
sftp> mget /aaa/*
Fetching /aaa/test1 to test1
Fetching /aaa/test10 to test10
Fetching /aaa/test2 to test2
Fetching /aaa/test3 to test3
Fetching /aaa/test4 to test4
Fetching /aaa/test5 to test5
Fetching /aaa/test6 to test6
Fetching /aaa/test7 to test7
Fetching /aaa/test8 to test8
Fetching /aaa/test9 to test9
sftp> exit
[root@client ccc]# ls
test1 test10 test2 test3 test4 test5 test6 test7 test8 test9
IV. Passwordless SSH Login
Allows machines to log in to each other without entering a password.
1. Create a key pair on the server:
[root@node1 ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:Z5FcBGBFUGGES5LtY6RMrPa7gf4JnIxX7hzdvKglRq0 root@node1
The key's randomart image is:
+---[RSA 2048]----+
| . o+OO+o |
| =.=o o |
| + * .+ |
| o o.= . |
| . .o.S.o |
| + *.o = |
| . B E.o o |
| o =.* . . |
| ..Bo. . |
+----[SHA256]-----+
2. Upload the public key to the client
(1). Method one: any means works (shared folder, FTP, e-mail, SCP, ...)
Server:
Check on the client:
(2). Method two: the ssh-copy-id command
On the client, delete the file copied in the previous step
Copy the public key from the server to the client:
Verify on the client:
(3). Verify passwordless login:
Server logs in to the client (node1 logs in to node2)
Note: if the client should also log in to the server without a password, repeat the same steps on the client.
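Method one done by hand, as an added example that is not from the original page: it installs a public key into authorized_keys with the permissions that StrictModes (enabled in the sshd_config above) requires, refuses input that is not a single OpenSSH key line, and does not create duplicate entries when the same key is installed twice. The key material, the home directory path and the function names are constructed for the example.

```shell
#!/bin/sh
# Constructed sample key (not real key material) used by the self-test.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialNotReal0000000000000000000 root@node1'

# Install a public key the way StrictModes expects: ~/.ssh mode 700,
# authorized_keys mode 600, and no duplicate key lines.
# Usage: install_pubkey <pubkey-file> <home-dir>
install_pubkey() {
    pub="$1"; home="$2"
    sshdir="$home/.ssh"; auth="$sshdir/authorized_keys"
    # Accept only a single OpenSSH public key line; anything else is an error.
    [ "$(wc -l < "$pub" | tr -d ' ')" -eq 1 ] \
        || { echo "refusing: $pub is not a single key line" >&2; return 2; }
    grep -Eq '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/=]+' "$pub" \
        || { echo "refusing: $pub does not look like an OpenSSH public key" >&2; return 2; }
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$auth" && chmod 600 "$auth"
    # Compare on key type and key material only, so a different comment
    # (the user@host suffix) does not produce a second copy of the same key.
    keyid="$(awk '{print $1, $2}' "$pub")"
    if awk '{print $1, $2}' "$auth" | grep -Fqx "$keyid"; then
        echo "already present: $keyid"
        return 0
    fi
    cat "$pub" >> "$auth"
    echo "installed: $keyid"
}

# Print one line per permission problem that sshd's StrictModes would reject
# (empty output means the directory and file are acceptable). Uses GNU stat.
strictmodes_problems() {
    home="$1"
    [ "$(stat -c %a "$home/.ssh")" = "700" ] || echo "$home/.ssh is not mode 700"
    [ "$(stat -c %a "$home/.ssh/authorized_keys")" = "600" ] || echo "authorized_keys is not mode 600"
}
```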