2.2 SSH服务器与OpenSSH

SSH服务器

配置SSH服务器配置文件 /etc/ssh/sshd_config

[root@CentOS7 ~]# cat /etc/ssh/sshd_config 
#	$OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22   #默认监听端口,建议修改
#AddressFamily any  #支持IP协议,默认v4、v6都支持
#ListenAddress 0.0.0.0   #默认监听的IP地址,建议修改为内网地址
#ListenAddress ::

HostKey /etc/ssh/ssh_host_rsa_key   #密钥文件名
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging    #日志的配置,默认存放在/var/log/secure
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes   #是否允许root直接登陆,建议no
#StrictModes yes       #是否检查密钥文件的权限
#MaxAuthTries 6        #最大尝试登录次数,实际为二分之一
#MaxSessions 10        #相同会话最多同时连接次数

#PubkeyAuthentication yes   #是否允许基于Key验证连接

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile	.ssh/authorized_keys    #公钥文件存放路径

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes   #是否允许通过用户口令进行连接

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
GSSAPIAuthentication no   #是否使用此类验证,建议no
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0   #客户端连接活动间隔,单位是秒
#ClientAliveCountMax 3   #客户端活动间隔探测次数,超出即断开连接
#ShowPatchLevel no
UseDNS no   #是否使用DNS反向解析,建议no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100    #支持最大的未验证连接数,10个未验证连接:超过后,断开30%未验证连接:超过100个时断开所有未验证连接
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none    #提示信息

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
Subsystem	sftp	/usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server

    添加 AllowUsers 用户... 可以限制远程主机允许通过那些用户登陆 ssh 服务器,不再此列表中的用户,远程主机皆不能访问包括 root 用户
    添加 DenyUsers 用户... 可以限制远程主机不能通过那些用户登陆 ssh 服务器。

当一个用户同时出现在 AllowUsers 与 DenyUsers 列表中时,ssh 会拒绝远程主机通过此用户访问 ssh 服务器。


    sftp命令类似与传统的 ftp 工具,但是在链接基于在 SSH 协议,可以安全的传输数据。

[root@CentOS6 ~]# sftp root@192.168.30.74   #sftp是交互式命令
Connecting to 192.168.30.74...
sftp> ls
11                     Desktop                Documents              Downloads              Music                  Pictures               Public                 Templates              
Videos                 aa                     anaconda-ks.cfg        app                    bin                    initial-setup-ks.cfg   user.txt               useradd                
sftp> pwd
Remote working directory: /root
sftp> get /etc/fstab /data
Fetching /etc/fstab to /data/fstab
/etc/fstab                                                                                                                                                 100%  595     0.6KB/s   00:00    
sftp> exit

pssh工具

    pssh命令用于在多台主机上通过 SSH 连接并发执行命令。

    语法:pssh 目标主机 [选项] 动作

[root@CentOS6 ~]# pssh -H 192.168.30.74 -H 192.168.30.75 -A -i pwd
Warning: do not enter your password if anyone else has superuser
privileges or access to your account.
Password: 
[1] 13:50:51 [SUCCESS] 192.168.30.74
/root
[2] 13:50:57 [SUCCESS] 192.168.30.75
/root
[root@CentOS6 ~]# pssh -H 192.168.30.74 -H 192.168.30.75 -i pwd
[1] 13:52:55 [SUCCESS] 192.168.30.74
/root
[2] 13:52:56 [SUCCESS] 192.168.30.75
/root

    选项

-h:主机文件列表,内容格式每行为”[user@]host[:port]
-H:主机字符串
-l:登录使用的用户名
-p:并发的线程数
-o:输出的文件目录,输出时会覆盖原文件内容
-e:错误输入文件
-t:TIMEOUT 超时时间设置,0无限制
-O:SSH的选项
-v:详细模式
-A:手动输入密码模式,不使用 -A 选项需要两台主机已完成基于Key验证
-x:额外的命令行参数使用空白符号,引号,反斜线处理
-X:额外的命令行参数,单个参数模式,同-x
-i:每个服务器内部处理信息输出
-P:打印出服务器返回信息

[root@CentOS7 err.log]#⮀ssh root@192.168.30.74 'echo $PATH'
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
[root@CentOS7 err.log]#⮀ssh root@192.168.30.75 'echo $PATH'
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
[root@CentOS7 err.log]#⮀ssh root@192.168.30.69 'echo $PATH'
/app/bin:/usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin

由此可见,在当需要执行的命令或者脚本不再上述 PATH变量 中,则需要使用绝对路径

    pscp.pssh命令用于向多台主机推送文件。

    语法:pscp.pssh 目标主机 [选项] 本地文件 远程目录

[root@CentOS7 data]# pscp.pssh -H 192.168.30.75 -H 192.168.30.69 host.sh /root/bin
[1] 14:32:29 [SUCCESS] 192.168.30.69
[2] 14:32:30 [SUCCESS] 192.168.30.75

    选项:与 pssh 差别不大,多了 -r 递归复制

-r:递归复制
-h:主机文件列表,内容格式每行为”[user@]host[:port]”
-H:主机字符串
-O:SSH的选项
-o:输出的文件目录,输出时会覆盖原文件内容
-e:错误输入文件
-t:TIMEOUT 超时时间设置,0无限制
-x:额外的命令行参数使用空白符号,引号,反斜线处理
-X:额外的命令行参数,单个参数模式,同-x

    pslurp命令用于从多台主机拉取文件。

    语法:pslurp.pssh 目标主机 [选项] -L 本地目录 远程文件 [输出文件名]

[root@CentOS7 err.log]#⮀pslurp -H root@192.168.30.75 -H 192.168.30.69 -L /data/ /var/log/messages maa
[1] 16:02:27 [SUCCESS] 192.168.30.69
[2] 16:02:28 [SUCCESS] root@192.168.30.75

SSH端口转发

    搭建实验环境

1、创建iptables,拒绝 192.168.30.69 连接 192.168.30.75

[root@CentOS7 ~]# iptables -A INPUT -s 192.168.30.69 -j REJECT
[root@CentOS7 ~]# iptables -L -n -v
Chain INPUT (policy ACCEPT 92 packets, 15050 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       192.168.30.69        0.0.0.0/0            reject-with icmp-port-unreachable

2、启用 192.168.30.75 上的 telnet 服务端口

[root@CentOS7 ~]# systemctl status telnet.socket 
● telnet.socket - Telnet Server Activation Socket
   Loaded: loaded (/usr/lib/systemd/system/telnet.socket; disabled; vendor preset: disabled)
   Active: active (listening) since Fri 2018-05-25 00:19:27 CST; 8min ago
     Docs: man:telnetd(8)
   Listen: [::]:23 (Stream)
 Accepted: 0; Connected: 0

May 25 00:19:27 CentOS7.Miriam systemd[1]: Listening on Telnet Server Activation Socket.
May 25 00:19:27 CentOS7.Miriam systemd[1]: Starting Telnet Server Activation Socket.

    本地端口转发

本地主机是192.168.30.69

    语法:ssh -L 本地端口:目标主机地址:目标端口 SSH服务器地址

[root@CentOS6 ~]# ssh -L 1024:192.168.30.75:23 192.168.30.74   #建立192.168.30.69与192.168.30.74的ssh端口转发连接
Last login: Thu May 24 13:51:17 2018 from 192.168.30.69
[root@CentOS7 ~]#  
[root@CentOS6 ~]# telnet 127.0.0.1 1024   #使用本地1024端口连接telnet服务
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.

Kernel 3.10.0-862.el7.x86_64 on an x86_64
CentOS7 login: jiangbowen
Password: 
[jiangbowen@CentOS7 ~]$   #连接成功
[root@CentOS7 ~]# ss -nt   #查看192.168.30.74的端口状态
State       Recv-Q Send-Q                                                 Local Address:Port                                                                Peer Address:Port              
ESTAB       0      0                                                      192.168.30.74:22                                                                 192.168.30.69:55416              
ESTAB       0      0                                                      192.168.30.74:54308                                                              192.168.30.75:23                 
ESTAB       0      52                                                     192.168.30.74:22                                                                  192.168.30.1:1799        

    选项

-f 后台启用
-N 不打开远程shell,处于等待状态
-g 启用网关功能

转发过程:data<->localhost:1024<->localhost:XXXXX<->sshsrv:22 <->sshsrv:YYYYY<->telnetsrv:23

    远程端口转发

本地主机是192.168.30.74

    语法:ssh -R 远程端口:目标主机地址:目标端口 SSH服务器地址

[root@CentOS7 ~]# ssh -R 1024:192.168.30.75:23 192.168.30.69   #建立192.168.30.74与192.168.30.69的ssh端口转发连接
Last login: Thu May 24 17:14:38 2018 from 192.168.30.74
[root@CentOS6 ~]#
[root@CentOS6 ~]# ss -nt    #192.168.30.69上的端口状态
State       Recv-Q Send-Q                                                              Local Address:Port                                                                Peer Address:Port 
ESTAB       0      0                                                                   192.168.30.69:22                                                                  192.168.30.1:1796  
ESTAB       0      0                                                                   192.168.30.69:22                                                                 192.168.30.74:50658 
[root@CentOS6 ~]# ss -ntl   #本地1024端口已经处于监听状态
State       Recv-Q Send-Q                                                              Local Address:Port                                                                Peer Address:Port 
LISTEN      0      128                                                                     127.0.0.1:1024                                                                           *:*     
LISTEN      0      128                                                                           ::1:1024                                                                          :::*     
LISTEN      0      128                                                                            :::33959                                                                         :::*     
LISTEN      0      128                                                                            :::111                                                                           :::*     
LISTEN      0      128                                                                             *:111                                                                            *:*     
LISTEN      0      128                                                                            :::22                                                                            :::*     
LISTEN      0      128                                                                             *:22                                                                             *:*     
LISTEN      0      128                                                                     127.0.0.1:631                                                                            *:*     
LISTEN      0      128                                                                           ::1:631                                                                           :::*     
LISTEN      0      100                                                                           ::1:25                                                                            :::*     
LISTEN      0      100                                                                     127.0.0.1:25                                                                             *:*     
LISTEN      0      128                                                                             *:44351                                                                          *:*     
[root@CentOS6 ~]# telnet 127.0.0.1 1024   #使用telney访问本地的1024端口
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.

Kernel 3.10.0-862.el7.x86_64 on an x86_64
CentOS7 login: jiangbowen
Password: 
Last login: Fri May 25 00:54:56 from ::ffff:192.168.30.74
[jiangbowen@CentOS7 ~]$    #连接成功

转发过程:data<->sshsrv:1024<->sshsrv:22<->localhost:XXXXX<->localhost:YYYYY<->telnetsrv:23



评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值