第5章 远程访问及控制

终端

终端：接受用户的指令

• TTY终端
• 虚拟终端：
  • ssh：22，可以把通信双发的信息加密
  • telnet：23，不加密

解释器：shell

OpenSSH服务器

• SSH（Secure Shell）协议

  • 安全外壳协议
  • 是一种安全通道协议
  • 对通信数据进行了加密处理，用于远程管理

• OpenSSH

  • 服务名称：sshd
  • 服务端主程序：/usr/sbin/sshd
  • 服务端配置文件：/etc/ssh/sshd_config

• 服务监听选项

  • 端口号、协议版本、监听IP地址
    • 一切网络程序都有对应的端口号
  • 禁用反向解析

[root@localhost ~]# vim /etc/ssh/sshd config
Port 22                        //监听端口为 22
ListenAddress 172.16.16.22    //监听地址为172.16.16.22
Protocol 2                    //使用 SSH V2 协议
......                        //省略部分内容
UseDNS no                       //禁用 DNS 反向解析

构建密钥对验证的SSH体系

在客户端创建密钥对

[zhangsan@localhost ~]$ ssh-keygen -t ecdsa
Generating public/private ecdsa key pair.
Enter file in which to save the key (/home/zhangsan/.ssh/id ecdsa):    
                                                                //指定私钥位置
Created directory 'home/zhangsan/.ssh'
Enter passphrase (empty for no passphrase):            //设置私钥短语
Enter same passphrase again:    //确认所设置的短语
Your identification has been saved in /home/zhangsan/.ssh/id ecdsa.
Your public key has been saved in /home/zhangsan/.ssh/id ecdsa.pub
The key fingerprint is:        //省略部分内容
[zhangsan@localhost ~]$ ls -lh ~/.ssh/id ecdsa*    //确认生成的密钥文件
-mw-1 zhangsan zhangsan 227 8月14 19:45 /home/zhangsan.ssh/id ecdsa
-rw-r--r--1 zhangsan zhangsan 1928月 1419:45 /home/zhangsan/.ssh/id ecdsa.pub

将公钥文件上传至服务器

[zhangsan@localhost ~]$ scp ~.ssh/id ecdsa.pub root@172.16.16.22:/tmp
[root@localhost ~]# mkdir /home/lisi/.ssh/
[root@localhost ~]# cat /tmp/id ecdsa.pub >>/home/lisi/.sshauthorized keys
[root@localhost ~]# tail -1 /home/lisil.ssh/authorized keys
ecdsa-sha2-nistp256
AAAAE2ViZHNhLXNOYTItbmIzdHAyNTYAAAAIbmIzdHAYNTYAAABBBLJSnBhscYBfnnHxSYAJEBD4SNKTLMF7itCFGM33RdeXU89QNQKMnCrCJHZAIZURrzDXG6Mp62mz9aRXUnARk8s
zhangsan@localhost

在客户端使用密钥验证

[zhangsan@localhost ~]$ ssh lisi@192.168.10.101
[lisi@localhost ~]$ whoami
lisi    //成功登录服务器
[zhangsan@locahost ~]$ ssh-copy-id -i~/.ssh/id_ecdsa.pub lisi@192.168.10.101
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter
out any that are already installed/bin/ssh-copy-id: lNFO: 1 key(s) remain to be installed -- if you are
prompted now it is to install the new keys
lisi@192.168.10.101's password:            //输入 lisi 的密码
Number of key(s) added: 1
Now try logging into the machine, with:"ssh 'lisi@192.168.10.101'"
\and check to make sure that only the key(s) you wanted were added.