I. Theoretical concepts
1. OPENSSH concept
OpenSSH is a free, open-source implementation of the SSH (Secure Shell) protocol. The SSH protocol family can be used for remote control, or to transfer files between computers. The traditional ways of doing this, such as telnet, rcp, ftp, rlogin and rsh, are extremely insecure and transmit passwords in plaintext. OpenSSH provides a server daemon and client tools that encrypt the data exchanged during remote control and file transfer, and thereby replace those older services. OpenSSH is currently a subproject of OpenBSD.
2. How OPENSSH works
- The server starts the SSH service and listens for client requests on port 22
- The client sends a request; if this is the first connection to the server, the server sends the client an RSA key
- After receiving the server's RSA key, the client uses the encryption algorithm negotiated with the server to generate a session key (this session key is used to encrypt the session between client and server), encrypts the session key with the RSA key, and sends it to the server
- The server decrypts the encrypted session key with the corresponding private key, then encrypts a confirmation message with the session key and sends it to the client. The client decrypts the confirmation with the session key; at this point the key exchange has succeeded and the server has been authenticated
3. OPENSSH protocol
SSH is a protocol standard whose purpose is secure remote login and other secure network services.
SSH1 protocol: a single protocol provides key exchange, authentication and encryption
SSH2 protocol:
- Transport layer protocol (mainly provides key exchange and server authentication)
- Authentication protocol (mainly provides authentication of the client user to the server)
- Connection protocol (mainly provides remote command execution)
4. OPENSSH port: TCP 22
5. Common OPENSSH client tools
SecureCRT
Xshell
Xmanager
MobaXterm
6. DROPBEAR
Dropbear is a relatively small SSH server and client. It is another open-source implementation of the SSH protocol.
Like OpenSSH, it implements a complete SSH version 2 client and server.
It does not support SSH version 1, to save space and resources and to avoid the security weaknesses inherent in SSH version 1.
It supports scp.
II. OPENSSH service installation and configuration
Server IP: 192.168.192.133
Client IP: 192.168.192.223
Before configuration, every login from the server to the client requires a password
1. Disable the firewall and SELinux
[root@mail ~]# systemctl stop firewalld
[root@mail ~]# setenforce 0
2. Install the OPENSSH server
[root@mail ~]# yum install openssh-server -y
3. OPENSSH server and client configuration files
- /etc/ssh/sshd_config #server configuration file!!!
- /etc/ssh/ssh_config #client configuration file!!!
4. OPENSSH key-based authentication (only for administrator to administrator, or a single administrator to a regular user)
Server:
[root@mail ~]# cd .ssh/
[root@mail .ssh]# ls
id_rsa id_rsa.pub
[root@mail .ssh]# ssh-keygen #ordinary host
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
/root/.ssh/id_rsa already exists.
Overwrite (y/n)?
[root@mail .ssh]# ls
id_rsa id_rsa.pub
[root@mail .ssh]# cat id_rsa.pub > authorized_keys #this method is preferable when there are multiple hosts
[root@mail .ssh]# ls
authorized_keys id_rsa id_rsa.pub
[root@mail .ssh]# scp authorized_keys 192.168.192.223:/root/.ssh/ #this method is preferable when there are multiple hosts
The authenticity of host '192.168.192.223 (192.168.192.223)' can't be established.
ECDSA key fingerprint is SHA256:ZUnrgOjaa1LqFlxTcgwFQesY6GyOVXGtxZrsHtVmNdU.
ECDSA key fingerprint is MD5:3e:60:cf:7b:1d:8c:c7:45:5a:42:33:dc:43:da:4b:05.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.192.223' (ECDSA) to the list of known hosts.
root@192.168.192.223's password:
authorized_keys 100% 400 472.2KB/s 00:00
[root@mail .ssh]# ssh root@192.168.192.223
Last login: Tue Dec 4 02:32:04 2018 from 192.168.192.133
[root@c66 ~]#
#Now logging in to the administrator account on the client 192.168.192.223 no longer requires a password, but logging in from the client to the administrator account on the server still requires a password
Client:
[root@c66 ~]# ls .ssh/
authorized_keys
[root@c66 ~]# ssh root@192.168.192.133
The authenticity of host '192.168.192.133 (192.168.192.133)' can't be established.
ECDSA key fingerprint is SHA256:jsndQ04TKiKB3GM9c62DO5Cg6SjSzLo+pAyVRGNexCE.
ECDSA key fingerprint is MD5:d5:fb:ef:5c:56:28:52:6f:81:ce:8c:58:17:83:de:9b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.192.133' (ECDSA) to the list of known hosts.
root@192.168.192.133's password:
Last login: Mon Dec 3 18:22:43 2018 from 192.168.192.223
[root@mail ~]#
5. OPENSSH password-based authentication (administrator to administrator, regular user to regular user, regular user to administrator, or administrator to regular user)
Server operations:
[root@mail ~]# useradd user3
[root@mail ~]# passwd user3
Changing password for user user3.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
Client operations:
[root@c66 ~]# useradd user4
[root@c66 ~]# passwd user4
Changing password for user user4.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
Test:
[root@mail ~]# su - user3
Last login: Mon Dec 3 18:47:42 CST 2018 on pts/0
[user3@mail ~]$ ls -a
. .. .bash_history .bash_logout .bash_profile .bashrc
[user3@mail ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user3/.ssh/id_rsa):
Created directory '/home/user3/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user3/.ssh/id_rsa.
Your public key has been saved in /home/user3/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:JixBP8imSmUXmNDIrnsVSR6+p0blYRvb6G3wtIxwHxw user3@mail.cc74.com
The key's randomart image is:
+---[RSA 2048]----+
|..+ +. |
| o *oo. |
|. *=+o |
| .oo*o=.E |
|... .*oOS. |
|o. =.Oo= |
|.. o * O o |
|. . o o B |
| . . . |
+----[SHA256]-----+
[user3@mail ~]$ ls -a
. .. .bash_history .bash_logout .bash_profile .bashrc .ssh
#ssh-copy-id automatically places the public key in .ssh/authorized_keys on the server being accessed and ensures its permissions are 600
[user3@mail ~]$ ssh-copy-id user4@192.168.192.223
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/user3/.ssh/id_rsa.pub"
The authenticity of host '192.168.192.223 (192.168.192.223)' can't be established.
ECDSA key fingerprint is SHA256:ZUnrgOjaa1LqFlxTcgwFQesY6GyOVXGtxZrsHtVmNdU.
ECDSA key fingerprint is MD5:3e:60:cf:7b:1d:8c:c7:45:5a:42:33:dc:43:da:4b:05.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
user4@192.168.192.223's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'user4@192.168.192.223'"
and check to make sure that only the key(s) you wanted were added.
[user3@mail ~]$ ssh user4@192.168.192.223
[user4@c66 ~]$
[root@c66 ~]# ls -a /home/user4/
. .. .bash_logout .bash_profile .bashrc .ssh
#The remaining tests are not written out here
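As an added example (not code from the original article), the following POSIX shell script does what ssh-copy-id does in section 5: it appends the public key to authorized_keys only if it is not already there and leaves ~/.ssh at 700 and the file at 600, which is what sshd requires under StrictModes. It replaces the `cat id_rsa.pub > authorized_keys` of section 4, which overwrites every key already in the file. The key line, the temporary directory, and the function names are the example's own constructions.

```shell
#!/bin/sh
# Added example, not from the original article: install a public key into a
# user's authorized_keys the way ssh-copy-id does, appending idempotently with
# the permissions sshd's StrictModes expects (~/.ssh 700, authorized_keys 600),
# instead of `cat id_rsa.pub > authorized_keys`, which overwrites existing keys.

# key_body KEYLINE -> "<type> <base64>" without the trailing comment, so the
# same key with a different comment is still recognised as a duplicate.
# (Key lines carrying option prefixes such as from="..." are not handled.)
key_body() {
    printf '%s\n' "$1" | awk '{ print $1, $2 }'
}

# install_authorized_key KEYLINE SSH_DIR
# Returns 0 when the key was appended, 1 when it was already present.
install_authorized_key() {
    key="$1"; dir="$2"; file="$dir/authorized_keys"
    body="$(key_body "$key")"
    # umask 077 makes a new dir 700 and a new file 600, as ssh-copy-id does;
    # the chmods repair a pre-existing dir or file with looser permissions.
    ( umask 077; mkdir -p "$dir"; touch "$file" )
    chmod 700 "$dir"; chmod 600 "$file"
    if [ -s "$file" ] && awk '{ print $1, $2 }' "$file" | grep -qxF "$body"; then
        return 1
    fi
    printf '%s\n' "$key" >> "$file"
}

# count_keys SSH_DIR -> number of lines in authorized_keys
count_keys() {
    wc -l < "$1/authorized_keys" | tr -d ' '
}

# check_perms SSH_DIR -> 0 if the dir is exactly 700 and authorized_keys is
# exactly 600, the state sshd requires before it trusts the file under StrictModes.
check_perms() {
    [ -n "$(find "$1" -prune -perm 700)" ] &&
    [ -n "$(find "$1/authorized_keys" -prune -perm 600)" ]
}
# Constructed sample key line; the base64 body is a placeholder, not a real key.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0PLACEHOLDERKEYBODY user3@mail.cc74.com'
demo() {
    d="$(mktemp -d)"
    install_authorized_key "$SAMPLE_KEY" "$d/.ssh" && echo "added: $(count_keys "$d/.ssh") key(s)"
    install_authorized_key "$SAMPLE_KEY" "$d/.ssh" || echo "already present, nothing appended"
    check_perms "$d/.ssh" && echo "permissions ok"
    rm -rf "$d"
}
demo
```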