SSH remote access and control
1. SSH remote management
1.1 Overview
SSH is a secure channel protocol
Main functions: remote login to a character (text-mode) interface, and remote copying
SSH encrypts the data exchanged between the two communicating parties, including the user's password, so it offers good security
1.2 SSH configuration files
ssh_config: configuration file for the client
sshd_config: configuration file for the server (the one that is modified most often)
1.3 Structure of SSH
(1) Transport layer protocol: ssh-trans
Role: server authentication; provides encryption; verifies data integrity; data compression
Normally runs over a TCP/IP connection, but may also be used over other reliable data streams
(2) User authentication protocol: ssh-userauth
Provides the server with a way to authenticate the client user
Runs on top of ssh-trans
Role: starts user authentication and receives the session identifier from the lower-layer protocol; verifies ownership of the private key
(3) Connection protocol: ssh-connect
Multiplexes the encrypted tunnel into multiple logical channels
Runs on top of user authentication; provides interactive login sessions, remote command execution, and forwarding of TCP/IP connections
2. Experiments
Experiment 1: remote login
[root@localhost /]# vim /etc/ssh/sshd_config
[root@localhost /]# systemctl restart sshd
Switch to VM 2
[root@localhost ~]# ssh -p 10022 root@192.168.147.100 //-p specifies the port number
root@192.168.147.100's password: //enter the password of the root user on VM 1
Last login: Wed May 24 10:56:56 2023 from 192.168.147.1 //login succeeded
Experiment 2: remote copy
2.1 Copying a file
VM 2:
[root@localhost ~]# cd /opt/
[root@localhost opt]# touch 123.txt
[root@localhost opt]# ls
123.txt backup rh
VM 1:
[root@localhost ~]# cd /
[root@localhost /]# scp root@192.168.147.101:/opt/123.txt /opt/
root@192.168.147.101's password:
123.txt 100% 0 0.0KB/s 00:00
[root@localhost /]# cd opt/
[root@localhost opt]# ls
123.txt rh
2.2 Copying a directory
VM 1
[root@localhost opt]# ls
123.txt rh
[root@localhost opt]# mkdir aa
[root@localhost opt]# cd aa/
[root@localhost aa]# touch jkl.txt
[root@localhost aa]# ls
jkl.txt
[root@localhost aa]# echo 7458 > jkl.txt
VM 2
[root@localhost /]# scp -rP 10022 root@192.168.147.100:/opt/aa /opt/ ##-r: copy a directory recursively  -P: specify the port number
root@192.168.147.100's password:
jkl.txt 100% 5 7.2KB/s 00:00
3. sftp
3.1 Overview of sftp
Uses encryption and is built on SSH; its transfer efficiency is lower than FTP's, but its security is higher. The command syntax is the same as FTP's
3.2 Experiment
VM 2
[root@localhost opt]# sftp -P 10022 root@192.168.147.100
root@192.168.147.100's password:
Connected to 192.168.147.100.
sftp> pwd
Remote working directory: /root
sftp> cd /opt
sftp> pwd
Remote working directory: /opt
sftp> get abcd ##download the file abcd from the opt directory on VM 1
Fetching /opt/abcd to abcd
/opt/abcd 100% 5 2.4KB/s 00:00
sftp> put qwer ##upload the file qwer from the opt directory on VM 2
Uploading qwer to /opt/qwer
qwer 100% 4 2.6KB/s 00:00
sftp> exit
[root@localhost opt]# ls
123.txt aa abcd backup qwer rh
VM 1
[root@localhost opt]# ls
123.txt aa abcd qwer rh
4. Restricting user logins
[root@localhost /]# vim /etc/ssh/sshd_config
AllowUsers username    (username@IP restricts that user to logging in only from the given host)
DenyUsers username
:wq!
[root@localhost /]# systemctl restart sshd
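Both sshd_config edits in these notes (the port change in experiment 1 and the AllowUsers/DenyUsers lines above) are made by hand in vim, and a mistake only shows up after `systemctl restart sshd`, possibly as a locked-out admin. The script below is an added example, not part of the original notes: it applies a directive to a scratch copy of the file so that the key appears exactly once (sshd honours the first occurrence, so a leftover duplicate silently wins), and then evaluates which user@address combinations the resulting AllowUsers/DenyUsers lines would accept, following sshd's rule that a DenyUsers match refuses the login before AllowUsers is consulted. The sample config contents, the user names zhangsan and lisi, and the client addresses are constructed; Match blocks and AllowGroups/DenyGroups are not modeled, and the live /etc/ssh/sshd_config is never touched.

```sh
#!/bin/sh
# Added example (not from the original notes): edit sshd_config directives on a
# scratch copy and evaluate AllowUsers/DenyUsers before restarting sshd.
# Assumptions: POSIX sh and awk; the file path is passed in, so this runs
# against a copy rather than the live /etc/ssh/sshd_config. Match blocks and
# AllowGroups/DenyGroups are not modeled.

# sshd_set_directive FILE KEY VALUE
# Replace the first KEY line (commented out or not, case-insensitive like sshd),
# drop later duplicates, or append KEY if absent: the directive ends up exactly once.
sshd_set_directive() {
    awk -v k="$2" -v v="$3" '
        BEGIN { pat = "^[ \t]*#?[ \t]*" tolower(k) "([ \t]|$)" }
        tolower($0) ~ pat { if (!seen) { print k " " v; seen = 1 }; next }
        { print }
        END { if (!seen) print k " " v }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# sshd_get_directive FILE KEY -> the effective value (first uncommented occurrence)
sshd_get_directive() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == k { v = $0; sub(/^[ \t]*[^ \t]+[ \t]+/, "", v); print v; exit }
    ' "$1"
}

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# sshd_user_allowed FILE USER CLIENT_ADDR -> 0 if the login would be accepted, 1 if refused
# Any DenyUsers match refuses the login. Otherwise, if at least one AllowUsers line
# exists, USER must match one of its patterns. Patterns are USER or USER@HOST and may
# use * and ? wildcards; the shell's own case globbing does the matching.
sshd_user_allowed() {
    file=$1; user=$2; addr=$3
    have_allow=0; allowed=0; denied=0
    while read -r key pats; do
        key=$(lc "$key")
        case "$key" in
            allowusers) have_allow=1 ;;
            denyusers) ;;
            *) continue ;;           # comments, blanks and other directives
        esac
        for pat in $pats; do
            case "$pat" in
                *@*) pu=${pat%%@*}; ph=${pat#*@} ;;
                *)   pu=$pat; ph='*' ;;
            esac
            umatch=0; hmatch=0
            case "$user" in $pu) umatch=1 ;; esac
            case "$addr" in $ph) hmatch=1 ;; esac
            if [ "$umatch" -eq 1 ] && [ "$hmatch" -eq 1 ]; then
                if [ "$key" = denyusers ]; then denied=1; else allowed=1; fi
            fi
        done
    done < "$file"
    [ "$denied" -eq 0 ] || return 1
    [ "$have_allow" -eq 0 ] && return 0
    [ "$allowed" -eq 1 ]
}

# Constructed sample resembling a stock sshd_config; not copied from any host.
make_sample_config() {
    cat > "$1" <<'EOF'
#Port 22
#PermitRootLogin yes
PasswordAuthentication yes
EOF
}

demo() {
    f=$(mktemp)
    make_sample_config "$f"
    sshd_set_directive "$f" Port 10022                     # the experiment 1 change
    sshd_set_directive "$f" AllowUsers "root@192.168.147.101 zhangsan"
    sshd_set_directive "$f" DenyUsers "zhangsan@192.168.147.1"
    cat "$f"
    for who in root@192.168.147.101 root@192.168.147.1 zhangsan@10.0.0.5 \
               zhangsan@192.168.147.1 lisi@10.0.0.5; do
        if sshd_user_allowed "$f" "${who%%@*}" "${who#*@}"; then
            echo "allow $who"
        else
            echo "deny  $who"
        fi
    done
    rm -f "$f"
}
demo
```

Run it before the restart: if the account you are logged in with would be refused from your own address, fix the directive first, and keep the existing session open until a second login has succeeded.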
5. Passwordless login
5.1 Procedure
- Create a key pair
- Upload the public key file
- Import the public key
- Authenticate with the key pair
5.2 Key types
rsa, ecdsa, dsa
5.3 Two forms of keys
Symmetric keys, asymmetric keys
5.4 Two authentication methods
Login with the user account's password; login with a key
5.5 RSA passwordless login
[root@localhost ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:7GaCEiKeooUERamzK4Gy1Dg/rRAveMhj/vx30veDs4U root@localhost.localdomain
The key's randomart image is:
+---[RSA 2048]----+
| .o. |
| .. |
|.. |
|+ . |
|+=+ S |
|@B+o . . . |
|B%*.o . = E.. |
|Oo=+ . * o +.. |
|o..++.. o ..+.. |
+----[SHA256]-----+
[root@localhost ~]# cd .ssh
[root@localhost .ssh]# ls
id_rsa id_rsa.pub known_hosts
[root@localhost .ssh]# ssh-copy-id -i id_rsa.pub root@192.168.147.101
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.147.101's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@192.168.147.101'"
and check to make sure that only the key(s) you wanted were added.
[root@localhost .ssh]# ssh-agent bash
[root@localhost .ssh]# ssh-add
Enter passphrase for /root/.ssh/id_rsa:
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
[root@localhost .ssh]# ssh root@192.168.147.101 //no password was requested; the experiment succeeded
Last login: Thu May 25 00:02:54 2023 from 192.168.147.1
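ssh-copy-id ends with the advice to log in and "check to make sure that only the key(s) you wanted were added"; the two most common reasons the key login in 5.5 still prompts for a password are file permissions (sshd with StrictModes, the default, ignores authorized_keys when ~/.ssh or the file itself is writable by group or others, and the ssh client refuses a private key that other users can read) and stray entries in authorized_keys. The script below is an added example, not part of the original notes: it audits those permissions and lists every entry in authorized_keys by key type, flagging options such as from= restrictions and any line that is not a key at all. It assumes POSIX sh and awk and the usual "drwx------" mode column from ls -l; the key blobs in the sample file are constructed placeholders, not real public keys.

```sh
#!/bin/sh
# Added example (not from the original notes): audit the files key-based login
# depends on and list what ended up in authorized_keys.
# Assumptions: POSIX sh and awk; "ls -l" prints the usual "drwx------" mode
# column. Sample keys below are constructed placeholders, not real keys.

# go_bits PATH -> the six group/other permission characters, e.g. "------"
go_bits() { ls -ld "$1" | cut -c5-10; }

# Succeed when PATH is not writable by group or others (sshd's StrictModes rule)
not_go_writable() {
    case "$(go_bits "$1")" in *w*) return 1 ;; esac
    return 0
}

# Succeed when PATH has no group/other bits at all (what ssh requires of a private key)
private_file() {
    case "$(go_bits "$1")" in ------) return 0 ;; esac
    return 1
}

# audit_ssh_dir DIR: print one line per finding; return the number of findings (0 = clean)
audit_ssh_dir() {
    n=0
    not_go_writable "$1" || { echo "FAIL: $1 is group/world writable (StrictModes rejects key login)"; n=$((n+1)); }
    if [ -f "$1/authorized_keys" ]; then
        not_go_writable "$1/authorized_keys" || { echo "FAIL: $1/authorized_keys is group/world writable"; n=$((n+1)); }
    fi
    for k in "$1"/id_*; do
        case "$k" in *.pub) continue ;; esac      # public halves may be world-readable
        [ -f "$k" ] || continue
        private_file "$k" || { echo "FAIL: private key $k is readable by others (ssh refuses it)"; n=$((n+1)); }
    done
    return "$n"
}

# list_authorized_keys FILE: one line per entry, "ok TYPE [restricted] COMMENT" for a
# recognised key (an options field such as from="..." may precede the type),
# "bad <line>" for anything else; blank lines and # comments are skipped.
list_authorized_keys() {
    awk '
        function is_type(t) {
            return t ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-[a-z0-9@.-]+)$/
        }
        /^[ \t]*(#|$)/ { next }
        {
            i = is_type($1) ? 1 : 2        # field 1 is the key type or an options list
            if (is_type($i) && $(i+1) ~ /^AAAA/)
                print "ok " $i (i == 2 ? " restricted" : "") " " $(i+2)
            else
                print "bad " $0
        }
    ' "$1"
}

# count_authorized_keys FILE -> number of recognised key lines
count_authorized_keys() { list_authorized_keys "$1" | awk '/^ok / { c++ } END { print c + 0 }'; }

# Constructed sample authorized_keys: placeholder key blobs, not real public keys
write_sample_authorized_keys() {
    cat > "$1" <<'EOF'
# keys installed by ssh-copy-id (constructed sample)
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructed root@localhost.localdomain
from="192.168.147.101" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructed backup@vm2
this line is not a key and should be removed
EOF
}

demo() {
    d=$(mktemp -d)
    write_sample_authorized_keys "$d/authorized_keys"
    chmod 700 "$d"; chmod 600 "$d/authorized_keys"
    list_authorized_keys "$d/authorized_keys"
    echo "recognised keys: $(count_authorized_keys "$d/authorized_keys")"
    chmod 770 "$d"                               # simulate a common mistake
    audit_ssh_dir "$d" || echo "findings: $?"
    rm -rf "$d"
}
demo
```

Point audit_ssh_dir at the real ~/.ssh of the account you copied the key to; a non-zero return means sshd or ssh will fall back to the password prompt, and any "bad" line from list_authorized_keys is an entry that neither ssh-copy-id nor you intended.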