openssh

最新推荐文章于 2024-05-22 10:05:38 发布

慕霜ヾ

最新推荐文章于 2024-05-22 10:05:38 发布

阅读量3.7k

点赞数

文章标签： linux 运维

本文链接：https://blog.csdn.net/mushuangpanny/article/details/124371175

版权

openssh

文章目录

- openssh

一. 常见的远程登录

1. telnet 远程登录协议，23/TCP

检查某一个服务是否打开

[root@SYL3 ~]# telnet 192.168.232.129 22 //查看ssh
Trying 192.168.232.129...
Connected to 192.168.232.129.
Escape character is '^]'.
SSH-2.0-OpenSSH_8.0
^C
Connection closed by foreign host.
[root@SYL3 ~]#

2. dropbear 嵌入式系统专用的SSH服务器端和客户端工具

3. ssh (Secure SHell) 22/TCP

通信过程及认证过程是加密的，主机认证，用户认证过程加密
认证过程分为主机认证和用户认证

[root@SYL3 ~]# ssh root@192.168.232.129
The authenticity of host '192.168.232.129 (192.168.232.129)' can't be established.
ECDSA key fingerprint is SHA256:WlI+c2MQDTEJhLAvW//ahd5T4DlwkGIfuB3+u8cWJZY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes //主机认证 
Warning: Permanently added '192.168.232.129' (ECDSA) to the list of known hosts.
root@192.168.232.129's password:   //用户认证
Last login: Wed Apr 13 15:32:21 2022 from 192.168.232.1
[root@SYL2 ~]# exit
logout
Connection to 192.168.232.129 closed.
[root@SYL3 ~]#

数据传输过程加密

4. ssh的认证方式

口令认证 — 密码

密钥认证 — 公钥（P）和私钥（S）

[root@SYL2 ~]# cd /etc/ssh/
[root@SYL2 ssh]# ls
moduli              ssh_host_ecdsa_key.pub
ssh_config          ssh_host_ed25519_key
ssh_config.d        ssh_host_ed25519_key.pub
sshd_config         ssh_host_rsa_key  //私钥
ssh_host_ecdsa_key  ssh_host_rsa_key.pub //公钥
[root@SYL2 ssh]#

5. 工作模式 — openssh

架构 — 多台主机组成的结构
C/S架构 — C客户端 S服务端

服务器端    
//sshd，配置文件在/etc/ssh/sshd_config
客户端     
//ssh，配置文件在/etc/ssh/ssh_config
    ssh-keygen      //密钥生成器
    ssh-copy-id     //将公钥传输至远程服务器
    scp             //跨主机安全复制工具
[root@SYL2 ~]# cd /etc/ssh/
[root@SYL2 ssh]# ls
moduli              ssh_host_ecdsa_key.pub
ssh_config          ssh_host_ed25519_key
ssh_config.d        ssh_host_ed25519_key.pub
sshd_config         ssh_host_rsa_key
ssh_host_ecdsa_key  ssh_host_rsa_key.pub
[root@SYL2 ssh]#

B/S架构 — 浏览器，访问网站

6. ssh的远程登录方式

6.1 用户名相同，直接用ip地址登录

[root@SYL3 ~]# ssh 192.168.232.129
root@192.168.232.129's password: 
Last login: Wed Apr 13 15:34:37 2022 from 192.168.232.128
[root@SYL2 ~]# exit
logout
Connection to 192.168.232.129 closed.
[root@SYL3 ~]#

6.2 用户名不同，用户名+ip地址登录

[tom@SYL3 ~]$ ssh root@192.168.232.129
root@192.168.232.129's password: 
Last login: Wed Apr 13 16:09:03 2022 from 192.168.232.128
[root@SYL2 ~]#

用户名不同，直接登录不上

[root@SYL3 ~]# echo 'run123456' | passwd --stdin tom
Changing password for user tom.
passwd: all authentication tokens updated successfully.
[root@SYL3 ~]# su - tom
[tom@SYL3 ~]$ ssh 192.168.232.129
The authenticity of host '192.168.232.129 (192.168.232.129)' can't be established.
ECDSA key fingerprint is SHA256:WlI+c2MQDTEJhLAvW//ahd5T4DlwkGIfuB3+u8cWJZY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes 
Warning: Permanently added '192.168.232.129' (ECDSA) to the list of known hosts.
tom@192.168.232.129's password:

6.3 不登录进去，并且执行命令后自动退出

客户端：
[tom@SYL3 ~]$ ssh root@192.168.232.129 'echo "123456" > /tmp/abc'
root@192.168.232.129's password: 
[tom@SYL3 ~]$ 
服务端：
[root@SYL2 ~]# cat /tmp/abc 
123456
[root@SYL2 ~]#

7. 加密与解密

1.分为3种

对称加密：加密解密使用同一个密钥
公钥加密 ：也叫非对称加密。有一对密钥，公钥（P）和私钥（S）。用公钥加密，私钥解密反之亦然，公钥加密存在私钥中
公钥加密能实现加密和签名功能：

RSA ：即能实现加密，也能实现签名

DSA：只能实现签名

ELGamal：商业加密算法
单向加密：提取数据特征码，能加密不能解密，常用于做数据完整性校验
- 单向加密的特性：
  
  a) 雪崩效应（输入的微小改变，将会引起结果的巨大改变）
  - ```
  [root@SYL3 ~]# md5sum anaconda-ks.cfg 
  006220f587da6285b6b0611ee62211fb  anaconda-ks.cfg
  [root@SYL3 ~]# echo '#' >> anaconda-ks.cfg 
  [root@SYL3 ~]# md5sum anaconda-ks.cfg 
  ae1344e3f6e53ddd00133be4f013f132  anaconda-ks.cfg
```
b) 定长输出（无论原始数据是多大，结果的长度是相同的）

MD5：Message Digest，128位定长输出

SHA1：Secure Hash Algorithm，160位定长输出

c) 不可逆（无法根据特征码还原成原始数据）

7.1 ssh主机密钥

当用户第一次使用ssh连接到特定服务器时，ssh命令可在用户的_{/.ssh/known_hosts文件中存储该服务器的公钥。在此之后每当用户进行连接时，客户端都会通过对比}/.ssh/known_hosts文件中的服务器条目和服务器发送的公钥，确保从服务器获得相同的公钥。如果公钥不匹配，客户端会假定网络通信已遭劫持或服务器已被入侵，并且中断连接。
如果服务器的公钥发生更改（由于硬盘出现故障导致公钥丢失，或者出于某些正当理由替换公钥），用户则需要更新其~/.ssh/known_hosts文件并删除旧的条目才能够进行登录。
登录生成的文件的位置

[tom@SYL3 ~]$ cd .ssh/
[tom@SYL3 .ssh]$ ls
known_hosts
[tom@SYL3 .ssh]$

[tom@SYL3 ~]$ ssh root@192.168.232.129
root@192.168.232.129's password: 
Last login: Wed Apr 13 16:18:27 2022 from 192.168.232.128
[root@SYL2 ~]# exit
logout
Connection to 192.168.232.129 closed.
[tom@SYL3 ~]$ cat .ssh/known_hosts
192.168.232.129 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPSiWGhQ+/xyF44ZpZQLIL3+AikA192a77mG/Mq0KZ5ZnXxxLCiPMb62Q7dp10WdlDgyEyRLL9dvl9Rizr2pe9w=

7.2 将文件删除后在登录会重新进行主机验证和用户验证，并且会在客户端生成新文件

[tom@SYL3 .ssh]$ rm -f known_hosts 
[tom@SYL3 .ssh]$ ssh root@192.168.232.129
The authenticity of host '192.168.232.129 (192.168.232.129)' can't be established.
ECDSA key fingerprint is SHA256:WlI+c2MQDTEJhLAvW//ahd5T4DlwkGIfuB3+u8cWJZY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.232.129' (ECDSA) to the list of known hosts.
root@192.168.232.129's password: 
Last login: Wed Apr 13 17:21:44 2022 from 192.168.232.128
[root@SYL2 ~]# exit
logout
Connection to 192.168.232.129 closed.
[tom@SYL3 .ssh]$ ls
known_hosts
[tom@SYL3 .ssh]$

7.3 当前主机生成的的文件位置

[tom@SYL3 ~]$ cd .ssh/
[tom@SYL3 .ssh]$ ls
known_hosts

7.4 当前主机密钥存在服务器端的位置,后面有pub的是公钥，其他则是私钥

[root@SYL2 ~]# cd /etc/ssh/
[root@SYL2 ssh]# ls *key*
ssh_host_ecdsa_key
ssh_host_ecdsa_key.pub
ssh_host_ed25519_key
ssh_host_ed25519_key.pub
ssh_host_rsa_key
ssh_host_rsa_key.pub
[root@SYL2 ssh]#

8. 免密登录的配置

1.ssh-keygen -t rsa

2.ssh-copy-id root@192.168.232.129

3.ssh-copy-id -i /root/.ssh/id_rsa.pub root@192.168.232.129

8.1 使用ssh-keygen命令生成密码。将会生成私钥和公钥,rsa是算法 ssh-keygen -t rsa

生成密钥时，系统将提供指定密码的选项，在访问私钥时必须提供该密码。如果私钥被偷，除颁发者之外的其他任何人很难使用该私钥，因为已使用密码对其进行保护。这样，在攻击者破解并使用私钥前，会有足够的时间生成新的密钥对并删除所有涉及旧密钥的内容。

[mushuang@SYL3 ~]$ ssh-keygen -t rsa//用rsa算法生成
Generating public/private rsa key pair.
Enter file in which to save the key (/home/mushuang/.ssh/id_rsa): //默认生成的位置
Created directory '/home/mushuang/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/mushuang/.ssh/id_rsa.
Your public key has been saved in /home/mushuang/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:svIaGgTu1UN3p/ReXPgUc5lUcaprCT8B3HM9kXu9blc mushuang@SYL3
The key's randomart image is:
+---[RSA 3072]----+
|              .*X|
|         . .  .**|
|.    . . oo.o.o++|
|..  o . o +..++.+|
| ... o. S...oo .o|
|...   .o  .o.+ .E|
| .. o .    .* . .|
|   o +     . . o.|
|  . ...       . .|
+----[SHA256]-----+
[mushuang@SYL3 ~]$ 
[mushuang@SYL3 ~]$

8.2 生成`ssh` 的密钥后，密钥将默认存储在家目录下的`.ssh/`目录中。在什么用户下生成的密钥就会默认保存在该用户下的家目录下，私钥和公钥的权限就分别为`600`和`644`。`.ssh`目录权限必须是`700`。

生成的密钥的位置

[mushuang@SYL3 ~]$ ls .ssh/
id_rsa  id_rsa.pub
[mushuang@SYL3 ~]$

私钥（600）和公钥（644）的权限，目录（700）

[mushuang@SYL3 ~]$ ll .ssh/
total 8
-rw-------. 1 mushuang mushuang 2602 Apr 13 17:55 id_rsa  //私钥600
-rw-r--r--. 1 mushuang mushuang  567 Apr 13 17:55 id_rsa.pub //公钥644
[mushuang@SYL3 ~]$ 
[mushuang@SYL3 ~]$ ll -a .
total 16
drwx------. 2 mushuang mushuang  38 Apr 13 17:55 .ssh  //目录700
[mushuang@SYL3 ~]$

8.3 在可以使用基于密钥的身份验证前，需要将公钥复制到目标系统上。ssh-copy-id 用户名@IP地址

8.3.1 通过`ssh-copy-id`将密钥复制到另一系统时，它默认复制 `~/.ssh/id_rsa.pub` 文件

将客户端生成的密钥复制到服务器中

[mushuang@SYL3 ~]$ ssh-copy-id root@192.168.232.129
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/mushuang/.ssh/id_rsa.pub"
The authenticity of host '192.168.232.129 (192.168.232.129)' can't be established.
ECDSA key fingerprint is SHA256:WlI+c2MQDTEJhLAvW//ahd5T4DlwkGIfuB3+u8cWJZY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.232.129's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@192.168.232.129'"
and check to make sure that only the key(s) you wanted were added.

[mushuang@SYL3 ~]$

服务端权限

[mushuang@SYL3 ~]$ ll .ssh/
total 8
-rw-r--r--. 1 mushuang mushuang  567 Apr 13 17:55 id_rsa.pub //公钥644

[root@SYL2 ~]# ls .ssh
authorized_keys
[root@SYL2 ~]# ll .ssh
total 4
-rw-------. 1 root root 567 Apr 13 18:19 authorized_keys  //600

复制的文件是主机的公钥,公钥（644）发送到服务器的权限变为（600）

[root@SYL2 .ssh]# cat authorized_keys 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDoBmpK2/kHrOgTJzG7B6M4U4ZELV54Qge/lid0zdTcxRyOzLzyP++hwcpCTNt/sheDnNrK4YQTPTwLtbkRKIlM6bFbqUKmFHHUjsCIxi7DFqKV6J1XH7rDF+cO5EXEqEcBMYZ0ku0jj0XRp3GOgOBcidvAtIEoeJqcOZG+XIv72usTRKolNDHp5q9h4SL/9h8Ib2Ie9LX/z/MPA7whjFvogDBI3c8qKeF65/MVaBqHSS8PV04jUh168zu+ASp0W/8EZUspOj3YhuybTz5CYugOTAN2D4iFmheB23IsDbstYhByJ//8BcQIjcTyntGeCQDYG7wAThT0LD2OV7+0xlzGaz3YUMDTJHIyDWDgIWxpceNmd0y9oJzE8IvGiR+RSjNYLNgg+wygdEhEMk+K1WEtG+KbYpZV8HfySGy8Lv+VwfgV7aoxS/3Lc7owx962F5vovsUKIYKaXt0Zk0U3lJUYjE6a+RMo26LTqE/yeebjs0QTFJx2iIQNa14vAoDHoHU= mushuang@SYL3
[root@SYL2 .ssh]#

[mushuang@SYL3 .ssh]$ ls
id_rsa  id_rsa.pub  known_hosts
[mushuang@SYL3 .ssh]$ cat id_rsa.pub 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDoBmpK2/kHrOgTJzG7B6M4U4ZELV54Qge/lid0zdTcxRyOzLzyP++hwcpCTNt/sheDnNrK4YQTPTwLtbkRKIlM6bFbqUKmFHHUjsCIxi7DFqKV6J1XH7rDF+cO5EXEqEcBMYZ0ku0jj0XRp3GOgOBcidvAtIEoeJqcOZG+XIv72usTRKolNDHp5q9h4SL/9h8Ib2Ie9LX/z/MPA7whjFvogDBI3c8qKeF65/MVaBqHSS8PV04jUh168zu+ASp0W/8EZUspOj3YhuybTz5CYugOTAN2D4iFmheB23IsDbstYhByJ//8BcQIjcTyntGeCQDYG7wAThT0LD2OV7+0xlzGaz3YUMDTJHIyDWDgIWxpceNmd0y9oJzE8IvGiR+RSjNYLNgg+wygdEhEMk+K1WEtG+KbYpZV8HfySGy8Lv+VwfgV7aoxS/3Lc7owx962F5vovsUKIYKaXt0Zk0U3lJUYjE6a+RMo26LTqE/yeebjs0QTFJx2iIQNa14vAoDHoHU= mushuang@SYL3
[mushuang@SYL3 .ssh]$

登录不用输入密码

[mushuang@SYL3 ~]$ ssh root@192.168.232.129
Last login: Wed Apr 13 17:28:42 2022 from 192.168.232.128
[root@SYL2 ~]#

8.4 scp 复制

scp命令常用选项
    -r      //递归复制
    -p      //保持权限
    -P      //端口
    -q      //静默模式
    -a      //全部复制

使用 scp 命令传送文件到远程主机

[root@SYL3 ~]# scp anaconda-ks.cfg root@192.168.232.129:.
anaconda-ks.c 100% 1095   635.1KB/s   00:00    
[root@SYL3 ~]# 

[root@SYL2 ~]# ls
abc  anaconda-ks.cfg
[root@SYL2 ~]#

使用 scp 命令从远程主机上下载文件到本地

[root@SYL3 ~]# scp root@192.168.232.129:/root/anaconda-ks.cfg /tmp/
anaconda-ks.c 100% 1095   896.7KB/s   00:00    
[root@SYL3 ~]# ls /tmp/
abc
anaconda-ks.cfg

9. 自定义 SSH 服务配置

虽然OpenSSH服务器通常无需修改，但会提供其他安全措施，可以在配置文件/etc/ssh/sshd_config中修改OpenSSH服务器的各个方面。

是否允许root用户远程登录系统— PermitRootLogin {yes|no}

[root@SYL2 ~]# vi /etc/ssh/sshd_config 
[root@SYL2 ~]# cat /etc/ssh/sshd_config | grep PermitRootLogin
PermitRootLogin no  //不允许root账户登录
# the setting of "PermitRootLogin without-password".
[root@SYL2 ~]# systemctl restart sshd //重启sshd服务
[root@SYL2 ~]# 

[root@SYL3 ~]# ssh root@192.168.232.129
root@192.168.232.129's password: 
Permission denied, please try again.//拒绝登录

在服务器端创建一个普通用户，并设置密码
[root@SYL2 ~]# useradd mushuang
[root@SYL2 ~]# echo 'run123456'|passwd --stdin mushuang
Changing password for user mushuang.
passwd: all authentication tokens updated successfully.
[root@SYL2 ~]# 

回到客户端
[root@SYL3 ~]# ssh mushuang@192.168.232.129    //用普通用户登录 
mushuang@192.168.232.129's password: 
Permission denied, please try again.
mushuang@192.168.232.129's password: 
Last failed login: Wed Apr 13 20:13:03 CST 2022 from 192.168.232.128 on ssh:notty
There were 10 failed login attempts since the last successful login.
[mushuang@SYL2 ~]$ su -              //切换家目录
Password: 
Last login: Wed Apr 13 20:08:36 CST 2022 from 192.168.232.128 on pts/1
Last failed login: Wed Apr 13 20:12:21 CST 2022 from 192.168.232.128 on ssh:notty
There was 1 failed login attempt since the last successful login.
[root@SYL2 ~]#                 //登录成功

仅允许root用户基于密钥方式远程登录 — PermitRootLogin without-password
是否启用密码身份验证，默认开启 — PasswordAuthentication {yes|no}

10. SSH 安全注意事项

密码应该经常换且足够复杂

[root@SYL3 ~]# tr -dc A-Za-z0-9_ < /dev/urandom | head -c 30 |xargs 生成30位随机密码
b7PcVc1k3g_b4TZXjWji2SdkgGszGI
[root@SYL3 ~]# tr -dc A-Za-z0-9_ < /dev/urandom | head -c 30 |xargs 
sPNyMTE4s0JIltp7XSWDrjgqwoAVVf
[root@SYL3 ~]# tr -dc A-Za-z0-9_ < /dev/urandom | head -c 20 |xargs //生成20位随机密码
xgJsjDHGeu67HSF8Ed3H
[root@SYL3 ~]# tr -dc A-Z0-9_ < /dev/urandom | head -c 10 |xargs 
M36U2HWXLQ
[root@SYL3 ~]# 
[root@localhost ~]# openssl rand 20 -base64
Di9ry+dyV40xVvBHirsc3XpBOzg=    //生成20位随机密码

使用非默认端口，将默认端口号关闭，要把防火墙关闭
限制登录客户端地址
仅监听特定的IP地址
禁止管理员直接登录
仅允许有限制用户登录
- AllowUsers
- AllowGroups
使用基于密钥的认证
禁止使用空密码
禁止使用SSHv1版本

设定空闲会话超时时长

[root@SYL3 ~]# vi /etc/profile
将export TMOUT=120写入/etc/profile
然后source
source 命令：常用于重新执行刚修改的初始化文件

利用防火墙设置ssh访问策略
限制ssh的访问频度和并发在线数
做好日志的备份，经常分析（集中于某台服务器）

二. 作业

1.说明密钥认证的过程

1.客户机向服务端发送登录请求
2.服务器收到请求将自己的公钥发送给客户机
3.客户机使用私钥解密验证后发送服务器
4.两者验证通过后，通过登录

2.手动配置密钥认证登录

1.在客户端生成密钥

1.ssh-keygen -t rsa

2.将生成的密钥复制到服务器端，需要指定的加-i

2.ssh-copy-id root@192.168.232.129

2.ssh-copy-id -i /root/.ssh/id_rsa.pub root@192.168.232.129

2.1 手动配置过程

在客户端生成密钥

[root@SYL3 ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:tXrhhC46klUNJ98fUeARpAUSBI2l6rMyGxDjBiCkuP4 root@SYL3
The key's randomart image is:
+---[RSA 3072]----+
|+.    .*=..o*+.  |
|=     +.o. +..   |
|*     .* .o ..   |
|o+   .. oo...    |
|oo  ..  S +. .   |
|o. ..  . + ..    |
| ..oo . o o      |
|  *..+ . .       |
|  .Eo.           |
+----[SHA256]-----+

将生成的密钥复制到服务器端

[root@SYL3 ~]# ssh-copy-id root@192.168.232.129
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.232.129 (192.168.232.129)' can't be established.
ECDSA key fingerprint is SHA256:WlI+c2MQDTEJhLAvW//ahd5T4DlwkGIfuB3+u8cWJZY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.232.129's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@192.168.232.129'"
and check to make sure that only the key(s) you wanted were added.

在服务器端查看复制的密钥

[root@SYL2 ~]# cd .ssh/
[root@SYL2 .ssh]# ls
authorized_keys  id_rsa.pub
[root@SYL2 .ssh]# cat authorized_keys 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCVWPdudaHnGbRv3dDhbyX/2QPlIqdozBe/EvpJqMoxAgVPvy0W+2gQl8wlWOqwfjq0SXJ7LYQXHDIzz2DsPCQly1bJkEAEBoAcDTnDt+KwudmrtyEEb0t2GJEsiQ9zM2bj6B75/lgto65arD6DN8bnOy8x4RAfwTqiCMb9JJfmmmcbH/ttN3OqOW1oZvwr0Ja/U8GEgmO6KBmNojgsM2Z6c3QcXtwDuUzGhZo2j7i0cuYcr81ipNoQQdHRZ6SlFNfhricXOaIciAk/vfvwQuZu1nZbu3iavpMZ2XG2CSUJTpP45syxxyYeRLtz3jSaqSwS2Dl+bnKtTi7LC9vMWCPUGaSquBqN+5OdMIonhnojIJ3QPr328Z+TNXI4mHTsskW//5uqYrwL2+W1OC2xMcmeaCumjGqgoE1lETNyGdm3W8hWw46XjBhMG9USonrWBcL+a6Tm4DPGG1Rr6o8crMANfKQKGEMesvxzANd46wDYN5uvK5FDDKcWkRZYkQitro0= root@SYL3
[root@SYL2 .ssh]#

客户端免密成功登录

[root@SYL3 ~]# ssh 192.168.232.129
Last login: Thu Apr 14 16:42:09 2022 from 192.168.232.128
[root@SYL2 ~]#

3. scp命令免密登录

1.先在客户端（128）生成密钥，ssh-keygen -t rsa
2.在客户端（128）使用 scp 将生成的公钥发送到主机（129）
scp /home/mushuang/.ssh/id_rsa.pub root@192.168.232.129:/.ssh
3.在服务器端创建公钥发送的目录位置，并创建文件
mkdir /.ssh
touch /root/.ssh/authorized_keys
4.修改权限600
chmod 600 /root/.ssh/authorized_keys
5.把客户端发送的公钥追加到你所创建的文件
cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys
6.回到主机登录

3.1 scp命令配置过程

先在客户端（128）生成密钥

[mushuang@SYL3 ~]$ ssh-keygen -t rsa    //用rsa算法生成密钥
Generating public/private rsa key pair.
Enter file in which to save the key (/home/mushuang/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/mushuang/.ssh/id_rsa.
Your public key has been saved in /home/mushuang/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:66TgqDm8T2sUeY56Q86THiMgKxAZu5NvwcEANdN7dY4 mushuang@SYL3
The key's randomart image is:
生成rsa公私钥对。  
输入保存密钥的文件(/home/mushuang/.ssh/id_rsa):  
输入passphrase(为空表示没有passphrase):  
再次输入相同的密码:  
您的身份已经保存在/home/mushuang/.ssh/id_rsa。  
您的公钥保存在/home/mushuang/.ssh/id_rsa.pub目录下。  
密钥指纹为:  
SHA256:66TgqDm8T2sUeY56Q86THiMgKxAZu5NvwcEANdN7dY4 mushuang@SYL3  
钥匙的随机图像是:  
+---[RSA 3072]----+
|=.+.             |
| * o.   . .      |
|+ o .. . +       |
| = +... E .      |
|B o =.  S        |
|++ = .   .       |
|+.O+o   o        |
|o=o@+. +         |
|o+B++ . .        |
+----[SHA256]-----+

在客户端（128）使用 scp 将生成的公钥发送到主机（129）

[mushuang@SYL3 ~]$ scp /home/mushuang/.ssh/id_rsa.pub root@192.168.232.129:/root/.ssh/
The authenticity of host '192.168.232.129 (192.168.232.129)' can't be established.
ECDSA key fingerprint is SHA256:WlI+c2MQDTEJhLAvW//ahd5T4DlwkGIfuB3+u8cWJZY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.232.129' (ECDSA) to the list of known hosts.
无法建立主机“192.168.232.129(192.168.232.129)”的真实性。  
ECDSA密钥指纹是SHA256:WlI+c2MQDTEJhLAvW//ahd5T4DlwkGIfuB3+u8cWJZY。  
您确定要继续连接(yes/no/[fingerprint])吗? 是的  
警告:已将'192.168.232.129' (ECDSA)添加到已知主机列表中。
root@192.168.232.129's password: 
id_rsa.pub                           100%  567   236.6KB/s   00:00

在服务器端创建公钥发送的目录位置，并创建文件,并修改公钥权限为600，目录权限为700

[root@SYL2 ~]# mkdir /.ssh
[root@SYL2 ~]# touch /root/.ssh/authorized_keys
[root@SYL2 ~]# ll -a 
total 40
dr-xr-x---.  4 root root  171 Apr 14 15:39 .
drwx------.  2 root root   47 Apr 14 16:17 .ssh   //为700权限
-rw-r--r--.  1 root root  129 May 11  2019 .tcshrc
-rw-------.  1 root root  532 Apr  7 14:49 .viminfo
[root@SYL2 ~]# ll /root/.ssh/
total 4
-rw-r--r--. 1 root root   0 Apr 14 16:17 authorized_keys
-rw-r--r--. 1 root root 567 Apr 14 16:16 id_rsa.pub
[root@SYL2 ~]# chmod 600 /root/.ssh/authorized_keys //修改权限为600
[root@SYL2 ~]# ll /root/.ssh/
total 4
-rw-------. 1 root root   0 Apr 14 16:17 authorized_keys   //600
-rw-r--r--. 1 root root 567 Apr 14 16:16 id_rsa.pub        //发送过来的公钥权限为644

将客户端发送的公钥内容追加到服务器端所创建文件中

[root@SYL2 ~]# cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys //追加到服务器所创的文件中
[root@SYL2 ~]# ll /root/.ssh/
total 8
-rw-------. 1 root root 567 Apr 14 16:19 authorized_keys
-rw-r--r--. 1 root root 567 Apr 14 16:16 id_rsa.pub
[root@SYL2 ~]# cat /root/.ssh/authorized_keys //查看公钥
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDURL7SIZxuG6uEEYvFMBF4O5HLmTHrW8hEaB/HRELN+4jJduq8FPpLJb/p9sjl/Gc/wB/aL9Zyg4cFV7ehsTprQ9Zi4bg5qiVAyzx++i4RdJM1ZY5BnZP3G+eeGwCPZ5YYvM6eKeD2cX0H1Q9huV+De0vUycWU9lZpTwRrfMgOzqyU4FxDv81eUwOKNcK9P4NsxIAlNyt+zoFAbD/qv7yoLAHRUZH2LOVLxYxcRUy9WvmJGb5o2cHNClwwUHQ+WD4fQQU0RBnMGpXyyBt+isSm6tfS2IcnfQ22U31piN/clSQm/nY7P9mi1wZdL62PV6AaJkR3lSZ9TdTNdB1qX7OpqWWC45vJ7tbKRtP3iuhY9oE///qPTXY9x8ZaqozXZouFyfBmmQ9olKcywAMRZmU0jEiZruidSSHyrbftPScPCVpOWFUsWJkRktTxTJ0hVaLuN+tDKyks5PPm9C4P6haiO4X+Stqr7jHbBBN42uPDutc61BiC3e8kaH09055ey48= mushuang@SYL3
[root@SYL2 ~]#

回到客户端（128）成功免密登录

[mushuang@SYL3 ~]$ ssh root@192.168.232.129
Last login: Thu Apr 14 16:00:52 2022 from 192.168.232.128
[root@SYL2 ~]# exit
logout
Connection to 192.168.232.129 closed.
[mushuang@SYL3 ~]$

TprQ9Zi4bg5qiVAyzx++i4RdJM1ZY5BnZP3G+eeGwCPZ5YYvM6eKeD2cX0H1Q9huV+De0vUycWU9lZpTwRrfMgOzqyU4FxDv81eUwOKNcK9P4NsxIAlNyt+zoFAbD/qv7yoLAHRUZH2LOVLxYxcRUy9WvmJGb5o2cHNClwwUHQ+WD4fQQU0RBnMGpXyyBt+isSm6tfS2IcnfQ22U31piN/clSQm/nY7P9mi1wZdL62PV6AaJkR3lSZ9TdTNdB1qX7OpqWWC45vJ7tbKRtP3iuhY9oE///qPTXY9x8ZaqozXZouFyfBmmQ9olKcywAMRZmU0jEiZruidSSHyrbftPScPCVpOWFUsWJkRktTxTJ0hVaLuN+tDKyks5PPm9C4P6haiO4X+Stqr7jHbBBN42uPDutc61BiC3e8kaH09055ey48= mushuang@SYL3
[root@SYL2 ~]#


- 回到客户端（128）成功免密登录

```basic
[mushuang@SYL3 ~]$ ssh root@192.168.232.129
Last login: Thu Apr 14 16:00:52 2022 from 192.168.232.128
[root@SYL2 ~]# exit
logout
Connection to 192.168.232.129 closed.
[mushuang@SYL3 ~]$

慕霜ヾ

关注

0
点赞
踩
4

收藏

觉得还不错? 一键收藏
0
评论
openssh

openssh文章目录openssh一. 常见的远程登录1. telnet 远程登录协议，23/TCP2. dropbear 嵌入式系统专用的SSH服务器端和客户端工具3. ssh (Secure SHell) 22/TCP4. ssh的认证方式5. 工作模式 --- openssh6. ssh的远程登录方式6.1 用户名相同，直接用ip地址登录6.2 用户名不同，用户名+ip地址登录6.3 不登录进去，并且执行命令后自动退出7. 加密与解密7.1 ssh主机密钥7.2 将文件删除后在登录会重新进行主机验
复制链接

扫一扫