ssh远程管理

ssh

要更改Linux系统的主机名，请使用以下命令:

[root@rhel8 ~]# hostnamectl set-hostname ssh-client
[root@rhel8 ~]# hostnamectl set-hostname ssh-server

SSH或Secure Shell是访问远程计算机的安全方式。默认端口为22，但建议在通过Internet访问远程计算机时使用不同的端口。

要使用SSH登录远程计算机，请使用以下格式：

ssh username@address

将’username’替换为远程计算机的用户名，将’address’替换为远程计算机的IP地址。在尝试登录之前，请确保可以访问远程计算机。如果您没有指定用户名，则将使用shell的当前用户尝试登录。如果远程计算机上不存在该用户，则登录将失败。

要退出SSH会话，请使用以下命令：

exit

SSH服务器配置文件可以在/etc/ssh/目录中找到。此目录中有多个密钥文件，包括ssh_host_ecdsa_key，ssh_host_ed25519_key和ssh_host_rsa_key。这些文件用于非对称加密，比对称加密更安全。

SSH服务器使用sshd_config配置文件，而SSH客户端使用ssh_config配置文件。通常情况下Linux系统都预先安装了客户端和服务器，但Windows没有默认安装SSH客户端。

在SSH客户端计算机上用户的主目录中的~/.ssh/known_hosts文件会记录远程服务器的公钥。如果服务器的IP地址已在known_hosts文件中，则不会提示用户验证服务器的指纹。

使用以下命令检查密钥文件的指纹：

ssh-keygen -lf ssh_host_rsa_key -E md5
ssh-keygen -lf ssh_host_rsa_key -E SHA1
ssh-keygen -lf ssh_host_rsa_key -E SHA2

将-o StrictHostKeyChecking=no选项添加到ssh命令中以禁用指纹验证：

ssh -o StrictHostKeyChecking=no 192.168.199.108

[root@ssh-server ~]# cat /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tjExp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
# If you want to change the port on a SELinux system,you have to tell# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
ssh访问的端⼝号，可以修改
#Port 22 
#AddressFamily any
ssh监听的地址,0.0.0.0就表示监听所有的ipv4地址的22端⼝
#ListenAddress 0.0.0.0 
#ListenAddress ::
私钥
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# System-wide Crypto policy:
# This system is following system-wide crypto policy.The changes to
# Ciphers, MACs, KexAlgoritms and GSSAPIKexAlgorithsm will not have any
# effect here. They will be overridden by command-line options passed on
# the server start up.
# To opt out, uncomment a line with redefinition of  CRYPTO_POLICY=
# variable in /etc/sysconfig/sshd to overwrite the policy.
# For more information, see manual page for update crypto-policies(8).# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin如果是yes就表示允许root通过ssh登录，如果是no就拒绝root通过ssh登录
PermitRootLogin yes

#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
该参数如果是yes就表示⽀持基于公钥的认证，如果是no就表示不⽀持
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
基于公钥认证⽅式开启后，客户端公钥的存放位置
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
该参数如果是yes就表示⽀持密码认证，如果是no就表示不⽀持密码认证
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
# GSSAPI options
GSSAPIAuthentication yesGSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no
# Set this to 'yes' to enable PAM authentication,account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
# problems.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes#PermitTTY yes
# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
# as it is more configurable and versatile than the built-in version.
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE
LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE
LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs

该参数表示是否⽀持X转发，如果是yes就表示⽀持，如果是no就表示不⽀持。
# X11Forwarding no

# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server

sshd_config文件包含许多配置选项，包括用于SSH连接的端口号。PermitRootLogin选项指定是否允许root用户通过SSH登录。将该值更改为“yes”或“no”以启用或禁用root登录。

更改配置文件后，使用以下命令重新启动SSH服务：

systemctl restart sshd

ssh命令

参数：

p:指定远程服务器上的端口

o：指定配置选项

示例：ssh -p 21212 -o StrictHostKeyChecking=no 192.168.199.108

ssh日志

[root@ssh-server ~]# ls /var/log/secure

该⽂件记录了ssh登录的log

基于公钥的认证⽅式

于公钥的认证⽅式只是为了免密登录，免密登录只是基于公钥认证的⼀个附带特性。基于公钥的认证方式可以防止黑客暴力破解密码。

①第⼀步就是要将客户端的公钥传送到服务端

在客户端上通过ssh-keygen命令⽣成⾮对称加密密钥

[root@ssh-client ~]# ssh-keygen

Generating public/private rsa key pair.

Enter file in which to save the key (/root/.ssh/id_rsa):

密钥对的存放⽬录

Enter passphrase (empty for no passphrase):

私钥的密码，可以设置为空

Enter same passphrase again: 重新输⼊私钥的密码

Your identification has been saved in /root/.ssh/id_rsa.

Your public key has been saved in /root/.ssh/id_rsa.pub.

The key fingerprint is:

SHA256:puYScDwd7BJS6N0WuN1Fx1e+n+p3njsq8xitOh6rUcI

root@ssh-client

The key’s randomart image is:

±–[RSA 2048]----+

| o.o … …|

| o o + … … |

| . + B + . . .|

| o B B . .|

| o + ES. . |

| . oo . o|

| .o. . . . …|

| .o …oo+ .oo|

| …o+oo==o+=|

±—[SHA256]-----+

②客户端访问服务端的时候采⽤基于公钥的认证⽅式

传到服务器的哪⾥呢？AuthorizedKeysFile .ssh/authorized_keys

配置⽂件上⾯的参数，指定了基于公钥认证⽅式的客户端公钥存放位置

[root@ssh-client ~]# ssh-copy-id -p 21212 gzy@192.168.199.108

只有将公钥传到了具体⽤户的家⽬录下才可以实现基于公钥的认证⽅式

[root@ssh-client .ssh]# ssh -p 21212 [gzy@192.168.199.108](http://gzy@192.168.199.108/) pwd

[root@ssh-client ~]# scp -P 21212 cangls gzy@192.168.199.108:/home/gzy/

[root@ssh-client ~]# sftp -P 21212 [gzy@192.168.199.108](http://gzy@192.168.199.108/)

Connected to gzy@192.168.199.108.

sftp> pwd

Remote working directory: /home/gzy

sftp> get cangls

Fetching /home/gzy/cangls to cangls

sftp> exit