ssh service
ssh: Secure Shell, a protocol listening on 22/tcp for secure remote login; it replaces telnet, which sends credentials and session data in cleartext
Concrete software implementations:
- OpenSSH: open-source implementation of the ssh protocol, installed by default on CentOS
- dropbear: another open-source implementation, lightweight and common on embedded systems
SSH protocol versions
- v1: integrity is protected only by a CRC-32 checksum instead of a real MAC, which allows insertion attacks and man-in-the-middle; obsolete, do not enable it
- v2: the two sides negotiate a secure MAC algorithm, exchange keys with Diffie-Hellman (or ECDH), and the host authenticates itself with an RSA or DSA key (current OpenSSH also supports ECDSA and Ed25519 host keys)
Key exchange (SSH-2)
- The client opens the connection; both sides send their version strings and a KEXINIT message listing the algorithms they support, and the first algorithm both support is chosen
- Both sides run Diffie-Hellman: the client sends e = g^x mod p, the server answers with f = g^y mod p, and each side computes the shared secret K on its own; K itself is never sent
- The server also sends its host public key K_S and a signature, made with its host private key, over the exchange hash H = HASH(version strings, KEXINIT messages, K_S, e, f, K)
- The client looks K_S up in ~/.ssh/known_hosts and verifies the signature; this is the step that catches a man-in-the-middle, because an attacker cannot sign H with the real host's private key
- The H of the first exchange becomes the session ID, which stays fixed for the life of the connection; separate encryption and MAC keys for each direction are derived from K and H
- Final state: each side holds K, H and the derived session keys, and the server's host key is known to the client. The client's own key pair is not sent during key exchange at all; the user key appears only later, in public key authentication. Everything after this point is encrypted and integrity protected
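The exchange above, run from both sides in one process, as an added example (not code from the page and not OpenSSH's implementation): it uses the SSH mpint/string encodings, the exchange hash and the key derivation from RFC 4253, but over a constructed toy group (a small Mersenne prime and generator 3) so the numbers stay readable. The version and KEXINIT strings and the host key blob are placeholders; the host key signature over H is described in comments but not computed, since that needs a signature library.

```python
import hashlib
import secrets

# Constructed toy group, chosen only so the numbers stay small.  Real SSH
# negotiates RFC 3526 MODP groups or ECDH (curve25519-sha256 etc.), never this.
P = 2**127 - 1
G = 3


def sshstr(b: bytes) -> bytes:
    """SSH 'string': uint32 length followed by the bytes (RFC 4251)."""
    return len(b).to_bytes(4, "big") + b


def mpint(n: int) -> bytes:
    """SSH 'mpint': length-prefixed big-endian two's complement; a positive
    value whose top bit is set gets a leading 0x00 byte."""
    body = n.to_bytes((n.bit_length() + 8) // 8, "big") if n else b""
    return sshstr(body)


def exchange_hash(v_c, v_s, i_c, i_s, k_s, e, f, k):
    """H = HASH(V_C || V_S || I_C || I_S || K_S || e || f || K)  (RFC 4253 section 8)."""
    data = (sshstr(v_c) + sshstr(v_s) + sshstr(i_c) + sshstr(i_s)
            + sshstr(k_s) + mpint(e) + mpint(f) + mpint(k))
    return hashlib.sha256(data).digest()


def derive_key(k, h, letter, session_id, length=32):
    """RFC 4253 7.2: K1 = HASH(K||H||X||session_id), K2 = HASH(K||H||K1), ..."""
    out = hashlib.sha256(mpint(k) + h + letter + session_id).digest()
    while len(out) < length:
        out += hashlib.sha256(mpint(k) + h + out).digest()
    return out[:length]


def toy_kex(v_c=b"SSH-2.0-client", v_s=b"SSH-2.0-server",
            i_c=b"KEXINIT-client", i_s=b"KEXINIT-server",
            k_s=b"host-public-key-blob"):
    """Run one DH exchange from both sides and return what each side derives.
    All five inputs are placeholders standing in for the real wire messages."""
    # client: picks x, sends e = g^x mod p  (SSH_MSG_KEXDH_INIT)
    x = secrets.randbelow(P - 2) + 1
    e = pow(G, x, P)
    # server: picks y, computes K and H, signs H with its host private key and
    # replies with K_S, f and that signature (SSH_MSG_KEXDH_REPLY).  The
    # signature is omitted here; the client verifies it with the K_S it checks
    # against known_hosts, which is what defeats a man-in-the-middle.
    y = secrets.randbelow(P - 2) + 1
    f = pow(G, y, P)
    k_server = pow(e, y, P)
    h_server = exchange_hash(v_c, v_s, i_c, i_s, k_s, e, f, k_server)
    # client: K = f^x mod p, recomputes H and would check the signature over it
    k_client = pow(f, x, P)
    h_client = exchange_hash(v_c, v_s, i_c, i_s, k_s, e, f, k_client)
    # H of the first exchange is the session id: it stays fixed across
    # rekeying and is what publickey authentication later signs.
    session_id = h_client
    return {
        "K_client": k_client, "K_server": k_server,
        "H_client": h_client, "H_server": h_server,
        "session_id": session_id,
        # letter 'C' selects the client-to-server encryption key ('D' is the
        # server-to-client one); each side derives it from its own K and H
        "c2s_key_client": derive_key(k_client, h_client, b"C", session_id),
        "c2s_key_server": derive_key(k_server, h_server, b"C", h_server),
    }


if __name__ == "__main__":
    r = toy_kex()
    print("shared secret agrees:", r["K_client"] == r["K_server"])
    print("session id:", r["session_id"].hex())
    print("c2s key agrees:", r["c2s_key_client"] == r["c2s_key_server"])
```

Note that nothing the client owns is sent in this phase; the only public key on the wire is the server's K_S, and the value the original text calls "session ID" is not chosen by the server but falls out of the hash over everything both sides saw.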
openssh
OpenSSH related packages:
- openssh
- openssh-clients
- openssh-server
Tools built on a client/server (C/S) structure
Clients:
- Linux clients: ssh, scp, sftp, slogin
- Windows clients: Xshell, MobaXterm, PuTTY, SecureCRT, SSH Secure Shell Client
The ssh client command
The ssh command is the ssh client; it gives authenticated, encrypted access to a remote system.
When a user connects to an ssh server for the first time, the server's host public key (the contents of /etc/ssh/ssh_host_*_key.pub on the server) is saved into ~/.ssh/known_hosts on the client. On later connections the host key the server presents is compared with that saved entry; if it does not match, ssh warns of a possible man-in-the-middle attack and refuses the connection.
ssh client configuration file: /etc/ssh/ssh_config (system wide); per-user settings go in ~/.ssh/config
Main settings
#StrictHostKeyChecking ask
To suppress the host key confirmation prompt on first login:
StrictHostKeyChecking no
Caveat: with "no", ssh also keeps connecting when a known host's key has changed, so the man-in-the-middle protection of known_hosts is lost. Prefer StrictHostKeyChecking accept-new (OpenSSH 7.6 and later), which adds unknown hosts automatically but still refuses a changed key, or distribute a pre-populated known_hosts.
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# IdentityFile ~/.ssh/id_ecdsa
# IdentityFile ~/.ssh/id_ed25519
# Port 22
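The known_hosts check that StrictHostKeyChecking acts on, as an added example (not code from the page or from OpenSSH): it parses public key lines and the wire-format blob behind the base64, computes the SHA256 fingerprint the way ssh-keygen -lf prints it, matches both plain and hashed (HashKnownHosts yes) entries, and classifies an offered host key as match, mismatch or unknown, which are the three cases the setting decides between. Every key and the known_hosts content below are constructed sample data, not real keys.

```python
import base64
import hashlib
import hmac
import os


def _wire(*fields: bytes) -> bytes:
    """Concatenate SSH 'string' fields (uint32 length + bytes), RFC 4251."""
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)


def b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode()


def parse_pubkey_line(line: str):
    """'<type> <base64 blob> [comment]' -> (type, blob, key size in bits).
    Size is read from the blob: RSA from the modulus, ECDSA from the curve
    name, ed25519 is fixed at 256."""
    ktype, b64blob = line.split()[:2]
    blob = base64.b64decode(b64blob)
    tlen = int.from_bytes(blob[:4], "big")
    if blob[4:4 + tlen].decode() != ktype:
        raise ValueError("key type inside the blob does not match the line")
    bits = None
    if ktype == "ssh-rsa":
        off = 4 + tlen
        elen = int.from_bytes(blob[off:off + 4], "big")
        off += 4 + elen                                  # skip the exponent e
        nlen = int.from_bytes(blob[off:off + 4], "big")
        bits = int.from_bytes(blob[off + 4:off + 4 + nlen], "big").bit_length()
    elif ktype.startswith("ecdsa-sha2-nistp"):
        bits = int(ktype[len("ecdsa-sha2-nistp"):])
    elif ktype == "ssh-ed25519":
        bits = 256
    return ktype, blob, bits


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint as ssh-keygen -lf prints it (unpadded base64)."""
    return "SHA256:" + b64(hashlib.sha256(blob).digest()).rstrip("=")


def hashed_host(host: str, salt: bytes) -> str:
    """Host field written with HashKnownHosts yes:
    |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (b64(salt), b64(mac))


def host_matches(field: str, host: str) -> bool:
    """Plain fields are comma separated names/addresses ('[host]:port' for
    non-default ports); hashed fields are recomputed with the stored salt."""
    if field.startswith("|1|"):
        _, _, salt_b64, _mac = field.split("|")
        return hmac.compare_digest(hashed_host(host, base64.b64decode(salt_b64)), field)
    return host in field.split(",")


def check_host_key(known_hosts: str, host: str, offered_line: str) -> str:
    """Client-side verdict: 'match', 'mismatch' (possible MITM or a rekeyed
    host) or 'unknown' (first contact).  Only 'match' connects silently;
    StrictHostKeyChecking decides what happens in the other two cases."""
    otype, oblob, _ = parse_pubkey_line(offered_line)
    seen = False
    for raw in known_hosts.splitlines():
        parts = raw.strip().split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        field, ktype, stored = parts[:3]
        if ktype != otype or not host_matches(field, host):
            continue                  # an entry of another key type is not a conflict
        seen = True
        if hmac.compare_digest(base64.b64decode(stored), oblob):
            return "match"
    return "mismatch" if seen else "unknown"


# Constructed sample keys (deterministic bytes, NOT real keys) and a
# known_hosts file with a plain, a multi-name and a hashed entry.
HOST_KEY = _wire(b"ssh-ed25519", bytes(range(32)))
OTHER_KEY = _wire(b"ssh-ed25519", bytes(range(32, 64)))
RSA_KEY = _wire(b"ssh-rsa", b"\x01\x00\x01",                     # e = 65537
                b"\x00" + ((1 << 2047) | 1).to_bytes(256, "big"))  # 2048-bit n
KNOWN_HOSTS = "\n".join([
    "# constructed sample ~/.ssh/known_hosts",
    "10.0.0.7 ssh-ed25519 " + b64(HOST_KEY),
    "bastion,10.0.0.8 ssh-ed25519 " + b64(OTHER_KEY),
    hashed_host("10.0.0.9", os.urandom(20)) + " ssh-ed25519 " + b64(HOST_KEY),
])

if __name__ == "__main__":
    print(fingerprint(HOST_KEY), parse_pubkey_line("ssh-rsa " + b64(RSA_KEY))[2], "bit RSA")
    for h, key in [("10.0.0.7", HOST_KEY), ("10.0.0.7", OTHER_KEY), ("10.0.0.9", HOST_KEY), ("10.0.0.10", HOST_KEY)]:
        print(h, check_host_key(KNOWN_HOSTS, h, "ssh-ed25519 " + b64(key)))
```

The "mismatch" verdict is the one StrictHostKeyChecking no silences; "unknown" is the one accept-new handles safely, which is why accept-new is the better way to get rid of the first-login prompt.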
Format:
ssh [user@]host [COMMAND]
ssh [-l user] host [COMMAND]
Common options:
-p port: port the remote server listens on
-b bind_address: source IP address to connect from
-v: verbose (debug) output; -vv and -vvv give more detail
-C: compress all data
-X: enable X11 forwarding
-t: force pseudo-tty allocation, e.g. to chain interactive logins through several hosts: ssh -t remoteserver1 ssh -t remoteserver2 ssh remoteserver3 (OpenSSH 7.3 and later can do the same with -J remoteserver1,remoteserver2 remoteserver3, which tunnels the final session through the intermediate hosts instead of running a plaintext-visible ssh client on each of them)
-o option: set any ssh_config option on the command line, e.g. -o StrictHostKeyChecking=no
[root@VM_0_3_centos|15|~]#ssh -t 10.0.0.6 ssh -t 10.0.0.7 ssh -t 10.0.0.8
ssh login authentication methods
Ways of authenticating a login to the ssh service
- user/password
- key based
Password based login
1. The client connects; key exchange sets up the encrypted channel and the client checks the server's host key against known_hosts
2. The client sends the user name and password inside that encrypted channel (the password is not encrypted with the server's public key directly; the session keys from key exchange protect it)
3. The server checks the password against its local account database (PAM/shadow); if it is correct the login succeeds. The main risk of this method is that the password is handed to whoever holds the host key the client accepted, so a wrongly accepted host key means a stolen password
Key based login
1. First generate a key pair on the client (ssh-keygen)
2. Copy the client's public key to the server with ssh-copy-id (it is appended to ~/.ssh/authorized_keys of the target user)
3. When the client connects again, after key exchange it sends a publickey authentication request carrying the user name and the public key it wants to use
4. The server searches that user's authorized_keys for an entry with the same key; the lookup is by key, not by IP address (a from="..." option on the entry can additionally restrict the source addresses)
5. If an entry is found, the client proves possession of the private key by sending a signature, made with that private key, over the session ID and the authentication request
6. The server verifies the signature with the public key from authorized_keys. Nothing is encrypted with the public key and no challenge string travels back and forth (that encrypt-a-random-string scheme is how SSH-1 did RSA authentication)
7. If the signature verifies, the user is logged in without a password. A passphrase on the private key is checked only locally by the client and is never sent to the server
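What the server does in step 4 above, as an added example (not OpenSSH's code): it scans a constructed authorized_keys file for an entry whose key type and blob equal the key the client offered, then applies that entry's options, in particular from= patterns with wildcards, CIDR ranges and ! negation, and a forced command. An entry whose from= does not match the client address is skipped and the scan continues, as sshd does. The signature check over the session ID that follows in the real protocol needs a signature library and is not modelled; the keys, addresses and file contents are constructed sample data.

```python
import base64
import fnmatch
import ipaddress

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def parse_options(opts: str) -> dict:
    """'from="10.0.0.*,!10.0.0.7",no-pty,command="x y"' -> dict.  Commas
    inside double quotes belong to the value; flags without '=' map to True.
    (Backslash-escaped quotes inside values are not handled here.)"""
    result, cur, inq = {}, "", False
    for ch in opts + ",":
        if ch == '"':
            inq = not inq
        elif ch == "," and not inq:
            if cur:
                key, eq, val = cur.partition("=")
                result[key] = val if eq else True
            cur = ""
        else:
            cur += ch
    return result


def parse_authorized_line(line: str):
    """One authorized_keys line: [options] keytype base64 [comment].
    Returns None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    opts = ""
    if not line.startswith(KEY_TYPES):
        inq = False
        for i, ch in enumerate(line):       # first blank outside quotes ends the options
            if ch == '"':
                inq = not inq
            elif ch.isspace() and not inq:
                opts, line = line[:i], line[i + 1:].lstrip()
                break
    parts = line.split(None, 2)
    return {"options": parse_options(opts), "type": parts[0],
            "blob": base64.b64decode(parts[1]),
            "comment": parts[2] if len(parts) > 2 else ""}


def from_allows(pattern_list: str, addr: str) -> bool:
    """from= semantics: any matching '!' pattern denies outright; otherwise
    at least one positive pattern (glob or CIDR) must match."""
    allowed = False
    for pat in pattern_list.split(","):
        neg = pat.startswith("!")
        pat = pat[1:] if neg else pat
        if "/" in pat:
            hit = ipaddress.ip_address(addr) in ipaddress.ip_network(pat, strict=False)
        else:
            hit = fnmatch.fnmatchcase(addr, pat)
        if hit and neg:
            return False
        allowed = allowed or hit
    return allowed


def authorize(authorized_keys: str, offered_type: str, offered_blob: bytes, client_addr: str):
    """Server side of a publickey request up to the signature check.
    Returns (decision, matching entry or None); the entry's options are what
    sshd then enforces (forced command, no-port-forwarding, ...)."""
    for line in authorized_keys.splitlines():
        entry = parse_authorized_line(line)
        if entry is None or entry["type"] != offered_type or entry["blob"] != offered_blob:
            continue
        opts = entry["options"]
        if "from" in opts and not from_allows(opts["from"], client_addr):
            continue        # sshd logs the refused address and keeps scanning
        return "accepted", entry
    return "rejected: no usable entry for this key", None


def _wire(*fields: bytes) -> bytes:
    """SSH 'string' fields (uint32 length + bytes), enough to build a key blob."""
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)


def b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode()


# Constructed sample keys (deterministic bytes, NOT real keys) and file.
KEY_ADMIN = _wire(b"ssh-ed25519", bytes(range(32)))
KEY_BACKUP = _wire(b"ssh-ed25519", bytes(range(32, 64)))
KEY_STRANGER = _wire(b"ssh-ed25519", bytes(range(64, 96)))
AUTHORIZED_KEYS = "\n".join([
    "# constructed sample ~/.ssh/authorized_keys",
    'from="10.0.0.*,!10.0.0.7",no-port-forwarding ssh-ed25519 ' + b64(KEY_ADMIN) + " admin@laptop",
    'from="192.168.142.0/24",command="/usr/local/bin/backup.sh --verbose" ssh-ed25519 '
    + b64(KEY_BACKUP) + " backup",
])

if __name__ == "__main__":
    for key, addr in [(KEY_ADMIN, "10.0.0.6"), (KEY_ADMIN, "10.0.0.7"),
                      (KEY_BACKUP, "192.168.142.131"), (KEY_STRANGER, "10.0.0.6")]:
        decision, entry = authorize(AUTHORIZED_KEYS, "ssh-ed25519", key, addr)
        print(addr, decision, entry["options"] if entry else "")
```

The scan key is the blob, so the same public key can appear under several users or with different options, and an IP alone never grants anything; from= only narrows where an already matching key may be used from.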
Implementing key based login
Generate the key pair on the client
ssh-keygen -t rsa [-P ''] [-f ~/.ssh/id_rsa]
-P '' produces a private key with no passphrase; anyone who copies the file can use it, so prefer a passphrase plus ssh-agent. On current systems -t ed25519 is the better default.
Storage location
By default in the .ssh directory under the home directory: id_rsa is the private key (must stay mode 0600 and never leave the client), id_rsa.pub is the public key
[root@centos7|~]#cat .ssh/known_hosts
49.234.76.217 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIZVq9onc11NLGtQkTGC8Quq1JiTRIxLTGoj4BEgcr1XGqWPb4KGIIKR6CfKpG7iWkeu1m47DfCVMR2B1zmLuvI=
192.168.142.134 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCzamNjm7jf2s0SOZgvTAQ0N2iRVubAR6YLK+2JXnzhy3SvtNzzY+Dr1M/qr9tnBm1ZO+qKO3ceXfbyxRGQI3RQ=
192.168.142.131 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBJg7FbWAYB0EHLCu8lM9b9Pz+CTUej6A/pvuHWQ9h3hj6kPoyPnQKI8Vn9XIXLho83zpTBvV3wD1LZGKe9NZBQ=
[root@centos7|~]#ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:Yztkwjb+rXGL675YU4QSVmFcVNZSpJaQQn64vYTsAIc root@centos7
The key randomart image is:
+---[RSA 2048]----+
| o+=++oo+o |
| o +oo.o.o. |
| E o +.o +. |
| + o * . |
| * S + |
| o O = . |
| . B o |
| + B . |
| .oO+o |
+----[SHA256]-----+
[root@centos7|~]#ls .ssh/
id_rsa id_rsa.pub known_hosts
[root@centos7|~]#cat .ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAqkGAdE/KluKhnfUgitGrh+crtnHGxYkRIoKghoioV8cgaY46
kfGeLDul8d4tU9xwgfFgVdX5/30rI2C2dC0ZJ91nD0YvJkI0a97mE6wyqcqwwWdY
gmW15VvKJby+d2FPSlCx1qFdiMzyjpM84YQlGBVPyZnOcUSHgShq2eP/RZJ8gmXx
x/aLfAeNpIz4BXYeC3jNQdSnjg2A7jlYMEYVDgHEGdn0q3qjnxpR+GAdkw8ZcKa2
iQZgcVV7IrrJ5+l173YYomeLS70xyc4XcyAHXVX6InqElaAG3y0Fh3NWqGRgC0rU
QmFOtc2f68Olcc0cXPR4yqbbnGUvPJ6c8ki1WwIDAQABAoIBAQCokzaW87JJ95fC
iMVx7eyDIbc8bCc9y1t16hT7YDAeyYEkQrlna+8LKPxEIZKL6EZVwyN5meZwvASM
gOPm4Ah6WlQC4aEppn+1FvyEGgoH6DNfK+6NHhwePuZGuz1zgpw5nvCW7StpmlPI
K60qNedskx1vJaUsrYflsJkrqP5GaQjkD4+lSUeWqb/1xpZuNZEvsmdv79t9zHCu
cKS9w72/FAm5i9XxbN8AkMaRdzVNzOs2ujRVuQhwj91vv7C6/8DERKtX0fYetwJj
KlA2hrazJwqS9Az3MQOMOlZtbkCJbC/NQEiwv0eCzsLnVqsGjwgZRkBnHRvLyNNY
MDajq9cRAoGBANYdN2E1vnSXTNJXL8SAZ0fPTqXC55Xv70HoCcS6AtKkHaOMjVii
RBwrA0SqskiCLX/FkF2RFGWY3CPtJg1NbMewGOAZ+jMFOAmpBnDjQNbnvfiG006U
AmZCVbzkUEljQnEAKuATznIvJtz/mTMWX5n0hF4tzhQblrtBAcrLDTe3AoGBAMuP
39g4K+9Y/shm5RQxNT/FNmVAbAyd155RxwBkvIz5OAVzU4H0IoaMXoqRiUoVKCq5
e0CIWwXAZkkgbjz5vI2pHKHv6zHpCB19w5bvmdQ07xmoWJ3CL5YxTgmmbKsRp05g
QK7UibEhDh4F8/J3ejvcG6PLp2HxoowPWxVxJYd9AoGAYHQq5XTDhlw+NCcokpnR
bOz7nfquPsImgwcXl3LAIMnjvDBt4DbA/ft2bnGC/Nz/yCZkwXHAwX/Z86k6UhXF
4jL3EcVCC8fXFar6BtKo++bLknCSMjzE0/IgE4a6kETRwnvz1Ju3jYKmPDo8dmIm
0QDwvEhgJHjFLze6qfNM0gMCgYAsN8iME0eX6mEN7yv7wuSqQZCbVe8innbj8Sel
Mjyy8r/0jySoqfuF9p/iwdJswUPEZB4d2oDLMwwE/oJzxFvs+bs6gf85DEGzBkqi
UtG7gvQdQrBdNH1ZxsQI3JnmXyNUpxvl3k06qM+EPg7LsKBguGNYpThq0i5Y9kz2
z2kzkQKBgEbMca+Vx0qtE2M3HNZu9YAe9MFSF6V4UnqUXcjVWGdosMjHuTIYkGhY
HfTPzacrEA+vlDQQaJivKF1lq6gORKGqQtuEPHPmlzaa2gumMD8+sPSvZ2fy92D4
XROaPwNYY8w/wM0pdEvhQ200tyfDKefkPUA59a/iViKOjaVk8AzE
-----END RSA PRIVATE KEY-----
[root@centos7|~]#cat .ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqQYB0T8qW4qGd9SCK0auH5yu2ccbFiREigqCGiKhXxyBpjjqR8Z4sO6Xx3i1T3HCB8WBV1fn/fSsjYLZ0LRkn3WcPRi8mQjRr3uYTrDKpyrDBZ1iCZbXlW8olvL53YU9KULHWoV2IzPKOkzzhhCUYFU/Jmc5xRIeBKGrZ4/9FknyCZfHH9ot8B42kjPgFdh4LeM1B1KeODYDuOVgwRhUOAcQZ2fSreqOfGlH4YB2TDxlwpraJBmBxVXsiusnn6XXvdhiiZ4tLvTHJzhdzIAddVfoieoSVoAbfLQWHc1aoZGALStRCYU61zZ/rw6VxzRxc9HjKptucZS88npzySLVb root@centos7
Transfer the public key file to the home directory of the corresponding user on the remote server: ssh-copy-id -i ~/.ssh/id_rsa.pub user@server appends it to ~/.ssh/authorized_keys there. Keep ~/.ssh at mode 0700 and authorized_keys at 0600 on the server; with its default StrictModes yes, sshd ignores the file if it or the directory is writable by others.
[root@centos7|~]#cat /etc/ssh/ssh_config
# $OpenBSD: ssh_config,v 1.30 2016/02/20 23:06:23 sobrado Exp $
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at