02-SSH
procedure
1. Version negotiation phase
1.1 The server starts the sshd service, opens the port (22 by default) and waits for a client to connect.
1.2 The client initiates a TCP connection to the server; the server sends a message containing its version number.
1.3 The client compares the version in the message with its own and decides which version to use.
1.4 The client sends its version.
1.5 The server compares the versions.
1.6 If negotiation succeeds, enter the key and algorithm negotiation phase.
2. Key and algorithm negotiation phase
2.1 The client and server negotiate the algorithms to use.
2.2 The server sends its public key and a session id to the client.
2.3 The client generates a session key, computes a value from the id and the key, encrypts that result with the server's public key and sends it to the server.
2.4 The server decrypts the ciphertext with its private key and combines the result with its own id to obtain the key.
2.5 Client and server now both know the session id and session key; from then on data is transmitted using the id and key.
3. Authentication phase
3.1 Username/password authentication
3.1.1 The client encrypts the username and password of an account on the server with the session id and session key and sends them to the server.
3.1.2 The server decrypts the ciphertext with the id and key to obtain the username and password.
3.1.3 The server authenticates the username and password...
3.1.4 If 3.1.3 fails, the server asks the client to authenticate again; if it succeeds, the two sides proceed with subsequent operations.
3.2 Public/private key authentication
3.2.1 The client generates a public key and a private key with ssh-keygen, then sends the public key to the server with ssh-copy-id or a similar method; the server stores the public key in the user's home directory... This is a one-time initial setup.
3.2.2 The next time the client wants to connect, it encrypts the username and the public key with the key and id and sends them to the server.
3.2.3 The server decrypts the ciphertext with the key and id, obtains the public key and compares it with the one stored in the home directory.
3.2.4 If they do not match, the connection is refused; if they match, the server sends the client a challenge encrypted with the public key, id and key, and the client decrypts the challenge with its private key, id and key.
3.2.5 The client encrypts the decrypted challenge again with the id and key and sends it to the server; the server decrypts it and checks whether it is the same challenge: if so, authentication succeeds, otherwise it fails.
4. Session request and interaction phase
...
OpenSSH
Versions
version1 is less secure
version2 is more secure
Configuration files
sshd: /etc/ssh/sshd_config
ssh: /etc/ssh/ssh_config
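As an added example (not from the original notes): a POSIX shell function that reads an sshd_config file and reports settings that weaken what these notes discuss, namely protocol version 1, password logins and direct root login. Like sshd, it treats keywords case-insensitively and keeps the first occurrence of a keyword. The sample configs are constructed.

```shell
#!/bin/sh
# Added example (not from the original notes): audit an sshd_config for
# settings that weaken the protections discussed here. Like sshd, the FIRST
# occurrence of a keyword wins and keywords are case-insensitive.
# Prints one finding per line; the exit status is the number of findings.
audit_sshd_config() {
    awk '
        /^[[:space:]]*(#|$)/ { next }              # skip comments and blanks
        {
            key = tolower($1); val = tolower($2)
            if (!(key in cfg)) cfg[key] = val       # first occurrence wins
        }
        END {
            n = 0
            if (cfg["protocol"] ~ /(^|,)1(,|$)/) {
                print "Protocol allows version 1"; n++
            }
            if (!("passwordauthentication" in cfg) || cfg["passwordauthentication"] == "yes") {
                print "PasswordAuthentication yes (or unset, default yes): prefer public keys"; n++
            }
            if (!("permitrootlogin" in cfg) || cfg["permitrootlogin"] == "yes") {
                print "PermitRootLogin yes (or unset): restrict direct root login"; n++
            }
            if (cfg["pubkeyauthentication"] == "no") {
                print "PubkeyAuthentication no: key-based login disabled"; n++
            }
            exit n
        }
    ' "$1"
}

# Constructed weak config (written to the path given in $1) for demonstration.
# The second PasswordAuthentication line is ignored by sshd: first value wins.
write_sample_config() {
    cat > "$1" <<'EOF'
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
EOF
}

# Hardened counterpart, also constructed.
write_hardened_config() {
    cat > "$1" <<'EOF'
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF
}
```

Run it as `audit_sshd_config /etc/ssh/sshd_config`; an exit status of 0 means none of the checked weaknesses was found.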
Man pages
man sshd_config
man sshd
man ssh_config
man ssh
Service scripts
/etc/rc.d/init.d/sshd (CentOS 6)
/usr/lib/systemd/system/sshd.service (CentOS 7)
Remove all hosts the client has already trusted (the file is known_hosts):
rm ~/.ssh/known_hosts
ssh (client) command
ssh [options] [user@]host [COMMAND]
ssh -l user host [COMMAND]
If user is omitted, you log in to the remote host as the same user you are currently logged in as on the local system.
Common options:
-l login_name: log in to the remote host as the specified user
-p port: specify the port of the remote server
-X: enable X11 forwarding
-Y: enable trusted X11 forwarding
X: the protocol, X Window
Displays graphical windows from the remote host locally, i.e. the server's output is sent to the client over ssh and shown with the client's X Window.
This requires that the local side runs an X graphical environment or provides an X service.
Xmanager has a built-in X service.
-o options: options for the login; these options can also be configured in /etc/ssh/ssh_config
ssh -o StrictHostKeyChecking=no 172.16.100.1
Client public key login
1 Generate the public/private key pair locally with ssh-keygen
ssh-keygen [-q] [-b bits] [-t type] [-N new_passphrase] [-P old_passphrase] [-C comment] [-f output_keyfile]
The passphrase is the phrase used to encrypt the private key.
-b bits
Specifies the number of bits in the key to create. For RSA keys, the minimum size is 768 bits and the default is 2048 bits. Generally, 2048 bits is considered sufficient. DSA keys must be exactly 1024 bits as specified by FIPS 186-2. For ECDSA keys, the -b flag determines the key length by selecting from one of three elliptic curve sizes: 256, 384 or 521 bits. Attempting to use bit lengths other than these three values for ECDSA keys will fail. ED25519 keys have a fixed length and the -b flag will be ignored.
-f filename
Specifies the filename of the key file.
-t type
Specifies the type of key to create. The possible values are “rsa1” for protocol version 1 and “dsa”, “ecdsa”, “ed25519”, or “rsa” for protocol version 2.
(The version here means the OpenSSH version.)
-p Requests changing the passphrase of a private key file instead of creating a new private key. The program will prompt for the file containing the private key, for the old passphrase, and twice for the new passphrase.
[root@husa ~]# ssh-keygen -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
82:ee:d4:2b:03:70:0d:67:77:fc:dc:23:99:86:7c:26 root@husa.hust
The key's randomart image is:
+--[ RSA 2048]----+
| . |
| . o . o |
| = . o + + |
|. . .. E X o |
| o . . S= . . |
| .. . . |
| .o . |
| oo . |
| .o. |
+-----------------+
2 Copy the public key to the server
2.1 The ssh-copy-id command
ssh-copy-id [-n] [-i [identity_file]] [-p port] [-o ssh_option] [user@]hostname
2.2 Host 192.168.200.143 copies its public key to host 192.168.200.137
This requires the account password on 192.168.200.137
[root@husa ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@192.168.200.137
The authenticity of host '192.168.200.137 (192.168.200.137)' can't be established.
ECDSA key fingerprint is d8:88:76:ef:30:e0:f5:f7:4b:a2:63:51:55:2e:74:28.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.200.137's password:
Permission denied, please try again.
root@192.168.200.137's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@192.168.200.137'"
and check to make sure that only the key(s) you wanted were added.
2.3 Host 192.168.200.137 now has the file /root/.ssh/authorized_keys
[root@husa .ssh]# pwd
/root/.ssh
[root@husa .ssh]# ls
authorized_keys
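As an added example (not ssh-copy-id's own code): a shell function that does on the server side what the ssh-copy-id step above achieves, appending a public key line to .ssh/authorized_keys only when it is not already there, rejecting malformed lines, and setting the permissions sshd expects (700 on .ssh, 600 on authorized_keys; with StrictModes, sshd ignores keys in a group- or world-writable directory or file). The home directory is a parameter and the sample key line is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not ssh-copy-id's code: install one public key line into
# $home/.ssh/authorized_keys idempotently, with the permissions sshd requires.
# Usage: install_authorized_key "<keytype> <base64blob> [comment]" /home/user
# Prints "installed" or "already installed"; returns 2 for a malformed line.
install_authorized_key() {
    keyline=$1
    home=$2
    keytype=${keyline%% *}          # first field: key type
    rest=${keyline#* }
    blob=${rest%% *}                # second field: base64 key blob
    case "$keytype" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "rejected: unknown key type '$keytype'" >&2; return 2 ;;
    esac
    case "$blob" in
        ""|*[!A-Za-z0-9+/=]*) echo "rejected: key blob is not base64" >&2; return 2 ;;
    esac
    dir=$home/.ssh
    file=$dir/authorized_keys
    mkdir -p "$dir" && chmod 700 "$dir"
    [ -f "$file" ] || : > "$file"
    chmod 600 "$file"
    # Compare on type + blob only, so a changed comment is not a "new" key
    # (ssh-copy-id likewise filters keys that are already installed).
    if grep -qF -- "$keytype $blob" "$file"; then
        echo "already installed"
        return 0
    fi
    printf '%s\n' "$keyline" >> "$file"
    echo "installed"
}

# Constructed placeholder key line (not a real key) for trying the function.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXA root@husa'
```

Try it with `install_authorized_key "$SAMPLE_KEY" /tmp/demo-home` twice: the second call reports the key as already installed and the file keeps a single line.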
3 Log in from host 192.168.200.143 to 192.168.200.137
[root@husa ~]# ssh root@192.168.200.137
Last failed login: Wed Jan 20 10:58:23 CST 2016 from 192.168.200.143 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Wed Jan 20 08:44:05 2016 from 192.168.200.1
[root@husa ~]# ifconfig
eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
ether 00:0c:29:4d:a0:50 txqueuelen 1000 (Ethernet)
RX packets 229066 bytes 15450697 (14.7 MiB)
RX errors 0 dropped 157 overruns 0 frame 0
TX packets 341 bytes 51579 (50.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eno33554984: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.200.137 netmask 255.255.255.0 broadcast 192.168.200.255
inet6 fe80::20c:29ff:fe4d:a05a prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:4d:a0:5a txqueuelen 1000 (Ethernet)
RX packets 3630 bytes 558580 (545.4 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1365 bytes 480150 (468.8 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 1852 bytes 160884 (157.1 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1852 bytes 160884 (157.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0