SSH is the Secure Shell Protocol.

 The SSH protocol itself provides two server functions:

1. SSH (secure remote shell)
2. sftp-server, which provides a secure FTP-style file transfer service

Version 2 adds an integrity check on the connection, which prevents malicious code from being injected into the session while it is open.

[root@szm ~]# ll /etc/ssh/ssh_host*
-rw-------. 1 root root  668 Mar 20 03:56 /etc/ssh/ssh_host_dsa_key
-rw-r--r--. 1 root root  590 Mar 20 03:56 /etc/ssh/ssh_host_dsa_key.pub
-rw-------. 1 root root  963 Mar 20 03:56 /etc/ssh/ssh_host_key
-rw-r--r--. 1 root root  627 Mar 20 03:56 /etc/ssh/ssh_host_key.pub
-rw-------. 1 root root 1675 Mar 20 03:56 /etc/ssh/ssh_host_rsa_key
-rw-r--r--. 1 root root  382 Mar 20 03:56 /etc/ssh/ssh_host_rsa_key.pub

[root@szm ~]# /etc/init.d/sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]
 
[root@szm ~]# netstat -tlnp | grep ssh
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      2157/sshd
tcp        0      0 :::22                       :::*                        LISTEN      2157/sshd
[root@szm ~]# ssh 127.0.0.1
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
RSA key fingerprint is 9b:e2:0b:d2:0a:54:09:d9:3a:1f:49:a1:84:83:a7:cb.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '127.0.0.1' (RSA) to the list of known hosts.
root@127.0.0.1's password:
Last login: Mon Mar 25 20:36:03 2013 from 192.168.179.1
 
[root@szm ~]# ssh root@127.0.0.1
root@127.0.0.1's password:
Last login: Mon Mar 25 23:46:10 2013 from localhost.localdomain
 If no account is given, ssh tries to log in to the remote host with the account you are using on the local machine.
 
[root@szm ~]# ssh root@127.0.0.1 ls /
root@127.0.0.1's password:
bin
boot
cgroup
dev
etc
home
lib
lost+found
media
misc
mnt
net
opt
proc
root
sbin
selinux
srv
sys
tmp
usr
var
[root@szm ~]# ssh -f root@127.0.0.1 ls / &> ls.log
root@127.0.0.1's password:
 The difference between using -f and not using it: with -f, the remote host runs the command in the background and ssh returns to the local shell immediately; without it, ssh waits for the remote command to finish before returning.

[root@szm ~]# ssh -o StrictHostKeyChecking=no root@localhost
root@localhost's password:
Last login: Mon Mar 25 23:51:12 2013 from 192.168.179.1

Fix when the ssh host keys have been deleted:
[root@szm ~]# rm /etc/ssh/ssh_host_* -f
[root@szm ~]# ssh root@localhost
Read from socket failed: Connection reset by peer
[root@szm ~]# tail /var/log/messages
Mar 25 08:10:09 szm nmbd[2269]:
Mar 25 08:10:09 szm nmbd[2269]:   *****
Mar 25 08:11:14 szm kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
Mar 25 08:33:53 szm kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
Mar 25 14:08:00 szm kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
Mar 25 20:32:28 szm kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
Mar 26 09:28:49 szm sshd[27689]: error: Could not load host key: /etc/ssh/ssh_host_rsa_key
Mar 26 09:28:49 szm sshd[27689]: error: Could not load host key: /etc/ssh/ssh_host_dsa_key
Mar 26 09:30:20 szm sshd[27702]: error: Could not load host key: /etc/ssh/ssh_host_rsa_key
Mar 26 09:30:20 szm sshd[27702]: error: Could not load host key: /etc/ssh/ssh_host_dsa_key
[root@szm ~]# service sshd restart
 
[root@szm ~]# rm /root/.ssh/known_hosts
rm: remove regular file `/root/.ssh/known_hosts'? y
[root@szm ~]# ssh -o StrictHostKeyChecking=no root@localhost   (trusts the host directly, without the yes/no prompt)
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
root@localhost's password:
Last login: Tue Mar 26 10:00:02 2013 from localhost.localdomain
 
 
Fix when the old host keys were deleted, new ones generated, and the connection then fails:
[root@szm ~]# rm /etc/ssh/ssh_host_* -f
[root@szm ~]# /etc/init.d/sshd restart
Stopping sshd:                                             [  OK  ]
Generating SSH1 RSA host key:                              [  OK  ]
Generating SSH2 RSA host key:                              [  OK  ]
Generating SSH2 DSA host key:                              [  OK  ]
Starting sshd:                                             [  OK  ]
[root@szm ~]#
[root@szm ~]# ssh root@localhost
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
ef:fc:bf:23:d7:c7:c3:e8:67:eb:4d:a9:86:13:52:ed.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending key in /root/.ssh/known_hosts:1
RSA host key for localhost has changed and you have requested strict checking.
Host key verification failed.
 "Offending key in /root/.ssh/known_hosts:1" means the stale entry is on line 1 of the known_hosts file; delete that line.

[root@szm ~]# ssh root@localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is ef:fc:bf:23:d7:c7:c3:e8:67:eb:4d:a9:86:13:52:ed.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.   --- added to known_hosts
root@localhost's password:
Last login: Tue Mar 26 09:54:35 2013 from 172.16.128.73
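The warning above is the same one an actual man-in-the-middle would trigger, so the safe reaction is to compare the fingerprint ssh reports with one obtained out of band (for example on the server console with `ssh-keygen -lf /etc/ssh/ssh_host_rsa_key`) before touching known_hosts. The following script is an added example, not part of the original post: it parses the offending line number and the presented fingerprint out of ssh's own warning text (a constructed copy of the post's output is embedded), and only removes the stale known_hosts line when the fingerprint matches the expected value. The file path passed in is hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original post: act on the
# "REMOTE HOST IDENTIFICATION HAS CHANGED" warning without blindly
# deleting known_hosts entries. The stale line number and the
# fingerprint the server presented are parsed out of ssh's own
# message; the entry is dropped only if that fingerprint equals one
# verified out of band.

# Constructed sample: the lines of the warning that matter here,
# copied from the post's own output.
SAMPLE_WARNING='The fingerprint for the RSA key sent by the remote host is
ef:fc:bf:23:d7:c7:c3:e8:67:eb:4d:a9:86:13:52:ed.
Please contact your system administrator.
Offending key in /root/.ssh/known_hosts:1
Host key verification failed.'

# Print the known_hosts line number named in "Offending key in <file>:<n>".
offending_line() {
    printf '%s\n' "$1" | sed -n 's/^Offending key in .*:\([0-9][0-9]*\)$/\1/p'
}

# Print the fingerprint the remote host presented (it is on the line
# after "...sent by the remote host is", with a trailing period).
presented_fingerprint() {
    printf '%s\n' "$1" | awk '
        found { sub(/\.$/, ""); print; exit }
        /sent by the remote host is$/ { found = 1 }'
}

# Remove line $2 from known_hosts file $1, keeping a backup copy.
drop_known_hosts_line() {
    cp "$1" "$1.old"
    sed "${2}d" "$1.old" > "$1"
}

# Given the warning text, the fingerprint verified out of band and the
# known_hosts path: print "replaced" (stale line removed, so the next
# ssh run records the new key) or "refused" (nothing touched).
handle_changed_key() {
    warning=$1; expected=$2; known_hosts=$3
    presented=$(presented_fingerprint "$warning")
    line=$(offending_line "$warning")
    case $line in
        ''|*[!0-9]*) echo refused; return 1 ;;   # no usable line number
    esac
    if [ -n "$presented" ] && [ "$presented" = "$expected" ]; then
        drop_known_hosts_line "$known_hosts" "$line"
        echo replaced
    else
        echo refused
        return 1
    fi
}
```

Usage: `handle_changed_key "$(ssh root@localhost 2>&1)" "<fingerprint from the console>" ~/.ssh/known_hosts`. The removal step itself is what `ssh-keygen -R localhost` does; the point of the wrapper is that the removal is gated on the fingerprint check rather than done by reflex.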

SSH's FTP function (sftp):
[root@szm ~]# sftp root@localhost
Connecting to localhost...
root@localhost's password:
sftp> lpwd
Local working directory: /root
sftp> pwd
Remote working directory: /root
sftp> put /etc/hosts
Uploading /etc/hosts to /root/hosts
/etc/hosts                                                                                                                  100%  156     0.2KB/s   00:00
sftp> lcd /tmp
sftp> get .bashrc
Fetching /root/.bashrc to .bashrc
/root/.bashrc                                                                                                               100%  176     0.2KB/s   00:00
sftp> lls -a
.   .bashrc      EdP.aKcM5B6  .esd-500   lost+found          pulse-iSJtSDEu9ort  vmware-config0  vmware-file-mod0  vmware-szm
..  EdP.a0602P3  .esd-0       .ICE-unix  pulse-IkztUMsTtTGX  pulse-TtUqDwHsZZQq  VMwareDnD       vmware-root       yum.log
sftp> exit
 Graphical client for the SFTP server: FileZilla, port 22.

scp copies files to and from a known host:

[root@szm ~]# scp /etc/hosts root@127.0.0.1:~   (local file to the remote host)
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
RSA key fingerprint is ef:fc:bf:23:d7:c7:c3:e8:67:eb:4d:a9:86:13:52:ed.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '127.0.0.1' (RSA) to the list of known hosts.
root@127.0.0.1's password:
hosts                                                                                                                      100%  156     0.2KB/s   00:00

[root@szm ~]# scp root@127.0.0.1:/etc/bashrc /tmp   (remote file to the local host)
root@127.0.0.1's password:
bashrc                                                                                                                     100% 2620     2.6KB/s   00:00

Limit the transfer bandwidth with -l (given in Kbit/s): 800/8 = 100 KB/s
[root@szm ~]# scp -l 800 /etc/bashrc root@127.0.0.1:/tmp
root@127.0.0.1's password:
bashrc                                                                                                                     100% 2620     2.6KB/s   00:00
 PieTTY is an improved version of PuTTY.

[root@szm ~]# cat /etc/ssh/sshd_config
#       $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
 Additional Port lines can be added to listen on several ports.
#AddressFamily any
#ListenAddress 0.0.0.0
 The IP address the host listens on.
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2
 This could be changed to "Protocol 2,1" to support both V1 and V2, but don't: V1 is very insecure and easily attacked.

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
 Location of the SSH host private keys.

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
 Without a unit, the value is in seconds.
#PermitRootLogin yes
 It is recommended to disable root login here.
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys
 Whether users may log in with their own key pairs; PubkeyAuthentication applies only to Version 2.
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
 Using ~/.rhosts is far too insecure, so this must stay no.
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
 The first is for V1 (rhosts files and /etc/hosts.equiv combined with RSA host authentication); the second is the V2 equivalent. Both stay no.
#IgnoreUserKnownHosts no
 Whether to ignore the entries recorded in the user's own ~/.ssh/known_hosts.
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
 Passwords must not be empty; password authentication is required.
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
 Allows any challenge-response authentication, so any method defined in login.conf can be used; but nowadays we prefer to let the PAM modules manage authentication, so this option can be set to no.
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
 This option lets X window data be forwarded over the SSH connection.
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
 PrintMotd: the message shown after login; it can be turned off.
#PrintLastLog yes
 Shows the last login information.
#TCPKeepAlive yes
 If the network is unstable, it is recommended to turn this off.
#UseLogin no
#UsePrivilegeSeparation yes
 When a non-root user logs in, a separate sshd process running as that non-root user is spawned; this is safer for the system.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
 Generally, to judge whether the client's origin is legitimate, DNS is used to reverse-resolve the client's hostname.
#PidFile /var/run/sshd.pid
 Changes the file the PID is written to, so the process ID can be looked up.
#MaxStartups 10
 Maximum number of concurrent connections that have not yet authenticated (i.e. not yet obtained a shell).
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem       sftp    /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server

 DenyUsers ....
 DenyGroups ...
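Several of the annotations above amount to a checklist (PermitRootLogin no, Protocol 2 only, PermitEmptyPasswords no, UsePrivilegeSeparation yes, X11Forwarding only when needed). The script below is an added example, not part of the original post or of OpenSSH: it reads an sshd_config the way sshd does (first uncommented occurrence of a keyword wins, keywords are case-insensitive, settings after a Match line are conditional) and reports which of those points a file fails. The two embedded config texts are constructed, one deliberately weak and one with the post's recommendations applied; the defaults assumed for absent keywords are the OpenSSH 5.x ones.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an sshd_config
# for the hardening points the post makes. sshd takes the FIRST
# uncommented occurrence of a keyword, keywords are case-insensitive,
# and anything after a Match line is conditional, so the audit reads
# values the same way. Only the "Keyword value" form used in the
# post's file is parsed.

# Constructed sample, not a real server's file; the weak settings are
# deliberate so the audit has something to report.
WEAK_CONFIG='# comment line
#PermitRootLogin yes
Protocol 2,1
PasswordAuthentication yes
PermitEmptyPasswords yes
PermitRootLogin no
X11Forwarding yes
UsePrivilegeSeparation yes
Match User anoncvs
    X11Forwarding no'

# The same file with the post's recommendations applied (constructed).
HARDENED_CONFIG='Protocol 2
PermitRootLogin no
PasswordAuthentication yes
PermitEmptyPasswords no
UsePrivilegeSeparation yes
X11Forwarding no'

# Print the effective value of keyword $2 in config text $1, or $3 when
# the keyword is absent.
effective() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    value=$(printf '%s\n' "$1" | awk -v k="$key" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comments, blanks
        tolower($1) == "match" { exit }                    # conditional section starts
        tolower($1) == k { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }')
    printf '%s\n' "${value:-$3}"
}

# Compare keyword $2 with expected value $3 ($4 = value assumed when the
# keyword is absent). Prints a PASS/FAIL line; returns 1 on FAIL.
check() {
    actual=$(effective "$1" "$2" "$4")
    if [ "$actual" = "$3" ]; then
        printf 'PASS %s = %s\n' "$2" "$actual"
    else
        printf 'FAIL %s = %s (want %s)\n' "$2" "$actual" "$3"
        return 1
    fi
}

# Run the checks. Absent-keyword defaults are the OpenSSH 5.x ones,
# except Protocol, which is flagged when unset because its default
# varied between releases.
audit() {
    check "$1" PermitRootLogin        no  yes   || true
    check "$1" Protocol               2   unset || true
    check "$1" PermitEmptyPasswords   no  no    || true
    check "$1" UsePrivilegeSeparation yes yes   || true
    check "$1" X11Forwarding          no  no    || true
}

# Number of FAIL lines for a config text.
audit_failures() {
    audit "$1" | awk '/^FAIL/ { n++ } END { print n + 0 }'
}
```

To audit a real file, pass its contents: `audit "$(cat /etc/ssh/sshd_config)"`. Note that the first-match rule is why a hardening line appended at the end of the file has no effect if an earlier uncommented line already sets the same keyword.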

 Setting up passwordless (key-based) SSH login:

1. Generate a key pair on the client;
2. Keep the private key file on the client;
3. Put the public key into the correct directory and file on the server.

 [root@szm ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
84:ef:86:84:79:bf:05:a9:72:e7:80:a7:e3:c7:98:3f root@szm.test.com
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|       .         |
|      . .        |
|     o o .       |
|    o o S        |
|     + = .       |
|    o+* = .      |
|    +=E= o       |
|   .o+..o        |
+-----------------+

 

[root@szm ~]# ll -d ~/.ssh/;ll ~/.ssh/
drwx------. 2 root root 4096 Mar 27 17:19 /root/.ssh/
total 16
-rw-r--r--. 1 root root  226 Mar 27 14:22 authorized_keys
-rw-------. 1 root root 1675 Mar 27 17:22 id_rsa
-rw-r--r--. 1 root root  399 Mar 27 17:22 id_rsa.pub
-rw-r--r--. 1 root root  782 Mar 26 12:40 known_hosts

 The ~/.ssh/ directory must be mode 700! id_rsa must have the permissions shown above (owner read/write only), otherwise the SSH key login will not work.

[root@szm ~]# scp ~/.ssh/id_rsa.pub root@192.168.179.7:~
The authenticity of host '192.168.179.7 (192.168.179.7)' can't be established.
RSA key fingerprint is ef:fc:bf:23:d7:c7:c3:e8:67:eb:4d:a9:86:13:52:ed.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.179.7' (RSA) to the list of known hosts.
root@192.168.179.7's password:
id_rsa.pub                                    100%  399     0.4KB/s   00:00

[root@szm ~]# cat id_rsa.pub >> ~/.ssh/authorized_keys
[root@szm ~]# ll ~/.ssh/authorized_keys
-rw-r--r--. 1 root root 625 Mar 27 17:30 /root/.ssh/authorized_keys

 Pay very careful attention to the permissions here.
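The server-side step above (appending id_rsa.pub to authorized_keys) is where the permission warnings bite, because sshd's StrictModes silently refuses a world-writable authorized_keys or a group-readable ~/.ssh. The script below is an added example, not part of the original post: it checks the modes the post demands (700 on the directory, 600 on id_rsa, authorized_keys not group/world writable), and appends a public key only if the same key material is not already listed. It takes the ssh directory as an argument so it can be exercised on a scratch directory; the sample key lines in the usage are constructed, not real keys. `stat -c` is the GNU form available on CentOS.

```shell
#!/bin/sh
# Added example, not part of the original post: install a public key
# on the server the way the post does (append to ~/.ssh/authorized_keys)
# but with the permission checks the post insists on, and without
# appending a key that is already present.

# Report permission problems in an ssh directory: the directory must be
# 700, a private key must be 600 (no group/other bits), and
# authorized_keys must not be group- or world-writable (sshd's
# StrictModes refuses such files). Returns 1 if anything is wrong.
check_ssh_perms() {
    dir=$1; bad=0
    mode=$(stat -c '%a' "$dir")
    [ $(( 0$mode & 077 )) -eq 0 ] || { echo "$dir is mode $mode, want 700"; bad=1; }
    if [ -f "$dir/id_rsa" ]; then
        mode=$(stat -c '%a' "$dir/id_rsa")
        [ $(( 0$mode & 077 )) -eq 0 ] || { echo "$dir/id_rsa is mode $mode, want 600"; bad=1; }
    fi
    if [ -f "$dir/authorized_keys" ]; then
        mode=$(stat -c '%a' "$dir/authorized_keys")
        [ $(( 0$mode & 022 )) -eq 0 ] || { echo "$dir/authorized_keys is mode $mode, must not be group/world writable"; bad=1; }
    fi
    return $bad
}

# Append public key line $2 to $1/authorized_keys unless its key
# material (second field) is already listed. Prints "added" or "present".
add_authorized_key() {
    keyfile=$1/authorized_keys
    material=$(printf '%s\n' "$2" | awk '{ print $2 }')
    if [ -f "$keyfile" ] && awk -v k="$material" '$2 == k { found = 1 } END { exit !found }' "$keyfile"; then
        echo present
        return 0
    fi
    printf '%s\n' "$2" >> "$keyfile"
    chmod 600 "$keyfile"      # owner-only, satisfies StrictModes
    echo added
}

# Usage on a live system (constructed key line shown for illustration):
#   add_authorized_key /root/.ssh "ssh-rsa AAAAB3CONSTRUCTED root@szm.test.com"
#   check_ssh_perms /root/.ssh || echo "fix permissions before trying key login"
```

The duplicate check compares the base64 key material rather than the whole line, so the same key with a different trailing comment is still recognised as already present.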

 SSH security settings:

PermitRootLogin no
DenyUsers ....
DenyGroups ....

 

[root@szm ~]# cat /etc/hosts.allow
sshd:127.0.0.1 192.168.179.0/255.255.255.0
[root@szm ~]# cat /etc/hosts.deny
sshd:ALL
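The pair of files above works because of evaluation order: tcp_wrappers consults hosts.allow first, then hosts.deny, and grants access to anything neither file matches, so "sshd:ALL" in hosts.deny turns hosts.allow into a whitelist. The script below is an added example, not part of the original post or of tcp_wrappers: it reproduces that decision for the pattern forms the post uses (ALL, a bare IPv4 address, net/netmask) so a rule set can be checked against a client address before relying on it. The two files it writes are constructed copies of the post's, placed in a directory passed as an argument; EXCEPT clauses and hostname patterns are not handled.

```shell
#!/bin/sh
# Added example, not part of the original post: evaluate a client
# address against hosts.allow and hosts.deny the way tcp_wrappers does
# for sshd. hosts.allow is consulted first, then hosts.deny, and a
# client matched by neither is allowed. Supported client patterns are
# the ones the post uses: ALL, a bare IPv4 address and net/netmask.

# Convert dotted IPv4 to an integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Does IPv4 address $1 match tcp_wrappers pattern $2?
pattern_matches() {
    case $2 in
        ALL) return 0 ;;
        */*)
            net=${2%/*}; mask=${2#*/}
            [ $(( $(ip_to_int "$1") & $(ip_to_int "$mask") )) -eq \
              $(( $(ip_to_int "$net") & $(ip_to_int "$mask") )) ] ;;
        *)  [ "$1" = "$2" ] ;;
    esac
}

# Does any "daemon_list : client_list" line in file $3 that names
# daemon $1 (or ALL) contain a pattern matching address $2?
file_matches() {
    daemon=$1; ip=$2; file=$3
    [ -f "$file" ] || return 1
    for pat in $(awk -F: -v d="$daemon" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { n = split($1, ds, /[ \t,]+/)
          for (i = 1; i <= n; i++)
              if (ds[i] == d || ds[i] == "ALL") { print $2; break } }' "$file"); do
        pattern_matches "$ip" "$pat" && return 0
    done
    return 1
}

# Final decision for daemon $1 and client $2 with allow file $3 and
# deny file $4: prints "allow" or "deny".
wrapper_decision() {
    if file_matches "$1" "$2" "$3"; then
        echo allow
    elif file_matches "$1" "$2" "$4"; then
        echo deny
    else
        echo allow          # matched by neither file: tcp_wrappers grants access
    fi
}

# Constructed copies of the post's hosts.allow / hosts.deny, written
# into directory $1 so the logic can be tried without touching /etc.
write_sample_files() {
    printf 'sshd:127.0.0.1 192.168.179.0/255.255.255.0\n' > "$1/hosts.allow"
    printf 'sshd:ALL\n' > "$1/hosts.deny"
}
```

Usage against the real files: `wrapper_decision sshd 192.168.179.7 /etc/hosts.allow /etc/hosts.deny`. Trying a daemon name that appears in neither file (for example vsftpd) shows the default-allow behaviour that makes a deny-all line necessary for every wrapped service, not just sshd.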

 

Log troubleshooting:

 

[root@szm ~]# tail /var/log/secure

[root@szm ~]# cat /etc/init/prefdm.conf
# prefdm - preferred display manager
#
# Starts gdm/xdm/etc by preference
 
start on stopped rc RUNLEVEL=5
 
stop on starting rc RUNLEVEL=[!5]
 
console output
respawn
respawn limit 10 120
exec /etc/X11/prefdm -nodaemon
 Starts an X Display Manager program.

 

 X Server, X Client, Window Manager (WM) [GNOME, KDE, XFCE], Display Manager (DM) [GDM, KDM]

XDMCP configuration procedure:

1.[root@Centosszm ~]# cat /etc/gdm/custom.conf
# GDM configuration storage
[daemon]
[security]
AllowRemoteRoot=true
DisallowTCP=false
[xdmcp]
Enable=1
[greeter]
[chooser]
[debug]

2.[root@Centosszm ~]# cat /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m udp -p udp --dport 177 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 6000:6010 -j ACCEPT

3.[root@Centosszm ~]# /etc/init.d/iptables restart

4.[root@Centosszm ~]# runlevel
3 5   -------- previous runlevel was 3, current is 5

5. Because runlevel 5 is already running, re-enter it so the configuration file is applied:
[root@Centosszm ~]# init 3
[root@Centosszm ~]# init 5

6. Check that ports 177 and 6000 are listening; port 6000 is used by the X server to accept X client connections.
[root@Centosszm ~]# netstat -tulnp

7. The client initiates the connection.

 To run GDM in the current runlevel:
[root@Centosszm ~]# gdm

[root@Centosszm ~]# cat /etc/rc.d/rc.local
[root@Centosszm ~]# /usr/sbin/gdm

 

1: Starting the connection in a different X environment: use X directly

In CentOS 6.x, if the system already boots to runlevel 5, graphical display :0 is on the tty1 terminal; if the graphical interface is started from runlevel 3, it is on tty7.

2: Starting another X inside the same X session: use Xnest

[root@Centosszm ~]# yum install xorg-x11-server-Xnest
[root@Centosszm ~]# Xnest -query 192.168.179.7 -geometry 640x480 :1

Before the X server connects:
 [root@Centosszm ~]# pstree | grep gdm
     |-gdm-binary---gdm-simple-slav-+-Xorg
     |                              |-2*[gdm-session-wor]
     |                                              |-gdm-simple-gree

After the X server connects:
[root@Centosszm ~]# pstree | grep gdm
     |-gdm-binary-+-gdm-simple-slav-+-Xorg
     |            |                 |-2*[gdm-session-wor]
     |            |                                 |-gdm-simple-gree
     |            `-gdm-simple-slav-+-2*[gdm-session-wor]
     |                                              |-gdm-simple-gree---{gdm-simple-gre}

TigerVNC server configuration:
1.[root@Centosszm ~]# yum install tigervnc-server
2.[root@Centosszm ~]# vncpasswd
Password:
Verify:
3.[root@Centosszm ~]# vncserver   ------- starts the service
Firewall ports: when a firewall is in use, connecting to a remote system requires opening port 5901.
4.[root@Centosszm ~]# vi /etc/sysconfig/iptables   ---- only 4 VNC displays are opened here
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5900:5903 -j ACCEPT
 -------------------------------------------------------------
[root@Centosszm ~]# ll .vnc/
total 28
-rw-r--r--. 1 root root 1934 Mar 28 15:53 Centosszm.test.com:1.log
-rw-r--r--. 1 root root    5 Mar 28 15:53 Centosszm.test.com:1.pid
-rw-r--r--. 1 root root 3434 Mar 28 15:33 Centosszm.test.com:2.log
-rw-r--r--. 1 root root 1333 Mar 28 19:57 Centosszm.test.com:3.log
-rw-r--r--. 1 root root    6 Mar 28 19:57 Centosszm.test.com:3.pid
-rw-------. 1 root root    8 Mar 28 15:20 passwd
-rwxr-xr-x. 1 root root  592 Mar 28 15:48 xstartup
Linux VNC client connection:
 [root@Centosszm ~]# yum install tigervnc
 Unlike earlier VNC servers, in CentOS 6.x the TigerVNC server automatically provides the correct graphical display according to the graphical login method configured on the server.
Windows VNC connection:
 Use RealVNC
Shutting down VNC:
[root@Centosszm ~]# vncserver -kill :1

VNC combined with the local XDMCP screen (shows the GDM login screen):
[szm@Centosszm ~]$ vi .vnc/xstartup   ------------ comment out all lines
[szm@Centosszm ~]$ vncserver :5 -query localhost

Starting the VNC server at boot:
 Note: do not put the vncserver command into /etc/rc.d/rc.local, otherwise localhost logins may fail.
 
1.[root@Centosszm szm]# grep -v ^# /etc/sysconfig/vncservers
VNCSERVERS="1:root"
VNCSERVERARGS[1]="-query localhost"
 
2.[root@Centosszm szm]# /etc/init.d/vncserver restart
Shutting down VNC server: 1:root                           [FAILED]
Starting VNC server: 1:root
New 'Centosszm.test.com:1 (root)' desktop is Centosszm.test.com:1
 
Starting applications specified in /root/.vnc/xstartup
Log file is /root/.vnc/Centosszm.test.com:1.log
 
                                                           [  OK  ]
Shared VNC (all viewers see the same screen, with the mouse synchronized; useful for demonstrations and teaching):
[root@Centosszm szm]# yum install tigervnc-server-module
 
Generate the /etc/X11/xorg.conf file:
[root@Centosszm ~]# X -configure
[root@Centosszm ~]# mv xorg.conf.new /etc/X11/xorg.conf
Section "Screen"
       Option "passwordFile" "/home/root/.vnc/passwd"
.....
Section "Module"
      Load "vnc"
Connection method:
      Just the IP address; no :0-style display suffix is needed.

 Windows Remote Desktop access: the XRDP server

 XRDP ultimately starts VNC automatically, so VNC must be installed; otherwise XRDP cannot run.

 [root@Centosszm ~]# /etc/init.d/xrdp start
Starting xrdp:                                             [  OK  ]
Starting xrdp-sesman:                                      [  OK  ]
[root@Centosszm ~]# netstat -tunlp | grep xrdp
tcp        0      0 127.0.0.1:3350              0.0.0.0:*                   LISTEN      22598/xrdp-sesman
tcp        0      0 0.0.0.0:3389                0.0.0.0:*                   LISTEN      22594/xrdp
[root@Centosszm ~]# cat /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 6000:6010 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5900:5911 -j ACCEPT

 Advanced SSH usage:

Running SSH on a non-standard port:

 

[root@Centosszm ~]# vim /etc/ssh/sshd_config
Port 22
Port 23

[root@Centosszm ~]# cat /var/log/audit/audit.log | grep AVC | grep ssh | audit2allow -m sshlocal >sshlocal.te
[root@Centosszm ~]# grep sshd_t /var/log/audit/audit.log | audit2allow -M sshlocal
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i sshlocal.pp

[root@Centosszm ~]# semodule -i sshlocal.pp

[root@Centosszm ~]# /etc/init.d/sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]
[root@Centosszm ~]# netstat -tulnp | grep ssh
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      23782/sshd
tcp        0      0 0.0.0.0:23                  0.0.0.0:*                   LISTEN      23782/sshd
tcp        0      0 :::22                       :::*                        LISTEN      23782/sshd
tcp        0      0 :::23                       :::*                        LISTEN      23782/sshd
[root@Centosszm ~]# ssh -p 23 root@localhost
 

Synchronized mirror backups with rsync:

 rsync is not only fast to transfer; while transferring it compares the files to be copied on the local side with those on the remote host and copies only the ones that differ, so the transfer time drops considerably.

1.[root@Centosszm ~]# rsync -av /etc /tmp
2.[root@Centosszm ~]# rsync -av -e ssh root@localhost:/etc /tmp

3. Transfer directly through the service rsync itself provides; the rsync host must then listen on port 873:
  /etc/xinetd.d/rsync
  /etc/rsyncd.conf
  password
  rsync -av user@hostname:/dir/path /local/path

-v: verbose output
-q: quiet mode
-r: recursive
-u: update only
-l: copy attributes
-p: copy permissions as well
-g: preserve the original group
-o: preserve the original owner
-D: preserve attributes
-t: preserve times
-I: ignore modification times; the file comparison is quicker
-z: compress
-e: the remote shell/protocol to use
-a: equivalent to -rlptgoD

 

Encrypting an otherwise unencrypted service through an SSH tunnel:

[root@Centosszm ~]# ssh -L 5911:127.0.0.1:5901 -N 192.168.179.254   (-N: forward the port only, run no remote command)
 Centosszm(5911)--------ssh(5911)----------(22)ssh------------(5901)179.154

VNC Viewer: connect to localhost:5911

Passing a graphical interface through the SSH tunnel with an X server:

[root@Centosszm ~]# yum install xterm
Xming----->multiple windows---->start a program---->using Putty