1 SSH (Secure Shell)
SSH builds an encrypted channel between a client and a server and provides reliable system administration and file transfer over it. The figure below shows how the SSH protocol works.
Note that if step 1, initiated by the SSH client, is intercepted by an impostor SSH server that then carries out steps 2, 3 and 4 in place of the real server, whatever the client presents to log in (a password, or the session itself) is exposed to the attacker; this is a man-in-the-middle attack. The defence is the server host key: on the first connection compare the fingerprint ssh displays with one obtained out of band (for example from the server's /etc/ssh/ssh_host_*.pub files on the console), and treat a later "REMOTE HOST IDENTIFICATION HAS CHANGED" warning as a possible attack rather than a nuisance to be cleared by deleting the known_hosts entry.
Common SSH clients
- PuTTY: Windows and Linux;
- WinSCP: Windows, used for file transfer;
- Secure Shell App: Chrome extension;
- PowerShell: Windows 10 (build 1809 and later ship the OpenSSH client, so ssh, scp and ssh-keygen are available from the PowerShell prompt);
- Git Bash: Windows (bundles an OpenSSH client).
Common SSH servers
- OpenSSH: Linux, open source and free;
- Tectia SSH: commercial, Windows and Linux.
2 Common configuration
Client configuration files
- ~/.ssh/config: per-user client options (Host aliases, ports, identity files);
- ~/.ssh/known_hosts: host keys of servers this user has accepted;
- /etc/ssh/ssh_config: system-wide client defaults.
Server configuration files
- /etc/ssh/sshd_config: sshd options;
- ~/.ssh/authorized_keys: public keys allowed to log in as that user.
3 Common commands
- ssh-keygen: generate a client public/private key pair (also prints key fingerprints and manages known_hosts entries)
- ssh-copy-id: push a public key generated by ssh-keygen to the server
- scp: file transfer
- ssh: remote login, remote command execution, port forwarding and more
- sshd: the server daemon, preinstalled on most Linux server distributions (/usr/sbin/sshd); for other installation methods see the official documentation
4 Usage
4.1 Check the client and server SSH programs
Check the SSH version on the client and on the server (the OpenSSH 5.3 shown in this output dates from 2009 and is long out of support; compare against a current release):
[root@iZz9b6fosZ ~]# ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
Check that the server-side SSH daemon is running:
[root@iZz9b6fosZ ~]# ps axjf |grep ssh
1 1685 1685 1685 ? -1 Ss 0 0:00 /usr/sbin/sshd
1685 11174 11174 11174 ? -1 Ss 0 0:00 \_ sshd: root@pts/0
1685 15261 15261 15261 ? -1 Ss 0 0:00 \_ sshd: root@pts/1
15263 15454 15453 15263 pts/1 15453 S+ 0 0:00 \_ grep ssh
4.2 Generate the client key pair with ssh-keygen
Without options, ssh-keygen in the OpenSSH version shown here produces an RSA key pair of 2048 bits (not bytes). OpenSSH 9.5 and later generate Ed25519 keys by default.
[root@iZz9b6fosZ ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/ylo/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/ylo/.ssh/id_rsa.
Your public key has been saved in /home/ylo/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:Up6KjbnEV4Hgfo75YM393QdQsK3Z0aTNBz0DoirrW+c ylo@klar
The key's randomart image is:
+---[RSA 2048]----+
| . ..oo..|
| . . . . .o.X.|
| . . o. ..+ B|
| . o.o .+ ..|
| ..o.S o.. |
| . %o= . |
| @.B... . |
| o.=. o. . . .|
| .oo E. . .. |
+----[SHA256]-----+
The key type and length can be given explicitly:
ssh-keygen -t rsa -b 4096
An Ed25519 key (type ed25519) is the usual choice on OpenSSH 6.5 or later: the keys are short and there is no length to choose.
Note: if a passphrase was set in ssh-keygen, load the private key into ssh-agent with ssh-add so that the passphrase is not prompted for on every connection.
4.3 Add the public key generated by ssh-keygen to the server
4.3.1 With ssh-copy-id
ssh-copy-id user@host
With no -i option, ssh-copy-id uses the keys reported by ssh-add -L when an agent is running, otherwise the most recently modified ~/.ssh/id*.pub (for the keys above, ~/.ssh/id_rsa.pub). To name a specific key, pass the file with -i, for example ssh-copy-id -i ~/.ssh/id_ed25519.pub user@host. On the server the key is appended to ~/.ssh/authorized_keys.
4.3.2 Manually
ssh user@host "mkdir -p .ssh && cat >> .ssh/authorized_keys" < ~/.ssh/id_rsa.pub
This logs in to the server (enter the account password when prompted), creates the .ssh directory if it does not exist, and appends the contents of the client's ~/.ssh/id_rsa.pub to .ssh/authorized_keys on the server. sshd's StrictModes setting (on by default) refuses the key if the home directory, .ssh or authorized_keys is writable by group or others, so check the modes afterwards (.ssh 700, authorized_keys 600) if the server's umask did not already produce them.
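The server-side half of the manual method above, as an added example that is not part of the original page: a function that reads the key from standard input like the one-liner, but also rejects input that is not a public-key line, skips a key that is already present (comparing type and blob, not the trailing comment), and sets the modes sshd's StrictModes accepts. The key line in the demonstration is a constructed placeholder, and the remote-use comment assumes bash on both ends.

```shell
#!/bin/sh
# Added example, not from the original page: append a public key to
# ~/.ssh/authorized_keys the way the manual one-liner does, with the
# checks a practitioner wants: a sane key line, no duplicates, and the
# permissions sshd's default StrictModes accepts (.ssh 700, authorized_keys 600).

install_authorized_key() {
  # usage: install_authorized_key HOME_DIR < id_ed25519.pub
  # prints added | present | rejected; exit status 0 for added/present, 1 otherwise
  home=$1
  IFS= read -r key || { echo rejected; return 1; }
  set -f; set -- $key; set +f       # split the line: TYPE BLOB [COMMENT...] (no globbing)
  [ $# -ge 2 ] || { echo rejected; return 1; }
  case $1 in                        # OpenSSH public key types (lines with an options prefix are out of scope)
    ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|\
    sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) ;;
    *) echo rejected; return 1 ;;
  esac
  case $2 in                        # the key blob must be base64
    *[!A-Za-z0-9+/=]*) echo rejected; return 1 ;;
  esac
  dir=$home/.ssh
  auth=$dir/authorized_keys
  mkdir -p "$dir" && chmod 700 "$dir" || return 1
  [ -e "$auth" ] || : > "$auth"
  chmod 600 "$auth" || return 1
  # already there? compare type+blob at fields 1-2, or at 2-3 when the existing
  # line carries a single key-options token such as no-pty
  if awk -v t="$1" -v b="$2" '($1 == t && $2 == b) || ($2 == t && $3 == b) { f = 1 }
                              END { exit !f }' "$auth"; then
    echo present
    return 0
  fi
  printf '%s\n' "$key" >> "$auth"
  echo added
}

# Remote use (assumes bash on both ends): ship the function with the command and
# feed the key on standard input exactly as in the one-liner above:
#   ssh user@host "$(declare -f install_authorized_key); install_authorized_key \"\$HOME\"" \
#       < ~/.ssh/id_ed25519.pub

# Local demonstration on a throw-away home directory with a constructed key
# (the blob is a placeholder, not real key material)
demo_home=$(mktemp -d)
demo_key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEkeyblobconstructed00000000 alice@laptop'
printf '%s\n' "$demo_key" | install_authorized_key "$demo_home"                  # added
printf '%s\n' "$demo_key" | install_authorized_key "$demo_home"                  # present
printf 'not a key\n' | install_authorized_key "$demo_home" || echo "status $?"   # rejected, status 1
ls -ld "$demo_home/.ssh" "$demo_home/.ssh/authorized_keys"
rm -rf "$demo_home"
```

The duplicate check ignores the comment field on purpose: the same key re-pushed from a renamed laptop should not produce a second line, and the comparison is on the material sshd actually uses.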
4.4 Configuration check
Check the server configuration file /etc/ssh/sshd_config:
- PubkeyAuthentication yes: enables public key authentication (the default);
- PermitRootLogin yes: allows root to log in by any method; prefer no, or prohibit-password (the default since OpenSSH 7.0), which allows root only with a key;
- Port 22: the port sshd listens on, default 22;
- RSAAuthentication yes: applied only to SSH protocol 1; OpenSSH 7.4 and later removed protocol 1 and report this option as deprecated, so for protocol 2 RSA keys it is PubkeyAuthentication that matters.
Remember that sshd uses the first value it finds for a keyword, and that everything after a Match line applies only to matching connections; sshd -T prints the effective configuration after both rules have been applied.
Check the client configuration file /etc/ssh/ssh_config:
- PubkeyAuthentication yes: enables public key authentication;
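An added example, not from the original page, of checking sshd_config the way sshd reads it: the first value of a keyword wins, and lines after the first Match block are conditional, so a "hardening" line appended at the end of the file can change nothing. The sample configuration and the list of settings audited are constructed for the demonstration; the defaults assumed are those of OpenSSH 7.0 and later.

```shell
#!/bin/sh
# Added example, not from the original page: resolve sshd_config keywords the
# way sshd does (first occurrence wins, Match blocks are conditional) and flag
# the settings the section above discusses. The sample file is constructed.

sshd_effective() {
  # usage: sshd_effective FILE KEYWORD   (keyword is case-insensitive)
  # prints the value sshd would use globally, or nothing if the keyword is absent
  awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    {
      line = $0
      sub(/^[ \t]+/, "", line)
      if (line == "" || line ~ /^#/) next        # blank lines and comments
      n = split(line, f, /[ \t=]+/)              # "Keyword value" or "Keyword=value"
      key = tolower(f[1])
      if (key == "match") exit                   # rest of the file is conditional
      if (key == kw) {                           # first occurrence wins
        v = f[2]
        for (i = 3; i <= n; i++) v = v " " f[i]
        print v
        exit
      }
    }' "$1"
}

check_setting() {
  # usage: check_setting FILE KEYWORD DEFAULT "acceptable values"
  # DEFAULT is sshd's compiled-in value, used when the keyword is absent.
  v=$(sshd_effective "$1" "$2")
  [ -n "$v" ] || v=$3
  lv=$(printf '%s' "$v" | tr 'A-Z' 'a-z')
  for ok in $4; do
    [ "$lv" = "$ok" ] && { printf '%s %s OK\n' "$2" "$v"; return 0; }
  done
  printf '%s %s WARN\n' "$2" "$v"
  return 1
}

audit_sshd_config() {
  # prints one line per setting; exit status = number of WARN lines
  warn=0
  check_setting "$1" PermitRootLogin prohibit-password "no prohibit-password without-password" || warn=$((warn + 1))
  check_setting "$1" PasswordAuthentication yes "no" || warn=$((warn + 1))
  check_setting "$1" PermitEmptyPasswords no "no" || warn=$((warn + 1))
  check_setting "$1" PubkeyAuthentication yes "yes" || warn=$((warn + 1))
  return $warn
}

write_sample_sshd_config() {
  # constructed sample, not the page's server: PermitRootLogin yes comes first,
  # and the "hardening" line at the end sits inside the Match block
  cat > "$1" <<'EOF'
Port 2222
PermitRootLogin yes
PasswordAuthentication no
PubkeyAuthentication = yes
Match User git
    X11Forwarding no
    PermitRootLogin no
# appended by a hardening script: still inside "Match User git", so not global
PermitRootLogin no
EOF
}

sample=$(mktemp)
write_sample_sshd_config "$sample"
audit_sshd_config "$sample" || echo "$? setting(s) need attention"
rm -f "$sample"
```

On a real host run the audit against /etc/ssh/sshd_config and compare with sshd -T, which resolves Include files and compiled-in defaults that this reader does not see.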
Further client configuration: an alias in ~/.ssh/config (the cat >> command below reads the following lines from standard input until Ctrl-D; the file must not be writable by others or ssh refuses to read it with "Bad owner or permissions")
$ cat >> ~/.ssh/config
Host git
HostName 192.168.20.82
Port 2222
User git
With the alias in place, check the connection from the client to the server (-v prints the negotiation step by step, -T disables pseudo-terminal allocation, the usual way to test a Git hosting account):
$ ssh git -vT
OpenSSH_7.1p2, OpenSSL 1.0.2g 1 Mar 2016
debug1: Reading configuration data /c/Users/admin/.ssh/config
debug1: /c/Users/admin/.ssh/config line 26: Applying options for git
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to 192.168.20.82 [192.168.20.82] port 2222.
debug1: Connection established.
debug1: identity file /c/Users/admin/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/admin/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/admin/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/admin/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/admin/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/admin/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/admin/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /c/Users/admin/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9
debug1: match: OpenSSH_7.9 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 192.168.20.82:2222 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client chacha20-poly1305@openssh.com <implicit> none
debug1: kex: client->server chacha20-poly1305@openssh.com <implicit> none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:TqMpeQRlbLBDoVuM6UfUGj9kVR5CtAo9MiRmX+y3M+w
debug1: Host '[192.168.20.82]:2222' is known and matches the ECDSA host key.
debug1: Found key in /c/Users/admin/.ssh/known_hosts:15
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /c/Users/admin/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).
Authenticated to 192.168.20.82 ([192.168.20.82]:2222).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Remote: /data/git/.ssh/authorized_keys:2: key options: command user-rc
debug1: Remote: /data/git/.ssh/authorized_keys:2: key options: command user-rc
Hi there: tinycs! You've successfully authenticated with the key named tinycs@163.com, but Gitea does not provide shell access.
If this is unexpected, please log in with password and setup Gitea under another user.
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 3124, received 3252 bytes, in 0.1 seconds
Bytes per second: sent 21135.7, received 22001.7
debug1: Exit status 0
The "Hi there" message comes from Gitea: the key was accepted, and the command option on the matching authorized_keys line (key options: command user-rc in the output) restricts it to Gitea's own command instead of a shell, so the missing shell access is expected. From here on the client logs in with just the alias: ssh git.
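The lookup behind the "Host '[192.168.20.82]:2222' is known and matches the ECDSA host key" line above, and the check that exposes the impostor server described in section 1, as an added example that is not part of the original page. It handles plain-text known_hosts entries, comma-separated host aliases, the [host]:port form used for non-default ports and the @revoked marker; hashed entries (HashKnownHosts yes) and wildcard patterns are not compared. All key blobs are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example, not from the original page: the known_hosts comparison an SSH
# client makes before trusting a server. A line with the same host and key
# type but a different key is exactly what a man-in-the-middle looks like.

check_host_key() {
  # usage: check_host_key KNOWN_HOSTS HOSTTOKEN KEYTYPE BASE64BLOB
  # HOSTTOKEN is "host" for port 22 and "[host]:port" otherwise, as ssh writes it.
  # Prints known | unknown | MISMATCH | REVOKED.
  # Exit status: 0 known, 2 unknown (first contact), 1 mismatch or revoked (do not connect).
  awk -v host="$2" -v type="$3" -v blob="$4" '
    NF == 0 || $1 ~ /^#/ { next }               # blank lines and comments
    $1 ~ /^\|1\|/ { next }                       # hashed entry: needs HMAC-SHA1 to compare
    {
      i = 1; marker = ""
      if ($1 ~ /^@/) { marker = $1; i = 2 }     # @revoked / @cert-authority prefix
      if (marker == "@cert-authority") next      # CA keys are matched against certificates
      n = split($i, hosts, ",")
      hit = 0
      for (j = 1; j <= n; j++) if (hosts[j] == host) hit = 1
      if (!hit || $(i + 1) != type) next         # other host, or a different key type
      if ($(i + 2) != blob) { changed = 1; next }  # same host and type, different key
      if (marker == "@revoked") revoked = 1; else ok = 1
    }
    END {
      if (revoked) { print "REVOKED";  exit 1 }
      if (ok)      { print "known";    exit 0 }  # a matching line wins over a stale one
      if (changed) { print "MISMATCH"; exit 1 }  # refuse: possible man-in-the-middle
      print "unknown"; exit 2
    }' "$1"
}

# constructed placeholder blobs (not real key material)
KEY_A=AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEkeyA          # ed25519 for git.example.com
KEY_B=AAAAB3NzaC1yc2EAAAADEXAMPLEkeyB               # rsa for git.example.com
KEY_C=AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYEXAMPLEkeyC    # ecdsa for [192.168.20.82]:2222
KEY_D=AAAAB3NzaC1yc2EAAAADEXAMPLEkeyD               # revoked rsa key
KEY_X=AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEkeyX          # a key nobody has seen before

write_sample_known_hosts() {
  # constructed sample file in the real known_hosts layout
  cat > "$1" <<EOF
# comment line
git.example.com,10.0.0.5 ssh-ed25519 $KEY_A
git.example.com ssh-rsa $KEY_B
[192.168.20.82]:2222 ecdsa-sha2-nistp256 $KEY_C
@revoked old.example.com ssh-rsa $KEY_D
|1|c2FsdHNhbHRzYWx0c2FsdHNhbHQ=|aGFzaGhhc2hoYXNoaGFzaGhhc2g= ssh-rsa $KEY_B
EOF
}

kh=$(mktemp)
write_sample_known_hosts "$kh"
check_host_key "$kh" git.example.com ssh-ed25519 "$KEY_A"                  # known
check_host_key "$kh" git.example.com ssh-ed25519 "$KEY_X"                  # MISMATCH
check_host_key "$kh" "[192.168.20.82]:2222" ecdsa-sha2-nistp256 "$KEY_C"   # known
check_host_key "$kh" 192.168.20.82 ecdsa-sha2-nistp256 "$KEY_C"            # unknown: port 22 token differs
check_host_key "$kh" old.example.com ssh-rsa "$KEY_D"                      # REVOKED
rm -f "$kh"
```

Two details worth noticing: the non-default port is part of the host token, so the same machine on port 22 and on port 2222 has separate entries, and a matching line anywhere in the file wins over a stale one, which is why ssh only raises the "changed" warning when no line for that host and key type matches.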
4.5 Common uses
Remote file transfer
Port forwarding