SSH基础操作
修改Linux系统主机名
[root@kelong-1 ~]# hostnamectl set-hostname ssh-server
ssh基本格式
ssh username@address
登录之前必须确认address可达
如果不指定username,默认会以当前shell的用户连接远端服务器
如果服务端没有当前shell的用户,是不可能连接成功的
[root@ssh-client ~]# ssh root@192.168.190.128
The authenticity of host '192.168.190.128 (192.168.190.128)' can't be established.
ECDSA key fingerprint is SHA256:MmODYVPkw0MaR+fcu/H5Q5+tYZzH+H+XIFfFbPWHSD0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.190.128' (ECDSA) to the list of known hosts.
root@192.168.190.128's password:
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Tue Mar 29 06:38:29 2022
SSH服务端的配置文件与安全
[root@ssh-server ~]# cd /etc/ssh
[root@ssh-server ssh]# ls
moduli ssh_config.d ssh_host_ecdsa_key ssh_host_ed25519_key ssh_host_rsa_key
ssh_config sshd_config ssh_host_ecdsa_key.pub ssh_host_ed25519_key.pub ssh_host_rsa_key.pub
默认ssh服务器在我们rhel8系统,有3对非堆成加密密钥
第一对
ssh_host_ecdsa_key
ssh_host_ecdsa_key.pub
第二对
ssh_host_ed25519_key
ssh_host_ed25519_key.pub
第三对
ssh_host_rsa_key
ssh_host_rsa_key.pub
非对称加密算法不仅仅只有rsa,还有dsa,ecdsa,ed25519
服务端是为了适配不同种类的客户端所以有多重非对称加密的密钥
sshd_config是ssh服务端的配置文件
ssh_config是ssh客户端的配置文件
一般我们的Linux系统都自带服务端和客户端,windows就是一种默认不带ssh客户端的系统。
[root@ssh-server ssh]# ssh-keygen -lf ssh_host_ecdsa_key ##查看指纹
256 SHA256:MmODYVPkw0MaR+fcu/H5Q5+tYZzH+H+XIFfFbPWHSD0 ssh_host_ecdsa_key.pub (ECDSA)
[root@ssh-client ssh]# ssh-keygen -lf ssh_host_ecdsa_key -E SHA1 ##查看不同加密算法的指纹
256 SHA1:xn7vdT3xhGK/l/rKI4mtxfqTKJc ssh_host_ecdsa_key.pub (ECDSA)
[root@ssh-server ssh]# ssh -o StrictHostKeyChecking=no 192.168.190.129 ##不做指纹检测,但记录远端服务器公钥至~/.ssh/known_hosts
Warning: Permanently added '192.168.190.129' (ECDSA) to the list of known hosts.
root@192.168.190.129's password:
SSH配置文件
17 #Port 22 ##ssh访问的端口号,可以修改
19 #ListenAddress 0.0.0.0 ##ssh监听的地址,0.0.0.0就表示监听所有的ipv4地址的22端口
23 HostKey /etc/ssh/ssh_host_rsa_key ##私钥
24 HostKey /etc/ssh/ssh_host_ecdsa_key ##私钥
25 HostKey /etc/ssh/ssh_host_ed25519_key ##私钥
47 PermitRootLogin yes ##如果是yes就是表示允许root通过ssh登录,如果是no就表示拒绝root通过ssh登录
52 #PubkeyAuthentication yes ##该参数如果是yes就表示支持基于公钥的认证
56 AuthorizedKeysFile .ssh/authorized_keys ##基于公钥验证方式开启后,公钥的存放位置
74 PasswordAuthentication yes ##该参数如果是yes就表示支持密码验证
147 # X11Forwarding no ##该参数表示是否支持X11转发,如果是yes就表示支持
注意修改完ssh配置文件需要重启sshd服务
因为改的配置文件只是在硬盘里
基于公钥认证
基于公钥认证的方式更安全,防止黑客暴力破解密码
1.第一步要将客户端的公钥传送到服务端
在客户端上通过ssh-keygen命令生成非对称加密密钥
[root@ssh-client ~]# ssh-keygen ##加-t用不同算法生成密钥对
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): ##密钥对的存放目录
Enter passphrase (empty for no passphrase): ##私钥的密码,可以设置为空
Enter same passphrase again: ##重新输入私钥的密码
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:Mx0y7+GuZlZ0XDyUvLpL4p0NxlLY77SwcjzBWH4zVTQ root@ssh-client
The key's randomart image is:
+---[RSA 2048]----+
| +.E.|
| * o|
| o .. . o.|
| =.++ . .|
| S.=*o. . |
| =o+=.+ |
| .=.*+oo |
| +o.*=O . |
| +..oo=o+ |
+----[SHA256]-----+
[root@ssh-client ~]# ssh-copy-id -p 22 root@192.168.190.128 ##将生成的公钥,利用ssh-copy-id命令传输到服务端,-i指定认证文件
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.190.128's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh -p '22' 'root@192.168.190.128'"
and check to make sure that only the key(s) you wanted were added.
2.客户端访问服务端的时候采用基于公钥认证方式
AuthorizedKeysFile .ssh/authorized_keys ##配置文件上面的参数,指定了基于公钥认证方式的客户端公钥存放位置