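1. The SSH protocol
SSH is short for Secure Shell. It is a network security protocol designed to secure remote login sessions and other network services. It encrypts data in transit, which effectively prevents information leaks during remote administration.
From the client's point of view, there are two authentication methods: password-based and key-based.
Asymmetric encryption
Public key: encrypts
Private key: decrypts
Not the other way around!!!
1.1 SSH login flow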
![](https://i-blog.csdnimg.cn/blog_migrate/85e4bd82514aacac47cab0576e774685.png)
1.2 SSH remote connection: key-based login
![](https://i-blog.csdnimg.cn/blog_migrate/1b6a7cec7b6139ce3eb498ae108eddc5.png)
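Notes:
First, generate a key pair (public key and private key) on the client machine
The client copies the generated public key to the server machine it needs to access
The client then sends a connection request that includes its IP and user name
When the server receives the client's request, it looks in authorized_keys; if it finds the matching IP and user, it generates a random string, for example: qwer
The server uses the public key copied over from the client to encrypt the random string qwer
Related commands
Generate a key pair: ssh-keygen -t rsa
Change to the .ssh directory: cd .ssh/
View the .ssh directory (in one step): cd .ssh && ll
Upload the key manually: ssh-copy-id 192.168.137.137 # IP of the target server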
1.2.1 OpenSSH
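OpenSSH is a free, open-source implementation of the SSH protocol.
OpenSSH consists of client and server software. The server is a daemon that runs in the background and responds to connection requests from clients; it is normally the sshd process, which handles remote connections.
The client side includes the ssh program as well as other applications such as scp (remote copy), slogin (remote login) and sftp (secure file transfer).
By default, CentOS ships with the OpenSSH service installed.
[root@centos6 ~]# yum list installed | grep openssh # check whether the openssh packages are installed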
openssh.x86_64 5.3p1-122.el6 @anaconda-CentOS-201703281317.x86_64/6.9
openssh-askpass.x86_64 5.3p1-122.el6 @anaconda-CentOS-201703281317.x86_64/6.9
openssh-clients.x86_64 5.3p1-122.el6 @anaconda-CentOS-201703281317.x86_64/6.9
openssh-server.x86_64 5.3p1-122.el6 @anaconda-CentOS-201703281317.x86_64/6.9
1.2.2 OpenSSH usage example
Goal: passwordless login
Machines
Client: CentOS 6
Label: a
ip:192.168.137.129
Server: CentOS 7
ip:192.168.137.130
Label: b
1. Generate a key pair (public key and private key) on machine a
[root@centos6 ~]# ssh-keygen -t rsa # press Enter 4 times
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
8e:55:4d:53:39:c6:ff:39:e5:16:39:35:a8:f2:d2:bc root@centos6
The key's randomart image is:
+--[ RSA 2048]----+
| ooo. |
| oo=..|
| . o. o+|
| o . +o|
| S= .*|
| + . + o+|
| . . . . ..|
| E |
| |
+-----------------+
[root@centos6 ~]# cd .ssh # change to the .ssh directory
[root@centos6 ~/.ssh]# ll # take a look
total 16
-rw-------. 1 root root  391 Nov 17 00:43 authorized_keys
-rw-------. 1 root root 1675 Nov 20 02:07 id_rsa # private key
-rw-r--r--. 1 root root  394 Nov 20 02:07 id_rsa.pub # public key
-rw-r--r--. 1 root root  794 Nov 17 00:43 known_hosts
2. Copy the public key to machine b
[root@centos6 ~/.ssh]# ssh-copy-id 192.168.137.130 # IP of machine b
The authenticity of host '192.168.137.130 (192.168.137.130)' can't be established.
RSA key fingerprint is cb:65:de:c5:99:52:fc:91:29:62:b6:ab:57:2f:e0:55.
Are you sure you want to continue connecting (yes/no)? yes # type yes to continue connecting
Warning: Permanently added '192.168.137.130' (RSA) to the list of known hosts.
root@192.168.137.130's password:
Now try logging into the machine, with "ssh '192.168.137.130'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
3. Switch to machine b and take a look
[root@CCC01 ~]# cd .ssh # change to the .ssh directory
[root@CCC01 .ssh]# ll # take a look
total 8
-rw-------. 1 root root 394 Nov 22 10:41 authorized_keys # this file was created
-rw-r--r--. 1 root root 397 Nov 20 17:19 known_hosts
[root@CCC01 .ssh]#
Switch back to machine a
[root@centos6 ~/.ssh]# ssh root@192.168.137.130 # try logging in to machine b from machine a
Last login: Tue Nov 22 09:59:13 2022 from 192.168.137.1
[root@CCC01 ~]# # login succeeded!
[root@CCC01 ~]# exit # try logging out
logout
Connection to 192.168.137.130 closed.
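[root@centos6 ~/.ssh]# # back on machine a
1.2.3 The asymmetry of public and private keys
Still using the machines above
Switch to machine b
[root@CCC01 .ssh]# ssh 192.168.137.129 # log in to machine a
root@192.168.137.129's password: # a password is still required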
Last login: Sun Nov 20 01:37:51 2022 from 192.168.137.1
[root@centos6 ~]#
If passwordless login is needed in both directions, repeat the procedure once more from machine b
[root@CCC01 ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:lFyJzqMt4N3UP4YoJ7wSDYf4TpoPLjtzEz5rM75PUAI root@CCC01
The key's randomart image is:
+---[RSA 2048]----+
|E ... |
| . ..o. |
| .... o+. |
| .o+ ..= . |
| .o B =So o |
| ..= O = . + |
| ..*.. * . . |
|+.@oo . |
|.O=Xo. |
+----[SHA256]-----+
[root@CCC01 ~]# ssh-copy-id 192.168.137.129
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.137.129's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '192.168.137.129'"
and check to make sure that only the key(s) you wanted were added.
[root@CCC01 ~]# ssh 192.168.137.129
[root@centos6 ~]# # test succeeded!
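Both ssh-copy-id runs above end by asking you to check authorized_keys for keys you did not expect, and the two ssh-keygen runs print fingerprints in two formats (MD5 colon-hex on CentOS 6, SHA256 base64 on CentOS 7). The following is an added example, not part of the original post: it computes both formats with the Python standard library and flags entries whose fingerprint is not in an expected set. The sample keys are constructed filler, and the names `fingerprints`, `blob_key_type`, `audit` and `sample_line` are illustrative.

```python
import base64, hashlib, struct

def fingerprints(blob: bytes) -> tuple[str, str]:
    """Return (MD5 colon-hex, SHA256 base64) fingerprints of a decoded key blob."""
    md5 = hashlib.md5(blob, usedforsecurity=False).hexdigest()
    md5_fp = ":".join(md5[i:i + 2] for i in range(0, 32, 2))
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return md5_fp, "SHA256:" + sha

def blob_key_type(blob: bytes) -> str:
    """A key blob starts with a 4-byte length followed by the algorithm name."""
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii")

def audit(text: str, expected: set[str]) -> list[tuple[int, str, str]]:
    """Return (line number, SHA256 fingerprint or '-', status) for each key line."""
    report = []
    for lineno, line in enumerate(text.splitlines(), 1):
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        # Key type = first token that looks like an algorithm name (skips options).
        idx = next((i for i, t in enumerate(tokens)
                    if t.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        try:
            blob = base64.b64decode(tokens[idx + 1], validate=True)
            if blob_key_type(blob) != tokens[idx]:
                raise ValueError("declared type does not match the blob")
        except (TypeError, IndexError, ValueError, struct.error):
            report.append((lineno, "-", "malformed"))
            continue
        sha = fingerprints(blob)[1]
        report.append((lineno, sha, "expected" if sha in expected else "UNEXPECTED"))
    return report

def sample_line(seed: bytes, comment: str) -> str:
    """Constructed ssh-rsa line for the demo; the modulus is filler, not a real key."""
    def s(b): return struct.pack(">I", len(b)) + b
    blob = s(b"ssh-rsa") + s(b"\x01\x00\x01") + s(b"\x00" + hashlib.sha256(seed).digest() * 8)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

A = sample_line(b"a", "root@centos6")        # the key we meant to install
B = sample_line(b"b", "someone@elsewhere")   # an extra key we did not expect
SAMPLE = "\n".join(["# constructed authorized_keys", A, B, "ssh-rsa not_base64!! broken"])

if __name__ == "__main__":
    want = {fingerprints(base64.b64decode(A.split()[1]))[1]}
    for row in audit(SAMPLE, want):
        print(*row)
```

To audit a real file, pass the contents of ~/.ssh/authorized_keys as `text` and the SHA256 fingerprints of the keys you installed as `expected`.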