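An In-Depth Introduction to Remote SSH Connections and HTTP on Linux

1. Setting up passwordless login

To set up passwordless login, we first create a key pair and then upload the public key to the designated file on the target server.

1> First, create the key pair

The ssh-keygen command creates the private and public keys used for authentication. By default the private key and public key are stored in the following locations:

~/.ssh/id_rsa  private key
~/.ssh/id_rsa.pub  public key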

[root@root .ssh]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:V2G8ASNS1ZGRzM2IXqgDoBuLrqtZNdxDHseFe/q1SK4 root@root
The key's randomart image is:
+---[RSA 3072]----+
|    ....oo=O=O   |
|   .  .o.ooo@.o  |
|  o   o.o+ ..o   |
| . = + o+ o..    |
|. o + + S+.      |
|.  . . .... .    |
| ..      + o .   |
|.o        + .    |
|*.      E.       |
+----[SHA256]-----+

[root@root ~]# cd /root/.ssh/
[root@root .ssh]# ll
total 12
-rw-------. 1 root root 2590 Jul 24 11:18 id_rsa
-rw-r--r--. 1 root root  563 Jul 24 11:18 id_rsa.pub

2> Once the key pair has been created, send the public key to the target server

 Using ssh-copy-id

[root@root .ssh]# ssh-copy-id root/192.168.38.130
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed

/usr/bin/ssh-copy-id: ERROR: ssh: Could not resolve hostname root/192.168.38.130: Name or service not known

[root@root .ssh]# ssh-copy-id root@192.168.38.130
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.38.130's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@192.168.38.130'"
and check to make sure that only the key(s) you wanted were added.

The public key can now be found on the other server:

[root@root .ssh]# ll
total 8
-rw-------. 1 root root 1126 Jul 24 20:30 authorized_keys
-rw-r--r--. 1 root root  176 Jul 24 14:46 known_hosts

 3> We can now log in to the second server over SSH without a password

[root@root .ssh]# ssh root@192.168.38.130
Activate the web console with: systemctl enable --now cockpit.socket

This system is not registered to Red Hat Insights. See https://cloud.redhat.com/
To register this system, run: insights-client --register

Last login: Sun Jul 24 20:12:36 2022 from 192.168.38.1
[root@root ~]# ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.38.130  netmask 255.255.255.0  broadcast 192.168.38.255
        inet6 fe80::20c:29ff:feb2:cb4e  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:b2:cb:4e  txqueuelen 1000  (Ethernet)
        RX packets 556  bytes 64404 (62.8 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 418  bytes 65460 (63.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
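
ssh-copy-id ends by asking you to "check to make sure that only the key(s) you wanted were added". The following is an added example, not part of the original post: it computes the same SHA256 fingerprint format that ssh-keygen prints for each line of an authorized_keys file and lists the keys you did not expect. The function names and the sample keys are constructed for illustration.

```python
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    """Length-prefixed field as used inside an SSH public key blob."""
    return struct.pack(">I", len(data)) + data

def fingerprint(line: str):
    """Return (key_type, 'SHA256:...', comment) for one authorized_keys line.

    Assumes the plain 'type base64 [comment]' form that ssh-copy-id appends;
    lines carrying leading options (command=..., from=...) are not handled.
    """
    key_type, b64, *rest = line.split(None, 2)
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    # The blob starts with its own copy of the key type; the two must agree.
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match the encoded key blob")
    digest = hashlib.sha256(blob).digest()
    fp = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return key_type, fp, rest[0].strip() if rest else ""

def unexpected_keys(authorized_keys: str, expected: set):
    """List (fingerprint, comment) for every key not in the expected set."""
    found = []
    for line in authorized_keys.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        _type, fp, comment = fingerprint(line)
        if fp not in expected:
            found.append((fp, comment))
    return found

def sample_line(seed: int, comment: str) -> str:
    """Constructed, well-formed ssh-ed25519 line (not a real key)."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes([seed]) * 32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"

# Constructed authorized_keys content: the key we installed plus one we did not.
OURS = sample_line(1, "root@root")
SAMPLE = "\n".join(["# constructed sample", OURS, sample_line(2, "unknown@host")])

if __name__ == "__main__":
    ours_fp = fingerprint(OURS)[1]
    for fp, comment in unexpected_keys(SAMPLE, {ours_fp}):
        print("unexpected key:", fp, comment)
```

On a real server, pass the contents of ~/.ssh/authorized_keys and the fingerprint shown by ssh-keygen when the key was created.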

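2. Allowing only the users student1 and student2 to log in

AllowUsers user1 user2    # Login whitelist (this setting is not present by default and has to be added by hand): the users allowed to log in remotely. A user who is not on the list is refused login.

1> First, create the two users student1 and student2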

[root@root ~]# useradd student1
[root@root ~]# passwd student1
Changing password for user student1.
New password: 
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: 
passwd: all authentication tokens updated successfully.
[root@root ~]# useradd student2
[root@root ~]# passwd student2
Changing password for user student2.
New password: 
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: 
passwd: all authentication tokens updated successfully.

2> Set the whitelist in the file /etc/ssh/sshd_config

 

** Remember to restart the ssh service

systemctl restart sshd.service

 3> Now verify, using the three users student1, student2 and rhcsa in turn

[student2@root root]$ ssh root@192.168.38.130
The authenticity of host '192.168.38.130 (192.168.38.130)' can't be established.
ECDSA key fingerprint is SHA256:ZZjkzKAVZ4iW4fvCD2fNjJ/GdZqTUuvoxRBnabrmXVg.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.38.130' (ECDSA) to the list of known hosts.
root@192.168.38.130's password: 
Activate the web console with: systemctl enable --now cockpit.socket

This system is not registered to Red Hat Insights. See https://cloud.redhat.com/
To register this system, run: insights-client --register

Last login: Sun Jul 24 20:34:54 2022 from 192.168.38.128
[root@root ~]#
[root@root ~]# su student1
[student1@root root]$ ssh root@192.168.38.130
The authenticity of host '192.168.38.130 (192.168.38.130)' can't be established.
ECDSA key fingerprint is SHA256:ZZjkzKAVZ4iW4fvCD2fNjJ/GdZqTUuvoxRBnabrmXVg.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.38.130' (ECDSA) to the list of known hosts.
root@192.168.38.130's password: 
Activate the web console with: systemctl enable --now cockpit.socket

This system is not registered to Red Hat Insights. See https://cloud.redhat.com/
To register this system, run: insights-client --register

Last login: Sun Jul 24 20:51:48 2022 from 192.168.38.130
[root@root ~]#
[root@root ~]# su rhcsa
[rhcsa@root root]$ ssh root@192.168.38.130
root@192.168.38.130's password: 
Permission denied, please try again.
root@192.168.38.130's password: 
Permission denied, please try again.
root@192.168.38.130's password: 
root@192.168.38.130: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
[rhcsa@root root]$ 

As shown, student1 and student2 can log in as the root user, while the rhcsa user cannot log in because of insufficient permissions.
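
AllowUsers is matched against the account being logged in to on the server, that is the name before @ in the ssh command, not against the local user who runs ssh. The following is an added example, not part of the original post: a simplified evaluator for AllowUsers lines using the page's user names. It ignores DenyUsers, AllowGroups/DenyGroups, Match blocks, negated patterns and CIDR host patterns, and its function names and sample configuration are constructed.

```python
import re

def _match(pattern: str, value: str) -> bool:
    """sshd-style wildcard: '*' is any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None

def allow_patterns(config_text: str) -> list:
    """Collect the patterns of every AllowUsers line (keyword is case-insensitive)."""
    patterns = []
    for line in config_text.splitlines():
        parts = line.split()
        if parts and parts[0].lower() == "allowusers":
            patterns.extend(parts[1:])
    return patterns

def login_permitted(config_text: str, remote_user: str, client_host: str) -> bool:
    """remote_user is the name before '@' in `ssh user@host` (the server account)."""
    patterns = allow_patterns(config_text)
    if not patterns:
        return True          # no AllowUsers line: the whitelist is not in effect
    for pattern in patterns:
        user_pat, _, host_pat = pattern.partition("@")
        if _match(user_pat, remote_user) and (not host_pat or _match(host_pat, client_host)):
            return True
    return False

# Constructed sshd_config excerpt using the page's user names.
SAMPLE_CONFIG = """\
# /etc/ssh/sshd_config (constructed excerpt)
PermitRootLogin yes
AllowUsers student1 student2
"""

if __name__ == "__main__":
    for user in ("student1", "student2", "rhcsa", "root"):
        ok = login_permitted(SAMPLE_CONFIG, user, "192.168.38.128")
        print(f"ssh {user}@192.168.38.130 -> {'allowed' if ok else 'denied'}")
```

On the server itself, running sshd -t before restarting the service checks the edited file for syntax errors.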
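3. Differences between GET and POST

1. In behaviour: GET can be cached, POST is not

GET is less secure, POST is better

GET is harmless when the browser navigates back, whereas POST submits the request again

GET request parameters are kept in full in the browser history, whereas POST parameters are not


2. In function: GET retrieves data from the server, while POST sends data to the server


3. In length: when GET sends data it appends the data to the URL, and URL length is limited, so GET is limited in length, while POST has no length limit

4. HTTP status codes: which ones are commonly used?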

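  • Status code: consists of three digits. The first digit defines the class of the response and has five possible values.
    • 1xx: Informational. The request has been received and processing continues
    • 2xx: Success. The request has been successfully received, understood and accepted
    • 3xx: Redirection. Further action must be taken to complete the request
    • 4xx: Client error. The request contains a syntax error or cannot be fulfilled
    • 5xx: Server error. The server failed to fulfil a valid request
    • Common status codes and their descriptions:
      • 200 OK: the client request succeeded
      • 400 Bad Request: the client request has a syntax error and cannot be understood by the server
      • 401 Unauthorized: the request is not authorized; this status code must be used together with the WWW-Authenticate header field
      • 403 Forbidden: the server received the request but refuses to serve it
      • 404 Not Found: the requested resource does not exist, for example because a wrong URL was entered
      • 500 Internal Server Error: the server encountered an unexpected error
      • 503 Service Unavailable: the server currently cannot process the client's request and may recover after some time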


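5. HTTP request messages and response messages

An HTTP request message consists of a request line, request headers, a blank line and the request message body.

 

An HTTP response message consists of a start line, response headers, a blank line and the response message body.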
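
The following is an added example, not part of the original post, covering the GET/POST comparison in section 3 and the message layout described here: it splits raw messages at the blank line and reports where the form fields travel. With GET they sit in the request line, which is the part that ends up in browser history and server access logs; with POST they sit in the body, and neither is encrypted unless HTTPS is used. The function names and sample messages are constructed.

```python
from urllib.parse import urlsplit, parse_qs

def parse_message(raw: bytes):
    """Split a raw HTTP/1.1 message into (start_line, headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")   # the blank line ends the headers
    if not sep:
        raise ValueError("no blank line between headers and body")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def request_params(raw: bytes):
    """Return (method, where, params): where the form fields travel."""
    start, headers, body = parse_message(raw)
    method, target, _version = start.split(" ", 2)
    query = parse_qs(urlsplit(target).query)
    if query:
        return method, "request line (URL)", query
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        return method, "message body", parse_qs(body.decode())
    return method, "none", {}

def response_status(raw: bytes):
    """Return (code, reason, class) from a response start line."""
    start, _headers, _body = parse_message(raw)
    _version, code, reason = start.split(" ", 2)
    classes = {"1": "informational", "2": "success", "3": "redirection",
               "4": "client error", "5": "server error"}
    return int(code), reason, classes[code[0]]

# Constructed sample messages.
GET_REQ = (b"GET /login?user=alice&token=s3cret HTTP/1.1\r\n"
           b"Host: example.test\r\n\r\n")
POST_REQ = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: 23\r\n\r\nuser=alice&token=s3cret")
RESPONSE = (b"HTTP/1.1 401 Unauthorized\r\n"
            b"WWW-Authenticate: Basic realm=\"demo\"\r\n"
            b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for req in (GET_REQ, POST_REQ):
        print(parse_message(req)[0], "->", request_params(req)[1])
    print(response_status(RESPONSE))
```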

 
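6. How HTTP maintains connection state

It is implemented with cookie + session.

cookie:

A cookie is generated by the server and sent to the browser. The browser saves the cookie's key/value in a text file in some directory and automatically sends the cookie back to the server the next time it requests the same site.

Cookies can be used to persist state across sessions on a web site.

session:

A session is another mechanism for recording client state. It is built on cookies; the difference is that a cookie is stored in the client's browser, while the session is stored on the server.

When the client browser accesses the server, the server records the client's information on the server in some form; this is the session. When the client browser visits again, the server only needs to look up that client's state in the session.

From this look at cookies and sessions, we can see that a cookie is essentially a file; it is generally carried in the request header and stored in the browser.

Because cookies are not very secure (someone else can analyze a cookie stored locally and carry out cookie spoofing), sessions should be used when security is the concern.

Sessions, moreover, are kept on the server for a certain period of time. As traffic grows they take up more of your server's performance, so to reduce the load on the server, cookies should be used.

So, all things considered, we usually use cookie + session together to maintain state. The concrete implementation is shown in the figure below: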

 
