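1. Set up passwordless login
To set up passwordless login, we first create a key pair and then upload the public key to the designated file on the target server.
1> First, create the key pair
The ssh-keygen command creates the private and public keys used for authentication. By default they are stored in the following locations:
~/.ssh/id_rsa private key
~/.ssh/id_rsa.pub public key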
[root@root .ssh]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:V2G8ASNS1ZGRzM2IXqgDoBuLrqtZNdxDHseFe/q1SK4 root@root
The key's randomart image is:
+---[RSA 3072]----+
| ....oo=O=O |
| . .o.ooo@.o |
| o o.o+ ..o |
| . = + o+ o.. |
|. o + + S+. |
|. . . .... . |
| .. + o . |
|.o + . |
|*. E. |
+----[SHA256]-----+
[root@root ~]# cd /root/.ssh/
[root@root .ssh]# ll
total 12
-rw-------. 1 root root 2590 Jul 24 11:18 id_rsa
-rw-r--r--. 1 root root 563 Jul 24 11:18 id_rsa.pub
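2> With the key pair created, send the public key to the target server
Use ssh-copy-id. The target is written as user@host: the first attempt below uses root/192.168.38.130 and fails to resolve the hostname, the second uses root@192.168.38.130 and succeeds.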
[root@root .ssh]# ssh-copy-id root/192.168.38.130
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: ERROR: ssh: Could not resolve hostname root/192.168.38.130: Name or service not known
[root@root .ssh]# ssh-copy-id root@192.168.38.130
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.38.130's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@192.168.38.130'"
and check to make sure that only the key(s) you wanted were added.
The public key can now be found on the other server, in authorized_keys:
[root@root .ssh]# ll
total 8
-rw-------. 1 root root 1126 Jul 24 20:30 authorized_keys
-rw-r--r--. 1 root root 176 Jul 24 14:46 known_hosts
3> We can now log in to the second server over ssh without a password
[root@root .ssh]# ssh root@192.168.38.130
Activate the web console with: systemctl enable --now cockpit.socket
This system is not registered to Red Hat Insights. See https://cloud.redhat.com/
To register this system, run: insights-client --register
Last login: Sun Jul 24 20:12:36 2022 from 192.168.38.1
[root@root ~]# ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.38.130 netmask 255.255.255.0 broadcast 192.168.38.255
inet6 fe80::20c:29ff:feb2:cb4e prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:b2:cb:4e txqueuelen 1000 (Ethernet)
RX packets 556 bytes 64404 (62.8 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 418 bytes 65460 (63.9 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
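2. Allow only the users student1 and student2 to log in
AllowUsers user1 user2 # Login allowlist (not present by default, it has to be added manually): the users allowed to log in remotely. A user who is not on the list is refused.
1> First, create the two users student1 and student2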
[root@root ~]# useradd student1
[root@root ~]# passwd student1
Changing password for user student1.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
[root@root ~]# useradd student2
[root@root ~]# passwd student2
Changing password for user student2.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
2> Set the allowlist in the file /etc/ssh/sshd_config
**Remember to restart the ssh service
systemctl restart sshd.service
3> Now verify the setting, testing with the three users student1, student2 and rhcsa in turn
[student2@root root]$ ssh root@192.168.38.130
The authenticity of host '192.168.38.130 (192.168.38.130)' can't be established.
ECDSA key fingerprint is SHA256:ZZjkzKAVZ4iW4fvCD2fNjJ/GdZqTUuvoxRBnabrmXVg.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.38.130' (ECDSA) to the list of known hosts.
root@192.168.38.130's password:
Activate the web console with: systemctl enable --now cockpit.socket
This system is not registered to Red Hat Insights. See https://cloud.redhat.com/
To register this system, run: insights-client --register
Last login: Sun Jul 24 20:34:54 2022 from 192.168.38.128
[root@root ~]#
[root@root ~]# su student1
[student1@root root]$ ssh root@192.168.38.130
The authenticity of host '192.168.38.130 (192.168.38.130)' can't be established.
ECDSA key fingerprint is SHA256:ZZjkzKAVZ4iW4fvCD2fNjJ/GdZqTUuvoxRBnabrmXVg.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.38.130' (ECDSA) to the list of known hosts.
root@192.168.38.130's password:
Activate the web console with: systemctl enable --now cockpit.socket
This system is not registered to Red Hat Insights. See https://cloud.redhat.com/
To register this system, run: insights-client --register
Last login: Sun Jul 24 20:51:48 2022 from 192.168.38.130
[root@root ~]#
[root@root ~]# su rhcsa
[rhcsa@root root]$ ssh root@192.168.38.130
root@192.168.38.130's password:
Permission denied, please try again.
root@192.168.38.130's password:
Permission denied, please try again.
root@192.168.38.130's password:
root@192.168.38.130: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
[rhcsa@root root]$
As shown above, student1 and student2 can log in as the root user, while the rhcsa user cannot log in because it lacks permission.
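An added example (not from the original page), in Python so it runs offline, of how sshd applies the allowlist: AllowUsers is matched against the account being logged in to on the server, the name before @ in the ssh command, not against the local user who runs ssh. The config text is a constructed sample; the sketch reads only the global section, and DenyUsers, USER@HOST and negated patterns are out of scope.

```python
import re

# Constructed sample of /etc/ssh/sshd_config; only the AllowUsers line
# mirrors the setting described in the text.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
AllowUsers student1 student2
Match Address 10.0.0.0/8
    AllowUsers backup
"""


def pattern_to_regex(pattern):
    """Translate an sshd user pattern ('*' and '?' wildcards) to a regex."""
    if "@" in pattern or pattern.startswith("!"):
        raise ValueError(f"pattern not handled by this sketch: {pattern}")
    body = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern
    )
    return re.compile(body + r"\Z")


def global_allow_users(config_text):
    """Collect AllowUsers patterns from the global section (before any Match)."""
    patterns = []
    for raw in config_text.splitlines():
        fields = raw.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        keyword = fields[0].lower()  # sshd keywords are case-insensitive
        if keyword == "match":
            break  # conditional blocks are outside this sketch
        if keyword == "allowusers":
            patterns.extend(fields[1:])  # repeated lines accumulate
    return patterns


def login_allowed(config_text, account):
    """True if `account` (the name before @ in `ssh account@host`) passes."""
    patterns = global_allow_users(config_text)
    if not patterns:
        return True  # no AllowUsers line: this check restricts nobody
    return any(pattern_to_regex(p).match(account) for p in patterns)


if __name__ == "__main__":
    for account in ("student1", "student2", "root", "rhcsa"):
        verdict = "allowed" if login_allowed(SAMPLE_SSHD_CONFIG, account) else "denied"
        print(f"ssh {account}@192.168.38.130 -> {verdict}")
```

On the server, `sshd -t` checks the edited file for syntax errors before the restart, and the matching test from a client is `ssh student1@192.168.38.130`.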
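3. Differences between GET and POST
1. In behaviour: GET can be cached, POST is not
GET is less secure, POST is better
GET is harmless when the browser goes back, while POST submits the request again
GET request parameters are kept in full in the browser history, while POST parameters are not
2. In function: GET retrieves data from the server, while POST sends data to the server
3. In length: GET sends data by appending it to the URL, and URL length is limited, so GET length is limited, while POST has no length limit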
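4. HTTP status codes: which ones are commonly used?
- Status code: made up of three digits. The first digit defines the class of the response and has five possible values.
- 1xx: Informational. The request has been received and processing continues
- 2xx: Success. The request has been successfully received, understood and accepted
- 3xx: Redirection. Further action is needed to complete the request
- 4xx: Client error. The request has a syntax error or cannot be fulfilled
- 5xx: Server error. The server failed to fulfil a valid request
- Common status codes and their descriptions:
- 200 OK: the client request succeeded
- 400 Bad Request: the client request has a syntax error and cannot be understood by the server
- 401 Unauthorized: the request is not authorized; this status code must be used together with the WWW-Authenticate header field
- 403 Forbidden: the server received the request but refuses to serve it
- 404 Not Found: the requested resource does not exist, for example because a wrong URL was entered
- 500 Internal Server Error: the server encountered an unexpected error
- 503 Service Unavailable: the server cannot handle the client's request at the moment and may recover after some time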
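5. HTTP request and response messages
An HTTP request message consists of a request line, request headers, a blank line and the request body.
An HTTP response message consists of a start line, response headers, a blank line and the response body.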
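6. How HTTP maintains connection state
Implemented with cookie + session
cookie:
A cookie is generated by the server and sent to the browser. The browser saves the cookie's key/value in a text file in some directory and automatically sends the cookie to the server on the next request to the same site.
Cookies can be used to keep state persistently across sessions on a web site.
session:
A session is another mechanism for recording client state and is built on cookies. The difference is that a cookie is stored in the client's browser, while a session is stored on the server.
When the client browser accesses the server, the server records the client's information on the server in some form; this is the session. When the browser visits again, the server only needs to look up that client's state in the session.
From this look at cookies and sessions, we can see that a cookie is essentially a file: it is usually carried in the request headers and stored in the browser.
Because cookies are not very secure (someone can analyze a cookie stored locally and use it for cookie spoofing), sessions should be used where security is the concern.
A session, however, is kept on the server for a certain period of time. As traffic grows it takes up more of the server's resources, so where reducing server load is the concern, cookies should be used.
Weighing both, we usually use cookie + session together to maintain state. The concrete implementation is shown in the figure below: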
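An added example (not part of the original page) of the cookie + session combination described above: the cookie carries only a random session ID and the state stays on the server, so an ID the server never issued, or one that has expired, resolves to no user. The cookie name sid, the 30-minute lifetime and the in-memory dict store are assumptions made for the illustration.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 1800   # seconds; assumed lifetime for this illustration
SESSIONS = {}        # server side: session id -> (expires_at, state)


def login(username, now=None):
    """Create server-side state and return the Set-Cookie header value."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)          # unguessable, carries no data
    SESSIONS[sid] = (now + SESSION_TTL, {"user": username})
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["path"] = "/"
    cookie["sid"]["httponly"] = True         # not readable from page scripts
    cookie["sid"]["secure"] = True           # sent over HTTPS only
    cookie["sid"]["samesite"] = "Lax"        # limits cross-site sending
    return cookie["sid"].OutputString()


def current_user(cookie_header, now=None):
    """Resolve a Cookie request header to a user name, or None."""
    now = time.time() if now is None else now
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    if "sid" not in jar:
        return None
    sid = jar["sid"].value
    entry = SESSIONS.get(sid)
    if entry is None:
        return None                          # ID was never issued by us
    expires_at, state = entry
    if now >= expires_at:
        del SESSIONS[sid]                    # expired: drop server state
        return None
    return state["user"]


if __name__ == "__main__":
    header = login("student1")
    print("Set-Cookie:", header)
    print("valid cookie ->", current_user(header.split(";", 1)[0]))
    print("forged cookie ->", current_user("sid=forged-value"))
```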