OpenSSH is the open-source implementation of SSH (Secure Shell). The SSH protocol is used for file transfer and for remote logins, with the whole session encrypted and the server authenticated by its host key.
Clients:
Linux: ssh
Windows: PuTTY, SecureCRT, Xshell, etc.
Server:
sshd
Login syntax:
[kiosk@foundation80 ~]$ ssh root@172.25.80.100 ##ssh <user to log in as>@<server ip address>
The authenticity of host '172.25.80.100 (172.25.80.100)' can't be established. ##on the first connection to an unknown host the client shows the
ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08. ##server's host-key fingerprint; after "yes" it is recorded in
Are you sure you want to continue connecting (yes/no)? ##~/.ssh/known_hosts and every later connection is checked against that record
root@172.25.80.200's password: ##enter the password to complete the login
Last login: Fri Apr 13 07:35:55 2018
[root@localhost ~]# exit ##close the current session
logout
Connection to 172.25.80.200 closed.
###Before answering "yes", compare the fingerprint with one obtained out of band, for example by running ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub on the server console (add -E md5 on OpenSSH 6.8 or later to get the colon-separated hex form shown above). Accepting an unverified key records whatever host answered, including a man-in-the-middle, as the genuine server.
###By default the connection only provides a shell; to run the remote host's graphical programs add "-X" (X11 forwarding). Use this only with servers you trust, because a forwarded X11 connection gives the remote side access to your local display.
OpenSSH configuration files
/etc/ssh/
ssh_config ##client-side configuration
sshd_config ##server-side configuration
[root@localhost ~]# man 5 sshd_config ##documents every parameter; a line starting with # is a comment, so the parameter on it is not in effect (the stock file lists the compiled-in defaults that way)
Commonly used:
Port ** ##change the port the service listens on; clients must then connect with -p <port>
ListenAddress ##serve only on the given local ip address
PermitRootLogin yes ##whether root may log in remotely; once key authentication works, set this to no, or to prohibit-password (without-password on older releases) to keep root key logins while refusing the root password
AllowUsers ##login whitelist
DenyUsers ##login blacklist. Both may be set at once: sshd evaluates DenyUsers first, then AllowUsers, then DenyGroups, then AllowGroups, so a user must not appear in DenyUsers and, if AllowUsers is set, must be listed in it
After changing the file, check the syntax (sshd -t) so a typo cannot lock you out of a remote box, then reload the configuration:
[root@localhost ~]# systemctl reload sshd
Service management in Linux: systemctl <action> <service>
systemctl start sshd #start the service
systemctl stop sshd #stop the service
systemctl status sshd #show the service status
systemctl restart sshd #restart the service
systemctl reload sshd #make the service re-read its configuration
systemctl enable sshd #start the service at boot
systemctl disable sshd #do not start the service at boot
systemctl list-unit-files #show the boot-time state of every unit
systemctl list-units #show the units currently loaded
systemctl set-default graphical.target #boot into the graphical target
systemctl set-default multi-user.target #boot into the text-mode (multi-user) target
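The following is an added example and not part of the original notes. It audits an sshd_config the way sshd reads it, applying two rules from sshd_config(5): a line starting with # is a comment, and for every keyword the first value in the file wins (later duplicates are silently ignored, which is why a hardened line appended at the bottom of the stock file may change nothing). It then flags the weak settings discussed above. The two sample files are constructed for this example; the assumed defaults for unset keywords (PermitRootLogin yes, PasswordAuthentication yes) are those of the OpenSSH 6.x era of these notes, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original notes): audit an sshd_config using
# sshd's own reading rules, then report weak settings.

# effective_value FILE KEYWORD
# Prints the value sshd would use for KEYWORD: the first non-comment line whose
# first word matches (case-insensitive, "Key=value" form accepted). Stops at the
# first Match block, because values inside it are conditional.
effective_value() {
    awk -v kw="$2" '
        /^[[:space:]]*#/ { next }                 # comment line, not in effect
        { gsub(/=/, " ") }                        # allow Port=2222
        NF == 0 { next }                          # blank line
        tolower($1) == "match" { exit }           # rest of file is conditional
        tolower($1) == tolower(kw) {
            $1 = ""; sub(/^[[:space:]]+/, ""); print; exit
        }
    ' "$1"
}

# audit_sshd_config FILE
# Prints one WEAK line per risky global setting; the return value is the number
# found. Unset keywords take the assumed OpenSSH 6.x defaults noted in the lead-in.
audit_sshd_config() {
    cfg=$1
    weak=0
    root=$(effective_value "$cfg" PermitRootLogin);           : "${root:=yes}"
    pass=$(effective_value "$cfg" PasswordAuthentication);    : "${pass:=yes}"
    empty=$(effective_value "$cfg" PermitEmptyPasswords);     : "${empty:=no}"
    if [ "$root" = yes ]; then
        echo "WEAK: PermitRootLogin $root (use no, or prohibit-password to keep key logins)"
        weak=$((weak + 1))
    fi
    if [ "$pass" = yes ]; then
        echo "WEAK: PasswordAuthentication yes (turn off once key authentication works)"
        weak=$((weak + 1))
    fi
    if [ "$empty" = yes ]; then
        echo "WEAK: PermitEmptyPasswords yes"
        weak=$((weak + 1))
    fi
    return "$weak"
}

# Constructed sample files. BEFORE mirrors the stock file with the defaults left
# commented out and a "no" appended below an earlier "yes" (the "yes" wins).
# AFTER is the hardened version; its Match block only relaxes things for one user.
BEFORE=$(mktemp)
AFTER=$(mktemp)
trap 'rm -f "$BEFORE" "$AFTER"' EXIT
cat >"$BEFORE" <<'EOF'
#Port 22
#PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
EOF
cat >"$AFTER" <<'EOF'
Port 2222
ListenAddress 172.25.80.100
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
AllowUsers kiosk
Match User kiosk
    PasswordAuthentication yes
EOF

audit_sshd_config "$BEFORE" || echo "before: $? weak setting(s)"   # before: 2 weak setting(s)
audit_sshd_config "$AFTER" && echo "after: clean"
```

Run it against the real file with effective_value /etc/ssh/sshd_config PermitRootLogin to see what sshd actually applies. The check to run before systemctl reload sshd is sshd -t -f /etc/ssh/sshd_config, which validates syntax only; the policy judgement is what this audit adds.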
Key-based authentication
[root@localhost ~]# ssh-keygen ##generate a key pair (2048-bit RSA by default on this release; ssh-keygen -t ed25519 is the better choice on OpenSSH 6.5 and later)
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): ##file the key pair is written to
Enter passphrase (empty for no passphrase): ##with an empty passphrase anyone who copies id_rsa can log in as you; prefer a passphrase and load the key into ssh-agent
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa. ##private key: stays with the account that will connect, mode 600
Your public key has been saved in /root/.ssh/id_rsa.pub. ##public key: this is what gets installed on the server
The key fingerprint is:
e0:89:c9:5f:58:77:1d:ba:1a:1f:0d:fb:23:55:75:63 root@localhost
The key's randomart image is:
+--[ RSA 2048]----+
| .Eo|
| o..+|
| . . . + . .|
| . + = . . = . |
| + + S . + o |
| . . + + |
| . . o o |
| . . |
| |
+-----------------+
[root@localhost ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.25.80.100
The authenticity of host '172.25.80.100 (172.25.80.100)' can't be established.
ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@172.25.80.100's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@172.25.80.100'"
and check to make sure that only the key(s) you wanted were added.
## ssh-copy-id ##installs a public key into the remote account's ~/.ssh/authorized_keys (it does not encrypt anything; it logs in once with the password and appends the key)
## -i ##the key file to install
## /root/.ssh/id_rsa.pub ##the public key (never the private id_rsa)
## root ##the remote account that will accept this key
## 172.25.80.100 ##the server's ip address
For key authentication the private key (id_rsa) must be in the .ssh/ directory of the account that runs ssh on the client, and the public key must be in authorized_keys of the target account on the server. In these notes the pair was generated on the server, so the private key is moved to the client afterwards. The usual and safer order is the reverse: run ssh-keygen on the client, keep id_rsa there with mode 600 (ssh refuses a private key that is group- or world-readable), and push only id_rsa.pub to the server with ssh-copy-id, so the private key never crosses the network or sits on the server.
For copying over the network, scp can be used:
[kiosk@foundation80 ~]$ scp root@172.25.80.100:/root/.ssh/id_rsa ~/.ssh/ ##on the client, pull the private key from the server
root@172.25.80.100's password: ##into ~/.ssh/ of the client user
id_rsa 100% 1675 1.6KB/s 00:00
[root@localhost ~]# scp ~/.ssh/id_rsa root@172.25.80.250:/home/kiosk/.ssh/ ##or, on the server, push the private key
The authenticity of host '172.25.80.250 (172.25.80.250)' can't be established. ##into a user's ~/.ssh/ directory on the client
ECDSA key fingerprint is 05:eb:75:10:96:04:ec:c6:f4:28:ed:d0:fd:73:85:31.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.25.80.250' (ECDSA) to the list of known hosts.
root@172.25.80.250's password:
id_rsa 100% 1675 1.6KB/s 00:00
[kiosk@foundation80 .ssh]$ ssh root@172.25.80.100
Last login: Fri Apr 13 11:03:46 2018 from 172.25.80.250
##With the private key in kiosk's ~/.ssh/ on the client, kiosk now logs in to the server as root without a password prompt: the server matches the key against its authorized_keys (the root login is still accepted only because PermitRootLogin was left at yes)
[root@localhost ~]# rm -rf /root/.ssh/authorized_keys ##on the server, remove the file holding the accepted public keys
[root@localhost ~]# exit
logout
Connection to 172.25.80.100 closed.
[kiosk@foundation80 .ssh]$ ssh root@172.25.80.100
root@172.25.80.100's password:
Last login: Fri Apr 13 11:13:52 2018 from 172.25.80.250
##With authorized_keys gone the server no longer accepts the client's private key and falls back to asking for the password. To revoke a single key, delete only its line from authorized_keys rather than the whole file
[root@localhost ~]# cp /root/.ssh/id_rsa.pub /root/.ssh/authorized_keys ##recreate authorized_keys from the public key; this is what ssh-copy-id did, except that cp overwrites any other keys (append with >> instead) and the file must stay mode 600 or sshd's StrictModes ignores it
[root@localhost ~]# exit
logout
Connection to 172.25.80.100 closed.
[kiosk@foundation80 .ssh]$ ssh root@172.25.80.100
Last login: Fri Apr 13 11:17:17 2018 from 172.25.80.250
[root@localhost ~]#
##With authorized_keys back in place the private key is accepted again and the login needs no password
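The following is an added example and not part of the original notes. It writes out the server-side bookkeeping that ssh-copy-id performs when it installs the public key, and adds the per-key revocation that the notes approximate with rm -rf: install_key appends a key to authorized_keys only if the same key is not already there (matching on key type and blob, so a re-run or a renamed comment adds no duplicate) and enforces the 700/600 modes that sshd's StrictModes requires; revoke_key removes one key and leaves the others working. The public keys are constructed filler, not real key material, the directory is passed in so the example runs in a scratch location, and the function names are the example's own. Lines carrying a leading options field (from="...", command="...") are not handled.

```shell
#!/bin/sh
# Added example (not from the original notes): the authorized_keys handling
# behind ssh-copy-id, plus revocation of a single key.

# Constructed sample public keys for this example; the base64 is filler.
KEY_LAPTOP='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleNotARealKey000000000000000000000 kiosk@foundation80'
KEY_CI='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleNotARealKey00000000000000000000 ci@build'

# install_key SSH_DIR "type blob comment"
# Appends the key unless an identical type+blob is already present.
install_key() {
    dir=$1
    key=$2
    ak="$dir/authorized_keys"
    mkdir -p "$dir" && chmod 700 "$dir"      # sshd ignores the file if ~/.ssh is group/world-writable
    touch "$ak" && chmod 600 "$ak"
    # compare on fields 1 and 2 only, so the same key with a different comment
    # is not installed twice
    blob=$(printf '%s\n' "$key" | awk '{ print $1, $2 }')
    if awk -v b="$blob" '($1 " " $2) == b { found = 1 } END { exit !found }' "$ak"; then
        return 0                             # already installed
    fi
    printf '%s\n' "$key" >> "$ak"
}

# revoke_key SSH_DIR PATTERN
# Drops every line containing PATTERN (a comment such as ci@build, or part of
# the key blob) and keeps the remaining keys, unlike rm -rf on the whole file.
revoke_key() {
    ak="$1/authorized_keys"
    [ -f "$ak" ] || return 0
    tmp=$(mktemp)
    grep -v -F -- "$2" "$ak" > "$tmp" || true   # grep exits 1 when no line is left
    cat "$tmp" > "$ak"                          # rewrite in place: owner and mode 600 are kept
    rm -f "$tmp"
}

# key_count SSH_DIR: number of keys the server would accept
key_count() {
    if [ -f "$1/authorized_keys" ]; then
        awk 'NF { n++ } END { print n + 0 }' "$1/authorized_keys"
    else
        echo 0
    fi
}

# Demo in a scratch directory standing in for /root/.ssh on the server
SCRATCH=$(mktemp -d)/.ssh
install_key "$SCRATCH" "$KEY_LAPTOP"
install_key "$SCRATCH" "$KEY_LAPTOP"         # no-op: already present
install_key "$SCRATCH" "$KEY_CI"
echo "installed: $(key_count "$SCRATCH")"    # installed: 2
revoke_key "$SCRATCH" ci@build
echo "after revoking ci@build: $(key_count "$SCRATCH")"   # after revoking ci@build: 1
```

To use it on a real server, pass /root/.ssh (or the target user's ~/.ssh) as the directory and the contents of the client's id_rsa.pub as the key; the client's private key never needs to leave the client.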