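Linux: remote connections with OpenSSH

OpenSSH is the open-source implementation of SSH (Secure Shell). The SSH protocol can be used to transfer files and to make remote connections.

Clients:

Linux: ssh

Windows: PuTTY, SecureCRT, Xshell, etc.

Server:

sshd

Login format: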

[kiosk@foundation80 ~]$ ssh root@172.25.80.100                                        ##ssh username@server-IP-address
The authenticity of host '172.25.80.100 (172.25.80.100)' can't be established.        ##On the first connection to an unknown host,
ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.             ##.ssh/known_hosts is created automatically in the user's home directory
Are you sure you want to continue connecting (yes/no)?                                ##to record information about the hosts that have been connected to
root@172.25.80.200's password:                                                        ##Enter the password; the connection succeeds
Last login: Fri Apr 13 07:35:55 2018
[root@localhost ~]# exit                                                              ##Exit the current connection
logout
Connection to 172.25.80.200 closed.

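###By default the connection provides only a shell; to open graphical programs from the remote host, add the "-X" option

OpenSSH configuration files

/etc/ssh/

ssh_config                        ##Client configuration file

sshd_config                     ##Server configuration file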

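[root@localhost ~]# man 5 sshd_config            ##Shows how to set each parameter in the configuration file; a leading # comments the line out, so the parameter does not take effect
Commonly used:
Port **                ##Changes the port the service uses; the service is then reached on that port
ListenAddress          ##Provides the service only on the given IP address
PermitRootLogin yes    ##Whether the root user may connect remotely
AllowUsers             ##Login whitelist
DenyUsers              ##Login blacklist; only one of the blacklist and whitelist can be in effect at a time

After making changes, reload the configuration file:

[root@localhost ~]# systemctl reload sshd

Service management in Linux

systemctl    action    service

systemctl start sshd         #Start the service
systemctl stop sshd          #Stop the service
systemctl status sshd        #Show the service status
systemctl restart sshd       #Restart the service
systemctl reload sshd        #Make the service reload its configuration
systemctl enable sshd        #Start the service at boot
systemctl disable sshd       #Do not start the service at boot
systemctl list-unit-files       #Show the boot-time state of every service on the system
systemctl list-units            #Show every service currently running on the system
systemctl set-default graphical.target    #Start the graphical interface at boot
systemctl set-default multi-user.target   #Do not start the graphical interface at boot
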
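An added example (not part of the original post) that audits a configuration file for the sshd_config keywords listed above before the service is reloaded. The function names, the sample file and the wording of the findings are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the sshd_config keywords discussed above.
# Only the global section is read (parsing stops at the first Match line,
# a simplification); keyword names are case-insensitive.

# values <keyword> <file>: print every value given for the keyword.
values() {
    awk -v k="$1" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { $1 = ""; sub(/^[ \t]+/, ""); print }' "$2"
}

# audit_sshd_config <file>: print findings; the return status is their count.
audit_sshd_config() {
    cfg=$1; n=0
    # For a single-valued keyword sshd uses the first value it reads.
    root=$(values PermitRootLogin "$cfg" | head -n 1)
    case $(printf '%s' "$root" | tr 'A-Z' 'a-z') in
        yes) echo "PermitRootLogin yes: root may log in remotely"; n=$((n+1)) ;;
        "")  echo "PermitRootLogin unset: version-dependent default applies"; n=$((n+1)) ;;
    esac
    allow=$(values AllowUsers "$cfg" | paste -sd ' ' -)
    deny=$(values DenyUsers "$cfg" | paste -sd ' ' -)
    if [ -z "$allow" ] && [ -z "$deny" ]; then
        echo "no AllowUsers/DenyUsers list: logins are not restricted by user name"; n=$((n+1))
    elif [ -n "$allow" ] && [ -n "$deny" ]; then
        echo "both AllowUsers ($allow) and DenyUsers ($deny) are set"; n=$((n+1))
    fi
    [ -n "$(values ListenAddress "$cfg")" ] ||
        { echo "no ListenAddress: sshd listens on all local addresses"; n=$((n+1)); }
    return "$n"
}

# Constructed sample: the second PermitRootLogin line is ignored by sshd.
sample=$(mktemp)
printf '%s\n' '#Port 22' 'PermitRootLogin yes' 'PermitRootLogin no' > "$sample"
audit_sshd_config "$sample" || echo "findings: $?"
rm -f "$sample"
```

Running `sshd -t` before `systemctl reload sshd` additionally catches syntax errors in the file.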
Key-based authentication (KEY authentication)

[root@localhost ~]# ssh-keygen                                        ##Generate the key pair
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):              ##File in which the key is saved
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.              ##Private key
Your public key has been saved in /root/.ssh/id_rsa.pub.              ##Public key
The key fingerprint is:
e0:89:c9:5f:58:77:1d:ba:1a:1f:0d:fb:23:55:75:63 root@localhost
The key's randomart image is:
+--[ RSA 2048]----+
|              .Eo|
|             o..+|
|      . . . + . .|
|   . + = . . = . |
|    + + S . + o  |
|     . .   + +   |
|      .   . o o  |
|             . . |
|                 |
+-----------------+
[root@localhost ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.25.80.100      
The authenticity of host '172.25.80.100 (172.25.80.100)' can't be established.
ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@172.25.80.100's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@172.25.80.100'"
and check to make sure that only the key(s) you wanted were added.
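## ssh-copy-id                 ##Command that installs the key on the target
## -i                          ##Specifies the key
## /root/.ssh/id_rsa.pub       ##The key (public key file)
## root                        ##User the key is installed for
## 172.25.80.100               ##Host IP

After generating the key pair, copy the private key to the client, into the .ssh/ folder under the home directory of the user who will make the connection.

The scp command can be used to copy files over the network:

[kiosk@foundation80 ~]$ scp root@172.25.80.100:/root/.ssh/id_rsa ~/.ssh/        ##On the client, download the private key file from the server
root@172.25.80.100's password:                                                  ##into the .ssh/ directory under the home directory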
id_rsa                                        100% 1675     1.6KB/s   00:00  

[root@localhost ~]# scp ~/.ssh/id_rsa root@172.25.80.250:/home/kiosk/.ssh/          ##On the server, upload the private key file
The authenticity of host '172.25.80.250 (172.25.80.250)' can't be established.      ##to the .ssh directory under a user's home directory on the client
ECDSA key fingerprint is 05:eb:75:10:96:04:ec:c6:f4:28:ed:d0:fd:73:85:31.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.25.80.250' (ECDSA) to the list of known hosts.
root@172.25.80.250's password: 
id_rsa                                        100% 1675     1.6KB/s   00:00    

[kiosk@foundation80 .ssh]$ ssh root@172.25.80.100
Last login: Fri Apr 13 11:03:46 2018 from 172.25.80.250
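##The private key has been copied into the .ssh directory under the kiosk user's home directory; logging in to the server as kiosk now needs no password and connects directly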

[root@localhost ~]# rm -rf /root/.ssh/authorized_keys 
[root@localhost ~]# exit
logout
Connection to 172.25.80.100 closed.
[kiosk@foundation80 .ssh]$ ssh root@172.25.80.100
root@172.25.80.100's password: 
Last login: Fri Apr 13 11:13:52 2018 from 172.25.80.250
##After the authorized_keys file is deleted, the private key on the client no longer works

[root@localhost ~]# cp /root/.ssh/id_rsa.pub /root/.ssh/authorized_keys
[root@localhost ~]# exit
logout
Connection to 172.25.80.100 closed.
[kiosk@foundation80 .ssh]$ ssh root@172.25.80.100
Last login: Fri Apr 13 11:17:17 2018 from 172.25.80.250
[root@localhost ~]# 
##After the authorized_keys file (the lock) is recreated, the private key works again
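An added example (not part of the original post) of a check for the situations shown above, where key login stops working and ssh falls back to the password prompt. The function name, return codes and sample key blob are assumptions made for illustration; the file-mode test assumes sshd runs with StrictModes enabled, which is its default.

```shell
#!/bin/sh
# Added example: explain why key login would fall back to a password prompt.
# check_key_login <public-key-file> <authorized_keys-file>
# Returns 0 = key listed and file mode safe, 1 = authorized_keys missing,
#         2 = key not listed, 3 = file writable by group or others.
check_key_login() {
    pub=$1; auth=$2
    [ -f "$auth" ] || { echo "missing: $auth"; return 1; }

    # A public key line is "type base64-blob [comment]"; the blob identifies the key.
    blob=$(awk '{ print $2; exit }' "$pub")

    # authorized_keys entries may begin with options, so look for the blob in
    # any field; blank lines and # comments are skipped.
    if ! awk -v b="$blob" '
        /^[ \t]*(#|$)/ { next }
        { for (i = 1; i <= NF; i++) if ($i == b) found = 1 }
        END { exit !found }' "$auth"
    then
        echo "key not listed in $auth"; return 2
    fi

    # Characters 6 and 9 of the ls mode string are the group/other write bits.
    # Assumption: sshd runs with StrictModes enabled (its default).
    mode=$(ls -ld "$auth" | cut -c1-10)
    if [ "$(echo "$mode" | cut -c6)" != "-" ] || [ "$(echo "$mode" | cut -c9)" != "-" ]; then
        echo "$auth is writable by group/others ($mode)"; return 3
    fi
    echo "key listed, mode ok ($mode)"; return 0
}

# Constructed data replaying the states shown above (the blob is a placeholder).
d=$(mktemp -d)
echo 'ssh-rsa AAAAB3CONSTRUCTEDBLOB root@localhost' > "$d/id_rsa.pub"
check_key_login "$d/id_rsa.pub" "$d/authorized_keys" || true   # file removed
cp "$d/id_rsa.pub" "$d/authorized_keys"; chmod 600 "$d/authorized_keys"
check_key_login "$d/id_rsa.pub" "$d/authorized_keys" || true   # file recreated
rm -rf "$d"
```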

