OpenSSH server
The SSH (Secure Shell) protocol
is a secure channel protocol:
the traffic is encrypted, and it is used for remote administration.
OpenSSH
Service name: sshd
Server main program: /usr/sbin/sshd
Server configuration file: /etc/ssh/sshd_config
Service listening options
Port number, protocol version, listening IP address
Disabling reverse DNS lookups
Example:
Server: [root@server1 ~]# vi /etc/ssh/sshd_config
#Port 22   change to: Port 12345   (note: the port number must not exceed the allowed maximum and must not already be in use)
[root@serverl ~]# systemctl restart sshd   restart the service
Client check: [root@server1 ~]# ssh root@192.168.1.10   verify that the old port now fails
ssh: connect to host 192.168.1.10 port 22: No route to host
[root@serverl ~]# ssh root@192.168.1.10 -p 12345
The authenticity of host '[192.168.1.10]:12345 ([192.168.1.10]:12345)' can't be established.
ECDSA key fingerprint is SHA256:OCK70+YcRUWXSsDdbwYY7QPSQSgx1XsXIIofuspo6Lk.
ECDSA key fingerprint is MD5:2c:11:20:54:8a:ee:12:e5:33:02:b1:5d:74:f2:df:f3.
Are you sure you want to continue connecting (yes/no)? y
Please type 'yes' or 'no': yes
Warning: Permanently added '[192.168.1.10]:12345' (ECDSA) to the list of known hosts.
root@192.168.1.10's password:
Last failed login: Wed Sep 9 16:48:23 CST 2020 from 192.168.1.100 on ssh:notty
There were 4 failed login attempts since the last successful login.
Last login: Wed Sep 9 15:32:30 2020 from 192.168.1.1
Server: if the service fails to restart, try stopping the firewall and putting SELinux into permissive mode:
[root@serverl ~]# systemctl stop firewalld
[root@serverl ~]# setenforce 0
User login control
Disable the root user and users with empty passwords
Limit the login grace time and the number of retries
AllowUsers, DenyUsers
Example: user login control
Server: [root@serverl ~]# vi /etc/ssh/sshd_config
#LoginGraceTime 2m
PermitRootLogin no   set this line: root may no longer log in over ssh; on production networks root login is prohibited and privileges are obtained with su - instead
[root@serverl ~]# systemctl restart sshd   restart the service
Client: log out  [root@serverl ~]# exit
登出
Connection to 192.168.1.10 closed.
Verify: [root@serverl ~]# ssh root@192.168.1.10 -p 12335
root@192.168.1.10's password:
Permission denied, please try again.   access is refused
[root@serverl ~]# ssh xwy@192.168.1.10 -p 12335
xwy@192.168.1.10's password:
[xwy@serverl ~]$ su root
密码:
[root@serverl xwy]#
Example: limit the number of retries
Server: [root@serverl ~]# vi /etc/ssh/sshd_config
MaxAuthTries 3   set this line: at most 3 authentication attempts
[root@serverl ~]# systemctl restart sshd   restart the service
Client: [root@serverl xwy]# ssh xwy@192.168.1.10 -p 12335   press Enter
after three wrong passwords:
Received disconnect from 192.168.1.10 port 12335:2: Too many authentication failures
Authentication failed.
After the disconnect, however, you can reconnect and try the password again.
Example: login grace time
Server: [root@serverl ~]# vi /etc/ssh/sshd_config
LoginGraceTime 1m   you have 1 minute to enter the password at login; after that the connection times out
[root@serverl ~]# systemctl restart sshd   restart the service
Client: [root@serverl xwy]# ssh xwy@192.168.1.10 -p 12335
xwy@192.168.1.10's password:   enter nothing, wait one minute, then enter the password: an error results
Authentication failed.
Example: server side
[root@serverl ~]# netstat -anpt | grep sshd   show the listening addresses
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN 61569/sshd
tcp 0 0 127.0.0.1:6010 0.0.0.0:* LISTEN 60444/sshd: root@pt
tcp 0 52 192.168.1.10:22 192.168.1.1:58219 ESTABLISHED 60444/sshd: root@pt
tcp 0 0 192.168.1.10:12345 192.168.1.100:33700 ESTABLISHED 61404/sshd: xwy [pr
tcp6 0 0 :::12345 :::* LISTEN 61569/sshd
tcp6 0 0 ::1:6010 :::* LISTEN 60444/sshd: root@pt
[root@serverl ~]# vi /etc/ssh/sshd_config
#ListenAddress 0.0.0.0   change to ListenAddress 192.168.1.10: the IP address to listen on, i.e. which interface (which network path) accepts connections
[root@serverl ~]# systemctl restart sshd   restart the service; the first listening entry now shows the changed address
[root@serverl ~]# netstat -anpt | grep sshd
tcp 0 0 192.168.1.10:12345 0.0.0.0:* LISTEN 61631/sshd
tcp 0 0 127.0.0.1:6010 0.0.0.0:* LISTEN 60444/sshd: root@pt
tcp 0 0 192.168.1.10:22 192.168.1.1:58219 ESTABLISHED 60444/sshd: root@pt
tcp 0 0 192.168.1.10:12345 192.168.1.100:33700 ESTABLISHED 61404/sshd: xwy [pr
tcp6 0 0 ::1:6010 :::* LISTEN 60444/sshd: root@pt
[root@serverl xwy]# ssh xwy@192.168.1.10 -p 12335
ssh: connect to host 192.168.1.10 port 12335: Connection refused
[root@serverl xwy]# ssh xwy@192.168.1.10 -p 12345
xwy@192.168.1.10's password:   login now works
Last login: Wed Sep 9 16:52:08 2020 from 192.168.1.100
Example: allow only zhangsan and wangwu (wangwu only from client IP 192.168.1.100) to log in; root cannot log in either, even though the root account was not disabled. The address is the client's address.
[root@serverl ~]# vi /etc/ssh/sshd_config
Server: append this line at the end: AllowUsers zhangsan wangwu@192.168.1.100
[root@serverl ~]# systemctl restart sshd   restart the service
[root@serverl ~]# useradd zhangsan   create the two users
[root@serverl ~]# passwd zhangsan
更改用户 zhangsan 的密码 。
新的 密码:
无效的密码: 密码是一个回文
重新输入新的 密码:
passwd:所有的身份验证令牌已经成功更新。
[root@serverl ~]# useradd wangwu
[root@serverl ~]# passwd wangwu
更改用户 wangwu 的密码 。
新的 密码:
无效的密码: 密码是一个回文
重新输入新的 密码:
passwd:所有的身份验证令牌已经成功更新。
Client:
[xwy@serverl ~]$ exit   exit back to your own host
登出
Connection to 192.168.1.10 closed.
[root@serverl xwy]# exit
exit
[xwy@serverl ~]$ exit
登出
Connection to 192.168.1.10 closed.
[root@server1 ~]#
[root@server1 ~]# ssh zhangsan@192.168.1.10 -p 12345   the user zhangsan must exist on the server (host 192.168.1.10)
zhangsan@192.168.1.10's password:   enter zhangsan's password
[zhangsan@serverl ~]$
Server:
[root@serverl ~]# netstat -anpt | grep sshd   a new connection from 192.168.1.100 for zhangsan has appeared
tcp 0 0 192.168.1.10:12345 0.0.0.0:* LISTEN 61821/sshd
tcp 0 0 127.0.0.1:6010 0.0.0.0:* LISTEN 60444/sshd: root@pt
tcp 0 52 192.168.1.10:22 192.168.1.1:58219 ESTABLISHED 60444/sshd: root@pt
tcp 0 0 192.168.1.10:12345 192.168.1.100:33702 ESTABLISHED 61912/sshd: zhangsa
tcp6 0 0 ::1:6010 :::* LISTEN 60444/sshd: root@pt
Login authentication methods
Password authentication: checks that the user name and password match
Key-pair authentication: checks that the client's private key matches the public key stored on the server
[root@serverl ~]# vi /etc/ssh/sshd_config
PasswordAuthentication yes   enabled by default
#PubkeyAuthentication yes   commented out by default
AuthorizedKeysFile .ssh/authorized_keys   enabled by default (the leading dot marks a hidden directory; the file is the key store)
[root@serverl ~]# ssh-keygen -t rsa   generate a key pair; only then is the .ssh directory created
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:9BqOpl5d4WdzBXlgYpkPCI8I1eXf2oYO4HSv7mMCI9I root@serverl
The key's randomart image is:
+---[RSA 2048]----+
| .....o..oo+o |
| . ..+..+o...|
| . o + o ..|
| . o o ... |
| . S = = o |
| . E o* * + * |
| . .+o= . + o |
| + . o+ . |
| .o =+.. |
+----[SHA256]-----+
[root@serverl ~]# ls -lah   check that the directory exists
drwx------. 2 root root 38 9月 9 19:23 .ssh
[root@serverl ~]# cd .ssh/   the private and public keys are in this directory
[root@serverl .ssh]# ls -lh
总用量 8.0K
-rw-------. 1 root root 1.7K 9月 9 19:23 id_rsa   private key
-rw-r--r--. 1 root root 394 9月 9 19:23 id_rsa.pub   public key
Using the SSH client programs
ssh command: secure remote login
ssh user@host   plus the port option
Client: [root@server1 ~]# vi /etc/hosts
append on the last line: 192.168.1.10 serverl   (serverl is the server's hostname)
[root@serverl ~]# ssh root@serverl   observe the secure remote login
The authenticity of host 'serverl (192.168.1.10)' can't be established.
ECDSA key fingerprint is SHA256:OCK70+YcRUWXSsDdbwYY7QPSQSgx1XsXIIofuspo6Lk.
ECDSA key fingerprint is MD5:2c:11:20:54:8a:ee:12:e5:33:02:b1:5d:74:f2:df:f3.
Are you sure you want to continue connecting (yes/no)?
scp command: secure remote copy
Format 1: scp user@host:file1 file2   download
Format 2: scp file1 user@host:file2   upload
Example. Server: create directory a under /opt, create files 1.txt and 2.txt in it, then return to the home directory
[root@serverl ~]# cd /opt/
[root@serverl opt]# mkdir a
[root@serverl opt]# cd a
[root@serverl a]# vi 2.txt
[root@serverl a]# vi 1.txt
[root@serverl a]# cd
Client: create a file  [root@server1 ~]# vi aaa
[root@server1 ~]# scp root@serverl:/opt/a/1.txt /root   download the server's file and check it
root@serverl's password:
1.txt 100% 25 2.2KB/s 0
[root@server1 ~]# ls -lh
总用量 16K
-rw-r--r--. 1 root root 25 9月 10 08:59 1.txt
[root@server1 ~]# scp aaa root@serverl:/opt   upload the new file
root@serverl's password:
aaa 100% 14 1.1KB/s 0
Server: check the uploaded file  [root@serverl ~]# cd /opt/
[root@serverl opt]# ls -lh
总用量 4.0K
drwxr-xr-x. 2 root root 45 9月 10 08:53 a
-rw-r--r--. 1 root root 14 9月 10 09:02 aaa
drwxr-xr-x. 2 root root 6 3月 26 2015 rh
Copying a directory from the client to the server
Server: create a user  [root@serverl opt]# useradd zhangsan
[root@serverl opt]# passwd zhangsan
更改用户 zhangsan 的密码 。
新的 密码:
无效的密码: 密码是一个回文
重新输入新的 密码:
passwd:所有的身份验证令牌已经成功更新。
Client: [root@server1 ~]# cd /opt
[root@server1 opt]# ls -lh
总用量 0
drwxr-xr-x. 2 root root 6 3月 26 2015 rh
[root@server1 opt]# vi a
[root@server1 opt]# vi b
[root@server1 opt]# ls -lh
总用量 8.0K
-rw-r--r--. 1 root root 11 9月 10 09:19 a
-rw-r--r--. 1 root root 8 9月 10 09:19 b
drwxr-xr-x. 2 root root 6 3月 26 2015 rh
[root@server1 opt]# cd
[root@server1 ~]# scp -r /opt zhangsan@serverl:/home/zhangsan
zhangsan@serverl's password:
Permission denied, please try again.
zhangsan@serverl's password:
a 100% 11 1.3KB/s 00:00
b 100% 8 4.8KB/s 00:00
Server check: [root@serverl ~]# cd /home/zhangsan
[root@serverl zhangsan]# ls -lh
总用量 0
drwxr-xr-x. 3 zhangsan zhangsan 34 9月 10 09:20 opt
[root@serverl zhangsan]# cd /opt
[root@serverl opt]# ls -lh
总用量 4.0K
drwxr-xr-x. 2 root root 45 9月 10 08:53 a
-rw-r--r--. 1 root root 14 9月 10 09:02 aaa
drwxr-xr-x. 2 root root 6 3月 26 2015 rh
sftp command: secure FTP; sftp shares port 22 with ssh
Server: create user lisi and two files:  [root@serverl ~]# useradd lisi
[root@serverl ~]# passwd lisi
[root@serverl ~]# cd /home/lisi
[root@serverl lisi]# vi a1
[root@serverl lisi]# vi a2
Client check: download and upload
[root@server1 ~]# sftp lisi@192.168.1.10
lisi@192.168.1.10's password:
Connected to 192.168.1.10.
sftp> pwd
Remote working directory: /home/lisi
sftp> ls -lh
-rw-r--r-- 0 0 0 15B Sep 10 09:51 a1
-rw-r--r-- 0 0 0 17B Sep 10 09:51 a2
sftp> get a1
Fetching /home/lisi/a1 to a1
/home/lisi/a1 100% 15 7.7KB/s 00:00
sftp> put initial-setup-ks.cfg
Uploading initial-setup-ks.cfg to /home/lisi/initial-setup-ks.cfg
initial-setup-ks.cfg
Building key-pair-authenticated SSH
1. Create the key pair on the client
ssh-keygen command
Available algorithms: RSA, ECDSA or DSA
2. Upload the public key file to the server
Any method works (FTP, email, SCP, HTTP, ...)
3. Import the public key text on the server
Append the public key text to the target user's key store
Default key store: ~/.ssh/authorized_keys
4. Log in from the client using key-pair authentication
Authenticated user: the server-side user lisi
Authentication secret: the passphrase of client user zhangsan's private key
[zhangsan@localhost ~]$ ssh lisi@172.16.16.22
[lisi@localhost ~]$ whoami
lisi
Building key-pair-authenticated SSH (continued)
Steps 2 and 3 can be replaced by a single command:
ssh-copy-id -i public_key_file user@host
After password authentication, the public key is appended automatically to .ssh/authorized_keys in the home directory of user on the target host
[zhangsan1@localhost ~]$ ssh-copy-id -i ~/.ssh/id_rsa.pub lisi@172.16.16.22
Example:
Client: create user wangwu  [root@server1 ~]# useradd wangwu
[root@server1 ~]# passwd wangwu
[root@server1 ~]# su wangwu
[wangwu@server1 root]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/wangwu/.ssh/id_rsa):
Created directory '/home/wangwu/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/wangwu/.ssh/id_rsa.
Your public key has been saved in /home/wangwu/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:G00adgYuwW6EdTrB501ddM0cZUjA1GsYeMYqYVOd948 wangwu@server1
The key's randomart image is:
+---[RSA 2048]----+
| =+ o..BoB+=B|
| . +*=.o X +o+|
| o+++=++ + o |
| o+oBo . o .|
| . S.. . ..|
| o E .|
| . |
| |
| |
+----[SHA256]-----+
Open another terminal on 192.168.1.100 (the same client machine)
and run [root@server1 ~]# gpasswd -a wangwu wheel   give wangwu elevated privileges through the wheel group
正在将用户“wangwu”加入到“wheel”组中
[root@server1 ~]# id wangwu   check the result
uid=1001(wangwu) gid=1001(wangwu) 组=1001(wangwu),10(wheel)
Client: [wangwu@server1 root]$ sudo /usr/bin/ls /home/wangwu/.ssh
[sudo] wangwu 的密码:
wangwu 不在 sudoers 文件中。此事将被报告。
(the existing session does not yet see the new group membership; exit and switch user again)
[wangwu@server1 root]$ exit
exit
您在 /var/spool/mail/root 中有新邮件
[root@server1 ~]# id wangwu
uid=1001(wangwu) gid=1001(wangwu) 组=1001(wangwu),10(wheel)
[root@server1 ~]# su wangwu
[wangwu@server1 root]$ sudo /usr/bin/ls /home/wangwu/.ssh
[sudo] wangwu 的密码:
id_rsa id_rsa.pub   the private and public keys are there
[wangwu@server1 root]$ sudo /usr/bin/scp /home/wangwu/.ssh/id_rsa.pub lisi@192.168.1.10:/tmp
[sudo] wangwu 的密码:
lisi@192.168.1.10's password:
id_rsa.pub 100% 396 49.3KB/s 00:00
Server:
[root@serverl ~]# cd /tmp/
[root@serverl tmp]# ls -lh   check that the public key arrived
总用量 16K
-rw-r--r--. 1 lisi lisi 396 9月 10 11:16 id_rsa.pub
[root@serverl tmp]# cd
[root@serverl ~]# mkdir /home/lisi/.ssh
[root@serverl ~]# cat /tmp/id_rsa.pub >> /home/lisi/.ssh/authorized_keys
[root@serverl ~]# cat /home/lisi/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2mVNMNAHQHKLDn1tZttyEDuLOtf4WCc00cEAmXx/5RmNufEWmWNa6g84rvCmRt7oc5UiX5lmfS/bnqY+gamFTnzkHfs4eJMtKfOJBy6IVaA/iS4/8Ttsk32nHQUgS8xefwgSEZoLmKXsh6Qoy2UhRgw43lhIbrl1JdbiVkE9ovUKdnvrI/RJfr5RkYUxw3qVOtwuGNabSj0MLKECFuqCZMaMWdRSKRu7CshKD+tTejbmBXIOjItCYHYP/hPpZg70ut3eSfYTNaqcrvfCjA3TDMh9HsSwSNQoZbeMI5f3+OSEWig6xhwVBqC93/YoOQVIJD0pqZJ/p9rt5Y22ESZ9V wangwu@server1   the client user's public key
Client: we can now log in as lisi
[wangwu@server1 root]$ ssh lisi@192.168.1.10
The authenticity of host '192.168.1.10 (192.168.1.10)' can't be established.
ECDSA key fingerprint is SHA256:OCK70+YcRUWXSsDdbwYY7QPSQSgx1XsXIIofuspo6Lk.
ECDSA key fingerprint is MD5:2c:11:20:54:8a:ee:12:e5:33:02:b1:5d:74:f2:df:f3.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.10' (ECDSA) to the list of known hosts.
[lisi@serverl ~]$ whoami
lisi
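The manual steps above (mkdir /home/lisi/.ssh, then cat >> authorized_keys) and the ssh-copy-id shortcut described earlier both end with one more public-key line in the target user's key store. The script below is an added example, not part of the original notes: it installs a key line the way ssh-copy-id does, but also creates ~/.ssh and authorized_keys with the private permissions that StrictModes expects, refuses to add the same key twice, and includes a check that mimics the group/other-writable test StrictModes applies. Function names (install_authorized_key, not_group_world_writable) are my own, the key lines are constructed samples rather than real keys, and ownership is left to the caller (run it as the target user, or chown afterwards).

```shell
#!/bin/sh
# Added example (not from the original notes): install a public key into a
# user's authorized_keys the way ssh-copy-id does, with the permissions
# StrictModes requires, plus a check that mimics that permission test.
# Assumptions: POSIX sh and awk; SAMPLE_KEY is a constructed line, not a real key.

SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYMATERIALONLYNOTREAL wangwu@server1'

# Fail on paths writable by group or others: the heart of what sshd's
# StrictModes checks on the home directory, ~/.ssh and authorized_keys
# before it will trust the file at all.
not_group_world_writable() {
    _mode=$(ls -ld "$1" | cut -c1-10)          # e.g. drwx------ or -rw-r--r--
    case $_mode in
        ?????w????|????????w?) return 1 ;;      # group (6th) or other (9th) write bit set
    esac
    return 0
}

# Append one "type base64 [comment]" line to HOMEDIR/.ssh/authorized_keys
# unless the same key material is already present (the trailing comment is
# not part of the key's identity). Creates the directory and file privately.
# Prints the resulting number of lines in the file.
install_authorized_key() {
    _home=$1; _line=$2
    _type=$(printf '%s\n' "$_line" | awk '{ print $1 }')
    _data=$(printf '%s\n' "$_line" | awk '{ print $2 }')
    case $_type in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "install_authorized_key: unsupported or malformed key line" >&2; return 2 ;;
    esac
    case $_data in
        ""|*[!A-Za-z0-9+/=]*) echo "install_authorized_key: key material is not base64" >&2; return 2 ;;
    esac
    _dir=$_home/.ssh; _akf=$_dir/authorized_keys
    ( umask 077; mkdir -p "$_dir" && touch "$_akf" ) || return 1   # private from the start
    chmod 700 "$_dir" && chmod 600 "$_akf"                          # fix pre-existing paths too
    # de-duplicate on key type + key material only
    if ! awk -v t="$_type" -v d="$_data" \
            '$1 == t && $2 == d { found = 1 } END { exit found ? 0 : 1 }' "$_akf"; then
        printf '%s\n' "$_line" >> "$_akf"
    fi
    wc -l < "$_akf" | tr -d ' '
}

# Stand-alone use: sh install_key.sh /home/lisi "$(cat /tmp/id_rsa.pub)"
if [ $# -ge 2 ]; then
    install_authorized_key "$1" "$2"
    not_group_world_writable "$1/.ssh" || echo "warning: $1/.ssh is group/world writable" >&2
fi
```

The page's cat >> authorized_keys step works, but a .ssh directory created with the default umask, or an authorized_keys file that is group-writable, is exactly what StrictModes rejects, which shows up on the client only as a fallback to password authentication.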
Another way to deliver the public key (reset the environment first)
Server: create user lisi
[root@server1 ~]# useradd lisi
[root@server1 ~]# passwd lisi
Client: create user zhangsan
[root@server1 ~]# useradd zhangsan
[root@server1 ~]# passwd zhangsan
[root@server1 ~]# gpasswd -a zhangsan wheel
正在将用户“zhangsan”加入到“wheel”组中
[zhangsan@server1 root]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/zhangsan/.ssh/id_rsa):
Created directory '/home/zhangsan/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/zhangsan/.ssh/id_rsa.
Your public key has been saved in /home/zhangsan/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:SsuKuUZDBQO80PgCrKyuE9pYudr3TP2W6MQRNGSx74M zhangsan@server1
The key's randomart image is:
+---[RSA 2048]----+
|++o. .*. |
|+o... o o |
|=... o |
|ooo o |
|.o . . S . |
|o = o = + |
|o* o = E.o. |
|+o+o.+ ...o. |
|++=o..o.... |
+----[SHA256]-----+
[zhangsan@server1 root]$ sudo /usr/bin/ssh-copy-id -i /home/zhangsan/.ssh/id_rsa.pub lisi@192.168.1.10
我们信任您已经从系统管理员那里了解了日常注意事项。
总结起来无外乎这三点:
#1) 尊重别人的隐私。
#2) 输入前要先考虑(后果和风险)。
#3) 权力越大,责任越大。
[sudo] zhangsan 的密码:
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/zhangsan/.ssh/id_rsa.pub"
The authenticity of host '192.168.1.10 (192.168.1.10)' can't be established.
ECDSA key fingerprint is SHA256:hEV9VE2F5nsCmCKJ+ff91Aa+kau+PsBmzRCpEKlBGXA.
ECDSA key fingerprint is MD5:73:20:4f:90:c5:75:fa:cd:ad:d5:e7:21:70:1b:18:47.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
lisi@192.168.1.10's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'lisi@192.168.1.10'"
and check to make sure that only the key(s) you wanted were added.
[zhangsan@server1 root]$ whoami
zhangsan
[zhangsan@server1 root]$ ssh lisi@192.168.1.10   the login now succeeds without a password
The authenticity of host '192.168.1.10 (192.168.1.10)' can't be established.
ECDSA key fingerprint is SHA256:hEV9VE2F5nsCmCKJ+ff91Aa+kau+PsBmzRCpEKlBGXA.
ECDSA key fingerprint is MD5:73:20:4f:90:c5:75:fa:cd:ad:d5:e7:21:70:1b:18:47.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.10' (ECDSA) to the list of known hosts.
[lisi@server1 ~]$ whoami
lisi
Passwordless login (key without a passphrase)
Client:
[root@server1 ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:4CIXvR0djWpwtr5zNh+JORSLJvZ0TC/Rv8wgyTgMeaY root@server1
The key's randomart image is:
+---[RSA 2048]----+
| .o |
| ...o..o. |
| . =++o= . |
| o X+B * . |
| . o EoS X o . |
| o o =.+ = = . |
| ..+ o + |
| o +. . |
| + o. |
+----[SHA256]-----+
[root@server1 ~]# ssh   (run without arguments, ssh prints its usage)
usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
[-D [bind_address:]port] [-E log_file] [-e escape_char]
[-F configfile] [-I pkcs11] [-i identity_file]
[-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec]
[-O ctl_cmd] [-o option] [-p port] [-Q query_option] [-R address]
[-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]]
[user@]hostname [command]
[root@server1 ~]# ssh-copy-id 192.168.1.100   192.168.1.100 is the client's IP
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.1.100 (192.168.1.100)' can't be established.
ECDSA key fingerprint is SHA256:kJpOKmzZwNj2Sh2iKtzIOuuhxr/0qu6BB16k3JBMgNM.
ECDSA key fingerprint is MD5:f9:22:17:a1:de:4e:a3:9c:f9:e9:c3:17:b9:4c:32:8f.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.1.100's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '192.168.1.100'"
and check to make sure that only the key(s) you wanted were added.
[root@server1 ~]# ssh root@192.168.1.100
Last login: Thu Sep 10 13:39:09 2020
Passwordless login (key with a passphrase)
Start another client, 10.0.0.11
[root@serverl ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):   enter the passphrase 123456
Enter same passphrase again:   enter the passphrase 123456
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:/ZN4oS3/1cB0b1hGdtfmKoEHpEI6r6jPrOM9lX+D1B4 root@serverl
The key's randomart image is:
+---[RSA 2048]----+
| . .. *|
| o .. o=|
| o . . o .o+|
| o . .. oo =o|
| o S ....+.o|
| . + . E =.o.o.|
| . o o o = *. o|
|.+.. o + + . . |
|+=+.. . . ... |
+----[SHA256]-----+
[root@serverl ~]# ssh-copy-id 192.168.1.10
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.1.10 (192.168.1.10)' can't be established.
ECDSA key fingerprint is SHA256:hEV9VE2F5nsCmCKJ+ff91Aa+kau+PsBmzRCpEKlBGXA.
ECDSA key fingerprint is MD5:73:20:4f:90:c5:75:fa:cd:ad:d5:e7:21:70:1b:18:47.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.1.10's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '192.168.1.10'"
and check to make sure that only the key(s) you wanted were added.
[root@serverl ~]# ssh-agent bash
[root@serverl ~]# ssh-add
Enter passphrase for /root/.ssh/id_rsa:   enter the passphrase 123456
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
[root@serverl ~]# ssh root@192.168.1.10
Last login: Thu Sep 10 09:07:45 2020 from 192.168.1.11
Appendix: public-key cryptosystems
A public-key cryptosystem has three parts: the public key, the encryption algorithm and the decryption algorithm. Encryption and decryption work as follows:
Encryption: the plaintext is encrypted with the encryption algorithm and the public key, producing the ciphertext; the public key is needed to encrypt.
Decryption: the ciphertext is decrypted with the decryption algorithm and the private key, recovering the plaintext; the decryption algorithm and the private key are needed to decrypt. Note that content encrypted with the public key can only be decrypted with the private key: without the private key, content encrypted with the public key cannot be decrypted.
In a public-key cryptosystem the public key and the algorithms are public (which is why it is called a public-key cryptosystem) and the private key is kept secret. Everyone encrypts with the public key, but only the holder of the private key can decrypt. In practice, whoever needs it generates a key pair, publishes the public key for others to use, and keeps the private key.
RSA in brief
RSA is a public-key cryptosystem: the public key is published, the private key is kept, and the encryption and decryption algorithms are public. Content encrypted with the public key can be decrypted only with the private key, and content encrypted with the private key can be decrypted only with the public key. In other words, both keys of an RSA pair can encrypt and decrypt, and what one key encrypts can be decrypted only by the other.
Symmetric encryption
In a symmetric algorithm the key used for encryption and the key used for decryption are the same key. For a symmetric algorithm to be secure, the key must therefore be kept secret and known only to the parties using it; it cannot be published. This differs from the public-key cryptosystem above, where encryption uses the public key and decryption the private key: in symmetric encryption both operations use one key, with no distinction between public and private.
Asymmetric encryption (more secure than symmetric)
In an asymmetric algorithm the encryption key and the decryption key are different. The public-key cryptosystem described above is an asymmetric algorithm: its public and private keys cannot be the same, so the key used to encrypt differs from the key used to decrypt. That is what makes it asymmetric.
TCP Wrappers policy
Order in which the policies are applied
1. Check hosts.allow: a match allows access
2. Then check hosts.deny: a match denies access
3. If neither file matches, access is allowed by default
TCP Wrappers overview
Protection principle
How the protection is implemented
Method 1: the tcpd program wraps other service programs
Method 2: the service program itself calls the libwrap.so.* library
Access control policy files
/etc/hosts.allow
/etc/hosts.deny
Writing an access control policy
Policy format: service_program_list : client_address_list
Service program list:
multiple services separated by commas; ALL means all services
Client address list:
multiple addresses separated by commas; ALL means all addresses
the wildcards ? and * are allowed
network addresses, e.g. 192.168.4. or 192.168.4.0/255.255.255.0
domain addresses, e.g. .benet.com
Policy example
Allow access to the sshd service only from the following addresses:
host 61.63.65.67
network 192.168.2.0/24
Deny all other addresses access to the protected service
Basic sshd configuration
Check whether sshd is running:
[root@server1 liming]# netstat -natp | grep 22   (look for the 0.0.0.0:22 listener)
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 1570/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1005/sshd
tcp 0 0 20.0.0.11:22 20.0.0.1:65401 ESTABLISHED 51407/sshd: root@pt
tcp6 0 0 :::22 :::* LISTEN 1005/sshd
[root@server1 liming]# which sshd   // location of the command file
/usr/sbin/sshd
Configuration file locations:
[root@server1 ]# vim /etc/ssh/
ssh_config   // client configuration file
sshd_config   // server configuration file
[root@server1 ]# vim /etc/ssh/sshd_config
17 Port 22   // listen on port 22 (changing the port will interrupt existing Xshell sessions)
19 #ListenAddress 0.0.0.0   (default: listen on every IPv4 address)
20 #ListenAddress ::   (the IPv6 equivalent)
37 #LoginGraceTime 2m   (default login grace time: two minutes)
38 #PermitRootLogin yes   (default: root may log in)
39 #StrictModes yes   (permission check: before accepting a login as the given user, sshd verifies that the user's home directory and key files have safe ownership and permissions)
40 #MaxAuthTries 6   (maximum number of authentication attempts: 6)
41 #MaxSessions 10   (maximum number of sessions: 10)
43 #PubkeyAuthentication yes   (key-pair authentication)
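The directives listed above are the same ones the login-control section earlier on this page changes by hand (Port, ListenAddress, PermitRootLogin, MaxAuthTries, LoginGraceTime, AllowUsers). The script below is an added example, not part of the original notes: it reads the global section of an sshd_config the way sshd does (keywords are case-insensitive, the first occurrence of a keyword wins, and everything below a Match line is conditional and therefore skipped) and reports the settings this page hardens. Function names (sshd_get, sshd_audit) are my own; the built-in defaults assumed for absent directives are those of OpenSSH 7.x, and both sample configs are constructed.

```shell
#!/bin/sh
# Added example (not from the original notes): audit the global section of an
# sshd_config for the directives discussed on this page.
# Assumptions: POSIX sh and awk; defaults for absent directives follow
# OpenSSH 7.x (Port 22, all addresses, PermitRootLogin prohibit-password,
# MaxAuthTries 6, LoginGraceTime 120 s, PubkeyAuthentication yes).

# Print the effective value of a directive, or the default $3 if it is unset.
# Mirrors sshd's parsing rules: keywords are case-insensitive, '#' lines and
# blank lines are ignored, the FIRST occurrence wins, and reading stops at the
# first "Match" block because directives below it apply conditionally.
sshd_get() {
    _file=$1; _key=$(printf '%s' "$2" | tr 'A-Z' 'a-z'); _def=$3
    _val=$(awk -v key="$_key" '
        /^[ \t]*#/ { next }
        /^[ \t]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key && !seen {
            seen = 1
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")   # drop the keyword, keep the value(s)
            sub(/[ \t]+$/, "")
            print
        }' "$_file")
    if [ -n "$_val" ]; then printf '%s\n' "$_val"; else printf '%s\n' "$_def"; fi
}

# Convert an sshd time value such as 2m, 90s or 120 to seconds.
sshd_seconds() {
    case $1 in
        *m) echo $(( ${1%m} * 60 )) ;;
        *s) echo "${1%s}" ;;
        *)  echo "$1" ;;
    esac
}

# Print one line per weak setting and return the number of findings
# (0 means every check on this page's list passed).
sshd_audit() {
    f=$1; findings=0
    v=$(sshd_get "$f" Port 22)
    [ "$v" = 22 ] && { echo "INFO Port=22 (well-known port; the notes move it)"; findings=$((findings + 1)); }
    v=$(sshd_get "$f" ListenAddress 0.0.0.0)
    [ "$v" = 0.0.0.0 ] && { echo "INFO ListenAddress unset (listens on every interface)"; findings=$((findings + 1)); }
    v=$(sshd_get "$f" PermitRootLogin prohibit-password)
    [ "$v" != no ] && { echo "WARN PermitRootLogin=$v (expected no)"; findings=$((findings + 1)); }
    v=$(sshd_get "$f" MaxAuthTries 6)
    [ "$v" -gt 3 ] && { echo "WARN MaxAuthTries=$v (expected 3 or fewer)"; findings=$((findings + 1)); }
    v=$(sshd_seconds "$(sshd_get "$f" LoginGraceTime 120)")
    [ "$v" -gt 60 ] && { echo "WARN LoginGraceTime=${v}s (expected 60 s or less)"; findings=$((findings + 1)); }
    v=$(sshd_get "$f" PubkeyAuthentication yes)
    [ "$v" != yes ] && { echo "WARN PubkeyAuthentication=$v (key-pair login disabled)"; findings=$((findings + 1)); }
    v=$(sshd_get "$f" AllowUsers "")
    [ -z "$v" ] && { echo "INFO AllowUsers unset (no allow list)"; findings=$((findings + 1)); }
    return $findings
}

# Constructed sample 1: a mostly default file; the stricter second
# PermitRootLogin is ignored because the first occurrence wins, and the
# Match block is not consulted for the global audit.
write_weak_config() {
    _f=$(mktemp)
    cat > "$_f" <<'EOF'
#Port 22
PermitRootLogin yes
PermitRootLogin no
#MaxAuthTries 6
Match User backup
    PermitRootLogin no
EOF
    echo "$_f"
}

# Constructed sample 2: the settings this page arrives at.
write_hardened_config() {
    _f=$(mktemp)
    cat > "$_f" <<'EOF'
Port 12345
ListenAddress 192.168.1.10
PermitRootLogin no
MaxAuthTries 3
LoginGraceTime 1m
PubkeyAuthentication yes
AllowUsers zhangsan wangwu@192.168.1.100
EOF
    echo "$_f"
}

# Stand-alone use: sh sshd_audit.sh /etc/ssh/sshd_config
if [ $# -gt 0 ]; then sshd_audit "$1"; fi
```

The first-occurrence rule matters in practice: appending "PermitRootLogin no" to the end of a file that already has "PermitRootLogin yes" higher up changes nothing, which is why the notes edit the existing line rather than adding a new one.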
1:
Verify user login: host server2 logs in to host server1 as root over ssh and creates a file
[root@server2 ~]# ssh root@20.0.0.11   (the remote host's IP)
The authenticity of host '20.0.0.11 (20.0.0.11)' can't be established.
ECDSA key fingerprint is SHA256:oyGJ3iDy2VmJEvrJc2fPhoMY4moIq1XM/XU3A2YIKmI.
ECDSA key fingerprint is MD5:16:9d:43:43:fb:45:a2:6e:a7:a7:8a:0f:d8:67:93:32.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '20.0.0.11' (ECDSA) to the list of known hosts.
root@20.0.0.11's password:
Last login: Mon Dec 28 09:37:34 2020 from 20.0.0.1
[root@server1 ~]# cd /opt/
[root@server1 opt]# touch abc.txt
[root@server1 opt]# exit
登出
Connection to 20.0.0.11 closed.
On host server1, check that /opt now contains abc.txt
[root@server1 ~]# ls /opt/
abc.txt rh
This shows that the default setup is weak, so we change it:
38 PermitRootLogin no   // do not allow remote login as root
[root@server1 ~]# systemctl restart sshd   // restart the service
Create user lisi
[root@server1 ~]# useradd lisi
[root@server1 ~]# passwd lisi
[root@server1 ~]# id lisi
uid=1002(lisi) gid=1002(lisi) 组=1002(lisi)
Test again from host server2 after the change
[root@server2 ~]# ssh root@20.0.0.11   // log in to server1 as root over ssh
root@20.0.0.11's password:
Permission denied, please try again.   // the login is refused after the password is entered
Now try logging in as lisi instead
[root@server2 ~]# ssh lisi@20.0.0.11
lisi@20.0.0.11's password:   (the password is accepted)
Last failed login: Mon Dec 28 14:14:27 CST 2020 from 20.0.0.12 on ssh:notty
There was 1 failed login attempt since the last successful login.
[lisi@server1 ~]$ su - root   switch to root: it succeeds, even though remote root login was disabled
密码:
上一次登录:一 12月 28 14:01:20 CST 2020从 20.0.0.12pts/1 上
最后一次失败的登录:一 12月 28 14:14:12 CST 2020从 20.0.0.12ssh:notty 上
最有一次成功登录后有 2 次失败的登录尝试。
[root@server1 ~]# exit   // log out
登出
[lisi@server1 ~]$ exit
登出
Connection to 20.0.0.11 closed.
So even with remote root login disabled the host is still not secure: an ordinary user can still su to root.
Now configure the PAM module for su to enforce this:
[root@server1 ~]# vim /etc/pam.d/su
6 auth required pam_wheel.so use_uid   (uncomment line 6 to restrict su to members of the wheel group)
[root@server2 ~]# ssh lisi@20.0.0.11
lisi@20.0.0.11's password:
Last login: Mon Dec 28 14:14:48 2020 from 20.0.0.12
[lisi@server1 ~]$ su - root
密码:
su: 拒绝权限
// the user can still log in, but can no longer switch to root: permission denied (reason: lisi is not in the wheel group)
[lisi@server1 ~]$ su - xwy   // switching to a peer user is refused as well
密码:
su: 拒绝权限
[lisi@server1 ~]$ exit
登出
Connection to 20.0.0.11 closed.
[root@server2 ~]# ssh xwy@20.0.0.11   // log in as xwy, who is in the wheel group: switching to root works
xwy@20.0.0.11's password:
Last failed login: Mon Dec 28 14:26:58 CST 2020 on pts/1
There was 1 failed login attempt since the last successful login.
[xwy@server1 ~]$ su - root
密码:
上一次登录:一 12月 28 14:15:56 CST 2020pts/1 上
最后一次失败的登录:一 12月 28 14:23:31 CST 2020pts/1 上
最有一次成功登录后有 1 次失败的登录尝试。
[root@server1 ~]# su - lisi   // switching to lisi also works (so a wheel-group user has more privileges than an ordinary user)
上一次登录:一 12月 28 14:23:22 CST 2020从 20.0.0.12pts/1 上
[lisi@server1 ~]$ exit   // log out
登出
[root@server1 ~]# exit
登出
[xwy@server1 ~]$ exit
登出
Connection to 20.0.0.11 closed.
2:
[lisi@server1 ~]$ vim /etc/ssh/sshd_config
40 MaxAuthTries 6   (default number of authentication attempts: 6)
[root@server1 ~]# systemctl restart sshd   // restart the service
[root@server2 ~]# ssh xwy@20.0.0.11
xwy@20.0.0.11's password:
Permission denied, please try again.
xwy@20.0.0.11's password:
Permission denied, please try again.
xwy@20.0.0.11's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
// after three wrong passwords the client stops prompting, so the server-side default of 6 never comes into play; the following option makes the client prompt up to 8 times (more than 6)
[root@server2 ~]# ssh -o NumberOfPasswordPrompts=8 xwy@20.0.0.11   (8 > 6)
xwy@20.0.0.11's password:
Permission denied, please try again.
xwy@20.0.0.11's password:
Permission denied, please try again.
xwy@20.0.0.11's password:
Permission denied, please try again.
xwy@20.0.0.11's password:
Permission denied, please try again.
xwy@20.0.0.11's password:
Permission denied, please try again.
xwy@20.0.0.11's password:
Received disconnect from 20.0.0.11 port 22:2: Too many authentication failures
Authentication failed.
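The client-side prompt count and the server-side MaxAuthTries limit interact as shown above, and the server records every failure and every "Too many authentication failures" disconnect in its authentication log. The script below is an added example, not part of the original notes: it summarises such a log (the /var/log/secure or auth.log format OpenSSH writes) so the retry limit can be watched from the server's side. Function names are my own, and the sample log lines are constructed, in the format OpenSSH uses, rather than captured from the lab hosts.

```shell
#!/bin/sh
# Added example (not from the original notes): summarise sshd authentication
# events from a /var/log/secure (or auth.log) style file.
# Assumptions: POSIX sh, awk, grep and sort; the log lines below are
# constructed in the format OpenSSH uses, not captured from the lab hosts.

# Print "count address" for every source with at least THRESHOLD
# "Failed password" events, most active first.
failed_password_by_source() {
    awk -v thr="$2" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (a in n) if (n[a] >= thr) printf "%d %s\n", n[a], a }' "$1" | sort -rn
}

# Print "method user address" for each successful login, so that password
# logins stand out once key-pair authentication is in use.
accepted_logins() {
    awk '
        /sshd\[[0-9]+\]: Accepted (password|publickey) for / {
            for (i = 1; i <= NF; i++)
                if ($i == "for") { printf "%s %s %s\n", $(i - 1), $(i + 1), $(i + 3); break }
        }' "$1"
}

# Number of connections the server cut off for exceeding MaxAuthTries.
too_many_failures() {
    grep -c 'Too many authentication failures' "$1"
}

# Number of failed attempts against user names that do not exist at all.
invalid_user_attempts() {
    grep -c 'Failed password for invalid user' "$1"
}

# Constructed sample log (not captured from the lab hosts).
write_sample_log() {
    _f=$(mktemp)
    cat > "$_f" <<'EOF'
Dec 28 14:14:12 server1 sshd[51407]: Failed password for xwy from 20.0.0.12 port 45122 ssh2
Dec 28 14:14:20 server1 sshd[51407]: Failed password for xwy from 20.0.0.12 port 45122 ssh2
Dec 28 14:14:27 server1 sshd[51407]: Failed password for xwy from 20.0.0.12 port 45122 ssh2
Dec 28 14:14:27 server1 sshd[51407]: Disconnecting authenticating user xwy 20.0.0.12 port 45122: Too many authentication failures [preauth]
Dec 28 14:14:40 server1 sshd[51420]: Failed password for invalid user admin from 20.0.0.13 port 45130 ssh2
Dec 28 14:14:48 server1 sshd[51500]: Accepted password for lisi from 20.0.0.12 port 45140 ssh2
Dec 28 14:59:36 server1 sshd[51600]: Accepted publickey for xwy from 20.0.0.12 port 45200 ssh2: ECDSA SHA256:CONSTRUCTEDFINGERPRINT
EOF
    echo "$_f"
}

# Stand-alone use: sh sshd_log_summary.sh /var/log/secure
if [ $# -gt 0 ]; then
    echo "sources with 3 or more failed passwords:"; failed_password_by_source "$1" 3
    echo "successful logins:"; accepted_logins "$1"
fi
```

Because MaxAuthTries is enforced per connection, a low value only slows a password-guessing client down; the per-source counts this script produces are what show that the client simply reconnected.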
3: allow and deny lists (these lines must be added to the configuration file by hand)
[root@server1 ~]# useradd wangwu   add user wangwu
[root@server1 ~]# passwd wangwu
[root@server1 ~]# vim /etc/ssh/sshd_config
42 AllowUsers xwy@20.0.0.12 wangwu   // xwy may log in only from host 20.0.0.12; wangwu may log in from anywhere
[root@server1 ~]# systemctl restart sshd   // restart the service
Log in from host server2 (IP 20.0.0.12)
[root@server2 ~]# ssh wangwu@20.0.0.11
wangwu@20.0.0.11's password:
[wangwu@server1 ~]$ exit
[root@server2 ~]# ssh lisi@20.0.0.11
Permission denied, please try again.
lisi@20.0.0.11's password:
[root@server2 ~]# ssh xwy@20.0.0.11
xwy@20.0.0.11's password:
[xwy@server1 ~]$ exit
Host server2 (20.0.0.12) can log in as wangwu and xwy, but not as lisi
Start another host (IP 20.0.0.13, hostname server3)
[root@server3 ~]# ssh wangwu@20.0.0.11
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '20.0.0.11' (ECDSA) to the list of known hosts.
wangwu@20.0.0.11's password:
[wangwu@server1 ~]$ exit
[root@server3 ~]# ssh xwy@20.0.0.11
xwy@20.0.0.11's password:
Permission denied, please try again.
From this host only wangwu can log in; xwy cannot
In summary, the allow list 42 AllowUsers xwy@20.0.0.12 wangwu permits only the listed users (and, where a host is given, only from that host)
Deny list: DenyUsers
For ssh, an allow list is recommended
sshd key-pair login
Server: server1, IP 20.0.0.11
Client: server2, IP 20.0.0.12
Continuing from the basic sshd configuration:
44 PubkeyAuthentication yes   // enable key-pair login
48 AuthorizedKeysFile .ssh/authorized_keys   // where the installed public keys are kept (a hidden directory in each user's home directory)
[root@server1 ~]# cd /home/
[root@server1 home]# ls
liming lisi wangwu xwy
[root@server1 home]# cd lisi/
[root@server1 lisi]# ls -a
. .. .bash_history .bash_logout .bash_profile .bashrc .cache .config .mozilla .viminfo
[root@server1 lisi]# cd ../xwy
[root@server1 xwy]# ls -a
. .. .bash_history .bash_logout .bash_profile .bashrc .cache .config .mozilla
At this point there is no .ssh/authorized_keys file yet
Generate the key pair on the client
Create user wt:
[root@server2 ~]# useradd wt
[root@server2 ~]# passwd wt
[root@server2 ~]# su - wt   // switch to user wt
[wt@server2 ~]$ ssh-keygen -t ecdsa
(-t specifies the key type; ecdsa is the Elliptic Curve Digital Signature Algorithm, which is secure)
Generating public/private ecdsa key pair.
Enter file in which to save the key (/home/wt/.ssh/id_ecdsa):   (the key is written to /home/wt/.ssh/id_ecdsa)
Created directory '/home/wt/.ssh'.
Enter passphrase (empty for no passphrase):   (a passphrase can be entered, e.g. 111111)
Enter same passphrase again:   (e.g. 111111)
Your identification has been saved in /home/wt/.ssh/id_ecdsa.
Your public key has been saved in /home/wt/.ssh/id_ecdsa.pub.
The key fingerprint is:
SHA256:xqnunstUWKadqwR6FeAn81fK0qyUnWynMXMv/GFhAmM wt@server2
The key's randomart image is:
+---[ECDSA 256]---+
| . |
| . . |
| + o E . |
| = ^ O |
| . O S + o |
| . + O X + . |
| . . = o o + |
| . = o + . |
| oO. . |
+----[SHA256]-----+
[wt@server2 ~]$ ls -a   // look for the generated key
. .. .bash_logout .bash_profile .bashrc .cache .config .mozilla .ssh
[wt@server2 ~]$ cd .ssh/
[wt@server2 .ssh]$ ls
id_ecdsa (private key)   id_ecdsa.pub (public key)
The public key now has to be pushed to the server and installed there:
[wt@server2 .ssh]$ ssh-copy-id -i id_ecdsa.pub xwy@20.0.0.11
(-i specifies the file, here id_ecdsa.pub; xwy is the account on the remote host the key is installed for; 20.0.0.11 is the server's address)
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "id_ecdsa.pub"
The authenticity of host '20.0.0.11 (20.0.0.11)' can't be established.
ECDSA key fingerprint is SHA256:oyGJ3iDy2VmJEvrJc2fPhoMY4moIq1XM/XU3A2YIKmI.
ECDSA key fingerprint is MD5:16:9d:43:43:fb:45:a2:6e:a7:a7:8a:0f:d8:67:93:32.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
xwy@20.0.0.11's password:   (enter xwy's login password)
Number of key(s) added: 1   (one key was installed; note that a known_hosts file also appears on the client now)
Now try logging into the machine, with: "ssh 'xwy@20.0.0.11'"
and check to make sure that only the key(s) you wanted were added.
[wt@server2 .ssh]$ ls   // check for new files
id_ecdsa id_ecdsa.pub known_hosts
On the server, check that the public key arrived:
[root@server1 xwy]# cd /home/xwy/
[root@server1 xwy]# ls -a
. .. .bash_history .bash_logout .bash_profile .bashrc .cache .config .mozilla .ssh
[root@server1 xwy]# cd .ssh/
[root@server1 .ssh]# ls
authorized_keys
View the file's contents:
[root@server1 .ssh]# cat authorized_keys
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFq8EoazYV0MhrmR9/dQuBQGrNfCy8JaEuUdEFJ0rUc6WwQrIInxhR5GQOrzxWE/s+bc4JnRhI7ht8M8SaVML2Q= wt@server2
Client:
[wt@server2 .ssh]$ whoami   // current user
wt
[wt@server2 .ssh]$ ssh xwy@20.0.0.11
Enter passphrase for key '/home/wt/.ssh/id_ecdsa':   // enter the passphrase chosen when the ECDSA key was created (111111)
Last failed login: Mon Dec 28 15:07:18 CST 2020 from 20.0.0.13 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Mon Dec 28 14:59:36 2020 from 20.0.0.12
There are two ways to authenticate:
1: the remote account's user name and password
2: the key pair installed above
[xwy@server1 ~]$ exit
登出
Connection to 20.0.0.11 closed.
[wt@server2 .ssh]$ ssh xwy@20.0.0.11
Enter passphrase for key '/home/wt/.ssh/id_ecdsa':
Last login: Mon Dec 28 16:21:46 2020 from 20.0.0.12
Notice that after logging out, the next login asks for the passphrase again. If this is a fixed server, and the host and user are considered trusted, typing the passphrase at every login is tedious. Can the login be made passphrase-free?
Go back to the local shell
[wt@server2 .ssh]$ ssh-
ssh-add ssh-agent ssh-copy-id ssh-keygen ssh-keyscan
[wt@server2 .ssh]$ ssh-agent bash
echo Agent pid 56886;   ssh-agent acts as a key agent for the shell it starts (here: bash)
Add the key you want to use for these connections:
[wt@server2 .ssh]$ ssh-add   (adds your key to the agent; asks for the key's passphrase once)
Enter passphrase for /home/wt/.ssh/id_ecdsa:
Identity added: /home/wt/.ssh/id_ecdsa (/home/wt/.ssh/id_ecdsa)
[wt@server2 .ssh]$ ssh xwy@20.0.0.11   // login now succeeds without a passphrase prompt
Last login: Mon Dec 28 16:25:22 2020 from 20.0.0.12
Extra: [wt@server2 ~]$ ssh-keygen -t rsa   (rsa: an asymmetric key type)
TCP Wrappers
TCP Wrappers (the first line of interception)
Whether a service supports TCP Wrappers depends on whether it has the supporting module
[root@server1 xwy]# cd /etc/   // the directory holds many files, so filter the listing
[root@server1 etc]# ls ./ | grep '\.allow'
hosts.allow
The allow file is read first, then the deny file
Allow list:
[root@server1 etc]# vim hosts.allow
sshd:20.0.0.12   // append on the last line (allow host 20.0.0.12 to log in through sshd)
[root@server1 etc]# vim hosts.deny
sshd:ALL
Client login test:
[root@server2 ~]# ssh xwy@20.0.0.11
xwy@20.0.0.11's password:
Last login: Mon Dec 28 16:42:49 2020 from 20.0.0.12
[xwy@server1 ~]$ exit
Server: check the sshd configuration file (make sure no AllowUsers/DenyUsers lists are set there too, to avoid overlapping rules)
[root@server1 etc]# vim /etc/ssh/sshd_config
Login from another client: hosts other than 20.0.0.12 cannot log in; the connection is refused
[root@server3 ~]# ssh xwy@20.0.0.11
ssh_exchange_identification: read: Connection reset by peer
Deny list: deny only
[root@server1 etc]# vim /etc/hosts.allow   // open the allow file
sshd:20.0.0.12   // delete this line
[root@server1 etc]# vim /etc/hosts.deny   // open the deny file
sshd:20.0.0.12   // add this line
Test:
[root@server3 ~]# ssh xwy@20.0.0.11   (now host 20.0.0.13 can log in, but host 20.0.0.12 cannot)
xwy@20.0.0.11's password:
Last login: Mon Dec 28 19:43:16 2020 from 20.0.0.12
[xwy@server1 ~]$
[xwy@server1 ~]$ exit
[root@server2 ~]# ssh xwy@20.0.0.11
ssh_exchange_identification: read: Connection reset by peer
What happens if the same line,
sshd:20.0.0.12
is added to both the allow file and the deny file?
[root@server1 etc]# vim /etc/hosts.deny
[root@server1 etc]# vim /etc/hosts.allow
Result: both hosts (20.0.0.12 and 20.0.0.13) can log in.
The allow file is read first, so 20.0.0.12 is allowed; the deny file has no rule for 20.0.0.13, so it is allowed by default as well.
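The evaluation order just demonstrated (hosts.allow first, then hosts.deny, default allow), together with the client-address forms listed in the TCP Wrappers policy section earlier on this page, can be modelled in a few shell functions. The script below is an added example, not part of the original notes and not libwrap itself: it performs no DNS lookups and ignores EXCEPT lists and shell-command options, but it reproduces the page's rules for ALL, the ? and * wildcards, "192.168.4."-style prefixes, net/mask and net/length networks, and ".benet.com" domain suffixes. Function names (tw_decide, tw_match_addr and the rest) are my own, and the sample policy files are constructed from the page's example.

```shell
#!/bin/sh
# Added example (not from the original notes): a model of the hosts.allow /
# hosts.deny evaluation order and client-address forms described on this page.
# Assumptions: POSIX sh; educational model only, not libwrap (no DNS lookups,
# no EXCEPT lists, no shell-command options). Sample files are constructed.

# Dotted IPv4 address -> 32-bit integer (subshell body keeps IFS local).
ip2int() (
    IFS=.; set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Does one client pattern from a rule match one client address or name?
tw_match_addr() {
    _pat=$1; _addr=$2
    case $_pat in
        ALL) return 0 ;;
        *.)  case $_addr in "$_pat"*) return 0 ;; esac; return 1 ;;   # network prefix, e.g. 192.168.4.
        .*)  case $_addr in *"$_pat") return 0 ;; esac; return 1 ;;   # domain suffix, e.g. .benet.com
        */*)                                                         # net/mask or net/length
            _net=${_pat%/*}; _mask=${_pat#*/}
            case $_mask in
                *.*) _m=$(ip2int "$_mask") ;;
                *)   _m=$(( (4294967295 << (32 - _mask)) & 4294967295 )) ;;
            esac
            case $_addr in *[!0-9.]*) return 1 ;; esac                # only IPv4 literals can match
            [ $(( $(ip2int "$_addr") & _m )) -eq $(( $(ip2int "$_net") & _m )) ] ;;
        *)   case $_addr in $_pat) return 0 ;; esac; return 1 ;;      # exact, or ? and * wildcards
    esac
}

# Return 0 if any "daemon_list : client_list" rule in FILE matches SERVICE
# from CLIENT. Runs in a subshell so "set -f" (no pathname expansion of
# patterns such as 192.168.?.*) does not leak into the caller.
tw_file_matches() (
    _file=$1; _svc=$2; _client=$3
    set -f
    [ -f "$_file" ] || return 1
    while IFS= read -r _line || [ -n "$_line" ]; do
        _line=${_line%%#*}                              # strip comments
        case $_line in *:*) ;; *) continue ;; esac      # not a rule line
        _daemons=$(printf '%s' "${_line%%:*}" | tr -d ' \t')
        _clients=$(printf '%s' "${_line#*:}" | tr -d ' \t')
        _hit=1
        for _d in $(printf '%s' "$_daemons" | tr ',' ' '); do
            [ "$_d" = ALL ] || [ "$_d" = "$_svc" ] && _hit=0
        done
        [ $_hit -eq 0 ] || continue
        for _c in $(printf '%s' "$_clients" | tr ',' ' '); do
            tw_match_addr "$_c" "$_client" && return 0
        done
    done < "$_file"
    return 1
)

# The order this page describes: hosts.allow first (a match allows), then
# hosts.deny (a match denies), otherwise allow. Usage: tw_decide SERVICE CLIENT ALLOWFILE DENYFILE
tw_decide() {
    if tw_file_matches "$3" "$1" "$2"; then echo allow
    elif tw_file_matches "$4" "$1" "$2"; then echo deny
    else echo allow
    fi
}

# Constructed sample: the policy example from this page (sshd only from
# 61.63.65.67 and 192.168.2.0/24, everything else denied). Prints "allowfile denyfile".
write_sample_policy() {
    _a=$(mktemp); _d=$(mktemp)
    printf 'sshd: 61.63.65.67, 192.168.2.0/24\n' > "$_a"
    printf 'sshd: ALL\n' > "$_d"
    echo "$_a $_d"
}

# Stand-alone use: sh tcpwrap_model.sh sshd 20.0.0.12 [hosts.allow hosts.deny]
if [ $# -ge 2 ]; then
    tw_decide "$1" "$2" "${3:-/etc/hosts.allow}" "${4:-/etc/hosts.deny}"
fi
```

Running the model over the page's experiment reproduces its result: with sshd:20.0.0.12 in both files, 20.0.0.12 is matched by the allow file before the deny file is ever consulted, and 20.0.0.13 matches nothing and falls through to the default allow.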
ssh client
[root@server1 ~]# vim /etc/ssh/sshd_config
17 Port 123   if the listening port is changed,
the client must specify it when connecting: [root@server2 .ssh]# ssh -p 123 xwy@20.0.0.11
[root@server1 .ssh]# vim /etc/ssh/sshd_config
38 PermitRootLogin yes   // re-enable root login
Delete the allow-list entries
[root@server1 .ssh]# systemctl restart sshd   // restart the service
[root@server1 ~]# ssh root@20.0.0.11   // root can log in again
root@20.0.0.11's password:
Last failed login: Mon Dec 28 17:26:05 CST 2020 from 20.0.0.11 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Mon Dec 28 17:25:46 2020
On the client, create a file and a directory under /opt for the test
[root@server1 ~]# cd /opt/
[root@server1 opt]# ls
abc.txt rh
[root@server1 opt]# echo "this is ssh-client" > ssh_client.txt
[root@server1 opt]# mkdir -p text/jerry
[root@server1 opt]# ll
总用量 4
-rw-r--r--. 1 root root 0 12月 28 14:01 abc.txt
drwxr-xr-x. 2 root root 6 3月 26 2015 rh
-rw-r--r--. 1 root root 19 12月 28 17:30 ssh_client.txt   (file)
drwxr-xr-x. 3 root root 19 12月 28 17:30 text   (directory)
Copy the file from the client to the remote host
[root@server1 opt]# scp ssh_client.txt root@20.0.0.11:/home/
root@20.0.0.11's password:
ssh_client.txt
Server: check that the file arrived
[root@server1 .ssh]# ls /home/
liming lisi ssh_client.txt wangwu xwy
[root@server1 .ssh]# cat /home/ssh_client.txt
this is ssh-client
What about transferring a directory?
Client upload
[root@server1 opt]# scp -r text/ root@20.0.0.11:/home/
root@20.0.0.11's password:
Server check:
[root@server1 .ssh]# cd /home/
[root@server1 home]# ls
liming lisi ssh_client.txt text wangwu xwy
[root@server1 home]# cd text/
[root@server1 text]# ls
jerry
Clear the files under /opt
[root@server1 opt]# rm -rf ssh_client.txt
[root@server1 opt]# rm -rf text/
[root@server1 opt]# rm -rf abc.txt
[root@server1 opt]# ll
总用量 0
drwxr-xr-x. 2 root root 6 3月 26 2015 rh
[root@server1 opt]# sftp root@20.0.0.11   // log in to the server with sftp
root@20.0.0.11's password:
Connected to 20.0.0.11.
sftp> ls   // the listing shows the server's files
anaconda-ks.cfg initial-setup-ks.cfg 下载 公共 图片
文档 桌面 模板 视频 音乐
Create a file on the server
[root@server1 ~]# touch root.txt
Client check:
sftp> ls
anaconda-ks.cfg initial-setup-ks.cfg root.txt 下载 公共
图片 文档 桌面 模板 视频
音乐
sftp> cd /home
sftp> ls
liming lisi ssh_client.txt text wangwu xwy
sftp> get ssh_client.txt
Fetching /home/ssh_client.txt to ssh_client.txt
/home/ssh_client.txt
sftp> bye   // quit
[root@server1 opt]# ls   // the file has been downloaded
rh ssh_client.txt
[root@server1 opt]# mv ssh_client.txt ssh_server.txt   // rename it, then upload it
[root@server1 opt]# ls
rh ssh_server.txt
Client upload
[root@server1 opt]# sftp root@20.0.0.11
root@20.0.0.11's password:
Connected to 20.0.0.11.
sftp> ls
anaconda-ks.cfg initial-setup-ks.cfg root.txt 下载 公共
图片 文档 桌面 模板 视频
音乐
sftp> cd /home/
sftp> ls
liming lisi ssh_client.txt text wangwu xwy
sftp> put ssh_server.txt
Uploading ssh_server.txt to /home/ssh_server.txt
ssh_server.txt 100% 19 22.8KB/s 00:00
sftp> bye
Extra: tab completion for get completes remote paths, and for put it completes local paths
Server: check that the file was received:
[root@server1 ~]# ls /home/
liming lisi ssh_client.txt ssh_server.txt text wangwu xwy
Question: how to confine a user who logs in to their own home directory on the remote side
[root@server1 opt]# sftp xwy@20.0.0.11   // log in to the server as xwy
xwy@20.0.0.11's password:
Connected to 20.0.0.11.
sftp> ls
Server: create a file in xwy's home directory:
[root@server1 ~]# cd /home/xwy/
[root@server1 xwy]# ls
[root@server1 xwy]# touch abc.txt
Check:
sftp> ls
abc.txt
At this point we see that, once logged in, the sftp client can change to any directory on the server. This is unsafe; how should the problem be addressed?