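Protocol overview:
OpenSSH is a free, open-source implementation of the SSH protocol. The SSH protocol family can be used for remote control or for transferring files between computers. The traditional ways of doing this, such as telnet and ftp, are highly insecure and send passwords in clear text. OpenSSH provides a server daemon and client tools that encrypt the data exchanged during remote control and file transfer, and so replaces those older services.
Two authentication methods:
Password authentication and key authentication
Environment:
server: RedHat with a graphical desktop
ip:192.168.22.3
client: RedHat with a graphical desktop
ip:192.168.22.4
Experiment 1: password login
Start the ssh service with password login on the server, so that the client can log in to the server remotely with a password.
The firewall allows the ssh service by default, so no extra firewall rule is needed here.
server:
[root@serverB ~]# yum -y install openssh* //install the ssh service
[root@serverB ~]# systemctl restart sshd //restart the ssh service
[root@serverB ~]# setenforce 0 //set SELinux to permissive mode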
client:
[root@client ~]# ssh root@192.168.22.3
The authenticity of host '192.168.22.3 (192.168.22.3)' can't be established.
ECDSA key fingerprint is SHA256:fPcUU18Fvcbh2GZ4MvDgwDGVU0hWay+ZDy+Bw9jpvak.
Are you sure you want to continue connecting (yes/no)? yes //type yes
Warning: Permanently added '192.168.22.3' (ECDSA) to the list of known hosts.
root@192.168.22.3's password: //enter the server root user's password
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Tue Dec 6 17:48:04 2022 from 192.168.22.4
[root@serverB ~]#
[root@serverB ~]# exit
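Experiment 2: key login
Generate a key pair on the client and send the public key to the server, so that the client can log in to the server remotely with the key.
client: generate the key pair
[root@client ~]# yum -y install openssh* //install the ssh service on the client
[root@client ~]# ssh-keygen -t rsa //generate the key pair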
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): //path for the key pair; press Enter for the default
Enter passphrase (empty for no passphrase): //passphrase for the key pair; press Enter for none
Enter same passphrase again: //confirm the passphrase
[root@client ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@192.168.22.3 //send the public key
Format: ssh-copy-id -i public-key-path target-user@host-ip
root@192.168.22.3's password: //enter the root password of host 192.168.22.3
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@192.168.22.3'"
and check to make sure that only the key(s) you wanted were added.
On the server, check the public key file and change the login method
[root@serverB .ssh]# ls
authorized_keys
[root@serverB .ssh]#
[root@serverB ~]# vim /etc/ssh/sshd_config
73 PasswordAuthentication no //refuse password login
[root@serverB ~]# systemctl restart sshd
Verify from the client:
[root@client ~]# ssh root@192.168.22.3
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Tue Dec 6 18:54:48 2022 from 192.168.22.4
[root@serverB ~]#
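Changing the port:
[root@serverB ~]# vim /etc/ssh/sshd_config
17 #Port 22 //ssh uses port 22 by default. To change it, uncomment line 17 and set the new port
The firewall must also allow the new port, or the firewall must be turned off.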
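After editing PasswordAuthentication and Port as above, it is worth confirming which value sshd will actually use, because sshd_config takes the first value it finds for each keyword. The script below is an added example, not part of the original page; the function names and the sample files are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): report the value sshd will use
# for a global keyword in an sshd_config-style file.
# sshd_config(5): keywords are case-insensitive and, for each keyword, the
# FIRST value obtained is used, so a later duplicate line has no effect.
# Assumptions: Include files are not followed; parsing stops at the first
# Match block; lines use the whitespace-separated "Keyword value" form.

sshd_effective() {   # usage: sshd_effective KEYWORD FILE DEFAULT
    awk -v want="$1" -v def="$3" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || NF == 0 { next }          # comments and blank lines
        tolower($1) == "match" { exit }           # end of global section
        tolower($1) == want { val = $2; gsub(/"/, "", val); found = 1; exit }
        END { print (found ? val : def) }
    ' "$2"
}

audit_sshd() {   # returns 0 only when password login is effectively disabled
    pw=$(sshd_effective PasswordAuthentication "$1" yes)   # sshd default: yes
    port=$(sshd_effective Port "$1" 22)                    # sshd default: 22
    echo "PasswordAuthentication=$pw Port=$port"
    case "$pw" in [Nn][Oo]) return 0 ;; *) return 1 ;; esac
}

# Constructed sample configs (not taken from a real host).
make_samples() {
    SAMPLE_DIR=$(mktemp -d)
    printf '%s\n' '#Port 22' 'PasswordAuthentication no' \
        > "$SAMPLE_DIR/good.conf"
    printf '%s\n' 'Port 2222' 'passwordauthentication yes' \
        '# edited later, but the line above already won:' \
        'PasswordAuthentication no' > "$SAMPLE_DIR/shadowed.conf"
}

make_samples
audit_sshd "$SAMPLE_DIR/good.conf"     || echo "password login still enabled"
audit_sshd "$SAMPLE_DIR/shadowed.conf" || echo "password login still enabled"
```

On the server, run `audit_sshd /etc/ssh/sshd_config`; `sshd -T` (as root) prints the full effective configuration, including Include files and defaults.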