Linux与云计算——第二阶段 第三章：SSH服务器架设（上）openssh 基础

Linux与云计算——第二阶段Linux服务器架设

第三章：SSH服务器架设（上）openssh 基础

1.密码认证

配置SSH服务器以便远程主机连接访问

[1] 即使你在安装CentOS系统的时候选择了最小化安装，OpenSSH也会被默认安装，所以你不需要再安装任何额外的软件包来实现该功能。缺省情况下你可以通过密码实现远程访问，如果需要增强安全性，建议还是要修改部分配置。

[[email protected] ~]# vim /etc/ssh/sshd_config

# line 49:去掉备注并修改 ( 阻止root用户远程访问 )

PermitRootLogin no

# line 77和78: 去掉注释

PermitEmptyPasswords no

PasswordAuthentication yes

[[email protected] ~]# systemctl restart sshd

[2] 如果防火墙服务处于开启状态，请允许SSH服务，SSH使用TCP的20端口进行通信。 [[email protected] ~]# firewall-cmd --add-service=ssh --permanent

[[email protected] ~]# firewall-cmd --reload

在CentOS上配置SSH客户端.

[3] 安装SSH客户端.

[[email protected] ~]# yum -y install openssh-clients

[4] 使用一个普通用户连接SSH服务器.

# ssh [[email protected](hostname or IP address)]

[[email protected] ~]# ssh [email protected]

The authenticity of host ‘192.168.96.128 (192.168.96.128)‘ can‘t be established.

ECDSA key fingerprint is 26:a3:c4:bc:cb:36:c5:20:1d:9c:ad:eb:b2:11:bb:36.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added ‘192.168.96.128‘ (ECDSA) to the list of known hosts.

[email protected]‘s password:

[[email protected] ~]$

[5] 我们也可以使用SSH来在远程主机上执行命令.

# 例如我们希望执行"cat /etc/passwd"

[[email protected] ~]# ssh [email protected] "cat /etc/passwd"

[email protected]‘s password:

root:x:0:0:root:/root:/bin/bash

bin:x:1:1:bin:/bin:/sbin/nologin

...

...

postfix:x:89:89::/var/spool/postfix:/sbin/nologin

sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin

Configure SSH Client on Windows.

[6]你也可以尝试在windows上使用一些终端软件来实现，例如putty、xshell或者SecureCRT.

2.文件传输（CentOS）

使用基于SSH的文件传输非常方便并且安全高效.

[1] 使用SCP (Secure Copy)来进行文件传输.

# scp [Option] Source Target

# 将本地的[test.txt] 拷贝给远程服务器 [demo.example.com]

[[email protected] ~]# cp /etc/passwd ./test.txt

[[email protected] ~]# scp test.txt [email protected]:~/

[email protected]‘s password:

test.txt                                                100% 1040     1.0KB/s   00:00

[2] 使用SFTP (SSH File Transfer Protocol)来进行文件传输.

SFTP服务器功能一般是默认开启的，如果没有开启，就在[/etc/ssh/sshd_config]文件中加入以下行来开启它 [Subsystem sftp /usr/libexec/openssh/sftp-server].

# sftp [Option] [[email protected]]

[[email protected] ~]# sftp [email protected]

[email protected]‘s password:

Connected to 192.168.96.128

# 显示远程主机的当前目录

sftp> pwd

Remote working directory: /home/user

# 显示本地服务器的当前目录

sftp> !pwd

/root

# 显示远程主机当前目录中的文件

sftp> ls -l

-rw-r--r--    1 user     user         1040 Jul  8 11:17 test.txt

# 显示本地主机中当前目录中的文件

sftp> !ls -l

total 8

-rw-------. 1 root root  996 Jul  8 03:44 anaconda-ks.cfg

-rw-r--r--. 1 root root 1040 Jul  8 20:15 test.txt

# 上传一个文件到远程服务器

sftp> put anaconda-ks.cfg redhat.txt

Uploading anaconda-ks.cfg to /home/user/redhat.txt

anaconda-ks.cfg

sftp> ls -l

-rw-------    1 user     user          996 Jul  8 12:09 redhat.txt

-rw-r--r--    1 user     user         1040 Jul  8 11:17 test.txt

# 从远程服务器上下载一个文件

sftp> get test.txt

Fetching /home/user/test.txt to test.txt

/home/user/test.txt

# 在远程服务器上创建目录

sftp> mkdir testdir

sftp> ls -l

-rw-------    1 user     user          996 Jul  8 12:09 redhat.txt

-rw-r--r--    1 user     user         1040 Jul  8 11:17 test.txt

drwxrwxr-x    2 user     user            6 Jul  8 12:35 testdir

# 删除目录

sftp> rmdir testdir

sftp> ls -l

-rw-------    1 user     user          996 Jul  8 12:09 redhat.txt

-rw-r--r--    1 user     user         1040 Jul  8 11:17 test.txt

# 删除一个文件

sftp> rm test.txt

Removing /home/user/test.txt

sftp> ls -l

-rw-------    1 user     user          996 Jul  8 12:09 redhat.txt

# 退出

sftp> quit

3.文件传输（Windows）

在Windows平台下，有一款SCP传输的工具值得推荐使用，可以自行下载安装，使用方法很简单，安装完毕后，连接服务器，就可以自由传输文件了。

4.Keys认证

使用密钥认证的方式访问SSH服务器，给服务器创建一个私钥和公钥。

[1] 为每一个用户创建一个密钥对，并且普通用户通过密钥登录访问服务器。

# 创建密钥对

[[email protected] ~]$ ssh-keygen -t rsa

Generating public/private rsa key pair.

Enter file in which to save the key (/home/user/.ssh/id_rsa):

Created directory ‘/home/user/.ssh‘.

Enter passphrase (empty for no passphrase):

Enter same passphrase again:

Your identification has been saved in /home/user/.ssh/id_rsa.

Your public key has been saved in /home/user/.ssh/id_rsa.pub.

The key fingerprint is:

b4:22:69:1c:b6:35:77:88:bc:61:96:b3:13:b6:fb:70 [email protected]

The key‘s randomart image is:

[[email protected] ~]$ mv ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys

[[email protected] ~]$ chmod 600 ~/.ssh/authorized_keys 

[2] 将创建好的密钥发给客户机，客户机可以通过该密钥访问服务器并完成验证。

[[email protected] ~]$ mkdir ~/.ssh

[[email protected] ~]$ chmod 700 ~/.ssh

# 将密钥拷贝到本地的ssh目录中

[[email protected] ~]$ mkdir ~/.ssh

[[email protected] ~]$ chmod 700 ~/.ssh

[[email protected] ~]$ scp [email protected]:/home/user/.ssh/id_rsa ~/.ssh/

The authenticity of host ‘192.168.96.128 (192.168.96.128)‘ can‘t be established.

ECDSA key fingerprint is 26:a3:c4:bc:cb:36:c5:20:1d:9c:ad:eb:b2:11:bb:36.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added ‘192.168.96.128‘ (ECDSA) to the list of known hosts.

[email protected]‘s password:

id_rsa

[[email protected] ~]$ ssh -i ~/.ssh/id_rsa [email protected]

Last login: Fri Jul  8 14:11:41 2016

[[email protected] ~]$

[3] 如果你 "PasswordAuthentication" 设置为no,系统将更加安全。

[[email protected] ~]# vim /etc/ssh/sshd_config

# line 79: 把yes更换为 "no"

PasswordAuthentication no

[[email protected] ~]# systemctl restart sshd

详细视频课程请戳—→ http://edu.51cto.com/course/course_id-6574.html