SSH client and key-based login

The ssh service

ssh stands for Secure Shell. The protocol version in use today is 2; it runs over TCP port 22 and provides secure remote login.
There are two protocol versions, v1 and v2:
v1 uses CRC-32 as its integrity check, which is insecure and cannot prevent man-in-the-middle attacks; it should never be enabled.
In v2 the two hosts negotiate a secure MAC algorithm, exchange session keys with the Diffie-Hellman algorithm, and authenticate with RSA or DSA keys (current OpenSSH releases also support ECDSA and Ed25519 keys and disable DSA by default).
Concrete implementations of ssh include OpenSSH and Dropbear.


OpenSSH

OpenSSH is an implementation of ssh that provides authenticated, encrypted access to remote systems. When a user connects to an ssh server for the first time, the client records the server's host public key (the content of a file such as /etc/ssh/ssh_host_ecdsa_key.pub on the server) in the client's ~/.ssh/known_hosts. On every later connection the server proves possession of the matching private key and the client compares the presented key with the stored entry; if they do not match, the client warns that the remote host identification has changed and refuses the connection, because a mismatch is exactly what a man-in-the-middle attack looks like.

Components of the ssh software
On RPM-based systems OpenSSH is split into the openssh, openssh-clients and openssh-server packages.
Because ssh is a client/server architecture, there is a separate configuration for the client and for the server.

OpenSSH client

I. Configuration file

The ssh client configuration lives in /etc/ssh/ssh_config (per-user overrides go in ~/.ssh/config). The client configuration is usually left at its defaults, but a few options are worth knowing.
1. StrictHostKeyChecking
When the client connects to a server for the first time it asks whether the host you are connecting to is really the one you intend. The default (ask) prompts every time an unknown host key is seen; when set to no it no longer asks. Be aware that no also lets the connection proceed when a stored key has changed, which throws away the man-in-the-middle protection known_hosts exists for, so reserve it for throwaway test hosts. Newer OpenSSH releases also accept accept-new, which adds unknown keys automatically but still refuses a changed key.

StrictHostKeyChecking no

2. Port
This is the port used when connecting to the server. The default is 22; when the server's sshd listens on a non-standard port, change the Port line in the configuration file, or pass the port on the command line with ssh -p PORT.
Configuration-file method:

Port 9527    # find the Port line and change it to the desired port

Command-line method:

[root@host ~]# ssh USER@HOST -p 9527
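Rather than turning off StrictHostKeyChecking to get rid of the first-connection prompt, the safer habit is to compare the fingerprint shown at that prompt with one obtained out of band and pin it. The script below is an added example, not code from the original article; it assumes OpenSSH's ssh-keygen is installed, and the host name, the known_hosts path, the server's public key file (a .pub file or one line of ssh-keyscan output) and the expected fingerprint are all placeholders you supply.

```shell
#!/bin/sh
# Added example, not from the original article. Pins a server host key by
# fingerprint instead of setting "StrictHostKeyChecking no". Assumes
# OpenSSH's ssh-keygen is installed; host, file paths and fingerprint are
# arguments you supply.

# fingerprint_of KEYFILE -> SHA256 fingerprint, in the form ssh shows at the
# "authenticity of host ... can't be established" prompt. KEYFILE may be a
# .pub file or a line captured from ssh-keyscan (known_hosts format).
fingerprint_of() {
    ssh-keygen -lf "$1" | awk '{print $2}'
}

# pin_host_key KNOWN_HOSTS HOST KEYFILE EXPECTED_FP
# Appends "HOST keytype key" to KNOWN_HOSTS only when the key's fingerprint
# equals EXPECTED_FP, the value obtained over a trusted channel (the server's
# console, or ssh-keygen -lf /etc/ssh/ssh_host_*.pub run by its admin).
# Returns 0 when pinned, 1 on mismatch. ssh then connects without prompting
# and still refuses a changed key, which "StrictHostKeyChecking no" would
# silently accept.
pin_host_key() {
    known_hosts=$1; host=$2; keyfile=$3; expected=$4
    actual=$(fingerprint_of "$keyfile")
    if [ "$actual" != "$expected" ]; then
        echo "REFUSING $host: fingerprint $actual does not match $expected" >&2
        return 1
    fi
    # Normalise both accepted input formats to "keytype base64" and drop the
    # comment: a .pub line starts with the key type, a keyscan line with the host.
    set -- $(head -n 1 "$keyfile")
    case $1 in ssh-*|ecdsa-*|sk-*) ;; *) shift ;; esac
    printf '%s %s %s\n' "$host" "$1" "$2" >> "$known_hosts"
}

# is_known KNOWN_HOSTS HOST -> 0 if HOST has an entry; this is the lookup ssh
# itself performs and it works for hashed known_hosts files too.
is_known() {
    ssh-keygen -F "$2" -f "$1" >/dev/null 2>&1
}

# Typical use, run by hand:
#   ssh-keyscan -t ed25519 192.168.73.128 > host.key                    # collect the key
#   pin_host_key ~/.ssh/known_hosts 192.168.73.128 host.key SHA256:...  # pin it
```

The fingerprint to pass as the last argument must come from somewhere other than the network path you are about to trust: read it from the server's console, or have its administrator run ssh-keygen -lf on the host key and send it to you. Once the entry is in known_hosts the prompt disappears, but unlike StrictHostKeyChecking no, a server presenting a different key is still rejected.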

II. ssh login methods

ssh has two login methods: password-based login and key-based login.

Password-based login

Password-based login uses the ssh command directly.
Usage:

ssh [OPTION] [USER@]HOST [COMMAND]
Option   Description
-p PORT  port the remote server listens on
-b ADDR  source IP address to bind the connection to
-v       verbose (debug) output
-C       compress all data
-X       enable X11 forwarding
-t       force pseudo-tty allocation

Examples of common options:

-p: specify the port to connect to on the remote host, used when the server listens on a non-standard port

[root@host ~]# ssh USER@HOST -p 9527

-C: compress the connection, useful on low-bandwidth links

[root@host ~]# ssh -C USER@HOST

-X: enable X11 forwarding
X11 forwarding lets graphical programs running on the remote host display on the local machine. It also gives the remote host access to your local X display, so use -X (untrusted forwarding) only with hosts you trust and leave -Y (trusted forwarding) alone unless an application really needs it.

[root@host ~]# ssh -X USER@HOST

-t: force pseudo-tty allocation
A typical use is a chain of hosts a, b, c, d where a cannot reach d directly and has to log in to b, then c, then d in turn. With -t a single command logs in all the way through to d, because each intermediate ssh client needs a tty to prompt for the next password. Note that the passwords for c and d are typed into the ssh clients running on b and c, so those hosts see them; on current OpenSSH the -J (ProxyJump) option tunnels the connection end to end through the jump hosts without exposing credentials to them.

[root@host ~]# ssh -t 192.168.73.132 ssh -t 192.168.73.133 ssh 192.168.73.134
root@192.168.73.132's password:
The authenticity of host '192.168.73.133 (192.168.73.133)' can't be established.
ECDSA key fingerprint is SHA256:YNlH0VBV0kp4lAClVvfMWVx/bHcbKKHXQwyd13d+MME.
ECDSA key fingerprint is MD5:8a:1c:3d:c2:04:b1:be:05:95:33:9e:16:e8:ad:6c:25.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.73.133' (ECDSA) to the list of known hosts.
root@192.168.73.133's password:
The authenticity of host '192.168.73.134 (192.168.73.134)' can't be established.
ECDSA key fingerprint is SHA256:YNlH0VBV0kp4lAClVvfMWVx/bHcbKKHXQwyd13d+MME.
ECDSA key fingerprint is MD5:8a:1c:3d:c2:04:b1:be:05:95:33:9e:16:e8:ad:6c:25.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.73.134' (ECDSA) to the list of known hosts.
root@192.168.73.134's password:
Last failed login: Tue Apr 16 11:41:25 CST 2019 from 192.168.73.133 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Tue Apr 16 07:15:03 2019 from 192.168.73.1

Note that 192.168.73.133 and 192.168.73.134 (and, later in this article, 192.168.73.128) all present the same ECDSA host key fingerprint. That is what happens when virtual machines are cloned from one image that already had its host keys generated. It defeats the purpose of known_hosts: the client cannot tell the hosts apart, and a compromised clone can impersonate any of the others. Regenerate the host keys on each clone (remove /etc/ssh/ssh_host_*, run ssh-keygen -A and restart sshd) before trusting the fingerprints.

Key-based login

I. Interactive key setup
1. Generate a key pair on the local machine (this OpenSSH version defaults to a 2048-bit RSA key; prefer ssh-keygen -t ed25519 where both ends support it)

[root@host ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:7s3nPNrHugMdkip+8ozUvE2pYeUnvGGhylzVHMhaPMk root@host
The key‘s randomart image is:
+---[RSA 2048]----+
|                 |
|         + o     |
|          E..    |
|         oo+..   |
|        S.+oo.   |
|      .+.*.o.    |
|     ...O O...   |
|     +oB.X B+ o  |
|      =+* *+**   |
+----[SHA256]-----+

2. Send the public key to the remote host (ssh-copy-id appends ~/.ssh/id_rsa.pub to ~/.ssh/authorized_keys of the target account; only the public key leaves the machine)

[root@host ~]# ssh-copy-id root@192.168.73.128
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.73.128's password:
Permission denied, please try again.
root@192.168.73.128's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@192.168.73.128'"
and check to make sure that only the key(s) you wanted were added.

II. Non-interactive key setup
1. Generate the key pair without any prompts; it is stored in ~/.ssh/id_rsa (-N "" sets an empty passphrase, -f sets the output file)

[root@host ~]# ssh-keygen -t rsa -N "" -f ~/.ssh/id_rsa
Generating public/private rsa key pair.
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:q+dIP5AXsmfJT71CleOlW8pR27c/SBdDJaRBK/n3ibo root@host
The key‘s randomart image is:
+---[RSA 2048]----+
|           .o.o o|
|           . + o |
|          o o..  |
|      . .  o+ oo |
|       =So +.=.oo|
|      + *.o =o+o+|
|      .=.+ ..Bo.+|
|     . +o o *. o |
|      ooo. E.   +|
+----[SHA256]-----+

2. Copy the public key to the remote host

[root@host ~]# ssh-copy-id 192.168.73.128
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.73.128's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '192.168.73.128'"
and check to make sure that only the key(s) you wanted were added.

Note: key authentication is only as strong as the protection of the private key. If the private key file is stolen, whoever holds it can log in without a password to every host where the matching public key is installed. To limit the damage from a stolen key, encrypt the private key with a passphrase (the thief then has to brute-force the passphrase before the key is usable), and remove the public key from authorized_keys on every server as soon as a theft is suspected.
3. Encrypting the key

[root@host .ssh]# ssh-keygen -t rsa -P "111111" -f ~/.ssh/id_rsa     # set a passphrase when creating the key (this one is far too weak, and -P leaves the passphrase in shell history; prefer the interactive prompt, or add one later with ssh-keygen -p)
Generating public/private rsa key pair.
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:+kwhjUafA73ra7CoTaR59wemYBSGMummrZbHwubPUlI root@host
The key‘s randomart image is:
+---[RSA 2048]----+
| . .             |
|+ . o  .         |
|.o . .o .        |
| o E.. = o       |
|o.... + S        |
|...=o..oo+       |
|..B.ooo=o.       |
|.B.*..o*. .      |
|+.*+.  .*o       |
+----[SHA256]-----+

[root@host .ssh]# ssh-copy-id 192.168.73.128                         # copy the public key to the remote host
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.73.128 (192.168.73.128)' can't be established.
ECDSA key fingerprint is SHA256:YNlH0VBV0kp4lAClVvfMWVx/bHcbKKHXQwyd13d+MME.
ECDSA key fingerprint is MD5:8a:1c:3d:c2:04:b1:be:05:95:33:9e:16:e8:ad:6c:25.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.73.128's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '192.168.73.128'"
and check to make sure that only the key(s) you wanted were added.

[root@host .ssh]# ssh 192.168.73.128
Enter passphrase for key '/root/.ssh/id_rsa':                       # the next login asks for the key's passphrase
Last login: Tue Apr 16 21:15:58 2019 from 192.168.73.132

Because typing the passphrase on every login is tedious, an agent can be used instead: enter the passphrase once, and from then on the agent answers the key challenge for every login, so no further typing is needed. The decrypted key lives only in the agent's memory and never touches disk. Do not enable agent forwarding (ssh -A) towards hosts you do not fully trust: root on such a host can use the forwarded agent to authenticate as you for as long as your session is open.
4. Using the ssh-agent

[root@host .ssh]# ssh-agent bash         # start the agent (this spawns a subshell; eval "$(ssh-agent -s)" sets the variables in the current shell instead)
[root@host .ssh]# ssh-add                # hand the key to the agent
Enter passphrase for /root/.ssh/id_rsa:
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
[root@host .ssh]# ssh 192.168.73.128
Last login: Tue Apr 16 21:21:40 2019 from 192.168.73.128        # password-less login again
[root@host ~]# 
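Tying steps 3 and 4 together: what a stolen key can do is limited not only by its passphrase but also by the options placed in front of the key in authorized_keys, and the agent should hold the decrypted key only for a bounded time. The following is an added example, not part of the original article; it assumes the OpenSSH client tools (ssh-agent, ssh-add), and the key path, the 192.168.73.0/24 source range and the 3600-second lifetime are example values.

```shell
#!/bin/sh
# Added example, not from the original article. Builds a restricted
# authorized_keys entry for a public key and loads the private key into a
# short-lived agent. Assumes OpenSSH client tools (ssh-agent, ssh-add).
# Key paths, the 192.168.73.0/24 range and the lifetime are example values.

# restrict_key PUBKEY_FILE FROM_PATTERN -> prints one authorized_keys line.
# The options in front of the key limit what a stolen private key is good
# for: it only works from FROM_PATTERN (CIDR or host patterns, comma
# separated), cannot open tunnels, cannot forward an agent and cannot
# request X11. Revocation is deleting the line on every server.
restrict_key() {
    pubkey=$1; from=$2
    read -r keytype keydata comment < "$pubkey"
    printf 'from="%s",no-agent-forwarding,no-port-forwarding,no-X11-forwarding %s %s %s\n' \
        "$from" "$keytype" "$keydata" "$comment"
}

# agent_start -> starts an agent for the current shell (not a subshell, as
# "ssh-agent bash" does) and exports SSH_AUTH_SOCK / SSH_AGENT_PID.
agent_start() {
    eval "$(ssh-agent -s)" >/dev/null
}

# agent_load KEYFILE SECONDS -> adds KEYFILE with a lifetime; the agent
# forgets the decrypted key after SECONDS, so the passphrase is asked for
# again afterwards. Sets AGENT_KEYS to the number of identities now loaded.
agent_load() {
    keyfile=$1; ttl=$2
    ssh-add -t "$ttl" "$keyfile" >/dev/null 2>&1 || return 1
    AGENT_KEYS=$(ssh-add -L | grep -c -E '^(ssh-|ecdsa-|sk-)')
}

# agent_stop -> kills the agent; the decrypted key is gone with it.
# Never forward the agent (ssh -A) to a host you do not trust: root there can
# use every loaded key as you for as long as your session is open.
agent_stop() {
    ssh-agent -k >/dev/null
}

# Typical use, run by hand with a key that was created with a passphrase:
#   restrict_key ~/.ssh/id_ed25519.pub 192.168.73.0/24 >> authorized_keys_for_remote
#   agent_start && agent_load ~/.ssh/id_ed25519 3600 && ssh 192.168.73.128
```

The from= restriction is enforced by sshd, so a thief who copies the key to a laptop outside 192.168.73.0/24 gets nothing even if they also guess the passphrase; the no-* options keep a compromised key from being used as a pivot. The lifetime passed to ssh-add -t is the agent-side equivalent of the passphrase prompt: after it expires the key must be unlocked again.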

5. Key-based authentication in a cluster
Suppose there are three machines that must all be able to log in to each other with keys. Done by hand, this means sitting at each host in turn, generating a key pair and distributing the public key, which is tedious. Is there a more convenient way?
The approach used here: the three hosts share a single key pair. Be aware of what this trades away: every host holds the same private key, so compromising any one of them hands the attacker the others, the server logs cannot tell which host actually logged in, and revoking the key means re-keying the whole cluster. For anything beyond a lab, generate a key per host and merge only the public keys into authorized_keys (configuration management tools such as Ansible do this for you).
5.1 Create the key pair on one host

[root@host ~]# mkdir .ssh
[root@host ~]# ssh-keygen -P "" -t rsa  -f .ssh/id_rsa
Generating public/private rsa key pair.
Your identification has been saved in .ssh/id_rsa.
Your public key has been saved in .ssh/id_rsa.pub.
The key fingerprint is:
SHA256:+pUkZANYvXQPGCF2VC5dpF7FNnZvLVyZZRNg7Av33f8 root@host
The key‘s randomart image is:
+---[RSA 2048]----+
|     o=o==..++ooB|
|    .. ++ooo.o=++|
|       .=o+oo+ +o|
|       o.+ o.oo +|
|        S o o ooo|
|       . o . . .o|
|      .   o     .|
|       . .      .|
|        .       E|
+----[SHA256]-----+

5.2 Install the public key for the host itself (running ssh-copy-id against its own address creates ~/.ssh/authorized_keys with the right permissions)

[root@host ~]# ssh-copy-id 192.168.73.128
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.73.128 (192.168.73.128)' can't be established.
ECDSA key fingerprint is SHA256:YNlH0VBV0kp4lAClVvfMWVx/bHcbKKHXQwyd13d+MME.
ECDSA key fingerprint is MD5:8a:1c:3d:c2:04:b1:be:05:95:33:9e:16:e8:ad:6c:25.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.73.128's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '192.168.73.128'"
and check to make sure that only the key(s) you wanted were added.

5.3 Copy the whole .ssh directory to the other two hosts (-r recurses, -p preserves the modes, which keeps .ssh at 700 and the keys at 600; note that this also ships the private key and the known_hosts file to every host)

[root@host ~]# scp -rp .ssh 192.168.73.132:/root/
root@192.168.73.132's password:
id_rsa                                                                 100% 1675     1.3MB/s   00:00
id_rsa.pub                                                             100%  406   389.1KB/s   00:00
known_hosts                                                            100%  352   536.8KB/s   00:00
authorized_keys                                                        100%  406   660.1KB/s   00:00
[root@host ~]# scp .ssh 192.168.73.133:/root/
The authenticity of host '192.168.73.133 (192.168.73.133)' can't be established.
ECDSA key fingerprint is SHA256:YNlH0VBV0kp4lAClVvfMWVx/bHcbKKHXQwyd13d+MME.
ECDSA key fingerprint is MD5:8a:1c:3d:c2:04:b1:be:05:95:33:9e:16:e8:ad:6c:25.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.73.133' (ECDSA) to the list of known hosts.
root@192.168.73.133's password:
.ssh: not a regular file                                               # scp refuses a directory without -r
[root@host ~]# scp -rp .ssh 192.168.73.133:/root/
root@192.168.73.133's password:
id_rsa                                                                 100% 1675     1.2MB/s   00:00
id_rsa.pub                                                             100%  406   365.0KB/s   00:00
known_hosts                                                            100%  528     1.1MB/s   00:00
authorized_keys                                                        100%  406   619.8KB/s   00:00    

5.4 Login test

[root@host ~]# ssh 192.168.73.133
Last login: Tue Apr 16 06:23:20 2019
[root@host ~]# ssh 192.168.73.132
Last login: Tue Apr 16 13:50:51 2019 from 192.168.73.1
[root@host ~]# ssh 192.168.73.128
Last login: Tue Apr 16 21:50:38 2019 from 192.168.73.1
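As an added example (not from the original article) of the alternative to sharing one private key: each node generates its own key pair, only the .pub files are collected, and the script below merges them into authorized_keys on a node with the modes sshd's StrictModes (on by default) requires. It needs nothing beyond coreutils; the home directory and the .pub files are arguments, and the key lines shown in the usage comment are constructed placeholders rather than real keys.

```shell
#!/bin/sh
# Added example, not from the original article. Installs a set of public
# keys into HOME/.ssh/authorized_keys without ever copying a private key
# between hosts. Only coreutils are needed. HOME is an argument so the same
# function works for any account; the .pub files are plain
# "keytype base64 comment" lines as written by ssh-keygen.

# file_mode PATH -> octal permission bits (GNU stat, BSD stat as fallback)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_ssh_perms HOME -> 0 when the modes are the conventional 700/600,
# 1 otherwise. sshd (StrictModes yes) ignores authorized_keys when the file
# or .ssh is group/world writable, which shows up as an unexplained password
# prompt after ssh-copy-id reported success; the stricter 700/600 check
# here catches sloppy hand copies before that happens.
check_ssh_perms() {
    dir=$1/.ssh
    [ "$(file_mode "$dir")" = 700 ] || { echo "$dir must be 0700" >&2; return 1; }
    [ "$(file_mode "$dir/authorized_keys")" = 600 ] || { echo "$dir/authorized_keys must be 0600" >&2; return 1; }
    return 0
}

# install_authorized_keys HOME PUBKEY_FILE... -> merges the keys into
# HOME/.ssh/authorized_keys. Existing lines are kept, a key already present
# (same type and key material, whatever its comment) is not added twice, and
# the modes are forced to 700 for .ssh and 600 for the file.
install_authorized_keys() {
    home=$1; shift
    dir=$home/.ssh
    ak=$dir/authorized_keys
    mkdir -p "$dir" || return 1
    chmod 700 "$dir" || return 1
    [ -f "$ak" ] || : > "$ak"
    chmod 600 "$ak" || return 1
    for pub in "$@"; do
        while read -r keytype keydata comment; do
            case $keytype in ''|'#'*) continue ;; esac     # skip blanks and comments
            if ! grep -q -F -- "$keytype $keydata" "$ak"; then
                printf '%s %s %s\n' "$keytype" "$keydata" "$comment" >> "$ak"
            fi
        done < "$pub"
    done
    check_ssh_perms "$home"
}

# count_keys HOME -> number of key lines installed
count_keys() {
    grep -c -E '^(ssh-|ecdsa-|sk-)' "$1/.ssh/authorized_keys"
}

# Typical use on one node, after collecting node1.pub and node2.pub from the
# others (constructed file names; the keys inside are the other nodes' own):
#   install_authorized_keys /root node1.pub node2.pub && count_keys /root
```

Run once per node with every other node's .pub file, the result is the same mesh of password-less logins that section 5 builds, but each node's private key never leaves it, a compromised node can be cut off by deleting one line everywhere, and sshd's logs show which key (and therefore which node) authenticated.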

Original source: https://blog.51cto.com/11886307/2382115

Time: 2024-08-02 19:49:43
