SSH: Secure Shell, a protocol for secure remote login, 22/tcp
OpenSSH: the open-source implementation of the SSH protocol
SSH protocol versions
v1: integrity protected only by a CRC-32 checksum rather than a real MAC; insecure (CRC-32 insertion attack, man-in-the-middle) and should not be enabled
v2: both sides negotiate a secure MAC algorithm; key exchange uses Diffie-Hellman; host authentication uses RSA or DSA keys
Two ways to authenticate the user at login: password-based and key-based
OpenSSH is a client/server (C/S) system
Client: ssh, scp, sftp
Server: sshd
Note: Windows clients include Xshell, PuTTY, SecureCRT and SSH Secure Shell Client
Client-side component: ssh
ssh configuration file: /etc/ssh/ssh_config
Format:

```
ssh [user@]host [COMMAND]
ssh [-l user] host [COMMAND]
    -p port    port the remote server listens on
```
Server-side component: sshd
sshd configuration file: /etc/ssh/sshd_config
Example: lab environment
CentOS 7, IP 192.168.0.111
CentOS 6.7, IP 192.168.0.113
The OS release can be checked with the following command (RedHat, CentOS):

```
[root@jimjimlv ~]# cat /etc/redhat-release
CentOS release 6.7 (Final)
```

Log in to the CentOS 6.7 host without specifying a user (ssh then uses the local user name, root here):
```
[root@localhost ~]# cat /etc/redhat-release
CentOS Linux release 7.1.1503 (Core)
[root@localhost ~]# ssh 192.168.0.113
The authenticity of host '192.168.0.113 (192.168.0.113)' can't be established.
RSA key fingerprint is a8:16:d9:15:8a:01:e5:d3:fb:26:bd:94:13:3e:50:6e.
Are you sure you want to continue connecting (yes/no)? yes    # first connection: confirm the host key
Warning: Permanently added '192.168.0.113' (RSA) to the list of known hosts.
root@192.168.0.113's password:    # enter root's password
Last login: Fri Feb 19 22:14:48 2016 from 192.168.0.109    # logged in to the remote host
[root@jimjimlv ~]# cat /etc/redhat-release
```

Answering yes here accepts the host key on trust and stores it in ~/.ssh/known_hosts; anyone able to intercept this first connection could present a key of their own. Before accepting, compare the fingerprint with the server's host key fingerprint obtained through another channel (the console, or the host key file under /etc/ssh/). Later connections are checked against the stored key, and a changed key produces a loud warning instead of a silent login.

Use the exit command to leave the remote session:

```
[root@jimjimlv ~]# exit
logout
Connection to 192.168.0.113 closed.
```

Log in to the CentOS 6.7 host as the specified user centos6.7:

```
[root@localhost ~]# ssh centos6.7@192.168.0.113
centos6.7@192.168.0.113's password:
[centos6.7@jimjimlv ~]$ cat /etc/redhat-release
```
In production the default SSH port is usually changed as a basic precaution; the following shows how to reach the host after the port has been changed. Note that a non-default port only cuts down automated scanning and log noise; it is not a substitute for key-based authentication and firewall rules.
Step 1: edit the configuration file /etc/ssh/sshd_config
```
# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
Port 2223
#AddressFamily any
ListenAddress 0.0.0.0
#ListenAddress ::
```
Step 2: restart the sshd service. On an SELinux-enforcing host, first register the new port with the semanage command quoted in the config comment above, otherwise sshd cannot bind to 2223.

```
CentOS 7: [root@localhost ssh]# systemctl restart sshd.service
CentOS 6: # service sshd restart
```

Step 3: make the new port reachable. The original post simply stops the firewall on CentOS 7:

```
CentOS 7: # systemctl stop firewalld.service
```

Disabling the firewall is not something to copy into production: open 2223/tcp in firewalld (iptables on CentOS 6) and leave the rest of the policy in place. Keep the existing session open until a login on the new port has succeeded, so a mistake does not lock you out.

Connect from Xshell, giving the new port after the address:

```
Xshell:\> ssh 2223    # the new port number follows the IP address
Last login: Sat Feb 20 22:49:35 2016 from 192.168.0.109
[root@localhost ~]# cat /etc/redhat-release
CentOS Linux release 7.1.1503 (Core)
```
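The port change above, as an added example that is not part of the original post: a small shell script that rewrites the Port directive in an sshd_config file, reports the ports sshd will listen on, and, only when explicitly asked to apply the change on a live host, does the three things the post skips or does unsafely: registers the port with SELinux, opens it in firewalld instead of stopping the firewall, and validates the configuration with sshd -t before restarting. The function names and the --apply flag are this example's own.

```sh
#!/bin/sh
# Added example, not from the original post: change the sshd port without
# locking yourself out. The config path, port and --apply flag are passed in.
set -eu

# Replace the first Port line (commented or not) in an sshd_config file, or
# append one if none exists. Usage: set_sshd_port <sshd_config> <port>
set_sshd_port() {
    cfg="$1" port="$2"
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    awk -v port="$port" '
        !done && tolower($1) ~ /^#?port$/ { print "Port " port; done = 1; next }
        { print }
        END { if (!done) print "Port " port }' "$cfg" > "$cfg.tmp"
    # Write back through the existing file so its mode and owner (root:root 0600)
    # are preserved, instead of replacing it with a freshly created file.
    cat "$cfg.tmp" > "$cfg" && rm -f "$cfg.tmp"
}

# Print the ports sshd will listen on according to the file (default 22).
# sshd listens on every uncommented Port line, so several may be printed.
get_sshd_ports() {
    awk '/^[[:space:]]*#/ { next }
         tolower($1) == "port" { p = (p == "" ? $2 : p " " $2) }
         END { print (p == "" ? "22" : p) }' "$1"
}

# Make the change effective on a live CentOS 7 host. Run as root.
apply_port_change() {
    port="$1"
    set_sshd_port /etc/ssh/sshd_config "$port"
    # SELinux (enforcing) only lets sshd bind ports labelled ssh_port_t; -a adds
    # the label, -m re-labels a port already defined for another service.
    if command -v semanage >/dev/null 2>&1; then
        semanage port -a -t ssh_port_t -p tcp "$port" 2>/dev/null ||
            semanage port -m -t ssh_port_t -p tcp "$port"
    fi
    # Open the new port instead of stopping firewalld altogether.
    if command -v firewall-cmd >/dev/null 2>&1; then
        firewall-cmd --permanent --add-port="${port}/tcp" >/dev/null
        firewall-cmd --reload >/dev/null
    fi
    # A syntax error would leave sshd unable to start: test first, and keep the
    # current session open until a new login on the new port succeeds.
    sshd -t
    systemctl restart sshd.service
}

if [ "${1:-}" = "--apply" ]; then
    apply_port_change "$2"
fi
```

Try set_sshd_port against a copy of the file first; `sshd -T -f <copy>` prints the effective configuration that copy would produce, including the Port lines, before anything touches the running daemon.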
Key-based SSH login

```
[root@localhost .ssh]# ssh-keygen -t rsa    # generate the key pair
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
9d:fc:93:7d:9a:00:01:47:23:69:9e:08:0c:cf:ca:bd [email protected]
The key's randomart image is:
+--[ RSA 2048]----+
| .o oo+ |
| oo o+ . |
| o. + .. |
| . o . oo o |
| o . S = |
| . o o |
| E = . .|
| o + |
| o |
+-----------------+
[root@localhost .ssh]# ls    # the keys are stored in /root/.ssh/
id_rsa  id_rsa.pub  known_hosts
[root@localhost .ssh]# ssh-copy-id -i /root/.ssh/id_rsa root@192.168.0.113    # install the public key on the remote host
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.0.113's password:    # enter root's login password
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@192.168.0.113'" and check to make sure that only the key(s) you wanted were added.
[root@localhost .ssh]# ssh root@192.168.0.113    # later logins need neither an account prompt nor a password
Last login: Sat Feb 20 01:53:08 2016
```

Three points worth noting. ssh-copy-id is given the private key path here; it appends .pub itself and copies only id_rsa.pub, but passing /root/.ssh/id_rsa.pub explicitly removes any doubt about what leaves the machine. The passphrase was left empty, so /root/.ssh/id_rsa is an unencrypted credential for root on 192.168.0.113; a passphrase plus ssh-agent costs little. And once key login is confirmed, password authentication on the server has done its job and can be turned off in sshd_config.
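As an added example (not from the original post), the following audit script checks the conditions under which a freshly copied key is silently ignored and sshd falls back to the password prompt: the StrictModes permission rules on the home directory, ~/.ssh and authorized_keys; a private key readable by others, which the ssh client refuses to use; and the sshd_config settings worth tightening once key login works (PubkeyAuthentication, PasswordAuthentication, PermitRootLogin). The function names and the two paths passed as arguments are this example's assumptions; Match blocks in sshd_config are not evaluated.

```sh
#!/bin/sh
# Added example, not from the original post: find out why a copied key is
# ignored and sshd still asks for a password. <home> and <sshd_config> are
# arguments so the checks can be run against copies of the server files.
set -eu

# Ten-character mode string of a path, e.g. drwxr-xr-x (POSIX ls, no stat -c).
mode_str() { ls -ld "$1" | cut -c1-10; }

# First uncommented value of a keyword in sshd_config; sshd itself uses the
# first occurrence. Match blocks are not evaluated.
sshd_opt() {
    awk -v k="$(printf %s "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == k { print $2; exit }' "$1"
}

# Print one FINDING line per problem; the exit status is the number found.
# Usage: audit_key_login <home> <sshd_config>
audit_key_login() {
    home="$1" cfg="$2" n=0
    sshdir="$home/.ssh"
    # With StrictModes (the default) sshd ignores authorized_keys when the home
    # directory, ~/.ssh or the file itself is writable by group or others.
    for p in "$home" "$sshdir" "$sshdir/authorized_keys"; do
        [ -e "$p" ] || continue
        m=$(mode_str "$p")
        case "$m" in
            ?????w????|????????w?)
                echo "FINDING: $p is group/world writable ($m); chmod go-w it"
                n=$((n + 1)) ;;
        esac
    done
    # The ssh client refuses a private key that anyone else can read.
    for k in "$sshdir/id_rsa" "$sshdir/id_ed25519"; do
        [ -f "$k" ] || continue
        m=$(mode_str "$k")
        case "$m" in
            ????------) ;;
            *) echo "FINDING: private key $k is not mode 0600 ($m)"; n=$((n + 1)) ;;
        esac
    done
    # Server-side settings: key auth must be on, and once it works the password
    # and root-login fallbacks are exactly what brute-force traffic targets.
    [ "$(sshd_opt "$cfg" PubkeyAuthentication)" != no ] ||
        { echo "FINDING: PubkeyAuthentication no in $cfg"; n=$((n + 1)); }
    [ "$(sshd_opt "$cfg" PasswordAuthentication)" = no ] ||
        { echo "FINDING: PasswordAuthentication still enabled in $cfg"; n=$((n + 1)); }
    case "$(sshd_opt "$cfg" PermitRootLogin)" in
        no|prohibit-password|without-password) ;;
        *) echo "FINDING: PermitRootLogin not restricted in $cfg"; n=$((n + 1)) ;;
    esac
    return "$n"
}

if [ $# -eq 2 ]; then
    audit_key_login "$1" "$2"
fi
```

Run it as root on the server with the target user's home directory and /etc/ssh/sshd_config; a clean run prints nothing and exits 0. The ownership check StrictModes also performs (the files must belong to the user) is not included, and when the cause is still unclear, `sshd -d` listening on a spare port logs the exact reason a key was rejected.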
Run a command on the remote host directly, without opening an interactive shell:

```
[root@localhost .ssh]# ssh root@192.168.0.113 'ifconfig'
eth0      Link encap:Ethernet  HWaddr 00:0C:29:F0:55:67
          inet addr:192.168.0.113  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fef0:5567/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6116 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1449 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:526598 (514.2 KiB)  TX bytes:181464 (177.2 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:628 (628.0 b)  TX bytes:628 (628.0 b)
[root@localhost .ssh]#
```
This article was reposted from Nico_Lv's 51CTO blog; original link: http://blog.51cto.com/nearlv/1743797. Contact the original author for permission to reproduce it.