
Linux SSH mutual trust

Lab goal: configure two servers so that each can log into the other without a password

Outline

1. Server IPs: 192.168.1.236 and 192.168.1.208

2. Generate a key pair on 192.168.1.236

3. Copy the 1.236 public key to 1.208

4. Generate a key pair on 1.208

5. Copy the 1.208 public key to 1.236

ssh v1, v2

Client side:

 Linux: ssh

 Windows: putty, SecureCRT, SSHSecureShellClient, Xmanager

Server side:

 sshd

openssh (ssh, sshd)

ssh --> telnet

sshd: host key

netstat

 -r

 -n

 -t: tcp connections

 -u: udp connections

 -l: listening

 -p: process

ssh (ssh_config)

sshd (sshd_config)

/etc/ssh

ssh:

 ssh -l USERNAME REMOTE_HOST ['command']

 ssh USERNAME@REMOTE_HOST

 -p port

 -X

 -Y

Key-based authentication:

One host acts as the client (set up per user):

1. Generate a key pair

ssh-keygen

 -t {rsa|dsa}  algorithm

 -f /path/to/keyfile  key file to write

 -N 'password'  specify the passphrase

2. Put the public key into the .ssh/authorized_keys file in the target user's home directory on the server

Transfer it with a file-transfer tool (ssh-copy-id, scp)

ssh-copy-id -i /path/to/pubkey USERNAME@REMOTE_HOST

3. Test the login

scp: remote copy command over ssh; transfers files between hosts

scp [options] SRC DEST

 -p

 -a

REMOTE_MACHINE

 USERNAME@HOSTNAME:/path/to/somefile

ssh-keygen -t rsa -f .ssh/id_rsa -N ''   create the private key with an empty passphrase

-f specifies the path

-t specifies the key algorithm

Server 192.168.1.236

1. Generate a key pair

[root@mail .ssh]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
45:ff:bb:0a:07:57:73:c4:1c:e6:3e:a1:ad:2a:51:72 root@mail
[root@mail .ssh]# ls
known_hosts  id_rsa (private key)  id_rsa.pub (public key)
[root@mail .ssh]# ll
total 8
-rw-r--r-- 1 root root    0 Aug  7 10:36 known_hosts
-rw------- 1 root root 1675 Aug  7 10:41 id_rsa
-rw-r--r-- 1 root root  391 Aug  7 10:41 mail_rsa.pub

2. Check the directory permissions

[root@mail ~]# ll -ha
drwx------  2 root root 4.0K Aug  7 10:41 .ssh

3. Copy the local public key to the remote server, into .ssh/authorized_keys under the target user's home directory

[root@mail .ssh]# ssh-copy-id -i mail_rsa.pub root@192.168.1.208
The authenticity of host '192.168.1.208 (192.168.1.208)' can't be established.
RSA key fingerprint is 2b:33:02:38:1d:1e:df:2e:7f:3a:e9:98:41:64:07:28.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.208' (RSA) to the list of known hosts.
root@192.168.1.208's password:
Now try logging into the machine, with "ssh 'root@192.168.1.208'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

4. Test the login

[root@mail .ssh]# ssh 192.168.1.208
Last login: Thu Aug  7 11:00:48 2014 from 192.168.1.236

Server 192.168.1.208

5. Log into 192.168.1.208 and generate a key pair

[root@rrcy .ssh]# ssh-keygen -t rsa
cb:96:66:fb:df:28:2d:7f:74:cc:b7:79:80:2b:ce:6a root@rrcy
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|        S    . o |
|       . o  . o =|
|        B  . o o+|
|       +Eo+ oo.o.|
|       .o++*+.. .|
+-----------------+
[root@rrcy .ssh]# ls
authorized_keys  id_rsa  id_rsa.pub  known_hosts

6. Add the public key to .ssh/authorized_keys on 192.168.1.236

[root@rrcy .ssh]# ssh-copy-id -i id_rsa.pub root@192.168.1.236
The authenticity of host '192.168.1.236 (192.168.1.236)' can't be established.
RSA key fingerprint is f0:f4:36:5b:b7:cf:46:24:42:f0:cc:58:98:df:3a:99.
Warning: Permanently added '192.168.1.236' (RSA) to the list of known hosts.
root@192.168.1.236's password:
Now try logging into the machine, with "ssh 'root@192.168.1.236'", and check in:

7. Test the login

[root@rrcy .ssh]# ssh 192.168.1.236
Last login: Thu Aug  7 11:06:01 2014 from 192.168.1.208

ssh also provides file transfer by default: sftp root@ip

Summary:

1. Passwords should be changed regularly and be sufficiently complex;

2. Use a non-default port;

3. Restrict the client addresses allowed to log in;

4. Disallow direct administrator (root) login;

5. Allow only a limited set of users to log in;

6. Use key-based authentication;

7. Disallow protocol version 1
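The checklist above, turned into a check a defender can run against a copy of sshd_config; this is an added example, not part of the original post, and the function names, the finding messages and the sample configs used to exercise it are constructed here. It assumes only POSIX sh and awk, and it respects sshd's rule that the first uncommented occurrence of a keyword wins and that anything after a Match line is conditional.

```sh
#!/bin/sh
# Added example (not from the original post): audit a copy of sshd_config
# against the summary's checklist. Item 1 (password policy) is not decidable
# from this file, and item 3 (client addresses) is usually a firewall rule or
# AllowUsers user@host patterns, so only the presence of AllowUsers is checked.

# sshd_value KEY FILE: print the effective value of KEY. sshd uses the FIRST
# uncommented occurrence of a keyword, and settings after a Match line are
# conditional, so the scan stops there.
sshd_value() {
    awk -v k="$1" '
        tolower($1) == "match"    { exit }
        tolower($1) == tolower(k) { print $2; exit }
    ' "$2"
}

# audit_sshd_config FILE: print one line per finding; return the finding count
# (0 = every checked item passes).
audit_sshd_config() {
    f=$1; n=0
    port=$(sshd_value Port "$f"); port=${port:-22}      # sshd default is 22
    if [ "$port" = "22" ]; then
        echo "FAIL Port: listening on the default port 22"; n=$((n+1))
    fi
    root=$(sshd_value PermitRootLogin "$f")
    if [ "$root" != "no" ]; then
        echo "FAIL PermitRootLogin: '${root:-unset}', want 'no'"; n=$((n+1))
    fi
    if [ -z "$(sshd_value AllowUsers "$f")" ]; then
        echo "FAIL AllowUsers: unset, any local account may log in"; n=$((n+1))
    fi
    pw=$(sshd_value PasswordAuthentication "$f")
    if [ "$pw" != "no" ]; then
        echo "FAIL PasswordAuthentication: '${pw:-unset}', want 'no'"; n=$((n+1))
    fi
    if [ "$(sshd_value PubkeyAuthentication "$f")" = "no" ]; then
        echo "FAIL PubkeyAuthentication: disabled, key login impossible"; n=$((n+1))
    fi
    case "$(sshd_value Protocol "$f")" in
        *1*) echo "FAIL Protocol: version 1 enabled"; n=$((n+1)) ;;
    esac
    return "$n"
}
```

Call `audit_sshd_config /path/to/sshd_config`; its exit status is the number of findings, so it can gate a deployment step.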
