网站建设销售提成多少,网站建设与维护的选择题,品牌推广的内容,模板设计图文章目录 一、SSH#xff1a;Secure Shell二、Openssh#xff08;一#xff09;基于密码登录#xff1a;#xff08;二#xff09;基于Key的登录验证 一、SSH#xff1a;Secure Shell
实现的软件工具 1.Openssh#xff1a;centos默认安装
相关包#xff1a;
openss… 文章目录 一、SSHSecure Shell二、Openssh一基于密码登录二基于Key的登录验证 一、SSHSecure Shell
实现的软件工具 1.Opensshcentos默认安装
相关包
opensshopenssh-clientsopenssh-server
配置文件 客户端/etc/ssh/ssh_config 服务器端/etc/ssh/sshd_config
2.Dropbear开源工具
基于C/S结构 Linux Client: ssh, scp, sftpslogin Windows Clientxshell, putty, securecrt, sshsecureshellclient Server: sshd
二、Openssh
配置文件路径下的文件私钥、公钥存放位置
[rootCentOS7 ~]#ll /etc/ssh/
total 604
-rw-r--r--. 1 root root 581843 Apr 11 2018 moduli
-rw-r--r-- 1 root root 2305 Jul 16 20:09 ssh_config
-rw-------. 1 root root 3907 Apr 11 2018 sshd_config
-rw-r-----. 1 root ssh_keys 227 May 11 14:22 ssh_host_ecdsa_key
-rw-r--r--. 1 root root 162 May 11 14:22 ssh_host_ecdsa_key.pub
-rw-r-----. 1 root ssh_keys 387 May 11 14:22 ssh_host_ed25519_key
-rw-r--r--. 1 root root 82 May 11 14:22 ssh_host_ed25519_key.pub
-rw-r-----. 1 root ssh_keys 1675 May 11 14:22 ssh_host_rsa_key #私钥文件服务器级私钥
-rw-r--r--. 1 root root 382 May 11 14:22 ssh_host_rsa_key.pub #公钥文件服务器级公钥第一次连接确认身份需要人工确认连接公网主机时需要自己计算哈希值是否与公开的哈希值相同
两种登录认证方式 1.基于密码:每次连接需要手工输入密码 2.基于key:不需要输入密码
一基于密码登录
1.客户端配置
1客户端第一次连接服务会弹出是否连接的提示可在客户端配置中选择是否弹出提示
[rootCentOS7 ~]#vim /etc/ssh/ssh_config
StrictHostKeyChecking no家目录生成文件连接时在提示后面敲完yes或者客户端设置不提示会在客户端家目录~/.ssh下生成一个known_hosts 文件用于Client和Server的双向认证避免中间人man-in-the-middle attack攻击每次Client向Server发起连接的时候SSH client通过known_hosts中的host key来验证Server的身份的
[rootCentOS7 ~]#cat .ssh/known_hosts
#格式:DomainName/IpAddress EncryptionAlgorithm HostKey
192.168.37.100 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPmD8LimHeC8phXcEzH6qOqcdzB0b2xYNN08trPfwBH1HhZf7uG87lhr2b8Ca7ocZ4JQ9nyMxvufvD3Pm4CPF02SSH 客户端使用 常用连接登录语法
ssh [user] host [COMMAND]
ssh [-l user] host [COMMAND]常用选项 -p port远程服务器监听的端口 -b指定连接的源IP如果客户端有多个IP可指定某个IP连接服务器 -v调试模式 -C压缩方式节约带宽 -X支持x11转发X协议依赖xserver服务 -t强制伪tty分配
ssh 默认以当前用户名连接远程主机
[rootCentOS7 ~]#ssh root192.168.37.100 cat /etc/passwd-b: 客户端指定IP连接服务器端 服务器端查看连接的主机IP
-v 调试模式查看登录过程
[rootCentOS7 ~]#ssh root192.168.37.100 -p 2222 -b 192.168.37.7 -v
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 59: Applying options for *
debug1: Connecting to 192.168.37.100 [192.168.37.100] port 2222.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 192.168.37.100:2222 as root
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server-client cipher: chacha20-poly1305openssh.com MAC: implicit compression: none
debug1: kex: client-server cipher: chacha20-poly1305openssh.com MAC: implicit compression: none
debug1: kex: curve25519-sha256 need64 dh_need64
debug1: kex: curve25519-sha256 need64 dh_need64
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:jFKSoZLTx3S9cFLtPfZWnJUCrx9cAONPuCAsS7hfgo
debug1: checking without port identifier
debug1: Host 192.168.37.100 is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: found matching key w/out port
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algsrsa-sha2-256,rsa-sha2-512
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:0)debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:0)debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Trying private key: /root/.ssh/id_ed25519
debug1: Next authentication method: password
root192.168.37.100s password:-X xclock 是X协议的客户端xserver服务按照客户端指令通过显卡GPU绘图 xclock客户端和xserver可能不在同一台主机 xmanager包含xshell安装时给window安装xserverwindows本身不带xserver
-t:类似跳板机直接跳到某个主机
#最后一个主机不加-t
[rootmaster ~]#ssh -t 192.168.37.102 ssh -t 192.168.37.103 ssh 192.168.37.101
root192.168.37.102s password:
root192.168.37.103s password:
root192.168.37.101s password:
Last login: Tue Jul 16 21:15:09 2019 from 192.168.37.103 2.服务器端 修改ssh端口号生产环境如果是基于口令登录的建议修改端口
[rootmaster ~]#vim /etc/ssh/sshd_configPort 2222
[rootmaster ~]#systemctl restart sshd#客户端连接指定服务器端口
#[rootCentOS7 ~]#ssh root192.168.37.100 -p 2222二基于Key的登录验证
测试环境 两台centos7 主机IP分别为192.168.37.102、192.168.37.103 192.168.37.102 为客户端 192.168.37.103 为服务端主机
配置如下 1.手动生成公钥、私钥基于用户级的秘钥对每个用户有不同的自己的秘钥对 配置过程中传输公钥时仍然需要基于密码验证
#192.168.37.102主机操作生成秘钥对
[rootCentOS7 ~]#ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): #设置保存秘钥路径
Enter passphrase (empty for no passphrase): #设置私钥密码
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:FJaHeE4SFzu1RcgUhu6aE81atdUsRFsBlB5heWcw rootCentOS7.6.localdomain
The keys randomart image is:
---[RSA 2048]----
| ..ooo o*|
| . o... o.E|
| . .. ... ..|
| ..... .o ..|
| .So. ..|
| .. *...|
| .o . |
| o.. . |
| .o.o |
----[SHA256]-----[rootCentOS7 ~]#ll .ssh/
total 16
-rw------- 1 root root 1675 Jul 16 22:25 id_rsa #ssh-keygen生成的私钥
-rw-r--r-- 1 root root 408 Jul 16 22:25 id_rsa.pub #ssh-keygen生成的公钥
-rw-r--r-- 1 root root 748 Jul 16 21:11 known_hosts
2.拷贝主机公钥
#102主机第一次拷贝时需要输入口令
[rootCentOS7 ~]#ssh-copy-id -i /root/.ssh/id_rsa.pub root192.168.37.103#37.103主机查看家目录文件拷贝过来的公钥系统改名为authorized_keys
[rootCentOS7 ~]#ll ~/.ssh/
total 8
-rw------- 1 root root 408 Jul 16 22:30 authorized_keys #37.102主机的公钥大小相同
-rw-r--r-- 1 root root 396 Jul 16 21:12 known_hosts 102主机 /root/.ssh/id_rsa.pub 和103主机 /root/.ssh/authorized_keys 公钥文件内容相同 3.测试登录
#102主机测试登录103主机
[rootCentOS7 ~]#ssh 192.168.37.103
Last login: Tue Jul 16 21:24:08 2019 from 192.168.37.102
