ssh on Linux consists of two parts: the ssh client and the sshd server.
Notes for the server side:
1. Change passwords regularly
2. Use a non-default port
3. Restrict the client addresses allowed to log in
4. Forbid direct login by the administrator (root)
5. Allow only a limited set of users to log in
6. Use key-based authentication
7. Disable protocol version 1
★ Client:
The configuration file is /etc/ssh/ssh_config
1. Password-based ssh
ssh root@ip/hostname: log in to the remote host over ssh as its root user
ssh root@ip/hostname ['command']: run a single command on the remote host as root
ssh -p #: use a non-default port
If ssh refuses to log in, look in the hidden file .ssh/known_hosts in your home directory, find the entry for that host and remove it, or simply delete the whole file. (A changed host key can also mean the host was reinstalled, or that you are talking to a different machine than you think, so confirm the new fingerprint with the server's administrator before removing the entry.)
2. Public/private key ssh
ssh-keygen: generate a key pair; by default the private key and public key are placed under root's home directory (~/.ssh)
-t [rsa | dsa]: choose the key algorithm
-f 'path': choose where the key is stored
-P 'passphrase': protect the private key with a passphrase
[root@bogon ~]# ssh-keygen -t rsa    # use the rsa algorithm
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):    # where the key is stored
Enter passphrase (empty for no passphrase):    # passphrase; I left it empty here
Enter same passphrase again:    # confirm the passphrase
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
72:f5:89:28:fd:90:3f:00:16:ea:b1:e5:97:09:b1:72 root@bogon
The key's randomart image is:
+--[ RSA 2048]----+
| o |
| . + |
| + E . |
| . O + * o . |
| o + S . o |
| = = |
| + |
| . |
| |
+-----------------+
[root@bogon ~]# ls .ssh/
id_rsa  id_rsa.pub
3. ssh-copy-id -i ~/.ssh/id_rsa.pub root@hostname/ip: copy the public key to the remote host; -i selects the public key file. After this, logging in to the remote host no longer asks for a password.
[root@bogon ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.17.148.113
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@172.17.148.113's password:    # enter the password of the corresponding remote user here
Number of key(s) added: 1
Now try logging into the machine, with:   "ssh 'root@172.17.148.113'"
and check to make sure that only the key(s) you wanted were added.
[root@bogon ~]# ssh root@172.17.148.113
Last login: Thu May 31 23:11:36 2018 from 172.17.148.255    # no password is needed now
4. scp: file transfer between hosts
scp source_file root@hostname/ip:destination_path    push a file to the remote host; note the colon before the remote path
scp root@hostname/ip:source_file destination_path    pull a file from the remote host to the local machine; again with the colon
-r: recursive
-p: preserve file metadata (modification times, access times and modes)
-C: compress
5. rsync: same usage as scp, but it adds a comparison step: files that compare identical are not copied again, only the files that differ
6. sftp: if key-based ssh login is configured, no password is needed here either; just run sftp ip. Use get to fetch a file
7. A key generated by Xshell has to be placed in .ssh/authorized_keys under the home directory on the remote host; create the file if it does not exist, with the directory at mode 700 and the file at mode 600. And when copying the key, make sure you copy all of it. I got badly burned here!
8. Once key authentication is enabled, simply turn password authentication off:
PasswordAuthentication no
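Added example, not from the original notes: a POSIX shell function that installs a public-key line into a user's authorized_keys the way item 7 describes (directory 700, file 600, key appended only once) and refuses a line that was not copied completely. The home directory and the key blobs it runs on are constructed, not real keys.

```shell
#!/bin/sh
# Added example (not from the original notes). Installs a public-key line into
# ~/.ssh/authorized_keys as item 7 requires and rejects an incompletely copied
# key. Assumes POSIX sh; the home directory and key blobs below are constructed.

pubkey_ok() {
    # $1 = one public-key line "<type> <base64-blob> [comment]". A key pasted
    # incompletely usually fails one of these: unknown type, stray newline,
    # illegal base64 character, or blob length not a multiple of 4.
    line=$1
    [ "$(printf '%s' "$line" | wc -l)" -eq 0 ] || return 1
    set -- $line
    case $1 in ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-nistp256) ;; *) return 1 ;; esac
    blob=$2
    [ -n "$blob" ] || return 1
    printf '%s' "$blob" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$' || return 1
    [ $(( ${#blob} % 4 )) -eq 0 ]
}

install_pubkey() {
    # $1 = target user's home directory, $2 = public-key line.
    # Creates ~/.ssh (700) and authorized_keys (600) if missing, appends the key
    # only if it is not already there, and returns 1 for a malformed key.
    home=$1; key=$2; dir=$home/.ssh; file=$dir/authorized_keys
    pubkey_ok "$key" || { echo "refusing: not a complete public-key line" >&2; return 1; }
    mkdir -p "$dir" && chmod 700 "$dir"
    [ -f "$file" ] || : > "$file"
    chmod 600 "$file"
    grep -qxF "$key" "$file" && return 0      # already installed: nothing to do
    printf '%s\n' "$key" >> "$file"
}

# Constructed sample: a well-formed (but fake) ed25519 key line with a 68-char
# blob, and the same line cut short as happens with a partial copy-paste.
BLOB=$(printf 'AAAAC3NzaC1lZDI1NTE5AAAAI%43s' '' | tr ' ' A)
GOOD_KEY="ssh-ed25519 $BLOB user@bogon"
BAD_KEY="ssh-ed25519 $(printf '%.61s' "$BLOB")"
HOME_DIR=$(mktemp -d)
install_pubkey "$HOME_DIR" "$GOOD_KEY" && echo "installed into $HOME_DIR/.ssh/authorized_keys"
install_pubkey "$HOME_DIR" "$GOOD_KEY"                # second call changes nothing
install_pubkey "$HOME_DIR" "$BAD_KEY" || echo "truncated key rejected"
ls -ld "$HOME_DIR/.ssh" "$HOME_DIR/.ssh/authorized_keys"
```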
★ Server:
sshd configuration file
# A line starting with # is a comment (the commented lines show the default value)
# The parameters shown are the settings that can be changed
After editing the configuration file, make the service reread it: service sshd reload
[root@localhost ssh]# cat /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22   default listening port 22; can be changed to another port
#AddressFamily any   listen on both IPv4 and IPv6 by default
#ListenAddress 0.0.0.0   listening address
#ListenAddress ::   by default every address on the server is listened on; to listen on a single address, put its IP here
# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2   use SSH protocol version 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key   protocol version 1 host key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key   protocol version 2 host key
#HostKey /etc/ssh/ssh_host_dsa_key   protocol version 2 host key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h   how long the ephemeral server key stays valid before it is regenerated
#ServerKeyBits 1024   key length
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH   log facility; the default is authentication
SyslogFacility AUTHPRIV   log facility: authentication, privileged
#LogLevel INFO   log level
# Authentication:
#LoginGraceTime 2m   how long to wait for the user to authenticate after the connection is established; default 2 minutes
#PermitRootLogin yes   whether the administrator may log in directly; direct remote root login should be turned off: log in as a regular user and su from there
#StrictModes yes   whether strict mode is used (sshd checks the ownership and permissions of the user's key files and home directory before accepting a login)
#MaxAuthTries 6   at most 6 authentication attempts
#MaxSessions 10   maximum number of sessions over one network connection
#RSAAuthentication yes   whether RSA authentication is used
#PubkeyAuthentication yes   whether public key authentication is used
#AuthorizedKeysFile .ssh/authorized_keys   where the key file is located
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no   whether to ignore the user's ~/.ssh/known_hosts file
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes   whether to ignore the files named above (~/.rhosts and ~/.shosts)
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes   whether password login is enabled
#PermitEmptyPasswords no   whether accounts with an empty password may log in
PasswordAuthentication yes   password authentication enabled
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no   challenge-response (keyboard-interactive) authentication, disabled here
# Kerberos options
#KerberosAuthentication no   whether the password is validated through Kerberos
#KerberosOrLocalPasswd yes   fall back to validating the password against the local /etc/passwd file
#KerberosTicketCleanup yes   whether the user's ticket cache is destroyed on logout
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes   authenticate via PAM
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes   whether to show the contents of /etc/motd after a successful login
#PrintLastLog yes   whether to print the last-login information
#TCPKeepAlive yes   whether TCP keepalive messages are sent to keep the connection up
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10   how many concurrent connections that have not yet authenticated are allowed
#PermitTunnel no
#ChrootDirectory none
# no default banner path
#Banner none   banner text shown to the user at login; the format is Banner /path/to/file
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server   enable the sftp service
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
#AllowUsers xxx xxx xxx   users allowed to log in (the users and groups in these four directives are all local ones)
#AllowGroups   groups allowed to log in
#DenyUsers xxx xxx xxx   users not allowed to log in
#DenyGroups   groups not allowed to log in
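Added example, not from the original notes: a small POSIX shell audit that reads an sshd_config and checks it against the server checklist at the top of these notes (non-default port, protocol 2, no direct root login, key-based authentication with passwords off, AllowUsers/AllowGroups set). It resolves a directive the way sshd does (first uncommented value wins; Match blocks do not affect the global value) and runs on two constructed configs, one like the stock file shown above and one hardened. Assumes POSIX sh with awk and mktemp; the ports, user names and addresses in the sample configs are constructed.

```shell
#!/bin/sh
# Added example (not from the original notes). Audits an sshd_config against the
# server checklist at the top of these notes. Assumes POSIX sh, awk and mktemp;
# the two sample configs written below are constructed.
sshd_effective() {
    # $1 = config file, $2 = directive. Prints the value of the first uncommented
    # occurrence before any Match block, which is how sshd resolves a global
    # directive (first value wins); prints nothing when the directive is unset.
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match"   { exit }
        tolower($1) == key { sub(/^[ \t]*[^ \t]+[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }
    ' "$1"
}
want() {
    # $1 = file, $2 = directive, $3 = sshd default when unset, $4 = required value
    v=$(sshd_effective "$1" "$2"); [ -n "$v" ] || v=$3
    [ "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" = "$4" ] && return 0
    echo "FAIL $2 is '$v', want '$4'"; return 1
}
sshd_audit() {
    # $1 = config file. Prints one FAIL line per unmet checklist item and
    # returns the number of failures (0 means every item is met).
    f=$1; n=0
    p=$(sshd_effective "$f" Port)
    [ -n "$p" ] && [ "$p" != 22 ] || { echo "FAIL Port is the default 22"; n=$((n + 1)); }
    want "$f" Protocol 2,1 2 || n=$((n + 1))
    want "$f" PermitRootLogin yes no || n=$((n + 1))
    want "$f" PubkeyAuthentication yes yes || n=$((n + 1))
    want "$f" PasswordAuthentication yes no || n=$((n + 1))
    want "$f" PermitEmptyPasswords no no || n=$((n + 1))
    # The comment block above UsePAM warns that keyboard-interactive can still take a password via PAM.
    want "$f" ChallengeResponseAuthentication yes no || n=$((n + 1))
    [ -n "$(sshd_effective "$f" AllowUsers)$(sshd_effective "$f" AllowGroups)" ] \
        || { echo "FAIL neither AllowUsers nor AllowGroups is set"; n=$((n + 1)); }
    return $n
}
# Constructed configs: one like the stock file shown above, one hardened.
TMP=$(mktemp -d); STOCK=$TMP/stock_config; HARDENED=$TMP/hardened_config
printf '%s\n' '#Port 22' 'Protocol 2' 'SyslogFacility AUTHPRIV' '#PermitRootLogin yes' \
    'PasswordAuthentication yes' 'ChallengeResponseAuthentication no' 'UsePAM yes' > "$STOCK"
printf '%s\n' 'Port 2222' 'Protocol 2' 'PermitRootLogin no' 'PubkeyAuthentication yes' \
    'PasswordAuthentication no' 'ChallengeResponseAuthentication no' 'UsePAM yes' \
    'AllowUsers admin@192.168.1.10 deploy' 'Match User deploy' '  PasswordAuthentication yes' > "$HARDENED"
for cfg in "$STOCK" "$HARDENED"; do
    echo "== $cfg"
    if sshd_audit "$cfg"; then echo "all checklist items met"; fi
done
```

The `AllowUsers admin@192.168.1.10` pattern is how sshd itself expresses item 3 (restricting a user to a client address); the trailing Match block shows that a per-user override does not change the global value the audit reports.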