ssh

冯风史
2023-12-01

On Linux, ssh comes as two services: the ssh client and the sshd server.

Notes for the server side:
1. Change passwords regularly
2. Use a non-default port
3. Restrict which client addresses may log in
4. Do not allow the administrator (root) to log in directly
5. Allow only a limited set of users to log in
6. Use key-based authentication
7. Do not allow protocol version 1

Client:

The configuration file is /etc/ssh/ssh_config

1. Password-based ssh
  ssh   root@ip/hostname: from Linux, log in over ssh as root on the remote host
  ssh   root@ip/hostname  ['command']: run a single command on the remote host as root
  ssh -p #: use a non-default port
  If ssh cannot log in, look in the hidden file .ssh/known_hosts in your own home directory, find the entry for that host and remove it, or simply delete the whole file

2. Public/private key ssh
  ssh-keygen: generate a public/private key pair; by default the private and public key are placed under root's home directory (/root/.ssh)
      -t [rsa | dsa]: specify the key algorithm
      -f 'path': specify where the key is stored
      -P 'passphrase': protect the private key with a passphrase

[root@bogon ~]# ssh-keygen -t rsa     # specify the rsa algorithm
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):   # where the key is stored
Enter passphrase (empty for no passphrase):           # set a passphrase; left empty here
Enter same passphrase again:                            # confirm the passphrase
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
72:f5:89:28:fd:90:3f:00:16:ea:b1:e5:97:09:b1:72 root@bogon
The key's randomart image is:
+--[ RSA 2048]----+
|      o          |
|     . +         |
|    + E   .      |
|   . O + * o .   |
|    o + S . o    |
|       = =       |
|          +      |
|           .     |
|                 |
+-----------------+
[root@bogon ~]# ls .ssh/
id_rsa  id_rsa.pub

3. ssh-copy-id -i ~/.ssh/id_rsa.pub   root@host/ip     : copy the public key to the remote host; -i specifies the public key. After this, logging in to that host no longer asks for a password

[root@bogon ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.17.148.113
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@172.17.148.113's password:   # enter the password of the corresponding user on the remote host here

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@172.17.148.113'"
and check to make sure that only the key(s) you wanted were added.

[root@bogon ~]# ssh root@172.17.148.113
Last login: Thu May 31 23:11:36 2018 from 172.17.148.255  # logging in now no longer asks for a password

4. scp: file transfer between hosts
  scp  source_file  root@hostname/ip:destination_path       send a file to the remote host; note the colon in the middle
  scp  root@hostname/ip:source_file  destination_path    pull a file from the remote host to the local machine; again with the colon

    -r: recursive
    -p: preserve file attributes (modification times and permissions)
    -C: compress
5. rsync: same usage as scp, but with an extra comparison step: files that compare equal are not copied again, only the files that differ are transferred

6. sftp: if key-based ssh login is configured, no password is needed here either; just run sftp ip. Use get to fetch a file

7. A key generated by Xshell must be placed in .ssh/authorized_keys under the home directory on the remote host; create the file if it does not exist. The directory permissions must be 700 and the file permissions 600. Also make sure you copy the entire key when pasting it. I was badly burned here!

8. Once key authentication is enabled, just turn password authentication off:
  PasswordAuthentication no
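As an added example (not part of the original post), the manual equivalent of ssh-copy-id from item 3 that also enforces the 700/600 permissions and the "copy the whole key" check from item 7. The function name install_pubkey, the scratch directory and the key line it demonstrates on are my own constructions, not a real key.

```shell
#!/bin/sh
# Added example (not from the original post): the manual equivalent of
# ssh-copy-id for the note about ~/.ssh/authorized_keys above. It creates
# the directory and file with the 700/600 permissions the post requires,
# refuses a truncated key line (the "copy the whole key" mistake), and
# appends the key only if the same key is not already present.
# Both paths are parameters so it can be exercised in a scratch directory.

# install_pubkey <authorized_keys path> <public key file>
install_pubkey() {
    auth_file=$1
    pubkey_file=$2
    ssh_dir=$(dirname "$auth_file")
    # A public key line is "<type> <base64 blob> [comment]"; take only the
    # first line in case the file was pasted with trailing junk.
    key_line=$(head -n 1 "$pubkey_file" 2>/dev/null)
    key_type=$(printf '%s\n' "$key_line" | awk '{print $1}')
    key_blob=$(printf '%s\n' "$key_line" | awk '{print $2}')
    case "$key_type" in
        ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unknown or missing key type: '$key_type'" >&2; return 1 ;;
    esac
    # The blob must be base64 and, since it is padded, a multiple of 4 long;
    # a partially copied key fails one of these two checks.
    case "$key_blob" in
        ''|*[!A-Za-z0-9+/=]*) echo "key blob missing or not base64" >&2; return 1 ;;
    esac
    if [ $(( ${#key_blob} % 4 )) -ne 0 ]; then
        echo "key blob length ${#key_blob} is not a multiple of 4: truncated?" >&2
        return 1
    fi
    # sshd (StrictModes yes, the default) ignores authorized_keys when the
    # directory or file is group- or world-writable: 700 and 600 as the post says.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"
    # Skip keys already installed, as ssh-copy-id's INFO line says it does.
    if grep -qF "$key_type $key_blob" "$auth_file"; then
        echo "key already installed"
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
    echo "key installed"
}

# Demo on a constructed (not real) key line in a scratch directory:
demo=$(mktemp -d); printf 'ssh-ed25519 Y29uc3RydWN0ZWQ= demo@example\n' > "$demo/id.pub"
install_pubkey "$demo/.ssh/authorized_keys" "$demo/id.pub"
```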

Server:

sshd configuration file
# followed by a space marks a comment
# followed by a parameter marks an option that can be changed (shown with its default value)
After changing the configuration file, make the service reread it: service sshd reload

[root@localhost ssh]# cat /etc/ssh/sshd_config 
#	$OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22                            default listening port is 22; can be changed to another port
#AddressFamily any                  listen on both IPv4 and IPv6 by default
#ListenAddress 0.0.0.0              listening address
#ListenAddress ::                   by default every address on the server is listened on; to listen on only one, put that IP here

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2                          use ssh protocol version 2

# HostKey for protocol version 1    
#HostKey /etc/ssh/ssh_host_key      host key for protocol version 1
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key  host key for protocol version 2
#HostKey /etc/ssh/ssh_host_dsa_key  host key for protocol version 2

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h         key lifetime
#ServerKeyBits 1024                 key length

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH                 log facility; authentication-related by default
SyslogFacility AUTHPRIV              log facility: authentication, privileged
#LogLevel INFO               log level

# Authentication:

#LoginGraceTime 2m                   how long to wait for a response after the connection is established; default 2 minutes
#PermitRootLogin yes                 whether the administrator may log in directly; direct remote root login should be disabled, log in as a normal user and su instead
#StrictModes yes                     whether to apply strict mode checks
#MaxAuthTries 6                      at most 6 attempts
#MaxSessions 10                      maximum number of sessions per connection

#RSAAuthentication yes               whether RSA authentication is allowed
#PubkeyAuthentication yes            whether public key authentication is allowed
#AuthorizedKeysFile	.ssh/authorized_keys     where the key file is located
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no           
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no              whether to ignore the user's ~/.ssh/known_hosts file
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes                     whether to ignore (not read) the files mentioned above

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes         whether password login is enabled
#PermitEmptyPasswords no            whether accounts with an empty password may log in
PasswordAuthentication yes          password authentication enabled

# Change to no to disable s/key passwords 
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no   challenge-response authentication (the s/key passwords mentioned in the comment above)

# Kerberos options
#KerberosAuthentication no           whether passwords are validated through Kerberos
#KerberosOrLocalPasswd yes           fall back to validating the password against the local /etc/passwd
#KerberosTicketCleanup yes           whether the user's ticket is removed after logout
#KerberosGetAFSToken no              

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing, 
# and session processing. If this is enabled, PAM authentication will 
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes                           authenticate via PAM

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes                   
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes                      whether to show the contents of /etc/motd after a successful login
#PrintLastLog yes                   whether to print the last login information
#TCPKeepAlive yes                   whether to send TCP keepalives to hold the connection open
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10                    how many connections may be pending (not yet past password entry) at the same time
#PermitTunnel no                    
#ChrootDirectory none

# no default banner path
#Banner none                      message shown to the user at login, in the form Banner /path/to/file

# override default of no subsystems
Subsystem	sftp	/usr/libexec/openssh/sftp-server      enable the sftp service

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server

#AllowUsers xxx xxx xxx   users allowed to log in; these are all local users/groups
#AllowGroups              groups allowed to log in
#DenyUsers xxx xxx xxx    users not allowed to log in
#DenyGroups               groups not allowed to log in
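An added example (not from the original post) that checks an sshd_config file against the checklist items sshd_config controls (items 2, 4, 5, 6 and 7 from the server notes, plus turning PasswordAuthentication off as in client note 8). The function names effective_value, want and audit_sshd_config and the sample configuration are my own constructions.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config file against
# the server checklist at the top of these notes. sshd uses the first uncommented
# value of each directive; scanning stops at a Match block (conditional values).

# effective_value <file> <directive> <default>
effective_value() {
    awk -v key="$2" -v def="$3" '
        tolower($1) == "match" { exit }
        $1 !~ /^#/ && tolower($1) == tolower(key) {
            sub(/^[ \t]*[^ \t]+[ \t]+/, ""); sub(/[ \t]+$/, ""); print; found = 1; exit
        }
        END { if (!found) print def }' "$1"
}

# want <directive> <default> <accepted...>: PASS if the effective value (case-
# insensitive) is one of the accepted values; otherwise FAIL and count it.
want() {
    dir=$1; def=$2; shift 2
    val=$(effective_value "$cfg" "$dir" "$def")
    lval=$(printf '%s' "$val" | tr 'A-Z' 'a-z')
    for accept in "$@"; do
        [ "$lval" = "$accept" ] && { echo "PASS $dir $val"; return 0; }
    done
    echo "FAIL $dir $val (want one of: $*)"
    fails=$((fails + 1))
}

# audit_sshd_config <file>: one line per checklist item; returns the number of
# failed items, so 0 means every item that sshd_config controls is satisfied.
audit_sshd_config() {
    cfg=$1; fails=0
    port=$(effective_value "$cfg" Port 22)
    if [ "$port" = 22 ]; then echo "FAIL Port 22 (item 2: use a non-default port)"; fails=$((fails + 1))
    else echo "PASS Port $port"; fi
    want Protocol 2 2                    # item 7: no protocol version 1
    want PermitRootLogin yes no          # item 4: no direct root login
    want PubkeyAuthentication yes yes    # item 6: key-based authentication
    want PasswordAuthentication yes no   # client note 8: passwords off
    want PermitEmptyPasswords no no
    allow=$(effective_value "$cfg" AllowUsers "")$(effective_value "$cfg" AllowGroups "")
    if [ -z "$allow" ]; then echo "FAIL AllowUsers/AllowGroups unset (item 5)"; fails=$((fails + 1))
    else echo "PASS AllowUsers/AllowGroups $allow"; fi
    echo "FAILURES $fails"
    return $fails
}
# Constructed sample mirroring the effective settings of the dump above:
sample=$(mktemp); printf '#Port 22\nProtocol 2\nPasswordAuthentication yes\n' > "$sample"
audit_sshd_config "$sample" || echo "$? item(s) to fix"
```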
Reposted from: https://www.cnblogs.com/forlive/p/8934197.html
