On Linux, OpenSSH comes in two halves: the ssh client and the sshd server daemon (only sshd runs as a service).
Server-side checklist:
1. Change passwords regularly
2. Listen on a non-default port
3. Restrict which client addresses may log in
4. Do not let the administrator (root) log in directly
5. Allow only a limited set of users to log in
6. Use key-based authentication
7. Disable protocol version 1
★Client:
The system-wide client config is /etc/ssh/ssh_config (per-user settings go in ~/.ssh/config).
1. Password-based ssh
ssh root@ip/hostname: log in to the remote Linux host as its root user
ssh root@ip/hostname 'command': run a single command on the remote host as root and return
ssh -p #: connect to a non-default port (lower-case -p for ssh; scp uses upper-case -P)
If ssh refuses to log in with "REMOTE HOST IDENTIFICATION HAS CHANGED", the key the server presents differs from the one recorded for it in ~/.ssh/known_hosts in your home directory (for example after the server was reinstalled). Confirm out of band that the change is expected (compare the fingerprint with ssh-keygen -lf /etc/ssh/ssh_host_*_key.pub on the server), then remove just that host's entry with ssh-keygen -R hostname-or-ip and reconnect. Deleting the whole known_hosts file also "works", but it throws away every recorded host key and with it the only protection ssh has against a man-in-the-middle.
2. Public/private key ssh
ssh-keygen: generate a key pair; by default the private key and the public key are written to ~/.ssh/ of the invoking user (here /root/.ssh/)
-t rsa|dsa|ecdsa|ed25519: key type (DSA is obsolete and rejected by default in current OpenSSH; prefer ed25519 on OpenSSH 6.5 or later, otherwise rsa with -b 4096)
-f 'path': where to store the key
-N 'passphrase': protect the private key with a passphrase (ssh-keygen also accepts -P for this at generation time); an unprotected private key is a plaintext credential on disk
[root@bogon ~]# ssh-keygen -t rsa    # rsa key type
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):    # where the key pair is stored
Enter passphrase (empty for no passphrase):    # passphrase, left empty here
Enter same passphrase again:    # confirm the passphrase
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
72:f5:89:28:fd:90:3f:00:16:ea:b1:e5:97:09:b1:72 root@bogon
The key's randomart image is:
+--[ RSA 2048]----+
| o |
| . + |
| + E . |
| . O + * o . |
| o + S . o |
| = = |
| + |
| . |
| |
+-----------------+
[root@bogon ~]# ls .ssh/
id_rsa  id_rsa.pub
3. ssh-copy-id -i ~/.ssh/id_rsa.pub root@host/ip: append the public key (-i selects which one) to ~/.ssh/authorized_keys of that user on the remote host, creating the directory and file with the right permissions if needed. Logging in to the remote host afterwards no longer prompts for a password.
[root@bogon ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.17.148.113
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@172.17.148.113's password:    # the remote user's password is needed this one last time
Number of key(s) added: 1
Now try logging into the machine, with:   "ssh 'root@172.17.148.113'"
and check to make sure that only the key(s) you wanted were added.
[root@bogon ~]# ssh root@172.17.148.113
Last login: Thu May 31 23:11:36 2018 from 172.17.148.255    # no password prompt this time
4. scp: copy files between hosts over ssh
scp SOURCE root@hostname/ip:DEST_PATH    push a file to the remote host; the colon between host and path is mandatory
scp root@hostname/ip:SOURCE DEST_PATH    pull a file from the remote host to the local one; colon again
-r: recursive (directories)
-p: preserve modification time, access time and mode bits
-C: compress in transit
-P port: non-default port (upper-case, unlike ssh -p)
5. rsync: same source/destination syntax as scp (rsync -av -e ssh SOURCE root@host:DEST), but it first compares each file with the copy on the other side (size and mtime by default, full checksum with -c) and transfers only the files that differ, and only the changed parts of those. rsync has to be installed on both ends.
6. sftp: once key login is set up it needs no password either: sftp root@ip, then get FILE to download (put FILE to upload).
7. A key pair generated in Xshell: paste the public key into ~/.ssh/authorized_keys in the home directory of the target user on the remote host, one key per line; create the file if it does not exist. The .ssh directory must be mode 700 and the file mode 600, both owned by that user, and with StrictModes on (the default) the home directory itself must not be writable by group or others, otherwise sshd silently ignores the key. When copying the key make sure the whole line is copied: the key type, the complete base64 blob and the comment. I got burned badly here!
8. Once key authentication works, turn password authentication off in sshd_config:
PasswordAuthentication no
Also set ChallengeResponseAuthentication no, otherwise PAM's keyboard-interactive method will still accept the password. Test key login from a second terminal while the first session stays open, so a mistake does not lock you out.
★Server:
sshd configuration file: /etc/ssh/sshd_config
# followed by a space introduces a comment
# directly followed by a keyword shows that option's built-in default; uncomment it and change the value to override it
After editing, make sshd re-read the file with service sshd reload (systemctl reload sshd on systemd hosts). Run sshd -t first: it checks the file for syntax errors without touching the running daemon, and a broken config would otherwise leave you with no way back in. Keep the current session open until a fresh login succeeds.
[root@localhost ssh]# cat /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22    default listening port 22; change it to something else
#AddressFamily any    listen on both IPv4 and IPv6
#ListenAddress 0.0.0.0    IPv4 listen address
#ListenAddress ::    by default every address on the server is listened on; to bind to one interface put its IP here
# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2    use SSH protocol version 2 only
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key    protocol 1 host key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key    protocol 2 host keys
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h    lifetime of the protocol 1 ephemeral server key
#ServerKeyBits 1024    its size in bits
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH    syslog facility, default AUTH
SyslogFacility AUTHPRIV    syslog facility set to AUTHPRIV (authentication and privilege messages)
#LogLevel INFO    log level
# Authentication:
#LoginGraceTime 2m    time a client gets to authenticate after connecting, default 2 minutes
#PermitRootLogin yes    whether root may log in directly; set it to no and log in as an ordinary user, then su or sudo
#StrictModes yes    check ownership and permissions of the user's home, ~/.ssh and authorized_keys before accepting a login
#MaxAuthTries 6    maximum authentication attempts per connection
#MaxSessions 10    maximum open sessions (shells, forwards) per network connection
#RSAAuthentication yes    RSA authentication (protocol 1)
#PubkeyAuthentication yes    public key authentication (protocol 2)
#AuthorizedKeysFile .ssh/authorized_keys    where the user's public keys are read from, relative to the home directory
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no    whether to ignore ~/.ssh/known_hosts for host-based authentication
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes    whether to ignore those files
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes    password login on or off
#PermitEmptyPasswords no    whether accounts with an empty password may log in
PasswordAuthentication yes    password authentication is on here; switch to no once key login works
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no    keyboard-interactive (challenge/response, e.g. S/Key or PAM) authentication; keep it off, because with UsePAM it can still accept a password after PasswordAuthentication no
# Kerberos options
#KerberosAuthentication no    validate the password against a Kerberos KDC
#KerberosOrLocalPasswd yes    fall back to the local password (/etc/passwd, /etc/shadow) if Kerberos rejects it
#KerberosTicketCleanup yes    destroy the user's Kerberos ticket cache on logout
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes    authenticate through PAM
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes    show /etc/motd after a successful login
#PrintLastLog yes    print the previous login's time and source
#TCPKeepAlive yes    send TCP keepalives so dead connections are noticed and closed
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10    maximum concurrent connections that have not yet authenticated
#PermitTunnel no
#ChrootDirectory none
# no default banner path
#Banner none    text shown to the client before authentication, as Banner /path/to/file; text after login belongs in /etc/motd
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server    enable the sftp subsystem
# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server
#AllowUsers xxx xxx xxx    users allowed to log in; these four directives all name local users and groups, take patterns, and in the user@host form also restrict where a user may log in from (checklist item 3), e.g. AllowUsers alice bob@192.168.1.*
#AllowGroups    groups allowed to log in
#DenyUsers xxx xxx xxx    users not allowed to log in
#DenyGroups    groups not allowed to log in
sshd evaluates them in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups; as soon as an Allow* directive is present, anyone it does not match is refused.
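To check a server against the checklist at the top of these notes, here is an added example that is not part of the original notes or of OpenSSH: a POSIX sh/awk audit that reads sshd_config the way sshd does (the first active occurrence of a keyword wins, commented lines set nothing, lines inside a Match block are conditional) and reports which items are not met. The function names, the two embedded config fragments (one mirroring the effective settings of the listing above, one hardened) and the default values in the table (taken from the commented defaults in that listing, i.e. OpenSSH 5.x) are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original notes): audit sshd_config against the
# seven-item checklist, reading the file with sshd's own precedence rules.

# Print the effective value of one keyword. sshd uses the FIRST active
# occurrence, so a hardening line appended at the end of the file after an
# earlier "PasswordAuthentication yes" changes nothing. Reading stops at the
# first Match block: values in there apply only when the condition matches.
sshd_effective() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0      { next }   # comments only document defaults
        tolower($1) == "match"           { exit }
        tolower($1) == tolower(key)      { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# One line of output per checklist item that is not met. Columns of the table:
# keyword, wanted value, value sshd assumes when the keyword is absent ("-" for
# none), reason. want "!22" means "anything but 22"; "*" means "must be set".
audit_sshd_config() {
    cfg=$1
    while read -r key want dflt why; do
        have=$(sshd_effective "$cfg" "$key")
        [ -n "$have" ] || [ "$dflt" = - ] || have=$dflt
        ok=1
        case $want in
            '!'*) [ "$have" != "${want#!}" ] || ok=0 ;;
            '*')  [ -n "$have" ] || ok=0 ;;
            *)    [ "$have" = "$want" ] || ok=0 ;;
        esac
        [ "$ok" = 1 ] || echo "$key=${have:-<unset>}: $why"
    done <<'EOF'
Protocol 2 2,1 item 7, protocol 1 must be off
Port !22 22 item 2, move off the default port
PermitRootLogin no yes item 4, no direct root login
AllowUsers * - item 5, restrict who may log in (user@host also covers item 3)
PubkeyAuthentication yes yes item 6, key-based auth must stay on
PasswordAuthentication no yes item 8, turn passwords off once keys work
PermitEmptyPasswords no no empty passwords must stay off
ChallengeResponseAuthentication no yes keyboard-interactive via PAM still accepts a password
EOF
    return 0
}

# Audit config text instead of a file, and count the findings.
audit_text() {
    f=$(mktemp) || return 1
    printf '%s\n' "$1" > "$f"
    audit_sshd_config "$f"
    rm -f "$f"
}
count_findings() { audit_text "$1" | wc -l | tr -d ' '; }

# Constructed sample 1 (assumption): the active lines of the listing above,
# everything else left at its commented default.
PAGE_CONFIG='Protocol 2
SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
UsePAM yes
X11Forwarding yes
Subsystem sftp /usr/libexec/openssh/sftp-server'

# Constructed sample 2 (assumption): the same server hardened. The second
# PermitRootLogin and the Match block are deliberate: neither undoes the
# hardening, because the first value wins and Match values are conditional.
HARDENED_CONFIG='Protocol 2
Port 2222
PermitRootLogin no
AllowUsers alice bob@192.168.1.*
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
# the line below is ignored by sshd: the first PermitRootLogin above wins
PermitRootLogin yes
Match User anoncvs
    PasswordAuthentication yes'

# Demo: the listing above fails four items, the hardened file none
audit_text "$PAGE_CONFIG"
echo "hardened findings: $(count_findings "$HARDENED_CONFIG")"
```

Run it as sh audit.sh after pointing audit_sshd_config at the real /etc/ssh/sshd_config; sshd -t still has to be run as well, since this script only reads values and does not validate syntax.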