SSH client and key-based login
Views: 7052
Published: 2019-06-28


SSH service

SSH stands for Secure Shell. The protocol version in use today is version 2; the service listens on TCP port 22 and provides secure remote login.

The SSH protocol exists in two versions, v1 and v2:
v1 relied on a CRC-32 checksum for integrity, which is not a cryptographic MAC; it is insecure and cannot prevent man-in-the-middle attacks.
In v2 the two hosts negotiate a secure MAC algorithm, perform key exchange with Diffie-Hellman (current releases also offer ECDH and Curve25519) and authenticate with RSA or DSA keys (current releases also offer ECDSA and Ed25519; DSA has been disabled by default since OpenSSH 7.0).
Concrete software implementations of SSH include OpenSSH and Dropbear.


OpenSSH

OpenSSH is an implementation of SSH that provides authenticated, encrypted access to remote systems. When a client connects to an SSH server for the first time, the server presents its host public key (on CentOS 7 typically the ECDSA key from /etc/ssh/ssh_host_ecdsa_key.pub) and the client stores it in ~/.ssh/known_hosts. On every later connection the client compares the key the server presents with the stored one; if they differ, the client prints a warning and refuses the connection, because a changed host key is exactly what a man-in-the-middle attack looks like.

Components of the SSH software

OpenSSH is split into the packages openssh, openssh-clients and openssh-server.
Because SSH follows a client/server model, the client and the server each have their own configuration.

OpenSSH client

I. Configuration file

The client configuration lives in /etc/ssh/ssh_config (per-user overrides go in ~/.ssh/config). It is normally left at its defaults, but a few options are worth knowing.

1. StrictHostKeyChecking
Controls what the client does with a host key it has not seen before. The default is ask: on the first connection to a host the client shows the key fingerprint and asks whether this is really the host you meant to reach; once the key is stored you are not asked again, and a connection to a host whose key has changed is refused. Setting the option to no suppresses the question: unknown keys are added silently and connections to hosts with a changed key are allowed to proceed (with a warning and with password authentication and forwarding disabled), which removes the protection against man-in-the-middle attacks. If the goal is only to avoid the first-connection prompt, OpenSSH 7.6 and later offer accept-new, which stores unknown keys automatically but still refuses changed ones.

StrictHostKeyChecking no
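The safer alternative to switching the check off, as an added example that is not part of the original post: pin the server's host key in a dedicated known_hosts file and have ssh refuse everything else. SAMPLE_KEY is a constructed placeholder rather than a real host key; on a real server the line comes from /etc/ssh/ssh_host_ed25519_key.pub, obtained out of band (console, provisioning system), with the hostname prepended. The function and file names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: instead of "StrictHostKeyChecking no",
# pin the expected host key in a dedicated known_hosts file and make ssh refuse anything
# else. SAMPLE_KEY is a constructed placeholder, not a real host key; on a real server
# the line comes from /etc/ssh/ssh_host_ed25519_key.pub, obtained out of band, with the
# hostname prepended.
set -eu

PINNED_FILE=$(mktemp)
SAMPLE_HOST=192.168.73.133
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEXAMPLEKEY'

# pin_host_key FILE HOST "TYPE BLOB": record the expected key for HOST.
# For a non-standard port the host field must be written as "[host]:port".
pin_host_key() {
    printf '%s %s\n' "$2" "$3" >> "$1"
}

# host_key_matches FILE HOST "TYPE BLOB"
# Returns 0 if FILE pins exactly this key for HOST, 1 if HOST is absent or pinned
# to a different key of the same type (entries of other key types are ignored).
# Only plaintext host fields are handled; hashed entries ("|1|salt|hash", produced by
# HashKnownHosts yes) and @cert-authority/@revoked markers need ssh-keygen -F instead.
host_key_matches() {
    awk -v host="$2" -v want="$3" '
        BEGIN { split(want, w, " ") }
        $1 !~ /^[#@|]/ && $2 == w[1] {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == host) { if ($3 == w[2]) found = 1; else mismatch = 1 }
        }
        END { exit (found && !mismatch) ? 0 : 1 }' "$1"
}

# ssh_pinned [ssh args...]: a client that trusts only the pinned file. An unknown host
# or a changed key aborts the connection instead of prompting or silently proceeding.
ssh_pinned() {
    ssh -o StrictHostKeyChecking=yes -o UserKnownHostsFile="$PINNED_FILE" "$@"
}

pin_host_key "$PINNED_FILE" "$SAMPLE_HOST" "$SAMPLE_KEY"
if host_key_matches "$PINNED_FILE" "$SAMPLE_HOST" "$SAMPLE_KEY"; then
    echo "pinned key for $SAMPLE_HOST is in place; connect with: ssh_pinned root@$SAMPLE_HOST"
fi
```

The pinned file is the only trust anchor ssh_pinned consults, so a cloned or rebuilt host with a different key fails closed rather than being added silently. Fetching the key with ssh-keyscan at the same moment you connect gives no such protection, because an attacker in the path would simply supply their own key to both tools.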

2. Port

The port used when connecting to the server. The default is 22; when the server's sshd listens on a non-standard port, either change Port in the configuration file (usually inside a Host block in ~/.ssh/config, so it applies to one server only) or pass ssh -p PORT on the command line. Note that known_hosts records a host on a non-standard port as [host]:port, so the stored key is separate from the one for the same host on port 22.
Changing the configuration file:

Port 9527    # find the Port line and set it to the desired port

Specifying the port manually:

[root@centos7 ~]# ssh root@192.168.73.133 -p 9527

II. User login methods

SSH offers two login methods: password-based login and key-based login.

Password-based login

Password-based login uses the ssh command directly.

Usage:

ssh [option] [user@]host [COMMAND]
Option     Description
-p port    port the remote server listens on
-b addr    source IP address to bind the connection to
-v         verbose (debug) mode; repeat up to -vvv for more detail
-C         compress the connection
-X         enable X11 forwarding
-t         force pseudo-tty allocation

Examples of common options:

-p: specifies the port of the remote host; used when the server listens on a non-standard port

[root@centos7 ~]# ssh root@192.168.73.133 -p 9527

-C: compressed connection, useful on low-bandwidth links

[root@centos7 ~]# ssh -C root@192.168.73.133

-X: X11 forwarding

X11 forwarding lets graphical applications running on the remote host display on the local machine. It also gives the remote host access to your local X server, so enable it only for hosts you trust.

[root@centos7 ~]# ssh -X root@192.168.73.133

-t: force pseudo-tty allocation

A typical use: four hosts a, b, c and d are chained so that a can only reach b, b only c and c only d. To get from a to d you would normally log in to b, then c, then d in turn. With -t a single command walks the whole chain, because each hop runs ssh as its remote command and -t gives that nested ssh a terminal for its password prompt:

[root@centos7 ~]# ssh -t 192.168.73.132 ssh -t 192.168.73.133 ssh 192.168.73.134
root@192.168.73.132's password: 
The authenticity of host '192.168.73.133 (192.168.73.133)' can't be established.
ECDSA key fingerprint is SHA256:YNlH0VBV0kp4lAClVvfMWVx/bHcbKKHXQwyd13d+MME.
ECDSA key fingerprint is MD5:8a:1c:3d:c2:04:b1:be:05:95:33:9e:16:e8:ad:6c:25.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.73.133' (ECDSA) to the list of known hosts.
root@192.168.73.133's password: 
The authenticity of host '192.168.73.134 (192.168.73.134)' can't be established.
ECDSA key fingerprint is SHA256:YNlH0VBV0kp4lAClVvfMWVx/bHcbKKHXQwyd13d+MME.
ECDSA key fingerprint is MD5:8a:1c:3d:c2:04:b1:be:05:95:33:9e:16:e8:ad:6c:25.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.73.134' (ECDSA) to the list of known hosts.
root@192.168.73.134's password: 
Last failed login: Tue Apr 16 11:41:25 CST 2019 from 192.168.73.133 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Tue Apr 16 07:15:03 2019 from 192.168.73.1

Two things to note in this transcript. First, 192.168.73.133 and 192.168.73.134 present the same ECDSA fingerprint: two hosts sharing a host key are almost always clones of one VM image, and their host keys should be regenerated so that known_hosts can actually tell them apart. Second, with a chain of -t hops every intermediate host decrypts the session and sees every keystroke, including the passwords typed for the later hops. OpenSSH 7.3 and later (CentOS 7 ships 7.4) provide ssh -J 192.168.73.132,192.168.73.133 192.168.73.134 (the ProxyJump option), which tunnels the connection to the final host through the intermediates as an opaque encrypted stream, so they never see the credentials or the session contents.

Key-based login

I. Interactive key login

1. First generate a key pair on the local machine

[root@centos7 ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:7s3nPNrHugMdkip+8ozUvE2pYeUnvGGhylzVHMhaPMk root@centos7.localdomain
The key's randomart image is:
+---[RSA 2048]----+
|                 |
|         + o     |
|          E..    |
|         oo+..   |
|        S.+oo.   |
|      .+.*.o.    |
|     ...O O...   |
|     +oB.X B+ o  |
|      =+* *+**   |
+----[SHA256]-----+

2. Send the public key to the remote host

ssh-copy-id appends the contents of id_rsa.pub to ~/.ssh/authorized_keys of the target user on the remote host; the private key never leaves the client.

[root@centos7 ~]# ssh-copy-id root@192.168.73.132
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.73.132's password: 
Permission denied, please try again.
root@192.168.73.132's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@192.168.73.132'"
and check to make sure that only the key(s) you wanted were added.

II. Non-interactive key login

1. Generate the key pair without prompts, stored in ~/.ssh/id_rsa (-N "" sets an empty passphrase, -f fixes the output path)

[root@centos7 ~]# ssh-keygen -t rsa -N "" -f ~/.ssh/id_rsa
Generating public/private rsa key pair.
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:q+dIP5AXsmfJT71CleOlW8pR27c/SBdDJaRBK/n3ibo root@centos7.localdomain
The key's randomart image is:
+---[RSA 2048]----+
|           .o.o o|
|           . + o |
|          o o..  |
|      . .  o+ oo |
|       =So +.=.oo|
|      + *.o =o+o+|
|      .=.+ ..Bo.+|
|     . +o o *. o |
|      ooo. E.   +|
+----[SHA256]-----+

2. Copy the public key to the remote host

[root@centos7 ~]# ssh-copy-id 192.168.73.128
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.73.128's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '192.168.73.128'"
and check to make sure that only the key(s) you wanted were added.
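What ssh-copy-id does on the remote side, and what it leaves out, as an added example that is not part of the original post: the public key is appended to ~/.ssh/authorized_keys with the permissions sshd's StrictModes requires, and the entry is prefixed with key options so that a stolen private key is only usable from the expected network and cannot open forwarding tunnels. SAMPLE_PUBKEY is a constructed placeholder, not a real key; the CIDR, the function names and the scratch directory standing in for the target user's ~/.ssh are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: the server-side half of what
# ssh-copy-id does (append the public key to ~/.ssh/authorized_keys with the
# permissions sshd's StrictModes requires), plus key options ssh-copy-id never adds.
# SAMPLE_PUBKEY is a constructed placeholder, not a real key; the CIDR and the
# temporary directory used below are assumptions for the demonstration.
set -eu

SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQEXAMPLEONLYNOTAREALKEY root@centos7.localdomain'

# restricted_entry "TYPE BLOB COMMENT" SOURCE_CIDR
# Prefix the key with options so that a stolen private key is only accepted from
# SOURCE_CIDR and gets an interactive shell but no port, agent or X11 forwarding.
# "restrict" (OpenSSH 7.2+, CentOS 7 ships 7.4) switches everything off; "pty"
# after it re-enables terminal allocation.
restricted_entry() {
    printf 'from="%s",restrict,pty %s\n' "$2" "$1"
}

# key_id ENTRY: the "TYPE BLOB" pair of an authorized_keys line, skipping any
# leading options block, so entries are compared on key material only.
key_id() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++)
            if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $i, $(i + 1); exit }
    }'
}

# install_authorized_key SSH_DIR ENTRY
# Append ENTRY to SSH_DIR/authorized_keys unless the same key is already there
# (re-running is a no-op, like ssh-copy-id's "filter out already installed"),
# and enforce 700 on the directory and 600 on the file.
install_authorized_key() {
    dir=$1; entry=$2; file="$dir/authorized_keys"
    mkdir -p "$dir"; chmod 700 "$dir"
    touch "$file"; chmod 600 "$file"
    wanted=$(key_id "$entry")
    while IFS= read -r line; do
        [ "$(key_id "$line")" = "$wanted" ] && return 0
    done < "$file"
    printf '%s\n' "$entry" >> "$file"
}

# count_authorized_keys SSH_DIR: number of key lines, ignoring blanks and comments.
count_authorized_keys() {
    awk 'NF && $1 !~ /^#/ { n++ } END { print n + 0 }' "$1/authorized_keys"
}

# Demonstration on a scratch directory standing in for the target user's ~/.ssh.
DEMO_DIR=$(mktemp -d)
ENTRY=$(restricted_entry "$SAMPLE_PUBKEY" "192.168.73.0/24")
install_authorized_key "$DEMO_DIR" "$ENTRY"
install_authorized_key "$DEMO_DIR" "$ENTRY"    # second run adds nothing
cat "$DEMO_DIR/authorized_keys"
```

The from= restriction is checked by sshd against the client's source address, so it limits where a leaked key can be used from; restrict removes the forwarding and agent features an attacker would otherwise get for free with the key. The 700/600 modes are not cosmetic: with StrictModes yes (the default) sshd ignores an authorized_keys file that is group- or world-writable, which is a common reason a freshly copied key "does not work".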

Note: key authentication is only as strong as the protection of the private key. If the private key file is stolen, whoever holds it can log in without a password to every host that trusts it. To limit the damage from theft, protect the private key with a passphrase so that the file alone is useless.

3. Encrypting the key

[root@centos7 .ssh]# ssh-keygen -t rsa -P "111111" -f ~/.ssh/id_rsa     # set a passphrase when creating the key
Generating public/private rsa key pair.
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:+kwhjUafA73ra7CoTaR59wemYBSGMummrZbHwubPUlI root@centos7.localdomain
The key's randomart image is:
+---[RSA 2048]----+
| . .             |
|+ . o  .         |
|.o . .o .        |
| o E.. = o       |
|o.... + S        |
|...=o..oo+       |
|..B.ooo=o.       |
|.B.*..o*. .      |
|+.*+.  .*o       |
+----[SHA256]-----+
[root@centos7 .ssh]# ssh-copy-id 192.168.73.128                         # copy the public key to the remote host
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.73.128 (192.168.73.128)' can't be established.
ECDSA key fingerprint is SHA256:YNlH0VBV0kp4lAClVvfMWVx/bHcbKKHXQwyd13d+MME.
ECDSA key fingerprint is MD5:8a:1c:3d:c2:04:b1:be:05:95:33:9e:16:e8:ad:6c:25.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.73.128's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '192.168.73.128'"
and check to make sure that only the key(s) you wanted were added.
[root@centos7 .ssh]# ssh 192.168.73.128
Enter passphrase for key '/root/.ssh/id_rsa':                       # the next login asks for the key's passphrase
Last login: Tue Apr 16 21:15:58 2019 from 192.168.73.132

Two caveats on the command above: a passphrase passed with -P ends up in the shell history and is visible to other users in the process list while the command runs, so in practice let ssh-keygen prompt for it interactively (or add one to an existing key later with ssh-keygen -p); and "111111" is shown only for the demonstration, a real passphrase has to withstand offline guessing against the stolen file.

Because typing the passphrase at every login is tedious, you can use an agent: enter the passphrase once, and from then on the agent supplies the key for every login that needs it.

4. Using the ssh-agent

[root@centos7 .ssh]# ssh-agent bash         # start the agent in a subshell
[root@centos7 .ssh]# ssh-add                # add the key to the agent
Enter passphrase for /root/.ssh/id_rsa: 
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
[root@centos7 .ssh]# ssh 192.168.73.128
Last login: Tue Apr 16 21:21:40 2019 from 192.168.73.128        # passwordless login works again
[root@centos7 ~]#

The agent keeps the decrypted key in memory for as long as that shell lives, and anyone who can reach its socket (root on the same machine, or a remote host if agent forwarding is enabled) can sign with the key. ssh-add -t SECONDS limits how long an added identity stays usable.

5. Key-based authentication in a cluster

Suppose there are three hosts that should all be able to log in to each other with keys. The straightforward way means sitting at each host in turn, generating a key pair and distributing its public key. Since that is tedious, is there a quicker method?
Idea: the three hosts share a single key pair.
Be aware of what this trades away: one private key now sits on every node, so compromising any single host yields a key that opens all of them, and revoking it means touching every authorized_keys file at once. Per-host key pairs with the public keys collected into one authorized_keys file cost a little more setup and keep the blast radius of a compromised host to that host.
5.1 Create the key pair on one host

[root@centos7 ~]# mkdir .ssh
[root@centos7 ~]# ssh-keygen -P "" -t rsa  -f .ssh/id_rsa
Generating public/private rsa key pair.
Your identification has been saved in .ssh/id_rsa.
Your public key has been saved in .ssh/id_rsa.pub.
The key fingerprint is:
SHA256:+pUkZANYvXQPGCF2VC5dpF7FNnZvLVyZZRNg7Av33f8 root@centos7.localdomain
The key's randomart image is:
+---[RSA 2048]----+
|     o=o==..++ooB|
|    .. ++ooo.o=++|
|       .=o+oo+ +o|
|       o.+ o.oo +|
|        S o o ooo|
|       . o . . .o|
|      .   o     .|
|       . .      .|
|        .       E|
+----[SHA256]-----+

5.2 Create the authorized_keys file for the host itself

[root@centos7 ~]# ssh-copy-id 192.168.73.128
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.73.128 (192.168.73.128)' can't be established.
ECDSA key fingerprint is SHA256:YNlH0VBV0kp4lAClVvfMWVx/bHcbKKHXQwyd13d+MME.
ECDSA key fingerprint is MD5:8a:1c:3d:c2:04:b1:be:05:95:33:9e:16:e8:ad:6c:25.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.73.128's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '192.168.73.128'"
and check to make sure that only the key(s) you wanted were added.

5.3 Distribute the whole .ssh directory to the other two hosts

scp needs -r to copy a directory (the second attempt below forgets it and fails with "not a regular file"); -p preserves file modes, which matters because ssh refuses a private key that is readable by others and sshd ignores an authorized_keys file that is writable by others.

[root@centos7 ~]# scp -rp .ssh 192.168.73.132:/root/
root@192.168.73.132's password: 
id_rsa                                        100% 1675     1.3MB/s   00:00    
id_rsa.pub                                    100%  406   389.1KB/s   00:00    
known_hosts                                   100%  352   536.8KB/s   00:00    
authorized_keys                               100%  406   660.1KB/s   00:00    
[root@centos7 ~]# scp .ssh 192.168.73.133:/root/
The authenticity of host '192.168.73.133 (192.168.73.133)' can't be established.
ECDSA key fingerprint is SHA256:YNlH0VBV0kp4lAClVvfMWVx/bHcbKKHXQwyd13d+MME.
ECDSA key fingerprint is MD5:8a:1c:3d:c2:04:b1:be:05:95:33:9e:16:e8:ad:6c:25.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.73.133' (ECDSA) to the list of known hosts.
root@192.168.73.133's password: 
.ssh: not a regular file
[root@centos7 ~]# scp -rp .ssh 192.168.73.133:/root/
root@192.168.73.133's password: 
id_rsa                                        100% 1675     1.2MB/s   00:00    
id_rsa.pub                                    100%  406   365.0KB/s   00:00    
known_hosts                                   100%  528     1.1MB/s   00:00    
authorized_keys                               100%  406   619.8KB/s   00:00    

5.4 Login test

[root@centos7 ~]# ssh 192.168.73.133
Last login: Tue Apr 16 06:23:20 2019
[root@centos7 ~]# ssh 192.168.73.132
Last login: Tue Apr 16 13:50:51 2019 from 192.168.73.1
[root@centos7 ~]# ssh 192.168.73.128
Last login: Tue Apr 16 21:50:38 2019 from 192.168.73.1
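An audit of what the shared-key setup leaves behind, as an added example that is not part of the original post. It runs two checks over constructed sample files: host keys that several hosts present in known_hosts (the cloned-image situation visible in the identical ECDSA fingerprints throughout the transcripts above), and user keys that appear in the authorized_keys of more than one host (the cluster key just distributed). All key material is placeholder text, not real keys, and the layout of one subdirectory per host holding that host's authorized_keys is an assumption made for this example; the function names are likewise assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: audit the consequences of the
# shared-key-pair setup above. All key material here is constructed placeholder
# text, not real keys, and the directory layout (one subdirectory per host holding
# that host's authorized_keys) is an assumption for the demonstration.
set -eu

WORK=$(mktemp -d)

# Constructed known_hosts: 192.168.73.133 and .134 present the same ECDSA key
# (a cloned image, as in the transcripts above); 192.168.73.128 has its own.
cat > "$WORK/known_hosts" <<'EOF'
192.168.73.128 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHOST128EXAMPLE
192.168.73.133 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCLONEDEXAMPLE
192.168.73.134 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCLONEDEXAMPLE
EOF

# Constructed authorized_keys for three hosts: the cluster key is on all of them,
# an admin key only on .128.
for h in 128 132 133; do
    mkdir -p "$WORK/host$h"
    echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCLUSTERSHAREDEXAMPLE root@centos7.localdomain' > "$WORK/host$h/authorized_keys"
done
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIADMINONLYEXAMPLE admin@laptop' >> "$WORK/host128/authorized_keys"

# shared_host_keys KNOWN_HOSTS
# Print "hostA,hostB,... TYPE BLOB" for every host key that more than one host
# presents. Hashed entries (HashKnownHosts yes) are skipped because their host
# field cannot be read back.
shared_host_keys() {
    awk '$1 !~ /^[#@|]/ {
            key = $2 " " $3
            hosts[key] = (key in n) ? hosts[key] "," $1 : $1
            n[key]++
         }
         END { for (k in n) if (n[k] > 1) print hosts[k], k }' "$1" | sort
}

# widely_authorized_keys DIR
# For each DIR/*/authorized_keys, count on how many hosts each user key is
# authorized and print "COUNT TYPE BLOB COMMENT" for keys accepted by more than one.
widely_authorized_keys() {
    awk 'NF && $1 !~ /^#/ {
            key = ""
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) { key = $i " " $(i + 1); break }
            if (key != "" && !seen[FILENAME, key]++) { n[key]++; comment[key] = $(i + 2) }
         }
         END { for (k in n) if (n[k] > 1) print n[k], k, comment[k] }' "$1"/*/authorized_keys | sort
}

shared_host_keys "$WORK/known_hosts"
widely_authorized_keys "$WORK"
```

A host key reported by shared_host_keys should be regenerated on all but one of the hosts, otherwise known_hosts cannot distinguish them and a spoofed clone passes the check. A user key reported on every host by widely_authorized_keys is the one whose theft from any node compromises the whole cluster; it is the first candidate for replacement by per-host keys.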

Reprinted from: https://blog.51cto.com/11886307/2382115
