目录
ssh安装包
[root@centos7:~]# yum info openssh
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
Installed Packages
Name : openssh
Arch : x86_64
Version : 7.4p1
Release : 16.el7
Size : 1.9 M
Repo : installed
From repo : anaconda
Summary : An open source implementation of SSH protocol versions 1 and 2
URL : http://www.openssh.com/portable.html
License : BSD
Description : SSH (Secure SHell) is a program for logging into and executing
: commands on a remote machine. SSH is intended to replace rlogin and
: rsh, and to provide secure encrypted communications between two
: untrusted hosts over an insecure network. X11 connections and
: arbitrary TCP/IP ports can also be forwarded over the secure channel.
:
: OpenSSH is OpenBSD's version of the last free version of SSH, bringing
: it up to date in terms of security and features.
:
: This package includes the core files necessary for both the OpenSSH
: client and server. To make this package useful, you should also
: install openssh-clients, openssh-server, or both.
[root@centos7:~]# rpm -qa "openssh**"
openssh-7.4p1-16.el7.x86_64
openssh-server-7.4p1-16.el7.x86_64
openssh-clients-7.4p1-16.el7.x86_64
[root@centos7:~]# rpm -ql openssh
/etc/ssh
/etc/ssh/moduli
/usr/bin/ssh-keygen
/usr/libexec/openssh
/usr/libexec/openssh/ctr-cavstest
/usr/libexec/openssh/ssh-keysign
[root@centos7:~]# rpm -ql openssh-server
/etc/pam.d/sshd
/etc/ssh/sshd_config
/etc/sysconfig/sshd
/usr/lib/systemd/system/sshd-keygen.service
/usr/lib/systemd/system/sshd.service
/usr/lib/systemd/system/sshd.socket
[root@centos7:~]# rpm -ql openssh-clients
/etc/ssh/ssh_config
/usr/bin/scp
/usr/bin/sftp
/usr/bin/slogin
/usr/bin/ssh
/usr/bin/ssh-add
/usr/bin/ssh-agent
/usr/bin/ssh-copy-idsshd服务
[root@centos7:~]# systemctl status sshd
[root@centos7:~]# cat /usr/lib/systemd/system/sshd.service
[Unit]
Description=OpenSSH server daemon
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target sshd-keygen.service
Wants=sshd-keygen.service
[Service]
Type=notify
EnvironmentFile=/etc/sysconfig/sshd
ExecStart=/usr/sbin/sshd -D $OPTIONS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=42s
[Install]
WantedBy=multi-user.target
[root@centos7:~]# systemctl stop sshd #已连接的不会断开,新的连接被拒绝ssh客户端连接服务器
# Port 22
[root@centos7:~]# vim /etc/ssh/ssh_config
#服务器端的sshd服务端口,如果不是22,则客户端的配置文件端口可改为和服务器一样,
#或者每次连接加-p选项
[root@centos7:~]# vim /etc/ssh/sshd_config
#第一次连接会问是否连接 yes/no
[root@centos7:~]# ssh 192.168.14.6
The authenticity of host '192.168.14.6 (192.168.14.6)' can't be established.
RSA key fingerprint is SHA256:ldwv9HEi63iQKlkKOjUKAOovAkQgmKhkm6UjK0JoV8k.
RSA key fingerprint is MD5:24:c8:d0:86:48:c0:3b:6d:2b:8d:95:3f:93:00:61:4d.
Are you sure you want to continue connecting (yes/no)?
[root@centos7:~]# vim /etc/ssh/ssh_config
# StrictHostKeyChecking ask
StrictHostKeyChecking no #改为no,第一次连接不会在询问,不建议
[root@centos7:~]# ssh 192.168.14.6
输入yes和centos6的密码,即连接上centos6,下次再连接centos6,则不会再问是否yes/no,直接输入密码即可。连接的记录文件如下
[root@centos7:.ssh]# ls
id_rsa id_rsa.pub known_hosts
[root@centos7:.ssh]# pwd
/root/.ssh
[root@centos7:.ssh]# cat known_hosts
192.168.14.6 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA1SbTaorjFFhvaTjyac3U0pT9fhhwtWt70aQcTeUnf+8fCygCyuIQ1rw1Q7oPOF+RxTBFhSHZDmSxx4sz+ZJ7VAluosRrncKiOAqH3m3coSvRo+htboFldbP8oB8eTi5bxByLijUFiVphRJ6JUgfxugHSY0MTb3UFz+KFAAv+8KWGVTZ1UWOD3aeTAb3UOkK/7ZjWsN1AidAiEwyoNmGjgVFvOEk+3Tt7JQhufx0WnEIuMb6k2JG5LzSaoQ5akv+I5tTPJxkZjkYjF6Ktag/NJ9xzEKp9n95XHlqntCusF+TT8v4Q5jHQh8c3prmpwJcE7TQJhQl65eZj3ur5ICre9Q==
#删除文件里面的此条记录,则下次连接会当做第一次连接,任然询问是否连接(yes/no)
当centos7连接过centos6时,即centos7的家目录下/root/.ssh/known_hosts有192.168.14.6记录时,把服务器centos6(192.168.14.6)网络断开,再开启一个新的虚拟机ip配置为192.168.31.6。再次从centos7连接此ip,结果如下
[root@centos7:.ssh]# ssh 192.168.14.6
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:0w2zn5i6KOssvh7PUxCGo0/dSK77g3dihbXaQHEExDQ.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending RSA key in /root/.ssh/known_hosts:3
RSA host key for 192.168.14.6 has changed and you have requested strict checking.
Host key verification failed.
第一次连接服务器,记录服务器的公钥信息,存放于本地/root/.ssh/known_hosts,下次连接时,服务器发送的消息时是用私钥加密的,当客户端收到私钥签名的消息时,用本地保存的服务器公钥解密,成功,则验证了身份。私钥要保护好,否则被偷走,会被冒充
[root@centos7:ssh]# ls
moduli ssh_host_ecdsa_key ssh_host_ed25519_key.pub
ssh_config ssh_host_ecdsa_key.pub ssh_host_rsa_key
sshd_config ssh_host_ed25519_key ssh_host_rsa_key.pub
# ssh_host_rsa_key centos7私钥客户端ssh使用示例
示例1、#登录远程主机执行命令后在本机显示后,退出远程主机
[root@centos7:ssh]# ssh 192.168.14.6 'ip a'
[email protected]'s password:
/root/.bashrc: line 8: aliaz: command not found
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:37:0c:a3 brd ff:ff:ff:ff:ff:ff
inet 192.168.14.6/24 brd 192.168.14.255 scope global eth1
inet6 fe80::20c:29ff:fe37:ca3/64 scope link
valid_lft forever preferred_lft forever
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:37:0c:ad brd ff:ff:ff:ff:ff:ff
inet 172.18.119.213/16 brd 172.18.255.255 scope global eth0
inet6 fe80::20c:29ff:fe37:cad/64 scope link
valid_lft forever preferred_lft forever示例2、#指定ip连接远程主机
[root@centos7:ssh]# ip a a 192.168.31.27/24 dev ens33
[root@centos7:ssh]# ip a
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:84:9c:10 brd ff:ff:ff:ff:ff:ff
inet 192.168.31.7/24 brd 192.168.31.255 scope global noprefixroute ens33
valid_lft forever preferred_lft forever
inet 192.168.31.27/24 scope global secondary ens33
valid_lft forever preferred_lft forever
inet6 fe80::a12f:1465:53a3:13b5/64 scope link noprefixroute
valid_lft forever preferred_lft forever
[root@centos7:ssh]# ssh -b 192.168.31.27 192.168.14.6
[email protected]'s password:
Last login: Wed Jul 18 18:00:05 2018 from 192.168.14.1
[root@centos6 ~ ]#ss -nt
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 192.168.14.6:22 192.168.31.27:62718示例3、连接到远程主机后,执行一个打开图形界面的命令
[root@centos7:ssh]# ssh -X 192.168.14.6
[email protected]'s password:
Last login: Wed Jul 18 18:54:34 2018 from 192.168.14.1
[root@centos6 ~ ]#system-config-users
system-config-users requires a currently running X server.
[root@centos6 ~ ]#system-config-users
Xlib: extension "RANDR" missing on display "localhost:12.0" 如图1,图2
图1,图2
运行程序在centos6上,画图在centos7上,基于x11协议,不管centos6运行在哪种运行模式(init3,init5等),都可以运行图形工具在centos7上
------------------------------
xshell中也有此工具,如图3,图4,图5
图3
图4
图5
X 协议转发
所有图形化应用程序都是X客户程序
• 能够通过tcp/ip连接远程X服务器
• 数据没有加密机,但是它通过ssh连接隧道安全进行
ssh -X user@remotehost gedit
remotehost主机上的gedit工具,将会显示在本机的X服务器上
传输的数据将通过ssh连接加密
示例3,多次跳堡垒机
#不让centos7连接centos6,但别的机器centos7-1可以连接centos6
[root@centos6 ssh ]#iptables -A INPUT -s 192.168.31.7 -j REJECT
[root@centos7:ssh]# ssh -t 192.168.31.17 ssh 192.168.14.6
[root@centos7:ssh]# ssh -t 192.168.31.17 ssh -t 192.168.31.27 ssh 192.168.14.6
=================================================================
=================================================================
ssh登录验证方法
基于用户名和口令验证登录
1 客户端发起ssh请求,服务器会把自己的公钥发送给用户
2 用户会根据服务器发来的公钥对密码进行加密
3 加密后的信息回传给服务器,服务器用自己的私钥解密,如果密码正确,则用户登录成功
基于key验证(/root/.sshauthorized_keys)
1 首先在客户端生成一对密钥(ssh-keygen)
2 并将客户端的公钥ssh-copy-id 拷贝到服务端
前两步准备工作
3 当客户端再次发送一个连接请求,包括ip、用户名
4 服务端得到客户端的请求后,会到authorized_keys中查找,如果有响应的IP用户,就会随机生成一个字符串,例如:acdf
5 服务端将使用客户端拷贝过来的公钥进行加密,然后发送给客户端
6 得到服务端发来的消息后,客户端会使用私钥进行解密,然后将解密后的字符串发送给服务端
7服务端接受到客户端发来的字符串后,跟之前的字符串进行对比,如果一致,就允许免密码登录
基于key验证
[root@centos7:~]# ssh-keygen #默认rsa算法生成ssh公私钥
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:PIyFODiX7ZmdrJ/ych1YZxukLX3EFY5+1JjYtpAfzH8 root@centos7
The key's randomart image is:
+---[RSA 2048]----+
| . oo|
| . + . .*=o.|
| o = o . =+oOo.|
| o o X .+ B+o+ |
| = So + =o.E|
| .... . . .|
| . . . |
| o.... |
| =+ |
+----[SHA256]-----+
#私钥权限600
[root@centos7:.ssh]# ll
total 12
-rw-------. 1 root root 1679 Jul 18 18:48 id_rsa
-rw-r--r--. 1 root root 394 Jul 18 18:48 id_rsa.pub
-rw-r--r--. 1 root root 966 Jul 18 16:24 known_hosts
#专门命令传公钥,如果传的是私钥,系统默认会改为公钥
[root@centos7:.ssh]# ssh-copy-id -i id_rsa 192.168.14.6
#[root@centos7:.ssh]# ssh-copy-id 192.168.14.6
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "id_rsa.pub"
#centos6上接收到的是centos7的公钥
[root@centos6 .ssh ]#pwd
/root/.ssh
[root@centos6 .ssh ]#ls
authorized_keys known_hosts
[root@centos6 .ssh ]#cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCryPu31TT0RD6+y8uODvRRPygQNDinMW92HuOt+kZCV4S5SKReLCZ+7TvqLtJnGkofXr7AqH9VGLHVv8YxY7SOFT72brEFqAJJlbeKoQj0ZhopVkSAYms5sqcbz4OHaGHLmFZe7pN1EnbBUVnax1VsPF5jCsEKMQZeaCGHfYq+c5+kErwSnvr/5oNB66z0twSapP4gymoZML9Mas7btyuZ9QJ2wqN1dasjncPQBA7FsmNc6+EBxfEac8MdljW6MZ8M/S0y9Et6gi5en9pp8yuz96do6GifhT30UiN4QqLyPWJE8evuEjsyE+1F7I/yUSdksTbSayDrJudocnmlPJ91 root@centos7
#此时连接,只有centos7上的root用户才可直接登录进去,无需密码
[root@centos7:.ssh]# ssh 192.168.14.6
Last login: Wed Jul 18 19:01:41 2018 from 192.168.14.1
[root@centos6 ~ ]#
#普通用户生成公私钥
[root@centos7:.ssh]# su - dhy
Last login: Tue Jul 10 11:15:11 CST 2018 on pts/1
[dhy@centos7:~]$ ssh-keygen -t dsa #用dsa加密算法生成公私钥
Generating public/private dsa key pair.
Enter file in which to save the key (/home/dhy/.ssh/id_dsa):
Created directory '/home/dhy/.ssh'.
Enter passphrase (empty for no passphrase): #私钥加密,不设密码
Enter same passphrase again:
把生成的公钥传到远程主机
#私钥生成后加密
[dhy@centos7:.ssh]$ ssh-keygen -p
Enter file in which the key is (/home/dhy/.ssh/id_rsa):
#可以用-f指定要加密文件
[dhy@centos7:.ssh]$ ssh-keygen -p -f id_dsa
[dhy@centos7:.ssh]$ ssh-keygen --help----------------------------------------
windows上的xshell连接远程主机,基于key
xshell自带的工具,如图6。生成后,私钥默认有xshell管理,公钥先放到桌面,再复制到远程主机,远程主机上cat xshell_pub.key >> /root/.ssh/authorized_keys
如图7,则windows的xshell可以基于key连接远程主机上有xshell公钥的机器,
图6
图7
启用ssh私钥口令代理
利用centos7生成的公私钥,把公钥拷贝到其它多台机器上,此时从centos7上连接其它机器,需要输入centos7生成的私钥密码即可。不想每次输入私钥密码,可以启用代理
[dhy@centos7:.ssh]$ ssh-agent bash
[dhy@centos7:.ssh]$ ssh-add
Identity added: /home/dhy/.ssh/id_dsa (/home/dhy/.ssh/id_dsa)
[dhy@centos7:.ssh]$
代理程序退出,下次再登录上去连接远程主机,则仍需要输入私钥口令
多台机器基于key可以互想连接
可以把一对公私钥拷贝到所有机器上
#生成公私钥,在利用ssh-copy-id生成公钥到
[root@centos7:~]# ssh-keygen
#自己连接自己,即把公钥导入自己的机器(/root/.ssh/authorized_keys)
[root@centos7:.ssh]# ssh-copy-id 192.168.31.7
脚本
host.txt
192.168.31.17 root centos
192.168.31.27 root centos1
192.168.31.37 root passwd
#!/bin/bash
#生成公私钥对
ssh-keygen -t rsa -P '' -f /root/.ssh/id_rsa &> /dev/null &&echo "ssh key is Created"
while read line;do
ip=`echo $line|awk '{print $1}'`
user=`echo $line|awk '{print $2}'`
password=echo `$line|awk '{print $3}'`
expect <<-EOF
set timeout 10
spawn ssh-copy-id -i ~/.ssh/id_rsa.pub $user@$ip
expect{
"yes/no" { send "yes\n";exp_continue }
"pasword" { send "$password\n" }
}
EOF
echo "$ip is finished"
doen < hostline.txtssh介绍:
ssh代替telnet,telnet不安全,是明文传输的
ssh:secure shell
实验:ssh服务 c/s结构(client/server)
socket:标识应用唯一地址
ip+tcp/udp port
http tcp/80
ssh tcp/22
cat /etc/services
SSH
ssh: secure shell, protocol, 22/tcp, 安全的远程登录
具体的软件实现:
OpenSSH: ssh协议的开源实现,CentOS默认安装
dropbear:另一个开源实现 英文译:抛弃的狗熊
SSH协议版本
v1: 基于CRC-32做MAC,不安全;man-in-middle
v2:双方主机协议选择安全的MAC方式
基于DH算法做密钥交换,基于RSA或DSA实现身份认证
两种方式的用户登录认证:
基于password
基于key
openssh软件组成
相关包:
openssh
openssh-clients
openssh-server
工具:
基于C/S结构
Client: ssh, scp, sftp,slogin
Windows客户端:
xshell, putty, securecrt, ssh,secure,shell,client
Server: sshd
ssh客户端
客户端组件:
ssh, 配置文件:/etc/ssh/ssh_config
Host PATTERN
StrictHostKeyChecking no 首次登录不显示检查提示
格式:ssh [user@]host [COMMAND]
ssh [-l user] host [COMMAND]
常见选项
-p port:远程服务器监听的端口
-b:指定连接的源IP
-v:调试模式
-C:压缩方式
-X: 支持x11转发
-Y:支持信任x11转发
ForwardX11Trusted yes
-t: 强制伪tty分配
ssh -t remoteserver1 ssh remoteserver2
允许实现对远程系统经验证地加密安全访问
当用户远程连接ssh服务器时,会复制ssh服务器/etc/ssh/ssh_host*key.pub (CentOS7默认是ssh_host_ecdsa_key.pub)文件中的公钥到客户机的 ~/.ssh/know_hosts中。下次连接时,会自动匹配相应私钥,不能匹配,将拒绝连接
-----------------------------------------------------------------------
ssh服务登录验证
ssh服务登录验证方式:
用户/口令
基于密钥
基于用户和口令登录验证
1 客户端发起ssh请求,服务器会把自己的公钥发送给用户
2 用户会根据服务器发来的公钥对密码进行加密
3 加密后的信息回传给服务器,服务器用自己的私钥解密,如果密码正确,则用户登录成功
基于密钥的登录方式
1 首先在客户端生成一对密钥(ssh-keygen)
2 并将客户端的公钥ssh-copy-id 拷贝到服务端
前两步准备工作
3 当客户端再次发送一个连接请求,包括ip、用户名
4 服务端得到客户端的请求后,会到authorized_keys中查找,如果有响应的IP用户,就会随机生成一个字符串,例如:acdf
5 服务端将使用客户端拷贝过来的公钥进行加密,然后发送给客户端
6 得到服务端发来的消息后,客户端会使用私钥进行解密,然后将解密后的字符串发送给服务端
7服务端接受到客户端发来的字符串后,跟之前的字符串进行对比,如果一致,就允许免密码登录
基于key认证
基于密钥的认证:
(1) 在客户端生成密钥对
ssh-keygen -t rsa [-P ''] [-f “~/.ssh/id_rsa"]
把公钥文件传输至远程服务器对应用户的家目录
ssh-copy-id [-i [identity_file]] [user@]host
测试
在SecureCRT或Xshell实现基于key验证
在SecureCRT工具—>创建公钥—>生成Identity.pub文件
转化为openssh兼容格式(适合SecureCRT,Xshell不需要转化格式),并复制到 需登录主机上相应文件authorized_keys中,注意权限必须为600,在需登录的ssh主机上执行:
ssh-keygen -i -f Identity.pub >> .ssh/authorized_keys
(5)重设私钥口令:
ssh-keygen –p
(6)验证代理(authentication agent)保密解密后的密钥
• 这样口令就只需要输入一次
• 在GNOME中,代理被自动提供给root用户
• 否则运行ssh-agent bash
(7)钥匙通过命令添加给代理
ssh-add