基于linux下的openssh服务

什么是openssh？

OpenSSH是SSH（Secure SHell）协议的免费开源实现。
SSH协议族可以用来进行远程控制，或在计算机之间传送文件。
而实现此功能的传统方式，如telnet(终端仿真协议)、 rcp ftp、
rlogin、rsh都是极为不安全的，并且会使用明文传送密码。OpenSSH提供了
服务端后台程序和客户端工具，用来加密远程控制和文件传输过程中的数据，并由此来代替原来的类似服务。

实验前提：

打开两台虚拟机分别配置IP为172.25.254.121和172.25.254.221，只要不同即可。

服务端：

hostnamectl set-hostname service.com  更改名字方便区分
[root@service ~]# ifconfig   查看IP
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.25.254.121  netmask 255.255.255.0  broadcast 172.25.254.255
        inet6 fe80::5054:ff:fe0f:48bf  prefixlen 64  scopeid 0x20<link>
        ether 52:54:00:0f:48:bf  txqueuelen 1000  (Ethernet)
        RX packets 101  bytes 11691 (11.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 59  bytes 8702 (8.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 774  bytes 65764 (64.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 774  bytes 65764 (64.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 82:6a:62:ea:93:7e  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0    

客户端：

hostnamectl set-hostname client.com  更改名字方便区分
[root@client ~]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.25.254.221  netmask 255.255.255.0  broadcast 172.25.254.255
        inet6 fe80::5054:ff:fe41:fe50  prefixlen 64  scopeid 0x20<link>
        ether 52:54:00:41:fe:50  txqueuelen 1000  (Ethernet)
        RX packets 1818  bytes 444942 (434.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1530  bytes 4472387 (4.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 1965  bytes 4704608 (4.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1965  bytes 4704608 (4.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 1a:88:fa:b6:6a:c3  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

客户端连接需要密码:

[root@client ~]# rm -fr /root/.ssh/   删除.ssh目录
[root@client ~]# ssh [email protected]  连接服务端，目录会自动生成
The authenticity of host '172.25.254.121 (172.25.254.121)' can't be established.
ECDSA key fingerprint is b1:05:1c:1c:99:8d:fd:26:e7:d9:62:3c:32:4d:91:66.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.25.254.121' (ECDSA) to the list of known hosts.
root@172.25.254.121's password: 
Last login: Thu Jun 14 08:33:55 2018 from 172.25.254.221
[root@service ~]# exit
logout
Connection to 172.25.254.121 closed.
[root@client ~]# cd /root/.ssh/   切换到.ssh路径
[root@client .ssh]# ls   查看已经有了连接
known_hosts

在服务端：

[root@service ~]# rm -fr /root/.ssh/  删除.ssh目录
[root@service ~]# ssh [email protected]  连接客户端生成目录
The authenticity of host '172.25.254.221 (172.25.254.221)' can't be established.
ECDSA key fingerprint is 1c:8a:8c:8e:fe:33:f3:7a:9d:70:11:f9:9a:57:6c:23.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.25.254.221' (ECDSA) to the list of known hosts.
root@172.25.254.221's password: 
Last login: Thu Jun 14 08:21:20 2018 from 172.25.254.84
[root@client ~]# exit
logout
Connection to 172.25.254.221 closed.
[root@service ~]# cd /root/.ssh/   切换到.ssh路径
[root@service .ssh]# ls   已经有了连接
known_hosts

在服务端：

生成锁和钥匙：

[root@service .ssh]# ssh-keygen   生成密钥的命令
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 保存加密字符的文件用默认
Enter passphrase (empty for no passphrase):  可以为空，如果不想为空必须大于4位
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa. 私钥
Your public key has been saved in /root/.ssh/id_rsa.pub. 公钥
The key fingerprint is:
4c:ce:8b:d0:98:b5:c5:5c:e3:72:a9:11:9b:e0:b6:ce [email protected]
The key's randomart image is:
+--[ RSA 2048]----+
|      . . o      |
|     . + * o     |
|      + X +      |
|     * O =       |
|    + + S        |
|     + . .       |
|      E .        |
|                 |
|                 |
+-----------------+
[root@service .ssh]# ls
id_rsa  id_rsa.pub  known_hosts

加密ssh用户的认证：

[root@service .ssh]# ssh-copy-id -i /root/.ssh/id_rsa.pub [email protected]   对服务端进行加密
ssh-copy-id     加密命令
-i          指定密钥
/root/.ssh/id_rsa.pub   密钥
root            加密用户
172.25.254.121      主机ip
[root@service .ssh]# ls   已经生成锁文件
authorized_keys  id_rsa  id_rsa.pub  known_hosts

验证：

[root@service .ssh]# scp /root/.ssh/id_rsa [email protected]:/root/.ssh/
root@172.25.254.221's password: 
id_rsa                                        100% 1675     1.6KB/s   00:00      解密文件传输到客户端

在客户端：

[root@client .ssh]# ls    查看已经有了私钥
id_rsa  known_hosts
[root@client .ssh]# ssh [email protected]  可以免密连接
Last login: Thu Jun 14 08:41:02 2018 from 172.25.254.221
[root@service ~]# exit   退出
logout
Connection to 172.25.254.121 closed.

在服务端：

[root@service .ssh]# rm -fr authorized_keys  当此文件被删除，客户端解密文件失效
[root@service .ssh]# ls   查看已经被删除
id_rsa  id_rsa.pub  known_hosts

在客户端：

[root@client .ssh]# ssh [email protected]  连接需要密码
root@172.25.254.121's password: 
Last login: Thu Jun 14 08:49:10 2018 from 172.25.254.221
[root@service ~]# exit   退出
logout 
Connection to 172.25.254.121 closed.

扫描二维码关注公众号，回复： 2349748 查看本文章

在服务端：

[root@service .ssh]# scp /root/.ssh/id_rsa.pub /root/.ssh/authorized_keys  从新生成锁文件，解密文件功能恢复
[root@service .ssh]# ls  查看已经生成锁文件
authorized_keys  id_rsa  id_rsa.pub  known_hosts

在客户端：

[root@client .ssh]# ssh [email protected]  可以免密连接
Last login: Thu Jun 14 08:49:35 2018 from 172.25.254.221
[root@service ~]# exit  退出
logout
Connection to 172.25.254.121 closed.
[root@client .ssh]# rm -fr id_rsa  在客户端删除私钥之后也没办法免密执行
[root@client .ssh]# ls  查看已经删除私钥
known_hosts
[root@client .ssh]# ssh [email protected]  连接需要密码
root@172.25.254.121's password: 
Last login: Thu Jun 14 08:50:10 2018 from 172.25.254.221
[root@service ~]# exit  退出
logout
Connection to 172.25.254.121 closed.

在服务端：

[root@service .ssh]# scp /root/.ssh/id_rsa [email protected]:/root/.ssh/  重新发送解密文件
root@172.25.254.221's password: 
id_rsa                                        100% 1675     1.6KB/s   00:00

在客户端：

[root@client .ssh]# ls  查看已经有了私钥
id_rsa  known_hosts
[root@client .ssh]# ssh [email protected] 可以免密连接
Last login: Thu Jun 14 08:50:23 2018 from 172.25.254.221
[root@service ~]# exit  退出
logout
Connection to 172.25.254.121 closed.