1. openssh
## Overview:
On Linux systems, OpenSSH is currently the most widely used application for remote login and file transfer, and it replaces the traditional network applications Telnet, FTP and the r-series (rlogin, rsh).
ssh (Secure Shell) replaces telnet, rlogin and rsh; scp (Secure Copy) and sftp (Secure FTP) replace ftp.
OpenSSH encrypts data with keys to keep the transfer secure. Before any data is transferred, the two sides first exchange keys; when data arrives from the peer, it is decrypted with the key and the corresponding program. Encrypting the transfer in this way helps prevent unauthorized users from obtaining the data.
OpenSSH generates the public/private key pair randomly. The keys normally only need to be generated once, but they can be regenerated when necessary.
When the ssh command is used to log in to a remote system, the sshd daemon on the OpenSSH server sends a public key, and the OpenSSH client program ssh prompts the user to confirm whether to accept it.
At the same time, the OpenSSH client also sends a key back to the server, so that each system on the two ends of the OpenSSH connection holds the other side's key and can decrypt the encrypted data the other side sends over the encrypted link.
The OpenSSH server's public and private keys are stored in the /etc/ssh directory. On the OpenSSH client, all public keys the user has received, together with the IP addresses of the OpenSSH servers that supplied them, are stored in ~/.ssh/known_hosts under the user's home directory (.ssh is a hidden directory).
If a key no longer matches its IP address, OpenSSH assumes that something has gone wrong somewhere. For example, reinstalling the operating system or upgrading OpenSSH causes the system to generate new keys, but a malicious network attack can also cause a key to change. Therefore, whenever a key changes, always find out why it changed before continuing, so that data stays safe during the network session.
When the openssh service is enabled on a host, that host exposes an interface for remote connections.
Server side of the openssh service: sshd
Client side of the openssh service: ssh
2. Connecting from the client to sshd (the server)
Format: ssh server-user@server-ip-address
For example:
ssh root@172.25.254.130 ## on the client, use the ssh command to connect as the root user of host 172.25.254.130
## Connect to the host without enabling the remote host's graphical functions
[root@localhost ~]# ssh root@172.25.254.200
The authenticity of host '172.25.254.200 (172.25.254.200)' can't be established.
ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
Are you sure you want to continue connecting (yes/no)?
# the first time this host connects to an unknown host, .ssh/known_hosts is created automatically; this file records the hosts that have been connected to
root@172.25.254.200's password: # enter the password; the connection succeeds
Last login: Fri Mar 30 02:05:52 2018 from 172.25.254.100
[root@localhost ~]# exit # leave the current connection
logout
Connection to 172.25.254.200 closed.
## Note: to enable the remote host's graphical functions, add -X
[kiosk@foundation66 Desktop]$ ssh -X root@172.25.254.230
root@172.25.254.230's password:
Connection closed by 172.25.254.230
## take a photo or record video (a graphical program run over the forwarded display)
[kiosk@foundation66 Desktop]$ cheese
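Added example, not from the original page, covering the defender's side of the fingerprint prompt above and of the known_hosts note in the overview: it recomputes the MD5 fingerprint from a public key line (to compare with a value fetched out of band, e.g. ssh-keygen -l -E md5 -f /etc/ssh/ssh_host_ecdsa_key.pub on the server console) and checks what known_hosts already stores for a host. The key blobs and known_hosts lines are constructed, and GNU coreutils is assumed.

```shell
#!/bin/sh
# Added example (not from the page): recompute the MD5 host-key fingerprint that
# the "Are you sure you want to continue connecting" prompt shows, from a public
# key line, so it can be checked against a value obtained out of band (on the
# server: ssh-keygen -l -E md5 -f /etc/ssh/ssh_host_ecdsa_key.pub) before typing
# yes, and look up which key ~/.ssh/known_hosts already holds for a host.
# Newer OpenSSH prints SHA256:<base64> instead; compare like with like.
# Assumes GNU coreutils (base64 -d, md5sum); hashed known_hosts lines (|1|...)
# are not decoded here.
md5_fingerprint() {    # md5_fingerprint KEYLINE -> eb:24:0e:...  (16 hex pairs)
    printf '%s\n' "$1" | awk '{ print $2 }' | base64 -d |
        md5sum | awk '{ print $1 }' | sed 's/../&:/g; s/:$//'
}
known_hosts_key() {    # known_hosts_key FILE HOST -> key line stored for HOST, if any
    awk -v h="$2" '
        /^[ \t]*#/ || NF < 3 { next }
        { n = split($1, names, ",")
          for (i = 1; i <= n; i++) if (names[i] == h) { print $2, $3; exit } }' "$1"
}
host_key_changed() {   # host_key_changed FILE HOST PRESENTED_FP -> 0 if FILE holds a
    stored=$(known_hosts_key "$1" "$2")   # different key for HOST (the warning case)
    [ -n "$stored" ] && [ "$(md5_fingerprint "$stored")" != "$3" ]
}

# Constructed data: "YWJj" is base64 for "abc", so its MD5 fingerprint is the
# RFC 1321 test vector 900150983cd24fb0d6963f7d28e17f72 split into pairs.
KEY_A='ecdsa-sha2-nistp256 YWJj root@service'
KEY_B='ecdsa-sha2-nistp256 YWJk root@service'   # a different (constructed) key blob
KH=$(mktemp)
printf '172.25.254.200,service %s\n' "$KEY_A" > "$KH"
echo "fingerprint of KEY_A: $(md5_fingerprint "$KEY_A")"
if host_key_changed "$KH" 172.25.254.200 "$(md5_fingerprint "$KEY_B")"; then
    echo "172.25.254.200 now presents a different key: find out why before connecting"
fi
rm -f "$KH"
```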
3. Adding a new authentication method to the ssh service (key authentication)
Client (hostname client): 172.25.254.130
Server (hostname service): 172.25.254.230
1) Change the hostnames
[root@localhost Desktop]# hostnamectl set-hostname client
[root@localhost Desktop]# hostname
client
[root@localhost Desktop]# exit
logout
Connection to 172.25.254.130 closed.
[kiosk@foundation66 Desktop]$ ssh root@172.25.254.130
root@172.25.254.130's password:
Last login: Tue Sep 11 05:24:02 2018 from 172.25.254.66
[root@localhost ~]# hostnamectl set-hostname service
[root@localhost ~]# hostname
service
[root@localhost ~]# exit
logout
Connection to 172.25.254.230 closed.
[kiosk@foundation66 Desktop]$ ssh root@172.25.254.230
root@172.25.254.230's password:
Last login: Tue Sep 11 05:30:58 2018 from 172.25.254.66
2) Generate the lock and the key (the key pair)
[root@service ~]# ssh-keygen # command that generates the key pair
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): # accept the default file for the key
Enter passphrase (empty for no passphrase): # may be left empty; if a passphrase is set it must be longer than 4 characters
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa. ## private key (the "key")
Your public key has been saved in /root/.ssh/id_rsa.pub. ## public key (the "lock")
The key fingerprint is:
3e:8e:b1:d4:c1:1e:9f:69:c9:ff:12:fc:10:dc:bf:0f root@service
The key's randomart image is:
+--[ RSA 2048]----+
| |
| |
| . . |
| . o . |
| S . . . |
| + = ++ .|
| o = B +E .|
| . = o .. .o |
| o . .o. o|
+-----------------+
3) Set up key authentication for the ssh user
[root@service ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.25.254.230
The authenticity of host '172.25.254.230 (172.25.254.230)' can't be established.
ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@172.25.254.230's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@172.25.254.230'"
and check to make sure that only the key(s) you wanted were added.
4) Transfer the private key (the "key" file) to the client
(Note: in this lab the pair is generated on the server and the private key is copied to the client; the usual practice is to generate the pair on the client and copy only id_rsa.pub with ssh-copy-id, so the private key never leaves the client.)
[root@service ~]# scp /root/.ssh/id_rsa root@172.25.254.130:/root/.ssh/
The authenticity of host '172.25.254.130 (172.25.254.130)' can't be established.
ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.25.254.130' (ECDSA) to the list of known hosts.
root@172.25.254.130's password:
id_rsa 100% 1679 1.6KB/s 00:00
Test:
[root@client ~]# cd /root/.ssh/
[root@client .ssh]# ls
authorized_keys id_rsa
## passwordless connection succeeds
[root@client .ssh]# ssh root@172.25.254.230
The authenticity of host '172.25.254.230 (172.25.254.230)' can't be established.
ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.25.254.230' (ECDSA) to the list of known hosts.
Last login: Tue Sep 11 05:35:23 2018 from 172.25.254.66
[root@service ~]# exit
logout
## when this file is deleted, the client's private key no longer works
[root@service ~]# rm -fr /root/.ssh/authorized_keys
## passwordless connection fails
[root@client ~]# ssh root@172.25.254.230
root@172.25.254.230's password:
## copy the lock file again (regenerate the lock file) and the private key works again
[root@service .ssh]# cp /root/.ssh/id_rsa.pub /root/.ssh/authorized_keys
## passwordless connection restored
[root@client ~]# ssh root@172.25.254.230
Last failed login: Tue Sep 11 05:51:04 EDT 2018 from 172.25.254.230 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Tue Sep 11 05:40:27 2018 from 172.25.254.130
## The command that installs the key:
ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.25.254.230
Parameters:
ssh-copy-id ## command that installs the public key on the server
-i ## specify the key file
/root/.ssh/id_rsa.pub ## the public key
root ## the user whose login the key is installed for
172.25.254.230 ## the host IP
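Added example, not from the original page: a shell audit of the files that the passwordless login above depends on, reproducing the authorized_keys deletion case and the permission rules sshd and ssh enforce. The .ssh directory and key pair it builds are a constructed fixture with fake key content, and GNU find is assumed.

```shell
#!/bin/sh
# Added example (not from the page): audit the files that the key-based login
# above depends on. Prints each problem to stderr and the problem count to stdout.
# The checks mirror what sshd (StrictModes yes, the default) and ssh enforce:
#   * ~/.ssh and authorized_keys must not be group/world-writable, otherwise
#     sshd ignores authorized_keys and falls back to the password prompt
#   * the private key must not be readable by group/others, otherwise ssh
#     refuses to use it ("Permissions ... are too open")
#   * authorized_keys must contain exactly the public key line being tested
# Assumes GNU find (-maxdepth, -perm /mode), i.e. a Linux host.
audit_ssh_dir() {   # audit_ssh_dir SSHDIR PUBKEYFILE
    dir=$1 pub=$2 problems=0
    for f in "$dir" "$dir/authorized_keys"; do
        if [ -n "$(find "$f" -maxdepth 0 -perm /022 2>/dev/null)" ]; then
            echo "WARN: $f is group/world-writable; sshd ignores authorized_keys" >&2
            problems=$((problems + 1))
        fi
    done
    if [ -f "$dir/id_rsa" ] && [ -n "$(find "$dir/id_rsa" -maxdepth 0 -perm /077)" ]; then
        echo "WARN: $dir/id_rsa is readable by others; ssh will refuse to use it" >&2
        problems=$((problems + 1))
    fi
    if [ ! -f "$dir/authorized_keys" ]; then
        echo "WARN: $dir/authorized_keys is missing (the rm -fr case above)" >&2
        problems=$((problems + 1))
    elif ! grep -qxF "$(cat "$pub")" "$dir/authorized_keys"; then
        echo "WARN: the key in $pub is not in $dir/authorized_keys" >&2
        problems=$((problems + 1))
    fi
    echo "$problems"
}

# Constructed fixture: a throwaway .ssh layout with a fake, non-secret key pair
# laid out the way the steps above leave it (id_rsa 600, authorized_keys = id_rsa.pub).
make_fixture() {    # make_fixture SSHDIR
    mkdir -p "$1" && chmod 700 "$1"
    echo "ssh-rsa AAAAFAKEKEYFORTHEEXAMPLE root@service" > "$1/id_rsa.pub"
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nfake\n-----END RSA PRIVATE KEY-----\n' > "$1/id_rsa"
    chmod 600 "$1/id_rsa"
    cp "$1/id_rsa.pub" "$1/authorized_keys" && chmod 600 "$1/authorized_keys"
}

tmp=$(mktemp -d)
make_fixture "$tmp/.ssh"
echo "clean layout: $(audit_ssh_dir "$tmp/.ssh" "$tmp/.ssh/id_rsa.pub") problem(s)"
chmod 644 "$tmp/.ssh/id_rsa"          # what a careless copy of the private key does
echo "after chmod 644 id_rsa: $(audit_ssh_dir "$tmp/.ssh" "$tmp/.ssh/id_rsa.pub") problem(s)"
rm -rf "$tmp"
```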
4. Secure configuration of sshd
## Disable the original (password) authentication method
vim /etc/ssh/sshd_config
PasswordAuthentication no|yes ## disable or enable ssh's default authentication method (passwords)
PermitRootLogin no|yes ## disable or enable login by the root user
AllowUsers westos ## user whitelist; with this setting only westos may log in
DenyUsers linux ## user blacklist; with this setting only linux is denied login
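Added example, not from the original page: a shell reading of an sshd_config that applies sshd's own rules (first uncommented occurrence wins; DenyUsers is checked before AllowUsers) to the four settings above. The config it checks is constructed, the default of yes for both keywords is an assumption for older OpenSSH releases, and Match blocks, Keyword=value syntax and user@host or wildcard patterns are not handled.

```shell
#!/bin/sh
# Added example (not from the page): read an sshd_config the way sshd does, so a
# hardening edit can be checked before the service is restarted. Two rules that
# the file's commented-out defaults hide:
#   * for a yes/no keyword the FIRST uncommented occurrence wins; a line added
#     at the end of the file below an earlier one changes nothing
#   * DenyUsers is checked before AllowUsers, and once AllowUsers is set every
#     user not listed (root included) is refused, whatever PermitRootLogin says
effective_value() {   # effective_value FILE KEYWORD DEFAULT -> first value, else DEFAULT
    awk -v k="$2" -v d="$3" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) && !found { found = 1; print $2 }
        END { if (!found) print d }' "$1"
}
list_values() {       # list_values FILE KEYWORD -> every value from every matching line
    awk -v k="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { for (i = 2; i <= NF; i++) print $i }' "$1"
}
user_allowed() {      # user_allowed FILE USER -> exit 0 if Allow/DenyUsers admit USER
    for u in $(list_values "$1" DenyUsers); do [ "$u" = "$2" ] && return 1; done
    allow=$(list_values "$1" AllowUsers)
    [ -z "$allow" ] && return 0       # no whitelist: everyone not denied passes
    for u in $allow; do [ "$u" = "$2" ] && return 0; done
    return 1
}
weak_settings() {     # weak_settings FILE -> how many of the two keywords are still weak
    n=0                               # default "yes" for both assumed (older OpenSSH)
    [ "$(effective_value "$1" PasswordAuthentication yes)" = yes ] && n=$((n + 1))
    [ "$(effective_value "$1" PermitRootLogin yes)" = yes ] && n=$((n + 1))
    echo "$n"
}

# Constructed sample: the stock "yes" lines left in place and the hardening line
# appended at the bottom, the edit that silently fails to take effect.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PermitRootLogin yes
PasswordAuthentication yes
AllowUsers westos
DenyUsers linux
PasswordAuthentication no
EOF
echo "weak settings still in effect: $(weak_settings "$sample")"
for u in westos linux root; do
    user_allowed "$sample" "$u" && echo "$u: allowed" || echo "$u: denied"
done
rm -f "$sample"
# On the real host, validate the file and then apply it: sshd -t && systemctl restart sshd
```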