Linux初级:ssh服务及基于key验证方法

ssh

配置文件:
/etc/ssh/ssh_config 客户端
/etc/ssh/sshd_config 服务器端

首次连接时,系统会自动把被连接主机的公钥(主机密钥)拷贝到发起连接的主机上,用来做后续认证
    /etc/ssh/ssh_host_rsa_key.pub (被连接的主机)
    /root/.ssh/known_hosts (发起连接主机)
如更换了机器而IP不变(主机密钥已变),清空known_hosts文件即可(或用 ssh-keygen -R 主机 只删除该主机的记录,不影响其他主机的已知密钥)

1、服务器端更改默认端口22(我这里port更改为6666)

[root@centos7 ~]#vim /etc/ssh/sshd_config 
#       $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
Port 6666
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
"/etc/ssh/sshd_config" 139L, 3908C written

更改过后记得
systemctl reload sshd
SELinux为enforcing时,还需按文件开头注释所述执行 semanage port -a -t ssh_port_t -p tcp 6666,否则SELinux可能阻止sshd绑定新端口
ss -ntl可查看端口是否更改

2、指定端口连接 -p

[root@dadda6 ~]#ssh 192.168.32.61 -p 6666
[email protected]'s password: 
Last login: Thu Sep 13 21:35:55 2018 from 192.168.32.50
Dadda Up!

3、客户端更改默认端口22(我这里更改为6666,与服务器同样)

[root@dadda6 ~]#vim /etc/ssh/ssh_config 
#       $OpenBSD: ssh_config,v 1.25 2009/02/17 01:28:32 djm Exp $

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
    Port 6666
#   GSSAPIDelegateCredentials no
#   GSSAPIKeyExchange no
#   GSSAPITrustDNS no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
    Port 6666
#   Protocol 2,1
#   Cipher 3des
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,[email protected],hmac-ripemd160
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
Host *
        GSSAPIAuthentication yes
# If this option is set to yes then remote X11 clients will have full access
# to the original X11 display. As virtually no X11 client supports the untrusted
# mode correctly we set this to yes.
        ForwardX11Trusted yes
# Send locale-related environment variables
        SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
        SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
        SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
        SendEnv XMODIFIERS
"/etc/ssh/ssh_config" 59L, 2049C written

4、指定本机源IP连接 -b

[root@dadda6 ~]#ssh -b 192.168.32.50 192.168.32.61
[email protected]'s password: 
Last login: Thu Sep 13 21:39:27 2018 from 192.168.32.50
Dadda Up!
[root@centos7 ~]#

5、调试模式 -v

[root@dadda6 ~]#ssh -v 192.168.32.61               
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 192.168.32.61 [192.168.32.61] port 6666.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/identity-cert type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: checking without port identifier
debug1: Host '192.168.32.61' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:2
debug1: found matching key w/out port
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Cannot determine realm for numeric host address

debug1: Unspecified GSS failure.  Minor code may provide more information
Cannot determine realm for numeric host address

debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Next authentication method: password
[email protected]'s password: 
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: client_input_global_request: rtype [email protected] want_reply 0
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Last login: Thu Sep 13 21:46:10 2018 from 192.168.32.50
Dadda Up!
[root@centos7 ~]#

6、转发图形界面,在本地打开远程主机的图形程序 -X (Windows可通过Xshell中的Xstart连接Linux桌面)

[root@dadda6 ~]#ssh -X 192.168.32.61
[email protected]'s password: 
Last login: Thu Sep 13 22:12:05 2018 from 192.168.32.50
Dadda Up!
[root@centos7 ~]#nm-connection-editor

7、强制伪tty分配 -t(通过192.168.32.68跳转到192.168.32.77)

[root@centos7 ~]#ssh -t 192.168.32.68 ssh 192.168.32.77

基于key验证

1、发起连接的主机生成密钥

[root@centos7 ~]#cd .ssh
[root@centos7 .ssh]#ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): dushan_rsa
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in dushan_rsa.
Your public key has been saved in dushan_rsa.pub.
The key fingerprint is:
SHA256:GmCdKdxjddHQxc0cfyawAyDh0weuKQIjBuMYaVhWzcs [email protected]
The key's randomart image is:
+---[RSA 2048]----+
|=oo..oo.+.==.o.=.|
|*= . +oB o .oo. =|
|*o  =.X.o . o . +|
|oo . +E= .   . o.|
|  . . + S        |
|   . . o         |
|      .          |
|                 |
|                 |
+----[SHA256]-----+

2、把公钥拷贝给需要连接的主机(默认生成/root/.ssh/authorized_keys文件)

[root@centos7 .ssh]#ssh-copy-id -i /root/.ssh/dushan_rsa.pub 192.168.32.50
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/dushan.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '192.168.32.50'"
and check to make sure that only the key(s) you wanted were added.

3、直接连接即可

[root@centos7 .ssh]#ssh 192.168.32.50

4、设置或更改私钥口令

[root@centos7 .ssh]#ssh-keygen -p
Enter file in which the key is (/root/.ssh/id_rsa): dushan_rsa
Enter old passphrase: 
Enter new passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved with the new passphrase.

5、利用expect把公钥推送到多台主机
生成iplist.txt文件,每行填一个IP

#**************************************************************
#Author:                 Dadda_Du
#QQ:                     316722220     
#Date:                   2018-09-13    
#FileName:               ssh_push_key.sh
#URL:                     https://blog.csdn.net/weixin_40001704
#Description:             The script test
#Copyright(C):            2018 all rights reserved
#**************************************************************
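# Push this host's RSA public key to every host listed in iplist.txt (one IP per
# line), answering the host-key prompt and the password prompt through expect.
# Requires: iplist.txt in the current directory; expect is installed via yum if missing.
# The remote password is taken from $SSH_PW when set and otherwise falls back to the
# literal below. A password stored in clear text in a script is readable by anyone who
# can read the file, so keep the file mode 600 or supply the password via SSH_PW instead.
pw="${SSH_PW:-dushan}"
rpm -q expect &> /dev/null || yum -y install expect
# Generate the key pair only once: re-running ssh-keygen on an existing key would either
# block on its interactive "Overwrite?" prompt or replace a key already pushed to hosts.
[[ -f /root/.ssh/id_rsa ]] || ssh-keygen -t rsa -P "" -f /root/.ssh/id_rsa
# -r keeps backslashes literal; the trailing test still processes a last line without a
# newline; blank lines are skipped so ssh-copy-id is never called with an empty host.
while read -r ip || [[ -n "$ip" ]]; do
  [[ -n "$ip" ]] || continue
  # The "yes/no" branch auto-accepts an unknown host key (trust on first use). That is
  # only acceptable on a network where every listed host is known, because a spoofed
  # host at that IP would be accepted and would receive the password just the same.
  expect <<EOF
spawn ssh-copy-id -i /root/.ssh/id_rsa.pub $ip
expect {
"yes/no" { send "yes\n";exp_continue }
"password" { send "$pw\n" }
}
expect eof
EOF
done < iplist.txt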

6、在SecureCRT或Xshell实现基于key验证

在SecureCRT工具—>创建公钥—>生成Identity.pub文件
转化为openssh兼容格式(适合SecureCRT,Xshell不需要转化格式),
并复制到需登录主机上相应文件authorized_keys中,
注意权限必须为600,在需登录的ssh主机上执行:
ssh-keygen -i -f Identity.pub >> .ssh/authorized_keys

scp

常用选项:
-C 压缩数据流
-r 递归复制
-p 保持原文件的属性信息
-q 静默模式
-P PORT 指明remote host的监听的端口

[root@centos7 ~]#scp /etc/fstab 192.168.32.50:/data
[email protected]'s password: 
fstab                                               100%  784     1.1MB/s   00:00

!!!大量重复文件推荐用rsync,不要使用scp命令

rsync

选项:
-n 模拟复制过程
-v 显示详细过程
-r 递归复制目录树
-p 保留权限
-t 保留时间戳
-g 保留组信息
-o 保留所有者信息
-l 将软链接文件本身进行复制(默认)
-L 将软链接文件指向的文件复制
-a 存档,相当于-rlptgoD,但不保留ACL(-A)和SELinux属性(-X)

[root@centos7 ~]#rsync -av /etc/sysconfig/ 192.168.32.50:/data
源目录末尾带/时,只把目录下的内容复制到目标目录
[root@centos7 ~]#rsync -av /etc/sysconfig 192.168.32.50:/data
源目录末尾不带/时,把整个目录(含目录本身)复制到目标目录下

sftp

交互式文件传输工具
用法和传统的ftp工具相似
利用ssh服务实现安全的文件上传和下载
使用ls cd mkdir rmdir pwd get put等指令,可用?或help获取帮助信息
sftp [user@]host
sftp> help

pssh

依赖epel源
yum install pssh

pssh是一个python编写可以在多台服务器上执行命令的工具,也可实现文件复制
选项:
--version:查看版本
-h:主机文件列表,内容格式"[user@]host[:port]"
-H:主机字符串,内容格式"[user@]host[:port]"
-A:手动输入密码模式
-i:每个服务器内部处理信息输出
-l:登录使用的用户名
-p:并发的线程数【可选】
-o:输出的文件目录【可选】
-e:错误输入文件【可选】
-t:TIMEOUT 超时时间设置,0无限制【可选】
-O:SSH的选项
-P:打印出服务器返回信息
-v:详细模式

连接一台主机并执行命令hostname
[root@centos7 ~]#pssh -H 192.168.32.50 -A -i hostname

连接多台,利用iplist.txt文件
[root@centos7 ~]#pssh -h iplist.txt -A -i hostname

连接多台,分别创建dushan用户(批量执行命令)
[root@centos7 ~]#pssh -h iplist.txt -A -i "useradd dushan"

连接多台,统一修改selinux文件
[root@centos7 ~]#pssh -h iplist.txt -A -i "sed -i 's/SELINUX=disabled/SELINUX=permissive/' /etc/selinux/config"

pscp.pssh

pscp.pssh功能是将本地文件批量复制到远程主机
选项
-v 显示复制过程
-r 递归复制目录

将本地curl.sh 复制到/app/目录
pscp.pssh -H 192.168.1.10 /root/test/curl.sh /app/
pscp.pssh -h host.txt /root/test/curl.sh /app/

将本地多个文件批量复制到/app/目录
pscp.pssh -H 192.168.1.10 /root/f1.sh /root/f2.sh /app/

将本地目录批量复制到/app/目录
pscp.pssh -H 192.168.1.10 -r /root/test/ /app/

pslurp

pslurp功能是将远程主机的文件批量复制到本地
选项
-L 指定远程文件下载到本机后的存放目录,local是下载到本地后使用的文件名
-r 递归复制目录

批量下载目标服务器的日志文件至/data下,并更名为m
pslurp -h iplist.txt -L /data /var/log/messages m

转载自blog.csdn.net/weixin_40001704/article/details/82789504