ssh
配置文件:
/etc/ssh/ssh_config 客户端
/etc/ssh/sshd_config 服务器端
首次连接时,系统会自动把被连接主机的公钥拷到发起连接的主机上,用于后续认证
/etc/ssh/ssh_host_rsa_key.pub (被连接的主机)
/root/.ssh/known_hosts (发起连接主机)
如更换了机器但IP不变,清空known_hosts文件即可
1、服务器端更改默认端口22(我这里port更改为6666)
[root@centos7 ~]#vim /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
Port 6666
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
"/etc/ssh/sshd_config" 139L, 3908C written
更改过后记得 systemctl reload sshd
ss -ntl
可查看端口是否更改
2、指定端口连接 -p
[root@dadda6 ~]#ssh 192.168.32.61 -p 6666
[email protected]'s password:
Last login: Thu Sep 13 21:35:55 2018 from 192.168.32.50
Dadda Up!
3、客户端更改默认端口22(我这里更改为6666,与服务器同样)
[root@dadda6 ~]#vim /etc/ssh/ssh_config
# $OpenBSD: ssh_config,v 1.25 2009/02/17 01:28:32 djm Exp $
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
# Host *
# ForwardAgent no
# ForwardX11 no
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
Port 6666
# GSSAPIDelegateCredentials no
# GSSAPIKeyExchange no
# GSSAPITrustDNS no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
Port 6666
# Protocol 2,1
# Cipher 3des
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,[email protected],hmac-ripemd160
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
Host *
GSSAPIAuthentication yes
# If this option is set to yes then remote X11 clients will have full access
# to the original X11 display. As virtually no X11 client supports the untrusted
# mode correctly we set this to yes.
ForwardX11Trusted yes
# Send locale-related environment variables
SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
SendEnv XMODIFIERS
"/etc/ssh/ssh_config" 59L, 2049C written
4、指定源IP连接 -b
[root@dadda6 ~]#ssh -b 192.168.32.50 192.168.32.61
[email protected]'s password:
Last login: Thu Sep 13 21:39:27 2018 from 192.168.32.50
Dadda Up!
[root@centos7 ~]#
5、调试模式 -v
[root@dadda6 ~]#ssh -v 192.168.32.61
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 192.168.32.61 [192.168.32.61] port 6666.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/identity-cert type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: checking without port identifier
debug1: Host '192.168.32.61' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:2
debug1: found matching key w/out port
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Cannot determine realm for numeric host address
debug1: Unspecified GSS failure. Minor code may provide more information
Cannot determine realm for numeric host address
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Next authentication method: password
[email protected]'s password:
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: client_input_global_request: rtype [email protected] want_reply 0
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Last login: Thu Sep 13 21:46:10 2018 from 192.168.32.50
Dadda Up!
[root@centos7 ~]#
6、在本地图形界面中打开被连接主机的图形程序 -X (windows可通过xshell中的Xstart连接linux桌面)
[root@dadda6 ~]#ssh -X 192.168.32.61
[email protected]'s password:
Last login: Thu Sep 13 22:12:05 2018 from 192.168.32.50
Dadda Up!
[root@centos7 ~]#nm-connection-editor
7、强制伪tty分配 -t(通过192.168.32.68跳转到192.168.32.77)
[root@centos7 ~]#ssh -t 192.168.32.68 ssh 192.168.32.77
基于key验证
1、发起连接主机生成密钥
[root@centos7 ~]#cd .ssh
[root@centos7 .ssh]#ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): dushan_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in dushan_rsa.
Your public key has been saved in dushan_rsa.pub.
The key fingerprint is:
SHA256:GmCdKdxjddHQxc0cfyawAyDh0weuKQIjBuMYaVhWzcs [email protected]
The key's randomart image is:
+---[RSA 2048]----+
|=oo..oo.+.==.o.=.|
|*= . +oB o .oo. =|
|*o =.X.o . o . +|
|oo . +E= . . o.|
| . . + S |
| . . o |
| . |
| |
| |
+----[SHA256]-----+
2、把公钥拷贝给需要连接的主机(默认生成/root/.ssh/authorized_keys文件)
[root@centos7 .ssh]#ssh-copy-id -i /root/.ssh/dushan_rsa.pub 192.168.32.50
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/dushan.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '192.168.32.50'"
and check to make sure that only the key(s) you wanted were added.
3、直接连接即可
[root@centos7 .ssh]#ssh 192.168.32.50
4、设置或更改私钥口令
[root@centos7 .ssh]#ssh-keygen -p
Enter file in which the key is (/root/.ssh/id_rsa): dushan_rsa
Enter old passphrase:
Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved with the new passphrase.
5、利用expect把公钥推送到多台主机
生成iplist.txt文件,每行填写一个ip
#**************************************************************
#Author: Dadda_Du
#QQ: 316722220
#Date: 2018-09-13
#FileName: ssh_push_key.sh
#URL: https://blog.csdn.net/weixin_40001704
#Description: The script test
#Copyright(C): 2018 all rights reserved
#**************************************************************
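# Password the expect session sends when the remote host prompts for one.
# NOTE(review): a plaintext secret inside the script is exposed through shell
# history, backups and anyone who can read the file; an environment override
# lets the literal be removed without changing how the script is called.
pw="${SSH_PUSH_PW:-dushan}"
# Install expect only when it is absent (rpm -q is silenced, its status decides).
rpm -q expect &> /dev/null || yum -y install expect
# Generate the key pair once. Without the guard ssh-keygen asks "Overwrite (y/n)?"
# on an existing file and the unattended run stalls there. -P "" means an
# unencrypted private key, so the file's permissions are its only protection.
[[ -f /root/.ssh/id_rsa ]] || ssh-keygen -t rsa -P "" -f /root/.ssh/id_rsa
# One target per line in iplist.txt; -r keeps backslashes intact, the || clause
# still processes a last line that lacks a trailing newline, blank lines are skipped.
while IFS= read -r ip || [[ -n "$ip" ]]; do
  [[ -n "$ip" ]] || continue
  # Unquoted heredoc: $ip and $pw are expanded by the shell before expect runs.
  # The original invocation had "i" instead of "-i", so the key path was taken
  # as the hostname. The "yes/no" branch accepts whatever host key is presented
  # without checking the fingerprint, which is the check first contact exists for;
  # on a managed network, pre-seeding known_hosts is the safer alternative.
  expect <<EOF
spawn ssh-copy-id -i /root/.ssh/id_rsa.pub $ip
expect {
"yes/no" { send "yes\n";exp_continue }
"password" { send "$pw\n" }
}
expect eof
EOF
done < iplist.txt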
6、在SecureCRT或Xshell实现基于key验证
在SecureCRT工具—>创建公钥—>生成Identity.pub文件
转化为openssh兼容格式(适合SecureCRT,Xshell不需要转化格式),
并复制到需登录主机上相应文件authorized_keys中,
注意权限必须为600,在需登录的ssh主机上执行:
ssh-keygen -i -f Identity.pub >> .ssh/authorized_keys
scp
常用选项:
-C 压缩数据流
-r 递归复制
-p 保持原文件的属性信息
-q 静默模式
-P PORT 指明remote host的监听的端口
[root@centos7 ~]#scp /etc/fstab 192.168.32.50:/data
[email protected]'s password:
fstab 100% 784 1.1MB/s 00:00
!!!大量重复文件推荐用rsync,不要使用scp命令
rsync
选项:
-n 模拟复制过程
-v 显示详细过程
-r 递归复制目录树
-p 保留权限
-t 保留时间戳
-g 保留组信息
-o 保留所有者信息
-l 将软链接文件本身进行复制(默认)
-L 将软链接文件指向的文件复制
-a 存档,相当于-rlptgoD,但不保留ACL(-A)和SELinux属性(-X)
[root@centos7 ~]#rsync -av /etc/sysconfig/ 192.168.32.50:/data
拷贝文件带/,把目录下的文件复制过去
[root@centos7 ~]#rsync -av /etc/sysconfig 192.168.32.50:/data
拷贝文件不带/,把目录复制过去
sftp
交互式文件传输工具
用法和传统的ftp工具相似
利用ssh服务实现安全的文件上传和下载
使用ls cd mkdir rmdir pwd get put等指令,可用?或help获取帮助信息
sftp [user@]host
sftp> help
pssh
依赖epel源,yum install pssh
pssh是一个python编写可以在多台服务器上执行命令的工具,也可实现文件复制
选项:
--version:查看版本
-h:主机文件列表,内容格式"[user@]host[:port]"
-H:主机字符串,内容格式"[user@]host[:port]"
-A:手动输入密码模式
-i:每个服务器内部处理信息输出
-l:登录使用的用户名
-p:并发的线程数【可选】
-o:输出的文件目录【可选】
-e:错误输入文件【可选】
-t:TIMEOUT 超时时间设置,0无限制【可选】
-O:SSH的选项
-P:打印出服务器返回信息
-v:详细模式
连接一台执行命令hostname
[root@centos7 ~]#pssh -H 192.168.32.50 -A -i hostname
连接多台,利用iplist.txt文件
[root@centos7 ~]#pssh -h iplist.txt -A -i hostname
连接多台,分别创建dushan用户(批量执行命令)
[root@centos7 ~]#pssh -h iplist.txt -A -i "useradd dushan"
连接多台,统一修改selinux文件
[root@centos7 ~]#pssh -h iplist.txt -A -i "sed -i 's/SELINUX=disabled/SELINUX=permissive/' /etc/selinux/config"
pscp.pssh
pscp.pssh功能是将本地文件批量复制到远程主机
选项
-v 显示复制过程
-r 递归复制目录
将本地curl.sh 复制到/app/目录
pscp.pssh -H 192.168.1.10 /root/test/curl.sh /app/
pscp.pssh -h host.txt /root/test/curl.sh /app/
将本地多个文件批量复制到/app/目录
pscp.pssh -H 192.168.1.10 /root/f1.sh /root/f2.sh /app/
将本地目录批量复制到/app/目录
pscp.pssh -H 192.168.1.10 -r /root/test/ /app/
pslurp
pslurp功能是将远程主机的文件批量复制到本地
选项
-L 指定从远程主机下载到本机的存储目录,local是下载到本地后的名称
-r 递归复制目录
批量下载目标服务器的日志文件至/data下,并更名为m
pslurp -h iplist.txt -L /data /var/log/messages m