5. ssh remote management service

01. Introduction to remote management services
1) What the SSH remote login service is
SSH is short for Secure Shell, a protocol standardized by the IETF Network Working Group. Before any data is sent over the network, SSH encrypts it, so the content of the session cannot be read or silently altered by anyone who captures the traffic.
SSH is a security protocol designed for remote login sessions and other network services. Using it prevents information leakage during remote administration. In production operations today, nearly every organization uses SSH in place of the traditional unencrypted remote access tools such as telnet (port 23, cleartext).
By default, the SSH service provides two main functions:

2) SSH remote login service functions
 a Remote shell access, similar to telnet but encrypted: the SSH service discussed above;
 b File transfer, similar to FTP: the sftp-server subsystem carries data over the SSH protocol and provides SFTP, a more secure alternative to FTP servers such as vsftpd and proftpd.

3) Troubleshooting the SSH remote login service
 Server side: ss -lntup or netstat -lntup, to confirm sshd is listening on the expected address and port.
 Client side: telnet, nmap or nc against the server's port, to confirm the port is reachable through the network (firewalls and wrong ports show up here, not in sshd's own logs).

02. Telnet versus SSH remote login service features (the comparison table on the original page did not survive extraction; only its title remains)

03. Detailed explanation of remote management service concepts
1) SSH remote management service encryption technology
ssh connection login process (first connection to a host)
①. The ssh client sends a connection request to the server.
> /root/.ssh/known_hosts <-- emptying the client's known_hosts file makes ssh treat the next connection as a first contact, so the prompt below appears again
②. The ssh server presents its host public key; the client shows the key's fingerprint and asks whether you really want to connect to this host.
③. When you answer yes, the client saves the host key and checks the server against it on every later connection.
cat /root/.ssh/known_hosts <-- shows the saved host key
④. Client and server agree on a session key, and everything from here on is encrypted with it.
⑤. The ssh client authenticates the user, in this case with a password.
The fingerprint prompt is the only chance to catch an impostor on a first connection, so compare it with the real value (ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub on the server console, or whichever host key type is in use) instead of typing yes out of habit. If a saved host key later changes, ssh prints a loud warning and refuses to connect until the stale entry is removed on purpose.

The encryption technology exists in two versions, v1 and v2.
SSHv1 negotiates keys once and never refreshes them during a session, and its integrity check is weak, so it carries known security risks; it is obsolete and current OpenSSH releases have removed it.
SSHv2 negotiates fresh session keys for every connection and re-keys periodically during long sessions, which is why it is the only version that should be in use.
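The client-side check from the troubleshooting list and the v1/v2 distinction above, as an added example (not code from the original article). The server-side check stays `ss -lntup` on the host itself; from a client you want to know whether the port answers and what is listening. `ssh_banner_probe` opens the TCP port with bash's `/dev/tcp` (no nc or nmap needed) and reads the server's identification string; `parse_ssh_banner` and `ssh_proto_class` interpret it. The host and port names are the article's; the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: client-side probe of an SSH
# service and classification of the protocol version it advertises.

# ssh_banner_probe HOST [PORT] [TIMEOUT]
# Prints the server identification line (RFC 4253 form
# "SSH-protoversion-softwareversion [comments]"). Return codes:
#   1 connection refused or closed      2 connected but nothing read in time
#     (a firewall that DROPs the port, or a non-SSH service waiting for us)
ssh_banner_probe() {
    local host=$1 port=${2:-22} timeout=${3:-5} banner rc
    # Done in a subshell so a failed open of fd 3 cannot affect the caller.
    banner=$(
        exec 3<>"/dev/tcp/${host}/${port}" 2>/dev/null || exit 1
        IFS= read -r -t "$timeout" line <&3 || exit 2
        printf '%s' "${line%$'\r'}"      # the line ends in CR LF
    )
    rc=$?
    [ "$rc" -eq 0 ] && printf '%s\n' "$banner"
    return "$rc"
}

# parse_ssh_banner BANNER
# Prints "protoversion softwareversion"; returns 1 if the line is not an SSH
# identification string (the port is open, but something else is listening).
parse_ssh_banner() {
    local banner=$1 rest proto software
    case $banner in SSH-*) ;; *) return 1 ;; esac
    rest=${banner#SSH-}
    proto=${rest%%-*}
    rest=${rest#*-}
    software=${rest%% *}              # drop the optional comments field
    [ -n "$proto" ] && [ -n "$software" ] || return 1
    printf '%s %s\n' "$proto" "$software"
}

# ssh_proto_class BANNER
# v2                   the server speaks SSH-2 only
# v2-with-v1-fallback  protoversion 1.99: SSH-2, but SSH-1 is still enabled,
#                      which is a finding in itself (RFC 4253 section 5.1)
# v1-only              an SSH-1 server; treat as cleartext-equivalent
# not-ssh              the port answered with something else (return 1)
ssh_proto_class() {
    local parsed proto
    parsed=$(parse_ssh_banner "$1") || { echo not-ssh; return 1; }
    proto=${parsed%% *}
    case $proto in
        2.*)  echo v2 ;;
        1.99) echo v2-with-v1-fallback ;;
        1.*)  echo v1-only ;;
        *)    echo unknown; return 1 ;;
    esac
}

# Against the article's managed host (not run here; needs the network):
#   ssh_banner_probe 172.16.1.31 52113
#   ssh_proto_class "$(ssh_banner_probe 172.16.1.31 52113)"
```

`nc -vz 172.16.1.31 52113` or `nmap -p 52113 172.16.1.31` answer the open/closed/filtered question in the same way; the banner additionally proves that what answers is sshd and not, say, a web server on a reused port, and a `1.99` or `1.x` answer is worth raising before any password is typed into it.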

2) Authentication types of the SSH remote management service
Remote login based on keys
①. Create a key pair (public key and private key) on the ssh management server.
②. The ssh management server installs the public key on the managed server (in ~/.ssh/authorized_keys of the login user).
③. The ssh management server sends a connection request to the managed server.
④. The ssh managed server sends a challenge that can only be answered with the matching private key.
⑤. The ssh management server signs the challenge with its private key and returns the result to the managed host.
⑥. The ssh managed server verifies the response with the stored public key and confirms that authentication succeeded.
⑦. The ssh management server now has a key-based login to the managed server.

Milestone 1: create the key pair on the management host
ssh-keygen -t dsa <-- creates the key pair; -t dsa selects the key type
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa): <-- confirm the path where the private key is saved
/root/.ssh/id_dsa already exists.
Overwrite (y/n)? y <-- if a key pair already exists, confirm whether to overwrite it
Enter passphrase (empty for no passphrase): <-- whether to protect the private key with a passphrase (usually left empty for automation)
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
46:c8:21:b9:99:6e:0c:59:39:66:38:7a:97:29:51:76 root@m01
The key's randomart image is:
+--[ DSA 1024]----+
| o+oE |
| +.B+ o |
| . B Bo . |
|. = B . |
| . * S |
| + . |
| . |
| |
| |
+-----------------+
Note: DSA keys are fixed at 1024 bits and OpenSSH has disabled ssh-dss by default since release 7.0, so on current systems use ssh-keygen -t ed25519 instead; the rest of the procedure is identical, with id_ed25519 / id_ed25519.pub as the file names. An unencrypted /root/.ssh/id_dsa is a credential for every managed host: keep it mode 0600 on the management host only, and prefer a passphrase plus ssh-agent over an empty one where the workflow allows it.

Milestone 2: send the management host's public key to the managed host
ssh-copy-id -i /root/.ssh/id_dsa.pub 172.16.1.31
root@172.16.1.31's password:
Now try logging into the machine, with "ssh '172.16.1.31'", and check in:

.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

Milestone 3: test remote management (key-based)
ssh 172.16.1.31 <-- logs in without prompting for a password
ssh 172.16.1.31 uptime <-- runs a command on the remote host and returns its output, without an interactive login
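The three milestones above install the key as ssh-copy-id writes it: the bare public key, usable from any address for any command. The following added example (this editor's code, not the article's) builds the restricted authorized_keys line a management key should have and audits an existing file for unrestricted or DSA entries. It assumes 172.16.1.61 as the management host's address, and the key blobs in the constructed sample file are placeholders, not real keys.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: restricted authorized_keys
# lines for a management key, and an audit of an existing file.

# Key types current sshd accepts. ssh-dss is deliberately absent: OpenSSH
# disabled DSA keys by default in 7.0, so such a line silently stops working.
ALLOWED_KEY_TYPES="ssh-ed25519 ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 ssh-rsa sk-ssh-ed25519@openssh.com"

# make_restricted_key_line 'PUBKEY_LINE' FROM_PATTERN [COMMAND]
# Prints an authorized_keys line with from="FROM_PATTERN" (sshd rejects the key
# from any other source address) and, when COMMAND is given,
# restrict,command="COMMAND": restrict (OpenSSH 7.2+) disables pty, port/agent/
# X11 forwarding and user rc; command= runs COMMAND whatever the client asked.
# Returns 1 for a forbidden key type or malformed input.
make_restricted_key_line() {
    local pub=$1 from=$2 cmd=${3-} type blob comment opts
    set -- $pub                       # split into type, base64 blob, comment
    type=${1-}; blob=${2-}; comment=""
    [ $# -ge 3 ] && { shift 2; comment=$*; }
    case " $ALLOWED_KEY_TYPES " in
        *" $type "*) ;;
        *) echo "rejected key type: ${type:-<empty>}" >&2; return 1 ;;
    esac
    case $blob in
        ''|*[!A-Za-z0-9+/=]*) echo "malformed key data" >&2; return 1 ;;
    esac
    [ -n "$from" ] || { echo "from= pattern is required" >&2; return 1; }
    case "$from$cmd" in
        *'"'*) echo "double quotes are not allowed in options" >&2; return 1 ;;
    esac
    opts="from=\"$from\""
    [ -n "$cmd" ] && opts="$opts,restrict,command=\"$cmd\""
    printf '%s %s %s%s\n' "$opts" "$type" "$blob" "${comment:+ $comment}"
}

# install_restricted_key HOST LINE
# Appends LINE on HOST over the existing login, instead of ssh-copy-id (which
# would add the unrestricted key). Not run in this example.
install_restricted_key() {
    printf '%s\n' "$2" | ssh "$1" 'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys'
}

# authorized_keys_audit FILE
# One line per finding, "LINE_NO: reason": keys usable from any address, and
# ssh-dss keys that current sshd no longer accepts.
authorized_keys_audit() {
    local file=$1 n=0 line
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac
        case " $line" in
            *" ssh-dss "*) printf '%s: ssh-dss key, disabled by default since OpenSSH 7.0\n' "$n" ;;
        esac
        case $line in
            *'from="'*) ;;
            *) printf '%s: no from= restriction, key usable from any address\n' "$n" ;;
        esac
    done <"$file"
}

# Constructed sample of a managed host's authorized_keys (placeholder blobs).
AK_SAMPLE=$(mktemp)
trap 'rm -f "$AK_SAMPLE"' EXIT
cat >"$AK_SAMPLE" <<'EOF'
# 172.16.1.31:/root/.ssh/authorized_keys (constructed sample)
ssh-dss AAAAB3NzaC1kc3MAAACBAPlaceholder root@m01
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholder root@m01
from="172.16.1.61",restrict,command="/usr/bin/uptime" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholder monitor@m01
EOF

# The line the article's `ssh 172.16.1.31 uptime` key should have:
make_restricted_key_line 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholder root@m01' 172.16.1.61 /usr/bin/uptime
authorized_keys_audit "$AK_SAMPLE"
```

Push the restricted line with `install_restricted_key 172.16.1.31 "$line"` over the existing password login (or after a one-time ssh-copy-id, then delete the unrestricted line it added). For a batch of new hosts, loop over a host list; feeding the first-time password non-interactively needs an extra tool such as sshpass, which is not part of OpenSSH, and once the keys are in, the loop no longer needs it.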

05. SSH server configuration file (/etc/ssh/sshd_config)
Port 52113 <- change the port sshd listens on (cuts down automated scanning noise; not a substitute for the settings below)
ListenAddress 0.0.0.0 <- the address sshd listens on; 0.0.0.0 means every interface of the server, so to actually limit exposure replace it with the address of the internal management interface
Note: the listen address must be an address configured on one of the server's interfaces, otherwise sshd cannot bind it and refuses to start
PermitRootLogin no <- whether root may log in remotely (log in as an ordinary user and use sudo instead)
PermitEmptyPasswords no <- whether accounts with an empty password may log in
UseDNS no <- whether to reverse-resolve client addresses (off: faster connections)
GSSAPIAuthentication no <- whether to attempt GSSAPI (Kerberos) authentication (off: faster connections when Kerberos is not in use)
After editing, check the file with sshd -t, restart the service, and test a new connection (ssh -p 52113 host) before closing the session you are working in; with a non-default port the firewall must allow 52113, and on SELinux systems the port must also be labelled ssh_port_t.
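An offline check of the directives this section discusses, as an added example (this editor's code, not the article's). It applies sshd's own lookup rules (first occurrence of a keyword wins, keywords are case-insensitive, `#` starts a comment, and everything after the first `Match` line is conditional and ignored here) and reports the settings a reviewer would flag, including the `ListenAddress 0.0.0.0` case above. Both sample configs are constructed for the example, and the management interface address 172.16.1.61 in the hardened one is an assumption, not a value from the article.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: sshd_config audit using
# sshd's first-match keyword semantics.

# sshd_get FILE KEYWORD -> prints the effective (first) value, empty if unset
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                  # strip comments
        NF == 0 { next }                    # skip blank lines
        tolower($1) == "match" { exit }     # Match blocks are conditional, stop
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# sshd_config_audit FILE -> one "FINDING: ..." line per weak setting
sshd_config_audit() {
    local file=$1 v
    v=$(lc "$(sshd_get "$file" PermitRootLogin)")
    case ${v:-unset} in
        no|prohibit-password|without-password|forced-commands-only) ;;
        *) echo "FINDING: PermitRootLogin=${v:-unset}; root must not be reachable with a password (set no or prohibit-password)" ;;
    esac
    v=$(lc "$(sshd_get "$file" PermitEmptyPasswords)")
    [ "$v" = no ] || echo "FINDING: PermitEmptyPasswords=${v:-unset}; must be no"
    v=$(lc "$(sshd_get "$file" PasswordAuthentication)")
    [ "$v" = no ] || echo "FINDING: PasswordAuthentication=${v:-unset}; disable passwords once key login works"
    v=$(sshd_get "$file" ListenAddress)     # only the first ListenAddress is checked
    case ${v:-0.0.0.0} in
        0.0.0.0*|::*|'[::]'*) echo "FINDING: ListenAddress=${v:-unset}; sshd listens on every interface, bind the management address only" ;;
    esac
    v=$(sshd_get "$file" Protocol)
    case $v in *1*) echo "FINDING: Protocol=$v; SSH-1 is enabled" ;; esac
}

# Constructed sample 1: the kind of sshd_config found on a freshly installed host.
WEAK_CONF=$(mktemp)
HARDENED_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARDENED_CONF"' EXIT
cat >"$WEAK_CONF" <<'EOF'
#Port 22
ListenAddress 0.0.0.0
Protocol 2,1
PermitRootLogin yes
PermitEmptyPasswords yes
UseDNS yes
EOF

# Constructed sample 2: the article's settings, with ListenAddress bound to the
# internal management interface (172.16.1.61 is assumed) instead of 0.0.0.0,
# and password login switched off now that keys are installed.
cat >"$HARDENED_CONF" <<'EOF'
Port 52113
ListenAddress 172.16.1.61
PermitRootLogin no
PermitEmptyPasswords no
PubkeyAuthentication yes
PasswordAuthentication no
UseDNS no
GSSAPIAuthentication no
EOF

printf '== weak ==\n';     sshd_config_audit "$WEAK_CONF"
printf '== hardened ==\n'; sshd_config_audit "$HARDENED_CONF"
```

On a live host, `sshd -T` (root required) prints the effective values after all defaults and Match blocks are applied, which is what this script approximates from the file alone, and `sshd -t` validates the syntax before a restart.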

10. Summary of common sftp commands
Connect with sftp user@host, or sftp -P 52113 user@host when sshd listens on a non-default port (sftp takes the port as capital -P, unlike ssh's -p). Inside the session:
bye                                  Quit sftp                             <-- leave the sftp session
cd path                              Change remote directory to 'path'     <-- change the directory on the remote host
pwd                                  Display remote working directory      <-- show the current directory on the remote host
lcd path                             Change local directory to 'path'      <-- change the local directory
lpwd                                 Print local working directory         <-- show the local directory
get [-P] remote-path [local-path]    Download file                         <-- download a file (-P also keeps permissions and timestamps)
put [-P] local-path [remote-path]    Upload file                           <-- upload a file (-P also keeps permissions and timestamps)

Exercises:
01. Distribute the public key to many hosts in one batch, without interactive prompts.
02. Batch management (ansible).
