The intention of covering a large number of experiments, be sure to grasp it.
Jump: one step forward set of experiments _SSH port
Intention content
OpenSSL
-
Three components:
openssl: multi-purpose command line tool, OpenSSL package
libcrypto: encryption algorithm library, packet-libs OpenSSL
libssl: application encryption module library that implements ssl and TLS, package nss -
Two modes of operation: interactive and batch mode
-
Encryption
Symmetric encryption:
Tools: openssl enc, gpg
algorithm: 3des, aes, blowfish, twofish
One-way encryption:
Tools: md5sum, sha1sum, sha224sum, sha256sum -
MAC: Message Authentication Code message authentication codes, one-way encryption of an extension application for realizing network communication mechanism to ensure the integrity of data transmitted
authentication 1. CBC-MAC mode of operation with block cipher
2. HMAC: Use md5 or sha1 algorithm
openssl command
openssl command ...
- command can be:
-
enc: encryption coding
- Encryption: (- salt disrupted decrypting result, -a: base64 encoding)
openssl enc -e -des3 -a -salt -in testfile -out testfile.cipher - Decryption:
openssl enc -d -des3 -a -salt –in testfile.cipher -out testfile
- Encryption: (- salt disrupted decrypting result, -a: base64 encoding)
-
dgst: Data Summary
- Calculation of md5
openssl dgst -md5 /PATH/SOMEFILE
ormd5sum /PATH/TO/SOMEFILE
- Calculation of md5
-
passwd: generating a user password
- Help: man sslpasswd
openssl passwd -1 –salt centos(up to 8)
- Help: man sslpasswd
-
rand: generating a random number
- Help: man sslrand
openssl rand -base64|-hex NUM
NUM: number of bytes
- Help: man sslrand
-
genrsa: generating a key pair
- Generate a private key:
(umask 077; openssl genrsa –out test.key –des 2048) - Decrypt the encrypted key:
openssl rsa -in test.key –out test2.key - Extract a public key from the private key
openssl rsa –in test.key –pubout –out test.key.pub
- Generate a private key:
-
Random number generator: pseudo-random number
/dev/random: a random number only returns the entropy pool; nonce exhausted, blocking
/dev/urandom: returns a random number from the entropy pool; exhaustion random number, using the software will generate a pseudorandom number, nonblocking
SSH
ssh: secure shell, 22 / tcp, secure remote login
- Specific software:
- OpenSSH: ssh open source implementation of the agreement, CentOS default installation
- dropbear: Another open source implementation
SSH protocol version
- v1: done based on MAC CRC-32, unsafe; man-in-middle
- v2: The two sides Host MAC protocol choose a safe way
based on DH key exchange algorithm to do, to achieve authentication based on RSA or DSA
- User login authentication in two ways:
(1) based on password
(2) based on key
OpenSSH Introduction
- Related packages:
OpenSSH
OpenSSH-Clients
OpenSSH-Server - Tools: The C / S structure
Linux Client: ssh, scp, sftp,slogin
Windows Client:xshell, putty, securecrt, sshsecureshellclient
Server: sshd
ssh client
Proven allows secure encrypted access to remote systems
when users connect remotely ssh server, ssh server will be copied /etc/ssh/ssh_host*key.pub(CentOS7 default is ssh_host_ecdsa_key.pub) public key file to the client ~. / ssh / know_hosts in. When the next connection will automatically match the corresponding private key, can not match, reject the connection
ssh [user@]host [COMMAND]
| Options | significance |
|---|---|
| -l login_name | Specifies the login name |
| -p port | The remote server listens on port |
| -b | Specify the local IP connection |
| -v | Debug mode |
| -C | Compression |
| -X | Support x11 forwarding |
| -t | Forced pseudo-tty allocation |
- ssh configuration file: / etc / ssh / ssh_config
- Direct remote command execution
[ ]$ ssh 192.168.88.65 'ip a'
[email protected]'s password:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:46:29:d8 brd ff:ff:ff:ff:ff:ff
inet 192.168.88.65/24 brd 192.168.88.255 scope global eth0
inet6 fe80::20c:29ff:fe46:29d8/64 scope link
valid_lft forever preferred_lft forever
- Public key exchange
- The client sends a link request
- Return to their server's public key, and a session ID (this step is to get the client server public key)
- The client generates a key pair
- The client public key with his own exclusive or a session ID, a calculated value Res, and the public key encryption server
- Value encrypted client sends to the server, with the server private key to decrypt give Res
- Res different server with the decrypted value or a session ID, client's public key is calculated (this step to give the client public key server)
- Final: three keys held by each party, respectively, a pair of their own public, private, and each other's public keys, after all communications will be encrypted
- ssh encrypted communications
ssh login authentication service
1. User / password
2. Based on the key
- Login authentication based on user name password
- Ssh client initiates a request, the server will send its public key to the user
- Users can encrypt the password sent from the server based on public key
- Encrypted information back to the server, the server with its private key to decrypt, if the password is correct, the user login is successful
- After a successful connection, the server's public key will be stored in the
~/.ssh/know_hostsfile - Stored in the server's public key
/etc/ssh/ssh_host_rsa_key.pub
- ssh key-based login authentication service
- First generates a pair of keys on the client (ssh-keygen)
- And the client's public key ssh-copy-id copied to the server
- When the client sends a connection request again, including IP, username
- After the end of the service request of the client to obtain, to the authorized_keys will find, if there are IP and the user's response, will generate a random string, for example: magedu
- The server will be copied using the client's public key to encrypt, and then sent to the client
- After obtaining a message sent by the server, the client will use to decrypt the private key, and then sends the decrypted character string to the server
- After the service being terminated string sent by the client, and compared with the previous match, if agreed, would allow password-free login
scp command
scp [options] SRC... DEST/
| Options | significance |
|---|---|
| -C | Compressed data stream |
| -r | Recursive copy |
| -p | Keep the original file attribute information |
| -q | Silent mode |
| -P PORT | Specified remote host listening port |
rsync command
ssh and rsh services achieve copy files between remote systems based on high efficiency, using a secure shell connection as transmission
- 复制目录和目录下文件
rsync -av /etc server1:/tmp - 只复制目录下文件
rsync -av /etc/ server1:/tmp
| 选项 | 意义 |
|---|---|
| -n | 模拟复制过程 |
| -v | 显示详细过程 |
| -r | 递归复制目录树 |
| -p | 保留权限 |
| -t | 保留时间戳 |
| -g | 保留组信息 |
| -o | 保留所有者信息 |
| -l | 将软链接文件本身进行复制(默认) |
| -L | 将软链接文件指向的文件复制 |
| -a | 存档,相当于–rlptgoD,但不保留ACL(-A)和SELinux属性(-X) |
sftp命令
交互式文件传输工具,用法和传统的ftp工具相似,利用ssh服务实现安全的文件上传和下载
- 使用
lscdmkdirrmdirpwdgetput等指令,可用?或help获取帮助信息 - sftp [user@]host
sftp [email protected]
sftp> help
ssh服务器
- 服务器端:sshd, 配置文件: /etc/ssh/sshd_config
- 常用参数:
Port #指定端口,默认22
ListenAddress ip #指定监听的IP
LoginGraceTime 2m #登录输入密码的宽限时间
PermitRootLogin yes #是否允许root登录
StrictModes yes #检查.ssh/文件的所有者,权限等
MaxAuthTries 6 #最大授权
MaxSessions 10 #同一个连接最大会话
PubkeyAuthentication yes #开启公钥验证
PermitEmptyPasswords no #禁止空密码
PasswordAuthentication yes #密码验证
GatewayPorts no #网关端口
ClientAliveInterval #检测非活跃周期,单位:秒
ClientAliveCountMax #检测非活跃次数,默认3
UseDNS yes #解析成域名提高速度可改为no
GSSAPIAuthentication yes #提高速度可改为no
MaxStartups #未认证连接最大值,默认值10:30:100
Banner /path/file #登录提示
#限制可登录用户的办法:
AllowUsers user1 user2 user3
DenyUsers
AllowGroups
DenyGroups
- ssh连接优化
vim /etc/ssh/sshd_config
UserDNS no
GSSAPIAuthentication no
ssh服务的最佳实践
- 建议使用非默认端口(Port)
- 禁止使用protocol version 1
- 限制可登录用户
- 设定空闲会话超时时长
- 利用防火墙设置ssh访问策略
- 仅监听特定的IP地址
- 基于口令认证时,使用强密码策略
tr -dc A-Za-z0-9_ < /dev/urandom | head -c 12| xargs - 使用基于密钥的认证
- 禁止使用空密码
- 禁止root用户直接登录
- 限制ssh的访问频度和并发在线数
- 经常分析日志lastb
drobear
实验:编译安装dropbear示例
ssh协议的另一个实现:dropbear
- 源码编译安装:
- 安装开发包组:
yum -y group install "Development Tools"
可能还会差一个:yum -y install zlib-devel - 下载dropbear-2019.78.tar.bz2
wget https://matt.ucc.asn.au/dropbear/dropbear-2019.78.tar.bz2 - 解压:
tar xf dropbear-2019.78.tar.bz2 - 查看说明
cd dropbear-2019.78
less INSTALL README - 编译安装:
./configure
make PROGRAMS="dropbear dbclient dropbearkey dropbearconvert scp"
make PROGRAMS="dropbear dbclient dropbearkey dropbearconvert scp" install - 查看所带的命令:
ls /usr/local/sbin/ /usr/local/bin/ - 查看帮助:
dropbear -h - 使⽤dropbearkey命令⽣成对应的公私钥:
mkdir /etc/dropbear
dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key -s 2048 - 使⽤dropbearkey命令⽣成数字签名:
dropbearkey -t dss -f /etc/dropbear/dropbear_dsa_host_key - 前台运行
dropbear -p :2222 -F –E - 后台运行
dropbear -p :2222 - 客户端访问:
ssh -p 2222 [email protected]
dbclient -p 2222 [email protected]
轻量级自动化运维工具
- pssh:基于python编写,可在多台服务器上执行命令的工具,也可实现文件复制,提供了基于ssh和scp的多个并行工具
项目:http://code.google.com/p/parallel-ssh/ - pdsh:Parallel remote shell program,是一个多线程远程shell客户端,可以并行执行多个远程主机上的命令。 pdsh可以使用几种不同的远程shell服务,包括标准的“rsh”,Kerberos IV和ssh
项目: https://pdsh.googlecode.com/ - mussh:Multihost SSH wrapper,是一个shell脚本,允许您使用一个命令在多个主机上通过ssh执行命令或脚本。 mussh可使用ssh-agent和RSA / DSA密钥,以减少输入密码
项目:http://www.sourceforge.net/projects/mussh
说明:以上工具都包含在EPEL源中
pssh工具
命令:pssh
并行ssh程序
| 选项 | 意义 |
|---|---|
| –version | 查看版本 |
| -h | 主机文件列表,内容格式”[user@]host[:port]” |
| -H | 主机字符串,内容格式”[user@]host[:port]” |
| -A | 手动输入密码模式 |
| -i | 每个服务器内部处理信息输出 |
| -l | 登录使用的用户名 |
| -p | 并发的线程数【可选】 |
| -o | 输出的文件目录【可选】 |
| -e | 错误输出文件【可选】 |
| -t | TIMEOUT 超时时间设置,0无限制【可选】 |
| -O | SSH的选项 |
| -P | 打印出服务器返回信息 |
| -v | 详细模式 |
- 在node1上使⽤pssh命令获取node2主机的主机名
pssh -H "172.20.1.102" -A -i hostname - 通过pssh批量关闭seLinux
pssh -H [email protected] -i 'sed -i "s/^SELINUX=.*/SELINUX=disabled/" /etc/selinux/config' - 批量发送指令
pssh -h host.txt -i setenforce 0 - 当不支持ssh的key认证时,通过 -A选项,使用密码认证批量执行指令
pssh -H [email protected] -A -i hostname - 将标准错误和标准正确重定向都保存至/app目录下
pssh -H 192.168.1.10 -o /app -e /app -i "hostname"
命令:pscp
pscp功能是将本地文件批量复制到远程主机
pscp [-vAr] [-h hosts_file] [-H [user@]host[:port]] [-l user] [-p par] [-o outdir] [-e errdir] [-t timeout] [-O options] [-x args] [-X arg] local remote
| 选项 | 意义 |
|---|---|
| -v | 显示复制过程 |
| -r | 递归复制目录 |
- 将本地curl.sh复制到/app/
#指定主机ip
pscp.pssh -H 192.168.1.10 /root/test/curl.sh /app/
#指定ip列表host.txt
pscp.pssh -h host.txt /root/test/curl.sh /app/
#pscp.pssh -H 主机IP 要发送的文件 目的目录
- 将本地多个文件批量复制到/app/目录
pscp.pssh -H 192.168.1.10 /root/f1.sh /root/f2.sh /app/
- 将本地目录批量复制到/app/目录
pscp.pssh -H 192.168.1.10 -r /root/test/ /app/
pslurp命令
pslurp功能是将远程主机的文件批量复制到本地
pslurp [-vAr] [-h hosts_file] [-H [user@]host[:port]] [-l user] [-p par][-o outdir] [-e errdir] [-t timeout] [-O options] [-x args] [-X arg] [-L localdir] remote local [本地名]
| 选项 | 意义 |
|---|---|
| -L | Specify the download from the remote host to the storage directory of the machine, local name is downloaded to the local post |
| -r | Copy directories recursively |
- Batch download passwd file to the target server / down app, and renamed user
pslurp -H 192.168.1.10 -L /app /etc/passwd user