openssh

常見的遠程登錄工具
telnet（遠程登錄協議，端口23） 明文，可以抓包獲得用戶名與密碼。一般只用於測試
ssh（secure shell，應用層協議，端口22）通信過程及認證過程加密且主機認證
dropbear 嵌入式系統專用的SSH服務器端和客戶端工具

OpenSSH是使用SSH透過計算機網絡加密通訊的實現。用於在遠程系統上安全運行shell。如果在可提供ssh服務的遠程Linux系統中擁有用戶帳戶，則ssh是通常用來遠程登錄到該系統的命令。ssh命令也可用於在遠程系統中運行命令。

---

ssh簡介

ssh版本

V1：基於CRC-32作MAC，無法防範中間人***
V2：雙方主機協議選擇安全的MAC方式，基於DH算法做密鑰交換，基於RSA或DSA算法實現身份認證

ssh認證兩種方式

• 基於口令認證
• 基於密鑰認證（不需要輸密碼）

openssh的 工作模式

是基於C/S架構工作client/server（另外還有B/S架構browser）
服務器端sshd，配置文件/etc/ssh/sshd_config
客戶端ssh ，配置文件/etc/ssh/ssh_config
ssh-keygen //密鑰生成器
ssh-copy-id //將公鑰傳輸至遠程服務端
scp //跨主機安全複製工具

Secure Shell 示例

以當前用戶身份創建遠程交互式shell，然後在結束時使用exit命令返回到之前的shell

[root@cygames ~]# ssh 192.168.161.100
The authenticity of host '192.168.161.100 (192.168.161.100)' can't be established.
ECDSA key fingerprint is SHA256:xj5/Qq8WV0G4/sdF7/hNgq76VBZzsTxnCc/FuptqmFI.
ECDSA key fingerprint is MD5:7b:f5:4c:cb:3e:75:fe:ac:bf:81:d4:dd:8c:6d:18:0f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.161.100' (ECDSA) to the list of known hosts.
[email protected]'s password:
Last login: Mon Jan 7 06:19:18 2019 from 192.168.161.1
[root@cy ~]#

以其他用戶身份在選定主機上連接到遠程shell
[root@cygames ~]# ssh [email protected]
[email protected]'s password:
[chen@cy ~]$

以遠程用戶身份（remoteuser）在遠程主機（remotehost）上通過將輸出返回到本地顯示器的方式來執行單一命令
[root@cygames ~]# ssh 192.168.161.100 '/usr/sbin/ip a s ens33'
[email protected]'s password:
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:d9:31:5f brd ff:ff:ff:ff:ff:ff
inet 192.168.161.100/24 brd 192.168.161.255 scope global ens33
valid_lft forever preferred_lft forever
inet6 fe80::7c5f:bec9:7ecd:41f7/64 scope link
valid_lft forever preferred_lft forever

ssh密鑰認證

ssh通過公鑰加密的方式保持通信安全。當某一ssh客戶端連接到ssh服務器時，在該客戶端登錄之前，服務器會向其發送公鑰副本。這可用於爲通信渠道設置安全加密，並可驗證客戶端的服務器。
用戶第一次使用ssh連接到特定服務器時，ssh命令可在用戶的~/.ssh/known_hosts文件中存儲該服務器的公鑰。在此之後每當用戶進行連接時，客戶端都會通過對比~/.ssh/known_hosts文件中的服務器條目和服務器發送的公鑰，確保從服務器獲得相同的公鑰。如果公鑰不匹配，客戶端會假定網絡通信已遭劫持或服務器已被***，並且中斷連接。

這意味着，如果服務器的公鑰發生更改（由於硬盤出現故障導致公鑰丟失，或者出於某些正當理由替換公鑰），用戶則需要更新其~/.ssh/known_hosts文件並刪除舊的條目才能夠進行登錄。

root@cy ~]# cat ~/.ssh/known_hosts
192.168.161.177 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMLHizRSDpHB+WORU4Qbdd8lghQeQzfzyGTvZU5oSthAvok9O97yRN4Hmt8y3WhGrfdfLbZlrcd/I+xmn1b025s=
[root@cy ~]# ls /etc/ssh/key
/etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ed25519_key.pub
/etc/ssh/ssh_host_ecdsa_key.pub /etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_ed25519_key /etc/ssh/ssh_host_rsa_key.pub

配置基於 SSH 密鑰的身份驗證

[root@cygames ~]# ssh-keygen -t rsa //使用 ssh-keygen 創建公鑰-私鑰對
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:EDJOascdlJi/8SYKzeWJDyGGGaSQqou937JUFa8y5zM root@cygames
The key's randomart image is:
+---[RSA 2048]----+
|oo +++.. |
|= =o+.o o |
|o+o +.o . . |
|+.o.. +o . |
|.. + =+=S |
|. . =.==o |
|.o ..+ oE |
|o ..o.. o |
| .ooo. |
+----[SHA256]-----+
[root@cygames ~]# ssh-copy-id [email protected] //使用 ssh-copy-id 將公鑰複製到遠程系統上的正確位置
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.161.100 (192.168.161.100)' can't be established.
ECDSA key fingerprint is SHA256:xj5/Qq8WV0G4/sdF7/hNgq76VBZzsTxnCc/FuptqmFI.
ECDSA key fingerprint is MD5:7b:f5:4c:cb:3e:75:fe:ac:bf:81:d4:dd:8c:6d:18:0f.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password:

Number of key(s) added: 1

Now try logging into the machine, with: "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.

[root@cygames ~]# ssh 192.168.161.100 //無需命令直接登錄
Last login: Mon Jan 7 06:26:35 2019
[root@cy ~]#