SSH服務器
配置SSH服務器配置文件 /etc/ssh/sshd_config
[root@CentOS7 ~]# cat /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22 #默認監聽端口,建議修改
#AddressFamily any #支持IP協議,默認v4、v6都支持
#ListenAddress 0.0.0.0 #默認監聽的IP地址,建議修改爲內網地址
#ListenAddress ::
HostKey /etc/ssh/ssh_host_rsa_key #密鑰文件名
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging #日誌的配置,默認存放在/var/log/secure
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes #是否允許root直接登陸,建議no
#StrictModes yes #是否檢查密鑰文件的權限
#MaxAuthTries 6 #最大嘗試登錄次數,實際爲二分之一
#MaxSessions 10 #相同會話最多同時連接次數
#PubkeyAuthentication yes #是否允許基於Key驗證連接
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys #公鑰文件存放路徑
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes #是否允許通過用戶口令進行連接
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
# GSSAPI options
GSSAPIAuthentication no #是否使用此類驗證,建議no
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0 #客戶端連接活動間隔,單位是秒
#ClientAliveCountMax 3 #客戶端活動間隔探測次數,超出即斷開連接
#ShowPatchLevel no
UseDNS no #是否使用DNS反向解析,建議no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100 #未驗證連接數的上限:未驗證連接達到 10 個後,以 30% 的概率拒絕新的未驗證連接;達到 100 個時拒絕所有新的未驗證連接
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none #提示信息
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
添加 AllowUsers 用戶... 可以限制遠程主機只允許通過哪些用戶登錄 ssh 服務器;不在此列表中的用戶,遠程主機皆不能訪問,包括 root 用戶;
添加 DenyUsers 用戶... 可以限制遠程主機不能通過哪些用戶登錄 ssh 服務器。
當一個用戶同時出現在 AllowUsers 與 DenyUsers 列表中時,ssh 會拒絕遠程主機通過此用戶訪問 ssh 服務器。
sftp 命令類似於傳統的 ftp 工具,但其連接基於 SSH 協議,可以安全地傳輸數據。
[root@CentOS6 ~]# sftp [email protected] #sftp是交互式命令
Connecting to 192.168.30.74...
sftp> ls
11 Desktop Documents Downloads Music Pictures Public Templates
Videos aa anaconda-ks.cfg app bin initial-setup-ks.cfg user.txt useradd
sftp> pwd
Remote working directory: /root
sftp> get /etc/fstab /data
Fetching /etc/fstab to /data/fstab
/etc/fstab 100% 595 0.6KB/s 00:00
sftp> exit
pssh工具
pssh命令用於在多臺主機上通過 SSH 連接併發執行命令。
語法:pssh 目標主機 [選項] 動作
[root@CentOS6 ~]# pssh -H 192.168.30.74 -H 192.168.30.75 -A -i pwd
Warning: do not enter your password if anyone else has superuser
privileges or access to your account.
Password:
[1] 13:50:51 [SUCCESS] 192.168.30.74
/root
[2] 13:50:57 [SUCCESS] 192.168.30.75
/root
[root@CentOS6 ~]# pssh -H 192.168.30.74 -H 192.168.30.75 -i pwd
[1] 13:52:55 [SUCCESS] 192.168.30.74
/root
[2] 13:52:56 [SUCCESS] 192.168.30.75
/root
選項:
-h:主機文件列表,內容格式爲每行一個 "[user@]host[:port]"
-H:主機字符串
-l:登錄使用的用戶名
-p:併發的線程數
-o:輸出的文件目錄,輸出時會覆蓋原文件內容
-e:錯誤輸出的文件目錄
-t:TIMEOUT 超時時間設置,0無限制
-O:SSH的選項
-v:詳細模式
-A:提示手動輸入密碼;不使用 -A 選項時,需要目標主機已完成基於 Key 的驗證
-x:額外的 SSH 命令行參數,按空白符、引號、反斜線進行分詞處理
-X:額外的命令行參數,單個參數模式,同-x
-i:內聯(inline)顯示每臺服務器的輸出
-P:打印出服務器返回信息
[root@CentOS7 err.log]# ssh [email protected] 'echo $PATH'
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
[root@CentOS7 err.log]# ssh [email protected] 'echo $PATH'
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
[root@CentOS7 err.log]# ssh [email protected] 'echo $PATH'
/app/bin:/usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
由此可見,當需要執行的命令或腳本不在上述 PATH 變量所列目錄中時,需要使用絕對路徑。
pscp.pssh命令用於向多臺主機推送文件。
語法:pscp.pssh 目標主機 [選項] 本地文件 遠程目錄
[root@CentOS7 data]# pscp.pssh -H 192.168.30.75 -H 192.168.30.69 host.sh /root/bin
[1] 14:32:29 [SUCCESS] 192.168.30.69
[2] 14:32:30 [SUCCESS] 192.168.30.75
選項:與 pssh 差別不大,多了 -r 遞歸複製
-r:遞歸複製
-h:主機文件列表,內容格式爲每行一個 "[user@]host[:port]"
-H:主機字符串
-O:SSH的選項
-o:輸出的文件目錄,輸出時會覆蓋原文件內容
-e:錯誤輸出的文件目錄
-t:TIMEOUT 超時時間設置,0無限制
-x:額外的 SSH 命令行參數,按空白符、引號、反斜線進行分詞處理
-X:額外的命令行參數,單個參數模式,同-x
pslurp命令用於從多臺主機拉取文件。
語法:pslurp.pssh 目標主機 [選項] -L 本地目錄 遠程文件 [輸出文件名]
[root@CentOS7 err.log]# pslurp -H [email protected] -H 192.168.30.69 -L /data/ /var/log/messages maa
[1] 16:02:27 [SUCCESS] 192.168.30.69
[2] 16:02:28 [SUCCESS] [email protected]
SSH端口轉發
搭建實驗環境
1、添加 iptables 規則,拒絕 192.168.30.69 連接 192.168.30.75
[root@CentOS7 ~]# iptables -A INPUT -s 192.168.30.69 -j REJECT
[root@CentOS7 ~]# iptables -L -n -v
Chain INPUT (policy ACCEPT 92 packets, 15050 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 192.168.30.69 0.0.0.0/0 reject-with icmp-port-unreachable
2、啓用 192.168.30.75 上的 telnet 服務端口
[root@CentOS7 ~]# systemctl status telnet.socket
● telnet.socket - Telnet Server Activation Socket
Loaded: loaded (/usr/lib/systemd/system/telnet.socket; disabled; vendor preset: disabled)
Active: active (listening) since Fri 2018-05-25 00:19:27 CST; 8min ago
Docs: man:telnetd(8)
Listen: [::]:23 (Stream)
Accepted: 0; Connected: 0
May 25 00:19:27 CentOS7.Miriam systemd[1]: Listening on Telnet Server Activation Socket.
May 25 00:19:27 CentOS7.Miriam systemd[1]: Starting Telnet Server Activation Socket.
本地端口轉發
本地主機是192.168.30.69
語法:ssh -L 本地端口:目標主機地址:目標端口 SSH服務器地址
[root@CentOS6 ~]# ssh -L 1024:192.168.30.75:23 192.168.30.74 #建立192.168.30.69與192.168.30.74的ssh端口轉發連接
Last login: Thu May 24 13:51:17 2018 from 192.168.30.69
[root@CentOS7 ~]#
[root@CentOS6 ~]# telnet 127.0.0.1 1024 #使用本地1024端口連接telnet服務
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Kernel 3.10.0-862.el7.x86_64 on an x86_64
CentOS7 login: jiangbowen
Password:
[jiangbowen@CentOS7 ~]$ #連接成功
[root@CentOS7 ~]# ss -nt #查看192.168.30.74的端口狀態
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 192.168.30.74:22 192.168.30.69:55416
ESTAB 0 0 192.168.30.74:54308 192.168.30.75:23
ESTAB 0 52 192.168.30.74:22 192.168.30.1:1799
選項:
-f 後臺啓用
-N 不打開遠程shell,處於等待狀態
-g 啓用網關功能,允許其他主機連接本地轉發端口
轉發過程:data<->localhost:1024<->localhost:XXXXX<->sshsrv:22 <->sshsrv:YYYYY<->telnetsrv:23
遠程端口轉發
本地主機是192.168.30.74
語法:ssh -R 遠程端口:目標主機地址:目標端口 SSH服務器地址
[root@CentOS7 ~]# ssh -R 1024:192.168.30.75:23 192.168.30.69 #建立192.168.30.74與192.168.30.69的ssh端口轉發連接
Last login: Thu May 24 17:14:38 2018 from 192.168.30.74
[root@CentOS6 ~]#
[root@CentOS6 ~]# ss -nt #192.168.30.69上的端口狀態
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 192.168.30.69:22 192.168.30.1:1796
ESTAB 0 0 192.168.30.69:22 192.168.30.74:50658
[root@CentOS6 ~]# ss -ntl #本地1024端口已經處於監聽狀態
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 127.0.0.1:1024 *:*
LISTEN 0 128 ::1:1024 :::*
LISTEN 0 128 :::33959 :::*
LISTEN 0 128 :::111 :::*
LISTEN 0 128 *:111 *:*
LISTEN 0 128 :::22 :::*
LISTEN 0 128 *:22 *:*
LISTEN 0 128 127.0.0.1:631 *:*
LISTEN 0 128 ::1:631 :::*
LISTEN 0 100 ::1:25 :::*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 *:44351 *:*
[root@CentOS6 ~]# telnet 127.0.0.1 1024 #使用telnet訪問本地的1024端口
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Kernel 3.10.0-862.el7.x86_64 on an x86_64
CentOS7 login: jiangbowen
Password:
Last login: Fri May 25 00:54:56 from ::ffff:192.168.30.74
[jiangbowen@CentOS7 ~]$ #連接成功
轉發過程:data<->sshsrv:1024<->sshsrv:22<->localhost:XXXXX<->localhost:YYYYY<->telnetsrv:23