02-SSH

Procedure

1. Version negotiation phase

1.1 The server starts the sshd service, listens on a port (22 by default) and waits for a client to connect
1.2 The client opens a TCP connection to the server; the server sends a message carrying its version information
1.3 The client compares the version in that message with its own and decides which version to use
1.4 The client sends its version
1.5 The server compares the versions
1.6 If negotiation succeeds, the connection moves on to the key and algorithm negotiation phase
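An added example (not code from the original notes) of steps 1.2 to 1.5 from the client's side: it parses the server's identification string in the form RFC 4253 specifies, rejects malformed or oversized banners, and decides the protocol version for a client that only speaks 2.0, treating "1.99" as a server that supports both 1.x and 2.0. The client banner string and the sample server banners are constructed.

```python
import re

# Constructed client identification string (not from the original notes).
CLIENT_BANNER = "SSH-2.0-ExampleClient_0.1"
# "SSH-protoversion-softwareversion SP comments" (RFC 4253, section 4.2)
BANNER_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<soft>\S+)(?: (?P<comment>.*))?$")


def parse_banner(raw):
    """Step 1.2: parse the server's identification line; reject malformed input."""
    if not raw.endswith(b"\r\n"):
        raise ValueError("banner must end with CR LF")
    if len(raw) > 255:  # RFC 4253 caps the line, CR LF included, at 255 bytes
        raise ValueError("banner longer than 255 bytes")
    m = BANNER_RE.match(raw[:-2].decode("ascii"))  # non-ASCII raises a ValueError too
    if not m:
        raise ValueError("not an SSH identification string: %r" % raw)
    return m.groupdict()


def choose_version(server_proto):
    """Step 1.3: decide the protocol version for a client that only speaks 2.0.
    "1.99" is how a server advertises support for both 1.x and 2.0."""
    if server_proto in ("2.0", "1.99"):
        return "2.0"
    raise ValueError("server offers protocol %s, client requires 2.0" % server_proto)


def negotiate(server_banner):
    """Steps 1.2-1.4 from the client side: (agreed version, bytes the client sends)."""
    info = parse_banner(server_banner)
    return choose_version(info["proto"]), (CLIENT_BANNER + "\r\n").encode("ascii")


if __name__ == "__main__":
    # Constructed sample banners: a current OpenSSH, a dual-version server, a 1.x-only server.
    for banner in (b"SSH-2.0-OpenSSH_7.4\r\n", b"SSH-1.99-Dual_1.0\r\n", b"SSH-1.5-Old_1.0\r\n"):
        try:
            print(banner, "->", negotiate(banner))
        except ValueError as err:
            print(banner, "-> rejected:", err)
```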

2. Key and algorithm negotiation phase

2.1 The client and server negotiate the algorithms to use
2.2 The server sends its public key and a session id to the client
2.3 The client generates a session key, combines it with the session id, encrypts the result with the server's public key and sends it to the server
2.4 The server decrypts the ciphertext with its private key and combines the result with its own session id to recover the session key
2.5 Client and server now both know the session id and session key, and all later data is transferred under them
    (Caveat: encrypting the session key to the server's public key is the protocol 1 scheme; protocol 2 derives the session key with a Diffie-Hellman exchange, and the server's host key only signs that exchange so the client can authenticate the server)

3. Authentication phase

3.1 Password authentication

    3.1.1 The client encrypts the username and password of the account on the server with the session id and session key and sends them to the server
    3.1.2 The server decrypts the ciphertext with the id and key to obtain the username and password
    3.1.3 The server checks the username and password...
    3.1.4 If 3.1.3 fails, the server asks the client to authenticate again; if it succeeds, the two sides continue with the session

-

3.2 Public/private key authentication

3.2.1 The client generates a public/private key pair with ssh-keygen and sends the public key to the server with ssh-copy-id or similar; the server stores the public key in the user's home directory... this is a one-time setup step
3.2.2 On the next connection the client encrypts its username and public key with the session key and id and sends them to the server
3.2.3 The server decrypts the ciphertext with the key and id, obtains the public key and compares it with the one stored in the home directory
3.2.4 If they do not match, the connection is refused; if they match, the server sends the client a challenge encrypted with that public key (under the session id and key), and the client decrypts the challenge with its private key (under the session id and key).
3.2.5 The client encrypts the decrypted challenge again with the id and key and sends it back; the server decrypts it and checks whether it is the same challenge: if so, authentication succeeds, otherwise it fails
    (Caveat: this encrypted-challenge exchange is the protocol 1 method; in protocol 2 the client proves possession of the private key by signing a value bound to the session, and the server verifies the signature with the stored public key)

4. Session request and interaction phase

...

OpenSSH

Versions

version 1    less secure
version 2    more secure

Configuration files

sshd: /etc/ssh/sshd_config
ssh:  /etc/ssh/ssh_config

Man pages

man sshd_config
man sshd

man ssh_config
man ssh

Service scripts

/etc/rc.d/init.d/sshd   (CentOS 6)
/usr/lib/systemd/system/sshd.service    (CentOS 7)

Delete all the host keys the client has already accepted

rm ~/.ssh/known_hosts

    This discards every recorded host key, so each host is unverified again on its next connection; to drop a single host's entry use ssh-keygen -R hostname instead

ssh (client) command

ssh [options] [user@]host [COMMAND]
ssh -l user host [COMMAND]

    If user is omitted, the login to the remote host uses the same user name as the current user on the local system

-

Common options:
    -l login_name: log in to the remote host as the specified user
    -p port: specify the port of the remote server
    -X: enable X11 forwarding
    -Y: enable trusted X11 forwarding
        X: the X Window protocol
        Shows a graphical window from the remote host on the local display, i.e. the server's output is sent over ssh to the client and rendered with the client's X window system
            This requires the local side to have an X graphical environment or to provide an X server
                Xmanager has a built-in X server
    -o option: login options; these are the same options that can be set in /etc/ssh/ssh_config
        ssh -o StrictHostKeyChecking=no 172.16.100.1
            (Caveat: StrictHostKeyChecking=no accepts an unknown host key without asking, which gives up the protection against a man-in-the-middle on first connection; reserve it for throwaway lab hosts)

Client public key login

1 Generate a public/private key pair locally with ssh-keygen

 ssh-keygen [-q] [-b bits] [-t type] [-N new_passphrase] [-P old_passphrase] [-C comment]
            [-f output_keyfile]

    The passphrase is the phrase used to encrypt the private key

 -b bits
         Specifies the number of bits in the key to create.  For RSA keys,
         the minimum size is 768 bits and the default is 2048 bits.
         Generally, 2048 bits is considered sufficient.  DSA keys must be
         exactly 1024 bits as specified by FIPS 186-2.  For ECDSA keys,
         the -b flag determines the key length by selecting from one of
         three elliptic curve sizes: 256, 384 or 521 bits.  Attempting to
         use bit lengths other than these three values for ECDSA keys will
         fail.  ED25519 keys have a fixed length and the -b flag will be
         ignored.

 -f filename
         Specifies the filename of the key file.


 -t type
         Specifies the type of key to create.  The possible values are
         “rsa1” for protocol version 1 and “dsa”, “ecdsa”, “ed25519”, or
         “rsa” for protocol version 2.  (These are the protocol versions listed under Versions above.)


 -p      Requests changing the passphrase of a private key file instead of
         creating a new private key.  The program will prompt for the file
         containing the private key, for the old passphrase, and twice for
         the new passphrase.

-

[root@husa ~]# ssh-keygen -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
82:ee:d4:2b:03:70:0d:67:77:fc:dc:23:99:86:7c:26 root@husa
The key's randomart image is:
+--[ RSA 2048]----+
|       .         |
|  . o . o        |
|   = . o + +     |
|. . ..  E X o    |
| o  . . S= . .   |
|  .. . .         |
|   .o .          |
|   oo  .         |
|    .o.          |
+-----------------+

2 Copy the public key to the server

2.1 The ssh-copy-id command

 ssh-copy-id [-n] [-i [identity_file]] [-p port] [-o ssh_option]
             [user@]hostname

2.2 Copy the public key from host 192.168.200.143 to host 192.168.200.137

This requires the password of the account on 192.168.200.137

[root@husa ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@192.168.200.137
The authenticity of host '192.168.200.137 (192.168.200.137)' can't be established.
ECDSA key fingerprint is d8:88:76:ef:30:e0:f5:f7:4b:a2:63:51:55:2e:74:28.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.200.137's password: 
Permission denied, please try again.
root@192.168.200.137's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@192.168.200.137'"
and check to make sure that only the key(s) you wanted were added.

2.3 Host 192.168.200.137 now has the file /root/.ssh/authorized_keys

[root@husa .ssh]# pwd
/root/.ssh
[root@husa .ssh]# ls
authorized_keys

3 Log in from host 192.168.200.143 to 192.168.200.137

[root@husa ~]# ssh root@192.168.200.137
Last failed login: Wed Jan 20 10:58:23 CST 2016 from 192.168.200.143 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Wed Jan 20 08:44:05 2016 from 192.168.200.1
[root@husa ~]# ifconfig
eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 00:0c:29:4d:a0:50  txqueuelen 1000  (Ethernet)
        RX packets 229066  bytes 15450697 (14.7 MiB)
        RX errors 0  dropped 157  overruns 0  frame 0
        TX packets 341  bytes 51579 (50.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eno33554984: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.200.137  netmask 255.255.255.0  broadcast 192.168.200.255
        inet6 fe80::20c:29ff:fe4d:a05a  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:4d:a0:5a  txqueuelen 1000  (Ethernet)
        RX packets 3630  bytes 558580 (545.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1365  bytes 480150 (468.8 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 1852  bytes 160884 (157.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1852  bytes 160884 (157.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
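ssh-copy-id ends by telling you to check that only the keys you wanted were added. An added example (not code from the original notes) of doing that check: it parses each authorized_keys line, confirms the key type named on the line matches the type embedded in the base64 blob, and computes the SHA256 fingerprint that `ssh-keygen -lf` prints (OpenSSH 6.8 and later; the transcript above shows the older MD5 form), so every entry can be compared against the fingerprints the administrator meant to install. The 32 key bytes are fake, and the root@husa comment and the from= option are constructed sample data.

```python
import base64
import hashlib
import struct

def ssh_string(data):
    """Encode one SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data

def read_ssh_string(buf, off=0):
    """Decode the wire-format string at offset off; returns (value, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    if off + 4 + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:off + 4 + n], off + 4 + n

def fingerprint_sha256(blob):
    """The value `ssh-keygen -lf` prints: unpadded base64 of SHA-256 over the blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")

def parse_authorized_key(line):
    """Split "[options] keytype base64-blob [comment]" and check the type inside the blob.
    Limitation: an options field with quoted spaces (command="a b") is not handled."""
    fields = line.strip().split(None, 2)
    options = None
    if not fields[0].startswith(("ssh-", "ecdsa-", "sk-")):  # first field is options
        options, fields = fields[0], line.strip().split(None, 3)[1:]
    keytype, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) > 2 else ""
    blob = base64.b64decode(b64, validate=True)
    inner, _ = read_ssh_string(blob)
    if inner.decode("ascii") != keytype:
        raise ValueError("type field %s does not match blob type %r" % (keytype, inner))
    return {"options": options, "type": keytype, "comment": comment,
            "fingerprint": fingerprint_sha256(blob)}

def unexpected_keys(lines, wanted_fingerprints):
    """Entries whose fingerprint is not in the set the administrator meant to install."""
    return [e for e in map(parse_authorized_key, lines)
            if e["fingerprint"] not in wanted_fingerprints]

# Constructed sample: 32 fake bytes stand in for an Ed25519 public key (not a real key).
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_LINE = "ssh-ed25519 %s root@husa" % base64.b64encode(SAMPLE_BLOB).decode("ascii")
RESTRICTED_LINE = 'from="192.168.200.143",no-pty ' + SAMPLE_LINE
```

To audit a real file, pass its non-empty lines to unexpected_keys together with the set of fingerprints you expect; any entry it returns is a key you did not intend to install.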