1. First, the basic concepts of SSH and telnet. SSH (Secure Shell) listens on port 22/tcp. OpenSSH is the open-source implementation of SSH; like the local console path (mingetty -> login), it is a way of logging in to a server, but over the network, with the whole session encrypted. Earlier, telnet was used for this, listening on port 23/tcp; telnet sends everything, including the username and password, across the network in cleartext.
2. Install the packages and start the corresponding services.
[root@lab1 ~]# yum install -y telnet-server
[root@lab1 ~]# yum install -y xinetd
[root@lab1 ~]# yum list all telnet*
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.ustc.edu.cn
* epel: fedora.cs.nctu.edu.tw
* extras: centos.ustc.edu.cn
* updates: mirrors.163.com
Installed Packages
telnet.x86_64 1:0.17-64.el7 @base
Available Packages
telnet-server.x86_64 1:0.17-64.el7 base
[root@lab1 ~]# systemctl start telnet.socket
[root@lab1 ~]# systemctl start xinetd
[root@lab1 ~]# ss -tnl | grep 23
LISTEN 0 128 :::23 :::*
Here xinetd is the "super-server": it listens on the ports of services that are not used often (transient daemons) and starts them on demand. On CentOS 7, however, telnet-server is socket-activated by systemd through telnet.socket, started above, which fills the same role, so xinetd is not actually needed for telnet here. Note also that grep 23 matches any line containing 23 (a port such as 2323, or part of an address), not only a listener on port 23.
3. Create a test user user001 and test logging in. Over telnet, the username and password typed below travel across the network in cleartext.
[root@lab1 ~]# useradd user001
[root@lab1 ~]# passwd user001
Changing password for user user001.
New password:
BAD PASSWORD: The password is a palindrome
Retype new password:
passwd: all authentication tokens updated successfully.
[C:\~]$ telnet 172.20.0.131
Connecting to 172.20.0.131:23...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Kernel 3.10.0-693.el7.x86_64 on an x86_64
lab1 login: user001
Password:
4. There are two versions of the SSH protocol.
V1: integrity is protected only by CRC-32, which is a checksum, not a cryptographic MAC; it was broken by insertion attacks and SSHv1 is obsolete.
V2: both sides negotiate a secure MAC algorithm, use Diffie-Hellman for key exchange, and authenticate with RSA or DSA keys (current OpenSSH also supports ECDSA and Ed25519, as the host keys further down show).
There are two ways to authenticate a user login: 1. password-based, 2. key-based. The whole service uses a client/server architecture: on the client side ssh (scp and sftp run over the same protocol; Windows clients are supported too, commonly Xshell or PuTTY), on the server side sshd.
5. Configuration files. /etc/ssh/ssh_config is the client configuration; /etc/ssh/sshd_config is the server configuration. grep -v ^# /etc/ssh/ssh_config shows the settings that are actually in effect. Note that the client file below sets ForwardX11Trusted yes, so any X11-forwarded session gives the remote side's X clients full access to the local display.
[root@lab1 ~]# ll /etc/ssh/* | grep _config
-rw-r--r--. 1 root root 2276 Aug 6 2017 /etc/ssh/ssh_config
-rw-------. 1 root root 3906 Aug 6 2017 /etc/ssh/sshd_config
[root@lab1 ~]# grep -v ^# /etc/ssh/ssh_config
Host *
GSSAPIAuthentication yes
ForwardX11Trusted yes
SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
SendEnv XMODIFIERS
The .ssh directory holds the keys; known_hosts stores the host keys of servers already connected to, so that a later connection presenting a different host key is refused (a sign of a man-in-the-middle or of a rebuilt server).
[root@lab1 ~]# ll -a | grep .ssh$
drwx------. 2 root root 38 Apr 30 01:34 .ssh
[root@lab1 ~]# cd .ssh
[root@lab1 .ssh]# ll
total 12
-rw-------. 1 root root 1675 Apr 30 01:34 id_rsa
-rw-r--r--. 1 root root 403 Apr 30 01:34 id_rsa.pub
-rw-r--r--. 1 root root 191 Apr 30 01:52 known_hosts
[root@lab1 .ssh]# cat known_hosts
lab2.example.com,172.20.0.128 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGyLbTdEeGObgSe12gZQ6uA2sF5Lj6kozhXYJEw5SJff0AXojnyIP/81kVcjydgAgZ9gAMZsTQx5+Yzf8bC2AVs=
6. Generate a key pair with ssh-keygen; ssh-copy-id user@host then appends the public key to .ssh/authorized_keys in the specified user's home directory on the specified host. In the run below the passphrase is left empty, so the private key id_rsa is stored unencrypted: anyone who can read that file can log in as that user.
[root@lab1 ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:GUpULbipIhpx5jgtu3/EvTw5lEPius1krQlTJT2rnk4 [email protected]
The key's randomart image is:
+---[RSA 2048]----+
| .o.. |
| o. . . |
| . =o.. |
|. o .+++ o |
| B o.=o.S |
|* +.=o= |
|.*o+Eo.+ |
|o .X.+* |
|.oo+O o |
+----[SHA256]-----+
[root@lab1 ~]# ssh-copy-id [email protected]
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host 'lab2.example.com (172.20.0.128)' can't be established.
ECDSA key fingerprint is SHA256:2kh6qcdfS88uBPN4RI9/yGdd83S9wY3a16+A2qf7ImE.
ECDSA key fingerprint is MD5:18:4d:e5:3e:76:44:e7:99:c0:e5:bd:48:1b:34:99:da.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.
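The prompt above is the trust-on-first-use moment: the ECDSA fingerprint should be compared with one obtained out of band (for example on lab2's own console with ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub) before answering yes, and the key then lands in known_hosts as shown in section 5. The following is an added example, not part of the original post: it recomputes OpenSSH's SHA256 fingerprint from the base64 blob of a known_hosts line and checks that the key type declared on the line matches the type encoded inside the blob. It assumes GNU coreutils and awk; the known_hosts line it runs on is the one shown in section 5.

```bash
#!/usr/bin/env bash
# Added example: recompute the SHA256 fingerprint of a known_hosts entry and check that
# the key type named on the line matches the type embedded in the key blob.
# Assumes GNU coreutils (base64 -d, sha256sum, od, head, tail, mktemp) and awk.

# Base64-encode a lowercase hex string without '=' padding, the way OpenSSH prints
# SHA256 fingerprints. Done in awk so the script needs neither xxd nor openssl.
hex_to_b64_unpadded() {
  awk 'function hv(c) { return index("0123456789abcdef", c) - 1 }
       BEGIN { b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" }
       {
         out = ""
         for (i = 1; i <= length($1); i += 6) {
           chunk = substr($1, i, 6)                  # up to 3 bytes = 6 hex digits
           v = 0
           for (j = 1; j <= length(chunk); j++) v = v * 16 + hv(substr(chunk, j, 1))
           for (j = length(chunk); j < 6; j++) v *= 16   # left-align a short last chunk to 24 bits
           out = out substr(b64, int(v / 262144) + 1, 1) substr(b64, int(v / 4096) % 64 + 1, 1)
           if (length(chunk) > 2) out = out substr(b64, int(v / 64) % 64 + 1, 1)
           if (length(chunk) > 4) out = out substr(b64, v % 64 + 1, 1)
         }
         print out
       }'
}

# Decode a base64 blob into a temp file and print the file name; fails on bad base64.
decode_blob() {
  local f
  f=$(mktemp) || return 1
  if printf '%s' "$1" | base64 -d > "$f" 2>/dev/null; then
    printf '%s\n' "$f"
  else
    rm -f "$f"; return 1
  fi
}

# SHA256 fingerprint of a key blob (3rd field of a known_hosts or authorized_keys line).
ssh_fingerprint_sha256() {
  local f hex
  f=$(decode_blob "$1") || return 1
  hex=$(sha256sum "$f" | awk '{ print $1 }')
  rm -f "$f"
  printf 'SHA256:%s\n' "$(printf '%s\n' "$hex" | hex_to_b64_unpadded)"
}

# Key type string at the start of the blob: a big-endian uint32 length, then the name.
ssh_blob_type() {
  local f len
  f=$(decode_blob "$1") || return 1
  len=$(od -An -tu1 -N4 "$f" | awk '{ print $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 }')
  tail -c +5 "$f" | head -c "$len"
  rm -f "$f"
}

# Check one known_hosts line. Prints "hosts type SHA256:..." or fails on a mismatch.
# Fields: hostnames, key type, base64 blob (lines with a leading @marker are not handled).
known_hosts_fingerprint() {
  local host type blob embedded
  set -- $1
  host=$1; type=$2; blob=$3
  embedded=$(ssh_blob_type "$blob") || { echo "bad base64 for $host" >&2; return 1; }
  if [ "$embedded" != "$type" ]; then
    echo "type mismatch for $host: line says $type, blob says $embedded" >&2
    return 1
  fi
  printf '%s %s %s\n' "$host" "$type" "$(ssh_fingerprint_sha256 "$blob")"
}

# The known_hosts entry shown in section 5 of this page; compare the output with the
# ECDSA SHA256 fingerprint ssh-copy-id printed at first connect.
KNOWN_HOSTS_LINE='lab2.example.com,172.20.0.128 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGyLbTdEeGObgSe12gZQ6uA2sF5Lj6kozhXYJEw5SJff0AXojnyIP/81kVcjydgAgZ9gAMZsTQx5+Yzf8bC2AVs='
known_hosts_fingerprint "$KNOWN_HOSTS_LINE"
```

The type check matters because the blob, not the text label, is what the client actually verifies; a line whose label and blob disagree has been edited by hand or tampered with and should not be trusted.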
7. Generating a key with Xshell. Xshell can generate a key pair and save the private key locally; the steps are as follows.
8. Edit the authorization file. Write the public key into .ssh/authorized_keys. If .ssh/authorized_keys is newly created, make sure its mode is 600; sshd's StrictModes (on by default) also refuses the key if ~/.ssh or the home directory is writable by group or others. When logging in with Xshell, choose key as the authentication method.
[root@lab2 ~]# ll -a .ssh/authorized_keys
-rw-------. 1 root root 403 Apr 30 02:35 .ssh/authorized_keys
[root@lab2 ~]# cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDn/s7fq6I1yUNoYSjOwaf/GSfbFidlG/0hQbcwNaaPft6F84SIzvTUjjGfrwF1E9k6duBs/MfF3dHfN2UKLa1eUXvyWAtufFr8gFx+Dir4afBIKaGmxN2MhqnQxvq1drolflb9leIAx+rvdx2t7VGASUO9fRRP6tTd/pwWJllhIexS93f1kvmDRgnkaTEsSu6ufYCPl2/WNamGXsdwbbkyRj8sD3zoPq/ooOJuAAcS4BJrumqeigcg8O0f/nNkHQwjqB2vil33OliCZxlPv9kNffFVOtz0aeWqXuVa1k7YUW4T+5znXVy0Z+GFdIS+QdtoQXep2QfOgTPFYzALMzgz [email protected]
[root@lab2 ~]# vi .ssh/authorized_keys
[root@lab2 ~]# cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDn/s7fq6I1yUNoYSjOwaf/GSfbFidlG/0hQbcwNaaPft6F84SIzvTUjjGfrwF1E9k6duBs/MfF3dHfN2UKLa1eUXvyWAtufFr8gFx+Dir4afBIKaGmxN2MhqnQxvq1drolflb9leIAx+rvdx2t7VGASUO9fRRP6tTd/pwWJllhIexS93f1kvmDRgnkaTEsSu6ufYCPl2/WNamGXsdwbbkyRj8sD3zoPq/ooOJuAAcS4BJrumqeigcg8O0f/nNkHQwjqB2vil33OliCZxlPv9kNffFVOtz0aeWqXuVa1k7YUW4T+5znXVy0Z+GFdIS+QdtoQXep2QfOgTPFYzALMzgz [email protected]
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAtr00qWBSxn6XkobBJhnpcJ2ltk6iAGyDrSpWWRRtmietE3eL8RBTnunlNB/3oeDhrtTpM+dzzZNTddR/KRURCNcv+gcUoT9vDEQRVu8sPmHSd5tXllWjjFSaUHDWULdiHXTp6Qc19VClJZDrldEfF8jlroD27FC2KXujmJF2S5u6+YNFMeNRljynWBtGk2v3klMfhzdqkFY159+8qfq8MUqsWtRrCbSdQvzJ6JCuaiML48YCvM57BFCejSucMqEHtM1XDgUgFtJbj3tGN1ZzsPeQTX2yIcNObW2UZFklbc2A1UaAwVIwqZCc41GJVlY5Rgrww80JxPbXyYyAqX2JGw== rsa 2048-043019
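The two things that bite in practice at this step are file modes and duplicate keys. The following added example (not from the original post) builds a throwaway home directory with the typical mistakes (a group-writable .ssh and a 644 authorized_keys), reports what sshd's StrictModes would object to, applies the modes recommended above, and appends a public key only if the same key blob is not already present, which is what ssh-copy-id's "filter out any that are already installed" step does. The paths and the stub key line are constructed for the example; it assumes GNU stat and a POSIX shell.

```bash
#!/usr/bin/env bash
# Added example: check and fix what sshd's StrictModes requires of ~/.ssh/authorized_keys,
# and append a key idempotently. The home directory is passed explicitly so the functions
# can be run against a constructed directory tree. Assumes GNU stat (-c).

# $1 = home directory. Prints one finding per line; returns 1 if anything is wrong.
check_ssh_perms() {
  local home=$1 rc=0 p mode owner home_owner
  home_owner=$(stat -c %U "$home") || return 1
  for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
    if [ ! -e "$p" ]; then echo "missing: $p"; rc=1; continue; fi
    mode=$(stat -c %a "$p"); owner=$(stat -c %U "$p")
    # sshd checks every element of the path: owned by the user (or root) and
    # not writable by group or others.
    if [ "$owner" != "$home_owner" ] && [ "$owner" != root ]; then
      echo "wrong owner: $p ($owner)"; rc=1
    fi
    # A group/other write bit is set if either of the last two mode digits is 2, 3, 6 or 7.
    case "${mode#${mode%??}}" in
      *[2367]*) echo "group/world-writable: $p (mode $mode)"; rc=1 ;;
    esac
  done
  if [ -f "$home/.ssh/authorized_keys" ]; then
    mode=$(stat -c %a "$home/.ssh/authorized_keys")
    # 600 as the text recommends: the file says who may log in; nobody else needs to read it.
    if [ "$mode" != 600 ]; then echo "authorized_keys mode $mode, want 600"; rc=1; fi
  fi
  return $rc
}

# $1 = home directory. Apply the recommended modes, creating .ssh/authorized_keys if needed.
fix_ssh_perms() {
  local home=$1
  chmod go-w "$home"
  mkdir -p "$home/.ssh"
  chmod 700 "$home/.ssh"
  [ -f "$home/.ssh/authorized_keys" ] || : > "$home/.ssh/authorized_keys"
  chmod 600 "$home/.ssh/authorized_keys"
}

# $1 = home directory, $2 = a public key line ("ssh-rsa AAAA... comment").
# Appends it unless a line with the same key blob (2nd field) is already present.
add_authorized_key() {
  local home=$1 key=$2 file=$1/.ssh/authorized_keys blob
  blob=$(printf '%s\n' "$key" | awk '{ print $2 }')
  if [ -f "$file" ] && awk -v b="$blob" '$2 == b { found = 1 } END { exit !found }' "$file"; then
    return 0                                   # already authorised, nothing to do
  fi
  printf '%s\n' "$key" >> "$file"
}

# Demo on a constructed tree with the usual mistakes: group-writable .ssh, 644 authorized_keys.
# The key line is a constructed stub, not a real key.
demo_home=$(mktemp -d)
mkdir -p "$demo_home/.ssh" && chmod 775 "$demo_home/.ssh"
printf 'ssh-rsa AAAAB3NzaC1yc2E= constructed-stub-key\n' > "$demo_home/.ssh/authorized_keys"
chmod 644 "$demo_home/.ssh/authorized_keys"
echo "before:"; check_ssh_perms "$demo_home" || true
fix_ssh_perms "$demo_home"
add_authorized_key "$demo_home" 'ssh-rsa AAAAB3NzaC1yc2E= constructed-stub-key'   # already there: no duplicate
echo "after:"
if check_ssh_perms "$demo_home"; then
  echo "ok: $(wc -l < "$demo_home/.ssh/authorized_keys") key(s) authorised"
fi
rm -rf "$demo_home"
```

When a key is rejected for mode reasons, sshd logs "Authentication refused: bad ownership or modes" in /var/log/secure, so that log is the first place to look if key login unexpectedly falls back to a password prompt.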
9. Using sftp. Once SSH is configured, sftp works as well: it runs as a subsystem of sshd, enabled by the Subsystem sftp line in sshd_config, so it uses the same authentication and the same encrypted channel.
[root@lab1 ~]# sftp [email protected]
Connected to 172.20.0.128.
sftp> ls -l -a
dr-xr-x--- 3 root root 147 Apr 30 01:52 .
dr-xr-xr-x 17 root root 224 Dec 5 07:18 ..
-rw------- 1 root root 185 Apr 30 01:50 .bash_history
-rw-r--r-- 1 root root 18 Dec 28 2013 .bash_logout
-rw-r--r-- 1 root root 176 Dec 28 2013 .bash_profile
-rw-r--r-- 1 root root 176 Dec 28 2013 .bashrc
-rw-r--r-- 1 root root 100 Dec 28 2013 .cshrc
drwx------ 2 root root 29 Apr 30 02:39 .ssh
-rw-r--r-- 1 root root 129 Dec 28 2013 .tcshrc
-rw------- 1 root root 1409 Dec 5 07:19 anaconda-ks.cfg
10. The server side, sshd. rpm -q openssh shows the installed package version. grep -v ^# /etc/ssh/sshd_config | grep -v ^$ shows the configuration in effect. (A word on the shipped file: every line beginning with # is a comment, but by convention a line with the directive immediately after the #, such as #Directive value, documents the compiled-in default that applies while the line stays commented, whereas # followed by a space and text is an explanatory comment.) The other directives you can look up in the file yourself. tail /var/log/secure shows the log entries the service writes: the login: entries here came from the telnet logins above (telnetd hands the session to /bin/login), the sshd entries from the SSH daemon, including a successful root password login from 172.20.0.1. ll /var/log/secure shows that the log itself is access-controlled: mode 600, readable only by root.
[root@lab1 ~]# rpm -q openssh
openssh-7.4p1-11.el7.x86_64
[root@lab1 ~]# grep -v ^# /etc/ssh/sshd_config | grep -v ^$
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTHPRIV
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp /usr/libexec/openssh/sftp-server
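Reading the effective configuration by hand is error-prone: sshd honours the first occurrence of a directive and ignores later duplicates, anything after a Match line applies only to matching connections, and anything left unset falls back to a compiled-in default, which on this build is what lets root log in with a password in the log below. The following is an added example, not the page's own script: it extracts the effective value of the directives above from an sshd_config file and flags the weak settings seen here (password authentication on, root login left at the default, X11 forwarding on). The sample config it audits is constructed for the example.

```bash
#!/usr/bin/env bash
# Added example: report the effective values of the security-relevant sshd_config
# directives shown on this page. sshd uses the FIRST occurrence of a directive and
# ignores later ones; lines after "Match" apply only to matching connections, so the
# scan stops there. Any line starting with # is a comment, including the
# "#Directive default" lines in the shipped file.

# $1 = config path, $2 = directive (case-insensitive). Prints the effective value,
# or nothing when the directive is not set (the compiled-in default applies).
sshd_effective() {
  awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    tolower($1) == "match"   { exit }
    tolower($1) == want      { sub(/^[ \t]*[^ \t]+[ \t]*/, ""); print; exit }
  ' "$1"
}

# $1 = config path. One line per directive: NAME VALUE VERDICT.
sshd_audit() {
  local cfg=$1 v
  v=$(sshd_effective "$cfg" PermitRootLogin)
  # Unset means the build default. Upstream OpenSSH 7.x defaults to prohibit-password,
  # but the CentOS 7 openssh-7.4p1 package defaults to yes, which is why this page's
  # log shows "Accepted password for root".
  case "${v:-yes}" in
    no)                                 printf 'PermitRootLogin %s ok\n' "$v" ;;
    prohibit-password|without-password) printf 'PermitRootLogin %s keys-only\n' "$v" ;;
    *)                                  printf 'PermitRootLogin %s WEAK\n' "${v:-default}" ;;
  esac
  v=$(sshd_effective "$cfg" PasswordAuthentication)   # default yes
  case "${v:-yes}" in
    no) printf 'PasswordAuthentication %s ok\n' "$v" ;;
    *)  printf 'PasswordAuthentication %s WEAK\n' "${v:-default}" ;;
  esac
  v=$(sshd_effective "$cfg" Protocol)
  # OpenSSH 7.4 removed SSHv1 server support, so this only matters on older versions.
  case "$v" in
    *1*) printf 'Protocol %s WEAK\n' "$v" ;;
    *)   printf 'Protocol %s ok\n' "${v:-default}" ;;
  esac
  v=$(sshd_effective "$cfg" X11Forwarding)             # default no
  case "${v:-no}" in
    yes) printf 'X11Forwarding %s REVIEW\n' "$v" ;;
    *)   printf 'X11Forwarding %s ok\n' "${v:-default}" ;;
  esac
}

# Constructed config (not this page's file): the page's effective lines, the shipped
# commented default, and a Match block whose directive must not be picked up.
demo_cfg=$(mktemp)
printf '%s\n' '#PermitRootLogin yes' 'PasswordAuthentication yes' 'X11Forwarding yes' \
  'Match User sftponly' '  PasswordAuthentication no' > "$demo_cfg"
sshd_audit "$demo_cfg"
rm -f "$demo_cfg"
```

To harden the server shown on this page, set PermitRootLogin no and PasswordAuthentication no in /etc/ssh/sshd_config, run sshd -t to validate the file, and restart sshd only after confirming that key login works from a second session.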
[root@lab1 ~]# tail /var/log/secure
Apr 30 02:16:15 lab1 login: pam_unix(remote:auth): authentication failure; logname= uid=0 euid=0 tty=pts/1 ruser= rhost=bogon
Apr 30 02:16:27 lab1 login: FAILED LOGIN 1 FROM bogon FOR (unknown), User not known to the underlying authentication module
Apr 30 21:31:59 lab1 polkitd[669]: Loading rules from directory /etc/polkit-1/rules.d
Apr 30 21:31:59 lab1 polkitd[669]: Loading rules from directory /usr/share/polkit-1/rules.d
Apr 30 21:31:59 lab1 polkitd[669]: Finished loading, compiling and executing 2 rules
Apr 30 21:31:59 lab1 polkitd[669]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Apr 30 21:32:01 lab1 sshd[938]: Server listening on 0.0.0.0 port 22.
Apr 30 21:32:01 lab1 sshd[938]: Server listening on :: port 22.
Apr 30 21:36:20 lab1 sshd[1241]: Accepted password for root from 172.20.0.1 port 63432 ssh2
Apr 30 21:36:20 lab1 sshd[1241]: pam_unix(sshd:session): session opened for user root by (uid=0)
[root@lab1 ~]# ll /var/log/secure
-rw-------. 1 root root 7360 Apr 30 21:36 /var/log/secure
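The log lines above are what a detection rule works from. The following added example (not from the original post) summarises sshd authentication events in a /var/log/secure style file: failed password attempts per source address with an alert threshold, accepted logins by method and user, and a count of root password logins, of which the page's own log contains one. The sample log lines are constructed to match the format shown above and are not real captures; the example assumes awk and GNU coreutils.

```bash
#!/usr/bin/env bash
# Added example: summarise sshd authentication events in a /var/log/secure style file
# and flag sources with repeated password failures. Only sshd's own "Accepted"/"Failed"
# lines are counted; the pam_unix lines that accompany them and the login: lines from
# telnet sessions are skipped, so nothing is double counted.

# $1 = log file, $2 = failure threshold per source (default 5).
# Output lines: "failed HOST N", "alert HOST N", "accepted METHOD USER HOST N",
# "root_password_logins N".
secure_log_report() {
  awk -v thr="${2:-5}" '
    # Syslog layout: Mon DD HH:MM:SS host sshd[pid]: message...
    $5 !~ /^sshd\[[0-9]+\]:$/ { next }
    /Failed password for/ {
      # "... for USER from HOST port N ssh2" or "... for invalid user USER from HOST ...":
      # locate the source by the "from" keyword rather than a fixed field position.
      for (i = 6; i <= NF; i++) if ($i == "from") host = $(i + 1)
      fail[host]++
      next
    }
    /Accepted (password|publickey) for/ {
      for (i = 6; i <= NF; i++) if ($i == "from") host = $(i + 1)
      ok[$7 " " $9 " " host]++                 # method, user, source
      if ($7 == "password" && $9 == "root") rootpw++
    }
    END {
      for (h in fail) {
        printf "failed %s %d\n", h, fail[h]
        if (fail[h] >= thr) printf "alert %s %d\n", h, fail[h]
      }
      for (k in ok) printf "accepted %s %d\n", k, ok[k]
      printf "root_password_logins %d\n", rootpw + 0
    }' "$1"
}

# Constructed sample lines modelled on this page's /var/log/secure output (not real captures).
# 203.0.113.9 is a documentation address standing in for a password-guessing source.
SAMPLE_SECURE_LOG='Apr 30 02:16:27 lab1 login: FAILED LOGIN 1 FROM bogon FOR (unknown), User not known to the underlying authentication module
Apr 30 21:36:20 lab1 sshd[1241]: Accepted password for root from 172.20.0.1 port 63432 ssh2
Apr 30 21:36:20 lab1 sshd[1241]: pam_unix(sshd:session): session opened for user root by (uid=0)
Apr 30 21:40:01 lab1 sshd[1300]: Failed password for invalid user admin from 203.0.113.9 port 40001 ssh2
Apr 30 21:40:03 lab1 sshd[1300]: Failed password for invalid user admin from 203.0.113.9 port 40001 ssh2
Apr 30 21:40:05 lab1 sshd[1302]: Failed password for root from 203.0.113.9 port 40002 ssh2
Apr 30 21:40:07 lab1 sshd[1302]: Failed password for root from 203.0.113.9 port 40002 ssh2
Apr 30 21:40:09 lab1 sshd[1304]: Failed password for user001 from 203.0.113.9 port 40003 ssh2
Apr 30 21:41:00 lab1 sshd[1310]: Failed password for user001 from 172.20.0.1 port 63500 ssh2
Apr 30 21:41:05 lab1 sshd[1310]: Accepted publickey for user001 from 172.20.0.1 port 63500 ssh2
Apr 30 21:41:05 lab1 sshd[1310]: pam_unix(sshd:session): session opened for user user001 by (uid=0)'

demo_log=$(mktemp)
printf '%s\n' "$SAMPLE_SECURE_LOG" > "$demo_log"
secure_log_report "$demo_log" 3
rm -f "$demo_log"
```

Because /var/log/secure is mode 600, this has to run as root (or on a copy shipped to a log host); on CentOS 7 the same events are also available through journalctl -u sshd, which the same awk can read.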