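Linux: Remote Connections with OpenSSH

OpenSSH is the open-source implementation of SSH (Secure Shell). The SSH protocol can be used to transfer files and to make remote connections.

Client:

Linux: ssh

Windows: PuTTY, SecureCRT, Xshell, etc.

Server:

sshd

Login format: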

[kiosk@foundation80 ~]$ ssh [email protected]                                        ## ssh login-user@server-IP
The authenticity of host '172.25.80.100 (172.25.80.100)' can't be established.        ## on the first connection to an unknown host,
ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.             ## .ssh/known_hosts is created automatically in the user's home directory
Are you sure you want to continue connecting (yes/no)?                                ## to record information about the hosts connected to
[email protected]'s password:                                                        ## enter the password; the connection succeeds
Last login: Fri Apr 13 07:35:55 2018
[root@localhost ~]# exit                                                              ## leave the current connection
logout
Connection to 172.25.80.200 closed.

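### By default the connection provides only a shell; to open graphical programs on the remote host, add the "-X" option

OpenSSH configuration files

/etc/ssh/

ssh_config                        ## client configuration file

sshd_config                       ## server configuration file

[root@localhost ~]# man 5 sshd_config            ## shows how to set each parameter in the configuration file; a leading # comments the line out, so the parameter has no effect
Common settings:
Port **                ## changes the port the service uses, so the service is reached on a different port
ListenAddress          ## provide the service only on the given IP address
PermitRootLogin yes    ## whether the root user may connect remotely
AllowUsers             ## login whitelist
DenyUsers              ## login blacklist; only one of the blacklist and the whitelist can be in effect at a time
After making changes, reload the configuration file: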
[root@localhost ~]# systemctl reload sshd
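
As an added example (not part of the original post), the shell functions below read the settings listed above out of an sshd_config file and report the value sshd would actually use. They assume a single file without Include or Match blocks; the sample configuration and port 2222 are constructed.

```shell
# Added example: read effective settings out of an sshd_config file.
# Assumes whitespace-separated "Keyword value" lines in one file and
# no Include or Match blocks.

# Print every value given for keyword $2 in file $1, one per line.
# Comment lines are skipped; keywords match case-insensitively.
sshd_values() {
    awk -v kw="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(kw) {
            sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print
        }' "$1"
}

# sshd keeps the first value it reads for a keyword, so a later
# duplicate line does not override an earlier one.
sshd_effective() {
    sshd_values "$1" "$2" | head -n 1
}

audit_sshd_config() {
    root=$(sshd_effective "$1" PermitRootLogin | tr 'A-Z' 'a-z')
    count=$(( $(sshd_values "$1" PermitRootLogin | wc -l) ))
    case $root in
        yes) echo "WARN PermitRootLogin yes: root login allowed, password included" ;;
        "")  echo "INFO PermitRootLogin not set: built-in default applies" ;;
        *)   echo "OK   PermitRootLogin $root" ;;
    esac
    if [ "$count" -gt 1 ]; then
        echo "WARN PermitRootLogin appears $count times: only the first is used"
    fi
    users=$(sshd_values "$1" AllowUsers | tr '\n' ' ')
    echo "INFO AllowUsers: ${users:-not set, no whitelist}"
}

# Constructed sample configuration (port 2222 is an arbitrary choice).
make_sample() {
    cat <<'EOF'
#PermitRootLogin no
Port 2222
ListenAddress 172.25.80.100
permitrootlogin yes
AllowUsers kiosk
PermitRootLogin no
EOF
}

tmp=$(mktemp); make_sample > "$tmp"
audit_sshd_config "$tmp"; rm -f "$tmp"
```

Running sshd -t before systemctl reload sshd checks the edited file for syntax errors.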

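Managing services in Linux
systemctl    ACTION    SERVICE
systemctl start sshd         # start the service
systemctl stop sshd          # stop the service
systemctl status sshd        # show the service status
systemctl restart sshd       # restart the service
systemctl reload sshd        # make the service reload its configuration
systemctl enable sshd        # start the service at boot
systemctl disable sshd       # do not start the service at boot

systemctl list-unit-files       # show the boot-time state of every service on the system
systemctl list-units            # show all services currently running on the system
systemctl set-default graphical.target     # boot into the graphical interface
systemctl set-default multi-user.target    # boot without the graphical interface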

Key-based authentication
[root@localhost ~]# ssh-keygen                                        ## generate the key pair
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):              ## file in which the key is saved
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.              ## private key
Your public key has been saved in /root/.ssh/id_rsa.pub.              ## public key
The key fingerprint is:
e0:89:c9:5f:58:77:1d:ba:1a:1f:0d:fb:23:55:75:63 root@localhost
The key's randomart image is:
+--[ RSA 2048]----+
|              .Eo|
|             o..+|
|      . . . + . .|
|   . + = . . = . |
|    + + S . + o  |
|     . .   + +   |
|      .   . o o  |
|             . . |
|                 |
+-----------------+
[root@localhost ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub [email protected]      
The authenticity of host '172.25.80.100 (172.25.80.100)' can't be established.
ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.
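## ssh-copy-id                 ## the command that installs the lock (the public key)
## -i                          ## specifies the key file
## /root/.ssh/id_rsa.pub       ## the public key
## root                        ## the user to lock
## 172.25.80.100               ## host IP

After generating the keys, copy the private key to the client, into the .ssh/ directory under the home directory of the user who will make the connection.

The scp command can be used to copy files over the network.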

[kiosk@foundation80 ~]$ scp [email protected]:/root/.ssh/id_rsa ~/.ssh/        ## on the client, download the private key file from the server
[email protected]'s password:                                                  ## into the .ssh/ directory under the home directory
id_rsa                                        100% 1675     1.6KB/s   00:00  

[root@localhost ~]# scp ~/.ssh/id_rsa [email protected]:/home/kiosk/.ssh/          ## on the server, upload the private key file
The authenticity of host '172.25.80.250 (172.25.80.250)' can't be established.      ## to the .ssh directory in a user's home directory on the client
ECDSA key fingerprint is 05:eb:75:10:96:04:ec:c6:f4:28:ed:d0:fd:73:85:31.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.25.80.250' (ECDSA) to the list of known hosts.
[email protected]'s password: 
id_rsa                                        100% 1675     1.6KB/s   00:00    

[kiosk@foundation80 .ssh]$ ssh [email protected]
Last login: Fri Apr 13 11:03:46 2018 from 172.25.80.250
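## The private key has been copied into the .ssh directory in the kiosk user's home directory; logging in to the server from the kiosk account now needs no password and connects directly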

[root@localhost ~]# rm -rf /root/.ssh/authorized_keys 
[root@localhost ~]# exit
logout
Connection to 172.25.80.100 closed.
[kiosk@foundation80 .ssh]$ ssh [email protected]
[email protected]'s password: 
Last login: Fri Apr 13 11:13:52 2018 from 172.25.80.250
## After the authorized_keys file is deleted, the client's key file no longer works

[root@localhost ~]# cp /root/.ssh/id_rsa.pub /root/.ssh/authorized_keys
[root@localhost ~]# exit
logout
Connection to 172.25.80.100 closed.
[kiosk@foundation80 .ssh]$ ssh [email protected]
Last login: Fri Apr 13 11:17:17 2018 from 172.25.80.250
[root@localhost ~]# 
## After the lock file (authorized_keys) is regenerated, the key file works again
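
The session above leaves root's private key in /root/.ssh on the server beside the authorized_keys file that trusts it, and copies that key to the client. The following added example (not part of the original post) lists private keys whose public half is authorized in the same directory, and private keys that group or others can access; the key blobs and the temporary directory are constructed sample data.

```shell
# Added example: audit a .ssh directory. Sample data is constructed.

# Print the base64 blob of every key line in FILE. Heuristic: the blob is
# the field after the first field that looks like a key type, which
# skips authorized_keys options such as from="...".
key_blobs() {
    awk '!/^[ \t]*#/ { for (i = 1; i < NF; i++)
        if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $(i + 1); break } }' "$1"
}

# Print each private key in DIR whose public half is authorized in
# DIR/authorized_keys: the key that opens this account is stored on
# the host it opens.
colocated_keys() {
    [ -f "$1/authorized_keys" ] || return 0
    for pub in "$1"/*.pub; do
        priv=${pub%.pub}
        [ -f "$pub" ] && [ -f "$priv" ] || continue
        blob=$(key_blobs "$pub" | head -n 1)
        [ -n "$blob" ] || continue
        if key_blobs "$1/authorized_keys" | grep -qxF -- "$blob"; then
            echo "$priv"
        fi
    done
}

# Print private keys in DIR that group or others can access; the ssh
# client refuses to use such a key file.
exposed_private_keys() {
    for pub in "$1"/*.pub; do
        priv=${pub%.pub}
        [ -f "$priv" ] || continue
        [ "$(ls -ld "$priv" | cut -c5-10)" = "------" ] || echo "$priv"
    done
}

# Constructed sample directory (dummy key material, not real keys).
make_demo_dir() {
    d=$(mktemp -d)
    echo "ssh-rsa AAAAB3CONSTRUCTEDBLOB1 root@localhost" > "$d/id_rsa.pub"
    echo "dummy private key" > "$d/id_rsa"; chmod 644 "$d/id_rsa"
    { echo "# constructed"; echo "ssh-ed25519 AAAAC3CONSTRUCTEDBLOB2 kiosk@foundation80"
      echo "from=\"172.25.80.250\" ssh-rsa AAAAB3CONSTRUCTEDBLOB1 root@localhost"
    } > "$d/authorized_keys"
    echo "$d"
}

demo=$(make_demo_dir)
colocated_keys "$demo"; exposed_private_keys "$demo"
rm -rf "$demo"
```

If the key pair is generated on the client and only id_rsa.pub is sent with ssh-copy-id, the server's .ssh directory holds no matching private key and colocated_keys prints nothing.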

