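OpenSSH is the open-source implementation of SSH (Secure Shell). The SSH protocol can be used to transfer files and to make remote connections.
Clients:
Linux: ssh
Windows: PuTTY, SecureCRT, Xshell, etc.
Server:
sshd
Login format:
[kiosk@foundation80 ~]$ ssh [email protected] ##ssh login-user@server-IP-address
The authenticity of host '172.25.80.100 (172.25.80.100)' can't be established. ##The first connection to an unknown host automatically creates
ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08. ##.ssh/known_hosts under the user's home directory,
Are you sure you want to continue connecting (yes/no)? ##which records information about the hosts that have been connected to
[email protected]'s password: ##Enter the password; the connection succeeds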
Last login: Fri Apr 13 07:35:55 2018
[root@localhost ~]# exit ##Close the current connection
logout
Connection to 172.25.80.200 closed.
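###By default the connection only provides a shell. To open graphical programs on the remote host, add "-X"
OpenSSH configuration files
/etc/ssh/
ssh_config ##Client configuration file
sshd_config ##Server configuration file
[root@localhost ~]# man 5 sshd_config ##Shows how to set each parameter in the configuration file; a leading # comments a line out, so that parameter has no effect
Commonly used:
Port ** ##Changes the port the service uses; clients then reach the service on that port
ListenAddress ##Provide the service only on the given IP address
PermitRootLogin yes ##Whether the root user may connect remotely
AllowUsers ##Login whitelist
DenyUsers ##Login blacklist; only one of the whitelist and the blacklist can be in effect at a time
After making changes, the configuration file has to be reloaded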
[root@localhost ~]# systemctl reload sshd
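The options listed above can be checked before the reload. The shell functions below are an added example, not part of the original notes: they read an sshd_config file, skip commented-out lines, and report PermitRootLogin, AllowUsers and DenyUsers. The function names, the sample configuration and its user names (student, guest) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): read the global settings of an
# sshd_config file. Lines starting with '#' are comments; parsing stops at the
# first Match block, because settings below it are conditional.

# sshd_effective FILE KEYWORD: print the first uncommented value of KEYWORD.
# Keywords are case-insensitive; for most keywords sshd uses the first value.
sshd_effective() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }                  # comment or blank line
        {
            sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")
            key = $0; sub(/[ \t=].*/, "", key)   # text before space or "="
            val = substr($0, length(key) + 1)
            sub(/^[ \t]*=?[ \t]*/, "", val)      # drop the separator
            key = tolower(key)
            if (key == "match") exit
            if (key == want) { print val; exit }
        }' "$1"
}

# sshd_audit FILE: one finding per line for the options listed above.
sshd_audit() {
    root=$(sshd_effective "$1" PermitRootLogin)
    allow=$(sshd_effective "$1" AllowUsers)
    deny=$(sshd_effective "$1" DenyUsers)
    case "$root" in
        "")  echo "PermitRootLogin: not set, the default of this sshd applies" ;;
        yes) echo "PermitRootLogin: yes, root may log in remotely" ;;
        *)   echo "PermitRootLogin: $root" ;;
    esac
    [ -n "$allow" ] && echo "AllowUsers: $allow"
    [ -n "$deny" ] && echo "DenyUsers: $deny"
    if [ -n "$allow" ] && [ -n "$deny" ]; then
        echo "note: AllowUsers and DenyUsers are both set"
    fi
    return 0
}

# Constructed sample configuration (user names are made up).
sample_config() {
    printf '%s\n' '#Port 22' 'Port 2222' '#PermitRootLogin no' \
        'PermitRootLogin yes' 'AllowUsers=kiosk student' 'DenyUsers guest' \
        'Match User kiosk' '    PermitRootLogin no'
}

tmp=$(mktemp) && sample_config > "$tmp" && sshd_audit "$tmp"; rm -f "$tmp"
```

On a real server, sshd -T (run as root) prints the configuration that sshd itself would use.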
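Managing services in Linux
systemctl action service
systemctl start sshd #start the service
systemctl stop sshd #stop the service
systemctl status sshd #show the service status
systemctl restart sshd #restart the service
systemctl reload sshd #make the service reload its configuration
systemctl enable sshd #start the service at boot
systemctl disable sshd #do not start the service at boot
systemctl list-unit-files #show the boot-time state of all services on the system
systemctl list-units #show all services currently running on the system
systemctl set-default graphical.target #start the graphical interface at boot
systemctl set-default multi-user.target #do not start the graphical interface at boot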
Key-based authentication (KEY authentication)
[root@localhost ~]# ssh-keygen ##Generate a key pair
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): ##File in which the key is saved
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa. ##Private key
Your public key has been saved in /root/.ssh/id_rsa.pub. ##Public key
The key fingerprint is:
e0:89:c9:5f:58:77:1d:ba:1a:1f:0d:fb:23:55:75:63 root@localhost
The key's randomart image is:
+--[ RSA 2048]----+
| .Eo|
| o..+|
| . . . + . .|
| . + = . . = . |
| + + S . + o |
| . . + + |
| . . o o |
| . . |
| |
+-----------------+
[root@localhost ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub [email protected]
The authenticity of host '172.25.80.100 (172.25.80.100)' can't be established.
ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.
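## ssh-copy-id ##command that installs the key on the server
## -i ##specifies the key
## /root/.ssh/id_rsa.pub ##the key (the public key file)
## root ##user the key is installed for
## 172.25.80.100 ##host IP
After generating the keys, copy the private key to the client, into the .ssh/ directory under the home directory of the user that will make the connection.
The scp command can be used to copy over the network
[kiosk@foundation80 ~]$ scp [email protected]:/root/.ssh/id_rsa ~/.ssh/ ##On the client, download the private key file from the server
[email protected]'s password: ##into the .ssh/ directory under the home directory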
id_rsa 100% 1675 1.6KB/s 00:00
[root@localhost ~]# scp ~/.ssh/id_rsa [email protected]:/home/kiosk/.ssh/ ##On the server, upload the private key file
The authenticity of host '172.25.80.250 (172.25.80.250)' can't be established. ##to the .ssh directory under a user's home directory on the client
ECDSA key fingerprint is 05:eb:75:10:96:04:ec:c6:f4:28:ed:d0:fd:73:85:31.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.25.80.250' (ECDSA) to the list of known hosts.
[email protected]'s password:
id_rsa 100% 1675 1.6KB/s 00:00
[kiosk@foundation80 .ssh]$ ssh [email protected]
Last login: Fri Apr 13 11:03:46 2018 from 172.25.80.250
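##The private key has been copied into the .ssh directory under the kiosk user's home directory; logging in to the server from the kiosk user's environment now needs no password and connects directly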
[root@localhost ~]# rm -rf /root/.ssh/authorized_keys
[root@localhost ~]# exit
logout
Connection to 172.25.80.100 closed.
[kiosk@foundation80 .ssh]$ ssh [email protected]
[email protected]'s password:
Last login: Fri Apr 13 11:13:52 2018 from 172.25.80.250
##After the authorized_keys file is deleted, the key file on the client no longer works
[root@localhost ~]# cp /root/.ssh/id_rsa.pub /root/.ssh/authorized_keys
[root@localhost ~]# exit
logout
Connection to 172.25.80.100 closed.
[kiosk@foundation80 .ssh]$ ssh [email protected]
Last login: Fri Apr 13 11:17:17 2018 from 172.25.80.250
[root@localhost ~]#
##After the lock file (authorized_keys) is regenerated, the key file on the client works again