Common SSH categories:
OpenSSH is used to run a shell securely on a remote system. If you have a user account on a remote Linux system that offers the ssh service, ssh is the command normally used to log in to that system remotely. The ssh command can also be used to run commands on the remote system.
SSH has two versions:
OpenSSH has two authentication methods:
OpenSSH works on a client/server (C/S) architecture.
# Server side: sshd, configured in /etc/ssh/sshd_config
# Client side: ssh, configured in /etc/ssh/ssh_config
ssh-keygen   # key generator
ssh-copy-id  # transfers the public key to the remote server
scp          # secure copy tool between hosts
Users can authenticate an ssh login with public-key authentication. ssh allows users to authenticate with a private/public key scheme, which means two keys are generated: a private key and a public key. The private key file serves as the authentication credential and, like a password, must be kept safe. The public key is copied to the systems the user wants to log in to and is used to verify the private key; it does not need to be kept secret. An ssh server that holds the public key can pose a challenge that only a system holding your private key can answer, so authentication is based on possession of the key. As a result, there is no need to type a password on every access to the system, yet security is still assured.
Keys are generated with the ssh-keygen command, which produces both the private key and the public key.
Note
When generating the key, the system offers the option to specify a passphrase, which must then be supplied whenever the private key is accessed. If the private key is stolen, it is very hard for anyone other than its owner to use it, because it is protected by the passphrase. This leaves enough time to generate a new key pair and remove everything that involves the old key before an attacker can break and use the private key.
Once generated, the keys are stored by default in the .ssh/ folder under the home directory.
The private key and the public key should have permissions 600 and 644 respectively. The .ssh/ directory must have permissions 700.
Before key-based authentication can be used, the public key must be copied to the target system. This is done with ssh-copy-id.
When ssh-copy-id copies a key to another system, it copies the ~/.ssh/id_rsa.pub file by default.
# Generate the key pair
[root@Lynk ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:kKfhcqCOlPwsS9Nb3OILPRTU4MHr0bprs/A7sPrTs08 root@Lynk
The key's randomart image is:
+---[RSA 2048]----+
| .+o             |
| o..o            |
| .o* .           |
|. .. =.*         |
| +. o.* S        |
|.o+.+=.          |
|.+.*+*.E         |
|. +oBB+          |
| ooooO@.         |
+----[SHA256]-----+
# Copy the public key to the server
[root@Lynk ~]# ssh-copy-id root@192.168.26.129
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.26.129 (192.168.26.129)' can't be established.
ECDSA key fingerprint is SHA256:bpCNTMSwW5iFAtt2aAQ9QNrdd1ojBZDCMLsA0wJ/K3k.
ECDSA key fingerprint is MD5:1a:34:7a:fb:dd:cf:ff:ea:68:ae:3f:2f:87:ed:2c:78.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.26.129's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@192.168.26.129'"
and check to make sure that only the key(s) you wanted were added.
# Log in to the server
[root@Lynk ~]# ssh root@192.168.26.129
Last login: Mon Jan  7 07:05:25 2019 from 192.168.26.1
[root@LynkSer ~]#
After the service is set up, we may also need to enable the firewall to keep the host secure. In that case we should add a rich rule to the firewall so that our ssh service can pass through it.
# Block inbound ssh
[root@LynkSer ~]# firewall-cmd --remove-service=ssh --permanent
success
[root@LynkSer ~]# firewall-cmd --reload
success
# The remote host can no longer reach this host over ssh
[root@Lynk ~]# ssh root@192.168.26.129
ssh: connect to host 192.168.26.129 port 22: No route to host
# Add a rich rule that allows ssh from the trusted network
[root@LynkSer ~]# firewall-cmd --add-rich-rule 'rule family=ipv4 source address=192.168.26.128/24 service name=ssh accept' --permanent
success
# Reload the firewall so the configuration takes effect
[root@LynkSer ~]# firewall-cmd --reload
success
# Try connecting to this host again
[root@Lynk ~]# ssh root@192.168.26.129
Last login: Mon Jan  7 07:38:11 2019 from 192.168.26.128
# It worked; log out
[root@LynkSer ~]# exit
logout
Connection to 192.168.26.129 closed.
The OpenSSH server usually needs no modification, but it offers additional security measures: every aspect of the OpenSSH server can be adjusted in the configuration file /etc/ssh/sshd_config.
# Whether the root user may log in to the system remotely
PermitRootLogin {yes|no}
# Allow root to log in remotely with key-based authentication only
PermitRootLogin without-password
# Whether password authentication is enabled (on by default)
PasswordAuthentication {yes|no}
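To check that a host actually matches the permissions given above (700 for .ssh/, 600 for the private key, 644 for the public key) and the two sshd_config keywords, the following audit script is an added example written for this page, not code from the original post. It assumes GNU stat (Linux) and builds a constructed, hypothetical sample tree so it runs offline; newer OpenSSH releases spell the key-only setting prohibit-password, which the script accepts alongside without-password.

```shell
#!/bin/sh
# Added example, not from the original post: audit the ~/.ssh permissions (700/600/644)
# and the sshd_config keywords the post discusses. Assumes GNU stat (Linux).

# Compare a path's octal mode with the expected value; non-zero status on mismatch.
check_mode() {
    expected="$1"; path="$2"
    actual=$(stat -c '%a' "$path" 2>/dev/null) || { echo "$path: missing"; return 1; }
    [ "$actual" = "$expected" ] || { echo "$path: mode $actual, want $expected"; return 1; }
}

# The layout the post requires: directory 700, private key 600, public key 644.
audit_ssh_dir() {
    dir="$1"; rc=0
    check_mode 700 "$dir"            || rc=1
    check_mode 600 "$dir/id_rsa"     || rc=1
    check_mode 644 "$dir/id_rsa.pub" || rc=1
    return $rc
}

# Effective value of a keyword: sshd uses the first non-comment occurrence (case-insensitive).
sshd_option() {
    awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }' "$2"
}

# Fail unless root is limited to keys (or barred) and password logins are switched off.
audit_sshd_config() {
    cfg="$1"; rc=0
    case "$(sshd_option PermitRootLogin "$cfg")" in
        no|without-password|prohibit-password) ;;  # prohibit-password is the newer spelling
        *) echo "PermitRootLogin: set it to no or without-password"; rc=1 ;;
    esac
    [ "$(sshd_option PasswordAuthentication "$cfg")" = "no" ] ||
        { echo "PasswordAuthentication: set it to no once key logins work"; rc=1; }
    return $rc
}

# Constructed sample tree (hypothetical files) so the audit runs offline; prints its root.
setup_sample() {
    root=$(mktemp -d)
    mkdir -m 700 "$root/.ssh"
    : > "$root/.ssh/id_rsa";     chmod 600 "$root/.ssh/id_rsa"
    : > "$root/.ssh/id_rsa.pub"; chmod 644 "$root/.ssh/id_rsa.pub"
    printf '# constructed sshd_config\nPermitRootLogin without-password\nPasswordAuthentication no\n' \
        > "$root/sshd_config"
    echo "$root"
}

sample=$(setup_sample)
audit_ssh_dir "$sample/.ssh" && audit_sshd_config "$sample/sshd_config" && echo "audit: ok"
```

Point audit_ssh_dir at a real ~/.ssh and audit_sshd_config at /etc/ssh/sshd_config to check a live host.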
# Log in
[root@Lynk ~]# ssh root@192.168.26.129
Last login: Mon Jan  7 07:23:45 2019 from 192.168.26.128
# Log out
[root@LynkSer ~]# exit
logout
Connection to 192.168.26.129 closed.
# Run a single command on the remote server
[root@Lynk ~]# ssh root@192.168.26.129 'echo "I AM LYNK" > /opt/whoami'
[root@Lynk ~]# ssh root@192.168.26.129
Last login: Mon Jan  7 07:24:50 2019 from 192.168.26.128
[root@LynkSer ~]# cat /opt/whoami
I AM LYNK
# List all sessions currently logged in to this host
[root@LynkSer ~]# w
 07:29:10 up 30 min,  3 users,  load average: 0.17, 0.09, 0.07
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     tty1                      07:00   26:06   0.73s  0.19s vim /etc/sysconfig/network-scripts/ifcfg-e
root     pts/0    192.168.26.1     07:05   23:45   0.03s  0.03s -bash
root     pts/1    192.168.26.128   07:29    2.00s  0.08s  0.04s w