第六章 SSH远程服务介绍

时间 2020-08-18

标签第六 ssh 远程服务介绍繁體版

原文原文链接

1、相关介绍

1.简介
SSH是一个安全协议，在进行数据传输时，会对数据包进行加密处理，加密后在进行数据传输。确保了数据传输安全。那SSH服务主要功能有哪些呢？
1)提供远程链接的服务
linux远程链接： ssh telnet
windows的远程链接： RDP (remote desktop)、向日葵、teamviewer
2)对传输数据进行加密linux

2.ssh和telnet
1）使用telnet链接服务器
#安装telnet服务
[root@NFS ~]# yum install -y telnet-serverweb

#启动
[root@NFS ~]# systemctl start telnet.socketshell

#telnet只支持普通用户登陆，建立用户
[root@NFS ~]# useradd lhd
[root@NFS ~]# echo 123 | passwd --stdin lhd
Changing password for user lhd.
passwd: all authentication tokens updated successfully.vim

#链接测试
[c:\~]$ telnet 10.0.0.31 23
Connecting to 10.0.0.31:23...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.windows

Kernel 3.10.0-957.el7.x86_64 on an x86_64
NFS login: lhd
Password: 123
[lhd@NFS ~]$ su -安全

#筛选去重命令
[root@NFS ~]# echo "vviimm //eettcc//ssyyssccoonnffiigg//nneettwwoorrkk--ssccrriippttss//iiffccffgg--eetthh00" | sed -nr 's#(.)(.)#\1#gp'
vim /etc/sysconfig/network-scripts/ifcfg-eth0服务器

2）ssh和telnet二者区别
#telnet:
不能使用root用户登陆，只能使用普通用户
数据包没有进行加密，传输都是明文的

#ssh:
可使用任意用户登陆
数据传输都是加密的网络

2、ssh相关命令

1.ssh客户端和服务端
SSH有客户端与服务端，咱们将这种模式称为C/S架构，ssh客户端支持Windows、Linux、Mac等平台。
在ssh客户端中包含 ssh|slogin远程登录、scp远程拷贝、sftp文件传输、ssh-copy-id秘钥分发等应用程序。

2.ssh命令
[root@web01 ~]# ssh root@172.16.1.31 -p 22

#命令拆分
ssh    #命令
root   #系统用户（若是不写，就使用当前服务器的当前用户）
@    #分隔符
172.16.1.31  #远程主机的IP
-p     #指定端口（终端不支持）
22    #端口（默认22）

-o StrictHostKeyChecking=no  #首次访问时不验证身份

3.xshell链接不上虚拟机怎么办？
1)查网络
ping ip
tcping ip port

2)查端口
telnet
tcping ip port

3)检查网卡是否启动
ip a

4)虚拟网络编辑器
查看子网IP和网关

5)查看windows虚拟网卡
vmnat8

6)防火墙

3、scp命令

1.简介
scp客户端命令：远程拷贝
相似于rsync，scp全量，rsync增量
scp支持推和拉

2.scp推
#把当前目录下的hostname_ip.sh文件推送到172.16.1.31机器的/tmp目录下
[root@web01 ~]# scp hostname_ip.sh 172.16.1.31:/tmp

#注意：
 与rsync不一样，推送时不管是加 / 仍是不加 / ，推送的都是目录
 若是想推送目录下的文件，则使用 *
 
3.scp拉
[root@web01 ~]# scp 172.16.1.31:/tmp/1.txt ./

#注意：
 与rsync不一样，拉取时不管是加 / 仍是不加 / ，拉取的都是目录
 若是想拉取目录下的文件，则使用 *
 
4.经常使用参数
-P 指定端口，默认22端口可不写
-r 表示递归拷贝目录
-p 表示在拷贝文件先后保持文件或目录属性不变
-l 限制传输使用带宽(默认kb)

[root@web01 /tmp]# scp -l 8096 1.txt 172.16.1.31:/tmp/
root@172.16.1.31's password: 
1.txt    12%   64MB   1.0MB/s   07:19 ETA

5.总结
1)scp经过ssh协议加密方式进行文件或目录拷贝。
2)scp链接时的用户做为为拷贝文件或目录的权限。
3)scp支持数据推送和拉取，每次都是全量拷贝，效率较低。

4、sftp命令

1.终端链接

#文件传输命令

sftp:/root>

#下载文件

sftp:/root> get hostname_ip.sh

Fetching /root/hostname_ip.sh to hostname_ip.sh

sftp: received 497 ؖ½ؠin 0.01 seconds

#上传文件

sftp:/root> put

2.服务器之间链接

#链接

[root@web01 ~]# sftp root@172.16.1.31

root@172.16.1.31's password:

Connected to 172.16.1.31.

#操做远程链接过去的机器

sftp> pwd

Remote working directory: /root

sftp> ls -l

-rw-------    1 root     root         1429 Jul  6 02:17 anaconda-ks.cfg

-rw-r--r--    1 root     root          497 Aug  5 20:15 hostname_ip.sh

-rw-r--r--    1 root     root       727290 Aug 15 01:15 sersync2.5.4_64bit_binary_stable_final.tar.gz

#若是想操做本机，则在命令前加一个 l

sftp> lls -l

total 8

-rw-r--r--  1 root root    0 Aug 18 00:25 1.txt

-rw-------. 1 root root 1429 Jul  6 02:17 anaconda-ks.cfg

-rw-r--r--. 1 root root  497 Aug  5 20:15 hostname_ip.sh

#拉取命令

sftp> get 1.txt ./

#当使用拉取命令的时候，前面的是远程服务器，后面的是本地服务器

#推送命令

sftp> put 1.txt ./

#当使用put的时候，前面的是本地服务器，后面的是远程服务器

3.文件传输工具

#图形化工具

1)xftp

2)filezilla

3)flashfxp

4.命令对比

#rz/sz:

 1)不能上传4G以上的文件

 2)不能断点续传

 3)不能上传文件夹

#sftp:

 1)能上传大于4G的文件

 2)能断点续传

 3)能够上传文件夹

5、ssh验证方式

1.方式一：基于用户名密码远程链接
#须要知道服务器的IP，端口，系统用户，用户密码才能连接远程主机
[root@NFS ~]# ssh root@172.16.1.7 -p 2222
root@172.16.1.7's password: 
Last login: Tue Aug 18 00:44:33 2020 from 10.0.0.1
[root@web01 ~]#

#设置密码
1）复杂的密码（容易忘记）
2）简单的密码（容易被破解）
3）每台机器密码都不同
4）密码是动态的
5）密码三个月一变
6）密码错误三次，锁定用户
7）密码确定是没有规律的

2.基于密钥的方式
默认状况下，经过ssh客户端命令登录远程服务器，须要提供远程系统上的账号与密码，但为了下降密码泄露的机率和提升登录的方便性，建议使用密钥验证方式。

1）生成密钥对
[root@web01 ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:n618dqJXK1Z1mvHcv31VadZTBwni3gXEghWSp9+HTj4 root@web01
The key's randomart image is:
+---[RSA 2048]----+
|       .++++..o |
|       ooo.... o|
|         o.. . =|
|       .. . ..==|
|       S.....oB=|
|         ..o+ * =|
|         o+.+ .o|
|         . .E o +|
|          +* = .+|
+----[SHA256]-----+

2）将公钥发送至免密登陆的服务器
#方式一：手动复制

[root@web01 ~]# cat .ssh/id_rsa.pub   #查看公钥
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDbOLFAuHJy6xtGOBFIWALpyWNyR3ixgULtv9uVMELre1iVv6S/fBT3YqKR6naX1y1oyhWBD6njMhXDANuG9OQ/ABTHrgOJrF5JMY1AS9jI5DrMaIdfoBXcmck6RuID5yddlLiA6VdeHI8ndtth7bu6Ed50otviNbzF7NG7chX9oGbju6uGMY12pb0BKCtJaJ9qycGJOZCi8OyrIycJBexsiC+DYOwvXjmtdRtf7KNBnHSDDEIsywQNku1/WXUE0l4CMoZ/zjgO19fdxfdbCT4qAWTz0r9CDUzhEFIVZgz73KLahy+IXIhNupHXf0VcrS3h11rWDUrOeIw2oIZHEPz3 root@web01

#将公钥写到要链接的机器
[root@NFS ~]# vim .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDbOLFAuHJy6xtGOBFIWALpyWNyR3ixgULtv9uVMELre1iVv6S/fBT3YqKR6naX1y1oyhWBD6njMhXDANuG9OQ/ABTHrgOJrF5JMY1AS9jI5DrMaIdfoBXcmck6RuID5yddlLiA6VdeHI8ndtth7bu6Ed50otviNbzF7NG7chX9oGbju6uGMY12pb0BKCtJaJ9qycGJOZCi8OyrIycJBexsiC+DYOwvXjmtdRtf7KNBnHSDDEIsywQNku1/WXUE0l4CMoZ/zjgO19fdxfdbCT4qAWTz0r9CDUzhEFIVZgz73KLahy+IXIhNupHXf0VcrS3h11rWDUrOeIw2oIZHEPz3 root@web01

#受权
[root@NFS ~]# chmod 600 .ssh/authorized_keys

#链接测试
[root@web01 ~]# ssh 172.16.1.31
Last failed login: Tue Aug 18 00:51:38 CST 2020 from 10.0.0.1 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Mon Aug 17 23:39:28 2020 from 172.16.1.7

#方式二：命令推送公钥

[root@web01 ~]# ssh-copy-id -i .ssh/id_rsa.pub root@172.16.1.41   #命令推送公钥
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_rsa.pub"
The authenticity of host '172.16.1.41 (172.16.1.41)' can't be established.
ECDSA key fingerprint is SHA256:mOtCaBS+53EDW9mKoXVj4v5Q1E1fYB0DexMHr/WzTc4.
ECDSA key fingerprint is MD5:75:12:f6:05:4c:5d:66:6f:21:0d:8e:0f:fc:bb:36:d6.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@172.16.1.41's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@172.16.1.41'"
and check to make sure that only the key(s) you wanted were added.

[root@web01 ~]#

#链接测试
[root@web01 ~]# ssh 172.16.1.41
Last login: Mon Aug 17 23:32:44 2020 from 10.0.0.1

6、做业

1.需求

1.恢复快照
2.m01链接web01,backup,NFS作免密登陆
3.链接的用户是名字的缩写

2.环境准备

主机	角色	IP
m01	免密登陆	10.0.0.61
backup	备份服务器	10.0.0.41
NFS	NFS服务器	10.0.0.31
web01	web服务器	10.0.0.7

3.建立统一用户

[root@m01 ~]# useradd jh
[root@m01 ~]# passwd jh
Changing password for user jh.
New password: 
BAD PASSWORD: The password is a palindrome
Retype new password: 
passwd: all authentication tokens updated successfully.

[root@web01 ~]# useradd jh
[root@文web01 ~]# passwd jh
Changing password for user jh.
New password: 
BAD PASSWORD: The password is a palindrome
Retype new password: 
passwd: all authentication tokens updated successfully.

[root@NFS ~]# useradd jh
[root@NFS ~]# passwd jh
Changing password for user jh.
New password: 
BAD PASSWORD: The password is a palindrome
Retype new password: 
passwd: all authentication tokens updated successfully.

[root@backup ~]# useradd jh
[root@backup ~]# passwd jh
Changing password for user jh.
New password: 
BAD PASSWORD: The password is a palindrome
Retype new password: 
passwd: all authentication tokens updated successfully.

4.m01配置backup免密登陆

1.切换用户
[root@m01 ~]# su - jh

2.生成验证树
[jh@m01 ~]$ ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/home/jh/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/jh/.ssh/id_rsa.
Your public key has been saved in /home/jh/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:Km6/mnGgGEZs5tc1sU9Qf6mzTyMZo5LCPRduDgEQIXw jh@m01
The key's randomart image is:
+---[RSA 2048]----+
|.. +o o..       |
|...E.   + .   . |
| =. . + . . o   |
|=   . o +   o   |
|.o ... .So =     |
|.o......+ o *   |
|. . ooo* = + o   |
|   ..=. B   + . |
|   .+oo. .   .   |
+----[SHA256]-----+

3.命令推送密钥
[jh@m01 ~]$ ssh-copy-id  -i .ssh/id_rsa.pub jh@10.0.0.41
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_rsa.pub"
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
jh@10.0.0.41's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'jh@10.0.0.41'"
and check to make sure that only the key(s) you wanted were added.

5.m01配置NFS免密登陆

1.命令推送密钥
[jh@m01 ~]$ ssh-copy-id  -i .ssh/id_rsa.pub jh@10.0.0.31
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_rsa.pub"
The authenticity of host '10.0.0.31 (10.0.0.31)' can't be established.
ECDSA key fingerprint is SHA256:g6buQ4QMSFl+5MMAh8dTCmLtkIfdT8sgRFYc6uCzV3c.
ECDSA key fingerprint is MD5:5f:d7:ad:07:e8:fe:d2:49:ec:79:2f:d4:91:59:c5:03.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
jh@10.0.0.31's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'jh@10.0.0.31'"
and check to make sure that only the key(s) you wanted were added.

5m01配置web01免密登陆

1.命令推送密钥
[jh@m01 ~]$ ssh-copy-id  -i .ssh/id_rsa.pub jh@10.0.0.7
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_rsa.pub"
The authenticity of host '10.0.0.7 (10.0.0.7)' can't be established.
ECDSA key fingerprint is SHA256:g6buQ4QMSFl+5MMAh8dTCmLtkIfdT8sgRFYc6uCzV3c.
ECDSA key fingerprint is MD5:5f:d7:ad:07:e8:fe:d2:49:ec:79:2f:d4:91:59:c5:03.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
jh@10.0.0.7's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'jh@10.0.0.7'"
and check to make sure that only the key(s) you wanted were added.

6.测试

1.m01免密登陆web01测试链接
[jh@m01 ~]$ ssh jh@10.0.0.7
Last login: Mon Aug 17 19:28:43 2020 from 10.0.0.61
[jh@web01 ~]$ logout
Connection to 10.0.0.7 closed.架构

2.m01免密登陆NFS测试链接
[jh@m01 ~]$ ssh jh@10.0.0.31
Last login: Mon Aug 17 19:25:58 2020 from 10.0.0.61
[jh@NFS ~]$ logout
Connection to 10.0.0.31 closed.dom

3.m01免密登陆backup测试链接
[jh@m01 ~]$ ssh jh@10.0.0.41
Last login: Mon Aug 17 19:24:11 2020 from 10.0.0.61
[jh@backup ~]$ logout
Connection to 10.0.0.41 closed.

4.退出登陆
[jh@m01 ~]$