########################################################
######################第九单元###########################
########################################################
1.什么是openssh
openssh是一个提供远程访问控制的软件或工具。
ssh(secure shell)由IETF制定,是建立在应用层和传输层基础上的一种安全协议,使用tcp 22端口。
ssh传输数据是加密的,保障数据安全;ssh传输数据是经过压缩的,加快了传输速度。
ssh -X root@172.25.254.9 ###开启图形模式
2.如何实现远程访问
格式:ssh 远程主机用户@远程主机ip地址
ssh root@172.25.254.1
The authenticity of host '172.25.254.1 (172.25.254.1)' can't be established.
ECDSA key fingerprint is 55:dd:43:ce:bf:94:dd:91:49:e7:97:29:63:3d:02:02.
Are you sure you want to continue connecting (yes/no)? yes ###建立安全传输key
root@172.25.254.1's password: ###密码输入没有回显
Last failed login: Sun Oct 11 16:56:29 CST 2015 from 172.25.254.206 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Sun Oct 11 16:55:46 2015 from 172.25.254.206
[root@foundation1 ~]# ###登陆成功
[root@foundation1 ~]# logout ###退出,ctrl +d 或logout
Connection to 172.25.254.1 closed.
注:登录成功之后在/root/.ssh/know_hosts中被记录。
/etc/motd ###motd文件用于设定登陆显示字符,可告知用户相关活动信息。
补充:
/etc/issue ##issue文件显示登录在login的提示符(/etc/issue.net是远程登录显示的)
issue内的各代码意义:
\l ##显示第几个终端接口
\m ##显示硬件的等级
\n ##显示主机的网络名称
\o ##显示domain name
\r ##显示操作系统的版本
\t ##显示本地端的时间
\d ##显示星期、月、日、年
\s ##显示操作系统的名称
#####################ssh的key认证######################
1.生成key
[test@foundation0 ~]$ ssh-keygen ###生成公钥和私钥的工具
Generating public/private rsa key pair.
Enter file in which to save the key (/home/test/.ssh/id_rsa):『enter』 ###指定加密字符保存文件,使用默认
Created directory '/home/test/.ssh'.
Enter passphrase (empty for no passphrase): ###密码,必须大于4位
Enter same passphrase again:
Your identification has been saved in /home/test/.ssh/id_rsa.
Your public key has been saved in /home/test/.ssh/id_rsa.pub.
The key fingerprint is: ###确认密码
a5:4f:02:51:68:59:f4:e8:e3:c5:91:1f:6f:86:99:06 test@foundation0.ilt.example.com
The key's randomart p_w_picpath is:
+--[ RSA 2048]----+
| . *+ |
| +. o . |
| . . . E . |
| o + + * |
| S + * + |
| . * . o |
| . . |
| |
| |
+------------------------+
[test@foundation0 .ssh]$ pwd
/home/test/.ssh ###生成密钥存放位置(root的话,在/root/.ssh)
[test@foundation0 .ssh]$ ls
id_rsa id_rsa.pub ###id_rsa为私钥,id_rsa.pub为公钥
2.使用key加密目标主机的目标用户
[test@foundation0 ~]$ ssh-copy-id -i /home/test/.ssh/id_rsa.pub westos@172.25.254.100
The authenticity of host '172.25.254.100 (172.25.254.100)' can't be established.
ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
westos@172.25.254.100's password: ###确认密码
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'westos@172.25.254.100'"
and check to make sure that only the key(s) you wanted were added.
内容解释:
ssh-copy-id -i ####上传key的工具,-i指定使用的公钥的路径位置
/home/test/.ssh/id_rsa.pub ####公钥的路径位置
westos ####被管理的目标用户
172.25.254.100 ####被管理用户所在主机的ip
authorized_keys ###此文件在目标用户家目录的.ssh中,这个文件就是目标用户被加密的标识,可以进去查看
总结:
1)ssh-keygen ##运行结束后会在/home/.ssh目录下生成id_rsa id_rsa.pub
2)ssh-copy-id -i /公钥的路径 user@host ##将公钥复制到远程主机的authorized_keys文件中
3)登录远程主机不需要密码
3.sshd服务的简单配置
/etc/ssh/sshd_config ###sshd服务的配置文件
48 PermitRootLogin yes|no ###48行,是否允许root用户通过sshd的认证
78 PasswordAuthentication yes|no ###78行,开启或关闭用户密码认证登录
AllowUsers student ###用户白名单,只允许在名单中出现的用户使用sshd服务
systemctl restart sshd ###重新加载配置
eg1:vim /etc/ssh/sshd_config ##编辑/etc/ssh/sshd_config文件
添加AllowUsers student ##那么其他远程连接只能连接student@172.25.8.10
systemctl restart sshd ##重新加载配置
eg2:scp /决对路径/id_rsa westos@172.25.8.11:/绝对路径下的.ssh(把钥匙发给目标主机)
切换到目标主机root更改vim /etc/ssh/sshd_config(78行取消原来密码登陆)
systemctl restart sshd重新加载配置,使用另一个虚拟机里的root或student用户远程连接
