SSH Remote Management Service in Practice

SSH overview

SSH is a secure protocol: packets are encrypted before they are sent and the session is integrity-protected, so data in transit can neither be read nor altered by anyone on the path. The server also identifies itself with a host key, which is what the fingerprint prompt on a first connection is checking.

Main functions of the SSH service

1. Remote login to servers (and remote command execution)

2. Encryption of the transmitted data

Differences between the ssh and telnet protocols

ssh encrypts the transmitted data, listens on 22/tcp, and on the CentOS 7 system used here allows root to log in by default (upstream OpenSSH has defaulted to PermitRootLogin prohibit-password since 7.0, so check what your distribution ships)

telnet sends everything, passwords included, in cleartext, listens on 23/tcp, and does not allow root to log in by default

ssh-related commands

Logging in to a remote server with ssh

ssh root@10.0.0.41 -p 22

#root: the account to log in as on the remote server; if omitted, ssh uses the local user name
#@: separator
#10.0.0.41: IP address of the remote host
#-p: remote port; the default is 22, so it can be omitted

ssh root@172.16.1.31 'ifconfig'

Run a command on the remote host without opening an interactive shell: the output is returned and the connection closes. The first connection to any host prints its host key fingerprint and asks for confirmation; compare it with the output of ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub obtained from the target over a trusted channel before answering yes, because accepting an attacker's key lets them read and modify every later session to that address

[root@backup ~]$ ssh root@172.16.1.31 'ifconfig'
The authenticity of host '172.16.1.31 (172.16.1.31)' can't be established.
ECDSA key fingerprint is SHA256:3enksfMN5/ep92kZMkIEC39u/yyFXAX8gO9F83Lm1vE.
ECDSA key fingerprint is MD5:84:3b:b2:f2:ea:31:9f:96:b1:d8:45:2b:13:b7:62:eb.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.1.31' (ECDSA) to the list of known hosts.
root@172.16.1.31's password: 
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.16.1.31  netmask 255.255.255.0  broadcast 172.16.1.255
        inet6 fe80::20c:29ff:fea7:5d90  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:a7:5d:90  txqueuelen 1000  (Ethernet)
        RX packets 2110  bytes 128819 (125.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1098  bytes 68693 (67.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

scp -rp /oldboy/ root@172.16.1.7:/opt

Remote copy (full copy, not incremental) over the ssh protocol: -r copies directories recursively and -p preserves modification times and modes. Because it rides on ssh, the same host key prompt and authentication apply

[root@backup ~]$ scp -rp /oldboy/ root@172.16.1.7:/opt
The authenticity of host '172.16.1.7 (172.16.1.7)' can't be established.
ECDSA key fingerprint is SHA256:3enksfMN5/ep92kZMkIEC39u/yyFXAX8gO9F83Lm1vE.
ECDSA key fingerprint is MD5:84:3b:b2:f2:ea:31:9f:96:b1:d8:45:2b:13:b7:62:eb.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.1.7' (ECDSA) to the list of known hosts.
root@172.16.1.7's password: 
1.txt                                                                         100%    0     0.0KB/s 

[root@web01 ~]$ ll /opt/
total 0
drwxr-xr-x 2 root root 19 Jul  9 19:44 oldboy

SSH authentication methods

Create a key pair (public key and private key)

Public key: the management host hands it to the managed hosts; it is the lock

Private key: what the management host uses to open that lock; it never leaves the management host

#Generate the key pair on the management host (the default here is RSA 2048; ssh-keygen -t ed25519 gives a shorter, faster key; set a passphrase unless the key is used by unattended jobs, so a stolen key file is not immediately usable)
[root@m01 ~]$ ssh-keygen

[root@m01 ~]$ ll .ssh/
total 12
-rw------- 1 root root 1679 Jul  9 10:49 id_rsa        #private key (the key); keep it 600, ssh refuses to use a private key that others can read
-rw-r--r-- 1 root root  390 Jul  9 10:49 id_rsa.pub    #public key (the lock)
-rw-r--r-- 1 root root  682 Jul  9 11:21 known_hosts   #host keys of servers you have connected to: the first connection to a host shows its host key fingerprint and asks for yes; the host name/IP and its public host key are then stored here, later connections are checked against that entry without asking, and a changed key produces a warning instead of a silent connect
[root@m01 ~]$ cat .ssh/known_hosts 
10.0.0.41 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBP2D5teBiqz8QsHoJgZhSjikWfNTj3Z/fsyb+OREmH+ZeNRncYYNvJeGgTOXss9s6tCAbTjGw+i/fQ1UBzhGPpc=
10.0.0.31 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBP2D5teBiqz8QsHoJgZhSjikWfNTj3Z/fsyb+OREmH+ZeNRncYYNvJeGgTOXss9s6tCAbTjGw+i/fQ1UBzhGPpc=
10.0.0.7 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBP2D5teBiqz8QsHoJgZhSjikWfNTj3Z/fsyb+OREmH+ZeNRncYYNvJeGgTOXss9s6tCAbTjGw+i/fQ1UBzhGPpc=
10.0.0.8 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBP2D5teBiqz8QsHoJgZhSjikWfNTj3Z/fsyb+OREmH+ZeNRncYYNvJeGgTOXss9s6tCAbTjGw+i/fQ1UBzhGPpc=
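Note that all four entries above carry the same ecdsa-sha2-nistp256 key, which is what you get when virtual machines are cloned after their host keys were generated: ssh can no longer tell the hosts apart, and a private host key leaked from any one of them lets an attacker impersonate all of them. Regenerate the keys on each clone (rm -f /etc/ssh/ssh_host_* && ssh-keygen -A, then restart sshd) and update known_hosts. The script below is an added example, not part of the original page: it parses known_hosts lines, computes the SHA256 and MD5 fingerprints in the format the first-connection prompt prints, checks that the declared key type matches the type embedded in the key blob, and reports keys presented by more than one host. The sample file is constructed from the four entries above.

```python
"""Parse OpenSSH known_hosts entries, print host-key fingerprints in the two
formats the first-connection prompt shows, and flag host keys shared by several
hosts.  Added example, not from the original page; needs only Python 3."""
import base64
import hashlib
import struct
from collections import defaultdict

# The ecdsa-sha2-nistp256 host-key blob from the known_hosts listing above.
HOST_KEY_BLOB = (
    "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBP2D5teBiqz8QsHoJgZhSjik"
    "WfNTj3Z/fsyb+OREmH+ZeNRncYYNvJeGgTOXss9s6tCAbTjGw+i/fQ1UBzhGPpc="
)

# Constructed sample file: the four entries above, plus a comment and a blank line.
SAMPLE_KNOWN_HOSTS = "\n".join(
    f"{host} ecdsa-sha2-nistp256 {HOST_KEY_BLOB}"
    for host in ("10.0.0.41", "10.0.0.31", "10.0.0.7", "10.0.0.8")
) + "\n# comments and blank lines are ignored\n\n"


def parse_known_hosts(text):
    """Return a list of (hosts, key_type, key_blob_bytes).

    Format per line: [@marker] host[,host...] key-type base64-blob [comment].
    Hashed host names (|1|salt|hash) are kept verbatim since they cannot be
    reversed; @cert-authority / @revoked markers are stepped over."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):
            fields = fields[1:]
        if len(fields) < 3:
            raise ValueError(f"malformed known_hosts line: {raw!r}")
        hosts, key_type, b64 = fields[0].split(","), fields[1], fields[2]
        entries.append((hosts, key_type, base64.b64decode(b64, validate=True)))
    return entries


def embedded_key_type(blob):
    """The blob is a sequence of length-prefixed SSH strings; the first one
    repeats the key type, so a mismatch means a corrupted or tampered line."""
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode("ascii")


def fingerprint_sha256(blob):
    """SHA256:<base64 without padding>, as in 'ECDSA key fingerprint is SHA256:...'."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_md5(blob):
    """MD5:xx:xx:..., the legacy form older clients print alongside SHA256."""
    return "MD5:" + ":".join(f"{byte:02x}" for byte in hashlib.md5(blob).digest())


def shared_host_keys(entries):
    """Map SHA256 fingerprint -> hosts for every key presented by more than one host."""
    hosts_by_key = defaultdict(list)
    for hosts, key_type, blob in entries:
        if embedded_key_type(blob) != key_type:
            raise ValueError(f"{hosts}: declared {key_type}, blob says {embedded_key_type(blob)}")
        hosts_by_key[fingerprint_sha256(blob)].extend(hosts)
    return {fp: hosts for fp, hosts in hosts_by_key.items() if len(hosts) > 1}


if __name__ == "__main__":
    parsed = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    for hosts, key_type, blob in parsed:
        print(",".join(hosts), key_type, fingerprint_sha256(blob), fingerprint_md5(blob))
    for fp, hosts in shared_host_keys(parsed).items():
        print(f"WARNING: {fp} is presented by {len(hosts)} hosts: {', '.join(hosts)}")
```

To audit a real file, read ~/.ssh/known_hosts into parse_known_hosts. Verifying a host before answering yes is a separate step: get ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub (add -E md5 for the MD5 form) from the server over a trusted channel and compare it with the prompt; this script only shows what was already accepted.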

#Send the public key to the managed host; ssh-copy-id logs in with that account's password once and installs the key
[root@m01 ~]$  ssh-copy-id -i ~/.ssh/id_rsa.pub root@10.0.0.41

#On the managed host, after the public key has been saved
[root@backup ~]$ ll .ssh/
total 8
-rw------- 1 root root 390 Jul  9 10:53 authorized_keys		#the file holding the public keys allowed to log in as this user
-rw-r--r-- 1 root root 345 Jul  9 19:45 known_hosts

What ssh-copy-id does for us on the managed host

# 1. Creates a .ssh directory in the target user's home on the managed host
mkdir ~/.ssh

# 2. Sets the permissions of the .ssh directory to 700
chmod 700 ~/.ssh

# 3. Appends the public key to .ssh/authorized_keys, creating the file if it does not exist
[root@backup ~]$ cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCu8ecP9QulOO45n79fI2oDFW8VQsfvDTCZBnAJm9sqU97QhBwqHs7fCLs5bgIMh7OEwNXQVQqHBLO1gCQVbU5D1YWpR7xnL0+lOevpvk48D5JVO3KvHO86Cg4CNk7Yergf/DqMZf0WB9UtNNmiE+wrYdbbtbsKAvYQye4/MZ7IklZcWZ2l4lHikz3gJsxTdpTvDFZO/aBfKef5qoxpx9r9L6BB0cfwIueah/gUhsTacWdgApYSZgTsb05XxFxYTnfxeOkWSGjZ8lI4g27hrqhpobueU5lx7PU+QFd6PoKUgWYLSFGKt5SWrMVsPKMmr4WqhZL/OUEkIxB2Ro3pgigl root@m01

# 4. Sets the permissions of authorized_keys to 600 (with StrictModes yes, the default, sshd refuses the file if it, ~/.ssh or the home directory is group- or world-writable)
chmod 600 ~/.ssh/authorized_keys
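The four steps above, reproduced locally as an added example (not ssh-copy-id's own code, which is a shell script, and not over ssh): the target home directory is a parameter, the sample public-key line is a constructed placeholder, and the script adds the check that explains why the modes matter: with StrictModes on, a world- or group-writable home directory, .ssh or authorized_keys makes key login fail with a "bad ownership or modes" message in the server log while the client only sees a password prompt. It also shows the client-side rule behind the 600 on id_rsa.

```python
"""Do locally what ssh-copy-id does on the managed host, so the permission
rules behind steps 1-4 can be checked.  Added example, not ssh-copy-id's own
code; it assumes a POSIX filesystem and takes the target home directory as a
parameter instead of going over ssh."""
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Constructed sample public-key line; the base64 part is a placeholder, not real key material.
SAMPLE_PUBKEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderNotARealKeyAAAAAAAAAAAAAAAA root@m01"


def install_authorized_key(home, pubkey_line):
    """Steps 1-4 from the text. Returns True if the key was appended, False if
    the same line was already present (ssh-copy-id also avoids duplicates)."""
    ssh_dir = Path(home) / ".ssh"
    ssh_dir.mkdir(mode=0o700, exist_ok=True)          # 1. create ~/.ssh
    ssh_dir.chmod(0o700)                               # 2. mkdir honours umask, so force 700
    auth = ssh_dir / "authorized_keys"
    key = " ".join(pubkey_line.split())                # normalise whitespace for comparison
    present = set()
    if auth.exists():
        present = {" ".join(l.split()) for l in auth.read_text().splitlines()}
    added = key not in present
    if added:
        with auth.open("a") as fh:                     # 3. append; never overwrite other admins' keys
            fh.write(key + "\n")
    auth.chmod(0o600)                                  # 4. only the owner may read or change it
    return added


def strict_modes_problems(home):
    """Why steps 2 and 4 matter: with StrictModes yes (the default) sshd refuses
    to use authorized_keys when the home directory, ~/.ssh or the file itself is
    group- or world-writable.  Returns the offending paths."""
    home = Path(home)
    problems = []
    for path in (home, home / ".ssh", home / ".ssh" / "authorized_keys"):
        if not path.exists():
            problems.append(f"{path}: missing")
        elif os.stat(path).st_mode & 0o022:
            problems.append(f"{path}: group/world writable")
    return problems


def private_key_too_open(path):
    """Client side, the reason id_rsa is 600: ssh ignores a private key that
    is readable by group or others ('Permissions ... are too open')."""
    return bool(os.stat(path).st_mode & 0o077)


def demo():
    """Run the procedure in a throw-away home directory; return what was observed."""
    home = Path(tempfile.mkdtemp())                    # created with mode 700
    try:
        first = install_authorized_key(home, SAMPLE_PUBKEY)
        second = install_authorized_key(home, SAMPLE_PUBKEY)   # same key again
        auth = home / ".ssh" / "authorized_keys"
        result = {
            "added_first_time": first,
            "added_second_time": second,
            "lines_in_authorized_keys": len(auth.read_text().splitlines()),
            "ssh_dir_mode": stat.S_IMODE(os.stat(home / ".ssh").st_mode),
            "authorized_keys_mode": stat.S_IMODE(os.stat(auth).st_mode),
            "problems_after_install": strict_modes_problems(home),
        }
        auth.chmod(0o666)                              # the classic mistake
        result["problems_after_chmod_666"] = strict_modes_problems(home)
        private_key = home / ".ssh" / "id_ed25519"
        private_key.write_text("placeholder, not a key\n")
        private_key.chmod(0o644)
        result["private_key_644_too_open"] = private_key_too_open(private_key)
        private_key.chmod(0o600)
        result["private_key_600_too_open"] = private_key_too_open(private_key)
        return result
    finally:
        shutil.rmtree(home)


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, oct(value) if name.endswith("_mode") else value)
```

Running install_authorized_key twice with the same key leaves a single line, which is the behaviour to keep when several administrators push keys to the same account; strict_modes_problems is what to run on a managed host when a key login unexpectedly falls back to asking for a password.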

SSH tuning (sshd_config)

[root@m01 ~]$ vim /etc/ssh/sshd_config 
#Listening port (moving it off 22 only reduces log noise from scanners; it is not a security control)
Port 22

#Root login: the commented-out line shows this build's default, yes on this CentOS 7 box. Once key login works, set PermitRootLogin prohibit-password (keys only) or no
#PermitRootLogin yes

#Password login: leave yes until the public key has been copied and tested, then set it to no so that only key-based logins are accepted
PasswordAuthentication yes

#GSSAPI (Kerberos) authentication: disabling it removes a slow and, without Kerberos, pointless authentication attempt at every login
GSSAPIAuthentication no

#Reverse DNS lookup of the client address: disabling it avoids a login delay when DNS is slow or broken
UseDNS no

#sshd applies the first occurrence of each keyword, so edit the existing line rather than appending a second one at the end of the file

Check the configuration for syntax errors, then restart the ssh service; keep the current session open until a fresh login has succeeded
[root@m01 ~]$ sshd -t
[root@m01 ~]$ systemctl restart sshd
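To see which values sshd will actually apply, read the file the way sshd does. The script below is an added example, not from this page or from OpenSSH: it parses a constructed sshd_config in the style of the CentOS 7 default, reports the two weak settings discussed above (root login allowed, password login enabled), and rewrites them to the values to use once key login works. The sample deliberately contains a second PasswordAuthentication line that sshd ignores because the first occurrence of a keyword wins, which is the usual reason a hardening line appended to the end of the file has no effect.

```python
"""Read sshd_config the way sshd does and audit/harden the settings above.
Added example, not from the page.  The sample config is constructed to look
like the CentOS 7 default; run the real thing against /etc/ssh/sshd_config."""
import re
import sys

SAMPLE_SSHD_CONFIG = """\
# constructed sample in the style of the CentOS 7 default file
Port 22
#PermitRootLogin yes
PasswordAuthentication yes
GSSAPIAuthentication no
UseDNS no
# a second occurrence is silently ignored by sshd, the first one above wins:
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
"""

# Settings whose listed values weaken authentication.
WEAK = {
    "permitrootlogin": {"yes"},
    "passwordauthentication": {"yes"},
}
# What to set once key-based login has been tested ("no" for PermitRootLogin is stricter still).
HARDENED = (("PasswordAuthentication", "no"), ("PermitRootLogin", "prohibit-password"))


def _split(line):
    """('keyword', 'value') for an active line, None for blanks and comments.
    Keywords are case-insensitive and may be followed by whitespace or '='."""
    s = line.strip()
    if not s or s.startswith("#"):
        return None
    parts = re.split(r"\s*=\s*|\s+", s, maxsplit=1)
    return parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")


def parse_global_options(text):
    """First occurrence wins; everything from the first Match block on is
    conditional and not part of the global settings."""
    options = {}
    for line in text.splitlines():
        kv = _split(line)
        if kv is None:
            continue
        key, value = kv
        if key == "match":
            break
        options.setdefault(key, value)
    return options


def audit(text):
    """Findings for the weak settings; an unset keyword means the compiled-in
    or distribution default applies, which only `sshd -T` shows reliably."""
    options = parse_global_options(text)
    findings = []
    for key, bad in WEAK.items():
        value = options.get(key)
        if value is None:
            findings.append(f"{key}: not set explicitly, default applies (check `sshd -T`)")
        elif value.lower() in bad:
            findings.append(f"{key} {value}: weak setting")
    return findings


def set_option(text, keyword, value):
    """Set KEYWORD in the global section: rewrite the first active occurrence,
    comment out later duplicates (sshd ignores them but readers do not), and
    insert the line before the first Match block if the keyword was absent."""
    new_line = f"{keyword} {value}"
    out, done, in_match = [], False, False
    for line in text.splitlines():
        kv = _split(line)
        key = kv[0] if kv else None
        if key == "match" and not in_match:
            in_match = True
            if not done:
                out.append(new_line)
                done = True
        if not in_match and key == keyword.lower():
            if done:
                out.append("#" + line)   # duplicate, disabled for clarity
            else:
                out.append(new_line)
                done = True
            continue
        out.append(line)
    if not done:
        out.append(new_line)
    return "\n".join(out) + "\n"


def harden(text):
    for keyword, value in HARDENED:
        text = set_option(text, keyword, value)
    return text


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SSHD_CONFIG
    for finding in audit(text) or ["no weak settings found"]:
        print(finding)
    print("--- hardened ---")
    print(harden(text), end="")
```

Point it at /etc/ssh/sshd_config (the script file name is yours to choose) and compare its view with sshd -T, which prints every effective value including compiled-in defaults; write the hardened output to the real file only after sshd -t accepts it, and restart from a session you keep open.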