I. Installing and configuring SFTP
SFTP (SSH File Transfer Protocol) is a network protocol that runs over a data-stream connection and provides file access, transfer and management.
SFTP relies on the SSH service that ships with the system; by default the account used to connect is the Linux root account and its password.
This article uses an ordinary user newly added on each host: docker
Description: 1. docker is the user name you create for this SFTP service, and /dcos/ISMG7/ is the root path the SFTP server exposes
2. Once the SFTP connection test succeeds, the docker user can log in to SFTP without a password
Note: once passwordless login is configured, it applies to both ssh and sftp
1. Check the version and install
#Check:
[root@local ~]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
#Install; an existing installation is updated to the latest version
yum install -y openssl openssh-server
#Start at boot
systemctl enable sshd.service
#Verify that it is enabled at boot
[root@local dcos]# systemctl list-unit-files |grep sshd
sshd-keygen.service static
sshd.service enabled
sshd@.service static
sshd.socket disabled
2. Create the user
[root@local ~]# mkdir -p /dcos/ISMG7/
[root@local ~]# cd /dcos/ISMG7/
[root@local ISMG7]# useradd docker
[root@local ISMG7]# echo "pwd123" | passwd --stdin docker
更改用户 sftpdocker 的密码 。
passwd:所有的身份验证令牌已经成功更新。
#Back up the configuration file so that a mistake can be undone
[root@local ISMG7]# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup
3. Edit sshd_config, restart, test
vim /etc/ssh/sshd_config
#Comment out the following line
#Subsystem sftp /usr/libexec/openssh/sftp-server
#Append the following at the very end of the file (sshd_config only accepts comments on a line of their own, so the notes are kept on separate lines)
#SSH settings
PermitRootLogin yes
#RSAAuthentication belongs to SSH protocol 1; OpenSSH 7.4 logs it as a deprecated option and ignores it
RSAAuthentication yes
PubkeyAuthentication yes
Subsystem sftp internal-sftp
#SFTP settings
#Applies to the user docker; everything after this Match line belongs to the block
Match user docker
#Root directory the sftp session is confined to
ChrootDirectory /dcos/ISMG7/
#ForceCommand internal-sftp
#Changing this to yes, together with commenting out ForceCommand, solves the problem of the user being limited to sftp only
AllowTcpForwarding yes
#Restart the sshd service
systemctl restart sshd
#Test the connection
sftp -P 22 docker@127.0.0.1
Follow-up: if you want to configure sftp login by group, instructions are all over the web
II. Configuring passwordless sftp login:
Two approaches:
1. Send the public key: the client (the side that logs in) sends its own public key to the server (the side being logged in to)
2. Send the private key: the server (the side being logged in to) sends its own private key to the client (the side that logs in)
1. Passwordless login using the public key
Method used in this article: send the public key
Main commands:
ssh-keygen -t rsa -P ""
ssh-copy-id -i .ssh/id_rsa.pub 192.168.100.102
#Let's begin~
#There are three machines, 102, 103 and 104; sftp is deployed on 102, and 103 and 104 log in to 102 without a password, which gives passwordless sftp login
1. Deploy sftp on 102
[root@102 ~]# useradd docker
[root@102 ~]# echo "pwd123" | passwd --stdin docker
更改用户 docker 的密码 。
passwd:所有的身份验证令牌已经成功更新。
[root@102 ~]# vim /etc/ssh/sshd_config
[root@102 ~]#
[root@102 ~]# systemctl restart sshd
[root@102 ~]# sftp -P 22 docker@127.0.0.1
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:RQtfZBp7A0NgbvSg3cfEM1/+ef2MnFgO7CEqL6takjM.
ECDSA key fingerprint is MD5:00:1d:81:ec:31:02:b1:15:08:e5:bd:a9:64:31:bd:ff.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
docker@127.0.0.1's password:
Connected to 127.0.0.1.
sftp> pwd
Remote working directory: /
sftp> ls
sftp> bye
2. Configure passwordless login from 103
2.1 Create the user docker
[root@103 ~]# useradd docker
[root@103 ~]# echo "pwd123" | passwd --stdin docker
更改用户 docker 的密码 。
passwd:所有的身份验证令牌已经成功更新。
2.2 Switch to the docker user
[root@103 ~]# su docker
[docker@103 root]$ cd
2.3 Generate 103's private and public key
[docker@103 ~]$ ssh-keygen -t rsa -P "" # generate the key pair
Generating public/private rsa key pair.
Enter file in which to save the key (/home/docker/.ssh/id_rsa):
Created directory '/home/docker/.ssh'.
Your identification has been saved in /home/docker/.ssh/id_rsa.
Your public key has been saved in /home/docker/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:R/qzP5t7xgXssk+d6yHId2HKQOXVJXWQ21otLMCUq+Y docker@103
The key's randomart image is:
+---[RSA 2048]----+
| o.. .o=*|
| + o o.o|
| .+ + o.|
| oo . * +|
| S... o B |
| oo. = =.+|
| o oo O.=.|
| E o+o* o|
| ..=Boo |
+----[SHA256]-----+
[docker@103 ~]$ ls .ssh # list the keys
id_rsa id_rsa.pub
2.4 Comment out the config item, then use ssh-copy-id to send 103's public key to 102
#Before doing this, comment out ChrootDirectory /dcos/ISMG7/ in sshd_config on the sftp server and restart the sshd service, then send the public key to the sftp server; otherwise it fails with /bin/bash: No such file or directory, because ssh-copy-id needs a shell login and there is no /bin/bash inside the chroot. With it commented out, send the key as follows:
[docker@103 ~]$ ssh-copy-id -i .ssh/id_rsa.pub 192.168.100.102
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
docker@192.168.100.102's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '192.168.100.102'"
and check to make sure that only the key(s) you wanted were added.
2.5 On 102, check whether the authorized_keys file exists; if it does, the copy succeeded
[docker@102 ~]$ cd .ssh
[docker@102 .ssh]$ ls
authorized_keys
[docker@102 .ssh]$ cat authorized_keys # 103's key is already there, success
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDe20O8E2aSbDQNoGuaEjPCl2w/2CP6PRdffRWeW8To73I4lmBXM5G5uMkuYP5dyorbgUWwrGu1UNQ2RRi05YMeDMWtdELmz5MVYkThJJs/RkJLlFTX7yS7aep4J26nhWBwWxkDTt7K4/txP+CrPtkyQRczG4a0fzjJXTJLBItkA3eQW2aZihh7lX3aHOAzaaqjMaVLjV8xxz3yS0HnxK8J1XOf4tCkk7gfsACqvETobOJCmqErG1ZENhDNsIe4IsmUX5nPfTTM54jpIeiLvTA8nxBAeKeXDFBLAl5NCUPm8wkn8iPj8nPJCBrRkKGLblWsxho6G3jDbS6AdeNbR2rN docker@103
2.6 Test from 103: logging in to 102 for sftp no longer asks for a password
[docker@103 ~]$ sftp docker@192.168.100.102
Connected to 192.168.100.102.
sftp> ls
sftp> pwd
Remote working directory: /home/docker
sftp> bye
2.7 Change the sftp root directory and test again
# Right now the remote directory is the home directory, not the root directory we want; uncomment ChrootDirectory /dcos/ISMG7/ in sshd_config, restart the sshd service and test again, as follows:
[docker@103 ~]$ sftp docker@192.168.100.102
Connected to 192.168.100.102.
sftp> pwd
Remote working directory: / # back to normal; this is the root directory we want, /dcos/ISMG7/
sftp> ls
3. Add passwordless login for machine 104
3.1 Switch from the root user to the docker user
[root@104 ~]# su docker
[docker@104 root]$ cd # back to the docker user's home directory
3.2 Generate 104's private and public key
[docker@104 ~]$ ssh-keygen -t rsa -P "" # generate the key pair
Generating public/private rsa key pair.
Enter file in which to save the key (/home/docker/.ssh/id_rsa):
Your identification has been saved in /home/docker/.ssh/id_rsa.
Your public key has been saved in /home/docker/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:XdvA8eaTPlAtQ8/0om4p02gKPV7r9pRsNDSQXrfVPDM docker@104
The key's randomart image is:
+---[RSA 2048]----+
| ... ..o|
| .o.+.E=|
| . .*.BoO|
| ..o X.= |
| S . * = |
| . * * . |
| . o * X o |
| o =.B . |
| ooo.. |
+----[SHA256]-----+
[docker@104 ~]$ ls .ssh/ # list the keys
id_rsa id_rsa.pub
3.3 Go to 104's key directory and scp 104's public key, as root, into the .ssh directory of user docker on 102
[docker@104 ~]$ cd .ssh # enter the key directory
[docker@104 .ssh]$ ls
id_rsa id_rsa.pub
[docker@104 .ssh]$ scp id_rsa.pub root@192.168.100.102:/home/docker/.ssh # send the public key as root to docker's key directory on 102
root@192.168.100.102's password: # enter the root password
id_rsa.pub 100% 392 405.2KB/s 00:00 #transfer succeeded
3.4 Verify on 102 that 104's public key has arrived
[docker@102 ~]$ cd .ssh
[docker@102 .ssh]$ ls
authorized_keys id_rsa.pub
[docker@102 .ssh]$ cat id_rsa.pub # the public key is there
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3RaDAKCfe1qXeXYQCKb35OpebDF+QXp3YuwtC/6se9kFEMJyBpblwj1iaYmF7klGe9K3fJ/RshLKM8yHDNfiXHw3ref9gcP70tglZ+PLIAxfBPV9gw/rkXigL9jJ/M1ukoe1Kf/UfsAD18Lonm2/l6ggWTThE+f2PiyRZME7buDAwG9ix7dW4wj81zKYhspzYgJk5NkWrJgG2DgK+SBFqmIIzdMwUFyMsVIRCu3mdlKWapemBunbM54K0KcdqNf7fZSH9+Tp+YrVzXLagp3WSdPSgwD8Ph7UGnmjdEfEHYQMDT+MV6fYoe2A0UqjyqhZ36pzcbZS5e72CHKDIiMxr docker@104
3.5 On 102, append 104's public key to the authorized_keys file
[docker@102 .ssh]$ cat id_rsa.pub >>authorized_keys #append this public key to authorized_keys
[root@102 .ssh]# cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDe20O8E2aSbDQNoGuaEjPCl2w/2CP6PRdffRWeW8To73I4lmBXM5G5uMkuYP5dyorbgUWwrGu1UNQ2RRi05YMeDMWtdELmz5MVYkThJJs/RkJLlFTX7yS7aep4J26nhWBwWxkDTt7K4/txP+CrPtkyQRczG4a0fzjJXTJLBItkA3eQW2aZihh7lX3aHOAzaaqjMaVLjV8xxz3yS0HnxK8J1XOf4tCkk7gfsACqvETobOJCmqErG1ZENhDNsIe4IsmUX5nPfTTM54jpIeiLvTA8nxBAeKeXDFBLAl5NCUPm8wkn8iPj8nPJCBrRkKGLblWsxho6G3jDbS6AdeNbR2rN docker@103
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3RaDAKCfe1qXeXYQCKb35OpebDF+QXp3YuwtC/6se9kFEMJyBpblwj1iaYmF7klGe9K3fJ/RshLKM8yHDNfiXHw3ref9gcP70tglZ+PLIAxfBPV9gw/rkXigL9jJ/M1ukoe1Kf/UfsAD18Lonm2/l6ggWTThE+f2PiyRZME7buDAwG9ix7dW4wj81zKYhspzYgJk5NkWrJgG2DgK+SBFqmIIzdMwUFyMsVIRCu3mdlKWapemBunbM54K0KcdqNf7fZSH9+Tp+YrVzXLagp3WSdPSgwD8Ph7UGnmjdEfEHYQMDT+MV6fYoe2A0UqjyqhZ36pzcbZS5e72CHKDIiMxr docker@104
#appended successfully
3.6 From 104, connect to the sftp server 102 and test whether it is passwordless:
[docker@104 .ssh]$ sftp docker@192.168.100.102
Connected to 192.168.100.102. # no password needed, success
sftp> ls
sftp>
2. Passwordless login using the private key
Note: the rest of this section uses a fresh environment
Method used here: send the private key
User and password: docker pwd123
Hosts: 102, 103
[root@local ~]# hostnamectl set-hostname 102 #set the host name to 102
[root@local ~]# bash #start a new shell so the change takes effect immediately
[root@102 ~]#
[root@102 ~]# useradd docker #create the user docker
[root@102 ~]# echo "pwd123" |passwd --stdin docker #set docker's password non-interactively
更改用户 docker 的密码 。
passwd:所有的身份验证令牌已经成功更新。
[root@102 ~]# su docker #switch to the docker user
[docker@102 root]$ cd
[docker@102 ~]$ ssh-keygen -t rsa -P "" #generate the key pair
Generating public/private rsa key pair.
Enter file in which to save the key (/home/docker/.ssh/id_rsa): #just press Enter
Created directory '/home/docker/.ssh'.
Your identification has been saved in /home/docker/.ssh/id_rsa.
Your public key has been saved in /home/docker/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:QAvFJbSeO6AUw1Rekk14V5lVPij+FtBu1sfPby2IbK0 docker@102
The key's randomart image is:
+---[RSA 2048]----+
| ..+OB....+... |
| o .o=++. o. o |
| + ..+. o o o |
| o . o . + . o |
| . . o S . = . o|
| . . . . + . o.|
| . o . oo. +|
| . +.o . +|
| .E. o.|
+----[SHA256]-----+
[docker@102 ~]$ cd .ssh # enter the directory holding the key pair
[docker@102 .ssh]$ ls
id_rsa id_rsa.pub
[docker@102 .ssh]$ cat id_rsa.pub >> authorized_keys # import its own public key into authorized_keys, equivalent to creating the file directly
[docker@102 .ssh]$ cat authorized_keys # view it
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9PH/Uz1+Dbf8Xptsu/WhiLXJ9rsHYewE/bX4NpB0FMrqBXSB5Ywy4pe5sFI9ShX4ejbbzouQDm5+zZi0esZYwX1aNQdhsu2X7apXCBCbLf/BKlFQn9j8cubqrc7ue3INX/ajGZKBv/tHDAb+n7B0F+aRzcZde7PEuD5PSVxYmCRGjJoKYP9yTWO+6V7odIcL9e3VYtTeEROsOwEDtNlvbnXK51h+9z1TOU0R1etB7Pm2ZSx6fpbWpiRIjuJh+6m5c7M7GXcqQANHo58AdEXU3w9mHr4h3lY2UVu11ecWL2fl6Yyf3c379DhICK+g03K7xz34Cb7RhMOlBvaXgAfWf docker@102
[docker@102 .ssh]$ ll
总用量 16
-rw-rw-r-- 1 docker docker 392 4月 19 15:36 authorized_keys #the file is created with the default mode, which is wrong and must be changed
-rw------- 1 docker docker 1679 4月 19 15:36 id_rsa
-rw-r--r-- 1 docker docker 392 4月 19 15:36 id_rsa.pub
-rw-r--r-- 1 docker docker 177 4月 19 15:37 known_hosts
[docker@102 .ssh]$ chmod 600 authorized_keys #set mode 600
[docker@102 .ssh]$ ll
总用量 16
-rw------- 1 docker docker 392 4月 19 15:36 authorized_keys #mode 600 is correct
-rw------- 1 docker docker 1679 4月 19 15:36 id_rsa
-rw-r--r-- 1 docker docker 392 4月 19 15:36 id_rsa.pub
-rw-r--r-- 1 docker docker 177 4月 19 15:37 known_hosts
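Steps 2.4 and 3.5 of the public-key method and the chmod 600 fix just above all amount to the same operation: placing a public key into the server user's authorized_keys with the permissions sshd's StrictModes requires. The shell function below is an added example (not from the original post) that does this idempotently and refuses input that is not a public key; the function names are made up, and it assumes GNU coreutils stat on Linux.

```shell
# Added example: install a public key into <home>/.ssh/authorized_keys.
# StrictModes (sshd's default) ignores authorized_keys when the file or the
# .ssh directory is writable by others, which is the reason for the chmod 600
# above. Function names are made up for this example; assumes Linux.
#
# usage: add_authorized_key /home/docker /tmp/id_rsa.pub
add_authorized_key() {
    home=$1; pub=$2
    key=$(head -n 1 "$pub") || return 1
    # Only accept a line that looks like an OpenSSH public key; a private key
    # copied here by mistake must never be appended to authorized_keys.
    case $key in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
        *) echo "not a public key: $pub" >&2; return 1 ;;
    esac
    sshdir=$home/.ssh; auth=$sshdir/authorized_keys
    mkdir -p "$sshdir" && chmod 700 "$sshdir"     # directory must be 700
    touch "$auth" && chmod 600 "$auth"           # file must be 600
    if grep -qxF "$key" "$auth"; then
        echo "already present, nothing appended"; return 0
    fi
    printf '%s\n' "$key" >> "$auth"
}

# Number of key lines installed for <home> (used to verify the result).
count_authorized_keys() {
    grep -Ec '^(ssh-|ecdsa-)' "$1/.ssh/authorized_keys"
}
```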
#On host 103
[root@103 ~]# su docker #switch to the docker user
[docker@103 root]$ cd
[docker@103 ~]$
[docker@103 ~]$ ls -a # there is no .ssh directory yet; copying the key now is useless, the directory must be created first
. .. .bash_logout .bash_profile .bashrc
[docker@103 ~]$ ssh localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:RQtfZBp7A0NgbvSg3cfEM1/+ef2MnFgO7CEqL6takjM.
ECDSA key fingerprint is MD5:00:1d:81:ec:31:02:b1:15:08:e5:bd:a9:64:31:bd:ff.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
docker@localhost's password: #enter the password pwd123
Last failed login: Wed Apr 19 15:39:49 CST 2023 from 127.0.0.1 on ssh:notty
There was 1 failed login attempt since the last successful login. # logged in successfully
Last login: Wed Apr 19 15:38:11 2023
[docker@103 ~]$ ll -a # checking again, the .ssh directory now exists
总用量 16
drwx------ 3 docker docker 95 4月 19 15:40 .
drwxr-xr-x. 4 root root 31 4月 19 15:35 ..
-rw------- 1 docker docker 11 4月 19 15:40 .bash_history
-rw-r--r-- 1 docker docker 18 4月 11 2018 .bash_logout
-rw-r--r-- 1 docker docker 193 4月 11 2018 .bash_profile
-rw-r--r-- 1 docker docker 231 4月 11 2018 .bashrc
drwx------ 2 docker docker 39 4月 19 15:40 .ssh #note this is a directory, with mode 700
#Switch to host 102 and send 102's private key to /home/docker/.ssh of user docker on host 103
[docker@102 .ssh]$ scp id_rsa 192.168.100.103:/home/docker/.ssh/
The authenticity of host '192.168.100.103 (192.168.100.103)' can't be established.
ECDSA key fingerprint is SHA256:RQtfZBp7A0NgbvSg3cfEM1/+ef2MnFgO7CEqL6takjM.
ECDSA key fingerprint is MD5:00:1d:81:ec:31:02:b1:15:08:e5:bd:a9:64:31:bd:ff.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.100.103' (ECDSA) to the list of known hosts.
docker@192.168.100.103's password:
id_rsa 100% 1679 1.3MB/s 00:00
#Back on host 103, check:
[docker@103 .ssh]$ ll
总用量 8
-rw------- 1 docker docker 1679 4月 19 15:40 id_rsa # present
-rw-r--r-- 1 docker docker 348 4月 19 15:40 known_hosts
#Verify: from host 103, run a command directly on host 102 and print 102's host name:
[docker@103 .ssh]$ ssh 192.168.100.102 hostname
102
# success!
3. Managing several private keys
162 is the server and 124 is the client
Now 124 needs to log in to 162 without a password, using the private-key approach because it is simple; but 124 already holds the private keys of other hosts, for example host 26
In other words, 162's private key is sent to 124, but it cannot have the same file name, and private keys cannot be appended to one another
So a config file is needed to manage the private keys, as follows:
Step 1: on 162, first import its own public key into authorized_keys, otherwise authentication fails.
Step 2: send 162's private key to 124
162's private key has now been transferred to 124:
[docker@124 .ssh]$ ll
total 24
-rw------- 1 ismg ismg 565 Aug 3 15:51 authorized_keys
-rw-r--r-- 1 ismg ismg 190 Jul 28 17:22 config
-rw------- 1 ismg ismg 2602 Jul 28 17:22 id_rsa_162
-rw------- 1 ismg ismg 2602 Jul 28 15:56 id_rsa_26
-rw-r----- 1 ismg ismg 3673 Aug 3 13:58 known_hosts
[docker@124 .ssh]$ cat config
#Servers (ssh_config, like sshd_config, only accepts comments on a line of their own, so the notes sit on separate lines)
#IP address
Host 10.147.36.162
PreferredAuthentications publickey
#Location of the private key
IdentityFile ~/.ssh/id_rsa_162
Host 10.147.36.26
PreferredAuthentications publickey
IdentityFile ~/.ssh/id_rsa_26
#For more private keys just append further Host blocks; this way several private keys can coexist and 162 can be logged in to without a password
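To see whether a config like the one above will actually be used, the following shell function (an added example, not from the original post) walks the Host/IdentityFile pairs and reports keys that are missing or whose mode ssh rejects; ssh skips any private key readable by group or other with a "Permissions ... are too open" warning and falls back to asking for a password. The function name is made up, and it assumes GNU coreutils stat on Linux.

```shell
# Added example: audit the IdentityFile entries of a client ssh config.
# ssh refuses to use a private key whose mode allows group/other access
# ("Permissions 0644 for ... are too open"), so such a key is silently skipped
# and the login falls back to password authentication.
# Function name is made up; assumes GNU coreutils stat (Linux).
#
# usage: check_identity_files ~/.ssh/config [home]   -> exit 0 when all keys are usable
check_identity_files() {
    cfg=$1; home=${2:-$HOME}; rc=0; host='(none)'
    while read -r key val _rest; do
        case $key in
            ''|'#'*) continue ;;                 # blank line or comment line
            [Hh]ost) host=$val ;;                # remember which Host block we are in
            [Ii]dentity[Ff]ile)
                f=$val
                case $f in '~/'*) f=$home/${f#'~/'} ;; esac   # expand ~ like ssh does
                if [ ! -f "$f" ]; then
                    echo "Host $host: missing private key $f"; rc=1
                else
                    # %A is e.g. -rw-------; anything but ------ in the last six
                    # positions means group or other has some access
                    case $(stat -c '%A' "$f") in
                        ????------) ;;
                        *) echo "Host $host: $f is too open ($(stat -c '%a' "$f"))"; rc=1 ;;
                    esac
                fi ;;
        esac
    done < "$cfg"
    return $rc
}
```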