歡迎來到Linux教程網
Linux教程網
Linux教程網
Linux教程網
您现在的位置: Linux教程網 >> UnixLinux >  >> Linux基礎 >> 關於Linux

linux常用的服務--SSH以及ssh公鑰認證

linux常用的服務--SSH以及ssh公鑰認證   一、ssh(secure shell)安裝   SSH默認情況下已經安裝了,包裝包的名稱是openssh,使用源碼包安裝的方法是   [root@localhost logs]# yum install openssh   ………………………………   Downloading Packages: (1/4): openssh-5.3p1-84.1.el6.x86 | 236 kB     00:00      (2/4): openssh-askpass-5.3p1-84.1 |  53 kB     00:00      (3/4): openssh-clients-5.3p1-84.1 | 355 kB     00:00      (4/4): openssh-server-5.3p1-84.1. | 299 kB     00:00    ……………………   二、ssh相關的文件詳解   1、 /etc/ssh/sshd_config   ssh 服務的主配置文件,基本上所有的ssh相關設定都在這裡   # This is the sshd server system-wide configuration file.  See # sshd_config(5) for more information.   # This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented.  Uncommented options change a # default value.   #Port 22       -----sshd服務默認的端口22,為了安全考慮建議修改成其它端口   #AddressFamily any ListenAddress 192.168.1.1  -------------監聽的主機,只監聽來自192.168.1.1的ssh連接 #ListenAddress :: # Disable legacy (protocol version 1) support in the server for new # installations. In future the default will change to require explicit # activation of protocol 1 Protocol 2           ----------------ssh的協議版本,這裡是2   # HostKey for protocol version 1 #HostKey /etc/ssh/ssh_host_key # HostKeys for protocol version 2 #HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_dsa_key   # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 1h                -----------每個一個小時重新建立一次連接,這裡未開啟 #ServerKeyBits 1024       -----------server key的長度   # Logging # obsoletes QuietMode and FascistLogging #SyslogFacility AUTH                           SyslogFacility AUTHPRIV      ------------當有人使用ssh登入系統的時候,ssh會記錄信息(/var/log/secure) #LogLevel INFO   # Authentication: #LoginGraceTime 2m #PermitRootLogin yes        -----------是否允許root登陸,默認是允許的,建議設置成no #StrictModes yes               -------------當使用者的host key改變之後,server就不接受其聯機 #MaxAuthTries 6               --------------最多root嘗試6次連接 #MaxSessions 10   #RSAAuthentication yes    -------------是否使用rsa認證,只針對version1 #PubkeyAuthentication yes ------------是否允許public key,只針對version2 #AuthorizedKeysFile     .ssh/authorized_keys  -------認證文件 #AuthorizedKeysCommand none #AuthorizedKeysCommandRunAs nobody   # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts #RhostsRSAAuthentication no   ---------是否僅適用於rhosts認證,為了安全一定設置為否 # similar for protocol version 2 #HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no   --------------是否忽略掉~/.shosts files中的用戶 # Don't read the user's ~/.rhosts and ~/.shosts files   #IgnoreRhosts yes   # To disable tunneled clear text passwords, change to no here! #PasswordAuthentication yes    --------------是否需要密碼認證 #PermitEmptyPasswords no       --------------不允許空密碼 PasswordAuthentication yes       -------------開啟密碼認證 # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes ChallengeResponseAuthentication no   -----------不挑戰任何的密碼認證,任何login.conf規定的認證方式,都禁用 # Set this to 'yes' to enable PAM authentication, account processing,  # and session processing. If this is enabled, PAM authentication will be allowed through the #ChallengeResponseAuthentication and PasswordAuthentication.  Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypassthe setting of "PermitRootLogin without-#password". If you just want the PAM account and session checks to run without PAM authentication, then enable #this but set PasswordAuthentication and ChallengeResponseAuthentication to 'no'. UsePAM yes      -----------啟用pam模塊 # Accept locale-related environment variables          ------------環境變量 AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE AcceptEnv XMODIFIERS #PrintMotd yes       ---------登陸後是否顯示一些默認信息 #PrintLastLog yes  ---------顯示上次登錄的信息 #TCPKeepAlive yes  -------ssh server會傳keepalive信息給client以此確保兩者的聯機正常,任何一端死後,馬上斷開 #UseLogin no #UsePrivilegeSeparation yes   -------------使用者的權限設定 #PermitUserEnvironment no #PidFile /var/run/sshd.pid #MaxStartups 10     ----------最大聯機畫面 #PermitTunnel no #ChrootDirectory none # override default of no subsystems Subsystem       sftp    /usr/libexec/openssh/sftp-server         ----------  sftp服務的設置   ++++++++++++以上是sshd服務端+++++++下面是客戶端++++++++   2、/etc/ssh/ssh_config    -------ssh客戶端配置文件   # This is the ssh client system-wide configuration file.  See # ssh_config(5) for more information.  This file provides defaults for # users, and the values can be changed in per-user configuration files or on the command line. # Host *   -----------只匹配設定的主機,這裡默認是匹配所有的主機 #   ForwardAgent no     ------------連接是否經過驗證代理 #   ForwardX11 no        ------------x11連接是否被自動重定向到安全的通道和顯示集; #   RhostsRSAAuthentication no  -----是否使用rsa算法的基於rhosts的安全驗證 #   RSAAuthentication yes    ----------是否使用rsa算法驗證 #   PasswordAuthentication yes  ----------是否使用密碼驗證 #   CheckHostIP yes    -------------是否驗證ip #   AddressFamily any #   ConnectTimeout 0   ----------連接超時時間 #   StrictHostKeyChecking ask #   IdentityFile ~/.ssh/identity #   IdentityFile ~/.ssh/id_rsa #   IdentityFile ~/.ssh/id_dsa #   Port 22          ------------連接遠程主機的端口 #   Protocol 2,1  -----------采用的協議版本 #   Cipher 3des #   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc #   MACs hmac-md5,hmac-sha1,[email protected],hmac-ripemd160 #   EscapeChar ~   --------------設置escape字符 #   Tunnel no #   TunnelDevice any:any #   PermitLocalCommand no #   VisualHostKey no Host *         GSSAPIAuthentication yes # If this option is set to yes then remote X11 clients will have full access # to the original X11 display. As virtually no X11 client supports the untrusted # mode correctly we set this to yes.         ForwardX11Trusted yes # Send locale-related environment variables         SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES          SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT          SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE         SendEnv XMODIFIERS   +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++   3、~/.ssh/known_hosts文件的作用   ssh 會把每個你訪問過的計算機的公鑰(public key)都記錄到~/.ssh/known_hosts文件中,當你下次訪問該計算機時,openss會核對公鑰。如果公鑰不同,那openssh就會發出警告,避免你收到DNSHijack等攻擊       三、ssh服務控制命令   啟動ssh服務: service sshd start   關閉ssh服務:service sshdstop   重啟ssh服務: service sshd restart    [root@localhost softs]# netstat -anpt | grep sshd     ----------查看sshd的22端口是否打開   tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      2854/sshd        ssh命令常用的參數   -l  指定用戶;   -p指定端口號;   -X開啟x協議轉發   [root@localhost softs]# ssh [email protected] The authenticity of host '192.168.254.46 (192.168.254.46)' can't be established. RSA key fingerprint is 18:5f:3e:08:d0:a7:f1:93:f9:34:63:41:31:24:2a:02. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '192.168.254.46' (RSA) to the list of known hosts. [email protected]'s password:           #輸入密碼   Last login: Wed Oct 23 10:20:19 2013 from 192.168.254.152      -----登陸成功   [root@localhost ~]# exit -------斷開ssh連接 logout Connection to 192.168.254.46 closed.   [root@localhost softs]# ssh -p 22 -l root 192.168.254.46   #P默認為22,可以省略 [email protected]'s password:    [root@localhost softs]# ssh 192.168.254.46 [email protected]'s password:   ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++   四、ssh的公鑰認證   1.生成密鑰文件   [root@localhost ~]# lsb_release -a   -------先看一下我的linux版本 LSB Version:    :core-3.1-ia32:core-3.1-noarch:graphics-3.1-ia32:graphics-3.1-noarch Distributor ID: RedHatEnterpriseServer Description:    Red Hat Enterprise Linux Server release 5.5 (Tikanga) Release:        5.5 Codename:       Tikanga       [root@localhost ~]# ssh-keygen -t rsa         #生成密鑰對 Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa):         #輸入私鑰文件的名稱,直接回車使用默認名稱 Enter passphrase (empty for no passphrase):    #輸入密鑰文件的密碼,直接回車不設置密碼 Enter same passphrase again:                          #再次輸入密碼確認 Your identification has been saved in /root/.ssh/id_rsa. Your public key has been saved in /root/.ssh/id_rsa.pub. The key fingerprint is: d3:41:dd:41:56:a2:ca:7a:81:9a:64:74:d7:df:32:9e [email protected]   [root@localhost ~]# ll /root/.ssh/ 總計 12 -rw------- 1 root root 1675 10-23 10:28 id_rsa      -------生成的私鑰 -rw-r--r-- 1 root root  408 10-23 10:28 id_rsa.pub  ------生成的公鑰 -rw-r--r-- 1 root root  396 10-23 10:20 known_hosts ------登陸者的信息   2、將公鑰復制到遠程主機   [root@localhost ~]# scp ~/.ssh/id_rsa.pub [email protected]:~/.ssh/authorized_keys   ------將公鑰復制到遠程服務器指定的目錄下,並且重命名為authorized_keys。scp是openssh自帶的工具。   [email protected]'s password:      --------輸入遠程主機的密碼 id_rsa.pub                 100%  408     0.4KB/s   00:00    3、登錄到遠程主機   [root@localhost ~]# ssh 192.168.254.46 [email protected]'s password:   查看該主機的系統版本   [root@localhost ~]# cat /proc/version  Linux version 2.6.32-71.el6.x86_64 ([email protected]) (gcc version 4.4.4 20100726 (Red Hat 4.4.4-13) (GCC) ) #1 SMP Fri May 20 03:51:51 BST 2011 [root@localhost ~]#    然後再該主機上同樣生成公鑰   [root@localhost ~]# ssh-keygen -t rsa Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa):  Created directory '/root/.ssh'. Enter passphrase (empty for no passphrase):  Enter same passphrase again:  Your identification has been saved in /root/.ssh/id_rsa. Your public key has been saved in /root/.ssh/id_rsa.pub. The key fingerprint is: 6b:35:ba:70:2d:06:ee:3e:80:37:7b:ee:9c:1f:c1:2e [email protected] The key's randomart image is: +--[ RSA 2048]----+ |                 | |                 | |                 | |       .         | |   .  . S o      | |  . +. o * .     | |   . +E X .      | |    .ooB +       | |     =Boo        | +-----------------+     將公鑰傳到192.168.254.153上面   [root@localhost ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]   ======另外一種遠程傳公鑰的方法 The authenticity of host '192.168.254.153 (192.168.254.153)' can't be established. RSA key fingerprint is 4d:24:b3:e8:82:11:bf:e1:a0:0c:45:27:57:8e:a1:c8. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '192.168.254.153' (RSA) to the list of known hosts. [email protected]'s password:     ----------------輸入192.168.254.153的密碼   Now try logging into the machine, with "ssh '[email protected]'", and check in:     .ssh/authorized_keys   to make sure we haven't added extra keys that you weren't expecting.   [root@localhost ~]# ssh [email protected] Last login: Wed Oct 23 09:55:54 2013 from 192.168.254.152    ----------不用輸密碼可以直接登陸了   五 、ssh客戶端的使用   ssh 客戶端的命令主要包括ssh ,scp和sftp   1、ssh的使用    ssh [email protected] 以root身份 遠程登錄遠程主機   2、scp命令   scp命令可以用來通過安全加密的連接在機器之間進行文件的傳輸,與rcp相似。它傳文件的一般語法為   scp localfile username@hostip:/newfilename   localfile  本地文件名稱,username 遠程主機用戶名 hostip遠程主機的ip地址   舉例:scp  /var/log/httpd/access.log  [email protected]:/var/log/   把本地/var/log/httpd/下的access.log文件傳到遠程主機對應的/var/log/下面   3、sftp命令   sftp工具可以用來打開一次安全互動的ftp對話。與ftp類似,但是sftp使用安全加密的連接,一般語法為   sftp [email protected]   [root@localhost .ssh]# sftp 192.168.254.153   sftp登陸,因為我交換了公鑰,所以無需密碼認證 Connecting to 192.168.254.153... sftp> ls  ---------查看有哪些文件  Desktop                                                  anaconda-ks.cfg                                          glibc-2.7-2.i386.rpm                                     glibc-common-2.7-2.i386 .rpm                             glibc-devel-2.7-2.i386.rpm                               glibc-headers-2.7-2.i386.rpm                             index.php                                                install.log                                              install.log.syslog                                       jdk1.7.0                                                 mbox                                                     my.cnf                                                   phpMyAdmin-4.0.8-all-languages.tar.gz                    sftp> get my.cnf           我隨便下載了一個文件 Fetching /root/my.cnf to my.cnf     /root/my.cnf          100% 4920     4.8KB/s   00:00     sftp> quit   六、訪問控制   /etc/host.allow和/etc/hosts.deny   這兩個文件時控制遠程訪問設置的,通過該設置可以允許或者拒絕某個ip或者ip段訪問linux的某項服務。   [root@localhost .ssh]# vi /etc/hosts.allow   sshd:192.168.0.*:allow  允許該網段訪問   sshd:192.168.1.15:allow  允許該ip地址訪問   [root@localhost .ssh]# vi /etc/hosts.deny   sshd:all:deny   -------表示拒絕所有的sshd遠程連接   當/etc/hosts.deny 跟/etc/hosts.allow沖突時會以哪個為准?這裡有個規則   首先檢查hosts.allow文件,若找到相關的策略則允許訪問,否則繼續檢查hosts.deny ,若找到相關的策略則拒絕訪問;如果兩個文件中都沒有匹配的策略則允許訪問;如果二者沖突時以hosts.allow為准。   注意:如果這兩個文件配置修改了,必須要重啟service xinetd服務才能生效  
Copyright © Linux教程網 All Rights Reserved