@q8517220 2018-11-20T12:45:14.000000Z

SSH service

Author: 李浩


Introduction to SSH

SSH encrypts data before transmitting it. If the client and server protocol versions are incompatible, the connection cannot be established.

1. Two functions:

① Remote login ② Remote copy

```
# Installed packages
[root@localhost ~]# rpm -qa openssh openssl
openssl-1.0.1e-15.el6.x86_64
openssh-5.3p1-94.el6.x86_64
```

2. SSH authentication

2.1 Password-based: you know the account and password on the server.
2.2 Key-based: key-based authentication relies on a key pair that must be created in advance. The public key is placed on the target server you need to access, and the private key is kept on the SSH client (or the client-side server that initiates the connection).

Back up the configuration before modifying it (back up, back up, back up).
Port 22: change the default port
ListenAddress 0.0.0.0: change to a single IP
PermitRootLogin yes: change to no
PasswordAuthentication yes: change to no
UseDNS yes: change to no
GSSAPIAuthentication yes: change to no

```
[root@localhost ~]# cp -ap /etc/ssh/sshd_config{,.bak}
[root@localhost ~]# ll /etc/ssh/sshd_config*
-rw-------. 1 root root 3879 11 23 2013 /etc/ssh/sshd_config
-rw-------. 1 root root 3879 11 23 2013 /etc/ssh/sshd_config.bak
[root@localhost ~]# vim /etc/ssh/sshd_config
```
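An added example, not from the original notes: a shell check that reports which of the six sshd_config directives listed above are still unset or still at the value the notes say to change, run here against constructed sample configs. The function names and the sample values are my assumptions.

```bash
#!/bin/bash
# Added example (not from the original notes): audit an sshd_config against the
# six hardening changes listed above. Helper names are hypothetical.

# Effective value of directive $2 in file $1: the first matching uncommented line
# wins, as in sshd_config; directives inside a Match block are ignored. Empty if unset.
sshd_value() {
    awk -v k="$2" 'tolower($1)=="match" {exit}
                   tolower($1)==tolower(k) {print $2; exit}' "$1"
}

# Print one finding per directive that is unset or still at the value the notes
# say to change. Returns 0 when there are no findings, 1 otherwise.
audit_sshd_config() {
    local cfg="$1" pair key want got findings=0
    # "key:value"; a leading "!" means the value must be anything except this one
    for pair in Port:!22 ListenAddress:!0.0.0.0 PermitRootLogin:no \
                PasswordAuthentication:no UseDNS:no GSSAPIAuthentication:no; do
        key=${pair%%:*}; want=${pair#*:}
        got=$(sshd_value "$cfg" "$key")
        if [ -z "$got" ]; then
            echo "$key: not set explicitly (compiled-in default applies)"
        elif [ "$want" != "${want#!}" ] && [ "$got" = "${want#!}" ]; then
            echo "$key: still $got, change it"
        elif [ "$want" = "${want#!}" ] && [ "$got" != "$want" ]; then
            echo "$key: is $got, should be $want"
        else
            continue
        fi
        findings=$((findings + 1))
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample configs (not from any real server): the defaults the notes say
# to change, and the same six directives after hardening.
write_weak_config() {
    printf '%s\n' 'Port 22' '#ListenAddress 0.0.0.0' 'PermitRootLogin yes' \
        'PasswordAuthentication yes' 'UseDNS yes' 'GSSAPIAuthentication yes' >"$1"
}
write_hardened_config() {
    printf '%s\n' 'Port 1314' 'ListenAddress 172.16.10.30' 'PermitRootLogin no' \
        'PasswordAuthentication no' 'UseDNS no' 'GSSAPIAuthentication no' >"$1"
}
```

Run it as `audit_sshd_config /etc/ssh/sshd_config` after editing; an empty report means all six directives are set as the notes require.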

Summary: how to prevent SSH login intrusions
1. Log in with keys, not passwords
2. The "bull formation" (layered defence) for SSH security:
① Restrict SSH at the firewall to specified source IPs
② Make SSH listen only on the internal (private) IP
3. Avoid giving servers a public IP wherever possible
SSH client command:

```bash
ssh -p22 lihao@172.16.10.10
```

Copying with scp

```bash
scp -P22 /etc/hosts lihao@172.16.10.22:/tmp/   # push the local /etc/hosts file to /tmp on the remote host
```

```bash
scp -rP22 lihao@172.16.10.22:/tmp/ /data/   # pull: copy the remote /tmp directory into local /data (-r is needed for a directory)
```

Summary
1. scp is an encrypted remote copy; cp copies only locally.
2. Data can be pushed from one machine to another, or pulled back from another machine.
3. Every transfer is a full copy, which is inefficient; it suits a first-time copy. For incremental copies use rsync.

The sftp function bundled with the SSH service

```
[root@localhost ~]# sftp root@172.16.10.40
Connecting to 172.16.10.40...
The authenticity of host '172.16.10.40 (172.16.10.40)' can't be established.
RSA key fingerprint is f3:af:42:ba:f8:ab:74:8b:cf:f9:59:d6:27:41:6c:1d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.10.40' (RSA) to the list of known hosts.
root@172.16.10.40's password:
sftp> ls
anaconda-ks.cfg install.log install.log.syslog ipvsadm-1.26
keepalived-1.1.19
sftp> put /etc/hosts   # upload; get downloads
Uploading /etc/hosts to /root/hosts
/etc/hosts 100% 158 0.2KB/s 00:00
sftp> pwd
Remote working directory: /root
sftp> put /etc/hosts /tmp
Uploading /etc/hosts to /tmp/hosts
/etc/hosts 100% 158 0.2KB/s 00:00
sftp> cd /tmp
sftp> ls
hosts yum.log
sftp> pwd
Remote working directory: /tmp
```

Batch management over SSH

Password-based: expect, pssh, sshpass
Key-based:
1. Create the user and password

```bash
useradd xiaoxue
echo 123456|passwd --stdin xiaoxue
su - xiaoxue
```

2. Create the key pair
ssh-keygen -t dsa, pressing Enter at every prompt

```
[root@MBA ~]# su - xiaoxue
[xiaoxue@MBA ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/xiaoxue/.ssh/id_dsa):
Created directory '/home/xiaoxue/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/xiaoxue/.ssh/id_dsa.
Your public key has been saved in /home/xiaoxue/.ssh/id_dsa.pub.
The key fingerprint is:
72:19:99:31:84:b6:41:95:74:a3:04:64:6b:f6:41:0e xiaoxue@MBA
The key's randomart image is:
+--[ DSA 1024]----+
|         oE*O.o  |
|        .+*.B .  |
|        .+oB     |
|        o.. +    |
|        . S      |
|         o       |
|                 |
|                 |
|                 |
+-----------------+
[xiaoxue@MBA ~]$ ll /home/xiaoxue/.ssh/
总用量 8
-rw------- 1 xiaoxue xiaoxue 668 11月 3 01:06 id_dsa
-rw-r--r-- 1 xiaoxue xiaoxue 601 11月 3 01:06 id_dsa.pub
```

Non-interactive key creation: one command

```bash
# Empty passphrase (-P '') and explicit output file (-f); the space after -f is required so ~ expands
ssh-keygen -t dsa -P '' -f ~/.ssh/id_dsa >/dev/null 2>&1
# Alternative: feed a newline to accept the default file name, -N "" for an empty passphrase
echo -e "\n"|ssh-keygen -t dsa -N ""
```

3. Distribute the public key from the management host
With the default SSH port 22:

```bash
ssh-copy-id -i .ssh/id_dsa.pub xiaoxue@172.16.10.10
```

If the port has been changed:

```bash
ssh-copy-id -i .ssh/id_dsa.pub "-p 1314 xiaoxue@172.16.10.30"
```

4. Test: every machine can now be reached without a password

```
[xiaoxue@MBA ~]$ ssh -p1314 xiaoxue@172.16.10.30 /sbin/ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:FF:73:81
inet addr:192.168.20.137 Bcast:192.168.20.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:feff:7381/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:893 errors:0 dropped:0 overruns:0 frame:0
TX packets:293 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:87817 (85.7 KiB) TX bytes:24158 (23.5 KiB)
eth1 Link encap:Ethernet HWaddr 00:0C:29:FF:73:8B
inet addr:172.16.10.30 Bcast:172.16.255.255 Mask:255.255.0.0
inet6 addr: fe80::20c:29ff:feff:738b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:962 errors:0 dropped:0 overruns:0 frame:0
TX packets:363 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:92411 (90.2 KiB) TX bytes:44909 (43.8 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
```

SSH schemes used in enterprises:
1. Log in directly as root
2. Escalate privileges with sudo
Configure sudoers:

```bash
echo "xiaoxue ALL= NOPASSWD: /usr/bin/rsync" >>/etc/sudoers
visudo -c   # check the sudoers syntax after editing
```

3. Use SUID so that an unprivileged user can copy files

```bash
rsync -avz hosts -e 'ssh -p 1314' xiaoxue@172.16.10.30:~   # rsync over an SSH tunnel
```
1. Incremental and encrypted

```bash
#!/bin/bash
# Batch distribution script: runs the command given as $1 on every managed host
. /etc/init.d/functions
if [ $# -ne 1 ]
then
    echo "USAGE:/bin/bash $0 ARG1"
    exit 1
fi
for n in 10 30 40
do
    echo ::::::172.16.10.$n::::::
    ssh -p1314 xiaoxue@172.16.10.$n "$1"
done
```
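An added example, not the notes' own script, that generalizes the loop above: hosts come from a list file, ssh runs key-only in BatchMode so it fails instead of hanging on a password prompt, and per-host failures are tallied. SSH_BIN, the list format, the helper names and the ports in the sample list are my assumptions.

```bash
#!/bin/bash
# Added example, not the notes' own script: key-only batch execution over SSH with a
# host list file and per-host result tallying. SSH_BIN and the list format are
# assumptions, not anything the notes specify.

# Program used to reach hosts; overridable so the loop can be exercised offline.
: "${SSH_BIN:=ssh}"

# Run command "$2" on every host in list file "$1" (one "user@host [port]" per line,
# blank lines and '#' comments skipped). Prints "OK host" or "FAIL host" per line
# and returns the number of failed hosts. Usage: batch_run hosts.txt 'uptime'
batch_run() {
    local list="$1" cmd="$2" target port failed=0
    while read -r target port; do
        case "$target" in ''|'#'*) continue ;; esac
        # -n: keep ssh from swallowing the rest of the list on stdin.
        # BatchMode=yes: never prompt for a password; fail fast if the key is refused.
        # StrictHostKeyChecking=yes: only hosts already in known_hosts are accepted.
        if "$SSH_BIN" -n -p "${port:-22}" -o BatchMode=yes -o ConnectTimeout=5 \
                -o StrictHostKeyChecking=yes "$target" "$cmd"; then
            echo "OK   $target"
        else
            echo "FAIL $target"
            failed=$((failed + 1))
        fi
    done <"$list"
    return "$failed"
}

# Constructed host list (the notes' lab addresses; the non-default port is an assumption).
write_sample_hosts() {
    printf '%s\n' '# managed hosts' 'xiaoxue@172.16.10.10' \
        'xiaoxue@172.16.10.30 1314' 'xiaoxue@172.16.10.40' >"$1"
}
```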