SSH

Posted 2020-10-19 physique

tags:

篇首语：本文由小常识网(cha138.com)小编为大家整理，主要介绍了SSH相关的知识，希望对你有一定的参考价值。

SSH

1、ssh是安全的加密协议，用于远程连接linux服务器。

2、ssh默认端口是22，安全协议版本ssh2。

3、ssh服务端主要包含两个服务功能ssh远程连接，sftp服务。

4、linux ssh客户端包含ssh远程连接命令，以及远程拷贝scp命令等。

SSH服务认证类型

基于口令的安全验证

[[email protected] ~]# ssh -p22 [email protected]
The authenticity of host ‘192.168.31.132 (192.168.31.132)‘ can‘t be established.
RSA key fingerprint is a0:60:7f:c8:e1:2c:d4:3b:2c:63:b7:3d:66:ad:f2:18.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘192.168.31.132‘ (RSA) to the list of known hosts.
[email protected]‘s password:
Last login: Mon Feb 6 13:33:19 2017 from 192.168.31.1
[[email protected] ~]#

ssh连接远程主机命令的基本语法：

-p接端口，默认22端口

@前面为用户名

@后面为要连接的服务器ip

[[email protected] ~]# cat ~/.ssh/known_hosts
192.168.31.132 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzH2jCItapPoUp5IKjVNtNOfXM5FmPQ3i27SjDQzzblL2vVaqAzfA10IsHw/QLfUbBpVERmbxZMW1SRrdcxXOWPFatuYmZMJDja4gi2FstEVxvV+ozelhuxEF9khZEYJHndfh5jqBXOYAe6NXOhY6rheEUmao3Wi5FLqdQ9cE0PBfI7SEn6dWCZ5dTJ76qtyLbctTmHC/tgCi3bqmrMR+hCH+PoiHYitEztwXAEWYxAka0d0ET96Z19DMDF9ai8YsrfAH/BgRiAoeUgNhtc/LrmVKWSeeHk15UvvY8Ba2nzI1jYkVH2UOROYn4jnYhSlY7cI7umdkU5LflGvrHmfJcQ==

ssh总结：

1、切换到别的机器上ssh -p52113 [email protected]。

2、到其他机器执行命令（不会切换到别的机器上）ssh -p 52113 [email protected] 命令（全路径）。

3、当第一次ssh连接的时候，本地会产生一个密钥文件~/.ssh/known_hosts（多个密钥）。

基于密钥的安全验证

事先建立一对密钥对，然后把公用密钥（public key）放在需要访问的目标服务器上，另外，还需要把私有密钥（private key）放到ssh的客户端对应的客户端服务器上。

根据端口号（111）查出对应的服务：

lsof -i:111

netstat -lntup|grep 111

根据进程名（sshd）查出对应的端口号：

netstat -lntup|grep sshd

更改默认ssh登录配置

#更改前备份
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.ori
vi /etc/ssh/sshd_config
Port 52113 #默认22端口，为了提高安全级别建议修改
PermitRootLogin no #root超级用户禁止远程登录
PermiEmptyPasswords no #禁止空密码登录
UseDNS no #不使用DNS
GSSAPIAuthenication no

ssh客户端附带的远程拷贝scp命令

[[email protected] ~]# scp -P22 -r -p /etc [email protected]:/tmp
[email protected]‘s password:
system-release-cpe 100% 25 0.0KB/s 00:00
K89rdisc 100% 1513 1.5KB/s 00:00

-P（大写）接端口。

-r递归，表示拷贝目录。

-p表示在拷贝前后保持文件或目录属性

-l limit限制速度

scp总结：

1、scp是加密的远程拷贝，cp仅为本地拷贝。

2、可以把数据从一台机器推送到另一台机器，也可以从其它服务器把数据拉回到本地执行命令的服务器。

3、每次都是全量完整拷贝，因此，效率不高，适合第一次拷贝用，如果需要增量拷贝用rsync。

sftp

1、linux下连接命令sftp -oPort=22 [email protected]

2、上传put加客户端本地路径put /etc/hosts，也可以指定路径上传put /etc/hosts /tmp。

3、下载get服务端的内容get hosts，linux下载到本地连接前的目录，也可以指定下载路径get /etc/hosts /tmp。

4、连接的远端家目录为默认目录，也可以切换到其他有权限的目录下。

批量分发文件、执行命令

配置ip主机名

[[email protected] ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.31.128 server
192.168.31.134 lnmp
192.168.31.133 lamp
192.168.31.132 backup

IT公司企业级批量分发、管理方案

1、中小企业基本sshkey密钥的方案。

2、门户网站sina puppet（复制、太重）。

3、赶集、小米saltstack批量管理（轻量）。

创建用户oldgirl，密码system

[[email protected] data]# useradd oldgirl
[[email protected] data]# echo system|passwd --stdin oldgirl
Changing password for user oldgirl.
passwd: all authentication tokens updated successfully.

创建公私钥

[[email protected] data]# su - oldgirl
[[email protected] ~]$ ssh
ssh ssh-agent sshd ssh-keyscan
ssh-add ssh-copy-id ssh-keygen
[[email protected] ~]$ ssh-keygen -t dsa #dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/oldgirl/.ssh/id_dsa): #存放密钥的路径
Created directory ‘/home/oldgirl/.ssh‘.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/oldgirl/.ssh/id_dsa.
Your public key has been saved in /home/oldgirl/.ssh/id_dsa.pub.
The key fingerprint is:
5a:64:22:18:c1:4c:70:ea:dd:64:9d:82:81:0b:99:07 [email protected]
The key‘s randomart image is:
+--[ DSA 1024]----+
|EO*o |
|+++oo . . |
|o.o..+.oo |
|... +..+ |
| . . . S |
| o |
| . |
| |
| |
+-----------------+

[[email protected] ~]$ ls -l .ssh/
total 8
-rw-------. 1 oldgirl oldgirl 668 Feb 7 09:41 id_dsa #私钥
-rw-r--r--. 1 oldgirl oldgirl 604 Feb 7 09:41 id_dsa.pub #公钥

分发公钥

[[email protected] ~]$ ssh-copy-id -i .ssh/id_dsa.pub [email protected] #默认22端口
ssh: connect to host 182.168.31.134 port 22: Connection refused
[[email protected] ~]$ ssh-copy-id -i .ssh/id_dsa.pub [email protected]
The authenticity of host ‘192.168.31.134 (192.168.31.134)‘ can‘t be established.
RSA key fingerprint is c1:0f:e0:45:05:79:c9:f0:48:d3:2f:6b:dc:66:6a:fe.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘192.168.31.134‘ (RSA) to the list of known hosts.
[email protected]‘s password:
Now try logging into the machine, with "ssh ‘[email protected]‘", and check in:
.ssh/authorized_keys
to make sure we haven‘t added extra keys that you weren‘t expecting.

[[email protected] ~]# su - oldgirl
[[email protected] ~]$ ls -l .ssh/
total 4
-rw-------. 1 oldgirl oldgirl 604 Feb 7 09:49 authorized_keys #权限600，名字改变

如果不是22端口（52113端口）：ssh-copy-id -i .ssh/id_dsa.pub "-P 52113 [email protected]"

[[email protected] ~]$ ssh-copy-id -i .ssh/id_dsa.pub [email protected]
[[email protected] ~]$ ssh-copy-id -i .ssh/id_dsa.pub [email protected]

测试免密查询ip

[[email protected] ~]$ ssh -P22 [email protected] /sbin/ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:0C:29:03:06:08
inet addr:192.168.31.134 Bcast:192.168.31.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe03:608/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4867 errors:0 dropped:0 overruns:0 frame:0
TX packets:585 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:473730 (462.6 KiB) TX bytes:91553 (89.4 KiB)

分发文件

[[email protected] ~]$ cp /etc/hosts .
[[email protected] ~]$ ls
hosts
[[email protected] ~]$ scp -P22 hosts [email protected]:~
hosts 100% 243 0.2KB/s 00:00

[[email protected] ~]# ls /home/oldgirl/
hosts

编写批量分发脚本

[[email protected] ~]$ cat fenfa.sh
scp -P22 hosts [email protected]:~
scp -P22 hosts [email protected]:~
scp -P22 hosts [email protected]:~

[[email protected] ~]$ sh fenfa.sh
hosts 100% 243 0.2KB/s 00:00
hosts 100% 243 0.2KB/s 00:00
hosts 100% 243 0.2KB/s 00:00

[[email protected] ~]$ cat fenfa.sh
#!/bin/sh
for n in 132 133 134
do
scp -P22 hosts [email protected]$n:~
done

[[email protected] ~]$ cat fenfa.sh
#!/bin/sh
. /etc/init.d/functions
for n in 132 133 134
do
scp -P22 $1 o l d g i r l @ 192.168.31.$
if [ $? -eq 0 ]
then
action "fenfa $1 ok" /bin/true
else
action "fenfa $1 error" /bin/false
fi
done

[[email protected] ~]$ sh fenfa.sh hosts
fenfa hosts ok [ OK ]
fenfa hosts ok [ OK ]
fenfa hosts ok [ OK ]

[[email protected] ~]$ cp /server/scripts/inotify.sh .
[[email protected] ~]$ sh fenfa.sh inotify.sh
fenfa inotify.sh ok [ OK ]
fenfa inotify.sh ok [ OK ]
fenfa inotify.sh ok [ OK ]

[[email protected] ~]$ cat fenfa.sh
#!/bin/sh
. /etc/init.d/functions
if [ $# -ne 1 ]
then
echo "USAGE:$0 {FILENAME|DIRNAME}"
exit 1
fi
for n in 132 133 134
do
scp -P22 -r $1 o l d g i r l @ 192.168.31.$
if [ $? -eq 0 ]
then
action "fenfa $1 ok" /bin/true
else
action "fenfa $1 error" /bin/false
fi
done

[[email protected] ~]$ sh fenfa.sh
USAGE:fenfa.sh {FILENAME|DIRNAME}
[[email protected] ~]$ cp -r /data/ .
[[email protected] ~]$ sh fenfa.sh data/
fenfa data/ ok [ OK ]
fenfa data/ ok [ OK ]
fenfa data/ ok [ OK ]

[[email protected] ~]$ cat view.sh
#!/bin/sh
if [ $# -ne 1 ]
then
echo "USAGE:$0 COMMAND"
exit 1
fi
for n in 132 133 134
do
ssh -p22 [email protected] $n$
done

[[email protected] ~]$ sh view.sh
USAGE:view.sh COMMAND
[[email protected] ~]$ sh view.sh "cat /etc/redhat-release"
CentOS release 6.6 (Final)
CentOS release 6.6 (Final)
CentOS release 6.6 (Final)

ssh批量分发与管理

1、利用root做ssh key验证。

优点：简单、易用。

缺点：安全差，同时无法禁止root远程连接这个功能。

2、利用普通用户（推荐）

先把分发的文件拷贝到服务器用户家目录，然后sudo提权拷贝分发的文件。

优点：安全。无需停止root远程连接这个功能。

缺点：配置比较复杂。

3、设置suid对固定命令

优点：相对安全

缺点：复杂，安全性较差。任何人都可以处理带有suid权限的命令。

[[email protected] ~]# echo ‘oldgirl ALL=(ALL) NOPASSWD:/usr/bin/rsync‘ >>/etc/sudoers
[[email protected] ~]# visudo -c
/etc/sudoers: parsed OK
[[email protected] ~]# grep oldgirl /etc/sudoers
oldgirl ALL=(ALL) NOPASSWD:/usr/bin/rsync