Linux服务之SSH

一、ssh（secure shell）安装

 

view sourceprint?

01.[root@localhost logs]# yum install openssh

02. 

03.………………………………

04. 

05.Downloading Packages:

06.(1/4): openssh-5.3p1-84.1.el6.x86 | 236 kB     00:00    

07.(2/4): openssh-askpass-5.3p1-84.1 |  53 kB     00:00    

08.(3/4): openssh-clients-5.3p1-84.1 | 355 kB     00:00    

09.(4/4): openssh-server-5.3p1-84.1. | 299 kB     00:00

10. 

11. 

12.……………………

二、ssh相关的文件详解

 

view sourceprint?

001.1、 /etc/ssh/sshd_config  ssh 服务的主配置文件，基本上所有的ssh相关设定都在这里

002. 

003. 

004.# This is the sshd server system-wide configuration file.  See

005.# sshd_config(5) for more information.

006. 

007.# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

008.# The strategy used for options in the default sshd_config shipped with

009.# OpenSSH is to specify options with their default value where

010.# possible, but leave them commented.  Uncommented options change a

011.# default value.

012. 

013. 

014.#Port 22       -----sshd服务默认的端口22，为了安全考虑建议修改成其它端口

015. 

016.#AddressFamily any

017.ListenAddress 192.168.1.1  -------------监听的主机，只监听来自192.168.1.1的ssh连接

018.#ListenAddress ::

019.# Disable legacy (protocol version 1) support in the server for new

020.# installations. In future the default will change to require explicit

021.# activation of protocol 1

022.Protocol 2           ----------------ssh的协议版本，这里是2

023. 

024.# HostKey for protocol version 1

025.#HostKey /etc/ssh/ssh_host_key

026.# HostKeys for protocol version 2

027.#HostKey /etc/ssh/ssh_host_rsa_key

028.#HostKey /etc/ssh/ssh_host_dsa_key

029. 

030.# Lifetime and size of ephemeral version 1 server key

031.#KeyRegenerationInterval 1h                -----------每个一个小时重新建立一次连接，这里未开启

032.#ServerKeyBits 1024       -----------server key的长度

033. 

034.# Logging

035.# obsoletes QuietMode and FascistLogging

036.#SyslogFacility AUTH                         

037.SyslogFacility AUTHPRIV      ------------当有人使用ssh登入系统的时候，ssh会记录信息（/var/log/secure）

038.#LogLevel INFO

039. 

040.# Authentication:

041.#LoginGraceTime 2m

042.#PermitRootLogin yes        -----------是否允许root登陆，默认是允许的，建议设置成no

043.#StrictModes yes               -------------当使用者的host key改变之后，server就不接受其联机

044.#MaxAuthTries 6               --------------最多root尝试6次连接

045.#MaxSessions 10

046. 

047.#RSAAuthentication yes    -------------是否使用rsa认证，只针对version1

048.#PubkeyAuthentication yes ------------是否允许public key，只针对version2

049.#AuthorizedKeysFile     .ssh/authorized_keys  -------认证文件

050.#AuthorizedKeysCommand none

051.#AuthorizedKeysCommandRunAs nobody

052. 

053.# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts

054.#RhostsRSAAuthentication no   ---------是否仅适用于rhosts认证，为了安全一定设置为否

055.# similar for protocol version 2

056.#HostbasedAuthentication no

057.# Change to yes if you don't trust ~/.ssh/known_hosts for

058.# RhostsRSAAuthentication and HostbasedAuthentication

059.#IgnoreUserKnownHosts no   --------------是否忽略掉~/.shosts files中的用户

060.# Don't read the user's ~/.rhosts and ~/.shosts files 

061.#IgnoreRhosts yes

062. 

063.# To disable tunneled clear text passwords, change to no here!

064.#PasswordAuthentication yes    --------------是否需要密码认证

065.#PermitEmptyPasswords no       --------------不允许空密码

066.PasswordAuthenticationyes       -------------开启密码认证

067.# Change to no to disable s/key passwords

068.#ChallengeResponseAuthentication yes

069.ChallengeResponseAuthentication no   -----------不挑战任何的密码认证，任何login.conf规定的认证方式，都禁用

070.# Set this to 'yes' to enable PAM authentication, account processing,

071.# and session processing. If this is enabled, PAM authentication will be allowed through the #ChallengeResponseAuthentication and PasswordAuthentication.  Depending on your PAM configuration,

072.# PAM authentication via ChallengeResponseAuthentication may bypassthe setting of "PermitRootLogin without-#password". If you just want the PAM account and session checks to run without PAM authentication, then enable #this but set PasswordAuthentication and ChallengeResponseAuthentication to 'no'.

073.UsePAMyes      -----------启用pam模块

074.# Accept locale-related environment variables          ------------环境变量

075.AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES

076.AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT

077.AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE

078.AcceptEnv XMODIFIERS

079.#PrintMotd yes       ---------登陆后是否显示一些默认信息

080.#PrintLastLog yes  ---------显示上次登录的信息

081.#TCPKeepAlive yes  -------ssh server会传keepalive信息给client以此确保两者的联机正常，任何一端死后，马上断开

082.#UseLogin no

083.#UsePrivilegeSeparation yes   -------------使用者的权限设定

084.#PermitUserEnvironment no

085.#PidFile /var/run/sshd.pid

086.#MaxStartups 10     ----------最大联机画面

087.#PermitTunnel no

088.#ChrootDirectory none

089.# override default of no subsystems

090. 

091.Subsystem      sftp    /usr/libexec/openssh/sftp-server         ---------- sftp服务的设置

092. 

093.++++++++++++以上是sshd服务端+++++++下面是客户端++++++++

094. 

095.2、/etc/ssh/ssh_config    -------ssh客户端配置文件

096. 

097.# This is the ssh client system-wide configuration file.  See

098.# ssh_config(5) for more information.  This file provides defaults for

099.# users, and the values can be changed in per-user configuration files or on the command line.

100.# Host *   -----------只匹配设定的主机，这里默认是匹配所有的主机

101.#   ForwardAgent no     ------------连接是否经过验证代理

102.#   ForwardX11 no        ------------x11连接是否被自动重定向到安全的通道和显示集；

103.#   RhostsRSAAuthentication no  -----是否使用rsa算法的基于rhosts的安全验证

104.#   RSAAuthentication yes    ----------是否使用rsa算法验证

105.#   PasswordAuthentication yes  ----------是否使用密码验证

106.#   CheckHostIP yes    -------------是否验证ip

107.#   AddressFamily any

108.#   ConnectTimeout 0   ----------连接超时时间

109.#   StrictHostKeyChecking ask

110.#   IdentityFile ~/.ssh/identity

111.#   IdentityFile ~/.ssh/id_rsa

112.#   IdentityFile ~/.ssh/id_dsa

113.#   Port 22          ------------连接远程主机的端口

114.#   Protocol 2,1  -----------采用的协议版本

115.#   Cipher 3des

116.#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc

117.#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160

118.#   EscapeChar ~   --------------设置escape字符

119.#   Tunnel no

120.#   TunnelDevice any:any

121.#   PermitLocalCommand no

122.#   VisualHostKey no

123.Host *

124.GSSAPIAuthenticationyes

125.# If this option is set to yes then remote X11 clients will have full access

126.# to the original X11 display. As virtually no X11 client supports the untrusted

127.# mode correctly we set this to yes.

128.ForwardX11Trustedyes

129.# Send locale-related environment variables

130.SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES

131.SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT

132.SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE

133.SendEnv XMODIFIERS

134. 

135. 

136.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

3、~/.ssh/known_hosts文件的作用

ssh 会把每个你访问过的计算机的公钥（public key）都记录到~/.ssh/known_hosts文件中，当你下次访问该计算机时，openss会核对公钥。如果公钥不同，那openssh就会发出警告，避免你收到DNSHijack等攻击

 

三、ssh服务控制命令

启动ssh服务： service sshd start

关闭ssh服务：service sshdstop

重启ssh服务： service sshd restart

 

view sourceprint?

1.[root@localhost softs]# netstat -anpt | grep sshd     ----------查看sshd的22端口是否打开

2. 

3.tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      2854/sshd

ssh命令常用的参数

-l  指定用户；   -p指定端口号；   -X开启x协议转发

 

view sourceprint?

01.[root@localhost softs]# ssh root@192.168.254.46

02.The authenticity of host '192.168.254.46 (192.168.254.46)' can't be established.

03.RSA key fingerprint is 18:5f:3e:08:d0:a7:f1:93:f9:34:63:41:31:24:2a:02.

04.Are you sure you want tocontinue connecting (yes/no)?yes

05.Warning: Permanently added '192.168.254.46' (RSA) to the list of known hosts.

06.root@192.168.254.46's password:          #输入密码

07. 

08. 

09.Last login: Wed Oct 23 10:20:19 2013 from 192.168.254.152      -----登陆成功

10. 

11. 

12.[root@localhost ~]# exit -------断开ssh连接

13.logout

14.Connection to 192.168.254.46 closed.

15. 

16. 

17.[root@localhost softs]# ssh -p 22 -l root 192.168.254.46   #P默认为22，可以省略

18.root@192.168.254.46's password:

19. 

20. 

21.[root@localhost softs]# ssh 192.168.254.46

22.root@192.168.254.46's password:

23. 

24.++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

四、ssh的公钥认证

1.生成密钥文件

 

view sourceprint?

01.[root@localhost ~]# lsb_release -a   -------先看一下我的linux版本

02.LSB Version:    :core-3.1-ia32:core-3.1-noarch:graphics-3.1-ia32:graphics-3.1-noarch

03.Distributor ID: RedHatEnterpriseServer

04.Description:    Red Hat Enterprise <a href="http://www.it165.net/os/oslin/"target="_blank" class="keylink">Linux</a> Server release 5.5 (Tikanga)

05.Release:        5.5

06.Codename:       Tikanga

07. 

08. 

09. 

10. 

11. 

12.[root@localhost ~]# ssh-keygen -t rsa         #生成密钥对

13.Generating public/private rsa key pair.

14.Enterfile in which to save the key (/root/.ssh/id_rsa):        #输入私钥文件的名称，直接回车使用默认名称

15.Enter passphrase (emptyfor no passphrase):    #输入密钥文件的密码，直接回车不设置密码

16.Enter same passphrase again:                         #再次输入密码确认

17.Your identification has been savedin /root/.ssh/id_rsa.

18.Your public key has been savedin /root/.ssh/id_rsa.pub.

19.The key fingerprint is:

20.d3:41:dd:41:56:a2:ca:7a:81:9a:64:74:d7:df:32:9e root@localhost.localdomain

21. 

22. 

23.[root@localhost ~]# ll /root/.ssh/

24.总计 12

25.-rw------- 1 root root 1675 10-23 10:28 id_rsa      -------生成的私钥

26.-rw-r--r-- 1 root root  408 10-23 10:28 id_rsa.pub  ------生成的公钥

27.-rw-r--r-- 1 root root  396 10-23 10:20 known_hosts ------登陆者的信息

2、将公钥复制到远程主机

 

view sourceprint?

1.[root@localhost ~]# scp ~/.ssh/id_rsa.pub root@192.168.254.46:~/.ssh/authorized_keys

2. 

3.------将公钥复制到远程服务器指定的目录下，并且重命名为authorized_keys。scp是openssh自带的工具。

4. 

5.root@192.168.254.46's password:      --------输入远程主机的密码

6.id_rsa.pub                 100%  408     0.4KB/s   00:00

3、登录到远程主机

 

view sourceprint?

1.[root@localhost ~]# ssh 192.168.254.46

2.root@192.168.254.46's password:

查看该主机的系统版本

 

view sourceprint?

1.[root@localhost ~]# cat /proc/version

2.<a href="http://www.it165.net/os/oslin/"target="_blank" class="keylink">Linux</a> version 2.6.32-71.el6.x86_64 (mockbuild@c6b6.centos.org) (gcc version 4.4.4 20100726 (Red Hat 4.4.4-13) (GCC) )#1 SMP Fri May 20 03:51:51 BST 2011

3.[root@localhost ~]#

然后再该主机上同样生成公钥

 

view sourceprint?

01.[root@localhost ~]# ssh-keygen -t rsa

02.Generating public/private rsa key pair.

03.Enterfile in which to save the key (/root/.ssh/id_rsa):

04.Created directory '/root/.ssh'.

05.Enter passphrase (emptyfor no passphrase):

06.Enter same passphrase again:

07.Your identification has been savedin /root/.ssh/id_rsa.

08.Your public key has been savedin /root/.ssh/id_rsa.pub.

09.The key fingerprint is:

10.6b:35:ba:70:2d:06:ee:3e:80:37:7b:ee:9c:1f:c1:2e root@localhost.localdomain

11.The key's randomart image is:

12.+--[ RSA 2048]----+

13.|                 |

14.|                 |

15.|                 |

16.|       .         |

17.|   .  . S o      |

18.|  . +. o * .     |

19.|   . +E X .      |

20.|    .ooB +       |

21.|     =Boo        |

22.+-----------------+

  将公钥传到192.168.254.153上面

 

view sourceprint?

01.[root@localhost ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@192.168.254.153   ======另外一种远程传公钥的方法

02.The authenticity of host '192.168.254.153 (192.168.254.153)' can't be established.

03.RSA key fingerprint is 4d:24:b3:e8:82:11:bf:e1:a0:0c:45:27:57:8e:a1:c8.

04.Are you sure you want tocontinue connecting (yes/no)?yes

05.Warning: Permanently added '192.168.254.153' (RSA) to the list of known hosts.

06.root@192.168.254.153's pass<a href="http://www.it165.net/edu/ebg/"target="_blank" class="keylink">word</a>:     ----------------输入192.168.254.153的密码

07. 

08. 

09.Now try logging into the machine, with"ssh 'root@192.168.254.153'", and checkin:

10. 

11..ssh/authorized_keys

12. 

13.tomake sure we haven't added extra keys that you weren't expecting.

14. 

15. 

16.[root@localhost ~]# ssh root@192.168.254.153

17.Last login: Wed Oct 23 09:55:54 2013 from 192.168.254.152    ----------不用输密码可以直接登陆了

五 、ssh客户端的使用

ssh 客户端的命令主要包括ssh ，scp和sftp

1、ssh的使用

ssh root@192.168.0.12 以root身份 远程登录远程主机

2、scp命令

scp命令可以用来通过安全加密的连接在机器之间进行文件的传输，与rcp相似。它传文件的一般语法为

scp localfile username@hostip:/newfilename

localfile  本地文件名称，username 远程主机用户名 hostip远程主机的ip地址

举例：scp  /var/log/httpd/access.log  root@192.168.1.115:/var/log/

把本地/var/log/httpd/下的access.log文件传到远程主机对应的/var/log/下面

3、sftp命令

sftp工具可以用来打开一次安全互动的ftp对话。与ftp类似，但是sftp使用安全加密的连接，一般语法为

view sourceprint?

01.sftpusername@hostname.com

02. 

03.[root@localhost .ssh]# sftp 192.168.254.153   sftp登陆，因为我交换了公钥，所以无需密码认证

04.Connecting to 192.168.254.153...

05.sftp>ls  ---------查看有哪些文件

06.Desktop                                                

07.anaconda-ks.cfg                                        

08.glibc-2.7-2.i386.rpm                                   

09.glibc-common-2.7-2.i386 .rpm                           

10.glibc-devel-2.7-2.i386.rpm                             

11.glibc-headers-2.7-2.i386.rpm                           

12.index.php                                              

13.install.log                                            

14.install.log.syslog                                     

15.jdk1.7.0                                               

16.mbox                                                   

17.my.cnf                                                 

18.phpMyAdmin-4.0.8-all-languages.tar.gz                  

19.sftp> get my.cnf           我随便下载了一个文件

20.Fetching /root/my.cnf to my.cnf   

21./root/my.cnf          100% 4920     4.8KB/s   00:00   

22.sftp> quit

六、访问控制

/etc/host.allow和/etc/hosts.deny

这两个文件时控制远程访问设置的，通过该设置可以允许或者拒绝某个ip或者ip段访问linux的某项服务。

[root@localhost .ssh]# vi /etc/hosts.allow

sshd:192.168.0.*:allow  允许该网段访问

sshd:192.168.1.15:allow  允许该ip地址访问

[root@localhost .ssh]# vi /etc/hosts.deny

sshd:all:deny   -------表示拒绝所有的sshd远程连接

当/etc/hosts.deny 跟/etc/hosts.allow冲突时会以哪个为准？这里有个规则

首先检查hosts.allow文件，若找到相关的策略则允许访问，否则继续检查hosts.deny ，若找到相关的策略则拒绝访问；如果两个文件中都没有匹配的策略则允许访问；如果二者冲突时以hosts.allow为准。

注意：如果这两个文件配置修改了，必须要重启service xinetd服务才能生效