CentOS 7设置NTP、SSH服务

【1】配置NTP服务

1、安装ntpd并配置ntp服务

[root@vdevops ~]# yum -y install ntp 

 # 18行: 添加允许同步的网络段restrict 10.1.1.0 mask 255.255.255.0 nomodify notrap<pre name="code" class="html">[root@vdevops ~]# <a target=_blank href="https://www.server-world.info/en/command/html/systemctl.html" style="color: #ffff00">systemctl</a> start ntpd 

[root@vdevops ~]# systemctl enable ntpd

2、如果当前系统的Firewalld是运行状态，需要执行下面命令

[root@vdevops ~]# firewall-cmd --add-service=ntp --permanentsuccess[root@vdevops ~]# firewall-cmd --reloadsuccess 

3、确认ntp服务是否正常[root@vdevops ~]# ntpq -p     remote           refid      st t when poll reach   delay   offset  jitter==============================================================================*time5.aliyun.co 10.137.38.86     2 u   92   64   36   30.174    0.236   0.524

4、同步aliyun的时间服务器

[root@linuxprobe ~]# ntpdate times.aliyun.com26 Oct 11:51:30 ntpdate[2935]: step time server 120.25.115.19 offset 15075.743514 sec

【2】配置SSH服务

1、即使您使用“最小安装”安装了CentOS，OpenSSH也已默认安装，因此不必安装新软件包。您可以默认使用密码验证登录，但更改一些设置为安全如下：

[root@vdevops ~]# vi /etc/ssh/sshd_config# 48行: 取消注释改变yes为弄 ( 禁止root远程登录 )PermitRootLogin no# 77 行:取消注释PermitEmptyPasswords noPasswordAuthentication yes[root@vdevops ~]# systemctl restart sshd 

2、如果Firewalld是运行状态，需要添加以下策略

[root@vdevops ~]# firewall-cmd --add-service=ssh --permanentsuccess[root@vdevops ~]# firewall-cmd --reloadsuccess 

3、ssh文件传输

使用SCP（安全复制）的例子

yum -y install openssh-clients

拷贝本地的测试文件到远程主机,使用scp前设置hosts文件，保证每台主机上包含对方的主机IP和域名解析，并且对应起来

[root@vdevops ~]# scp test.txt wang@linuxprobe.org:/tmpThe authenticity of host 'linuxprobe.org (10.1.1.53)' can't be established.ECDSA key fingerprint is d1:bd:3c:7f:68:71:79:44:4f:e5:2c:42:f1:06:49:14.Are you sure you want to continue connecting (yes/no)? yesWarning: Permanently added 'linuxprobe.org,10.1.1.53' (ECDSA) to the list of known hosts.wang@linuxprobe.org's password: test.txt [root@vdevops ~]# scp -P22 wang@linuxprobe.org:/tmp/test.txt ./wang@linuxprobe.org's password: test.txt    

 4、使用sftp传输文件# sftp [Option] [user@host] 操作参数[redhat@vdevops ~]$ sftp wang@linuxprobe.org          #连接远程服务器wang@linuxprobe.org's password:# password of the userConnected to linuxprobe.orgsftp># 查看远程服务器当前目录sftp> pwdRemote working directory: /home/wang# 查看本地服务器当前目录sftp> !pwd/home/redhat# 查看ftp服务器期当前目录文件sftp> ls -ldrwxrwxr-x    2 wang     wang            6 Jul 29 21:33 public_html-rw-rw-r--    1 wang     wang           10 Jul 28 22:53 test.txt# 查看本地服务器当前目录文件sftp> !ls -ltotal 4-rw-rw-r-- 1 redhat redhat 10 Jul 29 21:31 test.txtsftp> cd public_html                #切换目录sftp> pwdRemote working directory: /home/wang/public_html# 上传本地文件到远程服务器sftp> put test.txt redhat.txtUploading test.txt to /home/wang/redhat.txttest.txt 100% 10 0.0KB/s 00:00sftp> ls -ldrwxrwxr-x    2 wang     wang            6 Jul 29 21:33 public_html-rw-rw-r--    1 wang     wang           10 Jul 29 21:39 redhat.txt-rw-rw-r--    1 wang     wang           10 Jul 28 22:53 test.txtsftp> put *.txtUploading test.txt to /home/wang/test.txttest.txt 100% 10 0.0KB/s 00:00Uploading test2.txt to /home/wang/test2.txttest2.txt 100% 0 0.0KB/s 00:00sftp> ls -ldrwxrwxr-x    2 wang     wang            6 Jul 29 21:33 public_html-rw-rw-r--    1 wang     wang           10 Jul 29 21:39 redhat.txt-rw-rw-r--    1 wang     wang           10 Jul 29 21:45 test.txt-rw-rw-r--    1 wang     wang           10 Jul 29 21:46 test2.txt# 从远程服务器上面下载单个文件sftp> get test.txtFetching /home/wang/test.txt to test.txt/home/wang/test.txt 100% 10 0.0KB/s 00:00# 从远程服务器上面下载多个文件sftp> get *.txtFetching /home/wang/redhat.txt to redhat.txt/home/wang/redhat.txt 100% 10 0.0KB/s 00:00Fetching /home/wang/test.txt to test.txt/home/wang/test.txt 100% 10 0.0KB/s 00:00Fetching /home/wang/test2.txt to test2.txt/home/wang/test2.txt 100% 10 0.0KB/s 00:00# create a directory on remote serversftp> mkdir testdirsftp> ls -ldrwxrwxr-x    2 wang     wang            6 Jul 29 21:33 public_html-rw-rw-r--    1 wang     wang           10 Jul 29 21:39 redhat.txt-rw-rw-r--    1 wang     wang           10 Jul 29 21:45 test.txt-rw-rw-r--    1 wang     wang           10 Jul 29 21:46 test2.txtdrwxrwxr-x    2 wang     wang            6 Jul 29 21:53 testdir# 删除远程服务器上面的目录sftp> rmdir testdirrmdir ok, `testdir' removedsftp> ls -ldrwxrwxr-x    2 wang     wang            6 Jul 29 21:33 public_html-rw-rw-r--    1 wang     wang           10 Jul 29 21:39 redhat.txt-rw-rw-r--    1 wang     wang           10 Jul 29 21:45 test.txt-rw-rw-r--    1 wang     wang           10 Jul 29 21:46 test2.txt# 删除远程服务上面的文件sftp> rm test2.txtRemoving /home/wang/test2.txtsftp> ls -ldrwxrwxr-x    2 wang     wang            6 Jul 29 21:33 public_html-rw-rw-r--    1 wang     wang           10 Jul 29 21:39 redhat.txt-rw-rw-r--    1 wang     wang           10 Jul 29 21:45 test.txt# execute commands with "![command]"sftp> !cat /etc/passwdroot:x:0:0:root:/root:/bin/bashbin:x:1:1:bin:/bin:/sbin/nologin......redhat:x:1001:1001::/home/redhat:/bin/bash# exitsftp> quit  #退出sftp连接

5、SSH keys认证

为每个用户创建密钥对，因此使用普通用户登录并按如下所示工作。

[wang@vdevops ~]$ ssh-keygen -t rsaGenerating public/private rsa key pair.Enter file in which to save the key (/home/wang/.ssh/id_rsa): Created directory '/home/wang/.ssh'.Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/wang/.ssh/id_rsa.Your public key has been saved in /home/wang/.ssh/id_rsa.pub.The key fingerprint is:af:58:16:e9:f9:02:bc:95:5d:ec:4d:bd:6a:2b:39:06 wang@vdevops.comThe key's randomart image is:+--[ RSA 2048]----+|                 ||                 ||           .   . ||         .  o . .||     .  So o o  .||      o.oE. . .. ||       += o . .  ||      .+.o = o   ||      . ..o +..  |+-----------------+[wang@vdevops ~]$ mv ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys[wang@vdevops ~]$ chmod 600 ~/.ssh/authorized_keys 

两台服务器其中vdevops.com作为服务端，linuxprobe.org作为客户端，拷贝服务的id_rsa文件到客户端，客户端上面对象的用户可以通过认证文件登录到服务端

#在linuxprobe.org上

[wang@linuxprobe ~]$ ls -a.  ..  .bash_logout  .bash_profile  .bashrc[wang@linuxprobe ~]$ mkdir ~/.ssh[wang@linuxprobe ~]$ chmod 700 ~/.ssh[wang@linuxprobe ~]$ scp wang@vdevops.com:/home/wang/.ssh/id_rsa ~/.ssh/The authenticity of host 'vdevops.com (10.1.1.56)' can't be established.ECDSA key fingerprint is f8:d2:55:54:8f:e8:43:e0:ee:aa:d6:8d:53:8c:8e:85.Are you sure you want to continue connecting (yes/no)? yesWarning: Permanently added 'vdevops.com,10.1.1.56' (ECDSA) to the list of known hosts.wang@vdevops.com's password: id_rsa                                                                                                       100% 1679     1.6KB/s   00:00    [wang@linuxprobe ~]$ ssh -i ~/.ssh/id_rsa wang@vdevops.comLast login: Wed Oct 26 15:39:18 2016                   #登录成功

#如果想要更加安全的登录远程服务器，可以设置PasswordAuthentication=no，重启sshd服务，这样从本地登录远程服务器的时候不仅需要密码验证还需要key文件验证

6、设置SFTP和Chroot

应用此设置的某些用户只能使用SFTP访问，或者访问制定允许的目录。

例如,设置Chroot目录/ home

 # 针对SFTP创建一个特定的组[root@vdevops ~]# groupadd sftp_users# 把用户wang加到sftp组中[root@vdevops ~]# usermod -G sftp_users cent[root@vdevops ~]# vi /etc/ssh/sshd_config# line 147: 取消注释并添加一行#Subsystem sftp /usr/libexec/openssh/sftp-serverSubsystem sftp internal-sftp# 在下面增加下面几行内容Match Group sftp_users  X11Forwarding no  AllowTcpForwarding no  ChrootDirectory /home  ForceCommand internal-sftp[root@vdevops ~]# systemctl restart sshd    #重启sshd服务

6.2、测试用户登录

[root@linuxprobe ~]# ssh wang@10.1.1.56wang@10.1.1.56's password: Could not chdir to home directory /home/wang: No such file or directoryThis service allows sftp connections only.Connection to 10.1.1.56 closed.[root@linuxprobe ~]# sftp wang@10.1.1.56wang@10.1.1.56's password: Connected to 10.1.1.56.sftp> ls -ldrwx------    2 1000     1000           59 Oct 25 17:02 shaondrwx------    2 1002     1003           59 Oct 26  2016 testuserdrwx------    3 1001     1001           90 Oct 26 07:39 wangsftp> pwdRemote working directory: /sftp> exit

7、SSH端口转发

例如，配置转发设置，将本地的8081转发到本地的5901（VNC）。

# forward the connection to 8081 to 5901 on local[wang@linuxprobe ~]$ ssh -L 0.0.0.0:8081:localhost:5901 wang@localhostwang@localhost's password:   # the password of the working user (it means the login to local to local)Last login: Thu Jul 10 01:35:15 2014# confirm[wang@linuxprobe ~]$ netstat -lnp | grep 8081(Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.)tcp        0      0 0.0.0.0:8081            0.0.0.0:*               LISTEN      3238/ssh# keep this session and go next# it's possbile to start the process on background as a daemon with "-f" option but then it needs to kill it by hand after working.

#然后通过8081端口连接VNC服务端

8、使用SSHPass自动输入密码身份验证密码
这很方便，但有安全隐患（密码泄漏），如果你使用它时要格外小心。

<div class="color2"># 从EPEL源安装</div>[root@vdevops ~]# yum --enablerepo=epel -y install sshpass# 使用sshpass[root@vdevops ~]# sshpass -p fangbuxia..0 ssh 10.1.1.53 hostnamelinuxprobe.org[root@vdevops ~]# echo "fangbuxia..0" sshpass.txtfangbuxia..0 sshpass.txt[root@vdevops ~]# echo "fangbuxia..0" > sshpass.txt[root@vdevops ~]# chmod 600 sshpass.txt [root@vdevops ~]# sshpass -f sshpass.txt ssh 10.1.1.53 hostnamelinuxprobe.org[root@vdevops ~]# export SSHPASS=fangbuxia..0[root@vdevops ~]# sshpass -e ssh 10.1.1.53 hostnamelinuxprobe.org

9、用SSH-Agent自动输入密钥对身份验证的密码

9.1、SSH密钥验证

配置SSH服务器以使用密钥验证进行登录。为客户端创建一个私钥，并为服务器创建一个公钥。

以vdevops.com为服务端：

为每个用户创建密钥对，因此使用普通用户登录并按如下所示工作：

[wang@vdevops ~]$ ssh-keygen -t rsaGenerating public/private rsa key pair.Enter file in which to save the key (/home/wang/.ssh/id_rsa): /home/wang/.ssh/id_rsa already exists.Overwrite (y/n)? yEnter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/wang/.ssh/id_rsa.Your public key has been saved in /home/wang/.ssh/id_rsa.pub.The key fingerprint is:75:6c:9b:02:0a:00:78:3b:aa:6a:10:71:99:42:a7:62 wang@vdevops.comThe key's randomart image is:+--[ RSA 2048]----+|+o.+             ||+ B.       .     ||.E ..   . . +    ||+ o  . . o o o   || o .  . S . o    ||o          .     ||o                ||..               ||+                |+-----------------+[wang@vdevops ~]$ mv ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys [wang@vdevops ~]$ chmod 600 ~/.ssh/authorized_keys 

将在服务器上创建的密钥传输到客户端，然后可以使用密钥身份验证登录。

linuxprobe.org作为客户端：

[wang@linuxprobe ~]$ mkdir ~/.ssh              #创建存放密钥文件的默认路径，如果已存在不需要重复创建[wang@linuxpeobe ~]$ mkdir 700 ~/.ssh[wang@linuxprobe ~]$ scp wang@10.1.1.56:/home/wang/.ssh/id_rsa ~/.ssh/   #拷贝服务端的私钥wang@10.1.1.56's password: id_rsa                                                                                                       100% 1675     1.6KB/s   00:00    [wang@linuxprobe ~]$ ssh -i ~/.ssh/id_rsa wang@10.1.1.56                 #使用服务端的私钥登录到服务端Last login: Thu Oct 27 09:24:18 2016[wang@vdevops ~]$   #登录成功#客户端创建公钥文件[wang@linuxprobe ~]$ ssh-keygen -t rsaGenerating public/private rsa key pair.Enter file in which to save the key (/home/wang/.ssh/id_rsa): yEnter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in y.Your public key has been saved in <span style="color:#FF6666;">y.pub</span>.The key fingerprint is:3e:de:94:77:cc:11:8c:a5:df:38:30:63:32:25:a1:81 wang@linuxprobe.orgThe key's randomart image is:+--[ RSA 2048]----+|       .. o.. .  ||      E  o o =   ||        . o B o  ||           + = + ||        S     = .||       .   . o o ||        o o . +  ||       . + . .   ||        . .      |+-----------------+#把y.pub拷贝到服务端加入到authorized_keys里面，即可从服务端免密码登录到客户端

10、使用并行SSH

[1] 安装pssh# 从EPEL源安装[root@vdevops ~]# yum --enablerepo=epel -y install pssh[2] 如何使用PSSH.确保服务器之间设置好密钥对认证# 连接到服务器上执行命令[wang@vdevops ~]$ pssh -H "10.1.1.51 10.1.1.52" -i "hostname"[1] 17:28:02 [SUCCESS] 10.1.1.51node01.linuxprobe[2] 17:28:02 [SUCCESS] 10.1.1.52node02.linuxprobe# it's possible to read host list fron a file[wang@vdevops ~]$ vi pssh_hosts.txt# 自定义host文件，按照下面的格式wang@10.1.1.51wang@10.1.1.52[wang@vdevops ~]$ pssh -h pssh_hosts.txt -i "uptime"[1] 19:37:59 [SUCCESS] wang@10.1.1.52 19:37:59 up  1:35,  0 users,  load average: 0.00, 0.00, 0.00[2] 19:37:59 [SUCCESS] wang@10.1.1.51 19:37:59 up  1:35,  0 users,  load average: 0.00, 0.00, 0.00[3] 可以采用密码认证的方式，但是需要保证host文件中定义的主机同一账户的密码是相同的[wang@vdevops ~]$ pssh -h pssh_hosts.txt -A -O PreferredAuthentications=password -i "uname -r"Warning: do not enter your password if anyone else has superuserprivileges or access to your account.Password: # input password[1] 12:54:06 [SUCCESS] wang@10.1.1.512.6.32-504.12.2.el6.x86_64[2] 12:54:06 [SUCCESS] wang@10.1.1.522.6.32-504.12.2.el6.x86_64<span id="transmark" style="display: none; width: 0px; height: 0px;"></span>

#总结：在CentOS配置相关服务时，建议多配置几篇，大致了解服务的原理。