Linux Basics Practice (9)

Source: Internet  Editor: 程序博客网  Time: 2024/05/22 12:49

1. openssh-server

Function: lets remote hosts reach the sshd service over the network and open a secure shell.

ssh remote_user@remote_host_ip
[kiosk@foundation91 Desktop]$ ssh root@172.25.254.191    ## connect to this host remotely
The authenticity of host '172.25.254.191 (172.25.254.191)' can't be established.
ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
Are you sure you want to continue connecting (yes/no)? yes    ## the first login must confirm the host key to establish trust
Warning: Permanently added '172.25.254.191' (ECDSA) to the list of known hosts.
root@172.25.254.191's password:    ## enter the password of the user you are logging in as
Last login: Wed Apr 12 04:32:50 2017
[root@localhost ~]#    ## login succeeded

ssh remote_user@remote_host_ip -X    ## use the remote host's graphical tools
ssh remote_user@remote_host_ip command    ## run a single command directly on the remote host

3. sshkey authentication

1. Generate the public and private keys

[root@localhost Desktop]# ssh-keygen    ## on the server: the tool that generates the public/private key pair
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):    ## press [Enter]; file the key is saved to (the default is recommended)
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):    ## press [Enter]; key passphrase, must be > 4 characters
Enter same passphrase again:    ## press [Enter]; confirm the passphrase
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
2c:f5:ce:1d:8a:9d:af:5d:73:8e:fa:9d:75:97:33:ef  root@localhost
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|        .        |
|       o .       |
|      . S . .    |
|       . = + .  .|
|        . * . o+=|
|           o . *O|
|          ..+oooE|
+-----------------+
[root@localhost Desktop]# ls /root/.ssh/
authorized_keys  id_rsa  id_rsa.pub
[root@localhost Desktop]#
id_rsa        ## private key: this is the key
id_rsa.pub    ## public key: this is the lock



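2. Add key authentication
[root@localhost Desktop]# ssh-copy-id -i /root/.ssh/id_rsa.pub  root@172.25.254.206
ssh-copy-id              ## the tool that adds key authentication
-i                       ## specifies the key file
/root/.ssh/id_rsa.pub    ## the public key (the lock)
root                     ## user account the key is added for: root
172.25.254.206           ## IP of the host the key is added to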



3. Distribute the key to the client host

[root@localhost Desktop]# scp /root/.ssh/id_rsa root@172.25.254.191:/root/.ssh/

4. Test (try to log in to the server from the client)

[root@localhost Desktop]# ssh root@172.25.254.206    ## connects directly using id_rsa, no user password is asked for
Last login: Wed Apr 12 05:43:33 2017 from 172.25.254.191
[root@localhost Desktop]#



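4. Raising the security level of openssh

1. openssh-server configuration file (edit the file on the server)
/etc/ssh/sshd_config    ## the leading numbers below are line numbers in this file
78 PasswordAuthentication yes|no    ## whether password authentication is enabled: yes allows it, no turns it off
48 PermitRootLogin yes|no    ## whether the superuser is allowed to log in
49 AllowUsers student westos    ## user whitelist: only the users listed here can open a shell through sshd
50 DenyUsers westos    ## user blacklist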
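
An audit of the four directives above, as an added example that is not part of the original page: it reports the value sshd would use for PasswordAuthentication and PermitRootLogin and flags users listed in both AllowUsers and DenyUsers (sshd checks DenyUsers first, so westos in the lines above ends up denied). The function names and the sample file are constructed for illustration, and the script assumes whitespace-separated "Keyword value" lines and literal user names.

```sh
# Added example, not from the original page. Assumes "Keyword value" lines
# separated by whitespace and literal user names (no patterns).

# sshd_values FILE KEYWORD [all]: print the values sshd reads for KEYWORD.
# Keywords are case-insensitive; the first occurrence wins unless "all" is
# given (AllowUsers/DenyUsers accumulate). Parsing stops at the first Match
# block because the lines after it apply only conditionally.
sshd_values() {
    awk -v key="$2" -v all="${3:-}" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match"   { exit }
        tolower($1) == tolower(key) {
            for (i = 2; i <= NF; i++) print $i
            if (all == "") exit
        }' "$1"
}

# audit_sshd FILE: one finding per line; returns 1 on any WEAK or WARN.
audit_sshd() {
    file=$1; rc=0
    for key in PasswordAuthentication PermitRootLogin; do
        val=$(sshd_values "$file" "$key" | tr 'A-Z' 'a-z')
        case $val in
            no)  echo "OK   $key no" ;;
            yes) echo "WEAK $key yes"; rc=1 ;;
            '')  echo "WARN $key unset, built-in default applies"; rc=1 ;;
            *)   echo "NOTE $key $val" ;;
        esac
    done
    allow=$(sshd_values "$file" AllowUsers all | tr '\n' ' ')
    deny=$(sshd_values "$file" DenyUsers all | tr '\n' ' ')
    [ -n "$allow" ] || { echo "WARN no AllowUsers whitelist"; rc=1; }
    for u in $allow; do   # sshd checks DenyUsers before AllowUsers
        case " $deny " in
            *" $u "*) echo "NOTE $u is in AllowUsers and DenyUsers, so denied" ;;
            *)        echo "OK   $u is whitelisted" ;;
        esac
    done
    return $rc
}

# Constructed sample input (not a real host's file).
sample_config() {
    printf '%s\n' '# constructed sample' 'PermitRootLogin yes' \
        'passwordauthentication no' 'AllowUsers student westos' \
        'DenyUsers westos'
}

tmp=$(mktemp) && sample_config > "$tmp"
audit_sshd "$tmp" || true; rm -f "$tmp"
```

On a live host, sshd -t checks the edited file for syntax errors and sshd -T prints the configuration sshd will actually use.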
