ssh: secure shell, protocol, 22/tcp, 安全的远程登录,代替 telnet
具体的软件实现:
SSH协议版本
OpenSSH是SSH (Secure SHell) 协议的免费开源实现,一般在各种Linux版本中会默认安装,基于C/S结构
Openssh软件相关包:
范例:相关包
[root@centos8 ~]#rpm -qa openssh*
openssh-7.8p1-4.el8.x86_64
openssh-server-7.8p1-4.el8.x86_64
openssh-clients-7.8p1-4.el8.x86_64
[root@centos8 ~]#rpm -ql openssh-server
/etc/pam.d/sshd
/etc/ssh/sshd_config
/etc/sysconfig/sshd
/usr/lib/.build-id
/usr/lib/.build-id/03
/usr/lib/.build-id/03/212a76e490c8ccc32963c2675b069229bd423b
/usr/lib/.build-id/9f
/usr/lib/.build-id/9f/89f685cc7bef45de96019b2c34fec2ea889a90
/usr/lib/systemd/system/sshd-keygen.target
/usr/lib/systemd/system/sshd-keygen@.service
/usr/lib/systemd/system/sshd.service
/usr/lib/systemd/system/sshd.socket
/usr/lib/systemd/system/sshd@.service
/usr/lib/tmpfiles.d/openssh.conf
/usr/lib64/fipscheck/sshd.hmac
/usr/libexec/openssh/sftp-server
/usr/libexec/openssh/sshd-keygen
/usr/sbin/sshd
/usr/share/man/man5/moduli.5.gz
/usr/share/man/man5/sshd_config.5.gz
/usr/share/man/man8/sftp-server.8.gz
/usr/share/man/man8/sshd.8.gz
/var/empty/sshd
[root@centos8 ~]#rpm -ql openssh-clients
/etc/ssh/ssh_config
/etc/ssh/ssh_config.d
/etc/ssh/ssh_config.d/05-redhat.conf
/usr/bin/scp
/usr/bin/sftp
/usr/bin/ssh
/usr/bin/ssh-add
/usr/bin/ssh-agent
/usr/bin/ssh-copy-id
/usr/bin/ssh-keyscan
/usr/lib/.build-id
/usr/lib/.build-id/38
/usr/lib/.build-id/38/6a9c79f2e3a51119fab4e75f398cfc43f741fd
/usr/lib/.build-id/75
/usr/lib/.build-id/75/5b836d8fff0a025f2e0c2fd000eb882af20aef
/usr/lib/.build-id/84
/usr/lib/.build-id/84/1c0e0f02ef345a3011ef1c4586d363571f843e
/usr/lib/.build-id/94
/usr/lib/.build-id/94/082ac0ca7e553a4a371ec89f58128a76938f03
/usr/lib/.build-id/b7
/usr/lib/.build-id/b7/6976366baf16c87b1c09401342b605f03b48d5
/usr/lib/.build-id/c4
/usr/lib/.build-id/c4/febf93dea86402d74f22f0abf21a5ee67eaa5f
/usr/lib/.build-id/d4
/usr/lib/.build-id/d4/a2bd907d4b91d0474e60dd6ffe894f9477209d
/usr/lib64/fipscheck/ssh.hmac
/usr/libexec/openssh/ssh-pkcs11-helper
/usr/share/man/man1/scp.1.gz
/usr/share/man/man1/sftp.1.gz
/usr/share/man/man1/ssh-add.1.gz
/usr/share/man/man1/ssh-agent.1.gz
/usr/share/man/man1/ssh-copy-id.1.gz
/usr/share/man/man1/ssh-keyscan.1.gz
/usr/share/man/man1/ssh.1.gz
/usr/share/man/man5/ssh_config.5.gz
/usr/share/man/man8/ssh-pkcs11-helper.8.gz
[root@centos8 ~]#rpm -ql openssh
/etc/ssh
/etc/ssh/moduli
/usr/bin/ssh-keygen
/usr/lib/.build-id
/usr/lib/.build-id/7d
/usr/lib/.build-id/7d/09bd161027e05ad5e2503070fedcc024eead1d
/usr/lib/.build-id/81
/usr/lib/.build-id/81/391a95e2a2c2cccaab881225095ae2735abc2b
/usr/libexec/openssh
/usr/libexec/openssh/ssh-keysign
/usr/share/doc/openssh
/usr/share/doc/openssh/CREDITS
/usr/share/doc/openssh/ChangeLog
/usr/share/doc/openssh/INSTALL
/usr/share/doc/openssh/OVERVIEW
/usr/share/doc/openssh/PROTOCOL
/usr/share/doc/openssh/PROTOCOL.agent
/usr/share/doc/openssh/PROTOCOL.certkeys
/usr/share/doc/openssh/PROTOCOL.chacha20poly1305
/usr/share/doc/openssh/PROTOCOL.key
/usr/share/doc/openssh/PROTOCOL.krl
/usr/share/doc/openssh/PROTOCOL.mux
/usr/share/doc/openssh/README
/usr/share/doc/openssh/README.dns
/usr/share/doc/openssh/README.platform
/usr/share/doc/openssh/README.privsep
/usr/share/doc/openssh/README.tun
/usr/share/doc/openssh/TODO
/usr/share/licenses/openssh
/usr/share/licenses/openssh/LICENCE
/usr/share/man/man1/ssh-keygen.1.gz
/usr/share/man/man8/ssh-keysign.8.gz
服务器:/usr/sbin/sshd
Unit 文件:/usr/lib/systemd/system/sshd.service
客户端:
ssh命令是ssh客户端,允许实现对远程系统经验证地加密安全访问
当用户远程连接ssh服务器时,会复制ssh服务器/etc/ssh/ssh_host*key.pub文件中的公钥到客户机d的~./ssh/know_hosts中。下次连接时,会自动匹配相应私钥,不能匹配,将拒绝连接
ssh客户端配置文件:/etc/ssh/ssh_config
主要配置
#StrictHostKeyChecking ask
首次登录不显示检查提示
StrictHostKeyChecking no
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# IdentityFile ~/.ssh/id_ecdsa
# IdentityFile ~/.ssh/id_ed25519
# Port 22
范例:禁止首次连接的询问过程
[root@centos7 ~]#sed -i.bak '/StrictHostKeyChecking/s/.*/StrictHostKeyChecking no/' /etc/ssh/ssh_config
格式:
ssh [user@]host [COMMAND]
ssh [-l user] host [COMMAND]
常见选项
-p port:远程服务器监听的端口
-b 指定连接的源IP
-v 调试模式
-C 压缩方式
-X 支持x11转发
-t:强制伪tty分配,如:ssh -t remoteserver1 ssh -t remoteserver2 ssh
remoteserver3
-o option 如:-o StrictHostKeyChecking=no
-i <file> 指定私钥文件路径,实现基于key验证,默认使用文件: ~/.ssh/id_dsa,
~/.ssh/id_ecdsa, ~/.ssh/id_ed25519,~/.ssh/id_rsa等
范例:
[root@centos8 ~]#ssh -t 10.0.0.8 ssh -t 10.0.0.77 ssh 10.0.0.6
root@10.0.0.8's password:
root@10.0.0.77's password:
root@10.0.0.6's password:
Last login: Thu May 21 22:17:57 2020 from 10.0.0.77
[root@centos6 ~]#
范例:远程执行命令
[root@centos6 ~]#ssh 10.0.0.8 "sed -i.bak '/StrictHostKeyChecking/s/.*/StrictHostKeyChecking no/' /etc/ssh/ssh_config"
root@10.0.0.8's password:
[root@centos6 ~]#
范例:在远程主机运行本地shell脚本(很实用)
[root@centos8 ~]#hostname -I
10.0.0.88 192.168.122.1
[root@centos8 ~]#cat test.sh
#!/bin/bash
hostname -I
[root@centos8 ~]#ssh 10.0.0.8 /bin/bash < test.sh
root@10.0.0.8's password:
10.0.0.8 192.168.122.1
范例:
[root@centos8 ~]#lastb -f btmp-test | awk '{print $3}'|sort |uniq -c|sort -
nr|head
86294 58.218.92.37
43148 58.218.92.26
18036 112.85.42.201
10501 111.26.195.101
10501 111.231.235.49
10501 111.204.186.207
10501 111.11.29.199
10499 118.26.23.225
6288 42.7.26.142
4236 58.218.92.30
[root@centos8 ~]#lastb -f btmp-test | awk '{ip[$3]++}END{for(i in ip){print
ip[i],i}}'|sort -nr|head
86294 58.218.92.37
43148 58.218.92.26
18036 112.85.42.201
10501 111.26.195.101
10501 111.231.235.49
10501 111.204.186.207
10501 111.11.29.199
10499 118.26.23.225
6288 42.7.26.142
4236 58.218.92.30
ssh服务登录的验证方式
基于用户和口令登录验证
1 客户端发起ssh请求,服务器会把自己的公钥发送给用户
2 用户会根据服务器发来的公钥对密码进行加密
3 加密后的信息回传给服务器,服务器用自己的私钥解密,如果密码正确,则用户登录成功
基于密钥的登录方式
1 首先在客户端生成一对密钥(ssh-keygen)
2 并将客户端的公钥ssh-copy-id 拷贝到服务端
3 当客户端再次发送一个连接请求,包括ip、用户名
4 服务端得到客户端的请求后,会到authorized_keys中查找,如果有响应的IP和用户,就会随机生成一
个字符串,例如:magedu
5 服务端将使用客户端拷贝过来的公钥进行加密,然后发送给客户端
6 得到服务端发来的消息后,客户端会使用私钥进行解密,然后将解密后的字符串发送给服务端
7服务端接受到客户端发来的字符串后,跟之前的字符串进行对比,如果一致,就允许免密码登录
在客户端生成密钥对
ssh-keygen -t rsa [-P 'password'] [-f “~/.ssh/id_rsa"]
#可以直接执行ssh-keygen ,后面的一串可以生成
#默认rsa加密,~/.shh是默认路径,密码视情况而定
把公钥文件传输至远程服务器对应用户的家目录
ssh-copy-id [-i [identity_file]] [user@]host
重设私钥口令:
ssh-keygen –p
验证代理(authentication agent)保密解密后的密钥,口令就只需要输入一次,在GNOME中,代理被自动提供给root用户
#启用代理
ssh-agent bash
#钥匙通过命令添加给代理
ssh-add
在SecureCRT或Xshell实现基于key验证
在SecureCRT工具—>创建公钥—>生成Identity.pub文件
转化为openssh兼容格式(适合SecureCRT,Xshell不需要转化格式),并复制到需登录主机上相应文件authorized_keys中,注意权限必须为600,在需登录的ssh主机上执行:
ssh-keygen -i -f Identity.pub >> .ssh/authorized_keys
范例:实现基于 key 验证
[root@centos8 ~]#ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): #回车,接受默认值
Enter passphrase (empty for no passphrase): #回车,接受默认值,空密码
Enter same passphrase again: #回车,接受默认值
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:PVFtcR4yEjnfLW22d8mj6t/KX83oWVT37+TLK7/SmU4 root@centos8
The key‘s randomart image is:
+---[RSA 3072]----+
| o++.o.|
| +. =o.|
| . o...=|
| . . ...O|
| S o .+=|
| . O=|
| +E&|
| .=+X.|
| .oo+XX*|
+----[SHA256]-----+
[root@centos8 ~]#ll .ssh/
total 12
-rw------- 1 root root 2602 May 22 22:40 id_rsa
-rw-r--r-- 1 root root 566 May 22 22:40 id_rsa.pub
[root@centos8 ~]#cat .ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDbzJCv07jz13pWXljBT5HdWQoK71Oa537kxQ5e4uRbvUGYHfOei5YKX2Ke7f9pm5OycPgYId6fjAphcl7FkqF03SNIrds8HfLA2BbyXLP76hh/XzyK1lAXlMQL964kCtEdllHxBM+Z6ymAsepDj4bYaQx5jyYW66e/sbjNbQlqtnevWd3W/9ifd9xC9RdU/xEFxiphCEBXNo9hS8zEFhqaXqHHJkWfTyb8O735GMC8yDXtUyAs+zNVDY7k7EDSGMD7t25R5DcBXI9rrCQICoIHU/UWAiXeHu8To2ryr7j0g4UeI8DvksTo3BSwLOTzYb8bM41s1ZiP4gwtlgsIP1F1fJKQi1xVmQsL+h44pN/QGvPUEOEk5CvCD1SRu3gOrkDNhA6Cwpq9HDGpF3KkbCuTXU0ZL4b4O6+6zD8jemI5pfBzrhp05t/X5ZX10BGrqNDb0r22jgwy8E8CGUEuSt0OkJQR07W0l1/m/ivRvIufb7C1B/ATKiaLd4ZLPXGlNJc= root@centos8
[root@centos8 ~]#cat .ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEA28yQr9O489d6Vl5YwU+R3VkKCu9Tmud+5MUOXuLkW71BmB3znouW
Cl9inu3/aZuTsnD4GCHen4wKYXJexZKhdN0jSK3bPB3ywNgW8lyz++oYf188itZQF5TEC/
euJArRHZZR8QTPmespgLHqQ4+G2GkMeY8mFuunv7G4zW0JarZ3r1nd1v/Yn3fcQvUXVP8R
BcYqYQhAVzaPYUvMxBYaml6hxyZFn08m/Du9+RjAvMg17VMgLPszVQ2O5OxA0hjA+7duUe
Q3AVyPa6wkCAqCB1P1FgIl3h7vE6Nq8q+49IOFHiPA75LE6NwUsCzk82G/GzONbNWYj+IM
LZYLCD9RdXySkItcVZkLC/oeOKTf0Brz1BDhJOQrwg9Ukbt4Dq5AzYQOgsKavRwxqRdypG
wrk11NGS+G+Duvusw/I3piOaXwc64adObf1+WV9dARq6jQ29K9to4MMvBPAhlBLkrdDpCU
EdO1tJdf5v4r0byLn2+wtQfwEyomi3eGSz1xpTSXAAAFiFWWQVFVlkFRAAAAB3NzaC1yc2
EAAAGBANvMkK/TuPPXelZeWMFPkd1ZCgrvU5rnfuTFDl7i5Fu9QZgd856LlgpfYp7t/2mb
k7Jw+Bgh3p+MCmFyXsWSoXTdI0it2zwd8sDYFvJcs/vqGH9fPIrWUBeUxAv3riQK0R2WUf
EEz5nrKYCx6kOPhthpDHmPJhbrp7+xuM1tCWq2d69Z3db/2J933EL1F1T/EQXGKmEIQFc2
j2FLzMQWGppeoccmRZ9PJvw7vfkYwLzINe1TICz7M1UNjuTsQNIYwPu3blHkNwFcj2usJA
gKggdT9RYCJd4e7xOjavKvuPSDhR4jwO+SxOjcFLAs5PNhvxszjWzVmI/iDC2WCwg/UXV8
kpCLXFWZCwv6Hjik39Aa89QQ4STkK8IPVJG7eA6uQM2EDoLCmr0cMakXcqRsK5NdTRkvhv
g7r7rMPyN6Yjml8HOuGnTm39fllfXQEauo0NvSvbaODDLwTwIZQS5K3Q6QlBHTtbSXX+b+
K9G8i59vsLUH8BMqJot3hks9caU0lwAAAAMBAAEAAAGBAK+AerL6Ij8JedSGxuWrzDNqih
tLF32jhG3UbnITRvV9e2ej2sdoe2hS22M9c+h2YgtkKqTSPnk0j4FZmhS1zReMD0VUFK6+
1vtmT4Q7wzbNp7vkZmoRT6hUj+liXfjHbkvqoAkLp1wmKmBpLz2815Xq4xwY0fgROENW+9
GDU7aSdaRc5EZsySIjyYrpOjUS6RusLGCH/x/kH743kQus/pbuIszqYUMgJ2fVqA3C1vql
/nE+I33nIgiyp7tgbS2Utt+81sg1jkI4yyYY+4NirQB+tCJUYa0I2ENQMwRjtAYqy5lEtd
IO8HmRPfoXPtHXIQVEK4miNDVMnW1d1X7lvyFjLq4Bzw7NR9k+yF/Gtsi01Yp9s7uscUxb
0bCN5wwDvGC2jx2NUK94yjRmG8jOPbZe0s38DUFDo7eCsDMfJoU/anO6QvjD8GNKiJm3Xa
oSPHUFBD5FMvULH1ZCwOBZ4973vQ+6MDuCeDVOz6/hD1Am3cLJWB8JJjoDAZ42lhzcoQAA
AMEAp/QDlAXpiQAxdE2IjEpB77L0s93LkHQbhRwPXcZgV01OKB+puQ6gxrvHSupxdQYKCv
/DIqNK/PcGxXqAmd/8t0a+oC7+xufmyxKclP77KTmscvQusMuQL0nz07+5JGQKQF57EfOr
CVSrFF4/lWxpK/+4LGKwwIfnvHDZxy3UzeH8fsYgv7iHYv17rU3OZIcsMTtcaL35Glgn20
LplR9uATdJbBjMLxibX1El8bUjqcLW34y95OuFH2+bCzg5DqC/AAAAwQD5Ye+8KZZ/WGuW
QIG4jd6+V27xvApgg1WBXuhJvOb95qgLjyyzRYT6X6PQrPoPwvUr+EWAjWcBHPkq8GWEVo
eCYtcL4BL4QQeygubucS6y6ok438cPdh3sPq9i5c/tThhuhqvWjV2aMrh6bTcyfyG6Xe/A
kc+9b/3wxZhF+IgdjUtG0o2H8kOOQK74U87k6AgwTHGW/2k6itiNgRzKo6WdWc9zKtYcSk
+FFXBXLmQdhea/7GNJbjAO/6sHOLOzowcAAADBAOGhqs33nCPqeBxgC+Z7O12h8/hAgsGo
3GlkQ3hrhYPFYFt59yfLjpCr1Ajn0SG2HDkWSGOBHT49za8jIBV5K4W7C4rtuejsm7KMVk
7eWxQ9CDHUNEi6VQqDLZ9a/5tbXwxSrjOf8JXf5qwIrv4XDy1UimJNnaWvKejfrXw4gZCz
S+muLDBIB784y/H+c/5wy4fZUgCQOvZo5ScO/uK/MRkMyyD/04SLDvH8qvMjOym6F1K+DB
bLLRJd3I+gFHut8QAAAAxyb290QGNlbnRvczgBAgMEBQ==
-----END OPENSSH PRIVATE KEY-----
[root@centos8 ~]#ssh-copy-id root@10.0.0.77
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@10.0.0.77’s password: #输入远程用户的密码
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@10.0.0.77'"
and check to make sure that only the key(s) you wanted were added.
[root@Centos7 ~]#ll .ssh/
total 8
-rw------- 1 root root 566 May 22 22:42 authorized_keys
[root@Centos7 ~]#cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDbzJCv07jz13pWXljBT5HdWQoK71Oa537kxQ5e4uRbvUGYHfOei5YKX2Ke7f9pm5OycPgYId6fjAphcl7FkqF03SNIrds8HfLA2BbyXLP76hh/XzyK1lAXlMQL964kCtEdllHxBM+Z6ymAsepDj4bYaQx5jyYW66e/sbjNbQlqtnevWd3W/9ifd9xC9RdU/xEFxiphCEBXNo9hS8zEFhqaXqHHJkWfTyb8O735GMC8yDXtUyAs+zNVDY7k7EDSGMD7t25R5DcBXI9rrCQICoIHU/UWAiXeHu8To2ryr7j0g4UeI8DvksTo3BSwLOTzYb8bM41s1ZiP4gwtlgsIP1F1fJKQi1xVmQsL+h44pN/QGvPUEOEk5CvCD1SRu3gOrkDNhA6Cwpq9HDGpF3KkbCuTXU0ZL4b4O6+6zD8jemI5pfBzrhp05t/X5ZX10BGrqNDb0r22jgwy8E8CGUEuSt0OkJQR07W0l1/m/ivRvIufb7C1B/ATKiaLd4ZLPXGlNJc= root@centos8
[root@centos8 ~]#ssh 10.0.0.77
Last login: Fri May 22 18:45:18 2020 from 10.0.0.8
[root@Centos7 ~]#exit
logout
Connection to 10.0.0.77 closed.
[root@centos8 ~]#scp /etc/fstab 10.0.0.77:/data
fstab 100% 709 202.1KB/s 00:00
#对私钥加密
[root@centos8 ~]#ssh-keygen -p
Enter file in which the key is (/root/.ssh/id_rsa):
Key has comment 'root@centos8'
Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved with the new passphrase.
[root@centos8 ~]#ssh 10.0.0.77
Enter passphrase for key '/root/.ssh/id_rsa': #输入私钥的密码
Last login: Fri May 22 23:20:50 2020 from 10.0.0.8
[root@centos7 ~]#exit
logout
Connection to 10.0.0.77 closed.
#启用ssh代理
[root@centos8 ~]#ssh-agent bash
[root@centos8 ~]#ps aux |grep agent
root 5931 0.0 0.0 29444 548 ? Ss 23:48 0:00 ssh-agent bash
root 5958 0.0 0.0 12108 964 pts/0 S+ 23:48 0:00 grep --color=auto agent
[root@centos8 ~]#ssh-add
Identity added: /root/.ssh/id_rsa (root@centos8)
[root@centos8 ~]#ssh 10.0.0.77
Last login: Fri May 22 23:43:11 2020 from 10.0.0.8
范例:基于key验证实现批量主机管理
[root@centos8 ~]#cat hosts.txt
10.0.0.7
10.0.0.6
[root@centos8 ~]#for i in `cat hosts.txt`;do ssh $i hostname -I ;done
10.0.0.7
10.0.0.6
范例:实现xshell的基于key验证
[root@centos8 ~]#rz -E
rz waiting to receive.
[root@centos8 ~]#ls
anaconda-ks.cfg id_rsa_1024(xshell).pub
[root@centos8 ~]#cat id_rsa_1024(xshell).pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAw4zT+e9iFU691e+oRs32VMZppWm9EKK11HqogMqIQ8sQkun4lOCdE8nbsrSFTESV/x9yztRHwWTDU7366t0WfTC549MXxpu921+IZd5JzkOHuc8D+AxNPLRp/F4kZTE2wlwuRaawU2OFsKf9whLwFR52JqciTdueGgbzA2OB4Q8=[root@centos8 ~]#
[root@centos8 ~]#cat id_rsa_1024(xshell).pub > .ssh/authorized_keys
[root@centos8 ~]#chmod 600 .ssh/authorized_keys
[root@centos8 ~]#ll .ssh/authorized_keys
-rw------- 1 root root 208 May 23 00:03 .ssh/authorized_keys
范例:expect实现批量基于ssh的key部署
[root@centos8 ~]#cat push_ssh_key.sh
#!/bin/bash
PASS=1433236299
rpm -q expect &> /dev/null || yum install -y expect &> /dev/null
ssh-keygen -t rsa -P "" -f /root/.ssh/id_rsa &> /dev/null && echo "ssh key is created"
while read IP ;do
expect <<EOF &> /dev/null #或者 expect &> /dev/null <<EOF
set timeout 20
spawn ssh-copy-id -i /root/.ssh/id_rsa.pub root@$IP
expect {
"yes/no" { send "yes/no";exp_continue }
"password" { send "$PASS\n" }
}
expect eof
EOF
echo $IP is ready
done < hosts.txt
[root@centos8 ~]#cat hosts.txt
10.0.0.6
10.0.0.77
[root@centos8 ~]#bash push_ssh_key.sh
ssh key is created
10.0.0.6 is ready
10.0.0.77 is ready
[root@centos8 ~]#ssh 10.0.0.6
Last login: Fri May 22 18:53:04 2020 from 10.0.0.1
[root@centos6 ~]#exit
logout
Connection to 10.0.0.6 closed.
[root@centos8 ~]#ssh 10.0.0.77
Last login: Sat May 23 15:20:19 2020 from 10.0.0.1
[root@Centos7 ~]#exit
logout
Connection to 10.0.0.77 closed.
范例:如何实现三个主机之间互相的key验证
3.4.1 scp命令
scp [options] SRC... DEST/
#前面是源地址,后面是目标地址
两种方式:
scp [options] [user@]host:/sourcefile /destpath
scp [options] /sourcefile [user@]host:/destpath
常用选项:
-C 压缩数据流
-r 递归复制
-p 保持原文件的属性信息
-q 静默模式
-P PORT 指明remote host的监听的端口
3.4.2 rsync 命令
基于ssh和rsync协议实现高效率的远程系统之间复制文件,使用安全的shell连接做为传输方式,比scp更快,基于增量数据同步,即只复制两方不同的文件,此工具来自于rsync包
注意:通信两端主机都需要安装rsync软件
rsync -av /etc server1:/tmp #复制目录和目录下文件
rsync -av /etc/ server1:/tmp #只复制目录下文件
常用选项:
-n 模拟复制过程
-v 显示详细过程
-r 递归复制目录树
-p 保留权限
-t 保留修改时间戳
-g 保留组信息
-o 保留所有者信息
-l 将软链接文件本身进行复制(默认)
-L 将软链接文件指向的文件复制
-u 如果接收者的文件比发送者的文件较新,将忽略同步
-z 压缩
-a 存档,相当于–rlptgoD,但不保留ACL(-A)和SELinux属性(-X)
--delete 源数据删除,目标数据也自动同步删除
范例:
[root@centos8 ~]#rsync -auv --delete /data/test 10.0.0.7:/data
3.4.3 sftp命令
交互式文件传输工具,用法和传统的ftp工具相似,利用ssh服务实现安全的文件上传和下载
使用ls cd mkdir rmdir pwd get put等指令,可用?或help获取帮助信息
sftp [user@]host
sftp> help
3.5.1 SSH本地端口转(特定场合会用到)
SSH 会自动加密和解密所有 SSH 客户端与服务端之间的网络数据。但是,SSH 还能够将其他 TCP 端口的网络数据通过 SSH 链接来转发,并且自动提供了相应的加密及解密服务。这一过程也被叫做“隧道”(tunneling),这是因为 SSH 为其他 TCP 链接提供了一个安全的通道来进行传输而得名。例如,Telnet,SMTP,LDAP 这些 TCP 应用均能够从中得益,避免了用户名,密码以及隐私信息的明文传输。而与此同时,如果工作环境中的防火墙限制了一些网络端口的使用,但是允许 SSH 的连接,也能够通过将 TCP 端口转发来使用 SSH 进行通讯
SSH 端口转发能够提供两大功能:
SSH本地端口转发
ssh -L localport:remotehost:remotehostport sshserver
选项:
-f 后台启用
-N 不打开远程shell,处于等待状态
-g 启用网关功能
范例:
#当访问本机的9527的端口时,被加密后转发到sshsrv的ssh服务,再解密被转发到telnetsrv:23
#data<-->localhost:9527 <-->localhost:XXXXX<-->sshsrv:22<-->sshsrv:YYYYY<-->telnetsrv:23
ssh –L 9527:telnetsrv:23 -Nfg sshsrv
telnet 127.0.0.1 9527
范例:本地端口转发
[root@centos8 ~]#ssh -fNL 9527:10.0.0.28:80 10.0.0.18
[root@centos8 ~]#curl 127.0.0.1:9527
3.5.2 SSH远程端口转发
ssh -R sshserverport:remotehost:remotehostport sshserver
示例:
#让sshsrv侦听9527端口的访问,如有访问,就加密后通过ssh服务转发请求到本机ssh客户端,再由本机解密后转发到telnetsrv:23
#Data<-->sshsrv:9527<-->sshsrv:22<-->localhost:XXXXX<-->localhost:YYYYY<--
>telnetsrv:23
ssh –R 9527:telnetsrv:23 –Nf sshsrv
范例:远程端口转发并实现网关功能
[root@lan-server ~]#yum -y install httpd;systemctl start httpd;echo website On
10.0.0.28 > /var/www/html/index.html
[root@ssh-server ~]#vim /etc/ssh/sshd_config
GatewayPorts yes
[root@ssh-server ~]#systemctl restart sshd
[root@ssh-client ~]#ssh -fNgR 9527:10.0.0.28:80 10.0.0.8
root@10.0.0.8's password:
[root@centos6 ~]#curl 10.0.0.8:9527
website On 10.0.0.28
[root@centos7 ~]#curl 10.0.0.8:9527
website On 10.0.0.28
3.5.3 SSH动态端口转发
#当用firefox访问internet时,本机的1080端口做为代理服务器,firefox的访问请求被转发到
sshserver上,由sshserver替之访问internet
ssh -D 1080 root@sshserver -fNg
#在本机firefox设置代理socket proxy:127.0.0.1:1080
curl --socks5 127.0.0.1:1080 http://www.google.com
范例:动态端口转发实现科学上网方式1
[root@centos8 ~]#ssh -fND 9527 10.0.0.18
范例:动态端口转发实现科学上网方式2
[root@vps ~]#ssh -gfND 9527 10.0.0.18
[root@centos6 ~]#curl --socks5 10.0.0.18:9527 http://10.0.0.28
google On 10.0.0.28
[root@centos7 ~]#curl --socks5 10.0.0.18:9527 http://10.0.0.28
google On 10.0.0.28
3.5.4 X 协议转发
所有图形化应用程序都是X客户程序,能够通过tcp/ip连接远程X服务器,数据没有加密,但是它通过ssh连接隧道安全进行
#remotehost主机上的gedit工具,将会显示在本机的X服务器上,传输的数据将通过ssh连接加密
ssh -X user@remotehost gedit
范例:在windows上使用mobaXtrem的X server 显示 Linux 的图形工具
[root@centos ~]#yum install xorg-x11-xauth xorg-x11-fonts-* xorg-x11-font-utils xorg-x11-fonts-Type1 firefox
[root@centos ~]#exit
[root@centos ~]#firefox
范例:在windows上使用xshell的X server 显示 Linux 的图形工具
[root@centos ~]# export DISPLAY=10.0.0.1:0.0
[root@centos ~]# yum -y install xclock
服务器端:sshd
服务器端的配置文件: /etc/ssh/sshd_config
服务器端的配置文件帮助:man 5 sshd_config
常用参数:
Port
ListenAddress ip
LoginGraceTime 2m
PermitRootLogin yes #默认ubuntu不允许root远程ssh登录
StrictModes yes #检查.ssh/文件的所有者,权限等
MaxAuthTries 6 #最大错误连接次数(除二,查看man帮助)
MaxSessions 10 #同一个连接最大会话
PubkeyAuthentication yes #基于key验证
PermitEmptyPasswords no #空密码连接
PasswordAuthentication yes #基于用户名和密码连接
GatewayPorts no
ClientAliveInterval 10 #单位:秒
ClientAliveCountMax 3 #默认3
UseDNS yes #提高速度可改为no
GSSAPIAuthentication yes #提高速度可改为no
MaxStartups #未认证连接最大值,默认值10
Banner /path/file
#以下可以限制可登录用户的办法:
AllowUsers user1 user2 user3
DenyUsers
AllowGroups
DenyGroups
范例:设置ssh 空闲60s 自动注销
Vim /etc/ssh/sshd_config
ClientAliveInterval 60
ClientAliveCountMax 0
Service sshd restart
#注意:新开一个连接才有效
范例:解决ssh登录缓慢的问题
vim /etc/ssh/sshd_config
UseDNS no
GSSAPIAuthentication no
systemctl restart sshd
范例:在 ubuntu 上启用root 远程ssh登录
#修改sshd服务配置文件
vim /etc/ssh/sshd_config
#PermitRootLogin prohibit-password 注释掉此行
PermitRootLogin yes 修改为下面形式
systemctl restart sshd
ssh服务的最佳实践
由EPEL源提供,目前CentOS8 还没有提供,可以利用ssh协议挂载远程目录
[root@centos7 ~]#yum install fuse-sshfs
[root@centos7 ~]#sshfs 10.0.0.8:/data /mnt
[root@centos7 ~]#df /mnt
Filesystem 1K-blocks Used Available Use% Mounted on
10.0.0.8:/data 52403200 398576 52004624 1% /mnt
由EPEL源提供,ssh登陆不能在命令行中指定密码。sshpass的出现,解决了这一问题sshpass用于非交互SSH的密码验证,一般用在sh脚本中,无须再次输入密码(本机known_hosts文件中有的主机才能生效)。它允许你用 -p 参数指定明文密码,然后直接登录远程服务器,它支持密码从命令行、文件、环境变量中读取。
格式:
sshpass [option] command parameters
常见选项
-p password #后跟密码它允许你用 -p 参数指定明文密码,然后直接登录远程服务器
-f filename #后跟保存密码的文件名,密码是文件内容的第一行。
-e #将环境变量SSHPASS作为密码
范例:
[root@centos8 ~]#yum -y install sshpass
[root@centos8 ~]#rpm -ql sshpass
/usr/bin/sshpass
/usr/lib/.build-id
/usr/lib/.build-id/1f
/usr/lib/.build-id/1f/c5d6cf03500df846a1a801aab749f478845a4d
/usr/share/doc/sshpass
/usr/share/doc/sshpass/AUTHORS
/usr/share/doc/sshpass/COPYING
/usr/share/doc/sshpass/ChangeLog
/usr/share/doc/sshpass/NEWS
/usr/share/man/man1/sshpass.1.gz
[root@centos8 ~]# sshpass -p 123456 ssh -o StrictHostKeyChecking=no
root@10.0.0.8
[root@centos8 ~]#sshpass -p 123456 ssh -o StrictHostKeyChecking=no 10.0.0.7
hostname -I
Warning: Permanently added '10.0.0.7' (ECDSA) to the list of known hosts.
10.0.0.7
[root@centos8 ~]#sshpass -p 123456 ssh -o StrictHostKeyChecking=no 10.0.0.6
hostname -I
Warning: Permanently added '10.0.0.6' (RSA) to the list of known hosts.
10.0.0.6
[root@centos8 ~]# cat pass.txt
123456
[root@centos8 ~]# sshpass -f pass.txt ssh root@10.0.0.8
[root@centos8 ~]# export SSHPASS=123456
[root@centos8 ~]# sshpass -e ssh root@10.0.0.8
范例:批量修改多台主机的root密码为随机密码
[root@centos8 ~]#cat change_root_password.sh
#!/bin/bash
rpm -q sshpass &> /dev/null || yum install -y sshpass
export SSHPASS=magedu
NET=10.0.0
for i in {5..19};do
{
PASS=`openssl rand -base64 9`
sshpass -e ssh $NET.$i "echo $PASS| passwd --stdin root &> /dev/null"
echo $NET.$i:$PASS >> host.txt
}&
done
wait
范例:批量部署多台主机基于key验证脚本1
[root@centos8 ~]#cat sshpass.sh
#!/bin/bash
NET=10.0.0
PASS=magedu
ssh-keygen -P "" -f /root/.ssh/id_rsa &> /dev/null
rpm -q sshpass &> /dev/null || yum -y install sshpass &> /dev/null
for i in {1..100};do
{
sshpass -p $PASS ssh-copy-id -o StrictHostKeyChecking=no -i
/root/.ssh/id_rsa.pub $NET.$i &> /dev/null
}&
done
wait
范例:批量部署多台主机基于key验证脚本2
[root@centos8 ~]#cat sshpass2.sh
#!/bin/bash
HOSTS="
10.0.0.6
10.0.0.18
10.0.0.77
"
PASS=magedu
ssh-keygen -P "" -f /root/.ssh/id_rsa &> /dev/null
rpm -q sshpass &> /dev/null || yum install -y sshpass &> /dev/null
for i in $HOSTS;do
{
ssh -p $PASS ssh-copy-id -o StrictHostKeyChecking=no -i /root/.ssh/id_rsa.pub $i &> /dev/null
}&
done
wait
EPEL源中提供了多个自动化运维工具
pssh 命令选项如下:
-H:主机字符串,内容格式”[user@]host[:port]”
-h file:主机列表文件,内容格式”[user@]host[:port]”
-A:手动输入密码模式
-i:每个服务器内部处理信息输出
-l:登录使用的用户名
-p:并发的线程数【可选】
-o:输出的文件目录【可选】
-e:错误输出文件【可选】
-t:TIMEOUT 超时时间设置,0无限制【可选】
-O:SSH的选项
-P:打印出服务器返回信息
-v:详细模式
--version:查看版本
范例:
#默认使用ssh的key认证,通过 -A选项,使用密码认证批量执行指令
pssh -H "192.168.1.10" -A hostname
#输出信息
pssh -H wang@192.168.1.10 -A -i hostname
#通过pssh批量关闭seLinux
pssh -H root@192.168.1.10 -i ‘sed -i "s/^SELINUX=.*/SELINUX=disabled/"
/etc/selinux/config’
#多台主机
pssh -H "192.168.1.10 192.168.1.20" -i hostname
#多台主机
cat hosts.txt
10.0.0.8
10.0.0.6
pssh -h hosts.txt -i hostname
#将标准错误和标准正确重定向分别保存至本地主机的/data/stdout和/data/stderr目录下
pssh -H 192.168.1.10 -o /data/stdout -e /data/stderr -i “hostname”
#变量需要加单引号引起来
[root@centos7 ~]#cat hosts.txt
10.0.0.8
10.0.0.6
[root@centos7 ~]#pssh -h hosts.txt -i echo $HOSTNAME
[1] 16:47:00 [SUCCESS] 10.0.0.6
centos7.wangxiaochun.com
[2] 16:47:01 [SUCCESS] 10.0.0.8
centos7.wangxiaochun.com
[root@centos7 ~]#pssh -h hosts.txt -i 'echo $HOSTNAME'
[1] 16:48:05 [SUCCESS] 10.0.0.6
centos6.localdomain
[2] 16:48:05 [SUCCESS] 10.0.0.8
centos8.localdomain
#*需要用双或单引号引起来
[root@centos7 ~]#pssh -h hosts.txt -i ls /data/*
[1] 16:48:29 [FAILURE] 10.0.0.6 Exited with error code 2
Stderr: ls: cannot access /data/10.0.0.6: No such file or directory
ls: cannot access /data/10.0.0.8: No such file or directory
[2] 16:48:29 [FAILURE] 10.0.0.8 Exited with error code 2
Stderr: ls: cannot access '/data/10.0.0.6': No such file or directory
ls: cannot access '/data/10.0.0.8': No such file or directory
[root@centos7 ~]#pssh -h hosts.txt -i 'ls /data/*'
[1] 16:48:47 [SUCCESS] 10.0.0.6
[2] 16:48:47 [SUCCESS] 10.0.0.8
/data/centos7.log
/data/f1.txt
/data/f2.txt
/data/host_pass.txt
pscp.pssh命令
pscp.pssh功能是将本地文件批量复制到远程主机
pscp [-vAr] [-h hosts_file] [-H [user@]host[:port]] [-l user] [-p par] [-o
outdir] [-e errdir] [-t timeout] [-O options] [-x args] [-X arg] local remote
pscp-pssh选项
-v 显示复制过程
-r 递归复制目录
范例:
#将本地curl.sh 复制到/app/目录
pscp.pssh -H 192.168.1.10 /root/test/curl.sh /app/
pscp.pssh -h host.txt /root/test/curl.sh /app/
#将本地多个文件批量复制到/app/目录
pscp.pssh -H 192.168.1.10 /root/f1.sh /root/f2.sh /app/
#将本地目录批量复制到/app/目录
pscp.pssh -H 192.168.1.10 -r /root/test/ /app/
pslurp命令
pslurp功能是将远程主机的文件批量复制到本地
pslurp [-vAr] [-h hosts_file] [-H [user@]host[:port]] [-l user] [-p par][-o
outdir] [-e errdir] [-t timeout] [-O options] [-x args] [-X arg] [-L localdir]
remote local(本地名)
pslurp选项
-L 指定从远程主机下载到本机的存储的目录,local是下载到本地后的名称
-r 递归复制目录
范例:
#批量下载目标服务器的passwd文件至/app下,并更名为user
pslurp -H 192.168.1.10 -L /app /etc/passwd user
[root@centos7 ~]#pslurp -h hosts.txt -L /data/ /etc/redhat-release version
[1] 17:50:57 [SUCCESS] 10.0.0.6
[2] 17:50:57 [SUCCESS] 10.0.0.8
[root@centos7 ~]#tree /data
/data
├── 10.0.0.6
│ └── version
└── 10.0.0.8
└── version
2 directories, 2 files
由Matt Johnston所开发的Secure Shell软件。Dropbear是一个相对较小的SSH服务器和客户端。它运行在一个基于POSIX的各种平台。 Dropbear是开源软件,在麻省理工学院式的许可证。Dropbear是特别有用的“嵌入”式的Linux(或其他Unix)系统,如无线路由器,期望在存储器与运算能力有限的情况下取代OpenSSH,尤其是嵌入式系统
官网:http://matt.ucc.asn.au/dropbear/dropbear.html
范例:编译安装dropbear
#安装相关包:
[root@centos8 ~]#yum install gcc zlib-devel
#下载
[root@centos8 ~]#wget http://matt.ucc.asn.au/dropbear/releases/dropbear-2019.78.tar.bz2
[root@centos8 ~]#tar xf dropbear-2019.78.tar.bz2
#编译安装
[root@centos8 ~]#cd dropbear-2019.78/
[root@centos8 dropbear-2019.78]#less INSTALL README
[root@centos8 dropbear-2019.78]#./configure --prefix=/apps/dropbear --sysconfdir=/etc/dropbear
[root@centos8 dropbear-2019.78]#make PROGRAMS="dropbear dbclient dropbearkey dropbearconvert scp"
[root@centos8 dropbear-2019.78]#make PROGRAMS="dropbear dbclient dropbearkey dropbearconvert scp" install
[root@centos8 dropbear-2019.78]#tree /apps/
/apps/
└── dropbear
├── bin
│ ├── dbclient
│ ├── dropbearconvert
│ ├── dropbearkey
│ └── scp
├── sbin
│ └── dropbear
└── share
└── man
├── man1
│ ├── dbclient.1
│ ├── dropbearconvert.1
│ └── dropbearkey.1
└── man8
└── dropbear.8
7 directories, 9 files
#配置PATH变量
[root@centos8 ~]#echo 'PATH=/apps/dropbear/sbin:/apps/dropbear/bin:$PATH' > /etc/profile.d/dropbear.sh
[root@centos8 ~]#. /etc/profile.d/dropbear.sh
#生成私钥
[root@centos8 ~]#/apps/dropbear/sbin -h
[root@centos8 ~]#mkdir /etc/dropbear
[root@centos8 ~]#dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key -s
2048
[root@centos8 ~]#dropbearkey -t dss -f /etc/dropbear/dropbear_dsa_host_key
#启动ssh服务:
[root@centos8 ~]#dropbear -p :2222 -FE #前台运行,相当于sshd
[root@centos8 ~]#dropbear -p :2222 #后台运行
#客户端访问:
[root@centos8 ~]#ssh -p 2222 root@127.0.0.1
[root@centos8 ~]#dbclient -p 2222 root@127.0.0.1 #相当于ssh