Success does not come easy; work twice as hard!
- SSH service
- 1 Introduction to the SSH service
- 2 OpenSSH
- 2.1 The client-side ssh command
- 2.2 SSH login authentication methods
- 2.3 Setting up key-based login
- 3.4 Other SSH client tools
- 3.5 Advanced SSH usage
- 3.6 SSH server configuration
- 4 Other SSH-related tools
- 4.1 Mounting a remote directory over SSH: sshfs
- 4.2 Non-interactive SSH login: sshpass
- 4.3 Lightweight automation tool: pssh
- 5 dropbear
SSH service
1 Introduction to the SSH service
ssh: Secure Shell, a protocol on 22/tcp, providing secure remote login as a replacement for telnet
Concrete software implementations:
- OpenSSH: open-source implementation of the SSH protocol, installed by default on CentOS
- dropbear: another open-source implementation
SSH protocol versions
- v1: uses CRC-32 as the MAC, insecure; vulnerable to man-in-the-middle attacks
- v2: both hosts negotiate a secure MAC algorithm; key exchange is based on DH, and identity authentication on RSA or DSA
1.1 How the public-key exchange works
- The client initiates the connection request
- The server returns its public key together with a session ID (at this step the client obtains the server's public key)
- The client generates its own key pair
- The client XORs its public key with the session ID to compute a value Res, and encrypts it with the server's public key
- The client sends the encrypted value to the server; the server decrypts it with its private key to obtain Res
- The server XORs Res with the session ID to recover the client's public key (at this step the server obtains the client's public key)
- Result: each side holds three keys, its own public/private pair plus the other side's public key, and all subsequent traffic is encrypted
1.2 How SSH encrypted communication works
2 OpenSSH
OpenSSH is the free, open-source implementation of the SSH (Secure SHell) protocol; it is installed by default on most Linux distributions and follows a client/server (C/S) architecture
OpenSSH-related packages:
- openssh
- openssh-clients
- openssh-server
Example: the related packages
[root@centos8 ~]
openssh-7.8p1-4.el8.x86_64
openssh-server-7.8p1-4.el8.x86_64
openssh-clients-7.8p1-4.el8.x86_64
[root@centos8 ~]
/etc/pam.d/sshd
/etc/ssh/sshd_config
/etc/sysconfig/sshd
/usr/lib/.build-id
/usr/lib/.build-id/03
/usr/lib/.build-id/03/212a76e490c8ccc32963c2675b069229bd423b
/usr/lib/.build-id/9f
/usr/lib/.build-id/9f/89f685cc7bef45de96019b2c34fec2ea889a90
/usr/lib/systemd/system/sshd-keygen.target
/usr/lib/systemd/system/sshd-keygen@.service
/usr/lib/systemd/system/sshd.service
/usr/lib/systemd/system/sshd.socket
/usr/lib/systemd/system/sshd@.service
/usr/lib/tmpfiles.d/openssh.conf
/usr/lib64/fipscheck/sshd.hmac
/usr/libexec/openssh/sftp-server
/usr/libexec/openssh/sshd-keygen
/usr/sbin/sshd
/usr/share/man/man5/moduli.5.gz
/usr/share/man/man5/sshd_config.5.gz
/usr/share/man/man8/sftp-server.8.gz
/usr/share/man/man8/sshd.8.gz
/var/empty/sshd
[root@centos8 ~]
/etc/ssh/ssh_config
/etc/ssh/ssh_config.d
/etc/ssh/ssh_config.d/05-redhat.conf
/usr/bin/scp
/usr/bin/sftp
/usr/bin/ssh
/usr/bin/ssh-add
/usr/bin/ssh-agent
/usr/bin/ssh-copy-id
/usr/bin/ssh-keyscan
/usr/lib/.build-id
/usr/lib/.build-id/38
/usr/lib/.build-id/38/6a9c79f2e3a51119fab4e75f398cfc43f741fd
/usr/lib/.build-id/75
/usr/lib/.build-id/75/5b836d8fff0a025f2e0c2fd000eb882af20aef
/usr/lib/.build-id/84
/usr/lib/.build-id/84/1c0e0f02ef345a3011ef1c4586d363571f843e
/usr/lib/.build-id/94
/usr/lib/.build-id/94/082ac0ca7e553a4a371ec89f58128a76938f03
/usr/lib/.build-id/b7
/usr/lib/.build-id/b7/6976366baf16c87b1c09401342b605f03b48d5
/usr/lib/.build-id/c4
/usr/lib/.build-id/c4/febf93dea86402d74f22f0abf21a5ee67eaa5f
/usr/lib/.build-id/d4
/usr/lib/.build-id/d4/a2bd907d4b91d0474e60dd6ffe894f9477209d
/usr/lib64/fipscheck/ssh.hmac
/usr/libexec/openssh/ssh-pkcs11-helper
/usr/share/man/man1/scp.1.gz
/usr/share/man/man1/sftp.1.gz
/usr/share/man/man1/ssh-add.1.gz
/usr/share/man/man1/ssh-agent.1.gz
/usr/share/man/man1/ssh-copy-id.1.gz
/usr/share/man/man1/ssh-keyscan.1.gz
/usr/share/man/man1/ssh.1.gz
/usr/share/man/man5/ssh_config.5.gz
/usr/share/man/man8/ssh-pkcs11-helper.8.gz
[root@centos8 ~]
/etc/ssh
/etc/ssh/moduli
/usr/bin/ssh-keygen
/usr/lib/.build-id
/usr/lib/.build-id/7d
/usr/lib/.build-id/7d/09bd161027e05ad5e2503070fedcc024eead1d
/usr/lib/.build-id/81
/usr/lib/.build-id/81/391a95e2a2c2cccaab881225095ae2735abc2b
/usr/libexec/openssh
/usr/libexec/openssh/ssh-keysign
/usr/share/doc/openssh
/usr/share/doc/openssh/CREDITS
/usr/share/doc/openssh/ChangeLog
/usr/share/doc/openssh/INSTALL
/usr/share/doc/openssh/OVERVIEW
/usr/share/doc/openssh/PROTOCOL
/usr/share/doc/openssh/PROTOCOL.agent
/usr/share/doc/openssh/PROTOCOL.certkeys
/usr/share/doc/openssh/PROTOCOL.chacha20poly1305
/usr/share/doc/openssh/PROTOCOL.key
/usr/share/doc/openssh/PROTOCOL.krl
/usr/share/doc/openssh/PROTOCOL.mux
/usr/share/doc/openssh/README
/usr/share/doc/openssh/README.dns
/usr/share/doc/openssh/README.platform
/usr/share/doc/openssh/README.privsep
/usr/share/doc/openssh/README.tun
/usr/share/doc/openssh/TODO
/usr/share/licenses/openssh
/usr/share/licenses/openssh/LICENCE
/usr/share/man/man1/ssh-keygen.1.gz
/usr/share/man/man8/ssh-keysign.8.gz
Server: /usr/sbin/sshd
Unit file: /usr/lib/systemd/system/sshd.service
Clients:
- Linux clients: ssh, scp, sftp, slogin
- Windows clients: Xshell, MobaXterm, PuTTY, SecureCRT, SSH Secure Shell Client
2.1 The client-side ssh command
The ssh command is the SSH client; it provides authenticated, encrypted access to remote systems
When a user connects to an SSH server for the first time, the server's public key from /etc/ssh/ssh_host*key.pub is copied into ~/.ssh/known_hosts on the client. On later connections the key presented by the server is matched against the saved one; if it does not match, the connection is refused
SSH client configuration file: /etc/ssh/ssh_config
Main setting
Do not show the host-key confirmation prompt on first login
StrictHostKeyChecking no
Example: disabling the confirmation prompt on first connection
[root@centos7 ~]
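To show what the known_hosts check described above actually decides, here is an added example (not from the original page) that replays the client's host-key decision against a constructed known_hosts file; the host names and key strings are placeholders, and the result strings are this example's own:

```shell
# Constructed ~/.ssh/known_hosts with two plain (unhashed) entries; the key
# material is placeholder text, not real keys.
KNOWN_HOSTS='10.0.0.8 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYFORHOST8
10.0.0.77,centos7 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABPLACEHOLDERKEYFORHOST77'

# Reproduce the client's host-key decision for HOST presenting KEYTYPE KEY:
#   unknown  - no entry yet; an interactive ssh asks "Are you sure you want to
#              continue connecting?" (trust on first use) and then records the key
#   match    - recorded key is identical; the connection proceeds silently
#   mismatch - recorded key differs; ssh warns that the host identification has
#              changed. StrictHostKeyChecking=no only removes the first-use
#              prompt; on a mismatch ssh still warns and disables password auth.
check_host_key() {
    local host="$1" keytype="$2" key="$3"
    printf '%s\n' "$KNOWN_HOSTS" | awk -v h="$host" -v t="$keytype" -v k="$key" '
        $1 !~ /^[#|]/ {                 # skip comments and hashed (|1|...) entries
            n = split($1, names, ",")   # one entry may list several host names
            for (i = 1; i <= n; i++) {
                if (names[i] == h && $2 == t) {
                    r = ($3 == k) ? "match" : "mismatch"
                    print r; found = 1; exit
                }
            }
        }
        END { if (!found) print "unknown" }'
}
```

On a real client the same lookup is done with ssh-keygen -F host, and a changed key should be investigated rather than silenced.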
Format:
ssh [user@]host [COMMAND]
ssh [-l user] host [COMMAND]
Common options
-p port: port the remote server listens on
-b: source IP address to connect from
-v: debug (verbose) mode
-C: enable compression
-X: enable X11 forwarding
-t: force pseudo-tty allocation, e.g. ssh -t remoteserver1 ssh -t remoteserver2 ssh remoteserver3
-o option: e.g. -o StrictHostKeyChecking=no
-i <file>: path of the private key file for key-based authentication; by default ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519, ~/.ssh/id_rsa, etc. are tried
Example:
[root@centos8 ~]
root@10.0.0.8's password:
root@10.0.0.77's password:
root@10.0.0.6's password:
Last login: Thu May 21 22:17:57 2020 from 10.0.0.77
[root@centos6 ~]
Example: running a command remotely
[root@centos6 ~]
root@10.0.0.8's password:
[root@centos6 ~]
Example: running a local shell script on a remote host (very handy)
[root@centos8 ~]
10.0.0.88 192.168.122.1
[root@centos8 ~]
hostname -I
[root@centos8 ~]
root@10.0.0.8's password:
10.0.0.8 192.168.122.1
Example:
[root@centos8 ~]
nr|head
86294 58.218.92.37
43148 58.218.92.26
18036 112.85.42.201
10501 111.26.195.101
10501 111.231.235.49
10501 111.204.186.207
10501 111.11.29.199
10499 118.26.23.225
6288 42.7.26.142
4236 58.218.92.30
[root@centos8 ~]
ip[i],i}}'|sort -nr|head
86294 58.218.92.37
43148 58.218.92.26
18036 112.85.42.201
10501 111.26.195.101
10501 111.231.235.49
10501 111.204.186.207
10501 111.11.29.199
10499 118.26.23.225
6288 42.7.26.142
4236 58.218.92.30
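The listing above shows counts of failed-login source IPs taken from the sshd log. As an added example, not from the original page, the following shell functions compute the same "count IP" ranking from constructed sample /var/log/secure lines and flag sources that cross a threshold, which is the check a defender would add:

```shell
# Constructed sample lines in the /var/log/secure (sshd) format; not real log data.
SAMPLE_SECURE_LOG='May 22 23:01:02 centos8 sshd[5931]: Failed password for root from 58.218.92.37 port 40212 ssh2
May 22 23:01:05 centos8 sshd[5932]: Failed password for invalid user admin from 58.218.92.37 port 40218 ssh2
May 22 23:01:09 centos8 sshd[5940]: Failed password for root from 112.85.42.201 port 51022 ssh2
May 22 23:02:11 centos8 sshd[5951]: Accepted publickey for root from 10.0.0.8 port 38800 ssh2: RSA SHA256:PVFtcR4yEjnfLW22d8mj6t/KX83oWVT37+TLK7/SmU4
May 22 23:02:30 centos8 sshd[5960]: Failed password for root from 58.218.92.37 port 40301 ssh2'

# Count "Failed password" events per source IP, highest first.
# Reads log text on stdin and prints "<count> <ip>" lines like the page's output.
# The IP is taken as the word after "from", so "invalid user" lines are handled too.
failed_login_counts() {
    awk '/Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { ip[$(i+1)]++; break }
         }
         END { for (a in ip) print ip[a], a }' | sort -k1,1nr -k2
}

# Source IPs whose failure count reaches a threshold (default 3): candidates
# for a firewall block or a fail2ban-style jail.
brute_force_sources() {
    local threshold="${1:-3}"
    failed_login_counts | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Top offender from the constructed sample; on a real host feed the log instead:
#   failed_login_counts < /var/log/secure
top_failed_from_sample() {
    printf '%s\n' "$SAMPLE_SECURE_LOG" | failed_login_counts | head -n 1
}
```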
2.2 SSH login authentication methods
Authentication methods for SSH logins
Password-based authentication
1 The client sends an SSH request and the server sends its public key to the user
2 The user encrypts the password with the public key received from the server
3 The encrypted data is sent back to the server, which decrypts it with its private key; if the password is correct the user is logged in
Key-based authentication
1 First generate a key pair on the client (ssh-keygen)
2 Copy the client's public key to the server with ssh-copy-id
3 When the client next sends a connection request, it includes its IP address and user name
4 On receiving the request, the server looks in authorized_keys; if a matching IP and user is found, it generates a random string, for example: magedu
5 The server encrypts the string with the public key copied over from the client and sends it to the client
6 On receiving the server's message, the client decrypts it with its private key and sends the decrypted string back to the server
7 The server compares the returned string with the one it generated; if they match, passwordless login is allowed
2.3 Setting up key-based login
Generate a key pair on the client
ssh-keygen -t rsa [-P 'password'] [-f "~/.ssh/id_rsa"]
Copy the public key file to the home directory of the corresponding user on the remote server
ssh-copy-id [-i [identity_file]] [user@]host
Change the private key passphrase:
ssh-keygen -p
An authentication agent keeps the decrypted key in memory so the passphrase only has to be entered once; in GNOME an agent is provided automatically for the root user
ssh-agent bash
ssh-add
Key-based authentication with SecureCRT or Xshell
In SecureCRT: Tools -> Create Public Key -> generates an Identity.pub file
Convert it to OpenSSH-compatible format (needed for SecureCRT; Xshell needs no conversion) and append it to authorized_keys on the host to be logged into; note that the file permissions must be 600. On the target SSH host run:
ssh-keygen -i -f Identity.pub >> .ssh/authorized_keys
Example: setting up key-based authentication
[root@centos8 ~]
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:PVFtcR4yEjnfLW22d8mj6t/KX83oWVT37+TLK7/SmU4 root@centos8
The key's randomart image is:
+---[RSA 3072]----+
| o++.o.|
| +. =o.|
| . o...=|
| . . ...O|
| S o .+=|
| . O=|
| +E&|
| .=+X.|
| .oo+XX*|
+----[SHA256]-----+
[root@centos8 ~]
total 12
-rw------- 1 root root 2602 May 22 22:40 id_rsa
-rw-r--r-- 1 root root 566 May 22 22:40 id_rsa.pub
[root@centos8 ~]
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDbzJCv07jz13pWXljBT5HdWQoK71Oa537kxQ5e4uRbvUGYHfOei5YKX2Ke7f9pm5OycPgYId6fjAphcl7FkqF03SNIrds8HfLA2BbyXLP76hh/XzyK1lAXlMQL964kCtEdllHxBM+Z6ymAsepDj4bYaQx5jyYW66e/sbjNbQlqtnevWd3W/9ifd9xC9RdU/xEFxiphCEBXNo9hS8zEFhqaXqHHJkWfTyb8O735GMC8yDXtUyAs+zNVDY7k7EDSGMD7t25R5DcBXI9rrCQICoIHU/UWAiXeHu8To2ryr7j0g4UeI8DvksTo3BSwLOTzYb8bM41s1ZiP4gwtlgsIP1F1fJKQi1xVmQsL+h44pN/QGvPUEOEk5CvCD1SRu3gOrkDNhA6Cwpq9HDGpF3KkbCuTXU0ZL4b4O6+6zD8jemI5pfBzrhp05t/X5ZX10BGrqNDb0r22jgwy8E8CGUEuSt0OkJQR07W0l1/m/ivRvIufb7C1B/ATKiaLd4ZLPXGlNJc= root@centos8
[root@centos8 ~]
-----BEGIN OPENSSH PRIVATE KEY-----
-----END OPENSSH PRIVATE KEY-----
[root@centos8 ~]
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@10.0.0.77's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@10.0.0.77'"
and check to make sure that only the key(s) you wanted were added.
[root@Centos7 ~]
total 8
-rw------- 1 root root 566 May 22 22:42 authorized_keys
[root@Centos7 ~]
ssh-rsa ... root@centos8
[root@centos8 ~]
Last login: Fri May 22 18:45:18 2020 from 10.0.0.8
[root@Centos7 ~]
logout
Connection to 10.0.0.77 closed.
[root@centos8 ~]
fstab 100% 709 202.1KB/s 00:00
[root@centos8 ~]
Enter file in which the key is (/root/.ssh/id_rsa):
Key has comment 'root@centos8'
Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved with the new passphrase.
[root@centos8 ~]
Enter passphrase for key '/root/.ssh/id_rsa':
Last login: Fri May 22 23:20:50 2020 from 10.0.0.8
[root@centos7 ~]
logout
Connection to 10.0.0.77 closed.
[root@centos8 ~]
[root@centos8 ~]
root 5931 0.0 0.0 29444 548 ? Ss 23:48 0:00 ssh-agent bash
root 5958 0.0 0.0 12108 964 pts/0 S+ 23:48 0:00 grep --color=auto agent
[root@centos8 ~]
Identity added: /root/.ssh/id_rsa (root@centos8)
[root@centos8 ~]
Last login: Fri May 22 23:43:11 2020 from 10.0.0.8
Example: managing multiple hosts with key-based authentication
[root@centos8 ~]#cat hosts.txt
10.0.0.7
10.0.0.6
[root@centos8 ~]#for i in `cat hosts.txt`;do ssh $i hostname -I ;done
10.0.0.7
10.0.0.6
Example: key-based authentication with Xshell
[root@centos8 ~]
rz waiting to receive.
[root@centos8 ~]
anaconda-ks.cfg id_rsa_1024(xshell).pub
[root@centos8 ~]
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAw4zT+e9iFU691e+oRs32VMZppWm9EKK11HqogMqIQ8sQkun4lOCdE8nbsrSFTESV/x9yztRHwWTDU7366t0WfTC549MXxpu921+IZd5JzkOHuc8D+AxNPLRp/F4kZTE2wlwuRaawU2OFsKf9whLwFR52JqciTdueGgbzA2OB4Q8=[root@centos8 ~]
[root@centos8 ~]
[root@centos8 ~]
[root@centos8 ~]
-rw------- 1 root root 208 May 23 00:03 .ssh/authorized_keys
Example: deploying SSH keys to multiple hosts with expect
[root@centos8 ~]
PASS=1433236299
rpm -q expect &> /dev/null || yum install -y expect &> /dev/null
ssh-keygen -t rsa -P "" -f /root/.ssh/id_rsa &> /dev/null && echo "ssh key is created"
while read IP ;do
expect <<EOF &> /dev/null
set timeout 20
spawn ssh-copy-id -i /root/.ssh/id_rsa.pub root@$IP
expect {
"yes/no" { send "yes\n";exp_continue }
"password" { send "$PASS\n" }
}
expect eof
EOF
echo $IP is ready
done < hosts.txt
[root@centos8 ~]
10.0.0.6
10.0.0.77
[root@centos8 ~]
ssh key is created
10.0.0.6 is ready
10.0.0.77 is ready
[root@centos8 ~]
Last login: Fri May 22 18:53:04 2020 from 10.0.0.1
[root@centos6 ~]
logout
Connection to 10.0.0.6 closed.
[root@centos8 ~]
Last login: Sat May 23 15:20:19 2020 from 10.0.0.1
[root@Centos7 ~]
logout
Connection to 10.0.0.77 closed.
Example: setting up mutual key-based authentication among three hosts
3.4 Other SSH client tools
3.4.1 The scp command
scp [options] SRC... DEST/
Two forms:
scp [options] [user@]host:/sourcefile /destpath
scp [options] /sourcefile [user@]host:/destpath
Common options:
-C compress the data stream
-r copy recursively
-p preserve the original file attributes
-q quiet mode
-P PORT port the remote host listens on
3.4.2 The rsync command
Copies files between remote systems efficiently over SSH (or the rsync protocol), using the secure shell connection as the transport. It is faster than scp because it synchronises incrementally, copying only the files that differ between the two sides. The tool comes from the rsync package
Note: rsync must be installed on both ends of the connection
rsync -av /etc server1:/tmp
rsync -av /etc/ server1:/tmp
Common options:
-n dry run (simulate the copy)
-v show detailed progress
-r copy directory trees recursively
-p preserve permissions
-t preserve modification timestamps
-g preserve group
-o preserve owner
-l copy symbolic links as links (default)
-L copy the files that symbolic links point to
-u skip files that are newer on the receiver than on the sender
-z compress
-a archive mode, equivalent to -rlptgoD, but does not preserve ACLs (-A) or SELinux attributes (-X)
--delete delete files on the destination that have been deleted from the source
Example:
[root@centos8 ~]
3.4.3 The sftp command
Interactive file transfer tool whose usage resembles the traditional ftp client; it uses the SSH service for secure uploads and downloads
Supports commands such as ls, cd, mkdir, rmdir, pwd, get and put; ? or help shows the help text
sftp [user@]host
sftp> help
3.5 Advanced SSH usage
3.5.1 SSH local port forwarding (needed in specific situations)
SSH automatically encrypts and decrypts all network data between the SSH client and server. But SSH can also forward the traffic of other TCP ports over the SSH connection, encrypting and decrypting it transparently. This is called "tunneling", because SSH provides a secure channel for other TCP connections to travel through. For example, TCP applications such as Telnet, SMTP and LDAP benefit by avoiding clear-text transmission of user names, passwords and private data. At the same time, if a firewall in the working environment blocks some network ports but allows SSH connections, those ports can still be reached by forwarding them over SSH
SSH port forwarding provides two main benefits:
- it encrypts the traffic between the SSH client and the SSH server
- it gets around firewall restrictions to establish TCP connections that could not otherwise be made
SSH local port forwarding
ssh -L localport:remotehost:remotehostport sshserver
Options:
-f run in the background
-N do not open a remote shell, just keep the connection waiting
-g enable gateway mode (allow other hosts to use the forwarded port)
Example:
ssh -L 9527:telnetsrv:23 -Nfg sshsrv
telnet 127.0.0.1 9527
Example: local port forwarding
[root@centos8 ~]
[root@centos8 ~]
3.5.2 SSH remote port forwarding
ssh -R sshserverport:remotehost:remotehostport sshserver
Example:
>telnetsrv:23
ssh -R 9527:telnetsrv:23 -Nf sshsrv
Example: remote port forwarding with gateway mode enabled
[root@lan-server ~]
10.0.0.28 > /var/www/html/index.html
[root@ssh-server ~]
GatewayPorts yes
[root@ssh-server ~]
[root@ssh-client ~]
root@10.0.0.8's password:
[root@centos6 ~]
website On 10.0.0.28
[root@centos7 ~]
website On 10.0.0.28
3.5.3 SSH dynamic port forwarding
Traffic is relayed to sshserver, which accesses the internet on the client's behalf
ssh -D 1080 root@sshserver -fNg
curl --socks5 127.0.0.1:1080 http://www.google.com
Example: dynamic port forwarding as a SOCKS proxy for outbound access, method 1
[root@centos8 ~]
Example: dynamic port forwarding as a SOCKS proxy for outbound access, method 2
[root@vps ~]
[root@centos6 ~]
google On 10.0.0.28
[root@centos7 ~]
google On 10.0.0.28
3.5.4 X protocol forwarding
All graphical applications are X clients and can connect to a remote X server over TCP/IP; the data itself is not encrypted, but it is carried securely through the SSH tunnel
ssh -X user@remotehost gedit
Example: displaying Linux graphical tools on Windows with MobaXterm's X server
[root@centos ~]
[root@centos ~]
[root@centos ~]
Example: displaying Linux graphical tools on Windows with Xshell's X server
[root@centos ~]
[root@centos ~]
3.6 SSH server configuration
Server side: sshd
Server configuration file: /etc/ssh/sshd_config
Configuration file documentation: man 5 sshd_config
Common parameters:
Port
ListenAddress ip
LoginGraceTime 2m
PermitRootLogin yes
StrictModes yes
MaxAuthTries 6
MaxSessions 10
PubkeyAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication yes
GatewayPorts no
ClientAliveInterval 10
ClientAliveCountMax 3
UseDNS yes
GSSAPIAuthentication yes
MaxStartups
Banner /path/file
AllowUsers user1 user2 user3
DenyUsers
AllowGroups
DenyGroups
Example: logging out idle SSH sessions automatically after 60 s
vim /etc/ssh/sshd_config
ClientAliveInterval 60
ClientAliveCountMax 0
service sshd restart
Example: fixing slow SSH logins
vim /etc/ssh/sshd_config
UseDNS no
GSSAPIAuthentication no
systemctl restart sshd
Example: enabling remote root login over SSH on Ubuntu
vim /etc/ssh/sshd_config
PermitRootLogin yes   (change the existing PermitRootLogin line to this form)
systemctl restart sshd
SSH server best practices
- use a non-default port
- disable protocol version 1
- restrict which users may log in
- set an idle session timeout
- control SSH access with firewall rules
- listen only on specific IP addresses
- when using password authentication, enforce a strong password policy, e.g. tr -dc A-Za-z0-9_ < /dev/urandom | head -c 12|xargs
- use key-based authentication
- forbid empty passwords
- forbid direct root login
- limit the SSH connection rate and the number of concurrent sessions
- review the logs regularly
4 Other SSH-related tools
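To turn the best-practice list above into something checkable, here is an added example (not from the original page) that audits an sshd_config for those settings; both config fragments are constructed, and the finding texts and the compiled-in defaults assumed for missing keywords are this example's own:

```shell
# Constructed sshd_config fragment carrying the weak settings the list above warns
# about; not taken from any real host.
WEAK_SSHD_CONFIG='Port 22
#Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
#ClientAliveInterval 0
MaxAuthTries 6'

# The hardened counterpart, following the best-practice list.
HARDENED_SSHD_CONFIG='Port 2222
ListenAddress 10.0.0.8
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
ClientAliveInterval 60
ClientAliveCountMax 0
MaxAuthTries 3
AllowUsers ops1 ops2'

# Effective value of one keyword read from stdin. Commented lines are skipped
# and the first occurrence wins, which is how sshd itself resolves duplicates.
sshd_opt() {
    awk -v k="$1" 'tolower($1) == tolower(k) { print $2; exit }'
}

# One line per violated practice; prints nothing for a clean config.
# Missing keywords are judged by the defaults assumed here (Port 22,
# PasswordAuthentication yes, MaxAuthTries 6, ClientAliveInterval 0).
audit_sshd_config() {
    local cfg v
    cfg="$(cat)"
    v=$(printf '%s\n' "$cfg" | sshd_opt Port);                   [ "${v:-22}" = "22" ] && echo "Port: default port 22"
    v=$(printf '%s\n' "$cfg" | sshd_opt PermitRootLogin);        [ "$v" != "no" ] && echo "PermitRootLogin: direct root login not disabled"
    v=$(printf '%s\n' "$cfg" | sshd_opt PermitEmptyPasswords);   [ "${v:-no}" = "yes" ] && echo "PermitEmptyPasswords: empty passwords allowed"
    v=$(printf '%s\n' "$cfg" | sshd_opt PasswordAuthentication); [ "${v:-yes}" = "yes" ] && echo "PasswordAuthentication: password login still enabled"
    v=$(printf '%s\n' "$cfg" | sshd_opt ClientAliveInterval);    [ "${v:-0}" = "0" ] && echo "ClientAliveInterval: no idle timeout"
    v=$(printf '%s\n' "$cfg" | sshd_opt AllowUsers);             [ -z "$v" ] && echo "AllowUsers: login not restricted to named users"
    v=$(printf '%s\n' "$cfg" | sshd_opt MaxAuthTries);           [ "${v:-6}" -gt 3 ] && echo "MaxAuthTries: $v attempts per connection"
    return 0
}

# Number of findings for the config supplied on stdin.
audit_count() { audit_sshd_config | grep -c . || true; }
```

On a live host run audit_sshd_config < /etc/ssh/sshd_config, keeping in mind that files under sshd_config.d and Match blocks are not evaluated by this simple reader.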
4.1 Mounting a remote directory over SSH: sshfs
Provided by the EPEL repository (not yet available for CentOS 8); it mounts a remote directory over the SSH protocol
[root@centos7 ~]
[root@centos7 ~]
[root@centos7 ~]
Filesystem 1K-blocks Used Available Use% Mounted on
10.0.0.8:/data 52403200 398576 52004624 1% /mnt
4.2 Non-interactive SSH login: sshpass
Provided by EPEL. ssh itself cannot take a password on the command line; sshpass solves this. It is used for non-interactive SSH password authentication, typically in shell scripts, so that the password does not have to be typed again (it only works for hosts already present in the local known_hosts file). It lets you pass a clear-text password with -p and log straight into the remote server, and can read the password from the command line, a file or an environment variable.
Format:
sshpass [option] command parameters
Common options
-p password (password given on the command line)
-f filename (password read from the first line of a file)
-e (password read from the SSHPASS environment variable)
Example:
[root@centos8 ~]
[root@centos8 ~]
/usr/bin/sshpass
/usr/lib/.build-id
/usr/lib/.build-id/1f
/usr/lib/.build-id/1f/c5d6cf03500df846a1a801aab749f478845a4d
/usr/share/doc/sshpass
/usr/share/doc/sshpass/AUTHORS
/usr/share/doc/sshpass/COPYING
/usr/share/doc/sshpass/ChangeLog
/usr/share/doc/sshpass/NEWS
/usr/share/man/man1/sshpass.1.gz
[root@centos8 ~]
root@10.0.0.8
[root@centos8 ~]
hostname -I
Warning: Permanently added '10.0.0.7' (ECDSA) to the list of known hosts.
10.0.0.7
[root@centos8 ~]
hostname -I
Warning: Permanently added '10.0.0.6' (RSA) to the list of known hosts.
10.0.0.6
[root@centos8 ~]
123456
[root@centos8 ~]
[root@centos8 ~]
[root@centos8 ~]
Example: changing the root password on multiple hosts to a random value
[root@centos8 ~]
rpm -q sshpass &> /dev/null || yum install -y sshpass
export SSHPASS=magedu
NET=10.0.0
for i in {5..19};do
{
PASS=`openssl rand -base64 9`
sshpass -e ssh $NET.$i "echo $PASS| passwd --stdin root &> /dev/null"
echo $NET.$i:$PASS >> host.txt
}&
done
wait
Example: batch deployment of key-based authentication, script 1
[root@centos8 ~]
NET=10.0.0
PASS=magedu
ssh-keygen -P "" -f /root/.ssh/id_rsa &> /dev/null
rpm -q sshpass &> /dev/null || yum -y install sshpass &> /dev/null
for i in {1..100};do
{
sshpass -p $PASS ssh-copy-id -o StrictHostKeyChecking=no -i /root/.ssh/id_rsa.pub $NET.$i &> /dev/null
}&
done
wait
Example: batch deployment of key-based authentication, script 2
[root@centos8 ~]
HOSTS="
10.0.0.6
10.0.0.18
10.0.0.77
"
PASS=magedu
ssh-keygen -P "" -f /root/.ssh/id_rsa &> /dev/null
rpm -q sshpass &> /dev/null || yum install -y sshpass &> /dev/null
for i in $HOSTS;do
{
sshpass -p $PASS ssh-copy-id -o StrictHostKeyChecking=no -i /root/.ssh/id_rsa.pub $i &> /dev/null
}&
done
wait
4.3 Lightweight automation tool: pssh
The EPEL repository provides several automation tools:
- pssh: written in Python, runs commands on many servers and can also copy files; it provides several parallel tools based on ssh and scp. Project: http://code.google.com/p/parallel-ssh/. Not currently packaged for CentOS 8
- pdsh: Parallel remote shell program, a multithreaded remote shell client that runs commands on multiple remote hosts in parallel. It works with several remote shell services including rsh, Kerberos IV and ssh. Project: https://pdsh.googlecode.com/
- mussh: Multihost SSH wrapper, a shell script that runs commands on multiple hosts over ssh. It can use ssh-agent and RSA/DSA keys to reduce password prompts. Project: http://www.sourceforge.net/projects/mussh
pssh command options:
-H: host string, in the form "[user@]host[:port]"
-h file: host list file, one entry per line in the form "[user@]host[:port]"
-A: prompt for the password manually
-i: print each server's output inline
-l: user name to log in as
-p: number of parallel threads (optional)
-o: directory for stdout files (optional)
-e: directory for stderr files (optional)
-t TIMEOUT: timeout in seconds, 0 for no limit (optional)
-O: SSH options
-P: print server output as it arrives
-v: verbose mode
--version: show the version
Example:
pssh -H "192.168.1.10" -A hostname
pssh -H wang@192.168.1.10 -A -i hostname
pssh -H root@192.168.1.10 -i 'sed -i "s/^SELINUX=.*/SELINUX=disabled/" /etc/selinux/config'
pssh -H "192.168.1.10 192.168.1.20" -i hostname
cat hosts.txt
10.0.0.8
10.0.0.6
pssh -h hosts.txt -i hostname
pssh -H 192.168.1.10 -o /data/stdout -e /data/stderr -i "hostname"
[root@centos7 ~]
10.0.0.8
10.0.0.6
[root@centos7 ~]
[1] 16:47:00 [SUCCESS] 10.0.0.6
centos7.wangxiaochun.com
[2] 16:47:01 [SUCCESS] 10.0.0.8
centos7.wangxiaochun.com
[root@centos7 ~]
[1] 16:48:05 [SUCCESS] 10.0.0.6
centos6.localdomain
[2] 16:48:05 [SUCCESS] 10.0.0.8
centos8.localdomain
[root@centos7 ~]
[1] 16:48:29 [FAILURE] 10.0.0.6 Exited with error code 2
Stderr: ls: cannot access /data/10.0.0.6: No such file or directory
ls: cannot access /data/10.0.0.8: No such file or directory
[2] 16:48:29 [FAILURE] 10.0.0.8 Exited with error code 2
Stderr: ls: cannot access '/data/10.0.0.6': No such file or directory
ls: cannot access '/data/10.0.0.8': No such file or directory
[root@centos7 ~]
[1] 16:48:47 [SUCCESS] 10.0.0.6
[2] 16:48:47 [SUCCESS] 10.0.0.8
/data/centos7.log
/data/f1.txt
/data/f2.txt
/data/host_pass.txt
The pscp.pssh command
pscp.pssh copies local files to multiple remote hosts in one go
pscp [-vAr] [-h hosts_file] [-H [user@]host[:port]] [-l user] [-p par] [-o outdir] [-e errdir] [-t timeout] [-O options] [-x args] [-X arg] local remote
pscp.pssh options
-v show copy progress
-r copy directories recursively
Example:
pscp.pssh -H 192.168.1.10 /root/test/curl.sh /app/
pscp.pssh -h host.txt /root/test/curl.sh /app/
pscp.pssh -H 192.168.1.10 /root/f1.sh /root/f2.sh /app/
pscp.pssh -H 192.168.1.10 -r /root/test/ /app/
The pslurp command
pslurp copies files from multiple remote hosts to the local machine
pslurp [-vAr] [-h hosts_file] [-H [user@]host[:port]] [-l user] [-p par] [-o outdir] [-e errdir] [-t timeout] [-O options] [-x args] [-X arg] [-L localdir] remote local (local name)
pslurp options
-L directory on the local machine to download into; local is the name given to the file after download
-r copy directories recursively
Example:
pslurp -H 192.168.1.10 -L /app /etc/passwd user
[root@centos7 ~]
[1] 17:50:57 [SUCCESS] 10.0.0.6
[2] 17:50:57 [SUCCESS] 10.0.0.8
[root@centos7 ~]
/data
├── 10.0.0.6
│ └── version
└── 10.0.0.8
└── version
2 directories, 2 files
5 dropbear
A Secure Shell implementation developed by Matt Johnston. Dropbear is a relatively small SSH server and client. It runs on a variety of POSIX-based platforms. Dropbear is open-source software under an MIT-style licence. It is particularly useful for "embedded" Linux (or other Unix) systems such as wireless routers, where it is meant to replace OpenSSH on devices with limited memory and processing power
Website: http://matt.ucc.asn.au/dropbear/dropbear.html
Example: building and installing dropbear from source
[root@centos8 ~]
[root@centos8 ~]
[root@centos8 ~]
[root@centos8 ~]
[root@centos8 dropbear-2019.78]
[root@centos8 dropbear-2019.78]
[root@centos8 dropbear-2019.78]
[root@centos8 dropbear-2019.78]
[root@centos8 dropbear-2019.78]
/apps/
└── dropbear
├── bin
│ ├── dbclient
│ ├── dropbearconvert
│ ├── dropbearkey
│ └── scp
├── sbin
│ └── dropbear
└── share
└── man
├── man1
│ ├── dbclient.1
│ ├── dropbearconvert.1
│ └── dropbearkey.1
└── man8
└── dropbear.8
7 directories, 9 files
[root@centos8 ~]
[root@centos8 ~]
[root@centos8 ~]
[root@centos8 ~]
[root@centos8 ~]
2048
[root@centos8 ~]
[root@centos8 ~]
[root@centos8 ~]
[root@centos8 ~]
[root@centos8 ~]