SSH Remote Management Service in Practice
阿新 • Published: 2021-08-07
SSH basic overview
SSH is a secure protocol: every packet is encrypted before it is sent, so the confidentiality and integrity of the data in transit are protected.
Main functions of the SSH service
1. Provides remote login to servers
2. Encrypts the transmitted data
Differences between the ssh and telnet protocols
ssh encrypts the transmitted data, listens on local port 22/tcp, and (with the default sshd_config shipped by CentOS/RHEL 7) permits the root user to log in
telnet does not encrypt the data (passwords cross the network in cleartext), listens on local port 23/tcp, and by default does not permit root to log in (the pseudo-terminals telnet uses are not listed in /etc/securetty, so pam_securetty rejects root)
ssh-related commands
Log in to a remote server
ssh root@10.0.0.41 -p 22
# root: the user to connect as (an account on the remote server); ssh defaults to your current local username, so when the local user is root it can be omitted
# @: separator between user and host
# 10.0.0.41: IP address of the remote host
# -p: remote port; ssh defaults to 22, so it can be omitted
ssh root@172.16.1.31 'ifconfig'
Run a command on the remote machine without opening an interactive session; the output comes back and the connection closes
[root@backup ~]$ ssh root@172.16.1.31 'ifconfig'
The authenticity of host '172.16.1.31 (172.16.1.31)' can't be established.
ECDSA key fingerprint is SHA256:3enksfMN5/ep92kZMkIEC39u/yyFXAX8gO9F83Lm1vE.
ECDSA key fingerprint is MD5:84:3b:b2:f2:ea:31:9f:96:b1:d8:45:2b:13:b7:62:eb.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.1.31' (ECDSA) to the list of known hosts.
root@172.16.1.31's password:
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.16.1.31  netmask 255.255.255.0  broadcast 172.16.1.255
        inet6 fe80::20c:29ff:fea7:5d90  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:a7:5d:90  txqueuelen 1000  (Ethernet)
        RX packets 2110  bytes 128819 (125.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1098  bytes 68693 (67.0 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
The "authenticity of host ... can't be established" prompt is the client telling you it has never seen this server's host key. Answering yes trusts whatever key the other end offered; on a network you do not fully control, compare the fingerprint with one read on the server itself (ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub) before accepting.
scp -rp /oldboy/ root@172.16.1.7:/opt
Remote copy (a full copy: -r recurses into directories, -p preserves modes and timestamps); scp runs over the ssh protocol, so it uses the same host-key check and authentication as ssh
[root@backup ~]$ scp -rp /oldboy/ root@172.16.1.7:/opt
The authenticity of host '172.16.1.7 (172.16.1.7)' can't be established.
ECDSA key fingerprint is SHA256:3enksfMN5/ep92kZMkIEC39u/yyFXAX8gO9F83Lm1vE.
ECDSA key fingerprint is MD5:84:3b:b2:f2:ea:31:9f:96:b1:d8:45:2b:13:b7:62:eb.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.1.7' (ECDSA) to the list of known hosts.
root@172.16.1.7's password:
1.txt                                         100%    0     0.0KB/s
[root@web01 ~]$ ll /opt/
total 0
drwxr-xr-x 2 root root 19 Jul  9 19:44 oldboy
Note that 172.16.1.7 presents exactly the same ECDSA fingerprint as 172.16.1.31 did above. Two different servers should never share a host key. This happens when VMs are cloned from one image without regenerating /etc/ssh/ssh_host_*_key, and it means the fingerprint check cannot tell one of these hosts from another (or from an attacker holding a copy of the cloned key).
SSH authentication methods
Create a key pair (public key and private key)
Public key: the management host hands it to the remote (managed) host
Private key: stays on the management host and is the key that opens the lock (the public key) installed on the remote host; it is never copied anywhere
# Generate the public and private key on the management host
[root@m01 ~]$ ssh-keygen
[root@m01 ~]$ ll .ssh/
total 12
-rw------- 1 root root 1679 Jul 9 10:49 id_rsa #private key (the key); must stay mode 600, ssh refuses to use a private key that other users can read
-rw-r--r-- 1 root root 390 Jul 9 10:49 id_rsa.pub #public key (the lock)
-rw-r--r-- 1 root root 682 Jul 9 11:21 known_hosts #records the host key of every server this machine has connected to: on the first connection ssh cannot verify the server and prompts (type yes), then stores the server's key under its IP here, so later connections do not prompt; if that server's key ever changes, ssh warns that the host identification has changed and refuses to connect
[root@m01 ~]$ cat .ssh/known_hosts
10.0.0.41 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBP2D5teBiqz8QsHoJgZhSjikWfNTj3Z/fsyb+OREmH+ZeNRncYYNvJeGgTOXss9s6tCAbTjGw+i/fQ1UBzhGPpc=
10.0.0.31 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBP2D5teBiqz8QsHoJgZhSjikWfNTj3Z/fsyb+OREmH+ZeNRncYYNvJeGgTOXss9s6tCAbTjGw+i/fQ1UBzhGPpc=
10.0.0.7 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBP2D5teBiqz8QsHoJgZhSjikWfNTj3Z/fsyb+OREmH+ZeNRncYYNvJeGgTOXss9s6tCAbTjGw+i/fQ1UBzhGPpc=
10.0.0.8 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBP2D5teBiqz8QsHoJgZhSjikWfNTj3Z/fsyb+OREmH+ZeNRncYYNvJeGgTOXss9s6tCAbTjGw+i/fQ1UBzhGPpc=
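All four entries above carry the same ECDSA key: these hosts were cloned from one VM image without regenerating /etc/ssh/ssh_host_*_key, so the host-key check cannot tell them apart, and anyone holding a copy of that cloned key can impersonate any of them. The shell script below is an added example, not part of the original post: shared_host_keys reads a known_hosts file and reports every host key that appears under more than one host. The known_hosts lines it builds are constructed sample data in the same shape as the listing, not the real keys above.

```shell
#!/bin/sh
# Added example: find host keys shared by several hosts in a known_hosts file.
# Works on the plain (non-hashed) known_hosts format shown on this page; with
# HashKnownHosts the host column is a hash, but grouping by key still works.

# shared_host_keys <known_hosts_file>
# Prints one line per key used by more than one host:
#   "<number of hosts> <key type> <host> <host> ..."
shared_host_keys() {
    awk '
        # skip blank lines, comments and @cert-authority / @revoked markers
        /^[[:space:]]*$/ || /^#/ || /^@/ { next }
        {
            host = $1; ktype = $2; kdata = $3
            key = ktype " " kdata
            if (!(key in hosts)) { order[++n] = key }   # keep first-seen order
            hosts[key] = hosts[key] " " host
            cnt[key]++
        }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (cnt[k] > 1) {
                    split(k, parts, " ")
                    print cnt[k], parts[1] hosts[k]
                }
            }
        }
    ' "$1"
}

# make_sample_known_hosts <output_file>
# Constructed sample: four cloned VMs sharing one ECDSA key, plus one host
# with its own ed25519 key. The key blobs are made up, not real keys.
make_sample_known_hosts() {
    cat > "$1" <<'EOF'
# cloned VMs: the same ECDSA key under four addresses
10.0.0.41 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCLONEDKEY
10.0.0.31 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCLONEDKEY
10.0.0.7 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCLONEDKEY
10.0.0.8 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCLONEDKEY
# a host with its own key: must not be reported
10.0.0.61 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIUNIQUEKEY
EOF
}

# demo_shared_host_keys: build the sample file and audit it; prints the report
demo_shared_host_keys() {
    f=$(mktemp)
    make_sample_known_hosts "$f"
    shared_host_keys "$f"
    rm -f "$f"
}

# To audit your own client:  shared_host_keys ~/.ssh/known_hosts
# To see the sample report:  demo_shared_host_keys
```

If the report lists hosts you administer, regenerate their host keys on each machine (remove /etc/ssh/ssh_host_* and run ssh-keygen -A, then restart sshd) and remove the stale entries on clients with ssh-keygen -R <host>, so that each server gets a fingerprint of its own.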
# Send the public key to the managed host
[root@m01 ~]$ ssh-copy-id -i ~/.ssh/id_rsa.pub root@10.0.0.41
# On the managed host, after the public key has been stored
[root@backup ~]$ ll .ssh/
total 8
-rw------- 1 root root 390 Jul 9 10:53 authorized_keys #file holding the public keys that are allowed to log in as this user
-rw-r--r-- 1 root root 345 Jul 9 19:45 known_hosts
What ssh-copy-id does for us
# 1. Create a .ssh directory under the home directory on the managed host
mkdir ~/.ssh
# 2. Set the .ssh directory mode to 700
chmod 700 ~/.ssh
# 3. Create the file that holds the public key and append the key to it
[root@backup ~]$ cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCu8ecP9QulOO45n79fI2oDFW8VQsfvDTCZBnAJm9sqU97QhBwqHs7fCLs5bgIMh7OEwNXQVQqHBLO1gCQVbU5D1YWpR7xnL0+lOevpvk48D5JVO3KvHO86Cg4CNk7Yergf/DqMZf0WB9UtNNmiE+wrYdbbtbsKAvYQye4/MZ7IklZcWZ2l4lHikz3gJsxTdpTvDFZO/aBfKef5qoxpx9r9L6BB0cfwIueah/gUhsTacWdgApYSZgTsb05XxFxYTnfxeOkWSGjZ8lI4g27hrqhpobueU5lx7PU+QFd6PoKUgWYLSFGKt5SWrMVsPKMmr4WqhZL/OUEkIxB2Ro3pgigl root@m01
# 4. Set the mode of the public-key file to 600
chmod 600 ~/.ssh/authorized_keys
# The modes matter: sshd's StrictModes option (on by default) ignores authorized_keys entirely if the home directory, ~/.ssh or the file itself is writable by other users, and key login then silently falls back to a password prompt.
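As an added example, not from the original post, the shell functions below carry out those four steps by hand for any home directory and public-key file, which is what you need when ssh-copy-id is not installed or when keys are pushed by a provisioning script. install_authorized_key appends the key only if it is not already present (a second run must not duplicate it), and check_authorized_keys verifies the modes that StrictModes insists on. All paths are arguments; the key in the usage comment is made up.

```shell
#!/bin/sh
# Added example: a manual equivalent of ssh-copy-id plus a permissions check.

# perm_of <path>: octal mode, e.g. 700; GNU stat first, BSD stat as fallback
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# install_authorized_key <home_dir> <pubkey_file>
# Steps 1-4 from the text, made idempotent: the key is appended only once.
install_authorized_key() {
    home_dir=$1; pub=$2
    ak="$home_dir/.ssh/authorized_keys"
    mkdir -p "$home_dir/.ssh"                  # 1. create ~/.ssh
    chmod 700 "$home_dir/.ssh"                 # 2. owner-only directory
    touch "$ak"                                # 3. make sure the file exists
    # key type + base64 blob of the first key in the file; the comment is ignored
    keydata=$(awk 'NR == 1 { print $1, $2 }' "$pub")
    # substring match so lines with option prefixes (from="...", command="...") still count
    if ! awk -v k="$keydata" 'index($0, k) > 0 { found = 1 } END { exit (found ? 0 : 1) }' "$ak"; then
        cat "$pub" >> "$ak"
    fi
    chmod 600 "$ak"                            # 4. owner-only file
}

# check_authorized_keys <home_dir>
# Returns 0 when ~/.ssh is 700 and authorized_keys exists with mode 600,
# otherwise prints what is wrong and returns 1 (sshd would ignore the keys).
check_authorized_keys() {
    home_dir=$1; ok=0
    ak="$home_dir/.ssh/authorized_keys"
    [ "$(perm_of "$home_dir/.ssh")" = 700 ] || { echo "bad mode on $home_dir/.ssh (want 700)"; ok=1; }
    if [ -f "$ak" ]; then
        [ "$(perm_of "$ak")" = 600 ] || { echo "bad mode on $ak (want 600)"; ok=1; }
    else
        echo "missing $ak"; ok=1
    fi
    return $ok
}

# Usage (made-up key, scratch home directory):
#   h=$(mktemp -d)
#   printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYDATA root@m01\n' > "$h/key.pub"
#   install_authorized_key "$h" "$h/key.pub" && check_authorized_keys "$h"
```

Run it as the target user (or chown the results to that user afterwards): StrictModes also rejects an authorized_keys file owned by someone other than the account logging in.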
ssh optimisation
[root@m01 ~]$ vim /etc/ssh/sshd_config
# Listening port
Port 22
# Permit root login. The line is commented out, so the compiled-in default of this build applies; check the effective value with "sshd -T | grep permitrootlogin" rather than assuming. Once key login works, set it to prohibit-password (keys only) or no.
#PermitRootLogin yes
# Permit password login. Leave it on until key login is verified, then set it to no so that password guessing against port 22 is no longer possible.
PasswordAuthentication yes
# GSSAPI (Kerberos) authentication; turning it off removes the GSSAPI negotiation delay at login when no Kerberos is in use
GSSAPIAuthentication no
# Reverse-DNS lookup of the client address; turning it off removes the login delay seen when reverse DNS is slow or missing
UseDNS no
Restart the ssh service (validate the file first with "sshd -t"; a syntax error would leave sshd unable to start, and keep your current session open until a new login succeeds)
[root@m01 ~]$ systemctl restart sshd
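The settings above are worth checking the way sshd reads them: keywords are case-insensitive and the first uncommented occurrence of a keyword wins, so a hardening line appended at the end of the file has no effect if an earlier line already sets the same keyword. The script below is an added example, not part of the original post: sshd_effective reports the effective value of one keyword in a config file, and sshd_audit flags the two settings that matter most on a server reachable from the network. The two config files it builds are constructed excerpts, one shaped like the page's and one hardened.

```shell
#!/bin/sh
# Added example: read sshd_config the way sshd does and audit two settings.

# sshd_effective <config_file> <Keyword>
# Prints the effective value of Keyword: first uncommented occurrence wins,
# keyword comparison is case-insensitive, and reading stops at the first
# "Match" block because settings inside it are conditional. Prints
# "(default)" when the keyword is not set in the file.
sshd_effective() {
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v want="$want" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        /^[[:space:]]*[Mm][Aa][Tt][Cc][Hh][[:space:]]/ { exit }
        tolower($1) == want {
            v = $2
            for (i = 3; i <= NF; i++) v = v " " $i
            print v
            found = 1
            exit
        }
        END { if (!found) print "(default)" }
    ' "$1"
}

# sshd_audit <config_file>
# One OK/FAIL line per check; returns 1 if any check fails.
sshd_audit() {
    cfg=$1; rc=0
    prl=$(sshd_effective "$cfg" PermitRootLogin)
    pwa=$(sshd_effective "$cfg" PasswordAuthentication)
    case "$prl" in
        no|prohibit-password) echo "OK   PermitRootLogin=$prl" ;;
        # "(default)" depends on the build, so it is treated as unverified
        *) echo "FAIL PermitRootLogin=$prl (set no, or prohibit-password for key-only root)"; rc=1 ;;
    esac
    case "$pwa" in
        no) echo "OK   PasswordAuthentication=no" ;;
        *) echo "FAIL PasswordAuthentication=$pwa (set no once key login is verified)"; rc=1 ;;
    esac
    return $rc
}

# make_sample_sshd_config <output_file>: constructed excerpt shaped like the
# page's file, with a late duplicate that sshd ignores.
make_sample_sshd_config() {
    cat > "$1" <<'EOF'
Port 22
#PermitRootLogin yes
PasswordAuthentication yes
GSSAPIAuthentication no
UseDNS no
# appended later by a hardening script: ignored, the first occurrence wins
PasswordAuthentication no
EOF
}

# make_hardened_sshd_config <output_file>: the corrected settings
# (prohibit-password needs OpenSSH 7.0 or newer; older builds use without-password)
make_hardened_sshd_config() {
    cat > "$1" <<'EOF'
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
GSSAPIAuthentication no
UseDNS no
EOF
}

# Usage on a live server:   sshd_audit /etc/ssh/sshd_config
# Compare with what sshd itself reports:   sshd -T | grep -i -e permitrootlogin -e passwordauthentication
```

sshd -T prints the fully resolved configuration (including compiled-in defaults), so it is the authoritative check; the script is for reviewing config files offline, for example in a repository before they are deployed.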