ssh客戶端及基於key登陸
ssh名字為secure shell,目前使用的版本號為2,所使用的端口號為tcp的22號端口,可以實現安全的遠程登錄。
ssh協議版本有v1版和v2版本:
v1是基於CRC-32做MAC,不安全,無法防止中間人***。
V2版本雙方主機協議選擇安全的MAC方式基於DH算法做密鑰交換,基於RSA或DSA實現身份認證
ssh具體的軟件實現為:Openssh和dropbear
Openssh
openssh是ssh的一種實現,它能允許遠程系統經驗證地加密安全訪問。當用戶遠程連接ssh服務器時,會復制ssh服務器/etc/ssh/ssh_host_ecdsa_key.pub文件中的公鑰到客戶機的~/.ssh/know_hosts中。下次連接時會自動匹配相應私鑰,不能匹配的將拒絕連接
ssh軟件的組成
openssh是由openssh、openssh-clients、openssh-server這幾個包組成。
由於ssh是基於C/S結構,所以它分別有客戶端的配置和服務器端的配置。
openssh客戶端
一、配置文件
ssh客戶端的配置存放在/etc/ssh/ssh_config文件內,一般客戶端的配置文件不做修改,使用默認配置,但其中有幾項選項稍作了解。
1.StrictHostKeyChecking
當客戶端第一次訪問服務器時,客戶端會詢問所訪問的主機是否是你真正想想要訪問的主機。默認是每次都會詢問,當設置為no時,不會再詢問。
StrictHostKeyChecking no
2.port
此項為連接服務器時的端口號。默認為22號端口,當服務器的ssh服務的端口為非標時,將配置文件的port進行修改,也可以使用ssh -p PORT來指定端口號。
修改配置文件方法
port 9527 #找到port行修改為指定端口
手動指定端口號方法:
[[email protected] ~]# ssh [email protected] -p 9527
二、ssh的用戶登陸方式
ssh有2中登錄方式,一種是基於口令的登陸方式,另一種是基於Key的登登錄方式。
基於口令的登陸方式
基於口令的登陸方式依賴於ssh命令
ssh的使用方法:
ssh [option] [[email protected]]host [COMMAND]
選項 | 說明 |
---|---|
-p port | 指定遠程服務器監聽的端口 |
-b | 指定連接的源IP |
-v | 調試模式 |
-C | 壓縮方式 |
-X | 支持x11轉發 |
-t | 強制偽tty分配 |
常用選項示例:
-p:可以用來指定連接遠程主機的端口號,常用在服務器端口號為非標的情況下
[[email protected] ~]# ssh [email protected] -p 9527
-C:壓縮方法連接,常用在帶寬較小的情況下
[[email protected] ~]# ssh -C [email protected]
-X:支持x11轉發功能
x11轉發功能可以實現將遠程的主機的圖形化桌面拉取到本機,從而實現圖形操作。
[[email protected] ~]# ssh -X [email protected]
-t:強制偽tty分配
強制偽tty分配使用的場合為有a、b、c、d,4臺主機,a要去連接d,但d,c,b只能通過單線去連接,a無法直接連接到的d,需要b,c上依次登錄才能登錄到d,使用-t選項可以實現一條命令直接登錄至d主機
[[email protected] ~]# ssh -t 192.168.73.132 ssh -t 192.168.73.133 ssh 192.168.73.134
[email protected]‘s password:
The authenticity of host ‘192.168.73.133 (192.168.73.133)‘ can‘t be established.
ECDSA key fingerprint is SHA256:YNlH0VBV0kp4lAClVvfMWVx/bHcbKKHXQwyd13d+MME.
ECDSA key fingerprint is MD5:8a:1c:3d:c2:04:b1:be:05:95:33:9e:16:e8:ad:6c:25.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘192.168.73.133‘ (ECDSA) to the list of known hosts.
[email protected]‘s password:
The authenticity of host ‘192.168.73.134 (192.168.73.134)‘ can‘t be established.
ECDSA key fingerprint is SHA256:YNlH0VBV0kp4lAClVvfMWVx/bHcbKKHXQwyd13d+MME.
ECDSA key fingerprint is MD5:8a:1c:3d:c2:04:b1:be:05:95:33:9e:16:e8:ad:6c:25.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘192.168.73.134‘ (ECDSA) to the list of known hosts.
[email protected]‘s password:
Last failed login: Tue Apr 16 11:41:25 CST 2019 from 192.168.73.133 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Tue Apr 16 07:15:03 2019 from 192.168.73.1
基於密鑰方式的登錄
一、交互式方法實現密鑰登錄
1.先在本機生成私鑰
[[email protected] ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:7s3nPNrHugMdkip+8ozUvE2pYeUnvGGhylzVHMhaPMk [email protected]
The key‘s randomart image is:
+---[RSA 2048]----+
| |
| + o |
| E.. |
| oo+.. |
| S.+oo. |
| .+.*.o. |
| ...O O... |
| +oB.X B+ o |
| =+* *+** |
+----[SHA256]-----+
2.將密鑰文件發送給遠端的主機
[[email protected] ~]# ssh-copy-id [email protected]
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]‘s password:
Permission denied, please try again.
[email protected]‘s password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh ‘[email protected]‘"
and check to make sure that only the key(s) you wanted were added.
二、非交互式方法實現密鑰登陸
1.生成密鑰,存放在~/.ssh/id_rsa
[[email protected] ~]# ssth-keygen - rsa -N "" -f ~/.ssh/id_rs
Generating public/private rsa key pair.
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:q+dIP5AXsmfJT71CleOlW8pR27c/SBdDJaRBK/n3ibo [email protected]
The key‘s randomart image is:
+---[RSA 2048]----+
| .o.o o|
| . + o |
| o o.. |
| . . o+ oo |
| =So +.=.oo|
| + *.o =o+o+|
| .=.+ ..Bo.+|
| . +o o *. o |
| ooo. E. +|
+----[SHA256]-----+
2.復制密鑰至遠程主機
[[email protected] ~]# ssh-copy-id 192.168.73.128
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]‘s password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh ‘192.168.73.128‘"
and check to make sure that only the key(s) you wanted were added.
註意:key驗證必須保證key的安全,若私鑰文件被偷走,別人可以利用私鑰文件進行免密登陸,為防止密鑰被別人盜走後被別人免密登陸,可以對私鑰進行加密。
3.密鑰的加密
[[email protected] .ssh]# ssh-keygen -t rsa -P "111111" -f ~/.ssh/id_rsa #創建密鑰時對密鑰進行加密
Generating public/private rsa key pair.
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:+kwhjUafA73ra7CoTaR59wemYBSGMummrZbHwubPUlI [email protected]
The key‘s randomart image is:
+---[RSA 2048]----+
| . . |
|+ . o . |
|.o . .o . |
| o E.. = o |
|o.... + S |
|...=o..oo+ |
|..B.ooo=o. |
|.B.*..o*. . |
|+.*+. .*o |
+----[SHA256]-----+
[[email protected] .ssh]# ssh-copy-id 192.168.73.128 #將密鑰復制到遠程主機
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host ‘192.168.73.128 (192.168.73.128)‘ can‘t be established.
ECDSA key fingerprint is SHA256:YNlH0VBV0kp4lAClVvfMWVx/bHcbKKHXQwyd13d+MME.
ECDSA key fingerprint is MD5:8a:1c:3d:c2:04:b1:be:05:95:33:9e:16:e8:ad:6c:25.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]‘s password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh ‘192.168.73.128‘"
and check to make sure that only the key(s) you wanted were added.
[[email protected] .ssh]# ssh 192.168.73.128
Enter passphrase for key ‘/root/.ssh/id_rsa‘: #再次登陸時要求輸入密鑰的密碼
Last login: Tue Apr 16 21:15:58 2019 from 192.168.73.132
由於每次需要輸入密碼太過麻煩,也可以使用代理,先輸一次密碼,只有所有登陸時所需要的輸入的密碼都由代理來輸入,達到免密的方法
4.ssh-agent代理的使用
[[email protected] .ssh]# ssh-agent bash #運行代理
[[email protected] .ssh]# ssh-add #將密鑰通過命令添加給代理
Enter passphrase for /root/.ssh/id_rsa:
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
[[email protected] .ssh]# ssh 192.168.73.128
Last login: Tue Apr 16 21:21:40 2019 from 192.168.73.128 #再次實現免密登陸
[[email protected] ~]#
5.集群模式下的基於key驗證。
假設有3臺設備,要實現相互間key驗證登陸,那我們就需要依次坐在每臺主機上,執行創建密鑰和公鑰分發的操作,由於此方法過於繁瑣,有沒有更加便捷的方法呢?
實現思路:3臺主機公用一個公私鑰
5.1現在一臺主機上創建私鑰文件
[[email protected] ~]# mkdir .ssh
[[email protected] ~]# ssh-keygen -P "" -t rsa -f .ssh/id_rsa
Generating public/private rsa key pair.
Your identification has been saved in .ssh/id_rsa.
Your public key has been saved in .ssh/id_rsa.pub.
The key fingerprint is:
SHA256:+pUkZANYvXQPGCF2VC5dpF7FNnZvLVyZZRNg7Av33f8 [email protected]
The key‘s randomart image is:
+---[RSA 2048]----+
| o=o==..++ooB|
| .. ++ooo.o=++|
| .=o+oo+ +o|
| o.+ o.oo +|
| S o o ooo|
| . o . . .o|
| . o .|
| . . .|
| . E|
+----[SHA256]-----+
5.2對自己創建authorized_keys文件
[[email protected] ~]# ssh-copy-id 192.168.73.128
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host ‘192.168.73.128 (192.168.73.128)‘ can‘t be established.
ECDSA key fingerprint is SHA256:YNlH0VBV0kp4lAClVvfMWVx/bHcbKKHXQwyd13d+MME.
ECDSA key fingerprint is MD5:8a:1c:3d:c2:04:b1:be:05:95:33:9e:16:e8:ad:6c:25.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]‘s password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh ‘192.168.73.128‘"
and check to make sure that only the key(s) you wanted were added.
5.3將整個.ssh目錄分發給另外兩臺主機
[[email protected] ~]# scp -rp .ssh 192.168.73.132:/root/
[email protected]‘s password:
id_rsa 100% 1675 1.3MB/s 00:00
id_rsa.pub 100% 406 389.1KB/s 00:00
known_hosts 100% 352 536.8KB/s 00:00
authorized_keys 100% 406 660.1KB/s 00:00
[[email protected] ~]# scp .ssh 192.168.73.133:/root/
The authenticity of host ‘192.168.73.133 (192.168.73.133)‘ can‘t be established.
ECDSA key fingerprint is SHA256:YNlH0VBV0kp4lAClVvfMWVx/bHcbKKHXQwyd13d+MME.
ECDSA key fingerprint is MD5:8a:1c:3d:c2:04:b1:be:05:95:33:9e:16:e8:ad:6c:25.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘192.168.73.133‘ (ECDSA) to the list of known hosts.
[email protected]‘s password:
.ssh: not a regular file
[[email protected] ~]# scp -rp .ssh 192.168.73.133:/root/
[email protected]‘s password:
id_rsa 100% 1675 1.2MB/s 00:00
id_rsa.pub 100% 406 365.0KB/s 00:00
known_hosts 100% 528 1.1MB/s 00:00
authorized_keys 100% 406 619.8KB/s 00:00
5.4登錄測試
[[email protected] ~]# ssh 192.168.73.133
Last login: Tue Apr 16 06:23:20 2019
[[email protected] ~]# ssh 192.168.73.132
Last login: Tue Apr 16 13:50:51 2019 from 192.168.73.1
[[email protected] ~]# ssh 192.168.73.128
Last login: Tue Apr 16 21:50:38 2019 from 192.168.73.1
ssh客戶端及基於key登陸