####################
###### 第七单元 ######
####################
####################1.进程定义####################
进程就是cpu未完成的工作
进程状态包括:
running ##正在运行
sleeping ##休眠,释放资源
stopped ##停止
zombie ##僵尸进程,不释放资源
[root@localhost Desktop]# gnome-system-monitor ##在图形中查看进程
####################2.ps命令####################
ps 参数
a ##关于当前环境的所有进程
x ##与当前环境无关的所有进程
f ##显示进程从属关系
e ##显示当前用户环境中的所有进程
l ##长列表显示进程的详细信息
u ##显示进程的用户信息
通常情况下:aux一起用,ef一起用
------------------------------baidu---------------------
具体命令解释如下:
1)ps a 显示现行终端机下的所有程序,包括其他用户的程序。
2)ps -A 显示所有程序。
3)ps c 列出程序时,显示每个程序真正的指令名称,而不包含路径,参数或常驻服务的标示。
4)ps -e 此参数的效果和指定"A"参数相同。 例如: ps -e|grep sshd
5)ps e 列出程序时,显示每个程序所使用的环境变量。
6)ps f 用ASCII字符显示树状结构,表达程序间的相互关系。
7)ps -H 显示树状结构,表示程序间的相互关系。
8)ps -N 显示所有的程序,除了执行ps指令终端机下的程序之外。
9)ps s 采用程序信号的格式显示程序状况。
10)ps S 列出程序时,包括已中断的子程序资料。
11)ps -t <终端机编号> 指定终端机编号,并列出属于该终端机的程序的状况。
12)ps u 以用户为主的格式来显示程序状况。
13)ps x 显示所有程序,不以终端机来区分。
最常用的方法是ps -aux,然后再利用一个管道符号导向到grep去查找特定的进程,然后再对特定的进程进行操作。
----------------------------------------------------------
####################
[root@localhost Desktop]# ps a
PID TTY STAT TIME COMMAND
592 tty1 Ss+ 0:18 /usr/bin/Xorg :0 -background none -verbose -auth /run
2151 pts/0 Ss 0:00 -bash
4410 pts/0 R+ 0:00 ps a
[root@localhost Desktop]# ps e
PID TTY STAT TIME COMMAND
592 tty1 Ss+ 0:18 /usr/bin/Xorg :0 -background none -verbose -auth /run
2151 pts/0 Ss 0:00 -bash LC_PAPER=en_US.UTF-8 LC_MONETARY=en_US.UTF-8 LC
4411 pts/0 R+ 0:00 ps e LC_PAPER=en_US.UTF-8 XDG_SESSION_ID=2 HOSTNAME=l
##在没有其他用户(仅"root")登入的情况下,"ps a"和"ps e"没有太大区别,"ps e"仅仅比"ps a"多显示了环境变量
[root@localhost Desktop]# su - student
Last login: Thu Oct 13 00:29:36 EDT 2016 on pts/0
[student@localhost ~]$ ps a
PID TTY STAT TIME COMMAND
592 tty1 Ss+ 0:18 /usr/bin/Xorg :0 -background none -verbose -auth /run
2151 pts/0 Ss 0:00 -bash
4415 pts/0 S 0:00 su - student
4416 pts/0 S 0:00 -bash
4451 pts/0 R+ 0:00 ps a
[student@localhost ~]$ ps a -o user
USER
root
root
root
student
student
[student@localhost ~]$ ps e
PID TTY STAT TIME COMMAND
4416 pts/0 S 0:00 -bash TERM=xterm-256color HOME=/home/student SHELL=/b
4453 pts/0 R+ 0:00 ps e XDG_SESSION_ID=2 HOSTNAME=localhost SHELL=/bin/b
[student@localhost ~]$ ps e -o user
USER
student
student
##在有其他用户登入的情况下,"ps a"显示所有用户shell中的所有进程,"ps e"显示当前用户shell中的所有进程
[student@localhost ~]$ ps
PID TTY TIME CMD
4416 pts/0 00:00:00 bash
4720 pts/0 00:00:00 ps
[student@localhost ~]$ ps -o user
USER
student
student
[student@localhost ~]$ exit
logout
[root@localhost Desktop]# ps
PID TTY TIME CMD
2151 pts/0 00:00:00 bash
4733 pts/0 00:00:00 ps
[root@localhost Desktop]# ps -o user
USER
root
root
##"ps"仅显示当前用户在当前shell中的进程
[root@localhost Desktop]# ps x -o user
...... ##显示全是"root"
##显示当前用户的所有进程(包括当前用户shell中的进程和当前用户shell之外的进程)
[root@localhost Desktop]# ps ax -o user
...... ##显示多个用户
##显示所有进程(所有用户,所有用户shell中的进程,所有用户shell之外的进程)
以上实验中的"-o user"也可以用"-o uid"和"-o euid"来代替
"uid"表示该进程是哪个用户创建的
"euid"表示该进程具备哪个用户的权限
一般来说,"uid"="euid"。特殊情况:执行带"u+s"(setuid)位的程序时,进程的euid变为该程序文件的属主
使用"euid"来做实验是最准确的,但是非"特殊情况"下,没有区别
####################
ps ax -o %cpu,%mem,user,group,comm,nice ##指定显示进程的某些信息
%cpu ##显示进程cpu负载
%mem ##显示进程内存负载
user ##进程用户
group ##进程组
comm ##进程名称
nice ##进程优先级
ps ax -o %cpu,comm --sort <+|-%cpu> <+|-%mem> ##进程按指定方式排序
+ ##正序
- ##倒序
%cpu ##cpu负载排序
%mem ##内存负载
pstree ##查看系统进程树
####################3.进程优先级####################
1.进程的优先级范围
-20~19
数值越低表示越优先被处理
普通用户只能在0~19之间取值,超级用户可以在-20~19之间任意取值
####################
[root@localhost Desktop]# vim &
[1] 1719
[root@localhost Desktop]# renice -n -21 1719
1719 (process ID) old priority 0, new priority -20
[1]+ Stopped vim
[root@localhost Desktop]# ps af -o pid,nice,comm
PID NI COMMAND
2151 0 bash
1719 -20 \_ vim ##输入-21,最多只能改到-20
1725 0 \_ ps
592 0 Xorg
[root@localhost Desktop]# renice -n 20 1719
1719 (process ID) old priority -20, new priority 19
[root@localhost Desktop]# ps af -o pid,nice,comm
PID NI COMMAND
2151 0 bash
1719 19 \_ vim ##输入20,最多只能改到19
1731 0 \_ ps
592 0 Xorg
####################
####################
[student@localhost ~]$ nice -n 1 vim &
[1] 1038
[student@localhost ~]$ nice -n -1 vim &
[2] 1039
[1]+ Stopped nice -n 1 vim
[student@localhost ~]$ nice: cannot set niceness: Permission denied ##nice取值超越权限
[2]+ Stopped nice -n -1 vim
[student@localhost ~]$ ps a -o pid,nice,comm
PID NI COMMAND
592 0 Xorg
907 0 su
908 0 bash
1038 1 vim
1039 0 vim
1067 0 ps
2151 0 bash
3745 0 bash
[student@localhost ~]$ renice -n -2 1038
renice: failed to set priority for 1038 (process ID): Permission denied ##nice取值超越权限
[student@localhost ~]$ ps a -o pid,nice,comm
PID NI COMMAND
592 0 Xorg
907 0 su
908 0 bash
1038 1 vim
1039 0 vim
1067 0 ps
####################
2.优先级查看
ps ax -o pid,nice,comm
3.指定某个优先级开启进程
nice -n 优先级数字 进程名称
nice -n -5 vim & ##开启vim并且指定程序优先级为-5
4.改变进程优先级
renice -n 优先级数字 进程pid
renice -n -5 1806 ##改变1806进程的优先级为-5
[root@localhost Desktop]# ps a -o pid,nice,comm
PID NI COMMAND
614 0 Xorg
1128 0 agetty
1625 0 bash
1785 0 vim
1806 -5 vim
1824 -5 vim
1835 0 ps
####################
[root@localhost Desktop]# ps af -o pid,nice,comm
PID NI COMMAND
2107 0 bash
533 0 \_ ps
585 0 Xorg
[root@localhost Desktop]# renice -n -5 2107
2107 (process ID) old priority 0, new priority -5
[root@localhost Desktop]# ps af -o pid,nice,comm
PID NI COMMAND
2107 -5 bash
580 -5 \_ ps
585 0 Xorg
[root@localhost Desktop]# nice -n -5 vim &
[1] 592
[1]+ Stopped nice -n -5 vim
[root@localhost Desktop]# ps af -o pid,nice,comm
PID NI COMMAND
2107 -5 bash
592 -10 \_ vim ##在父进程的优先级上加上“-5”,变成“-10”
598 -5 \_ ps
585 0 Xorg
[root@localhost Desktop]# renice -n -5 592
592 (process ID) old priority -10, new priority -5
[root@localhost Desktop]# ps af -o pid,nice,comm
PID NI COMMAND
2107 -5 bash
592 -5 \_ vim ##被强制改成了“-5”
740 -5 \_ ps
585 0 Xorg
####################
####################4.环境中进程的前后台调用####################
jobs ##查看被打入环境后台的进程
ctrl+z ##把占用终端的进程打入后台停止
fg [job号] ##把后台进程调回前台
bg [job号] ##把后台暂停的进程运行
comm & ##让命令直接在后台运行
####################
[root@localhost Desktop]# vim &
[1] 8682
[root@localhost Desktop]# jobs
[1]+ Stopped vim
[root@localhost Desktop]# vim &
[2] 8685
[root@localhost Desktop]# jobs
[1]- Stopped vim
[2]+ Stopped vim
[root@localhost Desktop]# vim &
[3] 8687
[root@localhost Desktop]# jobs
[1] Stopped vim
[2]- Stopped vim
[3]+ Stopped vim
jobs命令下,"+"表示当前作业(fg/bg不指定job号时默认操作它),"-"表示上一个作业,没有符号的是其余等待的作业
可以使用命令"man bg",查看jobs命令下"+"和"-"的意思
####################
####################
[root@localhost Desktop]# vim &
[1] 8530
[root@localhost Desktop]# jobs
[1]+ Stopped vim
[root@localhost Desktop]# bg
[1]+ vim &
[root@localhost Desktop]# jobs
[1]+ Stopped vim
发现使用"bg"没有效果
因为启用vim要占用终端,否则vim没有交互界面,就无法工作
####################
####################5.进程信号####################
1.常用信号等级
1 ##进程重新加载配置,不重启服务(reload进程)
2 ##删除进程在内存中的数据(ctrl+c)
3 ##删除鼠标在内存中的数据(ctrl+反斜杠,即SIGQUIT)
9 ##强行结束单个进程
15 ##正常关闭进程
18 ##运行停止的进程
19 ##停止某个进程
20 ##把进程打入后台(ctrl+z)
9和19不能被阻塞、忽略或捕获(进程无法自行处理它们)
15和20可以被阻塞、忽略或捕获
信号等级的内容还有很多,自行百度“Linux 信号”查找
也可以使用"man 7 signal"来查看解释
把鼠标放在shell上,按"ctrl"+"反斜杠",鼠标消失
???自己电脑上实验不出来:物理机没反应,虚拟机输入任意字符都会消失???
???kill -3也实验不出来???
2.信号的发起
kill的作用是向内核传递一个信号
kill -信号 进程pid
killall -信号 进程名字
pkill -u [username] -信号
pkill -t pts/0 -9 ##把终端0强行关闭
####################
终端1:
[root@localhost Desktop]# su - student
Last login: Thu Oct 13 03:37:26 EDT 2016 on pts/1
[student@localhost ~]$ vim
终端0:
[root@localhost Desktop]# ps af
PID TTY STAT TIME COMMAND
12418 pts/1 Ss 0:00 /bin/bash
12450 pts/1 S 0:00 \_ su - student
12451 pts/1 S 0:00 \_ -bash
12569 pts/1 S+ 0:00 \_ vim
10387 pts/0 Ss 0:00 -bash
12571 pts/0 R+ 0:00 \_ ps af
592 tty1 Ss+ 1:13 /usr/bin/Xorg :0 -background none -verbose -auth /run
10419 pts/0 S 0:00 dbus-launch --autolaunch=946cb0e817ea4adb916183df8c4f
[root@localhost Desktop]# kill -15 12451
[root@localhost Desktop]# ps af
PID TTY STAT TIME COMMAND
12418 pts/1 Ss 0:00 /bin/bash
12450 pts/1 S 0:00 \_ su - student
12451 pts/1 S 0:00 \_ -bash ##信号15被系统忽略了
12569 pts/1 S+ 0:00 \_ vim
10387 pts/0 Ss 0:00 -bash
12575 pts/0 R+ 0:00 \_ ps af
592 tty1 Ss+ 1:13 /usr/bin/Xorg :0 -background none -verbose -auth /run
10419 pts/0 S 0:00 dbus-launch --autolaunch=946cb0e817ea4adb916183df8c4f
[root@localhost Desktop]# kill -9 12451
[root@localhost Desktop]# ps af
PID TTY STAT TIME COMMAND
12418 pts/1 Ss+ 0:00 /bin/bash
10387 pts/0 Ss 0:00 -bash
12582 pts/0 R+ 0:00 \_ ps af
592 tty1 Ss+ 1:13 /usr/bin/Xorg :0 -background none -verbose -auth /run
12569 pts/1 S 0:00 vim
10419 pts/0 S 0:00 dbus-launch --autolaunch=946cb0e817ea4adb916183df8c4f
PID为"12451"的进程被杀死了,但是子进程没有被杀死
切换至终端1时出现故障
--------------------------------------------------
[root@localhost Desktop]# vim &
[1] 13234
[root@localhost Desktop]# vim &
[2] 13236
[1]+ Stopped vim
[root@localhost Desktop]# vim &
[3] 13243
[2]+ Stopped vim
[root@localhost Desktop]# ps
PID TTY TIME CMD
10387 pts/0 00:00:00 bash
10419 pts/0 00:00:00 dbus-launch
13234 pts/0 00:00:00 vim
13236 pts/0 00:00:00 vim
13243 pts/0 00:00:00 vim
13247 pts/0 00:00:00 ps
[3]+ Stopped vim
[root@localhost Desktop]# killall -9 vim
[1] Killed vim
[2]- Killed vim
[3]+ Killed vim
[root@localhost Desktop]# ps
PID TTY TIME CMD
10387 pts/0 00:00:00 bash
10419 pts/0 00:00:00 dbus-launch
13266 pts/0 00:00:00 ps
所有名字为vim的进程全被强行关闭
--------------------------------------------------
终端1:
[root@localhost Desktop]# su - student
Last login: Thu Oct 13 04:17:08 EDT 2016 on pts/1
[student@localhost ~]$ vim
终端0:
[root@localhost Desktop]# ps auf
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 12826 0.0 0.1 116260 2780 pts/1 Ss 04:17 0:00 /bin/bash
root 12859 0.0 0.1 182780 2268 pts/1 S 04:17 0:00 \_ su - studen
student 12860 0.0 0.1 116144 2756 pts/1 S 04:17 0:00 \_ -bash
student 12935 1.0 0.2 151368 4520 pts/1 S+ 04:18 0:00 \_ vim
root 10387 0.0 0.1 116276 2976 pts/0 Ss 03:29 0:00 -bash
root 12937 0.0 0.0 123352 1288 pts/0 R+ 04:18 0:00 \_ ps auf
root 592 0.2 1.9 188628 37596 tty1 Ss+ Oct12 1:15 /usr/bin/Xorg :
root 10419 0.0 0.0 16040 588 pts/0 S 03:29 0:00 dbus-launch --a
[root@localhost Desktop]# pkill -u student -9
[root@localhost Desktop]# ps auf
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 12826 0.0 0.1 116260 2836 pts/1 Ss+ 04:17 0:00 /bin/bash
root 10387 0.0 0.1 116276 2980 pts/0 Ss 03:29 0:00 -bash
root 12952 0.0 0.0 123352 1288 pts/0 R+ 04:18 0:00 \_ ps auf
root 592 0.2 1.9 188628 37596 tty1 Ss+ Oct12 1:15 /usr/bin/Xorg :
root 10419 0.0 0.0 16040 588 pts/0 S 03:29 0:00 dbus-launch --a
所有USER为student的进程全部被强行关闭
####################
####################6.用户登陆审计####################
1.
w ##查看使用系统的当前用户有哪些
w -f ##"-f"查看使用地点
2.
last ##查看用户登陆成功历史
3.
lastb ##查看用户登陆未成功历史
####################7.top命令####################
top ##监控系统负载工具
top用法:
u username
k pid-->信号
h 帮助
s 刷新时间,默认3秒
m 是否显示内存信息
c 切换"命令行/命令名"
虚拟机下打开top,按"k"后千万不要连按两次回车
否则会默认选取"gnome-shell"进程,默认使用信号15
图形就挂了
其它用法自行百度top命令详解
####################
虚拟机图形挂了怎么办?
点虚拟机左上角Send key-->ctrl+alt+f6
init 3
init 5
####################
######################
###### 第八单元 ######
######################
1.systemd
系统初始化程序,系统开始的第一个进程,pid为1
什么是服务(service)?
服务就是在系统中运行的软件,这个软件主要是对外提供某项功能,那么我们把这一类软件叫做服务
简单来说,服务就是:自己不用,开了给别人用
2.systemctl命令
systemctl list-units ##列出当前系统服务的状态
systemctl list-unit-files ##查看服务的开机状态
systemctl status sshd ##查看指定服务的状态
systemctl stop sshd ##关闭指定服务
systemctl start sshd ##开启指定服务
systemctl restart sshd ##重新启动服务
systemctl enable sshd ##设定指定服务开机启动
systemctl disable sshd ##设定指定服务开机关闭
systemctl reload sshd ##使指定服务重新加载配置(不关闭重启)
systemctl list-dependencies sshd ##查看指定服务的依赖关系
systemctl mask sshd ##冻结指定服务
systemctl unmask sshd ##启用服务
systemctl set-default multi-user.target ##开机不启动图形
systemctl set-default graphical.target ##开机启动图形
systemctl = systemctl list-units
####################
[root@localhost Desktop]# cd /etc/ssh/
[root@localhost ssh]# ls
moduli sshd_config ssh_host_ecdsa_key.pub ssh_host_rsa_key.pub
ssh_config ssh_host_ecdsa_key ssh_host_rsa_key
[root@localhost ssh]# rm -fr ssh_host_*
[root@localhost ssh]# ls
moduli ssh_config sshd_config
[root@localhost ssh]# systemctl restart sshd.service
[root@localhost ssh]# ll
total 268
-rw-------. 1 root root 242153 Mar 19 2014 moduli
-rw-r--r--. 1 root root 2123 Mar 19 2014 ssh_config
-rw-r--r--. 1 root root 4439 Jul 10 2014 sshd_config
-rw-r-----. 1 root ssh_keys 227 Oct 13 05:22 ssh_host_ecdsa_key
-rw-r--r--. 1 root root 162 Oct 13 05:22 ssh_host_ecdsa_key.pub
-rw-r-----. 1 root ssh_keys 1679 Oct 13 05:22 ssh_host_rsa_key
-rw-r--r--. 1 root root 382 Oct 13 05:22 ssh_host_rsa_key.pub
被删除的文件全部恢复(sshd启动时由sshd-keygen重新生成了主机密钥;注意新密钥的指纹与原来不同,之前记录过这台主机的客户端在known_hosts中会出现主机密钥变更警告)
####################
####################
[root@foundation50 Desktop]# which rht-vmctl
/usr/local/bin/rht-vmctl
[root@foundation50 Desktop]# whereis rht-vmctl
rht-vmctl: /usr/local/bin/rht-vmctl
[root@foundation50 Desktop]# uname -r
3.10.0-327.el7.x86_64 ##显示操作系统的发行编号
[root@foundation50 Desktop]# uname -a
Linux foundation50.ilt.example.com 3.10.0-327.el7.x86_64 #1 SMP Thu Oct 29 17:29:29 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux ##显示操作系统全部信息
####################
3.服务状态
systemctl status 服务名称
loaded ##系统服务已经初始化完成,加载过配置
active(running) ##服务正在被系统利用
active(exited) ##服务已经加载配置,等待被系统利用
active(waiting) ##服务等待被系统处理
inactive ##服务关闭
enabled ##服务开机启动
disabled ##服务开机不自启
static ##服务开机启动项不可被管理
failed ##系统配置错误
active(exited)和active(waiting)的区别:
exited已经加载配置
waiting还没有加载配置
【老李课堂上想展示"exited"状态,但是没成功,可遇不可求】
####################
[root@localhost ssh]# systemctl status sshd
sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)
Active: active (running) since Thu 2016-10-13 05:22:50 EDT; 10min ago ##active (running)
Process: 2901 ExecStartPre=/usr/sbin/sshd-keygen (code=exited, status=0/SUCCESS)
Main PID: 2914 (sshd)
CGroup: /system.slice/sshd.service
└─2914 /usr/sbin/sshd -D
Oct 13 05:22:49 localhost systemd[1]: Starting OpenSSH server daemon...
Oct 13 05:22:50 localhost sshd-keygen[2901]: Generating SSH2 RSA host key: [...]
Oct 13 05:22:50 localhost sshd-keygen[2901]: Generating SSH2 ECDSA host key:...]
Oct 13 05:22:50 localhost systemd[1]: Started OpenSSH server daemon.
Oct 13 05:22:50 localhost sshd[2914]: Server listening on 0.0.0.0 port 22.
Oct 13 05:22:50 localhost sshd[2914]: Server listening on :: port 22.
Hint: Some lines were ellipsized, use -l to show in full.
####################
Linux之前版本init的定义:
init 0 ##Halt[停机]
init 1 ##Single user[单用户模式]
init 2 ##multi user without network[多用户,没有NFS(net file system)]
init 3 ##Multi user[完全多用户模式(标准的运行级)]
init 4 ##unuse[安全模式]
init 5 ##X11(xwindow)[图形化模式]
init 6 ##Reboot[重新启动]
Linux企业7把单用户,无图形,无网络都改成init 3
######################
###### 第九单元 ######
######################
####################1.openssh-server####################
功能:让远程主机可以通过网络访问sshd服务,开启一个安全的shell
####################2.客户端连接方式####################
ssh 远程主机用户@远程主机ip
[root@foundation50 Desktop]# rm -fr /root/.ssh/*
[root@foundation50 Desktop]# ssh root@172.25.50.100
The authenticity of host ‘172.25.50.100 (172.25.50.100)‘ can‘t be established.
ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
Are you sure you want to continue connecting (yes/no)? yes ##连接陌生主机时需要建立认证关系,回答yes之前应先核对指纹是否与服务器上的一致(服务器上可用ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub查看)
Warning: Permanently added ‘172.25.50.100‘ (ECDSA) to the list of known hosts.
root@172.25.50.100‘s password: ##远程用户密码
Last login: Thu Oct 13 06:02:16 2016
[root@localhost ~]# ##登陆成功
ssh 远程主机用户@远程主机ip -X ##调用远程主机图形工具
ssh 远程主机用户@远程主机ip command ##直接在远程主机运行某条命令
####################
[root@foundation50 Desktop]# sftp root@172.25.50.100
The authenticity of host ‘172.25.50.100 (172.25.50.100)‘ can‘t be established.
ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘172.25.50.100‘ (ECDSA) to the list of known hosts.
root@172.25.50.100‘s password:
Connected to 172.25.50.100.
sftp> ls
Desktop Documents Downloads Music
Pictures Public Templates Videos
sftp> exit
[root@foundation50 Desktop]#
[root@foundation50 Desktop]# ssh root@172.25.50.100 -X "gedit 123 & firefox"
"gedit 123"后如果不跟"&",gedit会一直占用该shell的前台,导致"firefox"无法执行
####################
####################3.sshkey加密####################
1.生成公钥私钥
[root@localhost Desktop]# ssh-keygen ##生成公钥私钥工具
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): ##加密字符保存文件(建议用默认)
Created directory ‘/root/.ssh‘.
Enter passphrase (empty for no passphrase): ##密钥密码,必须>4个字符(建议设置;留空时任何拿到id_rsa文件的人都可以直接登陆)
Enter same passphrase again: ##确认密码
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
e0:03:1a:6c:43:26:61:5a:3e:14:bc:5b:3d:62:09:4f root@localhost
The key‘s randomart image is:
+--[ RSA 2048]----+
|o+*. |
|oOo E |
|. B=.o. |
| ..=*oo. |
| .+ .o.S |
| . . |
| |
| |
| |
+-----------------+
[root@localhost Desktop]# ls /root/.ssh/
id_rsa id_rsa.pub
id_rsa ##私钥,就是钥匙
id_rsa.pub ##公钥,就是锁
2.添加key认证方式
[root@localhost Desktop]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.25.50.100
ssh-copy-id ##添加key认证方式的工具
-i ##指定加密key文件
/root/.ssh/id_rsa.pub ##加密key
root ##加密用户为root
172.25.50.100 ##被加密主机ip
authorized_keys ##此文件在目标用户家目录的.ssh中,这个文件就是目标用户被加密的标识,文件内容为公钥内容。注意.ssh目录和该文件只能由属主可写,否则sshd(默认StrictModes yes)会拒绝使用它
3.分发钥匙给client主机(注意:id_rsa是私钥,通过网络分发私钥只适合课堂实验;实际使用时应在client主机上运行ssh-keygen生成密钥对,只把id_rsa.pub交给服务器端,私钥不离开client)
[root@localhost Desktop]# scp /root/.ssh/id_rsa root@172.25.50.250:/root/.ssh/
4.测试
[root@foundation50 Desktop]# ssh root@172.25.50.100 ##通过id_rsa直接连接不需要输入用户密码
Last login: Thu Oct 13 22:01:14 2016 from 172.25.50.250
[root@localhost ~]#
/root/.ssh/known_hosts ##ssh第一次连接后就会把信息记录在这里,下次连接就不问"yes/no"了
####################4.提升openssh的安全级别####################
1.openssh-server配置文件
/etc/ssh/sshd_config ##sshd服务的配置文件
78 PasswordAuthentication yes|no ##是否开启用户密码认证,yes为支持,no为不支持
48 PermitRootLogin yes|no ##是否允许超级用户登陆(也可填without-password,表示root只能用key登陆,不能用密码)
AllowUsers root ##用户白名单,只有在名单中出现的用户可以使用sshd建立shell;设置后未列出的用户(包括student)一律被拒绝
DenyUsers student ##用户黑名单;两者同时设置时DenyUsers先于AllowUsers被处理
####################
真机:
[root@foundation50 Desktop]# cat /root/.ssh/known_hosts
172.25.50.100 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHX+o9KAnlfw2dE7CsmM4hqfv1udM79a5NWC2BuWlmfKSwfYLptPQMJF8bnqaz0EjDlxCxRu/aito+GphPLzp/k=
[root@foundation50 Desktop]# rm -fr /root/.ssh/*
虚拟机:
[root@localhost Desktop]# rm -fr /root/.ssh/
[root@localhost Desktop]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory ‘/root/.ssh‘.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
e0:03:1a:6c:43:26:61:5a:3e:14:bc:5b:3d:62:09:4f root@localhost
The key‘s randomart image is:
+--[ RSA 2048]----+
|o+*. |
|oOo E |
|. B=.o. |
| ..=*oo. |
| .+ .o.S |
| . . |
| |
| |
| |
+-----------------+
[root@localhost Desktop]# ls /root/.ssh/ ##查看公钥和私钥
id_rsa id_rsa.pub
[root@localhost Desktop]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.25.50.100
The authenticity of host ‘172.25.50.100 (172.25.50.100)‘ can‘t be established.
ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@172.25.50.100‘s password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh ‘root@172.25.50.100‘"
and check to make sure that only the key(s) you wanted were added.
[root@localhost Desktop]# ls /root/.ssh/
authorized_keys id_rsa id_rsa.pub known_hosts
[root@localhost Desktop]# vim /etc/ssh/sshd_config
--------------------------------------------------
/authorized_keys ##查看解释
56 # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
57 # but this is overridden so installations will only check .ssh/authorized_keys
58 AuthorizedKeysFile .ssh/authorized_keys
:wq
--------------------------------------------------
[root@localhost Desktop]# cat /root/.ssh/known_hosts
172.25.50.100 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHX+o9KAnlfw2dE7CsmM4hqfv1udM79a5NWC2BuWlmfKSwfYLptPQMJF8bnqaz0EjDlxCxRu/aito+GphPLzp/k=
[root@localhost Desktop]# scp /root/.ssh/id_rsa root@172.25.50.250:/root/.ssh/
The authenticity of host ‘172.25.50.250 (172.25.50.250)‘ can‘t be established.
ECDSA key fingerprint is de:97:57:f9:3c:66:ed:4b:7c:9d:00:28:c2:33:1f:9b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘172.25.50.250‘ (ECDSA) to the list of known hosts.
root@172.25.50.250‘s password:
id_rsa 100% 1679 1.6KB/s 00:00
[root@localhost Desktop]# cat /root/.ssh/known_hosts
172.25.50.100 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHX+o9KAnlfw2dE7CsmM4hqfv1udM79a5NWC2BuWlmfKSwfYLptPQMJF8bnqaz0EjDlxCxRu/aito+GphPLzp/k=
172.25.50.250 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDrRBCFotaacwrRRPy27SsJTuIPW5AFe41r8VJEaX7N+rUEocdlASfAsVyyYQfHSC2LE8r8EqCyeoaUI20fUHK4=
真机:
[root@foundation50 Desktop]# ls /root/.ssh/
id_rsa
[root@foundation50 Desktop]# ssh root@172.25.50.100 ##第一次登陆要询问是否建立连接
The authenticity of host ‘172.25.50.100 (172.25.50.100)‘ can‘t be established.
ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘172.25.50.100‘ (ECDSA) to the list of known hosts.
Last login: Thu Oct 13 22:00:13 2016 from 172.25.50.250
[root@localhost ~]# exit
logout
Connection to 172.25.50.100 closed.
[root@foundation50 Desktop]# ssh root@172.25.50.100 ##直接登陆
Last login: Thu Oct 13 22:01:14 2016 from 172.25.50.250
[root@localhost ~]# exit
logout
[root@foundation50 Desktop]# ls /root/.ssh/
id_rsa known_hosts
[root@foundation50 Desktop]# cat /root/.ssh/known_hosts
172.25.50.100 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHX+o9KAnlfw2dE7CsmM4hqfv1udM79a5NWC2BuWlmfKSwfYLptPQMJF8bnqaz0EjDlxCxRu/aito+GphPLzp/k=
虚拟机:
[root@localhost Desktop]# cat /root/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDXSB6ejnSiwy6OWS7bpBDI8PH5aaUeWhAeVvwbgHgLXCGOSPnb+6iH3WjdCyIY+QoHsFNQA4XyshN6xA6K1+X72Ntx2DeQSK4jyF1B5CEJ6oLJ9mhPI+jG1vwmJ6BIhGmdZ6dbOAf4c3yRqIEkBguG1KUJf/fhfT8CsK+pMsZ2dXb0+wcMhb//pYpqiaJTco/ncwPp3gZM5fepT9J3fvsca6p/QMGOq0aQvZjedBl77wgQ9XcI/utAHESEPBOTbx5PXWaka3xxZ/UoK5Q37DOfnpInLKDmlW0VoOINnx63QZAOGlFUwA4IPyavOUtv74NOpp7xLECLd+2RIMaIZ80B root@localhost
[root@localhost Desktop]# cat /root/.ssh/id_rsa.pub ##id_rsa.pub和authorized_keys的内容一样
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDXSB6ejnSiwy6OWS7bpBDI8PH5aaUeWhAeVvwbgHgLXCGOSPnb+6iH3WjdCyIY+QoHsFNQA4XyshN6xA6K1+X72Ntx2DeQSK4jyF1B5CEJ6oLJ9mhPI+jG1vwmJ6BIhGmdZ6dbOAf4c3yRqIEkBguG1KUJf/fhfT8CsK+pMsZ2dXb0+wcMhb//pYpqiaJTco/ncwPp3gZM5fepT9J3fvsca6p/QMGOq0aQvZjedBl77wgQ9XcI/utAHESEPBOTbx5PXWaka3xxZ/UoK5Q37DOfnpInLKDmlW0VoOINnx63QZAOGlFUwA4IPyavOUtv74NOpp7xLECLd+2RIMaIZ80B root@localhost
[root@localhost Desktop]# rm -fr /root/.ssh/authorized_keys ##删除认证key
真机:
[root@foundation50 Desktop]# ssh root@172.25.50.100
root@172.25.50.100‘s password: ##变成密码登陆,证明认证key失效
^C
[root@foundation50 Desktop]#
虚拟机:
[root@localhost Desktop]# cp /root/.ssh/id_rsa.pub /root/.ssh/authorized_keys ##复制认证key
真机:
[root@foundation50 Desktop]# ssh root@172.25.50.100 ##登陆成功
Last login: Thu Oct 13 22:04:51 2016
虚拟机:
[root@localhost Desktop]# vim /etc/ssh/sshd_config
--------------------------------------------------
78 PasswordAuthentication no ##关闭密码认证方式(此后服务器不再提供password认证,没有key的用户会直接被拒绝)
:wq
--------------------------------------------------
[root@localhost Desktop]# systemctl restart sshd.service
真机:
[root@foundation50 Desktop]# ssh student@172.25.50.100
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
虚拟机:
[root@localhost Desktop]# vim /etc/ssh/sshd_config
--------------------------------------------------
78 PasswordAuthentication yes ##启用密码认证方式
:wq
--------------------------------------------------
[root@localhost Desktop]# systemctl restart sshd.service
真机:
[root@foundation50 Desktop]# ssh student@172.25.50.100
student@172.25.50.100‘s password:
Last login: Thu Oct 13 22:05:53 2016 from 172.25.50.250
[student@localhost ~]$ exit
logout
Connection to 172.25.50.100 closed.
[root@foundation50 Desktop]#
虚拟机:
[root@localhost Desktop]# man 5 sshd_config
--------------------------------------------------
/PermitRootLogin
发现"The default is “yes”."
q
--------------------------------------------------
[root@localhost Desktop]# vim /etc/ssh/sshd_config
--------------------------------------------------
48 PermitRootLogin no ##不允许root登陆
:wq
--------------------------------------------------
[root@localhost ~]# systemctl restart sshd.service
真机:
[root@foundation50 Desktop]# ssh root@172.25.50.100
root@172.25.50.100‘s password:
Permission denied, please try again. ##登陆失败
root@172.25.50.100‘s password:
[root@foundation50 Desktop]#
虚拟机:
[root@localhost Desktop]# vim /etc/ssh/sshd_config
--------------------------------------------------
48 PermitRootLogin yes ##允许root登陆
49 AllowUsers root ##设置白名单,只允许"root"用户通过
:wq
--------------------------------------------------
或者
--------------------------------------------------
48 PermitRootLogin yes ##允许root登陆
49 DenyUsers student ##设置黑名单,阻止"student"用户通过
:wq
--------------------------------------------------
[root@localhost Desktop]# systemctl restart sshd.service
真机:
[root@foundation50 Desktop]# ssh root@172.25.50.100
Last login: Thu Oct 13 22:07:46 2016 from 172.25.50.250 ##登陆成功
[root@localhost ~]# exit
logout
Connection to 172.25.50.100 closed.
[root@foundation50 Desktop]# ssh student@172.25.50.100
student@172.25.50.100‘s password:
Permission denied, please try again. ##登陆失败
student@172.25.50.100‘s password:
^C
[root@foundation50 Desktop]#
####################
####################
如果使用两台虚拟机做实验,为防止卡顿,建议在实验前改小虚拟机内存
步骤如下:
关闭虚拟机
Applications-->Virtual Machine Manager-->双击"desktop"-->点击“灯泡”-->Memory-->将内存改为1024MB
打开虚拟机
####################
本文出自 “施超Linux学习笔记” 博客,谢绝转载!
原文:http://shichao.blog.51cto.com/5804953/1863119