OpenSSH is a set of network connectivity tools used to access remote machines securely. It can be used as a direct replacement for rlogin, rsh, rcp, and telnet. Beyond that, any other TCP/IP connection can be tunneled/forwarded securely through SSH. OpenSSH encrypts all traffic, which effectively eliminates eavesdropping, connection hijacking, and other network-level attacks. OpenSSH is maintained by the OpenBSD project.
The login process is very similar to a session established with rlogin or telnet. At connection time, SSH uses a key fingerprint system to verify the server's authenticity. The user is prompted to enter yes only on the first connection; later connections verify the previously saved key fingerprint, and a warning is given if the saved fingerprint does not match the one received at login. Fingerprints are stored in ~/.ssh/known_hosts, or in ~/.ssh/known_hosts2 for SSH v2 fingerprints.
By default, newer versions of OpenSSH accept only SSH v2 connections. The client uses version 2 automatically when it is available and otherwise falls back to version 1. Version 1 or 2 can also be forced with the -1 or -2 command-line option respectively. The client keeps its version 1 capability for compatibility with older versions.
OpenSSH is a client/server (C/S) system. Server side: sshd. Client side: ssh, putty, xshell, securecrt, sshshellclient.
Client-side components of OpenSSH:
ssh: configuration file /etc/ssh/ssh_config
ssh [username@]host [COMMAND]
ssh -l username host [COMMAND]
-p PORT
[root@bogon ~]# cat /etc/ssh/ssh_config
#	$OpenBSD: ssh_config,v 0.25 2009/02/17 01:28:32 djm Exp $

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

# Host *                        # the wildcard * matches all hosts
#   ForwardAgent no
#   ForwardX11 no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   GSSAPIKeyExchange no
#   GSSAPITrustDNS no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask   # ask the current user whether to accept the host key
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22                     # default port number
#   Protocol 2,1
#   Cipher 3des                 # cipher algorithm 3des
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
Host *
	GSSAPIAuthentication yes
# If this option is set to yes then remote X11 clients will have full access
# to the original X11 display. As virtually no X11 client supports the untrusted
# mode correctly we set this to yes.
	ForwardX11Trusted yes
# Send locale-related environment variables
	SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
	SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
	SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
	SendEnv XMODIFIERS
Key-based SSH login
[root@bogon ~]# ssh-keygen -t rsa    # generate a key pair: public key and private key
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
f7:08:86:07:d6:65:79:23:6e:86:cd:96:75:38:07:80 root@bogon
The key's randomart image is:
+--[ RSA 2048]----+
|    .+o.o        |
|   .Eoo * o      |
|   o .= = =      |
|    . o. O       |
|     . S+.       |
|      o o o      |
|       . .       |
|                 |
|                 |
+-----------------+
[root@bogon ~]# ls .ssh/
id_rsa  id_rsa.pub
[root@bogon ~]# rm .ssh/*
rm: remove regular file `.ssh/id_rsa'?
rm: remove regular file `.ssh/id_rsa.pub'?
[root@bogon ~]# ssh-keygen -t rsa -P '' -f '/home/root/.ssh/id_rsa'    # -P gives the passphrase, -f gives the file to save to
Generating public/private rsa key pair.
open /home/root/.ssh/id_rsa failed: No such file or directory.
Saving the key failed: /home/root/.ssh/id_rsa.
[root@bogon ~]# ls .ssh/
id_rsa  id_rsa.pub
[root@bogon ~]#
[root@bogon ~]# ssh-copy-id -i .ssh/id_rsa.pub root@192.168.1.29    # ssh-copy-id uploads the public key to the destination host
The authenticity of host '192.168.1.29 (192.168.1.29)' can't be established.
RSA key fingerprint is 65:62:07:a9:06:32:39:e1:af:21:8d:5b:cf:53:27:e2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.29' (RSA) to the list of known hosts.
reverse mapping checking getaddrinfo for bogon [192.168.1.29] failed - POSSIBLE BREAK-IN ATTEMPT!
root@192.168.1.29's password:
Now try logging into the machine, with "ssh 'root@192.168.1.29'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

[root@bogon ~]# ssh root@192.168.1.29    # verify that the login succeeds
reverse mapping checking getaddrinfo for bogon [192.168.1.29] failed - POSSIBLE BREAK-IN ATTEMPT!
Last login: Sun Jul 2 04:27:29 2017 from 192.168.1.30
[root@bogon ~]# ls .ssh/
authorized_keys
[root@bogon ~]# cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAs4m1xsgo2tQjJ+KRGHgGUUZ2ySYnqt+XRp3AikmuYFRFipX2B3vLTBCyq1XuOCThEws1STRXyZkNcLSVYafmuhshDuL5LM+13hFLbniVzrysuoUWKmaX/bjAY4+FZrt01OpkJjLZesn3TxxfAcigd+26sM5rM9MbFvfm2dZZXyfe7PUC1pTdVz0xVvQPq3L8rCD0dcp130VrD3cTNUJ46MwJ9wiefkHz2ho90NUyWZO7Y42Z19sq0OabNWdwgcLjKMY5cfOFEDFGhjL51VlfdOtaDN/JKkX6o5FKJuNLRIRhrwVGcQQUWmqM/E2J3LojEOXJMxe6q95BH9+V5ra3aQ== root@bogon
[root@bogon ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:A2:54:0A
          inet addr:192.168.1.29  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fea2:540a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:32835 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9144 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:24448860 (23.3 MiB)  TX bytes:989133 (965.9 KiB)
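The session above ends with the reminder to check .ssh/authorized_keys for keys you did not expect. As an added example that is not part of the original post, the shell script below does what ssh-copy-id does for the server side, but idempotently and with the file modes that sshd's StrictModes check expects (700 on the .ssh directory, 600 on authorized_keys): it validates the key line, creates the directory, and appends the key only if that exact line is not already present. The function names, the scratch-directory layout and the key text in the demo are constructed for this example; the key is not a real key.

```shell
#!/bin/sh
# Added example, not from the original post: install a public key the way
# ssh-copy-id does, but idempotently and with the modes sshd's StrictModes
# check expects (700 on the .ssh directory, 600 on authorized_keys). The
# directory is a parameter so the functions can be run on a scratch path.

# install_pubkey SSH_DIR PUBKEY_FILE
# Appends the first line of PUBKEY_FILE to SSH_DIR/authorized_keys unless an
# identical line is already there. Prints "added" or "present"; returns 1
# for a file that does not look like an OpenSSH public key.
install_pubkey() {
    ssh_dir=$1
    pubkey_file=$2
    auth_keys="$ssh_dir/authorized_keys"

    key_line=$(head -n 1 "$pubkey_file")
    case "$key_line" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;   # "<type> <base64> [comment]"
        *) echo "not an OpenSSH public key: $pubkey_file" >&2; return 1 ;;
    esac

    # umask in a subshell: new files start out private without changing the
    # caller's umask; the chmods afterwards also fix pre-existing, too-open files.
    ( umask 077; mkdir -p "$ssh_dir"; touch "$auth_keys" ) || return 1
    chmod 700 "$ssh_dir"
    chmod 600 "$auth_keys"

    # -x whole line, -F fixed string, -q quiet: an exact match, no regex.
    if grep -qxF "$key_line" "$auth_keys"; then
        echo present
    else
        printf '%s\n' "$key_line" >> "$auth_keys"
        echo added
    fi
}

# count_keys SSH_DIR -> number of non-empty lines in authorized_keys
count_keys() {
    grep -c . "$1/authorized_keys"
}

# Stand-alone demo on a scratch directory.
demo() {
    tmp=$(mktemp -d)
    # Constructed key line for the demo; the base64 part is not a real key.
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEXAMPLE user@example\n' > "$tmp/key.pub"
    install_pubkey "$tmp/.ssh" "$tmp/key.pub"   # added
    install_pubkey "$tmp/.ssh" "$tmp/key.pub"   # present
    count_keys "$tmp/.ssh"                       # 1
    rm -rf "$tmp"
}
demo
```

Running it a second time with the same key reports "present" and leaves a single line in authorized_keys, which is the check the ssh-copy-id message asks for. The -f failure in the session above (a nonexistent /home/root/.ssh) is the reason for the mkdir -p before writing.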
scp: a tool for secure file transfer between hosts over the SSH protocol
scp SRC1... DEST
Two cases:
1. Source file on the local host, destination on the remote host:
# scp /path/to/somefile... USERNAME@HOST:/path/to/somewhere
2. Source file on the remote host, destination on the local host:
# scp USERNAME@HOST:/path/to/somewhere /path/to/somewhere
-r: used when copying directories; copies recursively
-p: preserve the source file's metadata, including mode, timestamps, owner and group
-q: quiet mode
-P PORT: specify the port the SSH service is listening on
sftp: an FTP-like file transfer service on top of SSH
Usage: sftp USERNAME@HOST
[root@bogon ~]# sftp 192.168.1.29
Connecting to 192.168.1.29...
reverse mapping checking getaddrinfo for bogon [192.168.1.29] failed - POSSIBLE BREAK-IN ATTEMPT!
sftp> ls
Desktop                                Documents                              Downloads
Music                                  Pictures                               Public
Templates                              Videos                                 anaconda-ks.cfg
apache-tomcat-6.0.53.tar.gz            bison-3.0                              bison-3.0.tar.gz
cmake-2.8.8                            cmake-2.8.8.tar.gz                     demo
icbc_auto_platform                     install.log                            install.log.syslog
jdk-8u131-linux-x64.rpm                libevent-1.4.13-4.el6.x86_64.rpm       libevent-devel-1.4.13-4.el6.x86_64.rpm
libevent-doc-1.4.13-4.el6.noarch.rpm   libevent-headers-1.4.13-4.el6.noarch.rpm  main
mariadb-5.5.44-linux-x86_64.tar.gz     someTest                               static
tornado-3.1.0                          tree-1.7.0.tgz                         v3.1.0.tar.gz
sftp>
OpenSSH server side: sshd
Configuration file: /etc/ssh/sshd_config
Service script: /etc/rc.d/init.d/sshd
Script configuration file: /etc/sysconfig/sshd
[root@bogon ~]# cat /etc/ssh/sshd_config
#	$OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22                        # listening port
#AddressFamily any
#ListenAddress 0.0.0.0          # IPv4: listen on all local addresses
#ListenAddress ::               # IPv6: all local addresses

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
# SSH protocol version; the default is SSH v2
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h     # key lifetime
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m              # login timeout
#PermitRootLogin yes            # whether the administrator account may log in directly
#StrictModes yes
#MaxAuthTries 6                 # maximum number of authentication attempts
#MaxSessions 10                 # maximum number of sessions

#RSAAuthentication yes          # whether RSA authentication is supported
#PubkeyAuthentication yes       # whether public-key authentication is supported
#AuthorizedKeysFile	.ssh/authorized_keys   # where public keys are stored: .ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# password-based authentication
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# challenge-response authentication
ChallengeResponseAuthentication no

# Kerberos options               # Kerberos authentication: large-scale centralized authentication
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options                 # GSSAPI authentication
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
# X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes                     # DNS name resolution; set this to no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
# enables the sftp subsystem
Subsystem	sftp	/usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server
[root@bogon ~]#
Configuration parameters:
# man sshd_config
Parameters that often need to be changed:
Port: change the default listening port
ListenAddress: the local address(es) sshd listens on
sshd authentication methods:
1. Password-based authentication;
2. Key-based authentication:
# ssh-keygen -t rsa
The default key files are id_rsa and id_rsa.pub
-f /path/to/somefile: where to save the key file
-P '': specifies the (old) passphrase; '' means no passphrase
# ssh-copy-id -i .ssh/id_rsa.pub USERNAME@HOST
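The parameters listed above (Port, ListenAddress, and the authentication switches from the sshd_config dump) are usually changed by hand. As an added example that is not from the original post, the shell script below sets such directives in sshd_config in place: it replaces the first active occurrence, failing that the first commented-out one, and otherwise appends; it reads back the effective value the way sshd resolves it (the first occurrence wins, later duplicates are ignored); and it wraps `sshd -t` for validating the file before a reload. The function names, port 2222 and the listen address 192.0.2.10 (an RFC 5737 documentation address) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post: edit sshd_config directives in
# place and read back the value sshd will actually use. Function names,
# port 2222 and the address 192.0.2.10 (RFC 5737 documentation range) are
# assumptions made for this example.

# set_sshd_option FILE KEY VALUE
# Replaces the first active "KEY ..." line; if there is none, the first
# commented-out "#KEY ..." line; if neither exists, appends "KEY VALUE".
# Keyword matching is case-insensitive, as in sshd itself. Match blocks are
# not understood, so use this on the global section of a config only.
set_sshd_option() {
    file=$1; key=$2; value=$3
    # awk rather than sed -i: POSIX, and VALUE arrives as a variable, so
    # shell or regex metacharacters in it are not interpreted.
    awk -v k="$key" -v v="$value" '
        { line[NR] = $0 }
        !act && tolower($0) ~ "^[ \t]*" tolower(k) "([ \t]|$)"        { act = NR }
        !com && tolower($0) ~ "^[ \t]*#[ \t]*" tolower(k) "([ \t]|$)" { com = NR }
        END {
            target = act ? act : com
            for (i = 1; i <= NR; i++) {
                if (i == target) print k " " v; else print line[i]
            }
            if (!target) print k " " v
        }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# get_sshd_option FILE KEY -> value of the first active occurrence (sshd
# honours the first one it sees; later duplicates are ignored), or empty.
get_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# harden_sshd FILE: the parameters this page singles out, set to defensive
# values: non-default port, one listen address, no root login, no passwords.
harden_sshd() {
    set_sshd_option "$1" Port 2222
    set_sshd_option "$1" ListenAddress 192.0.2.10
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" PubkeyAuthentication yes
    set_sshd_option "$1" UseDNS no
}

# check_sshd_config FILE: parse-check with sshd -t before reloading the
# service; returns sshd's exit status. Normally needs root, because sshd
# also loads the host keys during the check.
check_sshd_config() {
    sshd -t -f "$1"
}

# Stand-alone demo on a scratch copy built from a few lines of the dump above.
demo() {
    tmp=$(mktemp -d)
    printf '#Port 22\n#ListenAddress 0.0.0.0\n#ListenAddress ::\n#PermitRootLogin yes\n#PasswordAuthentication yes\nPasswordAuthentication yes\n#UseDNS yes\n' > "$tmp/sshd_config"
    harden_sshd "$tmp/sshd_config"
    cat "$tmp/sshd_config"
    echo "effective PasswordAuthentication: $(get_sshd_option "$tmp/sshd_config" PasswordAuthentication)"
    rm -rf "$tmp"
}
demo
```

On the dump above this turns the active `PasswordAuthentication yes` into `PasswordAuthentication no` while leaving the commented reference line alone, and uncomments `#PermitRootLogin yes` as `PermitRootLogin no`; `PubkeyAuthentication yes` is appended because the file only carries it commented out. Run `check_sshd_config /etc/ssh/sshd_config` before restarting the service, and keep an existing session open while you do, so a mistake in Port or ListenAddress does not lock you out.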
Original post: http://f1yinsky.blog.51cto.com/12568071/1945543