linux常用的服務--SSH以及ssh公鑰認證

linux常用的服務--SSH以及ssh公鑰認證 一、ssh（secure shell）安裝 SSH默認情況下已經安裝了，包裝包的名稱是openssh，使用源碼包安裝的方法是 [root@localhost logs]# yum install openssh ……………………………… Downloading Packages: (1/4): openssh-5.3p1-84.1.el6.x86 | 236 kB 00:00 (2/4): openssh-askpass-5.3p1-84.1 | 53 kB 00:00 (3/4): openssh-clients-5.3p1-84.1 | 355 kB 00:00 (4/4): openssh-server-5.3p1-84.1. | 299 kB 00:00 …………………… 二、ssh相關的文件詳解 1、 /etc/ssh/sshd_config ssh 服務的主配置文件，基本上所有的ssh相關設定都在這裡 # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. # This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options change a # default value. #Port 22 -----sshd服務默認的端口22，為了安全考慮建議修改成其它端口 #AddressFamily any ListenAddress 192.168.1.1 -------------監聽的主機，只監聽來自192.168.1.1的ssh連接 #ListenAddress :: # Disable legacy (protocol version 1) support in the server for new # installations. In future the default will change to require explicit # activation of protocol 1 Protocol 2 ----------------ssh的協議版本，這裡是2 # HostKey for protocol version 1 #HostKey /etc/ssh/ssh_host_key # HostKeys for protocol version 2 #HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_dsa_key # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 1h -----------每個一個小時重新建立一次連接，這裡未開啟 #ServerKeyBits 1024 -----------server key的長度 # Logging # obsoletes QuietMode and FascistLogging #SyslogFacility AUTH SyslogFacility AUTHPRIV ------------當有人使用ssh登入系統的時候，ssh會記錄信息（/var/log/secure） #LogLevel INFO # Authentication: #LoginGraceTime 2m #PermitRootLogin yes -----------是否允許root登陸，默認是允許的，建議設置成no #StrictModes yes -------------當使用者的host key改變之後，server就不接受其聯機 #MaxAuthTries 6 --------------最多root嘗試6次連接 #MaxSessions 10 #RSAAuthentication yes -------------是否使用rsa認證，只針對version1 #PubkeyAuthentication yes ------------是否允許public key，只針對version2 #AuthorizedKeysFile .ssh/authorized_keys -------認證文件 #AuthorizedKeysCommand none #AuthorizedKeysCommandRunAs nobody # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts #RhostsRSAAuthentication no ---------是否僅適用於rhosts認證，為了安全一定設置為否 # similar for protocol version 2 #HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no --------------是否忽略掉~/.shosts files中的用戶 # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! #PasswordAuthentication yes --------------是否需要密碼認證 #PermitEmptyPasswords no --------------不允許空密碼 PasswordAuthentication yes -------------開啟密碼認證 # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes ChallengeResponseAuthentication no -----------不挑戰任何的密碼認證，任何login.conf規定的認證方式，都禁用 # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will be allowed through the #ChallengeResponseAuthentication and PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypassthe setting of "PermitRootLogin without-#password". If you just want the PAM account and session checks to run without PAM authentication, then enable #this but set PasswordAuthentication and ChallengeResponseAuthentication to 'no'. UsePAM yes -----------啟用pam模塊 # Accept locale-related environment variables ------------環境變量 AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE AcceptEnv XMODIFIERS #PrintMotd yes ---------登陸後是否顯示一些默認信息 #PrintLastLog yes ---------顯示上次登錄的信息 #TCPKeepAlive yes -------ssh server會傳keepalive信息給client以此確保兩者的聯機正常，任何一端死後，馬上斷開 #UseLogin no #UsePrivilegeSeparation yes -------------使用者的權限設定 #PermitUserEnvironment no #PidFile /var/run/sshd.pid #MaxStartups 10 ----------最大聯機畫面 #PermitTunnel no #ChrootDirectory none # override default of no subsystems Subsystem sftp /usr/libexec/openssh/sftp-server ---------- sftp服務的設置 ++++++++++++以上是sshd服務端+++++++下面是客戶端++++++++ 2、/etc/ssh/ssh_config -------ssh客戶端配置文件 # This is the ssh client system-wide configuration file. See # ssh_config(5) for more information. This file provides defaults for # users, and the values can be changed in per-user configuration files or on the command line. # Host * -----------只匹配設定的主機，這裡默認是匹配所有的主機 # ForwardAgent no ------------連接是否經過驗證代理 # ForwardX11 no ------------x11連接是否被自動重定向到安全的通道和顯示集； # RhostsRSAAuthentication no -----是否使用rsa算法的基於rhosts的安全驗證 # RSAAuthentication yes ----------是否使用rsa算法驗證 # PasswordAuthentication yes ----------是否使用密碼驗證 # CheckHostIP yes -------------是否驗證ip # AddressFamily any # ConnectTimeout 0 ----------連接超時時間 # StrictHostKeyChecking ask # IdentityFile ~/.ssh/identity # IdentityFile ~/.ssh/id_rsa # IdentityFile ~/.ssh/id_dsa # Port 22 ------------連接遠程主機的端口 # Protocol 2,1 -----------采用的協議版本 # Cipher 3des # Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc # MACs hmac-md5,hmac-sha1,[email protected],hmac-ripemd160 # EscapeChar ~ --------------設置escape字符 # Tunnel no # TunnelDevice any:any # PermitLocalCommand no # VisualHostKey no Host * GSSAPIAuthentication yes # If this option is set to yes then remote X11 clients will have full access # to the original X11 display. As virtually no X11 client supports the untrusted # mode correctly we set this to yes. ForwardX11Trusted yes # Send locale-related environment variables SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE SendEnv XMODIFIERS +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 3、~/.ssh/known_hosts文件的作用 ssh 會把每個你訪問過的計算機的公鑰（public key）都記錄到~/.ssh/known_hosts文件中，當你下次訪問該計算機時，openss會核對公鑰。如果公鑰不同，那openssh就會發出警告，避免你收到DNSHijack等攻擊 三、ssh服務控制命令 啟動ssh服務： service sshd start 關閉ssh服務：service sshdstop 重啟ssh服務： service sshd restart [root@localhost softs]# netstat -anpt | grep sshd ----------查看sshd的22端口是否打開 tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2854/sshd ssh命令常用的參數 -l 指定用戶； -p指定端口號； -X開啟x協議轉發 [root@localhost softs]# ssh [email protected] The authenticity of host '192.168.254.46 (192.168.254.46)' can't be established. RSA key fingerprint is 18:5f:3e:08:d0:a7:f1:93:f9:34:63:41:31:24:2a:02. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '192.168.254.46' (RSA) to the list of known hosts. [email protected]'s password: #輸入密碼 Last login: Wed Oct 23 10:20:19 2013 from 192.168.254.152 -----登陸成功 [root@localhost ~]# exit -------斷開ssh連接 logout Connection to 192.168.254.46 closed. [root@localhost softs]# ssh -p 22 -l root 192.168.254.46 #P默認為22，可以省略 [email protected]'s password: [root@localhost softs]# ssh 192.168.254.46 [email protected]'s password: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 四、ssh的公鑰認證 1.生成密鑰文件 [root@localhost ~]# lsb_release -a -------先看一下我的linux版本 LSB Version: :core-3.1-ia32:core-3.1-noarch:graphics-3.1-ia32:graphics-3.1-noarch Distributor ID: RedHatEnterpriseServer Description: Red Hat Enterprise Linux Server release 5.5 (Tikanga) Release: 5.5 Codename: Tikanga [root@localhost ~]# ssh-keygen -t rsa #生成密鑰對 Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa): #輸入私鑰文件的名稱，直接回車使用默認名稱 Enter passphrase (empty for no passphrase): #輸入密鑰文件的密碼，直接回車不設置密碼 Enter same passphrase again: #再次輸入密碼確認 Your identification has been saved in /root/.ssh/id_rsa. Your public key has been saved in /root/.ssh/id_rsa.pub. The key fingerprint is: d3:41:dd:41:56:a2:ca:7a:81:9a:64:74:d7:df:32:9e [email protected] [root@localhost ~]# ll /root/.ssh/ 總計 12 -rw------- 1 root root 1675 10-23 10:28 id_rsa -------生成的私鑰 -rw-r--r-- 1 root root 408 10-23 10:28 id_rsa.pub ------生成的公鑰 -rw-r--r-- 1 root root 396 10-23 10:20 known_hosts ------登陸者的信息 2、將公鑰復制到遠程主機 [root@localhost ~]# scp ~/.ssh/id_rsa.pub [email protected]:~/.ssh/authorized_keys ------將公鑰復制到遠程服務器指定的目錄下，並且重命名為authorized_keys。scp是openssh自帶的工具。 [email protected]'s password: --------輸入遠程主機的密碼 id_rsa.pub 100% 408 0.4KB/s 00:00 3、登錄到遠程主機 [root@localhost ~]# ssh 192.168.254.46 [email protected]'s password: 查看該主機的系統版本 [root@localhost ~]# cat /proc/version Linux version 2.6.32-71.el6.x86_64 ([email protected]) (gcc version 4.4.4 20100726 (Red Hat 4.4.4-13) (GCC) ) #1 SMP Fri May 20 03:51:51 BST 2011 [root@localhost ~]# 然後再該主機上同樣生成公鑰 [root@localhost ~]# ssh-keygen -t rsa Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa): Created directory '/root/.ssh'. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /root/.ssh/id_rsa. Your public key has been saved in /root/.ssh/id_rsa.pub. The key fingerprint is: 6b:35:ba:70:2d:06:ee:3e:80:37:7b:ee:9c:1f:c1:2e [email protected] The key's randomart image is: +--[ RSA 2048]----+ | | | | | | | . | | . . S o | | . +. o * . | | . +E X . | | .ooB + | | =Boo | +-----------------+ 將公鑰傳到192.168.254.153上面 [root@localhost ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected] ======另外一種遠程傳公鑰的方法 The authenticity of host '192.168.254.153 (192.168.254.153)' can't be established. RSA key fingerprint is 4d:24:b3:e8:82:11:bf:e1:a0:0c:45:27:57:8e:a1:c8. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '192.168.254.153' (RSA) to the list of known hosts. [email protected]'s password: ----------------輸入192.168.254.153的密碼 Now try logging into the machine, with "ssh '[email protected]'", and check in: .ssh/authorized_keys to make sure we haven't added extra keys that you weren't expecting. [root@localhost ~]# ssh [email protected] Last login: Wed Oct 23 09:55:54 2013 from 192.168.254.152 ----------不用輸密碼可以直接登陸了 五 、ssh客戶端的使用 ssh 客戶端的命令主要包括ssh ，scp和sftp 1、ssh的使用 ssh [email protected] 以root身份 遠程登錄遠程主機 2、scp命令 scp命令可以用來通過安全加密的連接在機器之間進行文件的傳輸，與rcp相似。它傳文件的一般語法為 scp localfile username@hostip:/newfilename localfile 本地文件名稱，username 遠程主機用戶名 hostip遠程主機的ip地址 舉例：scp /var/log/httpd/access.log [email protected]:/var/log/ 把本地/var/log/httpd/下的access.log文件傳到遠程主機對應的/var/log/下面 3、sftp命令 sftp工具可以用來打開一次安全互動的ftp對話。與ftp類似，但是sftp使用安全加密的連接，一般語法為 sftp [email protected] [root@localhost .ssh]# sftp 192.168.254.153 sftp登陸，因為我交換了公鑰，所以無需密碼認證 Connecting to 192.168.254.153... sftp> ls ---------查看有哪些文件 Desktop anaconda-ks.cfg glibc-2.7-2.i386.rpm glibc-common-2.7-2.i386 .rpm glibc-devel-2.7-2.i386.rpm glibc-headers-2.7-2.i386.rpm index.php install.log install.log.syslog jdk1.7.0 mbox my.cnf phpMyAdmin-4.0.8-all-languages.tar.gz sftp> get my.cnf 我隨便下載了一個文件 Fetching /root/my.cnf to my.cnf /root/my.cnf 100% 4920 4.8KB/s 00:00 sftp> quit 六、訪問控制 /etc/host.allow和/etc/hosts.deny 這兩個文件時控制遠程訪問設置的，通過該設置可以允許或者拒絕某個ip或者ip段訪問linux的某項服務。 [root@localhost .ssh]# vi /etc/hosts.allow sshd:192.168.0.*:allow 允許該網段訪問 sshd:192.168.1.15:allow 允許該ip地址訪問 [root@localhost .ssh]# vi /etc/hosts.deny sshd:all:deny -------表示拒絕所有的sshd遠程連接 當/etc/hosts.deny 跟/etc/hosts.allow沖突時會以哪個為准？這裡有個規則 首先檢查hosts.allow文件，若找到相關的策略則允許訪問，否則繼續檢查hosts.deny ，若找到相關的策略則拒絕訪問；如果兩個文件中都沒有匹配的策略則允許訪問；如果二者沖突時以hosts.allow為准。 注意：如果這兩個文件配置修改了，必須要重啟service xinetd服務才能生效