写作指标
- 了解 ssh 服务的两种认证形式
- 把握 ssh 服务的根本配置
-
把握 ssh 服务客户端工具的应用
–一、SSH 介绍
- SSH 是 Linux 下远程管理的工具,相比 Telnet 平安,运维人员必备的神器!
- SSH 的全称 Secure Shell,平安的 shell,是 Client/Server 架构,默认端口号为 22,TCP/IP 协定
二、SSH 加密算法
- des 对称的公钥加密算法, 平安低,数据传输速度快;应用同一个秘钥进行加密或解密
- rsa 非对称的公钥加密算法, 平安, 数据传输速度慢,SSH 默认的加密算法
补充理解:
DSA 数字签名, 非对称加密的另一种实现。
DSA-Digital Signature Algorithm 是 Schnorr 和 ElGamal 签名算法的变种。简略的说, 这是一种更高级的验证形式, 用作数字签名。不单单只有公钥、私钥, 还有数字签名。私钥加密生成数字签名, 公钥验证数据及签名。如果数据和签名不匹配则认为验证失败! 数字签名的作用就是校验数据在传输过程中不被批改。
三、SSH 服务的认证形式
基于用户明码的认证
[root@MissHou ~]# ssh 192.168.10.171
The authenticity of host '192.168.10.171 (192.168.10.171)' can't be established.
RSA key fingerprint is 9f:71:de:3c:86:25:dd:f0:06:78:ab:ba:96:5a:e4:95.
Are you sure you want to continue connecting (yes/no)?
提示信息:无奈确认主机 192.168.10.171 的真实性,指纹是9f:71:de:3c:86:25:dd:f0:06:78:ab:ba:96:5a:e4:95.
,你确定想要持续吗?
阐明:实践上应该是对公钥的确认,因为公钥通过 RSA 算法加密,太长,不好间接比拟,所以给公钥生成一个 hash 的指纹,不便比拟。
[root@MissHou ~]# ssh 192.168.10.171
The authenticity of host '192.168.10.171 (192.168.10.171)' can't be established.
RSA key fingerprint is 9f:71:de:3c:86:25:dd:f0:06:78:ab:ba:96:5a:e4:95.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.10.171' (RSA) to the list of known hosts.
root@192.168.10.171's password:
阐明:
当客户端输出 yes 确认对方的公钥指纹后,server 端的公钥就会被寄存到客户机的用户家目录里~/.ssh/known_hosts 文件中,下次再拜访就间接通过明码登录,不须要再确认公钥。
[root@client ~]# su - stu1
[stu1@client ~]$ ssh 10.1.1.2
The authenticity of host '10.1.1.2 (10.1.1.2)' can't be established.
RSA key fingerprint is 9f:71:de:3c:86:25:dd:f0:06:78:ab:ba:96:5a:e4:95.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.1.1.2' (RSA) to the list of known hosts.
stu1@10.1.1.2's password:
//ssh 工具指定用户名拜访
[stu1@client ~]$ ssh root@10.1.1.2
root@10.1.1.2's password:
Last login: Mon Apr 16 15:12:45 2018 from 10.1.1.3
[root@MissHou ~]# exit
四、SSH 服务根本配置
- 基于秘钥对认证(免明码登录)——> 重点把握
需要:client 端有一个用户 user01, 该用户应用 root 用户免明码登录 server 端
环境:须要一台云服务器,我用的是 3A 网络,部署简略,适宜小白。
client:10.1.1.3
server:10.1.1.2
思路:
- client 端生成一对秘钥
- 将生成的公钥近程拷贝到 server 端
步骤:
- client 端的 user01 用户生成一对秘钥对
[root@client ~]# useradd user01
[root@client ~]# su - user01
[user01@client ~]$ ls -a
. .. .bash_logout .bash_profile .bashrc .emacs .gnome2 .mozilla
[user01@client ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user01/.ssh/id_rsa):
Created directory '/home/user01/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user01/.ssh/id_rsa.
Your public key has been saved in /home/user01/.ssh/id_rsa.pub.
The key fingerprint is:
df:5b:4f:f8:26:38:0f:5f:f0:df:4c:78:54:bd:94:9e user01@client
The key's randomart image is:
将刚刚生成的公钥近程拷贝到 server 端的 root 家目录里指定地位
[user01@client ~]$ scp .ssh/id_rsa.pub root@10.1.1.2:/root/.ssh/authorized_keys
或者
[user01@client ~]$ ssh-copy-id -i .ssh/id_rsa.pub root@10.1.1.2(举荐)The authenticity of host '10.1.1.2 (10.1.1.2)' can't be established.
RSA key fingerprint is 9f:71:de:3c:86:25:dd:f0:06:78:ab:ba:96:5a:e4:95.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.1.1.2' (RSA) to the list of known hosts.
root@10.1.1.2's password:
Now try logging into the machine, with "ssh'root@10.1.1.2'", and check in:
测试验证
[user01@client ~]$ ssh root@10.1.1.2
Last login: Mon Apr 16 16:00:55 2018 from 10.1.1.1
[root@server ~]#