
On operations: the ssh service in detail

Writing goals

  • Understand the two authentication methods of the ssh service
  • Master the basic configuration of the ssh service
  • Master the use of the ssh client tools

I. Introduction to SSH

  • SSH is the remote management tool for Linux; unlike Telnet it is secure, and it is an indispensable tool for operations staff!
  • SSH stands for Secure Shell. It uses a client/server architecture, listens on port 22 by default, and runs over TCP/IP.

II. SSH encryption algorithms

  • des: a symmetric encryption algorithm, low security, fast data transfer; the same key is used for both encryption and decryption
  • rsa: an asymmetric (public-key) encryption algorithm, secure, slower data transfer; SSH's default algorithm

Supplementary notes:

DSA, digital signatures: another implementation of asymmetric cryptography.

DSA (Digital Signature Algorithm) is a variant of the Schnorr and ElGamal signature algorithms. Put simply, it is a more advanced form of verification used for digital signatures: besides the public key and private key there is also the signature itself. The private key is used to produce the signature, and the public key verifies the data against the signature; if the data and signature do not match, verification fails. The purpose of a digital signature is to verify that the data was not tampered with in transit.

III. SSH service authentication methods

Password-based authentication

[root@MissHou ~]# ssh 192.168.10.171
The authenticity of host '192.168.10.171 (192.168.10.171)' can't be established.
RSA key fingerprint is 9f:71:de:3c:86:25:dd:f0:06:78:ab:ba:96:5a:e4:95.
Are you sure you want to continue connecting (yes/no)?

Prompt: the authenticity of host 192.168.10.171 cannot be established; its fingerprint is 9f:71:de:3c:86:25:dd:f0:06:78:ab:ba:96:5a:e4:95. Are you sure you want to continue connecting?

Note: what is really being confirmed here is the server's public key. Because an RSA public key is far too long to compare by eye, a hash of the public key (the fingerprint) is shown instead, which is much easier to compare.

[root@MissHou ~]# ssh 192.168.10.171
The authenticity of host '192.168.10.171 (192.168.10.171)' can't be established.
RSA key fingerprint is 9f:71:de:3c:86:25:dd:f0:06:78:ab:ba:96:5a:e4:95.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.10.171' (RSA) to the list of known hosts.
root@192.168.10.171's password: 

Note:

Once the client types yes to confirm the peer's public key fingerprint, the server's public key is saved on the client in the user's home directory, in the file ~/.ssh/known_hosts. On the next visit the login goes straight to the password prompt, with no need to confirm the public key again.
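The fingerprint comparison and the known_hosts behaviour described above, worked through in Python as an added example (this is not code from the original post; the key material, host names and known_hosts contents are constructed for the demonstration). It builds an OpenSSH-format ssh-rsa public key blob, derives the legacy colon-separated MD5 fingerprint seen in the prompt above and the SHA256 form that newer OpenSSH prints, and implements the trust-on-first-use decision the client makes against ~/.ssh/known_hosts, including the case the session above never shows: a recorded key that no longer matches the one the server presents.

```python
import base64
import hashlib
import struct

# --- OpenSSH wire format (RFC 4251 "string" and "mpint" encodings) ---
def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def _ssh_mpint(n: int) -> bytes:
    # big-endian two's complement (n > 0); prefix 0x00 if the top bit would read as a sign
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)

def rsa_public_key_line(e: int, n: int, comment: str = "") -> str:
    """Encode (e, n) as an 'ssh-rsa <base64>' line, the format used by
    id_rsa.pub, authorized_keys and known_hosts."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")

def key_blob(key_line: str) -> bytes:
    """Decode the base64 blob from a public key line (this blob is what gets hashed)."""
    parts = key_line.split()
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    return base64.b64decode(parts[1])

def fingerprint_md5(key_line: str) -> str:
    """Legacy MD5 fingerprint: 16 colon-separated hex pairs, as in the prompt above."""
    digest = hashlib.md5(key_blob(key_line)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def fingerprint_sha256(key_line: str) -> str:
    """Fingerprint format newer OpenSSH prints: 'SHA256:' + unpadded base64."""
    digest = hashlib.sha256(key_blob(key_line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")

def check_known_host(known_hosts: str, host: str, presented_key_line: str) -> str:
    """Trust-on-first-use decision the client makes from ~/.ssh/known_hosts
    (plain, unhashed entries only). Returns:
      'unknown'  - no entry for host: the fingerprint must be confirmed out of band
      'match'    - entry exists and the presented key is identical: silent login
      'MISMATCH' - entry exists but the key differs: refuse, the host key changed"""
    presented = key_blob(presented_key_line)
    for raw in known_hosts.splitlines():
        fields = raw.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):        # @cert-authority / @revoked markers
            fields = fields[1:]
        if len(fields) < 3 or fields[0].startswith("|1|"):
            continue                          # hashed hostnames are not handled here
        if host in fields[0].split(","):
            return "match" if base64.b64decode(fields[2]) == presented else "MISMATCH"
    return "unknown"

# Constructed demo key material: e = 65537 and a modulus built from ASCII bytes.
# It is NOT a usable RSA key; only the encoding and hashing are being demonstrated.
DEMO_N = int.from_bytes(b"constructed demo modulus, not a real RSA key!", "big")
SERVER_KEY = rsa_public_key_line(65537, DEMO_N, "root@server")
IMPOSTER_KEY = rsa_public_key_line(65537, DEMO_N + 2, "root@server")  # differs in one byte
KNOWN_HOSTS = "# constructed known_hosts\n10.1.1.2,server " + SERVER_KEY + "\n"

if __name__ == "__main__":
    print("MD5    :", fingerprint_md5(SERVER_KEY))
    print("SHA256 :", fingerprint_sha256(SERVER_KEY))
    for h, k in (("192.168.10.171", SERVER_KEY), ("10.1.1.2", SERVER_KEY), ("10.1.1.2", IMPOSTER_KEY)):
        print(h, "->", check_known_host(KNOWN_HOSTS, h, k))
```

Run it directly to print both fingerprints and the three decisions. For a real key file, `ssh-keygen -lf id_rsa.pub -E md5` produces the same MD5 value, which is how you check a fingerprint you were given out of band before answering yes to the prompt above.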

[root@client ~]# su - stu1
[stu1@client ~]$ ssh 10.1.1.2
The authenticity of host '10.1.1.2 (10.1.1.2)' can't be established.
RSA key fingerprint is 9f:71:de:3c:86:25:dd:f0:06:78:ab:ba:96:5a:e4:95.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.1.1.2' (RSA) to the list of known hosts.
stu1@10.1.1.2's password: 

// the ssh tool with an explicit username
[stu1@client ~]$ ssh root@10.1.1.2
root@10.1.1.2's password: 
Last login: Mon Apr 16 15:12:45 2018 from 10.1.1.3
[root@MissHou ~]# exit

IV. Basic SSH service configuration

  • Key-pair based authentication (passwordless login) -> the key point to master

Requirement: the client has a user user01, and that user logs in to the server as root without a password

Environment: you need a cloud server; I used 3A Network, which is simple to deploy and suitable for beginners.

client:10.1.1.3

server:10.1.1.2

Approach:

  • Generate a key pair on the client
  • Copy the generated public key to the server remotely

Steps:

  1. user01 on the client generates a key pair
[root@client ~]# useradd user01
[root@client ~]# su - user01
[user01@client ~]$ ls -a
.  ..  .bash_logout  .bash_profile  .bashrc  .emacs  .gnome2  .mozilla
[user01@client ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user01/.ssh/id_rsa): 
Created directory '/home/user01/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/user01/.ssh/id_rsa.
Your public key has been saved in /home/user01/.ssh/id_rsa.pub.
The key fingerprint is:
df:5b:4f:f8:26:38:0f:5f:f0:df:4c:78:54:bd:94:9e user01@client
The key's randomart image is:

  2. Copy the public key just generated to the specified location in root's home directory on the server

[user01@client ~]$ scp .ssh/id_rsa.pub root@10.1.1.2:/root/.ssh/authorized_keys
or, recommended:
[user01@client ~]$ ssh-copy-id -i .ssh/id_rsa.pub root@10.1.1.2
The authenticity of host '10.1.1.2 (10.1.1.2)' can't be established.
RSA key fingerprint is 9f:71:de:3c:86:25:dd:f0:06:78:ab:ba:96:5a:e4:95.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.1.1.2' (RSA) to the list of known hosts.
root@10.1.1.2's password: 
Now try logging into the machine, with "ssh 'root@10.1.1.2'", and check in:

Test and verify

[user01@client ~]$ ssh root@10.1.1.2
Last login: Mon Apr 16 16:00:55 2018 from 10.1.1.1
[root@server ~]# 
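The copy step of the procedure above, as an added Python example that is not part of the original post. It installs a public key the way ssh-copy-id does (append only if the key is not already present) rather than the way the scp command above does (overwrite authorized_keys, dropping every key that was already in it), and it sets the modes that sshd's StrictModes check expects, since a group- or world-writable ~/.ssh or authorized_keys makes sshd ignore the file and fall back to the password prompt. The home directory and the key line are constructed; demo() runs the whole thing in a temporary directory.

```python
import os
import stat
import tempfile

def parse_pubkey_line(line: str) -> tuple:
    """Return (keytype, base64_blob) for a public key line, ignoring the comment.
    Raises ValueError for anything that is not a single-line OpenSSH public key."""
    parts = line.strip().split()
    if len(parts) < 2 or not parts[0].startswith(("ssh-", "ecdsa-", "sk-")):
        raise ValueError("not an OpenSSH public key line: %r" % line[:40])
    return parts[0], parts[1]

def install_authorized_key(home: str, pubkey_line: str) -> int:
    """Append pubkey_line to <home>/.ssh/authorized_keys unless the same key is
    already there (ssh-copy-id semantics), then enforce 0700 on .ssh and 0600 on
    authorized_keys. Returns the number of keys in the file afterwards.
    (Ownership is not adjusted here; sshd also requires the user to own both.)"""
    keytype, blob = parse_pubkey_line(pubkey_line)
    ssh_dir = os.path.join(home, ".ssh")
    auth_file = os.path.join(ssh_dir, "authorized_keys")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)          # makedirs honours umask, so set it explicitly

    raw = ""
    if os.path.exists(auth_file):
        with open(auth_file) as f:
            raw = f.read()
    existing = [l for l in raw.splitlines() if l.strip() and not l.lstrip().startswith("#")]

    def same_key(entry: str) -> bool:
        try:
            return parse_pubkey_line(entry) == (keytype, blob)
        except ValueError:
            return False              # options-prefixed or odd lines are left alone

    if not any(same_key(l) for l in existing):
        with open(auth_file, "a") as f:
            if raw and not raw.endswith("\n"):
                f.write("\n")         # never glue onto a line missing its newline
            f.write(pubkey_line.strip() + "\n")
        existing.append(pubkey_line.strip())
    os.chmod(auth_file, 0o600)
    return len(existing)

def audit_permissions(home: str) -> dict:
    """Report the mode bits sshd cares about; group/world write on either path
    makes sshd (StrictModes yes, the default) ignore the key silently."""
    out = {}
    for name, path in (("ssh_dir", os.path.join(home, ".ssh")),
                       ("authorized_keys", os.path.join(home, ".ssh", "authorized_keys"))):
        mode = stat.S_IMODE(os.stat(path).st_mode)
        out[name] = {"mode": mode, "ok": not mode & 0o022}
    return out

def demo() -> dict:
    """Install the same constructed key twice into a throw-away home directory."""
    home = tempfile.mkdtemp(prefix="sshdemo_")
    # constructed placeholder, not a real public key
    key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDconstructedNotARealKey user01@client"
    first = install_authorized_key(home, key)
    second = install_authorized_key(home, key + "\n")   # same key, trailing newline
    with open(os.path.join(home, ".ssh", "authorized_keys")) as f:
        lines = [l for l in f.read().splitlines() if l.strip()]
    return {"after_first": first, "after_second": second,
            "lines_in_file": len(lines), "perms": audit_permissions(home)}

if __name__ == "__main__":
    print(demo())
```

If a key is installed and the login still asks for a password, the permission report from audit_permissions() is the first thing to look at, together with the sshd log on the server.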