Learning objectives
- Understand the two authentication modes of the SSH service
- Master the basic configuration of the SSH service
- Master the use of the SSH client tools
1. Introduction to SSH
- SSH is the remote administration tool for Linux; it is more secure than Telnet and an essential tool for operations staff.
- SSH stands for Secure Shell. It uses a client/server architecture, runs over TCP/IP and listens on port 22 by default.
2. SSH encryption algorithms
- DES: a symmetric encryption algorithm; low security but fast data transfer; the same key is used for encryption and decryption
- RSA: an asymmetric (public-key) encryption algorithm; secure but slower for data transfer; SSH's default encryption algorithm
Supplementary note:
DSA (digital signatures) is another implementation of asymmetric cryptography.
DSA, the Digital Signature Algorithm, is a variant of the Schnorr and ElGamal signature algorithms. Put simply, it is a more advanced form of verification used for digital signatures: besides the public key and the private key there is also the signature itself. The private key produces the digital signature, and the public key verifies the data against that signature. If the data and the signature do not match, verification fails. The purpose of a digital signature is to check that the data was not tampered with in transit.
3. Authentication modes of the SSH service
- Password-based authentication
```
[root@MissHou ~]# ssh 192.168.10.171
The authenticity of host '192.168.10.171 (192.168.10.171)' can't be established.
RSA key fingerprint is 9f:71:de:3c:86:25:dd:f0:06:78:ab:ba:96:5a:e4:95.
Are you sure you want to continue connecting (yes/no)?
```
The prompt says: the authenticity of host 192.168.10.171 cannot be established; its fingerprint is 9f:71:de:3c:86:25:dd:f0:06:78:ab:ba:96:5a:e4:95. Are you sure you want to continue?
Note: what is actually being confirmed here is the server's public key. An RSA public key is far too long to compare by eye, so a hash of the key, the fingerprint, is shown instead so that it can be compared conveniently.
```
[root@MissHou ~]# ssh 192.168.10.171
The authenticity of host '192.168.10.171 (192.168.10.171)' can't be established.
RSA key fingerprint is 9f:71:de:3c:86:25:dd:f0:06:78:ab:ba:96:5a:e4:95.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.10.171' (RSA) to the list of known hosts.
root@192.168.10.171's password:
```
Note:
Once the client answers yes to confirm the peer's public key fingerprint, the server's public key is stored in the ~/.ssh/known_hosts file in the user's home directory on the client. On the next connection the user logs in directly with the password and is not asked to confirm the public key again.
```
[root@client ~]# su - stu1
[stu1@client ~]$ ssh 10.1.1.2
The authenticity of host '10.1.1.2 (10.1.1.2)' can't be established.
RSA key fingerprint is 9f:71:de:3c:86:25:dd:f0:06:78:ab:ba:96:5a:e4:95.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.1.1.2' (RSA) to the list of known hosts.
stu1@10.1.1.2's password:
# log in with the ssh tool as a specific user
[stu1@client ~]$ ssh root@10.1.1.2
root@10.1.1.2's password:
Last login: Mon Apr 16 15:12:45 2018 from 10.1.1.3
[root@MissHou ~]# exit
```
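The two notes above say that the fingerprint is a hash of the server's public key and that the accepted key ends up in ~/.ssh/known_hosts. The following Python script, added here as an illustration and not part of the original post, builds an ssh-rsa public key line in the same format as id_rsa.pub, computes both the legacy colon-separated MD5 fingerprint (the 9f:71:de:... form shown in the prompts) and the SHA256 fingerprint that current OpenSSH prints, and checks an offered key against constructed known_hosts entries. The key material, the comment `root@server` and the known_hosts lines are constructed for the demo; the modulus is deliberately tiny and is not a usable RSA key.

```python
"""Compute OpenSSH host key fingerprints and check a key against known_hosts.
Added example; all key material below is constructed for illustration."""
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: 4-byte big-endian length + payload."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (big-endian, two's complement)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw  # a leading zero keeps a high-bit value positive
    return ssh_string(raw)


def build_rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Produce an 'ssh-rsa <base64 blob> <comment>' line as found in id_rsa.pub."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def parse_pubkey_line(line: str):
    """Split a public key line into (key_type, decoded blob, comment).
    The blob is self-describing: its first string field repeats the key type."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("public key line needs at least a type and a base64 blob")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64)
    (length,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + length] != key_type.encode():
        raise ValueError("key type inside blob does not match the line prefix")
    return key_type, blob, comment


def parse_rsa_blob(blob: bytes):
    """Decode (e, n) from an ssh-rsa blob: string 'ssh-rsa', mpint e, mpint n."""
    fields, offset = [], 0
    while offset < len(blob):
        (length,) = struct.unpack(">I", blob[offset:offset + 4])
        offset += 4
        fields.append(blob[offset:offset + length])
        offset += length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa blob")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")


def md5_fingerprint(blob: bytes) -> str:
    """Legacy fingerprint: MD5 of the blob as colon-separated hex pairs."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sha256_fingerprint(blob: bytes) -> str:
    """Current OpenSSH fingerprint: 'SHA256:' + unpadded base64 of the SHA-256 digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_matches_known_hosts(known_hosts_lines, host: str, pubkey_line: str) -> bool:
    """True if known_hosts lists host with a key blob equal to the offered key.
    False for a host that is listed means the stored and offered keys differ,
    which is the 'host key has changed' situation."""
    _, offered, _ = parse_pubkey_line(pubkey_line)
    for entry in known_hosts_lines:
        entry = entry.strip()
        if not entry or entry.startswith("#") or entry.startswith("|1|"):
            continue  # skip blanks, comments and hashed hostnames (not handled here)
        hosts, key_part = entry.split(None, 1)
        if host in hosts.split(","):
            _, stored, _ = parse_pubkey_line(key_part)
            if stored == offered:
                return True
    return False


# Constructed demo key: an arbitrary 256-bit modulus so the blob stays short.
# It is NOT a real or secure RSA key; real moduli are 2048 bits or more.
SAMPLE_E = 65537
SAMPLE_N = (1 << 255) | 0x1234567
SAMPLE_LINE = build_rsa_pubkey_line(SAMPLE_E, SAMPLE_N, "root@server")
# Constructed known_hosts content: the server address from the post with the demo key.
KNOWN_HOSTS = ["# constructed known_hosts", "10.1.1.2 " + SAMPLE_LINE]

if __name__ == "__main__":
    _, blob, _ = parse_pubkey_line(SAMPLE_LINE)
    print("MD5:   ", md5_fingerprint(blob))
    print("SHA256:", sha256_fingerprint(blob))
    print("10.1.1.2 known:", host_key_matches_known_hosts(KNOWN_HOSTS, "10.1.1.2", SAMPLE_LINE))
```

Because both fingerprints are hashes of the whole decoded blob, the value shown in the prompt identifies one exact public key: if the server is reinstalled or an intermediary presents a different key, the fingerprint changes, and the known_hosts comparison fails. That is the check the user is performing when typing yes.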
4. Basic configuration of the SSH service
- Key-pair-based authentication (passwordless login), the key point to master
Requirement: the client has a user user01 who must log in to the server as root without a password.
Environment: you need a cloud server; I used 3A Network, which is simple to deploy and suitable for beginners.
client: 10.1.1.3
server: 10.1.1.2
Approach:
- Generate a key pair on the client
- Copy the generated public key to the server remotely
Steps:
- As user01 on the client, generate a key pair
```
[root@client ~]# useradd user01
[root@client ~]# su - user01
[user01@client ~]$ ls -a
.  ..  .bash_logout  .bash_profile  .bashrc  .emacs  .gnome2  .mozilla
[user01@client ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user01/.ssh/id_rsa):
Created directory '/home/user01/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user01/.ssh/id_rsa.
Your public key has been saved in /home/user01/.ssh/id_rsa.pub.
The key fingerprint is:
df:5b:4f:f8:26:38:0f:5f:f0:df:4c:78:54:bd:94:9e user01@client
The key's randomart image is:
```
- Copy the newly generated public key to the specified location in root's home directory on the server
```
[user01@client ~]$ scp .ssh/id_rsa.pub root@10.1.1.2:/root/.ssh/authorized_keys
```
or (recommended):
```
[user01@client ~]$ ssh-copy-id -i .ssh/id_rsa.pub root@10.1.1.2
The authenticity of host '10.1.1.2 (10.1.1.2)' can't be established.
RSA key fingerprint is 9f:71:de:3c:86:25:dd:f0:06:78:ab:ba:96:5a:e4:95.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.1.1.2' (RSA) to the list of known hosts.
root@10.1.1.2's password:
Now try logging into the machine, with "ssh 'root@10.1.1.2'", and check in:
```
- Test and verify
```
[user01@client ~]$ ssh root@10.1.1.2
Last login: Mon Apr 16 16:00:55 2018 from 10.1.1.1
[root@server ~]#
```
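The procedure above offers two ways to install the public key on the server. The scp variant replaces the whole authorized_keys file (and fails if /root/.ssh does not exist yet), while ssh-copy-id creates the directory and appends the key, which is why the post recommends it. The Python script below, added here as an illustration and not part of the original post or of OpenSSH, models that server-side result locally: it appends a key to authorized_keys without duplicating it, sets the 0700/0600 modes, and then runs the check sshd performs with its default StrictModes setting, which refuses to use authorized_keys when the home directory, .ssh or the file itself is group- or world-writable. The key line is constructed filler (it is never decoded), and the demo runs in a temporary directory.

```python
"""Local model of installing a key into authorized_keys, plus the permission
check sshd (StrictModes yes, the default) applies before trusting the file.
Added example; the key line is constructed filler, not a real key."""
import os
import stat
import tempfile


def install_authorized_key(home: str, pubkey_line: str) -> int:
    """Append pubkey_line to <home>/.ssh/authorized_keys unless already present.
    Creates .ssh with mode 0700 and the file with mode 0600, the layout
    ssh-copy-id leaves behind. Returns the number of key lines afterwards."""
    ssh_dir = os.path.join(home, ".ssh")
    auth_keys = os.path.join(ssh_dir, "authorized_keys")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)  # makedirs honours the umask, so set the mode explicitly
    existing = []
    if os.path.exists(auth_keys):
        with open(auth_keys) as fh:
            existing = [ln.rstrip("\n") for ln in fh if ln.strip()]
    key = pubkey_line.strip()
    if key not in existing:  # append, never overwrite other users' keys
        existing.append(key)
    with open(auth_keys, "w") as fh:
        fh.write("\n".join(existing) + "\n")
    os.chmod(auth_keys, 0o600)
    return len(existing)


def strict_modes_problems(home: str) -> list:
    """Return the reasons sshd with StrictModes would ignore this account's
    authorized_keys: a missing path, or a home/.ssh/authorized_keys that is
    group- or world-writable. An empty list means key login can work."""
    problems = []
    ssh_dir = os.path.join(home, ".ssh")
    auth_keys = os.path.join(ssh_dir, "authorized_keys")
    for label, path in (("home", home), (".ssh", ssh_dir), ("authorized_keys", auth_keys)):
        if not os.path.exists(path):
            problems.append(f"{label} missing: {path}")
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{label} is group/world-writable ({oct(mode)}): {path}")
    return problems


# Constructed key line for the demo; the base64 part is filler and is never decoded.
SAMPLE_KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQConstructedFillerKeyMaterial user01@client"


def demo() -> dict:
    """Install the key twice in a scratch home, then loosen .ssh to simulate a
    sloppy umask. Returns the observations so a caller can inspect them."""
    with tempfile.TemporaryDirectory() as home:
        os.chmod(home, 0o700)
        first = install_authorized_key(home, SAMPLE_KEY)
        second = install_authorized_key(home, SAMPLE_KEY)  # duplicate is not appended
        clean = strict_modes_problems(home)
        os.chmod(os.path.join(home, ".ssh"), 0o770)  # group-writable .ssh breaks key login
        broken = strict_modes_problems(home)
    return {"first": first, "second": second, "clean": clean, "broken": broken}


if __name__ == "__main__":
    print(demo())
```

When key login unexpectedly falls back to a password prompt after the steps above, these permission findings are the first thing to check on the server; the password prompt itself looks identical to the one in the password-based mode, so nothing in the client output points at the cause.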