SSH Service
Tags (space-separated): Author: 一毛钱
SSH Introduction
SSH encrypts data before transmitting it, so nothing on the wire (credentials included) travels in clear text. If the protocol versions on the two ends do not match (SSHv1 versus SSHv2), the connection fails.
1. Two functions:
1) remote login 2) remote copy
Installed packages
- [root@localhost ~]# rpm -qa openssh openssl
- openssl-1.0.1e-15.el6.x86_64
- openssh-5.3p1-94.el6.x86_64
2. SSH authentication
2.1 Password-based: you know the account name and password on the server.
2.2 Key-based: authentication relies on a key pair created in advance. The public key is placed on the target server that needs to be accessed (in that account's authorized_keys), and the private key stays on the SSH client, or on the client machine that will initiate the connections.
Back up before changing the configuration (back up, back up, back up). Settings to change in sshd_config:
Port 22                       change the default port
ListenAddress 0.0.0.0         change to a single (internal) IP
PermitRootLogin yes           change to no
PasswordAuthentication yes    change to no
UseDNS yes                    change to no
GSSAPIAuthentication yes      change to no
- [root@localhost ~]# cp -ap /etc/ssh/sshd_config{,.bak}
- [root@localhost ~]# ll /etc/ssh/sshd_config*
-rw-------. 1 root root 3879 Nov 23 2013 /etc/ssh/sshd_config
-rw-------. 1 root root 3879 Nov 23 2013 /etc/ssh/sshd_config.bak
[root@localhost ~]# vim /etc/ssh/sshd_config
After editing, check the file with sshd -t, restart sshd (/etc/init.d/sshd restart on CentOS 6), and confirm a new login works from a second terminal before closing the current session; a typo in sshd_config otherwise locks you out.
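As an added example (not from the original post), the following shell script audits an sshd_config file against the values the notes recommend. It reproduces sshd's rule that the first uncommented occurrence of a directive wins and that a commented-out directive means the built-in default (Port 22, PasswordAuthentication yes, and so on). The two sample config files it writes are constructed for illustration; the port and IP in the hardened sample are assumptions.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the hardening settings in the notes.
# The sample configs written by write_samples are constructed, not real files.

# Directives that must hold an exact value, one "Directive value" per line.
SSHD_EXPECTED='PermitRootLogin no
PasswordAuthentication no
UseDNS no
GSSAPIAuthentication no'

# effective_value FILE DIRECTIVE
# Print the value sshd would use for DIRECTIVE: the first uncommented match
# (directive names are case-insensitive), or "(default)" when the directive is
# absent or commented out, which means sshd falls back to its built-in default.
effective_value() {
    awk -v d="$2" '
        /^[[:space:]]*#/ { next }                 # comment line
        NF == 0 { next }                          # blank line
        tolower($1) == tolower(d) { print $2; found = 1; exit }
        END { if (!found) print "(default)" }
    ' "$1"
}

# audit_sshd_config FILE
# Print "DIRECTIVE<TAB>current<TAB>expected" for every non-compliant directive.
# Return 0 only when every check passes.
audit_sshd_config() {
    file=$1
    rc=0
    while read -r directive expected; do
        current=$(effective_value "$file" "$directive")
        if [ "$current" != "$expected" ]; then
            printf '%s\t%s\t%s\n' "$directive" "$current" "$expected"
            rc=1
        fi
    done <<EOF
$SSHD_EXPECTED
EOF
    # Port and ListenAddress have no single correct value; flag the defaults,
    # since a commented "#Port 22" still means sshd listens on 22 everywhere.
    port=$(effective_value "$file" Port)
    case $port in
        22|'(default)') printf 'Port\t%s\t%s\n' "$port" '<non-default>'; rc=1 ;;
    esac
    addr=$(effective_value "$file" ListenAddress)
    case $addr in
        0.0.0.0|'(default)') printf 'ListenAddress\t%s\t%s\n' "$addr" '<internal IP>'; rc=1 ;;
    esac
    return $rc
}

# write_samples DIR: constructed stock-style (weak) and hardened configs.
write_samples() {
    cat >"$1/sshd_config.weak" <<'EOF'
#Port 22
#ListenAddress 0.0.0.0
PermitRootLogin yes
#PasswordAuthentication yes
UseDNS yes
GSSAPIAuthentication yes
EOF
    cat >"$1/sshd_config.hardened" <<'EOF'
Port 52113
ListenAddress 172.16.10.30
PermitRootLogin no
PasswordAuthentication no
UseDNS no
GSSAPIAuthentication no
EOF
}

# Demo: audit both constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in weak hardened; do
    echo "== sshd_config.$f =="
    if audit_sshd_config "$demo_dir/sshd_config.$f"; then
        echo "OK: all checks pass"
    fi
done
rm -rf "$demo_dir"
```

On a real host, run the audit against /etc/ssh/sshd_config before and after editing. The script does not evaluate Match blocks; when those are in use, `sshd -T` prints the effective configuration and is the authoritative check.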
How to prevent SSH login *** (summary):
1. Log in with keys, not passwords.
2. The "牤牛阵法" (the author's name for layering the controls) for SSH security:
   1) Restrict SSH at the firewall to specific source IPs.
   2) Make sshd listen only on the internal (private) IP.
3. Avoid giving servers a public IP at all where possible.
SSH client commands:
ssh -p22 lihao@172.16.10.10
scp copy (note that scp takes the port as -P, while ssh takes it as -p):
- scp -P22 /etc/hosts lihao@172.16.10.22:/tmp/    # push the local /etc/hosts to the remote /tmp
- scp -rP22 lihao@172.16.10.22:/tmp/ /data/       # pull: copy the remote /tmp into the local /data (-r is needed for a directory)
Summary
1. scp is an encrypted remote copy; cp is a local copy only.
2. Data can be pushed from this machine to another, or pulled back from other machines.
3. scp copies everything in full every time, so it is inefficient and suits a first-time copy; for incremental copies use rsync.
sftp: interactive encrypted file transfer. The fingerprint prompt below appears on the first connection to a host; answering yes trusts that key permanently, so compare the fingerprint with one obtained out of band (for example from ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub run on the server itself) before accepting it.
- [root@localhost ~]# sftp root@172.16.10.40
- Connecting to 172.16.10.40...
- The authenticity of host '172.16.10.40 (172.16.10.40)' can't be established.
- RSA key fingerprint is f3:af:42:ba:f8:ab:74:8b:cf:f9:59:d6:27:41:6c:1d.
- Are you sure you want to continue connecting (yes/no)? yes
- Warning: Permanently added '172.16.10.40' (RSA) to the list of known hosts.
- root@172.16.10.40's password:
- sftp> ls
- anaconda-ks.cfg install.log install.log.syslog ipvsadm-1.26
- keepalived-1.1.19
- sftp> put /etc/hosts    # upload; get downloads
- Uploading /etc/hosts to /root/hosts
- /etc/hosts 100% 158 0.2KB/s 00:00
- sftp> pwd
- Remote working directory: /root
- sftp> put /etc/hosts /tmp
- Uploading /etc/hosts to /tmp/hosts
- /etc/hosts 100% 158 0.2KB/s 00:00
- sftp> cd /tmp
- sftp> ls
- hosts yum.log
- sftp> pwd
- Remote working directory: /tmp
Create a dedicated account for key-based logins (123456 is a throwaway lab password; once PasswordAuthentication is no it cannot be used over SSH anyway):
- useradd xiaoxue
- echo 123456|passwd --stdin xiaoxue
- su - xiaoxue
Generate a key pair as that user:
- [root@MBA ~]# su - xiaoxue
- [xiaoxue@MBA ~]$ ssh-keygen -t dsa
- Generating public/private dsa key pair.
- Enter file in which to save the key (/home/xiaoxue/.ssh/id_dsa):
- Created directory '/home/xiaoxue/.ssh'.
- Enter passphrase (empty for no passphrase):
- Enter same passphrase again:
- Your identification has been saved in /home/xiaoxue/.ssh/id_dsa.
- Your public key has been saved in /home/xiaoxue/.ssh/id_dsa.pub.
- The key fingerprint is:
- 72:19:99:31:84:b6:41:95:74:a3:04:64:6b:f6:41:0e xiaoxue@MBA
- The key's randomart image is:
- +--[ DSA 1024]----+
- | oE*O.o |
- | .+*.B . |
- | .+oB |
- | o.. + |
- | . S |
- | o |
- | |
- | |
- | |
- +-----------------+
- [xiaoxue@MBA ~]$ ll /home/xiaoxue/.ssh/
DSA keys are fixed at 1024 bits, and OpenSSH 7.0 and later disable ssh-dss keys by default; on anything newer than this CentOS 6 setup use -t ed25519 (or -t rsa -b 4096) instead.
Non-interactive generation for scripts (empty passphrase, default path):
- ssh-keygen -t dsa -P '' -f ~/.ssh/id_dsa >/dev/null 2>&1
- echo -e "\n"|ssh-keygen -t dsa -N ""
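The notes generate the key pair but do not show how the public key ends up on the target hosts. As an added example (not from the original post), the shell functions below do what ssh-copy-id does on the remote side: append the public key to the account's authorized_keys without duplicating it on re-runs, and enforce the file modes sshd requires (with the default StrictModes yes, sshd silently ignores an authorized_keys file or ~/.ssh directory that is group- or world-writable). The restricted_key_line helper goes one step beyond the notes and prefixes the key with authorized_keys options that limit where it may be used from and what it may do; these options exist in OpenSSH 5.3. The key string used in the demo is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example: install a public key into ~/.ssh/authorized_keys with the
# permissions sshd insists on. The key used below is a constructed placeholder.

# install_authorized_key HOMEDIR PUBKEY_LINE
# Append PUBKEY_LINE to HOMEDIR/.ssh/authorized_keys unless an identical line is
# already present, then set .ssh to 700 and authorized_keys to 600. HOMEDIR
# itself must also not be group/world-writable, or StrictModes rejects the key.
install_authorized_key() {
    homedir=$1
    pubkey=$2
    sshdir=$homedir/.ssh
    authfile=$sshdir/authorized_keys
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$authfile"
    # -F fixed string, -x whole line: idempotent on repeated runs
    if ! grep -qxF -- "$pubkey" "$authfile"; then
        printf '%s\n' "$pubkey" >>"$authfile"
    fi
    chmod 600 "$authfile"
}

# restricted_key_line FROM_PATTERN PUBKEY_LINE
# Prefix the key with authorized_keys options: accept it only from FROM_PATTERN
# (IP or CIDR list) and deny a PTY and all forwarding, which is all a
# run-one-command fleet account needs.
restricted_key_line() {
    printf 'from="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' "$1" "$2"
}

# count_authorized_keys HOMEDIR: number of key lines, ignoring blanks/comments.
count_authorized_keys() {
    grep -cvE '^[[:space:]]*(#|$)' "$1/.ssh/authorized_keys"
}

# mode_of PATH: octal permission bits, e.g. 700 (GNU/busybox stat).
mode_of() {
    stat -c %a "$1"
}

# Demo on a temporary home directory.
demo_home=$(mktemp -d)
KEY='ssh-dss AAAAB3NzaC1kc3MAAACBAEXAMPLEPLACEHOLDERNOTAREALKEY xiaoxue@MBA'   # constructed
install_authorized_key "$demo_home" "$KEY"
install_authorized_key "$demo_home" "$(restricted_key_line 172.16.10.0/24 "$KEY")"
install_authorized_key "$demo_home" "$KEY"    # re-run: no duplicate entry
echo "keys: $(count_authorized_keys "$demo_home")"
echo ".ssh mode: $(mode_of "$demo_home/.ssh"), authorized_keys mode: $(mode_of "$demo_home/.ssh/authorized_keys")"
cat "$demo_home/.ssh/authorized_keys"
rm -rf "$demo_home"
```

To use it for real, run install_authorized_key as the target user (or as root with HOMEDIR set to /home/xiaoxue and a chown afterwards) and pass the contents of ~/.ssh/id_dsa.pub from the client.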
Run a command on a remote host without opening an interactive shell (sshd on 172.16.10.30 listens on the non-default port 1314 here):
- [xiaoxue@MBA ~]$ ssh -p1314 xiaoxue@172.16.10.30 /sbin/ifconfig
- eth0 Link encap:Ethernet HWaddr 00:0C:29:FF:73:81
-      inet addr:192.168.20.137 Bcast:192.168.20.255 Mask:255.255.255.0
-      inet6 addr: fe80::20c:29ff:feff:7381/64 Scope:Link
-      UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
-      RX packets:893 errors:0 dropped:0 overruns:0 frame:0
-      TX packets:293 errors:0 dropped:0 overruns:0 carrier:0
-      collisions:0 txqueuelen:1000
-      RX bytes:87817 (85.7 KiB) TX bytes:24158 (23.5 KiB)
- eth1 Link encap:Ethernet HWaddr 00:0C:29:FF:73:8B
-      inet addr:172.16.10.30 Bcast:172.16.255.255 Mask:255.255.0.0
-      inet6 addr: fe80::20c:29ff:feff:738b/64 Scope:Link
-      UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
-      RX packets:962 errors:0 dropped:0 overruns:0 frame:0
-      TX packets:363 errors:0 dropped:0 overruns:0 carrier:0
-      collisions:0 txqueuelen:1000
-      RX bytes:92411 (90.2 KiB) TX bytes:44909 (43.8 KiB)
- lo Link encap:Local Loopback
-      inet addr:127.0.0.1 Mask:255.0.0.0
-      inet6 addr: ::1/128 Scope:Host
-      UP LOOPBACK RUNNING MTU:16436 Metric:1
-      RX packets:0 errors:0 dropped:0 overruns:0 frame:0
-      TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
-      collisions:0 txqueuelen:0
-      RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Give xiaoxue passwordless sudo for rsync only, then validate the file (a syntax error in sudoers breaks sudo for everyone, so run visudo -c immediately, or better, make the edit through visudo, which refuses to save a broken file):
- echo "xiaoxue ALL=NOPASSWD: /usr/bin/rsync" >>/etc/sudoers
- visudo -c
Caveat: this rule does not confine xiaoxue to file copies. rsync's -e and --rsync-path options run an arbitrary program, so passwordless sudo on rsync is equivalent to root. Treat xiaoxue as a privileged account: key-only login, restricted source IPs, and no shared use of its private key.
Batch version: run the same command on every host in the fleet (the loop assumes the key has already been distributed to each host):
- #!/bin/bash
- . /etc/init.d/functions    # CentOS helper library (action etc.); not used below
- if [ $# -ne 1 ]
- then
-     echo "USAGE:/bin/bash $0 ARG1"
-     exit 1
- fi
- for n in 10 30 40
- do
-     echo ::::::172.16.10.$n::::::
-     ssh -p1314 xiaoxue@172.16.10.$n "$1"
- done
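The loop above hangs if a host is down or unexpectedly asks for a password, and it accepts any new or changed host key if it is run where the TOFU prompt cannot be answered. As an added example (not from the original post), here is the same fleet loop with the OpenSSH options that make it safe to run unattended and with a per-host success count. Hosts, port and user are the ones from the notes; the ssh options (BatchMode, StrictHostKeyChecking, ConnectTimeout) are standard OpenSSH client options present in 5.3.

```shell
#!/bin/sh
# Added example: unattended "run one command on every host" with failure handling.
# Defaults mirror the notes; override via environment, e.g. HOSTS="10.0.0.1 10.0.0.2".

SSH_PORT=${SSH_PORT:-1314}
SSH_USER=${SSH_USER:-xiaoxue}
HOSTS=${HOSTS:-"172.16.10.10 172.16.10.30 172.16.10.40"}

# fleet_run COMMAND
# Run COMMAND on each host in HOSTS, continue past failures, print a summary
# "ok=N failed=M" and return 0 only if every host succeeded.
fleet_run() {
    cmd=$1
    ok=0
    failed=0
    for host in $HOSTS; do
        echo "::::::$host::::::"
        # BatchMode=yes            never prompt for a password or passphrase; fail instead
        # StrictHostKeyChecking=yes refuse unknown or changed host keys rather than
        #                          auto-accepting them (nobody is here to check the fingerprint)
        # ConnectTimeout=5         one dead host must not stall the whole loop
        if ssh -p "$SSH_PORT" \
               -o BatchMode=yes \
               -o StrictHostKeyChecking=yes \
               -o ConnectTimeout=5 \
               "$SSH_USER@$host" "$cmd"; then
            ok=$((ok + 1))
        else
            echo "FAILED: $host (ssh exit status $?)" >&2
            failed=$((failed + 1))
        fi
    done
    echo "ok=$ok failed=$failed"
    [ "$failed" -eq 0 ]
}

# Usage: sh fleet_run.sh 'COMMAND'   (exactly one argument, quoted as a whole)
if [ $# -eq 1 ]; then
    fleet_run "$1"
fi
```

Because StrictHostKeyChecking=yes refuses hosts that are not yet in known_hosts, collect each host's key once, interactively and with the fingerprint checked, before the first batch run; after that a changed key stops the loop for that host instead of being silently accepted.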
Source: http://www.bubuko.com/infodetail-2970976.html