SSH remote access and control
1. SSH remote management
1.1 Overview
SSH is a secure channel protocol.
Main functions: remote login to a character-based (text-mode) interface, and remote file copying.
SSH encrypts all data transmitted between the two communicating parties, including the user's password, so it provides good security.
1.2 SSH configuration files
ssh_config: configuration file for the client
sshd_config: configuration file for the server (the one that is modified most often)
1.3 SSH component structure
1) Transport layer protocol: ssh-trans
Function: server authentication; encryption; data integrity checking; data compression
Usually runs over a TCP/IP connection, but can also run over any other reliable data stream
2) User authentication protocol: ssh-userauth
Provides client-user authentication to the server
Runs on top of ssh-trans
Function: starts user authentication and receives the session identifier from the lower-layer protocol; proves ownership of the private key
3) Connection protocol: ssh-connect
Multiplexes the encrypted tunnel into multiple logical channels
Runs on top of user authentication; provides interactive login sessions, remote command execution, and forwarding of TCP/IP connections
2. Experiments
Experiment 1: remote login
[root@localhost /]# vim /etc/ssh/sshd_config
[root@localhost /]# systemctl restart sshd
Switch to virtual machine 2:
[root@localhost ~]# ssh -p 10022 root@192.168.147.100    // -p specifies the port number
root@192.168.147.100's password:    // enter the root password of virtual machine 1
Last login: Wed May 24 10:56:56 2023 from 192.168.147.1    // login succeeded
Experiment 2: remote copy
2.1 Copying a file
Virtual machine 2:
[root@localhost ~]# cd /opt/
[root@localhost opt]# touch 123.txt
[root@localhost opt]# ls
123.txt  backup  rh
Virtual machine 1:
[root@localhost ~]# cd /
[root@localhost /]# scp root@192.168.147.101:/opt/123.txt /opt/
root@192.168.147.101's password:
123.txt                                       100%    0     0.0KB/s   00:00
[root@localhost /]# cd opt/
[root@localhost opt]# ls
123.txt  rh
2.2 Copying a directory
Virtual machine 1:
[root@localhost opt]# ls
123.txt  rh
[root@localhost opt]# mkdir aa
[root@localhost opt]# cd aa/
[root@localhost aa]# touch jkl.txt
[root@localhost aa]# ls
jkl.txt
[root@localhost aa]# echo 7458 > jkl.txt
Virtual machine 2:
[root@localhost /]# scp -rP 10022 root@192.168.147.100:/opt/aa /opt/    ## -r: copy a directory; -P: specify the port number
root@192.168.147.100's password:
jkl.txt                                       100%    5     7.2KB/s   00:00
3. sftp
3.1 sftp overview
sftp uses encryption and runs on top of SSH. Its transfer efficiency is lower than FTP's, but its security is much better. Its command syntax is the same as FTP's.
3.2 Experiment
Virtual machine 2:
[root@localhost opt]# sftp -P 10022 root@192.168.147.100
root@192.168.147.100's password:
Connected to 192.168.147.100.
sftp> pwd
Remote working directory: /root
sftp> cd /opt
sftp> pwd
Remote working directory: /opt
sftp> get abcd    ## download the file abcd from /opt on virtual machine 1
Fetching /opt/abcd to abcd
/opt/abcd                                     100%    5     2.4KB/s   00:00
sftp> put qwer    ## upload the file qwer from /opt on virtual machine 2
Uploading qwer to /opt/qwer
qwer                                          100%    4     2.6KB/s   00:00
sftp> exit
[root@localhost opt]# ls
123.txt  aa  abcd  backup  qwer  rh
Virtual machine 1:
[root@localhost opt]# ls
123.txt  aa  abcd  qwer  rh
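Both the scp and sftp experiments above end with ls, which only confirms that the file names arrived. The script below is an added example, not part of the original post: it builds a sha256 manifest of the source and destination trees and compares them, so a truncated or altered transfer is detected rather than assumed. It runs entirely locally, with cp -r standing in for scp -r and constructed files mirroring the lab's /opt/aa/jkl.txt; the remote form of the manifest command appears only in a comment. It assumes sha256sum (or shasum) is installed.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a directory copied
# with scp -r (or fetched with sftp) really matches the source by comparing a
# sha256 manifest of both trees. Assumes sha256sum or shasum is available.
# The directory and file names below are constructed for the demo.

# hash_tree DIR -> prints "<sha256>  ./<relative path>" for every regular
# file under DIR, sorted by path, so two manifests compare line by line.
# The same manifest can be produced on the lab server over the existing
# SSH session, e.g.:
#   ssh -p 10022 root@192.168.147.100 'cd /opt/aa && find . -type f | sort | xargs sha256sum'
hash_tree() {
    ( cd "$1" || exit 1
      find . -type f | sort | while IFS= read -r p; do
          if command -v sha256sum >/dev/null 2>&1; then sha256sum "$p"
          else shasum -a 256 "$p"; fi
      done )
}

# verify_tree SRC DST -> returns 0 when every file in SRC is present in DST
# with the same digest and DST has no extra files; otherwise prints the
# differing manifest lines (< only in SRC, > only in DST) and returns 1.
verify_tree() {
    src_m=$(hash_tree "$1")
    dst_m=$(hash_tree "$2")
    if [ "$src_m" = "$dst_m" ]; then
        return 0
    fi
    a=$(mktemp); b=$(mktemp)
    printf '%s\n' "$src_m" > "$a"
    printf '%s\n' "$dst_m" > "$b"
    diff "$a" "$b" || true
    rm -f "$a" "$b"
    return 1
}

# Demo with a constructed source tree; cp -r stands in for
#   scp -rP 10022 root@192.168.147.100:/opt/aa /opt/
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/src/aa" "$work/dst"
    echo 7458 > "$work/src/aa/jkl.txt"      # same content as the post's jkl.txt
    echo abcd > "$work/src/aa/abcd"
    cp -r "$work/src/aa" "$work/dst/"
    verify_tree "$work/src/aa" "$work/dst/aa" && echo "copy verified"
    echo tampered >> "$work/dst/aa/jkl.txt"  # simulate an altered or truncated transfer
    verify_tree "$work/src/aa" "$work/dst/aa" || echo "mismatch detected"
    rm -rf "$work"
}
demo
```

The manifest is sorted by relative path, so a file that exists only on one side shows up as a one-sided diff line, and a changed file shows up as a pair of lines with the same path and different digests.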
4. Restricting user logins
[root@localhost /]# vim /etc/ssh/sshd_config
AllowUsers username    (username@IP restricts that user to logging in only from the given host)
DenyUsers username
:wq!
[root@localhost /]# systemctl restart sshd
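Experiment 1 changed the listening port in sshd_config, and this section adds AllowUsers and DenyUsers. Both edits are easy to get wrong because sshd takes the first occurrence of a directive, ignores commented lines, and applies anything below a Match block only conditionally. The script below is an added example, not from the original post: it reads the effective value of a directive the way sshd does and flags the settings a defender would want changed on a lab box like this one (root password login, password authentication, no allowlist). The two configuration files it checks are constructed samples written to a temporary directory; sshd itself is not needed.

```shell
#!/bin/sh
# Added example (not from the original post): read the effective value of an
# sshd_config directive and flag weak settings. Assumptions: OpenSSH server
# config in the "keyword value" form used in the post (first match wins,
# keywords are case-insensitive, lines starting with '#' are comments);
# sshd does not need to be installed.

# sshd_effective FILE DIRECTIVE -> prints the effective value (first match,
# global section only), or nothing if the directive is absent, in which case
# sshd applies its compiled-in default.
sshd_effective() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0 { next }      # comment or blank line
        tolower($1) == "match" { exit }     # directives below Match are conditional
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^ +/, ""); print; exit   # first occurrence wins
        }
    ' "$1"
}

# sshd_audit FILE -> prints one WARN line per setting a defender would change.
sshd_audit() {
    f=$1
    v=$(sshd_effective "$f" PermitRootLogin)
    if [ -z "$v" ]; then
        echo "WARN: PermitRootLogin is not set; the default depends on the OpenSSH version, set it explicitly (no or prohibit-password)"
    elif [ "$v" = yes ]; then
        echo "WARN: PermitRootLogin yes allows root password logins over the network"
    fi
    v=$(sshd_effective "$f" PasswordAuthentication)
    if [ "${v:-yes}" = yes ]; then      # OpenSSH defaults PasswordAuthentication to yes
        echo "WARN: PasswordAuthentication is effectively yes; prefer key-based login and set it to no"
    fi
    v=$(sshd_effective "$f" PubkeyAuthentication)
    if [ "$v" = no ]; then
        echo "WARN: PubkeyAuthentication no disables key-based login"
    fi
    if [ -z "$(sshd_effective "$f" AllowUsers)" ] && [ -z "$(sshd_effective "$f" AllowGroups)" ]; then
        echo "WARN: no AllowUsers/AllowGroups allowlist; DenyUsers alone is only a denylist"
    fi
}

# make_samples DIR -> writes two constructed sshd_config samples into DIR.
make_samples() {
    cat > "$1/weak.conf" <<'EOF'
# constructed sample resembling the lab's sshd_config after Experiment 1
Port 10022
#PermitRootLogin yes
PasswordAuthentication yes
DenyUsers guest
EOF
    cat > "$1/hardened.conf" <<'EOF'
# constructed sample of the same file after hardening
Port 10022
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers admin@192.168.147.101 deploy
Match User deploy
    PasswordAuthentication yes
EOF
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in weak.conf hardened.conf; do
    echo "== $f: Port=$(sshd_effective "$demo_dir/$f" Port)"
    sshd_audit "$demo_dir/$f"
done
rm -rf "$demo_dir"
```

Note that the commented "#PermitRootLogin yes" line in the weak sample is reported as "not set": a commented line documents the default of the version that shipped the file, not what the running sshd does, which is why the audit asks for an explicit value. The hardened sample's Match block re-enables password authentication for one user only, and the global reading correctly stays "no".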
5. Passwordless login
5.1 Procedure
- Create a key pair
- Upload the public key file
- Import the public key
- Authenticate with the key pair
5.2 Key types
rsa, ecdsa, dsa
5.3 Two forms of keys
Symmetric keys and asymmetric keys
5.4 Two login authentication methods
User account password login; key-based login
5.5 RSA passwordless login
[root@localhost ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:7GaCEiKeooUERamzK4Gy1Dg/rRAveMhj/vx30veDs4U root@localhost.localdomain
The key's randomart image is:
+---[RSA 2048]----+
|      .o.        |
|      ..         |
|..               |
|+ .              |
|+=+     S        |
|@B+o . . .       |
|B%*.o . = E..    |
|Oo=+ . * o +..   |
|o..++.. o ..+..  |
+----[SHA256]-----+
[root@localhost ~]# cd .ssh
[root@localhost .ssh]# ls
id_rsa  id_rsa.pub  known_hosts
[root@localhost .ssh]# ssh-copy-id -i id_rsa.pub root@192.168.147.101
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.147.101's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@192.168.147.101'"
and check to make sure that only the key(s) you wanted were added.

[root@localhost .ssh]# ssh-agent bash
[root@localhost .ssh]# ssh-add
Enter passphrase for /root/.ssh/id_rsa:
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
[root@localhost .ssh]# ssh root@192.168.147.101    // no password prompt: the experiment succeeded
Last login: Thu May 25 00:02:54 2023 from 192.168.147.1
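ssh-copy-id hides what happens on virtual machine 2: the public key is appended to ~/.ssh/authorized_keys, and with StrictModes (the default) sshd ignores that file if the home directory, ~/.ssh or the file itself is group- or world-writable, which is why 0700 and 0600 are the usual values. The script below is an added example, not code from the original post, that performs the "upload and import the public key" steps by hand: it checks that the line really is an OpenSSH public key (so a private key cannot be pasted in by mistake), refuses to add a key that is already present, and sets the permissions. The key strings it uses are constructed placeholders rather than real keys, and it points HOME at a temporary directory so it never touches the real ~/.ssh.

```shell
#!/bin/sh
# Added example (not from the original post): the server-side step that
# ssh-copy-id performs, written out by hand. Assumptions: HOME is the target
# user's home; the keys used below are constructed placeholders, not keys
# from the post; the tree is sandboxed in a temporary directory.

# valid_pubkey LINE -> 0 if LINE has the OpenSSH public-key shape
# "<type> <base64> [comment]", 1 otherwise (rejects private-key material).
valid_pubkey() {
    set -- $1
    case "$1" in
        ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    printf '%s' "$2" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$'
}

# install_pubkey LINE -> appends LINE to $HOME/.ssh/authorized_keys, creating
# the directory (0700) and file (0600) if needed, unless the same key is
# already there. Prints "added" or "present"; returns 1 on an invalid key.
install_pubkey() {
    key=$1
    valid_pubkey "$key" || { echo "rejected: not an OpenSSH public key" >&2; return 1; }
    dir="$HOME/.ssh"; file="$dir/authorized_keys"
    mkdir -p "$dir" && chmod 700 "$dir"
    [ -f "$file" ] || : > "$file"
    chmod 600 "$file"
    # compare on type and key blob only: the comment (user@host) may differ
    blob=$(printf '%s\n' "$key" | awk '{print $1, $2}')
    if awk -v b="$blob" '($1 " " $2) == b { found = 1 } END { exit !found }' "$file"; then
        echo present
    else
        printf '%s\n' "$key" >> "$file"
        echo added
    fi
}

# Demo in a throwaway HOME (run in a subshell so the real HOME is untouched).
demo() (
    HOME=$(mktemp -d); export HOME
    k='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholderNotARealKey0000000 root@vm1'
    install_pubkey "$k"      # added
    install_pubkey "$k"      # present: no duplicate line is written
    install_pubkey '-----BEGIN OPENSSH PRIVATE KEY-----' || echo "private key blocked"
    ls -ld "$HOME/.ssh" "$HOME/.ssh/authorized_keys"
    rm -rf "$HOME"
)
demo
```

Matching on the key type and blob rather than the whole line is what keeps the file free of duplicates when the same key is copied again with a different comment, which is the case ssh-copy-id's "filter out any that are already installed" message refers to.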