- telnet
- [root@rhel6 ~]# rpm -qa | grep telnet
- telnet-server-0.17-47.el6.x86_64
- telnet-0.17-47.el6.x86_64
- [root@rhel6 ~]# vi /etc/xinetd.d/telnet //telnet是依赖于xinetd的
- # default: on
- # description: The telnet server serves telnet sessions; it uses \
- # unencrypted username/password pairs for authentication.
- service telnet
- {
- flags = REUSE
- socket_type = stream
- wait = no
- user = root
- server = /usr/sbin/in.telnetd
- log_on_failure += USERID
- disable = no
- instances = 1 //设置服务器最大连接数(即只允许1个用户通过telnet登录)
- # bind = 192.168.0.90 //只允许经由该适配器的数据包进来
- # only_from = 192.168.0.0/24 //只允许该网段通过telnet访问
- # no_access = 192.168.0.100 //不允许该IP通过telnet访问
- # access_times = 9:00-18:00 //telnet服务开放的时间
- }
- [root@rhel6 ~]# /etc/init.d/xinetd restart
- Stopping xinetd: [ OK ]
- Starting xinetd: [ OK ]
- [root@rhel5 ~]# telnet rhel6
- Trying 192.168.0.90...
- Connected to rhel6.
- Escape character is '^]'.
- Red Hat Enterprise Linux Server release 6.2 (Santiago)
- Kernel 2.6.32-220.el6.x86_64 on an x86_64
- login: root
- Password:
- Login incorrect //默认禁止root用户通过telnet登录
- login: xfcy
- Password:
- Last login: Wed Dec 26 17:17:08 from rhel6
- [xfcy@rhel6 ~]$ who
- root pts/0 2012-12-27 12:01 (192.168.0.90)
- xfcy pts/1 2012-12-27 12:18 (rhel5)
- [xfcy@rhel6 ~]$ telnet rhel6
- Trying 192.168.0.90...
- Connected to rhel6.
- Escape character is '^]'.
- Connection closed by foreign host. //不允许第2个用户通过telnet登录
- [root@rhel6 ~]# netstat -lntp | grep :23 //默认监听23号端口
- tcp 0 0 :::23 :::* LISTEN 5169/xinetd
- [xfcy@rhel6 ~]$ vi /etc/services //修改telnet服务的监听端口为230
- telnet 230/tcp
- telnet 230/udp
- [root@rhel6 ~]# /etc/init.d/xinetd restart
- Stopping xinetd: [ OK ]
- Starting xinetd: [ OK ]
- [root@rhel6 ~]# netstat -lntp | grep :23
- tcp 0 0 :::230 :::* LISTEN 5319/xinetd
- [root@rhel5 ~]# telnet rhel6
- Trying 192.168.0.90... //默认通过23号端口无法访问telnet服务
- telnet: connect to address 192.168.0.90: Connection refused
- telnet: Unable to connect to remote host: Connection refused
- [root@rhel5 ~]# telnet rhel6 230 //通过230端口可成功访问telnet服务
- Trying 192.168.0.90...
- Connected to rhel6.xfcy.org (192.168.0.90).
- Escape character is '^]'.
- Red Hat Enterprise Linux Server release 6.2 (Santiago)
- Kernel 2.6.32-220.el6.x86_64 on an x86_64
- login: xfcy
- Password:
- Last login: Thu Dec 27 12:50:16 from rhel5
- [xfcy@rhel6 ~]$ netstat -an | grep :23
- tcp 0 0 192.168.0.90:230 192.168.0.89:51147 ESTABLISHED
- tcp 0 0 :::230 :::* LISTEN
-
默认情况下,Linux不允许root用户以telnet方式登录主机;若要允许root用户通过telnet登录,可采取以下3种方法之一:
- 1.修改login文件
- redhat中对于远程登录的限制体现在/etc/pam.d/login 文件中(即 pam_securetty.so 那一行),如果把这行限制注释掉,那么限制将不起作用。
- [root@rhel5 ~]# vi /etc/pam.d/login
- #%PAM-1.0 auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
- auth include system-auth
- #account required pam_nologin.so
- account include system-auth
- password include system-auth
- # pam_selinux.so close should be the first session rule
- session required pam_selinux.so close
- session include system-auth
- session required pam_loginuid.so
- session optional pam_console.so
- # pam_selinux.so open should only be followed by sessions to be executed in the user context
- session required pam_selinux.so open
- session optional pam_keyinit.so force revoke
- 2.移除securetty文件
- 验证规则设置在/etc/securetty 文件中,该文件定义root用户只能在tty1-tty11的终端上登录,移除该文件即可绕过该验证规则,实现root用户远程登录。
- [root@rhel5 ~]# mv /etc/securetty /etc/securetty.bak
- 3.修改securetty文件
- [root@rhel5 ~]# vi /etc/securetty
- console
- vc/1
- vc/2
- vc/3
- vc/4
- vc/5
- vc/6
- vc/7
- vc/8
- vc/9
- vc/10
- vc/11
- tty1
- tty2
- tty3
- tty4
- tty5
- tty6
- tty7
- tty8
- tty9
- tty10
- tty11
- pts/1
- pts/2
- pts/3
- pts/4
- pts/5
- pts/6
- pts/7
- pts/8
- pts/9
- pts/10
- pts/11
- ssh
- [root@rhel6 ~]# rpm -qa | grep openssh
- openssh-server-5.3p1-70.el6.x86_64
- openssh-clients-5.3p1-70.el6.x86_64
- openssh-5.3p1-70.el6.x86_64
- openssh-askpass-5.3p1-70.el6.x86_64
- [root@rhel6 ~]# cat /etc/ssh/sshd_config
- #Port 22 //设置ssh服务的端口
- #MaxStartups 10 //设置未认证连接(尚未完成登录)的最大并发数
- #ListenAddress 0.0.0.0
- #PermitRootLogin yes
- Protocol 2 //只允许SSH2协议
- SyslogFacility AUTHPRIV
- PasswordAuthentication yes
- ChallengeResponseAuthentication no
- GSSAPIAuthentication yes
- GSSAPICleanupCredentials yes
- UsePAM yes
- AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
- AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
- AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
- AcceptEnv XMODIFIERS
- X11Forwarding yes
- Subsystem sftp /usr/libexec/openssh/sftp-server
- 当客户端登入远程服务器时,客户端会接收服务器发来的公钥(public key),并与 ~/.ssh/known_hosts 中已有的记录进行比对,然后进行底下的动作:
- 若接收到的公钥尚未记录,则询问用户是否记录。若接受则写入 ~/.ssh/known_hosts 并继续后续的登入工作;若不接受则不写入该文件,并且退出登入;
- 若接收到的公钥已有记录,则比对记录是否相同,若相同则继续登入动作;若不相同,则出现警告信息,且退出登入动作。
- [root@rhel6 ~]# rm -f .ssh/known_hosts
- [root@rhel6 ~]# ssh rhel6
- The authenticity of host 'rhel6 (192.168.1.119)' can't be established.
- RSA key fingerprint is 1a:cf:92:de:28:7d:f2:e0:e8:e6:ad:f1:7c:40:6a:67.
- Are you sure you want to continue connecting (yes/no)? yes //接受并把该主机的公钥写入known_hosts
- Warning: Permanently added 'rhel6,192.168.1.119' (RSA) to the list of known hosts.
- root@rhel6's password:
- Last login: Mon Dec 31 11:27:22 2012 from 192.168.1.19
- [root@rhel6 ~]# cat .ssh/known_hosts
- rhel6,192.168.1.119 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA08gfRmTgp6wM1GPgbVBsAiL6dOaKoViS9w/aL3P/NVGjYANfKQQxx2yagOxqOIFV5wefnrutdgoEmYm9sWl+9AtIf4XgMHupGWlq3jK4LWkKrN2Lg7HdijpbKzH2XuHcI1k9sRzB6F2Xhx3YdTnQKyT8wb9spKp9hzTL4ztGXrrcRW9lXBrz7jp9m4HOwim44j6SSVPTAVrCZWho2X+I27f/6DbCHNfFXV1mi+g7ERo2c8e4KwoKComXaa+E/PsBPKWOuvJgujl1VPQ2hTAWPSVXA67eR9o+39c/cOliDPq/SGsGXtWxZei9FM7G+OZAI5RdZ/Fqmbvivzfweg7IZQ==
- 每次启动sshd服务时,sshd服务端都会查找/etc/ssh/ssh_host*公私钥文件,如果不存在则会重新生成公私钥
- [root@rhel6 ~]# ls /etc/ssh/ssh_host_*
- /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_key /etc/ssh/ssh_host_rsa_key //私钥
- /etc/ssh/ssh_host_dsa_key.pub /etc/ssh/ssh_host_key.pub /etc/ssh/ssh_host_rsa_key.pub //公钥
- [root@rhel6 ~]# rm -f /etc/ssh/ssh_host_*
- [root@rhel6 ~]# ls /etc/ssh/ssh_host_*
- ls: cannot access /etc/ssh/ssh_host_*: No such file or directory
- [root@rhel6 ~]# /etc/init.d/sshd restart
- Stopping sshd: [ OK ]
- Generating SSH1 RSA host key: [ OK ] //创建SSH1的RSA公私钥
- Generating SSH2 RSA host key: [ OK ] //创建SSH2的RSA公私钥
- Generating SSH2 DSA host key: [ OK ] //创建SSH2的DSA公私钥
- Starting sshd: [ OK ]
- [root@rhel6 ~]# ls /etc/ssh/ssh_host_*
- /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_key /etc/ssh/ssh_host_rsa_key
- /etc/ssh/ssh_host_dsa_key.pub /etc/ssh/ssh_host_key.pub /etc/ssh/ssh_host_rsa_key.pub
- [root@rhel6 ~]# ssh rhel6
- @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
- @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
- @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
- IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
- Someone could be eavesdropping on you right now (man-in-the-middle attack)!
- It is also possible that the RSA host key has just been changed.
- The fingerprint for the RSA key sent by the remote host is
- 16:1b:b4:09:20:fe:8f:48:12:e1:3c:16:5e:86:67:8b.
- Please contact your system administrator.
- Add correct host key in /root/.ssh/known_hosts to get rid of this message.
- Offending key in /root/.ssh/known_hosts:1 //由于更新了公私钥,故提示known_hosts文件中第1行的信息不匹配
- RSA host key for rhel6 has changed and you have requested strict checking.
- Host key verification failed.
- [root@rhel6 ~]# sed -i '1d' .ssh/known_hosts //删除known_hosts的第一行内容
- [root@rhel6 ~]# ssh rhel6
- The authenticity of host 'rhel6 (192.168.1.119)' can't be established.
- RSA key fingerprint is 16:1b:b4:09:20:fe:8f:48:12:e1:3c:16:5e:86:67:8b.
- Are you sure you want to continue connecting (yes/no)? yes //重新更新known_hosts中的公钥
- Warning: Permanently added 'rhel6,192.168.1.119' (RSA) to the list of known hosts.
- root@rhel6's password:
- Last login: Mon Dec 31 13:28:30 2012 from rhel6
- ssh [-f] [-p port_num] [user@]IP [CMD]
- -f :需配合后面的[CMD]使用,ssh在执行远程指令前即转入后台,本地不等待指令执行完毕;若不加-f参数,则需等待后面的CMD指令执行完毕才会离开远程主机
- -p :指定要连接的远程sshd监听端口
- -X :开启X11 Forwarding(X11 forwarding是基于SSH使用远程X-Windows应用,需配合xhost +)
- -Y :开启受信任的(trusted)X11 Forwarding
- [root@rhel6 ~]# vi ssh_test.sh //创建一个用于测试的脚本
- #!/bin/sh
- echo '####### ssh without "-f" ############'
- date
- ssh rhel6 sleep 10
- date
- echo '####### ssh with "-f" ############'
- date
- ssh -f rhel6 sleep 10
- date
- [root@rhel6 ~]#chmod +x ssh_test.sh
- [root@rhel6 ~]# ./ssh_test.sh
- ####### ssh without "-f" ############
- Mon Dec 31 14:24:26 CST 2012
- Mon Dec 31 14:24:36 CST 2012 //需等待远程主机的指令执行完毕才会离开
- ####### ssh with "-f" ############
- Mon Dec 31 14:24:36 CST 2012
- Mon Dec 31 14:24:36 CST 2012 //远程主机执行指令后立即离开
- [root@rhel6 ~]# ssh rhel6
- Last login: Mon Dec 31 15:13:16 2012 from rhel6
- [root@rhel6 ~]# echo $DISPLAY
- [root@rhel6 ~]# exit
- [root@rhel6 ~]# ssh -X rhel6
- Last login: Mon Dec 31 15:17:19 2012 from rhel6
- [root@rhel6 ~]# echo $DISPLAY
- localhost:10.0
==================================================================================
ssh 用户等价性(两台主机之间免密码互相登录)
- [root@rhel5-1 .ssh]# ssh-keygen -t rsa
- Generating public/private rsa key pair. "以下全部回车即可"
- Enter file in which to save the key (/root/.ssh/id_rsa):
- Enter passphrase (empty for no passphrase):
- Enter same passphrase again:
- Your identification has been saved in /root/.ssh/id_rsa.
- Your public key has been saved in /root/.ssh/id_rsa.pub.
- The key fingerprint is:
- a1:ef:d7:94:03:da:bb:64:f2:7d:4f:73:ad:92:29:a1 root@rhel5-1.xfcy.org
- [root@rhel5-1 .ssh]# ls
- id_rsa id_rsa.pub "id_rsa文件必须存在"
- [root@rhel5-1 .ssh]# cat id_rsa.pub >> key
- [root@rhel5-1 .ssh]# scp key rhel5-2:/root/.ssh/
- The authenticity of host 'rhel5-2 (192.168.1.22)' can't be established.
- RSA key fingerprint is 26:5a:c3:e5:58:f0:0d:57:94:02:b0:7f:01:27:34:2a.
- Are you sure you want to continue connecting (yes/no)? yes
- Warning: Permanently added 'rhel5-2,192.168.1.22' (RSA) to the list of known hosts.
- root@rhel5-2's password:
- key 100% 403 0.4KB/s 00:00
- [root@rhel5-2 .ssh]# ls
- key
- [root@rhel5-2 .ssh]# ssh-keygen -t rsa
- Generating public/private rsa key pair.
- Enter file in which to save the key (/root/.ssh/id_rsa):
- Enter passphrase (empty for no passphrase):
- Enter same passphrase again:
- Your identification has been saved in /root/.ssh/id_rsa.
- Your public key has been saved in /root/.ssh/id_rsa.pub.
- The key fingerprint is:
- 19:51:ec:c9:87:b3:7e:de:b0:e2:7d:b4:89:09:60:8f root@rhel5-2.xfcy.org
- [root@rhel5-2 .ssh]# ls
- id_rsa id_rsa.pub key
- [root@rhel5-2 .ssh]# cat id_rsa.pub >> authorized_keys
- [root@rhel5-2 .ssh]# cat key >> authorized_keys
- [root@rhel5-2 .ssh]# scp authorized_keys rhel5-1:/root/.ssh/
- The authenticity of host 'rhel5-1 (192.168.1.11)' can't be established.
- RSA key fingerprint is 26:5a:c3:e5:58:f0:0d:57:94:02:b0:7f:01:27:34:2a.
- Are you sure you want to continue connecting (yes/no)? yes
- Warning: Permanently added 'rhel5-1,192.168.1.11' (RSA) to the list of known hosts.
- root@rhel5-1's password:
- authorized_keys 100% 806 0.8KB/s 00:00
- [root@rhel5-2 .ssh]# ls
- authorized_keys id_rsa id_rsa.pub key known_hosts
- [root@rhel5-2 .ssh]# ssh rhel5-1
- Last login: Thu Aug 30 15:41:33 2012 from rhel5-2.xfcy.org
- 此时从rhel5-2通过ssh登录到rhel5-1已不需要密码,rhel5-1通过ssh登录到rhel5-2也不需要密码
- 注:两端的id_rsa文件必须存在
本文转自Vnimos51CTO博客,原文链接:http://blog.51cto.com/vnimos/1105117,如需转载请自行联系原作者