SSH (short for Secure Shell) was specified by the IETF Network Working Group; it is a security protocol built on top of the application and transport layers. SSH is currently a fairly reliable protocol designed to provide security for remote login sessions and other network services. Traditional remote network services such as ftp and telnet are inherently insecure, because they send passwords and data across the network in plaintext, which a malicious party can easily intercept. If a third party impersonates the server and receives the plaintext data we send, serious problems can follow. With SSH, all transmitted data is encrypted, so this kind of attack becomes impossible, and DNS spoofing and IP spoofing are also prevented. An additional benefit of SSH is that the transmitted data is compressed, which can speed up transfers. SSH has many uses: it can replace Telnet, and it can also provide a secure "tunnel" for FTP, POP and even PPP.
The SSH protocol currently exists in two versions, SSH1 and SSH2; SSH2 is compatible with SSH1. The main software implementing SSH1 and SSH2 today is OpenSSH and the SSH Communications software from SSH Communications Security Corporation. The former is free software developed by the OpenBSD project, the latter is a commercial product, so on free UNIX-like systems such as Linux, FreeBSD, OpenBSD and NetBSD, OpenSSH is normally the SSH implementation used.
1. Install the packages with yum or rpm
yum install openssh-server openssh-clients
2. Query the installed packages
[root@client01 opt]# rpm -qa|grep openssh
openssh-clients-5.3p1-52.el6.x86_64
openssh-5.3p1-52.el6.x86_64
openssh-server-5.3p1-52.el6.x86_64
3. Locate the configuration file
[root@client01 opt]# rpm -ql openssh-server
/etc/ssh/sshd_config
4. Show the installed ssh version with ssh -V:
[root@localhost Server]# ssh -V
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
5. SSH has a server side and a client side. On the server side, sshd starts at boot by default and runs as a resident service; its status can be checked with service sshd status
[root@localhost Server]# service sshd status
6. Boot-time startup settings of the sshd service
[root@localhost Server]# chkconfig --list | grep sshd
sshd 0:关闭 1:关闭 2:启用 3:启用 4:启用 5:启用 6:关闭
7. Check which port the sshd service is bound to
[root@localhost Server]# netstat -anp | grep sshd
tcp 0 0 :::22 :::* LISTEN 3583/sshd
8. To connect over SSH remotely, port 22 must be opened in the firewall
[root@localhost Server]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
9. Show the firewall rules.
[root@localhost Server]# iptables --list -n
We can use the ssh command to log in to other hosts over the SSH protocol. Since Windows does not ship an ssh client by default, the remote login here is done from a CentOS virtual machine.
We log in with the command ssh root@172.25.215.40, where root is the user name to log in as and the part after @ is the IP address.
[root@xiaoluo ~]# ssh root@172.25.215.40
The authenticity of host '172.25.215.40 (172.25.215.40)' can't be established.
RSA key fingerprint is 53:61:a6:9c:32:92:85:12:1d:97:c9:2c:0c:9b:f6:3e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.25.215.40' (RSA) to the list of known hosts.
root@172.25.215.40's password:
As shown, after entering the command we are prompted about the host's key. Because SSH is encrypted, we answer yes, and a key for this remote host is then stored on the login side in the .ssh/ directory under the user's home directory. Let us look at its contents:
[root@xiaoluo ~]# cat ./.ssh/known_hosts
172.25.215.40 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwOaEBlkF3n1+m/Dern0+cjoGFUDs68JRnuihDTKckxV1IuEsys1HX/YMp6fzjGzDAKd/dsWS0O9bwEmLgK1q8QobQHqUIp7a6VJe+6e3VCUDNhX6GB848O+xvYcgeZjVvMs37+RUvmy7YwQ9FrM5RLm9/RpAVf08gLHoqCleh1QJ2j33AfBNjsUUkrr4UQ3kKTuIJBnsyFHF9zpXHcgtcqGzgzaF7AfZw85DXC//5+cRNvF2wwXyEhbrYR3x50SG/f7FSqDd0JX8/+eMu3Wnmjv6dFZS7qt9s+nh7LUGqqy1lNncXxECFZa2HiSduWkwIW667LBsNVB1pIba7uBn/Q==
What is stored here is the ssh key of the remote host we manage. The key is recorded under the home directory of whichever user name we log in with; after entering the user's password we are logged in to the remote host.
Besides logging in interactively with ssh root@172.25.215.40, when we only want to run a single command on the remote host we can append the command name, for example ssh root@172.25.215.40 ls; ssh then logs in, runs the command and returns.
Other commonly used SSH-based commands include scp and rsync.
scp performs fast, encrypted data transfer between two computers. Its syntax is:
scp source-file destination
For example, to copy the file xiaoluo.txt from the current directory into /root on host 172.25.215.40, we run:
[root@xiaoluo ~]# scp xiaoluo.txt root@172.25.215.40:/root/
The file is then copied to the root directory of host 172.25.215.40. Options can be added, for example -r to copy recursively, -p to preserve file permissions and timestamps, and -C to compress data during transfer.
===========================================================
# Site-wide defaults for various options
Host *
    ForwardAgent no
    ForwardX11 no
    RhostsAuthentication no
    RhostsRSAAuthentication no
    RSAAuthentication yes
    PasswordAuthentication yes
    FallBackToRsh no
    UseRsh no
    BatchMode no
    CheckHostIP yes
    StrictHostKeyChecking no
    IdentityFile ~/.ssh/identity
    Port 22
    Cipher blowfish
    EscapeChar ~
A leading "#" marks the line as a comment that has no effect; this line is not part of the original configuration file and is included to indicate that the options below are the system's initial defaults. Note that in the actual configuration file many options are also prefixed with "#": although that means they are not active, it shows the system's default initial setting.
"Host" applies only to hosts matching the string that follows; "*" means all hosts. The placement of this entry before the others shows that it is a global-style option: the indented options below all apply to it, and "*" can be replaced with a specific host so that the options below apply only to that machine.
"ForwardAgent" sets whether the connection is forwarded to the remote host through an authentication agent (if one exists).
"ForwardX11" sets whether X11 connections are automatically redirected over the secure channel and DISPLAY set.
"RhostsAuthentication" sets whether rhosts-based authentication is used.
"RhostsRSAAuthentication" sets whether rhosts-based authentication combined with RSA is used.
"RSAAuthentication" sets whether RSA authentication is used.
"PasswordAuthentication" sets whether password authentication is used.
"FallBackToRsh" sets whether to fall back to rsh automatically if the ssh connection fails; since rsh is insecure, this option should be set to "no".
"UseRsh" sets whether "rlogin/rsh" is used on this host; for the same reason, set it to "no".
"BatchMode": batch mode, normally "no"; if set to "yes", the interactive password prompt is suppressed, which is very useful for scripts and batch jobs.
"CheckHostIP" sets whether ssh checks the IP address of the host it connects to, to guard against DNS spoofing. "yes" is recommended.
"StrictHostKeyChecking": if set to "yes", ssh will not automatically add host keys to "$HOME/.ssh/known_hosts", and it refuses to connect once a host's key has changed.
"IdentityFile" sets the file from which the user's RSA authentication identity is read.
"Port" sets the port used to connect to the remote host; the default SSH port is 22.
"Cipher" sets the cipher used for encryption; blowfish can be replaced with another cipher of your choice.
"EscapeChar" sets the escape character.
# This is ssh server systemwide configuration file.
Port 22
ListenAddress 192.168.1.1
HostKey /etc/ssh/ssh_host_key
ServerKeyBits 1024
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin no
IgnoreRhosts yes
IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding no
PrintMotd yes
SyslogFacility AUTH
LogLevel INFO
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
AllowUsers admin
"Port" sets the port sshd listens on.
"ListenAddress" sets the IP address the sshd server binds to.
"HostKey" sets the file containing the host's private key.
"ServerKeyBits" defines the number of bits in the server key.
"LoginGraceTime" sets how long (in seconds) the server waits before disconnecting if the user has not logged in successfully.
"KeyRegenerationInterval" sets after how many seconds the server key is automatically regenerated (if one is used). Regenerating the key prevents a stolen key from being used to decrypt captured traffic.
"PermitRootLogin" sets whether root may log in via ssh. From a security standpoint this should be "no".
"IgnoreRhosts" sets whether the "rhosts" and "shosts" files are used during authentication.
"IgnoreUserKnownHosts" sets whether the ssh daemon ignores the user's "$HOME/.ssh/known_hosts" during RhostsRSAAuthentication.
"StrictModes" sets whether ssh checks the permissions and ownership of the user's home directory and rhosts files before accepting a login request. This is usually necessary, because beginners often make their directories and files world-writable.
"X11Forwarding" sets whether X11 forwarding is allowed.
"PrintMotd" sets whether sshd displays the contents of "/etc/motd" when a user logs in.
"SyslogFacility" sets the facility code used when logging messages from sshd.
"LogLevel" sets the verbosity of sshd's log messages. INFO is a good choice; see the sshd man page for more information.
"RhostsAuthentication" sets whether authentication by rhosts or "/etc/hosts.equiv" alone is sufficient.
"RhostsRSA" sets whether authentication by rhosts or "/etc/hosts.equiv" combined with RSA is allowed.
"RSAAuthentication" sets whether RSA-only authentication is allowed.
"PasswordAuthentication" sets whether password authentication is allowed.
"PermitEmptyPasswords" sets whether accounts with an empty password may log in.
"AllowUsers" may be followed by any number of user-name patterns, separated by spaces. Host names may be domain names or IP addresses.
# query the installed packages
[root@client01 opt]# rpm -qa|grep openssh
openssh-clients-5.3p1-52.el6.x86_64
openssh-5.3p1-52.el6.x86_64
openssh-server-5.3p1-52.el6.x86_64
[root@client01 opt]# rpm -ql openssh-server
/etc/pam.d/ssh-keycat
/etc/pam.d/sshd
/etc/rc.d/init.d/sshd
/etc/ssh/sshd_config
/etc/sysconfig/sshd
/usr/libexec/openssh/sftp-server
/usr/libexec/openssh/ssh-keycat
/usr/sbin/.sshd.hmac
/usr/sbin/sshd
/usr/share/doc/openssh-server-5.3p1
/usr/share/doc/openssh-server-5.3p1/HOWTO.ssh-keycat
/usr/share/man/man5/moduli.5.gz
/usr/share/man/man5/sshd_config.5.gz
/usr/share/man/man8/sftp-server.8.gz
/usr/share/man/man8/sshd.8.gz
/var/empty/sshd
# telnet: plaintext transmission, insecure, not recommended
[root@client01 opt]# cd /etc/ssh/
[root@client01 ssh]# ll
total 156
-rw-------. 1 root root 125811 Apr 5 2011 moduli
-rw-r--r--. 1 root root 2047 Apr 5 2011 ssh_config
-rw-------. 1 root root 3872 Apr 5 2011 sshd_config
-rw-------. 1 root root 668 Jul 23 00:58 ssh_host_dsa_key
-rw-r--r--. 1 root root 590 Jul 23 00:58 ssh_host_dsa_key.pub
-rw-------. 1 root root 963 Jul 23 00:58 ssh_host_key
-rw-r--r--. 1 root root 627 Jul 23 00:58 ssh_host_key.pub
-rw-------. 1 root root 1675 Jul 23 00:58 ssh_host_rsa_key
-rw-r--r--. 1 root root 382 Jul 23 00:58 ssh_host_rsa_key.pub
# ssh_config: configuration file for the ssh command
# sshd_config: the one to study closely
[root@client01 ssh]# rm -rf ~/.ssh/known_hosts
[root@larrywen /]# ssh 192.168.1.12
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
3e:bd:1e:76:c4:c7:b4:98:dc:95:fc:61:d7:a8:45:71.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending key in /root/.ssh/known_hosts:7
RSA host key for 192.168.1.12 has changed and you have requested strict checking.
Host key verification failed.
# when the above appears, delete this file
[root@client01 ssh]# rm -rf ~/.ssh/known_hosts
# if it still fails, delete it on the local machine as well
[root@larrywen .ssh]# rm -rf known_hosts
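The warning above names the exact entry that conflicts ("Offending key in /root/.ssh/known_hosts:7") and the fingerprint of the key the host now presents. Deleting the whole known_hosts file, as the transcript does, also throws away every other host key the client has already verified, so the next connection to any host is unverified again. The following added example (my own code, not part of the original post) parses the warning, compares the new fingerprint against the value confirmed out of band with the host's administrator, and removes only the offending line, keeping a .old backup the way ssh-keygen -R does. The file paths and the three known_hosts lines in the demo are constructed; the fingerprint is the one shown in the transcript above.

```shell
#!/bin/sh
# Added example: replace a single stale known_hosts entry instead of deleting
# the whole file. Not from the original post. Sample data is constructed.

# Print the line number named in "Offending key in <file>:<n>".
offending_line_from_warning() {
    printf '%s\n' "$1" |
        sed -n 's/^Offending key in [^:]*:\([0-9][0-9]*\).*$/\1/p' | head -n 1
}

# Print the fingerprint line ("aa:bb:...:ff.") without its trailing dot.
fingerprint_from_warning() {
    printf '%s\n' "$1" |
        sed -n 's/^\([0-9a-f][0-9a-f]\(:[0-9a-f][0-9a-f]\)*\)\.$/\1/p' | head -n 1
}

# replace_offending_entry FILE WARNING EXPECTED_FINGERPRINT
# Removes the offending line from FILE only when the fingerprint in WARNING
# equals EXPECTED_FINGERPRINT (obtained out of band, e.g. from
# "ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub" run on the server console).
# A copy of the old file is kept as FILE.old. Prints "removed line N" on success.
replace_offending_entry() {
    file=$1; warning=$2; expected=$3
    fp=$(fingerprint_from_warning "$warning")
    if [ -z "$fp" ] || [ "$fp" != "$expected" ]; then
        echo "fingerprint mismatch: host sent '$fp', expected '$expected'; not touching $file" >&2
        return 1
    fi
    lineno=$(offending_line_from_warning "$warning")
    if [ -z "$lineno" ]; then
        echo "warning text names no offending line" >&2
        return 1
    fi
    cp "$file" "$file.old"
    sed "${lineno}d" "$file.old" > "$file"
    echo "removed line $lineno"
}

# Number of non-empty entries in a known_hosts file.
known_hosts_entries() { awk 'NF { n++ } END { print n + 0 }' "$1"; }

# Demo with constructed data: a three-line known_hosts where line 2 is the
# host whose key changed; the warning text follows the OpenSSH format and
# uses the fingerprint from the transcript above.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' \
        '192.168.1.11 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAconstructedKeyOne==' \
        '192.168.1.12 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAconstructedKeyTwo==' \
        '192.168.1.13 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAconstructedKeyThree==' \
        > "$dir/known_hosts"
    warning='The fingerprint for the RSA key sent by the remote host is
3e:bd:1e:76:c4:c7:b4:98:dc:95:fc:61:d7:a8:45:71.
Please contact your system administrator.
Offending key in /root/.ssh/known_hosts:2
RSA host key for 192.168.1.12 has changed and you have requested strict checking.'
    replace_offending_entry "$dir/known_hosts" "$warning" \
        "3e:bd:1e:76:c4:c7:b4:98:dc:95:fc:61:d7:a8:45:71"
    echo "entries left: $(known_hosts_entries "$dir/known_hosts")"
    rm -rf "$dir"
}
demo
```

In real use the file argument is the path printed in the warning, and the expected fingerprint comes from the server's console or its administrator, never from the warning itself; if the two differ the function refuses to change anything, which is the case the warning is there to catch.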
[root@client01 ssh]# ll
total 156
-rw-------. 1 root root 125811 Apr 5 2011 moduli
-rw-r--r--. 1 root root 2047 Apr 5 2011 ssh_config
-rw-------. 1 root root 3872 Apr 5 2011 sshd_config
-rw-------. 1 root root 668 Jul 23 00:58 ssh_host_dsa_key
-rw-r--r--. 1 root root 590 Jul 23 00:58 ssh_host_dsa_key.pub
-rw-------. 1 root root 963 Jul 23 00:58 ssh_host_key
-rw-r--r--. 1 root root 627 Jul 23 00:58 ssh_host_key.pub
-rw-------. 1 root root 1675 Jul 23 00:58 ssh_host_rsa_key
-rw-r--r--. 1 root root 382 Jul 23 00:58 ssh_host_rsa_key.pub
# delete the ssh_host_* files and restart the service: the files are regenerated automatically
[root@client01 ssh]# rm -f ssh_host_*
[root@client01 ssh]# ll
total 132
-rw-------. 1 root root 125811 Apr 5 2011 moduli
-rw-r--r--. 1 root root 2047 Apr 5 2011 ssh_config
-rw-------. 1 root root 3872 Apr 5 2011 sshd_config
[root@client01 ssh]# /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Generating SSH1 RSA host key: [ OK ]
Generating SSH2 RSA host key: [ OK ]
Generating SSH2 DSA host key: [ OK ]
Starting sshd: [ OK ]
[root@client01 ssh]# ll
total 156
-rw-------. 1 root root 125811 Apr 5 2011 moduli
-rw-r--r--. 1 root root 2047 Apr 5 2011 ssh_config
-rw-------. 1 root root 3872 Apr 5 2011 sshd_config
-rw-------. 1 root root 672 Aug 6 10:38 ssh_host_dsa_key
-rw-r--r--. 1 root root 590 Aug 6 10:38 ssh_host_dsa_key.pub
-rw-------. 1 root root 963 Aug 6 10:38 ssh_host_key
-rw-r--r--. 1 root root 627 Aug 6 10:38 ssh_host_key.pub
-rw-------. 1 root root 1675 Aug 6 10:38 ssh_host_rsa_key
-rw-r--r--. 1 root root 382 Aug 6 10:38 ssh_host_rsa_key.pub
[root@client01 ssh]# man 5 sshd_config
# change the port, restart, and log in again
[root@client01 ssh]# vim sshd_config
[root@client01 ssh]# grep "Port" sshd_config
#Port 22
Port 2222
#GatewayPorts no
[root@client01 ssh]# /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
[root@client01 ~]# netstat -lanput | grep sshd
tcp 0 0 0.0.0.0:2222 0.0.0.0:* LISTEN 1814/sshd
tcp 0 0 :::2222 :::* LISTEN 1814/sshd
# after changing the port, logging in the old way fails
[root@larrywen /]# ssh 192.168.1.11
ssh: connect to host 192.168.1.11 port 22: Connection refused
# specify the port; the option may go before or after the host
[root@larrywen /]# ssh 192.168.1.11 -p 2222
The authenticity of host '[192.168.1.11]:2222 ([192.168.1.11]:2222)' can't be established.
RSA key fingerprint is 26:c7:6e:26:d8:9d:84:e4:25:46:d4:43:1f:d5:54:67.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.1.11]:2222' (RSA) to the list of known hosts.
root@192.168.1.11's password:
Last login: Tue Aug 6 09:54:46 2013 from 192.168.1.1
[root@client01 ~]# exit
logout
Connection to 192.168.1.11 closed.
[root@larrywen /]# ssh -p 2222 192.168.1.11
root@192.168.1.11's password:
Last login: Tue Aug 6 10:42:48 2013 from 192.168.1.1
# scp: relies on the SSH service; its port option is an uppercase -P and must come before the file arguments
[root@larrywen begin]# scp ule-begin.pdf 192.168.1.11:/root -P 2222
2222: No such file or directory
[root@larrywen begin]# scp -P 2222 ule-begin.pdf 192.168.1.11:/root
root@192.168.1.11's password:
ule-begin.pdf 100% 14MB 13.6MB/s 00:00
II. Changing the SSH port
[root@client01 ~]# vim /etc/ssh/sshd_config
[root@client01 ~]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
[root@client01 ~]# netstat -langput | grep sshd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1969/sshd
tcp 0 0 :::22 :::* LISTEN 1969/sshd
[root@client01 ~]# ifconfig eth0:1 192.168.1.111 netmask 255.255.255.0
[root@client01 ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:07:DD:3B
inet addr:192.168.1.11 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe07:dd3b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:13261 errors:0 dropped:0 overruns:0 frame:0
TX packets:2665 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:15228499 (14.5 MiB) TX bytes:402371 (392.9 KiB)
eth0:1 Link encap:Ethernet HWaddr 00:0C:29:07:DD:3B
inet addr:192.168.1.111 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
[root@larrywen /]# ssh -p 2222 192.168.1.111
ssh: connect to host 192.168.1.111 port 2222: Connection refused
[root@larrywen /]# ssh 192.168.1.111
The authenticity of host '192.168.1.111 (192.168.1.111)' can't be established.
RSA key fingerprint is 26:c7:6e:26:d8:9d:84:e4:25:46:d4:43:1f:d5:54:67.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.111' (RSA) to the list of known hosts.
root@192.168.1.111's password:
Last login: Tue Aug 6 10:57:55 2013 from 192.168.1.1
[root@client01 ~]#
[root@client01 ssh]# grep "ListenAddress" sshd_config
#ListenAddress 0.0.0.0
#ListenAddress ::
ListenAddress 192.168.1.111
[root@client01 ~]# exit
logout
Connection to 192.168.1.111 closed.
[root@larrywen /]# ssh 192.168.1.111
root@192.168.1.111's password:
Last login: Tue Aug 6 11:05:55 2013 from 192.168.1.1
[root@client01 ~]# netstat -langput | grep sshd
tcp 0 0 192.168.1.111:22 0.0.0.0:* LISTEN 2011/sshd
[root@larrywen /]# ssh 192.168.1.11
ssh: connect to host 192.168.1.11 port 22: Connection refused
III. Allowing SSH logins only from the internal network, not from outside
# by default both addresses accept connections
[root@larrywen /]# ssh 172.16.1.11
The authenticity of host '172.16.1.11 (172.16.1.11)' can't be established.
RSA key fingerprint is f5:82:df:5b:07:2a:4a:b2:91:75:86:76:12:49:54:24.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.1.11' (RSA) to the list of known hosts.
root@172.16.1.11's password:
Last login: Tue Aug 6 19:15:21 2013 from 192.168.1.1
# bind the internal IP address: the internal network can connect, the external address is not bound
[root@serv01 ~]# vim /etc/ssh/sshd_config
[root@serv01 ~]# grep "Address" /etc/ssh/sshd_config
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
ListenAddress 192.168.1.11
# restart the service
[root@serv01 ~]# /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
[root@serv01 ~]# exit
logout
Connection to 172.16.1.11 closed.
# connecting to 172.16.1.11 is no longer possible
[root@larrywen /]# ssh 172.16.1.11
ssh: connect to host 172.16.1.11 port 22:Connection refused
# connecting to 192.168.1.11 works normally
[root@larrywen /]# ssh 192.168.1.11
root@192.168.1.11's password:
Last login: Tue Aug 6 19:13:51 2013
[root@serv01 ~]# exit
logout
Connection to 192.168.1.11 closed.
[root@larrywen /]# ssh 192.168.1.11
root@192.168.1.11's password:
Last login: Tue Aug 6 19:15:33 2013 from 172.16.1.1
# check the network state
[root@serv01 ~]# netstat -lanput | grep sshd
tcp 0 0 192.168.1.11:22 0.0.0.0:* LISTEN 1375/sshd
IV. SSH login without a password
[root@serv01 ~]# vim /etc/ssh/sshd_config
[root@serv01 ~]# grep "#PermitEmptyPasswords" /etc/ssh/sshd_config -n
65:#PermitEmptyPasswords no
[root@serv01 ~]# grep "PermitEmptyPasswords" /etc/ssh/sshd_config -n
65:#PermitEmptyPasswords no
67:PermitEmptyPasswords yes
# add a user
[root@serv01 ssh]# useradd hongyi
[root@serv01 ssh]# vim /etc/passwd
[root@serv01 ssh]# tail -n1 /etc/passwd
hongyi::500:500::/home/hongyi:/bin/bash
[root@serv01 ssh]# /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
[root@larrywen /]# ssh hongyi@192.168.1.11
[hongyi@serv01 ~]$
V. Disallowing root logins over SSH
42:#PermitRootLogin yes
43:PermitRootLogin no
93:# the setting of "PermitRootLogin without-password".
[root@serv01 ssh]# man sshd_config
[root@serv01 ssh]# /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
[root@serv01 ssh]# vim /etc/passwd
[root@serv01 ssh]# tail -n1 /etc/passwd
hongyi:x:500:500::/home/hongyi:/bin/bash
[root@serv01 ssh]# passwd hongyi
[root@larrywen /]# ssh 192.168.1.11
root@192.168.1.11's password:
Permission denied, please try again.
[root@larrywen /]# ssh hongyi@192.168.1.11
hongyi@192.168.1.11's password:
Last login: Tue Aug 6 19:29:05 2013 from 192.168.1.1
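The directives explained in the server configuration list earlier on this page, and exercised in sections III to V (ListenAddress, PermitEmptyPasswords, PermitRootLogin), are easy to get wrong because sshd uses the first occurrence of a keyword and falls back to a built-in default when the keyword is absent or commented out; in the transcript above, PermitEmptyPasswords yes was added on line 67 below the commented default on line 65, and PermitRootLogin no on line 43 below the commented default on line 42. The added example below (my own code, not the page's) reads an sshd_config the way sshd resolves it, ignoring comments and stopping at the first Match block, and lists the settings a reviewer would flag against the hardening advice on this page. The defaults assumed (PermitRootLogin yes, PasswordAuthentication yes, PermitEmptyPasswords no, X11Forwarding no) are the upstream OpenSSH 5.x defaults; the two configuration files in the demo are constructed.

```shell
#!/bin/sh
# Added example: audit an sshd_config the way sshd resolves it. Not from the
# original post. Assumed defaults are upstream OpenSSH 5.x defaults.

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# sshd_effective FILE KEYWORD -> value of the first active occurrence
# (sshd uses the first value it reads; "#" lines are comments; directives
# inside a Match block are conditional and are not considered here).
sshd_effective() {
    awk -v key="$2" '
        /^[ \t]*#/             { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) && !found { found = 1; print $2 }
    ' "$1"
}

# effective_or_default FILE KEYWORD DEFAULT -> effective value, or DEFAULT
# when the keyword is absent or only present as a commented-out line.
effective_or_default() {
    v=$(sshd_effective "$1" "$2")
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# audit_sshd_config FILE -> one line per finding (nothing printed = clean)
audit_sshd_config() {
    cfg=$1
    v=$(effective_or_default "$cfg" PermitRootLogin yes)
    [ "$(lower "$v")" = no ] ||
        echo "PermitRootLogin is '$v': root can log in directly, set 'PermitRootLogin no'"
    v=$(effective_or_default "$cfg" PermitEmptyPasswords no)
    [ "$(lower "$v")" = no ] ||
        echo "PermitEmptyPasswords is '$v': accounts with an empty password can log in"
    v=$(effective_or_default "$cfg" PasswordAuthentication yes)
    [ "$(lower "$v")" = no ] ||
        echo "PasswordAuthentication is '$v': passwords can be guessed online, prefer keys"
    [ -n "$(sshd_effective "$cfg" ListenAddress)" ] ||
        echo "no ListenAddress: sshd listens on every interface, including external ones"
    if [ -z "$(sshd_effective "$cfg" AllowUsers)" ] && [ -z "$(sshd_effective "$cfg" AllowGroups)" ]; then
        echo "no AllowUsers/AllowGroups: every local account may log in over ssh"
    fi
    v=$(effective_or_default "$cfg" X11Forwarding no)
    [ "$(lower "$v")" = no ] ||
        echo "X11Forwarding is '$v': disable it unless X11 sessions are actually needed"
}

# audit_finding_count FILE -> number of findings
audit_finding_count() { audit_sshd_config "$1" | awk 'END { print NR }'; }

# Demo on two constructed files: the state sections IV and V leave behind,
# and a hardened version.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' '#PermitRootLogin yes' '#PermitEmptyPasswords no' \
        'PermitEmptyPasswords yes' 'X11Forwarding yes' '#ListenAddress 0.0.0.0' > "$dir/weak"
    printf '%s\n' 'Port 2222' 'ListenAddress 192.168.1.11' 'PermitRootLogin no' \
        'PermitEmptyPasswords no' 'PasswordAuthentication no' 'AllowUsers hongyi up01' \
        'X11Forwarding no' > "$dir/hardened"
    for f in weak hardened; do
        echo "== $f: $(audit_finding_count "$dir/$f") finding(s)"
        audit_sshd_config "$dir/$f"
    done
    rm -rf "$dir"
}
demo
```

Run it against /etc/ssh/sshd_config before the service sshd restart step; the findings read the file as sshd will, so a directive that is only present in commented form is reported at its default rather than at the value the comment shows.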
VI. Restricting SSH login to specified users or groups
AllowUsers hongyi
AllowUsers hongyi up01
DenyUsers zhink
AllowGroups
DenyGroups
[root@serv01 ssh]# useradd zhink
[root@serv01 ssh]# passwd zhink
[root@serv01 ssh]# useradd up01
[root@serv01 ssh]# passwd up01
[root@serv01 ssh]# grep "Users" sshd_config -n
47:AllowUsers hongyi up01
48:DenyUsers zhink
[root@serv01 ssh]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
[root@serv01 ssh]# man sshd_config
[root@larrywen /]# ssh hongyi@192.168.1.11
hongyi@192.168.1.11's password:
Last login: Tue Aug 6 19:40:50 2013 from 192.168.1.1
[hongyi@serv01 ~]$ exit
logout
Connection to 192.168.1.11 closed.
[root@larrywen /]# ssh up01@192.168.1.11
up01@192.168.1.11's password:
[up01@serv01 ~]$ exit
logout
Connection to 192.168.1.11 closed.
[root@larrywen /]# ssh zhink@192.168.1.11
zhink@192.168.1.11's password:
Permission denied, please try again.
zhink@192.168.1.11's password:
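sshd evaluates the four directives listed at the start of this section in a fixed order, DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups, and the patterns accept the * and ? wildcards, so a login is refused as soon as one stage rejects it: zhink above is rejected by DenyUsers, and root would be rejected because AllowUsers is set and does not list it. The added example below (my own code, not the page's) reproduces that decision for a given user and group list so a configuration can be checked before sshd is restarted. The config files are constructed; group membership is passed in explicitly rather than looked up with id, and Match blocks and the user@host pattern form are not handled.

```shell
#!/bin/sh
# Added example: decide whether sshd's Allow/Deny directives admit a user.
# Not from the original post; configuration data below is constructed.

# directive_values FILE KEYWORD -> values of every active occurrence, space
# separated (sshd accumulates these list directives; "#" lines are comments;
# directives inside a Match block are ignored here).
directive_values() {
    awk -v key="$2" '
        /^[ \t]*#/             { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { for (i = 2; i <= NF; i++) s = s (s == "" ? "" : " ") $i }
        END { if (s != "") print s }
    ' "$1"
}

# matches_any NAME "PATTERN ..." -> 0 if NAME matches any glob pattern
matches_any() {
    name=$1
    set -f            # no pathname expansion while splitting the pattern list
    set -- $2
    set +f
    for pat in "$@"; do
        # unquoted $pat keeps * and ? as wildcards, as in sshd patterns
        case $name in $pat) return 0 ;; esac
    done
    return 1
}

# sshd_access_decision FILE USER "GROUP ..." -> prints "allow" or "deny: <stage>"
sshd_access_decision() {
    cfg=$1; user=$2; groups=$3
    deny_users=$(directive_values "$cfg" DenyUsers)
    allow_users=$(directive_values "$cfg" AllowUsers)
    deny_groups=$(directive_values "$cfg" DenyGroups)
    allow_groups=$(directive_values "$cfg" AllowGroups)

    if matches_any "$user" "$deny_users"; then
        echo "deny: DenyUsers"; return 0
    fi
    if [ -n "$allow_users" ] && ! matches_any "$user" "$allow_users"; then
        echo "deny: AllowUsers"; return 0
    fi
    for g in $groups; do
        if matches_any "$g" "$deny_groups"; then
            echo "deny: DenyGroups"; return 0
        fi
    done
    if [ -n "$allow_groups" ]; then
        ok=1
        for g in $groups; do
            if matches_any "$g" "$allow_groups"; then ok=0; fi
        done
        if [ $ok -ne 0 ]; then echo "deny: AllowGroups"; return 0; fi
    fi
    echo allow
}

demo() {
    dir=$(mktemp -d)
    # the configuration from this section, plus a wildcard deny and a group rule
    printf '%s\n' 'AllowUsers hongyi up01' 'DenyUsers zhink guest*' 'DenyGroups nossh' > "$dir/sshd_config"
    for u in hongyi up01 zhink guest07 root; do
        echo "$u: $(sshd_access_decision "$dir/sshd_config" "$u" "$u")"
    done
    echo "up01 in nossh: $(sshd_access_decision "$dir/sshd_config" up01 'up01 nossh')"
    rm -rf "$dir"
}
demo
```

On a real host the group list for a user is what id -Gn USER prints; the function takes it as an argument so that accounts which do not exist yet can be evaluated too.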
VII. SSH user equivalence (passwordless key-based login)
# ssh equivalence
# generate the authentication files: public key and private key
[root@larrywen /]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
86:49:93:08:44:01:03:85:5c:f8:2b:de:2b:08:c2:4f root@larrywen.host.com
The key's randomart image is:
+--[ RSA 2048]----+
|**Oo |
|.+ . . . |
| .. + |
| .. + |
|. . o S |
|oo E . |
|= = |
|.o o |
| ... |
+-----------------+
[root@larrywen /]# cd ~/.ssh/
[root@larrywen .ssh]# ls
id_rsa id_rsa.pub known_hosts
[root@larrywen .ssh]# ssh-copy-id -i id_rsa.pub 192.168.0.217
root@192.168.0.217's password:
Now try logging into the machine, with "ssh '192.168.0.217'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[root@larrywen .ssh]# ssh 192.168.0.217
Last login: Fri Aug 2 11:33:41 2013 from 192.168.0.10
[root@similar ~]#
[root@larrywen .ssh]# yum install openssh-clients -y
# two-way SSH equivalence
[root@serv01 .ssh]# ssh-keygen
[root@serv01 .ssh]# ssh-copy-id -i id_rsa.pub 192.168.1.12
The authenticity of host '192.168.1.12 (192.168.1.12)' can't be established.
RSA key fingerprint is 3e:bd:1e:76:c4:c7:b4:98:dc:95:fc:61:d7:a8:45:71.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.12' (RSA) to the list of known hosts.
root@192.168.1.12's password:
Now try logging into the machine, with "ssh '192.168.1.12'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[root@serv01 .ssh]# ssh 192.168.1.12
Last login: Tue Aug 6 22:10:09 2013 from 192.168.1.11
[root@serv02 ~]#
[root@serv02 .ssh]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
54:6b:99:8a:21:2c:28:0d:2f:89:2e:1a:b1:b3:ef:9e root@serv02.host.com
The key's randomart image is:
+--[ RSA 2048]----+
|. . |
|.* . . + |
|B + o . . = |
|o+ . . + o |
|=. . S |
|o+ |
|o |
| . . |
| oE |
+-----------------+
[root@serv02 .ssh]# ssh-copy-id -i id_rsa.pub 192.168.1.11
The authenticity of host '192.168.1.11 (192.168.1.11)' can't be established.
RSA key fingerprint is f5:82:df:5b:07:2a:4a:b2:91:75:86:76:12:49:54:24.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.11' (RSA) to the list of known hosts.
root@192.168.1.11's password:
Now try logging into the machine, with "ssh '192.168.1.11'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[root@serv02 .ssh]# ssh 192.168.1.11
Last login: Tue Aug 6 22:09:27 2013 from 192.168.1.12
[root@serv01 ~]#
# if serv03 gets hold of the private key, it can log in
# protect the private key with a passphrase
[root@serv01 /]# ssh-keygen
[root@serv01 .ssh]# ssh-copy-id -i id_rsa 192.168.1.13
The authenticity of host '192.168.1.13(192.168.1.13)' can't be established.
RSA key fingerprint is ac:ca:a2:ca:b4:27:b5:aa:5d:1a:eb:6e:5f:3c:2e:51.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.13' (RSA) to the list of known hosts.
root@192.168.1.13's password:
Now try logging into the machine, with "ssh '192.168.1.13'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[root@serv01 .ssh]# ssh 192.168.1.13
Last login: Tue Aug 6 21:47:04 2013 from 192.168.1.1
[root@serv03 ~]#
# using the passphrase-protected key without retyping the passphrase: the SSH agent
# the agent's state is lost after a reboot
[root@serv01 .ssh]# ssh-agent $SHELL
[root@serv01 .ssh]# ssh-add
[root@serv01 .ssh]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
bd:5d:d4:1b:52:32:2f:a3:4e:60:d1:7a:1d:91:c2:4c root@serv01.host.com
The key's randomart image is:
+--[ RSA 2048]----+
| .=E +o. |
| .= o=. |
| o. o+oo.|
| .o...o+ o|
| S oo .. |
| oo . |
| ... |
| |
| |
+-----------------+
[root@serv01 .ssh]# ssh-copy-id -i id_rsa 192.168.1.12
The authenticity of host '192.168.1.12 (192.168.1.12)' can't be established.
RSA key fingerprint is 3e:bd:1e:76:c4:c7:b4:98:dc:95:fc:61:d7:a8:45:71.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.12' (RSA) to the list of known hosts.
root@192.168.1.12's password:
Now try logging into the machine, with "ssh '192.168.1.12'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[root@serv01 .ssh]# ssh 192.168.1.12
Enter passphrase for key '/root/.ssh/id_rsa':
Last login: Tue Aug 6 22:14:11 2013 from 192.168.1.11
[root@serv02 ~]# exit
logout
Connection to 192.168.1.12 closed.
[root@serv01 .ssh]# ssh-agent $SHELL
[root@serv01 .ssh]# ssh-add
Enter passphrase for /root/.ssh/id_rsa:
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
[root@serv01 .ssh]# ssh 192.168.1.12
Last login: Tue Aug 6 22:18:36 2013 from 192.168.1.11
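ssh-copy-id, used throughout this section, appends the public key to ~/.ssh/authorized_keys on the target and prints the reminder to check that no unexpected keys were added, because running it twice leaves a duplicate line, and because StrictModes (explained in the server options earlier on this page) makes sshd refuse keys that sit in a group- or world-writable directory or file. The added example below (my own code, not the page's and not ssh-copy-id itself) does the server-side part of that procedure in a controlled way: it creates ~/.ssh with mode 700 and authorized_keys with mode 600, adds a key only if its type and key material are not already present (ignoring the trailing comment), and reports what is installed. The home directory and the keys in the demo are constructed.

```shell
#!/bin/sh
# Added example: idempotent authorized_keys installation with the permissions
# StrictModes expects. Not from the original post; sample keys are constructed.

# key_identity "TYPE BASE64 COMMENT" -> "TYPE BASE64" (comment dropped)
key_identity() { printf '%s\n' "$1" | awk '{ print $1, $2 }'; }

# install_authorized_key HOME_DIR PUBKEY_LINE
# Prints "added" or "already present". The directory and file are created
# with modes 700 and 600 so that sshd with StrictModes yes accepts them.
install_authorized_key() {
    home=$1; pubkey=$2
    sshdir="$home/.ssh"; ak="$sshdir/authorized_keys"
    case $pubkey in
        "ssh-rsa "*|"ssh-dss "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
        *) echo "not a public key line: $pubkey" >&2; return 1 ;;
    esac
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    [ -f "$ak" ] || : > "$ak"
    chmod 600 "$ak"
    if awk '{ print $1, $2 }' "$ak" | grep -qxF "$(key_identity "$pubkey")"; then
        echo "already present"
        return 0
    fi
    printf '%s\n' "$pubkey" >> "$ak"
    echo "added"
}

# authorized_key_count HOME_DIR -> number of key lines installed
authorized_key_count() { awk 'NF { n++ } END { print n + 0 }' "$1/.ssh/authorized_keys"; }

# list_authorized_comments HOME_DIR -> the comment field of each key, one per
# line; this is what the "check in .ssh/authorized_keys" reminder printed by
# ssh-copy-id asks the administrator to look at.
list_authorized_comments() { awk 'NF { print $3 }' "$1/.ssh/authorized_keys"; }

demo() {
    home=$(mktemp -d)
    # constructed keys: the same key material twice with different comments,
    # then a second key from another host
    k1='ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAconstructedKeyOne== root@serv01.host.com'
    k1_again='ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAconstructedKeyOne== root@serv01'
    k2='ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAconstructedKeyTwo== root@serv02.host.com'
    for k in "$k1" "$k1_again" "$k2"; do
        install_authorized_key "$home" "$k"
    done
    echo "installed: $(authorized_key_count "$home")"
    list_authorized_comments "$home"
    ls -ld "$home/.ssh" "$home/.ssh/authorized_keys"
    rm -rf "$home"
}
demo
```

Matching on the key type and key material rather than the whole line is what keeps the second copy of the same key out, since ssh-keygen's default comment (user@host) changes whenever the key is copied from a differently named machine.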
VIII. Using xinetd together with ssh
# 1. standalone daemon: provides its service on its own and has its own port
# 2. super-daemon: manages other services; xinetd
# xinetd: provides no service itself, it manages services
[root@serv01 .ssh]# yum install xinetd* -y
[root@serv01 .ssh]# chkconfig
auditd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
avahi-daemon 0:off 1:off 2:off 3:on 4:on 5:on 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
ip6tables 0:off 1:off 2:off 3:off 4:off 5:off 6:off
iptables 0:off 1:off 2:off 3:off 4:off 5:off 6:off
messagebus 0:off 1:off 2:on 3:on 4:on 5:on 6:off
netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off
netfs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
postfix 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rdisc 0:off 1:off 2:off 3:off 4:off 5:off 6:off
restorecond 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rhnsd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rhsmcertd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
rsyslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
saslauthd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
udev-post 0:off 1:on 2:on 3:on 4:on 5:on 6:off
xinetd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
xinetd based services:
chargen-dgram: off
chargen-stream: off
daytime-dgram: off
daytime-stream: off
discard-dgram: off
discard-stream: off
echo-dgram: off
echo-stream: off
tcpmux-server: off
time-dgram: off
time-stream: off
# a heavily used service does not need to be managed this way, e.g. Apache
# a rarely used service, on the other hand, should be managed
# related files: yum repositories, log rotation
# configuration files
[root@serv01 etc]# ls /etc/xinetd.conf
/etc/xinetd.conf
[root@serv01 etc]# cd xinetd.d/
[root@serv01 xinetd.d]# ll
total 44
-rw-r--r--. 1 root root 1157 Feb 28 2011 chargen-dgram
-rw-r--r--. 1 root root 1159 Feb 28 2011 chargen-stream
-rw-r--r--. 1 root root 1157 Feb 28 2011 daytime-dgram
-rw-r--r--. 1 root root 1159 Feb 28 2011 daytime-stream
-rw-r--r--. 1 root root 1157 Feb 28 2011 discard-dgram
-rw-r--r--. 1 root root 1159 Feb 28 2011 discard-stream
-rw-r--r--. 1 root root 1148 Feb 28 2011 echo-dgram
-rw-r--r--. 1 root root 1150 Feb 28 2011 echo-stream
-rw-r--r--. 1 root root 1212 Feb 28 2011 tcpmux-server
-rw-r--r--. 1 root root 1149 Feb 28 2011 time-dgram
-rw-r--r--. 1 root root 1150 Feb 28 2011 time-stream
[root@serv01 xinetd.d]# man xinetd.conf
# stream: TCP
# dgram: UDP
# let the xinetd service manage sshd
[root@serv01 xinetd.d]# vim ssh
[root@serv01 xinetd.d]# cat ssh
service ssh
{
socket_type = stream
wait = no
nice = 10
user = root
server = /usr/sbin/sshd
disable = no
}
# list the services; ssh now shows on
[root@serv01 xinetd.d]# chkconfig
xinetd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
xinetd based services:
chargen-dgram: off
chargen-stream: off
daytime-dgram: off
daytime-stream: off
discard-dgram: off
discard-stream: off
echo-dgram: off
echo-stream: off
ssh: on
tcpmux-server: off
time-dgram: off
time-stream: off
# disable it and list the services again; ssh now shows off
[root@serv01 xinetd.d]# vim ssh
[root@serv01 xinetd.d]# cat ssh
service ssh
{
socket_type = stream
wait = no
nice = 10
user = root
server = /usr/sbin/sshd
disable = yes
}
[root@serv01 xinetd.d]# chkconfig
xinetd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
xinetd based services:
chargen-dgram: off
chargen-stream: off
daytime-dgram: off
daytime-stream: off
discard-dgram: off
discard-stream: off
echo-dgram: off
echo-stream: off
ssh: off
tcpmux-server: off
time-dgram: off
time-stream: off
# stop the sshd service
[root@serv01 xinetd.d]# /etc/init.d/sshd stop
Stopping sshd: [ OK ]
# restart the xinetd service
[root@serv01 xinetd.d]# /etc/init.d/xinetd restart
Stopping xinetd: [FAILED]
Starting xinetd: [ OK ]
# check the network state: xinetd is not listening
[root@serv01 xinetd.d]# netstat -langput
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1144/master
tcp 0 0 192.168.1.11:22 192.168.1.1:37741 ESTABLISHED 1377/0
tcp 0 0 ::1:25 :::* LISTEN 1144/master
udp 0 0 0.0.0.0:5353 0.0.0.0:* 1034/avahi-daemon:
udp 0 0 0.0.0.0:54455 0.0.0.0:* 1034/avahi-daemon:
IPv6/IPv4 Group Memberships
Interface RefCnt Group
--------------- ---------------------------
lo 1 224.0.0.1
eth1 1 224.0.0.251
eth1 1 224.0.0.1
eth0 1 224.0.0.251
eth0 1 224.0.0.1
lo 1 ff02::1
eth1 1 ff02::1:ff07:dd45
eth1 1 ff02::1
eth0 1 ff02::1:ff07:dd3b
eth0 1 ff02::1
# the remote connection fails
[root@larrywen .ssh]# ssh 192.168.1.11
ssh: connect to host 192.168.1.11 port 22:Connection refused
# edit again and add server_args = -i
# see man xinetd.conf for server_args
[root@serv01 xinetd.d]# man xinetd.conf
server_args
[root@serv01 xinetd.d]# vim ssh
[root@serv01 xinetd.d]# cat ssh
service ssh
{
socket_type = stream
wait = no
nice = 10
user = root
server = /usr/sbin/sshd
disable = no
server_args = -i
}
# restart the service
[root@serv01 xinetd.d]# /etc/init.d/xinetd restart
Stopping xinetd: [ OK ]
Starting xinetd: [ OK ]
# check again: xinetd is now listening on port 22
[root@serv01 xinetd.d]# netstat -langput
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1144/master
tcp 0 0 192.168.1.11:22 192.168.1.1:37741 ESTABLISHED 1377/0
tcp 0 0 :::22 :::* LISTEN 2410/xinetd
tcp 0 0 ::1:25 :::* LISTEN 1144/master
udp 0 0 0.0.0.0:5353 0.0.0.0:* 1034/avahi-daemon:
udp 0 0 0.0.0.0:54455 0.0.0.0:* 1034/avahi-daemon:
IPv6/IPv4 Group Memberships
Interface RefCnt Group
--------------- ---------------------------
lo 1 224.0.0.1
eth1 1 224.0.0.251
eth1 1 224.0.0.1
eth0 1 224.0.0.251
eth0 1 224.0.0.1
lo 1 ff02::1
eth1 1 ff02::1:ff07:dd45
eth1 1 ff02::1
eth0 1 ff02::1:ff07:dd3b
eth0 1 ff02::1
# remote connection
[root@larrywen .ssh]# ssh 192.168.1.11
The authenticity of host '192.168.1.11 (192.168.1.11)' can't be established.
RSA key fingerprint is f5:82:df:5b:07:2a:4a:b2:91:75:86:76:12:49:54:24.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.11' (RSA) to the list of known hosts.
root@192.168.1.11's password:
Last login: Tue Aug 6 22:15:35 2013 from 192.168.1.12
[root@serv01 ~]#
# check again: the new session appears alongside the xinetd listener
[root@serv01 xinetd.d]# netstat -langput
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1144/master
tcp 0 0 192.168.1.11:22 192.168.1.1:37741 ESTABLISHED 1377/0
tcp 0 0 192.168.1.11:22 192.168.1.1:52605 ESTABLISHED 2413/1
tcp 0 0 :::22 :::* LISTEN 2410/xinetd
tcp 0 0 ::1:25 :::* LISTEN 1144/master
udp 0 0 0.0.0.0:5353 0.0.0.0:* 1034/avahi-daemon:
udp 0 0 0.0.0.0:54455 0.0.0.0:* 1034/avahi-daemon:
IPv6/IPv4 Group Memberships
Interface RefCnt Group
--------------- ---------------------------
lo 1 224.0.0.1
eth1 1 224.0.0.251
eth1 1 224.0.0.1
eth0 1 224.0.0.251
eth0 1 224.0.0.1
lo 1 ff02::1
eth1 1 ff02::1:ff07:dd45
eth1 1 ff02::1
eth0 1 ff02::1:ff07:dd3b
eth0 1 ff02::1
# locate the sshd binary
[root@serv01 xinetd.d]# grep "SSHD" /etc/init.d/sshd -n
41:SSHD=/usr/sbin/sshd