Telnet and openssl

This article describes in detail the differences between SSH and Telnet, the two remote login protocols, and how to configure them: how to install and configure the Telnet service, the security features of SSH, and how to log in without a password using keys.

telnet

  1. Install telnet
    1. [root@repo ~]# yum install telnet telnet-server -y
    2. [root@repo ~]# chkconfig telnet on
    3. [root@repo ~]# service xinetd restart

      Stopping xinetd: [ OK ]
      Starting xinetd: [ OK ]

    4. [root@repo ~]# ss -tunl | grep 23

      tcp LISTEN 0 64 :::23 :::*

      Super-server: xinetd does the listening for you and wakes the real service up when a user connects.
      Transient daemons: services such as telnet, which may go 3 to 5 days without being accessed, are started this way.

    5. telnet does not allow root to log in; you must create an ordinary user.

SSH

ssh: secure shell, a protocol, 22/tcp, secure remote login

OpenSSH: the open-source implementation of the ssh protocol;

dropbear: another open-source implementation;

  1. SSH protocol versions

v1: uses CRC-32 as the MAC, insecure; open to man-in-the-middle attacks

v2: the two hosts negotiate a secure MAC (one-way hash algorithm)

    1. Key exchange based on the DH algorithm (the public key is sent)
    2. Identity authentication based on the RSA or DSA algorithm (the identity is verified)
    3. Password verification (symmetric encryption, since the password does travel over the network)

  2. Two methods of user login authentication:

Password-based

Key-based: the key pair is generated on the client and the public key is then saved on the server

  3. C/S
    1. C: ssh, scp, sftp

Windows clients:

xshell, putty, securecrt, sshsecureshellclient

    2. S: sshd

  4. Client components:
    1. ssh

Config file: /etc/ssh/ssh_config

    # ForwardX11 no                 not enabled by default
    # GSSAPIAuthentication no       not enabled by default
    # StrictHostKeyChecking ask     ask: prompt the user
    # Port 22
    # Host *
    # ForwardAgent no
    # ForwardX11 no                 not enabled by default
    # RhostsRSAAuthentication no
    # RSAAuthentication yes
    # PasswordAuthentication yes
    # HostbasedAuthentication no
    # GSSAPIAuthentication no       not enabled by default
    # GSSAPIDelegateCredentials no
    # GSSAPIKeyExchange no
    # GSSAPITrustDNS no
    # BatchMode no
    # CheckHostIP yes
    # AddressFamily any
    # ConnectTimeout 0
    # StrictHostKeyChecking ask     ask: prompt the user
    # IdentityFile ~/.ssh/identity
    # IdentityFile ~/.ssh/id_rsa
    # IdentityFile ~/.ssh/id_dsa
    # Port 22
    # Protocol 2,1
    # Cipher 3des
    # Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
    # MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
    # EscapeChar ~
    # Tunnel no
    # TunnelDevice any:any
    # PermitLocalCommand no
    # VisualHostKey no
    Host *
    GSSAPIAuthentication yes
    # If this option is set to yes then remote X11 clients will have full access
    # to the original X11 display. As virtually no X11 client supports the untrusted
    # mode correctly we set this to yes.
    ForwardX11Trusted yes
    # Send locale-related environment variables
    SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
    SendEnv XMODIFIERS

  5. Syntax: ssh [user@]host [COMMAND]

    ssh [-l user] host [COMMAND]

    -p port: the port the remote server listens on;
    -X: enable X11 forwarding; (graphical programs such as the Firefox browser all run on X)
    -Y: enable trusted X11 forwarding;

    Host PATTERN
        PARAMETER VALUE

  6. Key-based authentication:
    1. Linux
      1. Generate a key pair on the client

    ssh-keygen -t rsa [-P ''] [-f ~/.ssh/id_rsa]

    [root@repo ~]# ssh-keygen -t rsa
    Generating public/private rsa key pair.
    Enter file in which to save the key (/root/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /root/.ssh/id_rsa.
    Your public key has been saved in /root/.ssh/id_rsa.pub.
    The key fingerprint is:
    e8:5c:1e:87:97:fc:67:ad:0d:bf:b3:f1:c7:e8:9d:93 root@repo.zmjchina.cn
    The key's randomart image is:
    +--[ RSA 2048]----+
    | |
    | |
    | |
    | . o . |
    | . S = |
    | o o + . . |
    | o . . ++o|
    | o.E*|
    | .o+@|
    +-----------------+
    [root@repo ~]# ls .ssh/
    id_rsa id_rsa.pub known_hosts

      2. Copy the public key to the home directory of the corresponding user on the remote server

    ssh-copy-id [-i [identity_file]] [user@]machine

    [root@repo ~]# ssh-copy-id -i .ssh/id_rsa.pub root@172.16.31.124
    The authenticity of host '172.16.31.124 (172.16.31.124)' can't be established.
    RSA key fingerprint is b0:d8:92:1d:3e:13:b5:49:0d:eb:b9:08:67:3c:4b:20.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '172.16.31.124' (RSA) to the list of known hosts.
    root@172.16.31.124's password:
    Now try logging into the machine, with "ssh 'root@172.16.31.124'", and check in:
      .ssh/authorized_keys
    to make sure we haven't added extra keys that you weren't expecting.

      3. Test

    [root@repo ~]# ssh root@172.16.31.124 ifconfig
    enp0s29f0u2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
    inet 169.254.95.120 netmask 255.255.255.0 broadcast 169.254.95.255
    inet6 fe80::9595:f2b8:7804:a435 prefixlen 64 scopeid 0x20<link>
    ether 5e:f3:fc:bf:ef:7b txqueuelen 1000 (Ethernet)
    RX packets 1085739 bytes 73334625 (69.9 MiB)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 544551 bytes 26075934 (24.8 MiB)
    TX errors 1 dropped 0 overruns 0 carrier 0 collisions 0

    enp11s0f0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
    inet 172.16.31.124 netmask 255.255.255.0 broadcast 172.16.31.255
    inet6 fe80::dd2d:7a6e:f10a:baac prefixlen 64 scopeid 0x20<link>
    ether 5c:f3:fc:b9:ed:e8 txqueuelen 1000 (Ethernet)
    RX packets 2504168 bytes 1183978664 (1.1 GiB)
    RX errors 1 dropped 0 overruns 0 frame 1
    TX packets 637853 bytes 72378917 (69.0 MiB)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

    2. Windows
      1. Generate the key
      2. Export the key; open the public key
      3. Edit:

    [root@mx2 .ssh]# vim authorized_keys

      4. Verify:

    [jiazi@repo ~]$ ssh root@172.16.31.124 'hostname'
    The authenticity of host '172.16.31.124 (172.16.31.124)' can't be established.
    RSA key fingerprint is b0:d8:92:1d:3e:13:b5:49:0d:eb:b9:08:67:3c:4b:20.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '172.16.31.124' (RSA) to the list of known hosts.

    Select the generated key; login succeeds.

    root@172.16.31.124's password:
    mx2.cpe.com
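
Both the ssh-copy-id step and the manual vim edit of authorized_keys for a Windows-made key end with the same chore: the key must land in the right file with the right permissions, and the file should be reviewed for keys you did not expect. The following script is an added example (not ssh-copy-id itself and not from the original post) that does that job by hand; the public key it installs in demo() is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example, not from the original post: install a public key into a
# user's authorized_keys by hand (what ssh-copy-id, or the vim edit for a
# Windows-made key, does), with the permissions sshd's StrictModes requires,
# skipping keys that are already present, then list what is authorized.
# The key used in demo() is a constructed placeholder, not a real key.

install_pubkey() {   # install_pubkey PUBKEY_FILE HOME_DIR -> prints number of keys added
    pubkey_file=$1; sshdir=$2/.ssh; auth=$sshdir/authorized_keys
    mkdir -p "$sshdir" && chmod 700 "$sshdir"      # StrictModes rejects group/world-writable dirs
    touch "$auth" && chmod 600 "$auth"
    added=0
    while IFS= read -r line; do
        # accept only key lines: "<type> <base64 key> [comment]"
        case "$line" in ssh-*|ecdsa-*) ;; *) continue ;; esac
        keytype=${line%% *}; rest=${line#* }; keydata=${rest%% *}
        # same type + key material already present: do not add a duplicate
        if ! grep -q -F -- "$keytype $keydata" "$auth"; then
            printf '%s\n' "$line" >> "$auth"
            added=$((added + 1))
        fi
    done < "$pubkey_file"
    echo "$added"
}

list_authorized() {   # list_authorized HOME_DIR -> "<type> <comment>" per key, for review
    awk '$1 ~ /^(ssh|ecdsa)-/ { print $1, ($3 == "" ? "(no comment)" : $3) }' \
        "$1/.ssh/authorized_keys"
}

demo() {
    tmp=$(mktemp -d)
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYNOTREAL demo@client\n' > "$tmp/id.pub"
    echo "first run added:  $(install_pubkey "$tmp/id.pub" "$tmp/home")"   # 1
    echo "second run added: $(install_pubkey "$tmp/id.pub" "$tmp/home")"   # 0, already present
    echo "authorized keys for review:"; list_authorized "$tmp/home"
    rm -rf "$tmp"
}
```

Run list_authorized against the real home directory after every key installation; an unfamiliar comment or key type is exactly the "extra key you weren't expecting" that the ssh-copy-id message warns about.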

  7. The scp command:
    1. scp [options] SRC... DEST/
    2. There are two cases:
      1. PULL:

    scp [options] [user@]host:/PATH/FROM/SOMEFILE /PATH/TO/SOMEWHERE

    [root@repo ~]# scp root@172.16.31.124:/etc/fstab /home/bak/
    fstab 100% 628 0.6KB/s 00:00
    [root@repo ~]# ls -l /home/bak/
    total 4
    -rw-r--r-- 1 root root 628 Feb 20 16:34 fstab

      2. PUSH:

    scp [options] /PATH/FROM/SOMEFILE [user@]host:/PATH/TO/SOMEWHERE

    [root@repo ~]# scp /etc/fstab root@172.16.31.124:/home/bak/
    fstab
    [root@repo ~]# ssh root@172.16.31.124 ls -l /home/bak
    total 8
    -rw-r--r--. 1 root root 944 Feb 20 11:48 fstab

Common options:

-r: copy recursively;
-p: preserve the attributes of the original file;
-q: quiet mode
-P PORT: the port the remote host listens on;

  8. The sftp command:

    sftp [user@]host
    sftp> help

    [root@repo ~]# sftp root@172.16.31.124
    Connecting to 172.16.31.124...
    sftp> ls
    anaconda-ks.cfg xuexi

  9. Server side:

sshd, config file: /etc/ssh/sshd_config

    #Port 22                                change the port
    # The default requires explicit activation of protocol 1
    #Protocol 2                             only allow version 2 logins
    #AddressFamily any                      ipv4 ipv6
    #ListenAddress 0.0.0.0                  listen address
    #ListenAddress ::                       ipv6
    # HostKey for protocol version 1
    #HostKey /etc/ssh/ssh_host_key          crc32 MAC, insecure
    # HostKeys for protocol version 2
    HostKey /etc/ssh/ssh_host_rsa_key
    #HostKey /etc/ssh/ssh_host_dsa_key
    HostKey /etc/ssh/ssh_host_ecdsa_key     only present from CentOS 7 on
    HostKey /etc/ssh/ssh_host_ed25519_key
    #KeyRegenerationInterval 1h
    #ServerKeyBits 1024                     key length
    #SyslogFacility AUTH
    SyslogFacility AUTHPRIV                 logs go to /var/log/secure
    #LoginGraceTime 2m                      login wait time
    #PermitRootLogin yes                    allow the administrator to log in
    #StrictModes yes                        strict mode
    #MaxAuthTries 6                         number of attempts
    #MaxSessions 10                         maximum number of connections
    #RSAAuthentication yes
    #PubkeyAuthentication yes
    #PasswordAuthentication yes             can be disabled once key authentication is in place
    #PermitEmptyPasswords no
    PasswordAuthentication yes
    #ChallengeResponseAuthentication yes    plaintext, two-way
    ChallengeResponseAuthentication no
    # Kerberos options                      third-party centralized authentication; very useful for large-scale unified accounts
    Kbc+
    X11Forwarding yes                       enable graphics forwarding
    Subsystem    sftp    /usr/libexec/openssh/sftp-server    sftp support
    #UseDNS yes                             affects client login speed.

  10. Common parameters:

    Port 22022
    ListenAddress ip
    PermitRootLogin yes

  11. How to restrict which users may log in:

    AllowUsers user1 user2 user3
    AllowGroups
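
With SyslogFacility AUTHPRIV, sshd's authentication messages end up in /var/log/secure, which is the log the best-practice list says to analyze regularly. The following script is an added example (not from the original post) that summarizes such a log: failed password attempts per source address, sources exceeding a threshold, and accepted password logins as root; the log lines it reads are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: summarize sshd authentication
# events from /var/log/secure (SyslogFacility AUTHPRIV on CentOS).
# The sample log lines below are constructed for the demo.

write_sample_log() {   # write_sample_log FILE
    cat > "$1" <<'EOF'
Feb 20 11:48:01 mx2 sshd[1234]: Failed password for root from 203.0.113.7 port 51122 ssh2
Feb 20 11:48:03 mx2 sshd[1235]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Feb 20 11:48:05 mx2 sshd[1236]: Failed password for root from 203.0.113.7 port 51140 ssh2
Feb 20 11:49:30 mx2 sshd[1238]: Failed password for jiazi from 172.16.31.10 port 40010 ssh2
Feb 20 11:50:10 mx2 sshd[1240]: Accepted publickey for jiazi from 172.16.31.10 port 40022 ssh2
Feb 20 11:51:00 mx2 sshd[1242]: Accepted password for root from 172.16.31.10 port 40030 ssh2
EOF
}

# Failed password attempts per source address, most active first. The address
# is the token after "from", which also covers the "invalid user" variant of
# the message where the user name shifts the field positions.
failed_by_source() {   # failed_by_source LOGFILE -> "IP COUNT" lines
    awk '/sshd\[[0-9]+\]: Failed password for / {
             for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
         }
         END { for (ip in n) print ip, n[ip] }' "$1" | sort -k2,2nr
}

# Sources with at least THRESHOLD failures: candidates for an iptables rule.
flag_bruteforce() {   # flag_bruteforce LOGFILE THRESHOLD -> IP lines
    failed_by_source "$1" | awk -v t="$2" '$2 >= t { print $1 }'
}

# Successful password logins as root: these should not occur at all once
# PermitRootLogin no and PasswordAuthentication no are in effect.
root_password_logins() {   # root_password_logins LOGFILE -> IP lines
    awk '/sshd\[[0-9]+\]: Accepted password for root from / {
             for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1)
         }' "$1"
}

demo() {
    log=$(mktemp); write_sample_log "$log"
    echo "failures by source:"; failed_by_source "$log"
    echo "sources with >= 3 failures:"; flag_bruteforce "$log" 3
    echo "root password logins from:"; root_password_logins "$log"
    rm -f "$log"
}
```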

Best practices for the ssh service:

  1. Do not use the default port;

    Port 2222    (change the port)

  2. Forbid protocol version 1;

    Protocol 2

  3. Restrict which users may log in;

    AllowUsers user1 user2 user3
    AllowGroups

  4. Set an idle session timeout;

    ClientAliveInterval 120

  5. Use the firewall to set an ssh access policy;

    iptables

  6. Listen only on specific IP addresses;

    ListenAddress 172.16.31.1

  7. When authenticating by password, use a strong password policy;

    # tr -dc A-Za-z0-9_ < /dev/urandom | head -c 30 | xargs

  8. Use key-based authentication;

    PasswordAuthentication no

  9. Forbid empty passwords;

    PermitEmptyPasswords no

  10. Forbid direct root login;

    PermitRootLogin no

  11. Limit the ssh access rate and the number of concurrent sessions;

    MaxSessions 10

  12. Keep good logs and analyze them regularly;

    SyslogFacility AUTHPRIV

    Port 22022
    ListenAddress 192.168.3.10
    Protocol 2
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_ecdsa_key
    HostKey /etc/ssh/ssh_host_ed25519_key
    ServerKeyBits 2048
    SyslogFacility AUTHPRIV
    LoginGraceTime 1m
    PermitRootLogin no
    StrictModes yes
    MaxAuthTries 6
    MaxSessions 10
    RSAAuthentication yes
    PubkeyAuthentication yes
    AuthorizedKeysFile    .ssh/authorized_keys
    PermitEmptyPasswords no
    PasswordAuthentication yes
    ChallengeResponseAuthentication no
    GSSAPIAuthentication yes
    GSSAPICleanupCredentials no
    UsePAM yes
    X11Forwarding yes
    UsePrivilegeSeparation sandbox        # Default for new installations.
    ClientAliveInterval 120
    UseDNS yes
    AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
    AcceptEnv XMODIFIERS
    Subsystem    sftp    /usr/libexec/openssh/sftp-server
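
The following script is an added example (not from the original post) that audits an sshd_config against the best-practice list above; the sample config it checks is constructed for the demo and modelled on the settings shown. It also mirrors a detail that matters when hardening: sshd uses the first uncommented value of each keyword, so a line added at the end of the file does not override an earlier one.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config against the
# best-practice list. Assumes a plain config without Match blocks. sshd takes
# the FIRST uncommented value of each keyword, which sshd_setting() mirrors.

sshd_setting() {   # sshd_setting FILE KEYWORD -> effective value (first match, case-insensitive)
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == k { print $2; exit }' "$1"
}

audit_sshd() {   # audit_sshd FILE -> one PASS/FAIL line per check; returns the number of FAILs
    f=$1; fails=0
    for spec in PermitRootLogin=no PasswordAuthentication=no PermitEmptyPasswords=no Protocol=2; do
        key=${spec%%=*}; want=${spec#*=}; got=$(sshd_setting "$f" "$key")
        if [ "$got" = "$want" ]; then echo "PASS $key=$got"
        else echo "FAIL $key=${got:-unset} (want $want)"; fails=$((fails + 1)); fi
    done
    port=$(sshd_setting "$f" Port)
    if [ -n "$port" ] && [ "$port" != 22 ]; then echo "PASS Port=$port"
    else echo "FAIL Port=${port:-22} (default port)"; fails=$((fails + 1)); fi
    if [ -n "$(sshd_setting "$f" AllowUsers)$(sshd_setting "$f" AllowGroups)" ]; then
        echo "PASS AllowUsers/AllowGroups set"
    else echo "FAIL AllowUsers/AllowGroups unset (every account may attempt to log in)"; fails=$((fails + 1)); fi
    idle=$(sshd_setting "$f" ClientAliveInterval)
    if [ -n "$idle" ] && [ "$idle" -gt 0 ]; then echo "PASS ClientAliveInterval=$idle"
    else echo "FAIL ClientAliveInterval unset or 0 (idle sessions never time out)"; fails=$((fails + 1)); fi
    return "$fails"
}

write_sample_config() {   # constructed sample, modelled on the config dump above
    cat > "$1" <<'EOF'
Port 22022
Protocol 2
PermitRootLogin no
PasswordAuthentication yes
PermitEmptyPasswords no
ClientAliveInterval 120
# ignored by sshd: PasswordAuthentication was already set above
PasswordAuthentication no
EOF
}

demo() {
    c=$(mktemp); write_sample_config "$c"
    audit_sshd "$c"; echo "failed checks: $?"
    rm -f "$c"
}
```

Against the sample, the audit reports two failures: password authentication is still on (the later "no" line is ignored) and no AllowUsers/AllowGroups restriction is set.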

Another implementation of the ssh protocol: dropbear

(1) dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key -s 2048
    dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key

(2) dropbear -p [ip:]port -F -E
