Contents
I. SSH protocol basics
1. The SSH (Secure Shell) protocol
2. Advantages of the SSH protocol
3. OpenSSH
II. How SSH works
1. Public key transfer
2. Key pair transfer
3. Server-side configuration
III. TCP Wrappers
1. Allow a few, deny all
2. Allow all, deny a few
IV. pssh, a lightweight automated operations tool
I. SSH protocol basics
1. The SSH (Secure Shell) protocol
- A secure channel protocol
- Encrypts the communication data; used for remote administration
SSH is a secure channel protocol used mainly for character-mode remote login, remote copying and similar functions. It encrypts all data exchanged between the two parties, including the user password typed at login. SSH is a security protocol built on top of the application and transport layers.
2. Advantages of the SSH protocol
- Data in transit is encrypted, which prevents information leakage
- Data in transit is compressed, which improves transfer speed
3. OpenSSH
- Service name: sshd
- Server main program: /usr/sbin/sshd
- Server configuration file: /etc/ssh/sshd_config
- Client configuration file: /etc/ssh/ssh_config
The SSH server provides two main service functions: SSH remote connection and the SFTP service.
II. How SSH works
1. Public key transfer
- The client initiates a connection request
- The server returns its own public key together with a session ID
- The client generates a key pair
- The client XORs its own public key with the session ID to obtain a value Res, and encrypts it with the server's public key
- The client sends the encrypted value to the server; the server decrypts it with its private key and obtains Res
- The server XORs the decrypted value Res with the session ID, recovering the client's public key
- Result: each side holds three keys, its own public/private key pair plus the other side's public key, and all subsequent communication is encrypted
2. Key pair transfer
With a single-key cryptosystem the same key is used both to encrypt and to decrypt the message; this is called symmetric encryption. Because it is fast, symmetric encryption is normally used when the sender needs to encrypt large amounts of data.
[root@localhost .ssh]# ssh-keygen -t ecdsa
Generating public/private ecdsa key pair.
Enter file in which to save the key (/root/.ssh/id_ecdsa):
/root/.ssh/id_ecdsa already exists.
Enter passphrase (empty for no passphrase):   // leave empty to set no passphrase
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_ecdsa.
Your public key has been saved in /root/.ssh/id_ecdsa.pub.
The key fingerprint is:
SHA256:o/rkzqNa1K1Z95FAKEd2jOHsV1eiYA6iYXLrkZGlAOA root@localhost.localdomain
The key's randomart image is:
+---[ECDSA 256]---+
|+.o =oo.=== . .|
|. =.B.=+*.. . o |
| E * oo o o . |
| . o o o o |
| o . S o o |
| . = + . . |
| . = . |
| . =. |
| ..o+=. |
+----[SHA256]-----+
[root@localhost .ssh]# ls
id_ecdsa id_ecdsa.pub known_hosts
[root@localhost .ssh]# pwd
/root/.ssh
[root@localhost .ssh]# ssh-copy-id -i /root/.ssh/id_ecdsa.pub root@192.168.68.105
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_ecdsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.68.105's password:   // enter the root login password of the host being connected to
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@192.168.68.105'"
and check to make sure that only the key(s) you wanted were added.
[root@localhost .ssh]# ssh root@192.168.68.105
Last failed login: Sat Oct 2 17:38:30 CST 2021 from 192.168.68.30 on ssh:notty
There were 2 failed login attempts since the last successful login.
Last login: Sat Oct 2 17:35:30 2021 from 192.168.68.30   // if no passphrase was set, login succeeds without a password prompt
Key-based login is independent of the user's password and of the IP address; it depends only on the key pair.
So after the password is changed, login still works.
3. Server-side configuration
Comments in sshd_config start with "#"; "//" is not a comment marker and would be rejected by sshd as garbage at the end of the line, so every comment below is on its own line.
[root@localhost ~]# vim /etc/ssh/sshd_config
#Port 22
#ListenAddress 0.0.0.0
#LoginGraceTime 2m
# Forbid the root user from logging in
PermitRootLogin no
# Maximum number of authentication attempts: 6
MaxAuthTries 6
# Forbid login for users with an empty password
PermitEmptyPasswords no
# Disable reverse DNS lookups to speed up the server's response
UseDNS no
# Ubuntu does not allow remote ssh login as root by default
#PermitRootLogin yes
# Check the owner, permissions, etc. of the .ssh/ files
#StrictModes yes
#MaxAuthTries 6
# Maximum number of sessions per connection
#MaxSessions 10
# Key-based authentication
#PubkeyAuthentication yes
# Connections with an empty password
#PermitEmptyPasswords no
# Username and password authentication
PasswordAuthentication yes
# Multiple users are separated by spaces
AllowUsers zhangsan lisi oyyy@192.168.68.30
# Forbid certain users from logging in; usage is similar to AllowUsers (do not use both at the same time)
DenyUsers zhangsan
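One way to check a sshd_config against the hardening points above, as an added example that is not part of the original post. It mirrors a rule that matters when editing this file: sshd keeps the first value it sees for a directive and ignores later duplicates, so a hardened line appended at the end of the file may have no effect. The sample configuration is constructed for the demonstration.

```python
import re

# Constructed sample, not a real host's file: the directives edited in the
# text plus a second MaxAuthTries line to exercise the "first value wins" rule.
SAMPLE_SSHD_CONFIG = """\
PermitRootLogin no
MaxAuthTries 6
MaxAuthTries 3
PermitEmptyPasswords no
PasswordAuthentication yes
AllowUsers zhangsan lisi oyyy@192.168.68.30
DenyUsers zhangsan
"""
# sshd's built-in defaults for the checked directives (used when a line is absent).
DEFAULTS = {"permitrootlogin": "prohibit-password", "maxauthtries": "6",
            "permitemptypasswords": "no", "passwordauthentication": "yes"}


def parse_sshd_config(text):
    """Return (effective directives, ignored duplicate lines): like sshd, only the
    first occurrence of a directive counts; names are case-insensitive,
    'Key value' and 'Key=value' both work, and '#' starts a comment."""
    effective, ignored = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *rest = re.split(r"[\s=]+", line, maxsplit=1)
        if key.lower() in effective:
            ignored.append(line)          # sshd silently ignores this line
        else:
            effective[key.lower()] = rest[0].split() if rest else []
    return effective, ignored


def audit(text):
    """Check the hardening points from the text; an empty list means no findings."""
    effective, ignored = parse_sshd_config(text)

    def value(key):  # first argument of the directive, or sshd's default
        return (effective.get(key) or [DEFAULTS.get(key, "")])[0].lower()

    findings = [f"duplicate directive ignored by sshd: '{line}'" for line in ignored]
    if value("permitrootlogin") != "no":
        findings.append(f"PermitRootLogin is '{value('permitrootlogin')}', expected 'no'")
    if value("permitemptypasswords") != "no":
        findings.append("PermitEmptyPasswords must be 'no'")
    if int(value("maxauthtries")) > 6:
        findings.append(f"MaxAuthTries {value('maxauthtries')} exceeds 6")
    if "allowusers" in effective and "denyusers" in effective:
        findings.append("AllowUsers and DenyUsers are both set; use only one")
    return findings
```

Running audit(SAMPLE_SSHD_CONFIG) reports the ignored second MaxAuthTries line and the AllowUsers/DenyUsers conflict; run it against /etc/ssh/sshd_config after editing to confirm the intended values are the effective ones.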
III. TCP Wrappers
- TCP Wrappers acts like a protective shield in front of TCP service programs: it listens on the service's port on its behalf and adds a security check, so an incoming connection request must pass this check and be granted permission before it can reach the real service program.
- On most Linux distributions TCP Wrappers is provided by default.
- Check that it is installed with "rpm -q tcp_wrappers"
1. Allow a few, deny all
2. Allow all, deny a few
For case 1, allow one client in hosts.allow and deny everyone else in hosts.deny:
vim /etc/hosts.allow
sshd:192.178.68.105
vim /etc/hosts.deny
sshd:ALL
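The decision order that makes both patterns work is: a match in hosts.allow grants access, otherwise a match in hosts.deny refuses it, otherwise access is granted. The following added example (not part of the original post) implements that order over constructed hosts.allow / hosts.deny contents for both cases, using the page's own case 1 files; it supports only the ALL, exact-address, trailing-dot prefix and net/mask client patterns, not EXCEPT or hostnames.

```python
import ipaddress

# Constructed sample files for the two patterns named in the text.
# Case 1 (allow a few, deny all): the page's own hosts.allow / hosts.deny pair.
CASE1_ALLOW = "sshd: 192.178.68.105\n"
CASE1_DENY = "sshd: ALL\n"
# Case 2 (allow all, deny a few): hosts.allow stays empty, hosts.deny lists one client.
CASE2_ALLOW = ""
CASE2_DENY = "sshd: 192.168.68.30\n"


def parse_rules(text):
    """Parse 'daemon_list : client_list' lines; '#' starts a comment and an
    optional third field (a shell command) is ignored here."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split(":")
        if len(fields) < 2:
            continue
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, ip):
    """Subset of hosts_access(5) client patterns: ALL, an exact IPv4 address,
    a trailing-dot prefix such as '192.168.68.', and 'net/mask'."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return ip.startswith(pattern)
    if "/" in pattern:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return ip == pattern


def access_allowed(allow_text, deny_text, daemon, ip):
    """Apply libwrap's decision order: a match in hosts.allow grants access,
    otherwise a match in hosts.deny refuses it, otherwise access is granted."""
    def hit(text):
        return any(("ALL" in daemons or daemon in daemons)
                   and any(client_matches(c, ip) for c in clients)
                   for daemons, clients in parse_rules(text))
    if hit(allow_text):
        return True
    return not hit(deny_text)
```

Note that in case 1 the "sshd: ALL" deny rule only covers sshd: a client blocked from ssh is still admitted to any other wrapped daemon unless hosts.deny lists it too.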
IV. pssh, a lightweight automated operations tool
[root@localhost ~]# cd /etc/yum.repos.d/
[root@localhost yum.repos.d]# ls
CentOS-base.repo CentOS-Debuginfo.repo CentOS-Media.repo CentOS-Vault.repo
CentOS-CR.repo CentOS-fasttrack.repo CentOS-Sources.repo
[root@localhost yum.repos.d]# vim CentOS-base.repo
Append the following at the end of the file (the extra mirror URLs are continuation lines of the single baseurl value and must be indented):
[epel]
name=epel
baseurl=https://mirrors.aliyun.com/epel/$releasever/x86_64
        https://mirrors.cloud.tencent.com/epel/$releasever/x86_64
        https://mirrors.huaweicloud.com/epel/$releasever/x86_64
        https://mirrors.tuna.tsinghua.edu.cn/epel/$releasever/x86_64
gpgcheck=0
Note that gpgcheck=0 disables package signature verification for this repository.
[root@localhost yum.repos.d]# yum clean all
已加载插件:fastestmirror, langpacks
正在清理软件源: base epel extras updates
Cleaning up everything
Maybe you want: rm -rf /var/cache/yum, to also free up space taken by orphaned data from disabled or removed repos
Cleaning up list of fastest mirrors
[root@localhost yum.repos.d]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:DpxRL6etEosAFicgW3OM8AMuBVUfkqFIwUdh7iOMBZ4 root@localhost.localdomain
The key's randomart image is:
+---[RSA 2048]----+
|XOBO*o. . |
|=XO=oo o . |
|=E*. o . o |
|=o.. . o = |
|.o.o = S . |
| .... = . |
| . o o |
| . |
| |
+----[SHA256]-----+
[root@localhost .ssh]# ssh-copy-id 192.168.68.105
[root@localhost .ssh]# ssh-copy-id 192.168.68.40
[root@localhost .ssh]# pssh -H "192.168.68.105 192.168.68.40" touch /mnt/abc
[1] 20:53:32 [SUCCESS] 192.168.68.105
[2] 20:53:32 [SUCCESS] 192.168.68.40