SSH远程登录协议和TCP Wrappers

• 一、SSH协议的基础
• • 1.SSH (Secure Shell) 协议
  • 2.ssh协议的优点
  • 3.OpenSSH
• 二、ssh原理
• • 1.公钥传输
  • 2密钥对传输
  • 3.服务端配置
• 三.TCP Wrappers
• • 1.允许个别，拒绝所有
  • 2.允许所有，拒绝个别
• 四.轻量级自动化运维工具pssh

是一种安全通道协议
对通信数据进行了加密处理，用于远程管理

是一种安全通道协议，主要用来实现字符界面的远程登录、远程复制等功能。SSH协议对通信双方的数据传输进行了加密处理，其中包括登录时输入的用户口令，SSH为建立在应用层和传输层基础上的安全协议。

数据传输是加密的，可以防止信息泄露
数据传输是压缩的，可以提高传输速度

服务名称：sshd
服务端主程序：/usr/sbin/sshd
服务端配置文件：/etc/ssh/sshd_config
客户端配置文件：/etc/ssh/ssh_config

ssh服务端主要包括两个服务功能 ssh远程链接和sftp服务

客户端发起链接请求

服务端返回自己的公钥，以及一个会话ID

客户端生成密钥对

客户端用自己的公钥异或会话ID，计算出一个值Res，并用服务端的公钥加密

客户端发送加密后的值到服务端，服务端用私钥解密，得到Res

服务端用解密后的值Res异或会话ID，计算出客户端的公钥

最终：双方各自持有三个秘钥，分别为自己的一对公、私钥，以及对方的公钥，之后的所有通讯都会被加密

采用单钥密码系统的加密方法，同一个密钥可以同时用作信息的加密和解密，这种加密方法称为对称加密，由于其速度快，对称性加密通常在消息发送方需要加密大量数据时使用

	[root@localhost .ssh]# ssh-keygen -t ecdsa
	Generating public/private ecdsa key pair.
	Enter file in which to save the key (/root/.ssh/id_ecdsa): 
	/root/.ssh/id_ecdsa already exists.
	Enter passphrase (empty for no passphrase):   //为空则是不设密码
	Enter same passphrase again: 
	Your identification has been saved in /root/.ssh/id_ecdsa.
	Your public key has been saved in /root/.ssh/id_ecdsa.pub.
	The key fingerprint is:
	SHA256:o/rkzqNa1K1Z95FAKEd2jOHsV1eiYA6iYXLrkZGlAOA root@localhost.localdomain
	The key's randomart image is:
	+---[ECDSA 256]---+
	|+.o =oo.===   . .|
	|.  =.B.=+*.. . o |
	| E  *  oo o o .  |
	|   . o o   o o   |
	|    o . S o o    |
	|   .   = + . .   |
	|    . =     .    |
	|   . =.          |
	|  ..o+=.         |
	+----[SHA256]-----+
	[root@localhost .ssh]# ls
	id_ecdsa  id_ecdsa.pub  known_hosts
	[root@localhost .ssh]# pwd
	/root/.ssh
	[root@localhost .ssh]# ssh-copy-id -i /root/.ssh/id_ecdsa.pub root@192.168.68.105
	/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: 		"/root/.ssh/id_ecdsa.pub"
	/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
	/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
	root@192.168.68.105's password:  //这是输入的是被连接的主机的root登录密码
	Number of key(s) added: 1

	Now try logging into the machine, with:   "ssh 'root@192.168.68.105'"
	and check to make sure that only the key(s) you wanted were added.

	[root@localhost .ssh]# ssh root@192.168.68.105
	Last failed login: Sat Oct  2 17:38:30 CST 2021 from 192.168.68.30 on ssh:notty
	There were 2 failed login attempts since the last successful login.
	Last login: Sat Oct  2 17:35:30 2021 from 192.168.68.30  //若之前未设密码则不需要密码直接登录

与用户密码无关，与IP地址无关，只与密钥对有关
所以当密码更新后，依旧可以登录

	[root@localhost ~]# vim /etc/ssh/sshd_config 

	#Port 22
	#ListenAddress 0.0.0.0
	#LoginGraceTime 2m
	PermitRootLogin no 						#禁止root用户登录
	MaxAuthTries 6 							#最大重试次数为 6

	PermitEmptyPasswords no 				#禁止空密码用户登录
	UseDNS no 								#禁用 DNS 反向解析，以提高服务器的响应速度

	#PermitRootLogin yes   //默认Ubuntu不允许root远程ssh登录
	#StrictModes yes       //检查.ssh/文件的所有者，权限等
	#MaxAuthTries 6
	#MaxSessions 10        //同一个连接最大会话

	#PubkeyAuthentication yes   //基于key验证
	#PermitEmptyPasswords no     //空密码连接
	PasswordAuthentication yes   //基于用户名和密码连接

	AllowUsers zhangsan lisi oyyy@192.168.68.30					#多个用户以空格分隔
	#禁止某些用户登录，用法于AllowUsers 类似（注意不要同时使用）
	DenyUsers zhangsan

TCP Wrappers 像一个防护罩一样，保护着TCP服务程序，它代为监听TCP服务程序的端口，为其增加了一个安全检测过程，外来的连接请求必须先通过这层安全检测，获得许可后才能访问真正的服务程序。
大多数 Linux 发行版，TCP Wrappers 是默认提供的功能。
使用“rpm -q tcp_wrappers”安装

	vim /etc/hosts.allow
	sshd:192.178.68.105

	vim /etc/hosts.deny
	sshd:ALL

	[root@localhost ~]# cd /etc/yum.repos.d/
	[root@localhost yum.repos.d]# ls
	CentOS-base.repo  CentOS-Debuginfo.repo  CentOS-Media.repo    CentOS-Vault.repo
	CentOS-CR.repo    CentOS-fasttrack.repo  CentOS-Sources.repo
	[root@localhost yum.repos.d]# vim CentOS-base.repo
	最后一行添加
	 [epel]
	 name=epel
	baseurl=https://mirrors.aliyun.com/epel/$releasever/x86_64
  	https://mirrors.cloud.tencent.com/epel/$releasever/x86_64
    https://mirrors.huaweicloud.com/epel/$releasever/x86_64
    https://mirrors.tuna.tsinghua.edu.cn/epel/$releasever/x86_64
	gpgcheck=0
	[root@localhost yum.repos.d]# yum clean all
	已加载插件：fastestmirror, langpacks
	正在清理软件源： base epel extras updates
	Cleaning up everything
	Maybe you want: rm -rf /var/cache/yum, to also free up space taken by 																																																															orphaned data from disabled or removed repos
	Cleaning up list of fastest mirrors
	[root@localhost yum.repos.d]# yum install -y pssh
			[root@localhost yum.repos.d]# ssh-keygen 
	Generating public/private rsa key pair.
	Enter file in which to save the key (/root/.ssh/id_rsa): 
	Created directory '/root/.ssh'.
	Enter passphrase (empty for no passphrase): 
	Enter same passphrase again: 
	Your identification has been saved in /root/.ssh/id_rsa.
	Your public key has been saved in /root/.ssh/id_rsa.pub.
	The key fingerprint is:
	SHA256:DpxRL6etEosAFicgW3OM8AMuBVUfkqFIwUdh7iOMBZ4 		root@localhost.localdomain
	The key's randomart image is:
	+---[RSA 2048]----+
	|XOBO*o. .        |
	|=XO=oo o .       |
	|=E*.  o . o      |
	|=o.. . o =       |
	|.o.o  = S .      |
	|  .... = .       |
	|    . o o        |
	|       .         |
	|                 |
	+----[SHA256]-----+
	[root@localhost .ssh]# ssh-copy-id 192.168.68.105
	[root@localhost .ssh]# ssh-copy-id 192.168.68.40
	[root@localhost .ssh]# pssh -H "192.168.68.105 192.168.68.40" touch 				/mnt/abc
	[1] 20:53:32 [SUCCESS] 192.168.68.105
	[2] 20:53:32 [SUCCESS] 192.168.68.40