SSH协议:安全外壳协议。为Secure Shell 缩写。SSH为建立在应用层和传输层基础上的安全协议。
1、检查SSH服务端安装情况
[root@rhel6_84 ~]# rpm -qpi /mnt/Packages/openssh-server-5.3p1-94.el6.x86_64.rpm #rpm -qpi packetname 查看安装包的内容~]# rpm -qa |grep openssh #检查ssh安装情况。如果没有使用rpm安装一遍。openssh-5.3p1-94.el6.x86_64openssh-clients-5.3p1-94.el6.x86_64openssh-askpass-5.3p1-94.el6.x86_64openssh-server-5.3p1-94.el6.x86_64
2、启动SSHD服务
- [root@rhel-6 ~]# service sshd start
- [root@rhel-6 ~]# /etc/init.d/sshd start #绝对路径方式启动
- [root@rhel-6 ~]# chkconfig sshd on #设置sshd服务开机自启 on自启 off关闭自启
[root@rhel-6 ~]# chkconfig --list sshd #检查开机自启情况
sshd 0:关闭 1:关闭 2:启用 3:启用 4:启用 5:启用 6:关闭
3、客户端保存的密钥
[~]# cat .ssh/known_hosts #查看本机保存的服务端的密钥。192.168.3.81 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCzit8dq4s0xZCk1Gme5GJfYaWZzYHW37KHMfpaU7Fc2/npmJpHpufXGiYR+h9bAR6DBJvDzp5Mr/nmoaOxLb9WH4dsD9ZyLVTLzp3gaFpk9Fc7B8VRznIgveRYmIue146DoU3+Hjt7DWA19Cg4vxGZih/RekhmUgwEbKmxoC1KW6Qm6Aqd+F5oNIdign8KtFaIMzE4cNcL6YEb1wdYTk3fdUWhUip0Fir3sej9zjrGdCCA3HPxuPbsPE+3yaQ975yfelKRHI/DUpsKegQHK88RtfElLnDOVgle/yne8vsvDgnB1JYKZTGu8XuHG+vGwQAR+E2AelQcQDVFZ0+eJ+T
4、SSHD服务配置文件
[root@rhel6_84 ~]# cp /etc/ssh/sshd_config{,.back} #修改前备份此配置文件[root@rhel6_84 ~]# ls /etc/ssh/
moduli ssh_config sshd_config sshd_config.back ssh_host_dsa_key[root@rhel6_84 ~]# cat -n /etc/ssh/sshd_config#Port 22 #端口,默认是22,最好修改为其它[root@rhel6_84 ~]# netstat -anptu |grep ssh #修改好后,查看ssh服务是否正常监听新端口(222)
tcp 0 0 127.0.0.1:6010 0.0.0.0:* LISTEN 2597/sshd
tcp 0 0 0.0.0.0: 0.0.0.0:* LISTEN 2765/sshd
tcp 0 52 192.168.3.84:22 192.168.3.130:57537 ESTABLISHED 2597/sshd
tcp 0 0 ::1:6010 :::* LISTEN 2597/sshd
tcp 0 0 :::222 :::* LISTEN 2765/sshd
5、新端口ssh连接
root@192.168.3.84 #加上-p参数 指定222端口 连接新服务器
6、SSHD配置文件详解
# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $# This is the sshd server system-wide configuration file. See# sshd_config(5) for more information.# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin #ssh所执行的bash目录# The strategy used for options in the default sshd_config shipped with# OpenSSH is to specify options with their default value where# possible, but leave them commented. Uncommented options change a# default value.Port222 #ssh服务端口号#AddressFamily any#ListenAddress 0.0.0.0#ListenAddress ::# Disable legacy (protocol version 1) support in the server for new# installations. In future the default will change to require explicit# activation of protocol 1# HostKey for protocol version 1#HostKey /etc/ssh/ssh_host_key# HostKeys for protocol version 2#HostKey /etc/ssh/ssh_host_rsa_key#HostKey /etc/ssh/ssh_host_dsa_key# default value.#AddressFamily any#ListenAddress 0.0.0.0#ListenAddress :: #指定只监听的IP地址,设置只允许此IP登陆# Disable legacy (protocol version 1) support in the server for new# installations. In future the default will change to require explicit# activation of protocol 1# HostKey for protocol version 1#HostKey /etc/ssh/ssh_host_key# HostKeys for protocol version 2#HostKey /etc/ssh/ssh_host_rsa_key#HostKey /etc/ssh/ssh_host_dsa_key# Lifetime and size of ephemeral version 1 server key#KeyRegenerationInterval 1h#ServerKeyBits 1024 #定义密钥长度,默认长度1024# Logging# obsoletes QuietMode and FascistLogging#SyslogFacility AUTHSyslogFacility AUTHPRIV#LogLevel INFO# Authentication:#LoginGraceTime 2m #连接断开前等待时间#PermitRootLogin yes #禁止root用户登陆#StrictModes yes#MaxAuthTries 6#MaxSessions 10#RSAAuthentication yes#PubkeyAuthentication yes#AuthorizedKeysFile .ssh/authorized_keys#AuthorizedKeysCommand none#AuthorizedKeysCommandRunAs nobody# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts#RhostsRSAAuthentication no# similar for protocol version 2#HostbasedAuthentication no# Change to yes if you don't trust ~/.ssh/known_hosts for# RhostsRSAAuthentication and HostbasedAuthentication#IgnoreUserKnownHosts no# Don't read the user's ~/.rhosts and ~/.shosts files#IgnoreRhosts yes# To disable tunneled clear text passwords, change to no here!#PasswordAuthentication yes#PermitEmptyPasswords noPasswordAuthentication yes #是否允许使用账号和密码登陆,改为no将不允许使用账号和密码登陆,可使用私钥登陆。# Change to no to disable s/key passwords#ChallengeResponseAuthentication yesChallengeResponseAuthentication no# Kerberos options#KerberosAuthentication no#KerberosOrLocalPasswd yes#KerberosTicketCleanup yes#KerberosGetAFSToken no#KerberosUseKuserok yes# GSSAPI options#GSSAPIAuthentication noGSSAPIAuthentication yes#GSSAPICleanupCredentials yesGSSAPICleanupCredentials yes#GSSAPIStrictAcceptorCheck yes#GSSAPIKeyExchange no# Set this to 'yes' to enable PAM authentication, account processing,# and session processing. If this is enabled, PAM authentication will# be allowed through the ChallengeResponseAuthentication and# PasswordAuthentication. Depending on your PAM configuration,# PAM authentication via ChallengeResponseAuthentication may bypass# the setting of "PermitRootLogin without-password".# If you just want the PAM account and session checks to run without# PAM authentication, then enable this but set PasswordAuthentication# and ChallengeResponseAuthentication to 'no'.#UsePAM noUsePAM yes# Accept locale-related environment variablesAcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGESAcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENTAcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGEAcceptEnv XMODIFIERS#AllowAgentForwarding yes#AllowTcpForwarding yes#GatewayPorts no#X11Forwarding noX11Forwarding yes#X11DisplayOffset 10#X11UseLocalhost yes#PrintMotd yes #是否打印 /etc/motd 连接时显示的信息#PrintLastLog yes #是否显示上次登陆信息#TCPKeepAlive yes#UseLogin no#UsePrivilegeSeparation yes #是否允许低权限用户产生新连接进程,no表示如何用户都是用root权限运行ssh#PermitUserEnvironment no#Compression delayed#ClientAliveInterval 0#ClientAliveCountMax 3#ShowPatchLevel no#UseDNS yes #是否启用DNS验证,外网需要启用#PidFile /var/run/sshd.pid #存放服务进程ID#MaxStartups 10:30:100#PermitTunnel no#ChrootDirectory none# no default banner path#Banner none# override default of no subsystemsSubsystem sftp /usr/libexec/openssh/sftp-server# Example of overriding settings on a per-user basis#Match User anoncvs# X11Forwarding no# AllowTcpForwarding no# ForceCommand cvs server