SSH远程管理服务实战
目录SSH基本概述
SSH是一个安全协议,在进行数据传输时,会对数据包进行加密处理,加密后在进行数据传输。确保了数
据传输安全。
SSH服务主要功能
1.提供远程连接服务器的服务
2.对传输的数据进行加密
ssh协议和telnet协议的区别
ssh服务会对传输数据进行加密, 监听在本地22/tcp端口, ssh服务默认支持roo用户登录
telnet服务不对数据进行加密, 监听在本地23/tcp端口, Telnet默认不支持root用户登录
ssh相关命令
ssh远程登录服务器命令
ssh root@10.0.0.41 -p 22
#root:指定用哪个用户连接(远端服务器的用户),当前用户是root就可以不加
#@:分隔符
#10.0.0.41:远端主机的IP
#-p:指定远端主机端口,ssh默认22可以省略
ssh root@172.16.1.31 'ifconfig'
在远端机器上执行命令,不用连接过去
[root@backup ~]$ ssh root@172.16.1.31 'ifconfig'
The authenticity of host '172.16.1.31 (172.16.1.31)' can't be established.
ECDSA key fingerprint is SHA256:3enksfMN5/ep92kZMkIEC39u/yyFXAX8gO9F83Lm1vE.
ECDSA key fingerprint is MD5:84:3b:b2:f2:ea:31:9f:96:b1:d8:45:2b:13:b7:62:eb.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.1.31' (ECDSA) to the list of known hosts.
root@172.16.1.31's password:
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.16.1.31 netmask 255.255.255.0 broadcast 172.16.1.255
inet6 fe80::20c:29ff:fea7:5d90 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:a7:5d:90 txqueuelen 1000 (Ethernet)
RX packets 2110 bytes 128819 (125.7 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1098 bytes 68693 (67.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
scp -rp /oldboy/ root@172.16.1.7:/opt
远程拷贝(全量)走的是ssh协议
[root@backup ~]$ scp -rp /oldboy/ root@172.16.1.7:/opt
The authenticity of host '172.16.1.7 (172.16.1.7)' can't be established.
ECDSA key fingerprint is SHA256:3enksfMN5/ep92kZMkIEC39u/yyFXAX8gO9F83Lm1vE.
ECDSA key fingerprint is MD5:84:3b:b2:f2:ea:31:9f:96:b1:d8:45:2b:13:b7:62:eb.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.1.7' (ECDSA) to the list of known hosts.
root@172.16.1.7's password:
1.txt 100% 0 0.0KB/s
[root@web01 ~]$ ll /opt/
total 0
drwxr-xr-x 2 root root 19 Jul 9 19:44 oldboy
SSH的验证方式
创建秘钥对 (公钥私钥)
公钥:管理机发给远程机
私钥:管理机用来打开远程机的锁(公钥)
#在管理机上生成公钥和私钥
[root@m01 ~]$ ssh-keygen
[root@m01 ~]$ ll .ssh/
total 12
-rw------- 1 root root 1679 Jul 9 10:49 id_rsa #私钥(钥匙)
-rw-r--r-- 1 root root 390 Jul 9 10:49 id_rsa.pub #公钥(锁)
-rw-r--r-- 1 root root 682 Jul 9 11:21 known_hosts #第一次利用公钥连接远程机时会有交互(输入yes),输入后就会在这个文件中产生远程机ip信息,表示已经第一次连接就输入过了,以后再连接就不用再输入了
[root@m01 ~]$ cat .ssh/known_hosts
10.0.0.41 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBP2D5teBiqz8QsHoJgZhSjikWfNTj3Z/fsyb+OREmH+ZeNRncYYNvJeGgTOXss9s6tCAbTjGw+i/fQ1UBzhGPpc=
10.0.0.31 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBP2D5teBiqz8QsHoJgZhSjikWfNTj3Z/fsyb+OREmH+ZeNRncYYNvJeGgTOXss9s6tCAbTjGw+i/fQ1UBzhGPpc=
10.0.0.7 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBP2D5teBiqz8QsHoJgZhSjikWfNTj3Z/fsyb+OREmH+ZeNRncYYNvJeGgTOXss9s6tCAbTjGw+i/fQ1UBzhGPpc=
10.0.0.8 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBP2D5teBiqz8QsHoJgZhSjikWfNTj3Z/fsyb+OREmH+ZeNRncYYNvJeGgTOXss9s6tCAbTjGw+i/fQ1UBzhGPpc=
#将公钥发送给被管理端
[root@m01 ~]$ ssh-copy-id -i ~/.ssh/id_rsa.pub root@10.0.0.41
#被管理端的服务器公钥保存后
[root@backup ~]$ ll .ssh/
total 8
-rw------- 1 root root 390 Jul 9 10:53 authorized_keys #存放公钥的文件
-rw-r--r-- 1 root root 345 Jul 9 19:45 known_hosts
ssh-copy-id这个命令都帮我们做了哪些事
# 1.在被管理端创建了一个.ssh目录在家目录下
mkdir ~/.ssh
# 2.将.ssh目录权限修改为700
chmod 700 ~/.ssh
# 3.创建公钥存放的文件
[root@backup ~]$ cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCu8ecP9QulOO45n79fI2oDFW8VQsfvDTCZBnAJm9sqU97QhBwqHs7fCLs5bgIMh7OEwNXQVQqHBLO1gCQVbU5D1YWpR7xnL0+lOevpvk48D5JVO3KvHO86Cg4CNk7Yergf/DqMZf0WB9UtNNmiE+wrYdbbtbsKAvYQye4/MZ7IklZcWZ2l4lHikz3gJsxTdpTvDFZO/aBfKef5qoxpx9r9L6BB0cfwIueah/gUhsTacWdgApYSZgTsb05XxFxYTnfxeOkWSGjZ8lI4g27hrqhpobueU5lx7PU+QFd6PoKUgWYLSFGKt5SWrMVsPKMmr4WqhZL/OUEkIxB2Ro3pgigl root@m01
# 4.修改公钥存放文件的权限
chmod 600 ~/.ssh/authorized_keys
ssh优化
[root@m01 ~]$ vim /etc/ssh/sshd_config
#端口
17 Port 22
#允许root登录
38 #PermitRootLogin yes
#允许密码登录
65 PasswordAuthentication yes
#GSS接口认证
79 GSSAPIAuthentication no
#使用DNS的反向解析
115 UseDNS no
重启ssh服务
[root@m01 ~]$ systemctl restart sshd