A brief look at OpenSSH and the SSH protocol
OpenSSH
1. The SSH protocol
ssh: secure shell; runs over a TCP connection, default port 22; used for secure remote login. Software implementations: OpenSSH, dropbear
Protocol version: SSH v2 is what is used today; key exchange is based on the DH algorithm and authentication on RSA or DSA. Login authentication methods: password-based and key-based.
2. OpenSSH
Client/server (C/S) architecture
client: ssh, scp, xshell, securecrt
server: sshd
ssh client:
Path: /etc/ssh/ssh_config
Configuration item:
StrictHostKeyChecking    checks the host key on first login; the default "ask" prompts, while "no" suppresses the prompt
Syntax:
ssh [user@]host [COMMAND]      by default logs in to the remote host with the current local user name
ssh [-l user] host [COMMAND]   -l specifies the user to log in to the remote host as
Options:
-b: specify the source IP of the connection
-v: verbose (debug) mode
-C: enable compression
-X: enable X11 forwarding
-Y: enable trusted X11 forwarding
-t: force pseudo-tty allocation
// connect to remoteserver1 directly over ssh and, through it, reach remoteserver2 indirectly
ssh -t remoteserver1 ssh remoteserver2
OpenSSH remote host verification
How OpenSSH verifies the remote host:
When a user connects to an SSH server, the public key from the server's /etc/ssh/ssh_host*key.pub file is copied into ~/.ssh/known_hosts on the client machine. On the next connection the stored key is automatically matched against the server's corresponding private key; if it does not match, the connection is refused.
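The StrictHostKeyChecking setting described above is what stops the client from silently trusting an unknown or changed host key. As an added example (not from the original page), this sh/awk script audits an ssh_config file and lists the Host blocks that set the option to "no"; the sample configuration is constructed, and the per-block reporting is a simplification of the client's first-value-wins rule.

```shell
#!/bin/sh
# Added example, not part of the original page: audit an ssh_config file and
# list the Host blocks that turn host-key checking off (StrictHostKeyChecking no).
# Simplification: each Host block is reported on its own; the real client uses
# the first value it encounters per option across all matching blocks.

# hosts_without_hostkey_check FILE -> prints one host pattern per line;
# options that appear before any Host line are reported under "*"
hosts_without_hostkey_check() {
    awk '
        { sub(/#.*/, ""); gsub(/=/, " ") }      # drop comments, allow key=value
        NF == 0 { next }                        # skip blank lines
        tolower($1) == "host" { block = $2; next }
        tolower($1) == "stricthostkeychecking" {
            if (block == "") block = "*"
            if (tolower($2) == "no") print block
        }
    ' "$1"
}

# weak_hosts_line FILE -> the same patterns joined by spaces on one line
weak_hosts_line() {
    hosts_without_hostkey_check "$1" | tr '\n' ' ' | sed 's/ *$//'
}

# Constructed sample configuration (client side, /etc/ssh/ssh_config syntax)
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# global default: prompt on an unknown host key
StrictHostKeyChecking ask

Host lab-*
    User root
    StrictHostKeyChecking no     # unknown/changed host keys accepted without a prompt

Host bastion
    HostName 172.20.54.2
    StrictHostKeyChecking=yes    # never accept a key that is not already in known_hosts
EOF

echo "Host blocks with host-key checking disabled: $(weak_hosts_line "$SAMPLE_CFG")"
```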
sshd login authentication: user/password based and key based
Password-based login
step 1  the client initiates an ssh request and the server sends its public key to the user
step 2  the user encrypts the password with the public key sent by the server
step 3  the encrypted data is sent back to the server, which decrypts it with its own private key; if the password is correct the user is logged in
Key-based login
step 1  first generate a key pair on the client
step 2  copy the client's public key to the server
step 3  when the client next sends a connection request, it includes the IP and user name
step 4  on receiving the request the server looks in authorized_keys; if a matching IP and user is found, it generates a random string, for example: acdf
step 5  the server encrypts the string with the public key copied over from the client and sends it to the client
step 6  on receiving the server's message, the client decrypts it with its private key and sends the decrypted string back to the server
step 7  the server compares the string it received with the one it generated; if they match, passwordless login is allowed
Generate the key pair on the client; -P '': set no passphrase on the private key
ssh-keygen -t rsa [-P ''] [-f "~/.ssh/id_rsa"]
[root@Centos7 ~]#ssh-keygen -t rsa -P '' -f ~/.ssh/id_rsa
Generating public/private rsa key pair.
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:GmCV/wiqDs4mJP/XWxuPRQ0UsCES7tC4DRi7NNtbJVo root@Centos7.server0
The key's randomart image is:
Copy the public key file to the home directory of the corresponding user on the remote server
ssh-copy-id [-i [identity_file]] [user@]host
Note: to push the local public key to a remote server you can simply run ssh-copy-id [user@]host; the local public key is used by default
[root@Centos7 ~]#ssh-copy-id -i ~/.ssh/id_rsa.pub 172.20.54.2
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@172.20.54.2's password:
Number of key(s) added: 1
Now try logging into the machine, with:   "ssh '172.20.54.2'"
and check to make sure that only the key(s) you wanted were added.
[root@Centos7 ~]#ssh 172.20.54.2
Last login: Thu Nov  7 10:08:32 2019 from 172.20.3.69
Change the passphrase of the private key
ssh-keygen -p
[root@Centos7 ~]#ssh-keygen -p
Enter file in which the key is (/root/.ssh/id_rsa):
Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved with the new passphrase.
[root@Centos7 ~]#ssh 172.20.54.2
Enter passphrase for key '/root/.ssh/id_rsa':
Last login: Fri Nov  8 19:55:04 2019 from 172.20.54.1
Use the authentication agent: the passphrase is entered only once, and from then on the agent supplies the private key passphrase for every ssh connection. When the bash process ends, the agent stops; at the next login, start the agent again.
ssh-agent bash    start the agent
ssh-add           give the passphrase to the agent
[root@Centos7 ~]#ssh-agent bash
[root@Centos7 ~]#ssh-add
Enter passphrase for /root/.ssh/id_rsa:
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
[root@Centos7 ~]#ssh 172.20.54.2
Last login: Fri Nov  8 19:55:46 2019 from 172.20.54.1
[root@Centos7 ~]#exit
logout
Connection to 172.20.54.2 closed.
[root@Centos7 ~]#ssh 172.20.54.2
Last login: Fri Nov  8 19:59:17 2019 from 172.20.54.1
Encrypted file transfer tools: scp, rsync, sftp, pssh
The scp tool
Comes from the openssh-clients package
When scp meets a file of the same name at the destination it simply overwrites it
Syntax:
scp [options] SRC... DEST/
scp [options] [user@]host:/sourcefile /destpath    copy a file from the remote host to the local machine
scp [options] /sourcefile [user@]host:/destpath    copy a local file to the remote host
Common options:
-C: compress the data stream
-r: copy recursively
-p: preserve the original file's attributes
-q: quiet mode
-P PORT: specify the port the remote host listens on
The rsync tool
Copies files between remote systems efficiently on top of the ssh or rsh service
Uses a secure shell connection as the transport
Faster than scp: only files that differ are copied
Syntax:
rsync -av /etc server1:/tmp     copies the directory itself and the files under it
rsync -av /etc/ server1:/tmp    copies only the files under the directory
Options:
-n  simulate the copy (dry run)
-v  show details
-r  copy the directory tree recursively
-p  preserve permissions
-t  preserve timestamps
-g  preserve group
-o  preserve owner
-l  copy symlinks as symlinks (default)
-L  copy the file a symlink points to
-a  archive, equivalent to -rlptgoD, but ACLs (-A) and SELinux attributes (-X) are not preserved
[root@Centos7 /data/ceshi]#rsync -av ./* 172.20.54.2:/data
sending incremental file list
test1
test2
test3
172.20.54.2/
172.20.54.2/test1
172.20.54.2/test2
172.20.54.2/test3
sent 415 bytes received 142 bytes 371.33 bytes/sec
total size is 0 speedup is 0.00
[root@Centos7 /data/ceshi]#echo >> test3
[root@Centos7 /data/ceshi]#rsync -av ./* 172.20.54.2:/data
sending incremental file list
test3
sent 221 bytes received 36 bytes 514.00 bytes/sec
total size is 1 speedup is 0.00
The sftp tool
Interactive file transfer tool
Usage is similar to the traditional ftp tool
Uses the ssh service for secure file upload and download
Supports commands such as ls, cd, mkdir, rmdir, pwd, get and put; use ? or help for help information
The pssh tool
pssh is a tool written in Python that runs commands on many servers at once; it can also copy files
Options:
--version: show the version
-h: host file list; entries are in the form "[user@]host[:port]"
-H: host string, in the form "[user@]host[:port]"
-l: user name to log in with
-o: directory for output files
-O: SSH options
-v: verbose mode
-A: prompt for the password manually (password authentication)
-x: extra command-line arguments; whitespace, quotes and backslashes are processed
-X: extra command-line argument in single-argument mode, otherwise like -x
-i: print each server's output inline as it is processed
-P: print the output returned by the servers
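The -h and -H options above take entries in the "[user@]host[:port]" form. As an added example (not from the original page), this sh script parses such entries into user, host and port, applying the defaults and rejecting malformed entries before they reach pssh; the host file is constructed.

```shell
#!/bin/sh
# Added example, not part of the original page: parse the "[user@]host[:port]"
# entries that pssh -h / -H accept, filling in the defaults (current login name,
# port 22) and rejecting entries with a missing host or an invalid port.

# parse_pssh_host ENTRY -> prints "user host port"; returns 1 if ENTRY is malformed
parse_pssh_host() {
    entry=$1
    user=${USER:-$(id -un)}
    port=22
    case $entry in
        *@*) user=${entry%%@*}; entry=${entry#*@} ;;     # split off user@
    esac
    case $entry in
        *:*) port=${entry##*:}; entry=${entry%:*} ;;     # split off :port
    esac
    case $port in
        ''|*[!0-9]*) return 1 ;;                         # port must be numeric
    esac
    [ -n "$user" ] && [ -n "$entry" ] && [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    printf '%s %s %s\n' "$user" "$entry" "$port"
}

# parse_pssh_hostfile FILE -> one "user host port" line per valid entry;
# blank and comment lines are ignored, malformed entries are reported on stderr
parse_pssh_hostfile() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        parse_pssh_host "$line" || echo "skipping malformed entry: $line" >&2
    done < "$1"
}

# Constructed sample host file in the format a pssh -h list uses
HOSTFILE=$(mktemp)
cat > "$HOSTFILE" <<'EOF'
root@172.20.54.2
yijie@172.20.54.2:2222
# the next entry has an out-of-range port and must be rejected
bad.example:70000
Feb.mars.he
EOF

parse_pssh_hostfile "$HOSTFILE"
```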
Examples:
# disable SELinux on hosts in bulk with pssh
[root@Centos7 /pos.d]#pssh -H root@172.20.54.2 -i 'sed -ri "s/^SELINUX=.*/SELINUX=disabled/" /etc/selinux/config'
[1] 20:36:49 [SUCCESS] root@172.20.54.2
# send a command to several hosts at once
[root@Centos7 /pos.d]#pssh -H "root@172.20.54.2 yijie@172.20.54.2" -i hostname
[1] 20:46:00 [SUCCESS] root@172.20.54.2
Centos7.server0
[2] 20:46:00 [SUCCESS] yijie@172.20.54.2
Centos7.server0
# when ssh key authentication is not available, use -A to authenticate with a password and run the command in bulk
pssh -H yijie@172.20.54.2 -A -i hostname
# save both standard output and standard error to the local /data directory
[root@Centos7 /pos.d]#pssh -H yijie@172.20.54.2 -o /data -e /data -i hostname
[1] 21:02:55 [SUCCESS] yijie@172.20.54.2
Centos7.server0
[root@Centos7 /pos.d]#ls /data
yijie@172.20.54.2
# get each server's uptime:
pssh - -i uptime
[1] 11:15:03 [SUCCESS] Mar.mars.he
 11:15:11 up 4 days, 16:25,  1 user,  load average: 0.00, 0.00, 0.00
[2] 11:15:03 [SUCCESS] Jan.mars.he
 11:15:12 up 3 days, 23:26,  0 users,  load average: 0.00, 0.00, 0.00
[3] 11:15:03 [SUCCESS] Feb.mars.he
 11:15:12 up 4 days, 16:26,  2 users,  load average: 0.08, 0.02, 0.0
# save the result from each server:
pssh - -i -o /tmp/pssh/ uptime
[1] 11:19:47 [SUCCESS] Feb.mars.he
 11:19:55 up 4 days, 16:31,  2 users,  load average: 0.02, 0.03, 0.00
[2] 11:19:47 [SUCCESS] Jan.mars.he
 11:19:56 up 3 days, 23:30,  0 users,  load average: 0.01, 0.00, 0.00
[3] 11:19:47 [SUCCESS] Mar.mars.he
 11:19:56 up 4 days, 16:30,  1 user,  load average: 0.00, 0.00, 0.00
The pscp.pssh command