ssh服务提供两个服务功能:一个是提供类似telnet远程服务,另一个就是类似ftp服务提供安全的传输

 

ssh安全的加密协议,用于远程连接服务器

默认端口22,,安全版本为2

ssh服务提供两个服务功能

ssh客户端包含ssh连接命令,以及远程拷贝scp命令等

 

ssh服务由openssh和客户端组成

 

ssh服务认证类型

基于口令

ssh -p52113 [email protected]

 

基于秘钥

公钥放在服务器上,私钥放在自己电脑上

 

给你一个端口如何查出对应的服务

[root@localhost ~]# lsof -i tcp:22

COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME

sshd    1023 root    3u  IPv4   9425      0t0  TCP *:ssh (LISTEN)

sshd    1023 root    4u  IPv6   9427      0t0  TCP *:ssh (LISTEN)

sshd    1134 root    3r  IPv4   9867      0t0  TCP 172.16.10.20:ssh->172.16.

 

losf -i tcp:52113

netstat -an |grep 52113

 

 

 

ssh安全优化

端口更改,禁止root登录,禁止空密码登录,不使用dns

 

免密码验证小结

1)免密码登录验证是单向的

2)基于用户的,最好不好跨不同用户

3ssh链接慢的问题

4)批量分发1000台初始都需要输入一次密码,并且第一次要正确

 

 

需求:在同一用户下,实现a机器分发数据数据到B C,在分发过程中不需要

B C提示系统密码验证,除了批量分发,还可以批量随意查询cpu,各种配置等信息

SSH批量分发实验

中心分发server172.16.10.10

接收节点1client172.16.10.20

接收节点2client172.16.10.30

 


 

实现前期准备

1添加系统账号,不用root这样更安全

[root@localhost ~]# useradd luliechu && echo "luliechu@123" |passwd --stdin luliechu

更改用户 luliechu 的密码 。

passwd: 所有的身份验证令牌已经成功更新。

 

2在任意一台机器上创建秘钥对都可以

[root@localhost ~]# su - luliechu

[luliechu@localhost ~]$ whoami

luliechu

[luliechu@localhost ~]$ ssh-keygen

Generating public/private rsa key pair.

Enter file in which to save the key (/home/luliechu/.ssh/id_rsa):

Created directory '/home/luliechu/.ssh'.

Enter passphrase (empty for no passphrase):

Enter same passphrase again:

Your identification has been saved in /home/luliechu/.ssh/id_rsa.

Your public key has been saved in /home/luliechu/.ssh/id_rsa.pub.

The key fingerprint is:

eb:ff:1d:27:8a:f9:d1:80:aa:84:39:b4:96:14:e0:8f [email protected]

The key's randomart p_w_picpath is:

+--[ RSA 2048]----+

|  .              |

| . .             |

|  . .            |

|   o .     .     |

|  E +   S . .    |

|   o =   o   o   |

|    B . o   . + .|

|   . o o   o + + |

|      . ..+o+ .  |

+-----------------+

 

 

 

[luliechu@localhost ~]$ ll ~/ -la

总用量 24

drwx------  3 luliechu luliechu 4096 3月  28 22:33 .

drwxr-xr-x. 3 root     root     4096 3月  28 22:24 ..

-rw-r--r--  1 luliechu luliechu   18 7月  18 2013 .bash_logout

-rw-r--r--  1 luliechu luliechu  176 7月  18 2013 .bash_profile

-rw-r--r--  1 luliechu luliechu  124 7月  18 2013 .bashrc

drwx------  2 luliechu luliechu 4096 3月  28 22:34 .ssh

[luliechu@localhost ~]$ ls -l .ssh/

总用量 8

-rw------- 1 luliechu luliechu 1675 3月  28 22:34 id_rsa   这个是私钥匙

-rw-r--r-- 1 luliechu luliechu  412 3月  28 22:34 id_rsa.pub  这个是公钥,锁

这里注意权限问题,权限错了无法操作

 

 

做分发服务器,把公钥给b c  私钥留给自己

 

如果报错Host key verification failed.“的解决方案

[root@localhost ~]# sed -i '35s#ask#no#g' /etc/ssh/ssh_config   //更改配置文件改变安全级别

[root@localhost ~]# service sshd restart

停止 sshd:                                               [确定]

正在启动 sshd:                                           [确定]

 

 

在服务端172.16.10.10上   把秘钥分发给客户端

[luliechu@localhost ~]$ ssh-copy-id -i .ssh/id_rsa.pub 172.16.10.20

The authenticity of host '172.16.10.20 (172.16.10.20)' can't be established.

RSA key fingerprint is 41:69:b2:97:ec:0f:99:4a:13:48:a3:39:3d:c7:80:79.

Are you sure you want to continue connecting (yes/no)? no

Host key verification failed.

[luliechu@localhost ~]$ ssh-copy-id -i .ssh/id_rsa.pub 172.16.10.20

The authenticity of host '172.16.10.20 (172.16.10.20)' can't be established.

RSA key fingerprint is 41:69:b2:97:ec:0f:99:4a:13:48:a3:39:3d:c7:80:79.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '172.16.10.20' (RSA) to the list of known hosts.

[email protected]'s password:

Now try logging into the machine, with "ssh '172.16.10.20'", and check in:

 

  .ssh/authorized_keys 出现这个表示成功

 

to make sure we haven't added extra keys that you weren't expecting.

 

[luliechu@localhost ~]$ ssh-copy-id -i .ssh/id_rsa.pub 172.16.10.30

The authenticity of host '172.16.10.30 (172.16.10.30)' can't be established.

RSA key fingerprint is 82:6d:9f:ba:a6:f1:98:07:dd:6b:5a:1c:d5:a1:dd:38.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '172.16.10.30' (RSA) to the list of known hosts.

[email protected]'s password:

Now try logging into the machine, with "ssh '172.16.10.30'", and check in:

 

  .ssh/authorized_keys   出现这个表示成功

 

to make sure we haven't added extra keys that you weren't expecting.

 

 

在客户端检查,发现名字就变了

[luliechu@localhost ~]$ ls -l .ssh/

总用量 4

-rw------- 1 luliechu luliechu 412 3月  30 05:33 authorized_keys

 

在服务器上测试:

[luliechu@localhost ~]$ ssh -p22 [email protected]

[luliechu@localhost ~]$ ifconfig

eth0      Link encap:Ethernet  HWaddr 00:0C:29:BC:70:1A  

          inet addr:172.16.10.30  Bcast:172.16.10.255  Mask:255.255.255.0

很明显我们不需要再输入密码直接就进来了,也可以直接复制拷贝东西不再需要任何认证

 

 

------------到此这一步等于是把高速路修通了-------------,接着就可以批量分发东西了

 

在服务器上操作

[luliechu@localhost ~]$ echo 123.text >a.txt

[luliechu@localhost ~]$ scp -P22 a.txt [email protected]:~

a.txt                    100%    9     0.0KB/s   00:00    

[luliechu@localhost ~]$ scp -P22 a.txt [email protected]:~

a.txt                    100%    9     0.0KB/s   00:00    

 

在客户端上看到

[luliechu@localhost ~]$ ls

a.txt

很明显就直接就不要任何密码就过来了,证明实验成果

把需要拷贝的数据写在一个脚本里,自动执行,就实现了批量分发的功能

如果速度过慢,是因为dns的问题,解决方案如下:

ssh服务端上更改/etc/ssh/sshd_config文件中的配置为如下内容

UseDNS no

GSSAPIAuthentication no

重启sshd服务  service sshd restart

 

 

脚本写法;

[luliechu@localhost ~]$ vi fenfa.sh

for n in 20 30

do

    scp -p22 $1 [email protected].$n:~

done

 

$1你输入的第一条命令行的参数  

 

用法实例:在服务器上执行脚本

[luliechu@localhost ~]$ sh fenfa.sh /etc/hosts

hosts                    100%  158     0.2KB/s   00:00    

hosts                    100%  158     0.2KB/s   00:00

 

在客户端查看测试结果

[luliechu@localhost ~]$ ls

a.txt  hosts

 

很明显完美成果