The ssh service provides two functions: one is a telnet-like remote login service, the other is an ftp-like service for secure file transfer.
ssh is an encrypted protocol used for remote connections to servers.
Default port 22; protocol version 2 is the secure one (version 1 is obsolete and should stay disabled).
The ssh service has two sides: the OpenSSH server (sshd) and the client.
The client side includes the ssh login command, the scp remote copy command, and so on.
ssh authentication types
Password-based
ssh -p52113 [email protected]
Key-based
The public key is placed on the server; the private key stays on your own machine.
Given a port, how do you find the service listening on it?
[root@localhost ~]# lsof -i tcp:22
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 1023 root 3u IPv4 9425 0t0 TCP *:ssh (LISTEN)
sshd 1023 root 4u IPv6 9427 0t0 TCP *:ssh (LISTEN)
sshd 1134 root 3r IPv4 9867 0t0 TCP 172.16.10.20:ssh->172.16.
lsof -i tcp:52113
netstat -an |grep 52113
(netstat -lntp or ss -lntp also show the process that owns each listening port.)
ssh hardening
Change the port (Port), disable root login (PermitRootLogin no), disable empty-password login (PermitEmptyPasswords no), and turn off reverse DNS lookups (UseDNS no); all of these are set in /etc/ssh/sshd_config and take effect after an sshd restart.
Summary of passwordless (key) authentication
1) Passwordless login is one-way: the host holding the private key can log in to the hosts holding the public key, not the other way round.
2) It is per user; avoid crossing users (a key installed in user A's authorized_keys on the server does nothing for user B).
3) There is the slow-ssh-connection problem (usually DNS; the fix is given below).
4) Batch distribution to 1000 hosts still requires entering each host's password once for the initial key copy, and it has to be correct the first time.
Requirement: under the same user, machine A distributes data to B and C, and during distribution B and C do not prompt for a system password; besides batch distribution, the same setup lets you batch-query CPU and other configuration information at will.
SSH batch distribution experiment
Central distribution server: 172.16.10.10
Receiving node 1 (client): 172.16.10.20
Receiving node 2 (client): 172.16.10.30
Preparation
1. Add a system account; not using root is safer (note that a password passed on the command line like this ends up in the shell history):
[root@localhost ~]# useradd luliechu && echo "luliechu@123" |passwd --stdin luliechu
Changing password for user luliechu.
passwd: all authentication tokens updated successfully.
2. Create the key pair. It can be generated on any machine, but the private key must end up only on the distribution server, so generate it there:
[root@localhost ~]# su - luliechu
[luliechu@localhost ~]$ whoami
luliechu
[luliechu@localhost ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/luliechu/.ssh/id_rsa):
Created directory '/home/luliechu/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/luliechu/.ssh/id_rsa.
Your public key has been saved in /home/luliechu/.ssh/id_rsa.pub.
The key fingerprint is:
eb:ff:1d:27:8a:f9:d1:80:aa:84:39:b4:96:14:e0:8f [email protected]
The key's randomart image is:
+--[ RSA 2048]----+
| . |
| . . |
| . . |
| o . . |
| E + S . . |
| o = o o |
| B . o . + .|
| . o o o + + |
| . ..+o+ . |
+-----------------+
[luliechu@localhost ~]$ ll ~/ -la
total 24
drwx------ 3 luliechu luliechu 4096 Mar 28 22:33 .
drwxr-xr-x. 3 root root 4096 Mar 28 22:24 ..
-rw-r--r-- 1 luliechu luliechu 18 Jul 18 2013 .bash_logout
-rw-r--r-- 1 luliechu luliechu 176 Jul 18 2013 .bash_profile
-rw-r--r-- 1 luliechu luliechu 124 Jul 18 2013 .bashrc
drwx------ 2 luliechu luliechu 4096 Mar 28 22:34 .ssh
[luliechu@localhost ~]$ ls -l .ssh/
total 8
-rw------- 1 luliechu luliechu 1675 Mar 28 22:34 id_rsa          this is the private key
-rw-r--r-- 1 luliechu luliechu 412 Mar 28 22:34 id_rsa.pub      this is the public key (the lock)
Pay attention to the permissions here: with the wrong permissions it will not work. The ssh client refuses a private key that is readable by others, and with StrictModes (the default) sshd ignores authorized_keys when that file, ~/.ssh or the home directory is writable by group or others. Keep ~/.ssh at 700, id_rsa at 600 and authorized_keys at 600.
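As an added example (not part of the original page), the following shell functions audit and repair the permission bits named above. They assume GNU stat (for stat -c '%a') and use names of their own (perm_of, check_mode, audit_ssh_dir, fix_ssh_dir).

```shell
#!/bin/sh
# Added example, not from the original page: audit/repair ~/.ssh permission bits.
# Assumes GNU stat (stat -c '%a'). Function names are this example's own.

# perm_of PATH -> octal mode, e.g. 700
perm_of() {
  stat -c '%a' "$1"
}

# check_mode PATH WANT... -> 0 if PATH's mode is one of WANT, else 1 with a reason
check_mode() {
  f=$1; shift
  [ -e "$f" ] || { echo "missing: $f"; return 1; }
  have=$(perm_of "$f")
  for want in "$@"; do
    [ "$have" = "$want" ] && return 0
  done
  echo "bad mode $have on $f (want: $*)"
  return 1
}

# audit_ssh_dir DIR -> returns the number of problems found (0 = usable).
# Expected modes (sshd's StrictModes rejects anything looser on authorized_keys;
# the client refuses a private key readable by others):
#   DIR 700, id_rsa 600, id_rsa.pub 644, authorized_keys 600 (644 is tolerated)
audit_ssh_dir() {
  d=$1; bad=0
  check_mode "$d" 700 || bad=$((bad+1))
  [ -e "$d/id_rsa" ] && { check_mode "$d/id_rsa" 600 || bad=$((bad+1)); }
  [ -e "$d/id_rsa.pub" ] && { check_mode "$d/id_rsa.pub" 644 || bad=$((bad+1)); }
  [ -e "$d/authorized_keys" ] && { check_mode "$d/authorized_keys" 600 644 || bad=$((bad+1)); }
  return $bad
}

# fix_ssh_dir DIR -> apply the expected modes to whatever exists in DIR
fix_ssh_dir() {
  d=$1
  chmod 700 "$d"
  for f in id_rsa:600 id_rsa.pub:644 authorized_keys:600; do
    name=${f%:*}; mode=${f#*:}
    [ -e "$d/$name" ] && chmod "$mode" "$d/$name"
  done
  return 0
}

# Usage on a real host:  audit_ssh_dir ~/.ssh || fix_ssh_dir ~/.ssh
```

Run the audit on both the distribution server (id_rsa) and each receiving node (authorized_keys); the return value is the number of problems, so it can gate a batch job.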
Acting as the distribution server, hand the public key to B and C and keep the private key to yourself.
If you get the error "Host key verification failed.", the workaround used here is:
[root@localhost ~]# sed -i '35s#ask#no#g' /etc/ssh/ssh_config //edit the config file to lower the security level
[root@localhost ~]# service sshd restart
Stopping sshd: [OK]
Starting sshd: [OK]
Caveat: this edit is meant to turn StrictHostKeyChecking from ask to no, which makes the client accept any host key without asking, including one presented by a machine sitting between you and the target; it also depends on the directive being on line 35 and not commented out, so check the file rather than trusting the line number. In the session below the error was simply caused by answering "no" at the fingerprint prompt; answering "yes" after comparing the fingerprint with one obtained out of band (for example on the target's console with ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub) is the right fix. Restarting sshd is also unnecessary: /etc/ssh/ssh_config is the client configuration and is read each time ssh runs.
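As an added example rather than the page's own procedure, here is the safer alternative to switching StrictHostKeyChecking off: fetch the host key out of band, check its fingerprint against the one the target's administrator gave you, and only then add it to known_hosts. The live step needs ssh-keyscan from OpenSSH; the helper functions use only coreutils (awk, base64, md5sum, sed), and their names (md5_fingerprint, known_hosts_has, trust_host) are this example's own.

```shell
#!/bin/sh
# Added example, not the original page's procedure: verify a host key before
# trusting it instead of setting StrictHostKeyChecking no.
# Helpers need only coreutils; the live step (commented at the end) needs
# ssh-keyscan/ssh from OpenSSH. Names are this example's own.

# md5_fingerprint "TYPE BASE64" -> OpenSSH's MD5 fingerprint (aa:bb:...),
# i.e. MD5 over the decoded key blob, the format shown in the prompt above
md5_fingerprint() {
  printf '%s\n' "$1" | awk '{ print $2 }' | base64 -d | md5sum \
    | awk '{ print $1 }' | sed 's/../&:/g; s/:$//'
}

# known_hosts_has HOST FILE -> 0 if FILE has a plain (unhashed) entry for HOST;
# the first field may be a comma list such as "node1,172.16.10.20"
known_hosts_has() {
  [ -f "$2" ] || return 1
  awk -v h="$1" '
    $1 !~ /^[#@]/ { n = split($1, a, ","); for (i = 1; i <= n; i++) if (a[i] == h) found = 1 }
    END { exit !found }' "$2"
}

# trust_host HOST "TYPE BASE64" EXPECTED_FP FILE -> append the key to FILE only
# if its fingerprint equals EXPECTED_FP; returns 1 (appending nothing) on mismatch
trust_host() {
  host=$1; keyline=$2; expected=$3; file=$4
  actual=$(md5_fingerprint "$keyline")
  if [ "$actual" != "$expected" ]; then
    echo "REFUSED $host: got $actual, expected $expected" >&2
    return 1
  fi
  known_hosts_has "$host" "$file" && return 0   # already trusted; stay idempotent
  printf '%s %s\n' "$host" "$keyline" >> "$file"
}

# Live use on the distribution server (network + OpenSSH required), with the
# fingerprint the target's admin reported, here the one from the prompt above:
#   key=$(ssh-keyscan -t rsa 172.16.10.20 2>/dev/null | cut -d' ' -f2-)
#   trust_host 172.16.10.20 "$key" 41:69:b2:97:ec:0f:99:4a:13:48:a3:39:3d:c7:80:79 ~/.ssh/known_hosts
#   ssh -o StrictHostKeyChecking=yes -o BatchMode=yes 172.16.10.20 true
```

With known_hosts populated this way, ssh-copy-id and the later batch runs never see the prompt, and a changed key on a node still fails loudly instead of being accepted.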
On the server 172.16.10.10, distribute the public key to the clients
[luliechu@localhost ~]$ ssh-copy-id -i .ssh/id_rsa.pub 172.16.10.20
The authenticity of host '172.16.10.20 (172.16.10.20)' can't be established.
RSA key fingerprint is 41:69:b2:97:ec:0f:99:4a:13:48:a3:39:3d:c7:80:79.
Are you sure you want to continue connecting (yes/no)? no
Host key verification failed.
[luliechu@localhost ~]$ ssh-copy-id -i .ssh/id_rsa.pub 172.16.10.20
The authenticity of host '172.16.10.20 (172.16.10.20)' can't be established.
RSA key fingerprint is 41:69:b2:97:ec:0f:99:4a:13:48:a3:39:3d:c7:80:79.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.10.20' (RSA) to the list of known hosts.
[email protected]'s password:
Now try logging into the machine, with "ssh '172.16.10.20'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
(When this message appears the copy succeeded.)
[luliechu@localhost ~]$ ssh-copy-id -i .ssh/id_rsa.pub 172.16.10.30
The authenticity of host '172.16.10.30 (172.16.10.30)' can't be established.
RSA key fingerprint is 82:6d:9f:ba:a6:f1:98:07:dd:6b:5a:1c:d5:a1:dd:38.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.10.30' (RSA) to the list of known hosts.
[email protected]'s password:
Now try logging into the machine, with "ssh '172.16.10.30'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
(When this message appears the copy succeeded.)
Check on the client: the file name has changed (ssh-copy-id appended the public key to authorized_keys)
[luliechu@localhost ~]$ ls -l .ssh/
total 4
-rw------- 1 luliechu luliechu 412 Mar 30 05:33 authorized_keys
Test from the server:
[luliechu@localhost ~]$ ssh -p22 [email protected]
[luliechu@localhost ~]$ ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:BC:70:1A
inet addr:172.16.10.30 Bcast:172.16.10.255 Mask:255.255.255.0
Clearly we get in without entering a password, and we can copy files back and forth without any further authentication.
------------At this point the highway is built-------------; next we can distribute things in batch.
Operate on the server
[luliechu@localhost ~]$ echo 123.text >a.txt
[luliechu@localhost ~]$ scp -P22 a.txt [email protected]:~
a.txt 100% 9 0.0KB/s 00:00
[luliechu@localhost ~]$ scp -P22 a.txt [email protected]:~
a.txt 100% 9 0.0KB/s 00:00
Seen on the client
[luliechu@localhost ~]$ ls
a.txt
It arrived without any password at all, which proves the experiment works.
Put the files to copy into a script and run it automatically, and you have batch distribution.
If it is slow, the cause is DNS; the fix is as follows:
On the ssh server, set the following in /etc/ssh/sshd_config
UseDNS no
GSSAPIAuthentication no
then restart sshd: service sshd restart
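Added example (not from the original page) covering both the hardening list given earlier (non-default port, PermitRootLogin no, PermitEmptyPasswords no, UseDNS no) and the UseDNS/GSSAPIAuthentication settings just above: a small audit of an sshd_config file. It needs only sh and awk; the function names and the defaults assumed for absent directives are this example's own and are noted in the comments.

```shell
#!/bin/sh
# Added example, not from the original page: audit an sshd_config against the
# hardening settings discussed on this page. POSIX sh + awk only; names are
# this example's own. Match blocks are not evaluated (global settings only).

# sshd_get FILE DIRECTIVE -> effective value: first uncommented occurrence wins,
# as in sshd itself; prints nothing if the directive is absent
sshd_get() {
  awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# want_value FILE DIRECTIVE DEFAULT WANT -> 0 if the effective value equals WANT;
# DEFAULT is what sshd applies when the directive is absent
want_value() {
  v=$(sshd_get "$1" "$2")
  [ -n "$v" ] || v=$3
  if [ "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" = "$4" ]; then
    return 0
  fi
  echo "FAIL $2=$v (want $4)"
  return 1
}

# audit_sshd_config FILE -> returns the number of failed checks (0 = hardened).
# Assumed defaults for absent directives follow the OpenSSH versions of the
# page's era (5.x/6.x): PermitRootLogin yes, UseDNS yes. Newer releases default
# PermitRootLogin to prohibit-password and UseDNS to no; set them explicitly anyway.
audit_sshd_config() {
  f=$1; fails=0
  port=$(sshd_get "$f" Port); [ -n "$port" ] || port=22
  if [ "$port" = 22 ]; then
    echo "FAIL Port=22 (want a non-default port)"; fails=$((fails+1))
  fi
  want_value "$f" PermitRootLogin      yes no || fails=$((fails+1))
  want_value "$f" PermitEmptyPasswords no  no || fails=$((fails+1))
  want_value "$f" UseDNS               yes no || fails=$((fails+1))
  want_value "$f" GSSAPIAuthentication no  no || fails=$((fails+1))
  return $fails
}

# Usage:  audit_sshd_config /etc/ssh/sshd_config; echo "failed checks: $?"
```

Run it before and after editing sshd_config; a moved port must of course be opened in the firewall before the restart, or the batch jobs lock themselves out.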
How to write the script:
[luliechu@localhost ~]$ vi fenfa.sh
#!/bin/bash
# copy the file given as $1 to the home directory of each receiving node
for n in 20 30
do
  # scp takes the port as uppercase -P; lowercase -p only preserves timestamps
  scp -P22 "$1" [email protected].$n:~
done
$1 is the first argument you pass on the command line.
Usage example: run the script on the server
[luliechu@localhost ~]$ sh fenfa.sh /etc/hosts
hosts 100% 158 0.2KB/s 00:00
hosts 100% 158 0.2KB/s 00:00
Check the result on the client
[luliechu@localhost ~]$ ls
a.txt hosts
Both copies arrived; the result is exactly as intended.
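As an added example that goes beyond the page's fenfa.sh (it is not the author's script), the following turns the loop into a reusable distribution and batch-query tool with the options a non-interactive job needs: BatchMode so a missing key fails instead of hanging on a password prompt, a connect timeout, strict host-key checking, and a per-host status with a non-zero return if any host failed. The host list, user and port are assumptions taken from the lab above; the SSH/SCP variables let the transport be swapped out.

```shell
#!/bin/sh
# Added example, not the page's fenfa.sh: batch distribution and batch queries
# over the lab hosts with the options a non-interactive job needs.
# Host list, user and port are assumptions taken from the lab above; SSH/SCP
# can be overridden so the transport can be swapped out or faked in a test.

HOSTS=${HOSTS:-"172.16.10.20 172.16.10.30"}
USER_NAME=${USER_NAME:-luliechu}
PORT=${PORT:-22}
SSH=${SSH:-ssh}
SCP=${SCP:-scp}
# BatchMode: fail instead of hanging on a password prompt if a key is missing
# StrictHostKeyChecking=yes: never silently accept an unknown or changed host key
OPTS="-o BatchMode=yes -o StrictHostKeyChecking=yes -o ConnectTimeout=5"

# fenfa FILE [DEST] -> copy FILE to DEST (default: the remote home directory)
# on every host; prints OK/FAIL per host and returns the number of failures
fenfa() {
  file=$1; dest=${2:-"~"}; failed=0
  for h in $HOSTS; do
    # scp's port flag is uppercase -P; lowercase -p only preserves timestamps
    if "$SCP" $OPTS -P "$PORT" "$file" "$USER_NAME@$h:$dest" >/dev/null 2>&1; then
      echo "OK   $h"
    else
      echo "FAIL $h"; failed=$((failed+1))
    fi
  done
  return $failed
}

# run_all CMD... -> run CMD on every host, prefixing each output line with the
# host; returns the number of hosts where CMD did not exit 0
run_all() {
  failed=0
  for h in $HOSTS; do
    if out=$("$SSH" $OPTS -p "$PORT" "$USER_NAME@$h" "$@" 2>&1); then
      printf '%s\n' "$out" | sed "s/^/$h: /"
    else
      echo "FAIL $h"; failed=$((failed+1))
    fi
  done
  return $failed
}

# Command-line use:  sh fenfa2.sh dist /etc/hosts                          (distribute a file)
#                    sh fenfa2.sh run "grep -c processor /proc/cpuinfo"   (batch query)
case "${1:-}" in
  dist) shift; fenfa "$@" ;;
  run)  shift; run_all "$@" ;;
esac
```

Because every host is tried and the return value counts the failures, one unreachable node no longer stops the run, and a cron job can alert on a non-zero exit instead of hanging forever on a password prompt.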