ip | hostname | OS |
---|---|---|
192.168.69.134 | qy-server | centos7 |
192.168.69.131 | qy-clicent | centos7 |
The term OpenSSH refers to the software implementation of the Secure Shell protocol used on the system. It is used to run a shell securely on a remote system. If you have a user account on a remote Linux system that provides the ssh service, ssh is the command normally used to log in to that system remotely. The ssh command can also be used to run commands on the remote system.
Lab preparation on both hosts: stop the firewall and switch SELinux to permissive so neither interferes while key login is being set up. This is only acceptable on a throwaway lab; on a real server keep firewalld and SELinux enforcing (the firewall sections further down depend on firewalld being active). setenforce 0 does not survive a reboot.
[root@qy-server ~]# systemctl stop firewalld.service
[root@qy-server ~]# systemctl disable firewalld.service
[root@qy-clicent ~]# systemctl stop firewalld.service
[root@qy-clicent ~]# systemctl disable firewalld.service
[root@qy-clicent ~]# setenforce 0
[root@qy-server ~]# setenforce 0
[root@qy-server ~]# yum -y install openssh-server
[root@qy-clicent ~]# yum -y install openssh-clients //the client package is named openssh-clients; it provides ssh, scp, ssh-keygen and ssh-copy-id
[root@qy-clicent ~]# ssh-keygen -t rsa //use ssh-keygen to create a public/private key pair. Pressing Enter at the passphrase prompt, as below, leaves the private key unencrypted on disk: anyone who can read /root/.ssh/id_rsa can log in as you. For an interactive user, set a passphrase and let ssh-agent cache it.
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:roUVEiCF9wH2YqxcjAVxadhXSEBpx0xAqSHHkqbd8Fg root@qy-clicent
The key's randomart image is:
+---[RSA 2048]----+
| o+X%&+o. |
|+.BOE.B. |
|o=.%*+o.. |
|..++o... . |
| o S |
| + |
| . o |
| o |
| . |
+----[SHA256]-----+
[root@qy-clicent ~]# ls .ssh/ //list the generated pair: id_rsa is the private key (keep it mode 0600 and never copy it anywhere), id_rsa.pub is the public key that gets installed on servers
id_rsa id_rsa.pub
[root@qy-clicent ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@192.168.69.134 //append the public key to /root/.ssh/authorized_keys on the remote system
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.69.134 (192.168.69.134)' can't be established.
ECDSA key fingerprint is SHA256:+QHBnIuUCWJcNRAaDYncL/7+fjLKQszXzjEhQdvjgL4.
ECDSA key fingerprint is MD5:fa:38:e6:82:20:60:6d:9f:78:cd:76:98:95:95:72:2e.
Are you sure you want to continue connecting (yes/no)? yes //answer yes only after comparing this fingerprint with what the server itself reports (on qy-server: ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub); a first connection that accepts an unchecked host key is exactly where a man-in-the-middle slips in
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.69.134's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@192.168.69.134'"
and check to make sure that only the key(s) you wanted were added.
[root@qy-clicent ~]# ssh root@192.168.69.134 //no password prompt this time: the key is used
Last login: Mon Jan 7 11:20:02 2019 from 192.168.69.1
[root@qy-server ~]# ip a //check the IP address to confirm the remote login succeeded
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:4a:d8:ba brd ff:ff:ff:ff:ff:ff
inet 192.168.69.134/24 brd 192.168.69.255 scope global noprefixroute ens33
[root@qy-clicent ~]# ssh root@192.168.69.134 "touch /root/abc" //run a single command on the remote host instead of opening a shell
[root@qy-server ~]# ls
abc anaconda-ks.cfg
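What ssh-copy-id just did on qy-server, reproduced by hand as an added example (this is not code from the original notes and not part of OpenSSH): append the key line to ~/.ssh/authorized_keys once, and give ~/.ssh and authorized_keys the modes that sshd's StrictModes setting insists on. A group- or world-writable directory or file makes sshd silently ignore the key and fall back to the password prompt, which is the most common reason a freshly copied key "does not work". The function names, the target-directory argument and the key line quoted in the comments are assumptions for the example.

```shell
#!/bin/sh
# Added example: manual equivalent of ssh-copy-id's server-side work.
# install_pubkey <pubkey file> <target home directory>
#   e.g. install_pubkey ~/.ssh/id_rsa.pub /root   (or a scratch directory)

install_pubkey() {
    pubfile=$1; home=$2
    key=$(head -n 1 "$pubfile")
    # refuse anything that is not a single OpenSSH public-key line
    case $key in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-nistp256 "*|"ecdsa-sha2-nistp384 "*|"ecdsa-sha2-nistp521 "*) ;;
        *) echo "not an OpenSSH public key: $pubfile" >&2; return 2 ;;
    esac
    # the key type plus base64 blob identifies the key; the trailing
    # comment (e.g. root@qy-clicent) does not, so dedup on the first two fields
    blob=$(printf '%s\n' "$key" | awk '{print $1" "$2}')
    # modes required by StrictModes: ~/.ssh 700, authorized_keys 600
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    ak=$home/.ssh/authorized_keys
    touch "$ak" && chmod 600 "$ak"
    if grep -qF -- "$blob" "$ak"; then
        echo "already installed"
        return 0
    fi
    printf '%s\n' "$key" >> "$ak"
    echo "installed"
}

count_keys() {
    # number of key lines in $1/.ssh/authorized_keys (comments and blank lines excluded)
    ak=$1/.ssh/authorized_keys
    [ -f "$ak" ] || { echo 0; return; }
    grep -cE '^(ssh-|ecdsa-)' "$ak" || true
}
```

Running it twice with the same key leaves one line in authorized_keys, which is the "filter out any that are already installed" step ssh-copy-id prints above. After installing a key for root this way, the server's own check is the login itself: ssh with -v shows "Authentications that can continue" and whether the offered key was accepted.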
Problems that commonly come up when logging in remotely as an ordinary user, and the errors they produce:
1. no route to host: the firewall (or plain routing). The fix used here was to flush the VM's firewall rules; on anything but a lab box, open port 22 explicitly instead of discarding every rule:
[root@localhost ~]# sudo iptables -F
2. Connection refused: the firewall, or sshd is not running. The packet reached the host but nothing answered on port 22, so check the service and restart it (systemctl status sshd, systemctl restart sshd; ss -tlnp shows whether anything listens on :22).
scp, full remote copy. Options:
-r //copy directories recursively
-p //preserve modification times, access times and modes
-P //port of the remote sshd (capital P; lower-case -p means "preserve")
-q //quiet mode, no progress meter
-l //bandwidth limit in Kbit/s (used below; scp has no -a option, -r is what copies a whole tree)
Push a file
[root@qy-clicent ~]# scp -P22 -pr /root/abc.sh root@192.168.69.134:/tmp //via port 22, preserving attributes, recursively
abc.sh
[root@qy-server ~]# ls /tmp/
abc.sh systemd-private-694619a2b4ab4ae4b4c3b211c5865ac5-chronyd.service-k3Xwlk
Pull a file
[root@qy-server ~]# ls
anaconda-ks.cfg
[root@qy-clicent ~]# scp -l 20 -P22 -pr root@192.168.69.134:/root/anaconda-ks.cfg /root/ //-l 20 caps the transfer at 20 Kbit/s
anaconda-ks.cfg
Commonly used settings in /etc/ssh/sshd_config:
PermitRootLogin {yes|no} //whether root may log in remotely at all
PermitRootLogin without-password //root may log in only with a key; OpenSSH 7.0 and later spell this prohibit-password and keep without-password as an alias
PasswordAuthentication {yes|no} //whether password authentication is enabled; default yes
Example of changing the sshd configuration
[root@qy-server ~]# vi /etc/ssh/sshd_config
Add the following lines:
PasswordAuthentication yes //password authentication stays enabled (this is already the default)
#PermitEmptyPasswords no //commented out, so the default of no applies: accounts with an empty password are refused
PasswordAuthentication yes //a duplicate of the first line; sshd uses the first value it finds for a keyword, so this one is ignored
This example only leaves password logins on. Once the key installed above works, the change a practitioner actually wants is PasswordAuthentication no together with PermitRootLogin prohibit-password (or no, with root reached through sudo); check the file with sshd -t, restart sshd, and keep the current session open until a fresh key login succeeds.
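Because sshd takes the first value it finds for a keyword (the duplicate PasswordAuthentication line above is silently ignored, and anything after a Match block applies only to matching connections), reading the file by eye is error-prone. The script below is an added example, not code from the original notes and not an OpenSSH tool: it reports the value sshd will actually use for a keyword and audits the three settings this page discusses. The defaults it assumes when a keyword is absent (PasswordAuthentication yes, PermitRootLogin prohibit-password, PermitEmptyPasswords no) are upstream OpenSSH 7.x defaults and an assumption of the audit; the function names and the sample files in the comments are mine.

```shell
#!/bin/sh
# Added example: effective-value lookup and a small audit for sshd_config.
# sshd_config(5): the FIRST value obtained for a keyword is used; keywords are
# case-insensitive; "Keyword value" and "Keyword=value" are both accepted.
# sshd_effective <config file> <keyword> <default if absent>

sshd_effective() {
    awk -F '[[:space:]=]+' -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        { sub(/^[[:space:]]+/, ""); sub(/[[:space:]]+$/, "") }   # trim; this also re-splits fields
        $0 == "" || $1 ~ /^#/        { next }                    # blank lines and comments
        tolower($1) == "match"       { exit }                    # conditional block: stop here
        tolower($1) == key && !found { found = 1; val = $2 }     # first occurrence wins
        END { print (found ? val : def) }
    ' "$1"
}

sshd_audit() {
    # Flag the settings this page touches when they are weaker than a key-only
    # setup needs. Prints one FAIL line per finding; returns 0 only if all pass.
    cfg=$1; rc=0
    pa=$(sshd_effective "$cfg" PasswordAuthentication yes)
    prl=$(sshd_effective "$cfg" PermitRootLogin prohibit-password)
    pep=$(sshd_effective "$cfg" PermitEmptyPasswords no)
    [ "$pa" = no ] || { echo "FAIL PasswordAuthentication=$pa (set no once every admin has a key)"; rc=1; }
    case $prl in
        no|prohibit-password|without-password) ;;
        *) echo "FAIL PermitRootLogin=$prl (use prohibit-password or no)"; rc=1 ;;
    esac
    [ "$pep" = no ] || { echo "FAIL PermitEmptyPasswords=$pep"; rc=1; }
    [ $rc -eq 0 ] && echo "OK $cfg"
    return $rc
}
```

Run sshd_audit /etc/ssh/sshd_config before sshd -t and the restart. The scan deliberately stops at the first Match line; for settings inside a Match block, sshd -T prints the effective configuration and sshd -T -C user=...,addr=... does so for one specific connection.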
[root@qy-server ~]# tr -dc A-Za-z0-9_ < /dev/urandom | head -c 30 | xargs //generate a 30-character random password (xargs only adds the trailing newline)
zR9b0CkqmmQXchzEkeFTJUGyAPWVvh
[root@qy-server ~]# openssl rand 20 -base64 //20 random bytes, base64-encoded, which comes out as 28 characters rather than 20; the portable argument order is openssl rand -base64 20
OHjHKnDRJMlMI+I/Jke75n8a+A0=
Step 1: create the management account on the management server
useradd qinyong //create the user
echo 123456 | passwd --stdin qinyong //set its password; a throwaway lab password, and note that it ends up in the shell history
su - qinyong
Step 2: generate the key pair non-interactively, two ways
Method 1: ssh-keygen -t dsa -P '' -f ~/.ssh/id_dsa >/dev/null 2>&1 //-P '' is an empty passphrase and -f names the output file, so nothing prompts
Method 2: echo -e "\n" | ssh-keygen -t dsa -N "" //-N "" is the empty passphrase; the piped newline accepts the default file name
Note: ssh-dss (DSA) keys are disabled by default in OpenSSH 7.0 and later, which includes the OpenSSH 7.4 shipped with CentOS 7, so a server refuses them unless ssh-dss is explicitly re-enabled. Generate -t ed25519 (or -t rsa -b 4096) instead and substitute the file names below.
Step 3: send the public key
ssh-copy-id -i ~/.ssh/id_dsa.pub username@ip //install the public key on the managed server
ssh-copy-id -i ~/.ssh/id_dsa.pub -p 1111 username@ip //when sshd on the target listens on port 1111 instead of 22
The key can also be distributed to every host with a script:
cat /server/scripts/fenfa_sshkey.sh
#!/bin/bash
# Push the public key to each host in the list. fenfa_sshkey.exp is an expect
# script that answers the password prompt; it is not shown on this page.
. /etc/init.d/functions   # provides action(), which prints [ OK ] or [FAILED]
for i in 120 129
do
    expect /server/scripts/fenfa_sshkey.exp ~/.ssh/id_dsa.pub 192.168.43.$i >/dev/null 2>&1
    if [ $? -eq 0 ]
    then
        action "192.168.43.$i" /bin/true
    else
        action "192.168.43.$i" /bin/false
    fi
done
Step 4: verify
Update the hosts file on every server first; its contents are shown below.
ssh [email protected] ifconfig ens33 //look at the NIC on the remote host
cat /etc/hosts //check name resolution
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.43.24 lb01
Method 1: allow only one subnet to reach the server, deny everyone else
Turn off ebtables and iptables and start firewalld. Note that the access control in this method is actually done by TCP wrappers (hosts.allow and hosts.deny); firewalld's default public zone still allows ssh, so on its own it restricts nothing here.
[root@qy-server ~]# systemctl disable ebtables
[root@qy-server ~]# systemctl mask ebtables.service iptables.service
[root@qy-server ~]# systemctl start firewalld.service
[root@qy-server ~]# systemctl status firewalld.service
[root@qy-server ~]# systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: active (running) since Tue 2019-01-08 05:03:15 CST; 5s ago
Docs: man:firewalld(1)
Main PID: 5143 (firewalld)
Tasks: 2
CGroup: /system.slice/firewalld.service
└─5143 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
[root@qy-server ~]# vi /etc/hosts.allow //edit this on the server that runs sshd, not on the client
sshd: 192.168.69.0/255.255.255.0 //allow every host on the LAN to reach the sshd process
[root@qy-server ~]# vi /etc/hosts.deny
sshd: ALL //deny everyone else; hosts.allow is checked first, so the LAN entry above wins
This works on CentOS 7 because its OpenSSH package is built against tcp_wrappers through a distribution patch. Upstream OpenSSH dropped libwrap support in 6.7, so on newer distributions hosts.allow and hosts.deny have no effect on sshd; use a firewall rule or a Match Address block in sshd_config there instead.
[root@qy-clicent ~]# ssh root@192.168.69.134 //verify from the client: the login succeeds
root@192.168.69.134's password:
Last login: Mon Jan 7 21:58:53 2019 from 192.168.69.131
Method 2: permanently add a rule that allows ssh from all hosts
firewall-cmd --add-service=ssh --permanent
firewall-cmd --reload
Method 3: permanently add a rule that allows ssh only from one specified host
firewall-cmd --add-rich-rule 'rule family=ipv4 source address=192.168.69.131/32 service name=ssh accept' --permanent
firewall-cmd --reload
The source must be a single address (/32, or no prefix at all); 192.168.69.131/24 would admit the whole subnet. A rich rule also only adds an accept: as long as the ssh service is still enabled in the zone (it is by default), every other host is still let in, so remove it (firewall-cmd --permanent --remove-service=ssh) before the reload and confirm the result with firewall-cmd --list-all.
[root@qy-server ~]# firewall-cmd --get-services //list the services firewalld knows how to control
Method 4: allow one specified IP and refuse every other login
Example:
host | ip | OS |
---|---|---|
server | 192.168.69.131 | centos7 |
client 1 | 192.168.69.134 | centos7 |
client 2 | 192.168.69.133 | redhat7 |
Step 1, on the server
[root@localhost ~]# vi /etc/hosts.allow
sshd: 192.168.69.134/32 //append as the last line
[root@localhost ~]# vi /etc/hosts.deny
ALL: all //append as the last line; this denies every tcp_wrappers-aware service, not just sshd, to everyone not listed in hosts.allow
Step 2, verify
Client 1 logs in successfully
[root@localhost ~]# ssh root@192.168.69.131 //login succeeds
The authenticity of host '192.168.69.131 (192.168.69.131)' can't be established.
ECDSA key fingerprint is SHA256:PkvJs3SbQ+TiawuXQxrBkZ7EgZzjGxNQj61GeKcus+k.
Client 2 fails to log in
[root@localhost ~]# ssh root@192.168.69.131
ssh_exchange_identification: read: Connection reset by peer //sshd accepted the TCP connection, consulted hosts.deny and closed it before the SSH banner exchange
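The two TCP-wrappers setups above (Method 1 with a subnet, Method 4 with a single address plus ALL: all) can be reasoned about with one evaluator. The script below is an added example, not code from the original notes and not libwrap itself: it applies the search order of hosts_access(5), hosts.allow first, then hosts.deny, otherwise allow, with the first matching entry deciding. It handles the client forms used on this page (ALL, an exact IPv4 address, a dotted prefix such as 192.168.69., net/netmask and net/prefixlen) and ignores the optional shell-command field; hostnames, EXCEPT, KNOWN/UNKNOWN/PARANOID and IPv6 are left out. The function names and the sample files described in the comments are assumptions.

```shell
#!/bin/sh
# Added example: evaluate hosts.allow / hosts.deny for a daemon and an IPv4 client.
# wrap_allows <daemon> <client ip> [hosts.allow path] [hosts.deny path]

ip2int() {
    # dotted quad -> 32-bit integer
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

prefix2mask() {
    # prefix length -> netmask as an integer (24 -> 4294967040, 32 -> 4294967295)
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

client_matches() {
    # $1 = client pattern from the rule, $2 = client IPv4 address
    case $1 in
        [Aa][Ll][Ll]) return 0 ;;
        */*)                                      # net/netmask or net/prefixlen
            net=${1%/*}; m=${1#*/}
            case $m in *.*) m=$(ip2int "$m") ;; *) m=$(prefix2mask "$m") ;; esac
            [ $(( $(ip2int "$2") & m )) -eq $(( $(ip2int "$net") & m )) ] ;;
        *.)  case $2 in "$1"*) return 0 ;; *) return 1 ;; esac ;;   # dotted prefix
        *)   [ "$2" = "$1" ] ;;                                      # exact address
    esac
}

daemon_matches() {
    # $1 = daemon pattern, $2 = daemon name (e.g. sshd)
    case $1 in [Aa][Ll][Ll]) return 0 ;; *) [ "$1" = "$2" ] ;; esac
}

rule_matches() {
    # $1 = one hosts.allow/hosts.deny line, $2 = daemon, $3 = client address
    rule=${1%%#*}                                 # drop comments
    case $rule in *:*) ;; *) return 1 ;; esac     # not a rule line
    daemons=${rule%%:*}
    clients=${rule#*:}; clients=${clients%%:*}    # optional 3rd field (shell command) ignored
    hit=1
    for d in $(printf '%s\n' "$daemons" | tr ',' ' '); do
        if daemon_matches "$d" "$2"; then hit=0; break; fi
    done
    [ $hit -eq 0 ] || return 1
    for c in $(printf '%s\n' "$clients" | tr ',' ' '); do
        if client_matches "$c" "$3"; then return 0; fi
    done
    return 1
}

file_matches() {
    # $1 = file, $2 = daemon, $3 = client address; true if any rule in the file matches
    [ -r "$1" ] || return 1
    l=
    while IFS= read -r l || [ -n "$l" ]; do
        if rule_matches "$l" "$2" "$3"; then return 0; fi
    done < "$1"
    return 1
}

wrap_allows() {
    # Prints the decision and returns 0 (allow) or 1 (deny), in libwrap's order.
    allow=${3:-/etc/hosts.allow}; deny=${4:-/etc/hosts.deny}
    if file_matches "$allow" "$1" "$2"; then echo "ALLOW $1 from $2 (matched $allow)"; return 0; fi
    if file_matches "$deny"  "$1" "$2"; then echo "DENY  $1 from $2 (matched $deny)";  return 1; fi
    echo "ALLOW $1 from $2 (no rule matched)"; return 0
}
```

On the Method 4 server, wrap_allows sshd 192.168.69.133 reads the real /etc/hosts.allow and /etc/hosts.deny and explains the connection reset client 2 sees, and wrap_allows vsftpd 192.168.69.133 shows that ALL: all shuts out every wrapped service, not only sshd.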