openssh

I. Environment

IP              Hostname     OS
192.168.69.134  qy-server    CentOS 7
192.168.69.131  qy-clicent   CentOS 7

II. About OpenSSH

The term OpenSSH refers to the implementation of the Secure Shell software used on the system. It is used to run a shell securely on a remote system. If you have a user account on a remote Linux system that offers the ssh service, ssh is the command normally used to log in to that system remotely. The ssh command can also be used to run commands on the remote system.

III. Procedure

1. Stop the firewall and SELinux

[root@qy-server ~]# systemctl stop firewalld.service 
[root@qy-server ~]# systemctl disable firewalld.service
[root@qy-clicent ~]# systemctl stop firewalld.service 
[root@qy-clicent ~]# systemctl disable firewalld.service
[root@qy-clicent ~]# setenforce 0
[root@qy-server ~]# setenforce 0

2. Install SSH

[root@qy-server ~]# yum -y install openssh-server
[root@qy-clicent ~]# yum -y install openssh-clients

3. Generate a key pair

[root@qy-clicent ~]# ssh-keygen -t rsa        # create a public/private key pair with ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:roUVEiCF9wH2YqxcjAVxadhXSEBpx0xAqSHHkqbd8Fg root@qy-clicent
The key's randomart image is:
+---[RSA 2048]----+
| o+X%&+o.        |
|+.BOE.B.         |
|o=.%*+o..        |
|..++o... .       |
|  o     S        |
|       +         |
|      . o        |
|       o         |
|      .          |
+----[SHA256]-----+
[root@qy-clicent ~]# ls .ssh/        # list the generated key files
id_rsa  id_rsa.pub

[root@qy-clicent ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@192.168.69.134   # install the public key in the right place on the remote system
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.69.134 (192.168.69.134)' can't be established.
ECDSA key fingerprint is SHA256:+QHBnIuUCWJcNRAaDYncL/7+fjLKQszXzjEhQdvjgL4.
ECDSA key fingerprint is MD5:fa:38:e6:82:20:60:6d:9f:78:cd:76:98:95:95:72:2e.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.69.134's password: 
Number of key(s) added: 1
Now try logging into the machine, with:   "ssh 'root@192.168.69.134'"
and check to make sure that only the key(s) you wanted were added.
[root@qy-clicent ~]# ssh root@192.168.69.134
Last login: Mon Jan  7 11:20:02 2019 from 192.168.69.1

[root@qy-server ~]# ip a               # verify: the prompt and the address show that the remote login succeeded
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33:  mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:4a:d8:ba brd ff:ff:ff:ff:ff:ff
    inet 192.168.69.134/24 brd 192.168.69.255 scope global noprefixroute ens33
[root@qy-clicent ~]# ssh root@192.168.69.134 "touch /root/abc"   # run a command on the remote system
[root@qy-server ~]# ls
abc  anaconda-ks.cfg

Note: common errors when a normal user logs in remotely:
1. "no route to host": the firewall. Flush the firewall rules in the virtual machine:
[root@localhost ~]# sudo iptables -F
2. "Connection refused": the firewall, or the service is not running. Check the service and restart it.

4. Using scp

scp: full remote copy command
-r    # copy recursively
-p    # preserve permissions and timestamps
-P    # port
-q    # quiet mode
-a    # copy everything

Push a file
[root@qy-clicent ~]# scp -P22 -pr /root/abc.sh root@192.168.69.134:/tmp   # port 22, preserve attributes, copy recursively
abc.sh
[root@qy-server ~]# ls /tmp/
abc.sh  systemd-private-694619a2b4ab4ae4b4c3b211c5865ac5-chronyd.service-k3Xwlk
Pull a file
[root@qy-server ~]# ls
anaconda-ks.cfg
[root@qy-clicent ~]# scp -l 20 -P22 -pr root@192.168.69.134:/root/anaconda-ks.cfg /root/   # -l 20 limits bandwidth to 20 Kbit/s
anaconda-ks.cfg

IV. Customizing the SSH service configuration

Commonly used settings:

PermitRootLogin {yes|no}            # whether the root user may log in remotely
PermitRootLogin without-password    # allow root to log in only with a key
PasswordAuthentication {yes|no}     # whether password authentication is enabled (enabled by default)

Example: changing the sshd configuration

[root@qy-server ~]# vi /etc/ssh/sshd_config
Add the following settings:
PasswordAuthentication yes     # enable password authentication (enabled by default)
#PermitEmptyPasswords no       # left commented out: the default already rejects empty passwords
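As an added example (not part of the original post), the following Python audits an sshd_config for the directives discussed in this section. It follows sshd's own rules: the first occurrence of a keyword wins, keywords are case-insensitive, and settings after a Match line are conditional rather than global. The defaults table is an assumption based on sshd_config(5) for OpenSSH 7.x, and both sample configurations are constructed for this example.

```python
# Defaults assumed from sshd_config(5) for OpenSSH 7.x (CentOS 7 ships 7.4); the
# file shipped by CentOS 7 sets PermitRootLogin yes explicitly, which the audit flags.
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes",
            "permitemptypasswords": "no", "pubkeyauthentication": "yes"}

def effective_settings(config_text):
    """Global effective values: first occurrence of a keyword wins, keywords are
    case-insensitive, '#' lines are comments, and a Match block ends global scope."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        if key in DEFAULTS and key not in seen and len(parts) == 2:
            seen[key] = parts[1].strip().lower()
    return {k: seen.get(k, DEFAULTS[k]) for k in DEFAULTS}

def audit(config_text):
    """Return findings for the weak settings; an empty list means none were found."""
    s = effective_settings(config_text)
    findings = []
    if s["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root can log in with a password")
    if s["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication yes: exposed to password guessing")
    if s["permitemptypasswords"] == "yes":
        findings.append("PermitEmptyPasswords yes: blank-password accounts can log in")
    if s["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication off: the ssh-copy-id login flow will fail")
    return findings

# Constructed samples: the settings added in the section above, then a hardened
# version that keeps root usable only with the key installed by ssh-copy-id.
WEAK = "PasswordAuthentication yes\n#PermitEmptyPasswords no\nPermitRootLogin yes\n"
HARDENED = """PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
Match Address 192.168.69.0/24
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or ["no weak settings"])
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative source; this parser is for reviewing files offline.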

V. Generating a password for SSH

[root@qy-server ~]# tr -dc A-Za-z0-9_ < /dev/urandom | head -c 30 | xargs   # generate a 30-character password
zR9b0CkqmmQXchzEkeFTJUGyAPWVvh
[root@qy-server ~]# openssl rand -base64 20   # 20 random bytes, base64-encoded (28 characters)
OHjHKnDRJMlMI+I/Jke75n8a+A0=

VI. Enterprise case: distributing keys in bulk

Step 1: create the private key on the management server
useradd qinyong                        # create the user
echo 123456|passwd --stdin qinyong     # set its password
su - qinyong
Step 2: two ways to generate the key pair non-interactively
Method 1: ssh-keygen -t dsa -P '' -f ~/.ssh/id_dsa >/dev/null 2>&1    # no prompts, as if Enter were pressed at each one
Method 2: echo -e "\n" | ssh-keygen -t dsa -N ""
Step 3: send the key
ssh-copy-id -i id_dsa.pub user@ip                  # send the public key to the managed server
ssh-copy-id -i id_dsa.pub "-p 1111 user@ip"        # when the managed server's sshd port has been changed to 1111
You can also distribute to every server with a script:

cat /server/scripts/fenfa_sshkey.sh
#!/bin/bash

# provides action(), which prints an [ OK ] / [FAILED] status line
. /etc/init.d/functions

for i in 120 129
do
  # fenfa_sshkey.exp is the expect script that answers the password prompt (not shown in this post)
  expect fenfa_sshkey.exp ~/.ssh/id_dsa.pub 192.168.43.$i >/dev/null 2>&1
  if [ $? -eq 0 ]
  then
    action "$i" /bin/true
  else
    action "$i" /bin/false
  fi
done

Step 4: verify
Update the hosts resolution file on every server; its contents are as follows:

ssh user@ip ifconfig ens33      # check the network interface
cat /etc/hosts                  # check name resolution
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.43.24      lb01

Firewall configuration and management

Option 1: allow only one subnet to reach the server; deny everyone else

Stop ebtables and iptables, then start firewalld
[root@qy-server ~]# systemctl disable ebtables
[root@qy-server ~]# systemctl mask ebtables.service iptables
[root@qy-server ~]# systemctl mask iptables.service
[root@qy-server ~]# systemctl start firewalld.service
[root@qy-server ~]# systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: active (running) since 二 2019-01-08 05:03:15 CST; 5s ago
     Docs: man:firewalld(1)
 Main PID: 5143 (firewalld)
    Tasks: 2
   CGroup: /system.slice/firewalld.service
           └─5143 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
[root@qy-server ~]# vi /etc/hosts.allow
sshd:192.168.69.0/255.255.255.0        # allow every machine on the LAN to reach the sshd daemon on this server
[root@qy-server ~]# vi /etc/hosts.deny
sshd:all      # deny everyone else
[root@qy-clicent ~]# ssh root@192.168.69.134   # verify the login from the client
root@192.168.69.134's password: 
Last login: Mon Jan  7 21:58:53 2019 from 192.168.69.131

Option 2: permanently add a rule allowing every host

 firewall-cmd --add-service=ssh --permanent
 firewall-cmd --reload

Option 3: permanently add a rule allowing a specified host

 firewall-cmd --add-rich-rule 'rule family=ipv4 source address=192.168.69.131/24 service name=ssh accept' --permanent
 firewall-cmd --reload
[root@qy-server ~]# firewall-cmd --get-services   # list the services firewalld can control

Option 4: allow a specified IP and refuse all other logins
For example:

Host       IP              OS
Server     192.168.69.131  CentOS 7
Client 1   192.168.69.134  CentOS 7
Client 2   192.168.69.133  RHEL 7

Step 1: on the server

[root@localhost ~]# vi /etc/hosts.allow
sshd: 192.168.69.134/32      # append as the last line
[root@localhost ~]# vi /etc/hosts.deny
ALL: all             # append as the last line

Step 2: verify
Client 1 logs in successfully

[root@localhost ~]# ssh user@192.168.69.131    # login succeeds
The authenticity of host '192.168.69.131 (192.168.69.131)' can't be established.
ECDSA key fingerprint is SHA256:PkvJs3SbQ+TiawuXQxrBkZ7EgZzjGxNQj61GeKcus+k.

Client 2 fails to log in

[root@localhost ~]# ssh user@192.168.69.131
ssh_exchange_identification: read: Connection reset by peer   
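The following Python is an added example (not from the original post) that models the hosts_access(5) decision sshd's libwrap support makes for the two hosts.allow/hosts.deny pairs in this section: a match in hosts.allow grants access, otherwise a match in hosts.deny refuses it, otherwise access is granted. It shows why client 1 is admitted and client 2 has its connection reset before key exchange. Hostname patterns and IPv6 are deliberately not modelled, and the sample addresses are the ones from the tables above.

```python
import ipaddress

def client_matches(pattern, ip):
    """One hosts_access(5) client pattern: ALL, a trailing-dot prefix (192.168.69.),
    net/netmask, net/prefixlen, or an exact IPv4 address. Hostname patterns and
    IPv6 are not modelled (assumption of this example)."""
    p = pattern.strip()
    if p.upper() == "ALL":
        return True
    if p.endswith("."):
        return ip.startswith(p)
    if "/" in p:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(p, strict=False)
    return ip == p

def file_matches(rules, daemon, ip):
    """True if any 'daemon_list : client_list' line in the file matches."""
    for raw in rules.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        fields = line.split(":")          # an optional third field (shell command) is ignored
        daemons = [d.strip().upper() for d in fields[0].split(",")]
        clients = fields[1].replace(",", " ").split()
        if "ALL" in daemons or daemon.upper() in daemons:
            if any(client_matches(c, ip) for c in clients):
                return True
    return False

def allowed(hosts_allow, hosts_deny, daemon, ip):
    """hosts_access(5) evaluation order: a match in hosts.allow grants access,
    otherwise a match in hosts.deny refuses it, otherwise access is granted."""
    if file_matches(hosts_allow, daemon, ip):
        return True
    return not file_matches(hosts_deny, daemon, ip)

# Constructed inputs copied from the two configurations shown in this section.
LAN_ALLOW, LAN_DENY = "sshd:192.168.69.0/255.255.255.0\n", "sshd:all\n"
ONE_HOST_ALLOW, ONE_HOST_DENY = "sshd: 192.168.69.134/32\n", "ALL: all\n"

if __name__ == "__main__":
    for ip in ("192.168.69.134", "192.168.69.133", "10.0.0.5"):
        print(ip, "LAN rule:", allowed(LAN_ALLOW, LAN_DENY, "sshd", ip),
              "single-host rule:", allowed(ONE_HOST_ALLOW, ONE_HOST_DENY, "sshd", ip))
```

Note that the LAN pair only restricts sshd: a different daemon from outside the subnet is still admitted because hosts.deny names sshd alone, whereas the single-host pair's "ALL: all" closes everything that consults libwrap.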
