SSH is the Secure Shell Protocol.
The SSH protocol itself provides two server functions: 1. SSH, an encrypted remote login shell (the replacement for telnet); 2. SFTP, file transfer over the same connection (handled by the sftp-server subsystem configured further down). |
Protocol version 2 adds a per-packet integrity check (a MAC) to the connection, so an attacker cannot insert malicious data into an established session; version 1 lacks this protection and should stay disabled.
[root@szm ~]# ll /etc/ssh/ssh_host*
-rw-------. 1 root root 668 Mar 20 03:56 /etc/ssh/ssh_host_dsa_key
-rw-r--r--. 1 root root 590 Mar 20 03:56 /etc/ssh/ssh_host_dsa_key.pub
-rw-------. 1 root root 963 Mar 20 03:56 /etc/ssh/ssh_host_key
-rw-r--r--. 1 root root 627 Mar 20 03:56 /etc/ssh/ssh_host_key.pub
-rw-------. 1 root root 1675 Mar 20 03:56 /etc/ssh/ssh_host_rsa_key
-rw-r--r--. 1 root root 382 Mar 20 03:56 /etc/ssh/ssh_host_rsa_key.pub
If no account is given, ssh tries to log in to the remote host with the name of the local account you are running as. |
The difference with the -f option: with -f, ssh backgrounds itself before the remote command runs, so you get the local prompt back immediately while the command keeps running on the remote host; without it, ssh waits for the remote command to finish before returning to the local side. |
[root@szm ~]# ssh -o StrictHostKeyChecking=no root@localhost
root@localhost's password:
Last login: Mon Mar 25 23:51:12 2013 from 192.168.179.1
StrictHostKeyChecking=no adds an unknown host key to known_hosts without asking. Use it only for throwaway test hosts: you never get to compare the fingerprint, so a man-in-the-middle on the first connection goes unnoticed. |
This deletes line 1 of ~/.ssh/known_hosts, i.e. the stale host-key entry, so the host can be re-added on the next connection (ssh-keygen -R <host> does the same by hostname). |
[root@szm ~]# ssh root@localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is ef:fc:bf:23:d7:c7:c3:e8:67:eb:4d:a9:86:13:52:ed.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts. --- added to known_hosts
root@localhost's password:
Last login: Tue Mar 26 09:54:35 2013 from 172.16.128.73
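The prompt above asks you to accept a fingerprint you have not verified. The right move is to get the server's fingerprint out of band (for example `ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub` on the server console) and compare it with what the client shows, or with what is already recorded in known_hosts. The following Python 3 example is added here and is not part of the original notes: it shows how the fingerprint is derived from the public-key blob (MD5 colon form as printed by OpenSSH 5.x, and the SHA256 form printed by newer versions), parses a plain known_hosts entry, and compares. The key blob is a constructed one with tiny numbers in the real ssh-rsa wire layout, not a usable key.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """SSH wire-format mpint: big-endian, with a leading zero byte if the top bit is set."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


# Constructed sample key: real ssh-rsa wire layout (type, e, n) but tiny numbers,
# so it is NOT a usable key, only something the functions below can parse.
SAMPLE_BLOB = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(0xC0FFEE)
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode()
# A constructed known_hosts entry of the kind the "Permanently added" warning writes.
SAMPLE_KNOWN_HOSTS_LINE = "localhost,127.0.0.1 ssh-rsa " + SAMPLE_B64


def parse_pubkey_blob(blob: bytes) -> list:
    """Split a decoded public-key blob into its length-prefixed wire-format fields."""
    fields, pos = [], 0
    while pos < len(blob):
        (length,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        fields.append(blob[pos:pos + length])
        pos += length
    return fields


def fingerprint_md5(b64: str) -> str:
    """Colon-separated MD5 of the blob: the form OpenSSH 5.x prints ('ef:fc:bf:...')."""
    digest = hashlib.md5(base64.b64decode(b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_sha256(b64: str) -> str:
    """'SHA256:<unpadded base64>' form printed by OpenSSH 6.8 and later."""
    digest = hashlib.sha256(base64.b64decode(b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts_line(line: str) -> tuple:
    """(hostnames, key type, base64 blob) for one plain (unhashed) known_hosts entry."""
    hosts, keytype, b64 = line.split()[:3]
    return hosts.split(","), keytype, b64


def host_key_matches(line: str, expected_fingerprint: str) -> bool:
    """Compare the key recorded in known_hosts with a fingerprint obtained out of band."""
    _, _, b64 = parse_known_hosts_line(line)
    expected = expected_fingerprint.strip().lower()
    if expected.startswith("sha256:"):
        return fingerprint_sha256(b64).lower() == expected
    return fingerprint_md5(b64) == expected


if __name__ == "__main__":
    fields = parse_pubkey_blob(SAMPLE_BLOB)
    print(fields[0].decode(), "e =", int.from_bytes(fields[1], "big"))
    print("MD5   ", fingerprint_md5(SAMPLE_B64))
    print("SHA256", fingerprint_sha256(SAMPLE_B64))
```

Both fingerprint forms hash the same decoded blob, which is why a client and server running different OpenSSH versions show different-looking strings for one key; compare in whichever form the console gives you.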
Graphical SFTP client: FileZilla, connecting to port 22. |
scp: copying files when the remote path is already known:
[root@szm ~]# scp /etc/hosts root@127.0.0.1:~ --- upload (local file to the remote home directory)
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
RSA key fingerprint is ef:fc:bf:23:d7:c7:c3:e8:67:eb:4d:a9:86:13:52:ed.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '127.0.0.1' (RSA) to the list of known hosts.
root@127.0.0.1's password:
hosts 100% 156 0.2KB/s 00:00
[root@szm ~]# scp root@127.0.0.1:/etc/bashrc /tmp --- download (remote file to local /tmp)
root@127.0.0.1's password:
bashrc 100% 2620 2.6KB/s 00:00
PieTTY is a modified version of PuTTY (a Windows SSH client). |
[root@szm ~]# cat /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22
More than one Port line can be written to listen on several ports. |
#AddressFamily any
#ListenAddress 0.0.0.0
The IP address(es) sshd listens on. |
#ListenAddress ::
# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2
"Protocol 2,1" would allow both versions; do not do this, version 1 is insecure and easily attacked. |
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
Locations of the server's host private keys (ssh_host_key is the protocol-1 key; the .pub files beside them are what clients record in known_hosts). |
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
LoginGraceTime: if no unit is given, the value is in seconds; sshd drops the connection if authentication is not finished within this time. |
#PermitRootLogin yes
It is recommended to disable root login here (PermitRootLogin no); the default is yes. |
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
Whether users may log in with their own key pair (public key listed in ~/.ssh/authorized_keys); PubkeyAuthentication applies to version 2 only, RSAAuthentication is the version-1 counterpart. |
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
Because trust based on ~/.rhosts is very insecure, this must be set to no. |
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
The first (RhostsRSAAuthentication) is for version 1 and authenticates by the rhosts files and /etc/hosts.equiv combined with the client's host RSA key; the second (HostbasedAuthentication) is the version-2 equivalent. Both should be no. |
#IgnoreUserKnownHosts no
Whether to ignore the user's ~/.ssh/known_hosts during host-based authentication (only the system file /etc/ssh/ssh_known_hosts is then trusted). |
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
Empty passwords are not permitted, and password authentication is on, so a password is always checked. Once key-based login works (see the key setup below), set PasswordAuthentication no so that online password guessing against sshd stops working. |
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
ChallengeResponseAuthentication allows keyboard-interactive password methods (such as S/Key), so any authentication method defined in login.conf can be used; since we prefer to let PAM manage authentication, this option can be set to no. |
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding: lets X11 window data travel through the SSH connection. |
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
PrintMotd: the message of the day shown after login; can be turned off. |
#PrintLastLog yes
PrintLastLog: show the previous login's date and source. |
#TCPKeepAlive yes
TCPKeepAlive: if the network is unstable, consider turning this off (keepalive probes can tear down a flaky session); ClientAliveInterval below is the protocol-level alternative. |
#UseLogin no
#UsePrivilegeSeparation yes
UsePrivilegeSeparation: sshd forks an unprivileged child to handle the connection, and after login the session runs as the authenticated non-root user, which limits what a bug in sshd can reach. |
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
UseDNS: to judge whether the client origin is legitimate, sshd reverse-resolves the client's IP to a hostname and checks that it resolves back. If reverse DNS is slow or broken, logins stall until the lookup times out, so UseDNS no is common. |
#PidFile /var/run/sshd.pid
PidFile: the file that holds sshd's process ID, from which the daemon's PID can be read. |
#MaxStartups 10
MaxStartups: maximum number of concurrent connections that have not yet authenticated (i.e. before the user gets a shell); further ones are dropped. |
#PermitTunnel no
#ChrootDirectory none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
DenyUsers .... DenyGroups ... (and their AllowUsers/AllowGroups counterparts) restrict which accounts may log in at all |
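The config above relies on two rules that are easy to get wrong when reading it: a commented line such as "#PermitRootLogin yes" only documents the default and sets nothing, and sshd uses the first value it sees for a keyword (Port being the exception, where every line adds a listener). The following Python 3 audit script is added here and is not part of the original notes. It parses a config the way sshd does, fills in OpenSSH 5.3 defaults (the CentOS 6 version shown) for keywords that never appear uncommented, and reports the settings this page recommends changing. The sample config is a constructed copy of the uncommented lines above; the "hardened" version applies the recommended changes.

```python
import re

# Defaults of OpenSSH 5.3 (the CentOS 6 build whose sshd_config is shown above) for
# the keywords audited here. A keyword that never appears uncommented takes its default.
DEFAULTS = {
    "protocol": "2,1",
    "port": "22",
    "permitrootlogin": "yes",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "hostbasedauthentication": "no",
    "rhostsrsaauthentication": "no",
    "ignorerhosts": "yes",
    "x11forwarding": "no",
    "useprivilegeseparation": "yes",
    "strictmodes": "yes",
}

# Constructed sample: the uncommented lines of the config shown above, plus the
# commented PermitRootLogin line to show that a comment changes nothing.
SAMPLE_CONFIG = """\
#Port 22
Protocol 2
SyslogFacility AUTHPRIV
#PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
UsePAM yes
X11Forwarding yes
Subsystem sftp /usr/libexec/openssh/sftp-server
#Match User anoncvs
"""

# The same file with the three changes these notes recommend.
HARDENED_CONFIG = (SAMPLE_CONFIG
                   .replace("#PermitRootLogin yes", "PermitRootLogin no")
                   .replace("PasswordAuthentication yes", "PasswordAuthentication no")
                   .replace("X11Forwarding yes", "X11Forwarding no"))


def parse_sshd_config(text: str) -> dict:
    """Effective global settings keyed by lower-cased keyword.

    sshd takes the FIRST value it sees for a keyword and ignores later duplicates;
    Port is the exception, every Port line adds a listener. Keywords are
    case-insensitive, and everything after the first Match block is conditional,
    so parsing stops there.
    """
    found, ports = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment: no effect
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        if key == "port":
            ports.append(value)
        else:
            found.setdefault(key, value)  # first occurrence wins
    effective = dict(DEFAULTS)
    effective.update(found)
    effective["port"] = ",".join(ports) if ports else DEFAULTS["port"]
    return effective


def audit_sshd_config(text: str) -> list:
    """Return (keyword, effective value, why it matters) for each weak setting."""
    cfg = parse_sshd_config(text)
    findings = []

    def expect(key, wanted, why):
        if cfg[key].lower() != wanted:
            findings.append((key, cfg[key], why))

    expect("protocol", "2", "version 1 lacks proper integrity protection; allow 2 only")
    expect("permitrootlogin", "no", "log in as a normal user, then su/sudo; root is a known target")
    expect("permitemptypasswords", "no", "accounts with empty passwords must never log in")
    expect("hostbasedauthentication", "no", "trust based on client hostnames is spoofable")
    expect("rhostsrsaauthentication", "no", "protocol-1 rhosts trust is spoofable")
    expect("ignorerhosts", "yes", "~/.rhosts and ~/.shosts must not be honoured")
    expect("x11forwarding", "no", "a compromised server can drive the user's display")
    expect("useprivilegeseparation", "yes", "confines what a bug in sshd can reach")
    expect("strictmodes", "yes", "rejects group/world-writable ~/.ssh files")
    if cfg["passwordauthentication"].lower() == "yes" and cfg["pubkeyauthentication"].lower() == "yes":
        findings.append(("passwordauthentication", "yes",
                         "keys are enabled too; switch passwords off to stop online guessing"))
    return findings


if __name__ == "__main__":
    for key, value, why in audit_sshd_config(SAMPLE_CONFIG):
        print("%-24s %-6s %s" % (key, value, why))
    print("hardened file findings:", audit_sshd_config(HARDENED_CONFIG))
```

Run against the constructed copy, the audit reports PermitRootLogin (still at its default of yes because the only line is commented), X11Forwarding yes, and PasswordAuthentication yes alongside key authentication; the hardened copy reports nothing. Point it at a real /etc/ssh/sshd_config by reading the file into the text argument.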
SSH login without a password (key-based login):
1. Generate a key pair on the client;
2. Keep the private key on the client (~/.ssh/id_rsa);
3. Put the public key into the right directory and file on the server (~/.ssh/authorized_keys of the account you log in as);
[root@szm ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
84:ef:86:84:79:bf:05:a9:72:e7:80:a7:e3:c7:98:3f [email protected]
The key's randomart image is:
+--[ RSA 2048]----+
| |
| . |
| . . |
| o o . |
| o o S |
| + = . |
| o+* = . |
| +=E= o |
| .o+..o |
+-----------------+
[root@szm ~]# ll -d ~/.ssh/;ll ~/.ssh/
drwx------. 2 root root 4096 Mar 27 17:19 /root/.ssh/
total 16
-rw-r--r--. 1 root root 226 Mar 27 14:22 authorized_keys
-rw-------. 1 root root 1675 Mar 27 17:22 id_rsa
-rw-r--r--. 1 root root 399 Mar 27 17:22 id_rsa.pub
-rw-r--r--. 1 root root 782 Mar 26 12:40 known_hosts
~/.ssh/ must be mode 700 (at minimum not group/world writable) and id_rsa must be 600 as shown above; the ssh client refuses a private key with wider permissions, and sshd's StrictModes rejects a writable directory, so the key login fails. |
[root@szm ~]# scp ~/.ssh/id_rsa.pub root@192.168.179.7:~
The authenticity of host '192.168.179.7 (192.168.179.7)' can't be established.
RSA key fingerprint is ef:fc:bf:23:d7:c7:c3:e8:67:eb:4d:a9:86:13:52:ed.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.179.7' (RSA) to the list of known hosts.
root@192.168.179.7's password:
id_rsa.pub 100% 399 0.4KB/s 00:00
[root@szm ~]# cat id_rsa.pub >> ~/.ssh/authorized_keys --- on the server, appending the client's public key
[root@szm ~]# ll ~/.ssh/authorized_keys
-rw-r--r--. 1 root root 625 Mar 27 17:30 /root/.ssh/authorized_keys
Pay close attention to permissions here: authorized_keys must be owned by the user and not group/world writable (644 as shown, or 600), otherwise StrictModes makes sshd ignore it and you are silently asked for a password again. |
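The permission rules above are the most common reason a freshly copied key "does not work", and the symptom (a password prompt instead of a key login) gives no hint. The following Python 3 example is added here and is not from the original notes: it encodes what the ssh client and sshd's StrictModes actually check (ownership plus group/world write bits on ~/.ssh and authorized_keys, any group/other bits on the private key), audits a throwaway ~/.ssh built in a temporary directory with wrong modes, applies the chmod fix, and audits again. The directory and placeholder files are constructed for the demo and removed afterwards.

```python
import os
import shutil
import stat
import tempfile

# What the ssh client and sshd's StrictModes (default yes) actually enforce:
#   ~/.ssh           owned by the user, not group/world writable (700 is the usual choice)
#   id_rsa           the client refuses a private key with ANY group/other bits set, so 600
#   authorized_keys  owned by the user, not group/world writable (600 or 644)
# Encoded as (name, mode bits that must NOT be set).
RULES = [
    (".ssh", stat.S_IWGRP | stat.S_IWOTH),
    ("id_rsa", stat.S_IRWXG | stat.S_IRWXO),
    ("authorized_keys", stat.S_IWGRP | stat.S_IWOTH),
]


def check_ssh_dir(ssh_dir: str, uid: int = None) -> list:
    """Return (path, problem) pairs for an ~/.ssh directory; an empty list means it is fine."""
    uid = os.getuid() if uid is None else uid
    problems = []
    for name, forbidden in RULES:
        path = ssh_dir if name == ".ssh" else os.path.join(ssh_dir, name)
        if not os.path.lexists(path):
            continue  # id_rsa or authorized_keys may legitimately be absent
        st = os.lstat(path)
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid != uid:
            problems.append((path, "owned by uid %d, expected %d" % (st.st_uid, uid)))
        if mode & forbidden:
            problems.append((path, "mode %04o is too permissive" % mode))
    return problems


def demo() -> tuple:
    """Build a throwaway ~/.ssh with wrong modes, audit it, apply the fix, audit again."""
    root = tempfile.mkdtemp()
    try:
        ssh_dir = os.path.join(root, ".ssh")
        os.mkdir(ssh_dir)
        for name in ("id_rsa", "authorized_keys"):
            with open(os.path.join(ssh_dir, name), "w") as fh:
                fh.write("constructed placeholder, not a real key\n")
        # Wrong modes, e.g. what a umask of 002 and a careless chmod leave behind.
        os.chmod(ssh_dir, 0o775)
        os.chmod(os.path.join(ssh_dir, "id_rsa"), 0o644)
        os.chmod(os.path.join(ssh_dir, "authorized_keys"), 0o666)
        before = check_ssh_dir(ssh_dir)
        # The fix: chmod 700 ~/.ssh; chmod 600 ~/.ssh/id_rsa ~/.ssh/authorized_keys
        os.chmod(ssh_dir, 0o700)
        os.chmod(os.path.join(ssh_dir, "id_rsa"), 0o600)
        os.chmod(os.path.join(ssh_dir, "authorized_keys"), 0o600)
        after = check_ssh_dir(ssh_dir)
    finally:
        shutil.rmtree(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for path, problem in before:
        print("BEFORE", path, problem)
    print("AFTER", after)
```

To audit a real account, call check_ssh_dir on its ~/.ssh path; the ownership check matters when a key was copied as root into another user's home, which StrictModes also rejects.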
SSH security settings: PermitRootLogin no, DenyUsers ...., DenyGroups ...., plus TCP wrappers (hosts.allow / hosts.deny):
[root@szm ~]# cat /etc/hosts.allow
sshd:127.0.0.1 192.168.179.0/255.255.255.0
[root@szm ~]# cat /etc/hosts.deny
sshd:ALL
hosts.allow is consulted first, so with these two files only localhost and 192.168.179.0/24 reach sshd; every other source is refused before authentication even starts. |
Log troubleshooting:
[root@szm ~]# tail /var/log/secure
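Reading /var/log/secure by hand answers one question at a time; what a practitioner wants is a count of failed logins per source and whether the hosts.allow/hosts.deny rules above already keep that source out. The following Python 3 example is added here and is not part of the original notes; it serves both the TCP-wrappers passage above and the log-troubleshooting step. It implements the hosts_access(5) decision order (an allow match grants, then a deny match refuses, otherwise allowed) for the client-pattern forms used on this page, parses constructed CentOS 6 style sshd log lines (not taken from a real host), and reports sources that crossed a failure threshold.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed copies of the two TCP-wrapper files shown above.
HOSTS_ALLOW = "sshd: 127.0.0.1 192.168.179.0/255.255.255.0\n"
HOSTS_DENY = "sshd: ALL\n"

# Constructed /var/log/secure lines in the CentOS 6 format (not taken from a real host).
SECURE_LOG = """\
Mar 27 17:31:02 szm sshd[4101]: Accepted publickey for root from 192.168.179.7 port 41022 ssh2
Mar 27 17:32:10 szm sshd[4120]: Failed password for root from 10.9.8.7 port 50122 ssh2
Mar 27 17:32:12 szm sshd[4120]: Failed password for root from 10.9.8.7 port 50122 ssh2
Mar 27 17:32:15 szm sshd[4120]: Failed password for root from 10.9.8.7 port 50122 ssh2
Mar 27 17:33:40 szm sshd[4133]: Failed password for invalid user admin from 192.168.179.1 port 50234 ssh2
Mar 27 17:35:01 szm sshd[4140]: Accepted password for root from 192.168.179.1 port 50240 ssh2
Mar 27 17:36:00 szm sshd[4150]: refused connect from 10.9.8.7 (10.9.8.7)
"""


def _parse_wrapper_file(text: str) -> list:
    """(daemon list, client pattern list) per rule; IPv4 patterns only."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip().lower() for d in daemons.split(",")], clients.split()))
    return rules


def _client_matches(pattern: str, ip: str) -> bool:
    """hosts_access(5) client forms used here: ALL, exact address, 'a.b.c.' prefix, net/mask."""
    if pattern == "ALL":
        return True
    if "/" in pattern:  # 192.168.179.0/255.255.255.0 or 192.168.179.0/24
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):
        return ip.startswith(pattern)
    return ip == pattern


def wrappers_allow(daemon: str, ip: str, allow_text: str, deny_text: str) -> bool:
    """Decision order: hosts.allow match grants, then hosts.deny match refuses, else allowed."""
    def matches(rules):
        return any(("all" in ds or daemon.lower() in ds) and any(_client_matches(p, ip) for p in ps)
                   for ds, ps in rules)
    if matches(_parse_wrapper_file(allow_text)):
        return True
    if matches(_parse_wrapper_file(deny_text)):
        return False
    return True


LOG_RE = re.compile(r"sshd\[\d+\]: (Accepted|Failed) (\S+) for (?:invalid user )?(\S+) from (\S+) port")


def summarize_secure_log(text: str) -> dict:
    """Per source IP: failed and accepted logins, and the usernames it tried."""
    stats = defaultdict(lambda: {"failed": 0, "accepted": 0, "users": set()})
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # e.g. the libwrap 'refused connect' line or pam/session noise
        outcome, _method, user, ip = m.groups()
        stats[ip]["failed" if outcome == "Failed" else "accepted"] += 1
        stats[ip]["users"].add(user)
    return dict(stats)


def review(log_text: str, allow_text: str, deny_text: str, threshold: int = 3) -> dict:
    """Sources with at least `threshold` failures, and whether the wrapper rules already stop them."""
    return {ip: {"failed": s["failed"],
                 "blocked_by_wrappers": not wrappers_allow("sshd", ip, allow_text, deny_text)}
            for ip, s in summarize_secure_log(log_text).items() if s["failed"] >= threshold}


if __name__ == "__main__":
    for ip, info in review(SECURE_LOG, HOSTS_ALLOW, HOSTS_DENY).items():
        print(ip, info)
```

A source that shows up with many failures and blocked_by_wrappers False is the one to add to hosts.deny or the firewall; a source inside the allowed range that keeps failing against "invalid user" names is a sign of a compromised LAN host rather than an Internet scanner.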
Starting an X Display Manager program. |
X Server, X Client, Window Manager (WM) [GNOME, KDE, XFCE], Display Manager (DM) [GDM, KDM] |
XDMCP configuration procedure (note: XDMCP on UDP 177 and X over TCP 6000 are unencrypted and the settings below also allow remote root login, so limit them to trusted networks with iptables; for anything beyond the LAN use SSH X forwarding as described at the end of these notes):
1.[root@Centosszm ~]# cat /etc/gdm/custom.conf
# GDM configuration storage
[daemon]
[security]
AllowRemoteRoot=true
DisallowTCP=false
[xdmcp]
Enable=1
[greeter]
[chooser]
[debug]
2.[root@Centosszm ~]# cat /etc/sysconfig/iptables
3.[root@Centosszm ~]# /etc/init.d/iptables restart
4.[root@Centosszm ~]# runlevel
3 5 -------- previous runlevel 3, current runlevel 5
5. Since runlevel 5 is already running, restart the display manager so the configuration file is applied, by switching runlevels:
[root@Centosszm ~]# init 3
[root@Centosszm ~]# init 5
6. Check whether ports 177 (XDMCP, UDP) and 6000 (X server, TCP) are now listening; X clients connect to the X server on port 6000.
[root@Centosszm ~]# netstat -tulnp
To run GDM in the current runlevel:
[root@Centosszm ~]# gdm
[root@Centosszm ~]# cat /etc/rc.d/rc.local
/usr/sbin/gdm --- starting gdm from rc.local at boot
1: Connect from a different X environment, using X directly. On CentOS 6.x, if the system booted into runlevel 5, the graphical display :0 is on tty1; if the graphical interface was started from runlevel 3, it is on tty7.
2: Start another X inside the current X session, using Xnest:
[root@Centosszm ~]# yum install xorg-x11-server-Xnest
[root@Centosszm ~]# Xnest -query 192.168.179.7 -geometry 640x480 :1
Before the remote X server connects via XDMCP:
[root@Centosszm ~]# pstree | grep gdm
|-gdm-binary---gdm-simple-slav-+-Xorg
| |-2*[gdm-session-wor]
| |-gdm-simple-gree
After the remote X server connects:
[root@Centosszm ~]# pstree | grep gdm
|-gdm-binary-+-gdm-simple-slav-+-Xorg
| | |-2*[gdm-session-wor]
| | |-gdm-simple-gree
| `-gdm-simple-slav-+-2*[gdm-session-wor]
| |-gdm-simple-gree---{gdm-simple-gre}
This differs considerably from older VNC servers: on CentOS 6.x the TigerVNC server automatically provides the right graphical display according to the server's graphical login method. |
Note: do not put the VNC server start command in /etc/rc.d/rc.local, otherwise local (localhost) logins may fail. |
Windows-style remote desktop: the XRDP server
XRDP ultimately hands the session to VNC, so a VNC server must be installed; otherwise XRDP cannot run. |
[root@Centosszm ~]# /etc/init.d/xrdp start
Starting xrdp: [ OK ]
Starting xrdp-sesman: [ OK ]
[root@Centosszm ~]# netstat -tunlp | grep xrdp
tcp 0 0 127.0.0.1:3350 0.0.0.0:* LISTEN 22598/xrdp-sesman
tcp 0 0 0.0.0.0:3389 0.0.0.0:* LISTEN 22594/xrdp
[root@Centosszm ~]# cat /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 6000:6010 -j ACCEPT
This rule only opens the X server ports 6000-6010; XRDP itself listens on TCP 3389 (see the netstat output above), so remote desktop clients additionally need a matching ACCEPT rule for 3389, ideally restricted to the LAN source range. |
Advanced SSH usage:
Running sshd on a non-standard port;
[root@Centosszm ~]# vim /etc/ssh/sshd_config
Port 22
Port 23
With SELinux enforcing, sshd may only bind ports labelled ssh_port_t (22), so binding 23 is denied and logged as an AVC message in audit.log. The steps below turn those denials into a local policy module with audit2allow (-m prints the .te source so you can read it, -M also compiles the .pp package):
[root@Centosszm ~]# cat /var/log/audit/audit.log | grep AVC | grep ssh | audit2allow -m sshlocal >sshlocal.te
[root@Centosszm ~]# grep sshd_t /var/log/audit/audit.log | audit2allow -M sshlocal
Caveat: audit2allow turns every sshd_t denial found in the log into an allow rule, so read sshlocal.te before loading it. The narrower fix is to label the port instead: semanage port -a -t ssh_port_t -p tcp 23 (policycoreutils-python). Port 23 is also telnet's registered port; in practice pick an unused port. |
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i sshlocal.pp
[root@Centosszm ~]# semodule -i sshlocal.pp
[root@Centosszm ~]# /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
[root@Centosszm ~]# netstat -tulnp | grep ssh
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 23782/sshd
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN 23782/sshd
tcp 0 0 :::22 :::* LISTEN 23782/sshd
tcp 0 0 :::23 :::* LISTEN 23782/sshd
Mirror backups with rsync:
rsync is not only fast, it compares the files to be copied on the local side and on the remote host and transfers only the differences, so transfer time drops considerably! A remote target written as user@host:/path runs over ssh. |
1. [root@Centosszm ~]# rsync -av /etc /tmp
-a: archive mode (recursive, preserving permissions, owners, timestamps and symlinks); -v: list what is transferred |
Encrypting an otherwise unencrypted service through an SSH tunnel:
[root@Centosszm ~]# ssh -L 5911:127.0.0.1:5901 -n 192.168.179.254
Centosszm(5911) -------- ssh(5911) ---------- (22)ssh ------------ (5901) 192.168.179.254 |
Local port 5911 is forwarded through the SSH session to 127.0.0.1:5901 as seen from 192.168.179.254, i.e. VNC display :1 on that host, so only encrypted SSH traffic crosses the network and the VNC port need not be opened on the firewall. (-n only redirects stdin from /dev/null; use -N when no remote shell is wanted at all.) |
VNC viewer: localhost:5911
Passing a graphical application through the SSH tunnel with X11 forwarding (X11Forwarding yes on the server, ssh -X on the client):
[root@Centosszm ~]# yum install xterm