ssh
ssh简介
专为远程登录会话和其他网路服务提供安全性的协议
- 有效防止远程管理过程中的信息泄露
- 传输数据加密,能防止DNS和IP欺骗
- 传输数据压缩,加快传输速度
在linux系统中一般使用OpenSSH工具
OpenSSH是SSH协议的免费开源实现,提供了服务端程序openssh-server和客户端程序openssh-client
ssh命令
ssh [-pi] [user@host]
-p 指定ssh端口号,默认为22
-i 使用指定私钥文件连接服务器
exit或logout可退出当前登陆
[root@aczdev-161-kvm .ssh]# ssh root@192.168.9.163
The authenticity of host '192.168.9.163 (192.168.9.163)' can't be established.
ECDSA key fingerprint is SHA256:t9dwM9KzQxGVag1Didv9FPIEztHIJUuyPbFhwby5rVc.
ECDSA key fingerprint is MD5:58:07:6d:4a:85:d6:af:a9:2b:78:16:90:32:58:ba:4b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.9.163' (ECDSA) to the list of known hosts.
Last login: Fri Mar 13 19:10:01 2020 from 192.168.6.5
[root@aczdev-163-kvm ~]# exit
logout
Connection to 192.168.9.163 closed.
ssh配置
ssh配置信息都保存在~/.ssh中
- known_hosts: 连接服务器记录
- authorized_keys: 作为服务端,客户端的绵密连接公钥文件
- config: 作为客户端,记录连接服务器配置的别名
服务器别名
- 远程管理命令(如ssh、scp等)连接一台服务器时,一般需要提供服务器地址、端口、用户名
- 可以将经常使用的服务器连接参数记录到配置文件中,并设置别名,方便连接
[root@aczdev-12-kvm .ssh]# vim config
Host kvm-163
HostName 192.168.9.163
User root
Port 22
The authenticity of host '192.168.9.163 (192.168.9.163)' can't be established.
ECDSA key fingerprint is SHA256:gR0zQ8hytD4BF7BHvU5bX3dSljCq8RCpQdvmCZSPQz0.
ECDSA key fingerprint is MD5:f2:49:55:52:ae:9e:a0:62:e3:e1:20:3a:af:b5:4b:29.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.9.163' (ECDSA) to the list of known hosts.
root@192.168.9.163's password:
[root@aczdev-163-kvm ~]#
免密登陆
ssh-keygen [-tfc]
-t 指定加密类型,默认为非对称加密(rsa), 所有可选项:dsa、ecdsa、ed25519、rsa
-f 设置密钥文件名,若设置,在连接时需指定要验证的密钥文件:ssh -i file user@host, 默认文件名则可省略
-c 添加注释再密钥文件尾部
[root@dev-117-kvm ~]# ssh-keygen # 生成密钥文件
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in y.
Your public key has been saved in y.pub.
The key fingerprint is:
SHA256:bFO1aL6MmN0SuA9/1uaZlmPoxPx+O7NeDMYZOG7XIGY root@dev-117-kvm
The key's randomart image is:
+---[RSA 2048]----+
| . |
| o o |
| + E o |
| o + + + = |
| . S . o * .|
| * O o o o |
| = + Bo . o|
| + o+.Bo+. |
| o+.**++= |
+----[SHA256]-----+
[root@aczdev-12-kvm .ssh]# ssh-copy-id root@192.168.6.117 # 将公钥文件上传到192.168.6.117服务器上(.ssh/authorized_keys)
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.6.117's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@192.168.6.117'"
and check to make sure that only the key(s) you wanted were added.
[root@aczdev-12-kvm .ssh]# ssh root@192.168.6.117
Last login: Mon Mar 16 20:44:19 2020 from 192.168.9.12
[root@dev-117-kvm ~]#
免密钥文件登陆
1、生成密钥对
ssh-keygen -t rsa -f ~/.ssh/id_rsa
chmod 400 ~/.ssh/id_rsa
2、上传公钥到要连接的服务器.ssh/authorized_keys中: ssh-copy-id root@192.168.6.117
3、使用私钥文件登陆: ssh -i id_rsa root@192.168.6.117
4、也可将私钥文件在config中设置,简化登陆命令
[root@aczdev-12-kvm .ssh]# vim config
Host kvm-163
HostName 192.168.9.163
User root
Port 22
IdentityFile ~/.ssh/id_rsa
[root@aczdev-12-kvm .ssh]# ssh kvm-163
Last login: Mon Mar 16 18:29:00 2020 from 172.18.1.1
[root@aczdev-163-kvm ~]#