ssh

On Linux, SSH comes as two programs: the ssh client and the sshd server.

Points to keep in mind on the server side:
1. Change passwords regularly
2. Use a non-default port
3. Restrict which client addresses may log in
4. Forbid direct root (administrator) login
5. Allow only a limited set of users to log in
6. Use key-based authentication
7. Disable protocol version 1

Client:

The client configuration file is /etc/ssh/ssh_config

1. Password-based ssh
  ssh root@ip/hostname: log in to the remote host as its root user
  ssh root@ip/hostname ['command']: run a single command on the remote host as root
  ssh -p #: use a non-default port (# is the port number)
  If ssh refuses to log in, look in the hidden file .ssh/known_hosts in your own home directory and find the entry for that host (its recorded host key no longer matches); remove that entry (ssh-keygen -R hostname does this), or simply delete the whole file, which also discards every other host key you have already verified

2. Public/private-key ssh
  ssh-keygen: generate a key pair; by default the private key and public key are written under root's home directory (/root/.ssh/)
      -t [rsa | dsa]: choose the key algorithm
      -f 'path': choose where to store the key
      -P 'passphrase': protect the private key with a passphrase

[root@bogon ~]# ssh-keygen -t rsa     # choose the rsa algorithm
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):   # where the key is stored
Enter passphrase (empty for no passphrase):           # passphrase; left empty here
Enter same passphrase again:                            # confirm the passphrase
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
72:f5:89:28:fd:90:3f:00:16:ea:b1:e5:97:09:b1:72 root@bogon
The key's randomart image is:
+--[ RSA 2048]----+
|      o          |
|     . +         |
|    + E   .      |
|   . O + * o .   |
|    o + S . o    |
|       = =       |
|          +      |
|           .     |
|                 |
+-----------------+
[root@bogon ~]# ls .ssh/
id_rsa  id_rsa.pub

3. ssh-copy-id -i ~/.ssh/id_rsa.pub root@host/ip: copy the public key to the remote host; -i selects the public key file. From then on, logging in to that host no longer asks for a password

[root@bogon ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.17.148.113
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@172.17.148.113's password:   # enter the password of the matching user on the remote host
 
Number of key(s) added: 1
 
Now try logging into the machine, with:   "ssh 'root@172.17.148.113'"
and check to make sure that only the key(s) you wanted were added.
 
[root@bogon ~]# ssh root@172.17.148.113
Last login: Thu May 31 23:11:36 2018 from 172.17.148.255  # logging in no longer needs a password

4. scp: file transfer between hosts
  scp SOURCE root@hostname/ip:DEST_PATH       send a file to a remote host; the colon after the host is required
  scp root@hostname/ip:SOURCE DEST_PATH       pull a file from a remote host to the local machine; again with the colon

    -r: recursive
    -p: preserve file attributes (modification times, access times, modes)
    -C: enable compression
5. rsync: same usage as scp, but with an extra comparison step; files that compare identical are skipped and only differing files are copied

6. sftp: once key-based ssh login is set up, no password is needed here either; just run sftp ip. Use get to fetch a file

7. A key generated by Xshell has to go into .ssh/authorized_keys under the home directory on the remote host; create the file if it does not exist, with the directory mode 700 and the file mode 600. Also make sure you copy the whole key when pasting it. I lost a lot of time on this!

8. Once key authentication is enabled, simply turn off password authentication:
  PasswordAuthentication no
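Putting items 2, 3 and 7 together, here is an added example (not code from the original post) that installs a pasted public key into authorized_keys with the 700/600 modes and rejects a key that was not copied completely. It assumes POSIX sh with awk, od and GNU base64; the sample key it builds is constructed, not a real key.

```shell
# Added example, not from the original post: install a pasted public key the way item 7
# describes (directory 700, file 600), refusing a key whose paste was cut short.
# Assumes POSIX sh, awk, od and GNU base64.

# blob_is_complete TYPE BASE64: decode the blob and walk its wire-format fields
# (uint32 length + bytes). A partial paste leaves a length that runs past the end
# of the data; the first field must also spell out TYPE.
blob_is_complete() {
    bytes=$(printf '%s' "$2" | base64 -d 2>/dev/null | od -An -v -tu1 | tr -s ' \n' ' ')
    [ -n "$bytes" ] || return 1
    printf '%s\n' "$bytes" | awk -v want="$1" '{
        i = 1; first = ""
        while (i + 3 <= NF) {
            len = $i * 16777216 + $(i+1) * 65536 + $(i+2) * 256 + $(i+3); i += 4
            if (i + len - 1 > NF) exit 1                        # field runs past the end: truncated
            if (first == "") for (j = i; j < i + len; j++) first = first sprintf("%c", $j)
            i += len
        }
        if (i == NF + 1 && first == want) exit 0; exit 1         # no trailing bytes, type matches
    }'
}

# install_pubkey HOME_DIR KEY_LINE: validate, create ~/.ssh with the right modes,
# and append the key once (duplicates matched on type and blob, not on the comment).
install_pubkey() {
    home=$1; line=$2
    set -- $line                     # $1 = type, $2 = blob, rest = comment
    case $1 in                       # ssh-dss left out on purpose: DSA is disabled by default in modern OpenSSH
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    blob_is_complete "$1" "$2" || return 1
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys" && chmod 600 "$home/.ssh/authorized_keys"
    awk -v t="$1" -v b="$2" '$1 == t && $2 == b { f = 1 } END { exit !f }' "$home/.ssh/authorized_keys" ||
        printf '%s\n' "$line" >> "$home/.ssh/authorized_keys"
}

# sample_pubkey: a constructed, structurally complete ed25519 key line (not a real key).
sample_pubkey() {
    blob=$(printf '\000\000\000\013ssh-ed25519\000\000\000\040%032d' 0 | base64 | tr -d '\n')
    printf 'ssh-ed25519 %s constructed@example' "$blob"
}
```

A pasted key that lost its tail fails the blob walk, which is the mistake item 7 describes, instead of silently producing an authorized_keys line sshd will never match.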

Server:

The sshd configuration file
A # followed by a space marks a comment
A # directly followed by a parameter marks a setting that can be changed (the line shows its default value)
After editing the configuration file, make the service reread it: service sshd reload

[root@localhost ssh]# cat /etc/ssh/sshd_config
#   $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
 
# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.
 
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
 
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.
 
#Port 22                            default listening port 22; can be changed to another port
#AddressFamily any                  listen on both IPv4 and IPv6 by default
#ListenAddress 0.0.0.0              listening address
#ListenAddress ::                   by default every address on the server is listened on; to listen on one address only, put its IP here
 
# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2                          use SSH protocol version 2
 
# HostKey for protocol version 1   
#HostKey /etc/ssh/ssh_host_key      protocol version 1 host key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key  protocol version 2 host key (RSA)
#HostKey /etc/ssh/ssh_host_dsa_key  protocol version 2 host key (DSA)
 
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h         how long the ephemeral server key is valid before it is regenerated
#ServerKeyBits 1024                 length of that key in bits
 
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH                 log facility; the default is the authentication facility
SyslogFacility AUTHPRIV              log facility: authentication and privilege (authpriv)
#LogLevel INFO               log level
 
# Authentication:
 
#LoginGraceTime 2m                   how long to wait for the login to complete after the connection is made; default 2 minutes
#PermitRootLogin yes                 whether the administrator may log in directly; direct remote root login should be disabled, log in as a regular user and su instead
#StrictModes yes                     whether strict mode is used (sshd checks the ownership and modes of the user's files and home directory before accepting a login)
#MaxAuthTries 6                      at most 6 authentication attempts
#MaxSessions 10                      maximum number of sessions over one connection
 
#RSAAuthentication yes               whether RSA authentication (protocol 1) is used
#PubkeyAuthentication yes            whether public-key authentication is used
#AuthorizedKeysFile .ssh/authorized_keys     where the key file is located
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody
 
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no          
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no              whether to ignore the user's ~/.ssh/known_hosts file
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes                     whether to ignore the files mentioned on the line above
 
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes         whether password login is enabled
#PermitEmptyPasswords no            whether accounts with an empty password may log in
PasswordAuthentication yes          password authentication enabled
 
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no   keyboard-interactive (challenge-response) authentication, such as PAM-driven prompts; disabled here
 
# Kerberos options
#KerberosAuthentication no           whether passwords are validated against Kerberos
#KerberosOrLocalPasswd yes           if Kerberos validation fails, fall back to checking the password against the local /etc/passwd
#KerberosTicketCleanup yes           whether the user's Kerberos ticket cache is destroyed on logout
#KerberosGetAFSToken no             
 
# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
 
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes                           PAM-based authentication
 
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
 
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes                  
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes                      whether the contents of /etc/motd are shown after a successful login
#PrintLastLog yes                   whether to print the last-login information
#TCPKeepAlive yes                   whether to send TCP keepalive messages to keep the connection alive
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10                    how many concurrent connections may be waiting for authentication at once
#PermitTunnel no                   
#ChrootDirectory none
 
# no default banner path
#Banner none                      login banner text shown to the user, set as Banner /path/to/file
 
# override default of no subsystems
Subsystem   sftp    /usr/libexec/openssh/sftp-server      enable the sftp subsystem
 
# Example of overriding settings on a per-user basis
#Match User anoncvs
#   X11Forwarding no
#   AllowTcpForwarding no
#   ForceCommand cvs server
#AllowUsers  xxx xxx xxx       users allowed to log in      (these four directives all refer to local users and groups)
#AllowGroups                   groups allowed to log in
#DenyUsers   xxx xxx xxx       users not allowed to log in
#DenyGroups                    groups not allowed to log in
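As an added example (not part of the original post), the following script applies the server-side checklist from the top of the page and client item 8 to a copy of sshd_config, using the file's own "#Key default" convention. The port 2222, the user admin and the client network 192.0.2.0/24 are placeholders; check_config runs sshd -t on the result before you run service sshd reload.

```shell
# Added example, not from the original post: apply the server-side checklist to an
# sshd_config file. Assumes POSIX sh and awk; the port, user name and client network
# are placeholders to replace with your own values.

# set_opt FILE KEY VALUE: rewrite the first KEY line (commented default or active) as
# "KEY VALUE", drop later duplicates so sshd's first-match rule cannot pick up a stale
# value, and append the line when KEY does not occur at all.
set_opt() {
    awk -v k="$2" -v v="$3" '
        $0 ~ ("^[# \t]*" k "([ \t]|$)") { if (!done) { print k " " v; done = 1 }; next }
        { print }
        END { if (!done) print k " " v }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# get_opt FILE KEY: print the value sshd would use (first active occurrence of KEY).
get_opt() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# harden_sshd_config FILE: checklist items 2 to 7 and client item 8.
harden_sshd_config() {
    set_opt "$1" Protocol 2                      # 7: no protocol version 1
    set_opt "$1" Port 2222                       # 2: non-default port (placeholder)
    set_opt "$1" PermitRootLogin no              # 4: no direct root login; su after logging in
    set_opt "$1" PubkeyAuthentication yes        # 6: key-based authentication
    set_opt "$1" PasswordAuthentication no       # client item 8: keys only
    set_opt "$1" PermitEmptyPasswords no
    set_opt "$1" AllowUsers admin@192.0.2.0/24   # 3 and 5: one user, from one client network
}

# check_config FILE: have sshd parse the result (sshd -t -f FILE) before
# "service sshd reload"; a bad file would otherwise stop new logins.
check_config() {
    command -v sshd >/dev/null 2>&1 || return 0   # nothing to check on a client-only box
    sshd -t -f "$1"
}

# make_sample_config FILE: a constructed excerpt of the stock sshd_config shown on this page.
make_sample_config() {
    cat > "$1" <<'EOF'
#Port 22
Protocol 2
#PermitRootLogin yes
#PubkeyAuthentication yes
#PasswordAuthentication yes
PasswordAuthentication yes
#PermitEmptyPasswords no
EOF
}
```

Item 1 (rotating passwords) is a process, not a config line, and once PasswordAuthentication is off it matters only for su and local console logins.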

 

posted @ ForLivetoLearn