SSH keys: service setup, batch distribution and management in practice
The SSH service
1. Introduction to the SSH service
SSH is short for Secure Shell Protocol and was defined by the IETF Network Working Group. Before any data is transmitted, SSH encrypts the connection's packets with cryptographic techniques and only then sends them, which keeps the transmitted data secure.
SSH is a security protocol designed for remote login sessions and other network services. Using the SSH protocol effectively prevents information leakage during remote administration, and in today's production environments the vast majority of companies use SSH in place of traditionally insecure remote connection software such as telnet.
SSH service functions:
a. Remote login, similar to telnet
b. sftp-server, an FTP-like service that carries data over the SSH protocol and so provides a more secure SFTP service
Note:
The SSH client (the ssh command) also ships a very useful secure remote copy command, scp, which works over the ssh protocol as well.
Summary:
1. SSH is a secure, encrypted protocol used for connecting to servers remotely
2. The default port is 22 and the secure protocol version is ssh2
3. The server side provides two main functions: ssh remote connection and the SFTP service
4. The ssh client includes the ssh connection command, the remote copy command scp, and others
SSH service structure:
The SSH service consists of the server software OpenSSH and a client (commonly SSH, SecureCRT, Xshell or PuTTY). The service listens on port 22 by default, and there are two incompatible SSH protocol versions, 1.x and 2.x.
[root@backup ~]# rpm -qa openssh
openssh-5.3p1-104.el6.x86_64
[root@backup ~]# rpm -qa openssh openssl
openssh-5.3p1-104.el6.x86_64
openssl-1.0.1e-30.el6.x86_64
[root@backup ~]# ps -ef|grep sshd
root 2244 1 0 Jul22 ? 00:00:01 /usr/sbin/sshd
root 13819 2244 0 19:16 ? 00:00:01 sshd: root@pts/0
root 14672 13822 0 21:44 pts/0 00:00:00 grep sshd
[root@backup ~]# chkconfig --list sshd
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
SSH encryption
# HostKey for protocol version 1 # (RSA keys only)
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2 # (RSA and DSA keys supported)
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
[root@backup ~]# grep ServerKey /etc/ssh/sshd_config
#ServerKeyBits 1024
[root@backup ~]# ll ~/.ssh/
total 4
-rw-r--r-- 1 root root 395 Mar 28 19:11 known_hosts
[root@backup ~]# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:0C:29:E4:F6:3F
inet addr:192.168.0.114 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fee4:f63f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2318994 errors:0 dropped:0 overruns:0 frame:0
TX packets:1511463 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1781734365 (1.6 GiB) TX bytes:416486786 (397.1 MiB)
[root@backup ~]# ifconfig eth0|sed -rn 's#^.*dr:(.*) Bc.*$#\1#gp'
192.168.0.114
A brief explanation of this sed command:
1. The -rn options
-r makes sed use extended regular expressions (ERE; BRE, PCRE and the other dialects express the regex metacharacters differently, which the original poster can look up on Google, so it is not explained here). That saves a lot of escaping in the expression that follows; without -r, for example, ( ) would have to be written \( \).
-n stops sed from printing the pattern space automatically; with it, only the lines that match reach the p print action.
2. The ( ) is there for the \1 later on: in the "/source/target/" form just described, the source may contain several groups written with ( ); the first group is referred to in the target as \1, the second as \2, and so on.
2. SSH authentication types
Seen from the SSH client, the SSH service offers two main levels of security verification:
1. Password-based authentication
[root@NFS ~]# ls -l ~/.ssh
[root@NFS ~]#
[root@NFS ~]# ssh -p22 sshtest@192.168.0.131
sshtest@192.168.0.131's password:
welcome to oldboy linux training from /etc/profile.d
[sshtest@oldboy ~]$ ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:0C:29:21:B6:B1
inet addr:192.168.0.131 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe21:b6b1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1446978 errors:0 dropped:0 overruns:0 frame:0
TX packets:1946787 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:408128388 (389.2 MiB) TX bytes:1248347837 (1.1 GiB)
[root@NFS ~]# ls -l ~/.ssh
total 4
-rw-r--r-- 1 root root 790 Jul 24 22:05 known_hosts
[root@NFS ~]# cat ~/.ssh/known_hosts
192.168.0.131 ssh-rsa\
AAAAB3NzaC1yc2EAAAABIwAAAQEAr3aG1hPNk0pRhTVWM4ECI4HFLwriYGfw9sTIZtYAfdzJXnQD5dMrTUP0p4TgQ6k9rj/tCpbRHqIVOWI0i8R3z8N/jgZYtDs5h0YDRtM0iIgNRsKD3xJa4E+Vab1JMvbASPH9YKaJ13KprWnWat+OXAjiDHwi41tMphAnWNhPXCwaKuqMcsejPk3TmOemrfCt3XzFX34dGTLsVYYB4pn8Psu+phR+FQyiajDDGQaVVDGuKwgdd7JTs0P0WOEkV8ENX6dcDWvEB6KGCmBcQnXE0E0hxjiG+J1QrX2ODzMei8fI1h9ZXgM6hEqJSlsA6iVRhCFDsPuzXYdQ/J19OqpVDw==
2. Key-pair-based authentication
Key-based authentication also differs between Windows clients and Linux clients.
3. Starting the SSH service
[root@NFS ~]# rpm -qa | egrep "openssl|openssh" | sort # list the packages related to the SSH service
openssh-5.3p1-104.el6.x86_64
openssl098e-0.9.8e-18.el6_5.2.x86_64
openssl-1.0.1e-30.el6.x86_64
[root@NFS ~]# chkconfig --list sshd # check whether the SSH service is started at boot
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
[root@NFS ~]# ll /etc/ssh/sshd_config
-rw-------. 1 root root 3879 Oct 15 2014 /etc/ssh/sshd_config # SSH server configuration file
[root@NFS ~]# ll /etc/ssh/ssh_config
-rw-r--r--. 1 root root 2047 Oct 15 2014 /etc/ssh/ssh_config # SSH client configuration file
[root@NFS ~]# less /etc/ssh/ssh_config
# $OpenBSD: ssh_config,v 1.25 2009/02/17 01:28:32 djm Exp $
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
[root@NFS ~]#
[root@NFS ~]# less /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
[root@NFS ~]# netstat -tunlp|grep 22 # check whether the ssh service is running, method one
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1052/sshd
tcp 0 0 :::22 :::* LISTEN 1052/sshd
[root@NFS ~]# lsof -i:22 # check whether the ssh service is running, method two
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 1052 root 3u IPv4 9891 0t0 TCP *:ssh (LISTEN)
sshd 1052 root 4u IPv6 9893 0t0 TCP *:ssh (LISTEN)
sshd 6597 root 3r IPv4 28879 0t0 TCP 192.168.0.113:ssh->192.168.0.104:49230 (ESTABLISHED)
sshd 10253 root 3r IPv4 36283 0t0 TCP 192.168.0.113:ssh->192.168.0.103:49898 (ESTABLISHED)
4. Changing the default SSH login configuration (security hardening)
The running parameters of the SSH service are changed by editing the configuration file /etc/ssh/sshd_config.
[root@NFS ~]# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.ori
[root@NFS ~]# vi /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# default value.
/port
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#GSSAPIKeyExchange no
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes
# Accept locale-related environment variables
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
# no default banner path
#Banner none
# override default of no subsystems
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
# Append the following lines at the end of the file, then save and quit!
Port 52113 # to raise the security level, change the default SSH port
PermitRootLogin no # every attacker knows the root superuser exists, so remote login as root should be forbidden
PermitEmptyPasswords no # forbid login with an empty password
UseDNS no # do not use DNS
# GSSAPI options
GSSAPIAuthentication no # speeds up SSH connection setup
"/etc/ssh/sshd_config" 146L,4035C written
http://oldboy.blog.51cto.com/2561410/1300964
[root@NFS ~]# /etc/init.d/sshd restart # restart the ssh service
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
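As an added example (not part of the original article), a small POSIX sh audit of the settings this section appends. It follows sshd's rule that the first occurrence of a keyword wins, which matters here: the stock CentOS 6 file already carries an active GSSAPIAuthentication yes, so a GSSAPIAuthentication no appended at the end is ignored by sshd, and the audit reports it. The values assumed for absent keywords are the OpenSSH 5.x defaults; sshd_get, sshd_audit and the sample files are constructed for this example.

```shell
# Added example: audit an sshd_config for the hardening settings above.
# Assumes POSIX sh and awk; nothing here is the article's own code.

# sshd_get FILE KEYWORD: value of the first active (uncommented) KEYWORD
# line, matched case-insensitively. sshd honours the first occurrence of a
# keyword, so this mirrors what the daemon will actually use.
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# sshd_audit FILE: one line per setting that differs from the hardened value
# recommended above; prints nothing for a hardened file.
# Each spec is keyword:expected:value-assumed-when-absent, the last field
# being the OpenSSH 5.x default (Protocol is flagged unless set explicitly).
sshd_audit() {
    f=$1
    for spec in Protocol:2:unset PermitRootLogin:no:yes \
                PermitEmptyPasswords:no:no UseDNS:no:yes \
                GSSAPIAuthentication:no:no; do
        key=${spec%%:*}; rest=${spec#*:}; want=${rest%%:*}; dflt=${rest#*:}
        got=$(sshd_get "$f" "$key")
        [ -n "$got" ] || got=$dflt
        [ "$got" = "$want" ] || echo "$key=$got (expected $want)"
    done
    port=$(sshd_get "$f" Port)
    [ -n "$port" ] || port=22
    [ "$port" != 22 ] || echo "Port=22 (expected a non-default port, e.g. 52113)"
}

# sshd_audit_count FILE: number of findings, handy for scripts and tests.
sshd_audit_count() {
    sshd_audit "$1" | wc -l | tr -d ' '
}

# Stand-alone demo on a constructed file that mirrors the stock CentOS 6
# sshd_config with the article's lines appended after the existing
# "GSSAPIAuthentication yes": the audit shows that line still wins.
sshd_audit_demo() {
    tmp=$(mktemp) || return 1
    printf 'Protocol 2\nGSSAPIAuthentication yes\nUsePAM yes\n' > "$tmp"
    printf 'Port 52113\nPermitRootLogin no\nPermitEmptyPasswords no\n' >> "$tmp"
    printf 'UseDNS no\nGSSAPIAuthentication no\n' >> "$tmp"
    sshd_audit "$tmp"
    rm -f "$tmp"
}
```

To make the appended GSSAPIAuthentication no effective, change the existing yes line in place rather than adding a second one at the end.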
[root@NFS ~]# nmap www.baidu.com -p 1-65535 # scan the open ports on this host
-bash: nmap: command not found
[root@NFS ~]# yum -y install nmap # install the port-scanning tool
[root@NFS ~]# nmap 192.168.0.113 -p 1-65535 # scan the open ports on this host
Starting Nmap 5.51 ( http://nmap.org ) at 2015-07-24 23:23 CST
Nmap scan report for 192.168.0.113
Host is up (0.0000040s latency).
Not shown: 65526 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
875/tcp open unknown
2049/tcp open nfs
33561/tcp open unknown
45357/tcp open unknown
52360/tcp open unknown
53647/tcp open unknown
54877/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 0.65 seconds
5. Connecting to the SSH service remotely
1. Connecting via ssh from a Linux client:
Basic ssh syntax
ssh -p22 sshtest@192.168.0.131
#--> basic syntax of the SSH command for connecting to a remote host
#--> -p (lowercase) takes the port; -p22 can be omitted when the default port 22 is used
#--> the user name comes before "@" and the IP of the server to connect to after it; for more usage, see man ssh
a. Logging in to the remote host directly:
[root@NFS ~]# ssh -p22 sshtest@192.168.0.131
sshtest@192.168.0.131's password:
Last login: Fri Jul 24 22:25:59 2015 from 192.168.0.113
welcome to oldboy linux training from /etc/profile.d
[sshtest@oldboy ~]$ ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:21:B6:B1
inet addr:192.168.0.131 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe21:b6b1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1449144 errors:0 dropped:0 overruns:0 frame:0
TX packets:1952746 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:408356613 (389.4 MiB) TX bytes:1248748377 (1.1 GiB)
eth0:1 Link encap:Ethernet HWaddr 00:0C:29:21:B6:B1
inet addr:192.168.0.150 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:1233 errors:0 dropped:0 overruns:0 frame:0
TX packets:1233 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:127384 (124.3 KiB) TX bytes:127384 (124.3 KiB)
[root@oldboy ~]# ssh root@192.168.0.113
The authenticity of host '192.168.0.113 (192.168.0.113)' can't be established.
RSA key fingerprint is 85:83:52:21:20:dd:4a:7c:3c:df:ec:5a:de:a0:b4:82.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.113' (RSA) to the list of known hosts.
root@192.168.0.113's password:
Last login: Sat Jul 25 14:20:45 2015 from 192.168.0.104
welcome to oldboy linux training from /etc/profile.d
[root@NFS ~]#
[root@NFS ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:3C:A9:18
inet addr:192.168.0.113 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe3c:a918/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:57014 errors:0 dropped:0 overruns:0 frame:0
TX packets:67410 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:34403157 (32.8 MiB) TX bytes:17167386 (16.3 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:132318 errors:0 dropped:0 overruns:0 frame:0
TX packets:132318 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:5606236 (5.3 MiB) TX bytes:5606236 (5.3 MiB)
[root@oldboy ~]# ssh root@192.168.0.113
root@192.168.0.113's password:
Permission denied, please try again.
root@192.168.0.113's password:
Permission denied, please try again.
root@192.168.0.113's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
[root@oldboy ~]# ssh -p52113 root@192.168.0.113
ssh: connect to host 192.168.0.113 port 52113: Connection refused # the connection is refused; possible reasons: wrong port, or wrong user name or IP
b. Running a command on the remote host without logging in
[root@oldboy ~]# ssh -p52113 root@192.168.0.113
ssh: connect to host 192.168.0.113 port 52113: Connection refused
[root@oldboy ~]# ssh -p22 root@192.168.0.113 /sbin/ifconfig
root@192.168.0.113's password:
eth0 Link encap:Ethernet HWaddr 00:0C:29:3C:A9:18
inet addr:192.168.0.113 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe3c:a918/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:57277 errors:0 dropped:0 overruns:0 frame:0
TX packets:67582 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:34430072 (32.8 MiB) TX bytes:17187649 (16.3 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:132360 errors:0 dropped:0 overruns:0 frame:0
TX packets:132360 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:5612182 (5.3 MiB) TX bytes:5612182 (5.3 MiB)
[root@oldboy ~]# ssh -p22 root@192.168.0.113 /usr/bin/free -m
root@192.168.0.113's password:
total used free shared buffers cached
Mem: 988 415 572 0 41 274
-/+ buffers/cache: 99 888
Swap: 2047 0 2047
[root@oldboy ~]# cat ~/.ssh/known_hosts
192.168.0.113 ssh-rsa\AAAAB3NzaC1yc2EAAAABIwAAAQEAr3aG1hPNk0pRhTVWM4ECI4HFLwriYGfw9sTIZtYAfdzJXnQD5dMrTUP0p4TgQ6k9rj/tCpbRHqIVOWI0i8R3z8N/jgZYtDs5h0YDRtM0iIgNRsKD3xJa4E+Vab1JMvbASPH9YKaJ13KprWnWat+OXAjiDHwi41tMphAnWNhPXCwaKuqMcsejPk3TmOemrfCt3XzFX34dGTLsVYYB4pn8Psu+phR+FQyiajDDGQaVVDGuKwgdd7JTs0P0WOEkV8ENX6dcDWvEB6KGCmBcQnXE0E0hxjiG+J1QrX2ODzMei8fI1h9ZXgM6hEqJSlsA6iVRhCFDsPuzXYdQ/J19OqpVDw==
[root@oldboy ~]# rm -f ~/.ssh/known_hosts
[root@oldboy ~]# ssh -p22 root@192.168.0.113 /usr/bin/free -m
The authenticity of host '192.168.0.113 (192.168.0.113)' can't be established.
RSA key fingerprint is 85:83:52:21:20:dd:4a:7c:3c:df:ec:5a:de:a0:b4:82.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.113' (RSA) to the list of known hosts.
root@192.168.0.113's password:
total used free shared buffers cached
Mem: 988 415 572 0 41 274
-/+ buffers/cache: 99 888
Swap: 2047 0 2047
[root@oldboy ~]#
[root@oldboy ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:21:B6:B1
inet addr:192.168.0.131 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe21:b6b1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1450400 errors:0 dropped:0 overruns:0 frame:0
TX packets:1954594 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:408489734 (389.5 MiB) TX bytes:1248906769 (1.1 GiB)
eth0:1 Link encap:Ethernet HWaddr 00:0C:29:21:B6:B1
inet addr:192.168.0.150 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:1233 errors:0 dropped:0 overruns:0 frame:0
TX packets:1233 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:127384 (124.3 KiB) TX bytes:127384 (124.3 KiB)
Summary:
1. Switch to another machine: ssh -p22 user@ip ([user@]hostname [command])
2. Run a command on another machine without switching to it: ssh -p22 user@ip command (use the full path of the command)
3. On the first connection a key file ~/.ssh/known_hosts is created locally (it can hold several keys)
6. The scp remote copy command bundled with the SSH client
1. Basic scp syntax
NAME
scp - secure copy (remote file copy program)
Push: PUSH
scp -P22 -r -p /tmp/oldboy oldboy@10.0.0.143:/tmp
source (local file) target
Pull: PULL
scp -P22 -rp root@10.0.0.7:/tmp/oldboy /opt/
source (remote file or directory) target (local directory)
#--> scp is the command for copying files or directories remotely
#--> -P (uppercase, note the difference from ssh) takes the port; -P22 can be omitted when the default port 22 is used
#--> -r copies directories
#--> -p preserves the attributes of the file or directory across the copy
#--> /tmp/oldboy is the local directory. The user name comes before "@", the IP of the server to connect to after it, and the :/tmp after the IP is the target directory on the remote side
#--> -l [limit] limits the scp transfer speed
[root@oldboy ~]# scp -P22 /root/oldboy.log root@192.168.0.113:/tmp # push
root@192.168.0.113's password:
oldboy.log 100% 0 0.0KB/s 00:00
[root@oldboy ~]# ssh -p22 root@192.168.0.113 /bin/ls -l /tmp
root@192.168.0.113's password:
total 0
-rw-r--r-- 1 root root 0 Jul 25 15:27 oldboy.log
[root@NFS ~]# scp -P22 root@192.168.0.131:/root/a.log /tmp # pull
root@192.168.0.131's password:
a.log 100% 292 0.3KB/s 00:00
[root@NFS ~]# ll /tmp
total 4
-rw-r--r-- 1 root root 292 Jul 25 15:33 a.log
[root@oldboy ~]# scp -P22 -r /root root@192.168.0.113:/tmp # copy the /root directory to /tmp on the remote host 192.168.0.113
root@192.168.0.113's password:
oldboy.log 100% 0 0.0KB/s 00:00
known_hosts 100% 395 0.4KB/s 00:00
ping.sh 100% 33 0.0KB/s 00:00
tar.sh 100% 160 0.2KB/s 00:00
.bash_profile 100% 34 0.0KB/s 00:00
a.log 100% 292 0.3KB/s 00:00
/root/tools/mysql-5.6.23/mysql-test/mysql-test-run: No such file or directory
/root/tools/mysql-5.6.23/mysql-test/mtr: No such file or directory
/root/tools/mysql-5.6.23/libmysql/libmysqlclient.so: No such file or directory
/root/tools/mysql-5.6.23/libmysql/libmysqlclient_r.a: No such file or directory
/root/tools/mysql-5.6.23/libmysql/libmysqlclient_r.so: No such file or directory
/root/tools/mysql-5.6.23/libmysql/libmysqlclient_r.so.18.1.0: No such file or directory
/root/tools/mysql-5.6.23/libmysql/libmysqlclient_r.so.18: No such file or directory
/root/tools/mysql-5.6.23/libmysql/libmysqlclient.so.18: No such file or directory
.bash_history 100% 17KB 17.4KB/s 00:00
[root@oldboy ~]# ssh -p22 root@192.168.0.113 /bin/ls -l /tmp/
root@192.168.0.113's password:
total 8
-rw-r--r-- 1 root root 292 Jul 25 15:33 a.log
-rw-r--r-- 1 root root 0 Jul 25 15:27 oldboy.log
dr-xr-x--- 6 root root 4096 Jul 25 15:44 root
Summary:
scp is an encrypted remote copy: it can push data from one machine to another, and it can also pull data from other servers back to the local machine where the command is run. However, every run is a full copy (rsync copies incrementally), so it is not very efficient.
7. The sftp function bundled with the SSH service
As seen above, besides remote connections the ssh service also offers a secure FTP function, i.e. the data is encrypted by ssh before it is transferred.
Tools for transferring data between a Windows client and a Linux server:
1) rz, sz
2) winscp, WinSCP-v4.0.5 <== based on SSH
3) SFX (xshell)
4) SFTP <=== based on SSH, encrypted transfer
5) samba, http, ftp, NFS
a. Connecting to an sftp server from a Linux sftp client
[root@oldboy ~]# sftp -oPort=22 root@192.168.0.113 # -o takes the port
Connecting to 192.168.0.113...
root@192.168.0.113's password:
sftp> ll
Invalid command.
sftp> ls -l
drwxr-xr-x 3 root root 4096 Mar 26 20:57 tools
sftp> put a.txt # upload the file to root's home directory; a path can also be given
Uploading a.txt to /root/a.txt
a.txt 100% 0 0.0KB/s 00:00
sftp> ls -l
-rw-r--r-- 1 root root 0 Jul 25 16:36 a.txt
drwxr-xr-x 3 root root 4096 Mar 26 20:57 tools
sftp> get ddd # download the file to the local current directory; a path can also be given
Fetching /root/ddd to ddd
sftp> quit
[root@oldboy ~]# ll
total 16
-rw-r--r-- 1 root root 292 May 12 22:16 a.log
-rw-r--r-- 1 root root 0 Jul 25 16:16 a.txt
-rw-r--r-- 1 root root 0 Jul 25 16:37 ddd
drwxrwxr-x 7 1000 kl 4096 May 11 22:07 keepalived-1.2.7
-rw-r--r-- 1 root root 0 Jul 11 10:06 oldboy.log
drwxr-xr-x 3 root root 4096 Jul 5 20:58 server
drwxr-xr-x 4 root root 4096 May 11 22:07 tools
[root@oldboy ~]# sftp -oPort=22 root@192.168.0.113
Connecting to 192.168.0.113...
root@192.168.0.113's password:
sftp> put /etc/hosts /tmp
Uploading /etc/hosts to /tmp/hosts
/etc/hosts 100% 108 0.1KB/s 00:00
sftp> quit
[root@NFS ~]# ll /tmp
total 12
-rw-r--r-- 1 root root 292 Jul 25 15:33 a.log
-rw-r--r-- 1 root root 108 Jul 25 16:42 hosts
[root@oldboy ~]# egrep -v "^#|^$" /etc/ssh/sshd_config
Protocol 2
SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
X11Forwarding yes
Subsystem sftp /usr/libexec/openssh/sftp-server
8. SSH keys in production practice
1. Key-pair-based authentication (key authentication can also be between different users)
Key-based authentication also differs between Windows clients and Linux clients.
2. Enterprise production scenarios for ssh
a. Batch distribution of files or data in practice
1) Add a system account and set its password
[root@A ~]# useradd oldboy # add the user oldboy
[root@A ~]# id oldboy # check that the user oldboy was added successfully
uid=501(oldboy) gid=501(oldboy) groups=501(oldboy)
[root@A ~]# echo 123456|passwd --stdin oldboy # set the password non-interactively
Changing password for user oldboy.
passwd: all authentication tokens updated successfully.
2) Create the key pair
[root@A ~]# su - oldboy
welcome to oldboy linux training from /etc/profile.d
[oldboy@A ~]$ whoami
oldboy
[oldboy@A ~]$ man ssh-keygen
SSH-KEYGEN(1) BSD General Commands Manual SSH-KEYGEN(1)
NAME
ssh-keygen - authentication key generation, management and conversion
SYNOPSIS
ssh-keygen [-q] [-b bits] -t type [-N new_passphrase] [-C comment] [-f output_keyfile]
ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
ssh-keygen -i [-f input_keyfile]
ssh-keygen -e [-f input_keyfile]
ssh-keygen -y [-f input_keyfile]
ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]
ssh-keygen -l [-f input_keyfile]
ssh-keygen -B [-f input_keyfile]
ssh-keygen -D pkcs11
ssh-keygen -F hostname [-f known_hosts_file] [-l]
ssh-keygen -H [-f known_hosts_file]
ssh-keygen -R hostname [-f known_hosts_file]
ssh-keygen -r hostname [-f input_keyfile] [-g]
ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point]
ssh-keygen -T output_file -f input_file [-v]
ssh-keygen -t dsa # -t sets the type of key to create; here a dsa key
ssh-keygen -t rsa # create an rsa key; rsa is the default when no type is given
The difference between rsa and dsa:
rsa is an encryption algorithm
dsa is the abbreviation of Digital Signature Algorithm
rsa can both encrypt and produce digital signatures for authentication, whereas dsa can only produce digital signatures, and is therefore used only for authentication.
[oldboy@A ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/oldboy/.ssh/id_dsa): # press Enter here
Created directory '/home/oldboy/.ssh'.
Enter passphrase (empty for no passphrase): # press Enter here
Enter same passphrase again: # press Enter here
Your identification has been saved in /home/oldboy/.ssh/id_dsa.
Your public key has been saved in /home/oldboy/.ssh/id_dsa.pub.
The key fingerprint is:
0e:99:ef:7f:2d:5c:36:88:79:09:7a:89:e0:d1:f7:fc oldboy@A
The key's randomart image is:
+--[ DSA 1024]----+
| |
| |
| . |
| oo. o |
| .+oS+ B o |
| .+o = * + |
| o. o = . |
| . + E |
| .... . |
+-----------------+
[oldboy@A ~]$ ll ~/ -al
total 24
drwx------ 3 oldboy oldboy 4096 Jul 25 22:24 .
drwxr-xr-x. 3 root root 4096 Jul 25 21:58 ..
-rw-r--r-- 1 oldboy oldboy 18 Oct 16 2014 .bash_logout
-rw-r--r-- 1 oldboy oldboy 176 Oct 16 2014 .bash_profile
-rw-r--r-- 1 oldboy oldboy 124 Oct 16 2014 .bashrc
drwx------ 2 oldboy oldboy 4096 Jul 25 22:25 .ssh
[oldboy@A ~]$ ll ~/.ssh
total 8
-rw------- 1 oldboy oldboy 672 Jul 25 22:25 id_dsa # private key, mode 600, kept locally; the private key is the key
-rw-r--r-- 1 oldboy oldboy 598 Jul 25 22:25 id_dsa.pub # public key, mode 644, distributed to hosts B and C; the public key is the lock
[oldboy@A ~]$ ls -ld .ssh/
drwx------ 2 oldboy oldboy 4096 Jul 25 22:25 .ssh/
3) Check the ssh port on hosts B and C:
[root@B ~]# netstat -tunlp|grep ssh
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 915/sshd
tcp 0 0 :::22 :::* LISTEN 915/sshd
[root@B ~]# su - oldboy
welcome to oldboy linux training from /etc/profile.d
[oldboy@B ~]$
[root@C ~]# netstat -tunlp|grep ssh
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 968/sshd
tcp 0 0 :::22 :::* LISTEN 968/sshd
[root@C ~]# su - oldboy
welcome to oldboy linux training from /etc/profile.d
[oldboy@C ~]$
4) Push the public key to hosts B and C
[oldboy@A ~]$ man ssh-copy-id
SSH-COPY-ID(1) SSH-COPY-ID(1)
NAME
ssh-copy-id - install your public key in a remote machine's authorized_keys
SYNOPSIS
ssh-copy-id [-i [identity_file]] [user@]machine
DESCRIPTION
ssh-copy-id is a script that uses ssh to log into a remote machine (presumably using a login password, so password authentication should be enabled, unless you've done some clever use of multiple identities) It also changes the permissions of the remote user's home, ~/.ssh, and ~/.ssh/authorized_keys to remove group writability (which would otherwise prevent you from logging in, if the remote sshd has StrictModes set in its configuration). If the -i option is given then the identity file (defaults to ~/.ssh/id_rsa.pub) is used, regardless of whether there are any keys in your ssh-agent. Otherwise, if this: ssh-add -L provides any output, it uses that in preference to the identity file.
[oldboy@A ~]$ ssh-copy-id -i .ssh/id_dsa.pub "-p 22 oldboy@192.168.0.111" # push the public key to host C, method one
The authenticity of host '192.168.0.111 (192.168.0.111)' can't be established.
RSA key fingerprint is 85:83:52:21:20:dd:4a:7c:3c:df:ec:5a:de:a0:b4:82.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.111' (RSA) to the list of known hosts.
oldboy@192.168.0.111's password:
Now try logging into the machine, with "ssh '-p 22 oldboy@192.168.0.111'", and check in:
.ssh/authorized_keys # this message means the public key was pushed successfully
to make sure we haven't added extra keys that you weren't expecting.
[oldboy@A ~]$
[oldboy@A ~]$ which ssh-copy-id # method two for pushing the public key
/usr/bin/ssh-copy-id
[oldboy@A ~]$ logout
[root@A ~]# vi /usr/bin/ssh-copy-id
 1 #!/bin/sh
 2
 3 # Shell script to install your public key on a remote machine
 4 # Takes the remote machine name as an argument.
 5 # Obviously, the remote machine must accept password authentication,
 6 # or one of the other keys in your ssh-agent, for this to work.
 7
 8 ID_FILE="${HOME}/.ssh/id_rsa.pub"
 9
10 if [ "-i" = "$1" ]; then
11   shift
12   # check if we have 2 parameters left, if so the first is the new ID file
13   if [ -n "$2" ]; then
14     if expr "$1" : ".*\.pub" > /dev/null ; then
15       ID_FILE="$1"
16     else
17       ID_FILE="$1.pub"
18     fi
19     shift         # and this should leave $1 as the target name
20   fi
21 else
22   if [ x$SSH_AUTH_SOCK != x ] ; then
23     GET_ID="$GET_ID ssh-add -L"
24   fi
25 fi
26
27 if [ -z "`eval $GET_ID`" ] && [ -r "${ID_FILE}" ] ; then
28   GET_ID="cat \"${ID_FILE}\""
29 fi
30
31 if [ -z "`eval $GET_ID`" ]; then
32   echo "$0: ERROR: No identities found" >&2
33   exit 1
34 fi
35
36 if [ "$#" -lt 1 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
37   echo "Usage: $0 [-i [identity_file]] [user@]machine" >&2
38   exit 1
39 fi
40
41 { eval "$GET_ID" ; } | ssh -p22 $1 "umask 077; test -d ~/.ssh || mkdir ~/.ssh ; cat >> ~/.ssh/authorized_keys && (test -x /sbin/restorecon && /sbin/restorecon ~/.ssh ~/.ssh/authorized_keys >/dev/null 2>&1 || true)" || exit 1
42
43 cat <<EOF
44 Now try logging into the machine, with "ssh '$1'", and check in:
45
46   .ssh/authorized_keys
47
48 to make sure we haven't added extra keys that you weren't expecting.
49
50 EOF
# On line 41 the custom ssh port is inserted after ssh and before $1 (here -p22).
# Note: lines 12, 17 to 19 and 28 are not visible in the original capture and have been restored from the stock ssh-copy-id script shipped with this OpenSSH version.
"/usr/bin/ssh-copy-id" 50L, 1394C written
[root@A ~]# su - oldboy
welcome to oldboy linux training from /etc/profile.d
[oldboy@A ~]$ ssh-copy-id -i .ssh/id_dsa.pub oldboy@192.168.0.112 # push the public key to host B
The authenticity of host '192.168.0.112 (192.168.0.112)' can't be established.
RSA key fingerprint is 85:83:52:21:20:dd:4a:7c:3c:df:ec:5a:de:a0:b4:82.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.112' (RSA) to the list of known hosts.
oldboy@192.168.0.112's password:
Now try logging into the machine, with "ssh 'oldboy@192.168.0.112'", and check in:
.ssh/authorized_keys # this message means the public key was pushed successfully
to make sure we haven't added extra keys that you weren't expecting.
[oldboy@B ~]$ whoami
oldboy
[oldboy@B ~]$ ll .ssh/
total 4
-rw------- 1 oldboy oldboy 598 Jul 25 22:59 authorized_keys
[oldboy@B ~]$
[oldboy@C ~]$ ll .ssh/
total 4
-rw------- 1 oldboy oldboy 598 Jul 25 22:47 authorized_keys
[oldboy@C ~]$
[oldboy@A ~]$ ssh -p22 oldboy@192.168.0.111
welcome to oldboy linux training from /etc/profile.d
[oldboy@C ~]$ ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:0C:29:C4:5E:59
inet addr:192.168.0.111 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fec4:5e59/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:34573 errors:0 dropped:0 overruns:0 frame:0
TX packets:37880 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:9934738 (9.4 MiB) TX bytes:21723657 (20.7 MiB)
[oldboy@C ~]$
[oldboy@C ~]$ logout
Connection to 192.168.0.111 closed.
[oldboy@A ~]$ ssh -p22 oldboy@192.168.0.112
welcome to oldboy linux training from /etc/profile.d
[oldboy@B ~]$ ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:0C:29:26:9E:2B
inet addr:192.168.0.112 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe26:9e2b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:46444 errors:0 dropped:0 overruns:0 frame:0
TX packets:45611 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:26468622 (25.2 MiB) TX bytes:32723825 (31.2 MiB)
[oldboy@B ~]$
[oldboy@B ~]$ logout
Connection to 192.168.0.112 closed.
[oldboy@A ~]$ ssh -p22 oldboy@192.168.0.112 /sbin/ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:0C:29:26:9E:2B
inet addr:192.168.0.112 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe26:9e2b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:47192 errors:0 dropped:0 overruns:0 frame:0
TX packets:46131 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:27062027 (25.8 MiB) TX bytes:32975656 (31.4 MiB)
[oldboy@A ~]$
[oldboy@A ~]$ ssh -p22 oldboy@192.168.0.111 /sbin/ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:0C:29:C4:5E:59
inet addr:192.168.0.111 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fec4:5e59/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:34789 errors:0 dropped:0 overruns:0 frame:0
TX packets:38039 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:9957285 (9.4 MiB) TX bytes:21738962 (20.7 MiB)
Note: a special use of ssh-copy-id
If SSH has been moved to a non-standard port such as 52113, the ssh-copy-id command used above can no longer distribute the public key. To keep using ssh-copy-id there are two possible solutions:
1. Run: ssh-copy-id -i .ssh/id_dsa.pub "-p 52113 oldboy@192.168.0.111" # distribution to a special port; the quotes are required
2. Edit the script with vi /usr/bin/ssh-copy-id and change line 41 as follows (the changed part was shown in bold in the original):
41 { eval "$GET_ID" ; } | ssh -p22 $1 "umask 077; test -d ~/.ssh || mkdir ~/.ssh ; cat >> ~/.ssh/authorized_keys && (test -x /sbin/restorecon && /sbin/restorecon ~/.ssh ~/.ssh/authorized_keys >/dev/null 2>&1 || true)" || exit 1 # on line 41, insert the custom ssh port after ssh and before $1
After the ssh-copy-id script has run successfully on the central distribution server A, the public key (the lock file) copied over from A can be seen on B (192.168.0.112) and C (192.168.0.111) as follows:
[oldboy@B ~]$ ll .ssh/
total 4
-rw------- 1 oldboy oldboy 598 Jul 25 22:59 authorized_keys
[oldboy@C ~]$ ll .ssh/
total 4
-rw------- 1 oldboy oldboy 598 Jul 25 22:47 authorized_keys
3.ssh-copy-id的原理(ssh-copy-id -i .ssh/id_dsa.pub "-p 52113oldboy@192.168.0.111")
就是把.ssh/id_dsa.pub复制到192.168.0.111下面的.ssh目录(提前创建,权限为700)下,并做了更改名字的操作,名字改为authorized_keys,权限变为600.
[oldboy@C ~]$ ll -d .ssh/
drwx------ 2 oldboy oldboy 4096 Jul 2522:47 .ssh/
[oldboy@C ~]$ ll .ssh/
total 4
-rw------- 1 oldboy oldboy 598 Jul 25 22:47authorized_keys
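The two functions below are an added example (mine, not code from the original page or from OpenSSH) covering both the non-default-port problem and the "how ssh-copy-id works" item above. install_pubkey reproduces the remote half of ssh-copy-id locally, so the umask/mkdir/append sequence and the resulting 700/600 modes can be checked offline; it also refuses to append a key line that is already present, which the ssh-copy-id of this vintage does not check, so re-running it does not pile up duplicates. remote_install does the same thing over ssh to an arbitrary port without editing /usr/bin/ssh-copy-id. The port 52113 and the paths come from the text; the function names are my own.

```shell
#!/bin/sh
# install_pubkey PUBKEY_FILE TARGET_HOME
# The remote half of ssh-copy-id, run locally: umask 077 so the directory
# comes out 700 and the file 600, create TARGET_HOME/.ssh if missing, then
# append each key line to authorized_keys.  Added check: a key line that is
# already present is not appended again, so repeated runs are harmless.
# The body is a subshell so the umask change does not leak to the caller.
install_pubkey() (
    pubkey_file=$1
    ssh_dir=$2/.ssh
    auth=$ssh_dir/authorized_keys
    umask 077
    mkdir -p "$ssh_dir" || exit 1
    [ -f "$auth" ] || : > "$auth"
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        # -x whole-line, -F fixed-string match against the existing file
        grep -qxF -- "$line" "$auth" || printf '%s\n' "$line" >> "$auth"
    done < "$pubkey_file"
)

# remote_install PORT USER@HOST PUBKEY_FILE
# Same operation over ssh to a non-default port, without touching
# /usr/bin/ssh-copy-id: the key file is fed to the remote "cat" on stdin.
remote_install() {
    ssh -p "$1" "$2" \
        'umask 077; test -d ~/.ssh || mkdir ~/.ssh; cat >> ~/.ssh/authorized_keys' \
        < "$3"
}

# As in the text:
#   remote_install 52113 oldboy@192.168.0.111 ~/.ssh/id_dsa.pub
```

The remote command is the same one ssh-copy-id runs; the only difference is that ssh receives the port as a normal option, so no quoting tricks are needed.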
9. Testing batch distribution of a file to all servers
[oldboy@A ~]$ whoami
oldboy
[oldboy@A ~]$ echo 123 >a.txt
[oldboy@A ~]$ ll
total 4
-rw-rw-r-- 1 oldboy oldboy 4 Jul 26 00:00 a.txt
[oldboy@A ~]$ cat a.txt
123
[oldboy@A ~]$ scp -P22 a.txt oldboy@192.168.0.111:~
a.txt 100% 4 0.0KB/s 00:00
[oldboy@A ~]$ scp -P22 a.txt oldboy@192.168.0.112:~
a.txt 100% 4 0.0KB/s 00:00
[oldboy@A ~]$ history|grep scp
35 scp -P22 a.txt oldboy@192.168.0.111:~
36 scp -P22 a.txt oldboy@192.168.0.112:~
37 history|grep scp
[oldboy@A ~]$ vi fenfa.sh
#piliangfenfajiaoben,2015-07-26,linuxzkq
scp -P22 a.txt oldboy@192.168.0.111:~
scp -P22 a.txt oldboy@192.168.0.112:~
"fenfa.sh" [New] 3L, 117C written
[oldboy@A ~]$ ll
total 8
-rw-rw-r-- 1 oldboy oldboy 4 Jul 26 00:00 a.txt
-rw-rw-r-- 1 oldboy oldboy 117 Jul 26 00:06fenfa.sh
[oldboy@A ~]$ sh fenfa.sh
a.txt 100% 4 0.0KB/s 00:00
a.txt 100% 4 0.0KB/s 00:00
[oldboy@A ~]$ sh fenfa.sh
a.txt 100% 4 0.0KB/s 00:00
a.txt 100% 4 0.0KB/s 00:00
[oldboy@A ~]$ ll
total 8
-rw-rw-r-- 1 oldboy oldboy 4 Jul 26 00:00 a.txt
-rw-rw-r-- 1 oldboy oldboy 117 Jul 26 00:06fenfa.sh
[oldboy@A ~]$ vi fenfa.sh
#piliangfenfajiaoben,2015-07-26,linuxzkq
for n in 111 112
do
scp -P22 $1 oldboy@192.168.0.$n:~
done
"fenfa.sh" 5L, 108C written
[oldboy@A ~]$ cat fenfa.sh
#piliangfenfajiaoben,2015-07-26,linuxzkq
for n in 111 112
do
scp -P22 $1 oldboy@192.168.0.$n:~
done
[oldboy@A ~]$ ll
total 8
-rw-rw-r-- 1 oldboy oldboy 4 Jul 26 00:00 a.txt
-rw-rw-r-- 1 oldboy oldboy 108 Jul 26 00:16fenfa.sh
[oldboy@A ~]$ sh fenfa.sh /etc/hosts
hosts 100% 106 0.1KB/s 00:00
hosts 100% 106 0.1KB/s 00:00
[oldboy@B ~]$ ll
total 8
-rw-rw-r-- 1 oldboy oldboy 4 Jul 26 00:11 a.txt
-rw-r--r-- 1 oldboy oldboy 106 Jul 26 00:20 hosts
[oldboy@C ~]$ ll
total 8
-rw-rw-r-- 1 oldboy oldboy 4 Jul 26 00:11 a.txt
-rw-r--r-- 1 oldboy oldboy 106 Jul 26 00:20 hosts
[oldboy@A ~]$ vi fenfa.sh
#piliangfenfajiaoben,2015-07-26,linuxzkq
for n in 111 112
do
scp -P22 -rp $1 oldboy@192.168.0.$n:~ # -r lets the script distribute whole directories; -p preserves the modes and modification times of the files and directories it copies
done
[oldboy@A ~]$ sh fenfa.sh /etc/
mail.rc 100% 1909 1.9KB/s 00:00
exports 100% 81 0.1KB/s 00:00
libuser.conf 100% 2293 2.2KB/s 00:00
alsactl.conf 100% 203 0.2KB/s 00:00
mailx.conf 100% 331 0.3KB/s 00:00
rhtsupport.conf 100% 417 0.4KB/s 00:00
report_event.conf 100% 2134 2.1KB/s 00:00
report_Logger.conf 100% 49 0.1KB/s 00:00
report_Tarball.xml 100% 5085 5.0KB/s 00:00
report_Mailx.xml 100% 20KB 20.0KB/s 00:00
report_Kerneloops.xml 100% 7792 7.6KB/s 00:00
[oldboy@B ~]$ ll
total 12
-rw-rw-r-- 1 oldboy oldboy 4 Jul 26 00:11 a.txt
drwxr-xr-x 85 oldboy oldboy 4096 Jul 25 22:00 etc
-rw-r--r-- 1 oldboy oldboy 106 Jul 26 00:20 hosts
[oldboy@C ~]$ ll
total 12
-rw-rw-r-- 1 oldboy oldboy 4 Jul 26 00:11 a.txt
drwxr-xr-x 85 oldboy oldboy 4096 Jul 25 22:00 etc
-rw-r--r-- 1 oldboy oldboy 106 Jul 26 00:20 hosts
Summary of passwordless login:
1) Key-based passwordless login is one-way: A can log into B and C without a password, not the reverse, unless their keys are distributed too.
2) It is per user: the key pair belongs to one account, so avoid mixing different users on the two ends.
3) Slow ssh connections are a separate problem to keep in mind (commonly caused by reverse DNS and GSSAPI lookups on the server side).
4) Batch distribution to 1000 machines still requires typing the password once per machine, and the first connection to each asks you to confirm the host key; automate both with expect.
10. SSH batch management
[oldboy@A ~]$ cp fenfa.sh guanli.sh
[oldboy@A ~]$ ll
total 12
-rw-rw-r-- 1 oldboy oldboy 4 Jul 26 00:00 a.txt
-rw-rw-r-- 1 oldboy oldboy 112 Jul 26 00:28 fenfa.sh
-rw-rw-r-- 1 oldboy oldboy 112 Jul 26 20:44 guanli.sh
[oldboy@A ~]$ ssh -p22 oldboy@192.168.0.111 /sbin/ifconfig|grep 192.168.0.
inet addr:192.168.0.111 Bcast:192.168.0.255 Mask:255.255.255.0
[oldboy@A ~]$ ssh -p22 oldboy@192.168.0.112 /sbin/ifconfig|grep 192.168.0.
inet addr:192.168.0.112 Bcast:192.168.0.255 Mask:255.255.255.0
[oldboy@A ~]$ vi guanli.sh
#!/bin/sh
#piliangfenfajiaoben,2015-07-26,linuxzkq
for n in 111 112
do
ssh -p22 oldboy@192.168.0.$n /sbin/ifconfig|grep 192.168.0.
done
"guanli.sh" 8L, 147C written
[oldboy@A ~]$ cat guanli.sh
#!/bin/sh
#piliangfenfajiaoben,2015-07-26,linuxzkq
for n in 111 112
do
ssh -p22 oldboy@192.168.0.$n /sbin/ifconfig|grep 192.168.0.
done
[oldboy@A ~]$ sh guanli.sh
inet addr:192.168.0.111 Bcast:192.168.0.255 Mask:255.255.255.0
inet addr:192.168.0.112 Bcast:192.168.0.255 Mask:255.255.255.0
[oldboy@A ~]$ vi guanli.sh
#!/bin/sh
#piliangfenfajiaoben,2015-07-26,linuxzkq
for n in 111 112
do
ssh -p22 oldboy@192.168.0.$n $1
done
"guanli.sh" 8L, 119C written
[oldboy@A ~]$ sh guanli.sh
Last login: Sat Jul 25 23:16:51 2015 from 192.168.0.114
welcome to oldboy linux training from /etc/profile.d
[oldboy@C ~]$
[oldboy@C ~]$ logout
Connection to 192.168.0.111 closed.
Last login: Sat Jul 25 23:19:04 2015 from 192.168.0.114
welcome to oldboy linux training from /etc/profile.d
[oldboy@B ~]$ logout
Connection to 192.168.0.112 closed.
[oldboy@A ~]$ sh guanli.sh
Last login: Sun Jul 26 20:55:21 2015 from 192.168.0.114
welcome to oldboy linux training from /etc/profile.d
[oldboy@C ~]$ logout
Connection to 192.168.0.111 closed.
Last login: Sun Jul 26 20:58:07 2015 from 192.168.0.114
welcome to oldboy linux training from /etc/profile.d
[oldboy@B ~]$ logout
Connection to 192.168.0.112 closed.
[oldboy@A ~]$ sh guanli.sh /sbin/ifconfig eth0|grep 192.168.0.
inet addr:192.168.0.111 Bcast:192.168.0.255 Mask:255.255.255.0
inet addr:192.168.0.112 Bcast:192.168.0.255 Mask:255.255.255.0
[oldboy@A ~]$ sh guanli.sh "/sbin/ifconfig eth0|grep 192.168.0."
inet addr:192.168.0.111 Bcast:192.168.0.255 Mask:255.255.255.0
inet addr:192.168.0.112 Bcast:192.168.0.255 Mask:255.255.255.0
[oldboy@A ~]$ sh guanli.sh "/usr/bin/free -m"
total used free shared buffers cached
Mem: 988 929 58 0 2 10
-/+ buffers/cache: 916 71
Swap: 2047 504 1543
total used free shared buffers cached
Mem: 988 738 249 0 24 198
-/+ buffers/cache: 515 472
Swap: 2047 0 2047
[oldboy@A ~]$ sh guanli.sh "/sbin/ifconfig eth0"|sed -rn 's#^.*dr:(.*) Bc.*$#\1#gp'
192.168.0.111
192.168.0.112
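The fenfa.sh and guanli.sh scripts above hard-code two hosts and carry on silently when an scp or ssh fails. As an added example (mine, not the page's scripts), here is the same idea generalised: the hosts come from a list file, ssh runs with BatchMode so a password prompt or an unknown host key fails instead of hanging the batch, a connect timeout keeps one dead host from stalling the rest, and the return value is the number of hosts that failed. The host file format (one address per line, # comments), the function names, and the SSH_CMD/SCP_CMD variables are my assumptions; the variables exist only so the functions can be exercised with stubs when no remote hosts are available.

```shell
#!/bin/sh
# Batch distribution (fenfa) and management (guanli) driven by a host list.
# SSH_CMD/SCP_CMD can be overridden, e.g. with stubs for an offline test.
: "${SSH_CMD:=ssh}"
: "${SCP_CMD:=scp}"
: "${SSH_PORT:=22}"
: "${SSH_USER:=oldboy}"
# BatchMode=yes: never prompt for a password or an unknown host key; an
# unknown key is an error, which is what a script should see.  Populate
# known_hosts beforehand (ssh-keyscan, with the fingerprints checked out of
# band) rather than turning StrictHostKeyChecking off.
SSH_OPTS="-o BatchMode=yes -o ConnectTimeout=5"

# each_host HOST_FILE CALLBACK: run "CALLBACK host" for every non-blank,
# non-comment line; return the number of hosts for which it failed.
each_host() {
    host_file=$1; callback=$2; failed=0
    while read -r host _; do
        case $host in ''|\#*) continue ;; esac
        if ! "$callback" "$host"; then
            echo "FAILED: $host" >&2
            failed=$((failed + 1))
        fi
    done < "$host_file"
    return $failed
}

# fenfa HOST_FILE LOCAL_PATH [REMOTE_DIR]: scp -rp LOCAL_PATH to every host.
fenfa() {
    _src=$2; _dest=${3:-'~'}
    _fenfa_one() {
        $SCP_CMD $SSH_OPTS -P "$SSH_PORT" -rp "$_src" "$SSH_USER@$1:$_dest"
    }
    each_host "$1" _fenfa_one
}

# guanli HOST_FILE COMMAND...: run COMMAND on every host.
guanli() {
    _hosts=$1; shift
    _cmd=$*
    # -n keeps ssh from reading stdin; stdin here is the host list being
    # read by the while loop, and without -n the first ssh would swallow
    # the remaining hosts.
    _guanli_one() {
        $SSH_CMD $SSH_OPTS -n -p "$SSH_PORT" "$SSH_USER@$1" "$_cmd"
    }
    each_host "$_hosts" _guanli_one
}

# Usage, with a hosts.txt listing 192.168.0.111 and 192.168.0.112:
#   fenfa hosts.txt /etc/hosts
#   guanli hosts.txt "/sbin/ifconfig eth0|grep 192.168.0."
```

The failure count is returned as the exit status, which is convenient for cron and for "|| echo" checks but wraps past 255 hosts; for very large fleets write the failed hosts to a file instead.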
11. Copying files with sudo privilege escalation over SSH: scheme and practice
1. Granting the cp command through sudo
[oldboy@A ~]$ cp /etc/hosts hosts
[oldboy@A ~]$ ll
total 24
-rw-r--r-- 1 oldboy oldboy 4 Jul 26 00:00 a.txt
-rw-r--r-- 1 oldboy oldboy 112 Jul 26 22:10 fenfa1.sh
-rw-r--r-- 1 oldboy oldboy 112 Jul 26 00:28 fenfa.sh
-rw-r--r-- 1 oldboy oldboy 119 Jul 26 20:55 guanli.sh
-rw-r--r-- 1 oldboy oldboy 106 Jul 26 22:23 hosts
[oldboy@A ~]$ vi hosts
127.0.0.1 mysql localhost4 localhost4.localdomain4
::1 mysql localhost6 localhost6.localdomain6
192.168.0.114 A
192.168.0.112 B
192.168.0.111 C
"hosts" 5L, 154C written
[oldboy@A ~]$ cat fenfa.sh
#piliangfenfajiaoben,2015-07-26,linuxzkq
for n in 111 112
do
scp -P22 -rp $1 oldboy@192.168.0.$n:~
done
[oldboy@A ~]$ sh fenfa.sh hosts
hosts 100% 154 0.2KB/s 00:00
hosts 100% 154 0.2KB/s 00:00
[oldboy@B ~]$ ll
total 12
-rw-r--r-- 1 oldboy oldboy 4 Jul 26 00:11 a.txt
drw-r--r-- 85 oldboy oldboy 4096 Jul 25 22:00 etc
-rw-r--r-- 1 oldboy oldboy 154 Jul 26 22:24 hosts
[oldboy@C ~]$ ll
total 12
-rw-r--r-- 1 oldboy oldboy 4 Jul 26 00:11 a.txt
drw-r--r-- 85 oldboy oldboy 4096 Jul 25 22:00 etc
-rw-r--r-- 1 oldboy oldboy 154 Jul 26 22:24 hosts
[oldboy@A ~]$ vi fenfa.sh
#piliangfenfajiaoben,2015-07-26,linuxzkq
for n in 111 112
do
scp -P22 -rp $1 oldboy@192.168.0.$n:$2
done
"fenfa.sh" 5L, 113C written
[oldboy@A ~]$ sh fenfa.sh hosts /etc
scp: /etc/hosts: Permission denied
scp: /etc/hosts: Permission denied
[oldboy@A ~]$ sh -x fenfa.sh hosts /etc # -x traces the script, printing each command after expansion as it runs
+ for n in 111 112
+ scp -P22 -rp hosts oldboy@192.168.0.111:/etc
scp: /etc/hosts: Permission denied
+ for n in 111 112
+ scp -P22 -rp hosts oldboy@192.168.0.112:/etc
scp: /etc/hosts: Permission denied
[oldboy@A ~]$ logout
[root@A ~]# visudo
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.
## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias FILESERVERS = fs1, fs2
# Host_Alias MAILSERVERS = smtp, smtp2
## User Aliases
## These aren't often necessary, as you can use regular groups
"/etc/sudoers.tmp" 118L, 4002C
## systems).
## Syntax:
##
## user MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
oldboy ALL=(ALL) NOPASSWD:/bin/cp # added after line 98: lets the oldboy user run /bin/cp as root without a password (sudo privilege escalation)
## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
## Allows people in group wheel to run all commands
"/etc/sudoers.tmp" 119L, 4043C written
[root@A ~]# su - oldboy
welcome to oldboy linux training from/etc/profile.d
[oldboy@A ~]$
[oldboy@A ~]$ sudo -l
Matching Defaults entries for oldboy on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL
PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User oldboy may run the following commands on this host:
(ALL) NOPASSWD: /bin/cp
Note: this output means the sudo configuration is correct.
[oldboy@A ~]$ cp hosts /etc/
cp: cannot create regular file `/etc/hosts': Permission denied
[oldboy@A ~]$ sudo cp hosts /etc/
[oldboy@A ~]$ cat /etc/hosts
127.0.0.1 mysql localhost4 localhost4.localdomain4
::1 mysql localhost6 localhost6.localdomain6
192.168.0.114 A
192.168.0.112 B
192.168.0.111 C
[oldboy@B ~]$ logout
[root@B ~]# echo "oldboy ALL=(ALL) NOPASSWD:/bin/cp">>/etc/sudoers
[oldboy@C ~]$ logout
[root@C ~]# echo "oldboy ALL=(ALL) NOPASSWD:/bin/cp">>/etc/sudoers
[root@B ~]# visudo -c # check that the sudoers file parses; this is mandatory after appending with echo, which bypasses visudo's locking and syntax check, because a sudoers file with a syntax error disables sudo for everyone
/etc/sudoers: parsed OK
[root@C ~]# visudo -c
/etc/sudoers: parsed OK
[root@B ~]# su - oldboy
welcome to oldboy linux training from/etc/profile.d
[oldboy@B ~]$
[root@C ~]# su - oldboy
welcome to oldboy linux training from/etc/profile.d
[oldboy@C ~]$
[oldboy@C ~]$ logout
2. Running sudo remotely
[root@C ~]# visudo
Find the following lines:
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
# You have to run "ssh -t hostname sudo <cmd>". # method one for remote sudo: allocate a tty with ssh -t
#
Defaults requiretty # method two: comment out this line
[oldboy@A ~]$ ssh -p22 oldboy@192.168.0.111 sudo /bin/cp -f ~/hosts /etc/hosts
sudo: sorry, you must have a tty to run sudo
[oldboy@A ~]$ ssh -p22 -t oldboy@192.168.0.111 sudo /bin/cp -f ~/hosts /etc/hosts
Connection to 192.168.0.111 closed.
[oldboy@C ~]$ cat /etc/hosts
127.0.0.1 mysql localhost4 localhost4.localdomain4
::1 mysql localhost6 localhost6.localdomain6
192.168.0.114 A
192.168.0.112 B
192.168.0.111 C
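The rule added to sudoers above, NOPASSWD:/bin/cp with no argument restriction, lets oldboy run sudo cp with any source and destination, so it can overwrite /etc/shadow or /etc/sudoers; it is equivalent to handing the account root. As an added example (mine, not from the original page), the fragment below keeps the distribution script working while pinning cp to the one invocation it needs, and waives requiretty for this account instead of disabling it for everyone. The path /home/oldboy/hosts is assumed from the script's ~/$1; sudoers compares the argument list literally, so the rule must match exactly what the script runs. Check a candidate file with visudo -cf FILE before installing it with visudo.

```text
# /etc/sudoers fragment (added example; install with visudo, check first with: visudo -cf FILE)

# Rule from the text: any cp, as any user, no password.  Root-equivalent:
#   sudo cp ~/evil_sudoers /etc/sudoers
#oldboy ALL=(ALL) NOPASSWD: /bin/cp

# Tightened: exactly the command the distribution script runs
# (sudo /bin/cp ~/hosts /etc/), as root only.  Any other source or
# destination is refused.
oldboy ALL=(root) NOPASSWD: /bin/cp /home/oldboy/hosts /etc/

# "ssh host sudo cmd" fails with "you must have a tty" because of
# Defaults requiretty.  Waive it for this account only, rather than
# commenting out the global default.
Defaults:oldboy !requiretty
```

With the per-user Defaults line in place the script no longer needs ssh -t, and every other account on the host keeps the tty requirement.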
[oldboy@A ~]$ vi fenfa.sh
#piliangfenfajiaoben,2015-07-26,linuxzkq
for n in 111 112
do
scp -rp $1 oldboy@192.168.0.$n:~ && \
ssh -t oldboy@192.168.0.$n sudo /bin/cp ~/$1 /etc/
done
[oldboy@B ~]$ cat /etc/hosts
127.0.0.1 mysql localhost4 localhost4.localdomain4
::1 mysql localhost6 localhost6.localdomain6
192.168.0.114 A
192.168.0.112 B
192.168.0.111 C
[oldboy@B ~]$ ll /etc/hosts
-rw-r--r-- 1 root root 154 Jul 27 00:07 /etc/hosts
[oldboy@C ~]$ cat /etc/hosts
127.0.0.1 mysql localhost4 localhost4.localdomain4
::1 mysql localhost6 localhost6.localdomain6
192.168.0.114 A
192.168.0.112 B
192.168.0.111 C
[oldboy@C ~]$ ll /etc/hosts
-rw-r--r-- 1 root root 154 Jul 27 00:07 /etc/hosts
12. Batch file distribution over SSH with suid privilege escalation: scheme and practice
[root@C ~]# which rsync
/usr/bin/rsync
[root@B ~]# chmod 4755 `which rsync` # method one: give the rsync command the suid bit; note the backquotes around which rsync
[root@C ~]# chmod u+s `which rsync` # method two: same effect with a symbolic mode; again backquotes around which rsync
[root@A ~]# chmod u+s $(which rsync) # method three: same, using $(...) command substitution instead of backquotes
[root@NFS ~]# ll /usr/bin/rsync
-rwxr-xr-x 1 root root 414968 Apr 30 2014 /usr/bin/rsync
[root@NFS ~]# chmod u+s $(which rsync)
[root@NFS ~]# ll /usr/bin/rsync
-rwsr-xr-x 1 root root 414968 Apr 30 2014 /usr/bin/rsync
[root@NFS ~]# chmod u-s $(which rsync)
[root@NFS ~]# ll /usr/bin/rsync
-rwxr-xr-x 1 root root 414968 Apr 30 2014 /usr/bin/rsync
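A setuid-root rsync runs as root for every local user, and rsync copies arbitrary files to arbitrary destinations, so the chmod above hands root to anyone with a shell on the box (the summary in the next section rates the scheme accordingly). The check a practitioner wants alongside it is a periodic audit of setuid/setgid files against a known baseline, so an unexpected u+s is noticed. The functions below are an added example of mine, not the page's; the baseline format (one absolute path per line) and the function names are my assumptions.

```shell
#!/bin/sh
# audit_suid ROOT [BASELINE]
# Without BASELINE: list every setuid or setgid regular file under ROOT.
# With BASELINE (one path per line): print only the files not in it and
# return 1 if there are any, so the call can drive a cron mail or an alert.
audit_suid() {
    root=$1; baseline=$2
    # -xdev: stay on one filesystem; -perm -4000/-2000: setuid/setgid bits
    found=$(find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort)
    if [ -z "$baseline" ]; then
        [ -n "$found" ] && printf '%s\n' "$found"
        return 0
    fi
    [ -n "$found" ] || return 0
    # -x whole-line, -F fixed-string, -f patterns read from the baseline;
    # "|| true" because grep exits 1 when nothing is left after filtering
    extra=$(printf '%s\n' "$found" | grep -vxF -f "$baseline" || true)
    [ -n "$extra" ] || return 0
    printf '%s\n' "$extra"
    return 1
}

# strip_suid FILE: the remediation for an unexpected hit, i.e. the chmod u-s
# from the text, plus g-s.
strip_suid() {
    chmod u-s,g-s "$1"
}

# Typical use on a server, baseline taken once on a known-good system:
#   find / -xdev -type f \( -perm -4000 -o -perm -2000 \) | sort > /root/suid.baseline
#   audit_suid / /root/suid.baseline || echo "new setuid/setgid binaries found"
```

Take the baseline on a freshly installed host before anyone has had a chance to add entries, and re-take it deliberately after package updates that legitimately ship setuid binaries.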
[oldboy@A ~]$ cp fenfa.sh fenfa2.sh
[oldboy@A ~]$ vi fenfa2.sh
#piliangfenfajiaoben,2015-07-26,linuxzkq
for n in 111 112
do
scp -rp $1 oldboy@192.168.0.$n:~ && \
ssh oldboy@192.168.0.$n /usr/bin/rsync ~/$1 /etc/
done
"fenfa2.sh" 6L, 169C written
[oldboy@A ~]$ ll
total 28
-rw-r--r-- 1 oldboy oldboy 4 Jul 26 00:00 a.txt
-rw-r--r-- 1 oldboy oldboy 112 Jul 26 22:10 fenfa1.sh
-rw-r--r-- 1 oldboy oldboy 169 Jul 27 21:27 fenfa2.sh
-rw-r--r-- 1 oldboy oldboy 170 Jul 27 00:02 fenfa.sh
-rw-r--r-- 1 oldboy oldboy 119 Jul 26 20:55 guanli.sh
-rw-rw-r-- 1 oldboy oldboy 620 Jul 26 22:01 ssh_key.tar.gz
[oldboy@A ~]$ cat /tmp/hosts
127.0.0.1 mysql localhost4 localhost4.localdomain4
::1 mysql localhost6 localhost6.localdomain6
192.168.0.114 A
192.168.0.112 B
192.168.0.111 C
##oldboy
[oldboy@A ~]$ cp -rf /tmp/hosts hosts
[oldboy@A ~]$ ll
total 28
-rw-r--r-- 1 oldboy oldboy 4 Jul 26 00:00 a.txt
-rw-r--r-- 1 oldboy oldboy 112 Jul 26 22:10 fenfa1.sh
-rw-r--r-- 1 oldboy oldboy 169 Jul 27 21:27 fenfa2.sh
-rw-r--r-- 1 oldboy oldboy 170 Jul 27 00:02 fenfa.sh
-rw-r--r-- 1 oldboy oldboy 119 Jul 26 20:55 guanli.sh
-rw-r--r-- 1 oldboy oldboy 163 Jul 27 21:31 hosts
-rw-rw-r-- 1 oldboy oldboy 620 Jul 26 22:01 ssh_key.tar.gz
[oldboy@A ~]$ cat hosts
127.0.0.1 mysql localhost4 localhost4.localdomain4
::1 mysql localhost6 localhost6.localdomain6
192.168.0.114 A
192.168.0.112 B
192.168.0.111 C
##oldboy
[oldboy@A ~]$ sh fenfa2.sh hosts
hosts 100% 163 0.2KB/s 00:00
hosts 100% 163 0.2KB/s 00:00
[oldboy@C ~]$ cat /etc/hosts
127.0.0.1 mysql localhost4 localhost4.localdomain4
::1 mysql localhost6 localhost6.localdomain6
192.168.0.114 A
192.168.0.112 B
192.168.0.111 C
##oldboy
[oldboy@B ~]$ cat /etc/hosts
127.0.0.1 mysql localhost4 localhost4.localdomain4
::1 mysql localhost6 localhost6.localdomain6
192.168.0.114 A
192.168.0.112 B
192.168.0.111 C
##oldboy
13. Summary of ssh batch distribution and management schemes:
1. Do the ssh key authentication as root
Advantages: simple and easy to use
Drawbacks: poor security, and remote root login cannot be disabled, since the whole scheme depends on it
2. Use an ordinary user such as oldboy: first copy the distributed file into the user's home directory on the target server, then use sudo to copy it into the privileged destination directory
Advantages: more secure, provided the sudoers rule restricts cp to the exact source and destination; an unrestricted NOPASSWD: /bin/cp lets the user overwrite any file on the system as root
Drawbacks: more complex configuration
3. Extension: same as scheme 2, but instead of sudo, set the suid bit on a fixed command
Advantages: relatively secure
Drawbacks: complex, and weaker security: any local user can run a command that carries the suid bit, and a setuid-root rsync copies any file to any destination as root, which amounts to giving every user root
Recommendation:
a. If you want simplicity, choose 1
b. If you want security, choose 2
14. Securing the SSH distribution server, and the security thinking behind it
1. The central distribution server must not have a public IP address.
2. Enable the firewall, forbid ssh logins from the outside, and allow ssh access to the distribution server only from a single backend machine that itself has no public IP.
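As an added example (mine, not the page's configuration) of the two points above, the sshd_config and iptables settings on distribution server A (192.168.0.114) that implement them. The address 192.168.0.115 stands for the single internal admin host and is assumed; it does not appear in the text.

```text
# /etc/ssh/sshd_config on A (added example)
# Bind to the internal address only; A has no public IP
ListenAddress 192.168.0.114
# The keys live under the oldboy account; root never logs in over ssh
PermitRootLogin no
# Key-based only, once the admin host's key is in place
PasswordAuthentication no
# Only oldboy, and only from the one internal admin host (assumed address)
AllowUsers oldboy@192.168.0.115

# iptables on A: accept ssh from the admin host only, drop everything else
iptables -A INPUT -p tcp --dport 22 -s 192.168.0.115 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
```

Apply the sshd_config change with the admin session still open and test a second login before closing it, so a mistake in AllowUsers does not lock you out; the iptables rules are lost on reboot unless saved with the distribution's service script.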
Batch-management and automation options for enterprise production environments:
1. The simplest and most common is ssh_key, and it is also the most powerful. Typically used by small and medium businesses with fewer than 50-100 machines.
2. cfengine (sina cfengine) is an early batch-management tool; hardly any company uses it now.
3. puppet, popular at portal scale; complex and heavyweight.
4. saltstack: simple to get started with and powerful (the configuration does get complex).
5. http+wget+cron