Linux and Cloud Computing: Stage 2, Linux Server Setup
Chapter 3: Setting up an SSH server (part 1): OpenSSH basics
1. Password authentication
Configure the SSH server so that remote hosts can connect to it
[1] Even if you chose the minimal installation when installing CentOS, OpenSSH is installed by default, so you do not need to install any extra packages for this. By default you can log in remotely with a password; if you want stronger security, it is advisable to change part of the configuration.
[root@demo ~]# vim /etc/ssh/sshd_config
# line 49: uncomment and change (deny remote login as root)
PermitRootLogin no
# lines 77 and 78: uncomment
PermitEmptyPasswords no
PasswordAuthentication yes
[root@demo ~]# systemctl restart sshd
[2] If the firewall service is running, allow the SSH service; SSH communicates over TCP port 20.
[root@demo ~]# firewall-cmd --add-service=ssh --permanent
[root@demo ~]# firewall-cmd --reload
Configure the SSH client on CentOS.
[3] Install the SSH client.
[root@client ~]# yum -y install openssh-clients
[4] Connect to the SSH server as a regular user.
# ssh [username@(hostname or IP address)]
[root@client ~]# ssh user@192.168.96.128
The authenticity of host '192.168.96.128 (192.168.96.128)' can't be established.
ECDSA key fingerprint is 26:a3:c4:bc:cb:36:c5:20:1d:9c:ad:eb:b2:11:bb:36.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.96.128' (ECDSA) to the list of known hosts.
user@192.168.96.128's password:
[user@demo ~]$
[5] You can also use SSH to run a command on the remote host.
# for example, to run "cat /etc/passwd"
[root@client ~]# ssh user@192.168.96.128 "cat /etc/passwd"
user@192.168.96.128's password:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
...
...
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
Configure SSH Client on Windows.
[6] On Windows you can also try terminal software such as PuTTY, Xshell, or SecureCRT.
2. File transfer (CentOS)
File transfer over SSH is convenient, secure, and efficient.
[1] Transfer files with SCP (Secure Copy).
# scp [Option] Source Target
# copy the local [test.txt] to the remote server [demo.example.com]
[root@client ~]# cp /etc/passwd ./test.txt
[root@client ~]# scp test.txt user@192.168.96.128:~/
user@192.168.96.128's password:
test.txt 100% 1040 1.0KB/s 00:00
[2] Transfer files with SFTP (SSH File Transfer Protocol).
The SFTP server feature is usually enabled by default; if it is not, enable it by adding the following line to [/etc/ssh/sshd_config]: [Subsystem sftp /usr/libexec/openssh/sftp-server].
# sftp [Option] [user@host]
[root@client ~]# sftp user@192.168.96.128
user@192.168.96.128's password:
Connected to 192.168.96.128
# show the current directory on the remote host
sftp> pwd
Remote working directory: /home/user
# show the current directory on the local host
sftp> !pwd
/root
# list the files in the current directory on the remote host
sftp> ls -l
-rw-r--r-- 1 user user 1040 Jul 8 11:17 test.txt
# list the files in the current directory on the local host
sftp> !ls -l
total 8
-rw-------. 1 root root 996 Jul 8 03:44 anaconda-ks.cfg
-rw-r--r--. 1 root root 1040 Jul 8 20:15 test.txt
# upload a file to the remote server
sftp> put anaconda-ks.cfg redhat.txt
Uploading anaconda-ks.cfg to /home/user/redhat.txt
anaconda-ks.cfg
sftp> ls -l
-rw------- 1 user user 996 Jul 8 12:09 redhat.txt
-rw-r--r-- 1 user user 1040 Jul 8 11:17 test.txt
# download a file from the remote server
sftp> get test.txt
Fetching /home/user/test.txt to test.txt
/home/user/test.txt
# create a directory on the remote server
sftp> mkdir testdir
sftp> ls -l
-rw------- 1 user user 996 Jul 8 12:09 redhat.txt
-rw-r--r-- 1 user user 1040 Jul 8 11:17 test.txt
drwxrwxr-x 2 user user 6 Jul 8 12:35 testdir
# remove the directory
sftp> rmdir testdir
sftp> ls -l
-rw------- 1 user user 996 Jul 8 12:09 redhat.txt
-rw-r--r-- 1 user user 1040 Jul 8 11:17 test.txt
# remove a file
sftp> rm test.txt
Removing /home/user/test.txt
sftp> ls -l
-rw------- 1 user user 996 Jul 8 12:09 redhat.txt
# exit
sftp> quit
3. File transfer (Windows)
On Windows there is an SCP transfer tool worth recommending; you can download and install it yourself. It is simple to use: once installed, connect to the server and you can transfer files freely.
4. Key authentication
Access the SSH server with key authentication: create a private key and a public key on the server.
[1] Create a key pair for each user; a regular user then logs in to the server with the key.
# create the key pair
[user@demo ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Created directory '/home/user/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
b4:22:69:1c:b6:35:77:88:bc:61:96:b3:13:b6:fb:70 user@demo.example.com
The key's randomart image is:
[user@demo ~]$ mv ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
[user@demo ~]$ chmod 600 ~/.ssh/authorized_keys
[2] Send the created key to the client; the client can then use it to authenticate and access the server.
# copy the key into the local .ssh directory
[user@client ~]$ mkdir ~/.ssh
[user@client ~]$ chmod 700 ~/.ssh
[user@client ~]$ scp user@192.168.96.128:/home/user/.ssh/id_rsa ~/.ssh/
The authenticity of host '192.168.96.128 (192.168.96.128)' can't be established.
ECDSA key fingerprint is 26:a3:c4:bc:cb:36:c5:20:1d:9c:ad:eb:b2:11:bb:36.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.96.128' (ECDSA) to the list of known hosts.
user@192.168.96.128's password:
id_rsa
[user@client ~]$ ssh -i ~/.ssh/id_rsa user@192.168.96.128
Last login: Fri Jul 8 14:11:41 2016
[user@demo ~]$
[3] If you set "PasswordAuthentication" to no, the system will be more secure.
[root@demo ~]# vim /etc/ssh/sshd_config
# line 79: change yes to "no"
PasswordAuthentication no
[root@demo ~]# systemctl restart sshd
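Added example (not part of the original tutorial): a small POSIX sh audit of the three sshd_config directives edited in steps 1-[1] and 4-[3]. It reports the value sshd actually applies (the first uncommented occurrence before any Match block) and runs against two constructed sample configs, the state before and after step 4-[3]; the file names and function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original tutorial: audit the sshd_config
# directives the tutorial edits. sshd honours the FIRST uncommented
# occurrence of a directive, and lines after "Match" are conditional, so
# the global value is the first hit before any Match block ("Key value" syntax).

# effective_value FILE DIRECTIVE -> prints the global value, or "unset"
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }                  # skip comment lines
        tolower($1) == "match" { exit }            # conditional block begins
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# audit_sshd_config FILE -> one line per directive; returns 0 only when all
# three hold the hardened value the tutorial ends with (steps 1-[1], 4-[3]).
audit_sshd_config() {
    rc=0
    for pair in PermitRootLogin=no PermitEmptyPasswords=no PasswordAuthentication=no; do
        key="${pair%%=*}"; want="${pair#*=}"
        got=$(effective_value "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "OK   $key $got"
        else
            echo "FAIL $key is '$got', expected '$want'"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample configs (not real server files). BEFORE is the state
# after step 1-[1]: password logins still on, plus a commented-out line and
# a later duplicate, both of which sshd ignores.
BEFORE_CFG=$(mktemp); AFTER_CFG=$(mktemp)
trap 'rm -f "$BEFORE_CFG" "$AFTER_CFG"' EXIT
cat > "$BEFORE_CFG" <<'EOF'
#PermitRootLogin yes
PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication yes
PasswordAuthentication no
EOF
# AFTER is the state after step 4-[3].
sed 's/^PasswordAuthentication yes$/PasswordAuthentication no/' "$BEFORE_CFG" > "$AFTER_CFG"

audit_sshd_config "$BEFORE_CFG" || echo "-> sshd_config still allows password login"
audit_sshd_config "$AFTER_CFG"
```

Run it against a real file with `audit_sshd_config /etc/ssh/sshd_config` after editing, and remember the values only take effect once sshd has been restarted.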