Linux and Cloud Computing: Stage 2, Linux Server Setup

Chapter 3: Setting up an SSH server (part 1): OpenSSH basics

1. Password authentication

Configure the SSH server so that remote hosts can connect to it

[1] OpenSSH is installed by default even when CentOS was installed with the minimal option, so no extra packages are needed for this. By default you can log in remotely with a password; to tighten security it is still advisable to change a few settings.

[root@demo ~]# vim /etc/ssh/sshd_config

# line 49: uncomment and change (blocks remote login as root)

PermitRootLogin no

# lines 77 and 78: uncomment

PermitEmptyPasswords no

PasswordAuthentication yes

[root@demo ~]# systemctl restart sshd

[2] If the firewall service is running, allow the SSH service through (SSH communicates on TCP port 20).

[root@demo ~]# firewall-cmd --add-service=ssh --permanent

[root@demo ~]# firewall-cmd --reload

Configure the SSH client on CentOS.

[3] Install the SSH client.

[root@client ~]# yum -y install openssh-clients

[4] Connect to the SSH server as an ordinary user.

# ssh [username@(hostname or IP address)]

[root@client ~]# ssh user@192.168.96.128

The authenticity of host '192.168.96.128 (192.168.96.128)' can't be established.

ECDSA key fingerprint is 26:a3:c4:bc:cb:36:c5:20:1d:9c:ad:eb:b2:11:bb:36.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '192.168.96.128' (ECDSA) to the list of known hosts.

user@192.168.96.128's password:

[user@demo ~]$

[5] SSH can also run a command on the remote host.

# for example, to run "cat /etc/passwd" on the remote host

[root@client ~]# ssh user@192.168.96.128 "cat /etc/passwd"

user@192.168.96.128's password:

root:x:0:0:root:/root:/bin/bash

bin:x:1:1:bin:/bin:/sbin/nologin

...

...

postfix:x:89:89::/var/spool/postfix:/sbin/nologin

sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin

Configure SSH Client on Windows.

[6] On Windows you can use a terminal program such as PuTTY, Xshell or SecureCRT.

2. File transfer (CentOS)

File transfer over SSH is convenient, secure and efficient.

[1] Transfer files with SCP (Secure Copy).

# scp [Option] Source Target

# copy the local file [test.txt] to the remote server [demo.example.com]

[root@client ~]# cp /etc/passwd ./test.txt

[root@client ~]# scp test.txt user@192.168.96.128:~/

user@192.168.96.128's password:

test.txt                                                100% 1040     1.0KB/s   00:00

[2] Transfer files with SFTP (SSH File Transfer Protocol).

The SFTP subsystem is normally enabled by default; if it is not, enable it by adding the line [Subsystem sftp /usr/libexec/openssh/sftp-server] to [/etc/ssh/sshd_config].

# sftp [Option] [user@host]

[root@client ~]# sftp user@192.168.96.128

user@192.168.96.128's password:

Connected to 192.168.96.128

# show the current directory on the remote host

sftp> pwd

Remote working directory: /home/user

# show the current directory on the local machine

sftp> !pwd

/root

# list the files in the current directory on the remote host

sftp> ls -l

-rw-r--r--    1 user     user         1040 Jul  8 11:17 test.txt

# list the files in the current directory on the local host

sftp> !ls -l

total 8

-rw-------. 1 root root  996 Jul  8 03:44 anaconda-ks.cfg

-rw-r--r--. 1 root root 1040 Jul  8 20:15 test.txt

# upload a file to the remote server

sftp> put anaconda-ks.cfg redhat.txt

Uploading anaconda-ks.cfg to /home/user/redhat.txt

anaconda-ks.cfg

sftp> ls -l

-rw-------    1 user     user          996 Jul  8 12:09 redhat.txt

-rw-r--r--    1 user     user         1040 Jul  8 11:17 test.txt

# download a file from the remote server

sftp> get test.txt

Fetching /home/user/test.txt to test.txt

/home/user/test.txt

# create a directory on the remote server

sftp> mkdir testdir

sftp> ls -l

-rw-------    1 user     user          996 Jul  8 12:09 redhat.txt

-rw-r--r--    1 user     user         1040 Jul  8 11:17 test.txt

drwxrwxr-x    2 user     user            6 Jul  8 12:35 testdir

# remove the directory

sftp> rmdir testdir

sftp> ls -l

-rw-------    1 user     user          996 Jul  8 12:09 redhat.txt

-rw-r--r--    1 user     user         1040 Jul  8 11:17 test.txt

# delete a file

sftp> rm test.txt

Removing /home/user/test.txt

sftp> ls -l

-rw-------    1 user     user          996 Jul  8 12:09 redhat.txt

# quit

sftp> quit

3. File transfer (Windows)

On Windows there is a recommended SCP transfer tool that you can download and install yourself. It is simple to use: after installing it, connect to the server and you can transfer files freely.

4. Key authentication

To access the SSH server with key authentication, create a private key and a public key on the server.

[1] Each user creates a key pair, and ordinary users log in to the server with their key.

# create the key pair

[user@demo ~]$ ssh-keygen -t rsa

Generating public/private rsa key pair.

Enter file in which to save the key (/home/user/.ssh/id_rsa):

Created directory '/home/user/.ssh'.

Enter passphrase (empty for no passphrase):

Enter same passphrase again:

Your identification has been saved in /home/user/.ssh/id_rsa.

Your public key has been saved in /home/user/.ssh/id_rsa.pub.

The key fingerprint is:

b4:22:69:1c:b6:35:77:88:bc:61:96:b3:13:b6:fb:70 user@demo.example.com

The key's randomart image is:

[user@demo ~]$ mv ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys

[user@demo ~]$ chmod 600 ~/.ssh/authorized_keys

[2] Send the generated key to the client machine; the client then authenticates to the server with the key.

[user@client ~]$ mkdir ~/.ssh

[user@client ~]$ chmod 700 ~/.ssh

# copy the key into the local .ssh directory

[user@client ~]$ scp user@192.168.96.128:/home/user/.ssh/id_rsa ~/.ssh/

The authenticity of host '192.168.96.128 (192.168.96.128)' can't be established.

ECDSA key fingerprint is 26:a3:c4:bc:cb:36:c5:20:1d:9c:ad:eb:b2:11:bb:36.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '192.168.96.128' (ECDSA) to the list of known hosts.

user@192.168.96.128's password:

id_rsa

[user@client ~]$ ssh -i ~/.ssh/id_rsa user@192.168.96.128

Last login: Fri Jul  8 14:11:41 2016

[user@demo ~]$ 
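Added example for steps [1] and [2] above (my own code, not part of the original tutorial): the chapter moves id_rsa.pub over authorized_keys, which replaces any key already listed, so this installs a public key the way ssh-copy-id does (append only if absent) and then audits the modes set by the chapter's chmod 700 / chmod 600. The sandbox directory, the fake key line and all function names are constructed for the example.

```shell
# Added example, not from the original tutorial. Installs a public key by
# appending it only if absent (ssh-copy-id behaviour) and audits the modes
# the chapter sets. With StrictModes, sshd's default, key login is refused
# when ~/.ssh or authorized_keys is writable by group or others.

# Constructed sandbox standing in for a home directory, and a made-up public
# key line that is not a real key
HOME_DIR=$(mktemp -d)
trap 'rm -rf "$HOME_DIR"' EXIT
PUBKEY='ssh-rsa AAAAEXAMPLE-NOT-A-REAL-KEY user@client.example.com'

# Print the nine-character mode field from ls -ld, e.g. rwx------
mode_of() { ls -ld "$1" | cut -c2-10; }

# Append key line $2 to $1/.ssh/authorized_keys unless that exact line exists;
# create the directory and file with the modes the chapter uses
install_pubkey() {
    dir="$1/.ssh"; keys="$dir/authorized_keys"
    mkdir -p "$dir" && chmod 700 "$dir"
    [ -f "$keys" ] || : > "$keys"
    chmod 600 "$keys"
    grep -qxF -- "$2" "$keys" || printf '%s\n' "$2" >> "$keys"
}

# Number of keys on file: lines that are neither blank nor comments
count_keys() {
    grep -cv -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1/.ssh/authorized_keys"
}

# Exit 0 when both paths have exactly the mode the chapter sets, 1 otherwise
audit_modes() {
    rc=0
    for entry in "$1/.ssh rwx------" "$1/.ssh/authorized_keys rw-------"; do
        path=${entry% *}; want=${entry##* }; got=$(mode_of "$path")
        if [ "$got" = "$want" ]; then
            printf 'OK   %s %s\n' "$path" "$got"
        else
            printf 'WARN %s is %s (expected %s)\n' "$path" "$got" "$want"; rc=1
        fi
    done
    return $rc
}

install_pubkey "$HOME_DIR" "$PUBKEY"
install_pubkey "$HOME_DIR" "$PUBKEY"   # second run adds nothing
echo "keys on file: $(count_keys "$HOME_DIR")"
chmod 644 "$HOME_DIR/.ssh/authorized_keys"   # simulate a careless edit
audit_modes "$HOME_DIR" || echo "fix with: chmod 600 ~/.ssh/authorized_keys"
```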

[3] Setting "PasswordAuthentication" to no makes the system more secure.

[root@demo ~]# vim /etc/ssh/sshd_config

# line 79: change yes to "no"

PasswordAuthentication no

[root@demo ~]# systemctl restart sshd
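Added example covering the sshd_config edits in section 1 [1] and in step [3] above (my own code, not from the original tutorial): it reports the effective value of each directive from a file, so you can confirm the edit actually took effect. sshd treats keywords case-insensitively and, for each keyword, uses the first value it reads; a line that is still commented out only documents the compiled-in default. The sample config, its temp file and the function names are constructed for the example; Match blocks are not handled.

```shell
# Added example, not from the original tutorial: report the effective value
# of the sshd_config directives this chapter edits. sshd is case-insensitive
# on keywords and, for each keyword, uses the FIRST value it reads; a line
# that is still commented out only documents the compiled-in default.

# Constructed sample config written to a temp file, NOT /etc/ssh/sshd_config
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
# line 49 left commented out, so the built-in default still applies
#PermitRootLogin yes
PermitEmptyPasswords no
PasswordAuthentication yes
# duplicate keyword: sshd keeps the first value (yes), this line is ignored
PasswordAuthentication no
EOF

# Print the effective value of keyword $2 in file $1, or "unset" when the
# keyword appears only in comments
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blank lines
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Exit 0 when keyword $2 holds the expected value $3, 1 otherwise
check_directive() {
    actual=$(effective_value "$1" "$2")
    if [ "$actual" = "$3" ]; then
        printf 'OK   %-22s %s\n' "$2" "$actual"; return 0
    fi
    printf 'WARN %-22s %s (expected %s)\n' "$2" "$actual" "$3"; return 1
}

# Check the three settings from sections 1 [1] and 4 [3]; exit 1 if any fails
audit_sshd_config() {
    rc=0
    check_directive "$1" PermitRootLogin no        || rc=1
    check_directive "$1" PermitEmptyPasswords no   || rc=1
    check_directive "$1" PasswordAuthentication no || rc=1
    return $rc
}

audit_sshd_config "$SAMPLE_CFG" || echo "sample config still needs hardening"
```

On a real server, `sshd -T` prints the configuration sshd actually applies and is the authoritative check after `systemctl restart sshd`.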
