Table of contents
1. Understanding the SSH protocol
1-1. What is SSH?
SSH (Secure Shell) was specified by the IETF Network Working Group. It is currently a comparatively reliable protocol designed to provide security for remote login sessions and other network services.
In short: encrypted login between computers.
1-2. Why SSH was created
Traditional network services such as FTP, POP and Telnet are inherently insecure because they send passwords and data across the network in cleartext, so anyone with malicious intent can easily intercept them.
1-3. SSH protocol versions
- SSH version 1 (obsolete; vulnerable to man-in-the-middle attacks)
- SSH version 2
1-4. Common SSH client software
- Windows: PuTTY (avoid the Chinese-localized builds), Xshell (clean interface), SecureCRT (enterprise edition, paid)
- Linux/Unix: OpenSSH
1-5. How SSH works
2. OpenSSH user authentication methods
2-1. Password-based authentication
The first time you log in to a remote host, the system shows the following prompt:
[root@VM_33_142_centos ~]# ssh [email protected]
The authenticity of host 'java.createclouds.cn (119.29.72.88)' can't be established.
RSA key fingerprint is 90:c1:b4:87:e3:29:df:bd:1e:f6:42:8a:89:b7:86:01.
Note: on the first login the client cannot verify the remote host's authenticity, so it displays the host's public key fingerprint and asks whether you want to connect. To proceed, type yes; otherwise type no.
Are you sure you want to continue connecting (yes/no)?
2-2. Key-based authentication
- The client generates a public/private key pair
[test@foundation45 ~]$ ssh-keygen ## tool that generates the public and private key
Generating public/private rsa key pair.
Enter file in which to save the key (/home/test/.ssh/id_rsa): ## default location for the public and private key
Created directory '/home/test/.ssh'. ## the directory /home/test/.ssh is created
Enter passphrase (empty for no passphrase): ## enter a passphrase; it may be left empty
Enter same passphrase again:
Your identification has been saved in /home/test/.ssh/id_rsa.
Your public key has been saved in /home/test/.ssh/id_rsa.pub.
The key fingerprint is:
b5:03:81:58:fc:13:3e:dd:37:ff:a5:a8:c8:b6:7f:2f [email protected]
The key's randomart image is:
+--[ RSA 2048]----+
| +... |
| . o .. |
| o.o.. |
| =o... o |
| Soo . o |
| . o|
| . .o|
| ... E . .|
| .+ooo o. |
+-----------------+
[test@foundation45 ~]$ ls .ssh/
id_rsa ## private key
id_rsa.pub ## public key
- Authorize the key for the target user on the server host
[test@foundation45 ~]$ ssh-copy-id -i /home/test/.ssh/id_rsa.pub [email protected]
## use the ssh-copy-id tool
## -i ## the public key to install
## [email protected] ## target user and target host to authorize
The authenticity of host '172.25.254.188 (172.25.254.188)' can't be established.
ECDSA key fingerprint is 52:02:5d:54:4d:e3:b2:34:92:8f:8c:a7:00:e4:b5:46.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.
Question to consider: what if the key pair is generated on the server side instead? How would you set up a passwordless connection to the client?
4. Common parameters in the SSH server configuration file
#Port 22
#Protocol 2
#PermitRootLogin yes
PasswordAuthentication yes
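These four directives decide whether the password login from section 2-1 stays enabled once the key from section 2-2 has been installed. As an added example that is not part of the original post, the script below audits and hardens those directives in a constructed copy of sshd_config (the file path and sample contents are assumptions), using the first-match rule sshd applies when it reads the file:

```shell
#!/bin/sh
# Added example, not from the original post: audit and harden the sshd_config directives
# discussed above. It works on a constructed copy, never on the live /etc/ssh/sshd_config.
set -eu
CFG="${TMPDIR:-/tmp}/sshd_config.example"   # constructed sample file (assumed path)

# Constructed sample mirroring the excerpt: commented-out defaults plus one active line.
cat > "$CFG" <<'EOF'
#Port 22
#Protocol 2
#PermitRootLogin yes
PasswordAuthentication yes
EOF

# effective_value FILE DIRECTIVE: sshd honours the FIRST uncommented match for a keyword;
# a directive that appears only commented out is at its compiled-in default.
effective_value() {
    awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print "default" }
    ' "$1"
}

# set_directive FILE DIRECTIVE VALUE: rewrite the existing (possibly commented) line so the
# file keeps its layout, or append the directive if it is absent.
set_directive() {
    if grep -Eq "^#?[[:space:]]*$2[[:space:]]" "$1"; then
        sed -E "s/^#?[[:space:]]*$2[[:space:]].*/$2 $3/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf '%s %s\n' "$2" "$3" >> "$1"
    fi
}

# is_hardened FILE: succeeds only when every login-relevant directive is locked down.
is_hardened() {
    [ "$(effective_value "$1" Protocol)" = "2" ] &&
    [ "$(effective_value "$1" PermitRootLogin)" = "no" ] &&
    [ "$(effective_value "$1" PasswordAuthentication)" = "no" ]
}

# harden FILE: run this only AFTER ssh-copy-id has installed a key and key login was tested,
# otherwise "PasswordAuthentication no" locks you out. Protocol 2 is the only version left in
# current OpenSSH (the keyword is deprecated there); it is set for older servers.
harden() {
    set_directive "$1" Protocol 2
    set_directive "$1" PermitRootLogin no
    set_directive "$1" PasswordAuthentication no
}

harden "$CFG"
is_hardened "$CFG"   # exit status 0 once hardened; syntax-check with: sshd -t -f "$CFG"
```

Because `effective_value` skips commented lines, `Port` still reports `default` after hardening, which is exactly how sshd treats the `#Port 22` line in the excerpt.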