SSH Configuration Manual
Compiled, organized and written by snow chuai --- 2020/1/25
1. SSH password authentication
1) Disable remote login for the root account
[root@srv ~]# vim /etc/ssh/sshd_config
# line 38, change yes to no
PermitRootLogin no
[root@srv ~]# systemctl restart sshd
# Note: sshd uses the first value it finds for a keyword, so make sure no earlier, active PermitRootLogin line remains above this one. With "no" in place the root logins shown in the later steps are refused; test them with a non-root account, or use "PermitRootLogin prohibit-password" to allow root only with key authentication (section 3).
2) Allow SSH through the firewall
[root@srv ~]# firewall-cmd --add-service=ssh --permanent
success
[root@srv ~]# firewall-cmd --reload
success
3) The ssh client # Linux distributions ship an ssh client by default
[root@client ~]# yum install -y openssh-clients
[snow@client ~]$ ssh root@srv.1000cc.net
The authenticity of host 'srv.1000cc.net (<no hostip for proxy command>)' can't be established.
ECDSA key fingerprint is xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:31:69:8c.
Are you sure you want to continue connecting (yes/no)? yes # compare this fingerprint with one obtained out of band (ssh-keygen -E md5 -lf /etc/ssh/ssh_host_ecdsa_key.pub on the server) before answering yes; once accepted, the key is trusted for good
Warning: Permanently added 'srv.1000cc.net' (ECDSA) to the list of known hosts.
root@srv.1000cc.net's password: # enter the remote root account's password
[root@srv ~]# # logged in to host srv.1000cc.net
4) Run a command on the remote host
[root@client ~]# ssh root@srv.1000cc.net 'cat /etc/redhat-release'
root@srv.1000cc.net's password: # enter the remote root account's password
CentOS Linux release 7.7.1908 (Core)
2. File transfer
1) Copying files with SCP
# copy a local file to the remote host
[snow@client ~]$ scp ./test.txt root@srv.1000cc.net:~/
srv.1000cc.net's password:
test.txt 100% 10 0.0KB/s 00:00
# copy a remote file to the local host
[snow@client ~]$ scp root@srv.1000cc.net:/etc/passwd ./
srv.1000cc.net's password:
passwd 100% 10 0.0KB/s 00:00
2) Copying directories with SCP
# copy a local directory to the remote host
[snow@client ~]$ tree test
test
└── node.txt
0 directories, 1 file
[snow@client ~]$ scp -rp ./test root@srv.1000cc.net:~ # -r copies directories recursively, -p preserves modes and access/modification times
srv.1000cc.net's password:
node.txt 100% 80 52.2KB/s 00:00
# copy a remote directory to the local host
[snow@client ~]$ scp -rp root@srv.1000cc.net:/etc/default ./
useradd 100% 119 56.0KB/s 00:00
nss 100% 1756 743.9KB/s 00:00
grub 100% 256 154.9KB/s 00:00
3) File transfer with sftp
[snow@client ~]$ sftp root@srv.1000cc.net
srv.1000cc.net's password:
Connected to srv.1000cc.net.
sftp> put test.txt # upload test.txt from the local working directory to the remote working directory
Uploading test.txt to /root/test.txt
test.txt 100% 10 0.0KB/s 00:00
sftp> get test.txt # download test.txt from the remote working directory to the local working directory
Fetching /root/test.txt to test.txt
/root/test.txt 100% 10 0.0KB/s 00:00
sftp> quit
4) SFTP-only access with chroot
[root@srv ~]# groupadd sftp_users
[root@srv ~]# usermod -aG sftp_users lisa # -a appends; without it, -G replaces the user's existing supplementary groups
[root@srv ~]# vim /etc/ssh/sshd_config
......
# comment out line 132 and add the following from line 133 (a Match block extends to the next Match or the end of the file, so keep it at the end)
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
Match Group sftp_users
X11Forwarding no
AllowTcpForwarding no
ChrootDirectory /home # the users are confined to /home. This directory and every component of its path must be owned by root and must not be group- or world-writable, otherwise sshd refuses the login ("bad ownership or modes for chroot directory"). Note that the users can then see the names of all home directories; a per-user chroot would use /home/%u with a root-owned home and a writable subdirectory inside it
ForceCommand internal-sftp
[root@srv ~]# systemctl restart sshd # run sshd -t first to catch syntax errors before restarting
[snow@client ~]$ sftp lisa@srv.1000cc.net
srv.1000cc.net's password:
Connected to srv.1000cc.net.
sftp> pwd
Remote working directory: /
sftp> ls
lisa
sftp> quit
3. Key authentication
1) Generate a key pair
[snow@client ~]$ ssh-keygen # without -t this produces a 2048-bit RSA key on CentOS 7; ssh-keygen -t ed25519 (or -t rsa -b 4096) is preferable
Generating public/private rsa key pair.
Enter file in which to save the key (/home/snow/.ssh/id_rsa): # where the key is saved
Created directory '/home/snow/.ssh'.
Enter passphrase (empty for no passphrase): # passphrase protecting the private key; pressing Enter leaves it unencrypted on disk
Enter same passphrase again:
Your identification has been saved in /home/snow/.ssh/id_rsa. # private key
Your public key has been saved in /home/snow/.ssh/id_rsa.pub. # public key
The key fingerprint is:
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx snow@client.1000cc.net
The key's randomart image is:
[snow@client ~]$
2) Install the public key on the remote host
[snow@client ~]$ ssh-copy-id root@srv.1000cc.net
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/snow/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.10.250's password: # enter the remote root account's password
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@srv.1000cc.net'"
and check to make sure that only the key(s) you wanted were added.
[snow@client ~]$ ssh root@srv.1000cc.net
Last login: Sat Jan 25 21:27:17 2020 from srv.1000cc.net
[root@srv ~]# # key-based login succeeded. Once every account logs in with a key, set PasswordAuthentication no in sshd_config so that password guessing is no longer possible
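Section 1 and the note above both edit sshd_config, and sshd applies the first value it reads for a keyword (every line after the first Match belongs to a conditional block), so an option appended at the end of the file can silently lose to an earlier line. The shell functions below, an added example rather than code from the original manual, print the effective value of a keyword, rewrite a directive so that nothing can shadow it, and audit the password-related settings. The sshd_config they operate on is constructed for the demo, and only the whitespace-separated "Keyword value" spelling is handled.

```shell
# Added example, not part of the original manual. sshd keeps the FIRST value
# it reads for each keyword, and every line after the first "Match" belongs
# to a conditional block, so a "PermitRootLogin no" appended at the end of
# sshd_config changes nothing if an earlier "PermitRootLogin yes" is active.
# Only the whitespace-separated "Keyword value" spelling is handled here, not
# "Keyword=value". POSIX sh and awk; no sshd needed.

# Print the value sshd uses for <keyword> from the global section of <file>.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        tolower($1) == "match" { exit }         # end of the global section
        tolower($1) == key {                    # first occurrence wins
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")
            sub(/[ \t]+$/, "")
            print
            exit
        }' "$1"
}

# Make "<keyword> <value>" the only active global directive for <keyword>:
# drop every active occurrence before the first Match and put the new line
# at the top, where nothing can precede it. Commented lines are left alone.
sshd_set() {
    tmp=$(mktemp) || return 1
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v line="$2 $3" '
        BEGIN { print line }
        !inmatch && tolower($1) == "match" { inmatch = 1 }
        !inmatch && tolower($1) == key { next }
        { print }' "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Report settings that still allow password-based access. Returns 1 if any
# finding is printed. An unset keyword is a finding too: state the value
# explicitly instead of relying on the compiled-in default of whichever
# OpenSSH version is installed.
sshd_audit() {
    rc=0
    v=$(sshd_effective "$1" PermitRootLogin)
    case "$v" in
        no|prohibit-password|without-password) ;;
        *) echo "PermitRootLogin is '${v:-unset}', want no or prohibit-password"; rc=1 ;;
    esac
    v=$(sshd_effective "$1" PasswordAuthentication)
    [ "$v" = no ] || { echo "PasswordAuthentication is '${v:-unset}', want no"; rc=1; }
    v=$(sshd_effective "$1" ChallengeResponseAuthentication)
    [ "$v" = no ] || { echo "ChallengeResponseAuthentication is '${v:-unset}', want no (PAM can otherwise still ask for a password)"; rc=1; }
    v=$(sshd_effective "$1" PubkeyAuthentication)
    case "$v" in
        ""|yes) ;;
        *) echo "PubkeyAuthentication is '$v', want yes"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample config for the demo (not a real server's file): the
# late "PermitRootLogin no" is ineffective, and the Match block must survive.
write_sample_config() {
    cat > "$1" <<'EOF'
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
Subsystem sftp internal-sftp
# appended later in the hope of disabling root login: it has no effect
PermitRootLogin no
Match Group sftp_users
    ForceCommand internal-sftp
EOF
}

# Demo run
cfg=$(mktemp)
write_sample_config "$cfg"
echo "PermitRootLogin before: $(sshd_effective "$cfg" PermitRootLogin)"   # yes
sshd_audit "$cfg" || echo "--> weak settings found"
sshd_set "$cfg" PermitRootLogin prohibit-password
sshd_set "$cfg" PasswordAuthentication no
echo "PermitRootLogin after: $(sshd_effective "$cfg" PermitRootLogin)"    # prohibit-password
sshd_audit "$cfg" && echo "--> hardened; check with 'sshd -t', then restart sshd"
rm -f "$cfg"
```

On a real server run `sshd_audit /etc/ssh/sshd_config` first, apply `sshd_set` to a copy, validate the copy with `sshd -t -f <copy>`, and only then move it into place and restart; keep an existing session open while you do so in case the new file locks you out.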
4. X11 forwarding
1) Configure the SSH server (the server itself runs in CLI mode; no desktop is needed)
[root@srv ~]# vim /etc/ssh/sshd_config
AllowTcpForwarding yes # line 99, enable TCP forwarding
X11Forwarding yes # line 101, enable X11 forwarding
X11DisplayOffset 10 # line 102, forwarded displays start at :10, i.e. TCP port 6010 (display :0 is port 6000), so they do not collide with a local X server
X11UseLocalhost yes # line 103, bind the forwarded display to the loopback address only
[root@srv ~]# systemctl restart sshd
[root@srv ~]# yum install xorg-x11-xauth -y
# install any GUI program for testing
[root@srv ~]# yum install gedit -y
2) The SSH client (the client runs a graphical desktop)
[snow@client ~]$ ssh -X root@srv.1000cc.net gedit # -X forwards X11 under the X security extension's restrictions; -Y (trusted) lifts them and lets the remote program read the whole local display. Note that CentOS sets ForwardX11Trusted yes in /etc/ssh/ssh_config, which makes -X behave like -Y
# if it works, the gedit window appears on the client's display
5. SSH port forwarding
5.1 Local forwarding
Local forwarding: example 1
(1) Scenario:
srv1.1000cc.net accepts connections only from srv.1000cc.net and from no other host or user, so srv.1000cc.net is given a local forward (acting as a jump host) that lets client.1000cc.net connect and log in to srv1.1000cc.net.
(2) Method
srv.1000cc.net opens an SSH connection to itself and listens on port 2222. Every connection to its port 2222 is forwarded to port 22 on srv1.1000cc.net; the forwarding server is srv.1000cc.net.
[root@srv ~]# ssh -L :2222:srv1.1000cc.net:22 -fN root@srv.1000cc.net # -L local forward; the empty bind address before :2222 makes the port listen on all interfaces (hence 0.0.0.0 below), which is what lets the client reach it. -f goes to the background, -N runs no remote command
[root@srv ~]# netstat -lantp | grep 2222
tcp 0 0 0.0.0.0:2222 0.0.0.0:* LISTEN 1591/ssh
[snow@client ~]$ ssh -p 2222 root@srv.1000cc.net # -p: port to connect to on the remote SSH server. The host key presented here is srv1's, so ssh records it under [srv.1000cc.net]:2222 in known_hosts; check the fingerprint as in section 1
Last login: Sat Jan 25 22:54:20 2020 from client.1000cc.net
[root@srv1 ~]# # connected to srv1.1000cc.net
Local forwarding: example 2
(1) Scenario:
srv1.1000cc.net accepts connections only from srv.1000cc.net and from no other host or user, so srv.1000cc.net acts as a jump host, and this time the forward is opened on client.1000cc.net itself so that it can log in to srv1.1000cc.net.
(2) Method
The client itself listens on port 2233. Every connection to its own port 2233 goes through srv.1000cc.net (the jump host) to port 22 on srv1.1000cc.net.
[root@client ~]# ssh -L :2233:srv1.1000cc.net:22 -fN root@srv.1000cc.net # the empty bind address again exposes the port on all of the client's interfaces (0.0.0.0 and :: below). Since only the client itself connects to it, -L 2233:srv1.1000cc.net:22, which binds to loopback only, is the safer form
[root@client ~]# netstat -lantp | grep 2233
tcp 0 0 0.0.0.0:2233 0.0.0.0:* LISTEN 1696/ssh
tcp6 0 0 :::2233 :::* LISTEN 1696/ssh
[root@client ~]# ssh -p 2233 localhost
[root@srv1 ~]# # connected to srv1.1000cc.net
5.2 Remote forwarding
Remote forwarding: example 1
(1) Scenario:
srv1.1000cc.net accepts connections only from srv.1000cc.net and from no other host or user, so srv.1000cc.net sets up a remote forward (acting as a jump host) that lets client.1000cc.net connect and log in to srv1.1000cc.net.
(2) Method
srv.1000cc.net connects to client.1000cc.net and has client.1000cc.net's sshd open a listening port that is forwarded back through srv.1000cc.net to srv1.1000cc.net.
[root@srv ~]# ssh -R 2222:srv1.1000cc.net:22 -fN root@client.1000cc.net # on srv.1000cc.net; -R remote forward
[root@client ~]# netstat -lantp # on client.1000cc.net: the port is bound to loopback only, because GatewayPorts defaults to no in the client's sshd_config
tcp 0 0 127.0.0.1:2222 0.0.0.0:* LISTEN 1103/sshd: root
tcp6 0 0 ::1:2222 :::* LISTEN 1103/sshd: root
[root@client ~]# ssh -p 2222 localhost
[root@srv1 ~]# # connected to srv1.1000cc.net
Remote forwarding: example 2
(1) Scenario:
There are three servers, srv1, srv2 and srv3. srv1 needs to reach srv3 through srv2 (srv1 <=> srv2 <=> srv3), so run the following on srv2:
[root@srv2 ~]# ssh -CfNg -L 2222:127.0.0.1:22 root@srv3.1000y.cloud # srv2 listens on 2222 and forwards it to srv3's sshd; -C compression, -f background, -N no remote command, -g lets other hosts connect to the forwarded port
[root@srv2 ~]# ssh -CfNg -R 2221:127.0.0.1:2222 root@srv1.1000y.cloud # srv1 listens on 2221 and forwards it to srv2's port 2222, and from there on to srv3. -g has no effect on an -R listener; whether srv1 exposes port 2221 beyond loopback is decided by GatewayPorts in srv1's sshd_config
# test from srv1
[root@srv1 ~]# ssh -p 2221 localhost
......
Last login: Tue Sep 8 16:58:21 2020 from 192.168.10.200
[root@srv3 ~]# # connected to srv3.1000y.cloud
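The netstat lines in 5.1 and 5.2 show the difference the bind address makes: a -L forward written with an empty bind address (or with -g) listens on 0.0.0.0 and ::, so anyone who can reach that host gets a path to the far end of the tunnel, while the -R listener stays on 127.0.0.1 because the client's sshd has GatewayPorts no. The shell function below, an added example that is not part of the original manual, reads netstat -lantp output and lists the tunnel endpoints that are reachable from the network; the sample lines are copied from the transcripts above, and the function names are my own.

```shell
# Added example, not part of the original manual: find ssh tunnel endpoints
# that are reachable from the network. A -L forward with an empty bind
# address (":2222") or with -g listens on 0.0.0.0/::, so anyone who can reach
# the host gets a path to the far end of the tunnel; the default (no bind
# address) and -R listeners on a server with GatewayPorts no stay on
# loopback. Reads "netstat -lantp" style lines on stdin, as in the transcripts.

# Print "address program" for every LISTEN socket of ssh/sshd bound to all
# interfaces; return 1 if at least one was found, 0 otherwise.
exposed_forwards() {
    awk '
        $6 == "LISTEN" && $4 ~ /^(0\.0\.0\.0|::|\*):[0-9]+$/ && $7 ~ /\/sshd?(:|$)/ {
            print $4, $7
            found = 1
        }
        END { exit found ? 1 : 0 }'
}

# Constructed samples, taken from the netstat output in sections 5.1 and 5.2.
sample_local_forward() {
    printf '%s\n' \
        'tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      1591/ssh' \
        'tcp6       0      0 :::2233                 :::*                    LISTEN      1696/ssh'
}
sample_remote_forward() {
    printf '%s\n' \
        'tcp        0      0 127.0.0.1:2222          0.0.0.0:*               LISTEN      1103/sshd: root' \
        'tcp6       0      0 ::1:2222                :::*                    LISTEN      1103/sshd: root'
}

# Demo: the local forwards with an empty bind address are exposed, the
# remote forward is not.
echo "local forwards:"
sample_local_forward | exposed_forwards || echo "--> exposed: use -L localhost:PORT:host:port, or omit the bind address"
echo "remote forward:"
sample_remote_forward | exposed_forwards && echo "--> loopback only"
```

On a live host pipe the real output in (`netstat -lantp | exposed_forwards`, or `ss -lntp` with the column numbers adjusted); an exposed listener should be either intentional, as in example 1 of 5.1, or rebound to loopback.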
6. Using sshpass
sshpass feeds a password to ssh non-interactively. It exists for hosts where keys cannot be deployed; key authentication (section 3) should be used wherever possible.
[root@client ~]# yum --enablerepo=epel install -y sshpass
[snow@client ~]$ sshpass -p password ssh srv.1000cc.net hostname # -p passes the password on the command line; it is visible to every user in ps output and lands in the shell history, so prefer -f or -e
srv.1000cc.net
[snow@client ~]$ echo 'password' > password.txt # create a password file
[snow@client ~]$ chmod 600 password.txt
[snow@client ~]$ sshpass -f ./password.txt ssh srv.1000cc.net hostname # -f reads the password from the file
srv.1000cc.net
[snow@client ~]$ export SSHPASS=password # put the password in the shell environment
[snow@client ~]$ sshpass -e ssh srv.1000cc.net hostname # -e reads it from SSHPASS
srv.1000cc.net
7. Using ssh-agent to manage private keys
1. Create separate keys and install each on its own server
[snow@client ~]$ ssh-keygen -q -N '' # -N '' sets an empty passphrase; such keys work without an agent. The agent pays off with passphrase-protected keys, which it unlocks once per session
Enter file in which to save the key (/home/snow/.ssh/id_rsa):
[snow@client ~]$ ssh-keygen -q -N ''
Enter file in which to save the key (/home/snow/.ssh/id_rsa):/home/snow/.ssh/srv2
[snow@client ~]$ ssh-copy-id srv1.1000y.cloud
[snow@client ~]$ ssh-copy-id -i /home/snow/.ssh/srv2.pub srv2.1000y.cloud
2. Test passwordless login
[snow@client ~]$ ssh srv1.1000y.cloud
[snow@client ~]$ ssh -i /home/snow/.ssh/srv2 srv2.1000y.cloud
3. Use ssh-agent to hold the keys for the respective servers
[snow@client ~]$ eval `ssh-agent` # start ssh-agent and export SSH_AUTH_SOCK and SSH_AGENT_PID into this shell
Agent pid 1117
[snow@client ~]$ ssh-add
Identity added: /home/snow/.ssh/id_rsa (/home/snow/.ssh/id_rsa) # the default key is now held by the agent
[snow@client ~]$ ssh-add /home/snow/.ssh/srv2
Identity added: /home/snow/.ssh/srv2 (/home/snow/.ssh/srv2)
[snow@client ~]$ ssh-add -l # list the loaded keys
2048 SHA256:lihJOni7noOgU1IXI3ye4iKhbdlk/NakhGlMdO5Yl2k /home/snow/.ssh/id_rsa (RSA)
2048 SHA256:ocwGDSdaTG3YCyrgwglPRJQY7nY8weFiDUo+REM2xCo /home/snow/.ssh/srv2 (RSA)
[snow@client ~]$ ssh srv1.1000y.cloud hostname
srv1.1000y.cloud # no passphrase prompt
[snow@client ~]$ ssh srv2.1000y.cloud hostname # no -i needed: ssh offers every key held by the agent
srv2.1000y.cloud
[snow@client ~]$ eval `ssh-agent -k` # stop the agent
Agent pid 1117 killed
8. PSSH
8.1 Using pssh
1) Install pssh
[root@client ~]# yum --enablerepo=epel install -y pssh
2) Use pssh
[snow@client ~]$ pssh -H 'srv.1000cc.net srv1.1000cc.net' -i 'hostname'
[1] 00:18:32 [SUCCESS] srv.1000cc.net
srv.1000cc.net
[2] 00:18:33 [SUCCESS] srv1.1000cc.net
srv1.1000cc.net
[snow@client ~]$ vim host-list.txt
root@srv.1000cc.net
root@srv1.1000cc.net
[snow@client ~]$ pssh -h host-list.txt -i 'hostname'
[1] 00:18:32 [SUCCESS] srv.1000cc.net
srv.1000cc.net
[2] 00:18:33 [SUCCESS] srv1.1000cc.net
srv1.1000cc.net
[snow@client ~]$ pssh -h host-list.txt -A -O PreferredAuthentications=password -i "hostname"
Warning: do not enter your password if anyone else has superuser
privileges or access to your account.
Password: # enter the remote account's password
[1] 00:18:32 [SUCCESS] srv.1000cc.net
srv.1000cc.net
[2] 00:18:33 [SUCCESS] srv1.1000cc.net
srv1.1000cc.net
8.2 Remote copy with pssh
1) Copy a local file to the remote hosts
[snow@client ~]$ pscp.pssh -h host-list.txt test/node.txt /tmp/
[1] 00:31:49 [SUCCESS] root@srv.1000cc.net
[2] 00:31:49 [SUCCESS] root@srv1.1000cc.net
2) Copy remote files to the local host
# copy /etc/passwd from each host into ~/test, in one subdirectory per host
[snow@client ~]$ pslurp -h host-list.txt -L ~/test /etc/passwd ./
# same, into the current directory (the default for -L)
[snow@client ~]$ pslurp -h host-list.txt /etc/passwd ./
3) Kill a process on all hosts
[snow@client ~]$ pnuke -h host-list.txt httpd
4) Batch rsync
# sync the local test directory to /tmp on each host; -r recursive, -a archive mode, -z compress
[snow@client ~]$ prsync -raz -h host-list.txt test/ /tmp
9. SSHFS
1) Install sshfs on all hosts (including the client)
[snow@client ~]$ pssh -h host-list.txt -i 'yum --enablerepo=epel install -y sshfs'
2) Mount a remote directory on the client with sshfs
[root@client ~]# sshfs root@srv.1000cc.net:/ /mnt
[root@client ~]# df -Th | grep /mnt
root@192.168.10.250:/ fuse.sshfs 8.4G 1.7G 6.2G 22% /mnt
10. Per-user ssh_config
[root@srv1 ~]# vim ~/.ssh/config
# ssh uses the first value it finds for each option, so a catch-all "Host *" block belongs at the end of the file
# alias used on the command line (required)
Host srv1
# FQDN or IP address of the remote SSH server (required)
Hostname srv1.1000y.cloud
# port of the remote SSH server (optional, default 22)
Port 22
# remote account name (optional)
User root
# location of the private key (optional)
IdentityFile ~/.ssh/id_rsa
Host srv2
Hostname srv2.1000y.cloud
Port 2222
User snow
IdentityFile ~/.ssh/snow_rsa
[root@srv1 ~]# chmod 600 ~/.ssh/config
[root@srv1 ~]# ssh srv1
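ssh resolves ~/.ssh/config the way sshd resolves its own file: the first value found for an option wins, so where a catch-all Host * block sits decides whether the per-host Port 2222 above takes effect. The shell function below, an added example that is not code from the original manual, resolves an alias against a constructed config that contains the srv2 entry above plus a Host * block and shows both orderings; wildcard negation (!), Match blocks and the Option=value spelling are not handled.

```shell
# Added example, not part of the original manual: resolve what ssh will
# actually use for an alias. ssh reads ~/.ssh/config top to bottom, a Host
# block applies when one of its patterns matches the alias, and the FIRST
# value found for an option wins. A catch-all "Host *" therefore belongs at
# the END of the file: placed first, its "Port 22" silently overrides the
# "Port 2222" of the srv2 block. Wildcards * and ? are supported; negated
# patterns (!), Match blocks and the "Option=value" spelling are not.

# usage: ssh_config_get <config-file> <alias> <option>; prints the effective value
ssh_config_get() {
    awk -v alias="$2" -v key="$(printf '%s' "$3" | tr 'A-Z' 'a-z')" '
        function glob2re(p) {
            gsub(/\./, "[.]", p); gsub(/\*/, ".*", p); gsub(/\?/, ".", p)
            return "^" p "$"
        }
        BEGIN { active = 1 }                    # lines before any Host apply to every host
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "host" {
            active = 0
            for (i = 2; i <= NF; i++) if (alias ~ glob2re($i)) active = 1
            next
        }
        tolower($1) == "match" { active = 0; next }
        active && tolower($1) == key {          # first value wins
            sub(/^[ \t]*[^ \t]+[ \t]+/, ""); sub(/[ \t]+$/, "")
            print; exit
        }' "$1"
}

# Constructed sample: the manual's srv2 entry plus a catch-all block, written
# either before ("first") or after ("last") it.
write_sample_ssh_config() {
    catchall='Host *
    Port 22
    ServerAliveInterval 30'
    srv2='Host srv2
    Hostname srv2.1000y.cloud
    Port 2222
    User snow
    IdentityFile ~/.ssh/snow_rsa'
    if [ "$2" = first ]; then
        printf '%s\n' "$catchall" "$srv2" > "$1"
    else
        printf '%s\n' "$srv2" "$catchall" > "$1"
    fi
}

# Demo run
cfg=$(mktemp)
write_sample_ssh_config "$cfg" first
echo "Host * first: srv2 port = $(ssh_config_get "$cfg" srv2 Port)"   # 22, the per-host value is shadowed
write_sample_ssh_config "$cfg" last
echo "Host * last:  srv2 port = $(ssh_config_get "$cfg" srv2 Port)"   # 2222
echo "srv2 user = $(ssh_config_get "$cfg" srv2 User), keepalive = $(ssh_config_get "$cfg" srv2 ServerAliveInterval)"
rm -f "$cfg"
```

The real client offers the same check: `ssh -G srv2` prints every option as ssh would apply it, which is the quickest way to confirm that a config edit had the intended effect.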
If this helped you, feel free to leave a tip. ^-^