SSH:安全外壳协议,是一种在不安全网络上用于安全远程登录和其他安全网络服务的协议
SSH由三部分构成:
1.传输层协议 [SSH-TRANS]:
提供了服务器认证,保密性及完整性。此外它有时还提供压缩功能。 SSH-TRANS 通常运行在TCP/IP连接上,也可能用于其它可靠数据流上。 SSH-TRANS 提供了强力的加密技术、密码主机认证及完整性保护。该协议中的认证基于主机,并且该协议不执行用户认证。更高层的用户认证协议可以设计为在此协议之上。
2.用户认证协议 [SSH-USERAUTH]
用于向服务器提供客户端用户鉴别功能。它运行在传输层协议 SSH-TRANS 上面。当SSH-USERAUTH 开始后,它从低层协议那里接收会话标识符(从第一次密钥交换中的交换哈希H )。会话标识符唯一标识此会话并且适用于标记以证明私钥的所有权。 SSH-USERAUTH 也需要知道低层协议是否提供保密性保护。
3.连接协议 [SSH-CONNECT]
将多个加密隧道分成逻辑通道。它运行在用户认证协议上。它提供了交互式登录话路、远程命令执行、转发 TCP/IP 连接和转发 X11 连接。
目录
密码登录
免密登录
密钥登录
密码登录
密码登录也叫本地登录,即使用系统中有的用户进行登录
允许本地登录:
vim /etc/ssh/sshd_config #编辑ssh配置文件Port 22 #端口
PermitRootLogin yes #允许root远程登录
#MaxAuthTries 6 #密码最多尝试次数
#MaxSessions 10 #最多登录数
#PermitEmptyPasswords no #禁止空密码免密登录
指不用输入密码可直接进行登录,这种方式较为不安全
先生成密钥,在所有需要免密登录的服务器上执行
ssh-keygen #生成密钥(在所有需要免密登录的主机上执行)Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:ph6xfXo7j7Vl+ez9FkxS28xo8u92AWxxaWbEaJTZgkQ root@linux4
The key's randomart image is:
+---[RSA 3072]----+
| oEo.B..|
| . B X |
| o O+o|
| .=oo+|
| . S .+= |
| * .= |
| + . . . +.o|
| . . ooo + o*|
| . ..o+o =X|
+----[SHA256]-----+选择一台根ssh,复制私钥和发送密钥
ssh-copy-id linux3.skills.com #复制linux3 id(在所有需要免密登录的主机上执行 linux3为选择其中一台作为ssh根服务器)/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host 'linux3.skills.com (192.168.100.70)' can't be established.
ECDSA key fingerprint is SHA256:PaZo5HAGzDRzwRAiEZGz4U7lrUXCuBXCPqaNyZlaO0M.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes #输入 yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@linux3.skills.com's password: #输入密码Number of key(s) added: 1Now try logging into the machine, with: "ssh 'linux3.skills.com'"
and check to make sure that only the key(s) you wanted were added.cd ~/.ssh #切换目录scp authorized_keys linux4.skills.com:~/.ssh #发送密钥(在根ssh服务器上执行所有(除自己)的完全合格域名)The authenticity of host 'linux4.skills.com (192.168.100.80)' can't be established.
ECDSA key fingerprint is SHA256:eZTdD1yO5XNEVi0YY0ibebxDFIr/aoJLU5r4MjBZuKo.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes #输入yes
Warning: Permanently added 'linux4.skills.com,192.168.100.80' (ECDSA) to the list of known hosts.
root@linux4.skills.com's password: #输入免密
authorized_keys 100% 1130 118.9KB/s 00:00密钥登录
使用公钥+私钥认证的方式,使用时较为安全
一般不使用root用户生成密钥对,否则都要使用root操作
ssh-keygen #在要连接上的客户机生成密钥对Generating public/private rsa key pair.
Enter file in which to save the key (/home/chen/.ssh/id_rsa): #回车
/home/chen/.ssh/id_rsa already exists.
Overwrite (y/n)? y #覆盖原有密钥(已生成过)
Enter passphrase (empty for no passphrase): #输入密钥密码
Enter same passphrase again: #再次输入密钥密码
Your identification has been saved in /home/chen/.ssh/id_rsa
Your public key has been saved in /home/chen/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:eUpOqm172pMbETKWHxXYtpWwbUrUCGaftI08NeXjbms chen@chen-HP-Pro-Tower-288-G9-PCI-Desktop-PC
The key's randomart image is:
+---[RSA 3072]----+
| ++*=oo. |
| +.*+O+o |
| = o.Xo+ o |
| . + =.+ . . |
| S o . |
| = + . |
| . +. o |
| o..+. .E. |
| ..++oo .. |
+----[SHA256]-----+ssh-copy-id root@10.1.220.100 #上传公钥到服务器/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@10.1.220.100's password: #输入服务器密码Number of key(s) added: 1Now try logging into the machine, with: "ssh 'root@10.1.220.100'"
and check to make sure that only the key(s) you wanted were added.以上操作后,执行ssh重启动即可
systemctl restart sshd #重启ssh服务
)
)
)
)
)
