Author: 一毛钱
Before transmitting data, ssh encrypts it first and only then sends it. If the versions on the two sides do not match, the connection fails.
Uses: ① remote login ② remote copy
Installed packages:
[root@localhost ~]# rpm -qa openssh openssl
openssl-1.0.1e-15.el6.x86_64
openssh-5.3p1-94.el6.x86_64
2.1 Password-based: you know the server's account and password.
2.2 Key-based: key-based authentication relies on a key pair created in advance; the public key is placed on the target server you need to reach, and the private key is kept on the SSH client (or on the client-side server that will connect).
Back up before changing the configuration (backup, backup, backup).
Port 22                    -> change the default port
ListenAddress 0.0.0.0      -> change to a single (internal) IP
PermitRootLogin yes        -> change to no
PasswordAuthentication yes -> change to no
UseDNS yes                 -> change to no
GSSAPIAuthentication yes   -> change to no
[root@localhost ~]# cp -ap /etc/ssh/sshd_config{,.bak}
[root@localhost ~]# ll /etc/ssh/sshd_config*
-rw-------. 1 root root 3879 11月 23 2013 /etc/ssh/sshd_config
-rw-------. 1 root root 3879 11月 23 2013 /etc/ssh/sshd_config.bak
[root@localhost ~]# vim /etc/ssh/sshd_config
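Added example (not from the original post): a small shell audit that reads an sshd_config the way sshd does (first matching directive wins, an absent directive takes its default) and reports every deviation from the checklist above. The two sample configs are constructed for the demo; defaults follow OpenSSH 5.3, the version shown on this page.

```shell
#!/bin/bash
# Added example: audit an sshd_config against the hardening checklist above.
# sshd honours the first matching directive; an absent directive takes its
# default (defaults below follow OpenSSH 5.3, the version shown on this page).

# Constructed sample configs so the script runs offline (not real host configs).
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat >"$WEAK_CFG" <<'EOF'
Port 22
#ListenAddress 0.0.0.0
PermitRootLogin yes
PasswordAuthentication yes
GSSAPIAuthentication yes
EOF
cat >"$HARD_CFG" <<'EOF'
Port 1314
ListenAddress 172.16.10.30
PermitRootLogin no
PasswordAuthentication no
UseDNS no
GSSAPIAuthentication no
EOF

# sshd_value <config> <directive> <default>: effective value, case-insensitive
sshd_value() {
    val=$(awk -v k="$2" '$1 !~ /^#/ && tolower($1)==tolower(k) {print $2; exit}' "$1")
    printf '%s\n' "${val:-$3}"
}

# audit_sshd <config>: print one line per deviation from the checklist
audit_sshd() {
    v=$(sshd_value "$1" Port 22)
    [ "$v" != 22 ] || echo "Port is 22: move sshd off the default port"
    v=$(sshd_value "$1" ListenAddress 0.0.0.0)
    [ "$v" != 0.0.0.0 ] || echo "ListenAddress is 0.0.0.0: bind one internal IP only"
    # directive:default:expected (GSSAPIAuthentication is off upstream, on in CentOS 6)
    for spec in PermitRootLogin:yes:no PasswordAuthentication:yes:no \
                UseDNS:yes:no GSSAPIAuthentication:no:no; do
        key=${spec%%:*}; rest=${spec#*:}; def=${rest%%:*}; want=${rest#*:}
        v=$(sshd_value "$1" "$key" "$def")
        [ "$v" = "$want" ] || echo "$key is $v: set it to $want"
    done
}

echo "== weak config =="; audit_sshd "$WEAK_CFG"
echo "== hardened config =="; audit_sshd "$HARD_CFG"
```

Run it against /etc/ssh/sshd_config.bak before and after editing to confirm every item on the checklist actually took effect; a directive left commented out still counts as its default.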
Summary of how to prevent SSH login ***:
1. Log in with keys, not passwords.
2. 牤牛阵法 (the "bull formation" method) for SSH security:
   ① Firewall: only allow SSH from specified source IPs.
   ② Make SSH listen only on the internal (intranet) IP.
3. Avoid giving servers a public IP wherever possible.
SSH client commands:
ssh -p22 lihao@172.16.10.10
scp -P22 /etc/hosts lihao@172.16.10.22:/tmp/   # push the local /etc/hosts to /tmp on the remote host
scp -P22 lihao@172.16.10.22:/tmp/ /data/       # pull from the remote host to local /data/
Summary
1. scp is an encrypted remote copy; cp only copies locally.
2. Data can be pushed from one machine to another, or pulled back from another machine.
3. Every run is a full copy, which is inefficient; it suits a first transfer. Use rsync when you need incremental copies.
[root@localhost ~]# sftp root@172.16.10.40
Connecting to 172.16.10.40...
The authenticity of host '172.16.10.40 (172.16.10.40)' can't be established.
RSA key fingerprint is f3:af:42:ba:f8:ab:74:8b:cf:f9:59:d6:27:41:6c:1d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.10.40' (RSA) to the list of known hosts.
root@172.16.10.40's password:
sftp> ls
anaconda-ks.cfg install.log install.log.syslog ipvsadm-1.26
keepalived-1.1.19
sftp> put /etc/hosts   # upload data; get downloads
Uploading /etc/hosts to /root/hosts
/etc/hosts 100% 158 0.2KB/s 00:00
sftp> pwd
Remote working directory: /root
sftp> put /etc/hosts /tmp
Uploading /etc/hosts to /tmp/hosts
/etc/hosts 100% 158 0.2KB/s 00:00
sftp> cd /tmp
sftp> ls
hosts yum.log
sftp> pwd
Remote working directory: /tmp
Password-based tools: expect, pssh, sshpass
Key-based
1. Create the user and password
useradd xiaoxue
echo 123456|passwd --stdin xiaoxue
su - xiaoxue
2. Create the key pair
ssh-keygen -t dsa   (press Enter at every prompt)
[root@MBA ~]# su - xiaoxue
[xiaoxue@MBA ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/xiaoxue/.ssh/id_dsa):
Created directory '/home/xiaoxue/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/xiaoxue/.ssh/id_dsa.
Your public key has been saved in /home/xiaoxue/.ssh/id_dsa.pub.
The key fingerprint is:
72:19:99:31:84:b6:41:95:74:a3:04:64:6b:f6:41:0e xiaoxue@MBA
The key's randomart image is:
+--[ DSA 1024]----+
| oE*O.o |
| .+*.B . |
| .+oB |
| o.. + |
| . S |
| o |
| |
| |
| |
+-----------------+
[xiaoxue@MBA ~]$ ll /home/xiaoxue/.ssh/
总用量 8
-rw------- 1 xiaoxue xiaoxue 668 11月 3 01:06 id_dsa
-rw-r--r-- 1 xiaoxue xiaoxue 601 11月 3 01:06 id_dsa.pub
Non-interactive key creation (one shot):
1. ssh-keygen -t dsa -P '' -f ~/.ssh/id_dsa >/dev/null 2>&1
2. echo -e "\n"|ssh-keygen -t dsa -N ""
3. Distribute the public key from the management host
With the default ssh port 22:
ssh-copy-id -i .ssh/id_dsa.pub xiaoxue@172.16.10.10
With a changed port:
ssh-copy-id -i .ssh/id_dsa.pub "-p 1314 xiaoxue@172.16.10.30"
4. Test   # every machine now connects without a password
[xiaoxue@MBA ~]$ ssh -p1314 xiaoxue@172.16.10.30 /sbin/ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:FF:73:81
inet addr:192.168.20.137 Bcast:192.168.20.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:feff:7381/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:893 errors:0 dropped:0 overruns:0 frame:0
TX packets:293 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:87817 (85.7 KiB) TX bytes:24158 (23.5 KiB)
eth1 Link encap:Ethernet HWaddr 00:0C:29:FF:73:8B
inet addr:172.16.10.30 Bcast:172.16.255.255 Mask:255.255.0.0
inet6 addr: fe80::20c:29ff:feff:738b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:962 errors:0 dropped:0 overruns:0 frame:0
TX packets:363 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:92411 (90.2 KiB) TX bytes:44909 (43.8 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
SSH deployment options in the enterprise:
1. Log in directly as root
2. Escalate privileges with sudo
Configure sudoers:
echo "xiaoxue ALL= NOPASSWD: /usr/bin/rsync" >>/etc/sudoers
visudo -c
3. Use suid so an unprivileged user can still copy files
rsync -avz hosts -e 'ssh -p 1314' xiaoxue@172.16.10.30:~   # rsync over an ssh tunnel
1. Incremental and encrypted
Batch distribution script
#!/bin/bash
# Run one command on every managed host over key-based SSH (user xiaoxue, port 1314).
. /etc/init.d/functions
if [ $# -ne 1 ]
then
    echo "USAGE:/bin/bash $0 ARG1"
    exit 1
fi
for n in 10 30 40
do
    echo ::::::172.16.10.$n::::::
    ssh -p1314 xiaoxue@172.16.10.$n "$1"
done
Original post: https://blog.51cto.com/13528668/2356071