码迷,mamicode.com
首页 > 其他好文 > 详细

ssh客户端及基于key登陆

时间:2019-04-21 11:25:43      阅读:154      评论:0      收藏:0      [点我收藏+]

标签:算法   利用   crc   vat   配置文件   cti   rem   code   sts   

ssh服务

ssh名字为secure shell,目前使用的版本号为2,所使用的端口号为tcp的22号端口,可以实现安全的远程登录。
ssh协议版本有v1版和v2版本:
v1是基于CRC-32做MAC,不安全,无法防止中间人***。
V2版本双方主机协议选择安全的MAC方式基于DH算法做密钥交换,基于RSA或DSA实现身份认证
ssh具体的软件实现为:Openssh和dropbear


Openssh

openssh是ssh的一种实现,它能允许远程系统经验证地加密安全访问。当用户远程连接ssh服务器时,会复制ssh服务器/etc/ssh/ssh_host_ecdsa_key.pub文件中的公钥到客户机的~/.ssh/know_hosts中。下次连接时会自动匹配相应私钥,不能匹配的将拒绝连接

ssh软件的组成
openssh是由openssh、openssh-clients、openssh-server这几个包组成。
由于ssh是基于C/S结构,所以它分别有客户端的配置和服务器端的配置。

openssh客户端

一、配置文件

ssh客户端的配置存放在/etc/ssh/ssh_config文件内,一般客户端的配置文件不做修改,使用默认配置,但其中有几项选项稍作了解。
1.StrictHostKeyChecking
当客户端第一次访问服务器时,客户端会询问所访问的主机是否是你真正想想要访问的主机。默认是每次都会询问,当设置为no时,不会再询问。

StrictHostKeyChecking no

2.port
此项为连接服务器时的端口号。默认为22号端口,当服务器的ssh服务的端口为非标时,将配置文件的port进行修改,也可以使用ssh -p PORT来指定端口号。
修改配置文件方法

port 9527    #找到port行修改为指定端口

手动指定端口号方法:

[root@centos7 ~]# ssh root@192.168.73.133 -p 9527

二、ssh的用户登陆方式

ssh有2中登录方式,一种是基于口令的登陆方式,另一种是基于Key的登登录方式。

基于口令的登陆方式

基于口令的登陆方式依赖于ssh命令
ssh的使用方法:

ssh [option] [user@]host [COMMAND]
选项 说明
-p port 指定远程服务器监听的端口
-b 指定连接的源IP
-v 调试模式
-C 压缩方式
-X 支持x11转发
-t 强制伪tty分配

常用选项示例:

-p:可以用来指定连接远程主机的端口号,常用在服务器端口号为非标的情况下

[root@centos7 ~]# ssh root@192.168.73.133 -p 9527

-C:压缩方法连接,常用在带宽较小的情况下

[root@centos7 ~]# ssh -C root@192.168.73.133

-X:支持x11转发功能
x11转发功能可以实现将远程的主机的图形化桌面拉取到本机,从而实现图形操作。

[root@centos7 ~]# ssh -X root@192.168.73.133

-t:强制伪tty分配
强制伪tty分配使用的场合为有a、b、c、d,4台主机,a要去连接d,但d,c,b只能通过单线去连接,a无法直接连接到的d,需要b,c上依次登录才能登录到d,使用-t选项可以实现一条命令直接登录至d主机

[root@centos7 ~]# ssh -t 192.168.73.132 ssh -t 192.168.73.133 ssh 192.168.73.134
root@192.168.73.132‘s password: 
The authenticity of host ‘192.168.73.133 (192.168.73.133)‘ can‘t be established.
ECDSA key fingerprint is SHA256:YNlH0VBV0kp4lAClVvfMWVx/bHcbKKHXQwyd13d+MME.
ECDSA key fingerprint is MD5:8a:1c:3d:c2:04:b1:be:05:95:33:9e:16:e8:ad:6c:25.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘192.168.73.133‘ (ECDSA) to the list of known hosts.
root@192.168.73.133‘s password: 
The authenticity of host ‘192.168.73.134 (192.168.73.134)‘ can‘t be established.
ECDSA key fingerprint is SHA256:YNlH0VBV0kp4lAClVvfMWVx/bHcbKKHXQwyd13d+MME.
ECDSA key fingerprint is MD5:8a:1c:3d:c2:04:b1:be:05:95:33:9e:16:e8:ad:6c:25.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘192.168.73.134‘ (ECDSA) to the list of known hosts.
root@192.168.73.134‘s password: 
Last failed login: Tue Apr 16 11:41:25 CST 2019 from 192.168.73.133 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Tue Apr 16 07:15:03 2019 from 192.168.73.1

基于密钥方式的登录

一、交互式方法实现密钥登录
1.先在本机生成私钥

[root@centos7 ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:7s3nPNrHugMdkip+8ozUvE2pYeUnvGGhylzVHMhaPMk root@centos7.localdomain
The key‘s randomart image is:
+---[RSA 2048]----+
|                 |
|         + o     |
|          E..    |
|         oo+..   |
|        S.+oo.   |
|      .+.*.o.    |
|     ...O O...   |
|     +oB.X B+ o  |
|      =+* *+**   |
+----[SHA256]-----+

2.将密钥文件发送给远端的主机

[root@centos7 ~]# ssh-copy-id root@192.168.73.132
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.73.132‘s password: 
Permission denied, please try again.
root@192.168.73.132‘s password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh ‘root@192.168.73.132‘"
and check to make sure that only the key(s) you wanted were added.

二、非交互式方法实现密钥登陆
1.生成密钥,存放在~/.ssh/id_rsa

[root@centos7 ~]# ssth-keygen - rsa -N "" -f ~/.ssh/id_rs
Generating public/private rsa key pair.
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:q+dIP5AXsmfJT71CleOlW8pR27c/SBdDJaRBK/n3ibo root@centos7.localdomain
The key‘s randomart image is:
+---[RSA 2048]----+
|           .o.o o|
|           . + o |
|          o o..  |
|      . .  o+ oo |
|       =So +.=.oo|
|      + *.o =o+o+|
|      .=.+ ..Bo.+|
|     . +o o *. o |
|      ooo. E.   +|
+----[SHA256]-----+

2.复制密钥至远程主机

[root@centos7 ~]# ssh-copy-id 192.168.73.128
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.73.128‘s password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh ‘192.168.73.128‘"
and check to make sure that only the key(s) you wanted were added.

注意:key验证必须保证key的安全,若私钥文件被偷走,别人可以利用私钥文件进行免密登陆,为防止密钥被别人盗走后被别人免密登陆,可以对私钥进行加密。
3.密钥的加密

[root@centos7 .ssh]# ssh-keygen -t rsa -P "111111" -f ~/.ssh/id_rsa     #创建密钥时对密钥进行加密
Generating public/private rsa key pair.
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:+kwhjUafA73ra7CoTaR59wemYBSGMummrZbHwubPUlI root@centos7.localdomain
The key‘s randomart image is:
+---[RSA 2048]----+
| . .             |
|+ . o  .         |
|.o . .o .        |
| o E.. = o       |
|o.... + S        |
|...=o..oo+       |
|..B.ooo=o.       |
|.B.*..o*. .      |
|+.*+.  .*o       |
+----[SHA256]-----+

[root@centos7 .ssh]# ssh-copy-id 192.168.73.128                         #将密钥复制到远程主机
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host ‘192.168.73.128 (192.168.73.128)‘ can‘t be established.
ECDSA key fingerprint is SHA256:YNlH0VBV0kp4lAClVvfMWVx/bHcbKKHXQwyd13d+MME.
ECDSA key fingerprint is MD5:8a:1c:3d:c2:04:b1:be:05:95:33:9e:16:e8:ad:6c:25.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.73.128‘s password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh ‘192.168.73.128‘"
and check to make sure that only the key(s) you wanted were added.

[root@centos7 .ssh]# ssh 192.168.73.128
Enter passphrase for key ‘/root/.ssh/id_rsa‘:                       #再次登陆时要求输入密钥的密码
Last login: Tue Apr 16 21:15:58 2019 from 192.168.73.132

由于每次需要输入密码太过麻烦,也可以使用代理,先输一次密码,只有所有登陆时所需要的输入的密码都由代理来输入,达到免密的方法
4.ssh-agent代理的使用

[root@centos7 .ssh]# ssh-agent bash         #运行代理
[root@centos7 .ssh]# ssh-add                #将密钥通过命令添加给代理
Enter passphrase for /root/.ssh/id_rsa: 
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
[root@centos7 .ssh]# ssh 192.168.73.128
Last login: Tue Apr 16 21:21:40 2019 from 192.168.73.128        #再次实现免密登陆
[root@centos7 ~]# 

5.集群模式下的基于key验证。
假设有3台设备,要实现相互间key验证登陆,那我们就需要依次坐在每台主机上,执行创建密钥和公钥分发的操作,由于此方法过于繁琐,有没有更加便捷的方法呢?
实现思路:3台主机公用一个公私钥
5.1现在一台主机上创建私钥文件

[root@centos7 ~]# mkdir .ssh
[root@centos7 ~]# ssh-keygen -P "" -t rsa  -f .ssh/id_rsa
Generating public/private rsa key pair.
Your identification has been saved in .ssh/id_rsa.
Your public key has been saved in .ssh/id_rsa.pub.
The key fingerprint is:
SHA256:+pUkZANYvXQPGCF2VC5dpF7FNnZvLVyZZRNg7Av33f8 root@centos7.localdomain
The key‘s randomart image is:
+---[RSA 2048]----+
|     o=o==..++ooB|
|    .. ++ooo.o=++|
|       .=o+oo+ +o|
|       o.+ o.oo +|
|        S o o ooo|
|       . o . . .o|
|      .   o     .|
|       . .      .|
|        .       E|
+----[SHA256]-----+

5.2对自己创建authorized_keys文件

[root@centos7 ~]# ssh-copy-id 192.168.73.128
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host ‘192.168.73.128 (192.168.73.128)‘ can‘t be established.
ECDSA key fingerprint is SHA256:YNlH0VBV0kp4lAClVvfMWVx/bHcbKKHXQwyd13d+MME.
ECDSA key fingerprint is MD5:8a:1c:3d:c2:04:b1:be:05:95:33:9e:16:e8:ad:6c:25.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.73.128‘s password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh ‘192.168.73.128‘"
and check to make sure that only the key(s) you wanted were added.

5.3将整个.ssh目录分发给另外两台主机

[root@centos7 ~]# scp -rp .ssh 192.168.73.132:/root/
root@192.168.73.132‘s password: 
id_rsa                                                                 100% 1675     1.3MB/s   00:00    
id_rsa.pub                                                             100%  406   389.1KB/s   00:00    
known_hosts                                                            100%  352   536.8KB/s   00:00    
authorized_keys                                                        100%  406   660.1KB/s   00:00    
[root@centos7 ~]# scp .ssh 192.168.73.133:/root/
The authenticity of host ‘192.168.73.133 (192.168.73.133)‘ can‘t be established.
ECDSA key fingerprint is SHA256:YNlH0VBV0kp4lAClVvfMWVx/bHcbKKHXQwyd13d+MME.
ECDSA key fingerprint is MD5:8a:1c:3d:c2:04:b1:be:05:95:33:9e:16:e8:ad:6c:25.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘192.168.73.133‘ (ECDSA) to the list of known hosts.
root@192.168.73.133‘s password: 
.ssh: not a regular file
[root@centos7 ~]# scp -rp .ssh 192.168.73.133:/root/
root@192.168.73.133‘s password: 
id_rsa                                                                 100% 1675     1.2MB/s   00:00    
id_rsa.pub                                                             100%  406   365.0KB/s   00:00    
known_hosts                                                            100%  528     1.1MB/s   00:00    
authorized_keys                                                        100%  406   619.8KB/s   00:00    

5.4登录测试

[root@centos7 ~]# ssh 192.168.73.133
Last login: Tue Apr 16 06:23:20 2019
[root@centos7 ~]# ssh 192.168.73.132
Last login: Tue Apr 16 13:50:51 2019 from 192.168.73.1
[root@centos7 ~]# ssh 192.168.73.128
Last login: Tue Apr 16 21:50:38 2019 from 192.168.73.1

ssh客户端及基于key登陆

标签:算法   利用   crc   vat   配置文件   cti   rem   code   sts   

原文地址:https://blog.51cto.com/11886307/2382115

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!