# rpm -qa|grep openssh openssh-askpass-5.3p1-104.el6_6.1.x86_64 openssh-server-5.3p1-104.el6_6.1.x86_64 #服务器端软件包 openssh-clients-5.3p1-104.el6_6.1.x86_64 #客户端软件包 openssh-5.3p1-104.el6_6.1.x86_64 #包含服务器端和客户端的核心文件
#mkdir /mnt/local #创建一个目录,用于挂载光盘文件 # mount /dev/cdrom /mnt/local/ mount: block device /dev/sr0 is write-protected, mounting read-only # cd /mnt/local/Packages/ #DVD镜像文件的盛放目录 进入光盘目录,找到并执行执行下列命令: # rpm -ivh openssh-5.3p1-94.el6.x86_64.rpm # rpm -ivh openssh-server-5.3p1-94.el6.x86_64.rpm # rpm -ivh openssh-clients-5.3p1-94.el6.x86_64.rpm # rpm -ivh openssh-askpass-5.3p1-94.el6.x86_64.rpm 按序安装
# ssh -v #版本信息 OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013 usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec] [-D [bind_address:]port] [-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file] [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port] [-R [bind_address:]port:host:hostport] [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]] [user@]hostname [command]
13 #Port 22 #服务器监听的端口号 14 #AddressFamily any 15 #ListenAddress 0.0.0.0 #设置OpenSSH服务器绑定的IP 16 #ListenAddress :: 18 # Disable legacy (protocol version 1) support in the server for new 19 # installations. In future the default will change to require explicit 20 # activation of protocol 1 21 Protocol 2 23 # HostKey for protocol version 1 24 #HostKey /etc/ssh/ssh_host_key #设置包含计算机私有主机秘钥的文件 25 # HostKeys for protocol version 2 26 #HostKey /etc/ssh/ssh_host_rsa_key 27 #HostKey /etc/ssh/ssh_host_dsa_key 29 # Lifetime and size of ephemeral version 1 server key 30 #KeyRegenerationInterval 1h 31 #ServerKeyBits 1024 #设置服务器秘钥的位数,最小值512,默认1024 33 # Logging 34 # obsoletes QuietMode and FascistLogging 35 #SyslogFacility AUTH 36 SyslogFacility AUTHPRIV 37 #LogLevel INFO #设置记录ssh日志消息的级别 39 # Authentication: 41 #LoginGraceTime 2m #设置如果用户不能成功登录,在切断连接之前服务器需要等待的时间 42 #PermitRootLogin yes #设置root用户是否能够使用ssh登录 43 #StrictModes yes 44 #MaxAuthTries 6 45 #MaxSessions 10 #指定允许每个网络连接打开的最大会话数,默认10 47 #RSAAuthentication yes #设置是否允许只有RSA安全验证 48 #PubkeyAuthentication yes 49 #AuthorizedKeysFile .ssh/authorized_keys 50 #AuthorizedKeysCommand none 51 #AuthorizedKeysCommandRunAs nobody 53 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts 54 #RhostsRSAAuthentication no #设置是否允许用rhosts或/etc/hosts.equiv加上RSA进行安全验证 55 # similar for protocol version 2 56 #HostbasedAuthentication no 57 # Change to yes if you don't trust ~/.ssh/known_hosts for 58 # RhostsRSAAuthentication and HostbasedAuthentication 59 #IgnoreUserKnownHosts no 60 # Don't read the user's ~/.rhosts and ~/.shosts files 61 #IgnoreRhosts yes #设置RhostsRSA验证和Hostbased验证的时候是否使用.rhosts和.shosts文件 63 # To disable tunneled clear text passwords, change to no here!
64 #PasswordAuthentication yes #设置是否允许口令验证 65 #PermitEmptyPasswords no #设置是否允许用户口令为空字符串的账号登陆,默认no 66 PasswordAuthentication yes #设置是否允许口令验证 68 # Change to no to disable s/key passwords 69 #ChallengeResponseAuthentication yes 70 ChallengeResponseAuthentication no 72 # Kerberos options 73 #KerberosAuthentication no 74 #KerberosOrLocalPasswd yes 75 #KerberosTicketCleanup yes 76 #KerberosGetAFSToken no 77 #KerberosUseKuserok yes 79 # GSSAPI options 80 #GSSAPIAuthentication no 81 GSSAPIAuthentication yes 82 #GSSAPICleanupCredentials yes 83 GSSAPICleanupCredentials yes 84 #GSSAPIStrictAcceptorCheck yes 85 #GSSAPIKeyExchange no 87 # Set this to 'yes' to enable PAM authentication, account processing, 88 # and session processing. If this is enabled, PAM authentication will 89 # be allowed through the ChallengeResponseAuthentication and 90 # PasswordAuthentication. Depending on your PAM configuration, 91 # PAM authentication via ChallengeResponseAuthentication may bypass 92 # the setting of "PermitRootLogin without-password". 93 # If you just want the PAM account and session checks to run without 94 # PAM authentication, then enable this but set PasswordAuthentication 95 # and ChallengeResponseAuthentication to 'no'.
96 #UsePAM no 97 UsePAM yes 99 # Accept locale-related environment variables 100 AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES 101 AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT 102 AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE 103 AcceptEnv XMODIFIERS 105 #AllowAgentForwarding yes 106 #AllowTcpForwarding yes 107 #GatewayPorts no 108 #X11Forwarding no 109 X11Forwarding yes #设置是否允许X11转发 110 #X11DisplayOffset 10 111 #X11UseLocalhost yes 112 #PrintMotd yes #设置sshd是否在用户登陆的时候显示/etc/motd文件的信息 113 #PrintLastLog yes 114 #TCPKeepAlive yes 115 #UseLogin no 116 #UsePrivilegeSeparation yes 117 #PermitUserEnvironment no 118 #Compression delayed 119 #ClientAliveInterval 0 120 #ClientAliveCountMax 3 #设置允许超时的次数(指定从客户端断开连接之前,在没有接到响应时能够发送客户端活跃消息的次数) 121 #ShowPatchLevel no 122 #UseDNS yes 123 #PidFile /var/run/sshd.pid 124 #MaxStartups 10:30:100 #指定SSH守护进程并未经身份验证连接的最大数量,默认值是10 125 #PermitTunnel no 126 #ChrootDirectory none 128 # no default banner path 129 #Banner none 131 # override default of no subsystems 132 Subsystem sftp /usr/libexec/openssh/sftp-server 134 # Example of overriding settings on a per-user basis 135 #Match User anoncvs 136 # X11Forwarding no 137 # AllowTcpForwarding no 138 # ForceCommand cvs server AllowGroups #设置允许连接的组群 AllowUsers #设置允许连接的用户 DenyGroup #设置拒绝连接的组群 DenyUsers #设置拒绝连接的用户(默认没有这个项,需要手动添加,若模式写成User@Host,则User和Host将同时被检查,限制特定用户在特定主机上连接SSH服务器,例Tom@192.168.10.10,表示拒绝用户Tom在192.168.10.10的主机上连接openSSH服务器
13 Port 22 15 ListenAddress 192.168.0.2 21 Protocol 2 36 SyslogFacility AUTHPRIV 65 #PermitEmptyPasswords no 66 PasswordAuthentication yes DenyUsers test 70 ChallengeResponseAuthentication no 81 GSSAPIAuthentication yes 83 GSSAPICleanupCredentials yes 97 UsePAM yes 100 AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES 101 AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT 102 AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE 103 AcceptEnv XMODIFIERS 109 X11Forwarding yes #设置是否允许X11转发 132 Subsystem sftp /usr/libexec/openssh/sftp-server
[root@vnc Packages]# vim /etc/ssh/
moduli ssh_host_dsa_key ssh_host_key.pub
ssh_config ssh_host_dsa_key.pub ssh_host_rsa_key
sshd_config ssh_host_key ssh_host_rsa_key.pub
ssh_config 客户端配置文件
sshd_config 服务器配置文件
# service sshd start
# service sshd status
# service sshd stop restart
# service sshd reload 重新加载sshd服务配置
# chkconfig sshd on 开机自启动
# chkconfig --list sshd
# Host * 只对匹配后面字符串的计算机有效,* 表示所有计算机 # ForwardAgent no # ForwardX11 no # RhostsRSAAuthentication no # RSAAuthentication yes # PasswordAuthentication yes # HostbasedAuthentication no # GSSAPIAuthentication no # GSSAPIDelegateCredentials no # GSSAPIKeyExchange no # GSSAPITrustDNS no # BatchMode no # CheckHostIP yes # AddressFamily any # ConnectTimeout 0 # StrictHostKeyChecking ask # IdentityFile ~/.ssh/identity # IdentityFile ~/.ssh/id_rsa # IdentityFile ~/.ssh/id_dsa # Port 22 # Protocol 2,1 # Cipher 3des # Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc # MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160 # EscapeChar ~ # Tunnel no # TunnelDevice any:any # PermitLocalCommand no # VisualHostKey no Host * GSSAPIAuthentication yes # If this option is set to yes then remote X11 clients will have full access # to the original X11 display. As virtually no X11 client supports the untrusted # mode correctly we set this to yes. ForwardX11Trusted yes # Send locale-related environment variables SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE SendEnv XMODIFIERS
$ ssh 192.168.175.134
# ssh vn@192.168.175.138
# ssh root@192.168.175.138 ls -ahl /home
[vn@vn /]$ whoami vn 当前用户名 [vn@vn /]$ scp /home/update.sh root@192.168.175.138:/root/u.sh
[vn@vn /]$ scp -r /home root@192.168.175.138:/root/test root@192.168.175.138's password: //输入密码 [vn@vn /]$ ssh root@192.168.175.138 ls -ld /root/test/home //这里可以查看传送的文件 root@192.168.175.138's password: drwxr-xr-x. 3 root root 4096 7月 1 21:10 /root/test/home
[root@vn vn]# scp -r root@192.168.175.138:/root/test/home /root root@192.168.175.138's password: [root@vn vn]# ls -ld /root/home/ drwxr-xr-x. 3 root root 4096 7月 1 13:22 /root/home/
[root@vn vn]# scp -r root@192.168.175.138:/root/test/home /root root@192.168.175.138's password: [root@vn vn]# ls -ld /root/home/ drwxr-xr-x. 3 root root 4096 7月 1 13:22 /root/home/
sftp> help 一些命令
Available commands: bye Quit sftp cd path Change remote directory to ‘path‘ chgrp grp path Change group of file ‘path‘ to ‘grp‘ chmod mode path Change permissions of file ‘path‘ to ‘mode‘ chown own path Change owner of file ‘path‘ to ‘own‘ df [-hi] [path] Display statistics for current directory or filesystem containing ‘path‘ exit Quit sftp get [-P] remote-path [local-path] Download file help Display this help text lcd path Change local directory to ‘path‘ lls [ls-options [path]] Display local directory listing lmkdir path Create local directory ln oldpath newpath Symlink remote file lpwd Print local working directory ls [-1aflnrSt] [path] Display remote directory listing lumask umask Set local umask to ‘umask‘ mkdir path Create remote directory progress Toggle display of progress meter put [-P] local-path [remote-path] Upload file pwd Display remote working directory quit Quit sftp rename oldpath newpath Rename remote file rm path Delete remote file rmdir path Remove remote directory symlink oldpath newpath Symlink remote file version Show SFTP version !command Execute ‘command‘ in local shell ! Escape to local shell ? Synonym for help sftp>
[root@vn ~]# ssh root@192.168.175.138 root@192.168.175.138's password: Permission denied, please try again. //连接被拒绝
Too many arguments. usage: ssh-keygen [options] Options: -a trials Number of trials for screening DH-GEX moduli. -B Show bubblebabble digest of key file. -b bits Number of bits in the key to create. -C comment Provide new comment. -c Change comment in private and public key files. -D pkcs11 Download public key from pkcs11 token. -e Convert OpenSSH to RFC 4716 key file. -F hostname Find hostname in known hosts file. -f filename Filename of the key file. -G file Generate candidates for DH-GEX moduli. -g Use generic DNS resource record format. -H Hash names in known_hosts file. -h Generate host certificate instead of a user certificate. -I key_id Key identifier to include in certificate. -i Convert RFC 4716 to OpenSSH key file. -L Print the contents of a certificate. -l Show fingerprint of key file. -M memory Amount of memory (MB) to use for generating DH-GEX moduli. -N phrase Provide new passphrase. -O option Specify a certificate option. -P phrase Provide old passphrase. -p Change passphrase of private key file. -q Quiet. -R hostname Remove host from known_hosts file. -r hostname Print DNS resource record. -S start Start point (hex) for generating DH-GEX moduli. -s ca_key Certify keys with CA key. -T file Screen candidates for DH-GEX moduli. -t type Specify type of key to create. -V from:to Specify certificate validity interval. -v Verbose. -W gen Generator to use for generating DH-GEX moduli. -y Read private key file and print public key. -Z name,... User/host principal names to include in certificate -z serial Specify a serial number.
Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa): //直接回车,使用默认文件保存秘钥 Created directory '/root/.ssh'. Enter passphrase (empty for no passphrase): //输入秘钥保护密码 Enter same passphrase again: //再次输入秘钥保护密码 Your identification has been saved in /root/.ssh/id_rsa. Your public key has been saved in /root/.ssh/id_rsa.pub. The key fingerprint is: 04:5f:46:79:4a:7a:9d:5a:fb:64:29:57:c7:28:97:b9 root@computer The key's randomart image is: +--[ RSA 2048]----+ | . .+. | | o oo . | | oo + . = | | .. o = = +| | S. o + +.| | . o E | | * | | . | | | +-----------------+
[root@computer ~]# ssh-keygen -r rhel rhel IN SSHFP 1 1 38b3bd45ce295040ebb21a415f5a4674e36c0389 rhel IN SSHFP 2 1 2cf544964ba9cba2c1135f5decc96dd92a897c1d
Generating public/private rsa key pair. Enter passphrase (empty for no passphrase): //输入秘钥保护密码 Enter same passphrase again: //再次输入秘钥保护密码 Your identification has been saved in /root/.ssh/known_hosts. Your public key has been saved in /root/.ssh/known_hosts.pub. The key fingerprint is: f8:b0:c0:8d:bd:1f:d3:c9:ae:e5:74:5f:08:ca:40:b9 root@computer The key‘s randomart image is: +--[ RSA 2048]----+ | | | . | | o | | . + o . | | + = E . | | . = = o . . | | o + O . . .| | . B . . . | | o.o . | +-----------------+
Generating public/private dsa key pair. Enter file in which to save the key (/root/.ssh/id_dsa): 直接回车,使用默认文件保存秘钥 Enter passphrase (empty for no passphrase): 使用秘钥保护密码 Enter same passphrase again: Your identification has been saved in /root/.ssh/id_dsa. Your public key has been saved in /root/.ssh/id_dsa.pub. The key fingerprint is: b0:fd:14:1d:79:f2:35:b4:a0:cb:ad:be:94:3c:d2:22 root@computer The key‘s randomart image is: +--[ DSA 1024]----+ | .o.. | | .+.o.o| | . ...+ o.| | + ..o . | | . S .o . | | oo o | | E o.B | | . = . | | o. | +-----------------+
Generating public/private dsa key pair. Enter file in which to save the key (/root/.ssh/id_dsa): Created directory ‘/root/.ssh‘. Enter passphrase (empty for no passphrase): Enter same passphrase again: Passphrases do not match. Try again. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /root/.ssh/id_dsa. Your public key has been saved in /root/.ssh/id_dsa.pub. The key fingerprint is: 72:83:0d:65:87:13:dc:e8:b2:2b:58:74:1d:7d:ba:34 root@computer The key‘s randomart image is: +--[ DSA 1024]----+ | .+*. | | o*.o . | | .o o o | | . o+o E | | . .ooS. o | | . .o .. | | o . | | . . . | | . | +-----------------+
[root@computer ~]# ls /root/.ssh/id_dsa* /root/.ssh/id_dsa /root/.ssh/id_dsa.pub
The authenticity of host '192.168.175.134 (192.168.175.134)' can't be established. RSA key fingerprint is 5e:0c:e1:cc:35:16:a1:9b:22:d5:aa:2b:6d:7b:c3:07. Are you sure you want to continue connecting (yes/no)? yes 同意连接 Warning: Permanently added '192.168.175.134' (RSA) to the list of known hosts. root@192.168.175.134's password: 输入主机192.168.175.134的root用户密码 Now try logging into the machine, with "ssh '192.168.175.134'", and check in: .ssh/authorized_keys to make sure we haven't added extra keys that you weren't expecting.
# service sshd restart
停止 sshd: [确定]
正在启动 sshd: [确定]
[root@vn ~]# ls /root/.ssh/
authorized_keys known_hosts
[root@vn ~]# cat /root/.ssh/authorized_keys 该文件的内容和OpenSSH客户端上的公钥文件是一致的
ssh-dss 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 root@computer
[root@computer ~]# ssh 192.168.175.134 Enter passphrase for key '/root/.ssh/id_dsa': 输入秘钥保护密码 Last login: Fri Jul 3 10:46:13 2015 from 192.168.175.1 [root@vn ~]# ifconfig eth1|grep "inet addr" 登陆服务器成功 inet addr:192.168.175.134 Bcast:192.168.175.255 Mask:255.255.255.0
原文地址:http://www.cnblogs.com/chinas/p/4637145.html