ssh:Secure SHell
ssh特点:
基于TCP22号端口;
密文认证;
密文传输数据
openssh是ssh的开源实现,支持ssh v1和ssh v2
但ssh v1无法解决中间层攻击,建议不要使用
客户端:
Linux:ssh
Windows:putty,SecureCRT,SSHSecureShellClient,Xmanager
服务器端:
Linux:sshd
openssh相关命令
1.ssh
-X:enable X11 forwarding
-Y:enable trusted X11 forwarding
-p #:指定#端口号
HOST:以当前身份登陆HOST
-l USERNAME HOST:以USERNAME身份登陆HOST
USERNAME@HOST:以USERNAME身份登陆HOST
USERNAME@HOST ‘COMMAND‘:以USERNAME身份执行HOST的COMMAND命名,执行玩退出
2.scp [OPTIONS] SRC DEST 选项用法与cp命令基本一致
-r:递归
-p:保存权限
-a = -rp
scp USERNAME@HOST:/path/to/somefile /path/to/localfile
scp /path/to/localfile USERNAME@HOST:/path/to/somedirectory
3.ssh-keygen
-t {rsa|dsa}:指定加密类型
-f /path/to/keyfile:指定保存路径和文件名
-N ‘passwd‘:指定使用密钥时的密码
直接使用ssh-keygen命令会进入交互模式
[root@localhost named]# ssh-keygen Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa): Created directory ‘/root/.ssh‘. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /root/.ssh/id_rsa. Your public key has been saved in /root/.ssh/id_rsa.pub. The key fingerprint is: 8d:32:74:34:39:56:49:35:a5:fa:9e:1d:59:e7:68:bd root@localhost.localdomain
4.ssh-copy-id
-i ~/.ssh/id_rsa.pub:指定公钥文件
ssh-copy-id -i ~/.ssh/id_rsa.pub USERNAME@REMOTE_HOST
5.sftp:密文传输数据的ftp
USERNAME@HOST:以USERNAME身份登陆HOST的ftp服务器
openssh相关配置文件
客户端ssh配置文件/etc/ssh/ssh_config
[root@localhost named]# cat /etc/ssh/ssh_config # $OpenBSD: ssh_config,v 1.21 2005/12/06 22:38:27 reyk Exp $ # This is the ssh client system-wide configuration file. See # ssh_config(5) for more information. This file provides defaults for # users, and the values can be changed in per-user configuration files # or on the command line. # Configuration data is parsed as follows: # 1. command line options # 2. user-specific file # 3. system-wide file # Any configuration value is only changed the first time it is set. # Thus, host-specific definitions should be at the beginning of the # configuration file, and defaults at the end. # Site-wide defaults for some commonly used options. For a comprehensive # list of available options, their meanings and defaults, please see the # ssh_config(5) man page. # Host * # ForwardAgent no # ForwardX11 no # RhostsRSAAuthentication no # RSAAuthentication yes # PasswordAuthentication yes # HostbasedAuthentication no # BatchMode no # CheckHostIP yes # AddressFamily any # ConnectTimeout 0 # StrictHostKeyChecking ask # IdentityFile ~/.ssh/identity # IdentityFile ~/.ssh/id_rsa # IdentityFile ~/.ssh/id_dsa # Port 22 #定义连接端口 # Protocol 2,1 #支持的versions # Cipher 3des # Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc # EscapeChar ~ # Tunnel no # TunnelDevice any:any # PermitLocalCommand no Host * GSSAPIAuthentication yes # If this option is set to yes then remote X11 clients will have full access # to the original X11 display. As virtually no X11 client supports the untrusted # mode correctly we set this to yes. ForwardX11Trusted yes # Send locale-related environment variables SendEnv LANG LANGUAGE LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT SendEnv LC_IDENTIFICATION LC_ALL
服务器端sshd配置文件/etc/ssh/sshd_config
[root@localhost tls]# vim /etc/ssh/sshd_config # $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. # This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options change a # default value. #Port 22 #Protocol 2,1 Protocol 2 #AddressFamily any #ListenAddress 0.0.0.0 #配置在指定地址上提供服务 #ListenAddress :: # HostKey for protocol version 1 #HostKey /etc/ssh/ssh_host_key # HostKeys for protocol version 2 #HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_dsa_key # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 1h #密钥重新生成的时间间隔 #ServerKeyBits 768 #服务器端密钥长度 # Logging # obsoletes QuietMode and FascistLogging #SyslogFacility AUTH SyslogFacility AUTHPRIV #LogLevel INFO # Authentication: #LoginGraceTime 2m #登录时间,超过后退出 #PermitRootLogin yes #允许root登陆 #StrictModes yes #MaxAuthTries 6 #允许登录尝试次数 #RSAAuthentication yes #PubkeyAuthentication yes #基于密钥认证 #AuthorizedKeysFile .ssh/authorized_keys # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts #RhostsRSAAuthentication no # similar for protocol version 2 #HostbasedAuthentication no # Change to yes if you don‘t trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no # Don‘t read the user‘s ~/.rhosts and ~/.shosts files #IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! #PasswordAuthentication yes #PermitEmptyPasswords no PasswordAuthentication yes #基于口令认证 # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes ChallengeResponseAuthentication no # Kerberos options #Kerberos选项 #KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes #KerberosGetAFSToken no # GSSAPI options #GSSAPIAuthentication no GSSAPIAuthentication yes #GSSAPICleanupCredentials yes GSSAPICleanupCredentials yes # Set this to ‘yes‘ to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication mechanism. # Depending on your PAM configuration, this may bypass the setting of # PasswordAuthentication, PermitEmptyPasswords, and # "PermitRootLogin without-password". If you just want the PAM account and # session checks to run without PAM authentication, then enable this but set # ChallengeResponseAuthentication=no #UsePAM no UsePAM yes #使用可插入式认证模块认证 # Accept locale-related environment variables AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT AcceptEnv LC_IDENTIFICATION LC_ALL #AllowTcpForwarding yes #GatewayPorts no #X11Forwarding no X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes #是否打印/etc/motd #PrintLastLog yes #是否显示上一次登录的信息 #TCPKeepAlive yes #UseLogin no #UsePrivilegeSeparation yes #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 #ClientAliveCountMax 3 #ShowPatchLevel no #UseDNS yes #PidFile /var/run/sshd.pid #MaxStartups 10 #PermitTunnel no #ChrootDirectory none # no default banner path #Banner /some/path #登陆Banner # override default of no subsystems Subsystem sftp /usr/libexec/openssh/sftp-server
实现基于密钥的认证:
1、在客户端主机上生成一对密钥
ssh-keygen
2、将公钥文件内容追加到服务器端某用户的家目录下的.ssh/authorized_keys文件中
①ssh-copy-id -i /path/to/pubkey USERNAME@REMOTE_HOST
②将公钥文件scp复制到服务器端,再将公钥文件追加到某用户的家目录下的.ssh/authorized_keys文件中
之后的登录会基于密钥认证,ssh登录用户不用再输入密码即可登录成功。
安全要点:
1、密码应该经常换且足够复杂;
2、使用非默认端口;
3、限制登陆客户地址;
4、禁止管理员直接登录;
5、仅允许有限用户登录;
6、使用基于密钥的认证;
7、禁止使用ssh v1。
原文地址:http://chenqiyi.blog.51cto.com/8125763/1686233
