##################1.openssh-server

Function: lets remote hosts reach the sshd service over the network and open a secure shell.

 

##################2.Client connection

ssh remote-user@remote-host-ip

[root@server45 ~]# ssh root@172.25.254.177

The authenticity of host '172.25.254.177 (172.25.254.177)' can't be established.

ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.

Are you sure you want to continue connecting (yes/no)? yes    ##first connection to an unknown host: ssh asks you to trust its host key. Compare the fingerprint with the server's own (ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key.pub run on the server) before answering yes; once accepted it is stored in ~/.ssh/known_hosts, and a later change of that key is reported as a possible man-in-the-middle

Warning: Permanently added '172.25.254.177' (ECDSA) to the list of known hosts.

root@172.25.254.177's password:                          ##password of the remote user

Last login: Mon Oct  3 20:54:06 2016 from foundation45.ilt.example.com

[root@foundation177 ~]#                                  ##login succeeded

 

ssh remote-user@remote-host-ip -X ##forward X11 so graphical tools on the remote host can be used

ssh remote-user@remote-host-ip command ##run a single command on the remote host instead of opening a shell

 

ssh root@172.25.254.177   -X  "gedit&  firefox&"   open both tools at once

 

 

##################3.ssh key authentication

1) Generate the key pair

 

[root@foundation177 ~]# ssh-keygen                  ##tool that generates the public/private key pair

Generating public/private rsa key pair.

Enter file in which to save the key (/root/.ssh/id_rsa):  [enter]     ##file the key is saved to (keep the default)

Enter passphrase (empty for no passphrase):        [enter]    ##passphrase protecting the private key; if you set one it must be longer than four characters. Leaving it empty means anyone who obtains the id_rsa file can use it

Enter same passphrase again:                     [enter]    ##confirm the passphrase

Your identification has been saved in /root/.ssh/id_rsa.

Your public key has been saved in /root/.ssh/id_rsa.pub.

The key fingerprint is:

bb:9f:a7:cb:6b:4c:1d:ad:1c:84:72:30:b8:fb:91:ad root@foundation177.ilt.example.com

The key's randomart image is:

+--[ RSA 2048]----+

|       .o. .     |

|      . ..o .    |

|       . o . .   |

|      .     o .  |

|       .So o +   |

|      . o.o +    |

|       ..=       |

|        Eoo..    |

|        .oB=     |

+-----------------+

[root@foundation177 ~]#

 

[root@foundation177 ~]# ls /root/.ssh/

 

id_rsa  id_rsa.pub

id_rsa ##private key, the "key": stays on this host only, mode 600

id_rsa.pub ##public key, the "lock": installed on every host this key should open

 

2) Install the key as an authentication method

[root@foundation177 ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub  root@172.25.254.177

ssh-copy-id ##tool that installs the public key on the remote host: it appends the key to ~/.ssh/authorized_keys of the target user, creating ~/.ssh and authorized_keys with permissions sshd accepts if they do not exist, and asks for that user's password once

-i ##public key file to install

/root/.ssh/id_rsa.pub ##the public key; never give ssh-copy-id the private id_rsa

root ##account on the remote host that will accept this key

172.25.254.177 ##remote host the key is installed on

3) Distribute the key to client hosts

[root@foundation177 ~]# scp /root/.ssh/id_rsa root@172.25.254.150:/root/.ssh/

##copying the private key to another client lets that client log in with it too, but the same secret then lives on several hosts and compromise of any one of them exposes all of them. The safer equivalent is to run ssh-keygen on each client and ssh-copy-id its own public key.

 

4) Test

[root@server45 ~]# ssh 172.25.254.177              ##authenticates with id_rsa; no user password is asked for

Last login: Mon Oct  3 20:57:31 2016 from foundation150.ilt.example.com

[root@foundation177 ~]#
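What ssh-copy-id does on the remote side in step 2, written out by hand as an added example (this is not code from the original notes): it creates ~/.ssh and authorized_keys with the modes sshd's StrictModes requires and appends the public key only if it is not already there. The script runs offline against a temporary home directory; CONSTRUCTED_KEY is a placeholder line in authorized_keys format, not a real key, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original notes: the work ssh-copy-id does on the
# remote side, done by hand. Runs offline against a temporary home directory.
# CONSTRUCTED_KEY is a placeholder line in authorized_keys format, not a real key.

# install_authorized_key KEYLINE HOMEDIR
# Appends KEYLINE to HOMEDIR/.ssh/authorized_keys exactly once and sets the modes
# sshd insists on when StrictModes is yes (the default): ~/.ssh 700, the file 600.
install_authorized_key() {
  keyline="$1"
  sshdir="$2/.ssh"
  authfile="$sshdir/authorized_keys"
  mkdir -p "$sshdir"
  chmod 700 "$sshdir"
  touch "$authfile"
  chmod 600 "$authfile"
  # -F fixed string, -x whole line: a second run with the same key is a no-op
  if ! grep -qFx "$keyline" "$authfile"; then
    printf '%s\n' "$keyline" >> "$authfile"
  fi
}

# count_authorized_keys HOMEDIR: number of key lines, ignoring blanks and comments
count_authorized_keys() {
  grep -cv -e '^[[:space:]]*$' -e '^#' "$1/.ssh/authorized_keys" || true
}

# mode_of PATH: the ten-character permission string as shown by ls, e.g. drwx------
mode_of() {
  ls -ld "$1" | cut -c1-10
}

demo_home=$(mktemp -d)
trap 'rm -rf "$demo_home"' EXIT

CONSTRUCTED_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDplaceholder root@foundation177.ilt.example.com'

install_authorized_key "$CONSTRUCTED_KEY" "$demo_home"
install_authorized_key "$CONSTRUCTED_KEY" "$demo_home"   # repeated: must not duplicate

echo "keys installed: $(count_authorized_keys "$demo_home")"   # 1, not 2
echo ".ssh mode:            $(mode_of "$demo_home/.ssh")"
echo "authorized_keys mode: $(mode_of "$demo_home/.ssh/authorized_keys")"
```

If a key login still asks for a password, the modes are the first thing to check: sshd silently ignores an authorized_keys file that is group- or world-writable, or whose ~/.ssh directory is.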

 

###############4.Raising the security level of openssh

 

1.openssh-server configuration file

/etc/ssh/sshd_config

78 PasswordAuthentication yes|no ##whether password authentication is accepted; yes allows it, no turns it off. Set it to no once key authentication works, otherwise the key adds nothing against password guessing

48 PermitRootLogin yes|no ##whether the superuser may log in over ssh; no (or prohibit-password on newer versions) forces root access to go through an ordinary account and su/sudo

49 AllowUsers student westos ##user whitelist: only the listed users can open a shell through sshd

50 DenyUsers westos ##user blacklist; sshd checks DenyUsers before AllowUsers, so a user listed in both (westos here) is denied

After editing, validate the file with sshd -t and restart the service (systemctl restart sshd) for the change to take effect; keep an existing session open until a fresh login succeeds.
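The checks above as an added shell example (not part of the original notes): it reads an sshd_config-style file with the same first-match rule sshd applies, flags the three weak settings, and evaluates the AllowUsers/DenyUsers pair for a given user so the westos case is visible. Both config files are constructed inside the script, and the function names are my own; on a real host point them at /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not from the original notes: audit an sshd_config for the four
# directives covered in this section and show how sshd resolves them. The two
# config files are constructed here for the demonstration; on a real host point
# the functions at /etc/ssh/sshd_config.

# directive_args FILE KEYWORD
# Prints the arguments of the first uncommented occurrence of KEYWORD. Keywords
# are case-insensitive, and sshd uses the FIRST value it meets for a keyword,
# so a later duplicate line does not override an earlier one.
directive_args() {
  awk -v key="$2" '
    $1 !~ /^#/ && tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }
  ' "$1"
}

# audit_sshd_config FILE
# Prints one line per weak setting; the return value is the number of findings.
# Unset directives are treated as their weakest historical default
# (PasswordAuthentication yes; PermitRootLogin yes before OpenSSH 7.0).
audit_sshd_config() {
  cfg="$1"
  findings=0

  pa=$(directive_args "$cfg" PasswordAuthentication)
  if [ "${pa:-yes}" != "no" ]; then
    echo "  PasswordAuthentication ${pa:-unset}: online password guessing remains possible"
    findings=$((findings + 1))
  fi

  prl=$(directive_args "$cfg" PermitRootLogin)
  case "${prl:-yes}" in
    no|prohibit-password|without-password) ;;
    *) echo "  PermitRootLogin ${prl:-unset}: root may log in directly with a password"
       findings=$((findings + 1)) ;;
  esac

  if [ -z "$(directive_args "$cfg" AllowUsers)" ]; then
    echo "  AllowUsers unset: every local account may attempt to log in"
    findings=$((findings + 1))
  fi

  return "$findings"
}

# is_user_allowed FILE USER
# Mirrors sshd's evaluation order for the user lists: DenyUsers is applied first,
# then AllowUsers, so a name present in both lists is denied. Group directives and
# user@host patterns are not modelled.
is_user_allowed() {
  user="$2"
  for u in $(directive_args "$1" DenyUsers); do
    if [ "$u" = "$user" ]; then return 1; fi
  done
  allow=$(directive_args "$1" AllowUsers)
  if [ -z "$allow" ]; then return 0; fi
  for u in $allow; do
    if [ "$u" = "$user" ]; then return 0; fi
  done
  return 1
}

weak_cfg=$(mktemp)
hard_cfg=$(mktemp)
trap 'rm -f "$weak_cfg" "$hard_cfg"' EXIT

# constructed: the shipped defaults, with a commented-out line that does nothing
printf '%s\n' \
  '#PermitRootLogin no' \
  'PermitRootLogin yes' \
  'PasswordAuthentication yes' > "$weak_cfg"

# constructed: the hardened settings from this section, plus a duplicate
# PermitRootLogin line to show that the first occurrence wins
printf '%s\n' \
  'PasswordAuthentication no' \
  'PermitRootLogin no' \
  'PermitRootLogin yes' \
  'AllowUsers student westos' \
  'DenyUsers westos' > "$hard_cfg"

for f in "$weak_cfg" "$hard_cfg"; do
  echo "== $f"
  n=0
  audit_sshd_config "$f" || n=$?
  echo "  findings: $n"
done

for u in student westos root; do
  if is_user_allowed "$hard_cfg" "$u"; then echo "$u: allowed"; else echo "$u: denied"; fi
done
```

The first-match rule is the part people trip over: appending `PermitRootLogin no` at the end of a stock sshd_config that already contains an uncommented `PermitRootLogin yes` changes nothing, which is why the audit reads the first occurrence rather than the last.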