SSH-KEY服务及批量分发与管理实战
SSH服务
一、SSH服务介绍
SSH是Secure Shell Protocol的简写,由IETF网络工作小组制定;在进行数据传输之前,SSH先对联机数据包通过加密技术进行加密处理,加密后再进行数据传输,确保了传递的数据安全。
SSH是专为远程登录会话和其他网络服务提供的安全性协议。利用SSH协议可以有效的防止远程管理过程中的信息泄露问题,在当前的生产环境当中,绝大多数企业普遍采用SSH协议服务来代替传统的不安全的远程联机服务软件。如telnet等。
SSH服务功能:
a.类似telnet远程联机服务
b.类似FTP服务的sftp-server,借助SSH协议来传输数据,提供更安全的SFTP服务
特别提醒:
SSH客户端(ssh命令)还包含一个很有用的远程安全拷贝命令scp,也是通过ssh协议工作的。
小结:
1.SSH是安全的加密协议,用于远程连接服务器
2.默认端口是22,安全协议版本是ssh2
3.服务端主要包含两个服务功能,ssh远程连接和SFTP服务
4.ssh客户端包含ssh连接命令,以及远程拷贝scp命令等
SSH服务结构:
SSH服务是由服务端软件OpenSSH和客户端(常见的有SSH,SecureCRT,Xshell,Putty)组成,SSH服务默认使用22端口提供服务,它有两个不兼容的SSH协议版本,分别是1.x和2.x。
[root@backup ~]# rpm -qa openssh
openssh-5.3p1-104.el6.x86_64
[root@backup ~]# rpm -qa openssh openssl
openssh-5.3p1-104.el6.x86_64
openssl-1.0.1e-30.el6.x86_64
[root@backup ~]# ps -ef|grep sshd
root 2244 1 0 Jul22 ? 00:00:01 /usr/sbin/sshd
root 13819 2244 0 19:16 ? 00:00:01 sshd: root@pts/0
root 14672 13822 0 21:44 pts/0 00:00:00 grep sshd
[root@backup ~]# chkconfig --list sshd
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
SSH加密技术
# HostKey for protocol version 1 #(只支持RSA密钥)
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2 #(支持RSA和DSA密钥)
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
[root@backup ~]# grep ServerKey/etc/ssh/sshd_config
#ServerKeyBits 1024
#ServerKeyBits 1024
[root@backup ~]# ll ~/.ssh/
total 4
-rw-r--r-- 1 root root 395 Mar 28 19:11known_hosts
[root@backup ~]# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:0C:29:E4:F6:3F
inet addr:192.168.0.114 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fee4:f63f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2318994 errors:0dropped:0 overruns:0 frame:0
TX packets:1511463 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1781734365 (1.6 GiB) TXbytes:416486786 (397.1 MiB)
[root@backup ~]# ifconfig eth0|sed -rn's#^.*dr:(.*) Bc.*$#\1#gp'
192.168.0.114
简单解释一下这条sed
1、参数rn
r是为了让sed支持扩展正则也就是ERE(还有BRE、PRE这些不同的流派对于正则里元字符的表达方式都有不同,楼主可以自己Google就不在这里解释了),这样可以省去后边正则中的N多转义符号,比如说不加r的时候()必须要写成\(\)。
n是不要自动打印空间模式,加上他就只打印匹配的行才会去执行p的打印动作了。
2、加个()是为了sed后边的\1,刚刚上边讲的“/源/目标/”这种模式中,源可以写成多个()表示的集合,第一个集合在目标中就用\1表示,第二个就是\2其他依次类推。
二、SSH服务认证类型
从SSH客户端来看,SSH服务主要有两种级别安全验证,具体级别如下:
1.基于口令的安全认证
[root@NFS ~]# ls -l ~/.ssh
[root@NFS ~]#
[root@NFS ~]# ssh -p22 sshtest@192.168.0.131
sshtest@192.168.0.131's password:
welcome to oldboy linux training from/etc/profile.d
[sshtest@oldboy ~]$ ifconfig eth0
eth0 Link encap:Ethernet HWaddr00:0C:29:21:B6:B1
inet addr:192.168.0.131 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe21:b6b1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1446978 errors:0 dropped:0 overruns:0 frame:0
TX packets:1946787 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:408128388 (389.2 MiB) TXbytes:1248347837 (1.1 GiB)
[root@NFS ~]# ls -l ~/.ssh
total 4
-rw-r--r-- 1 root root 790 Jul 24 22:05known_hosts
[root@NFS ~]# cat ~/.ssh/known_hosts
192.168.0.131 ssh-rsa\
AAAAB3NzaC1yc2EAAAABIwAAAQEAr3aG1hPNk0pRhTVWM4ECI4HFLwriYGfw9sTIZtYAfdzJXnQD5dMrTUP0p4TgQ6k9rj/tCpbRHqIVOWI0i8R3z8N/jgZYtDs5h0YDRtM0iIgNRsKD3xJa4E+Vab1JMvbASPH9YKaJ13KprWnWat+OXAjiDHwi41tMphAnWNhPXCwaKuqMcsejPk3TmOemrfCt3XzFX34dGTLsVYYB4pn8Psu+phR+FQyiajDDGQaVVDGuKwgdd7JTs0P0WOEkV8ENX6dcDWvEB6KGCmBcQnXE0E0hxjiG+J1QrX2ODzMei8fI1h9ZXgM6hEqJSlsA6iVRhCFDsPuzXYdQ/J19OqpVDw==
2.基于密钥对的安全认证
基于密钥的安全认证也有windows客户端和linux客户端的区别。
三、启动SSH服务
[root@NFS ~]# rpm -qa"openssl|openssh"|sort #查看SSH服务相关的软件包
openssh-5.3p1-104.el6.x86_64
openssl098e-0.9.8e-18.el6_5.2.x86_64
openssl-1.0.1e-30.el6.x86_64
[root@NFS ~]# chkconfig --list sshd #查看SSH服务开机启动项
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
[root@NFS ~]# ll /etc/ssh/sshd_config
-rw-------. 1 root root 3879 Oct 15 2014 /etc/ssh/sshd_config #SSH服务端配置文件
[root@NFS ~]# ll /etc/ssh/ssh_config
-rw-r--r--. 1 root root 2047 Oct 15 2014 /etc/ssh/ssh_config #SSH客户端配置文件
[root@NFS ~]# less /etc/ssh/ssh_config
# $OpenBSD: ssh_config,v 1.25 2009/02/17 01:28:32 djm Exp $
# This is the ssh client system-wideconfiguration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed inper-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
[root@NFS ~]#
[root@NFS ~]# less /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
# This is the sshd server system-wideconfiguration file. See
# sshd_config(5) for more information.
# This sshd was compiled withPATH=/usr/local/bin:/bin:/usr/bin
# The strategy used for options in thedefault sshd_config shipped with
[root@NFS ~]# netstat -tunlp|grep 22 #查看ssh服务是否已运行或启动,方法一
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1052/sshd
tcp 0 0 :::22 :::* LISTEN 1052/sshd
[root@NFS ~]# lsof -i:22 #查看ssh服务是否已运行或启动,方法二
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 1052 root 3u IPv4 9891 0t0 TCP *:ssh (LISTEN)
sshd 1052 root 4u IPv6 9893 0t0 TCP *:ssh (LISTEN)
sshd 6597 root 3r IPv4 28879 0t0 TCP 192.168.0.113:ssh->192.168.0.104:49230(ESTABLISHED)
sshd 10253 root 3r IPv4 36283 0t0 TCP 192.168.0.113:ssh->192.168.0.103:49898(ESTABLISHED)
四、更改SSH默认登录配置(安全优化)
修改SSH服务的运行参数,是通过修改配置文件/etc/ssh/sshd_config实现的
[root@NFS ~]# cp /etc/ssh/sshd_config/etc/ssh/sshd_config.ori
[root@NFS ~]# vi /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:
18 djm Exp $
# This is the sshd server system-wideconfiguration fi
le. See
# sshd_config(5) for more information.
# This sshd was compiled withPATH=/usr/local/bin:/bin
:/usr/bin
# The strategy used for options in thedefault sshd_co
nfig shipped with
/port
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# activation of protocol 1
Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
#ServerKeyBits 1024
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody
# For this to work you will also need hostkeys in /et
c/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust~/.ssh/known_hosts
for
# RhostsRSAAuthentication andHostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and~/.shosts files
# sshd_config(5) for more information.
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# installations. In future the default willchange to
require explicit
# activation of protocol 1
Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1server key
# sshd_config(5) for more information.
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# activation of protocol 1
Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# RhostsRSAAuthentication andHostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and~/.shosts files
#IgnoreRhosts yes
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#GSSAPIKeyExchange no
# and ChallengeResponseAuthentication to'no'.
#UsePAM no
UsePAM yes
# Accept locale-related environmentvariables
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
# no default banner path
#Banner none
# override default of no subsystems
# Example of overriding settings on aper-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
# 在最后加入如下内容,保存退出!
Port52113 #为了提高安全级别,建议改掉SSH服务默认连接端口
PermitRootLoginno #root超级用户黑客都知道,建议禁止它(root)远程登陆
PermitEmptyPasswordsno #禁止空密码登录
UseDNSno #不使用DNS
#GSSAPIoptions
GSSAPIAuthenticationno #加快SSH连接速度
~
"/etc/ssh/sshd_config" 146L,4035C written
http://oldboy.blog.51cto.com/2561410/1300964
[root@NFS ~]# /etc/init.d/sshd restart #重启ssh服务
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
[root@NFS ~]# nmap www.baidu.com -p 1-65535 #扫描本机打开的端口
-bash: nmap: command not found
[root@NFS ~]# n
nail nl
namei nm
nameif nohup
nano nologin
ncurses5-config nproc
ncursesw5-config nroff
needs-restarting nsenter
neqn nslookup
netreport nstat
netstat nsupdate
newaliases ntpd
newaliases.postfix ntpdate
newgrp ntpdc
new-kernel-pkg ntp-keygen
newusers ntpq
nfs_cache_getent ntpstat
nfsidmap ntptime
nfsiostat ntsysv
nfsstat numactl
ngettext numademo
nice numastat
nisdomainname
[root@NFS ~]# yum -y install nmap #安装扫描端口软件
Loaded plugins: fastestmirror, security
Setting up Install Process
Determining fastest mirrors
*base: mirrors.sina.cn
*extras: mirrors.btte.net
*updates: mirrors.sina.cn
base | 3.7 kB 00:00
extras | 3.4 kB 00:00
extras/primary_db | 31 kB 00:00
updates | 3.4 kB 00:00
updates/primary_db | 4.4 MB 00:10
Resolving Dependencies
--> Running transaction check
---> Package nmap.x86_64 2:5.51-4.el6will be installed
--> Finished Dependency Resolution
Dependencies Resolved
======================================================
Package Arch Version Repository
Size
======================================================
Installing:
nmap x86_64 2:5.51-4.el6 base 2.8 M
Transaction Summary
======================================================
Install 1 Package(s)
Total download size: 2.8 M
Installed size: 9.7 M
Downloading Packages:
nmap-5.51-4.el6.x86_64.rpm | 2.8 MB 00:06
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : 2:nmap-5.51-4.el6.x86_64 1/1
Verifying :2:nmap-5.51-4.el6.x86_64 1/1
Installed:
nmap.x86_64 2:5.51-4.el6
Complete!
[root@NFS ~]# nmap 192.168.0.113 -p 1-65535 #扫描本机打开的端口
Starting Nmap 5.51 ( http://nmap.org ) at2015-07-24 23:23 CST
Nmap scan report for 192.168.0.113
Host is up (0.0000040s latency).
Not shown: 65526 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
875/tcp open unknown
2049/tcp open nfs
33561/tcp open unknown
45357/tcp open unknown
52360/tcp open unknown
53647/tcp open unknown
54877/tcp open unknown
Nmap done: 1 IP address (1 host up) scannedin 0.65 seconds
五、远程连接SSH服务
1.linux客户端通过ssh连接:
ssh基本语法使用
ssh-p22 sshtest@192.168.0.131
#-->SSH 连接远程主机命令的基本语法
#-->-p(小写)接端口,默认22端口时可以省略-p22
#-->"@" 前为用户名,“@”后为要连接的服务器的IP,更多用法,请man ssh
a.直接登陆远程主机的方法:
[root@NFS ~]# ssh -p22sshtest@192.168.0.131
sshtest@192.168.0.131's password:
Last login: Fri Jul 24 22:25:59 2015 from192.168.0.113
welcome to oldboy linux training from/etc/profile.d
[sshtest@oldboy ~]$ ifconfig
eth0 Link encap:Ethernet HWaddr00:0C:29:21:B6:B1
inet addr:192.168.0.131 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe21:b6b1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1449144 errors:0 dropped:0 overruns:0 frame:0
TX packets:1952746 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:408356613 (389.4 MiB) TXbytes:1248748377 (1.1 GiB)
eth0:1 Link encap:Ethernet HWaddr00:0C:29:21:B6:B1
inet addr:192.168.0.150 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNINGMULTICAST MTU:1500 Metric:1
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:1233 errors:0 dropped:0 overruns:0 frame:0
TX packets:1233 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:127384 (124.3 KiB) TXbytes:127384 (124.3 KiB)
[root@oldboy ~]#ssh root@192.168.0.113
The authenticity of host '192.168.0.113(192.168.0.113)' can't be established.
RSA key fingerprint is85:83:52:21:20:dd:4a:7c:3c:df:ec:5a:de:a0:b4:82.
Are you sure you want to continueconnecting (yes/no)? yes
Warning: Permanently added '192.168.0.113'(RSA) to the list of known hosts.
root@192.168.0.113's password:
Last login: Sat Jul 25 14:20:45 2015 from192.168.0.104
welcome to oldboy linux training from/etc/profile.d
[root@NFS ~]#
[root@NFS ~]# ifconfig
eth0 Link encap:Ethernet HWaddr00:0C:29:3C:A9:18
inet addr:192.168.0.113 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe3c:a918/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:57014 errors:0 dropped:0overruns:0 frame:0
TX packets:67410 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:34403157 (32.8 MiB) TXbytes:17167386 (16.3 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:132318 errors:0 dropped:0 overruns:0 frame:0
TX packets:132318 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:5606236 (5.3 MiB) TXbytes:5606236 (5.3 MiB)
[root@oldboy ~]#ssh root@192.168.0.113
root@192.168.0.113's password:
Permission denied, please try again.
root@192.168.0.113's password:
Permission denied, please try again.
root@192.168.0.113's password:
Permission denied(publickey,gssapi-keyex,gssapi-with-mic,password).
[root@oldboy ~]#ssh -p52113root@192.168.0.113
ssh: connect to host 192.168.0.113 port52113: Connection refused #提示拒绝连接,连接拒绝原因:端口错误或用户名,IP错误
b.不登陆远程主机,直接在远程主机执行命令
[root@oldboy ~]#ssh -p52113root@192.168.0.113
ssh: connect to host 192.168.0.113 port52113: Connection refused
[root@oldboy ~]#ssh -p22 root@192.168.0.113/sbin/ifconfig
root@192.168.0.113's password:
eth0 Link encap:Ethernet HWaddr00:0C:29:3C:A9:18
inet addr:192.168.0.113 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe3c:a918/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:57277 errors:0 dropped:0 overruns:0 frame:0
TX packets:67582 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:34430072 (32.8 MiB) TXbytes:17187649 (16.3 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:132360 errors:0 dropped:0 overruns:0 frame:0
TX packets:132360 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:5612182 (5.3 MiB) TXbytes:5612182 (5.3 MiB)
[root@oldboy ~]#ssh -p22 root@192.168.0.113/usr/bin/free -m
root@192.168.0.113's password:
total used free shared buffers cached
Mem: 988 415 572 0 41 274
-/+ buffers/cache: 99 888
Swap: 2047 0 2047
[root@oldboy ~]#cat ~/.ssh/known_hosts
192.168.0.113 ssh-rsa\AAAAB3NzaC1yc2EAAAABIwAAAQEAr3aG1hPNk0pRhTVWM4ECI4HFLwriYGfw9sTIZtYAfdzJXnQD5dMrTUP0p4TgQ6k9rj/tCpbRHqIVOWI0i8R3z8N/jgZYtDs5h0YDRtM0iIgNRsKD3xJa4E+Vab1JMvbASPH9YKaJ13KprWnWat+OXAjiDHwi41tMphAnWNhPXCwaKuqMcsejPk3TmOemrfCt3XzFX34dGTLsVYYB4pn8Psu+phR+FQyiajDDGQaVVDGuKwgdd7JTs0P0WOEkV8ENX6dcDWvEB6KGCmBcQnXE0E0hxjiG+J1QrX2ODzMei8fI1h9ZXgM6hEqJSlsA6iVRhCFDsPuzXYdQ/J19OqpVDw==
[root@oldboy ~]#rm -f ~/.ssh/known_hosts
[root@oldboy ~]#ssh -p22 root@192.168.0.113/usr/bin/free -m
The authenticity of host '192.168.0.113(192.168.0.113)' can't be established.
RSA key fingerprint is85:83:52:21:20:dd:4a:7c:3c:df:ec:5a:de:a0:b4:82.
Are you sure you want to continueconnecting (yes/no)? yes
Warning: Permanently added '192.168.0.113'(RSA) to the list of known hosts.
root@192.168.0.113's password:
total used free shared buffers cached
Mem: 988 415 572 0 41 274
-/+ buffers/cache: 99 888
Swap: 2047 0 2047
[root@oldboy ~]#
[root@oldboy ~]#ifconfig
eth0 Link encap:Ethernet HWaddr00:0C:29:21:B6:B1
inet addr:192.168.0.131 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe21:b6b1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1450400 errors:0 dropped:0 overruns:0 frame:0
TX packets:1954594 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:408489734 (389.5 MiB) TXbytes:1248906769 (1.1 GiB)
eth0:1 Link encap:Ethernet HWaddr00:0C:29:21:B6:B1
inet addr:192.168.0.150 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:1233 errors:0 dropped:0 overruns:0 frame:0
TX packets:1233 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:127384 (124.3 KiB) TXbytes:127384 (124.3 KiB)
小结:
1.切换到别的机器 ssh -p22 user@ip([user@]hostname[command])
2.到其他机器执行命令(不会切到机器上) ssh -p22 user@ip 命令(命令用全路径)
3.当第一次连接的时候,本地会产生一个密钥文件~/.ssh/known_hosts(多个密钥)
六、SSH客户端附带的远程拷贝scp命令
1.scp命令的基本语法使用
NAME
scp - secure copy (remote file copy program)
推:PUSH
scp-P22 -r -p /tmp/oldboy oldboy@10.0.0.143:/tmp
源(本地文件) 目标
拉:PULL
scp-P22 -rp root@10.0.0.7:/tmp/oldboy /opt/
源(远端文件或目录) 目标(本地目录)
#-->scp 为远程拷贝文件或目录的命令
#-->-P(大写,注意和ssh命令的不同)接端口,默认22端口时可以省略-P22
#-->-r 表示拷贝目录
#-->-p 表示在拷贝前后保持文件或目录的属性
#-->/tmp/oldboy 为本地的目录。“@”前为用户名,“@”后为要连接的服务器的IP,IP后的:/tmp目录,为远端的目标目录
#-->-l[limit] 限制scp远程拷贝速度
[root@oldboy ~]#scp -P22 /root/oldboy.logroot@192.168.0.113:/tmp #推-->push
root@192.168.0.113's password:
oldboy.log 100% 0 0.0KB/s 00:00
[root@oldboy ~]#ssh -p22 root@192.168.0.113/bin/ls -l /tmp
root@192.168.0.113's password:
total 0
-rw-r--r-- 1 root root 0 Jul 25 15:27oldboy.log
[root@NFS ~]# scp -P22 root@192.168.0.131:/root/a.log/tmp #拉-->pull
root@192.168.0.131's password:
a.log 100% 292 0.3KB/s 00:00
[root@NFS ~]# ll /tmp
total 4
-rw-r--r-- 1 root root 292 Jul 25 15:33a.log
[root@oldboy ~]#scp -P22 -r /rootroot@192.168.0.113:/tmp #拷贝/root目录到远程192.168.0.113主机上的/tmp目录下
root@192.168.0.113's password:
oldboy.log 100% 0 0.0KB/s 00:00
known_hosts 100% 395 0.4KB/s 00:00
ping.sh 100% 33 0.0KB/s 00:00
tar.sh 100% 160 0.2KB/s 00:00
.bash_profile 100% 34 0.0KB/s 00:00
a.log 100% 292 0.3KB/s 00:00
/root/tools/mysql-5.6.23/mysql-test/mysql-test-run:No such file or directory
/root/tools/mysql-5.6.23/mysql-test/mtr: Nosuch file or directory
/root/tools/mysql-5.6.23/libmysql/libmysqlclient.so:No such file or directory
/root/tools/mysql-5.6.23/libmysql/libmysqlclient_r.a:No such file or directory
/root/tools/mysql-5.6.23/libmysql/libmysqlclient_r.so:No such file or directory
/root/tools/mysql-5.6.23/libmysql/libmysqlclient_r.so.18.1.0:No such file or directory
/root/tools/mysql-5.6.23/libmysql/libmysqlclient_r.so.18:No such file or directory
/root/tools/mysql-5.6.23/libmysql/libmysqlclient.so.18:No such file or directory
.bash_history 100% 17KB 17.4KB/s 00:00
[root@oldboy ~]#ssh -p22 root@192.168.0.113/bin/ls -l /tmp/
root@192.168.0.113's password:
total 8
-rw-r--r-- 1 root root 292 Jul 25 15:33 a.log
-rw-r--r-- 1 root root 0 Jul 25 15:27 oldboy.log
dr-xr-x--- 6 root root 4096 Jul 25 15:44root
小结:
scp是加密的远程拷贝,可以把数据从一台机器推送到另一台机器,也可以从其它服务器把数据拉回到本地执行命令的服务器。但是,每次都是全量拷贝(rsync是增量拷贝),因此,效率不高。
七、SSH服务附带的sftp功能
在前面就应该知道ssh服务除了远程连接机器外,还有一个安全的FTP功能,即通过ssh加密数据后进行传输。
windows客户端和linux服务器之间传输数据工具:
1)rz,sz
2)winscp,WinSCP-v4.0.5<==基于SSH
3)SFX(xshell)
4)SFTP<===基于SSH,加密传输
5)samba,http,ftp,NFS
a.linuxsftp客户端连接sftp服务器方法
[root@oldboy ~]#sftp -oPort=22 root@192.168.0.113 #-o接端口
Connecting to 192.168.0.113...
root@192.168.0.113's password:
sftp> ll
Invalid command.
sftp> ls -l
drwxr-xr-x 3 root root 4096 Mar 26 20:57tools
sftp> put a.txt #上传文件到root家目录,也可以指定路径
Uploading a.txt to /root/a.txt
a.txt 100% 0 0.0KB/s 00:00
sftp> ls -l
-rw-r--r-- 1 root root 0 Jul 25 16:36a.txt
drwxr-xr-x 3 root root 4096 Mar 26 20:57tools
sftp> get ddd #下载文件到本地的当前目录,也可以指定路径
Fetching /root/ddd to ddd
sftp> quit
[root@oldboy ~]#ll
total 16
-rw-r--r-- 1 root root 292 May 12 22:16 a.log
-rw-r--r-- 1 root root 0 Jul 25 16:16 a.txt
-rw-r--r-- 1 root root 0 Jul 25 16:37 ddd
drwxrwxr-x 7 1000 kl 4096 May 11 22:07 keepalived-1.2.7
-rw-r--r-- 1 root root 0 Jul 11 10:06 oldboy.log
drwxr-xr-x 3 root root 4096 Jul 5 20:58 server
drwxr-xr-x 4 root root 4096 May 11 22:07tools
[root@oldboy ~]#sftp -oPort=22root@192.168.0.113
Connecting to 192.168.0.113...
root@192.168.0.113's password:
sftp> put /etc/hosts /tmp
Uploading /etc/hosts to /tmp/hosts
/etc/hosts 100% 108 0.1KB/s 00:00
sftp> quit
[root@NFS ~]# ll /tmp
total 12
-rw-r--r-- 1 root root 292 Jul 25 15:33 a.log
-rw-r--r-- 1 root root 108 Jul 25 16:42 hosts
[root@oldboy ~]#egrep -v "^#|^$"/etc/ssh/sshd_config
Protocol 2
SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIMELC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESSLC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
X11Forwarding yes
Subsystem sftp /usr/libexec/openssh/sftp-server
八、SSH KEY功能生产实战应用
1.基于密钥对的安全认证(密钥认证也可以是不同用户)
基于密钥的安全认证也有windows客户端和linux客户端的区别。
2.ssh的企业生产应用场景
a.批量分发文件或数据实战
1)添加系统账号,并修改密码
[root@A ~]# useradd oldboy #添加oldboy用户
[root@A ~]# id oldboy #查看oldboy用户是否添加成功
uid=501(oldboy) gid=501(oldboy)groups=501(oldboy)
[root@A ~]# echo 123456|passwd --stdinoldboy #非交互式修改密码
Changing password for user oldboy.
passwd: all authentication tokens updatedsuccessfully.
2)创建密钥对
[root@A ~]# su - oldboy
welcome to oldboy linux training from/etc/profile.d
[oldboy@A ~]$ whoami
oldboy
[oldboy@A ~]$ ssh-key
ssh-keygen ssh-keyscan
[oldboy@A ~]$ file ssh-keygen
ssh-keygen: cannot open `ssh-keygen' (Nosuch file or directory)
[oldboy@A ~]$ man ssh-keygen
SSH-KEYGEN(1) BSD General Commands Manual SSH-KEYGEN(1)
NAME
ssh-keygen - authentication key generation, management and
conversion
SYNOPSIS
ssh-keygen [-q] [-b bits] -t type [-N new_passphrase]
[-C comment] [-foutput_keyfile]
ssh-keygen -p [-P old_passphrase] [-N new_passphrase]
[-f keyfile]
ssh-keygen -i [-f input_keyfile]
ssh-keygen -e [-f input_keyfile]
ssh-keygen -y [-f input_keyfile]
ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]
ssh-keygen -l [-f input_keyfile]
ssh-keygen -B [-f input_keyfile]
ssh-keygen -D pkcs11
ssh-keygen -F hostname [-f known_hosts_file] [-l]
ssh-keygen -H [-f known_hosts_file]
ssh-keygen -R hostname [-f known_hosts_file]
ssh-keygen -r hostname [-f input_keyfile] [-g]
ssh-keygen -G output_file [-v] [-b bits] [-M memory]
[-S start_point]
ssh-keygen -T output_file -f input_file [-v]
ssh-keygen-t dsa #-t 参数指建立密钥的类型,这里指建立的dsa类型
ssh-keygen-t rsa #建立rsa类型的密钥,其中默认情况下是rsa,什么都不接是rsa
rsa和dsa的区别:
rsa是一种加密算法
dsa就是数字签名算法的英文全称的简写,即Digital Signature Algorithm
rsa既可以进行加密,也可以进行数字签名实现认证,而dsa只能用于数字签名从而实现认证。
[oldboy@A ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key(/home/oldboy/.ssh/id_dsa):
Created directory '/home/oldboy/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again: #此处回车
Your identification has been saved in/home/oldboy/.ssh/id_dsa.
Your public key has been saved in/home/oldboy/.ssh/id_dsa.pub.
The key fingerprint is: #此处回车
0e:99:ef:7f:2d:5c:36:88:79:09:7a:89:e0:d1:f7:fcoldboy@A
The key's randomart image is: #此处回车
+--[ DSA 1024]----+
| |
| |
| . |
| oo. o |
| .+oS+ B o |
| .+o = * + |
| o. o = . |
| . + E |
| .... . |
+-----------------+
[oldboy@A ~]$ ll ~/ -al
total 24
drwx------ 3 oldboy oldboy 4096 Jul 25 22:24 .
drwxr-xr-x. 3 root root 4096 Jul 25 21:58 ..
-rw-r--r-- 1 oldboy oldboy 18 Oct 16 2014 .bash_logout
-rw-r--r-- 1 oldboy oldboy 176 Oct 16 2014 .bash_profile
-rw-r--r-- 1 oldboy oldboy 124 Oct 16 2014 .bashrc
drwx------ 2 oldboy oldboy 4096 Jul 25 22:25 .ssh
[oldboy@A ~]$ ll ~/.ssh
total 8
-rw------- 1 oldboy oldboy 672 Jul 25 22:25id_dsa #私钥,权限为600,保留本地,私钥为钥匙
-rw-r--r-- 1 oldboy oldboy 598 Jul 25 22:25id_dsa.pub #公钥,权限为644, 分发给B和C主机,公钥为锁
[oldboy@A ~]$ ls -ld .ssh/
drwx------ 2 oldboy oldboy 4096 Jul 2522:25 .ssh/
3)查看B和C主机的ssh端口:
[root@B ~]# netstat -tunlp|grep ssh
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 915/sshd
tcp 0 0 :::22 :::* LISTEN 915/sshd
[root@B ~]# su - oldboy
welcome to oldboy linux training from/etc/profile.d
[oldboy@B ~]$
[root@C ~]# netstat -tunlp|grep ssh
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 968/sshd
tcp 0 0 :::22 :::* LISTEN 968/sshd
[root@C ~]# su - oldboy
welcome to oldboy linux training from/etc/profile.d
[oldboy@C ~]$
4)推送公钥到B和C主机上分别
[oldboy@A ~]$ ssh
ssh ssh-agent sshd ssh-keyscan
ssh-add ssh-copy-id ssh-keygen
[oldboy@A ~]$ man ssh-copy-id
SSH-COPY-ID(1) SSH-COPY-ID(1)
NAME
ssh-copy-id - install your public key in a remote
machine’s authorized_keys
SYNOPSIS
ssh-copy-id [-i [identity_file]] [user@]machine
DESCRIPTION
ssh-copy-id is a script that uses ssh to log into a
remote machine (presumably using a login password, so
password authentication should be enabled, unless you’ve
done some clever use of multiple identities) It also
changes the permissions of the remote user’s home,
~/.ssh, and ~/.ssh/authorized_keys to remove group
writability (which would otherwise prevent you from log-
ging in, if theremote sshd has StrictModes set in its
configuration). If the -i optionis given then the iden-
tity file (defaults to ~/.ssh/id_rsa.pub) is used,
regardless of whether there are any keys in your ssh-
agent. Otherwise, if this: ssh-add -L provides any
output, it uses that in preference to the identity file.
[oldboy@A ~]$ ssh-copy-id -i .ssh/id_dsa
id_dsa id_dsa.pub
[oldboy@A ~]$ ssh-copy-id -i.ssh/id_dsa.pub "-p 22 oldboy@192.168.0.111" #推送公钥到C主机方法一
The authenticity of host '192.168.0.111(192.168.0.111)' can't be established.
RSA key fingerprint is85:83:52:21:20:dd:4a:7c:3c:df:ec:5a:de:a0:b4:82.
Are you sure you want to continueconnecting (yes/no)? yes
Warning: Permanently added '192.168.0.111'(RSA) to the list of known hosts.
oldboy@192.168.0.111's password:
Now try logging into the machine, with"ssh '-p 22 oldboy@192.168.0.111'", and check in:
.ssh/authorized_keys #出现这个表示推送公钥成功
to make sure we haven't added extra keysthat you weren't expecting.
[oldboy@A ~]$
[oldboy@A ~]$ which ssh-copy-id #推送公钥方法二
/usr/bin/ssh-copy-id
[oldboy@A ~]$ logout
[root@A ~]# vi /usr/bin/ssh-copy-id
#!/bin/sh
# Shell script to install your public keyon a remote machine
# Takes the remote machine name as anargument.
# Obviously, the remote machine must acceptpassword authentication,
# or one of the other keys in yourssh-agent, for this to work.
ID_FILE="${HOME}/.ssh/id_rsa.pub"
if [ "-i" = "$1" ];then
shift
if[ -n "$2" ]; then
if expr "$1" : ".*\.pub" > /dev/null ; then
ID_FILE="$1"
else
else
if[ x$SSH_AUTH_SOCK != x ] ; then
GET_ID="$GET_ID ssh-add -L"
fi
fi
if [ -z "`eval $GET_ID`" ]&& [ -r "${ID_FILE}" ] ; then
30
31 if [ -z "`eval $GET_ID`" ]; then
32 echo "$0: ERROR: Noidentities found" >&2
33 exit 1
34 fi
35
36 if [ "$#" -lt 1 ] || [ "$1" = "-h" ] ||[ "$1" = "--help" ]; the
n
37 echo "Usage: $0 [-i[identity_file]] [user@]machine" >&2
38 exit 1
39 fi
40
41 { eval "$GET_ID" ; } | ssh -p22 $1 "umask 077; test -d~/.ssh ||
mkdir ~/.ssh ; cat >> ~/.ssh/authorized_keys && (test -x/sbin/
restorecon && /sbin/restorecon ~/.ssh ~/.ssh/authorized_keys>/d
ev/null 2>&1 || true)" || exit 1 #在41行中的开头ssh后面和$1前面加入自定义的ssh端口
42
43 cat <<EOF
44 Now try logging into the machine, with "ssh '$1'", andcheck in:
45
46 .ssh/authorized_keys
47
48 to make sure we haven't added extra keys that you weren't expect
ing.
49
"/usr/bin/ssh-copy-id" 50L, 1394Cwritten
[root@A ~]# su - oldboy
welcome to oldboy linux training from/etc/profile.d
[oldboy@A ~]$ ssh-copy-id -i .ssh/id_dsa.pub oldboy@192.168.0.112 #推送公钥到B主机
The authenticity of host '192.168.0.112(192.168.0.112)' can't be established.
RSA key fingerprint is85:83:52:21:20:dd:4a:7c:3c:df:ec:5a:de:a0:b4:82.
Are you sure you want to continue connecting(yes/no)? yes
Warning: Permanently added '192.168.0.112'(RSA) to the list of known hosts.
oldboy@192.168.0.112's password:
Now try logging into the machine, with"ssh 'oldboy@192.168.0.112'", and check in:
.ssh/authorized_keys #出现这个表示推送公钥成功
to make sure we haven't added extra keysthat you weren't expecting.
[oldboy@B ~]$ whoami
oldboy
[oldboy@B ~]$ ll .ssh/
total 4
-rw------- 1 oldboy oldboy 598 Jul 25 22:59authorized_keys
[oldboy@B ~]$
[oldboy@C ~]$ ll .ssh/
total 4
-rw------- 1 oldboy oldboy 598 Jul 25 22:47authorized_keys
[oldboy@C ~]$
[oldboy@A ~]$ ssh -p22 oldboy@192.168.0.111
welcome to oldboy linux training from/etc/profile.d
[oldboy@C ~]$ ifconfig eth0
eth0 Link encap:Ethernet HWaddr00:0C:29:C4:5E:59
inet addr:192.168.0.111 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fec4:5e59/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:34573 errors:0 dropped:0 overruns:0 frame:0
TX packets:37880 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:9934738 (9.4 MiB) TXbytes:21723657 (20.7 MiB)
[oldboy@C ~]$
[oldboy@C ~]$ logout
Connection to 192.168.0.111 closed.
[oldboy@A ~]$ ssh -p22 oldboy@192.168.0.112
welcome to oldboy linux training from/etc/profile.d
[oldboy@B ~]$ ifconfig eth0
eth0 Link encap:Ethernet HWaddr00:0C:29:26:9E:2B
inet addr:192.168.0.112 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe26:9e2b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:46444 errors:0 dropped:0 overruns:0 frame:0
TX packets:45611 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:26468622 (25.2 MiB) TXbytes:32723825 (31.2 MiB)
[oldboy@B ~]$
[oldboy@B ~]$ logout
Connection to 192.168.0.112 closed.
[oldboy@A ~]$ ssh -p22 oldboy@192.168.0.112/sbin/ifconfig eth0
eth0 Link encap:Ethernet HWaddr00:0C:29:26:9E:2B
inet addr:192.168.0.112 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe26:9e2b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:47192 errors:0 dropped:0 overruns:0 frame:0
TX packets:46131 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:27062027 (25.8 MiB) TXbytes:32975656 (31.4 MiB)
[oldboy@A ~]$
[oldboy@A ~]$ ssh -p22 oldboy@192.168.0.111/sbin/ifconfig eth0
eth0 Link encap:Ethernet HWaddr00:0C:29:C4:5E:59
inet addr:192.168.0.111 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fec4:5e59/64 Scope:Link
UP BROADCAST RUNNINGMULTICAST MTU:1500 Metric:1
RX packets:34789 errors:0 dropped:0 overruns:0 frame:0
TX packets:38039 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:9957285 (9.4 MiB) TXbytes:21738962 (20.7 MiB)
注意:ssh-copy-id的特殊应用
如果SSH修改成了特殊端口,如52113,那么,用上面的ssh-copy-id命令就无法进行分发公钥匙了。如果仍要使用ssh-copy-id的话,那么可能的解决方法有两个:
1.命令为: ssh-copy-id -i .ssh/id_dsa.pub "-p 52113 oldboy@192.168.0.111"#特殊端口分发,要适当加引号
2.编辑vi /usr/bin/ssh-copy-id 在第41行做如下修改,见加粗部分
41 { eval "$GET_ID" ; } | ssh-p22 $1 "umask 077; test -d ~/.ssh ||
mkdir ~/.ssh ; cat >>~/.ssh/authorized_keys && (test -x /sbin/
restorecon && /sbin/restorecon~/.ssh ~/.ssh/authorized_keys >/d
ev/null 2>&1 || true)" ||exit 1 #在41行中的开头ssh后面和$1前面加入自定义的ssh端口
在中心分发服务器A机器上执行了ssh-copy-id脚本成功后,从B 192.168.0.112和C192.168.0.111上可以看到从A端拷贝过来的公钥(锁文件)如下:
[oldboy@B ~]$ ll .ssh/
total 4
-rw------- 1 oldboy oldboy 598 Jul 25 22:59authorized_keys
[oldboy@C ~]$ ll .ssh/
total 4
-rw------- 1 oldboy oldboy 598 Jul 25 22:47authorized_keys
3.ssh-copy-id的原理(ssh-copy-id -i .ssh/id_dsa.pub "-p 52113oldboy@192.168.0.111")
就是把.ssh/id_dsa.pub复制到192.168.0.111下面的.ssh目录(提前创建,权限为700)下,并做了更改名字的操作,名字改为authorized_keys,权限变为600.
[oldboy@C ~]$ ll -d .ssh/
drwx------ 2 oldboy oldboy 4096 Jul 2522:47 .ssh/
[oldboy@C ~]$ ll .ssh/
total 4
-rw------- 1 oldboy oldboy 598 Jul 25 22:47authorized_keys
九、测试批量分发文件到所有的服务器
[oldboy@A ~]$ whoami
oldboy
[oldboy@A ~]$ echo 123 >a.txt
[oldboy@A ~]$ ll
total 4
-rw-rw-r-- 1 oldboy oldboy 4 Jul 26 00:00a.txt
[oldboy@A ~]$ cat a.txt
123
[oldboy@A ~]$ scp -P22 a.txtoldboy@192.168.0.111:~
a.txt 100% 4 0.0KB/s 00:00
[oldboy@A ~]$ scp -P22 a.txtoldboy@192.168.0.112:~
a.txt 100% 4 0.0KB/s 00:00
[oldboy@A ~]$ history|grep scp
35 scp -P22 a.txtoldboy@192.168.0.111:~
36 scp -P22 a.txtoldboy@192.168.0.112:~
37 history|grep scp
[oldboy@A ~]$ vi fenfa.sh
#piliangfenfajiaoben,2015-07-26,linuxzkq
scp -P22 a.txt oldboy@192.168.0.111:~
scp -P22 a.txt oldboy@192.168.0.112:~
~
"fenfa.sh" [New] 3L, 117Cwritten
[oldboy@A ~]$ ll
total 8
-rw-rw-r-- 1 oldboy oldboy 4 Jul 26 00:00 a.txt
-rw-rw-r-- 1 oldboy oldboy 117 Jul 26 00:06fenfa.sh
[oldboy@A ~]$ sh fenfa.sh
a.txt 100% 4 0.0KB/s 00:00
a.txt 100% 4 0.0KB/s 00:00
[oldboy@A ~]$ sh fenfa.sh
a.txt 100% 4 0.0KB/s 00:00
a.txt 100% 4 0.0KB/s 00:00
[oldboy@A ~]$ ll
total 8
-rw-rw-r-- 1 oldboy oldboy 4 Jul 26 00:00 a.txt
-rw-rw-r-- 1 oldboy oldboy 117 Jul 26 00:06fenfa.sh
[oldboy@A ~]$ vi fenfa.sh
#piliangfenfajiaoben,2015-07-26,linuxzkq
for n in 111 112
do
scp -P22 $1 oldboy@192.168.0.$n:~
done
~
"fenfa.sh" 5L, 108C written
[oldboy@A ~]$ cat fenfa.sh
#piliangfenfajiaoben,2015-07-26,linuxzkq
for n in 111 112
do
scp -P22 $1 oldboy@192.168.0.$n:~
done
[oldboy@A ~]$ ll
total 8
-rw-rw-r-- 1 oldboy oldboy 4 Jul 26 00:00 a.txt
-rw-rw-r-- 1 oldboy oldboy 108 Jul 26 00:16fenfa.sh
[oldboy@A ~]$ sh fenfa.sh /etc/hosts
hosts 100% 106 0.1KB/s 00:00
hosts 100% 106 0.1KB/s 00:00
[oldboy@B ~]$ ll
total 8
-rw-rw-r-- 1 oldboy oldboy 4 Jul 26 00:11 a.txt
-rw-r--r-- 1 oldboy oldboy 106 Jul 26 00:20hosts
[oldboy@C ~]$ ll
total 8
-rw-rw-r-- 1 oldboy oldboy 4 Jul 26 00:11 a.txt
-rw-r--r-- 1 oldboy oldboy 106 Jul 26 00:20hosts
[oldboy@A ~]$ vi fenfa.sh
#piliangfenfajiaoben,2015-07-26,linuxzkq
for n in 111 112
do
scp -P22 -rp $1 oldboy@192.168.0.$n:~ #-rp -r选项的作用是可以分发目录,-p选项的作用是保持目录或文件的属性分发
done
~
~
[oldboy@A ~]$ sh fenfa.sh /etc/
mail.rc 100% 1909 1.9KB/s 00:00
exports 100% 81 0.1KB/s 00:00
libuser.conf 100% 2293 2.2KB/s 00:00
alsactl.conf 100% 203 0.2KB/s 00:00
mailx.conf 100% 331 0.3KB/s 00:00
rhtsupport.conf 100% 417 0.4KB/s 00:00
report_event.conf 100% 2134 2.1KB/s 00:00
report_Logger.conf 100% 49 0.1KB/s 00:00
report_Tarball.xml 100% 5085 5.0KB/s 00:00
report_Mailx.xml 100% 20KB 20.0KB/s 00:00
report_Kerneloops.xml 100% 7792 7.6KB/s 00:00
[oldboy@B ~]$ ll
total 12
-rw-rw-r-- 1 oldboy oldboy 4 Jul 26 00:11a.txt
drwxr-xr-x 85 oldboy oldboy 4096 Jul 2522:00 etc
-rw-r--r-- 1 oldboy oldboy 106 Jul 26 00:20hosts
[oldboy@C ~]$ ll
total 12
-rw-rw-r-- 1 oldboy oldboy 4 Jul 26 00:11a.txt
drwxr-xr-x 85 oldboy oldboy 4096 Jul 2522:00 etc
-rw-r--r-- 1 oldboy oldboy 106 Jul 26 00:20hosts
免密码登陆小结:
1)免密码登陆验证是单向的
2)基于用户的,最好不要跨不同的用户
3)ssh连接慢的问题
4)批量分发1000台初始都需要输入一次密码,并且第一次连接要确认(expect)
十、SSH批量管理
[oldboy@A ~]$ cp fenfa.sh guanli.sh
[oldboy@A ~]$ ll
total 12
-rw-rw-r-- 1 oldboy oldboy 4 Jul 26 00:00 a.txt
-rw-rw-r-- 1 oldboy oldboy 112 Jul 26 00:28fenfa.sh
-rw-rw-r-- 1 oldboy oldboy 112 Jul 26 20:44guanli.sh
[oldboy@A ~]$ ssh -p22 oldboy@192.168.0.111/sbin/ifconfig|grep 192.168.0.
inet addr:192.168.0.111 Bcast:192.168.0.255 Mask:255.255.255.0
[oldboy@A ~]$ ssh -p22 oldboy@192.168.0.112/sbin/ifconfig|grep 192.168.0.
inet addr:192.168.0.112 Bcast:192.168.0.255 Mask:255.255.255.0
[oldboy@A ~]$ vi guanli.sh
#!/bin/sh
#piliangfenfajiaoben,2015-07-26,linuxzkq
for n in 111 112
do
ssh -p22 oldboy@192.168.0.$n /sbin/ifconfig|grep 192.168.0.
done
~
~
~
"guanli.sh" 8L, 147C written
[oldboy@A ~]$ cat guanli.sh
#!/bin/sh
#piliangfenfajiaoben,2015-07-26,linuxzkq
for n in 111 112
do
ssh -p22 oldboy@192.168.0.$n /sbin/ifconfig|grep 192.168.0.
done
[oldboy@A ~]$ sh guanli.sh
inet addr:192.168.0.111 Bcast:192.168.0.255 Mask:255.255.255.0
inet addr:192.168.0.112 Bcast:192.168.0.255 Mask:255.255.255.0
[oldboy@A ~]$ vi guanli.sh
#!/bin/sh
#piliangfenfajiaoben,2015-07-26,linuxzkq
for n in 111 112
do
ssh -p22 oldboy@192.168.0.$n $1
done
~
~
"guanli.sh" 8L, 119C written
[oldboy@A ~]$ sh guanli.sh
Last login: Sat Jul 25 23:16:51 2015 from192.168.0.114
welcome to oldboy linux training from/etc/profile.d
[oldboy@C ~]$
[oldboy@C ~]$ logout
Connection to 192.168.0.111 closed.
Last login: Sat Jul 25 23:19:04 2015 from192.168.0.114
welcome to oldboy linux training from/etc/profile.d
[oldboy@B ~]$ logout
Connection to 192.168.0.112 closed.
[oldboy@A ~]$ sh guanli.sh
Last login: Sun Jul 26 20:55:21 2015 from192.168.0.114
welcome to oldboy linux training from/etc/profile.d
[oldboy@C ~]$ logout
Connection to 192.168.0.111 closed.
Last login: Sun Jul 26 20:58:07 2015 from192.168.0.114
welcome to oldboy linux training from/etc/profile.d
[oldboy@B ~]$ logout
Connection to 192.168.0.112 closed.
[oldboy@A ~]$ sh guanli.sh /sbin/ifconfigeth0|grep 192.168.0.
inet addr:192.168.0.111 Bcast:192.168.0.255 Mask:255.255.255.0
inet addr:192.168.0.112 Bcast:192.168.0.255 Mask:255.255.255.0
[oldboy@A ~]$ sh guanli.sh"/sbin/ifconfig eth0|grep 192.168.0."
inet addr:192.168.0.111 Bcast:192.168.0.255 Mask:255.255.255.0
inet addr:192.168.0.112 Bcast:192.168.0.255 Mask:255.255.255.0
[oldboy@A ~]$ sh guanli.sh"/usr/bin/free -m"
total used free shared buffers cached
Mem: 988 929 58 0 2 10
-/+ buffers/cache: 916 71
Swap: 2047 504 1543
total used free shared buffers cached
Mem: 988 738 249 0 24 198
-/+ buffers/cache: 515 472
Swap: 2047 0 2047
[oldboy@A ~]$ sh guanli.sh"/sbin/ifconfig eth0"|sed -rn 's#^.*dr:(.*) \ Bc.*$#\1#gp'
192.168.0.111
192.168.0.112
十一、SSH服务实现sudo提权拷贝文件方案及实战
1.sudo提权给cp命令
[oldboy@A ~]$ cp /etc/hosts hosts
[oldboy@A ~]$ ll
total 24
-rw-r--r-- 1 oldboy oldboy 4 Jul 26 00:00 a.txt
-rw-r--r-- 1 oldboy oldboy 112 Jul 26 22:10fenfa1.sh
-rw-r--r-- 1 oldboy oldboy 112 Jul 26 00:28fenfa.sh
-rw-r--r-- 1 oldboy oldboy 119 Jul 26 20:55guanli.sh
-rw-r--r-- 1 oldboy oldboy 106 Jul 26 22:23hosts
[oldboy@A~]$ vi hosts
127.0.0.1 mysql localhost4 localhost4.localdomain4
::1 mysql localhost6 localhost6.localdomain6
192.168.0.114 A
192.168.0.112 B
192.168.0.111 C
~
"hosts" 5L, 154C written
[oldboy@A ~]$ cat fenfa.sh
#piliangfenfajiaoben,2015-07-26,linuxzkq
for n in 111 112
do
scp -P22 -rp $1 oldboy@192.168.0.$n:~
done
[oldboy@A ~]$ sh fenfa.sh hosts
hosts 100% 154 0.2KB/s 00:00
hosts 100% 154 0.2KB/s 00:00
[oldboy@B ~]$ ll
total 12
-rw-r--r-- 1 oldboy oldboy 4 Jul 26 00:11a.txt
drw-r--r-- 85 oldboy oldboy 4096 Jul 2522:00 etc
-rw-r--r-- 1 oldboy oldboy 154 Jul 26 22:24hosts
[oldboy@C ~]$ ll
total 12
-rw-r--r-- 1 oldboy oldboy 4 Jul 26 00:11a.txt
drw-r--r-- 85 oldboy oldboy 4096 Jul 2522:00 etc
-rw-r--r-- 1 oldboy oldboy 154 Jul 26 22:24hosts
[oldboy@A ~]$ vi fenfa.sh
#piliangfenfajiaoben,2015-07-26,linuxzkq
for n in 111 112
do
scp -P22 -rp $1 oldboy@192.168.0.$n:$2
done
~
~
"fenfa.sh" 5L, 113C written
[oldboy@A ~]$ sh fenfa.sh hosts /etc
scp: /etc/hosts: Permission denied
scp: /etc/hosts: Permission denied
[oldboy@A ~]$ sh -x fenfa.sh hosts/etc #查看.sh脚本执行过程
+ for n in 111 112
+ scp -P22 -rp hostsoldboy@192.168.0.111:/etc
scp: /etc/hosts: Permission denied
+ for n in 111 112
+ scp -P22 -rp hostsoldboy@192.168.0.112:/etc
scp: /etc/hosts: Permission denied
[oldboy@A ~]$ logout
[root@A ~]# visudo
## Sudoers allows particular users to runvarious commands as
## the root user, without needing the rootpassword.
##
## Examples are provided at the bottom ofthe file for collections
## of related commands, which can then bedelegated out to particular
## users or groups.
##
## This file must be edited with the'visudo' command.
## Host Aliases
## Groups of machines. You may prefer touse hostnames (perhaps using
## wildcards for entire domains) or IPaddresses instead.
# Host_Alias FILESERVERS = fs1, fs2
# Host_Alias MAILSERVERS = smtp, smtp2
## User Aliases
## These aren't often necessary, as you canuse regular groups
"/etc/sudoers.tmp" 118L, 4002C
## systems).
## Syntax:
##
## user MACHINE=COMMANDS
##
## The COMMANDS section may have otheroptions added to it.
##
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
oldboy ALL=(ALL) NOPASSWD:/bin/cp #在98行后加入这一行内容,给予oldboy用户执行/bin/cp命令的权限,sudo提权
## Allows members of the 'sys' group to runnetworking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE,SERVICES, STORAGE, DELEGATING, PROCESSE
S, LOCATE, DRIVERS
## Allows people in group wheel to run allcommands
"/etc/sudoers.tmp" 119L, 4043Cwritten
[root@A ~]# su - oldboy
welcome to oldboy linux training from/etc/profile.d
[oldboy@A ~]$
[oldboy@A ~]$ sudo -l
Matching Defaults entries for oldboy onthis host:
requiretty, !visiblepw, always_set_home, env_reset,env_keep="COLORS
DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",env_keep+="MAIL
PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENTLC_MESSAGES",
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPERLC_TELEPHONE",
env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSETXAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User oldboy may run the following commandson this host:
(ALL) NOPASSWD:/bin/cp
注意:出现以上信息,说明sudo配置正确!
[oldboy@A ~]$ cp hosts /etc/
cp: cannot create regular file`/etc/hosts': Permission denied
[oldboy@A ~]$ sudo cp hosts /etc/
[oldboy@A ~]$ cat /etc/hosts
127.0.0.1 mysql localhost4 localhost4.localdomain4
::1 mysql localhost6 localhost6.localdomain6
192.168.0.114 A
192.168.0.112 B
192.168.0.111 C
[oldboy@B ~]$ logout
[root@B ~]# echo "oldboy ALL=(ALL) NOPASSWD:/bin/cp">>/etc/sudoers
[oldboy@C ~]$ logout
[root@C ~]# echo "oldboy ALL=(ALL) NOPASSWD:/bin/cp">>/etc/sudoers
[root@B ~]# visudo -c #检查sudoers配置文件语法是否正确
/etc/sudoers: parsed OK
[root@C ~]# visudo -c
/etc/sudoers: parsed OK
[root@B ~]# su - oldboy
welcome to oldboy linux training from/etc/profile.d
[oldboy@B ~]$
[root@C ~]# su - oldboy
welcome to oldboy linux training from/etc/profile.d
[oldboy@C ~]$
[oldboy@C ~]$ logout
2.远程sudo执行方法
[root@C ~]# visudo
找到如下内容:
# Disable "ssh hostname sudo<cmd>", because it will show the password in
clear.
# You have to run "ssh -t hostname sudo <cmd>". #远程执行sudo方法一
#
Defaults requiretty #远程执行sudo方法二,直接注释掉此行内容
[oldboy@A ~]$ ssh -p22 oldboy@192.168.0.111 sudo /bin/cp -f~/hosts /etc/hosts
sudo: sorry, you must have a tty to runsudo
[oldboy@A ~]$ ssh -p22 -t oldboy@192.168.0.111 sudo /bin/cp-f ~/hosts /etc/hosts
Connection to 192.168.0.111 closed.
[oldboy@C ~]$ cat /etc/hosts
127.0.0.1 mysql localhost4 localhost4.localdomain4
::1 mysql localhost6 localhost6.localdomain6
192.168.0.114 A
192.168.0.112 B
192.168.0.111 C
[oldboy@A ~]$ vi fenfa.sh
#piliangfenfajiaoben,2015-07-26,linuxzkq
for n in 111 112
do
scp -rp $1 oldboy@192.168.0.$n:~&&\
ssh -t oldboy@192.168.0.$n sudo/bin/cp ~/$1 /etc/
done
[oldboy@B ~]$ cat /etc/hosts
127.0.0.1 mysql localhost4 localhost4.localdomain4
::1 mysql localhost6 localhost6.localdomain6
192.168.0.114 A
192.168.0.112 B
192.168.0.111 C
[oldboy@B ~]$ ll /etc/hosts
-rw-r--r-- 1 root root 154 Jul 27 00:07/etc/hosts
[oldboy@C ~]$ cat /etc/hosts
127.0.0.1 mysql localhost4 localhost4.localdomain4
::1 mysql localhost6 localhost6.localdomain6
192.168.0.114 A
192.168.0.112 B
192.168.0.111 C
[oldboy@C ~]$ ll /etc/hosts
-rw-r--r-- 1 root root 154 Jul 27 00:07/etc/hosts
十二、SSH服务实现suid提权批量分发文件方案及实战
[root@C ~]# which rsync
/usr/bin/rsync
[root@B ~]# chmod 4755 `which rsync` #方法一给rsync命令提权,赋予suid权限,注意:whichrsync两边为倒引号
[root@C ~]# chmod u+s `which rsync` #方法二给rsync命令提权,赋予suid权限,注意:whichrsync两边为倒引号
[root@A ~]# chmod u+s $(which rsync) #方法三给rsync命令提权,赋予suid权限
[root@NFS ~]# ll /usr/bin/rsync
-rwxr-xr-x 1 root root 414968 Apr 30 2014 /usr/bin/rsync
[root@NFS ~]# chmod u+s $(which rsync)
[root@NFS ~]# ll /usr/bin/rsync
-rwsr-xr-x 1 root root 414968 Apr 30 2014 /usr/bin/rsync
[root@NFS ~]# chmod u-s $(which rsync)
[root@NFS ~]# ll /usr/bin/rsync
-rwxr-xr-x 1 root root 414968 Apr 30 2014 /usr/bin/rsync
[oldboy@A ~]$ cp fenfa.sh fenfa2.sh
[oldboy@A ~]$ vi fenfa2.sh
#piliangfenfajiaoben,2015-07-26,linuxzkq
for n in 111 112
do
scp -rp $1 oldboy@192.168.0.$n:~&&\
ssh oldboy@192.168.0.$n/usr/bin/rsync ~/$1 /etc/
done
~
~
~
"fenfa2.sh" 6L, 169C written
[oldboy@A ~]$ ll
total 28
-rw-r--r-- 1 oldboy oldboy 4 Jul 26 00:00 a.txt
-rw-r--r-- 1 oldboy oldboy 112 Jul 26 22:10fenfa1.sh
-rw-r--r-- 1 oldboy oldboy 169 Jul 27 21:27fenfa2.sh
-rw-r--r-- 1 oldboy oldboy 170 Jul 27 00:02fenfa.sh
-rw-r--r-- 1 oldboy oldboy 119 Jul 26 20:55guanli.sh
-rw-rw-r-- 1 oldboy oldboy 620 Jul 26 22:01ssh_key.tar.gz
[oldboy@A ~]$ cat /tmp/hosts
127.0.0.1 mysql localhost4 localhost4.localdomain4
::1 mysql localhost6 localhost6.localdomain6
192.168.0.114 A
192.168.0.112 B
192.168.0.111 C
##oldboy
[oldboy@A ~]$ cp -rf /tmp/hosts hosts
[oldboy@A ~]$ ll
total 28
-rw-r--r-- 1 oldboy oldboy 4 Jul 26 00:00 a.txt
-rw-r--r-- 1 oldboy oldboy 112 Jul 26 22:10fenfa1.sh
-rw-r--r-- 1 oldboy oldboy 169 Jul 27 21:27fenfa2.sh
-rw-r--r-- 1 oldboy oldboy 170 Jul 27 00:02fenfa.sh
-rw-r--r-- 1 oldboy oldboy 119 Jul 26 20:55guanli.sh
-rw-r--r-- 1 oldboy oldboy 163 Jul 27 21:31hosts
-rw-rw-r-- 1 oldboy oldboy 620 Jul 26 22:01ssh_key.tar.gz
[oldboy@A ~]$ cat hosts
127.0.0.1 mysql localhost4 localhost4.localdomain4
::1 mysql localhost6 localhost6.localdomain6
192.168.0.114 A
192.168.0.112 B
192.168.0.111 C
##oldboy
[oldboy@A ~]$ sh fenfa2.sh hosts
hosts 100% 163 0.2KB/s 00:00
hosts 100% 163 0.2KB/s 00:00
[oldboy@C ~]$ cat /etc/hosts
127.0.0.1 mysql localhost4 localhost4.localdomain4
::1 mysql localhost6 localhost6.localdomain6
192.168.0.114 A
192.168.0.112 B
192.168.0.111 C
##oldboy
[oldboy@B ~]$ cat /etc/hosts
127.0.0.1 mysql localhost4 localhost4.localdomain4
::1 mysql localhost6 localhost6.localdomain6
192.168.0.114 A
192.168.0.112 B
192.168.0.111 C
##oldboy
十三、ssh批量分发与管理方案小结:
1.利用root做ssh_key验证
优点:简单,易用
缺点:安全差,同时无法禁止root远程连接
2.利用普通用户如oldboy来做,思路是先把分发的文件拷贝到服务器用户家目录,然后sudo提权,拷贝到服务器的对应权限目录
优点:安全
缺点:配置复杂
3.拓展:同方案2,只是不用sudo,而是设置suid对固定命令提权
优点:相对安全
缺点:复杂,安全性较差,任何人都可以处理带有suid权限的命令
建议:
a.追求简单,选1
b.追求安全,选2
十四、SSH分发中心服务器的安全优化及安全思想
1.一定要取消中心分发服务器的外网IP
2.开启防火墙,禁止SSH对外用户登陆,并且仅给某一台后端无外网机器访问。
企业级生产场景批量管理,自动化管理方案:
1.最简单,最常用的就是ssh_key,功能是最强大的。一般中小型企业会用,50-100台以下。
2.sina cfengine较早的批量管理工具,现在基本没有企业用
3.门户级别比较流行的,puppet批量管理工具,复杂,笨重
4.saltstack批量管理工具,特点:简单,功能强大(配置就要复杂)
5.http+wget+cron
