SSHD服务搭建

SSH协议：安全外壳协议。为Secure Shell 缩写。SSH为建立在应用层和传输层基础上的安全协议。

 

1、检查SSH服务端安装情况

1. [root@rhel6_84 ~]# rpm -qpi /mnt/Packages/openssh-server-5.3p1-94.el6.x86_64.rpm #rpm -qpi packetname 查看安装包的内容

2. [root@rhel-6~]# rpm -qa |grep openssh #检查ssh安装情况。如果没有使用rpm安装一遍。
3. openssh-5.3p1-94.el6.x86_64
4. openssh-clients-5.3p1-94.el6.x86_64
5. openssh-askpass-5.3p1-94.el6.x86_64
6. openssh-server-5.3p1-94.el6.x86_64

 

2、启动SSHD服务

1. [root@rhel-6 ~]# service sshd start
   
2. [root@rhel-6 ~]# /etc/init.d/sshd start #绝对路径方式启动
   
3. [root@rhel-6 ~]# chkconfig sshd on #设置sshd服务开机自启 on自启 off关闭自启 [root@rhel-6 ~]# chkconfig --list sshd #检查开机自启情况 sshd 0:关闭 1:关闭 2:启用 3:启用 4:启用 5:启用 6:关闭

 

3、客户端保存的密钥

1. [root@rhel-6~]# cat .ssh/known_hosts #查看本机保存的服务端的密钥。
2. 192.168.3.81 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCzit8dq4s0xZCk1Gme5GJfYaWZzYHW37KHMfpaU7Fc2/npmJpHpufXGiYR+h9bAR6DBJvDzp5Mr/nmoaOxLb9WH4dsD9ZyLVTLzp3gaFpk9Fc7B8VRznIgveRYmIue146DoU3+Hjt7DWA19Cg4vxGZih/RekhmUgwEbKmxoC1KW6Qm6Aqd+F5oNIdign8KtFaIMzE4cNcL6YEb1wdYTk3fdUWhUip0Fir3sej9zjrGdCCA3HPxuPbsPE+3yaQ975yfelKRHI/DUpsKegQHK88RtfElLnDOVgle/yne8vsvDgnB1JYKZTGu8XuHG+vGwQAR+E2AelQcQDVFZ0+eJ+T

 

4、SSHD服务配置文件

1. [root@rhel6_84 ~]# cp /etc/ssh/sshd_config{,.back} #修改前备份此配置文件

2. [root@rhel6_84 ~]# ls /etc/ssh/ moduli ssh_config sshd_config sshd_config.back ssh_host_dsa_key

3. [root@rhel6_84 ~]# cat -n /etc/ssh/sshd_config
4. #Port 22 #端口，默认是22，最好修改为其它

5. [root@rhel6_84 ~]# netstat -anptu |grep ssh #修改好后，查看ssh服务是否正常监听新端口（222） tcp 0 0 127.0.0.1:6010 0.0.0.0:* LISTEN 2597/sshd tcp 0 0 0.0.0.0:222 0.0.0.0:* LISTEN 2765/sshd tcp 0 52 192.168.3.84:22 192.168.3.130:57537 ESTABLISHED 2597/sshd tcp 0 0 ::1:6010 :::* LISTEN 2597/sshd tcp 0 0 :::222 :::* LISTEN 2765/sshd


 

5、新端口ssh连接

1. [root@rhel6_80 ~]# ssh -p 222 root@192.168.3.84 #加上-p参数 指定222端口 连接新服务器

 

6、SSHD配置文件详解

1. # $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
3. # This is the sshd server system-wide configuration file. See
4. # sshd_config(5) for more information.
6. # This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin #ssh所执行的bash目录
8. # The strategy used for options in the default sshd_config shipped with
9. # OpenSSH is to specify options with their default value where
10. # possible, but leave them commented. Uncommented options change a
11. # default value.
13. Port222 #ssh服务端口号
14. #AddressFamily any
15. #ListenAddress 0.0.0.0
16. #ListenAddress ::
18. # Disable legacy (protocol version 1) support in the server for new
19. # installations. In future the default will change to require explicit
20. # activation of protocol 1
21. Protocol2
23. # HostKey for protocol version 1
24. #HostKey /etc/ssh/ssh_host_key
25. # HostKeys for protocol version 2
26. #HostKey /etc/ssh/ssh_host_rsa_key
27. #HostKey /etc/ssh/ssh_host_dsa_key
29. # default value.
31. Port222
32. #AddressFamily any
33. #ListenAddress 0.0.0.0
34. #ListenAddress :: #指定只监听的IP地址，设置只允许此IP登陆
36. # Disable legacy (protocol version 1) support in the server for new
37. # installations. In future the default will change to require explicit
38. # activation of protocol 1
39. Protocol2
41. # HostKey for protocol version 1
42. #HostKey /etc/ssh/ssh_host_key
43. # HostKeys for protocol version 2
44. #HostKey /etc/ssh/ssh_host_rsa_key
45. #HostKey /etc/ssh/ssh_host_dsa_key
47. # Lifetime and size of ephemeral version 1 server key
48. #KeyRegenerationInterval 1h
49. #ServerKeyBits 1024 #定义密钥长度，默认长度1024
51. # Logging
52. # obsoletes QuietMode and FascistLogging
53. #SyslogFacility AUTH
54. SyslogFacility AUTHPRIV
55. #LogLevel INFO
57. # Authentication:
59. #LoginGraceTime 2m #连接断开前等待时间
60. #PermitRootLogin yes #禁止root用户登陆
61. #StrictModes yes
62. #MaxAuthTries 6
63. #MaxSessions 10
65. #RSAAuthentication yes
66. #PubkeyAuthentication yes
67. #AuthorizedKeysFile .ssh/authorized_keys
68. #AuthorizedKeysCommand none
69. #AuthorizedKeysCommandRunAs nobody
71. # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
72. #RhostsRSAAuthentication no
73. # similar for protocol version 2
74. #HostbasedAuthentication no
75. # Change to yes if you don't trust ~/.ssh/known_hosts for
76. # RhostsRSAAuthentication and HostbasedAuthentication
77. #IgnoreUserKnownHosts no
78. # Don't read the user's ~/.rhosts and ~/.shosts files
79. #IgnoreRhosts yes
81. # To disable tunneled clear text passwords, change to no here!
82. #PasswordAuthentication yes
83. #PermitEmptyPasswords no
84. PasswordAuthentication yes #是否允许使用账号和密码登陆，改为no将不允许使用账号和密码登陆，可使用私钥登陆。
86. # Change to no to disable s/key passwords
87. #ChallengeResponseAuthentication yes
88. ChallengeResponseAuthentication no
90. # Kerberos options
91. #KerberosAuthentication no
92. #KerberosOrLocalPasswd yes
93. #KerberosTicketCleanup yes
94. #KerberosGetAFSToken no
95. #KerberosUseKuserok yes
97. # GSSAPI options
98. #GSSAPIAuthentication no
99. GSSAPIAuthentication yes
100. #GSSAPICleanupCredentials yes
101. GSSAPICleanupCredentials yes
102. #GSSAPIStrictAcceptorCheck yes
103. #GSSAPIKeyExchange no
105. # Set this to 'yes' to enable PAM authentication, account processing,
106. # and session processing. If this is enabled, PAM authentication will
107. # be allowed through the ChallengeResponseAuthentication and
108. # PasswordAuthentication. Depending on your PAM configuration,
109. # PAM authentication via ChallengeResponseAuthentication may bypass
110. # the setting of "PermitRootLogin without-password".
111. # If you just want the PAM account and session checks to run without
112. # PAM authentication, then enable this but set PasswordAuthentication
113. # and ChallengeResponseAuthentication to 'no'.
114. #UsePAM no
115. UsePAM yes
117. # Accept locale-related environment variables
118. AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
119. AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
120. AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
121. AcceptEnv XMODIFIERS
123. #AllowAgentForwarding yes
124. #AllowTcpForwarding yes
125. #GatewayPorts no
126. #X11Forwarding no
127. X11Forwarding yes
128. #X11DisplayOffset 10
129. #X11UseLocalhost yes
130. #PrintMotd yes #是否打印 /etc/motd 连接时显示的信息
131. #PrintLastLog yes #是否显示上次登陆信息
132. #TCPKeepAlive yes
133. #UseLogin no
134. #UsePrivilegeSeparation yes #是否允许低权限用户产生新连接进程，no表示如何用户都是用root权限运行ssh
135. #PermitUserEnvironment no
136. #Compression delayed
137. #ClientAliveInterval 0
138. #ClientAliveCountMax 3
139. #ShowPatchLevel no
140. #UseDNS yes #是否启用DNS验证，外网需要启用
141. #PidFile /var/run/sshd.pid #存放服务进程ID
142. #MaxStartups 10:30:100
143. #PermitTunnel no
144. #ChrootDirectory none
146. # no default banner path
147. #Banner none
149. # override default of no subsystems
150. Subsystem sftp /usr/libexec/openssh/sftp-server
152. # Example of overriding settings on a per-user basis
153. #Match User anoncvs
154. # X11Forwarding no
155. # AllowTcpForwarding no
156. # ForceCommand cvs server

 

 

来自为知笔记(Wiz)