Linux Systems: SSH Remote Connections
- I. Introduction to the SSH protocol
- 1. Remote connection protocols
- 2. Basic sshd service operations
- 3. Common SSH operations
- II. SSH encryption
- 1. Types of encryption algorithm
- 2. Symmetric encryption algorithms
- 3. Asymmetric encryption algorithms
- III. Configuring passwordless SSH
- 1. SSH authentication methods
- 2. Configuring passwordless SSH
- 3. What does ssh-copy-id do?
- IV. sshd service configuration
I. Introduction to the SSH protocol
1. Remote connection protocols
SSH is an application-layer protocol.
Remote connection protocols:
1. SSH: typically used to connect to Linux servers and network devices [encrypted]
2. Telnet: typically used to connect to network devices on a LAN [plaintext]
3. RDP: typically used to connect to Windows servers
Ways to operate a server:
1. Locally
2. Over a remote connection
2. Basic sshd service operations
- Check the status of the sshd service
[root@martin-host ~]# systemctl status sshd
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: active (running) since 二 2024-10-22 09:04:39 CST; 38min ago
     Docs: man:sshd(8)
           man:sshd_config(5)
 Main PID: 1160 (sshd)
    Tasks: 1
   CGroup: /system.slice/sshd.service
           └─1160 /usr/sbin/sshd -D

10月 22 09:04:39 martin-host.linux.com systemd[1]: Starting OpenSSH server daemon...
10月 22 09:04:39 martin-host.linux.com sshd[1160]: Server listening on 0.0.0.0 port 22.
10月 22 09:04:39 martin-host.linux.com sshd[1160]: Server listening on :: port 22.
10月 22 09:04:39 martin-host.linux.com systemd[1]: Started OpenSSH server daemon.
[root@martin-host ~]#
[root@martin-host ~]# ps -elf | grep ssh
4 S root 1160 1 0 80 0 - 28225 poll_s 09:04 ? 00:00:00 /usr/sbin/sshd -D
// Check the port the ssh service is listening on
[root@martin-host ~]# netstat -tunlp | grep ssh
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1160/sshd
tcp6 0 0 :::22 :::* LISTEN 1160/sshd
- Check which package provides the sshd binary
[root@martin-host ~]# which sshd
/usr/sbin/sshd
[root@martin-host ~]# rpm -qf /usr/sbin/sshd
openssh-server-7.4p1-21.el7.x86_64
- Windows client software
Xshell, SecureCRT, Xterminal, XModerm, PuTTY
3. Common SSH operations
- Log in to a remote host
# ssh username@host
- Run a command on a remote host
[root@martin-host ~]# ssh root@192.168.140.10 ifconfig ens33
- Copy files to and from a remote host
// Copy a file to the remote host, then copy a file back from it
[root@martin-host ~]# scp file01 root@192.168.140.10:/tmp
root@192.168.140.10's password:
file01 100% 4 2.2KB/s 00:00
[root@martin-host ~]# scp root@192.168.140.10:/etc/fstab ./
root@192.168.140.10's password:
fstab 100% 465 339.8KB/s 00:00
// Copy a directory (recursively)
[root@martin-host ~]# scp -r test/ root@192.168.140.10:/tmp
II. SSH encryption
1. Types of encryption algorithm
Symmetric encryption algorithms
Asymmetric encryption algorithms
2. Symmetric encryption algorithms
The same key is used for both encryption and decryption.
Typical algorithms: DES, 3DES, AES
- Encrypt data
[root@martin-host ~]# openssl enc -e -des -in /opt/file01 -out /opt/file01_new
enter des-cbc encryption password:
Verifying - enter des-cbc encryption password:
- Decrypt data
[root@node01 ~]# openssl enc -d -des -in /opt/file01_new -out /opt/file01
enter des-cbc decryption password:
3. Asymmetric encryption algorithms
Different keys are used for encryption and decryption.
Encryption model: encrypt with the public key, decrypt with the private key.
Typical algorithms: RSA, DSA
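The two models above side by side, as an added example that is not part of the original post: a symmetric round trip with openssl enc (AES-256-CBC with PBKDF2 in place of the DES-CBC shown above) and an asymmetric one with an RSA key pair, where only the public key encrypts and only the private key decrypts. SSH itself combines both: asymmetric keys for authentication and key exchange, a symmetric cipher for the session data. The file names and passphrase are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post. Requires the openssl CLI
# (1.1.1 or newer for -pbkdf2). Everything is written to a temp directory.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf 'hello from martin-host\n' > "$WORK/file01"   # constructed plaintext

# Symmetric: one passphrase both encrypts and decrypts.
sym_roundtrip() {
    openssl enc -e -aes-256-cbc -pbkdf2 -pass pass:demo-secret \
        -in "$WORK/file01" -out "$WORK/file01.enc"
    openssl enc -d -aes-256-cbc -pbkdf2 -pass pass:demo-secret \
        -in "$WORK/file01.enc" -out "$WORK/file01.sym"
    cmp -s "$WORK/file01" "$WORK/file01.sym"   # 0 only if identical
}

# Asymmetric: public key encrypts, private key decrypts (RSA-OAEP).
# Real tools encrypt bulk data symmetrically and wrap only that key with RSA;
# this direct encryption is limited to one short message.
asym_roundtrip() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/key.pem" 2>/dev/null
    openssl pkey -in "$WORK/key.pem" -pubout -out "$WORK/pub.pem"
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/pub.pem" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$WORK/file01" -out "$WORK/file01.rsa"
    openssl pkeyutl -decrypt -inkey "$WORK/key.pem" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$WORK/file01.rsa" -out "$WORK/file01.asym"
    cmp -s "$WORK/file01" "$WORK/file01.asym"
}

# Failure mode: a wrong passphrase never yields the plaintext (run after
# sym_roundtrip, which produces file01.enc).
sym_wrong_key_fails() {
    openssl enc -d -aes-256-cbc -pbkdf2 -pass pass:wrong-secret \
        -in "$WORK/file01.enc" -out "$WORK/file01.bad" 2>/dev/null || true
    ! cmp -s "$WORK/file01" "$WORK/file01.bad"
}

sym_roundtrip && asym_roundtrip && sym_wrong_key_fails \
    && echo "symmetric and asymmetric round trips behaved as expected"
```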
III. Configuring passwordless SSH
1. SSH authentication methods
Password-based authentication
Key-based authentication (passwordless SSH)
2. Configuring passwordless SSH
- Generate a key pair on the client
[root@martin-host ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:zYgk4ThXS0U8e9kY/Gu3iFhesz3rxqRJtFpnKRiNfCQ root@martin-host.linux.com
The key's randomart image is:
+---[RSA 2048]----+
| . o+o. |
| o + .o E . |
| o + o + @ |
| o o ..+B * |
| . S.o= o . |
| o X * |
| + B # . |
| . + = * |
| ooo |
+----[SHA256]-----+
[root@martin-host ~]# ls /root/.ssh/
id_rsa id_rsa.pub
[root@martin-host ~]#
- Copy the public key to the remote server
[root@martin-host ~]# ssh-copy-id root@192.168.140.10
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.140.10 (192.168.140.10)' can't be established.
ECDSA key fingerprint is SHA256:6If14U96x1VtkGO5zXGKxnmGRUw2Cv04pVWSeq6Rd0I.
ECDSA key fingerprint is MD5:9b:1c:33:d9:31:ff:4d:11:a7:bd:77:bb:b0:82:11:3e.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.140.10's password:

Number of key(s) added: 1

Now try logging into the machine, with: "ssh 'root@192.168.140.10'"
and check to make sure that only the key(s) you wanted were added.
- Test
[root@martin-host ~]# ssh root@192.168.140.10
Last login: Tue Oct 22 14:08:08 2024 from 192.168.140.1
[root@node01 ~]# exit
登出
Connection to 192.168.140.10 closed.
[root@martin-host ~]# ssh root@192.168.140.10 hostname
node01
[root@martin-host ~]#
[root@martin-host ~]# scp /etc/passwd root@192.168.140.10:/tmp/
passwd 100% 2368 1.1MB/s 00:00
[root@martin-host ~]#
Note:
1. Passwordless SSH is configured per user: the key pair belongs to one client user and is authorized for one remote user.
2. Passwordless SSH is one-directional, from the client that generated the key to the server that holds its public key.
3. What does ssh-copy-id do?
- It copies the public key into the corresponding user's home directory on the remote server, as .ssh/authorized_keys
[root@node01 ~]# ls -a /home/martin/.ssh/
. .. authorized_keys
- It sets the permissions of that key file to 600
[root@node01 ~]# ls -l /home/martin/.ssh/
total 4
-rw------- 1 martin martin 408 Oct 22 14:18 authorized_keys
[root@node01 ~]#
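The server-side work described in the note above, as an added example that is not ssh-copy-id's own code: a function that installs a public key into a user's authorized_keys with the 700/600 permissions, and skips a key that is already present, which is the filtering step ssh-copy-id reports. The home directory and the key line are constructed for the demo; the key line is not a real key.

```shell
#!/bin/sh
# Added example, not ssh-copy-id's own implementation.
set -eu

# install_pubkey <home_dir> <pubkey_file>
# Appends the key to <home_dir>/.ssh/authorized_keys and prints 1 if it was
# added, 0 if the same key was already installed. sshd's StrictModes refuses
# the file if it, .ssh or the home directory is writable by others, so the
# directory is set to 700 and the file to 600 as ssh-copy-id does.
install_pubkey() {
    home_dir=$1; pubkey_file=$2
    ssh_dir="$home_dir/.ssh"; auth="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth" && chmod 600 "$auth"
    # Compare only "<type> <base64>"; the trailing comment may differ.
    key_id=$(awk '{print $1, $2}' "$pubkey_file")
    if awk '{print $1, $2}' "$auth" | grep -qxF "$key_id"; then
        echo 0
    else
        cat "$pubkey_file" >> "$auth"
        echo 1
    fi
}

# Number of installed keys: non-empty lines not starting with '#'.
count_keys() { grep -c '^[^#]' "$1/.ssh/authorized_keys"; }

# True when the directory and file carry the expected 700 / 600 modes.
perms_ok() {
    [ "$(ls -ld "$1/.ssh" | cut -c1-10)" = "drwx------" ] &&
    [ "$(ls -l "$1/.ssh/authorized_keys" | cut -c1-10)" = "-rw-------" ]
}

# Demo on a constructed home directory with a constructed (fake) key line.
DEMO=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructed root@martin-host.linux.com\n' \
    > "$DEMO/id_rsa.pub"
install_pubkey "$DEMO/home" "$DEMO/id_rsa.pub"   # prints 1: key added
install_pubkey "$DEMO/home" "$DEMO/id_rsa.pub"   # prints 0: already installed
```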
IV. sshd service configuration
- Configuration file
/etc/ssh/sshd_config
- Change the default port
[root@martin-host ~]# vim /etc/ssh/sshd_config
Port 23333
[root@martin-host ~]# systemctl restart sshd
[root@martin-host ~]# netstat -tunlp | grep ssh
tcp 0 0 127.0.0.1:6010 0.0.0.0:* LISTEN 6022/sshd: root@pts
tcp 0 0 0.0.0.0:23333 0.0.0.0:* LISTEN 8472/sshd
[root@node01 ~]# ssh root@192.168.140.135 -p 23333
[root@node01 ~]# scp -P 23333 /etc/passwd root@192.168.140.135:/tmp/
- Disallow remote login as root
[root@martin-host ~]# vim /etc/ssh/sshd_config
PermitRootLogin no
[root@martin-host ~]# systemctl restart sshd
[root@node01 ~]# ssh -p 23333 martin@192.168.140.135
martin@192.168.140.135's password:
[martin@martin-host ~]$
- Disable reverse DNS lookups of clients
[root@martin-host ~]# vim /etc/ssh/sshd_config
UseDNS no
[root@martin-host ~]# systemctl restart sshd
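The three edits above, done with a script instead of vim, as an added example that is not from the original post or from OpenSSH: a function that sets a global sshd_config directive idempotently (replacing a commented or uncommented existing line, otherwise appending, never touching a Match block) and one that reads the effective value back. The sample config is constructed; on a real host the file is /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not from the post or from OpenSSH.
set -eu

# set_directive <file> <key> <value>
# The first "Key ..." or "#Key ..." line before any Match block becomes
# "Key value"; later duplicates are commented out so sshd (which honours the
# first occurrence) sees exactly one global setting. Match blocks are left
# alone: a directive inside them applies only to that block.
set_directive() {
    f=$1; key=$2; val=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$val" '
        tolower($1) == "match" { in_match = 1 }
        !in_match && (tolower($1) == tolower(k) || tolower($1) == ("#" tolower(k))) {
            if (!done) { print k, v; done = 1 }
            else if ($1 !~ /^#/) { print "#" $0 }
            else { print }
            next
        }
        { print }
        END { if (!done) print k, v }
    ' "$f" > "$tmp" && cat "$tmp" > "$f" && rm -f "$tmp"
}

# get_directive <file> <key>: effective global value (first occurrence
# before any Match block), empty if the directive is not set.
get_directive() {
    awk -v k="$2" 'tolower($1) == "match" { exit }
                   tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Demo on a constructed config: the defaults the post changes, plus a Match
# block that must survive untouched.
CFG=$(mktemp)
cat > "$CFG" <<'EOF'
#Port 22
PermitRootLogin yes
UseDNS yes
Match Address 192.168.140.1
    PermitRootLogin yes
EOF
set_directive "$CFG" Port 23333
set_directive "$CFG" PermitRootLogin no
set_directive "$CFG" UseDNS no
cat "$CFG"
```

Before restarting sshd with a changed Port, validate the file with sshd -t, open the new port in the firewall and (on SELinux-enforcing CentOS 7) register it with semanage port, and keep the existing session open until a connection on the new port succeeds.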