ssh is short for secure shell protocol. It transfers data by encrypting the packets of the connection, so it is safer than telnet.
ssh provides two server functions by default:
1. A remote login service similar to telnet, which is what people usually mean by SSH.
2. An sftp-server similar to FTP, which provides a more secure FTP service.
ssh currently has two connection modes: ssh protocol version 1 and version 2. The difference is that version 2 adds a mechanism for verifying that the connection is genuine, which makes it more secure.
The connection encryption steps of ssh protocol version 1 are as follows:
1. When sshd starts, it generates a 768-bit public key (server key) and keeps it on the server.
2. When a connection request arrives from the client, the server sends this public key to the client; the client checks whether the public key is correct, using the contents of /etc/ssh/ssh_known_hosts or ~/.ssh/known_hosts as the reference.
3. After receiving the public key, the client itself randomly generates a 256-bit private key (private key or host key), combines the public key it received with its own private key into a complete key pair in encrypted form, and sends this to the server.
4. For the rest of this connection, the server and client use this 1024-bit key pair to transfer data.
* The public key is kept on the server, while the private key is generated randomly by the client on every connection.
* On the client, ~/.ssh/known_hosts in the user's home directory records the public keys of hosts that have been connected to before; it is used to verify that each later connection to that host is genuine.
* Compared with version 1, version 2 adds a Diffie-Hellman mechanism for verifying the connection; on every data transfer the server uses it to check that the data source is genuine.
* Current distributions install openssl and openssh by default and start them at boot.
Starting the SSH service:
[root@localhost ~]# /etc/init.d/sshd stop
Stopping sshd: [ OK ]
[root@localhost ~]# /etc/init.d/sshd start
Starting sshd: [ OK ]
[root@localhost ~]# /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
[root@localhost ~]#
Use netstat to check that sshd is listening correctly:
[root@localhost ~]# netstat -tlp | grep sshd
tcp 0 0 *:ssh *:* LISTEN 7355/sshd
tcp 0 0 *:ssh *:* LISTEN 7355/sshd
[root@localhost ~]#
SSH client connection:
* Logging in as root is allowed by default.
1. Log in directly to the remote host:
[root@localhost ~]# ssh oracle@localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is 5f:3e:7f:c2:a3:d8:38:44:cc:d4:9c:4d:e0:92:e7:e8.
Are you sure you want to continue connecting (yes/no)? yes
# you must type the complete word yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
oracle@localhost's password:
Last login: Tue Apr 19 10:44:14 2011 from localhost.localdomain
# logged in
[oracle@localhost ~]$ ls -l
total 64
-rw-r--r-- 1 oracle oinstall 27 Apr 10 21:36 afiedt.buf
drwxr-xr-x. 6 oracle oinstall 4096 Mar 24 16:50 app
drwxr-xr-x 2 oracle oinstall 4096 Mar 31 23:25 Desktop
drwxr-xr-x 2 oracle oinstall 4096 Mar 24 15:41 Documents
drwxr-xr-x 3 oracle oinstall 4096 Mar 31 20:52 Downloads
..........
# exit and leave the remote host
[oracle@localhost ~]$ exit
logout
Connection to localhost closed.
[root@localhost ~]#
2. Run a command on the remote host without logging in to it:
[root@localhost ~]# ssh oracle@localhost pwd
oracle@localhost's password:
/home/oracle
[root@localhost ~]#
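At the "authenticity of host ... can't be established" prompt shown above, the right response is to compare the fingerprint with the one computed from the server's own public key file before typing yes. The script below is an added example, not code from the original post: it builds an ssh-rsa public key line from a constructed (deliberately tiny, unusable) modulus, parses id_rsa.pub-style and known_hosts-style lines, and prints the colon-separated MD5 fingerprint in the format that prompt uses; the key values and host names are assumptions.

```python
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519")

def ssh_string(data: bytes) -> bytes:
    """One SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(n: int) -> bytes:
    """Positive integer as an SSH mpint: big-endian, leading zero byte when the top bit is set."""
    return ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))

def build_rsa_blob(e: int, n: int) -> bytes:
    """The binary blob an ssh-rsa public key line carries after the key type."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)

def make_pub_line(e: int, n: int, comment: str = "") -> str:
    """Format a blob the way id_rsa.pub / ssh_host_rsa_key.pub store it."""
    line = "ssh-rsa " + base64.b64encode(build_rsa_blob(e, n)).decode()
    return line + (" " + comment if comment else "")

def parse_public_key_line(line: str):
    """Return (key_type, blob) from an id_rsa.pub line or a known_hosts line."""
    fields = line.split()
    if fields[0] not in KEY_TYPES and not fields[0].startswith("ecdsa-sha2-"):
        fields = fields[1:]                      # drop the 'host,ip' field of a known_hosts entry
    key_type, blob = fields[0], base64.b64decode(fields[1])
    name_len = struct.unpack(">I", blob[:4])[0]  # the blob starts with its own type name
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("key type inside blob does not match the line")
    return key_type, blob

def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 of the blob, the fingerprint format older clients print at the prompt."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def fingerprints_match(server_pub_line: str, known_hosts_line: str) -> bool:
    """True when the key the server publishes is the one recorded in known_hosts."""
    _, server_blob = parse_public_key_line(server_pub_line)
    _, recorded_blob = parse_public_key_line(known_hosts_line)
    return md5_fingerprint(server_blob) == md5_fingerprint(recorded_blob)

# Constructed demo key: tiny modulus, NOT a usable key, only for exercising the format.
DEMO_PUB_LINE = make_pub_line(65537, 0xC0FFEE1234567890ABCDEF, "root@server")
DEMO_KNOWN_HOSTS_LINE = "localhost,127.0.0.1 " + DEMO_PUB_LINE.rsplit(" ", 1)[0]
```

On a real server the line to feed into parse_public_key_line is the contents of /etc/ssh/ssh_host_rsa_key.pub, and the result should equal what the client prompt shows.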
SSH's sftp function: once inside sftp, the operations are no different from those in a normal shell.
[root@localhost ~]# sftp oracle@localhost
oracle@localhost's password:
Connected to localhost.
sftp> ls
Desktop Documents Downloads Music
ON.lst Pictures Public Templates
Videos afiedt.buf app java_se
mysqlplus.sql oracle_for_linux test.sql workspace
sftp> pwd
Remote working directory: /home/oracle
sftp> exit
[root@localhost ~]#
SSH's scp function:
1. Copy from the local machine to the remote host
[root@localhost ~]# scp /etc/crontab oracle@localhost:/home/oracle
oracle@localhost's password:
crontab 100% 441 0.4KB/s 00:00
[root@localhost ~]# ls -l /home/oracle/crontab
-rw-r--r-- 1 oracle oinstall 441 Apr 19 12:02 /home/oracle/crontab
2. Copy from the remote host to the local machine
[root@localhost ~]# scp -r oracle@localhost:/home/oracle/java_se .
oracle@localhost's password:
hello.class 100% 410 0.4KB/s 00:00
hello.java 100% 111 0.1KB/s 00:00
[root@localhost ~]# ls -al
total 168
.......
-rw-r--r--. 1 root root 13781 Mar 15 17:23 install.log.syslog
drwxr-xr-x 2 root root 4096 Apr 19 12:05 java_se
drwx------ 2 root root 4096 Apr 19 11:42 .ssh
.......
[root@localhost ~]#
Detailed SSHD settings:
For the detailed sshd settings see /etc/ssh/sshd_config.
ssh provides two authentication methods:
1. Password authentication: simply enter the password of the corresponding user.
2. Key-based authentication:
1. First, on the client, use ssh-keygen to create the two keys, the public key and the private key.
[fedora@localhost ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/fedora/.ssh/id_rsa): (enter)
Enter passphrase (empty for no passphrase): (enter)
Enter same passphrase again: (enter)
Your identification has been saved in /home/fedora/.ssh/id_rsa.
Your public key has been saved in /home/fedora/.ssh/id_rsa.pub.
The key fingerprint is:
f7:7f:89:c0:8a:47:fb:1a:83:6a:05:04:6b:b2:e2:75 fedora@localhost.localdomain
The key's randomart image is:
+--[ RSA 2048]----+
| .. |
| .. |
| . o. |
| + . |
|.. . E. S o |
|o . . ..o + |
| . ..ooo o . .|
| ... +o o ..|
| .. ..o. .. |
+-----------------+
[fedora@localhost ~]$
2. Put the private key in the client's default directory, $HOME/.ssh/, and change its permissions so that only this user can read it.
3. Put the public key into the authorized-keys file under .ssh/ in the home directory of a user on whichever host (server) you want to log in to.
[fedoracle@kingdom ~]$ scp fedora@192.168.1.103:/home/fedora/.ssh/id_rsa.pub /home/fedoracle/.ssh
fedora@192.168.1.103's password:
id_rsa.pub 100% 410 0.4KB/s 00:00
[fedoracle@kingdom ~]$ ls -al .ssh
total 20
drwx------ 2 fedoracle fedoracle 4096 Apr 21 15:57 .
drwx------ 18 fedoracle fedoracle 4096 Apr 21 15:46 ..
-rw-r--r-- 1 fedoracle fedoracle 410 Apr 21 15:57 id_rsa.pub
-rw-r--r-- 1 fedoracle fedoracle 791 Apr 21 15:51 known_hosts
[fedoracle@kingdom ~]$
[fedoracle@kingdom .ssh]$ cat id_rsa.pub >> authorized_keys
4. Log in from the client:
[fedora@localhost ~]$ ssh fedoracle@192.168.71.129
Agent admitted failure to sign using the key.
fedoracle@192.168.71.129's password:
* In the past the setup above was enough, but now it is not; you have to run the command below to add the private key:
[fedora@localhost ~]$ ssh-add ~/.ssh/id_rsa
Identity added: /home/fedora/.ssh/id_rsa (/home/fedora/.ssh/id_rsa)
Now key-based authentication works normally:
[fedora@localhost ~]$ ssh fedoracle@192.168.71.129
Last login: Thu Apr 21 22:54:09 2011 from 192.168.71.1
[fedoracle@kingdom ~]$
Logged in directly to the remote host without having to enter a password, heh heh.
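Steps 2 and 3 of the key-based procedure above depend on file permissions that the listing never verifies: the ssh client ignores an id_rsa that other users can read, and sshd (with its default StrictModes) ignores an authorized_keys, or a .ssh directory, that group or others can write to. The check below is an added example, not code from the original post; it audits a home directory's .ssh layout and builds a constructed throwaway directory to run against, so the file names and modes used for the demo are assumptions.

```python
import os
import stat
import tempfile

def _mode(path: str) -> int:
    """Permission bits only (e.g. 0o600), without the file-type bits."""
    return stat.S_IMODE(os.stat(path).st_mode)

def check_ssh_dir(home: str) -> list:
    """List the problems (empty list = clean) with the ~/.ssh layout that
    key-based login needs: .ssh itself mode 700, the private key mode 600,
    and authorized_keys (plus the other files) not writable by group/others.
    sshd with StrictModes ignores an authorized_keys that breaks the last rule,
    and the ssh client ignores a private key readable by anyone else."""
    ssh_dir = os.path.join(home, ".ssh")
    if not os.path.isdir(ssh_dir):
        return ["missing directory " + ssh_dir]
    problems = []
    if _mode(ssh_dir) & 0o077:
        problems.append(ssh_dir + " should be mode 700")
    private_key = os.path.join(ssh_dir, "id_rsa")
    if os.path.isfile(private_key) and _mode(private_key) & 0o077:
        problems.append(private_key + " should be mode 600")
    for name in ("authorized_keys", "known_hosts", "id_rsa.pub"):
        path = os.path.join(ssh_dir, name)
        if os.path.isfile(path) and _mode(path) & 0o022:
            problems.append(path + " is writable by group or others")
    return problems

def make_demo_home(private_mode: int = 0o600, auth_mode: int = 0o644) -> str:
    """Constructed throwaway home directory mirroring the 'ls -al .ssh' listing
    above (sample data for the check, not a real account)."""
    home = tempfile.mkdtemp()
    ssh_dir = os.path.join(home, ".ssh")
    os.mkdir(ssh_dir, 0o700)
    for name, mode in (("id_rsa", private_mode), ("id_rsa.pub", 0o644),
                       ("authorized_keys", auth_mode), ("known_hosts", 0o644)):
        path = os.path.join(ssh_dir, name)
        open(path, "w").close()   # empty placeholder file, only its mode matters
        os.chmod(path, mode)
    return home

if __name__ == "__main__":
    for home in (make_demo_home(), make_demo_home(private_mode=0o644, auth_mode=0o664)):
        print(home, "->", check_ssh_dir(home) or "clean")
```

To audit a real account, call check_ssh_dir with that user's home directory instead of the constructed one.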