SSH remote management

Remote connection

Linux:
- ssh, port 22, transmits data encrypted
- telnet, port 23, transmits data in plaintext

Windows:
- rdp, port 3389, Remote Desktop Protocol

Packet capture demonstration

Telnet data is transmitted in plaintext (packet capture screenshot not reproduced here)

SSH data is transmitted encrypted (packet capture screenshot not reproduced here)

Passwordless SSH connection

Authentication methods:
  • username and password
  • key pair

SSH key-pair authentication flow (diagram not reproduced here)

Enterprise interview questions

## Write down the ports of the following services or protocols

ftp 21
ssh 22
telnet 23
dns 53
mysql 3306
http 80
https 443
rsync 873

SSH-related commands and options

## Note: when the ssh command is used without user@, the currently logged-in user is used by default

ssh: connect remotely to a Linux server
	-p: specify the port

## Run a command on the server without opening an interactive session
[root@web01 ~]# ssh root@10.0.0.41 'tail -1 /etc/passwd'
root@10.0.0.41's password: 
www:x:666:666::/home/www:/sbin/nologin/

scp: copy data remotely (the argument written first is the source)
	-r: recursive (copy a directory remotely)
	-p: preserve attributes when copying
	-P: uppercase P specifies the port
	
Push: [root@backup ~]# scp check_md5.sh root@172.16.1.7:/opt
Pull: [root@web01 ~]# scp root@172.16.1.41:/root/check_md5.sh /opt/

# Conclusions:
1. scp copies files or directories over the ssh protocol, so the transfer is encrypted
2. the user scp connects as determines the permissions of the copied files or directories (-p preserves the file attributes, -a)
3. scp supports both pushing and pulling data, but every run is a full copy, so it is relatively inefficient

Passwordless SSH login: generating and distributing the key pair
#### ssh-keygen: generate a key pair

[root@m01 ~]# ssh-keygen
Generating public/private rsa key pair.
## Save the key to a file; another path can be given (press Enter to accept the default)
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
## Set a passphrase for the key pair; none is needed here (press Enter)
Enter passphrase (empty for no passphrase):
## Repeat the passphrase (press Enter)
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:3jXcLjP2VzFk55xY7lYGdohVQSSxxBJLDJE9MJIUWbU root@m01
The key's randomart image is:
+---[RSA 2048]----+
| .+=*O+o*=*o|
| o..o==.*+o|
| Eoo*=o|
| . o ==|
| S + o.+|
| . . . o o.|
| . . = o .|
| . = .|
| .. |
+----[SHA256]-----+

## The generated key pair
[root@m01 ~]# ll /root/.ssh/
total 8
-rw------- 1 root root 1679 May 23 21:46 id_rsa
-rw-r--r-- 1 root root  390 May 23 21:46 id_rsa.pub
-rw-r--r-- 1 root root    0 May 23 21:42 known_hosts

#### ssh-copy-id: send the public key
	-i: specify the public key file

[root@m01 ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.16.1.41
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@172.16.1.41's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@172.16.1.41'"
and check to make sure that only the key(s) you wanted were added.

[root@m01 ~]# ssh 'root@172.16.1.41'
Last login: Mon May 23 22:07:38 2022 from 172.16.1.61
[root@backup ~]#

[root@m01 ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.16.1.7
[root@m01 ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.16.1.8
[root@m01 ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.16.1.31

#### Role of known_hosts in the .ssh directory
[root@m01 ~]# cat ~/.ssh/known_hosts
Records the servers that have been connected to; a server never connected to before (first connection) requires typing yes to accept its host key


#### ssh-keygen, generating the key pair (steps)
1. Creates a hidden directory .ssh in the current user's home directory	equivalent to: mkdir ~/.ssh
2. Sets the key directory .ssh to mode 700		equivalent to: chmod 700 ~/.ssh
3. Writes the public key to ~/.ssh/id_rsa.pub
4. Writes the private key to ~/.ssh/id_rsa
5. Sets the private key file to mode 600		equivalent to: chmod 600 ~/.ssh/id_rsa

#### ssh-copy-id, sending the public key (steps)
[root@m01 ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.16.1.7
type yes
type the password

1. Creates a hidden directory .ssh in the specified user's home directory on the remote host	equivalent to: ssh root@172.16.1.5 'mkdir ~/.ssh'

2. Sets the key directory .ssh to mode 700		equivalent to: ssh root@172.16.1.5 'chmod 700 ~/.ssh'

3. Creates the file authorized_keys in the remote ~/.ssh directory
equivalent to: ssh root@172.16.1.5 'touch ~/.ssh/authorized_keys'

4. Sets authorized_keys to mode 600
equivalent to: ssh root@172.16.1.5 'chmod 600 ~/.ssh/authorized_keys'

5. Appends the public key to the authorized_keys file

# The .ssh/authorized_keys file is appended to, so several public keys can coexist (here the redirect runs locally on backup, adding web01's key):
[root@backup .ssh]# ssh root@172.16.1.7 'echo ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCu4gXGJM4gAPSvScOPZcSh+8CvJ03MTqTBacHrbKtnjw4/580qeyWmluEAWDyLS+tYxyaa/OGNrH392/Aj3U23vEYc9rnkO7aMu2mB+jZD9jP7IWasU1IxvMEN6eRz3+rdSL6M7hRVDdySyjwrv5AdscjLyuw6E0CSGV7HUXnid1p0RzZWSVBS9ax41lfEdeypqqo+5pacjWHTx3K/cFzRw1cZDFGFlwt5n4a7xRxaVLitp97+wEnerW//XE9PReyeQMZeVZgzHssr/9V8c44spsCgwReLTrG/X7ZvtmA/6Rwq2AzZUPATxaNCVY8Vr1N/LDoMweEwghR70Ufw/TpF root@web01' >>~/.ssh/authorized_keys

[root@backup .ssh]# cat authorized_keys 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKOsVC2INKekgzflvcE7BfNoKJya3ErA0qqssZH7afGg3T1TCitZwmGs3t4t0snZCb41FUIBNPYX8OlTijWjtHYUkXNgDQuqJkuq2Fa6DB6rckbvxpRL1rtKu7xNU3V8/s84p5sL8/9/zJQCjfgDrUZ6B9f4PEXegXlovG3InIaRQPCfM5k07ATpVxqRxTh28W6sezDt7ZO9RdFPGRBHmsCQq+YpnICwg8vurAsXU7O9irRP1SiZB6iSYDwjboBbb9enBkyUW9BFZ6pBelqyuW+KbOR8R3TN6PKjMKNaLWiPQld/Ep5+q4Ww3LoY923XiBwBoTJt2DjfDpKLtTYuE5 root@m01
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCu4gXGJM4gAPSvScOPZcSh+8CvJ03MTqTBacHrbKtnjw4/580qeyWmluEAWDyLS+tYxyaa/OGNrH392/Aj3U23vEYc9rnkO7aMu2mB+jZD9jP7IWasU1IxvMEN6eRz3+rdSL6M7hRVDdySyjwrv5AdscjLyuw6E0CSGV7HUXnid1p0RzZWSVBS9ax41lfEdeypqqo+5pacjWHTx3K/cFzRw1cZDFGFlwt5n4a7xRxaVLitp97+wEnerW//XE9PReyeQMZeVZgzHssr/9V8c44spsCgwReLTrG/X7ZvtmA/6Rwq2AzZUPATxaNCVY8Vr1N/LDoMweEwghR70Ufw/TpF root@web01
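The steps above spell out the exact modes that ssh-keygen and ssh-copy-id leave behind (700 for .ssh, 600 for id_rsa and authorized_keys). sshd's default StrictModes refuses key authentication when these files are looser than that, which is the most common reason a freshly pushed key "does not work". The script below is an added example, not part of these notes: it builds a constructed .ssh directory in a scratch location (placeholder key bodies, deliberately wrong mode on authorized_keys), checks every path against the required mode, and lists the entries in authorized_keys so unlabelled or option-bearing keys stand out. The function names and the sample data are the example's own.

```bash
#!/usr/bin/env bash
# Added example: verify the .ssh layout the notes describe.
# Constructed scratch directory; key bodies are placeholders, not real keys.
scratch=$(mktemp -d)
trap 'rm -rf "$scratch"' EXIT
mkdir "$scratch/.ssh" && chmod 700 "$scratch/.ssh"
printf 'placeholder private key\n' > "$scratch/.ssh/id_rsa"
chmod 600 "$scratch/.ssh/id_rsa"
cat > "$scratch/.ssh/authorized_keys" <<'EOF'
# constructed entries; the key bodies are placeholders
ssh-rsa AAAAB3NzaC1yc2E...PLACEHOLDER1 root@m01
command="/usr/local/bin/backup.sh",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5...PLACEHOLDER2 backup@web01

ssh-rsa AAAAB3NzaC1yc2E...PLACEHOLDER3
EOF
chmod 644 "$scratch/.ssh/authorized_keys"   # deliberately too open

# has_mode PATH MODE: true when PATH's permission bits are exactly MODE.
has_mode() {
    [ -n "$(find "$1" -maxdepth 0 -perm "$2" -print)" ]
}

# check_ssh_perms DIR: report every path whose mode differs from what the
# notes require. Returns the number of problems found (0 = all good).
check_ssh_perms() {
    local dir=$1 problems=0 path mode
    while read -r path mode; do
        [ -e "$dir/$path" ] || continue
        if ! has_mode "$dir/$path" "$mode"; then
            echo "WRONG MODE: $dir/$path should be $mode"
            problems=$((problems + 1))
        fi
    done <<'EOF'
. 700
id_rsa 600
authorized_keys 600
EOF
    return $problems
}

# list_authorized_keys FILE: one line per key showing type, comment and any
# leading options (assumes option strings contain no whitespace); prints the
# key count as the last line.
list_authorized_keys() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            options = ""
            if ($1 !~ /^(ssh-|ecdsa-|sk-)/) { options = $1; $1 = ""; sub(/^ /, "") }
            comment = (NF >= 3) ? $3 : "(no comment)"
            printf "%-12s %-24s %s\n", $1, comment, options
            n++
        }
        END { print n + 0 }
    ' "$1"
}

check_ssh_perms "$scratch/.ssh" || echo "fix the modes above before testing key login"
list_authorized_keys "$scratch/.ssh/authorized_keys"
```

Run it against a real account with `check_ssh_perms ~/.ssh` and `list_authorized_keys ~/.ssh/authorized_keys`; the third constructed entry has no comment, which is exactly the kind of key worth asking about when reviewing a server.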

Use cases for passwordless login

Batch-view server information

#!/bin/bash
# Run the command given as the only argument on every host in the list
[ $# -ne 1 ] && echo "请输入执行的命令" && exit 1
for i in 5 7 8 31 41
do
    echo "#########172.16.1.$i#####"
    ssh root@172.16.1.$i "$1"
done

SSH security hardening

## ssh configuration file (edit the existing directives in place)
[root@nfs ~]# vim /etc/ssh/sshd_config
Port 5555 					# change the default port
UseDNS no 					# disable reverse DNS lookups
PermitRootLogin no 			# forbid root login
PasswordAuthentication no 	# forbid password login
GSSAPIAuthentication no 		# disable GSSAPI authentication

## Or copy the following lines directly to the end of the file
Port 5555 						# change the SSH remote connection port
PermitRootLogin no 				# forbid direct remote login as root
PasswordAuthentication no 		# forbid direct remote login with a password
UseDNS no 						# stop ssh doing reverse DNS lookups, which slow down connections
GSSAPIAuthentication no 		# disable GSSAPI authentication, reducing connection delay

## Restart the service
[root@m01 ~]# systemctl restart sshd
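One caveat on the "copy to the end of the file" variant: sshd_config keeps the first value it reads for each keyword, so an appended PasswordAuthentication no is silently ignored when the stock PasswordAuthentication yes (line 65 in the vim listing above) is still uncommented earlier in the file; the same holds for GSSAPIAuthentication yes. The script below is an added example, not part of these notes: it writes a constructed sshd_config that was "hardened" by appending, resolves the value sshd would actually use for each directive (first uncommented match, ignoring Match blocks), and reports which of the five hardening settings did not take effect. Function names and the sample file are the example's own.

```bash
#!/usr/bin/env bash
# Added example: audit which hardening directives are actually effective.
# Constructed sshd_config: stock lines on top, hardening appended below.
sample_config=$(mktemp)
trap 'rm -f "$sample_config"' EXIT
cat > "$sample_config" <<'EOF'
#Port 22
#PermitRootLogin yes
PasswordAuthentication yes
GSSAPIAuthentication yes
#UseDNS yes

# appended by the hardening step
Port 5555
PermitRootLogin no
PasswordAuthentication no
UseDNS no
GSSAPIAuthentication no
EOF

# effective_value FILE DIRECTIVE: the value sshd will use. sshd_config keeps
# the FIRST uncommented occurrence, so later duplicates are ignored.
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE: compare each directive with the hardened value and
# print the mismatches. Returns the number of mismatches (0 = fully applied).
audit_sshd_config() {
    local file=$1 failures=0 directive expected actual
    while read -r directive expected; do
        actual=$(effective_value "$file" "$directive")
        if [ "$actual" != "$expected" ]; then
            printf '%-24s want %-5s got %s\n' "$directive" "$expected" "${actual:-<default>}"
            failures=$((failures + 1))
        fi
    done <<'EOF'
Port 5555
PermitRootLogin no
PasswordAuthentication no
UseDNS no
GSSAPIAuthentication no
EOF
    return $failures
}

audit_sshd_config "$sample_config" || echo "effective config still differs from the intended hardening"
```

On a real host run `audit_sshd_config /etc/ssh/sshd_config`, then `sshd -t` to syntax-check before the restart and `sshd -T` to print the fully resolved configuration; both flags belong to sshd itself, not to this script. The appended-only file above leaves password and GSSAPI authentication enabled, which is why the in-place edit is the safer of the two procedures.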


## Troubleshooting
If, after hardening ssh, the server turns out to have one of the following problems:
	- no regular user exists
		useradd swu (if it cannot be created, boot into single-user mode)
	- the key from the Windows machine has not been pushed
		run ssh-keygen from the Windows command line
		or use Xshell

Generating a key pair with Xshell

Generate the key pair in Xshell (wizard screenshots not reproduced here), then install the exported public key for the user on the server:

[swu@m01 ~]$ mkdir .ssh
[swu@m01 ~]$ chmod 700 .ssh/
[swu@m01 ~]$ vim .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAx8M9KP9zOXhoXzN0IeBWVAqHtIzAKbKAWhonfuPXFpuYKD5UTyqqmZtVms49UfR8I+Uj4Kin7ZWcyTYL+a/oDjzY7dpyfreZxfXgbNf7BjovKfGLgiecEahuVgysnEsCtv6/vn5Z1GSEmLoOsdfsZE3oeQf63aYjnCfznj9rEzzLkv1YgOCzFn5mRvw63ZXF1Jbdw64xi1LtwNZ3xruygYyCz3uotUK5MH0aafSZUycNAUH2qncxiPb+qKbl61+1LfC5Je3fw1YoaFH5aFHvyH6aWDV6yR40rSQrrsY7C124xjB1gmuAvTERqrvOV2hCHriUISYvn8FvJuUFh5shFw==
[swu@m01 ~]$ chmod 600 .ssh/authorized_keys

Then log in from Xshell with the private key (session screenshots not reproduced here).

Non-interactive key pair generation

ssh-keygen -t rsa -P '' -f ~/.ssh/id_rsa &>/dev/null

-t: specify the key type
-P: empty passphrase
-f: where to write the key

Non-interactive public key distribution

## Script without a loop

#!/bin/bash
ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.16.1.31
ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.16.1.41
ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.16.1.5
ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.16.1.7
ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.16.1.8


## Script with a loop

#!/bin/bash
# generate the key pair only if the private key does not exist yet
ls -l ~/.ssh/id_rsa &>/dev/null || ssh-keygen -t rsa -P '' -f ~/.ssh/id_rsa &>/dev/null

# one host per line in /root/1.txt
for n in `cat /root/1.txt`;do
	ssh-copy-id -i ~/.ssh/id_rsa.pub root@$n
done

## Solving the password prompt
	- with expect
#!/usr/bin/expect
set ip 172.16.1.31
set pass 1
set timeout 30
spawn ssh-keygen
expect {
    "id_rsa):" {send "\r"; exp_continue}
    "passphrase):" {send "\r"; exp_continue}
    "again:" {send "\r"}
}
expect eof

# push the key to the host set in $ip above (the original used an undefined $n here)
spawn ssh-copy-id -i /root/.ssh/id_rsa.pub root@$ip
expect {
    "(yes/no)" {send "yes\r"; exp_continue}
    "password:" {send "$pass\r"}
}
#expect "root@*" {send "df -h\r"}
#expect "root@*" {send "exit\r"}
expect eof

	- with sshpass
[root@m01 ~]# yum install -y sshpass

## ssh option that removes the yes prompt for unknown hosts
[root@m01 ~]# ssh -o 'StrictHostKeyChecking no' root@172.16.1.7
[root@m01 ~]# sshpass -p 1 ssh-copy-id -o 'StrictHostKeyChecking no' -i ~/.ssh/id_rsa.pub root@172.16.1.8
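StrictHostKeyChecking no removes the prompt by accepting whatever host key is offered, including a changed one, which is precisely the check that protects against a server being impersonated. The script below is an added example, not part of these notes: it looks a host up in a constructed, unhashed known_hosts file (placeholder key bodies) and only relaxes checking for hosts that are not pinned yet, using accept-new (available from OpenSSH 7.6) rather than no. The function names and sample data are the example's own; hashed known_hosts entries are out of scope.

```bash
#!/usr/bin/env bash
# Added example: decide StrictHostKeyChecking per host from known_hosts.
# Constructed known_hosts; key bodies are placeholders, not real keys.
known_hosts_file=$(mktemp)
trap 'rm -f "$known_hosts_file"' EXIT
cat > "$known_hosts_file" <<'EOF'
172.16.1.7,web01 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5...PLACEHOLDER1
[172.16.1.41]:5555 ssh-rsa AAAAB3NzaC1yc2E...PLACEHOLDER2
# 172.16.1.8 only appears in this comment, so it must not match
EOF

# pinned_key FILE HOST [PORT]: print the recorded key type and key for HOST,
# honouring comma-separated name lists and the [host]:port form used for
# non-default ports. Exit status 1 when the host is not recorded.
pinned_key() {
    local file=$1 host=$2 port=${3:-22} want
    if [ "$port" = 22 ]; then want=$host; else want="[$host]:$port"; fi
    awk -v want="$want" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        /^@/ { next }      # skip @cert-authority / @revoked marker lines
        {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == want) { print $2, $3; found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "$file"
}

# strictness FILE HOST [PORT]: the StrictHostKeyChecking value to use.
# A pinned host keeps the default "yes" (a changed key is fatal); an unknown
# host gets "accept-new", which records the key on first contact but still
# rejects a changed key later. Neither case falls back to "no".
strictness() {
    if pinned_key "$@" >/dev/null; then echo yes; else echo accept-new; fi
}

for target in 172.16.1.7 web01 "172.16.1.41 5555" 172.16.1.41 172.16.1.8; do
    set -- $target
    printf '%-20s StrictHostKeyChecking=%s\n' "$target" "$(strictness "$known_hosts_file" "$@")"
done
```

In the distribution loops below this would become `ssh-copy-id -o "StrictHostKeyChecking=$(strictness ~/.ssh/known_hosts "$ip")" ...`; note that 172.16.1.41 is only pinned for port 5555, so the same address on port 22 counts as unknown.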

[root@m01 ~]# cat send_public_key.sh

#!/bin/bash
ls -l ~/.ssh/id_rsa &>/dev/null || ssh-keygen -t rsa -P '' -f ~/.ssh/id_rsa &>/dev/null

for n in `cat /root/1.txt`;do
	sshpass -p 1 ssh-copy-id -o 'StrictHostKeyChecking no' -i ~/.ssh/id_rsa.pub root@$n
done

[root@m01 ~]# cat /root/1.txt
172.16.1.31
172.16.1.41
172.16.1.5
172.16.1.7
172.16.1.8

## When the passwords differ per host

#!/bin/bash
ls -l ~/.ssh/id_rsa &>/dev/null || ssh-keygen -t rsa -P '' -f ~/.ssh/id_rsa &>/dev/null

# each line of /root/1.txt is ip:password
for n in `cat /root/1.txt`;do
	pass=`echo $n|awk -F ':' '{print $2}'`
	ip=`echo $n|awk -F ':' '{print $1}'`
	sshpass -p $pass ssh-copy-id -o 'StrictHostKeyChecking no' -i ~/.ssh/id_rsa.pub root@$ip
done

[root@m01 ~]# cat /root/1.txt
172.16.1.31:1
172.16.1.41:2
172.16.1.5:3
172.16.1.7:4
172.16.1.8:111

## Optimized script (reports success or failure per host)
[root@m01 ~]# vim send_public_key.sh

#!/bin/bash
. /etc/init.d/functions
ls -l ~/.ssh/id_rsa &>/dev/null || ssh-keygen -t rsa -P '' -f ~/.ssh/id_rsa &>/dev/null

for n in `cat /root/1.txt`;do
	pass=`echo $n|awk -F ':' '{print $2}'`
	ip=`echo $n|awk -F ':' '{print $1}'`
	sshpass -p $pass ssh-copy-id -o 'StrictHostKeyChecking no' -i ~/.ssh/id_rsa.pub root@$ip &>/dev/null
	if [ $? -eq 0 ];then
		action "$ip send public key " /bin/true
	else
		action "$ip send public key " /bin/false
	fi
done

## Optimized script without an explicit if
#!/bin/bash
. /etc/init.d/functions

ls -l ~/.ssh/id_rsa &>/dev/null || ssh-keygen -t rsa -P '' -f ~/.ssh/id_rsa &>/dev/null

for n in `cat /root/1.txt`;do
	pass=`echo $n|awk -F ':' '{print $2}'`
	ip=`echo $n|awk -F ':' '{print $1}'`
	sshpass -p $pass ssh-copy-id -o 'StrictHostKeyChecking no' -i ~/.ssh/id_rsa.pub root@$ip &>/dev/null && \
	action "$ip send public key " /bin/true || \
	action "$ip send public key " /bin/false
done