常見的遠端登入工具
telnet(遠端登入協定,端口23) 明文,可以抓包獲得使用者名與密碼。一般隻用于測試
ssh(secure shell,應用層協定,端口22)通信過程及認證過程加密且主機認證
dropbear 嵌入式系統專用的SSH伺服器端和用戶端工具
OpenSSH是使用SSH透過計算機網絡加密通訊的實作。用于在遠端系統上安全運作shell。如果在可提供ssh服務的遠端Linux系統中擁有使用者帳戶,則ssh是通常用來遠端登入到該系統的指令。ssh指令也可用于在遠端系統中運作指令。
V1:基于CRC-32作MAC,無法防範中間人***
V2:雙方主機協定選擇安全的MAC方式,基于DH算法做密鑰交換,基于RSA或DSA算法實作身份認證
基于密碼認證
基于密鑰認證(不需要輸密碼)
是基于C/S架構工作client/server(另外還有B/S架構browser)
伺服器端sshd,配置檔案/etc/ssh/sshd_config
用戶端ssh ,配置檔案/etc/ssh/ssh_config
ssh-keygen //密鑰生成器
ssh-copy-id //将公鑰傳輸至遠端服務端
scp //跨主機安全複制工具
以目前使用者身份建立遠端互動式shell,然後在結束時使用exit指令傳回到之前的shell
[root@cygames ~]# ssh 192.168.161.100
The authenticity of host '192.168.161.100 (192.168.161.100)' can't be established.
ECDSA key fingerprint is SHA256:xj5/Qq8WV0G4/sdF7/hNgq76VBZzsTxnCc/FuptqmFI.
ECDSA key fingerprint is MD5:7b:f5:4c:cb:3e:75:fe:ac:bf:81:d4:dd:8c:6d:18:0f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.161.100' (ECDSA) to the list of known hosts.
[email protected]'s password:
Last login: Mon Jan 7 06:19:18 2019 from 192.168.161.1
[root@cy ~]#
以其他使用者身份在標明主機上連接配接到遠端<code>shell</code>
[root@cygames ~]# ssh [email protected]
[email protected]'s password:
[chen@cy ~]$
以遠端使用者身份(remoteuser)在遠端主機(remotehost)上通過将輸出傳回到本地顯示器的方式來執行單一指令
[root@cygames ~]# ssh 192.168.161.100 '/usr/sbin/ip a s ens33'
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:d9:31:5f brd ff:ff:ff:ff:ff:ff
inet 192.168.161.100/24 brd 192.168.161.255 scope global ens33
valid_lft forever preferred_lft forever
inet6 fe80::7c5f:bec9:7ecd:41f7/64 scope link
ssh通過公鑰加密的方式保持通信安全。當某一ssh用戶端連接配接到ssh伺服器時,在該用戶端登入之前,伺服器會向其發送公鑰副本。這可用于為通信管道設定安全加密,并可驗證用戶端的伺服器。
使用者第一次使用ssh連接配接到特定伺服器時,ssh指令可在使用者的~/.ssh/known_hosts檔案中存儲該伺服器的公鑰。在此之後每當使用者進行連接配接時,用戶端都會通過對比~/.ssh/known_hosts檔案中的伺服器條目和伺服器發送的公鑰,確定從伺服器獲得相同的公鑰。如果公鑰不比對,用戶端會假定網絡通信已遭劫持或伺服器已被***,并且中斷連接配接。
這意味着,如果伺服器的公鑰發生更改(由于硬碟出現故障導緻公鑰丢失,或者出于某些正當理由替換公鑰),使用者則需要更新其~/.ssh/known_hosts檔案并删除舊的條目才能夠進行登入。
root@cy ~]# cat ~/.ssh/known_hosts
192.168.161.177 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMLHizRSDpHB+WORU4Qbdd8lghQeQzfzyGTvZU5oSthAvok9O97yRN4Hmt8y3WhGrfdfLbZlrcd/I+xmn1b025s=
[root@cy ~]# ls /etc/ssh/key
/etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ed25519_key.pub
/etc/ssh/ssh_host_ecdsa_key.pub /etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_ed25519_key /etc/ssh/ssh_host_rsa_key.pub
[root@cygames ~]# ssh-keygen -t rsa //使用 ssh-keygen 建立公鑰-私鑰對
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:EDJOascdlJi/8SYKzeWJDyGGGaSQqou937JUFa8y5zM root@cygames
The key's randomart image is:
+---[RSA 2048]----+
|oo +++.. |
|= =o+.o o |
|o+o +.o . . |
|+.o.. +o . |
|.. + =+=S |
|. . =.==o |
|.o ..+ oE |
|o ..o.. o |
| .ooo. |
+----[SHA256]-----+
[root@cygames ~]# ssh-copy-id [email protected] //使用 ssh-copy-id 将公鑰複制到遠端系統上的正确位置
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.
[root@cygames ~]# ssh 192.168.161.100 //無需指令直接登入
Last login: Mon Jan 7 06:26:35 2019