ssh,公鑰和私鑰,遠程復制
1.openssh
是一個提供遠程訪問控制的軟件
2.ssh 遠程主機用戶@遠程主機ip地址
ssh root@172.25.254.1
The authenticity of host '172.25.254.1 (172.25.254.1)' can't be established.
ECDSA key fingerprint is 55:dd:43:ce:bf:94:dd:91:49:e7:97:29:63:3d:02:02.
Are you sure you want to continue connecting (yes/no)? yes ##建立安全傳輸key
root@172.25.254.1's password: ##密碼輸入沒有回顯
Last failed login: Sun Oct 11 16:56:29 CST 2015 from 172.25.254.206 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Sun Oct 11 16:55:46 2015 from 172.25.254.206
[root@foundation1 ~]# ###登陸成功
ctrl +d |logout ###退出
[root@foundation1 ~]# logout
Connection to 172.25.254.1 closed.
3.ssh的key認證
#######生成key###########
[test@foundation0 ~]$ ssh-keygen ###生成公鑰和私鑰的工具
Generating public/private rsa key pair.
Enter file in which to save the key (/home/test/.ssh/id_rsa):『enter』 ###指定加密字符保存文件,使用默認
Created directory '/home/test/.ssh'.
Enter passphrase (empty for no passphrase): ###密碼,必須大於4位
Enter same passphrase again:
Your identification has been saved in /home/test/.ssh/id_rsa.
Your public key has been saved in /home/test/.ssh/id_rsa.pub. ###確認密碼
a5:4f:02:51:68:59:f4:e8:e3:c5:91:1f:6f:86:99:06 test@foundation0.ilt.example.com
key's randomart image is:
+--[ RSA 2048]----+
| .*+ |
| +. o . |
| .. . E . |
| o + + * |
| S + * + |
| . * . o |
| . . |
| |
+-----------------+
[test@foundation0 .ssh]$ pwd
/home/test/.ssh ###生成密鑰存放位置
[test@foundation0 .ssh]$ ls
id_rsa id_rsa.pub ####id_rsa位私鑰,id_rsa.pub位公鑰
#####################使用key加密目標主機的目標用戶############
[test@foundation0 ~]$ ssh-copy-id -i /home/test/.ssh/id_rsa.pub westos@172.25.254.100
The authenticity of host '172.25.254.100 (172.25.254.100)' can't be established.
ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
westos@172.25.254.100's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'westos@172.25.254.100'"
and check to make sure that only the key(s) you wanted were added.
ssh-copy-id ####上傳key的工具
-i ####指定使用的公鑰
/home/test/.ssh/id_rsa.pub #####使用公鑰的名稱
westos ####被管理的目標用戶
172.25.254.100 ####被管理用戶所在主機的ip
authorized_keys ###此文件在目標用戶加目錄的.ssh中,這個文件就是目標用戶被加密的標識,文件內容位公鑰內容。
然后如果指定讓哪個主機的哪個用戶登錄,就將 id_rsa(私鑰,鑰匙)傳給那個主機的用戶的.ssh下(前提是已經存在這個目錄了)
scp id_rsa student@172.25.254.101:/home/student/.ssh/,之后[test@foundation0 .ssh]$ pwd
/home/test/.ssh ###生成密鑰存放位置
[test@foundation0 .ssh]$ ls
id_rsa id_rsa.pub ####id_rsa位私鑰,id_rsa.pub位公鑰
#####################使用key加密目標主機的目標用戶############
[test@foundation0 ~]$ ssh-copy-id -i /home/test/.ssh/id_rsa.pub westos@172.25.254.100
The authenticity of host '172.25.254.100 (172.25.254.100)' can't be established.
ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
westos@172.25.254.100's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'westos@172.25.254.100'"
and check to make sure that only the key(s) you wanted were added.
ssh-copy-id ####上傳key的工具
-i ####指定使用的公鑰
/home/test/.ssh/id_rsa.pub #####使用公鑰的名稱
westos ####被管理的目標用戶
172.25.254.100 ####被管理用戶所在主機的ip
authorized_keys ###此文件在目標用戶加目錄的.ssh中,這個文件就是目標用戶被加密的標識,文件內容位公鑰內容。
vimdiff authorized_keys id_rsa.pub 比較這兩個文件有什么不同
如果讓指定的某台主機能訪問將id_rsa文件發送到給該主機的家目錄的.ssh下就好:
scp id_rsa student@172.25.254.101:/home/student/Desktop
然后172.25.254.101這台主機的student用戶就可以訪問被加密的用戶了
生成密鑰的用戶不一定是被加密的用戶,可以在客戶端生成公私鑰遠程給某個用戶加密上鎖
sshd服務的簡單配置
vim /etc/ssh/sshd_config ###sshd服務的配置文件
48 PermitRootLogin yes|no ###是否允許root用戶通過sshd的認證
78 PasswordAuthentication yes|no ###開啟或關閉用戶密碼認證
AllowUsers student westos ###用戶白名單,只允許在名單中出現的用戶使用sshd服務
systemctl restart sshd ###從新加載配置
在服務端更改/etc/ssh/sshd_config可以禁止root登錄,可以配置可登錄的用戶westos,然后在有密鑰的客戶端必須用ssh westos@172..... 才能登錄,是敲的命令必須是westos@。。。
######################遠程文件傳輸#####################
scp ##遠程復制
scp file user@ip:/directory ##上傳文件
scp -r dir user@ip:/directory ##長傳目錄
scp user@ip:/filename /direcotry ##下載文件
scp -r user@ip:/directory /direcotry ##下載目錄
rsync ###遠程同步(把文件歸檔,傳輸速度更快)
rsync file|direcotry user@ip:/directory
rsync user@ip:/directory /directory
-r ##同步目錄
-l ##不忽略鏈接
-p ##不忽略特殊權限
-t ##不忽略時間戳
-g ##不忽略組信息
-o ##不忽略用戶信息
-D ##不忽略設備文件
注意傳輸的原目錄后如果不帶/,是傳輸復制該目錄下的子目錄和文件不包含目錄本身,
帶/,則包含目錄下的子文件與目錄
sftp
2.ssh 遠程主機用戶@遠程主機ip地址
ssh root@172.25.254.1
The authenticity of host '172.25.254.1 (172.25.254.1)' can't be established.
ECDSA key fingerprint is 55:dd:43:ce:bf:94:dd:91:49:e7:97:29:63:3d:02:02.
Are you sure you want to continue connecting (yes/no)? yes ##建立安全傳輸key
root@172.25.254.1's password: ##密碼輸入沒有回顯
Last failed login: Sun Oct 11 16:56:29 CST 2015 from 172.25.254.206 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Sun Oct 11 16:55:46 2015 from 172.25.254.206
[root@foundation1 ~]# ###登陸成功
ctrl +d |logout ###退出
[root@foundation1 ~]# logout
Connection to 172.25.254.1 closed.
3.ssh的key認證
#######生成key###########
[test@foundation0 ~]$ ssh-keygen ###生成公鑰和私鑰的工具
Generating public/private rsa key pair.
Enter file in which to save the key (/home/test/.ssh/id_rsa):『enter』 ###指定加密字符保存文件,使用默認
Created directory '/home/test/.ssh'.
Enter passphrase (empty for no passphrase): ###密碼,必須大於4位
Enter same passphrase again:
Your identification has been saved in /home/test/.ssh/id_rsa.
Your public key has been saved in /home/test/.ssh/id_rsa.pub. ###確認密碼
a5:4f:02:51:68:59:f4:e8:e3:c5:91:1f:6f:86:99:06 test@foundation0.ilt.example.com
key's randomart image is:
+--[ RSA 2048]----+
| .*+ |
| +. o . |
| .. . E . |
| o + + * |
| S + * + |
| . * . o |
| . . |
| |
+-----------------+
[test@foundation0 .ssh]$ pwd
/home/test/.ssh ###生成密鑰存放位置
[test@foundation0 .ssh]$ ls
id_rsa id_rsa.pub ####id_rsa位私鑰,id_rsa.pub位公鑰
#####################使用key加密目標主機的目標用戶############
[test@foundation0 ~]$ ssh-copy-id -i /home/test/.ssh/id_rsa.pub westos@172.25.254.100
The authenticity of host '172.25.254.100 (172.25.254.100)' can't be established.
ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
westos@172.25.254.100's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'westos@172.25.254.100'"
and check to make sure that only the key(s) you wanted were added.
ssh-copy-id ####上傳key的工具
-i ####指定使用的公鑰
/home/test/.ssh/id_rsa.pub #####使用公鑰的名稱
westos ####被管理的目標用戶
172.25.254.100 ####被管理用戶所在主機的ip
authorized_keys ###此文件在目標用戶加目錄的.ssh中,這個文件就是目標用戶被加密的標識,文件內容位公鑰內容。
然后如果指定讓哪個主機的哪個用戶登錄,就將 id_rsa(私鑰,鑰匙)傳給那個主機的用戶的.ssh下(前提是已經存在這個目錄了)
scp id_rsa student@172.25.254.101:/home/student/.ssh/,之后[test@foundation0 .ssh]$ pwd
/home/test/.ssh ###生成密鑰存放位置
[test@foundation0 .ssh]$ ls
id_rsa id_rsa.pub ####id_rsa位私鑰,id_rsa.pub位公鑰
#####################使用key加密目標主機的目標用戶############
[test@foundation0 ~]$ ssh-copy-id -i /home/test/.ssh/id_rsa.pub westos@172.25.254.100
The authenticity of host '172.25.254.100 (172.25.254.100)' can't be established.
ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
westos@172.25.254.100's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'westos@172.25.254.100'"
and check to make sure that only the key(s) you wanted were added.
ssh-copy-id ####上傳key的工具
-i ####指定使用的公鑰
/home/test/.ssh/id_rsa.pub #####使用公鑰的名稱
westos ####被管理的目標用戶
172.25.254.100 ####被管理用戶所在主機的ip
authorized_keys ###此文件在目標用戶加目錄的.ssh中,這個文件就是目標用戶被加密的標識,文件內容位公鑰內容。
vimdiff authorized_keys id_rsa.pub 比較這兩個文件有什么不同
如果讓指定的某台主機能訪問將id_rsa文件發送到給該主機的家目錄的.ssh下就好:
scp id_rsa student@172.25.254.101:/home/student/Desktop
然后172.25.254.101這台主機的student用戶就可以訪問被加密的用戶了
生成密鑰的用戶不一定是被加密的用戶,可以在客戶端生成公私鑰遠程給某個用戶加密上鎖
sshd服務的簡單配置
vim /etc/ssh/sshd_config ###sshd服務的配置文件
48 PermitRootLogin yes|no ###是否允許root用戶通過sshd的認證
78 PasswordAuthentication yes|no ###開啟或關閉用戶密碼認證
AllowUsers student westos ###用戶白名單,只允許在名單中出現的用戶使用sshd服務
systemctl restart sshd ###從新加載配置
在服務端更改/etc/ssh/sshd_config可以禁止root登錄,可以配置可登錄的用戶westos,然后在有密鑰的客戶端必須用ssh westos@172..... 才能登錄,是敲的命令必須是westos@。。。
######################遠程文件傳輸#####################
scp ##遠程復制
scp file user@ip:/directory ##上傳文件
scp -r dir user@ip:/directory ##長傳目錄
scp user@ip:/filename /direcotry ##下載文件
scp -r user@ip:/directory /direcotry ##下載目錄
rsync ###遠程同步(把文件歸檔,傳輸速度更快)
rsync file|direcotry user@ip:/directory
rsync user@ip:/directory /directory
-r ##同步目錄
-l ##不忽略鏈接
-p ##不忽略特殊權限
-t ##不忽略時間戳
-g ##不忽略組信息
-o ##不忽略用戶信息
-D ##不忽略設備文件
注意傳輸的原目錄后如果不帶/,是傳輸復制該目錄下的子目錄和文件不包含目錄本身,
帶/,則包含目錄下的子文件與目錄
sftp