SSH Service

I. Introduction to the SSH service

SSH is short for Secure Shell Protocol and was defined by the IETF Network Working Group. Before any data is transmitted, SSH encrypts the connection's packets, and only the encrypted data goes on the wire, which protects the data in transit.

SSH is a security protocol built for remote login sessions and other network services. Using SSH prevents information leakage during remote administration; in today's production environments the vast majority of companies use SSH in place of traditional, insecure remote-access software such as telnet.

SSH service functions:

a. A telnet-like remote login service

b. An FTP-like sftp-server that transfers data over the SSH protocol, giving a more secure SFTP service

Special note:

  The SSH client (the ssh command) also ships with a very useful secure remote copy command, scp, which likewise works over the SSH protocol.

Summary:

1. SSH is a secure, encrypted protocol for connecting to servers remotely.

2. The default port is 22; the secure protocol version is SSH-2.

3. The server side provides two main functions: ssh remote login and the SFTP service.

4. The ssh client package includes the ssh login command, the scp remote copy command, and others.

SSH service structure:

The SSH service consists of the server software OpenSSH and a client (common ones are the ssh command, SecureCRT, Xshell and PuTTY). The service listens on port 22 by default. There are two mutually incompatible protocol versions, 1.x and 2.x. SSH-1 has known cryptographic weaknesses; it is disabled in the sshd_config shown below (Protocol 2) and has been removed from the server in OpenSSH 7.4 and later, so only SSH-2 should be used.

[root@backup ~]# rpm -qa openssh
openssh-5.3p1-104.el6.x86_64
[root@backup ~]# rpm -qa openssh openssl
openssh-5.3p1-104.el6.x86_64
openssl-1.0.1e-30.el6.x86_64
[root@backup ~]# ps -ef|grep sshd
root     2244     1  0 Jul22 ?        00:00:01 /usr/sbin/sshd
root    13819  2244  0 19:16 ?        00:00:01 sshd: root@pts/0
root    14672 13822  0 21:44 pts/0    00:00:00 grep sshd
[root@backup ~]# chkconfig --list sshd
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off

SSH host key types

The host keys sshd uses are configured in /etc/ssh/sshd_config:

# HostKey for protocol version 1          (protocol 1 supports only an RSA key)
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2         (protocol 2 supports RSA and DSA keys)
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

[root@backup ~]# grep ServerKey /etc/ssh/sshd_config
#ServerKeyBits 1024

(ServerKeyBits only concerns the ephemeral server key of protocol 1 and is irrelevant once Protocol 2 is set.)

[root@backup ~]# ll ~/.ssh/
total 4
-rw-r--r-- 1 root root 395 Mar 28 19:11 known_hosts
[root@backup ~]# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:0C:29:E4:F6:3F
          inet addr:192.168.0.114  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fee4:f63f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2318994 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1511463 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1781734365 (1.6 GiB)  TX bytes:416486786 (397.1 MiB)
[root@backup ~]# ifconfig eth0|sed -rn 's#^.*dr:(.*)  Bc.*$#\1#gp'
192.168.0.114

A quick explanation of that sed command:

1. The -rn options

-r makes sed use extended regular expressions (ERE). BRE, ERE and PCRE are different regex dialects that write the metacharacters differently; look them up if you are curious. With -r the parentheses in the pattern need no escaping, whereas without it they would have to be written as \( \).

-n suppresses automatic printing of the pattern space, so only lines that match and reach the p command are printed.

2. The parentheses capture the matched IP address so that \1 in the replacement can refer to it. In the "s#source#replacement#" form the source may contain several parenthesised groups; the first is \1 in the replacement, the second \2, and so on. Only the "inet addr:" line contains two spaces followed by "Bc", so the "inet6 addr:" line does not match.

II. SSH authentication types

Seen from the SSH client, the service offers two levels of authentication:

1. Password-based authentication

[root@NFS ~]# ls -l ~/.ssh
[root@NFS ~]#
[root@NFS ~]# ssh -p22 sshtest@192.168.0.131
sshtest@192.168.0.131's password:
welcome to oldboy linux training from /etc/profile.d
[sshtest@oldboy ~]$ ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:0C:29:21:B6:B1
          inet addr:192.168.0.131  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe21:b6b1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1446978 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1946787 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:408128388 (389.2 MiB)  TX bytes:1248347837 (1.1 GiB)
[root@NFS ~]# ls -l ~/.ssh
total 4
-rw-r--r-- 1 root root 790 Jul 24 22:05 known_hosts
[root@NFS ~]# cat ~/.ssh/known_hosts
192.168.0.131 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAr3aG1hPNk0pRhTVWM4ECI4HFLwriYGfw9sTIZtYAfdzJXnQD5dMrTUP0p4TgQ6k9rj/tCpbRHqIVOWI0i8R3z8N/jgZYtDs5h0YDRtM0iIgNRsKD3xJa4E+Vab1JMvbASPH9YKaJ13KprWnWat+OXAjiDHwi41tMphAnWNhPXCwaKuqMcsejPk3TmOemrfCt3XzFX34dGTLsVYYB4pn8Psu+phR+FQyiajDDGQaVVDGuKwgdd7JTs0P0WOEkV8ENX6dcDWvEB6KGCmBcQnXE0E0hxjiG+J1QrX2ODzMei8fI1h9ZXgM6hEqJSlsA6iVRhCFDsPuzXYdQ/J19OqpVDw==

The known_hosts file records the public host key of every server this client has connected to. On the first connection the client can only show the key's fingerprint and ask whether to trust it; on every later connection it compares the key the server presents with this record and aborts with a warning if they differ. That comparison is the only protection against a man-in-the-middle, so the fingerprint shown at first connection should be checked against one obtained out of band (for example, ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub run on the server's console).

2. Key-pair-based authentication

Key-based authentication is set up differently for Windows clients and Linux clients. It is covered in section VIII.

III. Starting the SSH service

[root@NFS ~]# rpm -qa|egrep "openssl|openssh"|sort                #list the packages related to the SSH service
openssh-5.3p1-104.el6.x86_64
openssl098e-0.9.8e-18.el6_5.2.x86_64
openssl-1.0.1e-30.el6.x86_64
[root@NFS ~]# chkconfig --list sshd                               #check whether sshd starts at boot
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
[root@NFS ~]# ll /etc/ssh/sshd_config
-rw-------. 1 root root 3879 Oct 15  2014 /etc/ssh/sshd_config  #SSH server configuration file
[root@NFS ~]# ll /etc/ssh/ssh_config
-rw-r--r--. 1 root root 2047 Oct 15  2014 /etc/ssh/ssh_config   #SSH client configuration file
[root@NFS ~]# less /etc/ssh/ssh_config
#	$OpenBSD: ssh_config,v 1.25 2009/02/17 01:28:32 djm Exp $

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
[root@NFS ~]#
[root@NFS ~]# less /etc/ssh/sshd_config
#	$OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
[root@NFS ~]# netstat -tunlp|grep 22  #check whether sshd is running, method one
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1052/sshd
tcp        0      0 :::22                       :::*                        LISTEN      1052/sshd
[root@NFS ~]# lsof -i:22              #check whether sshd is running, method two
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd    1052 root    3u  IPv4  9891      0t0  TCP *:ssh (LISTEN)
sshd    1052 root    4u  IPv6  9893      0t0  TCP *:ssh (LISTEN)
sshd    6597 root    3r  IPv4 28879      0t0  TCP 192.168.0.113:ssh->192.168.0.104:49230 (ESTABLISHED)
sshd   10253 root    3r  IPv4 36283      0t0  TCP 192.168.0.113:ssh->192.168.0.103:49898 (ESTABLISHED)

(grep 22 also matches any other port or PID that happens to contain "22"; grep sshd or grep -w ":22" is more precise.)

IV. Changing the default SSH login configuration (security hardening)

The service's runtime parameters are changed by editing the configuration file /etc/ssh/sshd_config. Back it up first:

[root@NFS ~]# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.ori

[root@NFS ~]# vi /etc/ssh/sshd_config

The file as shipped (abridged to the lines visible in the editor, with wrapped lines rejoined):

#	$OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#GSSAPIKeyExchange no

# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server

Append the following at the end of the file, then save and quit. The text after # on each line below is an annotation for this page: do not type it into sshd_config, because sshd in this release does not accept trailing text after a value and refuses to start ("garbage at end of line").

Port 52113                 #change the default port to raise the bar a little (this is obscurity only, not a substitute for the settings below)
PermitRootLogin no         #everyone, attackers included, knows the root account exists; forbid direct remote root login
PermitEmptyPasswords no    #forbid logins with an empty password
UseDNS no                  #do not reverse-resolve client addresses (faster connection setup)

#GSSAPI options
GSSAPIAuthentication no    #speeds up SSH connection setup
~
"/etc/ssh/sshd_config" 146L, 4035C written

Two things to keep in mind when appending settings like this: sshd uses the first value it finds for a keyword, so an appended line is ignored if the same keyword is already set (uncommented) earlier in the file (PasswordAuthentication yes above is such a line), and any line appended after an uncommented Match block belongs to that block rather than to the global configuration. Check the file with sshd -t before restarting.

http://oldboy.blog.51cto.com/2561410/1300964
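The edit above appends its settings to the end of the file, which only works because the matching default lines are still commented out. As an added example that is not part of the original page, the following Python script (standard library only) computes the values sshd would actually use from a configuration text, applying the first-match-wins rule from sshd_config(5), and checks them against the hardening values this section recommends. SAMPLE_CONFIG is constructed for the example: the uncommented CentOS 6 defaults shown above plus the appended block, with one extra appended line (PasswordAuthentication no) that is silently ignored because PasswordAuthentication yes already appears earlier; HARDENED_CONFIG is the corrected form with each setting edited in place. The POLICY table and the finding texts are this example's own choices.

```python
# Added example, not part of the original page: compute the settings sshd
# actually applies from an sshd_config and audit them.  sshd_config(5):
# "For each keyword, the first obtained value will be used", so a line
# appended at the end is ignored when the same keyword is already set
# (uncommented) earlier, and lines after an uncommented "Match" belong to
# that Match block, not to the global section.  Standard library only.
import sys

# Hardening values recommended in this section (keywords are case-insensitive).
POLICY = {
    "protocol": "2",
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
    "usedns": "no",
    "gssapiauthentication": "no",
}

# Constructed sample: the uncommented CentOS 6 defaults shown above, the block
# this page appends, plus one extra appended line (PasswordAuthentication no)
# that sshd ignores because PasswordAuthentication yes comes first.
SAMPLE_CONFIG = """\
#Port 22
Protocol 2
SyslogFacility AUTHPRIV
#PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
X11Forwarding yes
Subsystem       sftp    /usr/libexec/openssh/sftp-server
#Match User anoncvs
#       X11Forwarding no
Port 52113
PermitRootLogin no
PermitEmptyPasswords no
UseDNS no
GSSAPIAuthentication no
PasswordAuthentication no
"""

# Corrected form: the same intent, but each setting edited in place.
HARDENED_CONFIG = """\
Port 52113
Protocol 2
SyslogFacility AUTHPRIV
PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication no
GSSAPICleanupCredentials yes
UsePAM yes
UseDNS no
X11Forwarding yes
Subsystem       sftp    /usr/libexec/openssh/sftp-server
"""


def parse_directives(text):
    """Yield (lineno, keyword, value, in_match) for every directive.
    Blank lines and lines whose first non-blank character is '#' are skipped.
    Keywords are lower-cased; 'Key value' and 'Key=value' are both accepted."""
    in_match = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            in_match = True          # everything from here on is conditional
        yield lineno, keyword, value, in_match


def effective_settings(text):
    """{keyword: (value, lineno)} for the global section; the first value wins."""
    settings = {}
    for lineno, keyword, value, in_match in parse_directives(text):
        if in_match:
            continue
        settings.setdefault(keyword, (value, lineno))
    return settings


def audit(text, policy=POLICY):
    """Return findings: later duplicates that sshd ignores, then policy gaps."""
    findings = []
    effective = effective_settings(text)
    for lineno, keyword, value, in_match in parse_directives(text):
        if in_match:
            continue
        first_value, first_line = effective[keyword]
        if lineno != first_line and value != first_value:
            findings.append("line %d: %s %s is ignored; line %d already sets %s %s"
                            % (lineno, keyword, value, first_line, keyword, first_value))
    for keyword, wanted in policy.items():
        got = effective.get(keyword, (None, None))[0]
        if got is None:
            findings.append("%s is not set (the compiled-in default applies)" % keyword)
        elif got.lower() != wanted:
            findings.append("%s is %s, policy wants %s" % (keyword, got, wanted))
    return findings


if __name__ == "__main__":
    # With a path argument, audit that file; otherwise audit the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for finding in audit(text) or ["no findings"]:
        print(finding)
```

Run against the sample it reports that the appended GSSAPIAuthentication no and PasswordAuthentication no lines are ignored and that GSSAPIAuthentication is therefore still yes; run against the hardened text it reports nothing. Pointing it at /etc/ssh/sshd_config is a cheap check to do before sshd -t and the restart.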

[root@NFS ~]# /etc/init.d/sshd restart        #restart the ssh service
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]
[root@NFS ~]# nmap www.baidu.com -p 1-65535   #nmap is not installed yet (and the target here should be the local host, not an external site you do not own)
-bash: nmap: command not found
[root@NFS ~]# yum -y install nmap              #install the port scanner
Loaded plugins: fastestmirror, security
Setting up Install Process
Determining fastest mirrors
 * base: mirrors.sina.cn
 * extras: mirrors.btte.net
 * updates: mirrors.sina.cn
base                           | 3.7 kB     00:00
extras                         | 3.4 kB     00:00
extras/primary_db              |  31 kB     00:00
updates                        | 3.4 kB     00:00
updates/primary_db             | 4.4 MB     00:10
Resolving Dependencies
--> Running transaction check
---> Package nmap.x86_64 2:5.51-4.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

======================================================
 Package   Arch       Version           Repository   Size
======================================================
Installing:
 nmap      x86_64     2:5.51-4.el6      base        2.8 M

Transaction Summary
======================================================
Install       1 Package(s)

Total download size: 2.8 M
Installed size: 9.7 M
Downloading Packages:
nmap-5.51-4.el6.x86_64.rpm     | 2.8 MB     00:06
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : 2:nmap-5.51-4.el6.x86_64           1/1
  Verifying  : 2:nmap-5.51-4.el6.x86_64           1/1

Installed:
  nmap.x86_64 2:5.51-4.el6

Complete!
[root@NFS ~]# nmap 192.168.0.113 -p 1-65535       #scan the open ports of the local host

Starting Nmap 5.51 ( http://nmap.org ) at 2015-07-24 23:23 CST
Nmap scan report for 192.168.0.113
Host is up (0.0000040s latency).
Not shown: 65526 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
111/tcp   open  rpcbind
875/tcp   open  unknown
2049/tcp  open  nfs
33561/tcp open  unknown
45357/tcp open  unknown
52360/tcp open  unknown
53647/tcp open  unknown
54877/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.65 seconds

Note what the scan actually says: sshd is still listening on 22 and nothing is listening on 52113, so the Port change had not taken effect on this host when the scan ran (the connection attempt to port 52113 further down is refused for the same reason). After changing Port, confirm the new listener with netstat -tunlp|grep sshd from the session you are working in, and only then close it, otherwise you can lock yourself out.

V. Connecting to the SSH service remotely

1. Connecting from a Linux client with ssh:

Basic ssh syntax

ssh -p22 sshtest@192.168.0.131
#-->basic syntax of the command that connects to a remote host over SSH
#-->-p (lower case) takes the port; -p22 can be omitted when the default port 22 is used
#-->the part before "@" is the user name, the part after it is the IP of the server to connect to; for more, see man ssh

a. Logging in to the remote host directly:

[root@NFS ~]# ssh -p22 sshtest@192.168.0.131
sshtest@192.168.0.131's password:
Last login: Fri Jul 24 22:25:59 2015 from 192.168.0.113
welcome to oldboy linux training from /etc/profile.d
[sshtest@oldboy ~]$ ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:21:B6:B1
          inet addr:192.168.0.131  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe21:b6b1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1449144 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1952746 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:408356613 (389.4 MiB)  TX bytes:1248748377 (1.1 GiB)

eth0:1    Link encap:Ethernet  HWaddr 00:0C:29:21:B6:B1
          inet addr:192.168.0.150  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:1233 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1233 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:127384 (124.3 KiB)  TX bytes:127384 (124.3 KiB)

[root@oldboy ~]# ssh root@192.168.0.113
The authenticity of host '192.168.0.113 (192.168.0.113)' can't be established.
RSA key fingerprint is 85:83:52:21:20:dd:4a:7c:3c:df:ec:5a:de:a0:b4:82.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.113' (RSA) to the list of known hosts.
root@192.168.0.113's password:
Last login: Sat Jul 25 14:20:45 2015 from 192.168.0.104
welcome to oldboy linux training from /etc/profile.d
[root@NFS ~]#
[root@NFS ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:3C:A9:18
          inet addr:192.168.0.113  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe3c:a918/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:57014 errors:0 dropped:0 overruns:0 frame:0
          TX packets:67410 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:34403157 (32.8 MiB)  TX bytes:17167386 (16.3 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:132318 errors:0 dropped:0 overruns:0 frame:0
          TX packets:132318 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:5606236 (5.3 MiB)  TX bytes:5606236 (5.3 MiB)
[root@oldboy ~]# ssh root@192.168.0.113
root@192.168.0.113's password:
Permission denied, please try again.
root@192.168.0.113's password:
Permission denied, please try again.
root@192.168.0.113's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).   #wrong password three times; the list in parentheses is the set of authentication methods the server still offers
[root@oldboy ~]# ssh -p52113 root@192.168.0.113
ssh: connect to host 192.168.0.113 port 52113: Connection refused   #"Connection refused" means nothing is listening on that TCP port at that address: wrong port, wrong IP, or the service is not running. A wrong user name or password never produces this message; it produces "Permission denied" as above.

b. Running a command on the remote host without logging in

[root@oldboy ~]# ssh -p52113 root@192.168.0.113
ssh: connect to host 192.168.0.113 port 52113: Connection refused
[root@oldboy ~]# ssh -p22 root@192.168.0.113 /sbin/ifconfig
root@192.168.0.113's password:
eth0      Link encap:Ethernet  HWaddr 00:0C:29:3C:A9:18
          inet addr:192.168.0.113  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe3c:a918/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:57277 errors:0 dropped:0 overruns:0 frame:0
          TX packets:67582 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:34430072 (32.8 MiB)  TX bytes:17187649 (16.3 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:132360 errors:0 dropped:0 overruns:0 frame:0
          TX packets:132360 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:5612182 (5.3 MiB)  TX bytes:5612182 (5.3 MiB)
[root@oldboy ~]# ssh -p22 root@192.168.0.113 /usr/bin/free -m
root@192.168.0.113's password:
             total       used       free     shared    buffers     cached
Mem:           988        415        572          0         41        274
-/+ buffers/cache:          99        888
Swap:         2047          0       2047
[root@oldboy ~]# cat ~/.ssh/known_hosts
192.168.0.113 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAr3aG1hPNk0pRhTVWM4ECI4HFLwriYGfw9sTIZtYAfdzJXnQD5dMrTUP0p4TgQ6k9rj/tCpbRHqIVOWI0i8R3z8N/jgZYtDs5h0YDRtM0iIgNRsKD3xJa4E+Vab1JMvbASPH9YKaJ13KprWnWat+OXAjiDHwi41tMphAnWNhPXCwaKuqMcsejPk3TmOemrfCt3XzFX34dGTLsVYYB4pn8Psu+phR+FQyiajDDGQaVVDGuKwgdd7JTs0P0WOEkV8ENX6dcDWvEB6KGCmBcQnXE0E0hxjiG+J1QrX2ODzMei8fI1h9ZXgM6hEqJSlsA6iVRhCFDsPuzXYdQ/J19OqpVDw==
[root@oldboy ~]# rm -f ~/.ssh/known_hosts
[root@oldboy ~]# ssh -p22 root@192.168.0.113 /usr/bin/free -m
The authenticity of host '192.168.0.113 (192.168.0.113)' can't be established.
RSA key fingerprint is 85:83:52:21:20:dd:4a:7c:3c:df:ec:5a:de:a0:b4:82.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.113' (RSA) to the list of known hosts.
root@192.168.0.113's password:
             total       used       free     shared    buffers     cached
Mem:           988        415        572          0         41        274
-/+ buffers/cache:          99        888
Swap:         2047          0       2047
[root@oldboy ~]#

Deleting ~/.ssh/known_hosts turns the next connection into a "first" connection again and throws away the recorded key of every host, which is exactly the protection the file provides. If one host's key has legitimately changed, remove only that entry (ssh-keygen -R 192.168.0.113) and verify the new fingerprint out of band before accepting it. Note also that the RSA fingerprint 85:83:52:... shown here for 192.168.0.113 is the same one shown later for 192.168.0.111 and 192.168.0.112, and the key recorded for 192.168.0.131 in section II is byte-for-byte identical: these lab machines were cloned from one image and share a host key, so known_hosts cannot tell them apart. Cloned hosts should get fresh host keys (remove /etc/ssh/ssh_host_*key* and restart sshd; the init script regenerates them).

[root@oldboy ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:21:B6:B1
          inet addr:192.168.0.131  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe21:b6b1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1450400 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1954594 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:408489734 (389.5 MiB)  TX bytes:1248906769 (1.1 GiB)

eth0:1    Link encap:Ethernet  HWaddr 00:0C:29:21:B6:B1
          inet addr:192.168.0.150  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:1233 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1233 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:127384 (124.3 KiB)  TX bytes:127384 (124.3 KiB)

Summary:

1. Switch to another machine: ssh -p22 user@ip; in general, ssh [-p port] [user@]hostname [command]

2. Run a command on another machine without switching to it: ssh -p22 user@ip command (give the command's full path, since the remote non-interactive shell may not have the same PATH)

3. On the first connection a key record is created locally in ~/.ssh/known_hosts (one entry per host; the file holds the keys of many hosts)
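Two things in sections II and V deserve a closer look: the known_hosts entries printed there, and the rm -f ~/.ssh/known_hosts followed by a blind "yes". As an added example that is not part of the original page, the following Python script (standard library only) parses known_hosts lines, decodes the ssh-rsa blob, computes both the legacy MD5 fingerprint this ssh client prints and the SHA256 form newer clients print, and reports hosts that present the same key. KNOWN_HOSTS holds the two entries from this page; the key parameters it reports (a 2048-bit modulus and public exponent 35) are decoded from that blob, and verify_fingerprint is the comparison you would make against a fingerprint obtained from the server's console.

```python
# Added example, not part of the original page: handle OpenSSH known_hosts
# entries the way the ssh client does at first connection.  Standard library only.
import base64
import hashlib
import struct

# The two known_hosts entries shown on this page, one per line.  Both hosts
# present the same ssh-rsa blob (the lab VMs were cloned from one image).
KNOWN_HOSTS = """\
192.168.0.131 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAr3aG1hPNk0pRhTVWM4ECI4HFLwriYGfw9sTIZtYAfdzJXnQD5dMrTUP0p4TgQ6k9rj/tCpbRHqIVOWI0i8R3z8N/jgZYtDs5h0YDRtM0iIgNRsKD3xJa4E+Vab1JMvbASPH9YKaJ13KprWnWat+OXAjiDHwi41tMphAnWNhPXCwaKuqMcsejPk3TmOemrfCt3XzFX34dGTLsVYYB4pn8Psu+phR+FQyiajDDGQaVVDGuKwgdd7JTs0P0WOEkV8ENX6dcDWvEB6KGCmBcQnXE0E0hxjiG+J1QrX2ODzMei8fI1h9ZXgM6hEqJSlsA6iVRhCFDsPuzXYdQ/J19OqpVDw==
192.168.0.113 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAr3aG1hPNk0pRhTVWM4ECI4HFLwriYGfw9sTIZtYAfdzJXnQD5dMrTUP0p4TgQ6k9rj/tCpbRHqIVOWI0i8R3z8N/jgZYtDs5h0YDRtM0iIgNRsKD3xJa4E+Vab1JMvbASPH9YKaJ13KprWnWat+OXAjiDHwi41tMphAnWNhPXCwaKuqMcsejPk3TmOemrfCt3XzFX34dGTLsVYYB4pn8Psu+phR+FQyiajDDGQaVVDGuKwgdd7JTs0P0WOEkV8ENX6dcDWvEB6KGCmBcQnXE0E0hxjiG+J1QrX2ODzMei8fI1h9ZXgM6hEqJSlsA6iVRhCFDsPuzXYdQ/J19OqpVDw==
"""


def parse_known_hosts(text):
    """Return [(hosts, keytype, raw_blob)] for each non-comment line.
    The host field may list several names separated by commas; hashed
    (|1|...) host fields are passed through unchanged."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("malformed known_hosts line: %r" % line)
        hosts, keytype, b64 = fields[0].split(","), fields[1], fields[2]
        entries.append((hosts, keytype, base64.b64decode(b64, validate=True)))
    return entries


def read_string(buf, off):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def rsa_params(raw):
    """Decode an ssh-rsa blob (string "ssh-rsa", mpint e, mpint n);
    return (e, modulus_bits)."""
    keytype, off = read_string(raw, 0)
    if keytype != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key: %r" % keytype)
    e_bytes, off = read_string(raw, off)
    n_bytes, off = read_string(raw, off)
    if off != len(raw):
        raise ValueError("trailing bytes after the modulus")
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big").bit_length()


def md5_fingerprint(raw):
    """Legacy colon-separated hex MD5 fingerprint, the form this page's client prints."""
    return ":".join("%02x" % b for b in hashlib.md5(raw).digest())


def sha256_fingerprint(raw):
    """Form printed by OpenSSH 6.8 and later: 'SHA256:' + unpadded base64 digest."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")


def verify_fingerprint(raw, expected):
    """True if the offered key matches a fingerprint obtained out of band, e.g.
    from 'ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub' on the server's console."""
    expected = expected.strip()
    if expected.startswith("SHA256:"):
        return sha256_fingerprint(raw) == expected
    return md5_fingerprint(raw) == expected.lower()


def duplicate_host_keys(text):
    """{fingerprint: sorted hosts} for every key presented by more than one host."""
    by_key = {}
    for hosts, _keytype, raw in parse_known_hosts(text):
        by_key.setdefault(sha256_fingerprint(raw), []).extend(hosts)
    return {fp: sorted(h) for fp, h in by_key.items() if len(h) > 1}


if __name__ == "__main__":
    for hosts, keytype, raw in parse_known_hosts(KNOWN_HOSTS):
        e, bits = rsa_params(raw)
        print("%s %s %d bits, e=%d" % (",".join(hosts), keytype, bits, e))
        print("  MD5    " + md5_fingerprint(raw))
        print("  SHA256 " + sha256_fingerprint(raw))
    for fp, hosts in duplicate_host_keys(KNOWN_HOSTS).items():
        print("WARNING: hosts %s present the same host key %s" % (", ".join(hosts), fp))
```

The fingerprint is a hash of the whole wire-format blob (type, exponent, modulus), which is why the same value appears in the prompt for every clone. Running duplicate_host_keys over a real ~/.ssh/known_hosts is a quick way to find cloned machines that never regenerated their host keys.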

VI. scp, the remote copy command shipped with the SSH client

1. Basic scp syntax

NAME
     scp - secure copy (remote file copy program)

Push:
scp -P22 -r -p /tmp/oldboy oldboy@10.0.0.143:/tmp
                source (local)   destination (remote)

Pull:
scp -P22 -rp root@10.0.0.7:/tmp/oldboy /opt/
            source (remote file or directory)   destination (local directory)

#-->scp copies files or directories to or from a remote host
#-->-P (upper case, unlike ssh's -p) takes the port; -P22 can be omitted when the default port 22 is used
#-->-r copies directories recursively
#-->-p preserves the modification times, access times and modes of the copied files
#-->/tmp/oldboy is the local directory; before "@" is the user name, after it the IP of the server, and :/tmp after the IP is the destination directory on the remote side
#-->-l limit caps the bandwidth scp uses, in Kbit/s

[root@oldboy ~]# scp -P22 /root/oldboy.log root@192.168.0.113:/tmp  #push
root@192.168.0.113's password:
oldboy.log                  100%    0     0.0KB/s   00:00
[root@oldboy ~]# ssh -p22 root@192.168.0.113 /bin/ls -l /tmp
root@192.168.0.113's password:
total 0
-rw-r--r-- 1 root root 0 Jul 25 15:27 oldboy.log
[root@NFS ~]# scp -P22 root@192.168.0.131:/root/a.log /tmp         #pull
root@192.168.0.131's password:
a.log                       100%  292     0.3KB/s   00:00
[root@NFS ~]# ll /tmp
total 4
-rw-r--r-- 1 root root 292 Jul 25 15:33 a.log
[root@oldboy ~]# scp -P22 -r /root root@192.168.0.113:/tmp  #copy the /root directory into /tmp on the remote host 192.168.0.113
root@192.168.0.113's password:
oldboy.log                  100%    0     0.0KB/s   00:00
known_hosts                 100%  395     0.4KB/s   00:00
ping.sh                     100%   33     0.0KB/s   00:00
tar.sh                      100%  160     0.2KB/s   00:00
.bash_profile               100%   34     0.0KB/s   00:00
a.log                       100%  292     0.3KB/s   00:00
/root/tools/mysql-5.6.23/mysql-test/mysql-test-run: No such file or directory
/root/tools/mysql-5.6.23/mysql-test/mtr: No such file or directory
/root/tools/mysql-5.6.23/libmysql/libmysqlclient.so: No such file or directory
/root/tools/mysql-5.6.23/libmysql/libmysqlclient_r.a: No such file or directory
/root/tools/mysql-5.6.23/libmysql/libmysqlclient_r.so: No such file or directory
/root/tools/mysql-5.6.23/libmysql/libmysqlclient_r.so.18.1.0: No such file or directory
/root/tools/mysql-5.6.23/libmysql/libmysqlclient_r.so.18: No such file or directory
/root/tools/mysql-5.6.23/libmysql/libmysqlclient.so.18: No such file or directory
.bash_history               100%   17KB  17.4KB/s   00:00
[root@oldboy ~]# ssh -p22 root@192.168.0.113 /bin/ls -l /tmp/
root@192.168.0.113's password:
total 8
-rw-r--r-- 1 root root  292 Jul 25 15:33 a.log
-rw-r--r-- 1 root root    0 Jul 25 15:27 oldboy.log
dr-xr-x--- 6 root root 4096 Jul 25 15:44 root

The "No such file or directory" messages are typical of dangling symbolic links in the source tree: scp -r follows symlinks encountered during traversal instead of copying them as links, so a link whose target is missing is reported and skipped. Also note that copying a whole home directory this way ships .bash_history and known_hosts along with everything else; be deliberate about what you push.

Summary:

     scp is an encrypted remote copy: it can push data from one machine to another, or pull data from another server back to the machine where the command runs. However, it always copies everything in full (rsync copies incrementally), so it is inefficient for repeated synchronisation.

VII. The sftp function that comes with the SSH service

As noted above, besides remote login the SSH service also provides a secure FTP-like function: file transfer over the encrypted SSH channel.

Tools for moving data between a Windows client and a Linux server:

1) rz, sz
2) WinSCP (e.g. WinSCP-v4.0.5)  <== based on SSH
3) SFX (Xshell)
4) SFTP  <== based on SSH, encrypted transfer
5) samba, http, ftp, NFS

a. Connecting to an sftp server from a Linux sftp client

[root@oldboy ~]# sftp -oPort=22 root@192.168.0.113    #-oPort= passes the port to the underlying ssh; it works on every OpenSSH release (the meaning of sftp's upper-case -P changed between releases)
Connecting to 192.168.0.113...
root@192.168.0.113's password:
sftp> ll
Invalid command.
sftp> ls -l
drwxr-xr-x    3 root     root         4096 Mar 26 20:57 tools
sftp> put a.txt                      #upload a file into root's home directory; a destination path may be given instead
Uploading a.txt to /root/a.txt
a.txt                       100%    0     0.0KB/s   00:00
sftp> ls -l
-rw-r--r--    1 root     root            0 Jul 25 16:36 a.txt
drwxr-xr-x    3 root     root         4096 Mar 26 20:57 tools
sftp> get ddd                        #download a file into the local current directory; a path may be given instead
Fetching /root/ddd to ddd
sftp> quit
[root@oldboy ~]# ll
total 16
-rw-r--r-- 1 root root  292 May 12 22:16 a.log
-rw-r--r-- 1 root root    0 Jul 25 16:16 a.txt
-rw-r--r-- 1 root root    0 Jul 25 16:37 ddd
drwxrwxr-x 7 1000 kl   4096 May 11 22:07 keepalived-1.2.7
-rw-r--r-- 1 root root    0 Jul 11 10:06 oldboy.log
drwxr-xr-x 3 root root 4096 Jul  5 20:58 server
drwxr-xr-x 4 root root 4096 May 11 22:07 tools
[root@oldboy ~]# sftp -oPort=22 root@192.168.0.113
Connecting to 192.168.0.113...
root@192.168.0.113's password:
sftp> put /etc/hosts /tmp
Uploading /etc/hosts to /tmp/hosts
/etc/hosts                  100%  108     0.1KB/s   00:00
sftp> quit
[root@NFS ~]# ll /tmp
total 12
-rw-r--r-- 1 root root  292 Jul 25 15:33 a.log
-rw-r--r-- 1 root root  108 Jul 25 16:42 hosts

The sftp service is provided by the Subsystem line in sshd_config. The effective (non-comment, non-blank) server configuration on the oldboy host, where the default sftp-server subsystem is enabled:

[root@oldboy ~]# egrep -v "^#|^$" /etc/ssh/sshd_config
Protocol 2
SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
X11Forwarding yes
Subsystem       sftp    /usr/libexec/openssh/sftp-server

VIII. SSH keys in production practice

1. Key-pair-based authentication (the key may belong to a different user on each side)

Key-based authentication is set up differently for Windows clients and Linux clients.

2. Production use cases for ssh

a. Distributing files or data in batch

1) Add the system account and set its password

[root@A ~]# useradd oldboy                    #add the oldboy user
[root@A ~]# id oldboy                         #check that the user was created
uid=501(oldboy) gid=501(oldboy) groups=501(oldboy)
[root@A ~]# echo 123456|passwd --stdin oldboy  #set the password non-interactively (lab only: a trivial password, and the command line lands in the shell history)
Changing password for user oldboy.
passwd: all authentication tokens updated successfully.

2) Create the key pair

[root@A ~]# su - oldboy
welcome to oldboy linux training from /etc/profile.d
[oldboy@A ~]$ whoami
oldboy
[oldboy@A ~]$ man ssh-keygen
SSH-KEYGEN(1)             BSD General Commands Manual            SSH-KEYGEN(1)

NAME
     ssh-keygen - authentication key generation, management and conversion

SYNOPSIS
     ssh-keygen [-q] [-b bits] -t type [-N new_passphrase] [-C comment] [-f output_keyfile]
     ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
     ssh-keygen -i [-f input_keyfile]
     ssh-keygen -e [-f input_keyfile]
     ssh-keygen -y [-f input_keyfile]
     ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]
     ssh-keygen -l [-f input_keyfile]
     ssh-keygen -B [-f input_keyfile]
     ssh-keygen -D pkcs11
     ssh-keygen -F hostname [-f known_hosts_file] [-l]
     ssh-keygen -H [-f known_hosts_file]
     ssh-keygen -R hostname [-f known_hosts_file]
     ssh-keygen -r hostname [-f input_keyfile] [-g]
     ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point]
     ssh-keygen -T output_file -f input_file [-v]

ssh-keygen -t dsa  #-t selects the key type; this creates a DSA key
ssh-keygen -t rsa  #creates an RSA key; RSA is the default when -t is omitted

The difference between rsa and dsa:

   RSA is an encryption algorithm.
   DSA is short for Digital Signature Algorithm.
   RSA can both encrypt and sign (and so authenticate); DSA can only sign, and is therefore usable only for authentication.

   A practical caveat: ssh-keygen's DSA keys are fixed at 1024 bits (see "DSA 1024" in the randomart header below), which is considered too weak today, and OpenSSH 7.0 and later refuse ssh-dss keys by default. On current systems generate an Ed25519 key (ssh-keygen -t ed25519) or an RSA key of at least 3072 bits (ssh-keygen -t rsa -b 3072), and give the private key a passphrase unless it is used by an unattended process.

[oldboy@A ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/oldboy/.ssh/id_dsa):   #press Enter to accept the default
Created directory '/home/oldboy/.ssh'.
Enter passphrase (empty for no passphrase):   #press Enter (no passphrase, because this key will be used unattended in the lab)
Enter same passphrase again:   #press Enter
Your identification has been saved in /home/oldboy/.ssh/id_dsa.
Your public key has been saved in /home/oldboy/.ssh/id_dsa.pub.
The key fingerprint is:
0e:99:ef:7f:2d:5c:36:88:79:09:7a:89:e0:d1:f7:fc oldboy@A
The key's randomart image is:
+--[ DSA 1024]----+
|                 |
|                 |
|        .        |
|       oo. o     |
|      .+oS+ B o  |
|       .+o = * + |
|         o. o = .|
|        .    + E |
|         .... .  |
+-----------------+
[oldboy@A ~]$ ll ~/ -al
total 24
drwx------  3 oldboy oldboy 4096 Jul 25 22:24 .
drwxr-xr-x. 3 root   root   4096 Jul 25 21:58 ..
-rw-r--r--  1 oldboy oldboy   18 Oct 16  2014 .bash_logout
-rw-r--r--  1 oldboy oldboy  176 Oct 16  2014 .bash_profile
-rw-r--r--  1 oldboy oldboy  124 Oct 16  2014 .bashrc
drwx------  2 oldboy oldboy 4096 Jul 25 22:25 .ssh
[oldboy@A ~]$ ll ~/.ssh
total 8
-rw------- 1 oldboy oldboy 672 Jul 25 22:25 id_dsa      #private key, mode 600, stays on this host; the private key is the key
-rw-r--r-- 1 oldboy oldboy 598 Jul 25 22:25 id_dsa.pub  #public key, mode 644, to be distributed to hosts B and C; the public key is the lock
[oldboy@A ~]$ ls -ld .ssh/
drwx------ 2 oldboy oldboy 4096 Jul 25 22:25 .ssh/

3) Check the ssh port on hosts B and C:

[root@B ~]# netstat -tunlp|grep ssh
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      915/sshd
tcp        0      0 :::22                       :::*                        LISTEN      915/sshd
[root@B ~]# su - oldboy
welcome to oldboy linux training from /etc/profile.d
[oldboy@B ~]$
[root@C ~]# netstat -tunlp|grep ssh
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      968/sshd
tcp        0      0 :::22                       :::*                        LISTEN      968/sshd
[root@C ~]# su - oldboy
welcome to oldboy linux training from /etc/profile.d
[oldboy@C ~]$

4) Push the public key to hosts B and C

[oldboy@A ~]$ man ssh-copy-id
SSH-COPY-ID(1)                                                 SSH-COPY-ID(1)

NAME
       ssh-copy-id - install your public key in a remote machine's authorized_keys

SYNOPSIS
       ssh-copy-id [-i [identity_file]] [user@]machine

DESCRIPTION
       ssh-copy-id is a script that uses ssh to log into a remote machine
       (presumably using a login password, so password authentication should
       be enabled, unless you've done some clever use of multiple identities).
       It also changes the permissions of the remote user's home, ~/.ssh, and
       ~/.ssh/authorized_keys to remove group writability (which would
       otherwise prevent you from logging in, if the remote sshd has
       StrictModes set in its configuration).  If the -i option is given then
       the identity file (defaults to ~/.ssh/id_rsa.pub) is used, regardless
       of whether there are any keys in your ssh-agent.  Otherwise, if this:
       ssh-add -L provides any output, it uses that in preference to the
       identity file.

[oldboy@A ~]$ ssh-copy-id -i .ssh/id_dsa.pub "-p 22 oldboy@192.168.0.111"  #push the public key to host C, method one
The authenticity of host '192.168.0.111 (192.168.0.111)' can't be established.
RSA key fingerprint is 85:83:52:21:20:dd:4a:7c:3c:df:ec:5a:de:a0:b4:82.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.111' (RSA) to the list of known hosts.
oldboy@192.168.0.111's password:
Now try logging into the machine, with "ssh '-p 22 oldboy@192.168.0.111'", and check in:

  .ssh/authorized_keys                    #this message means the public key was pushed successfully

to make sure we haven't added extra keys that you weren't expecting.

[oldboy@A ~]$

Method one works because this version of ssh-copy-id has no port option of its own: it passes its last argument to ssh unquoted ($1), so a quoted string containing "-p 22 host" is split by the shell into separate ssh arguments. Quote it exactly as shown. If the file given to -i does not end in .pub, the script appends .pub itself, so -i .ssh/id_dsa and -i .ssh/id_dsa.pub both install the public key.

[oldboy@A ~]$ which ssh-copy-id          #method two: edit the ssh-copy-id script so that ssh is called with the custom port
/usr/bin/ssh-copy-id
[oldboy@A ~]$ logout
[root@A ~]# vi /usr/bin/ssh-copy-id

ssh-copy-id is a short shell script (50 lines in this release). Its body, with the author's change applied to the ssh line and marked by a comment:

#!/bin/sh

# Shell script to install your public key on a remote machine
# Takes the remote machine name as an argument.
# Obviously, the remote machine must accept password authentication,
# or one of the other keys in your ssh-agent, for this to work.

ID_FILE="${HOME}/.ssh/id_rsa.pub"

if [ "-i" = "$1" ]; then
  shift
  # check if we have 2 parameters left, if so the first is the new ID file
  if [ -n "$2" ]; then
    if expr "$1" : ".*\.pub" > /dev/null ; then
      ID_FILE="$1"
    else
      ID_FILE="$1.pub"
    fi
    shift         # and this should leave $1 as the target name
  fi
else
  if [ x$SSH_AUTH_SOCK != x ] ; then
    GET_ID="$GET_ID ssh-add -L"
  fi
fi

if [ -z "`eval $GET_ID`" ] && [ -r "${ID_FILE}" ] ; then
  GET_ID="cat ${ID_FILE}"
fi

if [ -z "`eval $GET_ID`" ]; then
  echo "$0: ERROR: No identities found" >&2
  exit 1
fi

if [ "$#" -lt 1 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
  echo "Usage: $0 [-i [identity_file]] [user@]machine" >&2
  exit 1
fi

# The author's change: the custom port (-p <port>) is inserted between ssh and $1 on the next line.
{ eval "$GET_ID" ; } | ssh -p22 $1 "umask 077; test -d ~/.ssh || mkdir ~/.ssh ; cat >> ~/.ssh/authorized_keys && (test -x /sbin/restorecon && /sbin/restorecon ~/.ssh ~/.ssh/authorized_keys >/dev/null 2>&1 || true)" || exit 1

cat <<EOF
Now try logging into the machine, with "ssh '$1'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

EOF
"/usr/bin/ssh-copy-id" 50L, 1394C written

Editing a packaged script is fragile (the next openssh-clients update overwrites it) and hard-codes one port for every host. Method one, or a Host entry with a Port line in ~/.ssh/config (which ssh-copy-id honours because it simply calls ssh), achieves the same without touching the package.

[root@A ~]# su - oldboy
welcome to oldboy linux training from /etc/profile.d
[oldboy@A ~]$ ssh-copy-id -i .ssh/id_dsa.pub oldboy@192.168.0.112   #push the public key to host B
The authenticity of host '192.168.0.112 (192.168.0.112)' can't be established.
RSA key fingerprint is 85:83:52:21:20:dd:4a:7c:3c:df:ec:5a:de:a0:b4:82.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.112' (RSA) to the list of known hosts.
oldboy@192.168.0.112's password:
Now try logging into the machine, with "ssh 'oldboy@192.168.0.112'", and check in:

  .ssh/authorized_keys              #this message means the public key was pushed successfully

to make sure we haven't added extra keys that you weren't expecting.

[oldboy@B ~]$ whoami
oldboy
[oldboy@B ~]$ ll .ssh/
total 4
-rw------- 1 oldboy oldboy 598 Jul 25 22:59 authorized_keys
[oldboy@B ~]$
[oldboy@C ~]$ ll .ssh/
total 4
-rw------- 1 oldboy oldboy 598 Jul 25 22:47 authorized_keys
[oldboy@C ~]$

The 598 bytes match the size of id_dsa.pub on A exactly, so each authorized_keys holds precisely that one key. The umask 077 in the script gives the file mode 600 and the newly created .ssh directory mode 700, which is what sshd's StrictModes requires; a group- or world-writable home, .ssh or authorized_keys makes sshd ignore the key silently.

[oldboy@A ~]$ ssh -p22 oldboy@192.168.0.111
welcome to oldboy linux training from /etc/profile.d
[oldboy@C ~]$ ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:0C:29:C4:5E:59
          inet addr:192.168.0.111  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fec4:5e59/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:34573 errors:0 dropped:0 overruns:0 frame:0
          TX packets:37880 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:9934738 (9.4 MiB)  TX bytes:21723657 (20.7 MiB)
[oldboy@C ~]$
[oldboy@C ~]$ logout
Connection to 192.168.0.111 closed.
[oldboy@A ~]$ ssh -p22 oldboy@192.168.0.112
welcome to oldboy linux training from /etc/profile.d
[oldboy@B ~]$ ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:0C:29:26:9E:2B
          inet addr:192.168.0.112  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe26:9e2b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:46444 errors:0 dropped:0 overruns:0 frame:0
          TX packets:45611 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:26468622 (25.2 MiB)  TX bytes:32723825 (31.2 MiB)
[oldboy@B ~]$
[oldboy@B ~]$ logout
Connection to 192.168.0.112 closed.
[oldboy@A ~]$ ssh -p22 oldboy@192.168.0.112 /sbin/ifconfig eth0   # run one command on B without an interactive login
eth0      Link encap:Ethernet  HWaddr 00:0C:29:26:9E:2B
          inet addr:192.168.0.112  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe26:9e2b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:47192 errors:0 dropped:0 overruns:0 frame:0
          TX packets:46131 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:27062027 (25.8 MiB)  TX bytes:32975656 (31.4 MiB)
[oldboy@A ~]$
[oldboy@A ~]$ ssh -p22 oldboy@192.168.0.111 /sbin/ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:0C:29:C4:5E:59
          inet addr:192.168.0.111  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fec4:5e59/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:34789 errors:0 dropped:0 overruns:0 frame:0
          TX packets:38039 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:9957285 (9.4 MiB)  TX bytes:21738962 (20.7 MiB)

Note: a special case for ssh-copy-id
    If sshd has been moved to a non-default port, say 52113, the ssh-copy-id command shown above can no longer distribute the public key. To keep using ssh-copy-id there are two possible fixes:
    1. Command: ssh-copy-id -i .ssh/id_dsa.pub "-p 52113 oldboy@192.168.0.111"   # distribution to a non-default port; the quotes matter, because the script expands $1 unquoted into its ssh command line, so the port option and the target have to arrive as one argument
    2. Edit the script (vi /usr/bin/ssh-copy-id) and change line 41 as follows:
     41 { eval "$GET_ID" ; } | ssh -p22 $1 "umask 077; test -d ~/.ssh || mkdir ~/.ssh ; cat >> ~/.ssh/authorized_keys && (test -x /sbin/restorecon && /sbin/restorecon ~/.ssh ~/.ssh/authorized_keys >/dev/null 2>&1 || true)" || exit 1   # on line 41, insert your custom ssh port (-p PORT) between ssh and $1
    After the ssh-copy-id script has run successfully on the central distribution server A, the public key copied over from A (the "lock" file) is visible on B (192.168.0.112) and C (192.168.0.111):
[oldboy@B ~]$ ll .ssh/
total 4
-rw------- 1 oldboy oldboy 598 Jul 25 22:59 authorized_keys
[oldboy@C ~]$ ll .ssh/
total 4
-rw------- 1 oldboy oldboy 598 Jul 25 22:47 authorized_keys
3. How ssh-copy-id works (ssh-copy-id -i .ssh/id_dsa.pub "-p 52113 oldboy@192.168.0.111"):
      it sends the contents of .ssh/id_dsa.pub to 192.168.0.111 and appends them to the file authorized_keys in the target user's .ssh directory there. The directory is created with mode 700 if it does not exist and the file ends up with mode 600; both follow from the umask 077 the script sets before writing (sshd, with StrictModes on, ignores an authorized_keys file that other users can write). Nothing is renamed: the key is appended, so a second run adds the same key again and the file should be checked for duplicates.

[oldboy@C ~]$ ll -d .ssh/
drwx------ 2 oldboy oldboy 4096 Jul 25 22:47 .ssh/
[oldboy@C ~]$ ll .ssh/
total 4
-rw------- 1 oldboy oldboy 598 Jul 25 22:47 authorized_keys
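What the remote half of ssh-copy-id does, as an added example that is not part of the original page: a function with the same steps (umask 077, create .ssh, append the key, fix the modes) that can be run against a local scratch directory, plus a helper that prints the port-aware ssh command line the hand-edited line 41 produces. It adds the duplicate check the OpenSSH 5.3 script lacks. The scratch paths and the key material used in the demo are assumptions.

```shell
#!/bin/sh
# Added example: the remote half of ssh-copy-id as a local function.
# Assumptions: POSIX sh; the target home directory is passed explicitly
# (ssh-copy-id uses the remote user's ~).

# install_pubkey PUBKEY_FILE HOME_DIR
#   Creates HOME_DIR/.ssh with mode 700 and appends every key line from
#   PUBKEY_FILE to HOME_DIR/.ssh/authorized_keys (mode 600), skipping lines
#   that are already present. ssh-copy-id 5.3 appends blindly, so running it
#   twice duplicates the key; this version is idempotent.
install_pubkey() {
    pubkey="$1"
    home="$2"
    authkeys="$home/.ssh/authorized_keys"

    [ -r "$pubkey" ] || { echo "install_pubkey: cannot read $pubkey" >&2; return 1; }
    # Accept only lines that look like an OpenSSH public key: key type, base64 blob.
    grep -Eq '^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/=]+' "$pubkey" \
        || { echo "install_pubkey: $pubkey is not a public key" >&2; return 1; }

    (
        umask 077                                   # same as the script: owner-only files
        [ -d "$home/.ssh" ] || mkdir "$home/.ssh" || exit 1
        [ -e "$authkeys" ] || : > "$authkeys"
        while IFS= read -r line; do
            case "$line" in ''|'#'*) continue ;; esac
            # -x -F: the whole line must match literally, so the same key is not added twice
            grep -qxF -- "$line" "$authkeys" || printf '%s\n' "$line" >> "$authkeys"
        done < "$pubkey"
        # sshd (StrictModes yes) ignores an authorized_keys that others can write.
        chmod 700 "$home/.ssh" && chmod 600 "$authkeys"
    )
}

# count_keys HOME_DIR -> number of lines in authorized_keys (0 if absent)
count_keys() {
    f="$1/.ssh/authorized_keys"
    [ -f "$f" ] || { echo 0; return 0; }
    grep -c '^' "$f" || true
}

# remote_install_cmd PORT [USER@]HOST
#   Prints the ssh command line that line 41 of ssh-copy-id runs, with the
#   port option the page inserted by hand; the public key is fed on stdin.
remote_install_cmd() {
    printf 'ssh -p %s %s "umask 077; test -d ~/.ssh || mkdir ~/.ssh ; cat >> ~/.ssh/authorized_keys"\n' "$1" "$2"
}

# Demo against a scratch directory instead of a remote host:
#   install_pubkey ~/.ssh/id_dsa.pub /tmp/fakehome && count_keys /tmp/fakehome
#   remote_install_cmd 52113 oldboy@192.168.0.111
```

Run it twice against the same directory and count_keys still reports one key, which is the behaviour the 5.3 script does not give you; the remote variant is what you get by wrapping the same function body in the ssh -p command remote_install_cmd prints.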

9. Test: batch distribution of a file to all servers
[oldboy@A ~]$ whoami
oldboy
[oldboy@A ~]$ echo 123 >a.txt
[oldboy@A ~]$ ll
total 4
-rw-rw-r-- 1 oldboy oldboy 4 Jul 26 00:00 a.txt
[oldboy@A ~]$ cat a.txt
123
[oldboy@A ~]$ scp -P22 a.txt oldboy@192.168.0.111:~
a.txt                                 100%   4     0.0KB/s   00:00
[oldboy@A ~]$ scp -P22 a.txt oldboy@192.168.0.112:~
a.txt                                 100%   4     0.0KB/s   00:00
[oldboy@A ~]$ history|grep scp
35  scp -P22 a.txt oldboy@192.168.0.111:~
36  scp -P22 a.txt oldboy@192.168.0.112:~
37  history|grep scp
[oldboy@A ~]$ vi fenfa.sh
#piliangfenfajiaoben,2015-07-26,linuxzkq
scp -P22 a.txt oldboy@192.168.0.111:~
scp -P22 a.txt oldboy@192.168.0.112:~
~
"fenfa.sh" [New] 3L, 117C written
[oldboy@A ~]$ ll
total 8
-rw-rw-r-- 1 oldboy oldboy   4 Jul 26 00:00 a.txt
-rw-rw-r-- 1 oldboy oldboy 117 Jul 26 00:06 fenfa.sh
[oldboy@A ~]$ sh fenfa.sh
a.txt                                 100%   4     0.0KB/s   00:00
a.txt                                 100%   4     0.0KB/s   00:00
[oldboy@A ~]$ sh fenfa.sh
a.txt                                 100%   4     0.0KB/s   00:00
a.txt                                 100%   4     0.0KB/s   00:00
[oldboy@A ~]$ ll
total 8
-rw-rw-r-- 1 oldboy oldboy   4 Jul 26 00:00 a.txt
-rw-rw-r-- 1 oldboy oldboy 117 Jul 26 00:06 fenfa.sh
[oldboy@A ~]$ vi fenfa.sh
#piliangfenfajiaoben,2015-07-26,linuxzkq
for n in 111 112
do
scp -P22 $1 oldboy@192.168.0.$n:~
done
~
"fenfa.sh" 5L, 108C written
[oldboy@A ~]$ cat fenfa.sh
#piliangfenfajiaoben,2015-07-26,linuxzkq
for n in 111 112
do
scp -P22 $1 oldboy@192.168.0.$n:~
done
[oldboy@A ~]$ ll
total 8
-rw-rw-r-- 1 oldboy oldboy   4 Jul 26 00:00 a.txt
-rw-rw-r-- 1 oldboy oldboy 108 Jul 26 00:16 fenfa.sh
[oldboy@A ~]$ sh fenfa.sh /etc/hosts
hosts                                 100%  106     0.1KB/s   00:00
hosts                                 100%  106     0.1KB/s   00:00
[oldboy@B ~]$ ll
total 8
-rw-rw-r-- 1 oldboy oldboy   4 Jul 26 00:11 a.txt
-rw-r--r-- 1 oldboy oldboy 106 Jul 26 00:20 hosts
[oldboy@C ~]$ ll
total 8
-rw-rw-r-- 1 oldboy oldboy   4 Jul 26 00:11 a.txt
-rw-r--r-- 1 oldboy oldboy 106 Jul 26 00:20 hosts
[oldboy@A ~]$ vi fenfa.sh
#piliangfenfajiaoben,2015-07-26,linuxzkq
for n in 111 112
do
scp -P22 -rp $1 oldboy@192.168.0.$n:~   # -r lets a whole directory be distributed; -p preserves the modes and timestamps of the files or directory being distributed
done
~
~
[oldboy@A ~]$ sh fenfa.sh /etc/
mail.rc                   100% 1909     1.9KB/s   00:00
exports                   100%   81     0.1KB/s   00:00
libuser.conf              100% 2293     2.2KB/s   00:00
alsactl.conf              100%  203     0.2KB/s   00:00
mailx.conf                100%  331     0.3KB/s   00:00
rhtsupport.conf           100%  417     0.4KB/s   00:00
report_event.conf         100% 2134     2.1KB/s   00:00
report_Logger.conf        100%   49     0.1KB/s   00:00
report_Tarball.xml        100% 5085     5.0KB/s   00:00
report_Mailx.xml          100%   20KB  20.0KB/s   00:00
report_Kerneloops.xml     100% 7792     7.6KB/s   00:00
[oldboy@B ~]$ ll
total 12
-rw-rw-r-- 1 oldboy oldboy    4 Jul 26 00:11 a.txt
drwxr-xr-x 85 oldboy oldboy 4096 Jul 25 22:00 etc
-rw-r--r-- 1 oldboy oldboy  106 Jul 26 00:20 hosts
[oldboy@C ~]$ ll
total 12
-rw-rw-r-- 1 oldboy oldboy    4 Jul 26 00:11 a.txt
drwxr-xr-x 85 oldboy oldboy 4096 Jul 25 22:00 etc
-rw-r--r-- 1 oldboy oldboy  106 Jul 26 00:20 hosts

Summary of passwordless login:
1) Key-based passwordless login is verified in one direction only: A can log in to B, but B cannot log in to A unless B's key is distributed as well
2) It is per user; do not cross users (the key in oldboy's authorized_keys only lets you log in as oldboy)
3) The problem of slow SSH connections
4) Batch distribution to 1000 hosts still needs the password entered once per host initially, and the first connection must confirm the host key (expect

10. SSH batch management
[oldboy@A ~]$ cp fenfa.sh guanli.sh
[oldboy@A ~]$ ll
total 12
-rw-rw-r-- 1 oldboy oldboy   4 Jul 26 00:00 a.txt
-rw-rw-r-- 1 oldboy oldboy 112 Jul 26 00:28 fenfa.sh
-rw-rw-r-- 1 oldboy oldboy 112 Jul 26 20:44 guanli.sh
[oldboy@A ~]$ ssh -p22 oldboy@192.168.0.111 /sbin/ifconfig|grep 192.168.0.
          inet addr:192.168.0.111  Bcast:192.168.0.255  Mask:255.255.255.0
[oldboy@A ~]$ ssh -p22 oldboy@192.168.0.112 /sbin/ifconfig|grep 192.168.0.
          inet addr:192.168.0.112  Bcast:192.168.0.255  Mask:255.255.255.0
[oldboy@A ~]$ vi guanli.sh
#!/bin/sh
#piliangfenfajiaoben,2015-07-26,linuxzkq
for n in 111 112
do
ssh -p22 oldboy@192.168.0.$n /sbin/ifconfig|grep 192.168.0.
done
~
~
~
"guanli.sh" 8L, 147C written
[oldboy@A ~]$ cat guanli.sh
#!/bin/sh
#piliangfenfajiaoben,2015-07-26,linuxzkq
for n in 111 112
do
ssh -p22 oldboy@192.168.0.$n /sbin/ifconfig|grep 192.168.0.
done
[oldboy@A ~]$ sh guanli.sh
          inet addr:192.168.0.111  Bcast:192.168.0.255  Mask:255.255.255.0
          inet addr:192.168.0.112  Bcast:192.168.0.255  Mask:255.255.255.0
[oldboy@A ~]$ vi guanli.sh
#!/bin/sh
#piliangfenfajiaoben,2015-07-26,linuxzkq
for n in 111 112
do
ssh -p22 oldboy@192.168.0.$n $1
done
~
~
"guanli.sh" 8L, 119C written
[oldboy@A ~]$ sh guanli.sh        # with no argument $1 is empty, so ssh opens an interactive login on each host in turn
Last login: Sat Jul 25 23:16:51 2015 from 192.168.0.114
welcome to oldboy linux training from /etc/profile.d
[oldboy@C ~]$
[oldboy@C ~]$ logout
Connection to 192.168.0.111 closed.
Last login: Sat Jul 25 23:19:04 2015 from 192.168.0.114
welcome to oldboy linux training from /etc/profile.d
[oldboy@B ~]$ logout
Connection to 192.168.0.112 closed.
[oldboy@A ~]$ sh guanli.sh
Last login: Sun Jul 26 20:55:21 2015 from 192.168.0.114
welcome to oldboy linux training from /etc/profile.d
[oldboy@C ~]$ logout
Connection to 192.168.0.111 closed.
Last login: Sun Jul 26 20:58:07 2015 from 192.168.0.114
welcome to oldboy linux training from /etc/profile.d
[oldboy@B ~]$ logout
Connection to 192.168.0.112 closed.
[oldboy@A ~]$ sh guanli.sh /sbin/ifconfig eth0|grep 192.168.0.     # unquoted: only /sbin/ifconfig reaches the script as $1 (eth0 becomes $2 and is ignored), and grep runs locally on the combined output
          inet addr:192.168.0.111  Bcast:192.168.0.255  Mask:255.255.255.0
          inet addr:192.168.0.112  Bcast:192.168.0.255  Mask:255.255.255.0
[oldboy@A ~]$ sh guanli.sh "/sbin/ifconfig eth0|grep 192.168.0."   # quoted: the whole pipeline is $1 and runs on each remote host
          inet addr:192.168.0.111  Bcast:192.168.0.255  Mask:255.255.255.0
          inet addr:192.168.0.112  Bcast:192.168.0.255  Mask:255.255.255.0
[oldboy@A ~]$ sh guanli.sh "/usr/bin/free -m"
             total       used       free     shared    buffers     cached
Mem:           988        929         58          0          2         10
-/+ buffers/cache:        916         71
Swap:         2047        504       1543
             total       used       free     shared    buffers     cached
Mem:           988        738        249          0         24        198
-/+ buffers/cache:        515        472
Swap:         2047          0       2047
[oldboy@A ~]$ sh guanli.sh "/sbin/ifconfig eth0"|sed -rn 's#^.*dr:(.*)  Bc.*$#\1#gp'
192.168.0.111
192.168.0.112
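The fenfa.sh and guanli.sh loops above are the minimum that works. The following added example (mine, not the page's scripts) keeps their structure but reads the targets from a hosts file, forces BatchMode so a missing key fails instead of hanging on a password prompt, refuses hosts whose key is not already in known_hosts, forwards the remote command intact instead of as an unquoted $1, and reports how many hosts failed. The hosts file format, the SSH_BIN/SCP_BIN overrides and the port variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the page's fenfa.sh/guanli.sh: batch run and batch push
# with the checks those loops lack. Assumptions: a hosts file with one
# [user@]host per line (# comments allowed); key login already set up;
# SSH_BIN/SCP_BIN/SSH_PORT may be overridden from the environment.

SSH_BIN="${SSH_BIN:-ssh}"
SCP_BIN="${SCP_BIN:-scp}"
SSH_PORT="${SSH_PORT:-22}"
# BatchMode=yes: never fall back to a password prompt (a cron job would hang).
# StrictHostKeyChecking=yes: only hosts already in known_hosts; a changed or
# unknown key is an error, never a yes/no prompt answered by a script.
SSH_OPTS="-o BatchMode=yes -o StrictHostKeyChecking=yes -o ConnectTimeout=5"

# list_hosts HOSTS_FILE -> prints the targets, skipping blank and # lines
list_hosts() {
    grep -Ev '^[[:space:]]*(#|$)' "$1"
}

# run_on_hosts HOSTS_FILE CMD [ARG...]
#   Runs the command on every host, prefixing each output line with the
#   host. All arguments are forwarded, so "run_on_hosts h.txt /sbin/ifconfig eth0"
#   runs ifconfig eth0 remotely (the page's unquoted $1 dropped "eth0").
#   Returns the number of hosts on which the command failed.
run_on_hosts() {
    hosts_file="$1"; shift
    failed=0
    for h in $(list_hosts "$hosts_file"); do
        # -n: do not read our stdin, which ssh would otherwise consume
        if out=$("$SSH_BIN" $SSH_OPTS -n -p "$SSH_PORT" "$h" "$@" 2>&1); then
            rc=0
        else
            rc=$?
        fi
        if [ -n "$out" ]; then
            printf '%s\n' "$out" | sed "s/^/$h: /"
        fi
        [ "$rc" -eq 0 ] || failed=$((failed + 1))
    done
    return "$failed"
}

# push_to_hosts HOSTS_FILE SRC DEST
#   Copies SRC (file or directory, attributes preserved with -rp) to DEST on
#   every host. Returns the number of hosts where the copy failed.
push_to_hosts() {
    hosts_file="$1"; src="$2"; dest="$3"
    [ -e "$src" ] || { echo "push_to_hosts: no such file: $src" >&2; return 1; }
    failed=0
    for h in $(list_hosts "$hosts_file"); do
        if ! "$SCP_BIN" $SSH_OPTS -q -P "$SSH_PORT" -rp "$src" "$h:$dest"; then
            echo "$h: copy of $src failed" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Usage:  sh batch.sh run  hosts.txt /usr/bin/free -m
#         sh batch.sh push hosts.txt /etc/hosts /tmp/
if [ "$#" -gt 0 ]; then
    case "$1" in
        run)  shift; run_on_hosts "$@" ;;
        push) shift; push_to_hosts "$@" ;;
        *)    echo "usage: $0 run HOSTS CMD... | push HOSTS SRC DEST" >&2; exit 2 ;;
    esac
fi
```

The exit status is the count of failed hosts, so a wrapper or cron entry can tell "ran everywhere" from "ran on all but one" without parsing output; the page's loops always exit 0 because the status of the last scp or ssh is all that survives.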

11. Copying files over SSH with sudo privilege escalation: scheme and practice
1. Grant sudo rights for the cp command
[oldboy@A ~]$ cp /etc/hosts hosts
[oldboy@A ~]$ ll
total 24
-rw-r--r-- 1 oldboy oldboy   4 Jul 26 00:00 a.txt
-rw-r--r-- 1 oldboy oldboy 112 Jul 26 22:10 fenfa1.sh
-rw-r--r-- 1 oldboy oldboy 112 Jul 26 00:28 fenfa.sh
-rw-r--r-- 1 oldboy oldboy 119 Jul 26 20:55 guanli.sh
-rw-r--r-- 1 oldboy oldboy 106 Jul 26 22:23 hosts
[oldboy@A ~]$ vi hosts
127.0.0.1  mysql localhost4 localhost4.localdomain4
::1        mysql localhost6 localhost6.localdomain6
192.168.0.114 A
192.168.0.112 B
192.168.0.111 C
~
"hosts" 5L, 154C written
[oldboy@A ~]$ cat fenfa.sh
#piliangfenfajiaoben,2015-07-26,linuxzkq
for n in 111 112
do
scp -P22 -rp $1 oldboy@192.168.0.$n:~
done
[oldboy@A ~]$ sh fenfa.sh hosts
hosts                                   100%  154     0.2KB/s   00:00
hosts                                   100%  154     0.2KB/s   00:00
[oldboy@B ~]$ ll
total 12
-rw-r--r-- 1 oldboy oldboy    4 Jul 26 00:11 a.txt
drw-r--r-- 85 oldboy oldboy 4096 Jul 25 22:00 etc
-rw-r--r-- 1 oldboy oldboy  154 Jul 26 22:24 hosts
[oldboy@C ~]$ ll
total 12
-rw-r--r-- 1 oldboy oldboy    4 Jul 26 00:11 a.txt
drw-r--r-- 85 oldboy oldboy 4096 Jul 25 22:00 etc
-rw-r--r-- 1 oldboy oldboy  154 Jul 26 22:24 hosts
[oldboy@A ~]$ vi fenfa.sh
#piliangfenfajiaoben,2015-07-26,linuxzkq
for n in 111 112
do
scp -P22 -rp $1 oldboy@192.168.0.$n:$2
done
~
~
"fenfa.sh" 5L, 113C written
[oldboy@A ~]$ sh fenfa.sh hosts /etc
scp: /etc/hosts: Permission denied     # oldboy has no write access to /etc on B and C
scp: /etc/hosts: Permission denied
[oldboy@A ~]$ sh -x fenfa.sh hosts /etc   # trace the script as it executes
+ for n in 111 112
+ scp -P22 -rp hosts oldboy@192.168.0.111:/etc
scp: /etc/hosts: Permission denied
+ for n in 111 112
+ scp -P22 -rp hosts oldboy@192.168.0.112:/etc
scp: /etc/hosts: Permission denied
[oldboy@A ~]$ logout

[root@A ~]# visudo
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.
## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias     FILESERVERS = fs1, fs2
# Host_Alias     MAILSERVERS = smtp, smtp2
## User Aliases
## These aren't often necessary, as you can use regular groups
"/etc/sudoers.tmp" 118L, 4002C
## systems).
## Syntax:
##
##     user    MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root   ALL=(ALL)       ALL
oldboy  ALL=(ALL)       NOPASSWD:/bin/cp  # add this line after line 98: it lets user oldboy run /bin/cp as root through sudo, without a password
## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
## Allows people in group wheel to run all commands
"/etc/sudoers.tmp" 119L, 4043C written
[root@A ~]# su - oldboy
welcome to oldboy linux training from /etc/profile.d
[oldboy@A ~]$
[oldboy@A ~]$ sudo -l
Matching Defaults entries for oldboy on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
    DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL
    PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User oldboy may run the following commands on this host:
    (ALL) NOPASSWD: /bin/cp
Note: this output shows that the sudo rule is in effect. Caveat: an unrestricted /bin/cp run as root is itself root-equivalent, because the same rule lets oldboy overwrite /etc/shadow, /etc/sudoers or root's authorized_keys; for production, grant a wrapper script with fixed source and destination paths rather than cp itself.
[oldboy@A ~]$ cp hosts /etc/
cp: cannot create regular file `/etc/hosts': Permission denied
[oldboy@A ~]$ sudo cp hosts /etc/
[oldboy@A ~]$ cat /etc/hosts
127.0.0.1  mysql localhost4 localhost4.localdomain4
::1        mysql localhost6 localhost6.localdomain6
192.168.0.114 A
192.168.0.112 B
192.168.0.111 C
[oldboy@B ~]$ logout
[root@B ~]# echo "oldboy  ALL=(ALL)       NOPASSWD:/bin/cp">>/etc/sudoers   # appended directly instead of through visudo, so the syntax must be checked afterwards
[oldboy@C ~]$ logout
[root@C ~]# echo "oldboy  ALL=(ALL)       NOPASSWD:/bin/cp">>/etc/sudoers
[root@B ~]# visudo -c    # check that the sudoers file parses correctly
/etc/sudoers: parsed OK
[root@C ~]# visudo -c
/etc/sudoers: parsed OK
[root@B ~]# su - oldboy
welcome to oldboy linux training from /etc/profile.d
[oldboy@B ~]$
[root@C ~]# su - oldboy
welcome to oldboy linux training from /etc/profile.d
[oldboy@C ~]$
[oldboy@C ~]$ logout

2. Running sudo remotely
[root@C ~]# visudo
Find the following lines:
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
#        You have to run "ssh -t hostname sudo <cmd>".  # method one: run sudo over ssh with -t, which allocates a tty
#
Defaults   requiretty                # method two: comment out this line so sudo no longer insists on a tty
[oldboy@A ~]$ ssh -p22 oldboy@192.168.0.111 sudo /bin/cp -f ~/hosts /etc/hosts
sudo: sorry, you must have a tty to run sudo
[oldboy@A ~]$ ssh -p22 -t oldboy@192.168.0.111 sudo /bin/cp -f ~/hosts /etc/hosts
Connection to 192.168.0.111 closed.
[oldboy@C ~]$ cat /etc/hosts
127.0.0.1  mysql localhost4 localhost4.localdomain4
::1        mysql localhost6 localhost6.localdomain6
192.168.0.114 A
192.168.0.112 B
192.168.0.111 C
[oldboy@A ~]$ vi fenfa.sh
#piliangfenfajiaoben,2015-07-26,linuxzkq
for n in 111 112
do
scp -rp $1 oldboy@192.168.0.$n:~ &&\
ssh -t oldboy@192.168.0.$n sudo /bin/cp ~/$1 /etc/
done
[oldboy@B ~]$ cat /etc/hosts
127.0.0.1  mysql localhost4 localhost4.localdomain4
::1        mysql localhost6 localhost6.localdomain6
192.168.0.114 A
192.168.0.112 B
192.168.0.111 C
[oldboy@B ~]$ ll /etc/hosts
-rw-r--r-- 1 root root 154 Jul 27 00:07 /etc/hosts
[oldboy@C ~]$ cat /etc/hosts
127.0.0.1  mysql localhost4 localhost4.localdomain4
::1        mysql localhost6 localhost6.localdomain6
192.168.0.114 A
192.168.0.112 B
192.168.0.111 C
[oldboy@C ~]$ ll /etc/hosts
-rw-r--r-- 1 root root 154 Jul 27 00:07 /etc/hosts
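The rule oldboy ALL=(ALL) NOPASSWD:/bin/cp used in this section lets oldboy copy any file to any path as root, which is root-equivalent (cp over /etc/shadow or /etc/sudoers). The following added example, not from the page, shows the narrower pattern a practitioner would use instead: sudo grants a single wrapper script, and the wrapper fixes the source directory, the destination directory and the permitted file names, then refuses symlinks and path traversal. The script path /usr/local/sbin/deploy_file, the STAGE_DIR/DEST_DIR variables and the name whitelist are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the original page: a wrapper to grant through sudo
# instead of an unrestricted /bin/cp. Hypothetical install path
# /usr/local/sbin/deploy_file, with this sudoers rule (checked with visudo -c):
#
#   oldboy ALL=(root) NOPASSWD: /usr/local/sbin/deploy_file
#
# The caller picks only a file name; source directory, destination directory
# and the permitted names are fixed here, so /etc/shadow, /etc/sudoers or
# root's authorized_keys cannot be reached the way they can with "sudo cp".
# STAGE_DIR/DEST_DIR are overridable only so the demo can run in a scratch
# directory; in production hard-code them and do not trust the environment.

STAGE_DIR="${STAGE_DIR:-/home/oldboy}"   # where scp drops the files
DEST_DIR="${DEST_DIR:-/etc}"             # the only directory ever written to
ALLOWED_NAMES="hosts resolv.conf"        # files this wrapper may replace

# name_allowed NAME -> 0 if NAME is in ALLOWED_NAMES
name_allowed() {
    for n in $ALLOWED_NAMES; do
        [ "$1" = "$n" ] && return 0
    done
    return 1
}

# deploy_file NAME
#   Installs STAGE_DIR/NAME as DEST_DIR/NAME, mode 0644, owned by root when
#   run as root. Rejects names with a slash or leading dot (no traversal),
#   names outside the whitelist, and a source or destination that is a
#   symlink or not a regular file (a link could redirect the copy).
deploy_file() {
    name="$1"
    case "$name" in
        ''|*/*|.*) echo "deploy_file: bad name '$name'" >&2; return 2 ;;
    esac
    name_allowed "$name" || { echo "deploy_file: '$name' is not allowed" >&2; return 2; }
    src="$STAGE_DIR/$name"
    dst="$DEST_DIR/$name"
    if [ -L "$src" ] || [ ! -f "$src" ]; then
        echo "deploy_file: $src is not a regular file" >&2; return 3
    fi
    if [ -L "$dst" ]; then
        echo "deploy_file: refusing to replace symlink $dst" >&2; return 3
    fi
    # install(1) sets mode (and owner) as part of the copy, so there is no
    # window in which the new file exists with the caller's mode.
    if [ "$(id -u)" -eq 0 ]; then
        install -m 0644 -o root -g root "$src" "$dst"
    else
        install -m 0644 "$src" "$dst"
    fi
}

# From the distribution server, after scp has put hosts in ~oldboy:
#   ssh -t oldboy@192.168.0.111 sudo /usr/local/sbin/deploy_file hosts
if [ "$#" -gt 0 ]; then
    deploy_file "$1"
fi
```

The wrapper must itself be root-owned and not writable by oldboy (otherwise the whitelist is editable by the user it restricts), and the sudoers entry should name it with its full path, as the page's rule does for /bin/cp.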

12. Batch file distribution over SSH with SUID privilege escalation: scheme and practice
[root@C ~]# which rsync
/usr/bin/rsync
[root@B ~]# chmod 4755 `which rsync`  # method one: give rsync the SUID bit; note the backticks around which rsync
[root@C ~]# chmod u+s `which rsync`   # method two: the same, with symbolic mode; again backticks around which rsync
[root@A ~]# chmod u+s $(which rsync)  # method three: the same, with $(...) command substitution
[root@NFS ~]# ll /usr/bin/rsync
-rwxr-xr-x 1 root root 414968 Apr 30  2014 /usr/bin/rsync
[root@NFS ~]# chmod u+s $(which rsync)
[root@NFS ~]# ll /usr/bin/rsync
-rwsr-xr-x 1 root root 414968 Apr 30  2014 /usr/bin/rsync   # the s in the owner's execute position is the SUID bit: rsync now runs as root for every user who can execute it
[root@NFS ~]# chmod u-s $(which rsync)
[root@NFS ~]# ll /usr/bin/rsync
-rwxr-xr-x 1 root root 414968 Apr 30  2014 /usr/bin/rsync
[oldboy@A ~]$ cp fenfa.sh fenfa2.sh
[oldboy@A ~]$ vi fenfa2.sh
#piliangfenfajiaoben,2015-07-26,linuxzkq
for n in 111 112
do
scp -rp $1 oldboy@192.168.0.$n:~ &&\
ssh oldboy@192.168.0.$n /usr/bin/rsync ~/$1 /etc/
done
~
~
~
"fenfa2.sh" 6L, 169C written
[oldboy@A ~]$ ll
total 28
-rw-r--r-- 1 oldboy oldboy   4 Jul 26 00:00 a.txt
-rw-r--r-- 1 oldboy oldboy 112 Jul 26 22:10 fenfa1.sh
-rw-r--r-- 1 oldboy oldboy 169 Jul 27 21:27 fenfa2.sh
-rw-r--r-- 1 oldboy oldboy 170 Jul 27 00:02 fenfa.sh
-rw-r--r-- 1 oldboy oldboy 119 Jul 26 20:55 guanli.sh
-rw-rw-r-- 1 oldboy oldboy 620 Jul 26 22:01 ssh_key.tar.gz
[oldboy@A ~]$ cat /tmp/hosts
127.0.0.1  mysql localhost4 localhost4.localdomain4
::1        mysql localhost6 localhost6.localdomain6
192.168.0.114 A
192.168.0.112 B
192.168.0.111 C
##oldboy
[oldboy@A ~]$ cp -rf /tmp/hosts hosts
[oldboy@A ~]$ ll
total 28
-rw-r--r-- 1 oldboy oldboy   4 Jul 26 00:00 a.txt
-rw-r--r-- 1 oldboy oldboy 112 Jul 26 22:10 fenfa1.sh
-rw-r--r-- 1 oldboy oldboy 169 Jul 27 21:27 fenfa2.sh
-rw-r--r-- 1 oldboy oldboy 170 Jul 27 00:02 fenfa.sh
-rw-r--r-- 1 oldboy oldboy 119 Jul 26 20:55 guanli.sh
-rw-r--r-- 1 oldboy oldboy 163 Jul 27 21:31 hosts
-rw-rw-r-- 1 oldboy oldboy 620 Jul 26 22:01 ssh_key.tar.gz
[oldboy@A ~]$ cat hosts
127.0.0.1  mysql localhost4 localhost4.localdomain4
::1        mysql localhost6 localhost6.localdomain6
192.168.0.114 A
192.168.0.112 B
192.168.0.111 C
##oldboy
[oldboy@A ~]$ sh fenfa2.sh hosts
hosts                                      100%  163     0.2KB/s   00:00
hosts                                      100%  163     0.2KB/s   00:00
[oldboy@C ~]$ cat /etc/hosts
127.0.0.1  mysql localhost4 localhost4.localdomain4
::1        mysql localhost6 localhost6.localdomain6
192.168.0.114 A
192.168.0.112 B
192.168.0.111 C
##oldboy
[oldboy@B ~]$ cat /etc/hosts
127.0.0.1  mysql localhost4 localhost4.localdomain4
::1        mysql localhost6 localhost6.localdomain6
192.168.0.114 A
192.168.0.112 B
192.168.0.111 C
##oldboy
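Setting the SUID bit on rsync as above makes it run as root for every local user, and rsync can read or write any path (and, with -e, start a program of the caller's choosing), so it is a local root for anyone on the box. The following added example, not part of the original page, is the audit a practitioner runs after such a change: list every SUID file on a filesystem and diff the list against a recorded baseline so that a newly added SUID binary raises an alert. The baseline file format (one path per line) is an assumption.

```shell
#!/bin/sh
# Added example, not from the original page: audit of SUID binaries, the
# check that belongs next to "chmod u+s rsync". Assumption: the baseline is
# a text file listing the SUID paths that are expected, one per line.

# list_suid DIR -> every regular file under DIR (same filesystem) with the
# setuid bit, printed as "mode owner path"
list_suid() {
    find "$1" -xdev -type f -perm -4000 -exec ls -ld {} \; 2>/dev/null \
        | awk '{ print $1, $3, $NF }' | sort -k3
}

# suid_unexpected DIR BASELINE_FILE
#   Prints SUID paths under DIR that are not listed in BASELINE_FILE.
#   Returns 0 when there are none, 1 when at least one was found, so it can
#   drive a cron alert. The offending paths are also left in $unexpected.
suid_unexpected() {
    unexpected=$(list_suid "$1" | awk '{ print $3 }' | grep -vxF -f "$2" || true)
    [ -z "$unexpected" ] && return 0
    printf '%s\n' "$unexpected"
    return 1
}

# Usage: record the baseline once on a freshly installed host,
#   list_suid / | awk '{ print $3 }' > /root/suid.baseline
# then from cron:
#   suid_unexpected / /root/suid.baseline || logger -t suid-audit "new SUID file(s): $unexpected"
```

A SUID rsync shows up in this audit the moment it is set; the same check catches the more common case of a forgotten chmod 4755 on a tool somebody used to work around a permission problem.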

13. Summary of SSH batch distribution and management schemes:
1. Do the ssh_key authentication as root
   Pros: simple and easy to use
   Cons: poor security, and root remote login cannot then be disabled
2. Use an ordinary user such as oldboy: first copy the file to be distributed into that user's home directory on the server, then escalate with sudo and copy it into the privileged target directory
   Pros: secure, provided the sudo rule is scoped (an unrestricted NOPASSWD /bin/cp is itself root-equivalent)
   Cons: more complex to configure
3. Extension: the same as scheme 2, but instead of sudo, set the SUID bit on a fixed command
   Pros: relatively secure
   Cons: complex and weaker in security; any local user can run a SUID command, and a SUID rsync can read or overwrite any file as root
Recommendation:
a. For simplicity, choose 1
b. For security, choose 2
14. Security hardening of the SSH distribution center server, and the security mindset behind it
1. The central distribution server must not have a public (external) IP address.
2. Enable the firewall, deny SSH logins from outside, and allow access only from one backend machine that has no external network access.
Batch and automated management schemes for enterprise production:
1. The simplest and most common is ssh_key, and its functionality is the most powerful. Typically used by small and medium enterprises, below 50-100 hosts.
2. sina cfengine: an early batch management tool; basically no enterprise uses it any more.
3. Popular at portal scale: puppet, a complex and heavyweight batch management tool.
4. saltstack: simple and powerful (although its configuration gets complex).
5. http+wget+cron
