• CentOS 7 Series -- 2.2 Configuring the SSH Service on CentOS 7


    Configuring the SSH Service on CentOS 7

    1. SSH Configuration

    1.1. Making the SSH service more secure

    [root@centos7 ~]# vi /etc/ssh/sshd_config

    Set the following:

    PermitRootLogin no

    PermitEmptyPasswords no

    PasswordAuthentication yes

    [root@centos7 ~]# systemctl restart sshd
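
The settings above can be checked before the restart. sshd uses the first value it reads for each keyword, so an edit placed below an existing line has no effect; the script below is an added example (not part of the original article) that reports the effective global value of each setting from section 1.1. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): check the settings from
# section 1.1 against an sshd_config file before restarting sshd.
# sshd keeps the FIRST value it reads for a keyword, so a later
# duplicate line is silently ignored; keyword names are case-insensitive.

sshd_effective() {   # usage: sshd_effective <config-file> <Keyword>
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/         { next }   # comments and blank lines
        tolower($1) == "match" { exit }   # global section ends at first Match
        tolower($1) == want    { print tolower($2); exit }   # first one wins
    ' "$1"
}

audit_sshd() {       # usage: audit_sshd <config-file> Keyword=value ...
    cfg=$1; shift; rc=0
    for pair in "$@"; do
        key=${pair%%=*}; expected=${pair#*=}
        actual=$(sshd_effective "$cfg" "$key")
        if [ "$actual" = "$expected" ]; then
            echo "OK   $key $actual"
        else
            echo "FAIL $key expected=$expected actual=${actual:-unset}"
            rc=1
        fi
    done
    return $rc
}

write_sample() {     # constructed sample config, not taken from a real host
    cat > "$1" <<'EOF'
# constructed sample
permitrootlogin yes
PermitEmptyPasswords no
PasswordAuthentication yes
# the next line looks like the fix but is ignored: first value wins
PermitRootLogin no
Match User backup
    PasswordAuthentication no
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_sshd "$sample" PermitRootLogin=no PermitEmptyPasswords=no \
    PasswordAuthentication=yes || echo "fix the FAIL lines, then run: sshd -t"
rm -f "$sample"
```

On a live host, `sshd -t` validates the file syntax and `sshd -T` prints the effective configuration.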

    1.2. Configure the firewall to allow the SSH service on 22/TCP

    [root@centos7 ~]# firewall-cmd --add-service=ssh --permanent

    [root@centos7 ~]# firewall-cmd --reload

    2. SSH File Transfer

    2.1. Copying files remotely with SCP

    2.1.1. Copy a local file to the remote server

    [root@centos7 ~]$ scp ./test.txt root@192.168.1.102:~/

    root@192.168.1.102's password:

    test.txt 100% 10 0.0KB/s 00:00

    2.1.2. Copy a file from the remote server to the local machine

    [root@centos7 ~]$ scp root@192.168.1.102:/root/test.txt ./test.txt

    root@192.168.1.102's password:

    test.txt 100% 10 0.0KB/s 00:00

    2.2. Copying files remotely with SFTP

    [root@centos7 ~]$ sftp root@192.168.1.102

    root@192.168.1.102's password:

    Connected to 192.168.1.102.

    sftp>

    # show current directory on remote server

    sftp> pwd

    Remote working directory: /root

    # show current directory on local server

    sftp> !pwd

    /root

    # show files in current directory on remote server

    sftp> ls -l

    drwxrwxr-x 2 root root 6 Jul 29 21:33 public_html

    -rw-rw-r-- 1 root root 10 Jul 28 22:53 test.txt

    # show files in current directory on local server

    sftp> !ls -l

    total 4

    -rw-rw-r-- 1 redhat redhat 10 Jul 29 21:31 test.txt

    # change directory

    sftp> cd public_html

    sftp> pwd

    Remote working directory: /root/public_html

    # upload a file to remote server

    sftp> put test.txt redhat.txt

    Uploading test.txt to /root/redhat.txt

    test.txt 100% 10 0.0KB/s 00:00

    sftp> ls -l

    drwxrwxr-x 2 root root 6 Jul 29 21:33 public_html

    -rw-rw-r-- 1 root root 10 Jul 29 21:39 redhat.txt

    -rw-rw-r-- 1 root root 10 Jul 28 22:53 test.txt

    # upload some files to remote server

    sftp> put *.txt

    Uploading test.txt to /root/test.txt

    test.txt 100% 10 0.0KB/s 00:00

    Uploading test2.txt to /root/test2.txt

    test2.txt 100% 0 0.0KB/s 00:00

    sftp> ls -l

    drwxrwxr-x 2 root root 6 Jul 29 21:33 public_html

    -rw-rw-r-- 1 root root 10 Jul 29 21:39 redhat.txt

    -rw-rw-r-- 1 root root 10 Jul 29 21:45 test.txt

    -rw-rw-r-- 1 root root 10 Jul 29 21:46 test2.txt

    # download a file from remote server

    sftp> get test.txt

    Fetching /root/test.txt to test.txt

    /root/test.txt 100% 10 0.0KB/s 00:00

    # download some files from remote server

    sftp> get *.txt

    Fetching /root/redhat.txt to redhat.txt

    /root/redhat.txt 100% 10 0.0KB/s 00:00

    Fetching /root/test.txt to test.txt

    /root/test.txt 100% 10 0.0KB/s 00:00

    Fetching /root/test2.txt to test2.txt

    /root/test2.txt 100% 10 0.0KB/s 00:00

    # create a directory on remote server

    sftp> mkdir testdir

    sftp> ls -l

    drwxrwxr-x 2 root root 6 Jul 29 21:33 public_html

    -rw-rw-r-- 1 root root 10 Jul 29 21:39 redhat.txt

    -rw-rw-r-- 1 root root 10 Jul 29 21:45 test.txt

    -rw-rw-r-- 1 root root 10 Jul 29 21:46 test2.txt

    drwxrwxr-x 2 root root 6 Jul 29 21:53 testdir

    # delete a directory on remote server

    sftp> rmdir testdir

    rmdir ok, `testdir' removed

    sftp> ls -l

    drwxrwxr-x 2 root root 6 Jul 29 21:33 public_html

    -rw-rw-r-- 1 root root 10 Jul 29 21:39 redhat.txt

    -rw-rw-r-- 1 root root 10 Jul 29 21:45 test.txt

    -rw-rw-r-- 1 root root 10 Jul 29 21:46 test2.txt

    # delete a file on remote server

    sftp> rm test2.txt

    Removing /root/test2.txt

    sftp> ls -l

    drwxrwxr-x 2 root root 6 Jul 29 21:33 public_html

    -rw-rw-r-- 1 root root 10 Jul 29 21:39 redhat.txt

    -rw-rw-r-- 1 root root 10 Jul 29 21:45 test.txt

    # execute commands with "![command]"

    sftp> !cat /etc/passwd

    root:x:0:0:root:/root:/bin/bash

    bin:x:1:1:bin:/bin:/sbin/nologin

    ...

    ...

    redhat:x:1001:1001::/root:/bin/bash

    # exit

    sftp> quit

    221 Goodbye.

    3. SSH Key-Pair Authentication

    3.1. Create a key pair for the server user

    [root@server1 ~]# ssh-keygen -t rsa

    Generating public/private rsa key pair.

    Enter file in which to save the key (/root/.ssh/id_rsa):

    Created directory '/root/.ssh'.

    Enter passphrase (empty for no passphrase):

    Enter same passphrase again:

    Your identification has been saved in /root/.ssh/id_rsa.

    Your public key has been saved in /root/.ssh/id_rsa.pub.

    The key fingerprint is:

    SHA256:r5uV45jQN9JPbbD0qiegffn+d2HPbKAZR1D8lrnwpqk root@server1.smartmap.com

    The key's randomart image is:

    +---[RSA 2048]----+

    | o. |

    | . . |

    | . .o|

    | ..oo|

    | S o.o..|

    | ..o o.=o* |

    | .oo.O.o=O+o|

    | ...X+=+= B|

    | *ooE*..o.|

    +----[SHA256]-----+

    [root@server1 ~]# ll

    total 4

    -rw-------. 1 root root 1496 Oct 28 11:32 anaconda-ks.cfg

    [root@server1 ~]# ls -la

    total 28

    dr-xr-x---. 3 root root 147 Oct 28 12:31 .

    dr-xr-xr-x. 17 root root 244 Oct 28 11:54 ..

    -rw-------. 1 root root 1496 Oct 28 11:32 anaconda-ks.cfg

    -rw-------. 1 root root 326 Oct 28 11:54 .bash_history

    -rw-r--r--. 1 root root 18 Dec 29 2013 .bash_logout

    -rw-r--r--. 1 root root 176 Dec 29 2013 .bash_profile

    -rw-r--r--. 1 root root 176 Dec 29 2013 .bashrc

    -rw-r--r--. 1 root root 100 Dec 29 2013 .cshrc

    drwx------ 2 root root 38 Oct 28 12:31 .ssh

    -rw-r--r--. 1 root root 129 Dec 29 2013 .tcshrc

    [root@server1 ~]# cd .ssh/

    [root@server1 .ssh]# ll

    total 8

    -rw------- 1 root root 1679 Oct 28 12:31 id_rsa

    -rw-r--r-- 1 root root 407 Oct 28 12:31 id_rsa.pub

    [root@server1 .ssh]# mv ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys

    [root@server1 .ssh]# chmod 600 ~/.ssh/authorized_keys

    3.2. The client copies the key from the server and uses it to log in to the server

    [root@server2 ~]# mkdir ~/.ssh

    [root@server2 ~]# chmod 700 ~/.ssh

    [root@server2 ~]# scp root@192.168.1.101:/root/.ssh/id_rsa ~/.ssh/

    The authenticity of host '192.168.1.101 (192.168.1.101)' can't be established.

    ECDSA key fingerprint is SHA256:lgN0eOtdLR2eqHh+fabe54DGpV08ZiWo9oWVS60aGzw.

    ECDSA key fingerprint is MD5:28:c0:cf:21:35:29:3d:23:d3:62:ca:0e:82:7a:4b:af.

    Are you sure you want to continue connecting (yes/no)? yes

    Warning: Permanently added '192.168.1.101' (ECDSA) to the list of known hosts.

    root@192.168.1.101's password:

    id_rsa 100% 1679 79.8KB/s 00:00

    [root@server2 ~]# ssh -i ~/.ssh/id_rsa root@192.168.1.101

    Last login: Sat Oct 28 12:23:00 2017 from 192.168.1.100
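
The `mv` in 3.1 replaces any existing authorized_keys file. As an added example (not from the original article), the script below appends a public key only if it is not already present and sets the same 700/600 modes used above; the function names and key strings are constructed placeholders.

```shell
#!/bin/sh
# Added example: append a public key to authorized_keys instead of
# overwriting the file, and keep the modes from section 3 (700 / 600).

install_pubkey() {   # usage: install_pubkey <home-dir> <public-key-file>
    sshdir=$1/.ssh; auth=$sshdir/authorized_keys
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    key=$(cat "$2") || return 1
    # -x: match the whole line, -F: fixed string; skip keys already present
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
}

perms_of() {         # first 10 columns of ls -ld, e.g. drwx------
    ls -ld "$1" | cut -c1-10
}

modes_ok() {         # usage: modes_ok <home-dir>; 0 if modes match section 3
    [ "$(perms_of "$1/.ssh")" = "drwx------" ] &&
    [ "$(perms_of "$1/.ssh/authorized_keys")" = "-rw-------" ]
}

# Demo in a throwaway directory with constructed (non-functional) key strings.
demo_home=$(mktemp -d)
printf '%s\n' 'ssh-ed25519 AAAACONSTRUCTEDKEY1 alice@client' > "$demo_home/a.pub"
printf '%s\n' 'ssh-ed25519 AAAACONSTRUCTEDKEY2 bob@client'   > "$demo_home/b.pub"
install_pubkey "$demo_home" "$demo_home/a.pub"
install_pubkey "$demo_home" "$demo_home/b.pub"
install_pubkey "$demo_home" "$demo_home/a.pub"    # repeat: no duplicate line
echo "entries: $(grep -c '' "$demo_home/.ssh/authorized_keys")"
modes_ok "$demo_home" && echo "modes ok"
rm -rf "$demo_home"
```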

  • Original article: https://www.cnblogs.com/gispathfinder/p/8833300.html