Lesson 40: The SSH remote management service 2019-05-27

Author: 苏水的北 | Published 2019-05-27 20:58
[Image: 第十周day1.png]

1. Remote connection services:

1.1 The ssh service encrypts the data it transmits, listens on local port 22/tcp, and allows root login by default.

1.1.1 Enter the following command locally to connect to the server (when connecting over ssh you can log in as root):

[c:\~]$ ssh  root@10.0.0.61


Connecting to 10.0.0.61:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.

Last login: Mon May 27 16:46:32 2019 from 10.0.0.1
[root@m01 ~]# 

1.2 The telnet service does not encrypt data, listens on local port 23/tcp, and does not allow root login by default.

1.2.1 Enter the following command locally to connect to the server (when connecting over telnet you cannot log in as root):

[c:\~]$ telnet   10.0.0.61

Connecting to 10.0.0.61:23...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.

Kernel 3.10.0-957.el7.x86_64 on an x86_64
m01 login: oldboy
Password: 
Last login: Mon May 27 16:27:36 from bogon
[oldboy@m01 ~]$ 

1.2.2 Capturing the session with Wireshark shows that, once you are connected to the device, every character you type appears in Wireshark in full; nothing is encrypted.


[Image: Wireshark packet capture (wireshark抓包.png)]

2. Remote connection services:

SSH-related client commands:

2.1 ssh: connect to another server remotely:

[root@m01 ~]# ssh 10.0.0.41
Last login: Mon May 27 19:30:44 2019 from 10.0.0.61
[root@backup ~]# 

2.2 scp: copy files remotely (the transfer also works without -P, since 22 is the default port)

[root@m01 ~]# scp -P22 /etc/hosts   10.0.0.41:/tmp
hosts                                       100%  349   164.4KB/s   00:00

2.3 sftp: upload and download
put: upload

[root@m01 ~]# sftp 10.0.0.41
Connected to 10.0.0.41.
sftp> put  /etc/hostname  /tmp/
Uploading /etc/hostname to /tmp/hostname
/etc/hostname                               100%    4     0.1KB/s   00:00  

[root@backup tmp]# ll
total 16
drwxr-xr-x 87 root root 8192 May 17 12:33 etc
-rw-r--r--  1 root root    4 May 27 20:51 hostname
[root@backup tmp]# cat hostname 
m01

get: download

[root@m01 ~]# sftp 10.0.0.41
Connected to 10.0.0.41.
sftp> get /etc/hostname   /tmp
Fetching /etc/hostname to /tmp/hostname
/etc/hostname                               100%    7     6.7KB/s   00:00  

[root@m01 tmp]# ll
total 4
-rw-r--r-- 1 root root  7 May 27 20:21 hostname
[root@m01 tmp]# cat  hostname 
backup

3. The server's /etc/ssh/sshd_config file: verifying the effect of changed parameters:

3.1 Edit /etc/ssh/sshd_config on the server: change Port to 52113, and set PermitRootLogin to no to forbid root login:

3.1.1 Change the two parameters:
[root@m01 ~]# egrep -i '^port|^permitroot'  /etc/ssh/sshd_config 
Port 52113
PermitRootLogin no
[root@m01 ~]# systemctl reload sshd (soft restart: re-reads the config without dropping existing sessions)
3.1.2 Verify whether the local shell can connect when the port number is wrong:
[c:\~]$ ssh root@10.0.0.61 22


Connecting to 10.0.0.61:22...
Could not connect to '10.0.0.61' (port 22): Connection failed.

Type `help' to learn how to use Xshell prompt.
3.1.3 Verify whether root can connect from the local shell when the port number is right:
[c:\~]$ ssh root@10.0.0.61 52113


Connecting to 10.0.0.61:52113...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.

Connection closed by foreign host.

Disconnected from remote host(10.0.0.61:52113) at 21:50:32.

Type `help' to learn how to use Xshell prompt.
3.1.4 The result shows that only port 52113 together with the oldboy user can get in remotely:
[c:\~]$ ssh  oldboy@10.0.0.61  52113


Connecting to 10.0.0.61:52113...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.

Last login: Mon May 27 18:05:35 2019 from bogon
[oldboy@m01 ~]$ 
[root@m01 ~]# ss -lntup|grep ssh (checking the listening port shows it is now 52113)
tcp    LISTEN     0      128       *:52113                 *:*                   users:(("sshd",pid=7222,fd=3))
tcp    LISTEN     0      128      :::52113                :::*                   users:(("sshd",pid=7222,fd=4))

3.2 Change ListenAddress (the IP of a local NIC to listen on); different subnets and different ports can be specified:

3.2.1 Configuration that specifies different subnets and different ports:
ListenAddress 10.0.0.61:52113
ListenAddress 172.16.1.61

[root@m01 ~]# vim  /etc/ssh/sshd_config 
ListenAddress 10.0.0.61:52113
ListenAddress 172.16.1.61
[root@m01 ~]# systemctl reload sshd (soft restart: re-reads the config without dropping existing sessions)
3.2.2 From the backup server, test whether 10.0.0.61 can be reached:
[root@backup ~]# ssh -p52113  root@10.0.0.61 
root@10.0.0.61's password: 
Last login: Mon May 27 21:58:56 2019
[root@m01 ~]# 
3.2.3 From the backup server, test whether 172.16.1.61 can be reached:
[root@m01 ~]# ssh -p22 root@172.16.1.61
The authenticity of host '172.16.1.61 (172.16.1.61)' can't be established.
ECDSA key fingerprint is SHA256:BuEVMdDh+fJprYgfJK6W2jXl57syKGcd5GmIFkqKtFw.
ECDSA key fingerprint is MD5:12:b2:cc:15:15:39:3a:0a:e0:77:51:ca:a1:74:35:02.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.1.61' (ECDSA) to the list of known hosts.
root@172.16.1.61's password: 
Last login: Mon May 27 22:40:09 2019 from 10.0.0.41
[root@m01 ~]# 

What we covered above is the main server-side configuration file of the ssh service; it can be used to restrict who may connect and from where, which improves the security of remote access to the server.
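An added check for the settings changed in this section (an example script written for these notes, not from the lesson): it reads the effective PermitRootLogin, Port and ListenAddress values from an sshd_config and fails if root login is still allowed or any Port is still 22. It assumes the file contains no Match blocks; run `sshd -t` before `systemctl reload sshd` so a typo cannot leave the daemon without a valid config.

```shell
#!/bin/sh
# Added example: audit the sshd_config settings changed in this section.
# Match blocks are not handled (assumption: the file has none).

# First uncommented value of KEYWORD in FILE. sshd uses the first occurrence of a
# single-valued keyword such as PermitRootLogin, so a hardened line appended to the
# end of the file is silently ignored if an uncommented default line precedes it.
sshd_first() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Every value of KEYWORD in FILE, for keywords that accumulate (Port, ListenAddress).
sshd_all() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2 }' "$1"
}

# Return 0 when FILE matches the hardening done above (PermitRootLogin no and no
# Port left at 22); otherwise print each failed check and return 1.
audit_sshd_config() {
    file=$1
    rc=0
    root=$(sshd_first "$file" PermitRootLogin)
    ports=$(sshd_all "$file" Port | tr '\n' ' ')
    if [ "$root" != "no" ]; then
        echo "FAIL: PermitRootLogin is '${root:-unset}' (want no)"
        rc=1
    fi
    case " $ports" in
        " " | *" 22 "*)
            echo "FAIL: Port is '${ports:-22 (default)}' (want only non-default ports)"
            rc=1 ;;
    esac
    echo "ListenAddress: $(sshd_all "$file" ListenAddress | tr '\n' ' ')"
    return $rc
}

# Usage: sh audit-sshd.sh /etc/ssh/sshd_config, then `sshd -t` before `systemctl reload sshd`.
if [ $# -gt 0 ]; then audit_sshd_config "$1"; fi
```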

4. SSH authentication methods:

4.1 Password authentication
[root@m01 /]# ssh  10.0.0.7  hostname (password authentication)
root@10.0.0.7's password: 
web01
4.2 Key authentication (interactive setup, with password prompts):
4.2.1 Step 1: generate the key pair on the management server (interactive):
[root@m01 /]# ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
SHA256:UuUx4g6UpAmMVRrpZImhebI54H5BYpXk7Hm+u9aAsWQ root@m01
The key's randomart image is:
+---[DSA 1024]----+
|.*=*o.o.. +      |
|+.X= +.. + o     |
|=*o+o . o .      |
|+==E.  +         |
|+.o++.. S        |
|.. o+. .         |
| . . .o          |
|  .  ...         |
|    .+o          |
+----[SHA256]-----+
[root@m01 /]# ll ~/.ssh/
total 12
-rw------- 1 root root 668 May 28 17:19 id_dsa
-rw-r--r-- 1 root root 598 May 28 17:19 id_dsa.pub
-rw-r--r-- 1 root root 857 May 28 12:12 known_hosts
4.2.2 Step 2: send the public key interactively:
[root@m01 /]#  ssh-copy-id -i ~/.ssh/id_dsa.pub  172.16.1.41 
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_dsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@172.16.1.41's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '172.16.1.41'"
and check to make sure that only the key(s) you wanted were added.
4.2.3 Step 3: verify that the key works:
[root@m01 /]# ssh  10.0.0.41  hostname
backup
4.2.4 The point of creating a key is that, when running commands on other servers from the management server, you no longer have to type the password every time.
A simple side-by-side comparison of password and key authentication:
[root@m01 /]# ssh  10.0.0.41  hostname (key authentication)
backup
[root@m01 /]# ssh  10.0.0.7  hostname (password authentication)
root@10.0.0.7's password: 
web01
4.3 Key authentication (non-interactive):
4.3.1 Step 1: generate the key pair on the management server in one step (non-interactive):
[root@m01 ~]# ssh-keygen -t dsa -f ~/.ssh/id_dsa -P ""
Generating public/private dsa key pair.
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
SHA256:qKiUrfJ23K76N7z/KA5US5aMis8QB9BuW/sQE21DROg root@m01
The key's randomart image is:
+---[DSA 1024]----+
|+.   *+          |
| .. oo+.         |
|.....o*.         |
| +o.E+ o         |
|o..o.+o S        |
| ++oo.           |
| o+oo=           |
|o.o o.B  .       |
|o+o+o=+=o..      |
+----[SHA256]-----+
[root@m01 ~]# ll ~/.ssh/
total 12
-rw------- 1 root root 672 May 28 17:47 id_dsa
-rw-r--r-- 1 root root 598 May 28 17:47 id_dsa.pub
-rw-r--r-- 1 root root 857 May 28 12:12 known_hosts
4.3.2 Distribute the key to one server in one step:
[root@m01 ~]# sshpass  -pwuxin7882832  ssh-copy-id -oStrictHostKeyChecking=no  10.0.0.41
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_dsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh -o 'StrictHostKeyChecking=no' '10.0.0.41'"
and check to make sure that only the key(s) you wanted were added.
4.3.3 Distribute the key to several servers in one step:
[root@m01 ~]# for ip in 7 41
> do
> sshpass -pwuxin7882832 ssh-copy-id -oStrictHostKeyChecking=no 10.0.0.$ip
> done
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_dsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh -o 'StrictHostKeyChecking=no' '10.0.0.7'"
and check to make sure that only the key(s) you wanted were added.

/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_dsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh -o 'StrictHostKeyChecking=no' '10.0.0.41'"
and check to make sure that only the key(s) you wanted were added.

Note:
for loop syntax:
for variable in list
do
  command
done

4.3.4 Hands-on project: generate the key and distribute the public key to several devices in one step (write a script, then run it)

#!/bin/bash

# make key (skipped if one already exists; otherwise ssh-keygen stops at an "Overwrite (y/n)?" prompt on a second run)
[ -f ~/.ssh/id_dsa ] || ssh-keygen -t dsa -f ~/.ssh/id_dsa -P ""
# distribute key
for ip in 7 41
do
  sshpass -pwuxin7882832 ssh-copy-id -oStrictHostKeyChecking=no 10.0.0.$ip
done
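A hardened version of the one-click script, written for these notes as an added example (not the lesson's own script) and also serving as the key-distribution step that the pssh section below requires: it generates an ed25519 key only once, takes the password from the SSHPASS environment variable instead of the command line, keeps host-key checking for already-known hosts, and verifies each host with a non-interactive login before reporting success. Host names, the KEY path and the script name are assumptions.

```shell
#!/bin/sh
# Added example, not the lesson's script: generate a key once and push it to
# every host, verifying each one. Differences from the one-click script above:
#  - ed25519 key: OpenSSH 7.0+ disables ssh-dss (DSA) keys by default
#  - generation is skipped when the key exists, so a second run never blocks
#    on ssh-keygen's "Overwrite (y/n)?" prompt
#  - the password comes from $SSHPASS via `sshpass -e`, not from -p on the
#    command line where `ps` and shell history expose it
#  - StrictHostKeyChecking=accept-new (OpenSSH 7.6+) learns new hosts but
#    still refuses a host whose key has changed
set -eu

KEY=${KEY:-${HOME:-.}/.ssh/id_ed25519}

# Create KEY (private + .pub) only if missing; print its fingerprint either way.
ensure_key() {
    key=$1
    if [ ! -f "$key" ]; then
        mkdir -p "$(dirname "$key")"
        chmod 700 "$(dirname "$key")"
        ssh-keygen -q -t ed25519 -N "" -f "$key"
    fi
    ssh-keygen -lf "$key.pub"
}

# Install KEY.pub on HOST (host or user@host) with the password in $SSHPASS.
push_key() {
    sshpass -e ssh-copy-id -i "$1.pub" -o StrictHostKeyChecking=accept-new "$2"
}

# Succeed only if HOST accepts KEY without any interactive prompt.
verify_key_login() {
    ssh -i "$1" -o BatchMode=yes -o ConnectTimeout=5 "$2" hostname
}

main() {
    [ -n "${SSHPASS:-}" ] || { echo "export SSHPASS=<remote password> first" >&2; return 1; }
    ensure_key "$KEY"
    failed=0
    for host in "$@"; do
        if push_key "$KEY" "$host" >/dev/null 2>&1 && verify_key_login "$KEY" "$host" >/dev/null 2>&1; then
            echo "$host: key login OK"
        else
            echo "$host: FAILED (password rejected, host key changed, or key not accepted)" >&2
            failed=1
        fi
    done
    return $failed
}

# Usage: SSHPASS='...' sh distribute-keys.sh 10.0.0.7 10.0.0.41
if [ $# -gt 0 ]; then main "$@"; fi
```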

5. Batch management:

5.1 The pssh command:

5.1.1 pssh command format: pssh options command (prerequisite: the key has already been configured and distributed):

[root@m01 ~]# cat /server/scripts/2.sh 
root@10.0.0.41
root@10.0.0.7
[root@m01 ~]# pssh -Ph /server/scripts/2.sh hostname
10.0.0.41: backup
[1] 20:22:02 [SUCCESS] root@10.0.0.41
10.0.0.7: web01
[2] 20:22:02 [SUCCESS] root@10.0.0.7
[root@m01 ~]# pssh -Ph /server/scripts/2.sh  "touch /root/wuxin.txt"
[1] 20:22:56 [SUCCESS] root@10.0.0.41
[2] 20:22:56 [SUCCESS] root@10.0.0.7

5.1.2 Check that the file was created on both servers:

[root@backup ~]# ll
total 8
-rw-r--r--  1 root root    0 May 28 20:22 wuxin.txt
[root@web01 ~]# ll
total 4
-rw-r--r--  1 root root    0 May 28 20:22 wuxin.txt

5.2 The prsync command:

[root@m01 ~]# pssh -A  -Ph hosts.txt cat /tmp/hostname 
Warning: do not enter your password if anyone else has superuser
privileges or access to your account.
Password: 
172.16.1.41: m01
[1] 12:52:32 [SUCCESS] root@172.16.1.41:22
172.16.1.7: m01
[2] 12:52:32 [SUCCESS] root@172.16.1.7:22

Article link: https://www.haomeiwen.com/subject/gdghtctx.html