SSH
Introduction
SSH (Secure Shell) is an encrypted network transport protocol, whereas Telnet and other non-secure shells transmit everything in plaintext.
Features
- Asymmetric encryption
- Default port 22
- Client-server (C-S) model
OpenSSH
OpenSSH is a free, open-source implementation of the SSH (Secure Shell) protocol.
How it works
For clarity, the keys are abbreviated as follows (in the diagrams, X(Y) denotes Y encrypted with key X, and PrvX->Y denotes decrypting with PrvX to recover Y):
PubC: the public key of the client's key pair
PrvC: the private key held by the client
PubS: the public key generated by the server
PrvS: the private key generated by the server
On the pronunciation of 密钥 (yuè), see 到底是密钥(yao)还是密钥(yue)?
Authentication
- Password authentication
  Client                          | Server
  ------------------------------------------
           <-------------- PubS --------------
           ------------ PubS(Pwd) ----------->
                                  | PrvS->Pwd
- Public key authentication
  Client                          | Server
  ------------------------------------------
                                  | PubC
           <---------- PubC(Random) ----------
  PrvC->Random                    |
           ----------- Hash(Random) --------->
                                  | Hash(Random)
Connection
  Client                          | Server
  ------------------------------------------
  PrvC                            | PubC/PubS/PrvS
           <----------- PubC(PubS) -----------
  PrvC->PubS                      |
  PrvC/PubS                       | PubC/PubS/PrvS
Communication
  Client                          | Server
  ------------------------------------------
           ------------ PubS(Data) ---------->
                                  | PrvS->Data
           <----------- PubC(Data) -----------
  PrvC->Data                      |
Man-in-the-middle attack
Man-in-the-middle attack: MITM (Man in the Middle) Attack
  Client                          | MITM
  ------------------------------------------
           <-------------- PubS --------------
           ------------ PubS(Pwd) ----------->
                                  | PrvS->Pwd
SSH host public keys are self-issued; no certificate authority (CA) vouches for them, so by itself the client cannot tell the attacker's PubS from the real server's.
fingerprint
- client
The authenticity of host '192.168.56.222 (192.168.56.222)' can't be established.
ECDSA key fingerprint is SHA256:n600jhBnatrGCeFJHYrsKWraOATCDULD4e5Z+TS3JlI.
Are you sure you want to continue connecting (yes/no)?
- server
ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub
# 256 SHA256:n600jhBnatrGCeFJHYrsKWraOATCDULD4e5Z+TS3JlI
authorized_keys
- client
ssh-copy-id saas@192.168.56.222
For more on ssh-copy-id, see ssh-copy-id(1) - Linux man page
- server
cat ~/.ssh/authorized_keys
# ssh-rsa ***
known_hosts
- client
cat ~/.ssh/known_hosts
# 192.168.56.222 ecdsa-sha2-nistp256 ***
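The fingerprint shown in the client prompt and the one ssh-keygen -lf prints on the server are derived from the same public-key blob, and the known_hosts file is what lets ssh notice on a later connection that a host's key has changed. The Python script below is an added example, not code from the original post or from OpenSSH: it parses an OpenSSH public-key line, computes the SHA256 fingerprint the same way ssh-keygen does, and compares a presented key against a known_hosts entry, returning "match", "new" (first contact, where the client asks the yes/no question) or "mismatch" (the man-in-the-middle warning). The key lines, the host 192.168.56.222 and the function names are constructed for illustration; the ed25519 fixtures are syntactically valid but are not real keys.

```python
import base64
import hashlib
import struct


def parse_pubkey_line(line):
    """Parse one OpenSSH public-key line: '<type> <base64 blob> [comment]'.

    Returns (key_type, blob). The blob is the wire-format key whose first
    field is a length-prefixed string repeating the key type; OpenSSH
    rejects a key whose declared and embedded types disagree, so we do too.
    """
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    key_type, blob = parts[0], base64.b64decode(parts[1])
    if len(blob) < 4:
        raise ValueError("blob too short")
    (type_len,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + type_len].decode("ascii", "replace")
    if embedded != key_type:
        raise ValueError("declared type %s != embedded type %s" % (key_type, embedded))
    return key_type, blob


def fingerprint(line):
    """The SHA256 fingerprint ssh-keygen -lf prints: base64 of SHA-256 over
    the raw blob, trailing '=' padding stripped. Comparing this string from
    the client prompt with ssh-keygen -lf on the server (over a channel the
    attacker cannot tamper with) is the manual check that defeats the MITM
    scenario above."""
    _, blob = parse_pubkey_line(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def check_known_hosts(known_hosts_text, host, presented_line):
    """Emulate the client's host-key check against known_hosts.

    Returns 'match' (stored key identical), 'new' (host never seen: the
    interactive client shows the fingerprint and asks yes/no) or
    'mismatch' (a different key of the same type is stored for this host,
    the condition ssh reports as a possible man-in-the-middle attack).
    Only plain, unhashed host names without @-markers are handled here.
    """
    key_type, blob = parse_pubkey_line(presented_line)
    seen_type = False
    for raw in known_hosts_text.splitlines():
        fields = raw.strip().split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        hosts, stored_type, stored_b64 = fields[:3]
        if host not in hosts.split(",") or stored_type != key_type:
            continue
        seen_type = True
        if base64.b64decode(stored_b64) == blob:
            return "match"
    return "mismatch" if seen_type else "new"


def make_ed25519_line(fill):
    """Constructed test fixture: a syntactically valid ssh-ed25519 public
    key whose 32-byte point is just `fill` repeated. Not a real key."""
    key_type = b"ssh-ed25519"
    blob = struct.pack(">I", len(key_type)) + key_type
    blob += struct.pack(">I", 32) + bytes([fill]) * 32
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " fixture"


if __name__ == "__main__":
    real, rogue = make_ed25519_line(0x11), make_ed25519_line(0x22)
    known = "192.168.56.222 " + " ".join(real.split()[:2]) + "\n"
    print(fingerprint(real))
    print(check_known_hosts(known, "192.168.56.222", real))   # match
    print(check_known_hosts(known, "192.168.56.222", rogue))  # mismatch
    print(check_known_hosts(known, "192.168.56.223", rogue))  # new
```

The "mismatch" branch is the one that matters for the MITM section: once the real server's key is in known_hosts, an attacker presenting a different PubS for the same host name is detected rather than silently accepted, which is why the first-contact fingerprint should be verified out of band.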
Configuration and usage
Generate a key pair
- client
ssh-keygen -t rsa -f ~/.ssh/test -C "test@126.com"
Upload the public key
- client
ssh-copy-id -i ~/.ssh/test.pub saas@192.168.56.222
ssh saas@192.168.56.222 # prompts for the password
Configure the key
- client
printf '\nHost 192.168.56.222\n' >> ~/.ssh/config # printf rather than echo: bash's echo does not expand \n
echo "IdentityFile ~/.ssh/test" >> ~/.ssh/config
ssh saas@192.168.56.222 # no password prompt
Disable password authentication
- server
echo "PasswordAuthentication no" | sudo tee -a /etc/ssh/sshd_config
sudo service ssh reload
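Appending the line with tee -a only has an effect if nothing earlier in the file already sets the same keyword: sshd_config(5) states that for each keyword the first obtained value is used, and a Match block runs from its Match line to the next Match line or the end of the file, so a line appended after one is conditional rather than global. The Python checker below is an added example, not part of the original post or of OpenSSH; the two sample config files, the function names and the status labels are constructed. It classifies every occurrence of a keyword as effective, shadowed (ignored because an earlier global line wins) or in-match, and reports whether password login is really off. Include directives (stock Debian and Ubuntu files start with one) are not followed, so run it on each included file too.

```python
import re

# "Keyword value" or "Keyword=value"; keywords are case-insensitive in sshd.
_LINE = re.compile(r"^([A-Za-z0-9]+)(?:\s+|\s*=\s*)(.*)$")


def occurrences(config_text, keyword):
    """All lines setting `keyword`, as (line_no, value, status).

    status is 'effective' (the one sshd uses: first global value wins),
    'shadowed' (a later global line, silently ignored) or 'in-match'
    (inside a Match block, so it applies only to matching users/hosts).
    Comments after '#' are stripped; Include is not followed (assumption).
    """
    wanted = keyword.lower()
    found, in_match, seen_global = [], False, False
    for n, raw in enumerate(config_text.splitlines(), 1):
        m = _LINE.match(raw.split("#", 1)[0].strip())
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            in_match = True          # stays set: Match runs to next Match/EOF
        elif key == wanted:
            if in_match:
                status = "in-match"
            elif seen_global:
                status = "shadowed"
            else:
                status, seen_global = "effective", True
            found.append((n, value, status))
    return found


def effective_value(config_text, keyword):
    """Value sshd uses globally for `keyword`, or None if never set."""
    for _, value, status in occurrences(config_text, keyword):
        if status == "effective":
            return value
    return None


def password_auth_disabled(config_text):
    """True only when the effective global PasswordAuthentication is 'no'.
    The compiled-in default is 'yes', so an absent keyword means enabled."""
    value = effective_value(config_text, "PasswordAuthentication")
    return value is not None and value.lower() == "no"


# Constructed sample 1: a stock-looking file with the page's line appended.
SAMPLE_SHADOWED = """# /etc/ssh/sshd_config (constructed sample)
Port 22
PasswordAuthentication yes
PasswordAuthentication no
"""

# Constructed sample 2: the appended line lands inside a trailing Match block.
SAMPLE_MATCH = """# /etc/ssh/sshd_config (constructed sample)
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
Match User deploy
    PasswordAuthentication no
PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, text in (("shadowed", SAMPLE_SHADOWED), ("match", SAMPLE_MATCH)):
        print(name, occurrences(text, "PasswordAuthentication"),
              "disabled:", password_auth_disabled(text))
```

On the server itself the authoritative check is `sudo sshd -T | grep -i passwordauthentication`, which prints the value sshd will actually use, and `sudo sshd -t` validates the file before the reload; keep the existing session open and confirm that key login works from a second session before relying on the change, since a mistake here removes the only other way in.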
File permissions
man ssh
FILES
~/.ssh/authorized_keys
    Lists the public keys (DSA, ECDSA, Ed25519, RSA) that can be used for logging in as this user. The format of this file is described in the sshd(8) manual page. This file is not highly sensitive, but the recommended permissions are read/write for the user, and not accessible by others.
~/.ssh/id_rsa
    Contains the private key for authentication. These files contain sensitive data and should be readable by the user but not accessible by others (read/write/execute). ssh will simply ignore a private key file if it is accessible by others. It is possible to specify a passphrase when generating the key which will be used to encrypt the sensitive part of this file using 3DES.
~/.ssh/id_rsa.pub
    Contains the public key for authentication. These files are not sensitive and can (but need not) be readable by anyone.
~/.ssh/known_hosts
    Contains a list of host keys for all hosts the user has logged into that are not already in the systemwide list of known host keys. See sshd(8) for further details of the format of this file.
ls -l ~/.ssh/
-rw-rw-r-- 1 dev dev 5203 Sep 19 17:10 authorized_keys
-rw------- 1 dev dev 1679 Jan 3 2018 id_rsa
-rw-r--r-- 1 dev dev 404 Jan 3 2018 id_rsa.pub
-rw-r--r-- 1 dev dev 2442 Sep 19 19:49 known_hosts
For more on the ssh "permissions are too open" error, see ssh 'permissions are too open' error
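The ls -l listing above has one entry that the man page text does not bless: authorized_keys is group-writable (664). With StrictModes, which sshd enables by default, sshd refuses a group- or world-writable authorized_keys file (the "bad ownership or modes for file" error in the auth log), while ssh itself refuses a private key that is readable by anyone else. The Python audit below is an added example, not code from the original post or from OpenSSH: the mode limits are constructed from the ssh(1) FILES text above and sshd's StrictModes check, and demo() recreates the listing in a scratch directory so the audit can be run anywhere.

```python
import os
import stat
import tempfile

# Widest mode each entry may have before ssh/sshd complain (constructed
# from the ssh(1) FILES text plus sshd's StrictModes check, which rejects
# an authorized_keys file or .ssh directory writable by group or others).
MAX_MODE = {
    ".":               0o755,  # ~/.ssh itself: no group/other write
    "id_rsa":          0o600,  # private key: "permissions are too open" otherwise
    "authorized_keys": 0o644,  # sshd refuses group/other-writable
    "known_hosts":     0o644,  # recommendation only; ssh does not enforce it
}


def audit_ssh_dir(path):
    """Return [(name, actual_mode, max_mode)] for entries carrying bits
    outside their limit; an empty list means the directory passes."""
    findings = []
    for name, allowed in MAX_MODE.items():
        full = os.path.join(path, name)
        if not os.path.lexists(full):
            continue
        mode = stat.S_IMODE(os.lstat(full).st_mode)
        if mode & ~allowed:
            findings.append((name, mode, allowed))
    return findings


def repair_ssh_dir(path):
    """Clear only the offending bits; never widens anything."""
    for name, mode, allowed in audit_ssh_dir(path):
        os.chmod(os.path.join(path, name), mode & allowed)


def demo(repair=False):
    """Recreate the ls -l listing above (constructed, empty files) in a
    temporary directory and audit it, optionally after repairing."""
    listing = {"authorized_keys": 0o664, "id_rsa": 0o600,
               "id_rsa.pub": 0o644, "known_hosts": 0o644}
    with tempfile.TemporaryDirectory() as d:
        for name, mode in listing.items():
            p = os.path.join(d, name)
            open(p, "w").close()
            os.chmod(p, mode)
        os.chmod(d, 0o700)
        if repair:
            repair_ssh_dir(d)
        return audit_ssh_dir(d)


if __name__ == "__main__":
    for name, mode, allowed in demo():
        print("%s is %o, at most %o allowed" % (name, mode, allowed))
    print("after repair:", demo(repair=True))
```

Run against a real account with audit_ssh_dir(os.path.expanduser("~/.ssh")); ownership is not checked here, but sshd also requires the file and every parent directory to be owned by the user or root.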
Port forwarding
- client
ssh -L 8888:127.0.0.1:6379 saas@192.168.56.222
- server
redis-cli
set test 1
- client
redis-cli -p 8888
keys * # 1) "test"
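What -L 8888:127.0.0.1:6379 does is start a listener on the client (bound to 127.0.0.1 by default, so other machines cannot reach the tunnel) and, for each accepted connection, have sshd on the server open 127.0.0.1:6379 from its side; that is why a redis bound only to loopback on the server becomes reachable as localhost:8888 on the client. The Python program below is an added example, not code from the original post or from OpenSSH: it reproduces the relay mechanics in a single process, with a tiny echo service standing in for redis, all ports chosen at runtime, and no encryption, since the point is the forwarding logic rather than the SSH transport.

```python
import queue
import socket
import threading


def _pump(src, dst):
    """Copy bytes from src to dst until EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def serve_forward(listen_addr, target_addr, ready):
    """Accept one connection on listen_addr and splice it to target_addr.

    This is the client half of `ssh -L bind:port:host:hostport`: the
    listener that ssh opens locally. In a real tunnel the bytes would ride
    the SSH channel and sshd would connect to host:hostport; here both
    halves live in one process so the relay is direct. Binding to
    127.0.0.1 keeps the tunnel private to this machine.
    """
    ls = socket.socket()
    ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    ls.bind(listen_addr)
    ls.listen(1)
    ready.put(ls.getsockname()[1])  # report the port actually chosen
    client, _ = ls.accept()
    ls.close()
    remote = socket.create_connection(target_addr)
    t = threading.Thread(target=_pump, args=(remote, client), daemon=True)
    t.start()
    _pump(client, remote)
    t.join()
    remote.close()
    client.close()


def serve_echo(ready):
    """Stand-in for the loopback-only service on the server (redis on 6379
    in the text): answers one request with a '+' prefix and closes."""
    ls = socket.socket()
    ls.bind(("127.0.0.1", 0))
    ls.listen(1)
    ready.put(ls.getsockname()[1])
    conn, _ = ls.accept()
    ls.close()
    conn.sendall(b"+" + conn.recv(4096))
    conn.close()


def round_trip(payload=b"PING"):
    """Start the echo service and the forwarder, send payload through the
    local listener and return what came back."""
    q_echo, q_fwd = queue.Queue(), queue.Queue()
    threading.Thread(target=serve_echo, args=(q_echo,), daemon=True).start()
    echo_port = q_echo.get(timeout=5)
    threading.Thread(target=serve_forward,
                     args=(("127.0.0.1", 0), ("127.0.0.1", echo_port), q_fwd),
                     daemon=True).start()
    fwd_port = q_fwd.get(timeout=5)
    with socket.create_connection(("127.0.0.1", fwd_port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        reply = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            reply += chunk
    return reply


if __name__ == "__main__":
    print(round_trip(b"PING"))  # b'+PING'
```

The listen address is the first field of -L; leaving it at the default (127.0.0.1) is the safer choice, because a tunnel bound to 0.0.0.0 exposes the server's loopback-only service to anyone who can reach the client machine.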