SSH Tools

Author: 诺之林 | Source: published 2020-03-18 17:14, read 0 times

The environment for this article is Ubuntu 16.04.

Preparation

sudo passwd
# set the root password

sudo adduser test
# add the test user that the client will log in as

Client

Commands

ssh-keygen -t rsa -C "test@test.com"
# when prompted for the file name, save the key as /Users/kevin/.ssh/test
# (the public half is written next to it as /Users/kevin/.ssh/test.pub)

ssh-copy-id -i ~/.ssh/test.pub test@192.168.xx.xx
# this first login still uses the test user's password; ssh-copy-id appends
# test.pub to ~/.ssh/authorized_keys on the server, creating the file if needed

ssh test@192.168.xx.xx "ls -l ~/.ssh/"
# -rw------- 1 test test 395 Mar 18 17:02 authorized_keys

vim ~/.ssh/config
# Host 192.168.xx.xx
#   IdentityFile ~/.ssh/test
# with this entry, ssh picks the test key for this host without needing -i

ssh test@192.168.xx.xx "cat ~/.ssh/authorized_keys" > server.pub
cat ~/.ssh/test.pub > local.pub
diff server.pub local.pub
# no output means the server holds exactly the key that was copied. Note that
# this comparison only works while authorized_keys contains that single key with
# its original comment; `>` rather than `>>` keeps the check repeatable.
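The diff above breaks as soon as the server holds more than one key or the comment differs. The following check is added here as an example and is not part of the original post: it compares only the key type and base64 blob of the local public key against every line of a fetched authorized_keys copy. The fixture files it builds are constructed placeholders (the base64 bodies are padding, not real key material); `make_key_fixture` exists only for the dry run.

```sh
#!/bin/sh
# Check whether a local public key is present in a copy of the server's
# authorized_keys. Only the key type and base64 blob (fields 1 and 2 of a
# public key line) are compared, so the check holds when the comment differs,
# when the server holds other keys, or when the line carries an options prefix
# such as 'no-pty,from="192.168.0.0/16" ssh-ed25519 AAAA...'.
# Returns 0 if present, 1 if absent, 2 if the public key file is malformed.

key_in_authorized_keys() {
    pub_file=$1
    auth_file=$2
    key_type=$(awk 'NR == 1 { print $1 }' "$pub_file")
    key_blob=$(awk 'NR == 1 { print $2 }' "$pub_file")
    # a public key file is "<type> <base64> [comment]"; anything else is malformed
    [ -n "$key_type" ] && [ -n "$key_blob" ] || return 2
    # drop comment lines, then look for the exact "<type> <base64>" pair;
    # -F because the blob contains '/' and '+', which are not regex-safe
    grep -v '^[[:space:]]*#' "$auth_file" | grep -qF "$key_type $key_blob"
}

# Constructed fixture for a dry run. The base64 bodies are placeholders
# padded with 'A', not real key material.
make_key_fixture() {
    dir=$1
    mkdir -p "$dir"
    # the key we copied with ssh-copy-id
    printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderNotARealKeyAAAAAAAAAAAAAAAAA test@test.com' > "$dir/test.pub"
    # a key that was never copied
    printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAnotherPlaceholderKeyAAAAAAAAAAAAAAAAAA other@test.com' > "$dir/other.pub"
    # a file that is not a public key at all
    printf '%s\n' 'garbage' > "$dir/bad.pub"
    # what the server might hold: a comment, someone else's key, then our key
    # with a different comment and an options prefix
    cat > "$dir/authorized_keys" <<'EOF'
# keys managed by hand
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPlaceholderRsaKeyAAAAAAAAAAAAAAAAAAAAAAAAA admin@laptop
no-pty,from="192.168.0.0/16" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderNotARealKeyAAAAAAAAAAAAAAAAA kevin-mac
EOF
}

# Real use, after fetching the server copy:
#   ssh test@192.168.xx.xx "cat ~/.ssh/authorized_keys" > server_authorized_keys
#   key_in_authorized_keys ~/.ssh/test.pub server_authorized_keys && echo "key present"
```

Matching on the type and blob is also what sshd itself does when it walks authorized_keys, so a hit here means the login will be accepted (subject to any options prefix, which this check deliberately ignores).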

Files

man ssh
  • ~/.ssh/ => 700
    This directory is the default location for all user-specific configuration and authentication information. There is no general requirement to keep the entire contents of this directory secret, but the recommended permissions are read/write/execute for the user, and not accessible by others.
  • ~/.ssh/known_hosts => 600
    Contains a list of host keys for all hosts the user has logged into that are not already in the systemwide list of known host keys. This file should be writable only by root/the owner and can, but need not be, world-readable.
  • ~/.ssh/config => 600
    This is the per-user configuration file. Because of the potential for abuse, this file must have strict permissions: read/write for the user, and not writable by others.
  • ~/.ssh/id_rsa => 400
    Contains the private key for authentication. These files contain sensitive data and should be readable by the user but not accessible by others (read/write/execute).
  • ~/.ssh/id_rsa.pub => 400
    Contains the public key for authentication. These files are not sensitive and can (but need not) be readable by anyone.

The modes on the left are the author's choices; for known_hosts and id_rsa.pub they are stricter than the man page requires, since both may be world-readable. ssh refuses to use a private key or config file that is readable or writable by others, so the 600/400 values for those are the ones that matter.

Server

Configuration

dpkg -l | grep ssh
# openssh-server

sudo service --status-all | grep ssh
# [ + ]  ssh

sudo service ssh status
# Active: active (running)
  • man sshd_config

  • /etc/ssh/sshd_config => the server configuration file

  • Port => 2222 | listen on port 2222 instead of 22

  • PermitRootLogin => no | do not allow root to log in (the Ubuntu 16.04 default is prohibit-password, which still lets root in with a key)

  • DenyUsers => test | do not allow the test user to log in

  • PasswordAuthentication => no | disable password login (only after a key login has been verified, or you lock yourself out)

  • ClientAliveInterval => 10 | seconds without client traffic before sshd runs an alive check

  • ClientAliveCountMax => 0 | number of unanswered alive checks tolerated before the connection is dropped

Setting ClientAliveInterval 10 together with ClientAliveCountMax 0 drops a session after 10 seconds without traffic from the client on the OpenSSH 7.2 that ships with Ubuntu 16.04. This is a version-specific trick: since OpenSSH 8.2, ClientAliveCountMax 0 disables connection termination entirely, and with any positive count the client answers the alive check automatically, so an idle but connected session is never terminated. On newer servers an idle timeout therefore has to be enforced elsewhere, for example with a read-only TMOUT in the login shell. After editing sshd_config, validate it with `sudo sshd -t` and restart with `sudo service ssh restart` while keeping an existing session open, so that a mistake cannot lock you out.
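To apply the settings above without hand-editing, here is an added example script that is not part of the original post. It respects the rules that make sshd_config editing error-prone: directive names are case-insensitive, the first occurrence of a directive wins, and anything after a `Match` line applies only to matching connections, so a new value must replace the first top-level occurrence or be inserted before the first `Match` block. The sample config it builds is constructed, modelled on the Ubuntu 16.04 package default; `sudo sshd -t` is not run here and is still required before restarting the service.

```sh
#!/bin/sh
# Idempotent editing of sshd_config directives. The rarely used "Key=Value"
# spelling is not handled; the usual "Key Value" form is.

# $1 = config file, $2 = directive, $3 = value
set_sshd_option() {
    file=$1 key=$2 value=$3
    awk -v key="$key" -v value="$value" '
        tolower($1) == "match" { in_match = 1 }
        # replace the first active top-level occurrence of the directive
        !in_match && !done && tolower($1) == tolower(key) { print key, value; done = 1; next }
        # reached a Match block without seeing the directive: insert it just before
        in_match && !done { print key, value; done = 1 }
        { print }
        END { if (!done) print key, value }
    ' "$file" > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
    # cat-over instead of mv keeps the original owner and mode of the file
}

# $1 = config file, $2 = directive. Prints the effective top-level value
# (first token only), or nothing if the directive is absent.
get_sshd_option() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# The settings from the list above.
harden_sshd_config() {
    set_sshd_option "$1" Port 2222
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" ClientAliveInterval 10
    # 0 = drop after the first silent interval on OpenSSH 7.x (Ubuntu 16.04);
    # on OpenSSH 8.2 and later 0 disables disconnection instead
    set_sshd_option "$1" ClientAliveCountMax 0
    # "DenyUsers test" would be set the same way; it is left out here because
    # it would undo the test-user setup from the Client section
}

# Constructed sample modelled on the Ubuntu 16.04 package default, with a
# Match block added to show that it is left alone.
make_sample_sshd_config() {
    cat > "$1" <<'EOF'
# Package generated configuration file
#Port 22
Protocol 2
PermitRootLogin prohibit-password
PasswordAuthentication yes
UsePAM yes
Match User deploy
    PasswordAuthentication no
EOF
}

# Real use (keep a second session open until the new config is confirmed):
#   sudo cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
#   sudo sh -c '. ./this_script.sh; harden_sshd_config /etc/ssh/sshd_config'
#   sudo sshd -t && sudo service ssh restart
```

Note that `#Port 22` in the package default is a comment, so the script does not "uncomment" it; it adds an active `Port 2222` line, which is what sshd reads. The indented `PasswordAuthentication no` inside the `Match` block is left untouched, since changing it would alter policy for the matched users only.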

Files

man sshd
  • ~/.ssh/ => 700
    This directory is the default location for all user-specific configuration and authentication information. There is no general requirement to keep the entire contents of this directory secret, but the recommended permissions are read/write/execute for the user, and not accessible by others.
  • ~/.ssh/authorized_keys => 600
    Lists the public keys (DSA, ECDSA, Ed25519, RSA) that can be used for logging in as this user. The content of the file is not highly sensitive, but the recommended permissions are read/write for the user, and not accessible by others.
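The two file tables (the ssh(1) list in the Client section and the sshd(8) list here) give mode limits that are easy to get wrong, and sshd silently refuses a key when StrictModes finds authorized_keys or its directory too open. The following audit is an added example, not part of the original post: it checks every entry of an ~/.ssh directory against those limits. Limits for the named files come from the man page text quoted above; the 600 limit for unlisted names (such as the page's private key `test`) is this script's own policy. It assumes GNU or busybox `stat -c` (Linux), and the fixture it builds is constructed from empty placeholder files.

```sh
#!/bin/sh
# Audit an ~/.ssh directory against the mode limits quoted from ssh(1) and
# sshd(8) above. Prints one line per finding; the return value is the number
# of findings (0 means clean).

# Maximum permitted mode per file, in octal. A file passes when it has no
# permission bit set outside this maximum, so a 400 private key passes the
# 600 limit.
max_mode_for() {
    case "$1" in
        .)                                 echo 700 ;;   # ~/.ssh itself
        id_rsa|id_dsa|id_ecdsa|id_ed25519) echo 600 ;;   # private keys
        *.pub)                             echo 644 ;;   # public keys may be world-readable
        authorized_keys|config)            echo 600 ;;   # user-only
        known_hosts)                       echo 644 ;;   # readable by all, writable only by owner
        *)                                 echo 600 ;;   # this script's policy for anything else
    esac
}

# $1 = path, $2 = maximum mode. Prints a finding and returns 1 on a violation.
check_path() {
    mode=$(stat -c %a "$1")
    if [ "$(stat -c %u "$1")" != "$(id -u)" ]; then
        echo "$1: not owned by the current user (sshd's StrictModes rejects this too)"
        return 1
    fi
    # bitwise: any permission bit present in $mode but absent from $2 is a violation
    if [ $(( 0$mode & ~0$2 )) -ne 0 ]; then
        echo "$1: mode $mode, expected at most $2"
        return 1
    fi
    return 0
}

audit_ssh_dir() {
    dir=$1
    findings=0
    check_path "$dir" "$(max_mode_for .)" || findings=$((findings + 1))
    for path in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$path" ] || continue             # skip an unmatched glob pattern
        name=${path##*/}
        check_path "$path" "$(max_mode_for "$name")" || findings=$((findings + 1))
    done
    return "$findings"                         # assumes fewer than 256 findings
}

# Constructed fixture: an ~/.ssh with two deliberate mistakes. The key files
# are empty placeholders, not real keys. Prints the directory it created.
make_ssh_fixture() {
    dir=$1/.ssh
    mkdir -p "$dir" && chmod 700 "$dir"
    for f in id_ed25519 id_ed25519.pub authorized_keys config known_hosts test; do
        : > "$dir/$f"
    done
    chmod 600 "$dir/id_ed25519" "$dir/config"
    chmod 644 "$dir/id_ed25519.pub"
    chmod 400 "$dir/test"                      # the page's private key; stricter than needed is fine
    chmod 644 "$dir/authorized_keys"           # finding 1: readable by others
    chmod 664 "$dir/known_hosts"               # finding 2: group-writable
    echo "$dir"
}

# Real use:  audit_ssh_dir ~/.ssh; echo "findings: $?"
```

sshd's own StrictModes check goes further than this script: it also requires that the home directory and every parent of ~/.ssh are not group- or world-writable, so a clean result here does not rule out a `bad ownership or modes for directory` error in the server log.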

Article link: https://www.haomeiwen.com/subject/sflcyhtx.html