SSH
Remote login software
1. Password login and host key verification
ssh username@$ip
[root@vms001 ~]# ssh root@192.168.26.102
The authenticity of host '192.168.26.102 (192.168.26.102)' can't be established.
ECDSA key fingerprint is 52:69:ce:88:35:78:6b:e9:1b:67:9c:95:c8:09:2e:e0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.26.102' (ECDSA) to the list of known hosts.
root@192.168.26.102's password:
2. Create a key pair for login
1. Generate the key pair
[root@vms001 ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 123456
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Passphrases do not match. Try again.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in 123456.
Your public key has been saved in 123456.pub.
The key fingerprint is:
b4:83:3e:d5:0c:f6:0a:9d:83:e5:1c:c0:1a:18:92:4a root@vms001.example.com
The key's randomart image is:
+--[ RSA 2048]----+
|...o .. |
|.E. . .. |
|o o * |
|. . X O |
| + S + |
| . o + |
| o . |
| . |
| |
+-----------------+
2. Send the public key to the machine you want to log in to
[root@vms001 ~]# ssh-copy-id root@192.168.26.102
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.26.102's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@192.168.26.102'"
and check to make sure that only the key(s) you wanted were added.
3. Check that the transfer succeeded
[root@vms002 ~]# ls .ssh/
authorized_keys known_hosts
authorized_keys is present, so the copy succeeded
4. Login without a password now works
[root@vms001 ~]# ssh root@192.168.26.102
Last login: Wed Oct 30 20:26:18 2019 from vms001.example.com
-bash-4.2#
5. After logging in, the prompt shows up as -bash-4.2$:
Solution
(the public key contains the private key)
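The check a practitioner runs after step 2, and again whenever key login unexpectedly asks for a password, as an added example that is not part of the original notes: it lists what is in authorized_keys (what ssh-copy-id's last message asks you to verify) and tests the permissions that sshd's StrictModes enforces. The .ssh directory, key blobs and comments in the sample are constructed, not real keys.

```shell
#!/bin/sh
# Added example, not from the original post: after ssh-copy-id, do what its last
# message asks ("check to make sure that only the key(s) you wanted were added")
# and what sshd's StrictModes (on by default) checks before accepting a key: the
# .ssh directory and authorized_keys must not be group- or world-writable. A wrong
# mode is the usual reason step 4 still prompts for a password.

# Print "<type> <comment>" for each key in authorized_keys $1. ssh-dss is flagged
# because OpenSSH has refused it by default since 7.0. Options containing spaces
# (e.g. command="a b") are not handled by this simple field split.
list_authorized_keys() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        {
            for (i = 1; i <= NF; i++)   # skip leading options such as from="..."
                if ($i ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521))$/) break
            if (i > NF) { print "UNPARSED " $0; next }
            flag = ($i == "ssh-dss") ? " [weak: disabled by default]" : ""
            out = $i flag
            for (j = i + 2; j <= NF; j++) out = out " " $j   # comment field(s)
            print out
        }' "$1"
}

# Print one finding per path in $@ that is group- or world-writable.
check_modes() {
    for p in "$@"; do
        [ -z "$(find "$p" -prune \( -perm -020 -o -perm -002 \))" ] ||
            echo "$p is group/world-writable; StrictModes will reject key login"
    done
}

# Constructed sample .ssh directory (dummy key blobs, not real keys); prints its path.
make_sample() {
    d=$(mktemp -d); mkdir "$d/.ssh"; chmod 700 "$d/.ssh"
    cat > "$d/.ssh/authorized_keys" <<'EOF'
# constructed: the key installed by ssh-copy-id above
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDummyBlobNotARealKey root@vms001.example.com
from="192.168.26.0/24" ssh-dss AAAAB3NzaC1kc3MAAACBDummyBlob old@vms001
EOF
    chmod 600 "$d/.ssh/authorized_keys"; echo "$d"
}

d=$(make_sample)
list_authorized_keys "$d/.ssh/authorized_keys"
check_modes "$d/.ssh" "$d/.ssh/authorized_keys"   # prints nothing: modes are correct
rm -rf "$d"
```

On a real target, point both functions at /root/.ssh (or the user's ~/.ssh) instead of the sample directory.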
SSH server configuration file security settings
[root@vms001 ~]# vim /etc/ssh/sshd_config
# The default port is 22; it can be changed to a less obvious port
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# The default requires explicit activation of protocol 1
#Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Ciphers and keying
#RekeyLimit default none
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
# root may log in over ssh; change to no to restrict root to console access only
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#RSAAuthentication yes
# Controls whether key-based login is allowed
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
# Default for new installations.
UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
# Changing this to no speeds up ssh logins
UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# TcpForwarding no
# PermitTTY no
# ForceCommand cvs server
# Accounts allowed to log in
AllowUsers admin
# Deny redhat from logging in, and deny redhat when connecting from the IP address 192.168.26.102
DenyUsers redhat redhat@192.168.26.102
Login whitelists and blacklists can also be set up by editing /etc/hosts.deny and /etc/hosts.allow.
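An added example, not part of the original notes, that audits a copy of sshd_config for the settings annotated above (PermitRootLogin, PasswordAuthentication, UseDNS, Port, AllowUsers) and flags trailing text after a value, which sshd does not treat as a comment. The configuration it reads is a constructed sample; point sshd_audit at /etc/ssh/sshd_config to check a real file.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for the settings
# discussed above. Two sshd rules matter: the FIRST uncommented occurrence of a
# keyword wins (later duplicates are ignored), and text after a value is not a
# comment: "//" never is, and older sshd versions reject a trailing "#" with
# "garbage at end of line". Run `sshd -t` before restarting the service.

# Print the effective value of keyword $2 in file $1 (empty if unset).
# Keywords inside a Match block are not distinguished by this simple scan.
sshd_effective() {
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == kw { print $2; exit }' "$1"
}

# Print one line per finding for file $1 (the caller counts the lines).
sshd_audit() {
    f=$1
    for pair in PermitRootLogin=no PasswordAuthentication=no UseDNS=no; do
        kw=${pair%%=*}; want=${pair#*=}; got=$(sshd_effective "$f" "$kw")
        [ "$got" = "$want" ] ||
            printf '%s: effective value is "%s", want %s\n' "$kw" "${got:-unset}" "$want"
    done
    port=$(sshd_effective "$f" Port)
    [ -n "$port" ] && [ "$port" != 22 ] ||
        echo "Port: default 22 in use; the notes above suggest a non-default port"
    [ -n "$(sshd_effective "$f" AllowUsers)" ] ||
        echo "AllowUsers: unset, so every account with valid credentials may log in"
    awk '!/^[ \t]*#/ && NF > 2 && (index($0, "#") || index($0, "//")) {
        printf "line %d: trailing text after the value: %s\n", NR, $0 }' "$f"
}

# Constructed sample (not a real server file) mirroring the values shown above.
sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
#Port 22
PermitRootLogin yes
#PasswordAuthentication yes
PasswordAuthentication yes
UseDNS yes # change to no
AllowUsers admin // allowed users
EOF
    echo "$f"
}

cfg=$(sample_config)
sshd_audit "$cfg"    # six findings for the sample
rm -f "$cfg"
```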
Remote login with VNC
1. Install the VNC server
[root@vms001 ~]# yum install -y *vnc*
[root@vms002 ~]# vncserver :2
After setting a password, connect with ip:2