SSH命令詳解

ssh是一種安全的遠(yuǎn)程登錄及傳輸協(xié)議。ssh可用于遠(yuǎn)程登錄、遠(yuǎn)程文件傳輸?shù)?。ssh是安全的shell。

使用ssh協(xié)議可以安全地將客戶端與服務(wù)端通過網(wǎng)絡(luò)連接起來，這為遠(yuǎn)程調(diào)試設(shè)備提供了可能性。ssh遠(yuǎn)程登錄后的操作完全同本地shell的操作一致。

ssh安全登錄的方式有2種，密碼口令驗證和密鑰驗證。

ssh命令選項

密鑰驗證流程

ssh命令選項

要查看ssh詳細(xì)的命令選項，請在Linux系統(tǒng)終端鍵入

$man ssh

man ssh

man ssh翻譯內(nèi)容參考

https://www.cnblogs.com/f-ck-need-u/p/7120669.html

ssh命令詳解及使用

1.ssh連接遠(yuǎn)程主機(jī)

$ ssh user@hostname

最簡單的用法只需要指定用戶名和主機(jī)名參數(shù)即可，主機(jī)名可以是 IP 地址或者域名。例如：

# ssh cl@192.168.125.103

2.ssh連接指定端口的ssh服務(wù)

$ ssh -p 10022 user@hostname

SSH 默認(rèn)連接到目標(biāo)主機(jī)的 22 端口上，可以使用-p選項指定端口號 例如：

ssh cl@192.168.125.103 -p 5030

3.連接到ssh服務(wù)并執(zhí)行一條命令，打印結(jié)果到本地

$ ssh pi@10.42.0.47 ls -l

直接連接并在后面加上要執(zhí)行的命令就可以了 4.ssh及sshd配置

ssh配置在/etc/ssh目錄下

ssh配置目錄

SSH 的配置文件在 /etc/ssh/ssh_config 中，你可以看到端口號, 空閑超時時間等配置項，可以看到ssh非對稱密鑰有dsa、ecdsa、rsa等幾種，sshd的配置文件在/etc/ssh/sshd_config目錄下。

5.構(gòu)建ssh密鑰對

$ ssh-keygen -t rsa

使用 ssh-keygen -t +算法 ，現(xiàn)在大多數(shù)都使用rsa或者dsa算法

6.查看是否已經(jīng)添加了對應(yīng)主機(jī)的密鑰

$ ssh-keygen -F 222.24.51.147

7.刪除主機(jī)密鑰

$ ssh-keygen -R 222.24.51.147

使用-R選項，也可以在~/.ssh/known_hosts文件中手動刪除

8.綁定源地址

$ ssh -b 192.168.0.200  root@192.168.0.103

如果客戶端有多于兩個以上的 IP 地址，你不確定使用哪個IP來連接ssh服務(wù)器。我們可以使用 -b 選項來指定一個IP 地址。這個 IP 將會被用作建立連接的源地址。

9.對數(shù)據(jù)請求壓縮

$ ssh -C root@192.168.0.103

使用 -C 選項，所有通過 SSH 發(fā)送或接收的數(shù)據(jù)將會被壓縮，并且仍然是加密的

10.打開調(diào)試模式

$ ssh -v root@192.168.0.103

-v參數(shù)可以打印出調(diào)試信息，如下圖所示：

ssh調(diào)試信息

11.當(dāng)前用戶的ssh密鑰

cl@CL:~/.ssh$ ls
id_rsa  id_rsa.pub  known_hosts

12.known_hosts文件

known_hosts內(nèi)容

當(dāng)服務(wù)端被連接會在該路徑下known_hosts生成key驗證信息，用來驗證客戶端的IP地址與公鑰。

首次ssh連接服務(wù)端，服務(wù)端就會記錄連接的IP地址以及公鑰信息，存放在known_hosts文件里面，后續(xù)再次連接就不需要檢查指紋信息了。

13.查看服務(wù)端指紋信息

cl@CL:/etc/ssh$ sudo ssh-keygen -lf ssh_host_rsa_key -E sha256
2048 SHA256:Nr865fluVGxdxHnWCts9+ye/enB3pokV64w+qvRElTs root@CL (RSA)
cl@CL:/etc/ssh$ sudo ssh-keygen -lf ssh_host_rsa_key -E sha1
2048 SHA1:EVIobIZxbqHJs3RA/eefuog13EI root@CL (RSA)
cl@CL:/etc/ssh$ sudo ssh-keygen -lf ssh_host_rsa_key -E md5
2048 MD5:41:63:ed:9f:d6:ad:46:27:a1:cc:d5:36:1b:0e:cc:5a root@CL (RSA)

附ssh配置文件信息/etc/ssh/ssh_config

cl@CL:/etc/ssh$ cat ssh_config

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

Host *
#   ForwardAgent no
#   ForwardX11 no
#   ForwardX11Trusted yes
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   GSSAPIKeyExchange no
#   GSSAPITrustDNS no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   IdentityFile ~/.ssh/id_ecdsa
#   IdentityFile ~/.ssh/id_ed25519
#   Port 22
#   Protocol 2
#   Cipher 3des
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
#   ProxyCommand ssh -q -W %h:%p gateway.example.com
#   RekeyLimit 1G 1h
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
    KexAlgorithms +diffie-hellman-group1-sha1

附sshd配置文件信息/etc/ssh/sshd_config

cl@CL:/etc/ssh$ cat sshd_config
# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin prohibit-password
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

附ssh_host_rsa指紋信息

cl@CL:/etc/ssh$ cat ssh_host_rsa_key.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDRD/GdIFPSLRftmrOgoCLVmJFLc9ZzgeZCjfTdfOyD2BeZJ/1OhD9fH0dhFqJnuGcKYX2ZJz93s2L1ajcnF9mfeO/qHNOuWkyWYDOWYe/POg2fgngAy7ImG5262kqE4hHu1Op7kgfcBxCUwOo7aCaSnO7alle28yXkw7IAmrX3sOFEfO7J3NNZ08M66j6XioeXGDm3xM5/Mh5r/nuCDT/HdkjvKZjvAWo1heIf7cW7I83nSnGqM36TIkbVxz70PJM9sKNvy6dpF/HBq5NOyYLh8gmp6d/+7HMza6H5bsYHImp19Q4sUggQcyghK14L1TgGM5yUH+6n/1o0Rr2qSg3B root@CL

scp命令

scp命令可以進(jìn)行本地與遠(yuǎn)端之間的文件拷貝，基于ssh協(xié)議.

#copy 本地的文件到遠(yuǎn)程的機(jī)器上 
$ scp /etc/lilo.conf cl@192.168.125.111:/home/cl

會將本地的 /etc/lilo.conf 這個文件 copy 到 192.168.125.111，使用者 cl 的家目錄下。

#copy遠(yuǎn)程機(jī)器上的文件到本地來 
$ scp cl@192.168.125.111:/etc/lilo.conf  /etc

會將 192.168.125.111 中 /etc/lilo.conf 文件copy 到本地的 /etc 目錄下。

#保持從來源 host 檔案的屬性 
$ scp –p cl@192.168.125.111:/etc/lilo.conf  /etc

若要cp目錄，使用-r選項

#拷貝遠(yuǎn)程設(shè)備/tmp/dir到/home/cl下
$ scp –r cl@192.168.125.111:/tmp/dir /home/cl
#拷貝本地設(shè)備`/home/cl/tmp`到/home/abc下
$ scp -r /home/cl/tmp  cl@192.168.125.111:/home/abc

在此必須注意使用者的權(quán)限是否可讀取遠(yuǎn)程上的檔案，若想知道更多關(guān)于 scp 的使用方法，請使用man scp。

ssh協(xié)議實現(xiàn)

ssh協(xié)議典型實現(xiàn)是openssh， 輕量實現(xiàn)是dropbear.