Linux remote login (telnet, ssh)
2012-12-31 15:48
Contents
- telnet
- ssh
- ssh equivalence
This article comes from the "Vnimos" blog; please keep this attribution: http://vnimos.blog.51cto.com/2014866/1105117
telnet

```
[root@rhel6 ~]# rpm -qa | grep telnet
telnet-server-0.17-47.el6.x86_64
telnet-0.17-47.el6.x86_64
[root@rhel6 ~]# vi /etc/xinetd.d/telnet      // telnet is started through xinetd
# default: on
# description: The telnet server serves telnet sessions; it uses \
#       unencrypted username/password pairs for authentication.
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = no
        instances       = 1                  // maximum number of connections (only one telnet login at a time)
#       bind            = 192.168.0.90       // only accept packets arriving through this interface
#       only_from       = 192.168.0.0/24     // only allow this subnet to reach telnet
#       no_access       = 192.168.0.100      // deny this IP access to telnet
#       access_times    = 9:00-18:00         // hours during which the telnet service is available
}
[root@rhel6 ~]# /etc/init.d/xinetd restart
Stopping xinetd:                                           [  OK  ]
Starting xinetd:                                           [  OK  ]
[root@rhel5 ~]# telnet rhel6
Trying 192.168.0.90...
Connected to rhel6.
Escape character is '^]'.
Red Hat Enterprise Linux Server release 6.2 (Santiago)
Kernel 2.6.32-220.el6.x86_64 on an x86_64
login: root
Password:
Login incorrect                               // root may not log in via telnet by default
login: xfcy
Password:
Last login: Wed Dec 26 17:17:08 from rhel6
[xfcy@rhel6 ~]$ who
root     pts/0        2012-12-27 12:01 (192.168.0.90)
xfcy     pts/1        2012-12-27 12:18 (rhel5)
[xfcy@rhel6 ~]$ telnet rhel6
Trying 192.168.0.90...
Connected to rhel6.
Escape character is '^]'.
Connection closed by foreign host.            // a second telnet login is refused (instances = 1)
[root@rhel6 ~]# netstat -lntp | grep :23      // listens on port 23 by default
tcp        0      0 :::23                       :::*                        LISTEN      5169/xinetd
[xfcy@rhel6 ~]$ vi /etc/services              // change the telnet service port to 230
telnet          230/tcp
telnet          230/udp
[root@rhel6 ~]# /etc/init.d/xinetd restart
Stopping xinetd:                                           [  OK  ]
Starting xinetd:                                           [  OK  ]
[root@rhel6 ~]# netstat -lntp | grep :23
tcp        0      0 :::230                      :::*                        LISTEN      5319/xinetd
[root@rhel5 ~]# telnet rhel6
Trying 192.168.0.90...                        // port 23 no longer reaches the telnet service
telnet: connect to address 192.168.0.90: Connection refused
telnet: Unable to connect to remote host: Connection refused
[root@rhel5 ~]# telnet rhel6 230              // port 230 reaches the telnet service
Trying 192.168.0.90...
Connected to rhel6.xfcy.org (192.168.0.90).
Escape character is '^]'.
Red Hat Enterprise Linux Server release 6.2 (Santiago)
Kernel 2.6.32-220.el6.x86_64 on an x86_64
login: xfcy
Password:
Last login: Thu Dec 27 12:50:16 from rhel5
[xfcy@rhel6 ~]$ netstat -an | grep :23
tcp        0      0 192.168.0.90:230            192.168.0.89:51147          ESTABLISHED
tcp        0      0 :::230                      :::*                        LISTEN
```

By default, Linux does not allow root to log in to the host via telnet. To allow root to log in, use one of the following three methods:

1. Edit the login PAM file. On Red Hat, the restriction on remote login lives in /etc/pam.d/login; if the restricting entry is commented out, the restriction no longer takes effect.

```
[root@rhel5 ~]# vi /etc/pam.d/login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
#account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    include      system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    optional     pam_keyinit.so force revoke
```

2. Remove the securetty file. The check rule is defined in /etc/securetty, which states that root may only log in on the terminals tty1 through tty11; removing the file bypasses the check and lets root log in remotely.

```
[root@rhel5 ~]# mv /etc/securetty /etc/securetty.bak
```

3. Edit the securetty file.

```
[root@rhel5 ~]# vi /etc/securetty
console
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
vc/7
vc/8
vc/9
vc/10
vc/11
tty1
tty2
tty3
tty4
tty5
tty6
tty7
tty8
tty9
tty10
tty11
pts/1
pts/2
pts/3
pts/4
pts/5
pts/6
pts/7
pts/8
pts/9
pts/10
pts/11
```
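An added audit script (not from the original post) that applies the three methods above to constructed copies of /etc/pam.d/login and /etc/securetty and reports which pts/N terminals would accept a remote root login. It assumes pam_securetty's behaviour of succeeding when /etc/securetty is missing, and of comparing the login tty (without /dev/) against the file's lines.

```python
# Added example (not from the original post): an audit of whether a remote root
# login, which telnet places on a pts/N terminal, would pass the pam_securetty check.
# The file contents below are constructed to mirror the listings in the article.

PAM_LOGIN = """#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
"""
SECURETTY = "console\n" + "".join(f"tty{i}\n" for i in range(1, 12))
SECURETTY_PTS = SECURETTY + "".join(f"pts/{i}\n" for i in range(1, 12))   # method 3


def securetty_enforced(pam_login_text):
    """True while /etc/pam.d/login still has an active (uncommented) pam_securetty.so auth line."""
    for line in pam_login_text.splitlines():
        fields = line.split()
        if fields and fields[0] == "auth" and "pam_securetty.so" in fields:
            return True
    return False


def root_allowed_on(tty, pam_login_text, securetty_text):
    """Mirror pam_securetty for root on `tty` (e.g. 'pts/1'):
    no active module line -> no terminal restriction (method 1);
    /etc/securetty missing (None) -> the module succeeds for compatibility (method 2);
    otherwise the tty, without any /dev/ prefix, must be listed in /etc/securetty."""
    if not securetty_enforced(pam_login_text) or securetty_text is None:
        return True
    if tty.startswith("/dev/"):
        tty = tty[len("/dev/"):]
    listed = {l.strip() for l in securetty_text.splitlines() if l.strip() and not l.startswith("#")}
    return tty in listed


def remote_root_ptys(pam_login_text, securetty_text, max_pts=20):
    """pts/N terminals (0 <= N < max_pts) on which a remote root login would be accepted."""
    return [f"pts/{i}" for i in range(max_pts)
            if root_allowed_on(f"pts/{i}", pam_login_text, securetty_text)]


if __name__ == "__main__":
    print("default :", remote_root_ptys(PAM_LOGIN, SECURETTY))
    print("method 1:", remote_root_ptys(PAM_LOGIN.replace("\nauth [", "\n#auth ["), SECURETTY))
    print("method 2:", remote_root_ptys(PAM_LOGIN, None))
    print("method 3:", remote_root_ptys(PAM_LOGIN, SECURETTY_PTS))
```

Because the list in method 3 starts at pts/1, a root telnet session that happens to land on pts/0 is still refused. Note also that in the method 1 listing the line that ends up commented out is pam_nologin.so, which governs /etc/nologin; the terminal check itself is the pam_securetty.so auth line.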
ssh
```
[root@rhel6 ~]# rpm -qa | grep openssh
openssh-server-5.3p1-70.el6.x86_64
openssh-clients-5.3p1-70.el6.x86_64
openssh-5.3p1-70.el6.x86_64
openssh-askpass-5.3p1-70.el6.x86_64
[root@rhel6 ~]# cat /etc/ssh/sshd_config
#Port 22                    // port the ssh service listens on
#MaxStartups 10             // maximum number of connections
#ListenAddress 0.0.0.0
#PermitRootLogin yes
Protocol 2                  // allow only the SSH-2 protocol
SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
X11Forwarding yes
Subsystem       sftp    /usr/libexec/openssh/sftp-server
```

When a client logs in to a remote server, it receives the server's public key and looks in ~/.ssh/known_hosts for a matching record, then proceeds as follows:
- If the received key has not been recorded, the user is asked whether to record it. If they accept, the key is written to ~/.ssh/known_hosts and the login continues; if they decline, nothing is written and the login is abandoned.
- If the received key already has a record, the two are compared: if they match, the login continues; if they differ, a warning is printed and the login is abandoned.

```
[root@rhel6 ~]# rm -f .ssh/known_hosts
[root@rhel6 ~]# ssh rhel6
The authenticity of host 'rhel6 (192.168.1.119)' can't be established.
RSA key fingerprint is 1a:cf:92:de:28:7d:f2:e0:e8:e6:ad:f1:7c:40:6a:67.
Are you sure you want to continue connecting (yes/no)? yes    // accept, and record the key in known_hosts
Warning: Permanently added 'rhel6,192.168.1.119' (RSA) to the list of known hosts.
root@rhel6's password:
Last login: Mon Dec 31 11:27:22 2012 from 192.168.1.19
[root@rhel6 ~]# cat .ssh/known_hosts
rhel6,192.168.1.119 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA08gfRmTgp6wM1GPgbVBsAiL6dOaKoViS9w/aL3P/NVGjYANfKQQxx2yagOxqOIFV5wefnrutdgoEmYm9sWl+9AtIf4XgMHupGWlq3jK4LWkKrN2Lg7HdijpbKzH2XuHcI1k9sRzB6F2Xhx3YdTnQKyT8wb9spKp9hzTL4ztGXrrcRW9lXBrz7jp9m4HOwim44j6SSVPTAVrCZWho2X+I27f/6DbCHNfFXV1mi+g7ERo2c8e4KwoKComXaa+E/PsBPKWOuvJgujl1VPQ2hTAWPSVXA67eR9o+39c/cOliDPq/SGsGXtWxZei9FM7G+OZAI5RdZ/Fqmbvivzfweg7IZQ==
```

Every time the sshd service starts, it looks for the /etc/ssh/ssh_host* key files; if they are missing, it generates new key pairs.

```
[root@rhel6 ~]# ls /etc/ssh/ssh_host_*
/etc/ssh/ssh_host_dsa_key      /etc/ssh/ssh_host_key      /etc/ssh/ssh_host_rsa_key        // private keys
/etc/ssh/ssh_host_dsa_key.pub  /etc/ssh/ssh_host_key.pub  /etc/ssh/ssh_host_rsa_key.pub    // public keys
[root@rhel6 ~]# rm -f /etc/ssh/ssh_host_*
[root@rhel6 ~]# ls /etc/ssh/ssh_host_*
ls: cannot access /etc/ssh/ssh_host_*: No such file or directory
[root@rhel6 ~]# /etc/init.d/sshd restart
Stopping sshd:                                             [  OK  ]
Generating SSH1 RSA host key:                              [  OK  ]    // creates the SSH1 RSA key pair
Generating SSH2 RSA host key:                              [  OK  ]    // creates the SSH2 RSA key pair
Generating SSH2 DSA host key:                              [  OK  ]    // creates the SSH2 DSA key pair
Starting sshd:                                             [  OK  ]
[root@rhel6 ~]# ls /etc/ssh/ssh_host_*
/etc/ssh/ssh_host_dsa_key      /etc/ssh/ssh_host_key      /etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_dsa_key.pub  /etc/ssh/ssh_host_key.pub  /etc/ssh/ssh_host_rsa_key.pub
[root@rhel6 ~]# ssh rhel6
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
16:1b:b4:09:20:fe:8f:48:12:e1:3c:16:5e:86:67:8b.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending key in /root/.ssh/known_hosts:1     // the host keys were regenerated, so line 1 of known_hosts no longer matches
RSA host key for rhel6 has changed and you have requested strict checking.
Host key verification failed.
[root@rhel6 ~]# sed -i '1d' .ssh/known_hosts  // delete the first line of known_hosts
[root@rhel6 ~]# ssh rhel6
The authenticity of host 'rhel6 (192.168.1.119)' can't be established.
RSA key fingerprint is 16:1b:b4:09:20:fe:8f:48:12:e1:3c:16:5e:86:67:8b.
Are you sure you want to continue connecting (yes/no)? yes    // record the new key in known_hosts
Warning: Permanently added 'rhel6,192.168.1.119' (RSA) to the list of known hosts.
root@rhel6's password:
Last login: Mon Dec 31 13:28:30 2012 from rhel6
```

ssh [-f] [-p port_num] [user@]IP [CMD]
- -f : used together with a trailing [CMD]; sends a command to the remote host without logging in interactively. Without -f, ssh waits until CMD has finished before leaving the remote host.
- -p : the port sshd listens on
- -X : enable X11 forwarding (X11 forwarding runs remote X Window applications over SSH; it is used together with xhost +)
- -Y : enable X11 forwarding

```
[root@rhel6 ~]# vi ssh_test.sh                // create a test script
#!/bin/sh
echo '####### ssh without "-f" ############'
date
ssh rhel6 sleep 10
date
echo '####### ssh with "-f" ############'
date
ssh -f rhel6 sleep 10
date
[root@rhel6 ~]# chmod +x ssh_test.sh
[root@rhel6 ~]# ./ssh_test.sh
####### ssh without "-f" ############
Mon Dec 31 14:24:26 CST 2012
Mon Dec 31 14:24:36 CST 2012                  // waits for the remote command to finish before returning
####### ssh with "-f" ############
Mon Dec 31 14:24:36 CST 2012
Mon Dec 31 14:24:36 CST 2012                  // returns immediately after dispatching the remote command
[root@rhel6 ~]# ssh rhel6
Last login: Mon Dec 31 15:13:16 2012 from rhel6
[root@rhel6 ~]# echo $DISPLAY

[root@rhel6 ~]# exit
[root@rhel6 ~]# ssh -X rhel6
Last login: Mon Dec 31 15:17:19 2012 from rhel6
[root@rhel6 ~]# echo $DISPLAY
localhost:10.0
```
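The two known_hosts branches described above, and the changed-key warning that follows a host key regeneration, as an added Python example that is not part of the original post. The host name rhel6 and its address come from the session; the key material is a constructed toy RSA blob, not the real host key.

```python
# Added example (not from the original post): the known_hosts decision the ssh client
# makes, and the MD5 fingerprint format shown in the session above. The key material is
# constructed from toy RSA parameters and is not a real host key.
import base64
import hashlib
import struct

def ssh_string(b):
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def ssh_mpint(n):
    """SSH wire-format mpint for a positive integer (one spare byte keeps the sign bit clear)."""
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def rsa_public_blob(e, n):
    """The blob that appears base64-encoded in the 'ssh-rsa AAAA...' field of known_hosts."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)

def md5_fingerprint(blob):
    """Colon-separated MD5 over the raw blob, the fingerprint format OpenSSH 5.3 prints."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())

def parse_known_hosts(text):
    """Map each host name / address of a known_hosts line to its (keytype, blob)."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        for host in fields[0].split(","):
            entries[host] = (fields[1], base64.b64decode(fields[2]))
    return entries

def check_host_key(host, keytype, offered_blob, known_hosts_text):
    """'unknown': no record, the client asks whether to add it;
    'match': the record agrees, the login continues;
    'changed': the record disagrees, the client prints the HOST IDENTIFICATION HAS CHANGED warning."""
    entries = parse_known_hosts(known_hosts_text)
    if host not in entries:
        return "unknown"
    return "match" if entries[host] == (keytype, offered_blob) else "changed"

# Constructed scenario: the key recorded on first login, and the one sshd offers
# after /etc/ssh/ssh_host_* was deleted and regenerated.
OLD_KEY = rsa_public_blob(65537, 0xC0FFEE12345678)
NEW_KEY = rsa_public_blob(65537, 0xDEADBEEFCAFEF00D)
KNOWN_HOSTS = "rhel6,192.168.1.119 ssh-rsa " + base64.b64encode(OLD_KEY).decode() + "\n"
```

The `sed -i '1d'` step above removes the 'changed' record so the next connection falls back to the 'unknown' branch; before answering yes again, compare the fingerprint the client shows with the one printed on the server by `ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub`, since the prompt alone cannot tell a regenerated key from a substituted one.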
==================================================================================
ssh equivalence
```
[root@rhel5-1 .ssh]# ssh-keygen -t rsa
Generating public/private rsa key pair.                   // just press Enter at every prompt below
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
a1:ef:d7:94:03:da:bb:64:f2:7d:4f:73:ad:92:29:a1 root@rhel5-1.xfcy.org
[root@rhel5-1 .ssh]# ls
id_rsa  id_rsa.pub                                        // the id_rsa file must exist
[root@rhel5-1 .ssh]# cat id_rsa.pub >> key
[root@rhel5-1 .ssh]# scp key rhel5-2:/root/.ssh/
The authenticity of host 'rhel5-2 (192.168.1.22)' can't be established.
RSA key fingerprint is 26:5a:c3:e5:58:f0:0d:57:94:02:b0:7f:01:27:34:2a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'rhel5-2,192.168.1.22' (RSA) to the list of known hosts.
root@rhel5-2's password:
key                                           100%  403     0.4KB/s   00:00
[root@rhel5-2 .ssh]# ls
key
[root@rhel5-2 .ssh]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
19:51:ec:c9:87:b3:7e:de:b0:e2:7d:b4:89:09:60:8f root@rhel5-2.xfcy.org
[root@rhel5-2 .ssh]# ls
id_rsa  id_rsa.pub  key
[root@rhel5-2 .ssh]# cat id_rsa.pub >> authorized_keys
[root@rhel5-2 .ssh]# cat key >> authorized_keys
[root@rhel5-2 .ssh]# scp authorized_keys rhel5-1:/root/.ssh/
The authenticity of host 'rhel5-1 (192.168.1.11)' can't be established.
RSA key fingerprint is 26:5a:c3:e5:58:f0:0d:57:94:02:b0:7f:01:27:34:2a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'rhel5-1,192.168.1.11' (RSA) to the list of known hosts.
root@rhel5-1's password:
authorized_keys                               100%  806     0.8KB/s   00:00
[root@rhel5-2 .ssh]# ls
authorized_keys  id_rsa  id_rsa.pub  key  known_hosts
[root@rhel5-2 .ssh]# ssh rhel5-1
Last login: Thu Aug 30 15:41:33 2012 from rhel5-2.xfcy.org
```

From this point on, logging in from rhel5-2 to rhel5-1 over ssh no longer asks for a password, and neither does logging in from rhel5-1 to rhel5-2.

Note: the id_rsa file must exist on both ends.