
Linux 远程登录(telnet ssh)

telnet

[root@rhel6 ~]# rpm -qa | grep telnet
telnet-server-0.17-47.el6.x86_64
telnet-0.17-47.el6.x86_64
[root@rhel6 ~]# vi /etc/xinetd.d/telnet                     //telnet是依赖于xinetd的
# default: on
# description: The telnet server serves telnet sessions; it uses \
#       unencrypted username/password pairs for authentication.
service telnet
{
flags           = REUSE
socket_type     = stream
wait            = no
user            = root
server          = /usr/sbin/in.telnetd
log_on_failure  += USERID
disable         = no
instances       = 1                                 //设置服务器最大连接数(即只允许1个用户通过telnet登录)
#       bind            = 192.168.0.90                      //只允许经由该适配器的数据包进来
#       only_from       = 192.168.0.0/24                    //只允许该网段通过telnet访问
#       no_access       = 192.168.0.100                     //不允许该IP通过telnet访问
#       access_times    = 9:00-18:00                        //telnet服务开放的时间
}
[root@rhel6 ~]# /etc/init.d/xinetd restart
Stopping xinetd:                                           [  OK  ]
Starting xinetd:                                           [  OK  ]
[root@rhel5 ~]# telnet rhel6
Trying 192.168.0.90...
Connected to rhel6.
Escape character is '^]'.
Red Hat Enterprise Linux Server release 6.2 (Santiago)
Kernel 2.6.32-220.el6.x86_64 on an x86_64
login: root
Password:
Login incorrect                                             //默认禁止root用户通过telnet登录
login: xfcy
Password:
Last login: Wed Dec 26 17:17:08 from rhel6
[xfcy@rhel6 ~]$ who
root     pts/0        2012-12-27 12:01 (192.168.0.90)
xfcy     pts/1        2012-12-27 12:18 (rhel5)
[xfcy@rhel6 ~]$ telnet rhel6
Trying 192.168.0.90...
Connected to rhel6.
Escape character is '^]'.
Connection closed by foreign host.                         //不允许第2个用户通过telnet登录
[root@rhel6 ~]# netstat -lntp | grep :23                   //默认监听23号端口
tcp        0      0 :::23                :::*        LISTEN      5169/xinetd
[xfcy@rhel6 ~]$ vi /etc/services                           //修改telnet服务的监听端口为230
telnet          230/tcp
telnet          230/udp
[root@rhel6 ~]# /etc/init.d/xinetd restart
Stopping xinetd:                                           [  OK  ]
Starting xinetd:                                           [  OK  ]
[root@rhel6 ~]# netstat -lntp | grep :23
tcp        0      0 :::230                      :::*                        LISTEN      5319/xinetd
[root@rhel5 ~]# telnet rhel6
Trying 192.168.0.90...                                     //默认通过23号端口无法访问telnet服务
telnet: connect to address 192.168.0.90: Connection refused
telnet: Unable to connect to remote host: Connection refused
[root@rhel5 ~]# telnet rhel6 230                           //通过230端口可成功访问telnet服务
Trying 192.168.0.90...
Connected to rhel6.xfcy.org (192.168.0.90).
Escape character is '^]'.
Red Hat Enterprise Linux Server release 6.2 (Santiago)
Kernel 2.6.32-220.el6.x86_64 on an x86_64
login: xfcy
Password:
Last login: Thu Dec 27 12:50:16 from rhel5
[xfcy@rhel6 ~]$ netstat -an | grep :23
tcp        0      0 192.168.0.90:230            192.168.0.89:51147          ESTABLISHED
tcp        0      0 :::230                      :::*                        LISTEN

默认情况下,linux不允许root用户以telnet方式登录linux主机,若要允许root用户登录,可采取以下3种方法之一:
1.修改login文件
redhat中对于远程登录的限制体现在/etc/pam.d/login 文件中,如果把限制的内容注释掉,那么限制将不起作用。
[root@rhel5 ~]# vi /etc/pam.d/login
#%PAM-1.0
#auth       [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
#account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    include      system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    optional     pam_keyinit.so force revoke

2.移除securetty文件
验证规则设置在/etc/securetty 文件中,该文件定义root用户只能在tty1-tty11的终端上登录,移除该文件即可避开验证规则实现root用户远程登录。
[root@rhel5 ~]# mv /etc/securetty /etc/securetty.bak

3.修改securetty文件
[root@rhel5 ~]# vi /etc/securetty
console
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
vc/7
vc/8
vc/9
vc/10
vc/11
tty1
tty2
tty3
tty4
tty5
tty6
tty7
tty8
tty9
tty10
tty11
pts/1
pts/2
pts/3
pts/4
pts/5
pts/6
pts/7
pts/8
pts/9
pts/10
pts/11


ssh

[root@rhel6 ~]# rpm -qa | grep openssh
openssh-server-5.3p1-70.el6.x86_64
openssh-clients-5.3p1-70.el6.x86_64
openssh-5.3p1-70.el6.x86_64
openssh-askpass-5.3p1-70.el6.x86_64

[root@rhel6 ~]# cat /etc/ssh/sshd_config
#Port 22                                        //设置ssh服务的端口
#MaxStartups 10                                 //设置最大连接数
#ListenAddress 0.0.0.0
#PermitRootLogin yes
Protocol 2                                      //只允许SSH2协议
SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
X11Forwarding yes
Subsystem       sftp    /usr/libexec/openssh/sftp-server

当客户端登入远程服务器时,客户端会将接收到的服务器公钥(public key)与 ~/.ssh/known_hosts 中已有的记录进行比对,然后进行底下的动作:
若接收的公钥尚未记录,则询问用户是否记录。若接受则写入 ~/.ssh/known_hosts 且继续登入的后续工作;若不接受则不写入该文件,并且离开登入工作;
若接收到的公钥已有记录,则比对记录是否相同,若相同则继续登入动作;若不相同,则出现警告信息,且离开登入的动作。
[root@rhel6 ~]# rm -f .ssh/known_hosts
[root@rhel6 ~]# ssh rhel6
The authenticity of host 'rhel6 (192.168.1.119)' can't be established.
RSA key fingerprint is 1a:cf:92:de:28:7d:f2:e0:e8:e6:ad:f1:7c:40:6a:67.
Are you sure you want to continue connecting (yes/no)? yes                 //接受并在known_hosts中创建公钥
Warning: Permanently added 'rhel6,192.168.1.119' (RSA) to the list of known hosts.
root@rhel6's password:
Last login: Mon Dec 31 11:27:22 2012 from 192.168.1.19
[root@rhel6 ~]# cat .ssh/known_hosts
rhel6,192.168.1.119 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA08gfRmTgp6wM1GPgbVBsAiL6dOaKoViS9w/aL3P/NVGjYANfKQQxx2yagOxqOIFV5wefnrutdgoEmYm9sWl+9AtIf4XgMHupGWlq3jK4LWkKrN2Lg7HdijpbKzH2XuHcI1k9sRzB6F2Xhx3YdTnQKyT8wb9spKp9hzTL4ztGXrrcRW9lXBrz7jp9m4HOwim44j6SSVPTAVrCZWho2X+I27f/6DbCHNfFXV1mi+g7ERo2c8e4KwoKComXaa+E/PsBPKWOuvJgujl1VPQ2hTAWPSVXA67eR9o+39c/cOliDPq/SGsGXtWxZei9FM7G+OZAI5RdZ/Fqmbvivzfweg7IZQ==

每一次启动sshd服务时,sshd服务端都会主动去找/etc/ssh/ssh_host*的公私钥文件,如果不存在则会重新创建公私钥
[root@rhel6 ~]# ls /etc/ssh/ssh_host_*
/etc/ssh/ssh_host_dsa_key      /etc/ssh/ssh_host_key      /etc/ssh/ssh_host_rsa_key     //私钥
/etc/ssh/ssh_host_dsa_key.pub  /etc/ssh/ssh_host_key.pub  /etc/ssh/ssh_host_rsa_key.pub //公钥
[root@rhel6 ~]# rm -f /etc/ssh/ssh_host_*
[root@rhel6 ~]# ls /etc/ssh/ssh_host_*
ls: cannot access /etc/ssh/ssh_host_*: No such file or directory
[root@rhel6 ~]# /etc/init.d/sshd restart
Stopping sshd:                                             [  OK  ]
Generating SSH1 RSA host key:                              [  OK  ]    //创建SSH1的RSA公私钥
Generating SSH2 RSA host key:                              [  OK  ]    //创建SSH2的RSA公私钥
Generating SSH2 DSA host key:                              [  OK  ]    //创建SSH2的DSA公私钥
Starting sshd:                                             [  OK  ]
[root@rhel6 ~]# ls /etc/ssh/ssh_host_*
/etc/ssh/ssh_host_dsa_key      /etc/ssh/ssh_host_key      /etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_dsa_key.pub  /etc/ssh/ssh_host_key.pub  /etc/ssh/ssh_host_rsa_key.pub

[root@rhel6 ~]# ssh rhel6
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
16:1b:b4:09:20:fe:8f:48:12:e1:3c:16:5e:86:67:8b.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending key in /root/.ssh/known_hosts:1                                   //由于更新了公私钥,故提示known_hosts文件中第1行的信息不匹配
RSA host key for rhel6 has changed and you have requested strict checking.
Host key verification failed.

[root@rhel6 ~]# sed -i '1d' .ssh/known_hosts                                //删除known_hosts的第一行内容
[root@rhel6 ~]# ssh rhel6
The authenticity of host 'rhel6 (192.168.1.119)' can't be established.
RSA key fingerprint is 16:1b:b4:09:20:fe:8f:48:12:e1:3c:16:5e:86:67:8b.
Are you sure you want to continue connecting (yes/no)? yes                  //重新更新known_hosts中的公钥
Warning: Permanently added 'rhel6,192.168.1.119' (RSA) to the list of known hosts.
root@rhel6's password:
Last login: Mon Dec 31 13:28:30 2012 from rhel6

ssh [-f] [-p port_num] [user@]IP  [CMD]
-f  :需要配合后面的[CMD],不登入远程主机直接发送一个指令,若不加-f参数则需等待后面的CMD指令执行完毕才会离开远程主机
-p  :指定sshd监听的端口
-X  :开启X11 Forwarding(X11 forwarding是基于SSH使用远程X-Windows应用,需配合xhost +)
-Y  :开启X11 Forwarding
[root@rhel6 ~]# vi ssh_test.sh                           //创建一个用于测试的脚本
#!/bin/sh
# Test script for the "-f" option of ssh: the timestamps printed around each
# ssh call show whether this script waits for the remote "sleep 10" to finish.

# Print a section banner exactly as given.
banner() {
  printf '%s\n' "$1"
}

# Print the current local time, marking the start and end of an ssh call.
stamp() {
  date
}

banner '####### ssh without "-f" ############'
stamp
ssh rhel6 sleep 10      # without -f: returns only once the remote command ends
stamp

banner '####### ssh with "-f" ############'
stamp
ssh -f rhel6 sleep 10   # with -f: the script does not wait for the remote command
stamp
[root@rhel6 ~]#chmod +x ssh_test.sh
[root@rhel6 ~]# ./ssh_test.sh
####### ssh without "-f" ############
Mon Dec 31 14:24:26 CST 2012
Mon Dec 31 14:24:36 CST 2012                             //需等待远程主机的指令执行完毕才会离开
####### ssh with "-f" ############
Mon Dec 31 14:24:36 CST 2012
Mon Dec 31 14:24:36 CST 2012                             //远程主机执行指令后立即离开

[root@rhel6 ~]# ssh rhel6
Last login: Mon Dec 31 15:13:16 2012 from rhel6
[root@rhel6 ~]# echo $DISPLAY

[root@rhel6 ~]# exit

[root@rhel6 ~]# ssh -X rhel6
Last login: Mon Dec 31 15:17:19 2012 from rhel6
[root@rhel6 ~]# echo $DISPLAY
localhost:10.0

==================================================================================

ssh等价性

[root@rhel5-1 .ssh]# ssh-keygen -t rsa
Generating public/private rsa key pair.                      "以下全部回车即可"
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
a1:ef:d7:94:03:da:bb:64:f2:7d:4f:73:ad:92:29:a1 root@rhel5-1.xfcy.org
[root@rhel5-1 .ssh]# ls
id_rsa  id_rsa.pub                              "id_rsa文件必须存在"
[root@rhel5-1 .ssh]# cat id_rsa.pub >> key
[root@rhel5-1 .ssh]# scp key rhel5-2:/root/.ssh/
The authenticity of host 'rhel5-2 (192.168.1.22)' can't be established.
RSA key fingerprint is 26:5a:c3:e5:58:f0:0d:57:94:02:b0:7f:01:27:34:2a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'rhel5-2,192.168.1.22' (RSA) to the list of known hosts.
root@rhel5-2's password:
key                                        100%  403     0.4KB/s   00:00

[root@rhel5-2 .ssh]# ls
key
[root@rhel5-2 .ssh]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
19:51:ec:c9:87:b3:7e:de:b0:e2:7d:b4:89:09:60:8f root@rhel5-2.xfcy.org
[root@rhel5-2 .ssh]# ls
id_rsa  id_rsa.pub  key
[root@rhel5-2 .ssh]# cat id_rsa.pub >> authorized_keys
[root@rhel5-2 .ssh]# cat key >> authorized_keys
[root@rhel5-2 .ssh]# scp authorized_keys rhel5-1:/root/.ssh/
The authenticity of host 'rhel5-1 (192.168.1.11)' can't be established.
RSA key fingerprint is 26:5a:c3:e5:58:f0:0d:57:94:02:b0:7f:01:27:34:2a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'rhel5-1,192.168.1.11' (RSA) to the list of known hosts.
root@rhel5-1's password:
authorized_keys                               100%  806     0.8KB/s   00:00

[root@rhel5-2 .ssh]# ls
authorized_keys  id_rsa  id_rsa.pub  key  known_hosts

[root@rhel5-2 .ssh]# ssh rhel5-1
Last login: Thu Aug 30 15:41:33 2012 from rhel5-2.xfcy.org
此时从rhel5-2通过ssh登录到rhel5-1已不需要密码,rhel5-1通过ssh登录到rhel5-2也不需要密码
注:两端的id_rsa文件必须存在


本文出自 “Vnimos” 博客,请务必保留此出处http://vnimos.blog.51cto.com/2014866/1105117