Key-based authentication:
One host acts as the client (set up for a particular user):
1. Generate a key pair
ssh-keygen
-t {rsa|dsa} key algorithm
-f /path/to/keyfile file in which to save the key
-N 'password' passphrase for the private key
2. Transfer the public key to the .ssh/authorized_keys file in the home directory of a user on the server
Use a file transfer tool (ssh-copy-id, scp)
ssh-copy-id -i /path/to/pubkey USERNAME@REMOTE_HOST
3. Test the login
scp: an ssh-based remote copy command that transfers data between hosts
scp [options] SRC DEST
-r
-p
-a
REMOTE_MACHINE
USERNAME@HOSTNAME:/path/to/somefile
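ssh-keygen -t rsa -f .ssh/id_rsa -N '' creates the private key with an empty passphrase (the key file is then stored unencrypted)
-f specifies the path
-t specifies the key algorithm
Server 192.168.1.236
1. Generate a key pair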
[root@mail .ssh]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
45:ff:bb:0a:07:57:73:c4:1c:e6:3e:a1:ad:2a:51:72 root@mail
[root@mail .ssh]# ls
known_hosts id_rsa--private key id_rsa.pub--public key
[root@mail .ssh]# ll
total 8
-rw-r--r-- 1 root root 0 Aug 7 10:36 known_hosts
-rw------- 1 root root 1675 Aug 7 10:41 id_rsa
-rw-r--r-- 1 root root 391 Aug 7 10:41 mail_rsa.pub
2. Check the directory permissions
[root@mail ~]# ll -ha
drwx------ 2 root root 4.0K Aug 7 10:41 .ssh
3. Copy the local public key to the remote server, where it is saved in .ssh/authorized_keys under the corresponding directory
[root@mail .ssh]# ssh-copy-id -i mail_rsa.pub root@192.168.1.208
The authenticity of host '192.168.1.208 (192.168.1.208)' can't be established.
RSA key fingerprint is 2b:33:02:38:1d:1e:df:2e:7f:3a:e9:98:41:64:07:28.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.208' (RSA) to the list of known hosts.
root@192.168.1.208's password:
Now try logging into the machine, with "ssh 'root@192.168.1.208'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
4. Test the login
[root@mail .ssh]# ssh 192.168.1.208
Last login: Thu Aug 7 11:00:48 2014 from 192.168.1.236
Server 192.168.1.208
5. Log in to 192.168.1.208 and generate a key pair
[root@rrcy .ssh]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
cb:96:66:fb:df:28:2d:7f:74:cc:b7:79:80:2b:ce:6a root@rrcy
The key's randomart image is:
+--[ RSA 2048]----+
| |
| |
| |
| |
| S . o |
| . o . o =|
| B . o o+|
| +Eo+ oo.o.|
| .o++*+.. .|
+-----------------+
[root@rrcy .ssh]# ls
authorized_keys id_rsa id_rsa.pub known_hosts
6. Add the public key to .ssh/authorized_keys on 192.168.1.236
[root@rrcy .ssh]# ssh-copy-id -i id_rsa.pub root@192.168.1.236
The authenticity of host '192.168.1.236 (192.168.1.236)' can't be established.
RSA key fingerprint is f0:f4:36:5b:b7:cf:46:24:42:f0:cc:58:98:df:3a:99.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.236' (RSA) to the list of known hosts.
root@192.168.1.236's password:
Now try logging into the machine, with "ssh 'root@192.168.1.236'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
7. Test the login
[root@rrcy .ssh]# ssh 192.168.1.236
Last login: Thu Aug 7 11:06:01 2014 from 192.168.1.208
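Added example (not part of the original notes): a small audit script for the check that ssh-copy-id asks for above. It confirms that .ssh and authorized_keys are closed to group and others, and lists any authorized_keys entry that does not match a public key you expect. The function names, the temporary directory and the key strings are constructed for the demonstration.

```shell
#!/bin/sh
# Added example; all paths and key strings below are constructed sample data.

# perm_string PATH: the 10-character mode field that "ls -l" / "ll" shows
perm_string() { ls -ld "$1" | cut -c1-10; }

# private_only PATH: succeeds only if group and others have no access at all
private_only() { [ "$(perm_string "$1" | cut -c5-10)" = "------" ]; }

# key_blobs FILE: print "type base64" for each key line, skipping comments,
# leading options and the trailing comment field.
# Assumption: no option value contains a key-type word such as ssh-rsa.
key_blobs() {
    awk 'NF == 0 || $1 ~ /^#/ { next }
    {
        for (i = 1; i < NF; i++)
            if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-)/) {
                print $i, $(i + 1); break
            }
    }' "$1"
}

# unexpected_keys AUTH_FILE PUBKEY...: print every key in AUTH_FILE that
# matches none of the given public key files
unexpected_keys() {
    auth=$1; shift
    allowed=$(for pub in "$@"; do key_blobs "$pub"; done)
    key_blobs "$auth" | while read -r ktype blob; do
        printf '%s\n' "$allowed" | grep -qxF -- "$ktype $blob" ||
            printf '%s %s\n' "$ktype" "$blob"
    done
}

# Demo on a constructed .ssh directory
demo=$(mktemp -d)
mkdir -m 700 "$demo/.ssh"
printf 'ssh-rsa AAAAB3CONSTRUCTEDKEY1 root@mail\n' > "$demo/mail_rsa.pub"
{
    printf '# constructed sample authorized_keys\n'
    printf 'from="192.168.1.236" ssh-rsa AAAAB3CONSTRUCTEDKEY1 root@mail\n'
    printf 'ssh-rsa AAAAB3CONSTRUCTEDKEY2 unknown@host\n'
} > "$demo/.ssh/authorized_keys"
chmod 600 "$demo/.ssh/authorized_keys"

private_only "$demo/.ssh" || echo "WARN: .ssh is open to group/others"
private_only "$demo/.ssh/authorized_keys" || echo "WARN: authorized_keys is open to group/others"
echo "Keys not matching mail_rsa.pub:"
unexpected_keys "$demo/.ssh/authorized_keys" "$demo/mail_rsa.pub"
```

Run against a real account, pass the server-side authorized_keys and every public key you installed on purpose; anything the script prints is a key to investigate.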