
Linux ssh, sftp and openssl

我的工作 2020-03-27

This article covers ssh configuration, passwordless sftp login, X client settings over ssh, fixing slow ssh connections, failures connecting to particular servers, skipping the known_hosts file, upgrading ssh, sftp commands, upgrading OpenSSH, and generating HTTPS certificates.


ssh configuration
Configure ssh to allow root login
vi /etc/ssh/sshd_config
Change PermitRootLogin no to
PermitRootLogin yes  # lifts the restriction (root can then also log in with a password, so keep root's password strong or use key-only root login)
service sshd restart
Change the port
vi /etc/ssh/sshd_config
Port 2222
#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
Fixing slow ssh login
When I first used it, after entering the user name there was a long wait before the password prompt appeared, which was very annoying. This is caused by reverse DNS lookup.
The fix is as follows:
1) Edit /etc/ssh/sshd_config, uncomment #UseDNS yes and set it to no, then restart sshd
2) Edit the machine's /etc/hosts and add the IP address together with its host name

Hidden login (-T allocates no pseudo-terminal)
ssh -T ip


Passwordless sftp login

Method 1: key authentication (method 1 is considerably safer, simple to configure, and removes the password prompt for ssh, scp and sftp alike; recommended. Method 2 below passes the password in clear text, which is not secure.)
1. Generate a key pair; the following uses an RSA key. Run "ssh-keygen -t rsa"
#ssh-keygen -t rsa
//Press Enter at every prompt; the public key id_rsa.pub is generated in the .ssh directory under the current user's home directory
2. Put the public key on the server (mind the destination directory)
#scp ~/.ssh/id_rsa.pub username@server-ip:~/.ssh/authorized_keys
//Copies the locally generated public key to the remote server and renames it to authorized_keys
Alternatively, copy the contents of id_rsa.pub and append them to the authorized_keys file on the server you need to log in to (use this when authorized_keys already exists, because the scp above would overwrite it)
Done! Logging in with ssh and transferring files with scp or sftp no longer require a password.
Note:
If .ssh does not exist, create the directory and set its permissions to 700. This step is very important: .ssh is created with mode 700 by default, and a manually created directory whose permissions are left unchanged will make the setup fail.
authorized_keys must be -rw------- (600); with the wrong permissions it cannot be used.
chmod 700 .ssh
chmod 600 authorized_keys
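Method 1 as a shell function, an added example that is not from the original post: it installs a public key into authorized_keys with the 700/600 permissions described above, appends instead of overwriting (the scp step replaces the whole file) and never adds the same key twice. Function names and file layout are my own; the key line used in testing is constructed, not a real key.

```shell
#!/bin/sh
# Added example, not from the original post. Installs one OpenSSH public key
# into HOME_DIR/.ssh/authorized_keys the way method 1 describes, but:
#  - creates ~/.ssh with mode 700 and leaves authorized_keys at 600, which
#    sshd's default StrictModes requires before it accepts the key;
#  - appends instead of overwriting, so keys already authorised survive
#    (the scp form on the page replaces the whole file);
#  - is idempotent: the same key is never added twice.
# Usage: install_authorized_key HOME_DIR PUBKEY_FILE
install_authorized_key() {
    home_dir=$1 pubkey_file=$2
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # Accept only a line that looks like an OpenSSH public key ("type base64 [comment]").
    key_line=$(head -n 1 "$pubkey_file")
    case $key_line in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*|sk-*) ;;
        *) echo "not an OpenSSH public key: $pubkey_file" >&2; return 1 ;;
    esac

    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"

    # Compare by key type and key material only; the trailing comment may differ.
    key_blob=$(printf '%s\n' "$key_line" | awk '{print $1 " " $2}')
    if [ -f "$auth_file" ] && awk '{print $1 " " $2}' "$auth_file" | grep -qxF "$key_blob"; then
        : # already authorised, nothing to do
    else
        printf '%s\n' "$key_line" >> "$auth_file"
    fi
    chmod 600 "$auth_file"
}

# Octal modes of ~/.ssh and authorized_keys, e.g. "700 600" (GNU stat).
authorized_key_modes() {
    stat -c '%a' "$1/.ssh" "$1/.ssh/authorized_keys" | tr '\n' ' ' | sed 's/ $//'
}
```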

Method 2: install sshpass
# sudo apt-get install sshpass
Once installed, sshpass lets you give the password in clear text with the -p option and then log in to the remote server directly. For example:
# sshpass -p 'password' ssh username@server-ip
After the password is given with '-p', the standard ssh connection command follows.
Example:
Performed on the standby server:
# su - wap
$ ssh-keygen  -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/wap/.ssh/id_rsa):
Created directory '/home/wap/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/wap/.ssh/id_rsa.
Your public key has been saved in /home/wap/.ssh/id_rsa.pub.
The key fingerprint is:
38:2a:1a:e3:22:ab:8f:66:f4:48:0c:8e:9f:a4:da:61 wap@wap2.boomsun.com
$ scp /home/wap/.ssh/id_rsa.pub  192.168.226.1:/home/wap/.ssh/authorized_keys
The authenticity of host '192.168.226.1 (192.168.226.1)' can't be established.
DSA key fingerprint is 94:97:c2:ab:f7:b6:43:79:4a:f2:f7:ae:2b:9c:52:ba.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.226.1' (DSA) to the list of known hosts.
Password:
id_rsa.pub                                                                                        100%  402     0.4KB/s   00:00    
$ ssh 192.168.226.1 date
Sat Sep 27 02:49:09 CST 2008

X client settings over ssh
(1) Setting the background colour: -background
Many of the X client command line options enable you to specify colors for different parts of the client window. You can specify a simple color such as red, green, white, and black. Alternatively, you can specify a color by indicating the red, green, and blue components of the color:
# xclock -background RGB:FF/00/FF
(2) ssh USER@IP cannot display a graphical interface
[oracle@rhdb1 ~]$ ssh root@192.168.0.32
root@192.168.0.32's password:
Last login: Mon Jan 12 18:54:10 2009 from 192.168.0.31
[root@rhdb2 ~]# xclock
Error: Can't open display:
[root@rhdb2 ~]#
(3) ssh -X USER@IP displays the graphical interface correctly
[oracle@rhdb1 ~]$ ssh -X root@192.168.0.32
root@192.168.0.32's password:
Last login: Mon Jan 12 18:41:46 2009 from 192.168.0.151
/usr/bin/xauth:  creating new authority file /root/.Xauthority
[root@rhdb2 ~]# xclock
Warning: Missing charsets in String to FontSet conversion
[root@rhdb2 ~]#

Fixing slow ssh connections
(1) Disable sshd's DNS lookup to speed up connections
# vi /etc/ssh/sshd_config
#UseDNS yes
UseDNS no

Failures connecting to particular servers
(2) ssh problem:
The host accepts connections from other users, but connecting to a few specific servers fails.
Normal connection between servers:
[root@db106 ~]# ssh -v 211.151.66.84
OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 211.151.66.84 [211.151.66.84] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: loaded 3 keys
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
The authenticity of host '211.151.66.84 (211.151.66.84)' can't be established.
RSA key fingerprint is 9f:cc:71:24:a6:dd:f5:25:a1:af:fd:85:64:aa:af:9b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '211.151.66.84' (RSA) to the list of known hosts.
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Unknown code krb5 195
debug1: Unspecified GSS failure.  Minor code may provide more information
Unknown code krb5 195
debug1: Unspecified GSS failure.  Minor code may provide more information
Unknown code krb5 195
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Next authentication method: password
root@211.151.66.84's password:
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Last login: Fri Dec 19 10:50:09 2008
[root@web101 ~]#
Connection from the problem server to other servers:
[root@db106 ~]# ssh -v 211.151.66.84
OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 211.151.66.84 [211.151.66.84] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: loaded 3 keys
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
The authenticity of host '211.151.66.84 (211.151.66.84)' can't be established.
RSA key fingerprint is 9f:cc:71:24:a6:dd:f5:25:a1:af:fd:85:64:aa:af:9b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '211.151.66.84' (RSA) to the list of known hosts.
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Unknown code krb5 195
debug1: Unspecified GSS failure.  Minor code may provide more information
Unknown code krb5 195
debug1: Unspecified GSS failure.  Minor code may provide more information
Unknown code krb5 195
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Next authentication method: password
root@211.151.66.84's password:
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Last login: Fri Dec 19 10:50:09 2008
[root@web101 ~]#
===========================================================================================================
Two solutions:
(1) Edit sshd_config; note that this is the file on the target remote host you are connecting to
(2) Add the remote host's host name and IP to /etc/hosts
"Unspecified GSS failure" on sshd
ERROR
####
debug1: Unspecified GSS failure. Minor code may provide more information
Unknown code krb5 195
##################################################
As you can see, ssh chooses authentication in this order: gssapi-with-mic, publickey, then password.
I searched for gssapi-with-mic, it is related to Kerberos. I know nothing about Kerberos, but I guess
Kerberos needs domain name to authorize a client.
##################################################
So I disabled gssapi-with-mic authentication in /etc/ssh/sshd_config:
# GSSAPI options
GSSAPIAuthentication no
#GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPICleanupCredentials yes
##################################################
It worked immediately. Later I just added the remote host to /etc/hosts and brought gssapi-with-mic authentication back. That also works.
Final diagnosis: DNS misconfiguration
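The sshd_config edits on this page (PermitRootLogin and Port above, UseDNS for the slow-login fix, and GSSAPIAuthentication here) are all the same operation: replace a line, uncomment a default, or append. The shell function below is an added example, not from the original post, that does this idempotently and stays out of any Match block; the function names and the sample configuration used in testing are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Sets one sshd_config directive
# the way the edits on this page are made by hand (PermitRootLogin, Port,
# UseDNS, GSSAPIAuthentication): an active line is replaced in place, else a
# commented default such as "#UseDNS yes" is replaced, else the directive is
# appended to the global section. Anything from the first "Match" block on is
# left untouched, because sshd applies those lines only conditionally and a
# directive appended at the end of the file would silently land inside it.
# Usage: set_sshd_option CONFIG_FILE KEY VALUE
set_sshd_option() {
    file=$1 key=$2 value=$3
    if [ -n "$(get_sshd_option "$file" "$key")" ]; then mode=active; else mode=any; fi
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" -v mode="$mode" '
        tolower($1) == "match" { if (!done) { print key " " value; done = 1 }; in_match = 1 }
        !in_match && !done {
            line = $0
            commented = sub(/^[ \t]*#[ \t]*/, "", line)   # 1 if the line was a comment
            sub(/^[ \t]+/, "", line)
            if (!(commented && mode == "active")) {
                split(line, f, /[ \t=]+/)               # "Key value" or "Key=value"
                if (tolower(f[1]) == tolower(key)) { print key " " value; done = 1; next }
            }
        }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file mode and owner
    rm -f "$tmp"
}

# Effective global value of KEY (first active line, as sshd resolves it), or empty.
get_sshd_option() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}
```

Run sshd -t afterwards; it parses the file and reports any directive it rejects before you restart the service.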
********************************************************************************************************
The Generic Security Services Application Program Interface (GSSAPI, also GSS-API) is an application programming interface for programs to access security services.
How it works
The GSSAPI, by itself, does not provide any security. Instead, security service vendors provide GSSAPI implementations usually in the form of libraries installed with their security software. These libraries present a GSSAPI-compatible interface to application writers who can write their application to use only the vendor-independent GSSAPI. If the security implementation ever needs replacing, the application need not be rewritten.
The definitive feature of GSSAPI applications is the exchange of opaque messages (tokens) that hide the implementation detail from the higher level application. The client and server sides of the application are written to convey the tokens given to them by their respective GSSAPI implementations. GSSAPI tokens can be sent over an insecure network because the mechanisms guarantee inherent message security. After some number of tokens have been exchanged, the GSSAPI at both ends inform their local application that a security context has been established.
Once a security context is established, sensitive application messages can be wrapped (encrypted) by the GSSAPI for secure communication between client and server. Typical protections guaranteed by GSSAPI wrapping include confidentiality (secrecy) and integrity (authenticity). The GSSAPI can also provide local guarantees about the identity of the remote user or remote host.
The GSSAPI describes about 45 procedure calls. Significant ones include:
GSS_Acquire_cred - obtains the user's identity proof, often a secret cryptographic key
GSS_Import_name - converts a username or hostname into a form that identifies a security entity
GSS_Init_sec_context - generates a client token to send to the server, usually a challenge
GSS_Accept_sec_context - processes a token from GSS_Init_sec_context and can generate a response token to return
GSS_Wrap - converts application data into a secure message token (typically encrypted)
GSS_Unwrap - converts a secure message token back into application data
The GSSAPI has been standardised for the C and Java languages.
Limitations of the GSSAPI include that it standardizes only authentication, and not authorization, and that it assumes a client-server architecture.
Anticipating new security mechanisms, the GSSAPI includes a negotiating pseudo mechanism, SPNEGO, that can discover and use new mechanisms not present when the original application was built.

Skipping the known_hosts file
Edit ssh_config
vi /etc/ssh/ssh_config
Add the following two lines
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
With these two lines the client accepts any host key and records none, so a changed or impersonated host key goes unnoticed; put them in a Host block for the hosts that need them rather than in the global section.
Restart the service
service sshd restart

Upgrading ssh
To be safe, enable telnet first; a new user is needed because telnet refuses root login by default
cd /etc/xinetd.d
vi krb5-telnet
change disable         = yes
to     disable         = no
service xinetd restart
Install ssh
tar xvzf openssh-6.5p1.tar.gz
cd openssh-6.5p1
./configure --prefix=/usr --sysconfdir=/etc/ssh --without-zlib-version-check
make
make install
ssh -V
service sshd restart

sftp commands
lcd     change the local directory
get     download a file
put     upload a file
get -r  download a directory
put -r  upload a directory

Upgrading OpenSSH
1. Prepare the packages
zlib-1.2.5.tar.gz
openssl-1.0.1.tar.gz
openssh-6.6p1.tar.gz
================================================
2. Prepare another way to log in
The procedure uninstalls ssh, so keep another login open to avoid being locked out of the host.
================================================
3. Upgrade the software
1) Install the openssl package
# tar zxvf openssl-1.0.1.tar.gz -C /usr/src
# cd /usr/src/openssl-1.0.1
# ./config -fPIC threads shared
# make
# make test
# make install
# mv /usr/bin/openssl /usr/bin/openssl.OFF
# mv /usr/include/openssl /usr/include/openssl.OFF
Move the system's original openssl out of the way; this step may report that the file does not exist, which can be ignored.
# ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
# ln -s /usr/local/ssl/include/openssl /usr/include/openssl
Link the newly built files.
# chmod 755 /usr/local/ssl/lib
# echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
# /sbin/ldconfig -v
# openssl version -a
Reports that the installation succeeded.
2) Remove the original openssh package
Back up the init script
# cp /etc/init.d/sshd  /root/
Stop the sshd service
# /sbin/service sshd stop
Uninstall the OpenSSH packages already on the system
# rpm  -qa|grep openssh
# rpm -e openssh --nodeps
# rpm -e openssh-server --nodeps
# rpm -e openssh-clients --nodeps
# rpm -e openssh-askpass
Query the openssh packages originally installed and remove them all.
3) Unpack and install zlib
# tar zxvf zlib-1.2.5.tar.gz -C /usr/src
# cd /usr/src/zlib-1.2.5
# ./configure
# make && make install
4) Upgrade the openssh package
First back up the /etc/ssh directory
# mv /etc/ssh /etc/ssh_bak
# tar zxvf openssh-6.6p1.tar.gz -C /usr/src
# cd /usr/src/openssh-6.6p1
# ./configure --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/ssl  --with-md5-passwords --mandir=/usr/share/man  --with-pam
# make
# make install
(configure: error: PAM headers not found)
If this error appears, install the matching pam-devel package.
5) Start the openssh service
# cp -p /usr/src/openssh-6.6p1/contrib/redhat/sshd.init /etc/init.d/sshd
# chmod +x /etc/init.d/sshd
# chkconfig --add sshd
# cp /usr/src/openssh-6.6p1/sshd_config /etc/ssh/sshd_config  (if prompted to overwrite, answer yes)
# cp /usr/src/openssh-6.6p1/sshd /usr/sbin/sshd   (if prompted to overwrite, answer yes)
# cp /usr/src/openssh-6.6p1/ssh-keygen /usr/bin/ssh-keygen
# service sshd start
# ssh -V
Upgrade in the test environment succeeded.


Generating an HTTPS certificate
1. openssl genrsa -des3 -out zhyhl.key 1024                                     (passphrase-protected private key)
2. openssl req -config openssl.cnf -new -key zhyhl.key -x509 -out zhyhl.crt    (self-signed certificate)
3. openssl req -config openssl.cnf -new -key zhyhl.key -out zhyhl.csr          (certificate signing request for a CA)
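The same three steps as an added, non-interactive shell example that is not from the original post: it uses -subj instead of prompts, a 2048-bit key instead of 1024 (1024-bit RSA is below current minimums), no -des3 passphrase so a service can load the key unattended, and then runs the checks worth doing before deploying: the CSR's self-signature verifies and key, CSR and certificate all carry the same RSA modulus. Function names are mine; zhyhl is the page's file name and example.test a placeholder CN; openssl must be on the PATH.

```shell
#!/bin/sh
# Added example, not from the original post. Runs the page's three openssl
# steps without prompts, then verifies that the artefacts belong together.
# Usage: make_cert OUT_DIR NAME CN
make_cert() {
    dir=$1 name=$2 cn=$3
    mkdir -p "$dir"
    # 1. private key; mode 600 because anyone who can read it can impersonate the server
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    chmod 600 "$dir/$name.key"
    # 2. self-signed certificate, valid for 365 days
    openssl req -new -key "$dir/$name.key" -x509 -days 365 \
        -subj "/CN=$cn" -out "$dir/$name.crt"
    # 3. certificate signing request to hand to a real CA
    openssl req -new -key "$dir/$name.key" -subj "/CN=$cn" -out "$dir/$name.csr"
}

# Return 0 when the CSR's self-signature verifies and key, CSR and certificate
# share one RSA modulus, i.e. the CSR and certificate really match this key.
check_cert_set() {
    dir=$1 name=$2
    openssl req -in "$dir/$name.csr" -noout -verify >/dev/null 2>&1 || return 1
    k=$(openssl rsa -in "$dir/$name.key" -noout -modulus)
    r=$(openssl req -in "$dir/$name.csr" -noout -modulus)
    c=$(openssl x509 -in "$dir/$name.crt" -noout -modulus)
    [ -n "$k" ] && [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Print the certificate's subject CN, e.g. "example.test".
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}
```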

