How SSH remote login works (in detail)

Today at home I studied how SSH login works in detail and gained a much deeper understanding of the SSH service.

1. Remote command-line management tools

telnet: plaintext, no encryption, poor security (credentials and session contents can be read by anyone on the network path)

ssh: encrypted, authenticated connection

openssh: the implementation used here (OpenSSH 7.4p1 on CentOS 7)

Built on public-key cryptography, the same asymmetric primitives that underpin PKI (Public Key Infrastructure) and HTTPS (SSL/TLS). Note that plain OpenSSH does not use certificates or a CA by default: the server's key is accepted on first use and pinned in known_hosts (section 2).

[root@localhost ~]# rpm -qa | grep openssh
openssh-clients-7.4p1-16.el7.x86_64
openssh-7.4p1-16.el7.x86_64
openssh-server-7.4p1-16.el7.x86_64
[root@localhost ~]# whereis ssh
ssh: /usr/bin/ssh /etc/ssh /usr/share/man/man1/ssh.1.gz
[root@localhost ~]# rpm -qf /usr/bin/ssh
openssh-clients-7.4p1-16.el7.x86_64

[root@localhost ~]# rpm -ql openssh-server
/etc/pam.d/sshd
/etc/ssh/sshd_config  # server-side configuration file
/etc/sysconfig/sshd
/usr/lib/systemd/system/sshd-keygen.service
/usr/lib/systemd/system/sshd.service  # systemd service unit
/usr/lib/systemd/system/sshd.socket
/usr/lib/systemd/system/sshd@.service
/usr/lib64/fipscheck/sshd.hmac
/usr/libexec/openssh/sftp-server
/usr/sbin/sshd  # the daemon executable
/usr/sbin/sshd-keygen
/usr/share/man/man5/moduli.5.gz
/usr/share/man/man5/sshd_config.5.gz
/usr/share/man/man8/sftp-server.8.gz
/usr/share/man/man8/sshd.8.gz
/var/empty/sshd

[root@localhost ~]# rpm -ql openssh-clients
/etc/ssh/ssh_config  # client-side configuration file
/usr/bin/scp
/usr/bin/sftp
/usr/bin/slogin
/usr/bin/ssh
/usr/bin/ssh-add
/usr/bin/ssh-agent
/usr/bin/ssh-copy-id
/usr/bin/ssh-keyscan
/usr/lib64/fipscheck/ssh.hmac
/usr/libexec/openssh/ssh-pkcs11-helper
/usr/share/man/man1/scp.1.gz
/usr/share/man/man1/sftp.1.gz
/usr/share/man/man1/slogin.1.gz
/usr/share/man/man1/ssh-add.1.gz
/usr/share/man/man1/ssh-agent.1.gz
/usr/share/man/man1/ssh-copy-id.1.gz
/usr/share/man/man1/ssh-keyscan.1.gz
/usr/share/man/man1/ssh.1.gz
/usr/share/man/man5/ssh_config.5.gz
/usr/share/man/man8/ssh-pkcs11-helper.8.gz

Public-key cryptography:

Public key and private key

1) Public key: used to encrypt data for the key owner and to verify the owner's signatures. It can be published freely.

2) Private key: decrypts data that was encrypted with its paired public key, and produces signatures that prove the owner's identity. It must be kept secret; ssh refuses to use a private key file that other users can read.

Relationship between the two keys:

1) They are generated together as a pair.

2) Each public key corresponds to exactly one private key.

3) The private key cannot be computed from the public key. The reverse does not hold: the public key is derived from the private key, which is why ssh-keygen -y -f id_rsa can regenerate id_rsa.pub.

4) Public key encrypts, private key decrypts: confidentiality. (The original text attributes the client's login to this mode; in SSH-2 the session keys actually come from a Diffie-Hellman key exchange, see section 2.)

5) Private key signs, public key verifies: authentication. This is often described as "private key encrypts, public key decrypts", but in SSH the private key never encrypts anything: it signs a challenge, and the server verifies the signature with the public key stored in authorized_keys (section 3).

Asymmetric algorithms that can be used for SSH key pairs:

1) RSA

2) ECDSA

3) Ed25519

The server holds one host key pair per algorithm in /etc/ssh. The .pub halves are world-readable; the private halves must not be readable by ordinary users:

[root@localhost ~]# cd /etc/ssh
[root@localhost ssh]# ls
moduli  ssh_config  sshd_config  ssh_host_ecdsa_key  ssh_host_ecdsa_key.pub  ssh_host_ed25519_key  ssh_host_ed25519_key.pub  ssh_host_rsa_key  ssh_host_rsa_key.pub
[root@localhost ssh]# ls ssh_host_rsa_key*
ssh_host_rsa_key  ssh_host_rsa_key.pub

2. How an SSH remote connection is established

Client login:

The original diagram labels this step "public key encrypts, private key decrypts". SSH-2 works differently: the two sides run a Diffie-Hellman (or ECDH / curve25519) key exchange to derive the session keys, and the server proves its identity by signing the exchange hash with its host private key. The client verifies that signature with the server's host public key. The important question is therefore where the client gets a trustworthy copy of that host public key.

Client connection process

The server's host public key is stored on the client in ~/.ssh/known_hosts (this file holds the keys of servers the client has talked to, not the client's own key). On first contact the key is not there yet, so ssh shows its fingerprint and asks whether to trust it:

[admin@serverb ~]$ ssh admin@192.168.10.25
The authenticity of host '192.168.10.25 (192.168.10.25)' can't be established.
ECDSA key fingerprint is SHA256:ZS4cqrByPcL4hpx1QejC1KjtvXUxprOOGq1dsa6+Wzg.
ECDSA key fingerprint is MD5:e5:a7:4f:f1:bf:f8:01:b2:67:4f:81:42:3e:02:b1:34.
Are you sure you want to continue connecting (yes/no)? no
Host key verification failed.
[admin@serverb ~]$ cd .ssh/
[admin@serverb .ssh]$ ls -al
total 0
drwx------ 2 admin admin   6 Jul  3 15:51 .
drwx------ 6 admin admin 119 Jul  3 15:51 ..
[admin@serverb .ssh]$

Accepting the host key (answering yes stores it in known_hosts):

[admin@serverb .ssh]$ ssh admin@192.168.10.25
The authenticity of host '192.168.10.25 (192.168.10.25)' can't be established.
ECDSA key fingerprint is SHA256:ZS4cqrByPcL4hpx1QejC1KjtvXUxprOOGq1dsa6+Wzg.
ECDSA key fingerprint is MD5:e5:a7:4f:f1:bf:f8:01:b2:67:4f:81:42:3e:02:b1:34.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.10.25' (ECDSA) to the list of known hosts.
admin@192.168.10.25's password:
Last login: Sun Jul  3 15:32:10 2022
[admin@servera ~]$ exit
logout
Connection to 192.168.10.25 closed.
[admin@serverb .ssh]$ ls -al
total 4
drwx------ 2 admin admin  25 Jul  3 15:56 .
drwx------ 6 admin admin 119 Jul  3 15:51 ..
-rw-r--r-- 1 admin admin 175 Jul  3 15:56 known_hosts
[admin@serverb .ssh]$ cat known_hosts
192.168.10.25 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIaJ+CNW9DO+twz14DYh3MhUHZJu4SI8SMb+Vpa058DkomfPuIrZHoiEiKVqzGaoIKCBvqjgFWtybNjcTQTnr70=
[admin@servera ssh]$ cd /etc/ssh
[admin@servera ssh]$ ls
moduli  ssh_config  sshd_config  ssh_host_ecdsa_key  ssh_host_ecdsa_key.pub  ssh_host_ed25519_key  ssh_host_ed25519_key.pub  ssh_host_rsa_key  ssh_host_rsa_key.pub
[admin@servera ssh]$ cat ssh_host_ecdsa_key.pub
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIaJ+CNW9DO+twz14DYh3MhUHZJu4SI8SMb+Vpa058DkomfPuIrZHoiEiKVqzGaoIKCBvqjgFWtybNjcTQTnr70=
Subsequent connections do not prompt again because the host key is already recorded, unless the entry is removed from ~/.ssh/known_hosts (for example by clearing the .ssh directory). Answering "yes" is trust-on-first-use, so the key should be checked before accepting it: run ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub on the server (or have the administrator publish the fingerprint) and compare it with the SHA256 value ssh printed. If a later connection presents a different key for the same host, ssh aborts with "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!"; this is exactly the check that defeats a man-in-the-middle, so do not delete the entry to silence the warning without finding out why the key changed.
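The client-side check described above, as an added Python model (not code from this page or from OpenSSH): it parses the host key blob shown in the ssh_host_ecdsa_key.pub listing, prints the fingerprints in the SHA256: and MD5: formats that ssh displays, and looks the host up in known_hosts, including the hashed |1|salt|hmac entry format that HashKnownHosts=yes produces. The key string is copied from the listings above; the known_hosts text, the tampered key and the hashed entry are constructed by the code.

```python
"""Model of the client's host-key check (ssh -> ~/.ssh/known_hosts).

Added example, not code from the page or from OpenSSH. The key blob is
copied from the page's listings; everything else is constructed here.
"""
import base64
import hashlib
import hmac
import os
import struct

# Blob from /etc/ssh/ssh_host_ecdsa_key.pub on servera; the page shows the same
# blob recorded in ~/.ssh/known_hosts on serverb after answering "yes".
HOST_BLOB = ("AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIaJ+CNW9DO+twz14DYh3MhUHZJu"
             "4SI8SMb+Vpa058DkomfPuIrZHoiEiKVqzGaoIKCBvqjgFWtybNjcTQTnr70=")
HOST_PUB_LINE = "ecdsa-sha2-nistp256 " + HOST_BLOB                  # what the server offers
KNOWN_HOSTS = "192.168.10.25 ecdsa-sha2-nistp256 " + HOST_BLOB + "\n"  # client's pinned copy


def read_string(buf, off):
    """Read one SSH wire-format string: 4-byte big-endian length, then the bytes."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def parse_pubkey(blob):
    """Split a base64 key blob into its wire-format fields.
    For ecdsa-sha2-nistp256: [key type, curve name, uncompressed point 0x04||X||Y]."""
    raw = base64.b64decode(blob)
    fields, off = [], 0
    while off < len(raw):
        field, off = read_string(raw, off)
        fields.append(field)
    return fields


def fingerprint_sha256(blob):
    """OpenSSH display format: SHA256 of the raw blob, base64 without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob):
    """Legacy display format: MD5 of the raw blob as colon-separated hex."""
    digest = hashlib.md5(base64.b64decode(blob)).hexdigest()
    return "MD5:" + ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def host_matches(entry_host, hostname):
    """True if the host field of a known_hosts entry names `hostname`.
    Plain entries may list several names separated by commas; hashed entries
    (HashKnownHosts yes) look like |1|<base64 salt>|<base64 HMAC-SHA1(salt, hostname)>."""
    if entry_host.startswith("|1|"):
        _, _, salt_b64, mac_b64 = entry_host.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return hostname in entry_host.split(",")


def lookup_known_host(known_hosts_text, hostname, keytype):
    """Return the pinned blob for (hostname, keytype) or None. Marker lines such as
    @cert-authority / @revoked are not modelled here."""
    for line in known_hosts_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or line.lstrip().startswith("#"):
            continue
        host, ktype, blob = parts[:3]
        if ktype == keytype and host_matches(host, hostname):
            return blob
    return None


def verify_host_key(known_hosts_text, hostname, offered_line):
    """Outcome of the client's check: 'unknown' (first-contact prompt), 'match'
    (connect silently) or 'MISMATCH' (REMOTE HOST IDENTIFICATION HAS CHANGED)."""
    keytype, blob = offered_line.split()[:2]
    stored = lookup_known_host(known_hosts_text, hostname, keytype)
    if stored is None:
        return "unknown"
    return "match" if hmac.compare_digest(stored, blob) else "MISMATCH"


def hashed_entry(hostname, keytype, blob, salt=None):
    """Write an entry the way HashKnownHosts=yes does (20-byte random salt, HMAC-SHA1)."""
    salt = salt or os.urandom(20)
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s %s %s\n" % (base64.b64encode(salt).decode(),
                                  base64.b64encode(mac).decode(), keytype, blob)


def tampered_line(line=HOST_PUB_LINE):
    """Constructed attacker key: same algorithm, last byte of the point flipped.
    (Not a valid curve point; only the string comparison matters for this model.)"""
    ktype, blob = line.split()[:2]
    raw = bytearray(base64.b64decode(blob))
    raw[-1] ^= 0x01
    return ktype + " " + base64.b64encode(bytes(raw)).decode()


if __name__ == "__main__":
    ktype, curve, point = parse_pubkey(HOST_BLOB)
    print(ktype.decode(), curve.decode(), "point of %d bytes" % len(point))
    print(fingerprint_sha256(HOST_BLOB))   # compare with the value ssh printed on first contact
    print(fingerprint_md5(HOST_BLOB))
    print("first contact:", verify_host_key("", "192.168.10.25", HOST_PUB_LINE))
    print("known host   :", verify_host_key(KNOWN_HOSTS, "192.168.10.25", HOST_PUB_LINE))
    print("MITM         :", verify_host_key(KNOWN_HOSTS, "192.168.10.25", tampered_line()))
    hashed = hashed_entry("192.168.10.25", "ecdsa-sha2-nistp256", HOST_BLOB)
    print("hashed entry :", verify_host_key(hashed, "192.168.10.25", HOST_PUB_LINE))
```

The SHA256 line the script prints for HOST_BLOB is what should be compared, out of band, with the fingerprint ssh showed in the first-contact prompt; the hashed form hides which hosts a stolen known_hosts file refers to, but the lookup still works because the client knows the hostname it is connecting to and can recompute the HMAC.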

3. Logging in with a key pair (private-key authentication)

In this mode the server keeps the client's public key in ~/.ssh/authorized_keys. When the client connects, it signs a challenge bound to the current session with its private key, and sshd verifies the signature against the stored public key. No password crosses the wire and the private key never leaves the client.

Generate the key pair on the client:

[admin@serverb ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/admin/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/admin/.ssh/id_rsa.
Your public key has been saved in /home/admin/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:3ZeSGtknvM/YvlqXzJDPT5GCbwUC6nyUsK5JypyeaRc admin@serverb
The key's randomart image is:
+---[RSA 2048]----+
|       . .       |
|        + o      |
|       o o . .   |
|      + .. =o.o..|
|     . +S.+.B+++ |
|  o +Eo .  o.*O o|
|   = o.   . .o.*o|
|  ..o.      .* o.|
|  .+.       oo*..|
+----[SHA256]-----+
[admin@serverb ~]$ ls /home/admin/.ssh/ -al
total 12
drwx------ 2 admin admin   57 Jul  3 16:11 .
drwx------ 6 admin admin  119 Jul  3 15:51 ..
-rw------- 1 admin admin 1675 Jul  3 16:11 id_rsa
-rw-r--r-- 1 admin admin  395 Jul  3 16:11 id_rsa.pub
-rw-r--r-- 1 admin admin  175 Jul  3 15:56 known_hosts

Install the client's public key into ~/.ssh/authorized_keys on the server. ssh-copy-id does this over a one-time password login, creating ~/.ssh with mode 700 and authorized_keys with mode 600; sshd (StrictModes) refuses to use these files if they are group- or world-writable:

[admin@servera ~]$ cd ~/.ssh
-bash: cd: /home/admin/.ssh: No such file or directory
[admin@serverb ~]$ ssh-copy-id admin@192.168.10.25
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/admin/.ssh/id_rsa.pub"
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
admin@192.168.10.25's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'admin@192.168.10.25'"
and check to make sure that only the key(s) you wanted were added.
[admin@servera ~]$ cd .ssh/
[admin@servera .ssh]$ ls -al
total 4
drwx------ 2 admin admin  29 Jul  3 16:28 .
drwx------ 6 admin admin 140 Jul  3 16:28 ..
-rw------- 1 admin admin 395 Jul  3 16:28 authorized_keys
[admin@servera .ssh]$ cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDik7M++QzKoAtl9IP8jFnjrFYEAyUfebqqx4DLJIlJxEhE6O1uzgd9veBJxCCt0WsYpDb4stdDYmjgSG9k3zj/GBY0XCPr24RsMyAO9eRar+wbO2hBxxW8ps6v+uWETxSN3TZZDiEjxSLnkOpou0izpui0bFrV8i2WM+ENfMACANi5dvpEmiNLymrCtb31qSj0HYZaZXUnxIaaaP3rZRn/jPoCSxC33VQxHbczjVkxdddWIUnA4aVkmEMUEuHNjL4I/i6Qv0Ua/vxlM8ZMzP2YrsUjLwgMOYI+bojlfqHdIhG09KpCtOcmt8nZnawLTd5wluJWHf4kTeFDjRVp+XSB admin@serverb
[admin@serverb ~]$ cd .ssh/
[admin@serverb .ssh]$ cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDik7M++QzKoAtl9IP8jFnjrFYEAyUfebqqx4DLJIlJxEhE6O1uzgd9veBJxCCt0WsYpDb4stdDYmjgSG9k3zj/GBY0XCPr24RsMyAO9eRar+wbO2hBxxW8ps6v+uWETxSN3TZZDiEjxSLnkOpou0izpui0bFrV8i2WM+ENfMACANi5dvpEmiNLymrCtb31qSj0HYZaZXUnxIaaaP3rZRn/jPoCSxC33VQxHbczjVkxdddWIUnA4aVkmEMUEuHNjL4I/i6Qv0Ua/vxlM8ZMzP2YrsUjLwgMOYI+bojlfqHdIhG09KpCtOcmt8nZnawLTd5wluJWHf4kTeFDjRVp+XSB admin@serverb

Authenticating with the key: by default ssh tries the identity files under ~/.ssh (id_rsa, id_ecdsa, id_ed25519, ...).

Specifying a different key file with -i:

[admin@serverb .ssh]$ ls
id_rsa  id_rsa.pub  known_hosts
[admin@serverb .ssh]$ cp id_rsa serverb_key
[admin@serverb .ssh]$ ssh -i serverb_key admin@192.168.10.25
Last login: Sun Jul  3 15:56:17 2022 from 192.168.10.26
Note: without -i, the default identity file ~/.ssh/id_rsa is used. The login above completed without a password prompt because the signature made with serverb_key verified against the public key in authorized_keys on servera. A private key file must stay readable only by its owner (mode 600); ssh ignores a key with more permissive permissions.
[admin@servera ~]$
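The signature exchange this section describes, as an added Python example (not the page's code and not OpenSSH's): it parses the authorized_keys line shown above to display the real key's parameters (e = 65537, 2048-bit modulus), then demonstrates the sign/verify principle with a toy textbook RSA key pair generated in the block. The toy scheme hashes the challenge with SHA-256 and applies no padding, unlike OpenSSH's rsa-sha2-256 signatures, and the challenge bytes are a constructed stand-in for the session identifier and authentication-request fields that RFC 4252 actually signs. Key generation uses random primes, so a run takes about a second.

```python
"""Public-key user authentication: the client signs, sshd verifies.

Added example, not the page's code and not OpenSSH's. Textbook RSA (no
padding) on a toy key pair stands in for OpenSSH's rsa-sha2-256 signatures.
"""
import base64
import hashlib
import random
import struct

# ~/.ssh/authorized_keys on servera, identical to ~/.ssh/id_rsa.pub on serverb (from the listing above)
AUTHORIZED_KEY = ("ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDik7M++QzKoAtl9IP8jFnjrFYEAyUfebqqx4DLJIlJxEhE6O1u"
                  "zgd9veBJxCCt0WsYpDb4stdDYmjgSG9k3zj/GBY0XCPr24RsMyAO9eRar+wbO2hBxxW8ps6v+uWETxSN"
                  "3TZZDiEjxSLnkOpou0izpui0bFrV8i2WM+ENfMACANi5dvpEmiNLymrCtb31qSj0HYZaZXUnxIaaaP3r"
                  "ZRn/jPoCSxC33VQxHbczjVkxdddWIUnA4aVkmEMUEuHNjL4I/i6Qv0Ua/vxlM8ZMzP2YrsUjLwgMOYI+"
                  "bojlfqHdIhG09KpCtOcmt8nZnawLTd5wluJWHf4kTeFDjRVp+XSB admin@serverb")


def read_string(buf, off):
    """Read one SSH wire-format string: 4-byte big-endian length, then the bytes."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def parse_rsa_pubkey(line):
    """authorized_keys line -> (e, n). The blob is: string "ssh-rsa", mpint e, mpint n."""
    raw = base64.b64decode(line.split()[1])
    ktype, off = read_string(raw, 0)
    e_bytes, off = read_string(raw, off)
    n_bytes, off = read_string(raw, off)
    if ktype != b"ssh-rsa" or off != len(raw):
        raise ValueError("not a well-formed ssh-rsa key")
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with random bases (toy key generation only)."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    rng = random.SystemRandom()
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    rng = random.SystemRandom()
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # odd, full bit length
        if is_probable_prime(candidate):
            return candidate


def generate_toy_keypair(bits=1024):
    """Toy RSA key pair ((e, n), (d, n)); far smaller than the page's 2048-bit key."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (e, p * q), (pow(e, -1, phi), p * q)


def challenge_hash(challenge):
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big")


def sign(priv, challenge):
    """Client side: only the holder of d can produce this value."""
    d, n = priv
    return pow(challenge_hash(challenge), d, n)


def verify(pub, challenge, sig):
    """Server side: anyone with the public key can check it, nobody can forge it."""
    e, n = pub
    return pow(sig, e, n) == challenge_hash(challenge)


def authenticate(authorized_pubs, challenge, sig):
    """sshd's decision: accept if any key listed in authorized_keys verifies the signature."""
    return any(verify(pub, challenge, sig) for pub in authorized_pubs)


def demo():
    pub, priv = generate_toy_keypair()
    other_pub, _ = generate_toy_keypair()          # a key that is NOT in authorized_keys
    # Constructed stand-in for what RFC 4252 signs: the session identifier from the
    # key exchange plus the user/service fields, so a signature cannot be replayed elsewhere.
    challenge = b"session-id:" + bytes(range(32)) + b"|user=admin|service=ssh-connection"
    sig = sign(priv, challenge)
    return {
        "genuine": authenticate([pub], challenge, sig),
        "wrong_key": authenticate([other_pub], challenge, sig),
        "tampered_challenge": authenticate([pub], challenge + b"x", sig),
    }


if __name__ == "__main__":
    e, n = parse_rsa_pubkey(AUTHORIZED_KEY)
    print("authorized key: e=%d, modulus %d bits" % (e, n.bit_length()))
    print(demo())
```

Because the signed message includes the session identifier, a captured signature is useless for a different session, which is why private-key authentication has no equivalent of a replayed password.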