Linux ssh命令详解

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

1.登录                   

       ssh -p22 omd@192.168.25.137               

   2.直接执行命令  -->最好全路径                   

       ssh root@192.168.25.137 ls -ltr /backup/data                       

           ==>ssh root@192.168.25.137 /bin/ls -ltr /backup/data               

   3.查看已知主机                    

        cat /root/.ssh/known_hosts

   4.ssh远程执行sudo命令

       ssh -t omd@192.168.25.137 sudo rsync hosts /etc/

   5.scp               

             1.功能   -->远程文件的安全(加密)拷贝                   

                 scp -P22 -r -p /home/omd/h.txt omd@192.168.25.137:/home/omd/               

             2.scp知识小结                   

                 scp是加密远程拷贝，cp为本地拷贝                   

                 可以推送过去，也可以拉过来                   

                 每次都是全量拷贝(效率不高，适合第一次)，增量拷贝用rsync

   6.ssh自带的sftp功能               

             1.Window和Linux的传输工具                   

                  wincp   filezip                   

               sftp  -->基于ssh的安全加密传输                   

               samba   

             2.sftp客户端连接                   

                sftp -oPort=22 root@192.168.25.137                   

                put /etc/hosts /tmp                   

                get /etc/hosts /home/omd   

            3.sftp小结：                   

                1.linux下使用命令： sftp -oPort=22 root@x.x.x.x                   

                2.put加客户端本地路径上传                  

                3.get下载服务器端内容到本地                   

                4.远程连接默认连接用户的家目录

1

2

3

4

5

6

7

usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]

           [-D [bind_address:]port] [-e escape_char] [-F configfile]

           [-i identity_file] [-L [bind_address:]port:host:hostport]

           [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]

           [-R [bind_address:]port:host:hostport] [-S ctl_path]

           [-W host:port] [-w local_tun[:remote_tun]]

           [user@]hostname [command]

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

# 查询openssl软件

    rpm -qa openssh openssl

# 查询sshd进程

    ps -ef | grep ssh

        --> /usr/sbin/sshd

# 查看ssh端口

    netstat -lntup | grep ssh  

    ss | grep ssh                (效果同上，同下，好用)

    netstat -a | grep ssh(记住这个)

    netstat -lnt | grep 22    ==>  查看22端口有没有开/ssh服务有没有开启

    技巧： netstat -lnt | grep ssh | wc -l -->只要大于2个就是ssh服务就是好的

# 查看ssh的秘钥目录

    ll /root/.ssh/known_hosts  # 当前用户家目录的.ssh目录下

# ssh的配置文件

    cat /etc/ssh/sshd_config   

# ssh服务的关闭

    service sshd stop

# ssh服务的开启：

    service sshd start

# ssh服务的重启

    service sshd reload    [停止进程后重启] ==> 推荐

    service sshd restart   [干掉进程后重启] ==> 不推荐

# ssh远程登录

    ssh 192.168.1.100      # 默认利用当前宿主用户的用户名登录

    ssh omd@192.168.1.100  # 利用远程机的用户登录

    ssh omd@192.168.1.100  -o stricthostkeychecking=no # 首次登陆免输yes登录

    ssh omd@192.168.1.100 "ls /home/omd"  # 当前服务器A远程登录服务器B后执行某个命令

    ssh omd@192.168.1.100 -t "sh /home/omd/ftl.sh"  # 当前服务器A远程登录服务器B后执行某个脚本

1

2

[root@localhost ~]# cd /root/.ssh/             【root用户就在root目录下的.ssh目录】

[root@localhost ~]# cd /home/omd/.ssh/   【普通用户就是在家目录下的.ssh目录】

1

2

3

[root@localhost .ssh]# ssh-keygen -t dsa     # 一路回车即可

                id_dsa         -->私钥(钥匙)

                id_dsa.pub     -->公钥(锁)

1

2

[root@localhost .ssh]# ssh-copy-id -i id_dsa.pub omd@192.168.25.110              【 使用ssh登录的默认端口22】

[root@localhost .ssh]# ssh-copy-id -i id_dsa.pub –p 666 omd@192.168.25.120   【使用ssh登录设置的端口666】

1

[omd@localhost .ssh]$ ll /home/omd/.ssh/authorized_keys

1

ssh omd@192.168.25.110

1

2

3

4

5

6

1.多个钥匙开一把锁

      把id_dsa.pub 复制给各个服务器

2.一个钥匙开duobasuo

      把id_dsa 传给各个服务器

      把id_dsa 传给自己 

1

2

3

1.判断物理链路是否通  ping 192.168.25.130     线路 | 防火墙 | 是否同一个网的

            ping   本身是icmp协议

2.判断服务是否正常

1

telnet 192.168.25.130 22

1

3.Linux防火墙

1

service iptables status ==>  /etc/init.d/iptables status　　

1

4.打开ssh的调测进行观察

1

ssh -vvv omd@192.168.1.100

1

2

3

4

5

6

7

8

9

10

11

12

1-1修改 /etc/ssh/sshd_config
        GSSAPIAuthentication
yes    解决一台服务器管理多个ssh服务

    UseDNS no  加快响应速度因为在内网环境下

    PermitRootLogin no  不运行root用户直接登录

    Port 11544 更改访问端口号

    ListenAddress  192.168.25.130  只监听内网的IP

    Match User anoncvs     当前环境允许登录的用户

    PermitRootLogin no      是否允许root用户登录，一般不允许开

1-2重启服务

    service sshd restart       写入命令进内存

    service sshd reload(优先)  reload是一个平滑的访问，不影响用户使用

1-3查看连接端口

    netstat -an | grep EST

1

2

找  到  # StrictHostKeyChecking ask  

修改为：StrictHostKeyChecking no  

1

ssh root@192.168.25.133 -o "StrictHostKeyChecking no"

1

scp -o "StrictHostKeyChecking no" newfile.txt "mailto:root@192.168.25.133:/root">root@192.168.25.133:/root

1

2

3

4

[root@localhost ~]# tar xf sshpass-1.06.tar.gz

[root@localhost ~]# cd sshpass-1.06

[root@localhost sshpass-1.06]# ./configure

[root@localhost sshpass-1.06]# make && make install

1

2

[root@localhost sshpass-1.06]# which sshpass

/usr/local/bin/sshpass

1

sshpass -p FTL600@HH ssh omd@192.168.25.110 -o "StrictHostKeyChecking no"

1

omd@omd-virtual-machine:~/sshpass-1.06$ sudo apt install sshpass

1

omd@omd-virtual-machine:~/sshpass-1.06$ which sshpass

1

2

3

4

5

omd@omd-virtual-machine:~$ tar xf sshpass-1.06.tar.gz

omd@omd-virtual-machine:~$ cd sshpass-1.06/

omd @omd-virtual-machine:~/sshpass-1.06$ ./configure

omd@omd-virtual-machine:~/sshpass-1.06$ sudo make && make install

其同CentOS下安装

1

/etc/ssh/sshd_config

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

[root@localhost .ssh]# cat /etc/ssh/sshd_config

#       $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file.  See

# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with

# OpenSSH is to specify options with their default value where

# possible, but leave them commented.  Uncommented options change a

# default value.

#Port 22

#AddressFamily any

#ListenAddress 0.0.0.0

#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new

# installations. In future the default will change to require explicit

# activation of protocol 1

Protocol 2

# HostKey for protocol version 1

#HostKey /etc/ssh/ssh_host_key

# HostKeys for protocol version 2

#HostKey /etc/ssh/ssh_host_rsa_key

#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key

#KeyRegenerationInterval 1h

#ServerKeyBits 1024

# Logging

# obsoletes QuietMode and FascistLogging

#SyslogFacility AUTH

SyslogFacility AUTHPRIV

#LogLevel INFO

# Authentication:

#LoginGraceTime 2m

#PermitRootLogin yes

#StrictModes yes

#MaxAuthTries 6

#MaxSessions 10

#RSAAuthentication yes

#PubkeyAuthentication yes

#AuthorizedKeysFile     .ssh/authorized_keys

#AuthorizedKeysCommand none

#AuthorizedKeysCommandRunAs nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts

#RhostsRSAAuthentication no

# similar for protocol version 2

#HostbasedAuthentication no

# Change to yes if you don't trust ~/.ssh/known_hosts for

# RhostsRSAAuthentication and HostbasedAuthentication

#IgnoreUserKnownHosts no

# Don't read the user's ~/.rhosts and ~/.shosts files

#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!

#PasswordAuthentication yes

#PermitEmptyPasswords no

PasswordAuthentication yes

# Change to no to disable s/key passwords

#ChallengeResponseAuthentication yes

ChallengeResponseAuthentication no

# Kerberos options

#KerberosAuthentication no

#KerberosOrLocalPasswd yes

#KerberosTicketCleanup yes

#KerberosGetAFSToken no

#KerberosUseKuserok yes

# GSSAPI options

#GSSAPIAuthentication no

GSSAPIAuthentication yes

#GSSAPICleanupCredentials yes

GSSAPICleanupCredentials yes

#GSSAPIStrictAcceptorCheck yes

#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,

# and session processing. If this is enabled, PAM authentication will

# be allowed through the ChallengeResponseAuthentication and

# PasswordAuthentication.  Depending on your PAM configuration,

# PAM authentication via ChallengeResponseAuthentication may bypass

# the setting of "PermitRootLogin without-password".

# If you just want the PAM account and session checks to run without

# PAM authentication, then enable this but set PasswordAuthentication

# and ChallengeResponseAuthentication to 'no'.

#UsePAM no

UsePAM yes

# Accept locale-related environment variables

AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES

AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT

AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE

AcceptEnv XMODIFIERS

#AllowAgentForwarding yes

#AllowTcpForwarding yes

#GatewayPorts no

#X11Forwarding no

X11Forwarding yes

#X11DisplayOffset 10

#X11UseLocalhost yes

#PrintMotd yes

#PrintLastLog yes

#TCPKeepAlive yes

#UseLogin no

#UsePrivilegeSeparation yes

#PermitUserEnvironment no

#Compression delayed

#ClientAliveInterval 0

#ClientAliveCountMax 3

#ShowPatchLevel no

#UseDNS yes

#PidFile /var/run/sshd.pid

#MaxStartups 10

#PermitTunnel no

#ChrootDirectory none

# no default banner path

#Banner none

# override default of no subsystems

Subsystem       sftp    /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis

#Match User anoncvs

#       X11Forwarding no

#       AllowTcpForwarding no

#       ForceCommand cvs server