NotePublic/Software/Applications/SSH/Linux_SSH_服务的安装和使用.md

167 lines
4.2 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Linux SSH 服务的安装和使用
## 安装 SSH Server
```sh
# Ubuntu
apt-get install openssh-server
```
## 开启 SSH 服务
当目标机上有 SSHD 的情况下,可以开启 SSHD 服务。编写 sshd_config 文件,放置到 /etc/ssh 下,内容如下:
```sh
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
#PermitRootLogin prohibit-password
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
```
注意以上配置使用了内置 SFTP 服务“Subsystem sftp internal-sftp”。之后既可以使用 SCP 上传和下载文件,也可以使用 SFTP 上传下载文件。
之后在目标机上
```sh
# 开机自运行
systemctrl enable sshd.service
# 启动 sshd 服务
systemctrl start sshd.service
# 查看 sshd 服务状态
systemctrl status sshd.service
```
如果没有 systemd可以使用如下命令
```sh
service ssh start
```
## SSH 登陆
在开发机上
```sh
ssh <User Name>@<IP> -p <port>
```
不加 -p 参数,则默认使用 22 端口。
## SCP 上传和下载
SCP 上传
```sh
scp <Local Path or File> <User Name>@<IP>:<Path or File>
```
SCP 下载
```sh
scp <User Name>@<IP>:<Path or File> <Local Path or File>
```
## 免密访问
ssh 登陆或 scp 的时候每次都输入密码很麻烦,如果用于访问 SSH 服务器的客户端值得信任的话可以授权该主机用户免密登陆。做法是先在客户端生成密钥对,如果已有密钥对可跳过本步骤:
```sh
ssh-keygen
```
之后在客户端使用:
```sh
ssh-copy-id <User Name>@<IP>
# 后续按照提示进行操作即可
```
命令将客户端的 ssh public key 提供给服务器,之后该客户端的授权账号(拥有该密钥对的账号)就可以免密访问服务器了。
在服务器的 \<User Home\>/.ssh/authorized_keys 文件中可以看到已授权客户端公钥,删除公钥可取消对应客户端账户的免密访问权限。