---
layout: post
title: "Installing and Using the SSH Service on Linux"
subtitle: ""
description: "A brief guide to installing, configuring and using the SSH service on Linux."
excerpt: "A guide to configuring the SSH service on Linux."
date: 2020-05-20 12:00:00
author: "Rick Chan"
tags: ["Applications", "SSH"]
categories: ["Software"]
published: true
---
## Installing the SSH Server
```bash
# Ubuntu
sudo apt install openssh-server
# Manjaro
sudo pacman -S openssh
# Generate any host keys missing from /etc/ssh (needs root;
# the Ubuntu package already does this when it is installed)
sudo ssh-keygen -A
```
## Starting the SSH Service
Once sshd is installed on the target machine, the service can be enabled. Write an sshd_config file and place it under /etc/ssh (the package ships one there already; back it up before replacing it). The version below is the Debian/Ubuntu template with the leftovers of SSH protocol 1 removed (current OpenSSH ignores Protocol, RSAAuthentication, RhostsRSAAuthentication, KeyRegenerationInterval, ServerKeyBits and UsePrivilegeSeparation with a "Deprecated option" warning) and without the DSA host key, since ssh-dss has been disabled by default since OpenSSH 7.0:
```ini
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
# Host keys (no DSA key: ssh-dss is disabled by default since OpenSSH 7.0)
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
# "yes" lets root log in with a password, the first thing brute-force scans try.
# prohibit-password (root by key only) or no is the safer setting.
#PermitRootLogin prohibit-password
PermitRootLogin yes
StrictModes yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for HostbasedAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# X11 forwarding is only needed to run graphical programs over SSH
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
TCPKeepAlive yes
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
```
Note that this configuration uses the built-in SFTP subsystem ("Subsystem sftp internal-sftp"), which needs no separate sftp-server binary. Afterwards both SCP and SFTP can be used to upload and download files.
Then, on the target machine:
```bash
# start at boot (on Debian/Ubuntu the unit is ssh.service; sshd.service is the Arch/Manjaro name)
sudo systemctl enable sshd.service
# start the sshd service
sudo systemctl start sshd.service
# check the service status
sudo systemctl status sshd.service
# or, on Ubuntu 12 (pre-systemd)
sudo /etc/init.d/ssh restart
```
If systemd is not available, use:
```bash
sudo service ssh start
```
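Before restarting, `sudo sshd -t` parses the file and reports syntax errors. The script below is an added example, not part of the original post: an offline audit in POSIX sh that flags the weak settings discussed above (root password login, password logins, empty passwords, a DSA host key) and the protocol 1 leftovers. The list of checks is this example's own selection, and the sample file it writes at the end is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: an offline audit of an
# sshd_config in POSIX sh. The flagged settings are this example's own
# selection, and the sample file written at the bottom is constructed.

# audit_sshd_config FILE
# Prints one finding per line as "FILE:LINE: message".
# Returns 0 when nothing was flagged, 1 otherwise.
audit_sshd_config() {
    file=$1
    found=0
    lineno=0
    set -f    # no pathname expansion while splitting lines ("AcceptEnv LANG LC_*")
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        line=${line%%#*}             # drop trailing comment
        set -- $line                 # $1 = keyword, $2 = first value
        [ $# -ge 1 ] || continue
        key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
        val=$(printf '%s' "${2:-}" | tr 'A-Z' 'a-z')
        msg=""
        case "$key" in
            permitrootlogin)
                case "$val" in
                    yes) msg="PermitRootLogin yes lets root log in with a password; use prohibit-password or no" ;;
                esac ;;
            passwordauthentication)
                case "$val" in
                    yes) msg="PasswordAuthentication yes; set to no once keys are deployed" ;;
                esac ;;
            permitemptypasswords)
                case "$val" in
                    yes) msg="PermitEmptyPasswords yes accepts accounts without a password" ;;
                esac ;;
            hostkey)
                # "*_dsa_*" matches ssh_host_dsa_key but not ssh_host_ecdsa_key
                case "$val" in
                    *_dsa_*) msg="DSA host key listed; ssh-dss is disabled by default since OpenSSH 7.0" ;;
                esac ;;
            protocol|useprivilegeseparation|keyregenerationinterval|serverkeybits|rsaauthentication|rhostsrsaauthentication)
                msg="$1 is a deprecated option from the SSH protocol 1 era; delete it" ;;
        esac
        if [ -n "$msg" ]; then
            printf '%s:%d: %s\n' "$file" "$lineno" "$msg"
            found=1
        fi
    done < "$file"
    set +f
    return "$found"
}

# Constructed sample with several weak and obsolete settings.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
UsePrivilegeSeparation yes
PermitRootLogin yes
PasswordAuthentication no
AcceptEnv LANG LC_*
EOF

if audit_sshd_config "$sample"; then
    echo "no findings"
else
    echo "fix the findings above before restarting sshd"
fi
rm -f "$sample"
```

Run it against the real file with `audit_sshd_config /etc/ssh/sshd_config`; it only reads the file, so it is safe to run before `sshd -t` and the restart.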
## Logging in with SSH
On the development machine:
```bash
ssh <User Name>@<IP> -p <port>
```
Without `-p`, port 22 is used.
## Uploading and Downloading with SCP
Upload with SCP:
```bash
scp <Local Path or File> <User Name>@<IP>:<Path or File>
```
Download with SCP:
```bash
scp <User Name>@<IP>:<Path or File> <Local Path or File>
```
Transfer several files in one SCP call:
```bash
# the backslashes stop the local shell from expanding the braces, so the remote side does
scp <User Name>@<IP>:<Path>/\{file1,file2\} .
# shell wildcards (globs, not regular expressions) work on the remote path as well:
scp <User Name>@<IP>:<Path>/* .
scp <User Name>@<IP>:<Path>/*.txt .
```
The unescaped `*` only survives because the local shell finds no file matching `<User Name>@<IP>:<Path>/*` and passes the argument through unchanged; quoting the remote argument is more robust. Since OpenSSH 9.0 scp uses the SFTP protocol by default, so the remote side no longer runs a shell to expand the pattern; if a pattern such as the brace form stops working, pass `-O` to fall back to the legacy SCP protocol (see scp(1)).
## Passwordless Access
Typing the password for every ssh login or scp transfer is tedious. If the client host used to reach the SSH server is trusted, its user account can be granted key-based, passwordless login. First generate a key pair on the client (skip this step if one already exists):
```bash
# -t ed25519 selects a modern key type; protect the private key with a passphrase
# and load it into ssh-agent so that "passwordless" does not mean "unprotected"
ssh-keygen -t ed25519
```
Then, on the client:
```bash
ssh-copy-id <User Name>@<IP>
# follow the prompts (this last password login is what installs the key)
```
The command appends the client's public key on the server; from then on the client account that holds the matching private key can log in without a password. The server keeps the authorized public keys in \<User Home\>/.ssh/authorized_keys; deleting a key's line there revokes that client account's passwordless access. Once every user has a key in place, `PasswordAuthentication no` in sshd_config closes the password route entirely.
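Deleting a line from authorized_keys is the revocation step described above. The script below is an added example, not code from the original post: it builds a restricted authorized_keys entry using the `restrict`, `from=` and `command=` options documented in sshd(8) under AUTHORIZED_KEYS FILE FORMAT, and removes every entry for a given key regardless of its options or comment. The key blobs and the `/usr/local/bin/backup.sh` command path are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post: least-privilege authorized_keys
# entries and key revocation in POSIX sh. The key blobs and the command path
# /usr/local/bin/backup.sh are constructed placeholders, not real key material.

# restrict_key OPTIONS PUBKEY_LINE
# Prints PUBKEY_LINE with OPTIONS prepended, after checking that the line has
# the "<type> <base64> [comment]" shape sshd expects.
restrict_key() {
    opts=$1
    pubkey=$2
    set -f; set -- $pubkey; set +f
    if [ $# -lt 2 ]; then
        echo "restrict_key: not a public key line: $pubkey" >&2; return 1
    fi
    case "$1" in
        ssh-*|ecdsa-*|sk-*) ;;
        *) echo "restrict_key: unknown key type: $1" >&2; return 1 ;;
    esac
    printf '%s %s\n' "$opts" "$pubkey"
}

# revoke_key KEYFILE PUBKEY_LINE
# Deletes every entry whose key type and blob match PUBKEY_LINE, whatever its
# options or comment, and prints how many entries were removed.
revoke_key() {
    keyfile=$1
    set -f; set -- $2; set +f
    wanted="$1 $2"
    tmp="$keyfile.tmp"
    removed=0
    : > "$tmp"
    while IFS= read -r entry || [ -n "$entry" ]; do
        keep=1
        prev=""
        set -f; set -- $entry; set +f
        # the type and blob are adjacent fields even when options precede them
        for field in "$@"; do
            if [ "$prev $field" = "$wanted" ]; then keep=0; fi
            prev=$field
        done
        if [ "$keep" -eq 1 ]; then
            printf '%s\n' "$entry" >> "$tmp"
        else
            removed=$((removed + 1))
        fi
    done < "$keyfile"
    mv "$tmp" "$keyfile"
    chmod 600 "$keyfile"    # StrictModes rejects group/world-writable key files
    echo "$removed"
}

# Constructed keys (not real key material) and a temporary authorized_keys file.
ci_key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYONEEXAMPLEKEYONEEXAMPLEKEYONE ci@build'
dev_key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYTWOEXAMPLEKEYTWOEXAMPLEKEYTWO rick@laptop'
authkeys=$(mktemp)

# The CI host may only run the backup script, only from one subnet, with no
# forwarding, pty or agent ("restrict" turns all of those off).
restrict_key 'restrict,from="192.0.2.0/24",command="/usr/local/bin/backup.sh"' "$ci_key" >> "$authkeys"
# The developer's laptop keeps full access.
printf '%s\n' "$dev_key" >> "$authkeys"
chmod 600 "$authkeys"

cat "$authkeys"
echo "removed: $(revoke_key "$authkeys" "$ci_key")"
cat "$authkeys"
rm -f "$authkeys"
```

On a real server the file is `~/.ssh/authorized_keys` of the target account, and the edit should be done with the account's own permissions so that `StrictModes` keeps accepting the file.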
## Disabling Host Key Checking
Each time the SSH client connects to a new host it verifies the host key, asks the user to confirm it, and records the host in the known_hosts file. Automated jobs cannot answer that prompt; one workaround is to add the following two lines to ~/.ssh/config (create the file if it does not exist):
```ini
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
```
*This removes the client's only protection against a man-in-the-middle impersonating the server, and with UserKnownHostsFile set to /dev/null no key is ever remembered, so a changed key is never noticed. Safer options for automation: seed known_hosts with the server's key in advance (copy /etc/ssh/ssh_host_*.pub from the server, or run ssh-keyscan from a trusted network), scope any relaxation to a `Host` block instead of all hosts, or use `StrictHostKeyChecking accept-new` (OpenSSH 7.6 and later), which accepts a host seen for the first time but still refuses one whose key has changed.*
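As an added example (not part of the original post), the following POSIX sh script implements the "seed known_hosts in advance" alternative: it turns a server's public host key into a known_hosts entry in the form OpenSSH expects for a non-default port and writes a `Host` block that pins it. The host, port, user and key blob are constructed placeholders; on a real server the key line is the content of /etc/ssh/ssh_host_ed25519_key.pub, fetched over a channel you already trust (ssh-keyscan already prints lines in known_hosts format, so its output would be used instead of `known_hosts_entry`).

```shell
#!/bin/sh
# Added example, not part of the original post: pin a server's host key for
# automation instead of turning host key checking off. Host names, port, user
# and the host key blob below are constructed placeholders.

# known_hosts_entry HOST PORT HOSTKEY_LINE
# Prints the known_hosts line for HOST:PORT from the server's public host key
# ("<type> <base64> [comment]"). OpenSSH looks up non-default ports as
# "[host]:port", so the port has to be part of the entry.
known_hosts_entry() {
    host=$1
    port=$2
    set -f; set -- $3; set +f
    if [ $# -lt 2 ]; then
        echo "known_hosts_entry: not a host key line" >&2; return 1
    fi
    if [ "$port" -eq 22 ]; then
        printf '%s %s %s\n' "$host" "$1" "$2"
    else
        printf '[%s]:%s %s %s\n' "$host" "$port" "$1" "$2"
    fi
}

# pin_host CONFDIR ALIAS HOST PORT USER HOSTKEY_LINE
# Writes CONFDIR/known_hosts.ALIAS and appends a Host block to CONFDIR/config
# that trusts only that file and refuses any other key for the host.
pin_host() {
    dir=$1; name=$2; host=$3; port=$4; user=$5; hostkey=$6
    mkdir -p "$dir"
    chmod 700 "$dir"
    kh="$dir/known_hosts.$name"
    known_hosts_entry "$host" "$port" "$hostkey" > "$kh" || return 1
    chmod 600 "$kh"
    cat >> "$dir/config" <<EOF
Host $name
    HostName $host
    Port $port
    User $user
    UserKnownHostsFile $kh
    StrictHostKeyChecking yes
EOF
    chmod 600 "$dir/config"
}

# Demo with constructed values; a real run would pass ~/.ssh as CONFDIR.
demo_dir=$(mktemp -d)
pin_host "$demo_dir" build-target 192.0.2.10 2222 deploy \
    'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEHOSTKEYEXAMPLEHOSTKEYEXAMPLEHOSTKEY root@target'
cat "$demo_dir/config" "$demo_dir/known_hosts.build-target"
rm -rf "$demo_dir"
```

With the block written to ~/.ssh/config, `ssh build-target` connects to 192.0.2.10:2222 as `deploy` without any prompt, and refuses to connect if the server ever presents a different key.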