Linux remote login (telnet, ssh)
telnet
[root@rhel6 ~]# rpm -qa | grep telnet
telnet-server-0.17-47.el6.x86_64
telnet-0.17-47.el6.x86_64
[root@rhel6 ~]# vi /etc/xinetd.d/telnet //the telnet server is started on demand by xinetd, so it is configured here
# default: on
# description: The telnet server serves telnet sessions; it uses \
# unencrypted username/password pairs for authentication.
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
disable = no
instances = 1 //maximum number of simultaneously active server processes (here: only one telnet session at a time)
# bind = 192.168.0.90 //accept connections only on this interface address
# only_from = 192.168.0.0/24 //allow connections only from this subnet
# no_access = 192.168.0.100 //refuse connections from this address
# access_times = 9:00-18:00 //hours during which the service accepts connections
}
[root@rhel6 ~]# /etc/init.d/xinetd restart
Stopping xinetd: [ OK ]
Starting xinetd: [ OK ]
[root@rhel5 ~]# telnet rhel6
Trying 192.168.0.90...
Connected to rhel6.
Escape character is '^]'.
Red Hat Enterprise Linux Server release 6.2 (Santiago)
Kernel 2.6.32-220.el6.x86_64 on an x86_64
login: root
Password:
Login incorrect //root is refused over telnet by default: pam_securetty in /etc/pam.d/login allows root only on the terminals listed in /etc/securetty
login: xfcy
Password:
Last login: Wed Dec 26 17:17:08 from rhel6
[xfcy@rhel6 ~]$ who
root pts/0 2012-12-27 12:01 (192.168.0.90)
xfcy pts/1 2012-12-27 12:18 (rhel5)
[xfcy@rhel6 ~]$ telnet rhel6
Trying 192.168.0.90...
Connected to rhel6.
Escape character is '^]'.
Connection closed by foreign host. //a second telnet session is refused because of instances = 1
[root@rhel6 ~]# netstat -lntp | grep :23 //xinetd listens on port 23 (the port /etc/services maps "telnet" to) and hands accepted connections to in.telnetd
tcp 0 0 :::23 :::* LISTEN 5169/xinetd
[root@rhel6 ~]# vi /etc/services //change the port of the telnet service to 230 (xinetd looks the port up here by service name)
telnet 230/tcp
telnet 230/udp
[root@rhel6 ~]# /etc/init.d/xinetd restart
Stopping xinetd: [ OK ]
Starting xinetd: [ OK ]
[root@rhel6 ~]# netstat -lntp | grep :23
tcp 0 0 :::230 :::* LISTEN 5319/xinetd
[root@rhel5 ~]# telnet rhel6
Trying 192.168.0.90... //port 23 is no longer open, so the default port fails
telnet: connect to address 192.168.0.90: Connection refused
telnet: Unable to connect to remote host: Connection refused
[root@rhel5 ~]# telnet rhel6 230 //on port 230 the connection succeeds
Trying 192.168.0.90...
Connected to rhel6.xfcy.org (192.168.0.90).
Escape character is '^]'.
Red Hat Enterprise Linux Server release 6.2 (Santiago)
Kernel 2.6.32-220.el6.x86_64 on an x86_64
login: xfcy
Password:
Last login: Thu Dec 27 12:50:16 from rhel5
[xfcy@rhel6 ~]$ netstat -an | grep :23
tcp 0 0 192.168.0.90:230 192.168.0.89:51147 ESTABLISHED
tcp 0 0 :::230 :::* LISTEN
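Added example, not code from the original page: a small audit for an xinetd service stanza such as the /etc/xinetd.d/telnet file above. xinetd_get prints the value of one attribute, and telnet_exposed succeeds when the service is enabled with neither only_from nor bind set, that is, a cleartext login service reachable from any address. Both stanzas are constructed samples, not copied from a real host.

```shell
# Added example, not from the original page: audit an xinetd service stanza
# such as /etc/xinetd.d/telnet. xinetd_get prints the value of one attribute,
# telnet_exposed succeeds when the service is enabled with neither only_from
# nor bind set, i.e. a cleartext login service reachable from any address.
# Both stanzas below are constructed samples, not copied from a real host.

xinetd_get() {
    # usage: xinetd_get FILE ATTRIBUTE -> prints the attribute's value (empty if unset)
    awk -v key="$2" '
        { sub(/#.*/, "") }                         # drop xinetd comments
        index($0, "=") {
            n = index($0, "=")
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/[ \t]/, "", k); sub(/\+$/, "", k)    # "log_on_failure +=" -> log_on_failure
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) print v
        }' "$1"
}

telnet_exposed() {
    # usage: telnet_exposed FILE -> exit 0 if enabled and unrestricted, 1 otherwise
    [ "$(xinetd_get "$1" disable)" != yes ] &&
    [ -z "$(xinetd_get "$1" only_from)" ] &&
    [ -z "$(xinetd_get "$1" bind)" ]
}

SAMPLE_DIR=${TMPDIR:-/tmp}/xinetd_audit.$$
mkdir -p "$SAMPLE_DIR"

# Sample 1 (constructed): the stanza as shipped, enabled and open to the world.
cat > "$SAMPLE_DIR/telnet.open" <<'EOF'
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = no
}
EOF

# Sample 2 (constructed): the same service with the access controls switched on.
cat > "$SAMPLE_DIR/telnet.locked" <<'EOF'
service telnet
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = no
        instances       = 1
        # management interface only, only from the LAN, only during office hours
        bind            = 192.168.0.90
        only_from       = 192.168.0.0/24
        access_times    = 9:00-18:00
}
EOF

for f in "$SAMPLE_DIR/telnet.open" "$SAMPLE_DIR/telnet.locked"; do
    if telnet_exposed "$f"; then
        echo "$f: telnet enabled with no source restriction (cleartext logins from anywhere)"
    else
        echo "$f: disabled or restricted (only_from=$(xinetd_get "$f" only_from) bind=$(xinetd_get "$f" bind))"
    fi
done
```

Two caveats on the port change above: moving telnet to 230 in /etc/services only hides it from a scan that stops at port 23, the login is still cleartext, and it also changes what the telnet client on the same host resolves "telnet" to. xinetd can be given the port directly with `port = 230` and `type = UNLISTED` in the stanza without touching /etc/services.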
By default, Linux refuses to let root log in over telnet. The refusal comes from pam_securetty, which /etc/pam.d/login calls and which accepts root only on the terminals listed in /etc/securetty. If root really must log in this way, one of the following three methods removes the check. All three weaken the system: root's password then crosses the network in cleartext, so in practice log in as a normal user and switch with su or sudo instead.
1. Edit the login PAM file
On Red Hat the restriction on remote root logins is applied by the pam_securetty line in /etc/pam.d/login; commenting that line out disables the check. Only the pam_securetty line matters: the file below also has pam_nologin commented out, which is unrelated (it merely blocks non-root logins while /etc/nologin exists).
[root@rhel5 ~]# vi /etc/pam.d/login
#%PAM-1.0
#auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so //commented out: root is no longer limited to the terminals in /etc/securetty
auth include system-auth
#account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session include system-auth
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
2. Remove the securetty file
The list of terminals on which root may log in lives in /etc/securetty (by default console, vc/1-11 and tty1-11). If the file does not exist, pam_securetty logs the missing file but returns PAM_SUCCESS, so removing (or renaming) it lets root log in from any terminal, including remote ones.
[root@rhel5 ~]# mv /etc/securetty /etc/securetty.bak
3. Add the pseudo-terminals to the securetty file
Telnet and ssh sessions run on pseudo-terminals (pts/N, as the who output above shows), so listing them makes pam_securetty accept root there. Entries are compared literally, one per line; the list below starts at pts/1, so a session that is allocated pts/0 is still refused.
[root@rhel5 ~]# vi /etc/securetty
console
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
vc/7
vc/8
vc/9
vc/10
vc/11
tty1
tty2
tty3
tty4
tty5
tty6
tty7
tty8
tty9
tty10
tty11
pts/1
pts/2
pts/3
pts/4
pts/5
pts/6
pts/7
pts/8
pts/9
pts/10
pts/11
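Added example, not code from the original page: a shell re-implementation of the decision pam_securetty makes for root, so the effect of the three methods above can be tried without logging in. It takes the tty name as PAM sees it (for example /dev/pts/0 or tty1) and a securetty file; the file used here is a constructed copy of the stock list (console, vc/1-11, tty1-11), not a real host's file. Newer PAM releases additionally accept the kernel console named in /sys/class/tty/console/active; that special case is left out.

```shell
# Added example, not from the original page: a shell re-implementation of the
# decision pam_securetty makes for root. Assumes the tty name as PAM sees it
# (e.g. /dev/pts/0 or tty1) and a securetty file; the sample file below is a
# constructed copy of the stock list, not taken from a real host.

securetty_allows_root() {
    # usage: securetty_allows_root TTY [FILE] -> exit 0 if root may log in on TTY
    tty=${1#/dev/}                 # pam_securetty strips a leading /dev/
    file=${2:-/etc/securetty}
    if [ ! -f "$file" ]; then
        # Missing file: pam_securetty logs the error but returns PAM_SUCCESS,
        # which is why method 2 (removing the file) lets root in everywhere.
        return 0
    fi
    # Entries are compared literally, one per line; lines starting with # are comments.
    grep -v '^#' "$file" | grep -qx -- "$tty"
}

add_ptys() {
    # usage: add_ptys FILE FIRST LAST -> append pts/FIRST .. pts/LAST (method 3)
    i=$2
    while [ "$i" -le "$3" ]; do echo "pts/$i"; i=$((i + 1)); done >> "$1"
}

# Constructed sample of the stock /etc/securetty: console, vc/1-11, tty1-11.
SECURETTY_SAMPLE=${TMPDIR:-/tmp}/securetty.sample.$$
{
    echo console
    i=1
    while [ "$i" -le 11 ]; do echo "vc/$i"; echo "tty$i"; i=$((i + 1)); done
} > "$SECURETTY_SAMPLE"

report() {
    # usage: report TTY FILE -> one line saying whether root is accepted there
    if securetty_allows_root "$1" "$2"; then echo "$1: root allowed"; else echo "$1: root refused"; fi
}

echo "stock list:"
for t in /dev/tty1 /dev/pts/0 /dev/pts/1; do report "$t" "$SECURETTY_SAMPLE"; done

add_ptys "$SECURETTY_SAMPLE" 1 11      # the list from method 3 starts at pts/1 ...
echo "after adding pts/1-pts/11:"
for t in /dev/pts/0 /dev/pts/1; do report "$t" "$SECURETTY_SAMPLE"; done   # ... so pts/0 is still refused

echo "file removed (method 2):"
report /dev/pts/0 "$SECURETTY_SAMPLE.missing"
```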
ssh
[root@rhel6 ~]# rpm -qa | grep openssh
openssh-server-5.3p1-70.el6.x86_64
openssh-clients-5.3p1-70.el6.x86_64
openssh-5.3p1-70.el6.x86_64
openssh-askpass-5.3p1-70.el6.x86_64
[root@rhel6 ~]# cat /etc/ssh/sshd_config
#Port 22 //port sshd listens on (a commented-out line shows the compiled-in default)
#MaxStartups 10 //maximum number of concurrent connections that have not yet authenticated, not of sessions
#ListenAddress 0.0.0.0
#PermitRootLogin yes //the default is yes: root can log in directly over ssh unless this is set to no (/etc/pam.d/sshd does not include pam_securetty, so /etc/securetty plays no part here)
Protocol 2 //SSH protocol 2 only; protocol 1 is cryptographically weak
SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
X11Forwarding yes
Subsystem sftp /usr/libexec/openssh/sftp-server
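Added example, not code from the original page: read the settings sshd would actually apply from an sshd_config like the one above and flag the weak ones. Two things this file makes easy to get wrong are modelled: commented-out lines such as `#PermitRootLogin yes` only document the compiled-in default, and for each keyword sshd uses the first uncommented occurrence, so a hardening line appended at the bottom of the file has no effect if the keyword already appears above it. The defaults passed in are those of OpenSSH 5.3, the version on this host; later releases changed them (protocol 1 support was removed in 7.4, and PermitRootLogin defaults to prohibit-password since 7.0). Match blocks are not handled, and both config files are constructed samples.

```shell
# Added example, not from the original page: which settings sshd would apply
# from an sshd_config, and which of them are weak. Assumes no Match blocks and
# the OpenSSH 5.3 defaults passed as the third argument. Both files below are
# constructed samples.

sshd_effective() {
    # usage: sshd_effective FILE KEYWORD DEFAULT -> value sshd would use
    # sshd takes the FIRST uncommented occurrence of a keyword (case-insensitive);
    # later occurrences are ignored, and "#Keyword value" lines are just comments.
    v=$(awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1")
    printf '%s\n' "${v:-$3}"
}

sshd_audit() {
    # usage: sshd_audit FILE -> prints one line per weak setting, exit 1 if any
    f=$1; bad=0
    [ "$(sshd_effective "$f" Protocol 2,1)" = 2 ] ||
        { echo "Protocol: SSH protocol 1 still accepted"; bad=1; }
    [ "$(sshd_effective "$f" PermitRootLogin yes)" = no ] ||
        { echo "PermitRootLogin: root can log in directly over the network"; bad=1; }
    [ "$(sshd_effective "$f" PasswordAuthentication yes)" = no ] ||
        { echo "PasswordAuthentication: online password guessing possible"; bad=1; }
    return $bad
}

SSHD_WEAK=${TMPDIR:-/tmp}/sshd_config.weak.$$
SSHD_HARD=${TMPDIR:-/tmp}/sshd_config.hard.$$

# The relevant lines of the stock file: the security-relevant settings are left at their defaults.
cat > "$SSHD_WEAK" <<'EOF'
#Port 22
#PermitRootLogin yes
Protocol 2
PasswordAuthentication yes
UsePAM yes
EOF

# Hardened: keys only, no direct root login. The trailing "PermitRootLogin yes"
# is there on purpose to show that it is ignored because the keyword appeared earlier.
cat > "$SSHD_HARD" <<'EOF'
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
UsePAM yes
PermitRootLogin yes
EOF

for f in "$SSHD_WEAK" "$SSHD_HARD"; do
    echo "== $f"
    sshd_audit "$f" && echo "no findings"
done
```

On a live host `sshd -T` prints the effective configuration the same way, which is the quickest check that a hardening change actually took.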
When the client connects to a remote server, it receives the server's host public key and compares it with the entries in ~/.ssh/known_hosts, then does one of the following:
If the key is not yet recorded, the user is asked whether to record it. Answering yes writes it to ~/.ssh/known_hosts and the login continues; answering no writes nothing and the login is aborted. Before answering yes, compare the fingerprint shown with one obtained out of band (on the server, ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub prints it); accepting blindly is exactly what a man-in-the-middle relies on.
If the key is already recorded, it is compared with the stored one: if they are the same the login continues; if they differ, a warning is printed and the login is aborted.
[root@rhel6 ~]# rm -f .ssh/known_hosts
[root@rhel6 ~]# ssh rhel6
The authenticity of host 'rhel6 (192.168.1.119)' can't be established.
RSA key fingerprint is 1a:cf:92:de:28:7d:f2:e0:e8:e6:ad:f1:7c:40:6a:67.
Are you sure you want to continue connecting (yes/no)? yes //accept; the key is recorded in known_hosts
Warning: Permanently added 'rhel6,192.168.1.119' (RSA) to the list of known hosts.
root@rhel6's password:
Last login: Mon Dec 31 11:27:22 2012 from 192.168.1.19
[root@rhel6 ~]# cat .ssh/known_hosts
rhel6,192.168.1.119 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA08gfRmTgp6wM1GPgbVBsAiL6dOaKoViS9w/aL3P/NVGjYANfKQQxx2yagOxqOIFV5wefnrutdgoEmYm9sWl+9AtIf4XgMHupGWlq3jK4LWkKrN2Lg7HdijpbKzH2XuHcI1k9sRzB6F2Xhx3YdTnQKyT8wb9spKp9hzTL4ztGXrrcRW9lXBrz7jp9m4HOwim44j6SSVPTAVrCZWho2X+I27f/6DbCHNfFXV1mi+g7ERo2c8e4KwoKComXaa+E/PsBPKWOuvJgujl1VPQ2hTAWPSVXA67eR9o+39c/cOliDPq/SGsGXtWxZei9FM7G+OZAI5RdZ/Fqmbvivzfweg7IZQ==
Each time the sshd service is started, the init script (/etc/init.d/sshd on Red Hat) looks for the host key pairs /etc/ssh/ssh_host* and generates new ones if they are missing. Deleting them therefore gives the host a new identity, and every client that recorded the old key refuses to connect until its known_hosts entry is fixed:
[root@rhel6 ~]# ls /etc/ssh/ssh_host_*
/etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_key /etc/ssh/ssh_host_rsa_key //private keys (mode 600, readable by root only)
/etc/ssh/ssh_host_dsa_key.pub /etc/ssh/ssh_host_key.pub /etc/ssh/ssh_host_rsa_key.pub //public keys
[root@rhel6 ~]# rm -f /etc/ssh/ssh_host_*
[root@rhel6 ~]# ls /etc/ssh/ssh_host_*
ls: cannot access /etc/ssh/ssh_host_*: No such file or directory
[root@rhel6 ~]# /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Generating SSH1 RSA host key: [ OK ] //SSH1 RSA key pair (ssh_host_key); unused here since the config says Protocol 2
Generating SSH2 RSA host key: [ OK ] //SSH2 RSA key pair
Generating SSH2 DSA host key: [ OK ] //SSH2 DSA key pair
Starting sshd: [ OK ]
[root@rhel6 ~]# ls /etc/ssh/ssh_host_*
/etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_key /etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_dsa_key.pub /etc/ssh/ssh_host_key.pub /etc/ssh/ssh_host_rsa_key.pub
[root@rhel6 ~]# ssh rhel6
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
16:1b:b4:09:20:fe:8f:48:12:e1:3c:16:5e:86:67:8b.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending key in /root/.ssh/known_hosts:1 //the host keys were regenerated, so line 1 of known_hosts no longer matches
RSA host key for rhel6 has changed and you have requested strict checking.
Host key verification failed.
[root@rhel6 ~]# sed -i '1d' .ssh/known_hosts //delete line 1 of known_hosts (ssh-keygen -R rhel6 does the same by host name and keeps a backup in known_hosts.old)
[root@rhel6 ~]# ssh rhel6
The authenticity of host 'rhel6 (192.168.1.119)' can't be established.
RSA key fingerprint is 16:1b:b4:09:20:fe:8f:48:12:e1:3c:16:5e:86:67:8b.
Are you sure you want to continue connecting (yes/no)? yes //record the new key in known_hosts
Warning: Permanently added 'rhel6,192.168.1.119' (RSA) to the list of known hosts.
root@rhel6's password:
Last login: Mon Dec 31 13:28:30 2012 from rhel6
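Added example, not code from the original page: the three known_hosts outcomes described above (unknown host, matching key, changed key) implemented over a plain known_hosts file, plus the two repairs, forgetting a stale entry (what `ssh-keygen -R host` does, minus the backup file) and recording a new one. It assumes unhashed entries; hashed `|1|...` lines, which HashKnownHosts produces, are not handled. The host keys are constructed strings, not real key material.

```shell
# Added example, not from the original page: the known_hosts check that ssh
# performs, over a plain (unhashed) known_hosts file. Key strings below are
# constructed, not real keys.

known_hosts_check() {
    # usage: known_hosts_check FILE HOST KEYTYPE BASE64KEY
    # prints "new", "match" or "MISMATCH at line N"; exit status 1 only on mismatch
    [ -f "$1" ] || { echo new; return 0; }
    awk -v host="$2" -v ktype="$3" -v key="$4" '
        $1 ~ /^#/ || NF < 3 { next }
        {
            n = split($1, names, ",")            # "rhel6,192.168.1.119" lists several names
            for (i = 1; i <= n; i++) if (names[i] == host) {
                found = 1
                if ($2 == ktype && $3 == key) { print "match"; exit 0 }
                printf "MISMATCH at line %d\n", NR; exit 1
            }
        }
        END { if (!found) print "new" }' "$1"
}

known_hosts_forget() {
    # usage: known_hosts_forget FILE HOST -> drop every line that names HOST
    tmp="$1.tmp.$$"
    awk -v host="$2" '
        { keep = 1; n = split($1, names, ",")
          for (i = 1; i <= n; i++) if (names[i] == host) keep = 0
          if (keep) print }' "$1" > "$tmp" && mv "$tmp" "$1"
}

known_hosts_add() {
    # usage: known_hosts_add FILE NAMES KEYTYPE BASE64KEY  (NAMES may be "host,ip")
    printf '%s %s %s\n' "$2" "$3" "$4" >> "$1"
}

KH=${TMPDIR:-/tmp}/known_hosts.sample.$$
OLD_KEY=AAAAB3NzaC1yc2EAAAABIwAAAQEAconstructedOldHostKey0000   # constructed, not a real key
NEW_KEY=AAAAB3NzaC1yc2EAAAABIwAAAQEAconstructedNewHostKey1111   # constructed, not a real key
: > "$KH"

echo "first connection:    $(known_hosts_check "$KH" rhel6 ssh-rsa "$OLD_KEY")"   # new: ssh asks yes/no
known_hosts_add "$KH" "rhel6,192.168.1.119" ssh-rsa "$OLD_KEY"                    # the user answered yes
echo "second connection:   $(known_hosts_check "$KH" rhel6 ssh-rsa "$OLD_KEY")"   # match: proceed silently
echo "by IP, key changed:  $(known_hosts_check "$KH" 192.168.1.119 ssh-rsa "$NEW_KEY" || true)"
# MISMATCH: ssh aborts with the HOST IDENTIFICATION HAS CHANGED warning. Only after
# confirming out of band that the key really was regenerated should the entry go:
known_hosts_forget "$KH" rhel6
echo "after forgetting:    $(known_hosts_check "$KH" rhel6 ssh-rsa "$NEW_KEY")"   # new again
```

On a real system use `ssh-keygen -F rhel6` to look an entry up and `ssh-keygen -R rhel6` to remove it; both understand hashed entries, which the awk above does not.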
ssh [-f] [-p port_num] [user@]IP [CMD]
-f :used together with a CMD: ssh goes to the background right after authentication, so the local shell gets control back at once while the command runs on the remote host; without -f, ssh waits until the command has finished before returning
-p :port to connect to on the remote host (the port sshd listens on there)
-X :enable X11 forwarding (run remote X applications over the ssh connection; ssh sets up DISPLAY and the xauth cookie itself, so xhost + is not needed and should not be used, since it disables the X server's access control entirely)
-Y :enable trusted X11 forwarding (remote clients get unrestricted access to the local display; -X is untrusted forwarding unless ForwardX11Trusted is set in ssh_config, which Red Hat's default ssh_config does)
[root@rhel6 ~]# vi ssh_test.sh //a script to show the difference
#!/bin/sh
echo '####### ssh without "-f" ############'
date
ssh rhel6 sleep 10
date
echo '####### ssh with "-f" ############'
date
ssh -f rhel6 sleep 10
date
[root@rhel6 ~]# chmod +x ssh_test.sh
[root@rhel6 ~]# ./ssh_test.sh
####### ssh without "-f" ############
Mon Dec 31 14:24:26 CST 2012
Mon Dec 31 14:24:36 CST 2012 //returns only after the remote command has finished (10 s later)
####### ssh with "-f" ############
Mon Dec 31 14:24:36 CST 2012
Mon Dec 31 14:24:36 CST 2012 //returns immediately; the command keeps running on the remote host
[root@rhel6 ~]# ssh rhel6
Last login: Mon Dec 31 15:13:16 2012 from rhel6
[root@rhel6 ~]# echo $DISPLAY
[root@rhel6 ~]# exit
[root@rhel6 ~]# ssh -X rhel6
Last login: Mon Dec 31 15:17:19 2012 from rhel6
[root@rhel6 ~]# echo $DISPLAY
localhost:10.0
ssh equivalence (passwordless key-based login between hosts)
[root@rhel5-1 .ssh]# ssh-keygen -t rsa
Generating public/private rsa key pair. //press Enter at every prompt. An empty passphrase means whoever obtains id_rsa can use it; for interactive use give the key a passphrase and hold it in ssh-agent
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
a1:ef:d7:94:03:da:bb:64:f2:7d:4f:73:ad:92:29:a1 root@rhel5-1.xfcy.org
[root@rhel5-1 .ssh]# ls
id_rsa id_rsa.pub //the private key id_rsa must stay here: it is what the client proves possession of
[root@rhel5-1 .ssh]# cat id_rsa.pub >> key
[root@rhel5-1 .ssh]# scp key rhel5-2:/root/.ssh/
The authenticity of host ‘rhel5-2 (192.168.1.22)’ can’t be established.
RSA key fingerprint is 26:5a:c3:e5:58:f0:0d:57:94:02:b0:7f:01:27:34:2a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘rhel5-2,192.168.1.22’ (RSA) to the list of known hosts.
root@rhel5-2’s password:
key 100% 403 0.4KB/s 00:00
[root@rhel5-2 .ssh]# ls
key
[root@rhel5-2 .ssh]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
19:51:ec:c9:87:b3:7e:de:b0:e2:7d:b4:89:09:60:8f root@rhel5-2.xfcy.org
[root@rhel5-2 .ssh]# ls
id_rsa id_rsa.pub key
[root@rhel5-2 .ssh]# cat id_rsa.pub >> authorized_keys
[root@rhel5-2 .ssh]# cat key >> authorized_keys
[root@rhel5-2 .ssh]# scp authorized_keys rhel5-1:/root/.ssh/
The authenticity of host ‘rhel5-1 (192.168.1.11)’ can’t be established.
RSA key fingerprint is 26:5a:c3:e5:58:f0:0d:57:94:02:b0:7f:01:27:34:2a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘rhel5-1,192.168.1.11’ (RSA) to the list of known hosts.
root@rhel5-1’s password:
authorized_keys 100% 806 0.8KB/s 00:00
[root@rhel5-2 .ssh]# ls
authorized_keys id_rsa id_rsa.pub key known_hosts
[root@rhel5-2 .ssh]# ssh rhel5-1
Last login: Thu Aug 30 15:41:33 2012 from rhel5-2.xfcy.org
At this point ssh from rhel5-2 to rhel5-1 no longer asks for a password, and neither does ssh from rhel5-1 to rhel5-2.
Note: the private key id_rsa must exist on both ends, and sshd (with StrictModes, the default) ignores authorized_keys if the home directory, ~/.ssh or the file itself is writable by anyone but the owner (use 700 for ~/.ssh and 600 for authorized_keys); ssh-copy-id does the append and the permissions in one step. Because these are root keys, consider PermitRootLogin without-password in sshd_config (on OpenSSH 5.3 this allows key-based root login only) and a from="..." option in authorized_keys so a stolen key is only usable from the expected peer. Also note that rhel5-1 and rhel5-2 present the same RSA host key fingerprint (26:5a:c3:...), which is what happens when machines are cloned from one image with /etc/ssh/ssh_host_* already generated; each host should have its own host keys (delete them and restart sshd as shown above).
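Added example, not code from the original page: install a public key into authorized_keys the way the copy-and-append above does, but idempotently (re-running does not duplicate the line), with the permissions sshd's StrictModes insists on (~/.ssh 700, authorized_keys 600) and, optionally, with authorized_keys options that confine what the key may do. The key and the directory used are constructed samples, not real key material or a real home directory; the public key file is assumed to hold a single key line.

```shell
# Added example, not from the original page: idempotent authorized_keys
# installation with StrictModes-safe permissions and optional key options.
# The key and home directory below are constructed samples.

install_authorized_key() {
    # usage: install_authorized_key PUBKEY_FILE AUTHORIZED_KEYS [OPTIONS]
    # OPTIONS is the comma-separated authorized_keys option list, e.g.
    #   from="192.168.1.11",no-port-forwarding,no-X11-forwarding,no-agent-forwarding
    pub=$(cat "$1")
    dir=$(dirname "$2")
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$2" && chmod 600 "$2"
    # Compare on key type + base64 only, so the same key with a different
    # comment or different options is still recognised as already installed.
    keydata=$(printf '%s\n' "$pub" | awk '{ print $1, $2 }')
    if awk -v k="$keydata" '
            { for (i = 1; i < NF; i++) if (($i " " $(i + 1)) == k) { hit = 1; exit } }
            END { exit !hit }' "$2"; then
        return 0                                  # already present, nothing to do
    fi
    if [ -n "$3" ]; then
        printf '%s %s\n' "$3" "$pub" >> "$2"
    else
        printf '%s\n' "$pub" >> "$2"
    fi
}

SAMPLE_HOME=${TMPDIR:-/tmp}/sshkeys.sample.$$
AK=$SAMPLE_HOME/.ssh/authorized_keys
mkdir -p "$SAMPLE_HOME"
# Constructed public key standing in for rhel5-1's id_rsa.pub (not a real key).
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAconstructedKeyForRhel51 root@rhel5-1.xfcy.org\n' \
    > "$SAMPLE_HOME/rhel5-1.pub"

# Accept the key only from rhel5-1's address and without any tunnelling features.
install_authorized_key "$SAMPLE_HOME/rhel5-1.pub" "$AK" \
    'from="192.168.1.11",no-port-forwarding,no-X11-forwarding,no-agent-forwarding'
install_authorized_key "$SAMPLE_HOME/rhel5-1.pub" "$AK"     # second run: no duplicate line
cat "$AK"
ls -ld "$SAMPLE_HOME/.ssh" "$AK"
```

The from= option is matched against the client's address (or resolved name) by sshd before the key is accepted, so it limits the damage from a copied id_rsa to the hosts that should hold it; the no-*-forwarding options stop the key from being used as a pivot.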