SSHD服務搭建

SSH協議：安全外殼協議。爲Secure Shell 縮寫。SSH爲創建在應用層和傳輸層基礎上的安全協議。

 

一、檢查SSH服務端安裝狀況

1. [root@rhel6_84 ~]# rpm -qpi /mnt/Packages/openssh-server-5.3p1-94.el6.x86_64.rpm #rpm -qpi packetname 查看安裝包的內容

2. [root@rhel-6~]# rpm -qa |grep openssh #檢查ssh安裝狀況。若是沒有使用rpm安裝一遍。
3. openssh-5.3p1-94.el6.x86_64
4. openssh-clients-5.3p1-94.el6.x86_64
5. openssh-askpass-5.3p1-94.el6.x86_64
6. openssh-server-5.3p1-94.el6.x86_64

 

二、啓動SSHD服務

1. [root@rhel-6 ~]# service sshd start
   
2. [root@rhel-6 ~]# /etc/init.d/sshd start #絕對路徑方式啓動
   
3. [root@rhel-6 ~]# chkconfig sshd on #設置sshd服務開機自啓 on自啓 off關閉自啓 [root@rhel-6 ~]# chkconfig --list sshd #檢查開機自啓狀況 sshd 0:關閉 1:關閉 2:啓用 3:啓用 4:啓用 5:啓用 6:關閉

 

三、客戶端保存的密鑰

1. [root@rhel-6~]# cat .ssh/known_hosts #查看本機保存的服務端的密鑰。
2. 192.168.3.81 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCzit8dq4s0xZCk1Gme5GJfYaWZzYHW37KHMfpaU7Fc2/npmJpHpufXGiYR+h9bAR6DBJvDzp5Mr/nmoaOxLb9WH4dsD9ZyLVTLzp3gaFpk9Fc7B8VRznIgveRYmIue146DoU3+Hjt7DWA19Cg4vxGZih/RekhmUgwEbKmxoC1KW6Qm6Aqd+F5oNIdign8KtFaIMzE4cNcL6YEb1wdYTk3fdUWhUip0Fir3sej9zjrGdCCA3HPxuPbsPE+3yaQ975yfelKRHI/DUpsKegQHK88RtfElLnDOVgle/yne8vsvDgnB1JYKZTGu8XuHG+vGwQAR+E2AelQcQDVFZ0+eJ+T

 

四、SSHD服務配置文件

1. [root@rhel6_84 ~]# cp /etc/ssh/sshd_config{,.back} #修改前備份此配置文件

2. [root@rhel6_84 ~]# ls /etc/ssh/ moduli ssh_config sshd_config sshd_config.back ssh_host_dsa_key

3. [root@rhel6_84 ~]# cat -n /etc/ssh/sshd_config
4. #Port 22 #端口，默認是22，最好修改成其它

5. [root@rhel6_84 ~]# netstat -anptu |grep ssh #修改好後，查看ssh服務是否正常監聽新端口（222） tcp 0 0 127.0.0.1:6010 0.0.0.0:* LISTEN 2597/sshd tcp 0 0 0.0.0.0:222 0.0.0.0:* LISTEN 2765/sshd tcp 0 52 192.168.3.84:22 192.168.3.130:57537 ESTABLISHED 2597/sshd tcp 0 0 ::1:6010 :::* LISTEN 2597/sshd tcp 0 0 :::222 :::* LISTEN 2765/sshd


 

五、新端口ssh鏈接

1. [root@rhel6_80 ~]# ssh -p 222 root@192.168.3.84 #加上-p參數 指定222端口 鏈接新服務器

 

六、SSHD配置文件詳解

1. # $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
3. # This is the sshd server system-wide configuration file. See
4. # sshd_config(5) for more information.
6. # This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin #ssh所執行的bash目錄
8. # The strategy used for options in the default sshd_config shipped with
9. # OpenSSH is to specify options with their default value where
10. # possible, but leave them commented. Uncommented options change a
11. # default value.
13. Port222 #ssh服務端口號
14. #AddressFamily any
15. #ListenAddress 0.0.0.0
16. #ListenAddress ::
18. # Disable legacy (protocol version 1) support in the server for new
19. # installations. In future the default will change to require explicit
20. # activation of protocol 1
21. Protocol2
23. # HostKey for protocol version 1
24. #HostKey /etc/ssh/ssh_host_key
25. # HostKeys for protocol version 2
26. #HostKey /etc/ssh/ssh_host_rsa_key
27. #HostKey /etc/ssh/ssh_host_dsa_key
29. # default value.
31. Port222
32. #AddressFamily any
33. #ListenAddress 0.0.0.0
34. #ListenAddress :: #指定只監聽的IP地址，設置只容許此IP登錄
36. # Disable legacy (protocol version 1) support in the server for new
37. # installations. In future the default will change to require explicit
38. # activation of protocol 1
39. Protocol2
41. # HostKey for protocol version 1
42. #HostKey /etc/ssh/ssh_host_key
43. # HostKeys for protocol version 2
44. #HostKey /etc/ssh/ssh_host_rsa_key
45. #HostKey /etc/ssh/ssh_host_dsa_key
47. # Lifetime and size of ephemeral version 1 server key
48. #KeyRegenerationInterval 1h
49. #ServerKeyBits 1024 #定義密鑰長度，默認長度1024
51. # Logging
52. # obsoletes QuietMode and FascistLogging
53. #SyslogFacility AUTH
54. SyslogFacility AUTHPRIV
55. #LogLevel INFO
57. # Authentication:
59. #LoginGraceTime 2m #鏈接斷開前等待時間
60. #PermitRootLogin yes #禁止root用戶登錄
61. #StrictModes yes
62. #MaxAuthTries 6
63. #MaxSessions 10
65. #RSAAuthentication yes
66. #PubkeyAuthentication yes
67. #AuthorizedKeysFile .ssh/authorized_keys
68. #AuthorizedKeysCommand none
69. #AuthorizedKeysCommandRunAs nobody
71. # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
72. #RhostsRSAAuthentication no
73. # similar for protocol version 2
74. #HostbasedAuthentication no
75. # Change to yes if you don't trust ~/.ssh/known_hosts for
76. # RhostsRSAAuthentication and HostbasedAuthentication
77. #IgnoreUserKnownHosts no
78. # Don't read the user's ~/.rhosts and ~/.shosts files
79. #IgnoreRhosts yes
81. # To disable tunneled clear text passwords, change to no here!
82. #PasswordAuthentication yes
83. #PermitEmptyPasswords no
84. PasswordAuthentication yes #是否容許使用帳號和密碼登錄，改成no將不容許使用帳號和密碼登錄，可以使用私鑰登錄。
86. # Change to no to disable s/key passwords
87. #ChallengeResponseAuthentication yes
88. ChallengeResponseAuthentication no
90. # Kerberos options
91. #KerberosAuthentication no
92. #KerberosOrLocalPasswd yes
93. #KerberosTicketCleanup yes
94. #KerberosGetAFSToken no
95. #KerberosUseKuserok yes
97. # GSSAPI options
98. #GSSAPIAuthentication no
99. GSSAPIAuthentication yes
100. #GSSAPICleanupCredentials yes
101. GSSAPICleanupCredentials yes
102. #GSSAPIStrictAcceptorCheck yes
103. #GSSAPIKeyExchange no
105. # Set this to 'yes' to enable PAM authentication, account processing,
106. # and session processing. If this is enabled, PAM authentication will
107. # be allowed through the ChallengeResponseAuthentication and
108. # PasswordAuthentication. Depending on your PAM configuration,
109. # PAM authentication via ChallengeResponseAuthentication may bypass
110. # the setting of "PermitRootLogin without-password".
111. # If you just want the PAM account and session checks to run without
112. # PAM authentication, then enable this but set PasswordAuthentication
113. # and ChallengeResponseAuthentication to 'no'.
114. #UsePAM no
115. UsePAM yes
117. # Accept locale-related environment variables
118. AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
119. AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
120. AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
121. AcceptEnv XMODIFIERS
123. #AllowAgentForwarding yes
124. #AllowTcpForwarding yes
125. #GatewayPorts no
126. #X11Forwarding no
127. X11Forwarding yes
128. #X11DisplayOffset 10
129. #X11UseLocalhost yes
130. #PrintMotd yes #是否打印 /etc/motd 鏈接時顯示的信息
131. #PrintLastLog yes #是否顯示上次登錄信息
132. #TCPKeepAlive yes
133. #UseLogin no
134. #UsePrivilegeSeparation yes #是否容許低權限用戶產生新鏈接進程，no表示如何用戶都是用root權限運行ssh
135. #PermitUserEnvironment no
136. #Compression delayed
137. #ClientAliveInterval 0
138. #ClientAliveCountMax 3
139. #ShowPatchLevel no
140. #UseDNS yes #是否啓用DNS驗證，外網須要啓用
141. #PidFile /var/run/sshd.pid #存放服務進程ID
142. #MaxStartups 10:30:100
143. #PermitTunnel no
144. #ChrootDirectory none
146. # no default banner path
147. #Banner none
149. # override default of no subsystems
150. Subsystem sftp /usr/libexec/openssh/sftp-server
152. # Example of overriding settings on a per-user basis
153. #Match User anoncvs
154. # X11Forwarding no
155. # AllowTcpForwarding no
156. # ForceCommand cvs server

 

 

來自爲知筆記(Wiz)