WenJunjie Blog


SSH Tips


RSA/DSA keys and public keys

Generate a key [local]:

ssh-keygen -t rsa -b 2048  # press Enter at the prompts, or type a passphrase (the post used -t dsa, but OpenSSH only accepts 1024-bit DSA keys and has deprecated DSA, so RSA is used here)

ssh-keygen -t rsa -f ~/.ssh/jack
ssh-copy-id -i ~/.ssh/jack.pub user@server

Manual alternative to ssh-copy-id:

scp ~/.ssh/jack.pub user@server:/home/user/.ssh/jack.pub
ssh user@server "cat ~/.ssh/jack.pub >> ~/.ssh/authorized_keys"

ssh -i ~/.ssh/jack user@server  # -i takes the private key, not the .pub file

vim ~/.ssh/config

# server alias
Host server
    # ssh username
    User user
    # remote server address
    HostName server
    # remote server port
    Port 22
    # private key file (the key filename without .pub)
    IdentityFile ~/.ssh/jack

ssh server -v     # verbose, for debugging the connection
ssh server -vvv   # maximum verbosity

On the server:

chmod 600 ~/.ssh/authorized_keys
chmod 700 ~/.ssh/

Put the public key id_dsa.pub into remote-host:~/.ssh/authorized_keys [remote]:

cat id_dsa.pub >> .ssh/authorized_keys
chmod 600 .ssh/authorized_keys

ssh-agent (with ForwardAgent yes in the ssh config) [local]:

eval $(ssh-agent)
ssh-add  # enter the passphrase
echo 'eval $(ssh-agent)' >> ~/.bash_profile
echo 'ssh-add' >> ~/.bash_profile
eval $(ssh-agent -k)  # stop the agent

Caveat: while it runs, ssh-agent creates a socket file such as /tmp/ssh-sfisxD8489/agent.8489; anyone who can open that socket (root on the local host, or root on any host the agent is forwarded to) can sign with the loaded keys. To reuse an existing agent from another shell:

SSH_AUTH_SOCK=/tmp/ssh-sfisxD8489/agent.8489; export SSH_AUTH_SOCK; ssh-add -l

keychain [local], in .bash_profile (vim .bash_profile):

keychain id_dsa
. ~/.keychain/$HOSTNAME-sh

Man-in-the-middle attack

Jump host

client1 ----|                       |----- server1
            |---> B (jump host) --->|
client2 ----|                       |----- server2

Client -> jump host -> work machine. On the jump host:

ssh-keygen -p  # change the key's passphrase; it can be made empty, but for security the key should stay encrypted
echo 'eval $(keychain --eval id_dsa)' >> ~/.bash_profile
eval $(keychain --eval --agents ssh -Q --quiet id_ecdsa)

Security

chmod 400 ~/.ssh/authorized_keys
sudo chattr +i ~/.ssh/authorized_keys
sudo chattr +i ~/.ssh

On the work machine, restrict authorized_keys so the key can only log in from the jump host's IP (the from="..." key option; see man sshd). Also make authorized_keys on the work machine unmodifiable by the user:

chattr +i .ssh     # lock
chattr -i .ssh     # unlock when an update is needed
lsattr -aR         # inspect the attributes

vim /etc/ssh/sshd_config

PasswordAuthentication no
ChallengeResponseAuthentication no
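As an added example (not from the original post), a small shell helper that puts the two work-machine measures above into practice: it prefixes a public key with the from="jump host IP" restriction, installs it with the 700/600 permissions the post sets, and audits the result. JUMP_HOST_IP, the sample key and the function names are assumptions; GNU stat is assumed for the permission check.

```shell
#!/bin/sh
# Added example, not code from the original post.
JUMP_HOST_IP="203.0.113.10"   # assumed jump host address (documentation range)

# Constructed sample public key: a placeholder blob, not a usable key.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ-placeholder jack@client1'

# Prefix a public-key line with sshd(8) authorized_keys options so the key
# is only accepted from the jump host and cannot open forwarding channels.
# Usage: restrict_key "<pubkey line>" "<ip>"
restrict_key() {
    printf 'from="%s",no-agent-forwarding,no-port-forwarding,no-X11-forwarding %s\n' "$2" "$1"
}

# Write $HOME_DIR/.ssh/authorized_keys containing one restricted key, with
# the permissions the post requires (700 on .ssh, 600 on authorized_keys).
# Usage: install_keys "<home dir>" "<pubkey line>"
install_keys() {
    dir="$1/.ssh"
    mkdir -p "$dir" && chmod 700 "$dir"
    umask 077
    restrict_key "$2" "$JUMP_HOST_IP" > "$dir/authorized_keys"
    chmod 600 "$dir/authorized_keys"
}

# Return 0 only if .ssh is mode 700, authorized_keys is mode 600, and every
# key line carries a from= restriction (GNU stat -c assumed).
# Usage: audit_keys "<home dir>"
audit_keys() {
    dir="$1/.ssh"
    [ "$(stat -c '%a' "$dir")" = "700" ] || return 1
    [ "$(stat -c '%a' "$dir/authorized_keys")" = "600" ] || return 1
    # fail if any non-comment, non-blank line does not start with from=
    ! grep -v '^#' "$dir/authorized_keys" | grep -v '^[[:space:]]*$' | grep -qv '^from='
}
```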

Searching history with the up/down arrow keys

vi ~/.inputrc

"\e[A": history-search-backward
"\e[B": history-search-forward
set show-all-if-ambiguous on
set completion-ignore-case on

Ctrl+r: reverse-search the command line history.
