SSH,被称之为 Security Shell,是常见的用于连接服务端终端的工具.虽然它的名字中包含shell,但是它并不是通常意义上所说的bash/ksh这种shell,而只是提供从客户端到服务端的通道,并对通道中传输的数据做自动加密解密.这个通道,不仅限于登录shell,也可以用于文件传送,远程命令执行等等功能.
SSH是基于C/S架构,服务端上有个sshd之类的守护程序,客户端是ssh或者scp等进程.
关于SSH的一些术语:

SSH:SSH协议和产品的通称
SSH-1:SSH协议v1版本,常用的有SSH-1.3和SSH-1.5两个版本
SSH-2:SSH协议的V2版本,在RFC4250-4254中定义.
ssh1:最原始的实现SSH-1的免费软件
ssh2:实现SSH-2的商业软件
OpenSSH:实现SSH-1和SSH-2的开源软件.

我们现在一般都用OpenSSH.以CentOS上的OpenSSH为例.

我们的环境如下:

实验环境

两台机器(容器) ssh_server(172.17.0.2),ssh_client(172.17.0.3)

SSH服务端的简单安装与配置

在CentOS上,有如下OpenSSH安装包:

  1. [root@ssh_server /]# yum search OpenSSH
  2. Loaded plugins: fastestmirror, ovl
  3. Loading mirror speeds from cached hostfile
  4.  * base: mirrors.zju.edu.cn
  5.  * extras: mirrors.sohu.com
  6.  * updates: mirrors.sohu.com
  7. ============================================================== N/S matched: OpenSSH ==============================================================
  8. openssh-askpass.x86_64 : A passphrase dialog for OpenSSH and X
  9. openssh-keycat.x86_64 : A mls keycat backend for openssh
  10. openssh-server-sysvinit.x86_64 : The SysV initscript to manage the OpenSSH server.
  11. openssh.x86_64 : An open source implementation of SSH protocol versions 1 and 2
  12. openssh-cavs.x86_64 : CAVS tests for FIPS validation
  13. openssh-clients.x86_64 : An open source SSH client applications
  14. openssh-ldap.x86_64 : A LDAP support for open source SSH server daemon
  15. openssh-server.x86_64 : An open source SSH server daemon
  17.   Name and summary matches only, use "search all" for everything.

其中openssh-server.x86_64是服务端软件,openssh.x86_64是客户端软件.
我们可以通过yum install openssh-server.x86_64,安装OpenSSH的服务端:

  1. [root@ssh_server /]# yum install openssh-server.x86_64
  2. Loaded plugins: fastestmirror, ovl
  3. Loading mirror speeds from cached hostfile
  4.  * base: mirrors.zju.edu.cn
  5.  * extras: mirrors.sohu.com
  6.  * updates: mirrors.sohu.com
  7. Resolving Dependencies
  8. --> Running transaction check
  9. ---> Package openssh-server.x86_64 0:7.4p1-13.el7_4 will be installed
  10. --> Processing Dependency: openssh = 7.4p1-13.el7_4 for package: openssh-server-7.4p1-13.el7_4.x86_64
  11. --> Processing Dependency: fipscheck-lib(x86-64) >= 1.3.0 for package: openssh-server-7.4p1-13.el7_4.x86_64
  12. --> Processing Dependency: libwrap.so.0()(64bit) for package: openssh-server-7.4p1-13.el7_4.x86_64
  13. --> Processing Dependency: libfipscheck.so.1()(64bit) for package: openssh-server-7.4p1-13.el7_4.x86_64
  14. --> Running transaction check
  15. ---> Package fipscheck-lib.x86_64 0:1.4.1-6.el7 will be installed
  16. --> Processing Dependency: /usr/bin/fipscheck for package: fipscheck-lib-1.4.1-6.el7.x86_64
  17. ---> Package openssh.x86_64 0:7.4p1-13.el7_4 will be installed
  18. ---> Package tcp_wrappers-libs.x86_64 0:7.6-77.el7 will be installed
  19. --> Running transaction check
  20. ---> Package fipscheck.x86_64 0:1.4.1-6.el7 will be installed
  21. --> Finished Dependency Resolution
  23. Dependencies Resolved
  25. ==================================================================================================================================================
  26.  Package                                 Arch                         Version                                 Repository                     Size
  27. ==================================================================================================================================================
  28. Installing:
  29.  openssh-server                          x86_64                       7.4p1-13.el7_4                          updates                       458 k
  30. Installing for dependencies:
  31.  fipscheck                               x86_64                       1.4.1-6.el7                             base                           21 k
  32.  fipscheck-lib                           x86_64                       1.4.1-6.el7                             base                           11 k
  33.  openssh                                 x86_64                       7.4p1-13.el7_4                          updates                       509 k
  34.  tcp_wrappers-libs                       x86_64                       7.6-77.el7                              base                           66 k
  36. Transaction Summary
  37. ==================================================================================================================================================
  38. Install  1 Package (+4 Dependent packages)
  40. Total download size: 1.0 M
  41. Installed size: 3.0 M
  42. Is this ok [y/d/N]: y
  43. Downloading packages:
  44. (1/5): fipscheck-lib-1.4.1-6.el7.x86_64.rpm                                                                                |  11 kB  00:00:00     
  45. (2/5): fipscheck-1.4.1-6.el7.x86_64.rpm                                                                                    |  21 kB  00:00:00     
  46. (3/5): tcp_wrappers-libs-7.6-77.el7.x86_64.rpm                                                                             |  66 kB  00:00:00     
  47. (4/5): openssh-server-7.4p1-13.el7_4.x86_64.rpm                                                                            | 458 kB  00:00:00     
  48. (5/5): openssh-7.4p1-13.el7_4.x86_64.rpm                                                                                   | 509 kB  00:00:01     
  49. --------------------------------------------------------------------------------------------------------------------------------------------------
  50. Total                                                                                                             575 kB/s | 1.0 MB  00:00:01     
  51. Running transaction check
  52. Running transaction test
  53. Transaction test succeeded
  54. Running transaction
  55.   Installing : fipscheck-lib-1.4.1-6.el7.x86_64                                                                                               1/5 
  56.   Installing : fipscheck-1.4.1-6.el7.x86_64                                                                                                   2/5 
  57.   Installing : openssh-7.4p1-13.el7_4.x86_64                                                                                                  3/5 
  58.   Installing : tcp_wrappers-libs-7.6-77.el7.x86_64                                                                                            4/5 
  59.   Installing : openssh-server-7.4p1-13.el7_4.x86_64                                                                                           5/5 
  60.   Verifying  : openssh-7.4p1-13.el7_4.x86_64                                                                                                  1/5 
  61.   Verifying  : openssh-server-7.4p1-13.el7_4.x86_64                                                                                           2/5 
  62.   Verifying  : fipscheck-1.4.1-6.el7.x86_64                                                                                                   3/5 
  63.   Verifying  : fipscheck-lib-1.4.1-6.el7.x86_64                                                                                               4/5 
  64.   Verifying  : tcp_wrappers-libs-7.6-77.el7.x86_64                                                                                            5/5 
  66. Installed:
  67.   openssh-server.x86_64 0:7.4p1-13.el7_4                                                                                                          
  69. Dependency Installed:
  70.   fipscheck.x86_64 0:1.4.1-6.el7   fipscheck-lib.x86_64 0:1.4.1-6.el7   openssh.x86_64 0:7.4p1-13.el7_4   tcp_wrappers-libs.x86_64 0:7.6-77.el7  
  72. Complete!

在正常的系统上,安装完成ssh的服务端之后,会自动启动对应的sshd服务.在这个实验环境中,我们是在docker里安装OpenSSH服务端,所以需要手工启动sshd进程.

  1. [root@ssh_server /]# netstat -an|grep 22
  2. [root@ssh_server /]# which sshd
  3. /usr/sbin/sshd
  4. [root@ssh_server /]# ps -ef
  5. UID        PID  PPID  C STIME TTY          TIME CMD
  6. root         1     0  0 13:39 pts/0    00:00:00 bash
  7. root       112     1  0 14:00 pts/0    00:00:00 ps -ef
  8. [root@ssh_server /]# nohup /usr/sbin/sshd &
  9. [1] 113
  10. [root@ssh_server /]# nohup: ignoring input and appending output to 'nohup.out'
  12. [1]+  Exit 1                  nohup /usr/sbin/sshd
  13. [root@ssh_server /]# 
  14. [root@ssh_server /]# 
  15. [root@ssh_server /]# cat nohup.out 
  16. Could not load host key: /etc/ssh/ssh_host_rsa_key
  17. Could not load host key: /etc/ssh/ssh_host_ecdsa_key
  18. Could not load host key: /etc/ssh/ssh_host_ed25519_key
  19. sshd: no hostkeys available -- exiting.
  20. [root@ssh_server /]#

启动后直接就退出了,检查日志,发现是ssh_host_rsa_key等信息没有.如果是Ubuntu机器,可以运行sudo dpkg-reconfigure openssh-server重新配置服务端进程.这里是Centos机器,可以用手工方式生成key:

  1. [root@ssh_server /]# ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
  2. Generating public/private rsa key pair.
  3. Enter passphrase (empty for no passphrase): 
  4. Enter same passphrase again: 
  5. Your identification has been saved in /etc/ssh/ssh_host_rsa_key.
  6. Your public key has been saved in /etc/ssh/ssh_host_rsa_key.pub.
  7. The key fingerprint is:
  8. SHA256:JbIBOaAsOXr381yZX/nnGOpQIGIO07ZkrY6RsF4xj10 root@ssh_server
  9. The key's randomart image is:
  10. +---[RSA 2048]----+
  11. |  ....           |
  12. |.o  oo .         |
  13. |=.. =.X E o      |
  14. |o. o / O + .     |
  15. |. o * B S   .    |
  16. | o o =     +   . |
  17. |  . . +   =   +  |
  18. |       + . o o +.|
  19. |        o  .+ ..+|
  20. +----[SHA256]-----+
  21. [root@ssh_server /]# ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key
  22. Generating public/private dsa key pair.
  23. Enter passphrase (empty for no passphrase): 
  24. Enter same passphrase again: 
  25. Your identification has been saved in /etc/ssh/ssh_host_dsa_key.
  26. Your public key has been saved in /etc/ssh/ssh_host_dsa_key.pub.
  27. The key fingerprint is:
  28. SHA256:++14EgJDu2znUN0AnAp/fj38ZzgyvtB/rMxKC15+Ymc root@ssh_server
  29. The key's randomart image is:
  30. +---[DSA 1024]----+
  31. |       ..o       |
  32. |    . . o .      |
  33. |     + o . o     |
  34. |      * o . .    |
  35. |     . BS  o     |
  36. |      = +.o.+    |
  37. |     . +.oo.+o o |
  38. |        .o.O*=E =|
  39. |          +*OX=* |
  40. +----[SHA256]-----+
  41. [root@ssh_server /]# ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key 
  42. Generating public/private ecdsa key pair.
  43. Enter passphrase (empty for no passphrase): 
  44. Enter same passphrase again: 
  45. Your identification has been saved in /etc/ssh/ssh_host_ecdsa_key.
  46. Your public key has been saved in /etc/ssh/ssh_host_ecdsa_key.pub.
  47. The key fingerprint is:
  48. SHA256:xRaqsG/D2EFWfKbv6Ke8ImjHXBpo3jZ3N1Xp0NVhJLg root@ssh_server
  49. The key's randomart image is:
  50. +---[ECDSA 256]---+
  51. |       .. . ...+o|
  52. |       ..ooo  o o|
  53. |    . o .++ .. o |
  54. |     = ..o E. +  |
  55. |   .. o S.   +   |
  56. |  o .=..  . . .  |
  57. | o =.+*  o .     |
  58. |  + X.ooo =      |
  59. | . o + +== .     |
  60. +----[SHA256]-----+

再次执行sshd进程:

  1. [root@ssh_server /]# >nohup.out 
  2. [root@ssh_server /]# nohup /usr/sbin/sshd &
  3. [1] 118
  4. [root@ssh_server /]# nohup: ignoring input and appending output to 'nohup.out'
  6. [1]+  Done                    nohup /usr/sbin/sshd
  7. [root@ssh_server /]# ps -ef|grep sshd
  8. root       119     1  0 23:28 ?        00:00:00 /usr/sbin/sshd
  9. root       121     1  0 23:29 pts/0    00:00:00 grep --color=auto sshd
  10. [root@ssh_server /]# netstat -an|grep 22
  11. tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
  12. tcp6       0      0 :::22                   :::*                    LISTEN     
  13. [root@ssh_server /]#

从上面的执行过程和结果可以看出,命令成功执行,我们尝试从客户端连接ssh服务端.
首先,修改下root的密码,以方便通过用户名/密码登录(这个容器启动后默认密码未知):

  1. [root@ssh_server /]# passwd 
  2. Changing password for user root.
  3. New password: 
  4. BAD PASSWORD: The password fails the dictionary check - it is too simplistic/systematic
  5. Retype new password: 
  6. passwd: all authentication tokens updated successfully.
  7. [root@ssh_server /]#

—-待续