CentOS 7 set up NTP, SSH service

   Copyright statement: This article is an original article by Shaon Puppet. Please indicate the original address for reprinting. Thank you very much. https://blog.csdn.net/wh211212/article/details/52932776

[1] Configure NTP service

1、 Install ntpd and configure ntp service

[root@vdevops ~]# yum -y install ntp
# Line 18 of /etc/ntp.conf: add the network range that is allowed to synchronize
restrict 10.1.1.0 mask 255.255.255.0 nomodify notrap
[root@vdevops ~]# systemctl start ntpd
[root@vdevops ~]# systemctl enable ntpd


2、 If firewalld is running on the system, allow the NTP service with the following commands

[root@vdevops ~]# firewall-cmd --add-service=ntp --permanent
success
[root@vdevops ~]# firewall-cmd --reload
success

3、 Confirm that the ntp service is working

[root@vdevops ~]# ntpq -p
  remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*time5.aliyun.co 10.137.38.86     2 u   92643630.174   0.236   0.524

4、 Synchronize with Aliyun's time server

[root@linuxprobe ~]# ntpdate times.aliyun.com
26 Oct 11:51:30 ntpdate[2935]: step time server 120.25.115.19 offset 15075.743514 sec

[2] Configure SSH service

1、 Even if you installed CentOS using a "minimal installation", OpenSSH is already installed by default, so there is no need to install new packages. You can use password authentication to log in by default, but change some settings to be safe as follows:

[root@vdevops ~]# vi /etc/ssh/sshd_config
# Line 48: uncomment and change yes to no (prohibit remote root login)
PermitRootLogin no

# Line 77: uncomment
PermitEmptyPasswords no
PasswordAuthentication yes
[root@vdevops ~]# systemctl restart sshd
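
To confirm that sshd actually applies these values, its effective configuration can be dumped with `sshd -T` (as root) and compared with what was intended. The function below is an added example, not part of the original article; the names audit_sshd and sample_sshd_T and the sample output are constructed for illustration.

```shell
#!/bin/bash
# Added example, not from the original article.
# audit_sshd compares `sshd -T` output (stdin) with keyword=value arguments.
# Keywords are lowercase, as sshd -T prints them. One line is printed per
# deviation and the function returns 1 if there is any.
audit_sshd() {
    awk -v spec="$*" '
        BEGIN {
            n = split(spec, pairs, " ")
            for (i = 1; i <= n; i++) {
                split(pairs[i], kv, "=")
                want[kv[1]] = kv[2]
            }
        }
        ($1 in want) {
            seen[$1] = 1
            if ($2 != want[$1]) {
                printf "MISMATCH %s: got %s, want %s\n", $1, $2, want[$1]
                bad = 1
            }
        }
        END {
            for (k in want)
                if (!(k in seen)) { printf "MISSING %s\n", k; bad = 1 }
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample of `sshd -T` output in which root login is still allowed.
sample_sshd_T() {
    printf '%s\n' 'port 22' 'permitrootlogin yes' \
        'permitemptypasswords no' 'passwordauthentication yes'
}

# Check the three settings chosen in this section against the sample.
sample_sshd_T | audit_sshd permitrootlogin=no permitemptypasswords=no \
    passwordauthentication=yes || echo "effective sshd settings differ"
# On a real host, as root: sshd -T | audit_sshd permitrootlogin=no ...
```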

2、 If firewalld is running, add the following rule

[root@vdevops ~]# firewall-cmd --add-service=ssh --permanent
success
[root@vdevops ~]# firewall-cmd --reload
success

3、 ssh file transfer

Example of using SCP (secure copy)

yum -y install openssh-clients

Copy the local test file to the remote host. Before using scp, set up the hosts file so that each host has the other host's IP address and the corresponding domain name.

[root@vdevops ~]# scp test.txt [email protected]:/tmp
The authenticity of host 'linuxprobe.org (10.1.1.53)' can't be established.
ECDSA key fingerprint is d1:bd:3c:7f:68:71:79:44:4f:e5:2c:42:f1:06:49:14.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'linuxprobe.org,10.1.1.53' (ECDSA) to the list of known hosts.
[email protected]'s password: 
test.txt 
[root@vdevops ~]# scp -P22 [email protected]:/tmp/test.txt ./
[email protected]'s password: 
test.txt

4、 Use sftp to transfer files

# Syntax: sftp [options] [user@host]

[redhat@vdevops ~]$ sftp [email protected]          # connect to the remote server
[email protected]'s password:                       # password of the user
Connected to linuxprobe.org
sftp>
# Show the current directory on the remote server
sftp> pwd
Remote working directory: /home/wang
# Show the current directory on the local machine
sftp> !pwd
/home/redhat
# List the files in the current directory on the remote server
sftp> ls -l
drwxrwxr-x    2 wang     wang            6 Jul 29 21:33 public_html
-rw-rw-r--    1 wang     wang           10 Jul 28 22:53 test.txt
# List the files in the current directory on the local machine
sftp> !ls -l
total 4
-rw-rw-r-- 1 redhat redhat 10 Jul 29 21:31 test.txt
sftp> cd public_html                # change directory
sftp> pwd
Remote working directory: /home/wang/public_html
# Upload a local file to the remote server
sftp> put test.txt redhat.txt
Uploading test.txt to /home/wang/redhat.txt
test.txt                                   100%   10     0.0KB/s   00:00
sftp> ls -l
drwxrwxr-x    2 wang     wang            6 Jul 29 21:33 public_html
-rw-rw-r--    1 wang     wang           10 Jul 29 21:39 redhat.txt
-rw-rw-r--    1 wang     wang           10 Jul 28 22:53 test.txt
sftp> put *.txt
Uploading test.txt to /home/wang/test.txt
test.txt                                   100%   10     0.0KB/s   00:00
Uploading test2.txt to /home/wang/test2.txt
test2.txt                                  100%    0     0.0KB/s   00:00
sftp> ls -l
drwxrwxr-x    2 wang     wang            6 Jul 29 21:33 public_html
-rw-rw-r--    1 wang     wang           10 Jul 29 21:39 redhat.txt
-rw-rw-r--    1 wang     wang           10 Jul 29 21:45 test.txt
-rw-rw-r--    1 wang     wang           10 Jul 29 21:46 test2.txt
# Download a single file from the remote server
sftp> get test.txt
Fetching /home/wang/test.txt to test.txt
/home/wang/test.txt                        100%   10     0.0KB/s   00:00
# Download multiple files from the remote server
sftp> get *.txt
Fetching /home/wang/redhat.txt to redhat.txt
/home/wang/redhat.txt                      100%   10     0.0KB/s   00:00
Fetching /home/wang/test.txt to test.txt
/home/wang/test.txt                        100%   10     0.0KB/s   00:00
Fetching /home/wang/test2.txt to test2.txt
/home/wang/test2.txt                       100%   10     0.0KB/s   00:00
# Create a directory on the remote server
sftp> mkdir testdir
sftp> ls -l
drwxrwxr-x    2 wang     wang            6 Jul 29 21:33 public_html
-rw-rw-r--    1 wang     wang           10 Jul 29 21:39 redhat.txt
-rw-rw-r--    1 wang     wang           10 Jul 29 21:45 test.txt
-rw-rw-r--    1 wang     wang           10 Jul 29 21:46 test2.txt
drwxrwxr-x    2 wang     wang            6 Jul 29 21:53 testdir
# Delete the directory on the remote server
sftp> rmdir testdir
rmdir ok, `testdir' removed
sftp> ls -l
drwxrwxr-x    2 wang     wang            6 Jul 29 21:33 public_html
-rw-rw-r--    1 wang     wang           10 Jul 29 21:39 redhat.txt
-rw-rw-r--    1 wang     wang           10 Jul 29 21:45 test.txt
-rw-rw-r--    1 wang     wang           10 Jul 29 21:46 test2.txt
# Delete a file on the remote server
sftp> rm test2.txt
Removing /home/wang/test2.txt
sftp> ls -l
drwxrwxr-x    2 wang     wang            6 Jul 29 21:33 public_html
-rw-rw-r--    1 wang     wang           10 Jul 29 21:39 redhat.txt
-rw-rw-r--    1 wang     wang           10 Jul 29 21:45 test.txt
# Run local commands with "![command]"
sftp> !cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
......
redhat:x:1001:1001::/home/redhat:/bin/bash
# Exit
sftp> quit  # close the sftp connection

5、 SSH keys authentication

Create a key pair for each user, so log in as a normal user and work as shown below.

[wang@vdevops ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/wang/.ssh/id_rsa): 
Created directory '/home/wang/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/wang/.ssh/id_rsa.
Your public key has been saved in /home/wang/.ssh/id_rsa.pub.
The key fingerprint is:
af:58:16:e9:f9:02:bc:95:5d:ec:4d:bd:6a:2b:39:06 [email protected]
The key's randomart image is:
(RSA 2048 randomart image omitted)
[wang@vdevops ~]$ mv ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
[wang@vdevops ~]$ chmod 600 ~/.ssh/authorized_keys

Two hosts are involved: vdevops.com as the server and linuxprobe.org as the client. The server's id_rsa file is copied to the client, and the corresponding user on the client can then log in to the server with that key file.

On linuxprobe.org

[wang@linuxprobe ~]$ ls -a
.  ..  .bash_logout  .bash_profile  .bashrc
[wang@linuxprobe ~]$ mkdir ~/.ssh
[wang@linuxprobe ~]$ chmod 700 ~/.ssh
[wang@linuxprobe ~]$ scp [email protected]:/home/wang/.ssh/id_rsa ~/.ssh/
The authenticity of host 'vdevops.com (10.1.1.56)' can't be established.
ECDSA key fingerprint is f8:d2:55:54:8f:e8:43:e0:ee:aa:d6:8d:53:8c:8e:85.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'vdevops.com,10.1.1.56' (ECDSA) to the list of known hosts.
[email protected]'s password: 
id_rsa                                     100% 1679     1.6KB/s   00:00
[wang@linuxprobe ~]$ ssh -i ~/.ssh/id_rsa [email protected]
Last login: Wed Oct 26 15:39:18 2016                   # login successful

If you want to log in to the remote server more securely, you can set PasswordAuthentication=no and restart the sshd service, so that when you log in to the remote server locally, you need not only password verification, but also key file verification.

6、 Set up SFTP and Chroot

Users to whom this setting is applied can connect only over SFTP and can access only the specified, allowed directory.

For example, set /home as the chroot directory.

# Create a dedicated group for SFTP
[root@vdevops ~]# groupadd sftp_users

# Add user wang to the SFTP group

[root@vdevops ~]# usermod -G sftp_users wang

[root@vdevops ~]# vi /etc/ssh/sshd_config
# Line 147: comment out the existing line and add the one below it
# Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
# Add the following lines at the end
Match Group sftp_users
 X11Forwarding no
 AllowTcpForwarding no
 ChrootDirectory /home
 ForceCommand internal-sftp
[root@vdevops ~]# systemctl restart sshd    # restart the sshd service

6.2、 Test user login

[root@linuxprobe ~]# ssh [email protected]
[email protected]'s password: 
Could not chdir to home directory /home/wang: No such file or directory
This service allows sftp connections only.
Connection to 10.1.1.56 closed.
[root@linuxprobe ~]# sftp [email protected]
[email protected]'s password: 
Connected to 10.1.1.56.
sftp> ls -l
drwx------    2 1000     1000           59 Oct 25 17:02 shaon
drwx------    2 1002     1003           59 Oct 26  2016 testuser
drwx------    3 1001     1001           90 Oct 26 07:39 wang
sftp> pwd
Remote working directory: /
sftp> exit
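
sshd only honours ChrootDirectory when the directory and every parent directory are owned by root and not writable by group or others; /home normally meets this, while a user-owned home directory does not. The check below is an added example, not part of the original article; the function name check_chroot_path and its OWNER_UID parameter are assumptions made for illustration.

```shell
#!/bin/bash
# Added example, not from the original article.
# check_chroot_path DIR [OWNER_UID]
# sshd accepts a ChrootDirectory only if DIR and every parent up to / is a
# directory owned by root and not writable by group or others. Each component
# that breaks the rule is printed; the function returns 1 if any does.
# OWNER_UID (default 0) is there so the check can be tried without root.
check_chroot_path() {
    path=$1
    owner_uid=${2:-0}
    rc=0
    case $path in
        /*) ;;
        *) echo "absolute path required: $path" >&2; return 2 ;;
    esac
    while :; do
        if [ ! -d "$path" ]; then
            echo "NOT A DIRECTORY: $path"; rc=1
        else
            # ls -ldn: field 1 is the mode string, field 3 the numeric owner.
            info=$(ls -ldn "$path" | awk '{ print $1, $3 }')
            mode=${info% *}
            uid=${info#* }
            if [ "$uid" != "$owner_uid" ]; then
                echo "BAD OWNER (uid $uid): $path"; rc=1
            fi
            # Position 6 is group write, position 9 is other write.
            case $mode in
                ?????w*|????????w*)
                    echo "GROUP/OTHER WRITABLE ($mode): $path"; rc=1 ;;
            esac
        fi
        [ "$path" = "/" ] && break
        path=$(dirname "$path")
    done
    return $rc
}

# /home is the directory this article chroots to.
check_chroot_path /home || echo "sshd would reject this ChrootDirectory"
```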

7、 SSH port forwarding

For example, configure the forwarding settings to forward the local 8081 to the local 5901 (VNC).

# Forward connections to local port 8081 to local port 5901
# The 0.0.0.0 bind address makes port 8081 reachable from other hosts; without a bind address ssh listens on loopback only
[wang@linuxprobe ~]$ ssh -L 0.0.0.0:8081:localhost:5901 wang@localhost
wang@localhost's password:   # password of the working user (this is a login from the local host to the local host)
Last login: Thu Jul 10 01:35:15 2014
# Confirm
[wang@linuxprobe ~]$ netstat -lnp | grep 8081
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 0.0.0.0:8081            0.0.0.0:*               LISTEN      3238/ssh
# Keep this session open and continue
# It is possible to start the process in the background as a daemon with the "-f" option, but then it has to be killed by hand afterwards.

Then connect to the VNC server through port 8081

8、 Use sshpass to enter the password for password authentication automatically

This is very convenient, but there are security risks (password leakage), so be extra careful if you use it.

# Install from the EPEL repository
[root@vdevops ~]# yum --enablerepo=epel -y install sshpass
# Use sshpass
# -p: password given on the command line
[root@vdevops ~]# sshpass -p fangbuxia..0 ssh 10.1.1.53 hostname
linuxprobe.org
[root@vdevops ~]# echo "fangbuxia..0" sshpass.txt
fangbuxia..0 sshpass.txt
# -f: password read from a file
[root@vdevops ~]# echo "fangbuxia..0" > sshpass.txt
[root@vdevops ~]# chmod 600 sshpass.txt
[root@vdevops ~]# sshpass -f sshpass.txt ssh 10.1.1.53 hostname
linuxprobe.org
# -e: password read from the SSHPASS environment variable
[root@vdevops ~]# export SSHPASS=fangbuxia..0
[root@vdevops ~]# sshpass -e ssh 10.1.1.53 hostname
linuxprobe.org

9、 Use SSH-Agent to automatically enter the password for key pair authentication

9.1、 SSH key verification

Configure the SSH server to log in using key authentication. Create a private key for the client and a public key for the server.

Take vdevops.com as the server:

Create a key pair for each user, so log in as a normal user and work as follows:

[wang@vdevops ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/wang/.ssh/id_rsa): 
/home/wang/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/wang/.ssh/id_rsa.
Your public key has been saved in /home/wang/.ssh/id_rsa.pub.
The key fingerprint is:
75:6c:9b:02:0a:00:78:3b:aa:6a:10:71:99:42:a7:62 [email protected]
The key's randomart image is:
(RSA 2048 randomart image omitted)
[wang@vdevops ~]$ mv ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
[wang@vdevops ~]$ chmod 600 ~/.ssh/authorized_keys

The key created on the server is transmitted to the client, and then the key authentication can be used to log in.

linuxprobe.org as the client:

[wang@linuxprobe ~]$ mkdir ~/.ssh              # create the default directory for key files; skip this if it already exists
[wang@linuxprobe ~]$ chmod 700 ~/.ssh
[wang@linuxprobe ~]$ scp [email protected]:/home/wang/.ssh/id_rsa ~/.ssh/   # copy the private key of the server
[email protected]'s password: 
id_rsa                                     100% 1675     1.6KB/s   00:00
[wang@linuxprobe ~]$ ssh -i ~/.ssh/id_rsa [email protected]                 # use the private key of the server to log in to the server
Last login: Thu Oct 27 09:24:18 2016
[wang@vdevops ~]$   # login successful
# The client creates a public key file
[wang@linuxprobe ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/wang/.ssh/id_rsa): y
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in y.
Your public key has been saved in y.pub.
The key fingerprint is:
3e:de:94:77:cc:11:8c:a5:df:38:30:63:32:25:a1:81 [email protected]
The key's randomart image is:
(RSA 2048 randomart image omitted)

# Copy y.pub to the server and add it to authorized_keys; you can then log in to the client from the server without a password
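
In steps 5 and 9.1 the mv command replaces authorized_keys, so any keys already authorized for the account are lost; adding y.pub, as the last step describes, calls for an append instead. The function below is an added example, not part of the original article: install_pubkey is a hypothetical helper and both keys in the demonstration are constructed values.

```shell
#!/bin/bash
# Added example, not from the original article.
# install_pubkey PUBKEY_FILE [HOME_DIR]
# Appends one public key to HOME_DIR/.ssh/authorized_keys, keeps the keys
# that are already authorized, and sets the modes used in this article.
install_pubkey() {
    pubkey_file=$1
    home_dir=${2:-$HOME}
    ssh_dir=$home_dir/.ssh
    auth=$ssh_dir/authorized_keys

    # A private key must never end up in authorized_keys.
    if grep -q 'PRIVATE KEY' "$pubkey_file"; then
        echo "refusing: $pubkey_file contains a private key" >&2
        return 2
    fi
    # "type base64" identifies the key; the trailing comment is ignored.
    key=$(awk 'NF >= 2 && $1 !~ /^#/ { print $1, $2; exit }' "$pubkey_file")
    [ -n "$key" ] || { echo "no public key in $pubkey_file" >&2; return 2; }

    ( umask 077; mkdir -p "$ssh_dir"; touch "$auth" )
    chmod 700 "$ssh_dir"
    chmod 600 "$auth"

    # Already authorized (possibly behind an options prefix): nothing to do.
    grep -qF -- "$key" "$auth" && return 0
    # Terminate the last existing line before appending.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        echo >> "$auth"
    fi
    awk 'NF >= 2 && $1 !~ /^#/ { print; exit }' "$pubkey_file" >> "$auth"
}

# Demonstration in a scratch directory; both keys are constructed values.
demo_home=$(mktemp -d)
mkdir "$demo_home/.ssh"
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTED0 existing' \
    > "$demo_home/.ssh/authorized_keys"
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTED1 wang@linuxprobe\n' \
    > "$demo_home/y.pub"
install_pubkey "$demo_home/y.pub" "$demo_home"
install_pubkey "$demo_home/y.pub" "$demo_home"   # second call adds nothing
echo "authorized keys: $(wc -l < "$demo_home/.ssh/authorized_keys")"
rm -rf "$demo_home"
```

OpenSSH's ssh-copy-id performs the same append over an SSH connection, so only the .pub file ever leaves the machine where the key pair was generated.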

10、 Use parallel SSH

[1] Install pssh
# Install from the EPEL repository
[root@vdevops ~]# yum --enablerepo=epel -y install pssh
[2] How to use pssh.
Make sure that key pair authentication is set up between the servers.
# Connect to the servers and execute a command
[wang@vdevops ~]$ pssh -H "10.1.1.51 10.1.1.52" -i "hostname"
[1] 17:28:02 [SUCCESS] 10.1.1.51
node01.linuxprobe
[2] 17:28:02 [SUCCESS] 10.1.1.52
node02.linuxprobe
# It is possible to read the host list from a file

[wang@vdevops ~]$ vi pssh_hosts.txt
# Custom host file, in the following format
[email protected]
[email protected]
[wang@vdevops ~]$ pssh -h pssh_hosts.txt -i "uptime"
[1] 19:37:59 [SUCCESS] [email protected]:37:59 up  1:35,  0 users,  load average: 0.00, 0.00, 0.00
[2] 19:37:59 [SUCCESS] [email protected]:37:59 up  1:35,  0 users,  load average: 0.00, 0.00, 0.00
[3] Password authentication can be used, but you need to ensure that the passwords of the same host account defined in the host file are the same
[wang@vdevops ~]$ pssh -h pssh_hosts.txt -A -O PreferredAuthentications=password -i "uname -r"
Warning: do not enter your password if anyone else has superuser
privileges or access to your account.
Password: # input password

[1] 12:54:06 [SUCCESS] [email protected]_64
[2] 12:54:06 [SUCCESS] [email protected]_64

Summary: When configuring related services on CentOS, it is recommended to consult a few more articles to get a general understanding of the principle of the service.
