Copyright statement: This article is an original article by Shaon Puppet. Please indicate the original address for reprinting. Thank you very much. https://blog.csdn.net/wh211212/article/details/52932776
[1] Configure NTP service
1、 Install ntpd and configure ntp service
[ root@vdevops ~]# yum -y install ntp
# 18 Row:Add network segments that allow synchronization
restrict 10.1.1.0 mask 255.255.255.0 nomodify notrap<pre name="code"class="html">[root@vdevops ~]# <a target=_blank href="https://www.server-world.info/en/command/html/systemctl.html" style="color: #ffff00">systemctl</a> start ntpd
[ root@vdevops ~]# systemctl enable ntpd
2、 If Firewalld of the current system is running, you need to execute the following command
[ root@vdevops ~]# firewall-cmd --add-service=ntp --permanent
success
[ root@vdevops ~]# firewall-cmd --reload
success
3、 Confirm whether the ntp service is normal
[ root@vdevops ~]# ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================* time5.aliyun.co 10.137.38.862 u 92643630.1740.2360.524
4、 Synchronize aliyun's time server
[ root@linuxprobe ~]# ntpdate times.aliyun.com
26 Oct 11:51:30 ntpdate[2935]: step time server 120.25.115.19 offset 15075.743514 sec
[2] Configure SSH service
1、 Even if you installed CentOS using a "minimal installation", OpenSSH is already installed by default, so there is no need to install new packages. You can use password authentication to log in by default, but change some settings to be safe as follows:
[ root@vdevops ~]# vi /etc/ssh/sshd_config
# 48 Row:Uncomment and change yes to make(Prohibit root remote login)
PermitRootLogin no
# 77 Row:Uncomment
PermitEmptyPasswords no
PasswordAuthentication yes
[ root@vdevops ~]# systemctl restart sshd
2、 If Firewalld is running, you need to add the following strategy
[ root@vdevops ~]# firewall-cmd --add-service=ssh --permanent
success
[ root@vdevops ~]# firewall-cmd --reload
success
3、 ssh file transfer
Example of using SCP (secure copy)
yum -y install openssh-clients
Copy the local test file to the remote host, set the hosts file before using scp to ensure that each host contains the host IP and [domain name resolution] (https://cloud.tencent.com/product/cns?from=10680) of the other party, and correspond
[ root@vdevops ~]# scp test.txt [email protected]:/tmp
The authenticity of host 'linuxprobe.org (10.1.1.53)' can't be established.
ECDSA key fingerprint is d1:bd:3c:7f:68:71:79:44:4f:e5:2c:42:f1:06:49:14.
Are you sure you want to continueconnecting(yes/no)? yes
Warning: Permanently added 'linuxprobe.org,10.1.1.53'(ECDSA) to the list of known hosts.
[email protected]'s password:
test.txt
[ root@vdevops ~]# scp -P22 [email protected]:/tmp/test.txt ./
[email protected]'s password:
test.txt
4、 Use sftp to transfer files
# sftp [Option][user@host]Operating parameters
[ redhat@vdevops ~]$ sftp [email protected] #Connect to remote server
[email protected]'s password:# password of the user
Connected to linuxprobe.org
sftp>
# View the current directory of the remote server
sftp> pwd
Remote working directory:/home/wang
# View the current directory of the local server
sftp>!pwd
/home/redhat
# View the current directory file in the ftp server period
sftp> ls -l
drwxrwxr-x 2 wang wang 6 Jul 2921:33 public_html
- rw-rw-r--1 wang wang 10 Jul 2822:53 test.txt
# View files in the current directory of the local server
sftp>!ls -l
total 4-rw-rw-r--1 redhat redhat 10 Jul 2921:31 test.txt
sftp> cd public_html #Switch directory
sftp> pwd
Remote working directory:/home/wang/public_html
# Upload local files to remote server
sftp> put test.txt redhat.txt
Uploading test.txt to /home/wang/redhat.txt
test.txt 100%100.0KB/s 00:00
sftp> ls -l
drwxrwxr-x 2 wang wang 6 Jul 2921:33 public_html
- rw-rw-r--1 wang wang 10 Jul 2921:39 redhat.txt
- rw-rw-r--1 wang wang 10 Jul 2822:53 test.txt
sftp> put *.txt
Uploading test.txt to /home/wang/test.txt
test.txt 100%100.0KB/s 00:00
Uploading test2.txt to /home/wang/test2.txt
test2.txt 100%00.0KB/s 00:00
sftp> ls -l
drwxrwxr-x 2 wang wang 6 Jul 2921:33 public_html
- rw-rw-r--1 wang wang 10 Jul 2921:39 redhat.txt
- rw-rw-r--1 wang wang 10 Jul 2921:45 test.txt
- rw-rw-r--1 wang wang 10 Jul 2921:46 test2.txt
# Download a single file from the remote server
sftp>get test.txt
Fetching /home/wang/test.txt to test.txt
/home/wang/test.txt 100%100.0KB/s 00:00
# Download multiple files from the remote server
sftp>get*.txt
Fetching /home/wang/redhat.txt to redhat.txt
/home/wang/redhat.txt 100%100.0KB/s 00:00
Fetching /home/wang/test.txt to test.txt
/home/wang/test.txt 100%100.0KB/s 00:00
Fetching /home/wang/test2.txt to test2.txt
/home/wang/test2.txt 100%100.0KB/s 00:00
# create a directory on remote server
sftp> mkdir testdir
sftp> ls -l
drwxrwxr-x 2 wang wang 6 Jul 2921:33 public_html
- rw-rw-r--1 wang wang 10 Jul 2921:39 redhat.txt
- rw-rw-r--1 wang wang 10 Jul 2921:45 test.txt
- rw-rw-r--1 wang wang 10 Jul 2921:46 test2.txt
drwxrwxr-x 2 wang wang 6 Jul 2921:53 testdir
# Delete the directory on the remote server
sftp> rmdir testdir
rmdir ok, `testdir' removed
sftp> ls -l
drwxrwxr-x 2 wang wang 6 Jul 2921:33 public_html
- rw-rw-r--1 wang wang 10 Jul 2921:39 redhat.txt
- rw-rw-r--1 wang wang 10 Jul 2921:45 test.txt
- rw-rw-r--1 wang wang 10 Jul 2921:46 test2.txt
# Delete files on the remote service
sftp> rm test2.txt
Removing /home/wang/test2.txt
sftp> ls -l
drwxrwxr-x 2 wang wang 6 Jul 2921:33 public_html
- rw-rw-r--1 wang wang 10 Jul 2921:39 redhat.txt
- rw-rw-r--1 wang wang 10 Jul 2921:45 test.txt
# execute commands with"![command]"
sftp>!cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
......
redhat:x:1001:1001::/home/redhat:/bin/bash
# exit
sftp> quit #Exit the sftp connection
5、 SSH keys authentication
Create a key pair for each user, so log in as a normal user and work as shown below.
[ wang@vdevops ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key(/home/wang/.ssh/id_rsa):
Created directory '/home/wang/.ssh'.
Enter passphrase(empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in/home/wang/.ssh/id_rsa.
Your public key has been saved in/home/wang/.ssh/id_rsa.pub.
The key fingerprint is:
af:58:16:e9:f9:02:bc:95:5d:ec:4d:bd:6a:2b:39:06 [email protected]
The key's randomart image is:+--[ RSA 2048]----+|||||..||. o ..||. So o o .|| o.oE....||+= o ..||.+.o = o ||...o +..|+-----------------+[wang@vdevops ~]$ mv ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
[ wang@vdevops ~]$ chmod 600~/.ssh/authorized_keys
Two servers include vdevops.com as the server and linuxprobe.org as the client. The id_rsa file of the service is copied to the client. The user of the object on the client can log in to the server through the authentication file
[ wang@linuxprobe ~]$ ls -a
.... bash_logout .bash_profile .bashrc
[ wang@linuxprobe ~]$ mkdir ~/.ssh
[ wang@linuxprobe ~]$ chmod 700~/.ssh
[ wang@linuxprobe ~]$ scp [email protected]:/home/wang/.ssh/id_rsa ~/.ssh/
The authenticity of host 'vdevops.com (10.1.1.56)' can't be established.
ECDSA key fingerprint is f8:d2:55:54:8f:e8:43:e0:ee:aa:d6:8d:53:8c:8e:85.
Are you sure you want to continueconnecting(yes/no)? yes
Warning: Permanently added 'vdevops.com,10.1.1.56'(ECDSA) to the list of known hosts.
[email protected]'s password:
id_rsa 100%16791.6KB/s 00:00[wang@linuxprobe ~]$ ssh -i ~/.ssh/id_rsa [email protected]
Last login: Wed Oct 2615:39:182016 #login successful
6、 Set up SFTP and Chroot
Some users who apply this setting can only use SFTP to access, or access the specified and allowed directories.
For example, set Chroot directory /home
# Create a specific group for SFTP
[ root@vdevops ~]# groupadd sftp_users
# Add user wang to the sftp group
[ root@vdevops ~]# usermod -G sftp_users cent
[ root@vdevops ~]# vi /etc/ssh/sshd_config
# line 147:Uncomment and add a line
# Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
# Add the following lines below
Match Group sftp_users
X11Forwarding no
AllowTcpForwarding no
ChrootDirectory /home
ForceCommand internal-sftp
[ root@vdevops ~]# systemctl restart sshd #Restart the sshd service
6.2、 Test user login
[ root@linuxprobe ~]# ssh [email protected]
[email protected]'s password:
Could not chdir to home directory /home/wang: No such file or directory
This service allows sftp connections only.
Connection to 10.1.1.56 closed.[root@linuxprobe ~]# sftp [email protected]
[email protected]'s password:
Connected to 10.1.1.56.
sftp> ls -l
drwx------21000100059 Oct 2517:02 shaon
drwx------21002100359 Oct 262016 testuser
drwx------31001100190 Oct 2607:39 wang
sftp> pwd
Remote working directory:/
sftp> exit
7、 SSH port forwarding
For example, configure the forwarding settings to forward the local 8081 to the local 5901 (VNC).
# forward the connection to 8081 to 5901 on local
[ wang@linuxprobe ~]$ ssh -L 0.0.0.0:8081:localhost:5901 wang@localhost
wang@localhost's password: # the password of the working user(it means the login to local to local)
Last login: Thu Jul 1001:35:152014
# confirm
[ wang@linuxprobe ~]$ netstat -lnp | grep 8081(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 000.0.0.0:80810.0.0.0:* LISTEN 3238/ssh
# keep this session and go next
# it's possbile to start the process on background as a daemon with"-f" option but then it needs to kill it by hand after working.
8、 Use SSHPass to automatically enter password authentication passwords
This is very convenient, but there are security risks (password leakage), so be extra careful if you use it.
< div class="color2">#Install from EPEL source</div>[root@vdevops ~]# yum --enablerepo=epel -y install sshpass
# Use sshpass
[ root@vdevops ~]# sshpass -p fangbuxia..0 ssh 10.1.1.53 hostname
linuxprobe.org
[ root@vdevops ~]# echo "fangbuxia..0" sshpass.txt
fangbuxia..0 sshpass.txt
[ root@vdevops ~]# echo "fangbuxia..0"> sshpass.txt
[ root@vdevops ~]# chmod 600 sshpass.txt
[ root@vdevops ~]# sshpass -f sshpass.txt ssh 10.1.1.53 hostname
linuxprobe.org
[ root@vdevops ~]# export SSHPASS=fangbuxia..0[root@vdevops ~]# sshpass -e ssh 10.1.1.53 hostname
linuxprobe.org
9、 Use SSH-Agent to automatically enter the password for key pair authentication
9.1、 SSH key verification
Configure the SSH server to log in using key authentication. Create a private key for the client and a public key for the server.
Take vdevops.com as the server:
Create a key pair for each user, so log in as a normal user and work as follows:
[ wang@vdevops ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key(/home/wang/.ssh/id_rsa):/home/wang/.ssh/id_rsa already exists.Overwrite(y/n)? y
Enter passphrase(empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in/home/wang/.ssh/id_rsa.
Your public key has been saved in/home/wang/.ssh/id_rsa.pub.
The key fingerprint is:75:6c:9b:02:0a:00:78:3b:aa:6a:10:71:99:42:a7:62 [email protected]
The key's randomart image is:+--[ RSA 2048]----+|+o.+||+ B..||.E ....+||+ o .. o o o || o .. S . o ||o .||o ||..||+|+-----------------+[wang@vdevops ~]$ mv ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
[ wang@vdevops ~]$ chmod 600~/.ssh/authorized_keys
The key created on the server is transmitted to the client, and then the key authentication can be used to log in.
linuxprobe.org as the client:
[ wang@linuxprobe ~]$ mkdir ~/.ssh #Create the default path to store the key file, if it already exists, do not need to create it again
[ wang@linuxpeobe ~]$ mkdir 700~/.ssh
[ wang@linuxprobe ~]$ scp [email protected]:/home/wang/.ssh/id_rsa ~/.ssh/ #Copy the private key of the server
[email protected]'s password:
id_rsa 100%16751.6KB/s 00:00[wang@linuxprobe ~]$ ssh -i ~/.ssh/id_rsa [email protected] #Use the private key of the server to log in to the server
Last login: Thu Oct 2709:24:182016[wang@vdevops ~]$ #login successful
# Client creates public key file
[ wang@linuxprobe ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key(/home/wang/.ssh/id_rsa): y
Enter passphrase(empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in y.
Your public key has been saved in<span style="color:#FF6666;">y.pub</span>.
The key fingerprint is:
3 e:de:94:77:cc:11:8c:a5:df:38:30:63:32:25:a1:81 [email protected]
The key's randomart image is:+--[ RSA 2048]----+|.. o...|| E o o =||. o B o ||+=+|| S =.||.. o o || o o .+||.+..||..|+-----------------+
# Put y.Copy the pub to the server and add it to authorized_In the keys, you can log in to the client from the server without password
10、 Use parallel SSH
[1] Install pssh
# Install from EPEL source
[ root@vdevops ~]# yum --enablerepo=epel -y install pssh
[2] How to use PSSH.
Ensure that the key pair authentication is set up between the servers
# Connect to the server to execute commands
[ wang@vdevops ~]$ pssh -H "10.1.1.51 10.1.1.52"-i "hostname"[1]17:28:02[SUCCESS]10.1.1.51
node01.linuxprobe
[2]17:28:02[ SUCCESS]10.1.1.52
node02.linuxprobe
# it's possible to read host list fron a file
[ wang@vdevops ~]$ vi pssh_hosts.txt
# Custom host file, according to the following format
[email protected]
[email protected][wang@vdevops ~]$ pssh -h pssh_hosts.txt -i "uptime"[1]19:37:59[SUCCESS] [email protected]:37:59 up 1:35,0 users, load average:0.00,0.00,0.00[2]19:37:59[SUCCESS] [email protected]:37:59 up 1:35,0 users, load average:0.00,0.00,0.00[3]Password authentication can be used, but you need to ensure that the passwords of the same host account defined in the host file are the same
[ wang@vdevops ~]$ pssh -h pssh_hosts.txt -A -O PreferredAuthentications=password -i "uname -r"
Warning:do not enter your password if anyone else has superuser
privileges or access to your account.
Password: # input password
[1]12:54:06[ SUCCESS] [email protected]_64
[2]12:54:06[ SUCCESS] [email protected]_64<span id="transmark" style="display: none; width: 0px; height: 0px;"></span>
Recommended Posts