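Linux ssh Command: How It Works in Detail
The Linux ssh command
SSH is short for Secure Shell. It was specified by the IETF Network Working Group and is a security protocol built on top of the application layer.
SSH is currently one of the more reliable protocols designed to secure remote login sessions and other network services. Using SSH effectively prevents information leakage during remote administration. SSH started as a program on UNIX systems and quickly spread to other platforms. Used correctly, SSH closes gaps in the network. SSH clients are available for many platforms: almost every UNIX platform, including HP-UX, Linux, Unix, AIX, Solaris, Digital UNIX, Irix, and others, can run SSH.
How SSH (the remote connection tool) connects: the ssh service is a daemon that listens in the background for client connections. The server process is named sshd; it listens for client requests in real time (default port 22) and handles the exchange of public keys and related information.
The ssh server side consists of two parts: openssh (provides the ssh service) and openssl (provides the cryptographic routines).
On the client side, tools such as XShell, XManager, SecureCRT, PuTTY and MobaXterm can be used to connect and log in remotely.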
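How SSH works
When the server starts it generates a key of its own (a 768-bit public key). The local ssh client sends a connection request to the ssh server; the server checks the data and IP address sent by the connecting client and, once it accepts them as legitimate, sends its key (768 bits) to the client. The client then combines its local private key (256 bits) with the server's public key (768 bits) into a key pair (1024 bits) and sends it back to the server, and the connection is established with data carried under that key pair.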
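SSH encryption
Encryption: data is encrypted in transit.
1. SSH1 does not verify the client's key, so malicious code can easily be planted.
2. SSH2 adds a Diffie-Hellman mechanism that confirms the connection is correct: on every data transfer the server checks that the data comes from the right source, which keeps intruders out.
SSH2 supports RSA and DSA keys:
1) DSA: Digital Signature Algorithm, for digital signatures
2) RSA: can be used for both digital signatures and encryption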
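SSH summary
1) SSH is a secure, encrypted protocol used to connect to Linux servers remotely
2) The default SSH port is 22 and the protocol version is SSH2. Note: the port can be changed; see the Mimvp blog (米扑博客) post: Linux: change the default SSH port 22 to prevent password cracking
3) The SSH server side provides two main services: SSH connections and an SFTP server
4) The SSH client side includes the ssh connection command, the scp remote copy command, and others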
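How to prevent SSH login intrusion
1) Log in with keys and change the port; see the Mimvp blog (米扑博客) post: Linux: change the default SSH port 22 to prevent password cracking
2) The "bull formation" tactic (牤牛阵法)
3) Listen only on the local intranet IP (ListenAddress 192.168.25.*)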
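ssh feature overview
1. Remote login
ssh mimvp@192.168.25.137 -p22
2. Run a command directly --> preferably with its full path
ssh root@192.168.25.137 ls -ltr /backup/data
ssh root@192.168.25.137 /bin/ls -ltr /backup/data
3. View known hosts
cat /root/.ssh/known_hosts
4. Run a sudo command remotely over ssh
ssh -t mimvp@192.168.25.137 sudo rsync hosts /etc/
5. scp remote copy
1) Secure (encrypted) copy of files to a remote host
scp -P22 -r -p /home/mimvp/h.txt mimvp@192.168.25.137:/home/mimvp/
2) scp summary
scp is an encrypted remote copy; cp is a local copy.
scp can copy in both directions between the local machine and a remote server.
scp always copies everything (inefficient, suitable for the first transfer); for incremental copies use rsync.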
6. The sftp feature built into ssh
1) File transfer tools between Windows and Linux
WinSCP, FileZilla
sftp --> secure encrypted transfer based on ssh
samba
2) Connecting with the sftp client
sftp -oPort=22 root@192.168.25.137
put /etc/hosts /tmp
get /etc/hosts /home/mimvp
3) sftp summary:
a) On Linux use the command: sftp -oPort=22 root@x.x.x.x
b) put followed by a local client path uploads a file
c) get downloads content from the server to the local machine
d) The remote session starts in the login user's home directory by default
Common ssh command options
# ssh --help
usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
           [-D [bind_address:]port] [-E log_file] [-e escape_char]
           [-F configfile] [-I pkcs11] [-i identity_file]
           [-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec]
           [-O ctl_cmd] [-o option] [-p port] [-Q query_option] [-R address]
           [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]]
           [user@]hostname [command]
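ssh background service: related commands
# Query the openssl software
rpm -qa openssh openssl
# Find the sshd process
ps -ef | grep ssh
--> /usr/sbin/sshd
# Check the ssh port
netstat -lntup | grep ssh
ss | grep ssh              # same result as the lines above and below; handy
netstat -a | grep ssh      # remember this one
netstat -lnt | grep 22     # ==> check whether port 22 is open / whether the ssh service is running
# Tip: as long as the count is greater than 2, the ssh service is fine
netstat -lntp | grep ssh | wc -l
# Look at the ssh key directory
ll /root/.ssh/known_hosts  # under the .ssh directory of the current user's home directory
# The ssh configuration file
cat /etc/ssh/sshd_config
# Stop the ssh service
service sshd stop
# Start the ssh service
service sshd start
# Restart the ssh service
service sshd reload        # [stop the process, then restart] ==> recommended
service sshd restart       # [kill the process, then restart] ==> not recommended
# ssh remote login
ssh 192.168.1.100                                   # logs in with the current local user's name by default
ssh omd@192.168.1.100                               # log in as a user on the remote machine
ssh omd@192.168.1.100 -o stricthostkeychecking=no   # first login without having to type yes
ssh omd@192.168.1.100 "ls /home/omd"                # from server A, log in to server B and run a command
ssh omd@192.168.1.100 -t "sh /home/omd/ftl.sh"      # from server A, log in to server B and run a script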
For example, list the running ssh processes:
# ps -ef | grep ssh
root     18872 29204  0 10:26 pts/0    00:00:00 grep --color=auto ssh
root     29170     1  0 09:20 ?        00:00:00 sshd: dc2-user [priv]
dc2-user 29173 29170  0 09:20 ?        00:00:00 sshd: dc2-user@pts/0
root     31024     1  0 09:25 ?        00:00:00 /usr/sbin/sshd -D
Passwordless ssh setup
1. Go to the user's home directory
# whoami
root                    # [for root, the .ssh directory is under /root]
# ll /root/.ssh/
total 4
-rw------- 1 root root   0 Nov 11 15:39 authorized_keys
-rw-r--r-- 1 root root 182 Nov 19 21:44 known_hosts
# exit
$ whoami
mimvp-user              # [for an ordinary user, the .ssh directory is under the home directory]
$ ll /home/mimvp-user/.
./  ../  .bash_history  .bash_logout  .bash_profile  .bashrc
$ ll /home/mimvp-user/.ssh
ls: cannot access /home/mimvp-user/.ssh: No such file or directory
$ ll ~/.ssh
ls: cannot access /home/mimvp-user/.ssh: No such file or directory
As shown above:
The root superuser has a /root/.ssh/ directory by default.
The ordinary user mimvp-user has no /home/mimvp-user/.ssh directory by default; you can create it yourself: mkdir /home/mimvp-user/.ssh
2. Generate a private key and a public key with the DSA algorithm [created under the current user's home directory by default]
$ ssh-keygen -t dsa     # just press Enter at every prompt
Generating public/private dsa key pair.
Enter file in which to save the key (/home/mimvp-user/.ssh/id_dsa):
Created directory '/home/mimvp-user/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/mimvp-user/.ssh/id_dsa.
Your public key has been saved in /home/mimvp-user/.ssh/id_dsa.pub.
The key fingerprint is:
SHA256:yvdMKVnV2fgYNAy+8oZa9URO54VymFxLZcr0wENpe30 mimvp-user@mimvp-gz
The key's randomart image is:
+---[DSA 1024]----+
| .=Ooo|
| o X*% |
| B.&o*|
| . B.*E|
| S o o +.+|
| . . o * o |
| o + = o . |
| . B . |
| . o |
+----[SHA256]-----+
$
$ ls ~/.ssh/
id_dsa  id_dsa.pub
$
$ ll /home/mimvp-user/.ssh/
total 8
-rw------- 1 mimvp-user mimvp-user 668 Nov 20 13:53 id_dsa        # private key (stays on the local machine)
-rw-r--r-- 1 mimvp-user mimvp-user 605 Nov 20 13:53 id_dsa.pub    # public key (sent to the remote server)
3. Copy the public key to the target remote server
Command to copy the public key:
ssh-copy-id -i ~/.ssh/id_dsa.pub mimvp@48.192.80.72 -p 2345
Notes: the copy command is ssh-copy-id (not scp), the remote server's IP is 48.192.80.72, the port is 2345 (the default port 22 was changed to 2345), and the user name is mimvp (not root).
A complete example:
$ ssh-copy-id -i ~/.ssh/id_dsa.pub mimvp@48.192.80.72 -p 2345    # copy the local public key into the remote server's /home/mimvp/.ssh/authorized_keys file
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/mimvp-user/.ssh/id_dsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
mimvp@48.192.80.72's password:    # enter the remote server's password
Number of key(s) added: 1
Now try logging into the machine, with: "ssh -p '50186' 'mimvp@48.192.80.72'"
and check to make sure that only the key(s) you wanted were added.
$
$ cat ~/.ssh/id_dsa.pub
ssh-dss ... mimvp-user@mimvp-gz
4. Look at the file created on the target remote server
View the remote server's /home/mimvp/.ssh/authorized_keys file:
# cat /home/mimvp/.ssh/authorized_keys ssh-dss AAAAB3NzaC1kc3MAAACBAfJW8+skRNrUQFXnfKTitvn77P8vlZlOFUq4c6ZpjJFzXZILfn2SZZ42DfmB+6vybVfgpgtpo8OuX8zsD7Ust3nmeo9wCP+Oh6inaQbjkRLR77wNBPjTBXbV6Q9eYGr+LzkPsaws6LmNAAAAFQC77OmVJBpXpzJyUn+2/qEYt5MRYMFWXxghThH8ytU9Zf36dOU07M3NSkVXNazwAAAIEAkWXpGWmXNjyGGqUV2NyRMKqyGrxhI2ciYibNz/01nfHVUVyt+0e0pzrZgoAHbq7H1SvtK8Qy63Uxg9XyzHL57/Nq1AuFWqDpE1bowG68zzstirSrVrv5u+bomtcIUejjhF4Zh9IAAACAQSpaoSw5ZDW6m5VCVNVxOzYfVWDivHAJ9L3pspqGDwKHMInocK+GJgrTfdpMJTCTmOa6r20gBAGNl5mfzC9blAeEzSaPjvMWDmknRxEWaEG092dVJRbfKH2viTAsxfIvn3VcFsqq1Pmcc/wnZ9jcUNdvPsVQS9oB5TueYK56LjR4EOxxXtc+i70jeX0Isp3fpTJMIwTPFhO7c= mimvp-user@mimvp-gz
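This shows that the public key text in the remote server's /home/mimvp/.ssh/authorized_keys file includes the public key just copied from the local machine, which amounts to adding the local machine to an allowlist on the remote server (public/private key authorization).
5. From the local machine, log in to the target remote server without a password
$ ssh mimvp@48.192.80.72 -p 2345    # passwordless login from the local machine to the remote server
Last login: Wed Nov 20 14:14:32 2019 from 106.39.149.6
Welcome to Alibaba Cloud Elastic Compute Service !
[root@mimvp-bj mimvp]# exit    # the login went straight into the root account, so leave root first, then the mimvp account
[mimvp@mimvp-bj ~]$ logout
$
$ ssh mimvp@48.192.80.72 -p 2345 "cat /etc/passwd"    # log in without a password and read a file, without staying on the remote server
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync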
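6. Summary of the relationship between keys and locks
1) Many keys open one lock: copy id_dsa.pub to each server
2) One key opens many locks: send id_dsa to each server, and send id_dsa to yourself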
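ssh-dss keys such as the id_dsa pair generated above are limited to 1024 bits, and OpenSSH has disabled them by default since release 7.0, so it helps to know which entries in an authorized_keys file still use them. The script below is an added example, not from the original post; the function names, status labels and sample entries (with placeholder key data) are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the key type of every entry in an authorized_keys file
# and flag the weak ones. The sample data is constructed, not real keys.

# audit_authorized_keys FILE
# Prints "STATUS line N: keytype comment" (plus " [options]") per entry.
audit_authorized_keys() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }      # skip comments and blank lines
    {
        # An entry may start with options (from=..., command=..., no-pty),
        # so the key type is the first field that is a known type name.
        pos = 0
        for (i = 1; i <= NF && !pos; i++)
            if ($i ~ /^(ssh-(dss|rsa|ed25519)|ecdsa-sha2-nistp(256|384|521))$/)
                pos = i
        if (!pos) { print "FAIL line " NR ": no known key type"; next }
        type = $pos
        comment = (pos + 2 <= NF) ? $(pos + 2) : "-"
        opt = (pos > 1) ? " [options]" : ""
        if (type == "ssh-dss")      status = "FAIL"   # DSA, fixed at 1024 bits
        else if (type == "ssh-rsa") status = "WARN"   # size unknown: ssh-keygen -l -f FILE
        else                        status = "OK"
        print status " line " NR ": " type " " comment opt
    }' "$1"
}

# Constructed sample file; the base64 fields are placeholders.
demo_keys_audit() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed entries
ssh-dss AAAAB3NzaC1kc3MAAAplaceholder mimvp-user@mimvp-gz
from="192.168.25.0/24",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5placeholder deploy@build
ssh-rsa AAAAB3NzaC1yc2EAAAplaceholder ops@laptop
EOF
    audit_authorized_keys "$tmp"
    rm -f "$tmp"
}

demo_keys_audit
```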
ssh troubleshooting
1. Check whether the physical link is up
ping 48.192.80.72    # line | firewall | whether both hosts are on the same network; ping itself uses the ICMP protocol
2. Check whether the service is healthy
telnet 48.192.80.72 22
3. Linux firewall
service iptables status
/etc/init.d/iptables status
Example:
# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       tcp  --  47.98.238.6          0.0.0.0/0
2    DROP       tcp  --  118.31.37.125        0.0.0.0/0
3    DROP       tcp  --  120.77.38.67         0.0.0.0/0
4    DROP       tcp  --  119.191.58.30        0.0.0.0/0
5    DROP       tcp  --  120.230.102.146      0.0.0.0/0
6    DROP       tcp  --  120.230.102.185      0.0.0.0/0
systemctl status iptables.service
# systemctl status iptables.service
● iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
   Active: active (exited) since Sun 2019-05-05 23:02:31 CST; 6 months 16 days ago
 Main PID: 32150 (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/iptables.service
May 05 23:02:31 mimvp-bj systemd[1]: Starting IPv4 firewall with iptables...
May 05 23:02:31 mimvp-bj systemd[1]: Started IPv4 firewall with iptables.
May 05 23:02:31 mimvp-bj iptables.init[32150]: iptables: Applying firewall rules: [ OK ]
4. Turn on ssh debug output and watch it
ssh -vvv mimvp@48.192.80.72 -p 2345
Example:
$ ssh -vvv mimvp@48.192.80.72    # wrong port: the server is not on the default port 22
OpenSSH_7.6p1, OpenSSL 1.0.2s 28 May 2019
debug1: Reading configuration data /usr/local/etc/ssh/ssh_config
debug2: resolving "48.192.80.72" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 48.192.80.72 [48.192.80.72] port 22.
debug1: connect to address 48.192.80.72 port 22: Connection refused    # wrong port: not the default port 22
ssh: connect to host 48.192.80.72 port 22: Connection refused
$
$ ssh -vvv mimvp@48.192.80.72 -p 2345    # with the correct port, 2345
OpenSSH_7.6p1, OpenSSL 1.0.2s 28 May 2019
debug1: Reading configuration data /usr/local/etc/ssh/ssh_config
debug2: resolving "48.192.80.72" port 2345
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 48.192.80.72 [48.192.80.72] port 2345.    # the correct port, 2345
debug1: Connection established.
debug1: identity file /Users/homer/.ssh/id_rsa type 0
debug1: key_load_public: No such file or directory
debug1: identity file /Users/homer/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/homer/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
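Summary of SSH bulk distribution and management approaches
1. Use root for ssh key authentication
Pros: simple, easy to use
Cons: poor security; remote root login cannot be disabled
2. Use the ordinary user mimvp (recommended)
Idea: copy the files to distribute into the user's home directory on the server, then use sudo to elevate and copy the files into the target directory
Pros: secure
Cons: complex, tedious to configure
1) sudo privilege
echo 'mimvp ALL=(ALL) NOPASSWD:/usr/bin/rsync' >> /etc/sudoers
visudo -c
grep mimvp /etc/sudoers
2) Distribute over ssh to the home directory on the server
scp -P22 -r /etc/hosts mimvp@48.192.80.72:~
3) Over ssh, use sudo to copy into /etc on the target server
ssh -t mimvp@48.192.80.72 sudo rsync hosts /etc/
3. Extension of approach 2: instead of sudo, set the suid bit to elevate a fixed command
Pros: fairly secure
Cons: complex, with weaker security: anyone can run a command that has the suid bit set
1) which rsync
2) chmod 4755 /usr/bin/rsync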
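A few points about sshd, the ssh service's startup file
1. Edit /etc/ssh/sshd_config
# Lets one server manage several ssh services
GSSAPIAuthentication yes
# Faster response, since this is an intranet environment
UseDNS no
# Do not allow the root user to log in directly
PermitRootLogin no
# Change the access port
Port 2345
# Listen only on the intranet IP
ListenAddress 48.192.80.72
# Users allowed to log in in the current environment
Match User anoncvs
# Whether root may log in; normally not allowed
PermitRootLogin no
2. Restart the service
service sshd restart    # load the settings into memory
service sshd reload     # recommended: reload is a smooth hot reload that does not disturb users
3. Check the connection ports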
netstat -an | grep EST
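The settings in step 1 only help where sshd actually applies them: sshd keeps the first value it reads for each keyword, and every line after a Match line applies only to that block. The script below is an added example, not part of the original post; the function names, the constructed sample file and the OK/WARN/FAIL labels are assumptions made for illustration, and Include files are not followed.

```shell
#!/bin/sh
# Added example: audit the global part of an sshd_config file against the
# settings this article recommends (no root login, no empty passwords,
# no DNS lookups, key login instead of passwords).

# audit_sshd_config FILE
# Prints one line per keyword: "OK|WARN|FAIL keyword=value".
audit_sshd_config() {
    awk '
    BEGIN { n = split("permitrootlogin passwordauthentication permitemptypasswords usedns", want, " ") }
    /^[ \t]*#/ || NF == 0 { next }                 # skip comments and blank lines
    { sub(/=/, " "); key = tolower($1) }           # accept "Keyword=value" too
    key == "match" { exit }                        # the rest of the file is conditional
    !(key in first) { first[key] = tolower($2) }   # the first value wins
    END {
        for (i = 1; i <= n; i++) {
            k = want[i]
            if (!(k in first))          print "WARN " k "=unset"
            else if (first[k] == "no")  print "OK " k "=no"
            else                        print "FAIL " k "=" first[k]
        }
    }' "$1"
}

# Constructed sample: root login is restricted only inside the Match block,
# and PasswordAuthentication is set twice.
demo_sshd_audit() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
#PermitRootLogin yes
Port 2345
UseDNS no
PasswordAuthentication yes
PasswordAuthentication no
Match User anoncvs
    PermitRootLogin no
EOF
    audit_sshd_config "$tmp"
    rm -f "$tmp"
}

demo_sshd_audit
```

A WARN line means the keyword is not set globally, so the default of the installed OpenSSH version applies; on a live host, sshd -T prints the configuration sshd will actually use.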
SSH: skip HostKeyChecking so that yes does not have to be typed by hand
Skip the ssh RSA key fingerprint yes/no prompt
When a large number of nodes must reach each other over ssh, and many nodes are cloned automatically, every pair of nodes has to connect once with yes typed by hand, which causes a lot of trouble.
Solution 1: edit the configuration file /etc/ssh/ssh_config
vim /etc/ssh/ssh_config
Find: # StrictHostKeyChecking ask
Change it to: StrictHostKeyChecking no
Solution 2: add the -o option [o = option]
ssh root@48.192.80.72 -p 2345 -o "StrictHostKeyChecking no"
ssh root@48.192.80.72 -p 2345 -o StrictHostKeyChecking=no -q
scp -P 2345 -o "StrictHostKeyChecking no" newfile.txt root@48.192.80.72:/root
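Setting StrictHostKeyChecking to no removes the prompt by removing the check itself, so a substituted server key goes unnoticed. For many nodes the prompt can also be avoided by writing known_hosts ahead of time from a trusted inventory, as in this added example (not from the original post); the inventory format, function names and placeholder key data are assumptions, and the known_hosts file is assumed to be unhashed.

```shell
#!/bin/sh
# Added example: build known_hosts from an inventory collected out of band,
# so first connections need no "yes" and a changed key is still caught.

# seed_known_hosts INVENTORY KNOWN_HOSTS
# INVENTORY lines: host port keytype base64key
seed_known_hosts() {
    inv=$1; kh=$2
    touch "$kh"
    while read -r host port ktype key; do
        case $host in ''|'#'*) continue ;; esac
        # known_hosts writes a non-default port as [host]:port
        if [ "$port" = 22 ]; then name=$host; else name="[$host]:$port"; fi
        old=$(awk -v n="$name" -v t="$ktype" \
              '$1 == n && $2 == t { print $3; exit }' "$kh")
        if [ -z "$old" ]; then
            printf '%s %s %s\n' "$name" "$ktype" "$key" >> "$kh"
            echo "ADDED $name $ktype"
        elif [ "$old" = "$key" ]; then
            echo "SAME $name $ktype"
        else
            echo "CHANGED $name $ktype"   # report, never overwrite silently
        fi
    done < "$inv"
}

# Constructed inventory; the key fields are placeholders, not real keys.
demo_seed() {
    dir=$(mktemp -d)
    printf '%s\n' '48.192.80.72 2345 ssh-ed25519 AAAAplaceholderKeyOne' \
                  '192.168.25.137 22 ssh-ed25519 AAAAplaceholderKeyTwo' > "$dir/inv"
    seed_known_hosts "$dir/inv" "$dir/known_hosts"
    # Second run: the first host now presents a different key.
    printf '%s\n' '48.192.80.72 2345 ssh-ed25519 AAAAplaceholderKeyNEW' \
                  '192.168.25.137 22 ssh-ed25519 AAAAplaceholderKeyTwo' > "$dir/inv"
    seed_known_hosts "$dir/inv" "$dir/known_hosts"
    rm -rf "$dir"
}

demo_seed
```

Connections can then use -o StrictHostKeyChecking=yes with -o UserKnownHostsFile pointing at the seeded file. OpenSSH 7.6 and later also accept StrictHostKeyChecking=accept-new, which records new hosts without a prompt but still refuses a host whose key has changed.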
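ssh + sshpass for password-free login (strongly recommended)
See the Mimvp blog (米扑博客) post: ssh + sshpass: enter the password automatically to log in to a server
ssh usage summary
1) ssh is an encrypted protocol for remote connections; the related software is openssh and openssl
2) The default port is 22; the port can be changed, see the Mimvp blog (米扑博客) post: Linux: change the default SSH port 22 to prevent password cracking
3) ssh protocol versions
4) Server side: ssh connections, ftp connections, the sshd daemon, start at boot
5) Important ssh client commands: ssh (user login and remote commands), scp, sftp
6) Authentication methods: password and key; to learn how they work, see the Mimvp blog (米扑博客) post: ssh + sshpass: enter the password automatically to log in to a server
7) ssh service tuning: change the port, change the listen address, no root, no empty, no DNS
8) ssh key pair: the public key lives on the server, the private key on the client
ssh configuration file
vim /etc/ssh/sshd_config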
[root@mimvp .ssh]# cat /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
Copyright: this article was written, reposted, excerpted, or revised and then published by the Mimvp blog (米扑博客); last updated 2020-01-06 05:59:17
When reposting, credit: Linux ssh Command: How It Works in Detail (Mimvp blog, 米扑博客)