首页 > 系统 > 其他 >

CentOS 7设置NTP、SSH服务

2016-10-29

CentOS 7设置NTP、SSH服务

1、配置NTP服务

1、安装ntpd并配置ntp服务 [root@vdevops ~]# yum -y install ntp # 18行: 添加允许同步的网络段 restrict 10.1.1.0 mask 255.255.255.0 nomodify notrap [root@vdevops ~]# systemctl start ntpd [root@vdevops ~]# systemctl enable ntpd

2、如果当前系统的Firewalld是运行状态,需要执行下面命令
[root@vdevops ~]# firewall-cmd --add-service=ntp --permanent
success
[root@vdevops ~]# firewall-cmd --reload
success 
3、确认ntp服务是否正常
[root@vdevops ~]# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*time5.aliyun.co 10.137.38.86     2 u   92   64   36   30.174    0.236   0.524
4、同步aliyun的时间服务器
[root@linuxprobe ~]# ntpdate times.aliyun.com
26 Oct 11:51:30 ntpdate[2935]: step time server 120.25.115.19 offset 15075.743514 sec
【2】配置SSH服务

1、即使您使用“最小安装”安装了CentOS,OpenSSH也已默认安装,因此不必安装新软件包。您可以默认使用密码验证登录,但更改一些设置为安全如下:

[root@vdevops ~]# vi /etc/ssh/sshd_config
# 48行: 取消注释改变yes为弄 ( 禁止root远程登录 )
PermitRootLogin no

# 77 行:取消注释
PermitEmptyPasswords no
PasswordAuthentication yes
[root@vdevops ~]# systemctl restart sshd 
2、如果Firewalld是运行状态,需要添加以下策略
[root@vdevops ~]# firewall-cmd --add-service=ssh --permanent
success
[root@vdevops ~]# firewall-cmd --reload
success 
3、ssh文件传输

使用SCP(安全复制)的例子

yum -y install openssh-clients
拷贝本地的测试文件到远程主机,使用scp前设置hosts文件,保证每台主机上包含对方的主机IP和域名解析,并且对应起来
[root@vdevops ~]# scp test.txt wang@linuxprobe.org:/tmp
The authenticity of host 'linuxprobe.org (10.1.1.53)' can't be established.
ECDSA key fingerprint is d1:bd:3c:7f:68:71:79:44:4f:e5:2c:42:f1:06:49:14.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'linuxprobe.org,10.1.1.53' (ECDSA) to the list of known hosts.
wang@linuxprobe.org's password: 
test.txt 
[root@vdevops ~]# scp -P22 wang@linuxprobe.org:/tmp/test.txt ./
wang@linuxprobe.org's password: 
test.txt    
 4、使用sftp传输文件
# sftp [Option] [user@host] 操作参数

[redhat@vdevops ~]$ sftp wang@linuxprobe.org          #连接远程服务器
wang@linuxprobe.org's password:# password of the user
Connected to linuxprobe.org
sftp>
# 查看远程服务器当前目录
sftp> pwd
Remote working directory: /home/wang
# 查看本地服务器当前目录
sftp> !pwd
/home/redhat
# 查看ftp服务器期当前目录文件
sftp> ls -l
drwxrwxr-x    2 wang     wang            6 Jul 29 21:33 public_html
-rw-rw-r--    1 wang     wang           10 Jul 28 22:53 test.txt
# 查看本地服务器当前目录文件
sftp> !ls -l
total 4
-rw-rw-r-- 1 redhat redhat 10 Jul 29 21:31 test.txt
sftp> cd public_html                #切换目录
sftp> pwd
Remote working directory: /home/wang/public_html
# 上传本地文件到远程服务器
sftp> put test.txt redhat.txt
Uploading test.txt to /home/wang/redhat.txt
test.txt 100% 10 0.0KB/s 00:00
sftp> ls -l
drwxrwxr-x    2 wang     wang            6 Jul 29 21:33 public_html
-rw-rw-r--    1 wang     wang           10 Jul 29 21:39 redhat.txt
-rw-rw-r--    1 wang     wang           10 Jul 28 22:53 test.txt
sftp> put *.txt
Uploading test.txt to /home/wang/test.txt
test.txt 100% 10 0.0KB/s 00:00
Uploading test2.txt to /home/wang/test2.txt
test2.txt 100% 0 0.0KB/s 00:00
sftp> ls -l
drwxrwxr-x    2 wang     wang            6 Jul 29 21:33 public_html
-rw-rw-r--    1 wang     wang           10 Jul 29 21:39 redhat.txt
-rw-rw-r--    1 wang     wang           10 Jul 29 21:45 test.txt
-rw-rw-r--    1 wang     wang           10 Jul 29 21:46 test2.txt
# 从远程服务器上面下载单个文件
sftp> get test.txt
Fetching /home/wang/test.txt to test.txt
/home/wang/test.txt 100% 10 0.0KB/s 00:00
# 从远程服务器上面下载多个文件
sftp> get *.txt
Fetching /home/wang/redhat.txt to redhat.txt
/home/wang/redhat.txt 100% 10 0.0KB/s 00:00
Fetching /home/wang/test.txt to test.txt
/home/wang/test.txt 100% 10 0.0KB/s 00:00
Fetching /home/wang/test2.txt to test2.txt
/home/wang/test2.txt 100% 10 0.0KB/s 00:00
# create a directory on remote server
sftp> mkdir testdir
sftp> ls -l
drwxrwxr-x    2 wang     wang            6 Jul 29 21:33 public_html
-rw-rw-r--    1 wang     wang           10 Jul 29 21:39 redhat.txt
-rw-rw-r--    1 wang     wang           10 Jul 29 21:45 test.txt
-rw-rw-r--    1 wang     wang           10 Jul 29 21:46 test2.txt
drwxrwxr-x    2 wang     wang            6 Jul 29 21:53 testdir
# 删除远程服务器上面的目录
sftp> rmdir testdir
rmdir ok, `testdir' removed
sftp> ls -l
drwxrwxr-x    2 wang     wang            6 Jul 29 21:33 public_html
-rw-rw-r--    1 wang     wang           10 Jul 29 21:39 redhat.txt
-rw-rw-r--    1 wang     wang           10 Jul 29 21:45 test.txt
-rw-rw-r--    1 wang     wang           10 Jul 29 21:46 test2.txt
# 删除远程服务上面的文件
sftp> rm test2.txt
Removing /home/wang/test2.txt
sftp> ls -l
drwxrwxr-x    2 wang     wang            6 Jul 29 21:33 public_html
-rw-rw-r--    1 wang     wang           10 Jul 29 21:39 redhat.txt
-rw-rw-r--    1 wang     wang           10 Jul 29 21:45 test.txt
# execute commands with "![command]"
sftp> !cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
...
...
redhat:x:1001:1001::/home/redhat:/bin/bash
# exit
sftp> quit  #退出sftp连接
5、SSH keys认证

为每个用户创建密钥对,因此使用普通用户登录并按如下所示工作。

[wang@vdevops ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/wang/.ssh/id_rsa): 
Created directory '/home/wang/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/wang/.ssh/id_rsa.
Your public key has been saved in /home/wang/.ssh/id_rsa.pub.
The key fingerprint is:
af:58:16:e9:f9:02:bc:95:5d:ec:4d:bd:6a:2b:39:06 wang@vdevops.com
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|           .   . |
|         .  o . .|
|     .  So o o  .|
|      o.oE. . .. |
|       += o . .  |
|      .+.o = o   |
|      . ..o +..  |
+-----------------+
[wang@vdevops ~]$ mv ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
[wang@vdevops ~]$ chmod 600 ~/.ssh/authorized_keys 
两台服务器其中vdevops.com作为服务端,linuxprobe.org作为客户端,拷贝服务的id_rsa文件到客户端,客户端上面对象的用户可以通过认证文件登录到服务端

#在linuxprobe.org上

[wang@linuxprobe ~]$ ls -a
.  ..  .bash_logout  .bash_profile  .bashrc
[wang@linuxprobe ~]$ mkdir ~/.ssh
[wang@linuxprobe ~]$ chmod 700 ~/.ssh
[wang@linuxprobe ~]$ scp wang@vdevops.com:/home/wang/.ssh/id_rsa ~/.ssh/
The authenticity of host 'vdevops.com (10.1.1.56)' can't be established.
ECDSA key fingerprint is f8:d2:55:54:8f:e8:43:e0:ee:aa:d6:8d:53:8c:8e:85.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'vdevops.com,10.1.1.56' (ECDSA) to the list of known hosts.
wang@vdevops.com's password: 
id_rsa                                                                                                       100% 1679     1.6KB/s   00:00    
[wang@linuxprobe ~]$ ssh -i ~/.ssh/id_rsa wang@vdevops.com
Last login: Wed Oct 26 15:39:18 2016                   #登录成功
#如果想要更加安全的登录远程服务器,可以设置PasswordAuthentication=no,重启sshd服务,这样从本地登录远程服务器的时候不仅需要密码验证还需要key文件验证

6、设置SFTP和Chroot

应用此设置的某些用户只能使用SFTP访问,或者访问制定允许的目录。

例如,设置Chroot目录/ home

 # 针对SFTP创建一个特定的组
[root@vdevops ~]# groupadd sftp_users

# 把用户wang加到sftp组中

[root@vdevops ~]# usermod -G sftp_users cent

[root@vdevops ~]# vi /etc/ssh/sshd_config
# line 147: 取消注释并添加一行
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
# 在下面增加下面几行内容
Match Group sftp_users
  X11Forwarding no
  AllowTcpForwarding no
  ChrootDirectory /home
  ForceCommand internal-sftp
[root@vdevops ~]# systemctl restart sshd    #重启sshd服务
6.2、测试用户登录
[root@linuxprobe ~]# ssh wang@10.1.1.56
wang@10.1.1.56's password: 
Could not chdir to home directory /home/wang: No such file or directory
This service allows sftp connections only.
Connection to 10.1.1.56 closed.
[root@linuxprobe ~]# sftp wang@10.1.1.56
wang@10.1.1.56's password: 
Connected to 10.1.1.56.
sftp> ls -l
drwx------    2 1000     1000           59 Oct 25 17:02 shaon
drwx------    2 1002     1003           59 Oct 26  2016 testuser
drwx------    3 1001     1001           90 Oct 26 07:39 wang
sftp> pwd
Remote working directory: /
sftp> exit
7、SSH端口转发

例如,配置转发设置,将本地的8081转发到本地的5901(VNC)。

# forward the connection to 8081 to 5901 on local
[wang@linuxprobe ~]$ ssh -L 0.0.0.0:8081:localhost:5901 wang@localhost
wang@localhost's password:   # the password of the working user (it means the login to local to local)
Last login: Thu Jul 10 01:35:15 2014
# confirm
[wang@linuxprobe ~]$ netstat -lnp | grep 8081
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 0.0.0.0:8081            0.0.0.0:*               LISTEN      3238/ssh
# keep this session and go next
# it's possbile to start the process on background as a daemon with "-f" option but then it needs to kill it by hand after working.
#然后通过8081端口连接VNC服务端

\

8、使用SSHPass自动输入密码身份验证密码
这很方便,但有安全隐患(密码泄漏),如果你使用它时要格外小心。


# 从EPEL源安装
[root@vdevops ~]# yum --enablerepo=epel -y install sshpass # 使用sshpass [root@vdevops ~]# sshpass -p fangbuxia..0 ssh 10.1.1.53 hostname linuxprobe.org [root@vdevops ~]# echo "fangbuxia..0" sshpass.txt fangbuxia..0 sshpass.txt [root@vdevops ~]# echo "fangbuxia..0" > sshpass.txt [root@vdevops ~]# chmod 600 sshpass.txt [root@vdevops ~]# sshpass -f sshpass.txt ssh 10.1.1.53 hostname linuxprobe.org [root@vdevops ~]# export SSHPASS=fangbuxia..0 [root@vdevops ~]# sshpass -e ssh 10.1.1.53 hostname linuxprobe.org 9、用SSH-Agent自动输入密钥对身份验证的密码

9.1、SSH密钥验证

配置SSH服务器以使用密钥验证进行登录。为客户端创建一个私钥,并为服务器创建一个公钥。

以vdevops.com为服务端:

为每个用户创建密钥对,因此使用普通用户登录并按如下所示工作:

[wang@vdevops ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/wang/.ssh/id_rsa): 
/home/wang/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/wang/.ssh/id_rsa.
Your public key has been saved in /home/wang/.ssh/id_rsa.pub.
The key fingerprint is:
75:6c:9b:02:0a:00:78:3b:aa:6a:10:71:99:42:a7:62 wang@vdevops.com
The key's randomart image is:
+--[ RSA 2048]----+
|+o.+             |
|+ B.       .     |
|.E ..   . . +    |
|+ o  . . o o o   |
| o .  . S . o    |
|o          .     |
|o                |
|..               |
|+                |
+-----------------+
[wang@vdevops ~]$ mv ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys 
[wang@vdevops ~]$ chmod 600 ~/.ssh/authorized_keys 
将在服务器上创建的密钥传输到客户端,然后可以使用密钥身份验证登录。

linuxprobe.org作为客户端:

[wang@linuxprobe ~]$ mkdir ~/.ssh              #创建存放密钥文件的默认路径,如果已存在不需要重复创建
[wang@linuxpeobe ~]$ mkdir 700 ~/.ssh
[wang@linuxprobe ~]$ scp wang@10.1.1.56:/home/wang/.ssh/id_rsa ~/.ssh/   #拷贝服务端的私钥
wang@10.1.1.56's password: 
id_rsa                                                                                                       100% 1675     1.6KB/s   00:00    
[wang@linuxprobe ~]$ ssh -i ~/.ssh/id_rsa wang@10.1.1.56                 #使用服务端的私钥登录到服务端
Last login: Thu Oct 27 09:24:18 2016
[wang@vdevops ~]$   #登录成功
#客户端创建公钥文件
[wang@linuxprobe ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/wang/.ssh/id_rsa): y
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in y.
Your public key has been saved in y.pub.
The key fingerprint is:
3e:de:94:77:cc:11:8c:a5:df:38:30:63:32:25:a1:81 wang@linuxprobe.org
The key's randomart image is:
+--[ RSA 2048]----+
|       .. o.. .  |
|      E  o o =   |
|        . o B o  |
|           + = + |
|        S     = .|
|       .   . o o |
|        o o . +  |
|       . + . .   |
|        . .      |
+-----------------+

#把y.pub拷贝到服务端加入到authorized_keys里面,即可从服务端免密码登录到客户端

10、使用并行SSH

[1] 安装pssh
# 从EPEL源安装
[root@vdevops ~]# yum --enablerepo=epel -y install pssh
[2] 如何使用PSSH.
确保服务器之间设置好密钥对认证
# 连接到服务器上执行命令
[wang@vdevops ~]$ pssh -H "10.1.1.51 10.1.1.52" -i "hostname"
[1] 17:28:02 [SUCCESS] 10.1.1.51
node01.linuxprobe
[2] 17:28:02 [SUCCESS] 10.1.1.52
node02.linuxprobe
# it's possible to read host list fron a file

[wang@vdevops ~]$ vi pssh_hosts.txt
# 自定义host文件,按照下面的格式
wang@10.1.1.51
wang@10.1.1.52
[wang@vdevops ~]$ pssh -h pssh_hosts.txt -i "uptime"

[1] 19:37:59 [SUCCESS] wang@10.1.1.52
 19:37:59 up  1:35,  0 users,  load average: 0.00, 0.00, 0.00
[2] 19:37:59 [SUCCESS] wang@10.1.1.51
 19:37:59 up  1:35,  0 users,  load average: 0.00, 0.00, 0.00

[3] 可以采用密码认证的方式,但是需要保证host文件中定义的主机同一账户的密码是相同的
[wang@vdevops ~]$ pssh -h pssh_hosts.txt -A -O PreferredAuthentications=password -i "uname -r"
Warning: do not enter your password if anyone else has superuser
privileges or access to your account.
Password: # input password

[1] 12:54:06 [SUCCESS] wang@10.1.1.51
2.6.32-504.12.2.el6.x86_64
[2] 12:54:06 [SUCCESS] wang@10.1.1.52
2.6.32-504.12.2.el6.x86_64

#总结:在CentOS配置相关服务时,建议多配置几篇,大致了解服务的原理。

相关文章
最新文章
热点推荐