本节内容:
ssh配置教程
一、ssh相关知识
什么是ssh?
ssh 为 secure shell 的缩写,由 ietf 的网络工作小组(Network Working Group)所制定;ssh 为建立在应用层和传输层基础上的安全协议。
ssh 是目前较可靠,专为远程登录会话和其他网络服务提供安全性的协议。利用 ssh协议可以有效防止远程管理过程中的信息泄露问题。
ssh最初是unix系统上的一个程序,后来又迅速扩展到其他操作平台。ssh在正确使用时可弥补网络中的漏洞。
ssh客户端适用于多种平台。几乎所有unix平台—包括hp-ux、linux、aix、solaris、digital unix、irix,以及其他平台—都可运行ssh。
#名字以 d 结尾的程序通常是守护进程(daemon)
#查询已安装的软件包
[root@client01 opt]# rpm -qa|grep openssh
openssh-clients-5.3p1-52.el6.x86_64
openssh-5.3p1-52.el6.x86_64
openssh-server-5.3p1-52.el6.x86_64
[root@client01 opt]# rpm -ql openssh-server
/etc/pam.d/ssh-keycat
/etc/pam.d/sshd
/etc/rc.d/init.d/sshd
/etc/ssh/sshd_config
/etc/sysconfig/sshd
/usr/libexec/openssh/sftp-server
/usr/libexec/openssh/ssh-keycat
/usr/sbin/.sshd.hmac
/usr/sbin/sshd
/usr/share/doc/openssh-server-5.3p1
/usr/share/doc/openssh-server-5.3p1/HOWTO.ssh-keycat
/usr/share/man/man5/moduli.5.gz
/usr/share/man/man5/sshd_config.5.gz
/usr/share/man/man8/sftp-server.8.gz
/usr/share/man/man8/sshd.8.gz
/var/empty/sshd
#telnet:明文传输,不安全。不建议使用
[root@client01 opt]# cd /etc/ssh/
[root@client01 ssh]# ll
total 156
-rw-------. 1 root root 125811 Apr 5 2011 moduli
-rw-r--r--. 1 root root 2047 Apr 5 2011 ssh_config
-rw-------. 1 root root 3872 Apr 5 2011 sshd_config
-rw-------. 1 root root 668 Jul 23 00:58 ssh_host_dsa_key
-rw-r--r--. 1 root root 590 Jul 23 00:58 ssh_host_dsa_key.pub
-rw-------. 1 root root 963 Jul 23 00:58 ssh_host_key
-rw-r--r--. 1 root root 627 Jul 23 00:58 ssh_host_key.pub
-rw-------. 1 root root 1675 Jul 23 00:58 ssh_host_rsa_key
-rw-r--r--. 1 root root 382 Jul 23 00:58 ssh_host_rsa_key.pub
#ssh_config:ssh 客户端命令的配置文件
#sshd_config:sshd 服务端的配置文件,本文重点学习
[root@client01 ssh]# rm -rf ~/.ssh/known_hosts
[root@larrywen /]# ssh 192.168.1.12
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
3e:bd:1e:76:c4:c7:b4:98:dc:95:fc:61:d7:a8:45:71.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending key in /root/.ssh/known_hosts:7
RSA host key for 192.168.1.12 has changed and you have requested strict checking.
Host key verification failed.
#出现上述警告时,应先确认远端主机密钥确实是管理员重新生成的(指纹应与服务端 ssh_host_*_key.pub 的指纹一致),否则该警告可能意味着中间人攻击;确认无误后再删除该文件(或只删除 known_hosts 中对应的那一行)
[root@client01 ssh]# rm -rf ~/.ssh/known_hosts
#如果还是不行,在发起连接的本机上也删除 known_hosts
[root@larrywen .ssh]# rm -rf known_hosts
[root@client01 ssh]# ll
total 156
-rw-------. 1 root root 125811 Apr 5 2011 moduli
-rw-r--r--. 1 root root 2047 Apr 5 2011 ssh_config
-rw-------. 1 root root 3872 Apr 5 2011 sshd_config
-rw-------. 1 root root 668 Jul 23 00:58 ssh_host_dsa_key
-rw-r--r--. 1 root root 590 Jul 23 00:58 ssh_host_dsa_key.pub
-rw-------. 1 root root 963 Jul 23 00:58 ssh_host_key
-rw-r--r--. 1 root root 627 Jul 23 00:58 ssh_host_key.pub
-rw-------. 1 root root 1675 Jul 23 00:58 ssh_host_rsa_key
-rw-r--r--. 1 root root 382 Jul 23 00:58 ssh_host_rsa_key.pub
#我们删除 ssh_host_* 文件,然后重启服务,发现文件自动重新生成了;注意重新生成后主机密钥指纹会变化,所有曾连接过该主机的客户端都会收到上面的 "REMOTE HOST IDENTIFICATION HAS CHANGED" 警告
[root@client01 ssh]# rm -f ssh_host_*
[root@client01 ssh]# ll
total 132
-rw-------. 1 root root 125811 Apr 5 2011 moduli
-rw-r--r--. 1 root root 2047 Apr 5 2011 ssh_config
-rw-------. 1 root root 3872 Apr 5 2011 sshd_config
[root@client01 ssh]# /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Generating SSH1 RSA host key: [ OK ]
Generating SSH2 RSA host key: [ OK ]
Generating SSH2 DSA host key: [ OK ]
Starting sshd: [ OK ]
[root@client01 ssh]# ll
total 156
-rw-------. 1 root root 125811 Apr 5 2011 moduli
-rw-r--r--. 1 root root 2047 Apr 5 2011 ssh_config
-rw-------. 1 root root 3872 Apr 5 2011 sshd_config
-rw-------. 1 root root 672 Aug 6 10:38 ssh_host_dsa_key
-rw-r--r--. 1 root root 590 Aug 6 10:38 ssh_host_dsa_key.pub
-rw-------. 1 root root 963 Aug 6 10:38 ssh_host_key
-rw-r--r--. 1 root root 627 Aug 6 10:38 ssh_host_key.pub
-rw-------. 1 root root 1675 Aug 6 10:38 ssh_host_rsa_key
-rw-r--r--. 1 root root 382 Aug 6 10:38 ssh_host_rsa_key.pub
[root@client01 ssh]# man 5 sshd_config
#修改端口,然后重启,重新登录
[root@client01 ssh]# vim sshd_config
[root@client01 ssh]# grep "Port" sshd_config
#Port 22
Port 2222
#GatewayPorts no
[root@client01 ssh]# /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
[root@client01 ~]# netstat -lanput | grep sshd
tcp 0 0 0.0.0.0:2222 0.0.0.0:* LISTEN 1814/sshd
tcp 0 0 :::2222 :::* LISTEN 1814/sshd
#修改端口后按照以前的登录方式会出错
[root@larrywen /]# ssh 192.168.1.11
ssh: connect to host 192.168.1.11 port 22: Connection refused
#指定端口,参数可以放在前面或者后面
[root@larrywen /]# ssh 192.168.1.11 -p 2222
The authenticity of host '[192.168.1.11]:2222 ([192.168.1.11]:2222)' can't be established.
RSA key fingerprint is 26:c7:6e:26:d8:9d:84:e4:25:46:d4:43:1f:d5:54:67.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.1.11]:2222' (RSA) to the list of known hosts.
root@192.168.1.11's password:
Last login: Tue Aug 6 09:54:46 2013 from 192.168.1.1
[root@client01 ~]# exit
logout
Connection to 192.168.1.11 closed.
[root@larrywen /]# ssh -p 2222 192.168.1.11
root@192.168.1.11's password:
Last login: Tue Aug 6 10:42:48 2013 from 192.168.1.1
#scp:借助 SSH 服务传输文件;指定端口的参数是大写的 -P,且要放在文件名之前,否则会被当作文件名处理(见下面的报错)
[root@larrywen begin]# scp ule-begin.pdf 192.168.1.11:/root -P 2222
2222: No such file or directory
[root@larrywen begin]# scp -P 2222 ule-begin.pdf 192.168.1.11:/root
root@192.168.1.11's password:
ule-begin.pdf 100% 14MB 13.6MB/s 00:00
二、ssh修改端口
#修改端口:出于安全考虑(只能减少自动扫描带来的噪音,不能替代密钥认证、限制登录用户等加固措施)
[root@client01 ~]# vim /etc/ssh/sshd_config
[root@client01 ~]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
[root@client01 ~]# netstat -langput | grep sshd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1969/sshd
tcp 0 0 :::22 :::* LISTEN 1969/sshd
[root@client01 ~]# ifconfig
eth0:1 192.168.1.111 netmask 255.255.255.0
[root@client01 ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:07:DD:3B
inet addr:192.168.1.11 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe07:dd3b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:13261 errors:0 dropped:0 overruns:0 frame:0
TX packets:2665 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:15228499 (14.5 MiB) TX bytes:402371 (392.9 KiB)
eth0:1 Link encap:Ethernet HWaddr 00:0C:29:07:DD:3B
inet addr:192.168.1.111 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
[root@larrywen /]# ssh -p 2222 192.168.1.111
ssh: connect to host 192.168.1.111 port 2222: Connection refused
[root@larrywen /]# ssh 192.168.1.111
The authenticity of host '192.168.1.111 (192.168.1.111)' can't be established.
RSA key fingerprint is 26:c7:6e:26:d8:9d:84:e4:25:46:d4:43:1f:d5:54:67.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.111' (RSA) to the list of known hosts.
root@192.168.1.111's password:
Last login: Tue Aug 6 10:57:55 2013 from 192.168.1.1
[root@client01 ~]#
[root@client01 ssh]# grep "ListenAddress" sshd_config
#ListenAddress 0.0.0.0
#ListenAddress ::
ListenAddress 192.168.1.111
[root@client01 ~]# exit
logout
Connection to 192.168.1.111 closed.
[root@larrywen /]# ssh 192.168.1.111
root@192.168.1.111's password:
Last login: Tue Aug 6 11:05:55 2013 from 192.168.1.1
[root@client01 ~]# netstat -langput | grep sshd
tcp 0 0 192.168.1.111:22 0.0.0.0:* LISTEN 2011/sshd
[root@larrywen /]# ssh 192.168.1.11
ssh: connect to host 192.168.1.11 port 22: Connection refused
三、ssh实现只允许内网登录,不允许外网登录
#添加一张网卡,网段是 172.16.1.0
#默认情况下 sshd 监听所有地址,两个网段都可以访问
[root@larrywen /]# ssh 172.16.1.11
The authenticity of host '172.16.1.11 (172.16.1.11)' can't be established.
RSA key fingerprint is f5:82:df:5b:07:2a:4a:b2:91:75:86:76:12:49:54:24.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.1.11' (RSA) to the list of known hosts.
root@172.16.1.11's password:
Last login: Tue Aug 6 19:15:21 2013 from 192.168.1.1
#通过 ListenAddress 绑定 IP 地址:只监听内网地址,内网可以访问,不绑定外网地址则外网无法连接
[root@serv01 ~]# vim /etc/ssh/sshd_config
[root@serv01 ~]# grep "Address" /etc/ssh/sshd_config
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
ListenAddress 192.168.1.11
#重启服务
[root@serv01 ~]# /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
[root@serv01 ~]# exit
logout
Connection to 172.16.1.11 closed.
#连接 172.16.1.11,被拒绝
[root@larrywen /]# ssh 172.16.1.11
ssh: connect to host 172.16.1.11 port 22: Connection refused
#连接192.168.1.11,可以正常登录
[root@larrywen /]# ssh 192.168.1.11
root@192.168.1.11's password:
Last login: Tue Aug 6 19:13:51 2013
[root@serv01 ~]# exit
logout
Connection to 192.168.1.11 closed.
[root@larrywen /]# ssh 192.168.1.11
root@192.168.1.11's password:
Last login: Tue Aug 6 19:15:33 2013 from 172.16.1.1
#查看网络状态
[root@serv01 ~]# netstat -lanput | grep sshd
tcp 0 0 192.168.1.11:22 0.0.0.0:* LISTEN 1375/sshd
四、ssh登录不需要密码实现
#允许空密码登录(仅作演示:PermitEmptyPasswords yes 会让任何人无需凭据即可登录该账号,生产环境中不应启用)
[root@serv01 ~]# vim /etc/ssh/sshd_config
[root@serv01 ~]# grep "#PermitEmptyPasswords" /etc/ssh/sshd_config -n
65:#PermitEmptyPasswords no
[root@serv01 ~]# grep "PermitEmptyPasswords" /etc/ssh/sshd_config -n
65:#PermitEmptyPasswords no
67:PermitEmptyPasswords yes
#添加用户,并在 /etc/passwd 中删除密码字段的 x,使该用户密码为空
[root@serv01 ssh]# useradd hongyi
[root@serv01 ssh]# vim /etc/passwd
[root@serv01 ssh]# tail -n1 /etc/passwd
hongyi::500:500::/home/hongyi:/bin/bash
[root@serv01 ssh]# /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
[root@larrywen /]# ssh hongyi@192.168.1.11
[hongyi@serv01 ~]$
五、ssh不允许root用户登录
[root@serv01 ssh]# grep "PermitRootLogin" sshd_config -n
42:#PermitRootLogin yes
43:PermitRootLogin no
93:# the setting of "PermitRootLogin without-password".
[root@serv01 ssh]# man sshd_config
[root@serv01 ssh]# /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
[root@serv01 ssh]# vim /etc/passwd   #恢复密码字段的 x,并为 hongyi 重新设置密码
[root@serv01 ssh]# tail -n1 /etc/passwd
hongyi:x:500:500::/home/hongyi:/bin/bash
[root@serv01 ssh]# passwd hongyi
[root@larrywen /]# ssh 192.168.1.11
root@192.168.1.11's password:
Permission denied, please try again.
[root@larrywen /]# ssh hongyi@192.168.1.11
hongyi@192.168.1.11's password:
Last login: Tue Aug 6 19:29:05 2013 from 192.168.1.1
六、ssh指定用户或者组登录
#允许/拒绝特定用户或组登录;sshd 按 DenyUsers、AllowUsers、DenyGroups、AllowGroups 的顺序处理这些指令,修改后需重启 sshd
AllowUsers hongyi
AllowUsers hongyi up01
DenyUsers zhink
AllowGroups
DenyGroups
[root@serv01 ssh]# useradd zhink
[root@serv01 ssh]# passwd zhink
[root@serv01 ssh]# useradd up01
[root@serv01 ssh]# passwd up01
[root@serv01 ssh]# grep "Users" sshd_config -n
47:AllowUsers hongyi up01
48:DenyUsers zhink
[root@serv01 ssh]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
[root@serv01 ssh]# man sshd_config
[root@larrywen /]# ssh hongyi@192.168.1.11
hongyi@192.168.1.11's password:
Last login: Tue Aug 6 19:40:50 2013 from 192.168.1.1
[hongyi@serv01 ~]$ exit
logout
Connection to 192.168.1.11 closed.
[root@larrywen /]# ssh up01@192.168.1.11
up01@192.168.1.11's password:
[up01@serv01 ~]$ exit
logout
Connection to 192.168.1.11 closed.
[root@larrywen /]# ssh zhink@192.168.1.11
zhink@192.168.1.11's password:
Permission denied, please try again.
zhink@192.168.1.11's password:
七、ssh等效性
#使用密钥认证登录其他机器,无需输入登录密码
#ssh等效性(即基于公钥的免密登录)
#生成密钥对:公钥和私钥
[root@larrywen /]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
86:49:93:08:44:01:03:85:5c:f8:2b:de:2b:08:c2:4f root@larrywen.host.com
The key's randomart image is:
+--[ RSA 2048]----+
|**Oo |
|.+ . . . |
| .. + |
| .. + |
|. . o S |
|oo E . |
|= = |
|.o o |
| ... |
+-----------------+
[root@larrywen /]# cd ~/.ssh/
[root@larrywen .ssh]# ls
id_rsa id_rsa.pub known_hosts
[root@larrywen .ssh]# ssh-copy-id -i id_rsa.pub 192.168.0.217
root@192.168.0.217's password:
Now try logging into the machine, with "ssh '192.168.0.217'", and check in:
.ssh/authorized_keys
[root@larrywen ssh]# ssh 192.168.0.217
Last login: Fri Aug 2 11:33:41 2013 from 192.168.0.10
[root@similar ~]#
to make sure we haven't added extra keys that you weren't expecting.
[root@larrywen .ssh]#
#若没有 ssh-copy-id 命令,安装 openssh-clients
yum install openssh-clients -y
#双向 SSH 等效性:两台机器互相交换公钥,互相都能免密登录
[root@serv01 .ssh]# ssh-keygen
[root@serv01 .ssh]# ssh-copy-id -i id_rsa.pub 192.168.1.12
The authenticity of host '192.168.1.12 (192.168.1.12)' can't be established.
RSA key fingerprint is 3e:bd:1e:76:c4:c7:b4:98:dc:95:fc:61:d7:a8:45:71.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.12' (RSA) to the list of known hosts.
root@192.168.1.12's password:
Now try logging into the machine, with "ssh '192.168.1.12'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[root@serv01 .ssh]# ssh 192.168.1.12
Last login: Tue Aug 6 22:10:09 2013 from 192.168.1.11
[root@serv02 ~]#
[root@serv02 .ssh]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
54:6b:99:8a:21:2c:28:0d:2f:89:2e:1a:b1:b3:ef:9e root@serv02.host.com
The key's randomart image is:
+--[ RSA 2048]----+
|. . |
|.* . . + |
|B + o . . = |
|o+ . . + o |
|=. . S |
|o+ |
|o |
| . . |
| oE |
+-----------------+
[root@serv02 .ssh]# ssh-copy-id -i id_rsa.pub 192.168.1.11
The authenticity of host '192.168.1.11 (192.168.1.11)' can't be established.
RSA key fingerprint is f5:82:df:5b:07:2a:4a:b2:91:75:86:76:12:49:54:24.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.11' (RSA) to the list of known hosts.
root@192.168.1.11's password:
Now try logging into the machine, with "ssh '192.168.1.11'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[root@serv02 .ssh]# ssh 192.168.1.11
Last login: Tue Aug 6 22:09:27 2013 from 192.168.1.12
[root@serv01 ~]#
#私钥文件若被其他机器(如 serv03)拿到,持有者同样可以免密登录,因此私钥必须妥善保管
#为私钥设置口令(passphrase)加密,私钥泄露后没有口令也无法直接使用
[root@serv01 /]# ssh-keygen
[root@serv01 .ssh]# ssh-copy-id -i id_rsa 192.168.1.13
[root@serv01 .ssh]# ssh-copy-id -i id_rsa 192.168.1.13
The authenticity of host '192.168.1.13 (192.168.1.13)' can't be established.
RSA key fingerprint is ac:ca:a2:ca:b4:27:b5:aa:5d:1a:eb:6e:5f:3c:2e:51.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.13' (RSA) to the list of known hosts.
root@192.168.1.13's password:
Now try logging into the machine, with "ssh '192.168.1.13'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[root@serv01 .ssh]# ssh 192.168.1.13
Last login: Tue Aug 6 21:47:04 2013 from 192.168.1.1
[root@serv03 ~]#
#带口令的私钥也可以免输口令:用 ssh-agent 在当前会话中缓存已解锁的私钥
#ssh-agent 缓存只在当前会话有效,重启后失效,需要重新 ssh-add
[root@serv01 .ssh]# ssh-agent $SHELL
[root@serv01 .ssh]# ssh-add
[root@serv01 .ssh]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
bd:5d:d4:1b:52:32:2f:a3:4e:60:d1:7a:1d:91:c2:4c root@serv01.host.com
The key's randomart image is:
+--[ RSA 2048]----+
| .=E +o. |
| .= o=. |
| o. o+oo.|
| .o...o+ o|
| S oo .. |
| oo . |
| ... |
| |
| |
+-----------------+
[root@serv01 .ssh]# ssh-copy-id -i id_rsa 192.168.1.12
The authenticity of host '192.168.1.12 (192.168.1.12)' can't be established.
RSA key fingerprint is 3e:bd:1e:76:c4:c7:b4:98:dc:95:fc:61:d7:a8:45:71.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.12' (RSA) to the list of known hosts.
root@192.168.1.12's password:
Now try logging into the machine, with "ssh '192.168.1.12'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[root@serv01 .ssh]# ssh 192.168.1.12
Enter passphrase for key '/root/.ssh/id_rsa':
Last login: Tue Aug 6 22:14:11 2013 from 192.168.1.11
[root@serv02 ~]# exit
logout
Connection to 192.168.1.12 closed.
[root@serv01 .ssh]# ssh-agent $SHELL
[root@serv01 .ssh]# ssh-add
Enter passphrase for /root/.ssh/id_rsa:
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
[root@serv01 .ssh]# ssh 192.168.1.12
Last login: Tue Aug 6 22:18:36 2013 from 192.168.1.11
八、xinetd和ssh结合使用
#守护进程分两类:
#1.独立守护进程:自己常驻并对外提供服务,占用单独的端口
#2.超级守护进程:本身只负责管理其他服务,按需启动它们,代表是 xinetd
#xinetd:本身不对外提供业务服务,只管理由它托管的服务
[root@serv01 .ssh]# yum install xinetd* -y
[root@serv01 .ssh]# chkconfig
auditd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
avahi-daemon 0:off 1:off 2:off 3:on 4:on 5:on 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
ip6tables 0:off 1:off 2:off 3:off 4:off 5:off 6:off
iptables 0:off 1:off 2:off 3:off 4:off 5:off 6:off
messagebus 0:off 1:off 2:on 3:on 4:on 5:on 6:off
netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off
netfs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
postfix 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rdisc 0:off 1:off 2:off 3:off 4:off 5:off 6:off
restorecond 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rhnsd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rhsmcertd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
rsyslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
saslauthd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
udev-post 0:off 1:on 2:on 3:on 4:on 5:on 6:off
xinetd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
xinetd based services:
chargen-dgram: off
chargen-stream: off
daytime-dgram: off
daytime-stream: off
discard-dgram: off
discard-stream: off
echo-dgram: off
echo-stream: off
tcpmux-server: off
time-dgram: off
time-stream: off
#使用频繁的服务(比如 apache)不适合交给 xinetd 管理,应作为独立守护进程运行
#使用较少的服务才适合交给 xinetd 管理,按需启动
#xinetd 的配置采用"主配置文件 + 包含目录"的方式(类似 yum 源、日志轮转的配置目录)
#配置文件
[root@serv01 etc]# ls /etc/xinetd.conf
/etc/xinetd.conf
[root@serv01 etc]# cd xinetd.d/
[root@serv01 xinetd.d]# ll
total 44
-rw-r--r--. 1 root root 1157 Feb 28 2011 chargen-dgram
-rw-r--r--. 1 root root 1159 Feb 28 2011 chargen-stream
-rw-r--r--. 1 root root 1157 Feb 28 2011 daytime-dgram
-rw-r--r--. 1 root root 1159 Feb 28 2011 daytime-stream
-rw-r--r--. 1 root root 1157 Feb 28 2011 discard-dgram
-rw-r--r--. 1 root root 1159 Feb 28 2011 discard-stream
-rw-r--r--. 1 root root 1148 Feb 28 2011 echo-dgram
-rw-r--r--. 1 root root 1150 Feb 28 2011 echo-stream
-rw-r--r--. 1 root root 1212 Feb 28 2011 tcpmux-server
-rw-r--r--. 1 root root 1149 Feb 28 2011 time-dgram
-rw-r--r--. 1 root root 1150 Feb 28 2011 time-stream
[root@serv01 xinetd.d]# man xinetd.conf
#stream:TCP
#dgram:UDP
#让xinetd服务管理sshd
[root@serv01 xinetd.d]# vim ssh
[root@serv01 xinetd.d]# cat ssh
service ssh
{
socket_type = stream
wait = no
nice = 10
user = root
server = /usr/sbin/sshd
disable = no
}
#查看服务,可以看到显示on
[root@serv01 xinetd.d]# chkconfig
xinetd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
xinetd based services:
chargen-dgram: off
chargen-stream: off
daytime-dgram: off
daytime-stream: off
discard-dgram: off
discard-stream: off
echo-dgram: off
echo-stream: off
ssh: on
tcpmux-server: off
time-dgram: off
time-stream: off
#禁止,查看服务,可以看到显示off
[root@serv01 xinetd.d]# vim ssh
[root@serv01 xinetd.d]# cat ssh
service ssh
{
socket_type = stream
wait = no
nice = 10
user = root
server = /usr/sbin/sshd
disable = yes
}
[root@serv01 xinetd.d]# chkconfig
xinetd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
xinetd based services:
chargen-dgram: off
chargen-stream: off
daytime-dgram: off
daytime-stream: off
discard-dgram: off
discard-stream: off
echo-dgram: off
echo-stream: off
ssh: off
tcpmux-server: off
time-dgram: off
time-stream: off
#关闭独立运行的 sshd 服务,否则它会继续占用 22 端口
[root@serv01 xinetd.d]# /etc/init.d/sshd stop
Stopping sshd: [ OK ]
#重启 xinetd 服务
[root@serv01 xinetd.d]# /etc/init.d/xinetd restart
Stopping xinetd: [FAILED]
Starting xinetd: [ OK ]
#查看网络状态,发现 xinetd 并没有监听 22 端口(上面的 ssh 配置已被禁用)
[root@serv01 xinetd.d]# netstat -langput
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1144/master
tcp 0 0 192.168.1.11:22 192.168.1.1:37741 ESTABLISHED 1377/0
tcp 0 0 ::1:25 :::* LISTEN 1144/master
udp 0 0 0.0.0.0:5353 0.0.0.0:* 1034/avahi-daemon:
udp 0 0 0.0.0.0:54455 0.0.0.0:* 1034/avahi-daemon:
IPv6/IPv4 Group Memberships
Interface RefCnt Group
--------------- ---------------------------
lo 1 224.0.0.1
eth1 1 224.0.0.251
eth1 1 224.0.0.1
eth0 1 224.0.0.251
eth0 1 224.0.0.1
lo 1 ff02::1
eth1 1 ff02::1:ff07:dd45
eth1 1 ff02::1
eth0 1 ff02::1:ff07:dd3b
eth0 1 ff02::1
#此时远程连接失败
[root@larrywen .ssh]# ssh 192.168.1.11
ssh: connect to host 192.168.1.11 port 22: Connection refused
#再次编辑,启用该服务并加上 server_args = -i(sshd 的 -i 参数表示由 inetd/xinetd 启动,通过标准输入输出处理单个连接)
#可以通过 man xinetd.conf 查看 server_args 的说明
[root@serv01 xinetd.d]# man xinetd.conf
server_args
[root@serv01 xinetd.d]# vim ssh
[root@serv01 xinetd.d]# cat ssh
service ssh
{
socket_type = stream
wait = no
nice = 10
user = root
server = /usr/sbin/sshd
disable = no
server_args = -i
}
#重启 xinetd 服务
[root@serv01 xinetd.d]# /etc/init.d/xinetd restart
Stopping xinetd: [ OK ]
Starting xinetd: [ OK ]
#再次查看,发现 xinetd 已在 22 端口监听
[root@serv01 xinetd.d]# netstat -langput
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1144/master
tcp 0 0 192.168.1.11:22 192.168.1.1:37741 ESTABLISHED 1377/0
tcp 0 0 :::22 :::* LISTEN 2410/xinetd
tcp 0 0 ::1:25 :::* LISTEN 1144/master
udp 0 0 0.0.0.0:5353 0.0.0.0:* 1034/avahi-daemon:
udp 0 0 0.0.0.0:54455 0.0.0.0:* 1034/avahi-daemon:
IPv6/IPv4 Group Memberships
Interface RefCnt Group
--------------- ---------------------------
lo 1 224.0.0.1
eth1 1 224.0.0.251
eth1 1 224.0.0.1
eth0 1 224.0.0.251
eth0 1 224.0.0.1
lo 1 ff02::1
eth1 1 ff02::1:ff07:dd45
eth1 1 ff02::1
eth0 1 ff02::1:ff07:dd3b
eth0 1 ff02::1
#远程连接成功(由于服务端之前重新生成过主机密钥,客户端会再次被要求确认指纹)
[root@larrywen .ssh]# ssh 192.168.1.11
The authenticity of host '192.168.1.11 (192.168.1.11)' can't be established.
RSA key fingerprint is f5:82:df:5b:07:2a:4a:b2:91:75:86:76:12:49:54:24.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.11' (RSA) to the list of known hosts.
root@192.168.1.11's password:
Last login: Tue Aug 6 22:15:35 2013 from 192.168.1.12
[root@serv01 ~]#
#再次查看,可以看到由 xinetd 托管的新连接已经建立
[root@serv01 xinetd.d]# netstat -langput
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1144/master
tcp 0 0 192.168.1.11:22 192.168.1.1:37741 ESTABLISHED 1377/0
tcp 0 0 192.168.1.11:22 192.168.1.1:52605 ESTABLISHED 2413/1
tcp 0 0 :::22 :::* LISTEN 2410/xinetd
tcp 0 0 ::1:25 :::* LISTEN 1144/master
udp 0 0 0.0.0.0:5353 0.0.0.0:* 1034/avahi-daemon:
udp 0 0 0.0.0.0:54455 0.0.0.0:* 1034/avahi-daemon:
IPv6/IPv4 Group Memberships
Interface RefCnt Group
--------------- ---------------------------
lo 1 224.0.0.1
eth1 1 224.0.0.251
eth1 1 224.0.0.1
eth0 1 224.0.0.251
eth0 1 224.0.0.1
lo 1 ff02::1
eth1 1 ff02::1:ff07:dd45
eth1 1 ff02::1
eth0 1 ff02::1:ff07:dd3b
eth0 1 ff02::1
#查看 sshd 命令的位置(init 脚本中 SSHD 变量指向的路径,即上面 server = 所填的值)
[root@serv01 xinetd.d]# grep "SSHD" /etc/init.d/sshd -n
41:SSHD=/usr/sbin/sshd