Contents
- Using yum
- 1. yum configuration files
- 2. Managing yum repositories
- Local repository
- Network repository
- 3. Managing software with yum
- list
- clean
- repolist
- install
- update
- downgrade
- remove
- info
- provides
- history
- deplist
- grouplist
- groupinstall
- openssh
- The sshd service
- Secure Shell examples
- SSH host keys
- Configuring passwordless (key-based) login
- SSH security notes
Using yum
1. yum configuration files
Path of the yum repo configuration files
[root@LC ~]# cd /etc/yum.repos.d/
[root@LC yum.repos.d]# pwd
/etc/yum.repos.d
[root@LC yum.repos.d]#
# yum repo files must end in .repo, otherwise they are not read
[root@LC yum.repos.d]# ls
lcc.repo lc.repo redhat.repo
[root@LC yum.repos.d]#
yum's main configuration file
/etc/yum.conf
[root@LC ~]# cat /etc/yum.conf
[main]
gpgcheck=1
installonly_limit=3
clean_requirements_on_remove=True
best=True
skip_if_unavailable=False
[root@LC ~]#
The main configuration file accepts many parameters (this longer list comes from classic yum; on RHEL 9 the yum command is dnf, so check dnf.conf(5) before relying on a key from it)
vim /etc/yum.conf
cachedir=/var/cache/yum/$basearch/$releasever //cache directory
keepcache=0 //keep downloaded packages in the cache: 1 on, 0 off
debuglevel=2 //debug level
logfile=/var/log/yum.log //log file location
exactarch=1 //only install packages whose architecture matches exactly
obsoletes=1 //handle obsoleted packages during updates
gpgcheck=1 //verify package signatures; requires the signer's public key (see gpgkey in the repo file)
plugins=1 //enable plugins
tolerant={1|0} //error tolerance, 1 on, 0 off; with 0, asking yum to install several packages of which one is already installed is an error; with 1, packages that are already installed are skipped
installonly_limit=5 //how many versions of install-only packages (kernels) to keep
bugtracker_url
# metadata_expire=90m //re-check repository metadata after 90 minutes
# in /etc/yum.repos.d //repo definitions go in separate files under /etc/yum.repos.d
Contents of a yum repo configuration file
(a local repository that has already been set up)
[root@LC yum.repos.d]# cat lc.repo
[BaseOS]
name=BaseOS
baseurl=file:///mnt/BaseOS
enabled=1
gpgcheck=0
[AppStream]
name=AppStream
baseurl=file:///mnt/AppStream
enabled=1
gpgcheck=0
[root@LC yum.repos.d]#
[Repo_Name]: repo id; it must be unique across all .repo files (a duplicate id produces the "listed more than once" warning seen further down)
name: description (free text)
baseurl: path to the repository; the following schemes are accepted
ftp://
http:// (and https://, which is what a network repository should use)
file:///
enabled: {1|0}, 1 enables the repository, 0 disables it
gpgcheck: {1|0}, 1 verifies the GPG signature of every package before it is installed, 0 installs whatever the repository serves
With gpgcheck=1 the signing key must be available: either already imported into the rpm database, or pointed to with gpgkey (a local file or a URL to the vendor's public key)
gpgkey=/PATH/TO/KEY
gpgcheck=0 on a network repository means that whoever controls the mirror, or the network path to it, controls what gets installed as root; it is tolerable for a read-only local ISO, not for anything fetched over the network.
2. Managing yum repositories
Define a repo file according to your needs; the packages can come from a locally mounted image or from a network mirror
Official upstream repositories (outside China)
Aliyun (Alibaba Cloud) mirror
163 (NetEase) mirror
university mirrors
EPEL
Local repository
Setting up a local repository:
1. First make sure the installation ISO is attached to the virtual machine's optical drive
(or find the small disc icon in the lower-right corner of the VM window, right-click it and choose Connect; if it already shows as connected there is nothing to do)
2. Mount the disc
Temporary mount
[root@LC ~]# mount /dev/sr0 /mnt/
mount: /mnt: WARNING: source write-protected, mounted read-only.
[root@LC ~]# df -Th
Filesystem Type Size Used Avail Use% Mounted on
devtmpfs devtmpfs 4.0M 0 4.0M 0% /dev
tmpfs tmpfs 972M 0 972M 0% /dev/shm
tmpfs tmpfs 389M 11M 379M 3% /run
/dev/mapper/rhel-root xfs 17G 1.4G 16G 9% /
/dev/sda1 xfs 1014M 236M 779M 24% /boot
tmpfs tmpfs 195M 0 195M 0% /run/user/0
/dev/sr0 iso9660 9.0G 9.0G 0 100% /mnt //the mount shows up here
[root@LC ~]#
Permanent mount (via /etc/fstab)
[root@LC ~]# mount /dev/sr0 /mnt/
mount: /mnt: /dev/sr0 already mounted on /mnt.
[root@LC ~]# vim /etc/fstab
[root@LC ~]# cat /etc/fstab
#
# /etc/fstab
# Created by anaconda on Mon Jun 26 09:53:32 2023
#
# Accessible filesystems, by reference, are maintained under '/dev/disk/'.
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info.
#
# After editing this file, run 'systemctl daemon-reload' to update systemd
# units generated from this file.
#
/dev/mapper/rhel-root / xfs defaults 0 0
UUID=b1821db2-a464-452f-b583-aef06d6d8b38 /boot xfs defaults 0 0
/dev/mapper/rhel-swap none swap defaults 0 0
/dev/sr0 /mnt iso9660 defaults 0 0 //line added by hand; consider adding the nofail option so that a detached disc does not drop the next boot into emergency mode, and verify the entry with mount -a before rebooting
[root@LC ~]#
3. Go to the repo configuration directory and write a file with a .repo suffix
[root@LC ~]# cd /etc/yum.repos.d/
[root@LC yum.repos.d]# vim lc.repo
[root@LC yum.repos.d]# cat lc.repo
[BaseOS]
name=BaseOS
baseurl=file:///mnt/BaseOS
enabled=1
gpgcheck=0
[AppStream]
name=AppStream
baseurl=file:///mnt/AppStream
enabled=1
gpgcheck=0
[root@LC yum.repos.d]#
4. Clear the cache (the two "listed more than once" warnings below appear because another file in the directory, lcc.repo from the ls output above, defines the same repo ids BaseOS and AppStream)
[root@LC ~]# yum clean all
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered with an entitlement server. You can use subscription-manager to register.
Repository BaseOS is listed more than once in the configuration
Repository AppStream is listed more than once in the configuration
13 files removed
[root@LC ~]#
5. Check that the local repository is usable
[root@LC yum.repos.d]# yum list all
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered with an entitlement server. You can use subscription-manager to register.
BaseOS 228 MB/s | 1.7 MB 00:00
AppStream 341 MB/s | 6.3 MB 00:00
Installed Packages
NetworkManager.x86_64 1:1.42.2-1.el9 @anaconda
NetworkManager-initscripts-updown.noarch 1:1.42.2-3.el9_2 @BaseOS
NetworkManager-libnm.x86_64 1:1.42.2-1.el9 @anaconda
NetworkManager-team.x86_64 1:1.42.2-1.el9 @anaconda
NetworkManager-tui.x86_64 1:1.42.2-1.el9 @anaconda
acl.x86_64 2.3.1-3.el9 @anaconda
alternatives.x86_64 1.20-2.el9 @anaconda
audit.x86_64 3.0.7-103.el9 @anaconda
audit-libs.x86_64 3.0.7-103.el9 @anaconda
(omitted)
Network repository
Setting up a network repository is just as simple: the link after baseurl is replaced with a link into a mirror site
You still have to find the link for the distribution, release and architecture you need
Note: a local and a network repository can be enabled at the same time, but every repo id must be unique; the lc.repo and lcc.repo on this page both define [BaseOS] and [AppStream], which is what produces the "listed more than once" warning. Also, the mirror below serves CentOS Stream 9, which runs ahead of RHEL 9; pulling its packages into a RHEL host with gpgcheck=0 is a lab shortcut, not something to do on a production system
Tsinghua University open-source mirror
Aliyun mirror
Configuring a network repository
1. Find the link you need and copy it
2. Write a repo configuration file
with the link after baseurl
[root@LC yum.repos.d]# vim lcc.repo
[root@LC yum.repos.d]# cat lcc.repo
[BaseOS]
name=BaseOS
baseurl=https://mirror.tuna.tsinghua.edu.cn/centos-stream/9-stream/BaseOS/x86_64/os/
gpgcheck=0
enabled=1
[AppStream]
name=AppStream
baseurl=https://mirror.tuna.tsinghua.edu.cn/centos-stream/9-stream/AppStream/x86_64/os/
gpgcheck=0
enabled=1
[root@LC yum.repos.d]#
3. Clear the cache
[root@LC ~]# yum clean all
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered with an entitlement server. You can use subscription-manager to register.
13 files removed
[root@LC ~]#
4. List the packages
[root@LC ~]# yum list all
(omitted)
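The repo-file fields explained above, and the duplicate-id warning that the local and network files on this page trigger together, can be checked mechanically. The script below is an added example, not code from the original page: it audits every .repo file in a directory and reports duplicate repo ids, gpgcheck=0, gpgcheck=1 without a gpgkey, and cleartext http:// or ftp:// baseurls. The sample files it builds are constructed: the two files from this page plus a hardened variant whose key path (RPM-GPG-KEY-redhat-release in the root of the RHEL ISO) is an assumption, and a second section with deliberate mistakes.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: audit every .repo file in a
# directory for the problems discussed above.
#   DUPLICATE  the same repo id in more than one file (yum then warns
#              "Repository X is listed more than once in the configuration")
#   WEAK       gpgcheck=0, gpgcheck=1 without gpgkey, or a cleartext baseurl
set -eu

# audit_repos DIR: print one finding per line; prints nothing when clean.
audit_repos() {
    local dir=$1 f id
    # Pass 1: repo ids must be unique across all files; file names do not matter to yum.
    grep -h '^\[' "$dir"/*.repo | sort | uniq -d | while read -r id; do
        printf 'DUPLICATE %s: same repo id in more than one file\n' "$id"
    done
    # Pass 2: per-section checks inside each file.
    for f in "$dir"/*.repo; do
        awk -v file="$(basename "$f")" '
        function flush() {
            if (id == "") return
            if (gpgcheck == "0")
                printf "WEAK %s [%s]: gpgcheck=0, package signatures are never verified\n", file, id
            if (gpgcheck == "1" && gpgkey == "")
                printf "WEAK %s [%s]: gpgcheck=1 but no gpgkey, verification only works if the key is already imported (rpm -q gpg-pubkey)\n", file, id
            if (baseurl ~ /^(http|ftp):\/\//)
                printf "WEAK %s [%s]: cleartext baseurl %s, metadata and packages can be altered in transit\n", file, id, baseurl
        }
        /^\[.*\]$/ { flush(); id = substr($0, 2, length($0) - 2); gpgcheck = ""; gpgkey = ""; baseurl = ""; next }
        /^[ \t]*(#|$)/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); sub(/[ \t]+$/, "", key)
            val = substr($0, eq + 1);    sub(/^[ \t]+/, "", val)
            if (key == "gpgcheck") gpgcheck = val
            else if (key == "gpgkey") gpgkey = val
            else if (key == "baseurl") baseurl = val
        }
        END { flush() }' "$f"
    done
}

# Constructed sample: the two files from this page plus a hardened variant.
make_sample_repos() {
    local d; d=$(mktemp -d)
    cat > "$d/lc.repo" <<'EOF'
[BaseOS]
name=BaseOS
baseurl=file:///mnt/BaseOS
enabled=1
gpgcheck=0
[AppStream]
name=AppStream
baseurl=file:///mnt/AppStream
enabled=1
gpgcheck=0
EOF
    cat > "$d/lcc.repo" <<'EOF'
[BaseOS]
name=BaseOS
baseurl=https://mirror.tuna.tsinghua.edu.cn/centos-stream/9-stream/BaseOS/x86_64/os/
gpgcheck=0
enabled=1
[AppStream]
name=AppStream
baseurl=https://mirror.tuna.tsinghua.edu.cn/centos-stream/9-stream/AppStream/x86_64/os/
gpgcheck=0
enabled=1
EOF
    # Hardened form of the ISO repo: unique id, signatures enforced. The key path
    # is an assumption: RPM-GPG-KEY-redhat-release sits in the root of the RHEL
    # ISO (and under /etc/pki/rpm-gpg/ on an installed system).
    # [Extra-mirror] is constructed with two mistakes so the audit has something to report.
    cat > "$d/hardened.repo" <<'EOF'
[BaseOS-iso]
name=BaseOS from the mounted ISO, signatures verified
baseurl=file:///mnt/BaseOS
enabled=1
gpgcheck=1
gpgkey=file:///mnt/RPM-GPG-KEY-redhat-release
[Extra-mirror]
name=constructed mirror: cleartext URL and no key to verify with
baseurl=http://mirror.example.invalid/extra/x86_64/os/
enabled=1
gpgcheck=1
EOF
    printf '%s\n' "$d"
}

# On a real host: audit_repos /etc/yum.repos.d
audit_repos "$(make_sample_repos)"
```

Against the sample this prints two DUPLICATE lines (BaseOS and AppStream), four gpgcheck=0 findings for the page's own files, and two for the constructed [Extra-mirror] section; the [BaseOS-iso] section is the shape a local ISO repo should take.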
3. Managing software with yum
Syntax: yum [options] [command] [package ...]
--nogpgcheck //skip GPG signature verification for this run; this removes the only integrity check on what is about to be installed as root, so use it only for a package you have verified by other means
-y //answer "yes" to every prompt
-q //quiet mode, print nothing to standard output during installation
--disablerepo=repoidglob //temporarily disable the repositories matching this id
--enablerepo=repoidglob //temporarily enable the repositories matching this id
--noplugins //disable all plugins
Common commands
list //list packages
all //default
available //packages in the repositories that are not installed yet
installed //installed packages
updates //available upgrades
clean //clear the cache
packages
headers
metadata
dbcache
all
repolist //show the repositories and brief information about them
all
enabled //default
disabled
install //install
yum install packages [...]
update //upgrade
yum update packages [...]
update-to //upgrade to a given version (classic yum; with the dnf-based yum on RHEL 9 put the version in the package spec instead: yum update which-2.21-29.el9)
downgrade package1 [package2 ...] //downgrade
remove|erase //uninstall
info //show the same information as rpm -qi package
yum info packages
provides|whatprovides //find which package provides a given file or capability
search string1 [string2 ...] //search package names and summaries for the keyword
deplist package [package2 ...] //show the dependencies of the package
history //show yum's transaction history
localinstall //install a local rpm file, resolving its dependencies from the repositories (on RHEL 9, yum install ./file.rpm does the same)
grouplist //list available package groups
groupinstall "group name" //install a package group
createrepo //generates the repodata (metadata) for a directory of rpm files, turning it into a yum repository
list
list //list packages
all //default
available //packages in the repositories that are not installed yet
installed //installed packages
updates //available upgrades
Example:
[root@LC ~]# yum list all
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered with an entitlement server. You can use subscription-manager to register.
BaseOS 741 kB/s | 6.2 MB 00:08
AppStream 1.1 MB/s | 17 MB 00:16
Last metadata expiration check: 0:00:01 ago on Tue 04 Jul 2023 10:53:02 AM CST.
Installed Packages
NetworkManager.x86_64 1:1.42.2-1.el9 @anaconda
NetworkManager-initscripts-updown.noarch 1:1.42.2-3.el9_2 @BaseOS
NetworkManager-libnm.x86_64 1:1.42.2-1.el9 @anaconda
NetworkManager-team.x86_64 1:1.42.2-1.el9 @anaconda
NetworkManager-tui.x86_64 1:1.42.2-1.el9 @anaconda
acl.x86_64 2.3.1-3.el9 @anaconda
alternatives.x86_64 1.20-2.el9 @anaconda
(omitted)
clean
clean //clear the cache
packages
headers
metadata
dbcache
all
Example:
Clear all caches: yum clean all
[root@LC ~]# yum clean all
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered with an entitlement server. You can use subscription-manager to register.
13 files removed
Remove cached packages: yum clean packages
[root@LC ~]# yum clean packages
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered with an entitlement server. You can use subscription-manager to register.
0 files removed
(omitted)
repolist
repolist //show the repositories and brief information about them
all
enabled //默认项
disabled
Example:
[root@LC ~]# yum repolist
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered with an entitlement server. You can use subscription-manager to register.
repo id repo name
AppStream AppStream
BaseOS BaseOS
[root@LC ~]#
[root@LC ~]# yum repolist all
The status column at the end of each line shows whether the repository is enabled
- enabled means the repository is in use
- disabled means it is not
List the enabled repositories
[root@LC yum.repos.d]# yum repolist enabled
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered with an entitlement server. You can use subscription-manager to register.
repo id repo name
AppStream AppStream
[root@LC yum.repos.d]#
List the disabled repositories
[root@LC yum.repos.d]# yum repolist disabled
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered with an entitlement server. You can use subscription-manager to register.
repo id repo name
BaseOS BaseOS
[root@LC yum.repos.d]#
install
//install
yum install packages [...]
-y confirm the installation automatically
-q quiet installation (no progress output)
[root@LC ~]# yum -y install vim
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered with an entitlement server. You can use subscription-manager to register.
BaseOS 14 kB/s | 3.9 kB 00:00
AppStream 11 kB/s | 4.4 kB 00:00
Dependencies resolved.
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
vim-enhanced x86_64 2:8.2.2637-20.el9 AppStream 1.8 M
Installing dependencies:
gpm-libs x86_64 1.20.7-29.el9 AppStream 21 k
vim-common x86_64 2:8.2.2637-20.el9 AppStream 7.0 M
vim-filesystem noarch 2:8.2.2637-20.el9 BaseOS 18 k
Transaction Summary
================================================================================
Install 4 Packages
Total download size: 8.8 M
Installed size: 34 M
Downloading Packages:
(1/4): vim-filesystem-8.2.2637-20.el9.noarch.rp 40 kB/s | 18 kB 00:00
(2/4): gpm-libs-1.20.7-29.el9.x86_64.rpm 45 kB/s | 21 kB 00:00
(3/4): vim-enhanced-8.2.2637-20.el9.x86_64.rpm 1.8 MB/s | 1.8 MB 00:00
(4/4): vim-common-8.2.2637-20.el9.x86_64.rpm 2.7 MB/s | 7.0 MB 00:02
--------------------------------------------------------------------------------
Total 3.3 MB/s | 8.8 MB 00:02
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : gpm-libs-1.20.7-29.el9.x86_64 1/4
Installing : vim-filesystem-2:8.2.2637-20.el9.noarch 2/4
Installing : vim-common-2:8.2.2637-20.el9.x86_64 3/4
Installing : vim-enhanced-2:8.2.2637-20.el9.x86_64 4/4
Running scriptlet: vim-enhanced-2:8.2.2637-20.el9.x86_64 4/4
Verifying : vim-filesystem-2:8.2.2637-20.el9.noarch 1/4
Verifying : gpm-libs-1.20.7-29.el9.x86_64 2/4
Verifying : vim-common-2:8.2.2637-20.el9.x86_64 3/4
Verifying : vim-enhanced-2:8.2.2637-20.el9.x86_64 4/4
Installed products updated.
Installed:
gpm-libs-1.20.7-29.el9.x86_64 vim-common-2:8.2.2637-20.el9.x86_64
vim-enhanced-2:8.2.2637-20.el9.x86_64 vim-filesystem-2:8.2.2637-20.el9.noarch
Complete!
[root@LC ~]#
update
update //upgrade
yum update packages [...]
update-to //upgrade to a given version (classic yum; on RHEL 9 give the version in the package spec: yum update which-2.21-29.el9)
Demonstration:
[root@LC ~]# rpm -qa | grep which
which-2.21-28.el9.x86_64 //release 28 is installed
[root@LC ~]# yum list updates | grep which
which.x86_64 2.21-29.el9 BaseOS //a newer release, 29, is available
[root@LC ~]#
//upgrade
[root@LC ~]# yum -y update which.x86_64
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered with an entitlement server. You can use subscription-manager to register.
Last metadata expiration check: 0:12:39 ago on Tue 04 Jul 2023 11:11:30 AM CST.
Dependencies resolved.
================================================================================
Package Architecture Version Repository Size
================================================================================
Upgrading:
which x86_64 2.21-29.el9 BaseOS 41 k
Transaction Summary
================================================================================
Upgrade 1 Package
Total download size: 41 k
Downloading Packages:
which-2.21-29.el9.x86_64.rpm 72 kB/s | 41 kB 00:00
--------------------------------------------------------------------------------
Total 72 kB/s | 41 kB 00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Upgrading : which-2.21-29.el9.x86_64 1/2
Cleanup : which-2.21-28.el9.x86_64 2/2
Running scriptlet: which-2.21-28.el9.x86_64 2/2
Verifying : which-2.21-29.el9.x86_64 1/2
Verifying : which-2.21-28.el9.x86_64 2/2
Installed products updated.
Upgraded:
which-2.21-29.el9.x86_64
Complete!
[root@LC ~]# rpm -qa | grep which
which-2.21-29.el9.x86_64 //now at release 29
[root@LC ~]#
downgrade
downgrade package1 [package2 ...] //downgrade to the previous version available in the repositories
remove
//uninstall
-y confirm automatically
-q quiet (no progress output)
[root@LC ~]# yum -y remove vim
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered with an entitlement server. You can use subscription-manager to register.
Dependencies resolved.
================================================================================
Package Arch Version Repository Size
================================================================================
Removing:
vim-enhanced x86_64 2:8.2.2637-20.el9 @AppStream 3.8 M
Removing unused dependencies:
gpm-libs x86_64 1.20.7-29.el9 @AppStream 28 k
vim-common x86_64 2:8.2.2637-20.el9 @AppStream 30 M
vim-filesystem noarch 2:8.2.2637-20.el9 @BaseOS 40
Transaction Summary
================================================================================
Remove 4 Packages
Freed space: 34 M
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Erasing : vim-enhanced-2:8.2.2637-20.el9.x86_64 1/4
Erasing : vim-common-2:8.2.2637-20.el9.x86_64 2/4
Erasing : vim-filesystem-2:8.2.2637-20.el9.noarch 3/4
Erasing : gpm-libs-1.20.7-29.el9.x86_64 4/4
Running scriptlet: gpm-libs-1.20.7-29.el9.x86_64 4/4
Verifying : gpm-libs-1.20.7-29.el9.x86_64 1/4
Verifying : vim-common-2:8.2.2637-20.el9.x86_64 2/4
Verifying : vim-enhanced-2:8.2.2637-20.el9.x86_64 3/4
Verifying : vim-filesystem-2:8.2.2637-20.el9.noarch 4/4
Installed products updated.
Removed:
gpm-libs-1.20.7-29.el9.x86_64 vim-common-2:8.2.2637-20.el9.x86_64
vim-enhanced-2:8.2.2637-20.el9.x86_64 vim-filesystem-2:8.2.2637-20.el9.noarch
Complete!
info
Shows the same information as rpm -qi
[root@LC ~]# yum info which.x86_64
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered with an entitlement server. You can use subscription-manager to register.
Last metadata expiration check: 0:24:35 ago on Tue 04 Jul 2023 11:11:30 AM CST.
Installed Packages
Name : which
Version : 2.21
Release : 29.el9
Architecture : x86_64
Size : 80 k
Source : which-2.21-29.el9.src.rpm
Repository : @System
From repo : BaseOS
Summary : Displays where a particular program in your path is located
URL : https://savannah.gnu.org/projects/which/
License : GPLv3
Description : The which command shows the full pathname of a specified program,
: if the specified program is in your PATH.
[root@LC ~]#
provides
//find which package provides a given file or capability
[root@LC ~]# yum provides /usr/bin/ls
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered with an entitlement server. You can use subscription-manager to register.
Last metadata expiration check: 0:55:28 ago on Tue 04 Jul 2023 11:11:30 AM CST.
coreutils-8.32-31.el9.x86_64 : A set of basic GNU tools commonly used in shell
: scripts
Repo : BaseOS
Matched from:
Filename : /usr/bin/ls
coreutils-8.32-32.el9.x86_64 : A set of basic GNU tools commonly used in shell
: scripts
Repo : BaseOS
Matched from:
Filename : /usr/bin/ls
(省略)
[root@LC ~]# yum provides /etc/passwd
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered with an entitlement server. You can use subscription-manager to register.
Last metadata expiration check: 0:56:23 ago on Tue 04 Jul 2023 11:11:30 AM CST.
setup-2.13.7-6.el9.noarch : A set of system configuration and setup files
Repo : BaseOS
Matched from:
Filename : /etc/passwd
setup-2.13.7-7.el9.noarch : A set of system configuration and setup files
Repo : BaseOS
Matched from:
Filename : /etc/passwd
setup-2.13.7-8.el9.noarch : A set of system configuration and setup files
Repo : BaseOS
Matched from:
Filename : /etc/passwd
setup-2.13.7-9.el9.noarch : A set of system configuration and setup files
Repo : @System
Matched from:
Filename : /etc/passwd
setup-2.13.7-9.el9.noarch : A set of system configuration and setup files
Repo : BaseOS
Matched from:
Filename : /etc/passwd
[root@LC ~]#
history
//show yum's transaction history; it records what was installed, upgraded or removed and when, which is worth consulting during an incident (yum history info ID lists the packages of one transaction)
[root@LC ~]# yum history
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered with an entitlement server. You can use subscription-manager to register.
ID | Command line | Date and time | Action(s) | Altered
-------------------------------------------------------------------------------
26 | -y install vim | 2023-07-04 11:34 | Install | 4
25 | -y remove vim | 2023-07-04 11:34 | Removed | 4
24 | -y update which.x86_64 | 2023-07-04 11:24 | Upgrade | 1
23 | -y -q remove wget.x86_64 | 2023-07-04 11:15 | Removed | 1
22 | -y install vim | 2023-07-04 11:11 | Install | 4
21 | -y remove vim | 2023-07-04 11:10 | Removed | 4
20 | update -y kmod-kvdo | 2023-07-04 09:35 | I, U | 4
19 | -y install wget | 2023-07-03 14:05 | Install | 1
18 | -y install bind-utils.x8 | 2023-07-03 09:00 | Install | 7
17 | -y install NetworkManage | 2023-06-30 16:00 | Install | 1
16 | -y install net-tools | 2023-06-30 15:49 | Install | 1
15 | -y install bash-completi | 2023-06-30 14:41 | Install | 5
14 | -y install biosdevname | 2023-06-30 14:11 | Install | 1
13 | -y remove biosdevname | 2023-06-30 14:11 | Removed | 1
12 | -y install biosdevname | 2023-06-30 14:10 | Install | 1
11 | remove nano | 2023-06-30 08:51 | Removed | 1
10 | -y install nano | 2023-06-30 08:50 | Install | 1
9 | -y install bzip2 | 2023-06-28 14:22 | Install | 1
8 | -y install vdo kmod-kvdo | 2023-06-27 15:11 | Install | 2
7 | -y install tree | 2023-06-27 15:02 | Install | 1
6 | remove tree | 2023-06-27 15:01 | Removed | 1
5 | -y install vim | 2023-06-27 15:00 | Install | 4
4 | remove vim | 2023-06-27 15:00 | Removed | 4
3 | -y install tree | 2023-06-27 14:18 | Install | 1
2 | -y install vim | 2023-06-27 10:01 | Install | 4
1 | | 2023-06-26 17:53 | Install | 383 EE
[root@LC ~]#
deplist
//show the dependencies of the given package and which packages provide them
[root@LC ~]# yum deplist which
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered with an entitlement server. You can use subscription-manager to register.
Last metadata expiration check: 1:00:06 ago on Tue 04 Jul 2023 11:11:30 AM CST.
package: which-2.21-27.el9.x86_64
dependency: libc.so.6(GLIBC_2.34)(64bit)
provider: glibc-2.34-68.el9.x86_64
dependency: rtld(GNU_HASH)
provider: glibc-2.34-68.el9.i686
provider: glibc-2.34-68.el9.x86_64
package: which-2.21-28.el9.x86_64
dependency: libc.so.6(GLIBC_2.34)(64bit)
provider: glibc-2.34-68.el9.x86_64
dependency: rtld(GNU_HASH)
provider: glibc-2.34-68.el9.i686
provider: glibc-2.34-68.el9.x86_64
package: which-2.21-29.el9.x86_64
dependency: libc.so.6(GLIBC_2.34)(64bit)
provider: glibc-2.34-68.el9.x86_64
dependency: rtld(GNU_HASH)
provider: glibc-2.34-68.el9.i686
provider: glibc-2.34-68.el9.x86_64
[root@LC ~]#
grouplist
//list available package groups
[root@LC ~]# yum grouplist
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered with an entitlement server. You can use subscription-manager to register.
Last metadata expiration check: 1:01:35 ago on Tue 04 Jul 2023 11:11:30 AM CST.
Available Environment Groups:
Server with GUI
Server
Workstation
Custom Operating System
Virtualization Host
Installed Environment Groups:
Minimal Install
Available Groups:
Legacy UNIX Compatibility
Console Internet Tools
Container Management
Development Tools
.NET Development
Graphical Administration Tools
Headless Management
Network Servers
RPM Development Tools
Scientific Support
Security Tools
Smart Card Support
System Tools
[root@LC ~]#
groupinstall
Installs every package in a group; the name must be one of those shown by grouplist, quoted when it contains spaces
[root@LC ~]# yum -y groupinstall "Development Tools"
(omitted)
openssh
Common remote-login tools:
telnet
ssh
dropbear
telnet //remote login protocol, 23/TCP
authentication in cleartext
data transfer in cleartext
ssh //Secure SHell, application-layer protocol, 22/TCP
the whole session, including authentication, is encrypted, and the server authenticates itself to the client (host authentication)
user authentication is encrypted
data transfer is encrypted
dropbear //lightweight SSH server and client for embedded systems
The sshd service
Server side //sshd, configured in /etc/ssh/sshd_config
Client side //ssh, configured in /etc/ssh/ssh_config
ssh-keygen //key generator
ssh-copy-id //installs a public key on a remote server
scp //secure copy between hosts
Service status
[root@LC ~]# systemctl status sshd
It is enabled by default; if it is not running, no ssh connection to the host is possible
Service configuration files
1. Server-side configuration file
[root@LC ~]# cat /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
# To modify the system-wide sshd configuration, create a *.conf file under
# /etc/ssh/sshd_config.d/ which will be automatically included below
Include /etc/ssh/sshd_config.d/*.conf
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
(omitted)
2. Client-side configuration file
[root@LC ~]# cat /etc/ssh/ssh_config
# $OpenBSD: ssh_config,v 1.35 2020/07/17 03:43:42 dtucker Exp $
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
# Host *
# ForwardAgent no
# ForwardX11 no
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
(omitted)
Secure Shell examples
//open an interactive shell on the remote host as the current user, then return to the previous shell with exit when done
[root@LC ~]# ssh 192.168.179.133 //no user given, so ssh uses the local username (root here because we are root on LC); it is not "root by default"
root@192.168.179.133's password:
Register this system with Red Hat Insights: insights-client --register
Create an account or view all your systems at https://red.ht/insights-dashboard
Last login: Tue Jul 4 16:26:32 2023 from 192.168.179.1
[root@lc9-2 ~]#
On the first connection to a host, the remote host sends its public host key; ssh shows the key's fingerprint and asks whether to continue, and on "yes" stores the key in ~/.ssh/known_hosts on the local host (host authentication). That "yes" is a trust-on-first-use decision: compare the fingerprint with one obtained from the server console (ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub) before accepting it
[root@LC ~]# cd .ssh/
[root@LC .ssh]# ls
known_hosts known_hosts.old
[root@LC .ssh]#
[root@LC .ssh]# cat known_hosts.old
192.168.179.133 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPydM5QDi58bRc7KwZnjOdFNfU0S+dZNhSvRD3prWFgF
[root@LC .ssh]#
//connect to a shell on the chosen host (remotehost) as a different user (remoteuser)
[root@LC ~]# ssh lc2@192.168.179.133 //lc2 is an ordinary user on the remote host
lc2@192.168.179.133's password:
Register this system with Red Hat Insights: insights-client --register
Create an account or view all your systems at https://red.ht/insights-dashboard
Last login: Tue Jul 4 16:33:19 2023
[lc2@lc9-2 ~]$
//run a single command on the remote host (remotehost) as the remote user (remoteuser), with the output returned to the local display
Example 1: ip a here runs on the remote host, but the result is shown on the local one
[root@LC ~]# ssh root@192.168.179.133 'ip a'
root@192.168.179.133's password:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0c:29:a6:c7:16 brd ff:ff:ff:ff:ff:ff
altname enp3s0
inet 192.168.179.133/24 brd 192.168.179.255 scope global noprefixroute ens160
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fea6:c716/64 scope link noprefixroute
valid_lft forever preferred_lft forever
[root@LC ~]#
Example 2: from the local host, create a file named 666 under /tmp on the remote host
[root@LC ~]# ssh root@192.168.179.133 'touch /tmp/666'
root@192.168.179.133's password:
[root@LC ~]#
[root@lc9-2 ~]# ls /tmp/
666 //666 has been created here
systemd-private-e90a7a38564048a89373d0a0f7253af1-chronyd.service-Z6oJ41
systemd-private-e90a7a38564048a89373d0a0f7253af1-dbus-broker.service-XZy8SA
systemd-private-e90a7a38564048a89373d0a0f7253af1-systemd-logind.service-HlMuNo
vmware-root_843-4021784525
[root@lc9-2 ~]#
SSH host keys
When a user connects to a particular server with ssh for the first time, the ssh command stores that server's public key in the user's ~/.ssh/known_hosts file. On every later connection the client compares the server's entry in ~/.ssh/known_hosts with the public key the server presents, to make sure it is getting the same key. If the keys do not match, the client assumes the connection is being hijacked or the server has been compromised, and aborts.
This means that if the server's public key changes (lost with a failed disk, or replaced for a legitimate reason), the user has to remove the stale entry from ~/.ssh/known_hosts (ssh-keygen -R 192.168.179.133) before logging in again. Do that only after confirming, through a channel that does not run over the same network, that the key really was replaced: an unexpected mismatch is exactly what a man-in-the-middle looks like.
The public key file stored on the local client
[root@LC ~]# cd .ssh/
[root@LC .ssh]# ls
known_hosts known_hosts.old
[root@LC .ssh]# cat known_hosts.old
192.168.179.133 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPydM5QDi58bRc7KwZnjOdFNfU0S+dZNhSvRD3prWFgF
[root@LC .ssh]#
The key files stored on the server
files ending in .pub are public keys (ssh_host_ecdsa_key.pub); their fingerprint is what clients pin
files without .pub are private keys (ssh_host_ecdsa_key); they are readable by root only, and whoever copies one can impersonate the server
[root@LC ~]# cd /etc/ssh
[root@LC ssh]# ls
moduli sshd_config.d ssh_host_ed25519_key.pub
ssh_config ssh_host_ecdsa_key ssh_host_rsa_key
ssh_config.d ssh_host_ecdsa_key.pub ssh_host_rsa_key.pub
sshd_config ssh_host_ed25519_key
[root@LC ssh]#
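The compare-and-refuse logic described above can be seen outside of ssh itself. The script below is an added example, not code from the original page: it reimplements the known_hosts pin check in shell for plain-text entries, returning distinct results for an unknown host (the trust-on-first-use case), a matching pin, and a mismatch, and it replaces a pin only as an explicit, separate step. It uses the host-key line recorded on this page; the "tampered" blob is constructed by changing one character of that key. Hashed entries (HashKnownHosts yes) and @cert-authority/@revoked markers are deliberately skipped. On a real host, ssh-keygen -F HOST and ssh-keygen -R HOST query and remove entries.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: the pin-and-compare logic that ssh
# applies to ~/.ssh/known_hosts, reimplemented in shell so the three outcomes
# (unknown host, match, MISMATCH) can be exercised offline.
set -eu

# The host-key line recorded on the page above (ed25519 key of 192.168.179.133).
PINNED='192.168.179.133 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPydM5QDi58bRc7KwZnjOdFNfU0S+dZNhSvRD3prWFgF'
# Constructed: the same blob with the last character changed, standing in for a
# server that presents a different key than the one we pinned.
TAMPERED_BLOB='AAAAC3NzaC1lZDI1NTE5AAAAIPydM5QDi58bRc7KwZnjOdFNfU0S+dZNhSvRD3prWFgX'

# known_hosts_lookup FILE HOST KEYTYPE: print the pinned blob for HOST, or nothing.
known_hosts_lookup() {
    awk -v host="$2" -v type="$3" '
        /^[ \t]*(#|$)/ || /^@/ || /^\|1\|/ { next }    # comments, markers, hashed entries
        $2 == type {
            n = split($1, names, ",")                   # "host1,host2,[host]:port"
            for (i = 1; i <= n; i++) if (names[i] == host) { print $3; exit }
        }' "$1"
}

# known_hosts_verify FILE HOST KEYTYPE PRESENTED_BLOB
# returns 0 = matches the pin, 1 = host unknown (trust-on-first-use decision), 2 = MISMATCH
known_hosts_verify() {
    local pinned
    pinned=$(known_hosts_lookup "$1" "$2" "$3")
    [ -n "$pinned" ] || return 1
    [ "$pinned" = "$4" ] || return 2
    return 0
}

# known_hosts_replace FILE HOST KEYTYPE NEW_BLOB: drop the old pin and add the new one.
# Only do this after confirming the new fingerprint out of band, e.g. from
# ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub on the server console.
# (A multi-name entry "a,b" is dropped whole here; ssh-keygen -R edits it in place.)
known_hosts_replace() {
    local tmp; tmp=$(mktemp)
    awk -v host="$2" -v type="$3" '
        !/^[ \t]*(#|$)/ && !/^@/ && !/^\|1\|/ && $2 == type {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++) if (names[i] == host) next
        }
        { print }' "$1" > "$tmp"
    printf '%s %s %s\n' "$2" "$3" "$4" >> "$tmp"
    cat "$tmp" > "$1" && rm -f "$tmp"
}

# Constructed known_hosts: the page's entry plus an unrelated multi-name entry.
make_sample_known_hosts() {
    local f; f=$(mktemp)
    printf '%s\n' "$PINNED" \
        'bastion.example.invalid,10.0.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholderKeyNotRealAAAAAAAAAAA' > "$f"
    printf '%s\n' "$f"
}

kh=$(make_sample_known_hosts)
for blob in "${PINNED##* }" "$TAMPERED_BLOB"; do
    rc=0; known_hosts_verify "$kh" 192.168.179.133 ssh-ed25519 "$blob" || rc=$?
    echo "192.168.179.133 presented ${blob:0:12}...: rc=$rc (0 match, 1 unknown, 2 MISMATCH)"
done
```

The important design point is that verify and replace are separate functions: nothing in the verify path ever rewrites the file, so a mismatch can only be "fixed" by an operator who has deliberately checked the new fingerprint.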
Configuring passwordless (key-based) login
Try a remote connection first
[root@LC ~]# ssh root@192.168.179.133
root@192.168.179.133's password:
(a password is required; press ctrl+c to abort)
Generate a key pair
[root@LC ~]# ls .ssh/
known_hosts known_hosts.old
[root@LC ~]#
[root@LC ~]# ssh-keygen -t rsa //Enter was pressed at every prompt: default file name, no passphrase
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:69OZTOWszssu0nSt99wBuoDgOw+Bn7BAx8U/yuMCoXU root@LC
The key's randomart image is:
+---[RSA 3072]----+
| .. |
| . .. |
| . o . |
|..o E o . |
|.o.+.o. S = . |
|... =++ o.o = . |
| ...=.+.* * . |
| . o+.+oO o. ..|
| ..oo.=*+ .o .|
+----[SHA256]-----+
[root@LC ~]#
[root@LC ~]# ls .ssh/
id_rsa id_rsa.pub known_hosts known_hosts.old //two new files
[root@LC ~]#
id_rsa.pub is the public key
id_rsa is the private key; with the empty passphrase chosen above, anyone who can read this file (root on this host, or a backup of it) can log in everywhere the key is installed, so outside a lab set a passphrase and use ssh-agent, and prefer ssh-keygen -t ed25519 for new keys
//copy the public key to the remote host
[root@LC ~]# ssh-copy-id root@192.168.179.133
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.179.133's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@192.168.179.133'"
and check to make sure that only the key(s) you wanted were added.
[root@LC ~]#
Check on the remote host
[root@lc9-2 ~]# ls .ssh/
authorized_keys known_hosts known_hosts.old //authorized_keys is the file ssh-copy-id appended the public key to; sshd checks it on every key login
[root@lc9-2 ~]#
//log in to the remote host without a password
[root@LC ~]# ssh root@192.168.179.133
Register this system with Red Hat Insights: insights-client --register
Create an account or view all your systems at https://red.ht/insights-dashboard
Last login: Tue Jul 4 17:11:06 2023 from 192.168.179.123
[root@lc9-2 ~]#
//logged in directly
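When a key login set up as above still prompts for a password, the usual cause is file permissions: sshd's StrictModes silently ignores authorized_keys (or the whole ~/.ssh) when it or the home directory is group/world writable, and the ssh client refuses a private key that other users can read. The script below is an added example, not code from the original page: it audits a home directory for those conditions and also flags authorized_keys entries that use the long-disabled ssh-dss type or carry no options (from=, restrict). The home directory it builds is constructed, with placeholder key material, to show each finding; on a real host run ssh_dir_audit /root or ssh_dir_audit /home/lc2.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: check a user's ~/.ssh the way
# sshd (StrictModes) and the ssh client do, so that a key login that silently
# falls back to asking for a password can be explained.
set -eu

mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }          # GNU stat, then BSD stat
go_bits() { local m; m=$(mode_of "$1"); printf '%s\n' "${m#"${m%??}"}"; }  # last two octal digits: group, other

# ssh_dir_audit HOME: one finding per line; no output means clean.
ssh_dir_audit() {
    local home=$1 sshdir=$1/.ssh f
    case $(go_bits "$home") in *[2367]*)
        echo "BAD $home: group/world writable, sshd StrictModes ignores the user's keys";; esac
    [ -d "$sshdir" ] || { echo "NONE $sshdir: missing"; return 0; }
    case $(go_bits "$sshdir") in 00) ;; *) echo "BAD $sshdir: should be 0700";; esac
    for f in "$sshdir"/*; do
        [ -f "$f" ] || continue
        case $f in
            */authorized_keys)
                case $(go_bits "$f") in *[2367]*)
                    echo "BAD $f: group/world writable, sshd StrictModes ignores it";; esac
                awk -v f="$f" '
                    /^[ \t]*(#|$)/ { next }
                    $1 == "ssh-dss" || $2 == "ssh-dss" {
                        printf "WEAK %s: ssh-dss key on line %d (disabled by default since OpenSSH 7.0)\n", f, NR; next }
                    $1 ~ /^(ssh-|ecdsa-|sk-)/ {
                        printf "NOTE %s: line %d has no options (consider from=\"...\" or restrict)\n", f, NR }
                ' "$f" ;;
            *.pub) ;;                                   # public keys may be world-readable
            *)  if grep -q '^-----BEGIN .*PRIVATE KEY-----' "$f"; then
                    case $(go_bits "$f") in 00) ;;
                        *) echo "BAD $f: private key readable by others, ssh refuses to use it";; esac
                fi ;;
        esac
    done
}

# Constructed home directory with the mistakes a first ssh-copy-id setup often has.
make_sample_home() {
    local h; h=$(mktemp -d); chmod 755 "$h"; mkdir -m 700 "$h/.ssh"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'constructed placeholder, not a real key' \
        '-----END OPENSSH PRIVATE KEY-----' > "$h/.ssh/id_ed25519"
    chmod 644 "$h/.ssh/id_ed25519"                 # wrong: the client will refuse this key
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholderKeyNotRealAAAAAAAAAAA root@LC' > "$h/.ssh/id_ed25519.pub"
    printf '%s\n' \
        'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholderKeyNotRealAAAAAAAAAAA root@LC' \
        'ssh-dss AAAAB3NzaC1kc3MAAACBConstructedPlaceholderNotRealAAAAAAAAAAAAAAAAAAAAAA legacy' \
        'restrict,from="192.168.179.0/24" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAnotherPlaceholderAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ops' \
        > "$h/.ssh/authorized_keys"
    chmod 664 "$h/.ssh/authorized_keys"            # wrong: group writable
    printf '%s\n' "$h"
}

ssh_dir_audit "$(make_sample_home)"
```

The third authorized_keys line is the shape to aim for when a key is used for automation: restrict turns off forwarding, pty and agent, and from= limits where it can be used from, so a leaked key is far less useful to whoever finds it.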
Downloading with scp
Create a file on the remote host
[root@lc9-2 ~]# touch /opt/999
[root@lc9-2 ~]# ls /opt/
999
[root@lc9-2 ~]#
Download the file 999 to the local host with scp
[root@LC ~]# scp root@192.168.179.133:/opt/999 /root
[root@LC ~]#
[root@LC ~]# ls /root/
anaconda-ks.cfg 999
Uploading with scp
Create a file 888 on the local host
[root@LC ~]# touch /opt/888
[root@LC ~]# ls /opt/
888
[root@LC ~]#
Upload the file 888 to the remote host with scp
[root@LC ~]# scp /opt/888 root@192.168.179.133:/opt/
888 100% 0 0.0KB/s 00:00
[root@LC ~]#
Check on the remote host
[root@lc9-2 ~]# ls /opt/
888 999
[root@lc9-2 ~]#
SSH security notes
Generating a password
tr -dc A-Za-z0-9_ < /dev/urandom | head -c 30 | xargs //generate a 30-character random password from the kernel CSPRNG (63 symbols per position, about 179 bits)
[root@LC ~]# tr -dc A-Za-z0-9_ < /dev/urandom | head -c 30 |xargs
0gskmwWT3kWF_K_h4JfVqIycaHAdQS
[root@LC ~]#
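Once key login works, the natural hardening step is an sshd drop-in that disables root login and password authentication, and the server configuration file shown earlier explains why a drop-in works: Include comes first in /etc/ssh/sshd_config, included globs are read in sorted order, and sshd keeps the first value it sees for each keyword. Getting the file name wrong (a drop-in that sorts after the vendor's, or a setting placed at the end of the main file) silently leaves the weak value in force. The script below is an added example, not code from the original page: it resolves the effective value of a keyword by walking the files the way sshd does, and builds a constructed sshd_config, a stand-in vendor drop-in and a hardening drop-in to show which value wins. Match blocks are treated as the end of the global search, which is correct for global values but means conditional overrides are not evaluated. On a real host, sshd -T prints the effective configuration and sshd -t checks syntax before a restart.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: resolve the value sshd will
# actually use for a keyword, following the two rules that make sshd_config.d/
# drop-ins work: Include is expanded in place (globs in sorted order) and the
# FIRST value seen for a keyword wins.
set -eu
SSHD_CONFDIR=${SSHD_CONFDIR:-/etc/ssh}   # relative Include patterns resolve here, as in sshd

# _sshd_walk FILE: print the config lines in the order sshd reads them.
_sshd_walk() {
    local file=$1 kw rest pat f
    while read -r kw rest || [ -n "$kw" ]; do
        case $(printf '%s' "$kw" | tr 'A-Z' 'a-z') in
            include)
                set -f                          # keep each pattern literal until it is anchored
                for pat in $rest; do
                    case $pat in /*) ;; *) pat=$SSHD_CONFDIR/$pat ;; esac
                    set +f
                    for f in $pat; do           # the glob expands here, in sorted order
                        if [ -f "$f" ]; then _sshd_walk "$f"; fi
                    done
                    set -f
                done
                set +f ;;
            *) printf '%s %s\n' "$kw" "$rest" ;;
        esac
    done < "$file"
}

# sshd_effective KEYWORD MAIN_CONFIG: print the effective value, or "(default)".
sshd_effective() {
    _sshd_walk "$2" | awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/         { next }
        tolower($1) == "match" { exit }      # Match blocks are conditional; the global value is settled
        tolower($1) == want    { found = 1; $1 = ""; sub(/^[ \t]+/, ""); print; exit }
        END { if (!found) print "(default)" }'
}

# Constructed files: a main config in the RHEL 9 layout, a vendor drop-in and a hardening drop-in.
make_sample_sshd() {
    local d; d=$(mktemp -d); mkdir "$d/sshd_config.d"
    cat > "$d/sshd_config" <<EOF
# constructed stand-in for /etc/ssh/sshd_config: Include comes first, as on RHEL 9
Include $d/sshd_config.d/*.conf
#Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
EOF
    cat > "$d/sshd_config.d/50-vendor.conf" <<'EOF'
# constructed stand-in for a distribution drop-in
PasswordAuthentication yes
X11Forwarding yes
EOF
    cat > "$d/sshd_config.d/01-hardening.conf" <<'EOF'
# hardening drop-in; "01-" sorts before "50-", so these values are seen first and win
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
EOF
    printf '%s\n' "$d"
}

demo=$(make_sample_sshd)
for k in PermitRootLogin PasswordAuthentication X11Forwarding MaxAuthTries Port; do
    printf '%-23s %s\n' "$k" "$(sshd_effective "$k" "$demo/sshd_config")"
done
```

Renaming 01-hardening.conf to 90-hardening.conf makes PasswordAuthentication resolve to yes again, because the vendor file is now read first; PermitRootLogin still resolves to no, because the "PermitRootLogin yes" at the end of the main file comes after the Include and so never wins. That ordering is the whole point of the sshd_config.d/ mechanism, and the reason a hardening drop-in should sort before everything else.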