####################
###### 第七单元 ##############################################1.进程定义####################进程就是cpu未完成的工作进程状态包括:running ##正在运行sleeping ##休眠,释放资源stopped ##停止zombie ##僵尸进程,不释放资源[root@localhost Desktop]# gnome-system-monitor ##在图形中查看进程####################2.ps命令####################ps 参数 a ##关于当前环境的所有进程 x ##与当前环境无关的所有进程 f ##显示进程从属关系 e ##显示当前用户环境中的所有进程 l ##长列表显示进程的详细信息 u ##显示进程的用户信息通常情况下:aux一起用,ef一起用------------------------------baidu---------------------具体命令解释如下: 1)ps a 显示现行终端机下的所有程序,包括其他用户的程序。 2)ps -A 显示所有程序。 3)ps c 列出程序时,显示每个程序真正的指令名称,而不包含路径,参数或常驻服务的标示。 4)ps -e 此参数的效果和指定"A"参数相同。 例如: ps -e|grep sshd 5)ps e 列出程序时,显示每个程序所使用的环境变量。 6)ps f 用ASCII字符显示树状结构,表达程序间的相互关系。 7)ps -H 显示树状结构,表示程序间的相互关系。 8)ps -N 显示所有的程序,除了执行ps指令终端机下的程序之外。 9)ps s 采用程序信号的格式显示程序状况。10)ps S 列出程序时,包括已中断的子程序资料。11)ps -t <终端机编号> 指定终端机编号,并列出属于该终端机的程序的状况。12)ps u 以用户为主的格式来显示程序状况。13)ps x 显示所有程序,不以终端机来区分。最常用的方法是ps -aux,然后再利用一个管道符号导向到grep去查找特定的进程,然后再对特定的进程进行操作。 ----------------------------------------------------------####################[root@localhost Desktop]# ps a PID TTY STAT TIME COMMAND 592 tty1 Ss+ 0:18 /usr/bin/Xorg :0 -background none -verbose -auth /run 2151 pts/0 Ss 0:00 -bash 4410 pts/0 R+ 0:00 ps a[root@localhost Desktop]# ps e PID TTY STAT TIME COMMAND 592 tty1 Ss+ 0:18 /usr/bin/Xorg :0 -background none -verbose -auth /run 2151 pts/0 Ss 0:00 -bash LC_PAPER=en_US.UTF-8 LC_MONETARY=en_US.UTF-8 LC 4411 pts/0 R+ 0:00 ps e LC_PAPER=en_US.UTF-8 XDG_SESSION_ID=2 HOSTNAME=l##在没有其他用户(仅"root")登入的情况下,"ps a"和"ps e"没有太大区别,"ps e"仅仅比"ps a"多显示了环境变量[root@localhost Desktop]# su - studentLast login: Thu Oct 13 00:29:36 EDT 2016 on pts/0[student@localhost ~]$ ps a PID TTY STAT TIME COMMAND 592 tty1 Ss+ 0:18 /usr/bin/Xorg :0 -background none -verbose -auth /run 2151 pts/0 Ss 0:00 -bash 4415 pts/0 S 0:00 su - student 4416 pts/0 S 0:00 -bash 4451 pts/0 R+ 0:00 ps a[student@localhost ~]$ ps a -o userUSERrootrootrootstudentstudent[student@localhost ~]$ ps e PID TTY STAT TIME COMMAND 4416 pts/0 S 0:00 -bash TERM=xterm-256color 
HOME=/home/student SHELL=/b 4453 pts/0 R+ 0:00 ps e XDG_SESSION_ID=2 HOSTNAME=localhost SHELL=/bin/b[student@localhost ~]$ ps e -o userUSERstudentstudent##在有其他用户登入的情况下,"ps a"显示所有用户shell中的所有进程,"ps e"显示当前用户shell中的所有进程[student@localhost ~]$ ps PID TTY TIME CMD 4416 pts/0 00:00:00 bash 4720 pts/0 00:00:00 ps[student@localhost ~]$ ps -o userUSERstudentstudent[student@localhost ~]$ exitlogout[root@localhost Desktop]# ps PID TTY TIME CMD 2151 pts/0 00:00:00 bash 4733 pts/0 00:00:00 ps[root@localhost Desktop]# ps -o userUSERrootroot##"ps"仅显示当前用户在当前shell中的进程[root@localhost Desktop]# ps x -o user...... ##显示全是"root"##显示当前用户的所有进程(包括当前用户shell中的进程和当前用户shell之外的进程)[root@localhost Desktop]# ps ax -o user...... ##显示多个用户##显示所有进程(所有用户,所有用户shell中的进程,所有用户shell之外的进程)以上实验中的"-o user"也可以用"-o uid"和"-o euid"来代替"uid"表示该进程是哪个用户创建的"euid"表示该进程具备哪个用户的权限一般来说,"uid"="euid"。特殊情况:"u+s"使用"euid"来做实验是最准确的,但是非"特殊情况"下,没有区别####################ps ax -o %cpu,%mem,user,group,comm,nice ##指定显示进程的某些信息%cpu ##显示进程cpu负载%mem ##显示进程内存负载user ##进程用户group ##进程组comm ##进程名称nice ##进程优先级ps ax -o %cpu,comm --sort <+|-%cpu> <+|-%mem> ##进程按指定方式排序+ ##正序- ##倒序%cpu ##cpu负载排序%mem ##内存负载pstree ##查看系统进程树####################3.进程优先级####################1.进程的优先级范围-20~19数值越低表示越优先被处理普通用户只能在0~19之间取值,超级用户可以在-20~19之间任意取值####################[root@localhost Desktop]# vim &[1] 1719[root@localhost Desktop]# renice -n -21 17191719 (process ID) old priority 0, new priority -20[1]+ Stopped vim[root@localhost Desktop]# ps af -o pid,nice,comm PID NI COMMAND 2151 0 bash 1719 -20 \_ vim ##输入-21,最多只能改到-20 1725 0 \_ ps 592 0 Xorg[root@localhost Desktop]# renice -n 20 17191719 (process ID) old priority -20, new priority 19[root@localhost Desktop]# ps af -o pid,nice,comm PID NI COMMAND 2151 0 bash 1719 19 \_ vim ##输入20,最多只能改到19 1731 0 \_ ps 592 0 Xorg########################################[student@localhost ~]$ nice -n 1 vim &[1] 1038[student@localhost ~]$ nice -n -1 vim &[2] 1039[1]+ Stopped nice -n 1 vim[student@localhost ~]$ nice: cannot set niceness: 
Permission denied ##nice取值超越权限[2]+ Stopped nice -n -1 vim[student@localhost ~]$ ps a -o pid,nice,comm PID NI COMMAND 592 0 Xorg 907 0 su 908 0 bash 1038 1 vim 1039 0 vim 1067 0 ps 2151 0 bash 3745 0 bash[student@localhost ~]$ renice -n -2 1038renice: failed to set priority for 1038 (process ID): Permission denied ##nice取值超越权限[student@localhost ~]$ ps a -o pid,nice,comm PID NI COMMAND 592 0 Xorg 907 0 su 908 0 bash 1038 1 vim 1039 0 vim 1067 0 ps####################2.优先级查看ps ax -o pid,nice,comm3.指定某个优先级开启进程nice -n 优先级数字 进程名称nice -n -5 vim & ##开启vim并且指定程序优先级为-54.改变进程优先级renice -n 优先级数字 进程pidrenice -n -5 1806 ##改变1806进程的优先级为-5[root@localhost Desktop]# ps a -o pid,nice,comm PID NI COMMAND 614 0 Xorg 1128 0 agetty 1625 0 bash 1785 0 vim 1806 -5 vim 1824 -5 vim 1835 0 ps####################[root@localhost Desktop]# ps af -o pid,nice,comm PID NI COMMAND 2107 0 bash 533 0 \_ ps 585 0 Xorg[root@localhost Desktop]# renice -n -5 21072107 (process ID) old priority 0, new priority -5[root@localhost Desktop]# ps af -o pid,nice,comm PID NI COMMAND 2107 -5 bash 580 -5 \_ ps 585 0 Xorg[root@localhost Desktop]# nice -n -5 vim &[1] 592[1]+ Stopped nice -n -5 vim[root@localhost Desktop]# ps af -o pid,nice,comm PID NI COMMAND 2107 -5 bash 592 -10 \_ vim ##在父进程的优先级上加上“-5”,变成“-10” 598 -5 \_ ps 585 0 Xorg[root@localhost Desktop]# renice -n -5 592592 (process ID) old priority -10, new priority -5[root@localhost Desktop]# ps af -o pid,nice,comm PID NI COMMAND 2107 -5 bash 592 -5 \_ vim ##被强制改成了“-5” 740 -5 \_ ps 585 0 Xorg########################################4.环境中进程的前后台调用####################jobs ##查看被打入环境后台的进程ctrl+z ##把占用终端的进程打入后台停止fg [job号] ##把后台进程调回前台bg [job号] ##把后台暂停的进程运行comm & ##让命令直接在后台运行####################[root@localhost Desktop]# vim &[1] 8682[root@localhost Desktop]# jobs[1]+ Stopped vim[root@localhost Desktop]# vim &[2] 8685[root@localhost Desktop]# jobs[1]- Stopped vim[2]+ Stopped vim[root@localhost Desktop]# vim &[3] 8687[root@localhost Desktop]# jobs[1] Stopped vim[2]- Stopped 
vim[3]+ Stopped vimjobs命令下,"+"表示优先处理,"-"表示次优先处理,没有符号表示等待可以使用命令"man bg",查看jobs命令下"+"和"-"的意思########################################[root@localhost Desktop]# vim &[1] 8530[root@localhost Desktop]# jobs[1]+ Stopped vim[root@localhost Desktop]# bg[1]+ vim &[root@localhost Desktop]# jobs[1]+ Stopped vim发现使用"bg"没有效果因为启用vim要占用终端,否则vim没有交互界面,就无法工作########################################5.进程信号####################1.常用信号等级1 ##进程重新加载配置,不重启服务(reload进程)2 ##删除进程在内存中的数据(ctrl+c)3 ##删除鼠标在内存中的数据9 ##强行结束单个进程15 ##正常关闭进程18 ##运行停止的进程19 ##停止某个进程20 ##把进程打入后台(ctrl+z)9和19不能被系统阻塞,忽略和停止15和20可以被系统阻塞,忽略和停止信号等级的内容还有很多,自行百度“Linux 信号”查找也可以使用"man 7 signal"来查看解释把鼠标放在shell上,按"ctrl"+"反斜杠",鼠标消失???自己电脑上实验不出来:物理机没反应,虚拟机输入任意字符都会消失??????kill -3也实验不出来???2.信号的发起kill的作用是向内核传递一个信号kill -信号 进程pidkillall -信号 进程名字pkill -u [username] -信号pkill -t pts/0 -9 ##把终端0强行关闭####################终端1:[root@localhost Desktop]# su - studentLast login: Thu Oct 13 03:37:26 EDT 2016 on pts/1[student@localhost ~]$ vim终端0:[root@localhost Desktop]# ps af PID TTY STAT TIME COMMAND12418 pts/1 Ss 0:00 /bin/bash12450 pts/1 S 0:00 \_ su - student12451 pts/1 S 0:00 \_ -bash12569 pts/1 S+ 0:00 \_ vim10387 pts/0 Ss 0:00 -bash12571 pts/0 R+ 0:00 \_ ps af 592 tty1 Ss+ 1:13 /usr/bin/Xorg :0 -background none -verbose -auth /run10419 pts/0 S 0:00 dbus-launch --autolaunch=946cb0e817ea4adb916183df8c4f[root@localhost Desktop]# kill -15 12451[root@localhost Desktop]# ps af PID TTY STAT TIME COMMAND12418 pts/1 Ss 0:00 /bin/bash12450 pts/1 S 0:00 \_ su - student12451 pts/1 S 0:00 \_ -bash ##信号15被系统忽略了12569 pts/1 S+ 0:00 \_ vim10387 pts/0 Ss 0:00 -bash12575 pts/0 R+ 0:00 \_ ps af 592 tty1 Ss+ 1:13 /usr/bin/Xorg :0 -background none -verbose -auth /run10419 pts/0 S 0:00 dbus-launch --autolaunch=946cb0e817ea4adb916183df8c4f[root@localhost Desktop]# kill -9 12451[root@localhost Desktop]# ps af PID TTY STAT TIME COMMAND12418 pts/1 Ss+ 0:00 /bin/bash10387 pts/0 Ss 0:00 -bash12582 pts/0 R+ 0:00 \_ ps af 592 tty1 Ss+ 1:13 /usr/bin/Xorg :0 -background none -verbose 
-auth /run12569 pts/1 S 0:00 vim10419 pts/0 S 0:00 dbus-launch --autolaunch=946cb0e817ea4adb916183df8c4fPID为"12451"的进程被杀死了,但是子进程没有被杀死切换至终端1时出现故障--------------------------------------------------[root@localhost Desktop]# vim &[1] 13234[root@localhost Desktop]# vim &[2] 13236[1]+ Stopped vim[root@localhost Desktop]# vim &[3] 13243[2]+ Stopped vim[root@localhost Desktop]# ps PID TTY TIME CMD10387 pts/0 00:00:00 bash10419 pts/0 00:00:00 dbus-launch13234 pts/0 00:00:00 vim13236 pts/0 00:00:00 vim13243 pts/0 00:00:00 vim13247 pts/0 00:00:00 ps[3]+ Stopped vim[root@localhost Desktop]# killall -9 vim[1] Killed vim[2]- Killed vim[3]+ Killed vim[root@localhost Desktop]# ps PID TTY TIME CMD10387 pts/0 00:00:00 bash10419 pts/0 00:00:00 dbus-launch13266 pts/0 00:00:00 ps所有名字为vim的进程全被强行关闭--------------------------------------------------终端1:[root@localhost Desktop]# su - studentLast login: Thu Oct 13 04:17:08 EDT 2016 on pts/1[student@localhost ~]$ vim终端0:[root@localhost Desktop]# ps auf USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMANDroot 12826 0.0 0.1 116260 2780 pts/1 Ss 04:17 0:00 /bin/bashroot 12859 0.0 0.1 182780 2268 pts/1 S 04:17 0:00 \_ su - studenstudent 12860 0.0 0.1 116144 2756 pts/1 S 04:17 0:00 \_ -bashstudent 12935 1.0 0.2 151368 4520 pts/1 S+ 04:18 0:00 \_ vimroot 10387 0.0 0.1 116276 2976 pts/0 Ss 03:29 0:00 -bashroot 12937 0.0 0.0 123352 1288 pts/0 R+ 04:18 0:00 \_ ps aufroot 592 0.2 1.9 188628 37596 tty1 Ss+ Oct12 1:15 /usr/bin/Xorg :root 10419 0.0 0.0 16040 588 pts/0 S 03:29 0:00 dbus-launch --a[root@localhost Desktop]# pkill -u student -9[root@localhost Desktop]# ps auf USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMANDroot 12826 0.0 0.1 116260 2836 pts/1 Ss+ 04:17 0:00 /bin/bashroot 10387 0.0 0.1 116276 2980 pts/0 Ss 03:29 0:00 -bashroot 12952 0.0 0.0 123352 1288 pts/0 R+ 04:18 0:00 \_ ps aufroot 592 0.2 1.9 188628 37596 tty1 Ss+ Oct12 1:15 /usr/bin/Xorg :root 10419 0.0 0.0 16040 588 pts/0 S 03:29 0:00 dbus-launch 
--a所有USER为student的进程全部被强行关闭########################################6.用户登陆审计####################1.w ##查看使用系统的当前用户有哪些w -f ##"-f"查看使用地点2.last ##查看用户登陆成功历史3.lastb ##查看用户登陆未成功历史####################7.top命令####################top ##监控系统负载工具top用法:u usernamek pid-->信号h 帮助s 刷新时间,默认3秒m 是否显示内存信息c 切换"命令行/命令名"虚拟机下打开top,按"k"后千万不敢双击回车否则会默认选取"gnome-shell"进程,默认使用信号15图形就挂了其它用法自行百度top命令详解####################虚拟机图形挂了怎么办?点虚拟机左上角Send key-->ctrl+alt+f6init 3init 5################################################ 第八单元 ############################1.systemd系统初始化程序,系统开始的第一个进程,pid为1什么是服务(service)?服务就是在系统中运行的软件,这个软件主要是对外提供某项功能,那么我们把这一类软件叫做服务简单来说,服务就是:自己不用,开了给别人用2.systemctl命令systemctl list-units ##列出当前系统服务的状态systemctl list-unit-files ##查看服务的开机状态systemctl status sshd ##查看指定服务的状态systemctl stop sshd ##关闭指定服务systemctl start sshd ##开启指定服务systemctl restart sshd ##重新启动服务systemctl enable sshd ##设定指定服务开机启动systemctl disable sshd ##设定指定服务开机关闭systemctl reload sshd ##使指定服务重新加载配置(不关闭重启)systemctl list-dependencies sshd ##查看指定服务的依赖关系systemctl mask sshd ##冻结指定服务systemctl unmask sshd ##启用服务systemctl set-default multi-user.target ##开机不启动图形systemctl set-default graphical.target ##开机启动图形systemctl = systemctl list-units####################[root@localhost Desktop]# cd /etc/ssh/[root@localhost ssh]# lsmoduli sshd_config ssh_host_ecdsa_key.pub ssh_host_rsa_key.pubssh_config ssh_host_ecdsa_key ssh_host_rsa_key[root@localhost ssh]# rm -fr ssh_host_*[root@localhost ssh]# lsmoduli ssh_config sshd_config[root@localhost ssh]# systemctl restart sshd.service [root@localhost ssh]# lltotal 268-rw-------. 1 root root 242153 Mar 19 2014 moduli-rw-r--r--. 1 root root 2123 Mar 19 2014 ssh_config-rw-r--r--. 1 root root 4439 Jul 10 2014 sshd_config-rw-r-----. 1 root ssh_keys 227 Oct 13 05:22 ssh_host_ecdsa_key-rw-r--r--. 1 root root 162 Oct 13 05:22 ssh_host_ecdsa_key.pub-rw-r-----. 1 root ssh_keys 1679 Oct 13 05:22 ssh_host_rsa_key-rw-r--r--. 
1 root root 382 Oct 13 05:22 ssh_host_rsa_key.pub被删除的文件全部恢复(由sshd启动前的sshd-keygen重新生成,见下方status输出;注意这是一对新的主机密钥,指纹与原来的不同,已记录过旧指纹的客户端下次连接时known_hosts会提示不匹配)########################################[root@foundation50 Desktop]# which rht-vmctl/usr/local/bin/rht-vmctl[root@foundation50 Desktop]# whereis rht-vmctlrht-vmctl: /usr/local/bin/rht-vmctl[root@foundation50 Desktop]# uname -r3.10.0-327.el7.x86_64 ##显示操作系统的发行编号[root@foundation50 Desktop]# uname -aLinux foundation50.ilt.example.com 3.10.0-327.el7.x86_64 #1 SMP Thu Oct 29 17:29:29 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux ##显示操作系统全部信息####################3.服务状态systemctl status 服务名称loaded ##系统服务已经初始化完成,加载过配置active(running) ##服务正在被系统利用active(exited) ##服务已经加载配置,等待被系统利用active(waiting) ##服务等待被系统处理inactive ##服务关闭enabled ##服务开机启动disabled ##服务开机不自启static ##服务开机启动项不可被管理failed ##系统配置错误active(exited)和active(waiting)的区别:exited已经加载配置waiting还没有加载配置【老李课堂上想展示"exited"状态,但是没成功,可遇不可求】####################[root@localhost ssh]# systemctl status sshdsshd.service - OpenSSH server daemon Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled) Active: active (running) since Thu 2016-10-13 05:22:50 EDT; 10min ago ##active (running) Process: 2901 ExecStartPre=/usr/sbin/sshd-keygen (code=exited, status=0/SUCCESS) Main PID: 2914 (sshd) CGroup: /system.slice/sshd.service └─2914 /usr/sbin/sshd -DOct 13 05:22:49 localhost systemd[1]: Starting OpenSSH server daemon...Oct 13 05:22:50 localhost sshd-keygen[2901]: Generating SSH2 RSA host key: [...]Oct 13 05:22:50 localhost sshd-keygen[2901]: Generating SSH2 ECDSA host key:...]Oct 13 05:22:50 localhost systemd[1]: Started OpenSSH server daemon.Oct 13 05:22:50 localhost sshd[2914]: Server listening on 0.0.0.0 port 22.Oct 13 05:22:50 localhost sshd[2914]: Server listening on :: port 22.Hint: Some lines were ellipsized, use -l to show in full.####################Linux之前版本init的定义:init 0 ##Halt[停机]init 1 ##Single user[单用户模式]init 2 ##multi user without network[多用户,没有NFS(net file system)]init 3 ##Multi user[完全多用户模式(标准的运行级)]init 4 ##unuse[安全模式]init 5 ##X11(xwindow)[图形化模式]init 6 
##Reboot[重新启动]Linux企业7把单用户,无图形,无网络都改成init 3############################ 第九单元 ################################################1.openssh-server####################功能:让远程主机可以通过网络访问sshd服务,开启一个安全的shell####################2.客户端连接方式####################ssh 远程主机用户@远程主机ip[root@foundation50 Desktop]# rm -fr /root/.ssh/*[root@foundation50 Desktop]# ssh root@172.25.50.100The authenticity of host '172.25.50.100 (172.25.50.100)' can't be established.ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.Are you sure you want to continue connecting (yes/no)? yes ##首次连接陌生主机时需要核对其主机密钥指纹,回答yes即与该主机建立信任关系Warning: Permanently added '172.25.50.100' (ECDSA) to the list of known hosts.root@172.25.50.100's password: ##远程用户密码Last login: Thu Oct 13 06:02:16 2016[root@localhost ~]# ##登陆成功ssh 远程主机用户@远程主机ip -X ##调用远程主机图形工具ssh 远程主机用户@远程主机ip command ##直接在远程主机运行某条命令####################[root@foundation50 Desktop]# sftp root@172.25.50.100The authenticity of host '172.25.50.100 (172.25.50.100)' can't be established.ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.Are you sure you want to continue connecting (yes/no)? 
yesWarning: Permanently added '172.25.50.100' (ECDSA) to the list of known hosts.root@172.25.50.100's password: Connected to 172.25.50.100.sftp> lsDesktop Documents Downloads Music Pictures Public Templates Videos sftp> exit[root@foundation50 Desktop]#[root@foundation50 Desktop]# ssh root@172.25.50.100 -X "gedit 123 & firefox""gedit 123"后如果不跟"&",gedit就会一直占用前台不退出,从而阻塞shell,导致后面的"firefox"无法执行########################################3.sshkey加密####################1.生成公钥私钥[root@localhost Desktop]# ssh-keygen ##生成公钥私钥工具Generating public/private rsa key pair.Enter file in which to save the key (/root/.ssh/id_rsa): ##加密字符保存文件(建议用默认)Created directory '/root/.ssh'.Enter passphrase (empty for no passphrase): ##私钥的保护口令(可为空;不为空时必须>4个字符)Enter same passphrase again: ##确认口令Your identification has been saved in /root/.ssh/id_rsa.Your public key has been saved in /root/.ssh/id_rsa.pub.The key fingerprint is:e0:03:1a:6c:43:26:61:5a:3e:14:bc:5b:3d:62:09:4f root@localhostThe key's randomart image is:+--[ RSA 2048]----+|o+*. ||oOo E ||. B=.o. || ..=*oo. || .+ .o.S || . . 
|| || || |+-----------------+[root@localhost Desktop]# ls /root/.ssh/id_rsa id_rsa.pubid_rsa ##私钥,就是钥匙id_rsa.pub ##公钥,就是锁2.添加key认证方式[root@localhost Desktop]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.25.50.100ssh-copy-id ##添加key认证方式的工具-i ##指定加密key文件/root/.ssh/id_rsa.pub ##加密keyroot ##加密用户为root172.25.50.100 ##被加密主机ipauthorized_keys ##此文件在目标用户家目录的.ssh中,这个文件就是目标用户被加密的标识,文件内容为公钥内容。3.分发钥匙给client主机[root@localhost Desktop]# scp /root/.ssh/id_rsa root@172.25.50.250:/root/.ssh/ ##此处是把私钥通过网络复制到客户端;常规做法是在客户端上生成密钥对,只把公钥(id_rsa.pub)交给服务器,私钥不离开生成它的主机4.测试[root@foundation50 Desktop]# ssh root@172.25.50.100 ##通过id_rsa直接连接不需要输入用户密码Last login: Thu Oct 13 22:01:14 2016 from 172.25.50.250[root@localhost ~]# /root/.ssh/known_hosts ##ssh第一次连接后就会把远程主机的主机公钥记录在这里,下次连接就不再问"yes/no"了####################4.提升openssh的安全级别####################1.openssh-server配置文件/etc/ssh/sshd_config ##sshd服务的配置文件 78 PasswordAuthentication yes|no ##是否开启用户密码认证,yes为支持,no为不支持 48 PermitRootLogin yes|no ##是否允许超级用户登陆 AllowUsers root ##用户白名单,只有在名单中出现的用户可以使用sshd建立shell DenyUsers student ##用户黑名单####################真机:[root@foundation50 Desktop]# cat /root/.ssh/known_hosts172.25.50.100 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHX+o9KAnlfw2dE7CsmM4hqfv1udM79a5NWC2BuWlmfKSwfYLptPQMJF8bnqaz0EjDlxCxRu/aito+GphPLzp/k=[root@foundation50 Desktop]# rm -fr /root/.ssh/*虚拟机:[root@localhost Desktop]# rm -fr /root/.ssh/[root@localhost Desktop]# ssh-keygen Generating public/private rsa key pair.Enter file in which to save the key (/root/.ssh/id_rsa): Created directory '/root/.ssh'.Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /root/.ssh/id_rsa.Your public key has been saved in /root/.ssh/id_rsa.pub.The key fingerprint is:e0:03:1a:6c:43:26:61:5a:3e:14:bc:5b:3d:62:09:4f root@localhostThe key's randomart image is:+--[ RSA 2048]----+|o+*. ||oOo E ||. B=.o. || ..=*oo. || .+ .o.S || . . 
|| || || |+-----------------+[root@localhost Desktop]# ls /root/.ssh/ ##查看公钥和私钥id_rsa id_rsa.pub[root@localhost Desktop]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.25.50.100The authenticity of host '172.25.50.100 (172.25.50.100)' can't be established.ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.Are you sure you want to continue connecting (yes/no)? yes/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keysroot@172.25.50.100's password: Number of key(s) added: 1Now try logging into the machine, with: "ssh 'root@172.25.50.100'"and check to make sure that only the key(s) you wanted were added.[root@localhost Desktop]# ls /root/.ssh/authorized_keys id_rsa id_rsa.pub known_hosts[root@localhost Desktop]# vim /etc/ssh/sshd_config --------------------------------------------------/authorized_keys ##查看解释 56 # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 57 # but this is overridden so installations will only check .ssh/authorized_keys 58 AuthorizedKeysFile .ssh/authorized_keys:wq--------------------------------------------------[root@localhost Desktop]# cat /root/.ssh/known_hosts 172.25.50.100 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHX+o9KAnlfw2dE7CsmM4hqfv1udM79a5NWC2BuWlmfKSwfYLptPQMJF8bnqaz0EjDlxCxRu/aito+GphPLzp/k=[root@localhost Desktop]# scp /root/.ssh/id_rsa root@172.25.50.250:/root/.ssh/The authenticity of host '172.25.50.250 (172.25.50.250)' can't be established.ECDSA key fingerprint is de:97:57:f9:3c:66:ed:4b:7c:9d:00:28:c2:33:1f:9b.Are you sure you want to continue connecting (yes/no)? 
yesWarning: Permanently added '172.25.50.250' (ECDSA) to the list of known hosts.root@172.25.50.250's password: id_rsa 100% 1679 1.6KB/s 00:00 [root@localhost Desktop]# cat /root/.ssh/known_hosts 172.25.50.100 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHX+o9KAnlfw2dE7CsmM4hqfv1udM79a5NWC2BuWlmfKSwfYLptPQMJF8bnqaz0EjDlxCxRu/aito+GphPLzp/k=172.25.50.250 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDrRBCFotaacwrRRPy27SsJTuIPW5AFe41r8VJEaX7N+rUEocdlASfAsVyyYQfHSC2LE8r8EqCyeoaUI20fUHK4=真机:[root@foundation50 Desktop]# ls /root/.ssh/id_rsa[root@foundation50 Desktop]# ssh root@172.25.50.100 ##第一次登陆要询问是否建立连接The authenticity of host '172.25.50.100 (172.25.50.100)' can't be established.ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.Are you sure you want to continue connecting (yes/no)? yesWarning: Permanently added '172.25.50.100' (ECDSA) to the list of known hosts.Last login: Thu Oct 13 22:00:13 2016 from 172.25.50.250[root@localhost ~]# exitlogoutConnection to 172.25.50.100 closed.[root@foundation50 Desktop]# ssh root@172.25.50.100 ##直接登陆Last login: Thu Oct 13 22:01:14 2016 from 172.25.50.250[root@localhost ~]# exitlogout[root@foundation50 Desktop]# ls /root/.ssh/id_rsa known_hosts[root@foundation50 Desktop]# cat /root/.ssh/known_hosts172.25.50.100 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHX+o9KAnlfw2dE7CsmM4hqfv1udM79a5NWC2BuWlmfKSwfYLptPQMJF8bnqaz0EjDlxCxRu/aito+GphPLzp/k=虚拟机:[root@localhost Desktop]# cat /root/.ssh/authorized_keys ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDXSB6ejnSiwy6OWS7bpBDI8PH5aaUeWhAeVvwbgHgLXCGOSPnb+6iH3WjdCyIY+QoHsFNQA4XyshN6xA6K1+X72Ntx2DeQSK4jyF1B5CEJ6oLJ9mhPI+jG1vwmJ6BIhGmdZ6dbOAf4c3yRqIEkBguG1KUJf/fhfT8CsK+pMsZ2dXb0+wcMhb//pYpqiaJTco/ncwPp3gZM5fepT9J3fvsca6p/QMGOq0aQvZjedBl77wgQ9XcI/utAHESEPBOTbx5PXWaka3xxZ/UoK5Q37DOfnpInLKDmlW0VoOINnx63QZAOGlFUwA4IPyavOUtv74NOpp7xLECLd+2RIMaIZ80B root@localhost[root@localhost Desktop]# cat 
/root/.ssh/id_rsa.pub ##id_rsa.pub和authorized_keys的内容一样ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDXSB6ejnSiwy6OWS7bpBDI8PH5aaUeWhAeVvwbgHgLXCGOSPnb+6iH3WjdCyIY+QoHsFNQA4XyshN6xA6K1+X72Ntx2DeQSK4jyF1B5CEJ6oLJ9mhPI+jG1vwmJ6BIhGmdZ6dbOAf4c3yRqIEkBguG1KUJf/fhfT8CsK+pMsZ2dXb0+wcMhb//pYpqiaJTco/ncwPp3gZM5fepT9J3fvsca6p/QMGOq0aQvZjedBl77wgQ9XcI/utAHESEPBOTbx5PXWaka3xxZ/UoK5Q37DOfnpInLKDmlW0VoOINnx63QZAOGlFUwA4IPyavOUtv74NOpp7xLECLd+2RIMaIZ80B root@localhost[root@localhost Desktop]# rm -fr /root/.ssh/authorized_keys ##删除认证key真机:[root@foundation50 Desktop]# ssh root@172.25.50.100root@172.25.50.100's password: ##变成密码登陆,证明认证key失效^C[root@foundation50 Desktop]# 虚拟机:[root@localhost Desktop]# cp /root/.ssh/id_rsa.pub /root/.ssh/authorized_keys ##复制认证key真机:[root@foundation50 Desktop]# ssh root@172.25.50.100 ##登陆成功Last login: Thu Oct 13 22:04:51 2016虚拟机:[root@localhost Desktop]# vim /etc/ssh/sshd_config -------------------------------------------------- 78 PasswordAuthentication no ##关闭密码认证方式:wq--------------------------------------------------[root@localhost Desktop]# systemctl restart sshd.service 真机:[root@foundation50 Desktop]# ssh student@172.25.50.100Permission denied (publickey,gssapi-keyex,gssapi-with-mic). ##student用户没有配置key认证,而密码认证又已关闭,所以被拒绝虚拟机:[root@localhost Desktop]# vim /etc/ssh/sshd_config -------------------------------------------------- 78 PasswordAuthentication yes ##启用密码认证方式:wq--------------------------------------------------[root@localhost Desktop]# systemctl restart sshd.service 真机:[root@foundation50 Desktop]# ssh student@172.25.50.100student@172.25.50.100's password: Last login: Thu Oct 13 22:05:53 2016 from 172.25.50.250[student@localhost ~]$ exitlogoutConnection to 172.25.50.100 closed.[root@foundation50 Desktop]# 虚拟机:[root@localhost Desktop]# man 5 sshd_config--------------------------------------------------/PermitRootLogin发现"The default is “yes”."q--------------------------------------------------[root@localhost Desktop]# vim /etc/ssh/sshd_config 
-------------------------------------------------- 48 PermitRootLogin no ##不允许root登陆:wq--------------------------------------------------[root@localhost ~]# systemctl restart sshd.service 真机:[root@foundation50 Desktop]# ssh root@172.25.50.100root@172.25.50.100's password: Permission denied, please try again. ##登陆失败root@172.25.50.100's password: [root@foundation50 Desktop]# 虚拟机:[root@localhost Desktop]# vim /etc/ssh/sshd_config -------------------------------------------------- 48 PermitRootLogin yes ##允许root登陆 49 AllowUsers root ##设置白名单,只允许"root"用户通过:wq--------------------------------------------------或者-------------------------------------------------- 48 PermitRootLogin yes ##允许root登陆 49 DenyUsers student ##设置黑名单,阻止"student"用户通过:wq--------------------------------------------------[root@localhost Desktop]# systemctl restart sshd.service真机:[root@foundation50 Desktop]# ssh root@172.25.50.100Last login: Thu Oct 13 22:07:46 2016 from 172.25.50.250 ##登陆成功[root@localhost ~]# exitlogoutConnection to 172.25.50.100 closed.[root@foundation50 Desktop]# ssh student@172.25.50.100 student@172.25.50.100's password: Permission denied, please try again. ##登陆失败student@172.25.50.100's password: ^C[root@foundation50 Desktop]# ########################################如果使用两台虚拟机做实验,为防止卡顿,建议在实验前改小虚拟机内存步骤如下:关闭虚拟机Applications-->Virtual Machine Manager-->双击"desktop"-->点击“灯泡”-->Memory-->将内存改为1024MB打开虚拟机####################