Linux下ftp和ssh详解

时间:2023-11-12 13:32:26

学习了几天Linux下ftp和ssh的搭建和使用,故记录一下。学习ftp和ssh的主要目的是为了连接远程主机,并且进行文件传输。废话不多说,直接开讲!

ftp服务器

1. 环境搭建

本人的系统是Archlinux,我是基于vsftpd来搭建的,首先需要安装它: pacman -S vsftpd

接着对其配置文件进行编辑,打开/etc/vsftpd.conf(也可能在/etc/vsftdp/.vsftpd.conf)

以下是我的配置文件内容:

# Example config file /etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf. for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf. manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
#local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is . You may wish to change this to ,
# if your users expect that ( is used by most other ftpd's)
#local_umask=
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
anon_upload_enable=YES
anon_other_write_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
#dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
#xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
#xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
#chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd with two configuration files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES
anon_root=/var/ftp

在以上的配置文件中,我们允许匿名用户登录,并且其有删除和上传的权限,不过这些操作仅限于在权限为777的目录下进行。我们配置匿名用户默认进入的目录为/var/ftp,此外,我们要创建一个目录upload权限为777,匿名用户可以在其中任意的操作文件。这些操作如下(本机中):

mkdir -p /var/upload

chmod /var/ftp/upload

至此,我们的环境搭建完成。

2. 使用示例

首先,配置好ftp服务器之后,需要重启,Archlinux下是

system restart vsftpd

Linux下ftp和ssh详解

其中,172.17.23.164是要连接的ftp服务器的IP地址

接着我们匿名登录,即用户名为anonymous,密码为空即可

Linux下ftp和ssh详解

这里我们用到了一些基本的命令,ls,cd等,put、get为上传/下载命令,这些百度都能轻易得知。

上图可知,我们能够在upload目录中随意操作!

ssh服务器

1. 环境搭配

安装openssh,Archlinux下直接:

pacman -S openssh

它的配置文件为/etc/ssh/sshd_config,配置后如下:

#    $OpenBSD: sshd_config,v 1.101 // :: djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config() for more information. # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin # The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value. Port
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress :: #HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key # Ciphers and keying
#RekeyLimit default none # Logging
#SyslogFacility AUTH
#LogLevel INFO # Authentication: #LoginGraceTime 2m
PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries
#MaxSessions #PubkeyAuthentication yes # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys #AuthorizedPrincipalsFile none #AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no # Change to no to disable s/key passwords
ChallengeResponseAuthentication no # Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no # GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes # Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes #AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no # pam does that
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval
#ClientAliveCountMax
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups ::
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none # no default banner path
#Banner none # override default of no subsystems
Subsystem sftp /usr/lib/ssh/sftp-server # Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server

这里需要注意的是:

1. 打开port端口,将Port 22注释去除

2. 设置允许以root登录,将PermitRootLogin prohibit-password的注释去除

至此,最简单的配置完成了!

2. 密钥

一般而言,如果知道远程服务器的ip地址(假设是1.1.1.1)以及其某个用户(假设是root)的密码为000000,则可以直接:

ssh root@1.1.1.1

接着根据提示输入密码即可

但是每次都要输入密码未免太烦,于是可以采用ssh密钥机制

将ssh密钥理解为指纹,客户端的指纹在服务器端留下备份,访问的时候服务器查看客户端指纹,发现存在列表中,就可以免去登录了。

要做到这些,首先需要生成客户端自己的指纹:

ssh-keygen -t rsa

一路回车,会看到在.ssh目录下生成了密钥id_rsa和公钥id_rsa.pub,接着需要将公钥上传至服务器主机.ssh下authorized_keys中即可

一种做法是:

scp .ssh/id_rsa.pub root@1.1.1.1:/root/

这个命令将公钥上传到了服务器的/root目录下,接着进入服务器(输密码):

echo id_rsa.pub >> .ssh/authorized_keys