RH124-09 OpenSSH Service Configuration and Security

Chapter 9 OpenSSH Service Configuration and Security

9.1 Accessing the remote command line via ssh

OpenSSH provides a secure remote shell for administering remote Linux and Unix systems.

OpenSSH uses asymmetric (public-key) cryptography to protect the data it transmits.

$ ssh remotehost

$ ssh remoteuser@remotehost    or    ssh -l remoteuser remotehost

$ ssh remoteuser@remotehost remote-command

$ w -f

Related files:

When the client logs in to a remote machine for the first time, it stores that machine's host public key in ~/.ssh/known_hosts. On every later login to the same server it compares the public key presented by the remote machine with the copy saved locally; if they differ, the connection is aborted. This stops an attacker from impersonating the server.

The server keeps its own host key pairs (public and private) in /etc/ssh/*key*.
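The comparison ssh performs against known_hosts, reproduced offline as an added example (not part of the RH124 material): it looks up the pinned key for a host name or address in a plain-text known_hosts file and compares it with the server's /etc/ssh/ssh_host_*_key.pub. The file names and key blobs are constructed for the demo.

```shell
# known_host_key FILE HOST -> prints "<keytype> <base64 key>" pinned for HOST, or nothing
known_host_key() {
    awk -v host="$2" '
        /^[ \t]*(#|$)/ { next }            # comments and blank lines
        substr($1, 1, 1) == "@" { next }   # @cert-authority / @revoked markers
        {
            n = split($1, names, ",")      # "server0,172.25.0.11" lists several names
            for (i = 1; i <= n; i++) {
                if (names[i] == host) { print $2, $3; exit }
            }
        }' "$1"
}

# verify_host_key KNOWN_HOSTS HOST SERVER_PUBKEY_FILE
# exit status: 0 = matches, 1 = host known but key differs (what ssh warns about),
#              2 = no entry (ssh would show the first-login fingerprint prompt)
verify_host_key() {
    pinned=$(known_host_key "$1" "$2")
    [ -n "$pinned" ] || { echo "$2: not in $1, first login would prompt"; return 2; }
    actual=$(awk '{ print $1, $2; exit }' "$3")
    if [ "$pinned" = "$actual" ]; then
        echo "$2: host key matches known_hosts"; return 0
    fi
    echo "$2: HOST KEY CHANGED - possible impersonation or reinstalled server"; return 1
}

# Constructed sample data with short fake key blobs (not real keys).
tmp=$(mktemp -d)
printf 'ecdsa-sha2-nistp256 AAAAconstructedServerKey= root@server0\n' > "$tmp/ssh_host_ecdsa_key.pub"
printf 'ecdsa-sha2-nistp256 AAAAconstructedOtherKey= root@other\n' > "$tmp/rogue_key.pub"
cat > "$tmp/known_hosts" <<'EOF'
# entry as ssh writes it after the user answered "yes" to the fingerprint prompt
server0,172.25.0.11 ecdsa-sha2-nistp256 AAAAconstructedServerKey=
EOF
verify_host_key "$tmp/known_hosts" server0 "$tmp/ssh_host_ecdsa_key.pub" || echo "  status $?"
verify_host_key "$tmp/known_hosts" 172.25.0.11 "$tmp/rogue_key.pub" || echo "  status $?"
verify_host_key "$tmp/known_hosts" server1 "$tmp/ssh_host_ecdsa_key.pub" || echo "  status $?"
rm -rf "$tmp"
```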

9.2 Configuring ssh key-based authentication

By default, logging in to a remote system via ssh requires an account and password on that system. To reduce the chance of a password being leaked and to make logging in more convenient, key-based authentication can be used instead.

1) The client generates a key pair

$ ssh-keygen -t rsa

Press Enter at every prompt; nothing needs to be typed.

2) The client sends its public key to the remote system

$ ssh-copy-id -i ~/.ssh/id_rsa.pub  server0

$ ssh-copy-id -i ~/.ssh/id_rsa.pub  root@server0

3) Log in

$  ssh server0

Result: the password check is skipped and you are logged straight in to the remote system.
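The most common reason the procedure above still ends in a password prompt is file permissions: with its default StrictModes, sshd ignores authorized_keys when the home directory, ~/.ssh or the file itself is writable by group or others, and the ssh client refuses a private key that group or others can access. This added checker (not part of the course material; it parses ls -ld so it is portable) reports both mistakes on a constructed demo directory.

```shell
# mode_chars FILE POSITIONS -> selected characters of the ls(1) mode string
# (positions 6 and 9 are the group/other write bits, 5-10 are all group/other bits)
mode_chars() {
    ls -ld "$1" | cut -c"$2"
}

# check_ssh_dir SSHDIR -> prints OK/BAD per item, returns 1 if anything is BAD
check_ssh_dir() {
    sshdir=$1
    status=0
    # home, ~/.ssh and authorized_keys must not be group/other writable (StrictModes)
    for item in "$(dirname "$sshdir")" "$sshdir" "$sshdir/authorized_keys"; do
        [ -e "$item" ] || continue
        if [ "$(mode_chars "$item" 6,9)" = "--" ]; then
            echo "OK  $item"
        else
            echo "BAD $item is group/other writable"; status=1
        fi
    done
    # private keys must have no group/other bits at all, or ssh refuses to load them
    for key in "$sshdir"/id_*; do
        [ -f "$key" ] || continue
        case "$key" in *.pub) continue ;; esac
        if [ "$(mode_chars "$key" 5-10)" = "------" ]; then
            echo "OK  $key"
        else
            echo "BAD $key is accessible by group/others"; status=1
        fi
    done
    return $status
}

# Constructed demo home directory reproducing both mistakes.
demo=$(mktemp -d)
mkdir -m 700 "$demo/.ssh"
printf 'ssh-rsa AAAAconstructed== student@desktop0\n' > "$demo/.ssh/authorized_keys"
printf 'constructed private key, not a real key\n' > "$demo/.ssh/id_rsa"
chmod 664 "$demo/.ssh/authorized_keys"   # group-writable: sshd will ignore it
chmod 644 "$demo/.ssh/id_rsa"            # world-readable: ssh refuses to use it
check_ssh_dir "$demo/.ssh" || echo "fix with: chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys ~/.ssh/id_rsa"
chmod 600 "$demo/.ssh/authorized_keys" "$demo/.ssh/id_rsa"
check_ssh_dir "$demo/.ssh" && echo "all permissions acceptable"
rm -rf "$demo"
```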

9.3 Customising and tuning the ssh service configuration

How do you find the sshd service's configuration file?

Some security options you need to know:

PermitRootLogin yes|no  Whether root may log in to this host via ssh.

PermitRootLogin without-password  Only allow root to log in via ssh with key-based authentication; this has no effect on other users.

PasswordAuthentication yes|no  The default is yes, which allows password logins via ssh. If set to no, only key-based authentication can be used to log in; this applies to all users.
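Two sshd_config rules matter when auditing these options: a line that still starts with "#" is a comment and has no effect, and sshd uses the first value it reads for a keyword. The checker below is an added helper for these notes (not from the course); it reads only the global section before any Match block, and the defaults passed in are those of the OpenSSH 6.x shipped with RHEL 7 (newer releases default PermitRootLogin to prohibit-password). It is run on two constructed config fragments, a weak one and a corrected one.

```shell
# sshd_effective CONFIG KEYWORD DEFAULT -> prints the value sshd will use for KEYWORD
sshd_effective() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key); found = 0 }
        /^[ \t]*(#|$)/ { next }               # comment or blank line: no effect
        tolower($1) == "match" { exit }       # conditional section starts; stop here
        {
            kw = $1; sub(/=.*/, "", kw)       # accept "Keyword value" and "Keyword=value"
            if (tolower(kw) == key) {
                val = $0
                sub(/^[ \t]*[^ \t=]+[ \t]*=?[ \t]*/, "", val)
                sub(/[ \t]+$/, "", val)
                print val; found = 1; exit    # first value wins, later ones are ignored
            }
        }
        END { if (!found) print def }' "$1"
}

# audit_sshd CONFIG -> prints the two effective values, returns 1 if a weak setting is active
audit_sshd() {
    status=0
    root=$(sshd_effective "$1" PermitRootLogin yes)
    pw=$(sshd_effective "$1" PasswordAuthentication yes)
    echo "PermitRootLogin=$root PasswordAuthentication=$pw"
    case "$root" in no|without-password|prohibit-password) ;; *) status=1 ;; esac
    [ "$pw" = "no" ] || status=1
    return $status
}

# Constructed config fragments: the edit from the notes, and a corrected one.
tmp=$(mktemp -d)
cat > "$tmp/weak" <<'EOF'
# line 48 was edited but left commented out, so nothing changed
#PermitRootLogin no
#PasswordAuthentication yes
EOF
cat > "$tmp/hardened" <<'EOF'
PermitRootLogin without-password
PasswordAuthentication no
# a second occurrence further down is ignored because sshd keeps the first value
PasswordAuthentication yes
EOF
audit_sshd "$tmp/weak" || echo "  -> weak: both directives are still at their defaults"
audit_sshd "$tmp/hardened" && echo "  -> hardened"
rm -rf "$tmp"
```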

Notes:

9.1

Method 1: on the first login you are asked to save the public key sent by the remote host

[root@desktop0 ~]# ssh server0        # log in to server0
root@server0's password:
Last login: Sat Jun  3 10:43:43 2017 from desktop0.example.com
[root@server0 ~]#

[root@desktop0 ~]# host server0       # prerequisite for logging in: the name must resolve to an IP address
server0.example.com has address 172.25.0.11
[root@desktop0 ~]# ssh 172.25.0.11    # you can also log in using the IP address directly
root@172.25.0.11's password:
Last login: Sat Jun  3 10:44:08 2017 from desktop0.example.com
[root@server0 ~]#

Method 2:

[root@desktop0 ~]# ssh student@server0
The authenticity of host 'server0 (172.25.0.11)' can't be established.
ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server0,172.25.0.11' (ECDSA) to the list of known hosts.
student@server0's password:
Last login: Thu May 11 11:57:56 2017
[student@server0 ~]$

[root@desktop0 ~]# ssh root@server0
root@server0's password:
Last login: Sat Jun  3 10:45:43 2017 from desktop0.example.com
[root@server0 ~]#

Method 3:

[root@server0 ~]# ssh 172.25.0.11 -l root      # -l stands for the login name
root@172.25.0.11's password:
Last login: Sat Jun  3 10:49:27 2017 from server0.example.com
[root@server0 ~]#

[root@server0 ~]# ssh server0 -l student
student@server0's password:
Last login: Sat Jun  3 10:48:49 2017 from server0.example.com
[student@server0 ~]$

Running just one command on the remote host and getting its output back, for example the hostname, or a shutdown:

[root@desktop0 ~]# ssh root@server0 hostname
root@server0's password:
server0.example.com
[root@desktop0 ~]#

[root@server0 ~]# w -f             # shows who is logged in to this machine; a FROM of :0 means the graphical console
11:01:53 up 23 min,  3 users,  load average: 0.00, 0.02, 0.08
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    desktop0.example 10:45    1.00s  0.24s  0.16s ssh root@server0
root     pts/1    server0.example. 10:49    1.00s  0.15s  0.02s w -f
[root@server0 ~]#

[student@desktop0 Desktop]$ ssh root@server0
The authenticity of host 'server0 (172.25.0.11)' can't be established.
ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server0,172.25.0.11' (ECDSA) to the list of known hosts.
root@server0's password:
Last login: Sat Jun  3 10:50:21 2017 from server0.example.com
[root@server0 ~]# ls /etc/ssh/*key*        # the host keys stored on server0
/etc/ssh/ssh_host_ecdsa_key      /etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_ecdsa_key.pub  /etc/ssh/ssh_host_rsa_key.pub
[root@server0 ~]#
[root@server0 ~]# cat /etc/ssh/ssh_host_ecdsa_key.pub
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHX+o9KAnlfw2dE7CsmM4hqfv1udM79a5NWC2BuWlmfKSwfYLptPQMJF8bnqaz0EjDlxCxRu/aito+GphPLzp/k=
[root@server0 ~]# logout
Connection to server0 closed.
[student@desktop0 Desktop]$ grep server0 ~/.ssh/known_hosts        # where the local client stores the server's public key
server0,172.25.0.11 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHX+o9KAnlfw2dE7CsmM4hqfv1udM79a5NWC2BuWlmfKSwfYLptPQMJF8bnqaz0EjDlxCxRu/aito+GphPLzp/k=
[student@desktop0 Desktop]$

9.2   Demonstrating the whole process

[student@desktop0 Desktop]$ :> ~/.ssh/known_hosts     # empty the file
[student@desktop0 Desktop]$ cat ~/.ssh/known_hosts
[student@desktop0 Desktop]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/student/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/student/.ssh/id_rsa.
Your public key has been saved in /home/student/.ssh/id_rsa.pub.
The key fingerprint is:
65:09:74:d4:45:2b:86:7d:11:6e:96:0a:2d:b9:ce:81 student@desktop0.example.com
The key's randomart image is:
+--[ RSA 2048]----+
|       .o.o. o=. |
|         o *.. + |
|          O = B  |
|         + = *   |
|        E o .    |
|         o .     |
|          o      |
|                 |
|                 |
+-----------------+
[student@desktop0 Desktop]$
[student@desktop0 Desktop]$ ls /home/student/.ssh/
authorized_keys  id_rsa  id_rsa.pub  known_hosts
[student@desktop0 Desktop]$

ssh-copy-id -i ~/.ssh/id_rsa.pub server0    # installs the public key on server0, so later logins no longer ask for the password

[student@desktop0 Desktop]$ ssh-copy-id -i ~/.ssh/id_rsa.pub root@server0
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@server0's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@server0'"
and check to make sure that only the key(s) you wanted were added.

[student@desktop0 Desktop]$ ssh root@server0
Last login: Sat Jun  3 11:10:04 2017 from desktop0.example.com
[root@server0 ~]#
[root@server0 ~]# cat /root/.ssh/authorized_keys   # the copied public key is stored here!!

9.3

Changing the SSH configuration

[root@server0 Desktop]# vim /etc/ssh/sshd_config
Line 48:
#PermitRootLogin no
[root@server0 Desktop]# systemctl restart sshd   # restart for the change to take effect / this experiment did not succeed; in production the administrator's login is disabled

After clearing known_hosts, log in from desktop to server again; it reports that it is not allowed

[root@desktop0 Desktop]#  :> ~/.ssh/known_hosts
[root@desktop0 Desktop]# ssh root@server0
The authenticity of host 'server0 (172.25.0.11)' can't be established.
ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server0,172.25.0.11' (ECDSA) to the list of known hosts.
Last login: Sat Jun  3 12:09:25 2017 from desktop0.example.com
[root@server0 ~]#

9.3 Summary

All changes are made in this file: vim /etc/ssh/sshd_config

PermitRootLogin yes|no  Whether root may log in to this host via ssh.

PermitRootLogin without-password  Only allow root to log in via ssh with key-based authentication; this has no effect on other users.

PasswordAuthentication yes|no  The default is yes, which allows password logins via ssh. If set to no, only key-based authentication can be used to log in; this applies to all users.

Time: 2024-08-18 16:21:55
