SSH (Secure Shell) is a secure channel protocol used mainly for remote login to a text-mode interface, remote file copying and similar tasks. The SSH protocol encrypts all data exchanged between the two communicating parties, including the password you type when logging in. Compared with earlier applications such as telnet remote login, RSH remote command execution and RCP remote file copying, SSH provides far better security.
OpenSSH is the open-source project that implements the SSH protocol and runs on all kinds of UNIX and Linux systems. For more about the OpenSSH project, visit its website, http://www.openssh.com.
OpenSSH follows the typical client/server (C/S) architecture and is a very practical network security solution.
OpenSSH login authentication methods:
- Password authentication: verifies the login name and password of a local system user on the server. This is the simplest method to use, but from the client's point of view the server it is connecting to may be impersonated, and from the server's point of view the defence against password-guessing (brute-force) attacks is comparatively weak.
- Key-pair authentication: requires matching key material before authentication succeeds. Usually you first create a pair of key files (a public key and a private key) on the client, then place the public-key file in the designated location on the server. At remote login time the system uses the public and private keys for an encrypt/decrypt challenge, which greatly improves the security of remote administration.
When both password authentication and key-pair authentication are enabled, the server will use key-pair authentication first.
In the configuration file /etc/ssh/sshd_config:
PasswordAuthentication enables password authentication
PubkeyAuthentication enables key-pair authentication
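As an added example (not code from the original post), the POSIX shell script below resolves the effective value of these two keywords from sshd_config text the way sshd itself does: comment lines are ignored, the first uncommented occurrence of a keyword wins and later duplicates are silently ignored, and an absent keyword takes the OpenSSH default (yes for both). The sample configuration inside it is constructed to resemble the post's server file, including a commented-out line and a duplicate keyword, so the first-match rule is visible. On the statement that the server uses key-pair authentication first: with both methods enabled the server offers both, and it is the client's default PreferredAuthentications order that tries publickey before password.

```shell
#!/bin/sh
# Added example, not part of the original post: resolve sshd_config keywords
# the way sshd does (first uncommented match wins; later duplicates ignored).

# Constructed sample config modelled on the post's server file. Note the
# commented-out PasswordAuthentication line and the duplicate at the end.
SAMPLE_SSHD_CONFIG='Port 22
ListenAddress 192.168.100.100
#PasswordAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
PasswordAuthentication yes
'

# sshd_value <keyword> <config-text>
# Prints the effective value of <keyword>: comments and blank lines are
# skipped, keyword matching is case-insensitive as in sshd, the first match
# wins, and the OpenSSH default applies when the keyword is absent.
sshd_value() {
    kw=$1
    cfg=$2
    val=$(printf '%s\n' "$cfg" | awk -v kw="$kw" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }              # skip comments/blank
        tolower($1) == tolower(kw) { print $2; exit }  # first match wins
    ')
    if [ -z "$val" ]; then
        case $(printf '%s' "$kw" | tr 'A-Z' 'a-z') in
            passwordauthentication) val=yes ;;   # OpenSSH default
            pubkeyauthentication)   val=yes ;;   # OpenSSH default
            *) val=UNSET ;;                      # no default known here
        esac
    fi
    printf '%s\n' "$val"
}

# auth_summary <config-text>
# One-line summary of which login methods the file leaves enabled.
auth_summary() {
    pw=$(sshd_value PasswordAuthentication "$1")
    pk=$(sshd_value PubkeyAuthentication "$1")
    printf 'password=%s pubkey=%s\n' "$pw" "$pk"
}

# Because the first uncommented PasswordAuthentication line says "no",
# the trailing "yes" is ignored: password=no pubkey=yes
auth_summary "$SAMPLE_SSHD_CONFIG"
```

On a live system `sshd -T` prints the same effective values; the script is for reviewing a file offline or one copied from another host.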
Lab environment and requirements
Prepare two Linux systems, a server and a client, and add an ordinary user on each: zhangsan and lisi respectively. Give the ordinary user zhangsan the right to use ifconfig; generate a key pair as the ordinary user lisi and upload its public key to zhangsan for OpenSSH key-pair authentication.
Server configuration
[root@local ~]# useradd zhangsan //create the zhangsan user
[root@local ~]# echo "123" | passwd --stdin zhangsan //set its password
[root@local ~]# vim /etc/pam.d/su //edit the authentication configuration for su
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth required pam_wheel.so use_uid //enable this line; ordinary users (anyone not in the wheel group) can then no longer switch to root with su
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so
[root@local ~]# vi /etc/ssh/sshd_config //edit a few settings of the sshd service
Port 22
#AddressFamily any
ListenAddress 192.168.100.100
#ListenAddress ::
PubkeyAuthentication yes //enable key-pair login
AuthorizedKeysFile .ssh/authorized_keys //public-key data file: stores the public-key text uploaded by clients so it can be matched against the client's local private-key file
[root@local ~]# service sshd restart
停止 sshd: [確定]
正在啓動 sshd: [確定]
[root@local ~]# su - zhangsan //switch to the ordinary user
[zhangsan@local ~]$ su - root //try to switch to the administrator user
密碼: //because the authentication configuration was changed above, this is rejected even when the correct password is typed
su: 密碼不正確
[zhangsan@local ~]$ exit //leave the ordinary user's shell
Logout
[root@local ~]# visudo //grant the ordinary user privileges
Press Shift+G (capital G) to jump to the end of the file and add the following lines:
zhangsan local=/sbin/ifconfig //grant the zhangsan user the right to run ifconfig (on the host named local)
%wheel ALL=NOPASSWD: ALL //members of wheel need no password
[root@local ~]# su - zhangsan
[zhangsan@local ~]$ ifconfig //the zhangsan user is allowed to use the ifconfig command
eth0 Link encap:Ethernet HWaddr 00:0C:29:4B:1E:4E
inet addr:192.168.100.100 Bcast:192.168.100.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe4b:1e4e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1797 errors:0 dropped:0 overruns:0 frame:0
TX packets:1401 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:171259 (167.2 KiB) TX bytes:192192 (187.6 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:80 errors:0 dropped:0 overruns:0 frame:0
TX packets:80 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:5928 (5.7 KiB) TX bytes:5928 (5.7 KiB)
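The script below is an added example, not part of the original post. It audits the two server-side controls configured above from file contents passed in as text, so it runs offline: whether /etc/pam.d/su enforces pam_wheel.so with the required control flag (only the simple "auth required ..." form is recognised, not the bracketed control syntax), what sudoers grants to a given user, and which principals hold NOPASSWD: ALL on every host, the rule worth flagging in review because any compromised wheel account then becomes root without a prompt. The sample file contents are constructed to match the post's files. One caveat on the ifconfig test that follows the sudoers edit: the rule `zhangsan local=/sbin/ifconfig` only takes effect when zhangsan runs the command through sudo; running ifconfig directly, as the post does, works for any unprivileged user because merely displaying interface state needs no privilege.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the su restriction
# (pam_wheel) and the sudoers rules from file text supplied as arguments.

# Constructed sample contents matching the post's /etc/pam.d/su edit.
SAMPLE_PAM_SU='#%PAM-1.0
auth sufficient pam_rootok.so
#auth sufficient pam_wheel.so trust use_uid
auth required pam_wheel.so use_uid
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
'

# Constructed sample sudoers matching the lines the post adds with visudo.
SAMPLE_SUDOERS='root ALL=(ALL) ALL
zhangsan local=/sbin/ifconfig
%wheel ALL=NOPASSWD: ALL
'

# su_restricted_to_wheel <pam-su-text>
# Returns 0 when an uncommented "auth required|requisite pam_wheel.so" line
# is present, i.e. users outside the wheel group cannot su to root at all.
# A "sufficient ... trust" line alone does not restrict anyone; it only
# lets wheel members skip the password.
su_restricted_to_wheel() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }
        $1 == "auth" && ($2 == "required" || $2 == "requisite") &&
        $3 == "pam_wheel.so" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# sudo_rules_for <user-or-%group> <sudoers-text>
# Prints the part after "Host=" of every rule for that principal.
sudo_rules_for() {
    printf '%s\n' "$2" | awk -v who="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 == who { sub(/^[^=]*=/, ""); print }'
}

# broad_nopasswd_rules <sudoers-text>
# Prints principals granted "NOPASSWD: ALL" on ALL hosts: the rule a
# reviewer should flag, since any compromised member becomes root silently.
broad_nopasswd_rules() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $2 ~ /^ALL=/ && $0 ~ /NOPASSWD:[ \t]*ALL[ \t]*$/ { print $1 }'
}

# audit: human-readable summary over the constructed samples
audit() {
    if su_restricted_to_wheel "$SAMPLE_PAM_SU"; then
        echo "su to root: limited to wheel members"
    else
        echo "su to root: open to any user who knows the root password"
    fi
    echo "zhangsan may run via sudo: $(sudo_rules_for zhangsan "$SAMPLE_SUDOERS")"
    echo "NOPASSWD: ALL holders: $(broad_nopasswd_rules "$SAMPLE_SUDOERS")"
}

audit
```

Against the post's files the summary reports su limited to wheel, zhangsan allowed /sbin/ifconfig, and %wheel as the only holder of NOPASSWD: ALL.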
Client configuration and verification
1. Log in to the server as the root administrator
[root@root ~]# ssh root@192.168.100.100
root@192.168.100.100's password: //type the server's administrator password
Last login: Tue Aug 18 11:27:47 2015 from 192.168.100.1
[root@local ~]# id zhangsan //verify: look up the zhangsan user on the server
uid=500(zhangsan) gid=500(zhangsan) 組=500(zhangsan)
[root@local ~]#
2. Log in to the server as the ordinary user zhangsan
[root@root ~]# ssh zhangsan@192.168.100.100
The authenticity of host '192.168.100.100 (192.168.100.100)' can't be established.
RSA key fingerprint is c5:0c:2a:f9:56:53:0a:28:f1:60:c9:a7:37:0c:8c:bc.
Are you sure you want to continue connecting (yes/no)? yes //type yes
Warning: Permanently added '192.168.100.100' (RSA) to the list of known hosts.
zhangsan@192.168.100.100's password: //type zhangsan's password
[zhangsan@local ~]$ su - root
密碼:
su: 密碼不正確
[zhangsan@local ~]$
[root@root ~]# useradd lisi //add the user (on the client)
[root@root ~]# echo "123" | passwd --stdin lisi
更改用戶 lisi 的密碼 。
passwd: 所有的身份驗證令牌已經成功更新。
[root@root ~]# su - lisi
[lisi@root ~]$ whoami //verify the current user (use /sbin/ifconfig eth0 | grep "inet addr" to confirm this host's IP)
lisi
[lisi@root ~]$ ssh-keygen -t rsa //create the key pair
Generating public/private rsa key pair.
Enter file in which to save the key (/home/lisi/.ssh/id_rsa): //press Enter
Created directory '/home/lisi/.ssh'.
Enter passphrase (empty for no passphrase): //type a passphrase for the key (if you leave it empty, you can later log in without being asked for one)
Enter same passphrase again: //type it again to confirm
Your identification has been saved in /home/lisi/.ssh/id_rsa.
Your public key has been saved in /home/lisi/.ssh/id_rsa.pub.
The key fingerprint is:
fe:fa:38:6d:fa:33:76:8b:f1:74:0a:15:f4:35:1a:2e lisi@root
The key's randomart image is:
+--[ RSA 2048]----+
| .. ..|
| ...o..|
| E.o. |
| .. |
| S . |
| . . |
| ..o . . |
| .o**.o |
| +O=++. |
+-----------------+
[lisi@root ~]$ ls -lh ~/.ssh/ //look at the key files
總用量 8.0K
-rw-------. 1 lisi lisi 1.8K 8月 18 10:27 id_rsa
-rw-r--r--. 1 lisi lisi 391 8月 18 10:27 id_rsa.pub
[lisi@root ~]$ ssh-copy-id -i ~/.ssh/id_rsa.pub zhangsan@192.168.100.100 //upload the public key to the server
zhangsan@192.168.100.100's password: //type zhangsan's password
Now try logging into the machine, with "ssh 'zhangsan@192.168.100.100'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[lisi@root ~]$ ssh zhangsan@192.168.100.100 //log in to the server remotely
Enter passphrase for key '/home/lisi/.ssh/id_rsa': //type the key passphrase
Last login: Tue Aug 18 11:55:17 2015 from 192.168.100.200
[zhangsan@local ~]$ tail -1 /home/zhangsan/.ssh/authorized_keys //look at the key file
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6zgczGUPFwmlq4U/abvVjr3lNyAheLUWcrWY9f/IU5BhjimfP+yJa3eDW/6fx2b1ApbA0E5M2oDUFxer5YW9dNJgYBK9k1E2SU7tJ8GkF+7Hdb4hPYFnE4B3/oEkNIA1Cp76eOH6969zNo1Bn4zDvZpISVvoS3GCKvxVwH9Twqway8RneUBcjnj5FlJ06Jhdo+mbx8FtrEWKF3quCvx3ai0QhlCrfdyLEI//4f8tWk6DlsryUa7Ovjxlp5Lja4/Hukgny9f72ASsM3/9VbyCFQdx1D/ff5MhCbjHMroMvg+iPwCiQiafj7Sn9EAH+NhN6bxq0LaT4Tvs6Q9D3Og9Pw== lisi@root //the trailing comment shows which client user uploaded this public key (the client's lisi user)
[zhangsan@local ~]$ ifconfig //permission test for the server's zhangsan user
eth0 Link encap:Ethernet HWaddr 00:0C:29:4B:1E:4E
inet addr:192.168.100.100 Bcast:192.168.100.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe4b:1e4e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2827 errors:0 dropped:0 overruns:0 frame:0
TX packets:2137 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:278119 (271.6 KiB) TX bytes:290533 (283.7 KiB)
[zhangsan@local ~]$ su - root
密碼:
su: 密碼不正確
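As an added example (not from the original post), the script below performs the check the ssh-copy-id message asks for on the server side. It verifies that the target user's ~/.ssh directory and authorized_keys file are not group- or world-writable, which is what sshd's StrictModes (on by default) requires before it will honour the file at all, and then lists every key by type and comment, so a key whose comment is not the expected lisi@root, or a malformed line, stands out. Ownership is not checked here. The fixture is built in a temporary directory with constructed placeholder key bodies; the helper names and the fixture contents are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original post: StrictModes-style permission
# check on ~/.ssh plus an inventory of authorized_keys entries.

# perm_of <path>: octal permission bits (GNU stat, with a BSD fallback)
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# group_or_world_writable <path>: returns 0 when the group or other write
# bit is set (last two octal digits contain 2, 3, 6 or 7).
group_or_world_writable() {
    m=$(perm_of "$1")
    g=$(printf '%s' "$m" | sed 's/.*\(.\).$/\1/')
    o=$(printf '%s' "$m" | sed 's/.*\(.\)$/\1/')
    case "$g$o" in
        *[2367]*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_ssh_dir <home>
# Returns 0 when <home>/.ssh and its authorized_keys exist and neither is
# group/world writable; prints each problem found. sshd with StrictModes
# silently ignores the keys otherwise, which shows up as a password prompt.
check_ssh_dir() {
    d="$1/.ssh"
    f="$d/authorized_keys"
    rc=0
    [ -d "$d" ] || { echo "missing: $d"; return 1; }
    if group_or_world_writable "$d"; then
        echo "$d is group/world writable ($(perm_of "$d")); want 700"; rc=1
    fi
    if [ -f "$f" ]; then
        if group_or_world_writable "$f"; then
            echo "$f is group/world writable ($(perm_of "$f")); want 600"; rc=1
        fi
    else
        echo "missing: $f"; rc=1
    fi
    return $rc
}

# list_keys <authorized_keys-file>
# Prints "<type> <comment>" for each well-formed key line (leading options
# such as from="..." are not handled) and "MALFORMED: <line>" for the rest.
list_keys() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        ($1 == "ssh-rsa" || $1 == "ssh-ed25519" || $1 ~ /^ecdsa-sha2-/) &&
        $2 ~ /^[A-Za-z0-9+\/]+=*$/ { print $1, ($3 == "" ? "(no comment)" : $3); next }
        { print "MALFORMED:", $0 }' "$1"
}

# count_keys <authorized_keys-file>: number of well-formed key lines
count_keys() {
    list_keys "$1" | awk '!/^MALFORMED:/ { n++ } END { print n + 0 }'
}

# make_fixture: constructed stand-in for zhangsan's home after the post's
# ssh-copy-id, plus one unexpected key and one stray line. Key bodies are
# placeholders, not real keys. Prints the fixture path.
make_fixture() {
    tmp=$(mktemp -d)
    mkdir -m 700 "$tmp/.ssh"
    printf '%s\n' \
      'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAconstructedKeyBody0123456789+/abc== lisi@root' \
      'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedBody0123456789abcdefg unknown@nowhere' \
      'not a key line' > "$tmp/.ssh/authorized_keys"
    chmod 600 "$tmp/.ssh/authorized_keys"
    printf '%s\n' "$tmp"
}

HOME_FIXTURE=$(make_fixture)
check_ssh_dir "$HOME_FIXTURE" && echo "permissions ok"
list_keys "$HOME_FIXTURE/.ssh/authorized_keys"
echo "well-formed keys: $(count_keys "$HOME_FIXTURE/.ssh/authorized_keys")"
rm -rf "$HOME_FIXTURE"
```

Run against the fixture it reports the permissions as fine, lists `ssh-rsa lisi@root` and the unexpected `ssh-ed25519 unknown@nowhere`, flags the stray line as malformed, and counts two well-formed keys; pointing `check_ssh_dir` and `list_keys` at /home/zhangsan on the server gives the same review of the real file.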