SSH-based secure remote login

I. SSH: Secure Shell

Software tools that implement it
1. OpenSSH: installed by default on CentOS

Related packages:

  • openssh
  • openssh-clients
  • openssh-server

Configuration files:
Client: /etc/ssh/ssh_config
Server: /etc/ssh/sshd_config

2. Dropbear: an open-source alternative

Client/server (C/S) architecture
Linux clients: ssh, scp, sftp, slogin
Windows clients: xshell, putty, securecrt, sshsecureshellclient
Server: sshd

II. OpenSSH

Files in the configuration directory: where the server's private and public host keys are stored

[root@CentOS7 ~]#ll /etc/ssh/
total 604
-rw-r--r--. 1 root root     581843 Apr 11  2018 moduli
-rw-r--r--  1 root root       2305 Jul 16 20:09 ssh_config
-rw-------. 1 root root       3907 Apr 11  2018 sshd_config
-rw-r-----. 1 root ssh_keys    227 May 11 14:22 ssh_host_ecdsa_key
-rw-r--r--. 1 root root        162 May 11 14:22 ssh_host_ecdsa_key.pub
-rw-r-----. 1 root ssh_keys    387 May 11 14:22 ssh_host_ed25519_key
-rw-r--r--. 1 root root         82 May 11 14:22 ssh_host_ed25519_key.pub
-rw-r-----. 1 root ssh_keys   1675 May 11 14:22 ssh_host_rsa_key # private key file, server-level (host) private key
-rw-r--r--. 1 root root        382 May 11 14:22 ssh_host_rsa_key.pub # public key file, server-level (host) public key


On the first connection the server's identity has to be confirmed manually: when connecting to a host on the public Internet, compute the host key fingerprint (hash) yourself and check that it matches the value the operator has published.

Two login authentication methods:
1. Password-based: the password must be typed manually on every connection
2. Key-based: no password needs to be entered

(I) Password-based login:

1. Client configuration

(1) The first time the client connects to a server, it asks whether to continue; whether this prompt appears can be controlled in the client configuration:

[root@CentOS7 ~]#vim /etc/ssh/ssh_config 
StrictHostKeyChecking no

A file is generated in the home directory: after typing yes at the prompt (or when the client is configured not to prompt), a known_hosts file is created under ~/.ssh in the client's home directory. It is used for authentication between Client and Server to prevent man-in-the-middle attacks: each time the Client initiates a connection, the SSH client verifies the Server's identity against the host key recorded in known_hosts.

[root@CentOS7 ~]#cat .ssh/known_hosts 
# Format: DomainName/IpAddress KeyAlgorithm HostKey
192.168.37.100 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPmD8LimHeC8phXcEzH6qOqcdzB0b2xYNN08trPfwBH1HhZf7uG87lhr2b8Ca7ocZ4J+Q9nyMxvufvD3Pm4CPF0=
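The manual check described above (compare the host key fingerprint with a value obtained out of band) can be done without trusting the network at all, because the fingerprint is just the SHA-256 of the key blob stored in known_hosts. The following script is an added example written for this page, not code from the original post or from OpenSSH: it parses the known_hosts line shown above (embedded as a constructed sample), checks that the algorithm named in the line agrees with the algorithm encoded inside the key blob, and computes the same SHA256 fingerprint that `ssh-keygen -lf` prints and that `ssh -v` reports as "Server host key". The expected-fingerprint argument is whatever the server operator published; no value from the page is assumed.

```python
import base64
import hashlib
import struct

# Constructed sample: the known_hosts entry for 192.168.37.100 as printed on the page
# (one line: host, key algorithm, base64 key blob).
KNOWN_HOSTS_LINE = (
    "192.168.37.100 ecdsa-sha2-nistp256 "
    "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPmD8LimHeC8phXcEzH6qOqcdzB0b2xYNN08trPfwBH1HhZf7uG87lhr2b8Ca7ocZ4J+Q9nyMxvufvD3Pm4CPF0="
)


def parse_known_hosts_line(line):
    """Split a known_hosts entry into (host list, key algorithm, raw key blob bytes)."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("malformed known_hosts line")
    hosts, key_type, blob_b64 = fields[0], fields[1], fields[2]
    return hosts.split(","), key_type, base64.b64decode(blob_b64)


def embedded_key_type(blob):
    """An SSH wire-format public key starts with a 4-byte length and the algorithm name."""
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode("ascii")


def sha256_fingerprint(blob):
    """OpenSSH-style fingerprint: SHA-256 of the raw blob, base64 with the '=' padding
    stripped. This is the value `ssh-keygen -lf` prints and `ssh -v` shows."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def verify_host_key(line, expected_fingerprint):
    """True only if the stored key is internally consistent and its fingerprint equals the
    value obtained out of band (console login, provider documentation, a trusted channel)."""
    _hosts, key_type, blob = parse_known_hosts_line(line)
    if embedded_key_type(blob) != key_type:
        return False  # declared algorithm and wire-format algorithm disagree: reject
    return sha256_fingerprint(blob) == expected_fingerprint


if __name__ == "__main__":
    _, ktype, blob = parse_known_hosts_line(KNOWN_HOSTS_LINE)
    print(ktype, sha256_fingerprint(blob))
```

Run it and compare the printed fingerprint with the "Server host key" line of `ssh -v`; if the two differ, the key in known_hosts is not the key the server presented, and the connection should not be trusted until the discrepancy is explained. Setting StrictHostKeyChecking no, as shown above, suppresses exactly this confirmation step, so it should be confined to throwaway lab environments.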


(2) Using the SSH client
Common login syntax:

ssh [user@] host [COMMAND]
ssh [-l user] host [COMMAND]

Common options:
-p port: the port the remote server listens on
-b: the source IP to connect from; if the client has several IPs, a particular one can be chosen for the connection
-v: debug mode
-C: enable compression, to save bandwidth
-X: enable X11 forwarding (X protocol); requires an X server
-t: force pseudo-tty allocation

By default ssh connects to the remote host as the current user name

[root@CentOS7 ~]#ssh [email protected] cat /etc/passwd


-b: the client picks the source IP it uses to reach the server
On the server side you can check which IP the connection came from.

-v: debug mode, shows the login process step by step

[root@CentOS7 ~]#ssh root@192.168.37.100 -p 2222 -b 192.168.37.7 -v
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 59: Applying options for *
debug1: Connecting to 192.168.37.100 [192.168.37.100] port 2222.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 192.168.37.100:2222 as 'root'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:j+FKSoZLTx3S9cFLtPfZWnJUCrx9cAONPuCAsS7hfgo
debug1: checking without port identifier
debug1: Host '192.168.37.100' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: found matching key w/out port
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:0)

debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:0)

debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Trying private key: /root/.ssh/id_ed25519
debug1: Next authentication method: password
root@192.168.37.100's password:

-X: xclock is an X-protocol client; the X server draws on screen through the GPU according to the client's instructions.
The xclock client and the X server need not be on the same host.
Installing Xmanager (which includes Xshell) installs an X server on Windows; Windows itself does not ship one.

-t: works like a jump host, hopping directly through to a target host:

# the last host in the chain does not take -t
[root@master ~]#ssh -t 192.168.37.102 ssh -t 192.168.37.103 ssh 192.168.37.101
root@192.168.37.102's password: 
root@192.168.37.103's password: 
root@192.168.37.101's password: 
Last login: Tue Jul 16 21:15:09 2019 from 192.168.37.103


2. Server side:
Change the SSH port: in production, if logins are password-based, changing the listening port is recommended

[root@master ~]#vim /etc/ssh/sshd_config
Port 2222
[root@master ~]#systemctl restart sshd

# the client connects to the server on the specified port
#[root@CentOS7 ~]#ssh [email protected] -p 2222
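Changing the port only reduces noise from automated scanners; the directives that decide whether password guessing can succeed at all sit in the same sshd_config. The script below is an added example for this page, not code from the original post or from OpenSSH: it parses an sshd_config fragment the way sshd does (first occurrence of a directive wins, comments ignored) and reports the settings a reviewer would look at after following the steps above. The two config texts are constructed samples; the defaults assumed for absent directives (Port 22, PasswordAuthentication yes, PubkeyAuthentication yes) are upstream OpenSSH defaults, and Match blocks are not modelled.

```python
import re

# Constructed sshd_config fragment mirroring the page's change (Port 2222); not copied
# from a real server. Leading whitespace and commented-out defaults are typical.
SAMPLE_SSHD_CONFIG = """\
# OpenSSH server configuration (constructed sample)
 Port 2222 
#PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

# Constructed hardened variant: same port, password logins disabled.
HARDENED_SSHD_CONFIG = """\
Port 2222
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
"""


def parse_sshd_config(text):
    """Return {directive (lower-case): value} for active lines. sshd applies the first
    occurrence of a directive, so later duplicates are ignored. Match blocks are not
    modelled here: parsing stops at the first Match line."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\w+)\s*=?\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        cfg.setdefault(key, value)
    return cfg


def audit_sshd_config(text):
    """Check the settings that matter for the page's password-vs-key discussion. Absent
    directives fall back to the upstream OpenSSH defaults noted inline (an assumption)."""
    cfg = parse_sshd_config(text)
    findings = []
    port = cfg.get("port", "22")                                   # default: 22
    password = cfg.get("passwordauthentication", "yes").lower()     # default: yes
    if password == "yes":
        findings.append("PasswordAuthentication yes: password logins are accepted")
        if port == "22":
            findings.append("Port 22 with password login: the page recommends a non-default port")
    if cfg.get("permitrootlogin", "").lower() == "yes":
        findings.append("PermitRootLogin yes: root may log in with a password")
    if cfg.get("pubkeyauthentication", "yes").lower() != "yes":     # default: yes
        findings.append("PubkeyAuthentication is off: key-based login cannot be used")
    return {"port": port, "password_auth": password, "findings": findings}


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(text))
```

Run against /etc/ssh/sshd_config the same parser applies; remember that on a CentOS 7 host the file is mode 0600 and root-only, as the directory listing earlier in the page shows, so the audit has to run as root. After any change, `sshd -t` validates the file and `systemctl restart sshd` applies it, as in the steps above.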


(II) Key-based login authentication

Test environment:
Two CentOS 7 hosts, with IPs 192.168.37.102 and 192.168.37.103
192.168.37.102 is the client
192.168.37.103 is the server

Configure as follows:
1. Generate the public/private key pair manually: key pairs are per user, and each user has their own pair;
while the public key is being copied during setup, password authentication is still required

# generate the key pair on host 192.168.37.102
[root@CentOS7 ~]#ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):   # path where the key is saved
Enter passphrase (empty for no passphrase):  # passphrase protecting the private key
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:FJaHeE4S+F++zu1RcgUhu6aE81atdUsRFsBlB5heWcw root@CentOS7
The key's randomart image is:
+---[RSA 2048]----+
|     ..ooo  o+*&+|
|    . o.=.. o+=.E|
|     . =.. ... ..|
|      ..... .o ..|
|       .So. = =..|
|        .+.+ *...|
|          +.o  . |
|         o.. .   |
|         .o.o    |
+----[SHA256]-----+

[root@CentOS7 ~]#ll .ssh/
total 16
-rw------- 1 root root 1675 Jul 16 22:25 id_rsa     # private key generated by ssh-keygen
-rw-r--r-- 1 root root  408 Jul 16 22:25 id_rsa.pub  # public key generated by ssh-keygen
-rw-r--r-- 1 root root  748 Jul 16 21:11 known_hosts

2. Copy the public key to the server host

# host 102 must enter the password the first time it copies the key
[root@CentOS7 ~]#ssh-copy-id -i /root/.ssh/id_rsa.pub root@192.168.37.103

# on host 37.103, look at the home directory: the copied public key is saved by the system as authorized_keys
[root@CentOS7 ~]#ll ~/.ssh/
total 8
-rw------- 1 root root 408 Jul 16 22:30 authorized_keys  # the public key from host 37.102, same size
-rw-r--r-- 1 root root 396 Jul 16 21:12 known_hosts

The public key file /root/.ssh/id_rsa.pub on host 102 and /root/.ssh/authorized_keys on host 103 have identical contents.
3. Test the login

# test login from host 102 to host 103
[root@CentOS7 ~]#ssh 192.168.37.103
Last login: Tue Jul 16 21:24:08 2019 from 192.168.37.102
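When the test login above still asks for a password, the two usual causes are that the public key is not actually present in authorized_keys (ssh-copy-id compares algorithm and blob, not the trailing comment) or that sshd's StrictModes check rejected the file because ~/.ssh or authorized_keys is group- or world-writable. The script below is an added example for this page, not code from the original post or from OpenSSH: it reproduces both checks offline on a throwaway home directory laid out like the 192.168.37.103 example above. The public-key line is a constructed placeholder, not a real key, and the StrictModes rule it applies (no group/world write bit on the home directory, ~/.ssh, or authorized_keys) is the upstream OpenSSH behaviour.

```python
import os
import stat
import tempfile

KEY_PREFIXES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-")

# Constructed public-key line in id_rsa.pub format (the blob is a placeholder, not a real key).
PUBKEY_LINE = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholderBlobNotARealKey root@CentOS7"


def parse_pubkey(line):
    """Return (algorithm, base64 blob) from a public-key or authorized_keys line, skipping
    any leading options such as from="..." and ignoring the trailing comment."""
    parts = line.split()
    for i, tok in enumerate(parts[:-1]):
        if tok.startswith(KEY_PREFIXES):
            return tok, parts[i + 1]
    return None


def authorized_keys_contains(authorized_keys_text, pubkey_line):
    """True if the key (algorithm + blob, comment ignored) is an active authorized_keys entry."""
    wanted = parse_pubkey(pubkey_line)
    if wanted is None:
        raise ValueError("not a public-key line")
    for line in authorized_keys_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if parse_pubkey(line) == wanted:
            return True
    return False


def check_key_file_modes(home):
    """With StrictModes (sshd's default) a key is ignored if the home directory, ~/.ssh or
    authorized_keys is group- or world-writable. Return a list of problems found."""
    ssh_dir = os.path.join(home, ".ssh")
    auth_keys = os.path.join(ssh_dir, "authorized_keys")
    problems = []
    for path in (home, ssh_dir, auth_keys):
        if not os.path.exists(path):
            problems.append(f"{path}: missing")
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o022:
            problems.append(f"{path}: mode {oct(mode)} is group/world writable")
    return problems


def build_demo_home(pubkey_line, ssh_dir_mode=0o700, auth_keys_mode=0o600):
    """Create a throwaway home directory laid out like the page's server-side listing
    (.ssh 0700, authorized_keys 0600) so the checks can run offline. Returns the path."""
    home = tempfile.mkdtemp(prefix="sshdemo-")  # mkdtemp creates the directory 0700
    ssh_dir = os.path.join(home, ".ssh")
    os.mkdir(ssh_dir)
    os.chmod(ssh_dir, ssh_dir_mode)
    auth_keys = os.path.join(ssh_dir, "authorized_keys")
    with open(auth_keys, "w") as f:
        f.write(pubkey_line + "\n")  # what ssh-copy-id appends on the server
    os.chmod(auth_keys, auth_keys_mode)
    return home


if __name__ == "__main__":
    home = build_demo_home(PUBKEY_LINE)
    with open(os.path.join(home, ".ssh", "authorized_keys")) as f:
        print(authorized_keys_contains(f.read(), PUBKEY_LINE), check_key_file_modes(home))
```

On a real server, point check_key_file_modes at the target user's home directory and feed the contents of ~/.ssh/authorized_keys and the client's id_rsa.pub to authorized_keys_contains; a failed login that both checks pass usually shows its reason in the server's /var/log/secure or in the client's `ssh -v` output, as in the debug session shown earlier on this page.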
