Chapter 9: OpenSSH Service Configuration and Security
9.1 Running remote commands over ssh
OpenSSH provides a secure remote shell for managing remote Linux and Unix systems.
OpenSSH uses asymmetric cryptography to protect the data exchanged over the connection.
$ ssh remotehost
$ ssh remoteuser@remotehost     or: ssh -l remoteuser remotehost
$ ssh remoteuser@remotehost remote-command
$ w -f
Related files:
When the client logs in to a remote machine for the first time, it saves that machine's host public key in ~/.ssh/known_hosts. On every later login to the same server it compares the public key presented by the remote machine with the copy stored locally; if they differ, the connection is aborted, which prevents an attacker from impersonating the server.
The server keeps its host public and private keys in /etc/ssh/*key*.
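Added example (not from the original notes): a small POSIX shell emulation of the known_hosts comparison described above. KNOWN_HOSTS_SAMPLE is constructed from the server0 entry recorded later in these notes plus one made-up entry; the function names stored_host_key and verify_host_key and their return codes are assumptions of this example, not ssh's own code. It shows the three outcomes the client can reach: unknown host (first contact), matching key, and a changed key, which must abort the connection.

```shell
#!/bin/sh
# Constructed known_hosts content: the server0 entry recorded later in these notes,
# a comment line, and one made-up entry for a second host.
KNOWN_HOSTS_SAMPLE='server0,172.25.0.11 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHX+o9KAnlfw2dE7CsmM4hqfv1udM79a5NWC2BuWlmfKSwfYLptPQMJF8bnqaz0EjDlxCxRu/aito+GphPLzp/k=
# comment lines are ignored, as in a real known_hosts
classroom.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedExampleBlob000000000000000'

# stored_host_key HOST
# Prints "keytype blob" recorded for HOST, or nothing if HOST is not in the file.
# The first field may list several names/addresses separated by commas, which is
# why the notes can log in as "server0" or as "172.25.0.11" against one entry.
# (Hashed entries, @marker lines and wildcards are not handled by this emulation.)
stored_host_key() {
    printf '%s\n' "$KNOWN_HOSTS_SAMPLE" | awk -v h="$1" '
        /^[ \t]*#/ || NF == 0 { next }
        {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == h) { print $2, $3; exit }
        }'
}

# verify_host_key HOST "keytype blob"
# Emulates the client decision: 0 = key matches the stored one; 1 = host unknown
# (first contact: confirm the fingerprint out of band before answering "yes");
# 2 = key differs from the stored one, the connection must be refused.
verify_host_key() {
    stored=$(stored_host_key "$1")
    if [ -z "$stored" ]; then
        echo "$1: no entry in known_hosts, first contact" >&2
        return 1
    elif [ "$stored" = "$2" ]; then
        echo "$1: host key matches known_hosts" >&2
        return 0
    else
        echo "$1: HOST KEY HAS CHANGED, refusing to connect" >&2
        return 2
    fi
}

# Demo: the three outcomes, using server0's stored key and a constructed other key.
SERVER0_KEY=$(stored_host_key server0)
verify_host_key server0 "$SERVER0_KEY"
verify_host_key 172.25.0.11 "ssh-rsa AAAAB3constructedDifferentBlob" || true
verify_host_key server9 "$SERVER0_KEY" || true
```

The real client does the same lookup against ~/.ssh/known_hosts (and /etc/ssh/ssh_known_hosts) before any password or key is sent; a changed key is the case to treat as an incident, not something to silence by deleting the entry.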
9.2 Configuring ssh key-based authentication
By default, logging in to a remote system over ssh requires an account and password on that system. To reduce the chance of a password being leaked, and to make logging in more convenient, key-based authentication can be used instead.
1) Generate a key pair on the client
$ ssh-keygen -t rsa
Press Enter at every prompt; nothing needs to be typed.
2) Send the public key from the client to the remote system
$ ssh-copy-id -i ~/.ssh/id_rsa.pub server0
$ ssh-copy-id -i ~/.ssh/id_rsa.pub root@server0
3) Log in
$ ssh server0
Result: no password is asked for; you are logged straight in to the remote system.
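Added example (not from the original notes): what ssh-copy-id does on the remote side, written as a POSIX shell function that works on a local scratch directory so it can be run without a server. The names install_pubkey and count_keys, and SAMPLE_PUBKEY (a constructed, non-functional key blob), are this example's assumptions. It shows where the key ends up (~/.ssh/authorized_keys), the owner-only permissions sshd expects on that path, and why running ssh-copy-id twice adds the key only once.

```shell
#!/bin/sh
# Constructed public key line in OpenSSH format; the blob is a placeholder, not a real key.
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedExampleBlob0123456789== student@desktop0.example.com'

# install_pubkey HOMEDIR "keytype blob [comment]"
# Reproduces the remote-side effect of ssh-copy-id on a local directory:
# creates HOMEDIR/.ssh (0700) and HOMEDIR/.ssh/authorized_keys (0600) if missing,
# then appends the key unless the same keytype+blob is already present.
# Prints the number of keys added (0 or 1), like ssh-copy-id's "Number of key(s) added".
install_pubkey() {
    sshdir="$1/.ssh"
    authkeys="$sshdir/authorized_keys"
    # subshell so the restrictive umask does not leak into the caller's shell
    (umask 077; mkdir -p "$sshdir"; touch "$authkeys")
    chmod 700 "$sshdir"          # sshd (StrictModes) refuses group/world-writable dirs
    chmod 600 "$authkeys"
    keyid=$(printf '%s\n' "$2" | awk '{ print $1, $2 }')   # ignore the trailing comment
    if awk -v id="$keyid" '($1 " " $2) == id { found = 1 } END { exit !found }' "$authkeys"; then
        echo 0
    else
        printf '%s\n' "$2" >> "$authkeys"
        echo 1
    fi
}

# count_keys HOMEDIR: number of active (non-blank, non-comment) key lines.
count_keys() {
    grep -c -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1/.ssh/authorized_keys" || true
}

# Demo on a scratch directory: the second run adds nothing, the file stays 0600.
demo_home=$(mktemp -d)
echo "first run, keys added:  $(install_pubkey "$demo_home" "$SAMPLE_PUBKEY")"
echo "second run, keys added: $(install_pubkey "$demo_home" "$SAMPLE_PUBKEY")"
ls -l "$demo_home/.ssh/authorized_keys"
rm -rf "$demo_home"
```

The permission handling is the part that bites in practice: if ~/.ssh or authorized_keys on the server is writable by group or others, sshd silently ignores the file and falls back to asking for a password, which looks exactly like "the key did not get copied".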
9.3 Customizing and tuning the ssh service configuration
How do you find the sshd service configuration file?
Some security options you need to know:
PermitRootLogin yes|no              whether root may log in to this machine over ssh
PermitRootLogin without-password    root may log in over ssh only with key authentication; has no effect on other users
PasswordAuthentication yes|no       default is yes: password logins over ssh are allowed. If set to no, only key authentication can be used to log in; this applies to all users.
Notes:
9.1
Method 1: on the first login you are asked to save the public key sent by the remote end
[root@desktop0 ~]# ssh server0          # log in to server0
root@server0's password:
Last login: Sat Jun 3 10:43:43 2017 from desktop0.example.com
[root@server0 ~]#
[root@desktop0 ~]# host server0         # precondition: the name must resolve to the IP address
server0.example.com has address 172.25.0.11
[root@desktop0 ~]# ssh 172.25.0.11      # you can also log in by IP address directly
root@172.25.0.11's password:
Last login: Sat Jun 3 10:44:08 2017 from desktop0.example.com
[root@server0 ~]#
Method 2:
[root@server0 ~]# ssh student@server0
The authenticity of host 'server0 (172.25.0.11)' can't be established.
ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server0,172.25.0.11' (ECDSA) to the list of known hosts.
student@server0's password:
Last login: Thu May 11 11:57:56 2017
[student@server0 ~]$
[root@server0 ~]# ssh root@server0
root@server0's password:
Last login: Sat Jun 3 10:45:43 2017 from desktop0.example.com
[root@server0 ~]#
Method 3:
[root@server0 ~]# ssh 172.25.0.11 -l root    # -l means login name
root@172.25.0.11's password:
Last login: Sat Jun 3 10:49:27 2017 from server0.example.com
[root@server0 ~]#
[root@server0 ~]# ssh server0 -l student
student@server0's password:
Last login: Sat Jun 3 10:48:49 2017 from server0.example.com
[student@server0 ~]$
You can also just run a single command on the remote host and get its output back, e.g. the hostname, or a shutdown.
[root@server0 ~]# ssh root@server0 hostname
root@server0's password:
server0.example.com
[root@server0 ~]#
[root@server0 ~]# w -f    # shows who is logged in to this machine; a FROM of :0 means the graphical console
 11:01:53 up 23 min,  3 users,  load average: 0.00, 0.02, 0.08
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    desktop0.example  10:45    1.00s  0.24s  0.16s ssh root@server
root     pts/1    server0.example.  10:49    1.00s  0.15s  0.02s w -f
[root@server0 ~]#
[student@desktop0 Desktop]$ ssh root@server0
The authenticity of host 'server0 (172.25.0.11)' can't be established.
ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server0,172.25.0.11' (ECDSA) to the list of known hosts.
root@server0's password:
Last login: Sat Jun 3 10:50:21 2017 from server0.example.com
[root@server0 ~]# ls /etc/ssh/*key*    # the host keys stored on server0
/etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_ecdsa_key.pub /etc/ssh/ssh_host_rsa_key.pub
[root@server0 ~]#
[root@server0 ~]# cat /etc/ssh/ssh_host_ecdsa_key.pub
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHX+o9KAnlfw2dE7CsmM4hqfv1udM79a5NWC2BuWlmfKSwfYLptPQMJF8bnqaz0EjDlxCxRu/aito+GphPLzp/k=
[root@server0 ~]# logout
Connection to server0 closed.
[student@desktop0 Desktop]$ grep server0 ~/.ssh/known_hosts    # where the local machine stores the server's public key
server0,172.25.0.11 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHX+o9KAnlfw2dE7CsmM4hqfv1udM79a5NWC2BuWlmfKSwfYLptPQMJF8bnqaz0EjDlxCxRu/aito+GphPLzp/k=
[student@desktop0 Desktop]$
9.2 Demonstrating the whole process
[student@desktop0 Desktop]$ :> ~/.ssh/known_hosts    # empty the file
[student@desktop0 Desktop]$ cat ~/.ssh/known_hosts
[student@desktop0 Desktop]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/student/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/student/.ssh/id_rsa.
Your public key has been saved in /home/student/.ssh/id_rsa.pub.
The key fingerprint is:
65:09:74:d4:45:2b:86:7d:11:6e:96:0a:2d:b9:ce:81 student@desktop0.example.com
The key's randomart image is:
+--[ RSA 2048]----+
| .o.o. o=. |
| o *.. + |
| O = B |
| + = * |
| E o . |
| o . |
| o |
| |
| |
+-----------------+
[student@desktop0 Desktop]$
[student@desktop0 Desktop]$ ls /home/student/.ssh/
authorized_keys id_rsa id_rsa.pub known_hosts
[student@desktop0 Desktop]$
ssh-copy-id -i ~/.ssh/id_rsa.pub server0    # this way the login is remembered and the username and password do not have to be entered next time
[student@desktop0 Desktop]$ ssh-copy-id -i ~/.ssh/id_rsa.pub root@server0
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@server0's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@server0'"
and check to make sure that only the key(s) you wanted were added.
[student@desktop0 Desktop]$ ssh root@server0
Last login: Sat Jun 3 11:10:04 2017 from desktop0.example.com
[root@server0 ~]#
[root@server0 ~]# cat /root/.ssh/authorized_keys    # this is where it is stored!!
9.3
Changing the SSH configuration
[root@server0 Desktop]# vim /etc/ssh/sshd_config
Line 48:
#PermitRootLogin no
[root@server0 Desktop]# systemctl restart sshd    # restart for the change to take effect. (This experiment did not succeed; in production the administrator's password login would be disabled.)
Logging in to server0 from desktop0 again after emptying known_hosts shows it did not work:
[root@desktop0 Desktop]# :> ~/.ssh/known_hosts
[root@desktop0 Desktop]# ssh root@server0
The authenticity of host 'server0 (172.25.0.11)' can't be established.
ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server0,172.25.0.11' (ECDSA) to the list of known hosts.
Last login: Sat Jun 3 12:09:25 2017 from desktop0.example.com
[root@server0 ~]#
9.3 Summary
All changes are made in this one file: vim /etc/ssh/sshd_config
PermitRootLogin yes|no              whether root may log in to this machine over ssh
PermitRootLogin without-password    root may log in over ssh only with key authentication; has no effect on other users
PasswordAuthentication yes|no       default is yes: password logins over ssh are allowed. If set to no, only key authentication can be used to log in; this applies to all users.
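Added example (not from the original notes), covering both the options listed in 9.3 and the unsuccessful experiment in the 9.3 notes where "#PermitRootLogin no" was left commented out: two POSIX shell functions that read and set a keyword in an sshd_config file the way sshd interprets it (first active occurrence wins, comments ignored, global section only). SAMPLE_CONFIG is a constructed fragment; effective_option and set_option are names chosen for this example, not OpenSSH tooling.

```shell
#!/bin/sh
# Constructed sshd_config fragment that reproduces the trap in the 9.3 notes:
# "#PermitRootLogin no" is still commented out, so it has no effect, and
# PasswordAuthentication is left at its default of yes.
SAMPLE_CONFIG='# constructed fragment for this example
Port 22
#PermitRootLogin no
PasswordAuthentication yes
Subsystem sftp /usr/libexec/openssh/sftp-server
Match User backup
    PasswordAuthentication no'

# effective_option FILE KEYWORD
# Prints the value sshd uses for KEYWORD in the global section: keywords are
# case-insensitive, keyword and value may be separated by "=", comment lines are
# skipped, the FIRST active occurrence wins, and scanning stops at the first
# Match block (everything after it is conditional). Prints nothing when the
# keyword is not set, meaning sshd's compiled-in default applies.
effective_option() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }
        { sub(/=/, " ") }                          # "Keyword=value" -> "Keyword value"
        tolower($1) == "match" { exit }
        tolower($1) == want { print $2; exit }
    ' "$1"
}

# set_option FILE KEYWORD VALUE
# Rewrites FILE so the global section has exactly one active "KEYWORD VALUE" line:
# active lines for KEYWORD before any Match block are replaced (the first one in
# place, later duplicates dropped); if there are none, the line is inserted before
# the first Match block, or appended. Commented-out lines are kept as they are.
set_option() {
    tmp="$1.tmp.$$"
    awk -v kw="$2" -v val="$3" '
        BEGIN { want = tolower(kw) }
        {
            line = $0; sub(/=/, " ", line); split(line, f)
            active = (line !~ /^[ \t]*#/ && line !~ /^[ \t]*$/)
            if (!inmatch && active && tolower(f[1]) == "match") {
                if (!done) { print kw, val; done = 1 }
                inmatch = 1
            }
            if (!inmatch && active && tolower(f[1]) == want) {
                if (!done) { print kw, val; done = 1 }
                next
            }
            print
        }
        END { if (!done) print kw, val }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Demo on a scratch copy of the constructed fragment.
demo_cfg=$(mktemp)
printf '%s\n' "$SAMPLE_CONFIG" > "$demo_cfg"
echo "PermitRootLogin before: '$(effective_option "$demo_cfg" PermitRootLogin)'"   # empty: the line is commented out
set_option "$demo_cfg" PermitRootLogin no
set_option "$demo_cfg" PasswordAuthentication no
echo "PermitRootLogin after:  '$(effective_option "$demo_cfg" PermitRootLogin)'"
cat "$demo_cfg"
rm -f "$demo_cfg"
```

Run this against a copy of /etc/ssh/sshd_config, never the live file; on the server itself the authoritative checks are `sshd -t` (syntax) and `sshd -T` (the effective values sshd will actually use) before `systemctl restart sshd`, and keep one working session open while restarting so a mistake in PasswordAuthentication or PermitRootLogin cannot lock you out.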