RH124-09 OpenSSH服务配置与安全

第九章 OpenSSH服务配置与安全

9.1 通过ssh访问远程命令

OpenSSH提供一个安全的远程shell,用于管理远程Linux、unix系统. 

OpenSSH使用非对称加密手段加密保护通信数据.

$ ssh remotehost

$ ssh remoteuser@remotehost 或 ssh -l remoteuser remotehost

$ ssh remoteuset@remotehost remote-command

$ w -f

相关文件:

客户端会首次登陆远程机器的时候,会把远程机器的公钥保存在~/.ssh/know_hosts,以后每次登陆到某服务器的时候,都会对比远程机器的公钥和存在在本机的该服务器公钥是否相同,如果不相同就会终止连接,防止***伪装服务器.

服务端把相关的公钥和私钥存在/etc/ssh/*key*中

 

9.2 配置ssh的密钥验证

默认情况下,通过ssh登陆到远程的系统,需要提供远程系统上的帐号与密码,但为了降低密码泄露的机率和提高登陆的方便性,可以使用基于密钥的验证.

1) 客户端生成密钥对

$ shh-keygen -t rsa

一路回车,不需要输入任何东西

2) 客户端把公钥发送给远程的系统

$ ssh-copy-id -i ~/.ssh/id_rsa.pub  server0

$ ssh-copy-id -i ~/.ssh/id_rsa.pub  root@server0

3) 登陆

$  ssh server0

结果: 免去密码验证,直接登陆到远程的系统

9.3 自定义优化ssh的服务配置

如何找到sshd服务的配置文件?

需要了解的一些安全选项:

PermitRootLogin yes|no  是否允许root通过ssh登陆到本机

PermitRootLogin  without-password  只允许root通过密钥验证的手段ssh登陆到本机，对其他用户不生效

PasswordAuthentication yes|no  默认是yes,允许通过ssh密码验证的方式登陆到本机.如果设定为no,那么只能通过密钥验证的手段登陆，针对所有用户。

笔记：

9.1

方法1：  首次登陆要求保存远端发过来的公钥

[root@desktop0 ~]# ssh server0 用server0登陆

root@server0's password: 

Last login: Sat Jun  3 10:43:43 2017 from desktop0.example.com

[root@server0 ~]# 

[root@desktop0 ~]# host server0  登陆前提是可以解析到这个IP地址

server0.example.com has address 172.25.0.11

[root@desktop0 ~]# ssh 172.25.0.11   也可以直接登陆IP地址

[email protected]'s password: 

Last login: Sat Jun  3 10:44:08 2017 from desktop0.example.com

[root@server0 ~]# 

方法2：

[root@server0 ~]# ssh student@server0

The authenticity of host 'server0 (172.25.0.11)' can't be established.

ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added 'server0,172.25.0.11' (ECDSA) to the list of known hosts.

student@server0's password: 

Last login: Thu May 11 11:57:56 2017

[student@server0 ~]$ 

[root@server0 ~]# ssh root@server0

root@server0's password: 

Last login: Sat Jun  3 10:45:43 2017 from desktop0.example.com

[root@server0 ~]# 

方法3：

[root@server0 ~]# ssh 172.25.0.11 -l root      -l就是-login

[email protected]'s password: 

Last login: Sat Jun  3 10:49:27 2017 from server0.example.com

[root@server0 ~]# 

[root@server0 ~]# ssh server0 -l student

student@server0's password: 

Last login: Sat Jun  3 10:48:49 2017 from server0.example.com

[student@server0 ~]$ 

只需要远程过去输出一条命令过来，如取名字，如关机

[root@server0 ~]# ssh root@server0 hostname

root@server0's password: 

server0.example.com

[root@server0 ~]# 

[root@server0 ~]# w -f             可以看到哪些登陆到本机  ：0代表是图形界面

 11:01:53 up 23 min,  3 users,  load average: 0.00, 0.02, 0.08

USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT

root     pts/0    desktop0.example 10:45    1.00s  0.24s  0.16s ssh root@server

root     pts/1    server0.example. 10:49    1.00s  0.15s  0.02s w -f

[root@server0 ~]# 

[student@desktop0 Desktop]$ ssh root@server0

The authenticity of host 'server0 (172.25.0.11)' can't be established.

ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added 'server0,172.25.0.11' (ECDSA) to the list of known hosts.

root@server0's password: 

Last login: Sat Jun  3 10:50:21 2017 from server0.example.com

[root@server0 ~]# ls /etc/ssh/*key*                             server0存放的公钥

/etc/ssh/ssh_host_ecdsa_key      /etc/ssh/ssh_host_rsa_key

/etc/ssh/ssh_host_ecdsa_key.pub  /etc/ssh/ssh_host_rsa_key.pub

[root@server0 ~]# 

[root@server0 ~]# 

[root@server0 ~]# cat /etc/ssh/ssh_host_ecdsa_key.pub

ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHX+o9KAnlfw2dE7CsmM4hqfv1udM79a5NWC2BuWlmfKSwfYLptPQMJF8bnqaz0EjDlxCxRu/aito+GphPLzp/k= 

[root@server0 ~]# logout

Connection to server0 closed.

[student@desktop0 Desktop]$ grep server0 ~/.ssh/known_hosts                本机存放公钥的地方

server0,172.25.0.11 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHX+o9KAnlfw2dE7CsmM4hqfv1udM79a5NWC2BuWlmfKSwfYLptPQMJF8bnqaz0EjDlxCxRu/aito+GphPLzp/k=

[student@desktop0 Desktop]$ 

9.2   演示整个过程

[student@desktop0 Desktop]$ :> ~/.ssh/known_hosts  清空

[student@desktop0 Desktop]$ cat ~/.ssh/known_hosts

[student@desktop0 Desktop]$ ssh-keygen -t rsa

Generating public/private rsa key pair.

Enter file in which to save the key (/home/student/.ssh/id_rsa): 

Enter passphrase (empty for no passphrase): 

Enter same passphrase again: 

Your identification has been saved in /home/student/.ssh/id_rsa.

Your public key has been saved in /home/student/.ssh/id_rsa.pub.

The key fingerprint is:

65:09:74:d4:45:2b:86:7d:11:6e:96:0a:2d:b9:ce:81 [email protected]

The key's randomart p_w_picpath is:

+--[ RSA 2048]----+

|       .o.o. o=. |

|         o *.. + |

|          O = B  |

|         + = *   |

|        E o .    |

|         o .     |

|          o      |

|                 |

|                 |

+-----------------+

[student@desktop0 Desktop]$ 

[student@desktop0 Desktop]$ ls /home/student/.ssh/

authorized_keys  id_rsa  id_rsa.pub  known_hosts

[student@desktop0 Desktop]$ 

 ssh-copy-id -i ~/.ssh/id/id_rsa.pub server0   这样登陆就可以保存用户名和密码，下次就不用输入了

[student@desktop0 Desktop]$ ssh-copy-id -i ~/.ssh/id_rsa.pub root@server0

/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed

/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

root@server0's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@server0'"

and check to make sure that only the key(s) you wanted were added.

[student@desktop0 Desktop]$ ssh root@server0

Last login: Sat Jun  3 11:10:04 2017 from desktop0.example.com

[root@server0 ~]# 

[root@server0 ~]# cat /root/.ssh/authorized_keys   存放在这里！！

9.3

改SSH配置

[root@server0 Desktop]# vim /etc/ssh/sshd_config 

第48排，

#PermitRootLogin no

[root@server0 Desktop]# systemctl restart sshd   重启生效  /实验未做成功   生产中会把管理员用户名码禁掉。

清空后再次用desk登陆server，提示不行

[root@desktop0 Desktop]#  :> ~/.ssh/known_hosts

[root@desktop0 Desktop]# ssh root@server0

The authenticity of host 'server0 (172.25.0.11)' can't be established.

ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added 'server0,172.25.0.11' (ECDSA) to the list of known hosts.

Last login: Sat Jun  3 12:09:25 2017 from desktop0.example.com

[root@server0 ~]# 

9.3总结

改都是在这个文件内vim /etc/ssh/sshd_config 

PermitRootLogin yes|no  是否允许root通过ssh登陆到本机

PermitRootLogin  without-password  只允许root通过密钥验证的手段ssh登陆到本机，对其他用户不生效

PasswordAuthentication yes|no  默认是yes,允许通过ssh密码验证的方式登陆到本机.如果设定为no,那么只能通过密钥验证的手段登陆，针对所有用户。