Chapter 9 OpenSSH Service Configuration and Security
9.1 Running remote commands over ssh
OpenSSH provides a secure remote shell for administering remote Linux and UNIX systems.
OpenSSH uses asymmetric (public-key) cryptography to protect the session traffic.
$ ssh remotehost
$ ssh remoteuser@remotehost    or    ssh -l remoteuser remotehost
$ ssh remoteuser@remotehost remote-command
$ w -f
Related files:
When the client logs in to a remote machine for the first time it saves that machine's host public key in ~/.ssh/known_hosts. On every later login to that server it compares the public key the remote machine presents with the copy stored locally; if they differ, the connection is terminated, which prevents an attacker from impersonating the server.
The server keeps its host key pairs (public and private) in /etc/ssh/*key*.
9.2 Configuring ssh key-based authentication
By default, logging in to a remote system over ssh requires an account and password on that system. To reduce the chance of the password being leaked and to make logging in more convenient, key-based authentication can be used instead.
1) Generate a key pair on the client
$ ssh-keygen -t rsa
Press Enter at every prompt; nothing needs to be typed.
2) Send the public key from the client to the remote system
$ ssh-copy-id -i ~/.ssh/id_rsa.pub server0
$ ssh-copy-id -i ~/.ssh/id_rsa.pub root@server0
3) Log in
$ ssh server0
Result: password authentication is skipped and you are logged straight in to the remote system.
9.3 Customising and tuning the ssh service configuration
Where is the sshd service's configuration file? /etc/ssh/sshd_config
Security options you need to know:
PermitRootLogin yes|no    whether root may log in to this machine over ssh
PermitRootLogin without-password    root may log in over ssh only with key-based authentication; this has no effect on other users
PasswordAuthentication yes|no    defaults to yes, allowing password-based ssh logins to this machine. If set to no, only key-based authentication can be used to log in; this applies to all users.
Notes:
9.1
Method 1: on the first login you are asked to save the public key sent by the remote host
[root@desktop0 ~]# ssh server0      log in using the host name server0
root@server0's password:
Last login: Sat Jun 3 10:43:43 2017 from desktop0.example.com
[root@server0 ~]#
[root@desktop0 ~]# host server0      prerequisite for logging in: the name must resolve to this IP address
server0.example.com has address 172.25.0.11
[root@desktop0 ~]# ssh 172.25.0.11      you can also log in directly by IP address
root@172.25.0.11's password:
Last login: Sat Jun 3 10:44:08 2017 from desktop0.example.com
[root@server0 ~]#
Method 2:
[root@server0 ~]# ssh student@server0
The authenticity of host 'server0 (172.25.0.11)' can't be established.
ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server0,172.25.0.11' (ECDSA) to the list of known hosts.
student@server0's password:
Last login: Thu May 11 11:57:56 2017
[student@server0 ~]$
[root@server0 ~]# ssh root@server0
root@server0's password:
Last login: Sat Jun 3 10:45:43 2017 from desktop0.example.com
[root@server0 ~]#
Method 3:
[root@server0 ~]# ssh 172.25.0.11 -l root      -l means login name
root@172.25.0.11's password:
Last login: Sat Jun 3 10:49:27 2017 from server0.example.com
[root@server0 ~]#
[root@server0 ~]# ssh server0 -l student
student@server0's password:
Last login: Sat Jun 3 10:48:49 2017 from server0.example.com
[student@server0 ~]$
Run just a single command on the remote host and get its output back, e.g. read the host name, or shut it down:
[root@server0 ~]# ssh root@server0 hostname
root@server0's password:
server0.example.com
[root@server0 ~]#
[root@server0 ~]# w -f      shows who is logged in to this machine; a :0 in the FROM column means the graphical console
11:01:53 up 23 min, 3 users, load average: 0.00, 0.02, 0.08
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 desktop0.example 10:45 1.00s 0.24s 0.16s ssh root@server
root pts/1 server0.example. 10:49 1.00s 0.15s 0.02s w -f
[root@server0 ~]#
[student@desktop0 Desktop]$ ssh root@server0
The authenticity of host 'server0 (172.25.0.11)' can't be established.
ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server0,172.25.0.11' (ECDSA) to the list of known hosts.
root@server0's password:
Last login: Sat Jun 3 10:50:21 2017 from server0.example.com
[root@server0 ~]# ls /etc/ssh/*key*      where server0 stores its host key pairs
/etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_ecdsa_key.pub /etc/ssh/ssh_host_rsa_key.pub
[root@server0 ~]#
[root@server0 ~]# cat /etc/ssh/ssh_host_ecdsa_key.pub
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHX+o9KAnlfw2dE7CsmM4hqfv1udM79a5NWC2BuWlmfKSwfYLptPQMJF8bnqaz0EjDlxCxRu/aito+GphPLzp/k=
[root@server0 ~]# logout
Connection to server0 closed.
[student@desktop0 Desktop]$ grep server0 ~/.ssh/known_hosts      where the local machine stores the server's public key
server0,172.25.0.11 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHX+o9KAnlfw2dE7CsmM4hqfv1udM79a5NWC2BuWlmfKSwfYLptPQMJF8bnqaz0EjDlxCxRu/aito+GphPLzp/k=
[student@desktop0 Desktop]$
9.2 Demonstration of the whole procedure
[student@desktop0 Desktop]$ :> ~/.ssh/known_hosts      empty the file
[student@desktop0 Desktop]$ cat ~/.ssh/known_hosts
[student@desktop0 Desktop]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/student/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/student/.ssh/id_rsa.
Your public key has been saved in /home/student/.ssh/id_rsa.pub.
The key fingerprint is:
65:09:74:d4:45:2b:86:7d:11:6e:96:0a:2d:b9:ce:81 student@desktop0.example.com
The key's randomart image is:
+--[ RSA 2048]----+
| .o.o. o=. |
| o *.. + |
| O = B |
| + = * |
| E o . |
| o . |
| o |
| |
| |
+-----------------+
[student@desktop0 Desktop]$
[student@desktop0 Desktop]$ ls /home/student/.ssh/
authorized_keys id_rsa id_rsa.pub known_hosts
[student@desktop0 Desktop]$
ssh-copy-id -i ~/.ssh/id_rsa.pub server0      this installs the public key on the server, so the next login does not ask for the password
[student@desktop0 Desktop]$ ssh-copy-id -i ~/.ssh/id_rsa.pub root@server0
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@server0's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@server0'"
and check to make sure that only the key(s) you wanted were added.
[student@desktop0 Desktop]$ ssh root@server0
Last login: Sat Jun 3 11:10:04 2017 from desktop0.example.com
[root@server0 ~]#
[root@server0 ~]# cat /root/.ssh/authorized_keys      the copied public key is stored here!!
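The host-key comparison described in 9.1 and the "check to make sure that only the key(s) you wanted were added" advice that ssh-copy-id prints in 9.2 can both be verified offline. The following Python script is an added example, not code from these notes or from OpenSSH: it decodes the public-key blobs found in known_hosts and authorized_keys entries, prints fingerprints in the MD5 colon form the first-connection prompt above shows and in the SHA256 form newer OpenSSH prints, mimics the client's unknown/match/mismatch decision for a host key presented at connect time, and lists every key in authorized_keys with flags for keys you did not intend to copy and for duplicates. The known_hosts line is the one from the transcript; the authorized_keys entries (built from made-up bytes, not real keys), the host name server1 used in the test and all function names are constructed for the example.

```python
import base64
import hashlib
import struct

# Constructed sample data for this example. The known_hosts line and the key
# blob are the ones shown in the session transcript; the authorized_keys
# entries are fabricated and are NOT usable keys (see constructed_blob).
SERVER0_KEY_TYPE = "ecdsa-sha2-nistp256"
SERVER0_KEY_B64 = (
    "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHX+o9KAnlfw2dE7CsmM4hqfv1ud"
    "M79a5NWC2BuWlmfKSwfYLptPQMJF8bnqaz0EjDlxCxRu/aito+GphPLzp/k="
)
KNOWN_HOSTS = f"server0,172.25.0.11 {SERVER0_KEY_TYPE} {SERVER0_KEY_B64}\n"
# Same host, one character changed in the blob: what a rebuilt or impersonated
# server0 looks like to the client.
ALTERED_KEY_B64 = SERVER0_KEY_B64[:60] + "A" + SERVER0_KEY_B64[61:]


def ssh_string(data):
    """Encode bytes as an SSH 'string' (4-byte big-endian length + data)."""
    return struct.pack(">I", len(data)) + data


def constructed_blob(key_type, *fields):
    """Build a syntactically valid public-key blob from arbitrary bytes. Used
    only to fabricate sample authorized_keys entries; these are not real keys."""
    parts = [ssh_string(key_type.encode())] + [ssh_string(f) for f in fields]
    return base64.b64encode(b"".join(parts)).decode("ascii")


STUDENT_KEY = constructed_blob("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\x9c" * 32)
STRAY_KEY = constructed_blob("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\x5d" * 32)
AUTHORIZED_KEYS = "\n".join([
    f"ssh-rsa {STUDENT_KEY} student@desktop0.example.com",
    f"ssh-rsa {STRAY_KEY} someone@elsewhere",  # constructed: a key you did not copy
    f'from="172.25.0.0/24" ssh-rsa {STUDENT_KEY} student@desktop0.example.com',  # duplicate
]) + "\n"


def decode_blob(b64):
    """Decode a public-key blob and return (raw_bytes, embedded_type). The blob
    begins with the algorithm name as an SSH string, which must agree with the
    type column of the file it sits in."""
    raw = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", raw[:4])
    return raw, raw[4:4 + n].decode("ascii")


def fingerprints(b64):
    """Return (md5_colon, sha256) fingerprints of a blob: the MD5 form printed
    in the prompt above and the SHA256 form newer OpenSSH prints by default."""
    raw, _ = decode_blob(b64)
    md5 = hashlib.md5(raw).hexdigest()
    sha = base64.b64encode(hashlib.sha256(raw).digest()).decode("ascii").rstrip("=")
    return ":".join(md5[i:i + 2] for i in range(0, 32, 2)), "SHA256:" + sha


def parse_key_line(line):
    """Split one known_hosts or authorized_keys line into
    (leading_field, key_type, blob_b64, comment). The leading field is the host
    list (known_hosts) or the options (authorized_keys); the key-type token
    anchors the parse. Quoted spaces inside options are not handled here."""
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(tokens):
            return " ".join(tokens[:i]), tok, tokens[i + 1], " ".join(tokens[i + 2:])
    raise ValueError("no key type token in line: " + line)


def check_host_key(known_hosts_text, host, key_type, blob_b64):
    """Mimic the client's known_hosts decision for a presented host key:
    'unknown' (first-use prompt), 'match' (connect silently) or 'MISMATCH'
    (refuse: rebuilt server or impersonation). Hashed entries written with
    HashKnownHosts yes are not handled here."""
    seen = False
    for line in known_hosts_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        hosts, ktype, blob, _ = parse_key_line(line)
        if host not in hosts.split(",") or ktype != key_type:
            continue
        seen = True
        if decode_blob(blob)[0] == decode_blob(blob_b64)[0]:
            return "match"
    return "MISMATCH" if seen else "unknown"


def audit_authorized_keys(text, expected_blobs):
    """Describe each key in authorized_keys after ssh-copy-id: type, options,
    fingerprints, whether it is one you meant to install, whether the embedded
    type agrees with the declared one, and whether it is a duplicate."""
    report, seen = [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        options, ktype, blob, comment = parse_key_line(line)
        _, embedded = decode_blob(blob)
        md5_fp, sha_fp = fingerprints(blob)
        report.append({"line": lineno, "type": ktype, "options": options,
                       "comment": comment, "md5": md5_fp, "sha256": sha_fp,
                       "type_ok": embedded == ktype,
                       "expected": blob in expected_blobs, "duplicate": blob in seen})
        seen.add(blob)
    return report


if __name__ == "__main__":
    print("server0 host key:", *fingerprints(SERVER0_KEY_B64))
    print("stored key presented:", check_host_key(KNOWN_HOSTS, "server0", SERVER0_KEY_TYPE, SERVER0_KEY_B64))
    print("changed key presented:", check_host_key(KNOWN_HOSTS, "172.25.0.11", SERVER0_KEY_TYPE, ALTERED_KEY_B64))
    for entry in audit_authorized_keys(AUTHORIZED_KEYS, {STUDENT_KEY}):
        print(entry)
```

The MD5 fingerprint the script prints for server0's key can be compared with the one shown in the "The authenticity of host ... can't be established" prompt above; on a real server the same value comes from ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub (add -E md5 on newer releases, which default to SHA256). The "expected" flag in the authorized_keys report is the check ssh-copy-id asks you to make: anything not in the set of keys you copied deserves a look.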
9.3
Changing the SSH configuration
[root@server0 Desktop]# vim /etc/ssh/sshd_config
Line 48:
#PermitRootLogin no
[root@server0 Desktop]# systemctl restart sshd      restart for the change to take effect / this experiment did not succeed; in production the administrator (root) login is disabled.
After emptying known_hosts, log in to server0 from desktop0 again: the host-key prompt appears, but root login is still not refused.
[root@desktop0 Desktop]# :> ~/.ssh/known_hosts
[root@desktop0 Desktop]# ssh root@server0
The authenticity of host 'server0 (172.25.0.11)' can't be established.
ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server0,172.25.0.11' (ECDSA) to the list of known hosts.
Last login: Sat Jun 3 12:09:25 2017 from desktop0.example.com
[root@server0 ~]#
9.3 Summary
All changes are made in this file: vim /etc/ssh/sshd_config
PermitRootLogin yes|no    whether root may log in to this machine over ssh
PermitRootLogin without-password    root may log in over ssh only with key-based authentication; this has no effect on other users
PasswordAuthentication yes|no    defaults to yes, allowing password-based ssh logins to this machine. If set to no, only key-based authentication can be used to log in; this applies to all users.
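The options summarised here only take effect when sshd actually reads them: in the 9.3 experiment above the directive was left as #PermitRootLogin no, i.e. still a comment, which is consistent with root being able to log in afterwards. The Python script below is an added example, not part of these notes or of OpenSSH. It reads the global section of an sshd_config text with sshd's own rules (the first value for a keyword wins and later repeats are ignored, comment lines are skipped, and everything after the first Match line is conditional) and reports the effective PermitRootLogin and PasswordAuthentication values together with a warning when the intended value exists only on a commented-out line. The two configuration fragments and the default tables are constructed for the example; the PasswordAuthentication default of yes is the one the notes state, and the PermitRootLogin defaults are the documented ones (yes before OpenSSH 7.0, prohibit-password from 7.0 on, with without-password accepted as an alias).

```python
import re

# Constructed sshd_config fragments (not the file from the notes). The first
# reproduces the state shown in 9.3: the directive is still commented out, so
# sshd keeps its built-in default.
CONFIG_STILL_COMMENTED = """\
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin no
PasswordAuthentication yes
"""

# A hardened fragment. The second PermitRootLogin line and the Match block are
# deliberate: sshd ignores the repeat (first value wins) and the Match block only
# applies to the user it names.
CONFIG_HARDENED = """\
PermitRootLogin without-password
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin yes
Match User student
    PasswordAuthentication yes
"""

# Built-in defaults used when a keyword is absent (assumption stated in the
# lead-in): PasswordAuthentication defaults to yes; PermitRootLogin defaulted
# to yes before OpenSSH 7.0 and to prohibit-password from 7.0 on.
DEFAULTS_PRE_7 = {"permitrootlogin": "yes", "passwordauthentication": "yes"}
DEFAULTS_7_PLUS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}

WATCHED = ("permitrootlogin", "passwordauthentication")


def parse_global(config_text):
    """Return (effective, commented) for the global section of an sshd_config.

    effective: keyword -> first value seen (sshd ignores later repeats).
    commented: watched keyword -> (line number, value) of the first line that
    carries it only as a comment, the classic 'edited but still #-ed' mistake.
    Parsing stops at the first Match line, because what follows is conditional.
    """
    effective, commented = {}, {}
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            m = re.match(r"#\s*(\w+)\s+(\S+)", line)
            if m and m.group(1).lower() in WATCHED:
                commented.setdefault(m.group(1).lower(), (lineno, m.group(2)))
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2:
            effective.setdefault(key, parts[1].strip())
    return effective, commented


def audit(config_text, defaults):
    """Report, for each watched keyword, the value sshd would apply, where it
    comes from (config or default) and a warning if the intended value is only
    present on a commented-out line."""
    effective, commented = parse_global(config_text)
    report = {}
    for key in WATCHED:
        entry = {"value": effective.get(key, defaults[key]),
                 "source": "config" if key in effective else "default",
                 "warning": None}
        if key not in effective and key in commented:
            lineno, intended = commented[key]
            entry["warning"] = (f"line {lineno}: '{key} {intended}' is commented out, "
                                f"so the built-in default '{defaults[key]}' is in force")
        report[key] = entry
    return report


if __name__ == "__main__":
    for name, cfg in (("still commented", CONFIG_STILL_COMMENTED), ("hardened", CONFIG_HARDENED)):
        print(name)
        for key, entry in audit(cfg, DEFAULTS_PRE_7).items():
            print(f"  {key} = {entry['value']} ({entry['source']})")
            if entry["warning"]:
                print("  WARNING:", entry["warning"])
```

On a live system the authoritative answer is sshd -T, which prints the effective configuration after sshd has parsed it; the script is for checking a file before it is deployed, and for spotting why a change such as the one in 9.3 did not take effect.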