OpenSSH
1. 使用 SSH 访问远程命令行
1.1 openssh
- OpenSSH 指系统中使用的Secure Shell软件的软件实施。SSH协议族可以用来进行远程控制, 或在计算机之间传送文件。OpenSSH提供了服务端后台程序和客户端工具,用来加密远程控制和文件传输过程中的数据,并由此来代替原来的类似服务.
- 常见的远程登录工具有:
1.telnet
2.ssh
3.dropbear
telnet :远程登录协议,23/TCP
不安全
认证明文
数据传输明文
ssh :Secure SHell,应用层协议,22/TCP
比较安全, 通信过程及认证过程是加密的,主机认证
用户认证过程加密
数据传输过程加密
dropbear:嵌入式系统专用的SSH服务器端和客户端工具
1.2 SSH版本
- openssh有两个版本,分别为v1和v2
v1:基于CRC-32做MAC,无法防范中间人(man-in-middle)攻击
v2:双方主机协议选择安全的MAC方式。基于DH算法做密钥交换,基于RSA或DSA算法实现身份认证
1.3 SSH认证方式
- openssh有两种认证方式,分别是:
基于口令认证
基于密钥认证
1.4 openssh工作模式
- openSSH基于C/S(客户端/服务端)架构工作
1.客户端 sshd), 配置文件为/etc/ssh/sshd_config
2. 服务端 (ssh),配置文件为/etc/ssh/ssh_config
- ssh-keygen 密钥生成器
- ssh-copy-id 将公钥传输至远程服务器
- scp 跨主机安全复制工具
2.ssh实例
以当前用户身份创建远程交互式shell
[root@xj ~]# ssh [email protected]
The authenticity of host '192.168.23.151 (192.168.23.151)' can't be established.
ECDSA key fingerprint is SHA256:yC8VIQ5X9ztNKJdSXVaFPCTilFvQzMg5NoXp8eOQYt0.
ECDSA key fingerprint is MD5:58:67:13:8e:55:78:fc:4b:c0:75:86:15:2c:6e:43:72.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.23.151' (ECDSA) to the list of known hosts.
[email protected]'s password:
Last login: Wed Jan 9 01:16:01 2019 from 192.168.23.1
以其他用户身份在主机上连接到远程shell
[root@localhost ~]# ssh [email protected]
The authenticity of host '192.168.23.151 (192.168.23.151)' can't be established.
ECDSA key fingerprint is SHA256:yC8VIQ5X9ztNKJdSXVaFPCTilFvQzMg5NoXp8eOQYt0.
ECDSA key fingerprint is MD5:58:67:13:8e:55:78:fc:4b:c0:75:86:15:2c:6e:43:72.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.23.151' (ECDSA) to the list of known hosts.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Last failed login: Wed Jan 9 01:19:43 CST 2019 from 192.168.23.151 on ssh:notty
There was 1 failed login attempt since the last successful login.
[user@localhost ~]$
以远程用户身份在远程主机上通过将输出返回到本地显示器的方式来执行单一命令
[root@localhost ~]# ssh [email protected] '/usr/sbin/ip a s ens32'
[email protected]'s password:
2: ens32: mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:b2:d2:70 brd ff:ff:ff:ff:ff:ff
inet 192.168.23.151/24 brd 192.168.23.255 scope global ens32
valid_lft forever preferred_lft forever
inet6 fe80::764:c752:c3c4:4d3f/64 scope link
valid_lft forever preferred_lft forever
w命令可以显示当前登录到计算机的用户列表。这对于显示哪些用户使用ssh从哪些远程位置进行了登录以及执行了什么操作等内容特别有用
[root@localhost ~]# w
01:23:53 up 40 min, 3 users, load average: 0.00, 0.03, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root tty1 00:43 38:33 0.37s 0.37s -bash
root pts/0 192.168.23.1 01:16 4:09 0.01s 0.01s -bash
root pts/1 192.168.23.132 01:17 1.00s 0.05s 0.03s w
2.1 SSH主机密钥
- 当用户第一次使用ssh连接到特定服务器时,会弹出公钥副本,询问是否远程访问服务器(yes/no),no无法访问,yes进行下一步,输入用户密码,用于为通信渠道设置安全加密,并可验证客户端的服务器
[root@localhost .ssh]# ssh [email protected]
The authenticity of host '192.168.23.151 (192.168.23.151)' can't be established.
ECDSA key fingerprint is SHA256:yC8VIQ5X9ztNKJdSXVaFPCTilFvQzMg5NoXp8eOQYt0.
ECDSA key fingerprint is MD5:58:67:13:8e:55:78:fc:4b:c0:75:86:15:2c:6e:43:72.
Are you sure you want to continue connecting (yes/no)?
- 第一次使用ssh连接到特定服务器时,ssh命令可在用户的 root/.ssh/known_hosts文件中存储该服务器的公钥。在此之后每当用户进行连接时,客户端都会通过对~/.ssh/known_hosts文件中的服务器条目和服务器发送的公钥,确保从服务器获得相同的公钥。如果公钥不匹配,客户端会假定网络通信已遭劫持或服务器已被入侵,并且中断连接。
[root@localhost .ssh]# cat known_hosts
192.168.23.151 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIr6bTh6cANbFC1W/I7kG4lxs8uIYukHZi+QOZPZgD+ZlU8MD+RWV3D/mUzHvXIfttyCQHCEbX8uHMjmXItYlzI=
2.2 2. 配置基于 SSH 密钥的身份验证
-
用户可通过使用公钥身份验证进行ssh登录身份验证。ssh允许用户使用私钥-公钥方案进行身份验证。这意味着将生成私钥和公钥这两个密钥。私钥文件用作身份验证凭据,像密码一样,必须妥善保管。公钥复制到用户希望登录的系统,用于验证私钥。公钥并不需要保密。拥有公钥的ssh服务器可以发布仅持有您私钥的系统才可解答的问题。因此,可以根据所持有的密钥进行验证。如此一来,就不必在每次访问系统时键入密码,但安全性仍能得到保证
-
使用ssh-keygen命令生成密码。将会生成私钥/root/.ssh/id_rsa和公钥~/.ssh/id_rsa.pub。
-
生成ssh密钥后,密钥将默认存储在家目录下的.ssh/目录中。私钥和公钥的权限就分别为600和644。.ssh目录权限必须是700。
-
在可以使用基于密钥的身份验证前,可以使用ssh-copy-id将需要将公钥复制到目标系统上。
使用 ssh-keygen 创建公钥-私钥对
[root@localhost ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:QCmRxJ17RftFklL4q5OKqh4b4TFeNRoR/0gp4C+jQkA [email protected]
The key's randomart image is:
+---[RSA 2048]----+
| E.o==.o ..oo.. |
|.. .+++. +..o |
|. . o.B. ..o . |
|. . *.=. ... |
| .* + ..S .. |
|.+ B . |
|o = o |
|. + . + |
| .+.... .. . |
+----[SHA256]-----+
[root@localhost ~]# ls .ssh
id_rsa id_rsa.pub known_hosts
使用 ssh-copy-id 将公钥复制到远程系统上的正确位置
[root@localhost ~]# ssh-copy-id [email protected]
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.
使用 ssh 命令无密码登录远程主机
[root@localhost ~]# ssh [email protected]
Last login: Wed Jan 9 01:17:29 2019 from 192.168.23.132
- scp命令常用选项
-r //递归复制
-p //保持权限
-P //端口
-q //静默模式
-a //全部复制
使用 scp 命令传送文件到远程主机
[root@localhost ~]# scp /tmp/oooo [email protected]:/tmp/
[email protected]'s password:
oooo 100% 0 0.0KB/s 00:00
[root@localhost ~]# cd /tmp/
[root@localhost tmp]# ls
ks-script-zVCank
oooo
使用 scp 命令从远程主机上下载文件到本地
[root@localhost ~]# scp [email protected]:/tmp/oooo /usr/src/
oooo 100% 0 0.0KB/s 00:00
[root@localhost ~]# cd /usr/src/
[root@localhost src]# ls
debug kernels oooo
3. 自定义 SSH 服务配置
虽然OpenSSH服务器通常无需修改,但会提供其他安全措施,可以在配置文件/etc/ssh/sshd_config中修改OpenSSH服务器的各个方面。
PermitRootLogin {yes|no} //是否允许root用户远程登录系统
PermitRootLogin without-password //仅允许root用户基于密钥方式远程登录
PasswordAuthentication {yes|no} //是否启用密码身份验证,默认开启
4. SSH 安全注意事项
密码应该经常换且足够复杂
[root@localhost ~]# tr -dc A-Za-z0-9_ < /dev/urandom | head -c 40 |xargs 生成40位随机密码
BRqI71np3mpyCau77yVk9udt8jM89zMNBcvHpikT
[root@localhost ~]# openssl rand 20 -base64 生成20位随机密码
sYSpgdaQsoHyqVyogwE4VIGHbrU=
使用非默认端口
限制登录客户端地址
仅监听特定的IP地址
禁止管理员直接登录
仅允许有限制用户登录
AllowUsers
AllowGroups
使用基于密钥的认证
禁止使用空密码
禁止使用SSHv1版本
设定空闲会话超时时长
利用防火墙设置ssh访问策略
限制ssh的访问频度和并发在线数
做好日志的备份,经常分析(集中于某台服务器)
5. 防火墙设置
5.1 防火墙的种类
- iptables —默认是允许
- firewalld----默认是拒绝
- ebtables
拒绝所有ssh的流量
[root@localhost ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens32
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.23.0/24" service name="rpc-bind" accept
[root@localhost ~]# firewall-cmd --permanent --remove-service=ssh
success
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens32
sources:
services: dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.23.0/24" service name="rpc-bind" accept
允许特殊本地客户机远程访问服务器
[root@localhost ~]# firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address=192.168.23.151/32 service name=ssh accept'
success
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# ssh 192.168.23.151
Last login: Wed Jan 9 01:43:35 2019 from 192.168.23.1
[root@localhost ~]# ip a
1: lo: mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens32: mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:b2:d2:70 brd ff:ff:ff:ff:ff:ff
inet 192.168.23.151/24 brd 192.168.23.255 scope global ens32
valid_lft forever preferred_lft forever
inet6 fe80::764:c752:c3c4:4d3f/64 scope link
valid_lft forever preferred_lft forever
拒绝本地客户机远程访问服务器
[root@xj ~]# firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address=192.168.23.151/32 service name=ssh reject'
success
[root@xj ~]# firewall-cmd --reload
success
[root@xj ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens32
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.23.151/32" service name="ssh" reject
[root@localhost ~]# ssh 192.168.23.132
ssh: connect to host 192.168.23.132 port 22: Connection refused