Linux Basics (8): openssh-server


openssh-server

[Client station: 172.25.254.48,

Server redhat (the host being reached remotely): 172.25.254.148]

1. Function

Lets a remote host reach the sshd service over the network and open a secure shell.

2. Client connection methods

1. ssh remote-user@remote-host-ip
[root@station Desktop]# ssh root@172.25.254.148

The authenticity of host '172.25.254.148 (172.25.254.148)' can't be established.
ECDSA key fingerprint is a5:b4:2c:dd:e6:9c:2f:b4:9e:26:0a:7e:8c:5f:75:e6.
Are you sure you want to continue connecting (yes/no)? yes            ##when connecting to an unknown host, a trust relationship must first be established
Warning: Permanently added '172.25.254.148' (ECDSA) to the list of known hosts.
root@172.25.254.148's password:                                        ##the remote user's password
Last login: Tue Nov 14 17:17:20 2017 from 172.25.254.48
[root@redhat ~]#                                                       ##login succeeded
2. ssh remote-user@remote-host-ip -X                ##use the remote host's graphical tools


3. ssh remote-user@remote-host-ip command        ##run a single command directly on the remote host

[root@station Desktop]# ssh root@172.25.254.148 touch /root/Desktop/file
root@172.25.254.148's password:
##the file was created on the remote host; it worked


3. SSH key authentication

Server side:

1. Generate the key pair

[root@redhat ~]# ssh-keygen                                              ##tool that generates the public/private key pair
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):[enter]          ##file the key is saved in (the default is recommended)
Enter passphrase (empty for no passphrase):[enter]                     ##key passphrase, must be more than 4 characters (recommended: leave it empty, otherwise it has to be typed again at every remote login)
Enter same passphrase again:[enter]                                    ##confirm the passphrase
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
df:7d:d0:d4:63:76:45:da:57:cc:a5:ff:5f:ba:88:bc root@redhat
The key's randomart image is:
+--[ RSA 2048]----+
|               +*|
|               +*|
|              o+*|
|              o++|
|        S     . o|
|         . . . ..|
|          . . . +|
|         . . . oo|
|          E.. o..|
+-----------------+
[root@redhat ~]# ls /root/.ssh/
id_rsa  id_rsa.pub

###id_rsa        ##private key: the "key"
###id_rsa.pub    ##public key: the "lock"

2. Add key-based authentication
[root@redhat ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.25.254.148
The authenticity of host '172.25.254.148 (172.25.254.148)' can't be established.
ECDSA key fingerprint is a5:b4:2c:dd:e6:9c:2f:b4:9e:26:0a:7e:8c:5f:75:e6.
Are you sure you want to continue connecting (yes/no)? yes         ##confirm
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@172.25.254.148's password:                                     ##enter the root user's password

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@172.25.254.148'"
and check to make sure that only the key(s) you wanted were added.
####this command creates authorized_keys, appending the contents of id_rsa.pub to /root/.ssh/authorized_keys
[root@redhat ~]#

Parameter description:

ssh-copy-id        ##tool that installs a key for key-based authentication

-i                       ##specify the key file
/root/.ssh/id_rsa.pub    ##the key (public half)
root                     ##the user the key is authorized for: root
172.25.254.148           ##IP of the host the key is installed on
3. Distribute the private key to the client host
[root@redhat ~]# scp /root/.ssh/id_rsa root@172.25.254.48:/root/.ssh/
Tip: if the host 172.25.254.48 regularly needs to ssh into several machines, rename the id_rsa private-key files received from the different machines to distinct names; all the private keys can then coexist and every one of them remains usable.
4. Test
[root@station Desktop]# ssh root@172.25.254.148           ##connects directly using id_rsa; no user password is required
Last login: Tue Nov 14 18:17:41 2017 from 172.25.254.48
[root@redhat ~]#
4. Raising the security level of openssh
1. openssh-server configuration file
/etc/ssh/sshd_config
PasswordAuthentication yes|no        ##whether password authentication is allowed: yes enables it, no disables it
PermitRootLogin yes|no               ##whether the superuser (root) may log in
AllowUsers student redhat            ##user whitelist: only the listed users may open a shell through sshd
DenyUsers linux                      ##user blacklist
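As an added example (not code from the original post), the following shell script applies the four sshd_config directives above to a copy of the file and reads back the value sshd would actually use, so the change can be checked before it is copied over /etc/ssh/sshd_config. It assumes the one-directive-per-line layout of the stock RHEL 7 file and no Match blocks; the sample configuration it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): rewrite sshd_config directives on
# a COPY of the file and read back the effective value. Assumes one directive
# per line and no "Match" blocks (true of the stock RHEL 7 file).

# set_directive FILE KEY VALUE: replace the first active or commented
# "KEY ..." line in place, drop later duplicates, append if KEY never appeared.
set_directive() {
    awk -v k="$2" -v v="$3" '
        $0 ~ ("^[ \t]*#?[ \t]*" k "([ \t]|$)") {
            if (!done) { print k " " v; done = 1 }
            next
        }
        { print }
        END { if (!done) print k " " v }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# get_directive FILE KEY: the value sshd would use (first active line wins for
# these keywords; commented lines are ignored).
get_directive() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# harden_sshd_config FILE: the four settings from section 4.1 of the post.
# Before copying the result over /etc/ssh/sshd_config, keep the current session
# open, syntax-check with "sshd -t -f FILE", restart sshd, and confirm from a
# second terminal that a key-based login still works.
harden_sshd_config() {
    set_directive "$1" PasswordAuthentication no
    set_directive "$1" PermitRootLogin no
    set_directive "$1" AllowUsers "student redhat"
    set_directive "$1" DenyUsers linux
}

# make_sample_config FILE: a constructed stand-in for the stock file.
make_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config (not copied from any real host)
Port 22
#PermitRootLogin yes
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
EOF
}
```

Running harden_sshd_config twice on the same file leaves exactly one active line per directive, so the script is safe to re-run after a package update rewrites the commented defaults.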

2. Controlling which ssh clients may connect
vim /etc/hosts.deny
sshd:ALL        ##refuse everyone a connection to the sshd service

vim /etc/hosts.allow
sshd:172.25.254.250    ##allow host .250 to connect to sshd

sshd:172.25.254.250, 172.25.254.180    ##allow .250 and .180 to connect

sshd:ALL EXCEPT 172.25.254.200        ##allow everyone except .200 to connect to sshd


3. Changing the ssh login message
vim /etc/motd        ##text displayed after login

hello world        ##this text is shown right after logging in
