(1).SSH是传输层和应用层上的安全协议,它只能通过加密连接双方会话的方式来保证连接的安全性。当使用ssh连接成功后,将建立客户端和服务端之间的会话,该会话是被加密的,之后客户端和服务端的通信都将通过会话传输。
(2).SSH服务的守护进程为sshd,默认监听在22端口上。
(3).所有ssh客户端工具,包括ssh命令,scp,sftp,ssh-copy-id等命令都是借助于ssh连接来完成任务的。也就是说它们都连接服务端的22端口,只不过连接上之后将待执行的相关命令转换传送到远程主机上,由远程主机执行。
(4).ssh客户端命令(ssh、scp、sftp等)读取两个配置文件:全局配置文件/etc/ssh/ssh_config和用户配置文件~/.ssh/config。实际上命令行上也可以传递配置选项。它们生效的优先级是:命令行配置选项 > ~/.ssh/config > /etc/ssh/ssh_config。
(5).ssh涉及到两个验证:主机验证和用户身份验证。通过主机验证,再通过该主机上的用户验证,就能唯一确定该用户的身份。一个主机上可以有很多用户,所以每台主机的验证只需一次,但主机上每个用户都需要单独进行用户验证。
(6).ssh支持多种身份验证,最常用的是密码验证机制和公钥认证机制,其中公钥认证机制在某些场景实现双机互信时几乎是必须的。虽然常用上述两种认证机制,但认证时的顺序默认是gssapi-with-mic,hostbased,publickey,keyboard-interactive,password。注意其中的主机认证机制hostbased不是主机验证,由于主机认证用的非常少(它所读取的认证文件为/etc/hosts.equiv或/etc/shosts.equiv),所以网络上比较少见到它的相关介绍。总的来说,通过在ssh配置文件(注意不是sshd配置文件)中使用指令PreferredAuthentications改变认证顺序不失为一种验证的效率提升方式。
(7).ssh客户端其实有不少很强大的功能,如端口转发(隧道模式)、代理认证、连接共享(连接复用)等。
(8).ssh服务端配置文件为/etc/ssh/sshd_config,注意和客户端的全局配置文件/etc/ssh/ssh_config区分开来。
(9).很重要却几乎被人忽略的一点,ssh登录时会请求分配一个伪终端。但有些身份认证程序如sudo可以禁止这种类型的终端分配,导致ssh连接失败。例如使用ssh执行sudo命令时sudo就会验证是否要分配终端给ssh。
SSH 主要由三部分组成:
提供了服务器认证,保密性及完整性。此外它有时还提供压缩功能。 SSH-TRANS 通常运行在TCP/IP连接上,也可能用于其它可靠数据流上。 SSH-TRANS 提供了强力的加密技术、密码主机认证及完整性保护。该协议中的认证基于主机,并且该协议不执行用户认证。更高层的用户认证协议可以设计为在此协议之上。
用于向服务器提供客户端用户鉴别功能。它运行在传输层协议 SSH-TRANS 上面。当SSH-USERAUTH 开始后,它从低层协议那里接收会话标识符(从第一次密钥交换中的交换哈希H )。会话标识符唯一标识此会话并且适用于标记以证明私钥的所有权。 SSH-USERAUTH 也需要知道低层协议是否提供保密性保护。
将多个加密隧道分成逻辑通道。它运行在用户认证协议上。它提供了交互式登录话路、远程命令执行、转发 TCP/IP 连接和转发 X11 连接。
启动SSH服务器后,sshd运行起来并在默认的22端口进行监听(你可以用 # ps -waux | grep sshd 来查看sshd是否已经被正确的运行了)如果不是通过inetd启动的SSH,那么SSH就将一直等待连接请求。当请求到来的时候SSH守护进程会产生一个子进程,该子进程进行这次的连接处理
实验
ssh免密登录实验
准备两台以上初始化完成的虚拟机,之前文章有详细步骤
虚拟机1 ip:192.168.1.10 (客户机)
虚拟机3 ip:192.168.1.30 (服务器)
通过命令ssh命令可以远程登录sshd服务,为用户提供一个安全的shell环境,以便对服务器进行管理和维护。使用时应指定登录用户、目标主机地址作为参数。
[root@server1 ~]# ssh root@192.168.1.30 #以root用户登录服务器
The authenticity of host '192.168.1.30 (192.168.1.30)' can't be established.
ECDSA key fingerprint is SHA256:mrvZ76+kad6pXTq4E+MReynzGrfGYSjgt3UezAg8yXk.
ECDSA key fingerprint is MD5:8d:4a:fe:2b:ca:19:2d:b3:b3:2b:6c:45:f6:26:0c:59.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.30' (ECDSA) to the list of known hosts.
root@192.168.1.30's password: #输入密码
Last failed login: Mon Sep 7 08:52:01 CST 2020 from 192.168.1.10 on ssh:notty
There were 2 failed login attempts since the last successful login.
Last login: Wed Sep 2 23:12:57 2020
[root@server3 ~]# exit #exit退出登录
登出
Connection to 192.168.1.30 closed.
[root@server3 ~]# vi /etc/ssh/sshd_config
37 #LoginGraceTime 2m #登录验证时间为2分钟
38 PermitRootLogin no #yes改为no 注释去掉(禁止root登录)
39 #StrictModes yes
40 #MaxAuthTries 6 #最大重试次数为6次
41 #MaxSessions 10
42
43 #PubkeyAuthentication yes
[root@server3 ~]# systemctl restart sshd
[root@server3 ~]# useradd tom
[root@server3 ~]# echo "123123" | passwd --stdin tom
更改用户 tom 的密码 。
passwd:所有的身份验证令牌已经成功更新。
[root@server1 ~]# ssh root@192.168.1.30
root@192.168.1.30's password:
Permission denied, please try again.
root@192.168.1.30's password:
Permission denied, please try again.
root@192.168.1.30's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
[root@server1 ~]# ssh tom@192.168.1.30
tom@192.168.1.30's password:
[tom@server3 ~]$
[tom@server3 ~]$ su root
密码:
[root@server3 tom]# cd
[root@server3 ~]#
#虽然静止了tom1的禁止root账户登录还是不安全的 可以用主机的其他账户作为跳板登录
[root@server3 ~]# vi /etc/pam.d/su
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth required pam_wheel.so use_uid #前面#注释去掉
auth substack system-auth
auth include postlogin
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session include postlogin
session optional pam_xauth.so
[root@server3 ~]# systemctl restart sshd
[root@server1 ~]# ssh tom@192.168.1.30
tom@192.168.1.30's password:
Last login: Mon Sep 7 09:44:44 2020 from 192.168.1.30
[tom@server3 ~]$ su root
密码:
su: 拒绝权限
[tom@server3 ~]$
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
MaxAuthTries 3 #开启最大重试次数改为3次
#MaxSessions 10
[root@server1 ~]# ssh root@192.168.1.30
root@192.168.1.30's password:
Permission denied, please try again.
root@192.168.1.30's password:
Permission denied, please try again.
root@192.168.1.30's password:
Received disconnect from 192.168.1.30 port 22:2: Too many authentication failures
Authentication failed.
[root@server1 ~]#
[root@server3 ~]# vi /etc/ssh/sshd_config
AllowUsers tom@192.168.1.20
[root@server3 ~]# systemctl restart sshd
[root@server1 ~]# ssh tom@192.168.1.30
tom@192.168.1.30's password:
Permission denied, please try again.
tom@192.168.1.30's password:
Permission denied, please try again.
tom@192.168.1.30's password:
Received disconnect from 192.168.1.30 port 22:2: Too many authentication failures
Authentication failed.
[root@server1 ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 123213
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in 123213.
Your public key has been saved in 123213.pub.
The key fingerprint is:
SHA256:BdJLDyAqC8kXp58BKOyQdrkIRzZNTCPatpxDB+gulKw root@server1
The key's randomart image is:
+---[RSA 2048]----+
|.+BB*.oo. |
|BO.BBo .+. |
|&oOoo. . +. |
|.&.=. o ... |
|= = o S |
|E. . |
|. |
| |
| |
+----[SHA256]-----+
[root@server1 ~]# cd ~/.ssh
[root@server1 .ssh]# ls
id_rsa id_rsa.pub known_hosts #id_rsa (私钥) id_rsa.pub (公钥)
[root@server1 .ssh]# ssh-copy-id root@192.168.1.30
服务器查看
[root@server3 ~]# cd ~/.ssh/
[root@server3 .ssh]# vi authorized_keys
[root@server1 .ssh]# ssh 192.168.1.30
通过scp命令可以利用SSH安全连接与远程主机相互复制。使用scp命令时,除了必须指令复制源、目标之外,还应指定目标主机地址、登录用户、执行后提示验证口令即可
[root@server1 opt]# scp test.txt root@192.168.1.30:/root
The authenticity of host '192.168.1.30 (192.168.1.30)' can't be established.
ECDSA key fingerprint is SHA256:mrvZ76+kad6pXTq4E+MReynzGrfGYSjgt3UezAg8yXk.
ECDSA key fingerprint is MD5:8d:4a:fe:2b:ca:19:2d:b3:b3:2b:6c:45:f6:26:0c:59.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.30' (ECDSA) to the list of known hosts.
root@192.168.1.30's password:
test.txt 100% 4 1.9KB/s 00:00
[root@server3 ~]# ls -lh
总用量 12K
-rw-------. 1 root root 1.9K 8月 26 17:58 anaconda-ks.cfg
-rw-r--r--. 1 root root 2.0K 8月 26 18:30 initial-setup-ks.cfg
-rw-r--r--. 1 root root 4 9月 7 09:24 test.txt
drwxr-xr-x. 2 root root 6 8月 26 18:31 公共
drwxr-xr-x. 2 root root 6 8月 26 18:31 模板
drwxr-xr-x. 2 root root 6 8月 26 18:31 视频
drwxr-xr-x. 2 root root 6 8月 26 18:31 图片
drwxr-xr-x. 2 root root 6 8月 26 18:31 文档
drwxr-xr-x. 2 root root 6 8月 26 18:31 下载
drwxr-xr-x. 2 root root 6 8月 26 18:31 音乐
drwxr-xr-x. 2 root root 6 8月 26 18:31 桌面
#已经复制成功
[root@server1 opt]# scp -r tom/ root@192.168.1.30:/opt
root@192.168.1.30's password:
a.txt 100% 5 1.3KB/s 00:00
b.txt 100% 5 3.6KB/s 00:00
#-r 表示递归目录
通过sftp命令可以利用SSH安全连接与远程主机上传,下载文件,采用了与FTP类似的登录过程和交互环境,便于目录资源管理
[root@server1 ~]# sftp 192.168.1.30
The authenticity of host '192.168.1.30 (192.168.1.30)' can't be established.
ECDSA key fingerprint is SHA256:mrvZ76+kad6pXTq4E+MReynzGrfGYSjgt3UezAg8yXk.
ECDSA key fingerprint is MD5:8d:4a:fe:2b:ca:19:2d:b3:b3:2b:6c:45:f6:26:0c:59.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.30' (ECDSA) to the list of known hosts.
root@192.168.1.30's password:
Connected to 192.168.1.30.
sftp> ls
anaconda-ks.cfg b.txt initial-setup-ks.cfg
下载 公共 图片
文档 桌面 模板
视频 音乐
sftp> get b.txt
Fetching /root/b.txt to b.txt
/root/b.txt 100% 7 3.9KB/s 00:00
sftp> put a
a.txt anaconda-ks.cfg
sftp> put a.txt
Uploading a.txt to /root/a.txt
a.txt 100% 7 10.4KB/s 00:00
sftp> bye
TCP_Wrappers有一个TCP的守护进程叫作tcpd。以ssh为例,每当有ssh的连接请求时,tcpd即会截获请求,先读取系统管理员所设置的访问控制文件,符合要求,则会把这次连接原封不动的转给真正的ssh进程,由ssh完成后续工作;如果这次连接发起的ip不符合访问控制文件中的设置,则会中断连接请求,拒绝提供ssh服务
访问控制策略的配置文件:
etc/hosts.allow
etc/hosts.deny
示例:
在服务器修改配置文件hosts.allow,允许的IP地址为192.168.1.10访问,其他的都是不可以访问的
[root@server3 ~]# vi /etc/hosts.allow
#
# hosts.allow This file contains access rules which are used to
# allow or deny connections to network services that
# either use the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
sshd:192.168.1.10 #允许IP为192.168.1.10可以通过ssh远程访问
#
# hosts.deny This file contains access rules which are used to
# deny connections to network services that either use
# the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# The rules in this file can also be set up in
# /etc/hosts.allow with a 'deny' option instead.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
sshd:ALL #拒绝其他访问
测试1
#地址为192.168.1.10的客户机
[root@server1 ~]# ssh root@192.168.1.30
root@192.168.1.30's password:
Last login: Mon Sep 7 08:52:41 2020 from 192.168.1.10
[root@server3 ~]#
#地址为192.168.1.20的客户机
[root@server2 ~]# ssh 192.168.1.30
ssh_exchange_identification: read: Connection reset by peer
测试2
# hosts.allow This file contains access rules which are used to
# allow or deny connections to network services that
# either use the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
sshd:192.168.1.10
将hosts.allow文件和hosts.deny都同时设置同一个IP地址
[root@server1 ~]# ssh root@192.168.1.30
root@192.168.1.30's password:
Last login: Mon Sep 7 10:58:05 2020 from 192.168.1.20
#可以访问
测试3
地址也可以写目标网段
# hosts.deny This file contains access rules which are used to
# deny connections to network services that either use
# the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# The rules in this file can also be set up in
# /etc/hosts.allow with a 'deny' option instead.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
sshd:192.168.1.*
[root@server1 ~]# ssh root@192.168.1.30
ssh_exchange_identification: read: Connection reset by peer
[root@server1 ~]#
#客户机访问失败
如果您觉得对您有用的话,三连吧,求求啦!!