8_Linux中的远程登陆服务

8_Linux中的远程登陆服务

  • 一、Openssh的功能
  • 二、ssh
  • 三、sshd key认证
  • 四、sshd 安全优化参数详解


一、Openssh的功能

  • 1)sshd 服务 的用途:可以实现通过网络在远程主机中开启安全shell的操作
Secure SHell  			===>ssh		##客户端
Secure SHell  daemon	===>sshd	##服务端
  • 2)安装包
    openssh-server

  • 3)主配置文件
    /etc/ssh/sshd_conf

  • 4)默认端口
    22

  • 5)客户端命令
    ssh


二、ssh

  • 1)基本用法
ssh [-l 远程主机用户] <ip|hostname>

ssh -l root 172.25.254.105		##通过ssh命令在105主机中以root身份开启远程shell

[lee@westos_lee ~]$ ssh -l root 172.25.254.105
The authenticity of host '172.25.254.105 (172.25.254.105)' can't be established.
ECDSA key fingerprint is SHA256:1uLJ3EuYzt16BrtDrGdbjOY6wxCZcfppTLSwTI3BuCs.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes   	##身份证明生成过程确认

  • 2)作用

当输入
105主机会向当前主机发送身份公钥,并保存此公钥到 ~/.ssh/know_hosts
105主机持有私钥当客户主机再次连接时会对客户主机进行身份验证
如果身份验证改变拒绝连接效果如下

[lee@westos_lee ~]$ ssh -l root 172.25.254.105
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:1uLJ3EuYzt16BrtDrGdbjOY6wxCZcfppTLSwTI3BuCs.
Please contact your system administrator.
Add correct host key in /home/lee/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/lee/.ssh/known_hosts:1
ECDSA host key for 172.25.254.105 has changed and you have requested strict checking.
Host key verification failed.

当连接因为认证问题被拒绝时解决方案
vim ~/.ssh/know_hosts :在此文件中删除报错提示相应的行即可

  • 3)ssh 常用参数
-l	#指定登陆用户
-i	#指定私钥
-X	#开启图形
-f	#后台运行
-o	#指定连接参数
	# ssh -l [email protected] -o "StrictHostKeyChecking=no"  首次连接不许要输入yes
-t	#指定连接跳板
	# ssh -l root 172.25.254.1 -t ssh -l root 172.25.254.105

三、sshd key认证

  • 1)认证类型

    • 1.对称加密

      加密和解密是同一串字符

      容易泄漏
      可暴力破解
      容易遗忘

    • 2.非对称加密

      加密用公钥,解密用私钥
      不会被盗用
      攻击者无法通过无密钥方式登陆服务器

  • 2)生成非对称加密密钥

  • 方法一

$ ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 	##输入保存密钥文件
Enter passphrase (empty for no passphrase): 			##密钥密码
Enter same passphrase again: 					##确认密码
Your identification has been saved in /root/.ssh/id_rsa.	##私钥
Your public key has been saved in /root/.ssh/id_rsa.pub.	##公钥
The key fingerprint is:
SHA256:OZVOK9g6NyZsaUIfbZMrfAGB31GQsJ3FyviO4/psVSg [email protected]
The key's randomart image is:
+---[RSA 3072]----+
|     .o..=o      |
|    .  +oo..     |
|     .o+o++      |
|      E==*..     |
|    . ooS.o      |
|   . + =o*       |
|    . %+*        |
|     =+B..       |
|    .=+.         |
+----[SHA256]-----+

  • 方法二
$ssh-keygen -f /root/.ssh/id_rsa -P ""
  • 3)对服务器加密
ssh-copy-id -i /root/.ssh/id_rsa.pub   username@serverip
ssh-copy-id -i /root/.ssh/id_rsa.pub   [email protected]
  • 4)测试
ssh [email protected] 	##登陆lee用户不需要输入密码

四、sshd 安全优化参数详解

setenforce 0
systemctl disable --now firewalld 

Port 2222 			#设定端口为2222
PermitRootLogin yes|no		#对超级用户登陆是否禁止
PasswordAuthentication yes|no	#是否开启原始密码认证方式
AllowUsers lee			#用户白名单
DenyUsers lee			#用户黑名单




你可能感兴趣的:(linux,服务器,ssh)