SSH (Secure Shell) is a secure channel protocol used mainly for character-mode remote login, remote file copy and similar tasks. SSH encrypts everything exchanged between the two ends of the connection, including the password a user types at login. Compared with the earlier Telnet remote login, RSH remote command execution and RCP remote file copy, SSH offers far better security.
OpenSSH is the open-source project that implements the SSH protocol and runs on the various UNIX and Linux systems. More about the project is available at its website, http://www.openssh.com.
OpenSSH follows the classic client/server (C/S) architecture and is a very practical network security solution.
OpenSSH login authentication methods:
- Password authentication: the login name and password of a local system user on the server are checked. This is the simplest method to use, but from the client's point of view the server it is connecting to could be impersonated (if the user accepts an unknown host key, the password is handed straight to the impostor), and from the server's point of view it resists password-guessing (brute-force) attacks poorly.
- Key-pair authentication: matching key material must be presented. A key pair (public key and private key) is first created on the client, then the public key is placed in a designated file on the server. At login the server uses the stored public key to verify a signature the client produces with its private key; the private key never leaves the client, which greatly improves the security of remote administration.
When both password and key-pair authentication are enabled, key-pair authentication is tried first and the password is only asked for if no key is accepted.
In the configuration file /etc/ssh/sshd_config:
PasswordAuthentication   yes/no, whether password authentication is accepted (default yes)
PubkeyAuthentication     yes/no, whether key-pair authentication is accepted (default yes)
Note that sshd honours the first occurrence of a directive and ignores later duplicates, so a setting appended at the end of the file has no effect if the same keyword already appears above it.
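Because sshd honours only the first occurrence of each keyword, it is easy to believe a directive is in force when it is not. The following shell script is an added example (not code from this page or from OpenSSH): it reads sshd_config text and reports the effective value of the two directives above, then gives a verdict. The two sample configurations inside it are constructed, and the function names sshd_effective and auth_summary are the example's own.

```shell
#!/bin/sh
# Added example (not from the original page): report the EFFECTIVE value of a
# global sshd_config directive. Three sshd rules are encoded here: keywords are
# case-insensitive, '#' lines are comments, and the FIRST occurrence of a
# keyword wins (later duplicates are silently ignored). Directives after the
# first "Match" header are conditional, so they are not the global value and
# the scan stops there. Only the "Keyword value" form is handled, not "Keyword=value".

# sshd_effective KEYWORD DEFAULT  (config text on stdin) -> prints effective value
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" -v def="$2" '
        /^[ \t]*(#|$)/ { next }                            # comment or blank line
        tolower($1) == "match" { exit }                    # conditional section begins
        tolower($1) == key { print $2; found = 1; exit }   # first match wins
        END { if (!found) print def }                      # absent: compiled-in default
    '
}

# auth_summary  (config text on stdin) -> both settings plus a verdict:
# "key-only" when passwords are off and keys are on, otherwise "weak".
auth_summary() {
    cfg=$(cat)
    pw=$(printf '%s\n' "$cfg" | sshd_effective PasswordAuthentication yes)
    pk=$(printf '%s\n' "$cfg" | sshd_effective PubkeyAuthentication yes)
    printf 'PasswordAuthentication=%s PubkeyAuthentication=%s ' "$pw" "$pk"
    if [ "$pw" = "no" ] && [ "$pk" = "yes" ]; then echo key-only; else echo weak; fi
}

# Constructed samples, not real server files. The first mirrors the edit made
# on this page (PubkeyAuthentication added, passwords left at their default of
# yes); the second turns passwords off and also shows the first-wins rule: the
# commented line, the later lowercase duplicate and the Match block do not
# change the global value.
PAGE_CONFIG='Port 22
ListenAddress 192.168.100.100
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys'

HARDENED_CONFIG='Port 22
ListenAddress 192.168.100.100
PasswordAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
#PasswordAuthentication yes
passwordauthentication yes
Match User zhangsan
    PasswordAuthentication yes'

# Usage when run as a script (on a live server: sshd_effective ... < /etc/ssh/sshd_config)
printf '%s\n' "$PAGE_CONFIG"     | auth_summary
printf '%s\n' "$HARDENED_CONFIG" | auth_summary
```

On a running server the authoritative check is `sshd -T` (run as root), which prints the configuration sshd actually applies after all parsing rules; the parser above is for reviewing a config file offline, for example in a code review of a configuration-management repository.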
Lab environment and requirements
Prepare two Linux machines, a server and a client. Create the ordinary user zhangsan on the server and the ordinary user lisi on the client. Give zhangsan permission to run ifconfig through sudo; generate a key pair as lisi on the client and upload its public key to zhangsan's account on the server, so that lisi logs in to zhangsan with OpenSSH key-pair authentication.
Server configuration
[root@local ~]# useradd zhangsan //create the user zhangsan
[root@local ~]# echo "123" | passwd --stdin zhangsan //set its password (a throwaway lab password; use a strong one on a real server)
[root@local ~]# vim /etc/pam.d/su //edit the authentication configuration for su
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth required pam_wheel.so use_uid //uncomment this line: now only members of the wheel group can su to root, so an ordinary user such as zhangsan is refused
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so
[root@local ~]# vi /etc/ssh/sshd_config //edit the sshd service configuration
Port 22
#AddressFamily any
ListenAddress 192.168.100.100
#ListenAddress ::
PubkeyAuthentication yes //enable key-pair login
AuthorizedKeysFile .ssh/authorized_keys //public-key file, relative to each user's home directory, that holds the public keys uploaded by clients; sshd checks the client's private key against the keys listed here
[root@local ~]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
[root@local ~]# su - zhangsan //switch to the ordinary user
[zhangsan@local ~]$ su - root //try to switch to the administrator
Password: //because of the PAM change above, su is refused even when the password is correct (zhangsan is not in wheel)
su: incorrect password
[zhangsan@local ~]$ exit //leave the ordinary user's shell
logout
[root@local ~]# visudo //grant the ordinary user a sudo privilege
Press G (uppercase) to jump to the end of the file and add:
zhangsan local=/sbin/ifconfig //allow zhangsan to run /sbin/ifconfig through sudo on the host named "local" (the host field must match the server's hostname)
%wheel ALL=NOPASSWD: ALL //members of wheel may run any command without a password; together with pam_wheel above this makes wheel membership the single gate for both su and sudo, so keep that group small
[root@local ~]# su - zhangsan
[zhangsan@local ~]$ ifconfig //intended as the privilege test, but this runs ifconfig as zhangsan without sudo: reading interface state needs no privilege and /sbin is on an ordinary user's PATH here, so the output below does not exercise the sudoers rule. sudo -l lists the rules that apply to zhangsan, and sudo /sbin/ifconfig runs the command under them
eth0 Link encap:Ethernet HWaddr 00:0C:29:4B:1E:4E
inet addr:192.168.100.100 Bcast:192.168.100.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe4b:1e4e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1797 errors:0 dropped:0 overruns:0 frame:0
TX packets:1401 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:171259 (167.2 KiB) TX bytes:192192 (187.6 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:80 errors:0 dropped:0 overruns:0 frame:0
TX packets:80 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:5928 (5.7 KiB) TX bytes:5928 (5.7 KiB)
Client configuration and verification
1. Log in to the server as the root administrator
[root@root ~]# ssh root@192.168.100.100
root@192.168.100.100's password: //enter the server's root password
Last login: Tue Aug 18 11:27:47 2015 from 192.168.100.1
[root@local ~]# id zhangsan //verification: look up the zhangsan user on the server
uid=500(zhangsan) gid=500(zhangsan) groups=500(zhangsan)
[root@local ~]#
2. Log in to the server as the ordinary user zhangsan
[root@root ~]# ssh zhangsan@192.168.100.100
The authenticity of host '192.168.100.100 (192.168.100.100)' can't be established.
RSA key fingerprint is c5:0c:2a:f9:56:53:0a:28:f1:60:c9:a7:37:0c:8c:bc.
Are you sure you want to continue connecting (yes/no)? yes //type yes, but first compare this fingerprint with the server's own (ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub on the server); answering yes to an unverified key is exactly how a password gets handed to an impostor
Warning: Permanently added '192.168.100.100' (RSA) to the list of known hosts.
zhangsan@192.168.100.100's password: //enter zhangsan's password
[zhangsan@local ~]$ su - root
Password:
su: incorrect password
[zhangsan@local ~]$
[root@root ~]# useradd lisi //add the user on the client
[root@root ~]# echo "123" | passwd --stdin lisi
Changing password for user lisi.
passwd: all authentication tokens updated successfully.
[root@root ~]# su - lisi
[lisi@root ~]$ whoami //confirm the current user (to confirm this host's IP address: /sbin/ifconfig eth0 | grep "inet addr")
lisi
[lisi@root ~]$ ssh-keygen -t rsa //create the key pair
Generating public/private rsa key pair.
Enter file in which to save the key (/home/lisi/.ssh/id_rsa): //press Enter
Created directory '/home/lisi/.ssh'.
Enter passphrase (empty for no passphrase): //enter a passphrase for the key (leaving it empty allows login without a passphrase, but then anyone who obtains the id_rsa file can log in as zhangsan)
Enter same passphrase again: //enter it again to confirm
Your identification has been saved in /home/lisi/.ssh/id_rsa.
Your public key has been saved in /home/lisi/.ssh/id_rsa.pub.
The key fingerprint is:
fe:fa:38:6d:fa:33:76:8b:f1:74:0a:15:f4:35:1a:2e lisi@root
The key's randomart image is:
+--[ RSA 2048]----+
| .. ..|
| ...o..|
| E.o. |
| .. |
| S . |
| . . |
| ..o . . |
| .o**.o |
| +O=++. |
+-----------------+
[lisi@root ~]$ ls -lh ~/.ssh/ //list the key files; the private key must stay mode 0600 (ssh refuses to use a private key that other users can read)
total 8.0K
-rw-------. 1 lisi lisi 1.8K Aug 18 10:27 id_rsa
-rw-r--r--. 1 lisi lisi 391 Aug 18 10:27 id_rsa.pub
[lisi@root ~]$ ssh-copy-id -i ~/.ssh/id_rsa.pub zhangsan@192.168.100.100 //upload the public key to the server (it is appended to ~zhangsan/.ssh/authorized_keys)
zhangsan@192.168.100.100's password: //enter zhangsan's password
Now try logging into the machine, with "ssh 'zhangsan@192.168.100.100'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[lisi@root ~]$ ssh zhangsan@192.168.100.100 //log in to the server remotely; the key is used, so ssh asks for the key passphrase instead of zhangsan's password
Enter passphrase for key '/home/lisi/.ssh/id_rsa': //enter the key passphrase
Last login: Tue Aug 18 11:55:17 2015 from 192.168.100.200
[zhangsan@local ~]$ tail -1 /home/zhangsan/.ssh/authorized_keys //view the uploaded public key
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6zgczGUPFwmlq4U/abvVjr3lNyAheLUWcrWY9f/IU5BhjimfP+yJa3eDW/6fx2b1ApbA0E5M2oDUFxer5YW9dNJgYBK9k1E2SU7tJ8GkF+7Hdb4hPYFnE4B3/oEkNIA1Cp76eOH6969zNo1Bn4zDvZpISVvoS3GCKvxVwH9Twqway8RneUBcjnj5FlJ06Jhdo+mbx8FtrEWKF3quCvx3ai0QhlCrfdyLEI//4f8tWk6DlsryUa7Ovjxlp5Lja4/Hukgny9f72ASsM3/9VbyCFQdx1D/ff5MhCbjHMroMvg+iPwCiQiafj7Sn9EAH+NhN6bxq0LaT4Tvs6Q9D3Og9Pw== lisi@root //the trailing comment field (lisi@root) records which client user generated the key; it is a free-text label that sshd does not verify, so do not rely on it alone when auditing who holds access
[zhangsan@local ~]$ ifconfig //privilege test for zhangsan on the server (again without sudo, so it only shows that ifconfig is on the PATH; run sudo /sbin/ifconfig to test the sudoers rule)
eth0 Link encap:Ethernet HWaddr 00:0C:29:4B:1E:4E
inet addr:192.168.100.100 Bcast:192.168.100.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe4b:1e4e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2827 errors:0 dropped:0 overruns:0 frame:0
TX packets:2137 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:278119 (271.6 KiB) TX bytes:290533 (283.7 KiB)
[zhangsan@local ~]$ su - root //still refused by pam_wheel, also over the key-based session
Password:
su: incorrect password
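Once key-pair login works, the operational question becomes which keys can log in as zhangsan and what each of them is allowed to do, since an unrestricted key is a full interactive login for whoever holds the private key. The script below is an added example (not code from this page or from OpenSSH) that audits an authorized_keys file such as the one shown above: it separates the optional restriction prefix (from=, command=, no-*) from the key type, blob and comment, and prints the MD5 fingerprint in the same colon form that ssh-keygen printed during key generation. The sample file is constructed and its blobs are valid base64 but not real keys; the function names md5_fingerprint, parse_authorized_keys and audit_authorized_keys are the example's own.

```shell
#!/bin/sh
# Added example (not from the original page or from OpenSSH): audit an
# authorized_keys file. For each key line print whether it is RESTRICTED
# (carries a from=, command= or no-* option), the key type, its MD5
# fingerprint in the colon form ssh-keygen printed above, the comment field
# and the option string. Needs only awk, base64 and md5sum (coreutils).

# md5_fingerprint BASE64BLOB -> "xx:xx:...:xx", the old ssh-keygen -l format
md5_fingerprint() {
    printf '%s' "$1" | base64 -d 2>/dev/null | md5sum |
        awk '{ fp = substr($1, 1, 32); gsub(/../, "&:", fp); sub(/:$/, "", fp); print fp }'
}

# parse_authorized_keys FILE -> tab-separated: flag, type, blob, comment, options
# A line is "[options] keytype base64 [comment]". Options may contain spaces
# inside quotes, so the key-type token is located first and everything before
# it is taken as options. (A quoted command containing a literal key-type word
# would confuse this simple splitter.) "-" stands for an empty field.
parse_authorized_keys() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            idx = 0
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))$/) { idx = i; break }
            if (!idx) { printf "INVALID\t-\t-\t-\t%s\n", $0; next }
            opts = ""
            for (i = 1; i < idx; i++) opts = opts (opts == "" ? "" : " ") $i
            comment = ""
            for (i = idx + 2; i <= NF; i++) comment = comment (comment == "" ? "" : " ") $i
            flag = (opts ~ /(^|,| )(from=|command=|no-)/) ? "RESTRICTED" : "UNRESTRICTED"
            printf "%s\t%s\t%s\t%s\t%s\n", flag, $idx, $(idx + 1),
                   (comment == "" ? "-" : comment), (opts == "" ? "-" : opts)
        }
    ' "$1"
}

# audit_authorized_keys FILE -> flag, type, fingerprint, comment, options (tab-separated)
audit_authorized_keys() {
    parse_authorized_keys "$1" | while IFS="$(printf '\t')" read -r flag type blob comment opts; do
        if [ "$flag" = INVALID ]; then
            printf '%s\t%s\n' "$flag" "$opts"
        else
            printf '%s\t%s\t%s\t%s\t%s\n' "$flag" "$type" "$(md5_fingerprint "$blob")" "$comment" "$opts"
        fi
    done
}

# Constructed sample: the blobs are valid base64 but NOT real keys. The first
# line is the shape ssh-copy-id produced above (no restrictions at all); the
# second shows a key pinned to one source address and one command.
SAMPLE_AUTHORIZED_KEYS='# constructed sample, not a real authorized_keys file
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC0onstructedNotARealKeyButValidBase64Padding0123456789aQ== lisi@root
from="192.168.100.200",no-port-forwarding,no-agent-forwarding,command="/usr/bin/rsync --server --sender ." ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNotARealKeyValue0123456789ab backup@client
this line is not a key'

# Usage when run as a script (on a real server: audit_authorized_keys ~zhangsan/.ssh/authorized_keys)
TMP=$(mktemp)
printf '%s\n' "$SAMPLE_AUTHORIZED_KEYS" > "$TMP"
audit_authorized_keys "$TMP"
rm -f "$TMP"
```

Where OpenSSH is installed, `ssh-keygen -lf FILE` remains the authoritative fingerprint tool (newer releases print SHA256 by default and need `-E md5` for the colon form); the script is useful on hosts where only coreutils are available or when reviewing authorized_keys files collected from many servers. A key flagged UNRESTRICTED whose holder only needs one task is a candidate for a `from=` and `command=` prefix like the second sample line.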