本篇寫一些關於 Linux 網路中 SSH 服務的相關知識。 ...
本篇寫一些關於Linux網路中SSH服務的相關知識。
測試環境
| 名稱 | IP地址 |
|---|---|
| host01 | 192.168.28.128 |
| host02 | 192.168.28.129 |
| host03 | 192.168.28.130 |
禁止 root 登錄
- 查看
ssh服務埠是否開啟
[root@host01 ~]# netstat -ntuap | grep sshd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 998/sshd
tcp6 0 0 :::22 :::* LISTEN 998/sshd - 預設可以使用
root用戶登錄
[root@host02 ~]# ssh [email protected]
The authenticity of host '192.168.28.128 (192.168.28.128)' can't be established.
ECDSA key fingerprint is SHA256:5GGc1rmzWwjF+ozz/PPTyLO2s6NmFHSxbzCNsLazXhY.
ECDSA key fingerprint is MD5:0b:f5:62:d7:a4:1f:05:64:0b:7f:22:62:11:64:07:61.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.28.128' (ECDSA) to the list of known hosts.
[email protected]'s password:
Last login: Thu Sep 12 13:54:03 2019
[root@host01 ~]# logout
Connection to 192.168.28.128 closed.- 編輯配置文件,禁止
root用戶登錄
[root@host01 ~]# vim /etc/ssh/sshd_config
PermitRootLogin no- 重新載入配置文件,使配置生效
[root@host01 ~]# systemctl reload sshd- 不可使用
root用戶登錄
[root@host02 ~]# ssh [email protected]
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password: - 添加普通用戶
zhangsan。
[root@host01 ~]# useradd zhangsan && echo "000000" | passwd --stdin zhangsan
Changing password for user zhangsan.
passwd: all authentication tokens updated successfully.
[root@host01 ~]# id zhangsan
uid=1001(zhangsan) gid=1001(zhangsan) groups=1001(zhangsan)- 現在以
zhangsan登錄,發現可以切換至root用戶
[root@host02 ~]# ssh [email protected]
[email protected]'s password:
[zhangsan@host01 ~]$ su - root
Password:
Last login: Thu Sep 12 14:43:14 CST 2019 from 192.168.28.129 on pts/2
Last failed login: Thu Sep 12 14:46:39 CST 2019 from 192.168.28.129 on ssh:notty
There was 1 failed login attempt since the last successful login.
[root@host01 ~]# logout
[zhangsan@host01 ~]$ logout
Connection to 192.168.28.128 closed.- 可以開啟
pam認證來禁止切換
[root@host01 ~]# vim /etc/pam.d/su
auth required pam_wheel.so use_uid- 現在不可以使用
zhangsan做跳板切換至root用戶
[root@host02 ~]# ssh [email protected]
[email protected]'s password:
Last login: Thu Sep 12 14:56:01 2019 from 192.168.28.129
[zhangsan@host01 ~]$ su - root
Password:
su: Permission denied
[zhangsan@host01 ~]$ logout
Connection to 192.168.28.128 closed.- 將
zhangsan添加至wheel組
[root@host01 ~]# gpasswd -a zhangsan wheel
Adding user zhangsan to group wheel
[root@host01 ~]# id zhangsan
uid=1001(zhangsan) gid=1001(zhangsan) groups=1001(zhangsan),10(wheel)- 只有在
wheel組中的用戶才可以使用su命令
[root@host02 ~]# ssh [email protected]
[email protected]'s password:
Last login: Thu Sep 12 14:59:14 2019 from 192.168.28.129
[zhangsan@host01 ~]$ su - root
Password:
Last login: Thu Sep 12 14:56:13 CST 2019 on pts/2
Last failed login: Thu Sep 12 14:59:25 CST 2019 on pts/2
There was 1 failed login attempt since the last successful login.
[root@host01 ~]# logout
[zhangsan@host01 ~]$ logout
Connection to 192.168.28.128 closed.登錄次數嘗試
- 配置文件預設是
6次,但嘗試3次就不可再嘗試
[root@host02 ~]# ssh [email protected]
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).- 設置參數最大次數為
5次
[root@host01 ~]# vim /etc/ssh/sshd_config
MaxAuthTries 5- 重新載入配置文件,使配置生效
[root@host01 ~]# systemctl reload sshd- 想要使配置能夠有意義,需要使用
-o NumberOfPasswordPrompts=8參數,這裡嘗試8次,發現5次後被拒絕嘗試。
[root@host02 ~]# ssh -o NumberOfPasswordPrompts=8 [email protected]
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Received disconnect from 192.168.28.128 port 22:2: Too many authentication failures
Authentication failed.黑白名單
- 添加
lisi、wangwu用戶
[root@host01 ~]# useradd lisi && echo "000000" | passwd --stdin lisi
Changing password for user lisi.
passwd: all authentication tokens updated successfully.
[root@host01 ~]# useradd wangwu && echo "000000" | passwd --stdin wangwu
Changing password for user wangwu.
passwd: all authentication tokens updated successfully.- 添加白名單配置,預設沒有相關條目
zhangsan只能從129登錄,lisi可以從任何主機登錄
[root@host01 ~]# vim /etc/ssh/sshd_config
AllowUsers [email protected] lisi白名單:
AllowUsers,黑名單:DenyUsers,不要同時使用。
- 重新載入配置文件,使配置生效
[root@host01 ~]# systemctl reload sshd- 測試
zhangsan可以從129登錄
[root@host02 ~]# ssh [email protected]
[email protected]'s password:
Last login: Thu Sep 12 16:53:09 2019 from 192.168.28.129
[zhangsan@host01 ~]$ logout
Connection to 192.168.28.128 closed.- 測試
lisi可以從129登錄
[root@host02 ~]# ssh [email protected]
[email protected]'s password:
[lisi@host01 ~]$ logout
Connection to 192.168.28.128 closed.- 測試
wangwu不可從129登錄
[root@host02 ~]# ssh [email protected]
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password: - 測試
zhangsan不可從130登錄
[root@host03 ~]# ssh [email protected]
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password: - 測試
lisi可以從130登錄
[root@host03 ~]# ssh [email protected]
[email protected]'s password:
Last login: Thu Sep 12 16:56:07 2019 from 192.168.28.129
[lisi@host01 ~]$ logout
Connection to 192.168.28.128 closed.- 測試
wangwu不可從130登錄
[root@host03 ~]# ssh [email protected]
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password: 使用密鑰對登錄
- 開啟密鑰認證選項
[root@host01 ~]# vim /etc/ssh/sshd_config
PubkeyAuthentication yes- 重新載入配置文件,使配置生效
[root@host01 ~]# systemctl reload sshd- 生成類型為
ecdsa橢圓曲線數字簽名加密的密鑰,可以設置一個密碼
[root@host02 ~]# ssh-keygen -t ecdsa
Generating public/private ecdsa key pair.
Enter file in which to save the key (/root/.ssh/id_ecdsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_ecdsa.
Your public key has been saved in /root/.ssh/id_ecdsa.pub.
The key fingerprint is:
SHA256:Y4AjDPfBRwYAP5exUlv7Obn08cvhSZzAsZ6Mwqt/ccE root@host02
The key's randomart image is:
+---[ECDSA 256]---+
|o.oo=o+ |
| = o.X.. |
| * O.o .. |
| = . o +Eo |
| S =. |
| . o.O.* . |
| o oo= * |
| o. + + |
| .oo. = |
+----[SHA256]-----+- 查看生成的私鑰和公鑰文件
[root@host02 ~]# ls .ssh/
id_ecdsa id_ecdsa.pub- 推送公鑰文件至
128的lisi用戶
[root@host02 ~]# ssh-copy-id -i .ssh/id_ecdsa.pub [email protected]
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_ecdsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.- 本地會生成一個已知主機文件
[root@host02 ~]# ls .ssh/
id_ecdsa id_ecdsa.pub known_hosts- 可以查看一下
[root@host02 ~]# cat .ssh/known_hosts
192.168.28.128 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBG/cLQC3IgLKJnuYS8mOuhuJjfnMT4V2CsSJ6GNFgBlmANrik1sLgUeSIfyPOeirGfyz0En3/AAyI+slLpA/3lQ=128的lisi用戶下生成了認證密鑰
[root@host01 ~]# cat /home/lisi/.ssh/authorized_keys
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEE/8T2xbTo11fmJu5sAc43OyUELuvl6OvcEiJ4WrZxaD9QR+PmJCxLZoVd5+HwyT6PFmW7EZjMk8NogcnDc9HI= root@host02- 使用
128的lisi用戶ssh登錄,提示輸入先前設置的密碼
[root@host02 ~]# ssh [email protected]
Enter passphrase for key '/root/.ssh/id_ecdsa':
Last login: Thu Sep 12 17:09:37 2019 from 192.168.28.129
[lisi@host01 ~]$ logout
Connection to 192.168.28.128 closed.- 可以設置免驗證操作,並輸入先前設置的密碼
[root@host02 ~]# ssh-agent bash
[root@host02 ~]# ssh-add
Enter passphrase for /root/.ssh/id_ecdsa:
Identity added: /root/.ssh/id_ecdsa (/root/.ssh/id_ecdsa)- 現在可以免密碼登錄
[root@host02 ~]# ssh [email protected]
Last login: Tue Sep 17 00:40:47 2019 from 192.168.28.129
[lisi@host01 ~]$ logout
Connection to 192.168.28.128 closed.更改預設埠
- 關閉防火牆、
SELinux。
[root@host01 ~]# systemctl stop firewalld
[root@host01 ~]# setenforce 0- 更改預設埠
22為2233
[root@host01 ~]# vim /etc/ssh/sshd_config
Port 2233- 重新載入配置文件,使配置生效
[root@host01 ~]# systemctl reload sshd
[root@host01 ~]# netstat -ntuap | grep sshd
tcp 0 0 0.0.0.0:2233 0.0.0.0:* LISTEN 41357/sshd
tcp6 0 0 :::2233 :::* LISTEN 41357/sshd - 直接登錄失敗
[root@host02 ~]# ssh [email protected]
ssh: connect to host 192.168.28.128 port 22: Connection refused- 指定埠登錄成功
[root@host02 ~]# ssh -p 2233 [email protected]
Last login: Tue Sep 17 01:21:11 2019 from 192.168.28.129
[lisi@host01 ~]$ logout
Connection to 192.168.28.128 closed.scp 遠程複製
- 創建測試文件、文件夾
[root@host02 ~]# echo "this is testfile01" > testfile01.txt
[root@host02 ~]# mkdir testdir01- 遠程複製文件
[root@host02 ~]# scp testfile01.txt [email protected]:/opt/
[email protected]'s password:
testfile01.txt 100% 19 11.4KB/s 00:00 - 遠程複製文件夾
[root@host02 ~]# scp -r testdir01/ [email protected]:/opt/
[email protected]'s password: - 查看是否複製成功
[root@host01 ~]# ls /opt/
rh testdir01 testfile.txtsftp 安全文件傳輸協議
- 登錄
[root@host02 ~]# sftp [email protected]
[email protected]'s password:
Connected to 192.168.28.128.
sftp> - 可以
cd切換目錄,ls查看,put上傳
sftp> cd /home/zhangsan/
sftp> ls
sftp> put /root/testfile01.txt
Uploading /root/testfile01.txt to /home/zhangsan/testfile01.txt
/root/testfile01.txt 100% 19 32.8KB/s 00:00
sftp> ls
testfile01.txt - 上傳成功
[root@host01 ~]# ls /home/zhangsan/
testfile01.txtget下載
sftp> get /etc/passwd
Fetching /etc/passwd to passwd
/etc/passwd 100% 2227 1.8MB/s 00:00
sftp> bye- 下載成功
[root@host02 ~]# ls
anaconda-ks.cfg passwd testdir01 testfile01.txt
