The early days of remote login
Early remote logins used telnet, but telnet is very insecure: the user's authentication exchange travels in cleartext, so the entire session is exposed.
Capturing with tcpdump -i eth0 -nnX port 23 shows your own login password in cleartext. ssh is the Secure Shell: its transport is encrypted. The same capture against port 22 shows only ciphertext in the payload, as below:
[root@localhost 桌面]# tcpdump -i eth0 -nnX port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
20:53:44.425599 IP 192.168.1.117.61187 > 192.168.1.146.22: Flags [P.], seq 408682499:408682551, ack 2552214769, win 16370, length 52
0x0000: 4500 005c 760d 4000 8006 0037 c0a8 0175 E..\v.@....7...u
0x0010: c0a8 0192 ef03 0016 185c 0003 981f b4f1 .........\......
0x0020: 5018 3ff2 c8e7 0000 0000 0010 ecde 2a85 P.?...........*.
0x0030: 2a86 026b b465 5f34 cdad f4e5 5eee d0a0 *..k.e_4....^...
0x0040: fda5 e386 d750 907d f4a5 aaf7 10cf 8e9a .....P.}........
0x0050: abb4 1713 e4fb e6df 4a2b 22e9 ........J+".
20:53:44.425819 IP 192.168.1.146.22 > 192.168.1.117.61187: Flags [.], ack 52, win 251, length 0
0x0000: 4510 0028 4f9e 4000 4006 66ca c0a8 0192 E..(O.@.@.f.....
0x0010: c0a8 0175 0016 ef03 981f b4f1 185c 0037 ...u.........\.7
0x0020: 5010 00fb 8472 0000 P....r..
20:53:44.429947 IP 192.168.1.146.22 > 192.168.1.117.61187: Flags [P.], seq 1:53, ack 52, win 251, length 52
0x0000: 4510 005c 4f9f 4000 4006 6695 c0a8 0192 E..\O.@.@.f.....
0x0010: c0a8 0175 0016 ef03 981f b4f1 185c 0037 ...u.........\.7
0x0020: 5018 00fb 84a6 0000 0000 0010 8ca5 885d P..............]
0x0030: f16c 0740 3d0a 32ec 9831 215f bdac 5d24 .l.@=.2..1!_..]$
0x0040: 6045 17a4 6164 4379 d9c3 f38b 352f 7140 `E..adCy....5/q@
0x0050: 07b2 09a5 f211 8416 b5a0 23d4 ..........#.
20:53:44.506204 IP 192.168.1.117.61187 > 192.168.1.146.22: Flags [P.], seq 52:104, ack 53, win 16357, length 52
0x0000: 4500 005c 760e 4000 8006 0036 c0a8 0175 E..\v.@....6...u
0x0010: c0a8 0192 ef03 0016 185c 0037 981f b525 .........\.7...%
0x0020: 5018 3fe5 e3a3 0000 0000 0010 7944 b5ab P.?.........yD..
0x0030: 51d2 491c 4b8e 93df d7a8 5a4d ad23 e55a Q.I.K.....ZM.#.Z
0x0040: 3a1c e5f5 84f1 3674 b63a fa84 8561 e06a :.....6t.:...a.j
0x0050: 8074 0f30 e63c 980c 8d38 b7c9 .t.0.<...8..
ssh (Secure Shell, tcp/22)
Client/server (C/S) architecture.
OpenSSH is the open-source SSH implementation.
Clients:
Linux: ssh
Windows: PuTTY, SecureCRT, Xshell
Server side:
sshd
Two login methods: key-based and password-based.
When logging in remotely, do not log in directly as root. The danger is not a captured password (the SSH exchange is encrypted) but online guessing: root exists on every host, so an attacker who can reach port 22 only has to guess the password, and brute-force attempts against sshd overwhelmingly target that account. Log in as an ordinary user instead.
On CentOS the ssh service is made up of several rpm packages:
[root@localhost ~]# rpm -qa |grep ssh
openssh-6.6.1p1-25.el7_2.x86_64
openssh-server-6.6.1p1-25.el7_2.x86_64
openssh-clients-6.6.1p1-25.el7_2.x86_64
libssh2-1.4.3-10.el7_2.1.x86_64
Use netstat -tln to check that port 22, which ssh needs, is listening. (In the output below port 23 is listening too, meaning telnet is still enabled on this host and should be disabled.)
[root@localhost ~]# netstat -tln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp6 0 0 :::80 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 :::23 :::* LISTEN
tcp6 0 0 ::1:631 :::* LISTEN
tcp6 0 0 ::1:25 :::* LISTEN
OpenSSH configuration files
/etc/ssh/
ssh_config is the client configuration file
sshd_config is the server (sshd) configuration file
Because they are security-sensitive, some of these files are not readable by ordinary users: sshd_config is mode 0600, and the private host keys are readable only by root and the ssh_keys group, while the .pub halves are world-readable.
[root@localhost ssh]# ll
total 276
-rw-r--r--. 1 root root 242153 Mar 22 2016 moduli
-rw-r--r--. 1 root root 2208 Mar 22 2016 ssh_config
-rw-------. 1 root root 4361 Mar 22 2016 sshd_config
-rw-r-----. 1 root ssh_keys 227 Sep 21 15:32 ssh_host_ecdsa_key
-rw-r--r--. 1 root root 162 Sep 21 15:32 ssh_host_ecdsa_key.pub
-rw-r-----. 1 root ssh_keys 387 Sep 21 15:32 ssh_host_ed25519_key
-rw-r--r--. 1 root root 82 Sep 21 15:32 ssh_host_ed25519_key.pub
-rw-r-----. 1 root ssh_keys 1679 Sep 21 15:32 ssh_host_rsa_key
-rw-r--r--. 1 root root 382 Sep 21 15:32 ssh_host_rsa_key.pub
The server-side configuration file (sshd_config):
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# The default requires explicit activation of protocol 1
#Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
A line starting with '#' is a comment. '# ' (hash then space) is pure commentary; '#' directly followed by a keyword shows that parameter's default value and can be uncommented and changed. For each keyword sshd uses the first value it finds in the file, so a second occurrence further down is silently ignored.
Port: change it to serve on another port (on a SELinux system, also run the semanage command from the comment above, or sshd will not be permitted to bind the new port).
ListenAddress: restrict the service to a specific local IP address.
KeyRegenerationInterval 1h: regenerate the ephemeral protocol-1 server key every hour.
ServerKeyBits 1024: size in bits of that ephemeral protocol-1 server key (not a password length). Both of these apply only to protocol version 1, which should stay disabled.
#LoginGraceTime 2m             ## grace period for completing authentication
#PermitRootLogin yes           ## whether root may log in
#StrictModes yes
#MaxAuthTries 6                ## maximum authentication attempts per connection
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys   ## where sshd looks up a user's authorized public keys (relative to the home directory)

PasswordAuthentication yes     ## whether password authentication is allowed

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
See man sshd_config for the details of every keyword.
AllowUsers: login whitelist (once set, every account not listed is refused, so include your own user)
DenyUsers: login blacklist
After editing the configuration file you must reload the daemon for it to take effect:
systemctl reload sshd
Check the syntax first with sshd -t, and keep your current session open while you confirm that a fresh connection still works, so a mistake does not lock you out of a remote machine.
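The rules above (a leading '#' is a comment, a commented-out line is only a display of the default, the first occurrence of a keyword wins, and settings after a Match line are conditional) are easy to get wrong when auditing a file by eye. The script below is an added example, not part of the original post or of OpenSSH: it reads an sshd_config the way sshd does and checks the settings this page discusses. The defaults it assumes are those of the OpenSSH 6.x build shown above (PermitRootLogin defaulted to yes there; newer releases default it to prohibit-password), and both configuration files it reads are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenSSH): audit an
# sshd_config the way sshd reads it. Assumed defaults are those of the
# OpenSSH 6.x build on the page (PermitRootLogin defaulted to "yes" there;
# newer releases default it to "prohibit-password"). Both config files
# below are constructed samples.

# Effective global value of one keyword. Mirrors sshd's rules: keywords are
# case-insensitive; a line whose first non-blank character is '#' is a comment
# (so "#PermitRootLogin yes" is NOT a setting, just a display of the default);
# the FIRST occurrence of a keyword wins; and everything after a "Match" line
# is conditional, so the global scan stops there.
#   $1 = config file, $2 = keyword, $3 = value to report when the keyword is absent
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blank lines
        tolower($1) == "match" { exit }                  # conditional section
        tolower($1) == key     { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Check one keyword against a pattern of acceptable values (extended regex,
# whole value, case-insensitive). Prints a verdict line; sets RC=1 on a weak value.
#   $1 = config file, $2 = keyword, $3 = default, $4 = acceptable-value pattern
sshd_check() {
    v=$(sshd_effective "$1" "$2" "$3")
    if printf '%s\n' "$v" | grep -Eqi "^($4)\$"; then
        printf 'OK    %-24s %s\n' "$2" "$v"
    else
        printf 'WEAK  %-24s %s   (want: %s)\n' "$2" "$v" "$4"
        RC=1
    fi
}

# The checks the page's summary calls for. Returns 0 if all pass, 1 otherwise.
sshd_audit() {
    RC=0
    sshd_check "$1" Protocol               2    '2'
    sshd_check "$1" PermitRootLogin        yes  'no|prohibit-password|without-password'
    sshd_check "$1" PasswordAuthentication yes  'no'
    sshd_check "$1" PubkeyAuthentication   yes  'yes'
    sshd_check "$1" PermitEmptyPasswords   no   'no'
    sshd_check "$1" MaxAuthTries           6    '[1-4]'
    return $RC
}

# Constructed sample 1, roughly the stock CentOS 7 file: every security-relevant
# line is still a commented-out default, so root may log in with a password.
STOCK=$(mktemp)
cat >"$STOCK" <<'EOF'
#Port 22
#Protocol 2
#PermitRootLogin yes
#MaxAuthTries 6
#PubkeyAuthentication yes
PasswordAuthentication yes
EOF

# Constructed sample 2, hardened. The trailing "PermitRootLogin yes" is dead
# because the first occurrence wins, and the Match block (passwords allowed
# from the LAN only) does not change the global verdict.
HARDENED=$(mktemp)
cat >"$HARDENED" <<'EOF'
Port 2222
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 3
AllowUsers wjx
PermitRootLogin yes
Match Address 192.168.1.0/24
    PasswordAuthentication yes
EOF

for f in "$STOCK" "$HARDENED"; do
    echo "== $f"
    if sshd_audit "$f"; then echo "-> passes"; else echo "-> has weak settings"; fi
done
```

Point sshd_audit at /etc/ssh/sshd_config on a real host to get the same verdict table; the stock sample fails only on PermitRootLogin and PasswordAuthentication, which is exactly the pair the post's summary says to turn off once key login works.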
ssh USER@IP_ADDRESS
ssh USER@IP_ADDRESS 'CMD'      # run a command on the remote host without an interactive login
ssh -X USER@IP_ADDRESS         # X11 forwarding, so graphical programs can be run from the remote login. -Y enables trusted X11 forwarding, which exempts the forwarded clients from the X11 SECURITY extension restrictions; it is therefore less safe than -X, not more, and should be used only when an application does not work under -X.
Key-based authentication.
1. Generate a key pair on the client.
2. Append the public key to the .ssh/authorized_keys file in the target user's home directory on the server.
ssh-copy-id does step 2 for you; scp can also be used to copy the file over (scp -r copies a directory).
Generate the pair with ssh-keygen. -t selects the key type (algorithm)
-f sets the path the key is saved under
[root@localhost ssh]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
/root/.ssh/id_rsa already exists.
Overwrite (y/n)?
Without options the default is a 2048-bit RSA key (for the OpenSSH 6.6 build on this host; the same build also supports ed25519 via ssh-keygen -t ed25519, as the server's host keys show). Set a passphrase when prompted: an unencrypted private key is a ready-to-use credential for every server it has been installed on.
[wjx@localhost 桌面]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/wjx/.ssh/id_rsa): Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/wjx/.ssh/id_rsa.
Your public key has been saved in /home/wjx/.ssh/id_rsa.pub.
The key fingerprint is:
00:fb:85:4d:1d:e0:15:75:f6:30:54:3d:bd:f9:1e:65 wjx@localhost.localdomain
The key's randomart image is:
+--[ RSA 2048]----+
| . oo++..*.+|
| o = .. o =o|
| . o + =|
| . o oE|
| . S .o|
| ..|
| ..|
| .|
| |
+-----------------+
Install the public key for a particular user on the server. ssh-copy-id appends it to that user's authorized_keys; the password prompt below is the last time the password is needed for this login:
[wjx@localhost 桌面]$ ssh-copy-id -i ~/.ssh/id_rsa.pub root@192.168.1.146
The authenticity of host '192.168.1.146 (192.168.1.146)' can't be established.
ECDSA key fingerprint is f4:7b:49:a0:d0:c9:e0:27:07:49:9d:5c:24:78:c9:b3.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.1.146's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@192.168.1.146'"
and check to make sure that only the key(s) you wanted were added.
The key is installed. The private key (/home/wjx/.ssh/id_rsa) stays on the client where it was generated and is never sent anywhere; only the public half went to the server. One caveat on the exchange above: answering yes to the unknown-host prompt trusts whatever host answered at that address, so compare the ECDSA fingerprint against the server's own (ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub, run on the server's console) before accepting it. From now on ssh root@192.168.1.146 authenticates with the key (after the key's passphrase, if one was set).
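ssh-copy-id's work on the server side is plain file handling, and the most common reason key login "does not work" is that sshd's StrictModes (left at its default yes in the configuration above) rejects a ~/.ssh directory or authorized_keys file that is writable by group or others, then quietly falls back to the password prompt. The script below is an added example, not from the original post or from OpenSSH: it performs the install by hand on a throwaway home directory and reproduces that permission check. The public key line is a constructed placeholder, not a real key, and the check covers the write bits only (sshd additionally requires the paths to be owned by the user or root).

```shell
#!/bin/sh
# Added example (not from the original post or from OpenSSH): the server-side
# file handling that ssh-copy-id performs, done by hand, plus the permission
# check sshd's StrictModes applies before trusting authorized_keys.
# Assumptions: works on a home directory passed as an argument (a temp dir
# here, so nothing real is touched); the public key line is a constructed
# placeholder, not a real key; the check covers the write bits only (sshd also
# requires the paths to be owned by the user or root).

# Append one public key line to $home/.ssh/authorized_keys with the modes sshd
# expects (directory 700, file 600), skipping an exact duplicate.
#   $1 = home directory of the target user, $2 = public key line
install_pubkey() {
    dir=$1/.ssh; ak=$dir/authorized_keys
    [ -d "$dir" ] || mkdir -m 700 "$dir"
    [ -f "$ak" ]  || { : >"$ak"; chmod 600 "$ak"; }
    if grep -qxF -- "$2" "$ak"; then
        echo "already installed"
        return 0
    fi
    printf '%s\n' "$2" >>"$ak"
    echo "installed"
}

# Return 0 when an ls-style mode string ($1, e.g. "drwxr-xr-x") has neither the
# group-write (position 6) nor the other-write (position 9) bit set.
not_group_or_world_writable() {
    case $(printf '%s' "$1" | cut -c6) in w) return 1;; esac
    case $(printf '%s' "$1" | cut -c9) in w) return 1;; esac
    return 0
}

# StrictModes-style check on the home directory, ~/.ssh and authorized_keys.
# If any of them is group- or world-writable, sshd ignores the key file and the
# user silently gets the password prompt instead. Returns 0 when all pass.
#   $1 = home directory
strict_modes_ok() {
    rc=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then echo "MISSING $p"; rc=1; continue; fi
        mode=$(ls -ld "$p" | cut -c1-10)
        if not_group_or_world_writable "$mode"; then
            echo "OK   $mode $p"
        else
            echo "BAD  $mode $p   (group/world writable)"; rc=1
        fi
    done
    return $rc
}

# Demo on a throwaway home directory with a constructed (non-functional) key line.
HOME_DIR=$(mktemp -d)
KEY='ssh-ed25519 CONSTRUCTED_PLACEHOLDER_NOT_A_REAL_KEY wjx@localhost'
install_pubkey "$HOME_DIR" "$KEY"        # installed
install_pubkey "$HOME_DIR" "$KEY"        # already installed (idempotent)
strict_modes_ok "$HOME_DIR" && echo "-> sshd would accept the key"
chmod g+w "$HOME_DIR/.ssh"               # the classic mistake
strict_modes_ok "$HOME_DIR" || echo "-> sshd would fall back to password auth"
chmod g-w "$HOME_DIR/.ssh"
```

When a key login unexpectedly asks for a password, run strict_modes_ok against the real home directory on the server (or read /var/log/secure, where sshd logs the refused path) before touching the client side.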
Summary:
1. For safety, change passwords regularly.
2. Run sshd on a non-default port (this cuts scanner noise but is not a security control on its own).
3. Restrict the addresses clients may log in from (firewall rules, or USER@HOST patterns in AllowUsers).
4. Use a login whitelist (AllowUsers).
5. Use key-based authentication, then turn PasswordAuthentication and PermitRootLogin off.
6. Do not use protocol version 1.