新建用户
useradd nailsoul
为新用户添加登录公钥
# Work as the new user so everything under ~/.ssh is owned by nailsoul rather than root.
[root@instance-fgsqqzdg ~]# su nailsoul
# Creates a key pair for this user. The public key appended below may instead come from
# the client machine; the "..." there is a placeholder for one complete key line.
# ed25519 is the modern choice; RSA is acceptable when the key is at least 3072 bits.
[nailsoul@instance-fgsqqzdg root]$ ssh-keygen -t RSA
# ~/.ssh must be owned by the user and be mode 700: with StrictModes (sshd's default)
# a group/world-writable directory or file makes sshd refuse the keys in it.
[nailsoul@instance-fgsqqzdg root]$ cd ~/.ssh/
# If authorized_keys does not exist, create it and restrict it — the mode must be 600.
[nailsoul@instance-fgsqqzdg .ssh]$ touch authorized_keys
[nailsoul@instance-fgsqqzdg .ssh]$ chmod 600 authorized_keys
[nailsoul@instance-fgsqqzdg .ssh]$
# Every key in this file can log in as nailsoul, and through the sudoers rule configured
# later on this page become root without a password. Append only keys whose private
# half you control, and keep each key on a single line.
echo ssh-rsa ... nailsoul@vip.com >> authorized_keys
把 nailsoul 添加到 wheel（轮子）组，使其拥有执行 sudo -i 的权限；配置文件为 /etc/sudoers
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
# A leading "%" names a group, so this rule grants the *group* nailsoul (presumably the
# user-private group that useradd created — confirm with `id nailsoul`), not the wheel
# group the heading refers to, root via sudo with no password prompt. Anyone holding a
# key listed in authorized_keys therefore gets root with no second check; consider
# dropping NOPASSWD or narrowing ALL to the commands actually needed. Edit this file
# only with visudo, which syntax-checks before saving and prevents locking yourself
# out of sudo.
%nailsoul ALL=(ALL) NOPASSWD: ALL
ssh 禁止密码登录，配置文件为 /etc/ssh/sshd_config
# The default requires explicit activation of protocol 1
#Protocol 2
# Server-side protocol 1 support was removed in OpenSSH 7.4, so on current releases
# this line is harmless but obsolete.
Protocol 2
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Disables password logins. Before restarting sshd with this in place, confirm a
# key-based login for nailsoul from a *second* session, or the host becomes
# unreachable if the key was appended incorrectly. On PAM-based systems also set
# ChallengeResponseAuthentication no (KbdInteractiveAuthentication on newer releases),
# otherwise passwords may still be accepted via keyboard-interactive. PermitRootLogin no
# is the natural companion, since root access is now meant to go through nailsoul + sudo.
PasswordAuthentication no
#PubkeyAuthentication yes
PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
# The relative path is resolved under each user's home; the file and ~/.ssh must be
# user-owned and mode 600/700, or sshd rejects the keys (StrictModes).
AuthorizedKeysFile .ssh/authorized_keys
重启sshd服务 使sshd配置生效
# Check that the edited config parses before restarting — a syntax error would leave sshd
# down on a remote host: `sshd -t` exits non-zero and names the offending line. Keep this
# session open until a fresh key-based login has succeeded.
[root@instance-fgsqqzdg ~]# systemctl restart sshd.service
修改 ssh 端口为 8888，配置文件为 /etc/ssh/sshd_config
# Port 22
# Moving the port cuts log noise from mass scanners but is not access control; the
# authentication settings above are what actually protect the host. Allow 8888/tcp in
# firewalld (and in any cloud security group in front of the instance) before relying on
# it, otherwise new connections are refused. On SELinux-enforcing hosts sshd may be
# denied a non-standard port until it is labelled
# (`semanage port -a -t ssh_port_t -p tcp 8888`) — verify with the netstat check below.
Port 8888
重启sshd服务 使sshd配置生效
# Before the restart sshd (pid 1388) still listens on 22 on IPv4 and IPv6. The "master"
# process on 25 (likely the local MTA) is bound to loopback only, so it is not exposed.
[root@instance-fgsqqzdg ~]# netstat -nltp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1388/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1102/master
tcp6 0 0 :::22 :::* LISTEN 1388/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1102/master
[root@instance-fgsqqzdg ~]# systemctl restart sshd.service
# After the restart a new sshd process (pid 1614) listens on 8888 on both address
# families and nothing listens on 22 any more.
[root@instance-fgsqqzdg ~]# netstat -nltp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:8888 0.0.0.0:* LISTEN 1614/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1102/master
tcp6 0 0 :::8888 :::* LISTEN 1614/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1102/master
配置防火墙
# `start` only affects the running system; the `enable` at the end is what keeps the
# firewall active across reboots — do both, in this order.
[root@instance-fgsqqzdg ~]# systemctl start firewalld.service
# Note the "services:" line of the public zone below: the "ssh" service still admits
# 22/tcp. Once logins on 8888 are verified, close it with
#   firewall-cmd --zone=public --remove-service=ssh --permanent && firewall-cmd --reload
[root@instance-fgsqqzdg ~]# firewall-cmd --list-all-zones
...
public (default, active)
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
...
# --permanent writes the saved configuration only; the --reload that follows applies it
# to the running firewall, and --list-ports then reports the active runtime state.
[root@instance-fgsqqzdg ~]# firewall-cmd --zone=public --add-port=8888/tcp --permanent
success
[root@instance-fgsqqzdg ~]# firewall-cmd --reload
success
[root@instance-fgsqqzdg ~]# firewall-cmd --list-ports
8888/tcp
[root@instance-fgsqqzdg ~]# systemctl enable firewalld.service
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/basic.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.