linux菜鸟入门之openssh

版权声明:本文为博主原创文章,未经博主允许不得转载。 https://blog.csdn.net/Ghost_leader/article/details/52760250

远程登录的最初阶段

早期使用远程登录telnet,但telnet十分不安全。用户的认证过程是是明文的,整个过程是十分不安全的。


用 tcpdump -i eth0 -nnX port 23 命令,可以看到,自己的验证密码都是明文的,而ssh是安全shell。它的传输过程是加密的

[root@localhost 桌面]# tcpdump -i eth0 -nnX port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
20:53:44.425599 IP 192.168.1.117.61187 > 192.168.1.146.22: Flags [P.], seq 408682499:408682551, ack 2552214769, win 16370, length 52
	0x0000:  4500 005c 760d 4000 8006 0037 c0a8 0175  E..\v.@....7...u
	0x0010:  c0a8 0192 ef03 0016 185c 0003 981f b4f1  .........\......
	0x0020:  5018 3ff2 c8e7 0000 0000 0010 ecde 2a85  P.?...........*.
	0x0030:  2a86 026b b465 5f34 cdad f4e5 5eee d0a0  *..k.e_4....^...
	0x0040:  fda5 e386 d750 907d f4a5 aaf7 10cf 8e9a  .....P.}........
	0x0050:  abb4 1713 e4fb e6df 4a2b 22e9            ........J+".
20:53:44.425819 IP 192.168.1.146.22 > 192.168.1.117.61187: Flags [.], ack 52, win 251, length 0
	0x0000:  4510 0028 4f9e 4000 4006 66ca c0a8 0192  E..(O.@.@.f.....
	0x0010:  c0a8 0175 0016 ef03 981f b4f1 185c 0037  ...u.........\.7
	0x0020:  5010 00fb 8472 0000                      P....r..
20:53:44.429947 IP 192.168.1.146.22 > 192.168.1.117.61187: Flags [P.], seq 1:53, ack 52, win 251, length 52
	0x0000:  4510 005c 4f9f 4000 4006 6695 c0a8 0192  E..\O.@.@.f.....
	0x0010:  c0a8 0175 0016 ef03 981f b4f1 185c 0037  ...u.........\.7
	0x0020:  5018 00fb 84a6 0000 0000 0010 8ca5 885d  P..............]
	0x0030:  f16c 0740 3d0a 32ec 9831 215f bdac 5d24  .l.@=.2..1!_..]$
	0x0040:  6045 17a4 6164 4379 d9c3 f38b 352f 7140  `E..adCy....5/q@
	0x0050:  07b2 09a5 f211 8416 b5a0 23d4            ..........#.
20:53:44.506204 IP 192.168.1.117.61187 > 192.168.1.146.22: Flags [P.], seq 52:104, ack 53, win 16357, length 52
	0x0000:  4500 005c 760e 4000 8006 0036 c0a8 0175  E..\v.@....6...u
	0x0010:  c0a8 0192 ef03 0016 185c 0037 981f b525  .........\.7...%
	0x0020:  5018 3fe5 e3a3 0000 0000 0010 7944 b5ab  P.?.........yD..
	0x0030:  51d2 491c 4b8e 93df d7a8 5a4d ad23 e55a  Q.I.K.....ZM.#.Z
	0x0040:  3a1c e5f5 84f1 3674 b63a fa84 8561 e06a  :.....6t.:...a.j
	0x0050:  8074 0f30 e63c 980c 8d38 b7c9            .t.0.<...8..


ssh:(Secure Shell,tcp/22)

基于C/S 架构 。


openSSH开源ssh版本


客户端 :

linux:ssh

Windows:putty,SecrureCRT,Xshell

服务器端:

sshd

基于秘钥基于口令的2种登录方法。


在远程登录时,一般为了密码安全。不要直接以root用户登录,万一被抓包后暴力破解。


在centos中,ssh服务是由多个rpm包组成的。

[root@localhost ~]# rpm -qa |grep ssh
openssh-6.6.1p1-25.el7_2.x86_64
openssh-server-6.6.1p1-25.el7_2.x86_64
openssh-clients-6.6.1p1-25.el7_2.x86_64
libssh2-1.4.3-10.el7_2.1.x86_64

可以用netstat -tln 查看ssh需要的22端口是否开启


[root@localhost ~]# netstat -tln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN     
tcp6       0      0 :::80                   :::*                    LISTEN     
tcp6       0      0 :::22                   :::*                    LISTEN     
tcp6       0      0 :::23                   :::*                    LISTEN     
tcp6       0      0 ::1:631                 :::*                    LISTEN     
tcp6       0      0 ::1:25                  :::*                    LISTEN     

openssh的配置文件

/etc/ssh/

ssh(ssh_config) 是关于客户端的配置文件

ssh (sshd_config)是关于服务器端的配置文件


因为和安全相关,所以有些相关文件都是普通用户不可看的

[root@localhost ssh]# ll
total 276
-rw-r--r--. 1 root root     242153 Mar 22  2016 moduli
-rw-r--r--. 1 root root       2208 Mar 22  2016 ssh_config
-rw-------. 1 root root       4361 Mar 22  2016 sshd_config
-rw-r-----. 1 root ssh_keys    227 Sep 21 15:32 ssh_host_ecdsa_key
-rw-r--r--. 1 root root        162 Sep 21 15:32 ssh_host_ecdsa_key.pub
-rw-r-----. 1 root ssh_keys    387 Sep 21 15:32 ssh_host_ed25519_key
-rw-r--r--. 1 root root         82 Sep 21 15:32 ssh_host_ed25519_key.pub
-rw-r-----. 1 root ssh_keys   1679 Sep 21 15:32 ssh_host_rsa_key
-rw-r--r--. 1 root root        382 Sep 21 15:32 ssh_host_rsa_key.pub

跟服务器相关的配置文件。

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

#是注释,#加空格式纯注释,#没空格就是可以更改的参数


Port 改成其他,就可以以其他端口使用该服务

ListenAddress 可以启用只在某IP地址提供服务

<strong>KeyRegenerationInterval 1h</strong>  每一个小时更换一次秘钥
<pre name="code" class="plain">ServerKeyBits 1024    密码长度


48 #LoginGraceTime 2m                             ##登录的宽限时间
 49 #PermitRootLogin yes               <span style="white-space:pre">		</span>  ##是否允许root登录
 50 #StrictModes yes
 51 #MaxAuthTries 6<span style="white-space:pre">				</span>  ##最大允许密码输错几次<span style="white-space:pre">	</span>
 52 #MaxSessions 10
 53 
 54 #RSAAuthentication yes
 55 #PubkeyAuthentication yes
 56 
 57 # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
 58 # but this is overridden so installations will only check .ssh/authorized_keys
 59 AuthorizedKeysFile      .ssh/authorized_keys<span style="white-space:pre">	</span>##秘钥对生成后默认存放位置

<pre name="code" class="plain"> 79 PasswordAuthentication yes                 <span style="white-space:pre">		</span>##是否需要密码认证
 80 
 81 # Change to no to disable s/key passwords
 82 #ChallengeResponseAuthentication yes
 83 ChallengeResponseAuthentication no
 84 
 85 # Kerberos options
 86 #KerberosAuthentication no
 87 #KerberosOrLocalPasswd yes
 88 #KerberosTicketCleanup yes
 89 #KerberosGetAFSToken no
 


详细查询 man sshd_config 可以查询更多的详细信息。

     AllowUsers  登录白名单
     DenyUsers 登录黑名单



配置文件更改完成时一定需要

systemctl reload sshd


ssh 登录时不指定用户名时,默认是本主机的用户名。

ssh USER@IP_ADRESS 

ssh USER@IP_ADRESS 'CMD'    #直接执行命令而不登陆主机

ssh USER@IP_ADRESS -X          #远程登录可以执行窗口命令    -Y更安全


基于秘钥的认证。


1.生成一对秘钥

2.将公钥输至服务器某个用户家目录下的.ssh/authorized_keys文件中

使用 ssh-copy-id   ,scp

   scp -r 复制目录。


创建一对钥匙锁  ssh-keygen  -t  指定加密算法

-f 指定保存文件的路径

[root@localhost ssh]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? 



如果不指定选项的话  默认就是RSA2048位的算法

[wjx@localhost 桌面]$ ssh-keygen
Generating public/private rsa key pair.


Enter file in which to save the key (/home/wjx/.ssh/id_rsa): Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/wjx/.ssh/id_rsa.
Your public key has been saved in /home/wjx/.ssh/id_rsa.pub.
The key fingerprint is:
00:fb:85:4d:1d:e0:15:75:f6:30:54:3d:bd:f9:1e:65 wjx@localhost.localdomain
The key's randomart image is:
+--[ RSA 2048]----+
|    .   oo++..*.+|
|     o = ..  o =o|
|    . o +       =|
|     . o       oE|
|      . S      .o|
|               ..|
|               ..|
|                .|
|                 |
+-----------------+
将公钥加密莫个用户

[wjx@localhost 桌面]$ ssh-copy-id -i ~/.ssh/id_rsa.pub root@192.168.1.146
The authenticity of host '192.168.1.146 (192.168.1.146)' can't be established.
ECDSA key fingerprint is f4:7b:49:a0:d0:c9:e0:27:07:49:9d:5c:24:78:c9:b3.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.1.146's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@192.168.1.146'"
and check to make sure that only the key(s) you wanted were added.

加密成功,只需要将私钥发给客户端就可以了



总结:

1,为了安全,密码要长期更换

2,为了安全,要使用非默认端口

3,限制登录客户的地址

4,使用登录白名单

5,使用基于秘钥的

6,不使用协议版本1





展开阅读全文

没有更多推荐了,返回首页