Installing and Configuring OpenSSH on Linux
What is OpenSSH?
OpenSSH is a free, open-source implementation of the SSH (Secure Shell) protocol. The SSH protocol family can be used for remote control, or for transferring files between computers. The traditional tools for these tasks, such as telnet (terminal emulation protocol), rcp, ftp, rlogin and rsh, are extremely insecure and send passwords in clear text. OpenSSH provides a server daemon and client tools that encrypt the data exchanged during remote control and file transfer, and so replaces those older services.
Secure Shell (SSH) is an encrypted network protocol that provides a secure transport for network services over an untrusted network. SSH establishes the connection between an SSH client and server by creating a secure tunnel across the network. Although any network service can be secured with SSH, its most common use is remote login: people typically use SSH to carry a command-line interface and to execute commands remotely. It is used most on Unix-like systems, but Windows can also use SSH to a limited extent. In 2015 Microsoft announced that it would provide native SSH support in future versions of its operating system.
Deploying OpenSSH
The lab uses two virtual machines:
| Server | IP address |
|---|---|
| Primary server (ssh01) | 20.0.0.100 |
| Secondary server (ssh02) | 20.0.0.200 |
Using the wheel group to fix the root-access weakness
First disable root's SSH login on the server. Logging in from the client with an ordinary user account then shows the remaining weakness: anyone who knows the root password can still switch to root at will.
---------------------------------------- Primary server: ssh01 ----------------------------------------
[root@localhost ~]# systemctl stop firewalld.service && setenforce 0
[root@localhost ~]# hostnamectl set-hostname ssh01
[root@localhost ~]# su
[root@ssh01 ~]# vim /etc/ssh/sshd_config
## location of the sshd configuration file
PermitRootLogin no
## after this change the client can no longer log in as root over SSH
[root@ssh01 ~]# rpm -qa | grep open
## installed packages; openssh, openssh-server and openssh-clients are the relevant ones
java-1.8.0-openjdk-headless-1.8.0.131-11.b12.el7.x86_64
openssl-1.0.2k-8.el7.x86_64
openjpeg-libs-1.5.1-17.el7.x86_64
open-vm-tools-10.1.5-3.el7.x86_64
openssl-libs-1.0.2k-8.el7.x86_64
open-sans-fonts-1.10-1.el7.noarch
xmlsec1-openssl-1.2.20-5.el7.x86_64
openssh-clients-7.4p1-11.el7.x86_64
openssh-server-7.4p1-11.el7.x86_64
openldap-2.4.44-5.el7.x86_64
java-1.7.0-openjdk-headless-1.7.0.141-2.6.10.5.el7.x86_64
opencc-0.4.3-3.el7.x86_64
java-1.7.0-openjdk-1.7.0.141-2.6.10.5.el7.x86_64
openssh-7.4p1-11.el7.x86_64
open-vm-tools-desktop-10.1.5-3.el7.x86_64
java-1.8.0-openjdk-1.8.0.131-11.b12.el7.x86_64
[root@ssh01 ~]# vim /etc/ssh/sshd_config
## only zhangsan is allowed to log in over SSH
AllowUsers zhangsan
[root@ssh01 ~]# service sshd restart
## sshd must be restarted after every change to its configuration file
Redirecting to /bin/systemctl restart sshd.service
---------------------------------------- Secondary server: ssh02 ----------------------------------------
[root@localhost ~]# systemctl stop firewalld.service && setenforce 0
[root@localhost ~]# hostnamectl set-hostname ssh02
[root@localhost ~]# su
[root@ssh02 ~]# ssh zhangsan@20.0.0.100
zhangsan@20.0.0.100's password:
[zhangsan@ssh01 ~]$ su - root
密码:
上一次登录:五 4月 14 21:42:56 CST 2023pts/0 上
[root@ssh01 ~]# exit
登出
Add the users who need it to the wheel group (privilege escalation): members of the group may switch to root, users who are not in the group cannot.
---------------------------------------- Primary server: ssh01 ----------------------------------------
[root@ssh01 ~]# vim /etc/ssh/sshd_config
## add lisi to the AllowUsers whitelist
AllowUsers zhangsan lisi
[root@ssh01 ~]# useradd lisi
[root@ssh01 ~]# echo "123123" | passwd --stdin lisi
更改用户 lisi 的密码 。
passwd:所有的身份验证令牌已经成功更新。
[root@ssh01 ~]# gpasswd -a zhangsan wheel
正在将用户“zhangsan ”加入到“wheel”组中
[root@ssh01 ~]# vim /etc/pam.d/su
## uncomment this line so that only wheel members may su to root
auth required pam_wheel.so use_uid
[root@ssh01 ~]# service sshd restart
## sshd must be restarted after every change to its configuration file
Redirecting to /bin/systemctl restart sshd.service
---------------------------------------- Secondary server: ssh02 ----------------------------------------
[root@ssh02 ~]# ssh lisi@20.0.0.100
lisi@20.0.0.100's password:
[lisi@ssh01 ~]$ su - root
密码:
su: 拒绝权限
## lisi is not in the wheel group, so switching to root is denied
Enabling password authentication and key-pair authentication (the server verifies that the client's private key corresponds to the public key it holds)
Adding the client key
---------------------------------------- Primary server: ssh01 ----------------------------------------
[root@ssh01 ~]# vim /etc/ssh/sshd_config
## enable public-key authentication
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
[root@ssh01 ~]# service sshd restart
## sshd must be restarted after every change to its configuration file
Redirecting to /bin/systemctl restart sshd.service
---------------------------------------- Secondary server: ssh02 ----------------------------------------
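An added check, not part of the original walkthrough, written in Python: it parses an sshd_config and an /etc/pam.d/su file and reports whether the settings made above on ssh01 (PermitRootLogin, AllowUsers, PubkeyAuthentication, AuthorizedKeysFile, pam_wheel) are actually in effect. The configuration text it reads is constructed by the caller; Match blocks are deliberately not evaluated.

```python
import re

# Settings the walkthrough sets on ssh01 (constructed checklist, not a file from the page).
EXPECTED = {
    "permitrootlogin": "no",
    "pubkeyauthentication": "yes",
    "authorizedkeysfile": ".ssh/authorized_keys",
}

def parse_sshd_config(text):
    """Return {keyword (lowercased): value} for active lines. sshd keeps the FIRST
    value it sees for a keyword, and settings after a Match block apply only
    conditionally, so parsing stops at the first Match line."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings

def audit_sshd_config(text, allowed_users):
    """Return a list of findings; an empty list means the config matches the walkthrough."""
    s = parse_sshd_config(text)
    findings = []
    for key, want in EXPECTED.items():
        got = s.get(key)
        if got is None or got.lower() != want:
            findings.append(f"{key}: expected '{want}', found {got!r}")
    users = set(s.get("allowusers", "").split())
    if not users:
        findings.append("allowusers: not set, so every local account may log in")
    elif users != set(allowed_users):
        findings.append(f"allowusers: expected {sorted(allowed_users)}, found {sorted(users)}")
    return findings

def pam_wheel_enforced(pam_su_text):
    """True if /etc/pam.d/su has an active (uncommented) 'auth required pam_wheel.so' line."""
    for raw in pam_su_text.splitlines():
        f = raw.split()
        if len(f) >= 3 and f[0] == "auth" and f[1] == "required" and f[2] == "pam_wheel.so":
            return True
    return False
```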
[root@ssh02 ~]# useradd wangwu
[root@ssh02 ~]# echo "123123" | passwd --stdin wangwu
更改用户 wangwu 的密码 。
passwd:所有的身份验证令牌已经成功更新。
[root@ssh02 ~]# su - wangwu
上一次登录:五 4月 14 23:32:47 CST 2023pts/0 上
[wangwu@ssh02 ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/wangwu/.ssh/id_rsa):
Created directory '/home/wangwu/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/wangwu/.ssh/id_rsa.
Your public key has been saved in /home/wangwu/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:RO6d68O0RL/JVfcOQcp+mE0fwQL1NZcPXx4kcLIa3yw wangwu@ssh02
The key's randomart image is:
+---[RSA 2048]----+
| . +++oo+|
| o +.===|
| o. o o.==|
| o .=.= o.*|
| SooE B ++|
| o.* = o|
| +.o = o |
| .+ + .|
| .. |
+----[SHA256]-----+
[wangwu@ssh02 ~]$ ls -a /home/wangwu
. .. .bash_logout .bash_profile .bashrc .cache .config .mozilla .ssh
[wangwu@ssh02 ~]$ cd /home/wangwu/.ssh
[wangwu@ssh02 .ssh]$ ls
id_rsa id_rsa.pub
[wangwu@ssh02 .ssh]$ ssh-copy-id -i id_rsa.pub zhangsan@20.0.0.100
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "id_rsa.pub"
The authenticity of host '20.0.0.100 (20.0.0.100)' can't be established.
ECDSA key fingerprint is SHA256:dyAr//+vuQ6Mp56OWAgl5Zvhv9coKboIyQAL8kOyC1M.
ECDSA key fingerprint is MD5:a8:89:86:cd:86:fa:5c:8e:4c:dc:f3:49:cd:5c:bb:94.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
zhangsan@20.0.0.100's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'zhangsan@20.0.0.100'"
and check to make sure that only the key(s) you wanted were added.
Verifying the key and logging in with it
---------------------------------------- Primary server: ssh01 ----------------------------------------
[root@ssh01 ~]# su - zhangsan
上一次登录:五 4月 14 23:21:52 CST 2023从 20.0.0.200pts/1 上
[zhangsan@ssh01 ~]$ cd /home/zhangsan
[zhangsan@ssh01 ~]$ ls -a
. .. .bash_history .bash_logout .bash_profile .bashrc .cache .config .mozilla .ssh
[zhangsan@ssh01 ~]$ cd .ssh/
[zhangsan@ssh01 .ssh]$ ls
authorized_keys
[zhangsan@ssh01 .ssh]$ cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5KmFuZNdyyF6EVIyHo8lbwKJ8fYJP0aU+xoEgzqFdimAnZVRYmrOXXoXtVe5rZFGZvScXmEpMxZevlUbuJfdSjBcfnfwkTBSTabHCVoAFyaiMSM7DjFgmRLcP7giQlBzjj0qkizkbGOiMZiGYvzfg4UrBJmm5hOEQTcLsXMwR8Imy377P2GX3BBLvu4OgKdJGopRG60uPinYRSebQvGMIAW/ACnGHsz/OqNieAPXJ8tORNPDdBMg9HGDYEd4vvNYNTZB+zLGJNYJGX/1oEtD8Dnm79zV611eoBKc87PH/d84zrs+3ByxoDsX0lOhgjyxEpDl2FpSCyL0K/434Lrvf wangwu@ssh02
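An added example, not from the original post: a small Python parser that reads the authorized_keys entry shown above, checks that the declared key type matches the type embedded in the key blob, and computes the OpenSSH SHA256 fingerprint so it can be compared with the fingerprint ssh-keygen printed on ssh02. Option-prefixed entries (from=..., command=...) are not handled, since the walkthrough uses plain entries only.

```python
import base64
import hashlib

# Entry copied from the walkthrough's authorized_keys on ssh01 (page value, not constructed).
AUTHORIZED_KEYS = (
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5KmFuZNdyyF6EVIyHo8lbwKJ8fYJP0aU+xoEgzqFdimAnZVRYmrOXXoXtVe5rZFGZvScXmEpMxZevlUbuJfdSjBcfnfwkTBSTabHCVoAFyaiMSM7DjFgmRLcP7giQlBzjj0qkizkbGOiMZiGYvzfg4UrBJmm5hOEQTcLsXMwR8Imy377P2GX3BBLvu4OgKdJGopRG60uPinYRSebQvGMIAW/ACnGHsz/OqNieAPXJ8tORNPDdBMg9HGDYEd4vvNYNTZB+zLGJNYJGX/1oEtD8Dnm79zV611eoBKc87PH/d84zrs+3ByxoDsX0lOhgjyxEpDl2FpSCyL0K/434Lrvf wangwu@ssh02\n"
)

def blob_fields(blob):
    """Split an SSH wire-format key blob into its length-prefixed fields (RFC 4253 strings).
    For ssh-rsa the fields are: key type, public exponent e, modulus n."""
    fields, off = [], 0
    while off + 4 <= len(blob):
        n = int.from_bytes(blob[off:off + 4], "big")
        fields.append(blob[off + 4:off + 4 + n])
        off += 4 + n
    return fields

def fingerprint(blob):
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(blob)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def parse_authorized_keys(text):
    """Return [(keytype, fingerprint, comment)] for each well-formed line. Lines are
    skipped if the base64 is invalid or the declared type differs from the embedded one."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue
        keytype, b64 = parts[0], parts[1]
        comment = parts[2] if len(parts) == 3 else ""
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:
            continue
        fields = blob_fields(blob)
        if not fields or fields[0] != keytype.encode():
            continue
        entries.append((keytype, fingerprint(blob), comment))
    return entries

if __name__ == "__main__":
    for keytype, fp, comment in parse_authorized_keys(AUTHORIZED_KEYS):
        print(keytype, fp, comment)  # compare fp with the SHA256 line ssh-keygen printed on ssh02
```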
---------------------------------------- Secondary server: ssh02 ----------------------------------------
[wangwu@ssh02 .ssh]$ ssh zhangsan@20.0.0.100
Enter passphrase for key '/home/wangwu/.ssh/id_rsa':
Last login: Fri Apr 14 23:43:36 2023
[zhangsan@ssh01 ~]$ exit
登出
Connection to 20.0.0.100 closed.
Setting up ssh-agent on the client machine so that the passphrase does not have to be entered on every login (note: this is less secure)
[wangwu@ssh02 .ssh]$ ssh-agent bash
[wangwu@ssh02 .ssh]$ ssh-add
Enter passphrase for /home/wangwu/.ssh/id_rsa:
Identity added: /home/wangwu/.ssh/id_rsa (/home/wangwu/.ssh/id_rsa)
[wangwu@ssh02 .ssh]$ ssh zhangsan@20.0.0.100
Last login: Fri Apr 14 23:47:08 2023 from 20.0.0.200
[zhangsan@ssh01 ~]$