Preface
Servers often have no monitor attached, and it is not practical to manage them from the console every time, so remote login is needed. You can log in to a server remotely with Telnet or ssh. With Telnet, however, the entire session is transmitted in plaintext, which is insecure. It is therefore recommended to log in with ssh, because ssh encrypts the data for the whole connection.
1. Basic usage of ssh:
ssh hostname/IP
If no user is specified here, the connection is made as the current user. The first time you connect to a server remotely, the server's public key fingerprint is recorded.
[root@RHEL8 ~]# ssh 192.168.103.15
The authenticity of host '192.168.103.15 (192.168.103.15)' can't be established.
ECDSA key fingerprint is SHA256:l7c8I7iKMwQMIr93fDjQLIewAdD1twFhSTN/5DOjjP0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.103.15' (ECDSA) to the list of known hosts.
root@192.168.103.15's password:
Permission denied, please try again.
root@192.168.103.15's password:
Permission denied, please try again.
root@192.168.103.15's password:
root@192.168.103.15: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
If you type no, the connection is terminated. If you type yes, the fingerprint is saved in the .ssh/known_hosts file under the current user's home directory.
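The fingerprint in that prompt is only useful if it is compared with the server's real host key (on the server, /etc/ssh/ssh_host_ecdsa_key.pub for the ECDSA key above, read over the console or another trusted channel). As an added example that is not part of the original tutorial, this POSIX shell script computes the same SHA256 fingerprint from a public key line without ssh-keygen; the key line it uses is a constructed sample, not a real key, and the script assumes GNU base64 and sha256sum.

```shell
# Added example: recompute the "SHA256:..." fingerprint ssh shows at first
# connection from a public key line, then compare it with the prompt value.
# Assumes POSIX sh with awk, GNU base64 and sha256sum (no xxd/openssl needed).

# hex_to_bin: hex digits on stdin -> raw bytes on stdout, via printf octal escapes
hex_to_bin() {
    fmt=$(awk 'BEGIN { h = "0123456789abcdef" }
        { s = tolower($0)
          for (i = 1; i < length(s); i += 2)
            printf "\\%03o", (index(h, substr(s, i, 1)) - 1) * 16 + index(h, substr(s, i + 1, 1)) - 1 }')
    printf "$fmt"
}

# ssh_fingerprint "KEYTYPE BASE64BLOB [comment]"
# OpenSSH's SHA256 fingerprint is base64(SHA256(raw key blob)) with the '='
# padding removed, which is what "ssh-keygen -lf FILE" prints.
ssh_fingerprint() {
    blob=$(printf '%s\n' "$1" | awk '{ print $2; exit }')
    [ -n "$blob" ] || return 1
    printf '%s' "$blob" | base64 -d >/dev/null 2>&1 || return 1   # reject malformed base64
    hex=$(printf '%s' "$blob" | base64 -d | sha256sum | cut -d' ' -f1)
    printf 'SHA256:%s\n' "$(printf '%s' "$hex" | hex_to_bin | base64 | tr -d '\n=')"
}

# verify_host_fingerprint PROMPT_FP HOSTKEY_LINE: exit 0 only if they match
verify_host_fingerprint() {
    computed=$(ssh_fingerprint "$2") || return 2
    [ "$computed" = "$1" ]
}

# Constructed sample key line (not a real key: the blob is just base64 text)
SAMPLE_KEY="ecdsa-sha2-nistp256 $(printf 'constructed sample blob, not a real key' | base64) demo@RHEL812"
FP=$(ssh_fingerprint "$SAMPLE_KEY")
echo "fingerprint: $FP"
if verify_host_fingerprint "$FP" "$SAMPLE_KEY"; then echo "match: safe to answer yes"; else echo "MISMATCH: do not answer yes"; fi
```

On a real server, `ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub` prints the value to compare against; the function above gives the same result for the same key line.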
1.1 Basic usage of ssh (2)
ssh username@hostname/IP
Now log in as the bdqn user.
[root@RHEL8 ~]# ssh bdqn@192.168.103.15
bdqn@192.168.103.15's password:
Activate the web console with: systemctl enable --now cockpit.socket
This system is not registered to Red Hat Insights. See https://cloud.redhat.com/
To register this system, run: insights-client --register
Last login: Thu Nov 30 22:05:21 2023 from 192.168.103.14
[bdqn@RHEL812 ~]$
As you can see, the login succeeded this time; just type the exit command to log out.
[bdqn@RHEL812 ~]$ exit
注销
Connection to 192.168.103.15 closed.
[root@RHEL8 ~]#
2. Passwordless ssh login
2.1 Password authentication
Earlier, connecting to RHEL812 with the bdqn account used the following command:
[root@RHEL8 ~]# ssh bdqn@192.168.103.15
bdqn@192.168.103.15's password:
A password has to be entered here before the login succeeds; this is password authentication.
2.2 Key authentication
With key authentication set up, a remote login needs no password at all. Here the user lduan on RHEL8 is going to connect to RHEL812 as bdqn without a password. For ease of description, the lduan user on RHEL8 is referred to as bdqn@RHEL8, and the user on RHEL812 as bdqn@RHEL812. bdqn@RHEL8 needs to generate a key pair; the command is as follows.
[bdqn@RHEL8 ~]$ ssh-keygen -f ~/.ssh/id_rsa -N ""
Generating public/private rsa key pair.
Created directory '/home/bdqn/.ssh'.
Your identification has been saved in /home/bdqn/.ssh/id_rsa.
Your public key has been saved in /home/bdqn/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:U/flBPqDDmZGPSd0QVHJ1M4RYac6RArKvqYeKxLkPvI bdqn@RHEL8
The key's randomart image is:
+---[RSA 3072]----+
| . o.OOB|
| . . . = o.*o|
| o + B oo+|
| . . o o O +o|
|o . S = + + .|
|.. . = o . . |
|.. . o . |
|oo. = |
|.oEo+ |
+----[SHA256]-----+
[bdqn@RHEL8 ~]$
This command generates a key pair (a private key and a public key). -f specifies the path and name of the generated private key; if it is omitted, this path is the default anyway. The empty double quotes after -N (no space between them) mean the generated private key is not encrypted, i.e. it has no passphrase.
bdqn now has its own key pair, stored in the .ssh directory of its home directory, as shown by the following command.
[bdqn@RHEL8 ~]$ ls .ssh/
id_rsa id_rsa.pub
[bdqn@RHEL8 ~]$
Here id_rsa is the private key and id_rsa.pub is the public key.
Next, use ssh-copy-id to store the public key in the .ssh/authorized_keys file in the home directory of bdqn@192.168.103.15; if the file does not exist, it is created automatically when the key is copied. The command is as follows.
[root@RHEL812 ~]# ls .ssh
ls: 无法访问'.ssh': 没有那个文件或目录
[root@RHEL812 ~]#
Now run ssh-copy-id to copy the key; the command is as follows.
[bdqn@RHEL8 ~]$ ssh-copy-id bdqn@192.168.103.15
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/bdqn/.ssh/id_rsa.pub"
The authenticity of host '192.168.103.15 (192.168.103.15)' can't be established.
ECDSA key fingerprint is SHA256:l7c8I7iKMwQMIr93fDjQLIewAdD1twFhSTN/5DOjjP0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
bdqn@192.168.103.15's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'bdqn@192.168.103.15'"
and check to make sure that only the key(s) you wanted were added.
[bdqn@RHEL8 ~]$
The public key of bdqn is now stored in the .ssh/authorized_keys file in the home directory of bdqn@RHEL812.
[bdqn@RHEL812 ~]$ cat .ssh/authorized_keys
ssh-rsa … bdqn@RHEL8
ssh-rsa … root@RHEL8
[bdqn@RHEL812 ~]$
A comparison shows that the content of this file is exactly the public key of bdqn@RHEL8.
Now test a remote login; the command is as follows.
[bdqn@RHEL8 ~]$ ssh bdqn@192.168.103.15
Activate the web console with: systemctl enable --now cockpit.socket
This system is not registered to Red Hat Insights. See https://cloud.redhat.com/
To register this system, run: insights-client --register
Last login: Thu Nov 30 23:05:43 2023 from 192.168.103.1
[bdqn@RHEL812 ~]$
As you can see, the bdqn account no longer needs a password to log in; this is key authentication.
3. SSH security settings
As discussed earlier, ssh has two authentication methods: password authentication and key authentication. bdqn@RHEL8 logging in to bdqn@RHEL812 uses key authentication, while other users still log in with a password. Is it possible to allow only one of the two methods? Yes, it is.
3.1 Disabling key login
On RHEL812, as root, edit /etc/ssh/sshd_config, find PubkeyAuthentication, and change it as follows: replace #PubkeyAuthentication yes with PubkeyAuthentication no (note that the leading comment character # is removed). This disables key login. Save, exit, and restart sshd; the commands are as follows.
[root@RHEL812 ~]# vim /etc/ssh/sshd_config
[root@RHEL812 ~]# systemctl restart sshd
Key login is now disabled and only password login works. Test from RHEL8 with the following command.
[bdqn@RHEL812 ~]$ ssh bdqn@192.168.103.15
The authenticity of host '192.168.103.15 (192.168.103.15)' can't be established.
ECDSA key fingerprint is SHA256:l7c8I7iKMwQMIr93fDjQLIewAdD1twFhSTN/5DOjjP0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.103.15' (ECDSA) to the list of known hosts.
bdqn@192.168.103.15's password:
Activate the web console with: systemctl enable --now cockpit.socket
This system is not registered to Red Hat Insights. See https://cloud.redhat.com/
To register this system, run: insights-client --register
Last login: Thu Nov 30 23:07:58 2023 from 192.168.103.14
[bdqn@RHEL812 ~]$
Only password login works here; the key configured earlier no longer takes effect.
Now re-enable key login: change PubkeyAuthentication no back to PubkeyAuthentication yes and restart sshd; the commands are as follows.
[root@RHEL812 ~]# vim /etc/ssh/sshd_config
[root@RHEL812 ~]# systemctl restart sshd
[root@RHEL812 ~]#
3.2 Disabling password login
On RHEL812, as root, edit /etc/ssh/sshd_config, find PasswordAuthentication, and change it as follows: replace PasswordAuthentication yes with PasswordAuthentication no. This disables password login. Save, exit, and restart sshd; the commands are as follows.
[root@RHEL812 ~]# vim /etc/ssh/sshd_config
[root@RHEL812 ~]# systemctl restart sshd
[root@RHEL812 ~]#
Now only key login is allowed; password login is not.
For convenient testing, create a new user bob on RHEL812 with the password haha001; the commands are as follows.
[root@RHEL812 ~]# useradd bob
[root@RHEL812 ~]# echo haha001 | passwd --stdin bob
更改用户 bob 的密码 。
passwd:所有的身份验证令牌已经成功更新。
[root@RHEL812 ~]#
Verify on RHEL8: first connect as bdqn.
[bdqn@RHEL8 ~]$ ssh bdqn@192.168.103.15
Activate the web console with: systemctl enable --now cockpit.socket
This system is not registered to Red Hat Insights. See https://cloud.redhat.com/
To register this system, run: insights-client --register
Last login: Fri Dec 1 01:26:43 2023 from 192.168.103.1
[bdqn@RHEL812 ~]$
As you can see, logging in to 192.168.103.15 as bdqn works without a password.
Then log in as bob; the command is as follows.
[bdqn@RHEL812 ~]$ ssh bob@192.168.103.15
bob@192.168.103.15: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
[bdqn@RHEL812 ~]$
Because passwordless login to RHEL812 was never set up for bob, bob can only use password login, and password login is disabled, so bob's login fails.
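The two edits in 3.1 and 3.2 are easy to get wrong by hand: sshd takes the first uncommented value of a keyword, a line that still starts with # only documents the default, and turning off both PubkeyAuthentication and PasswordAuthentication at once locks every remote user out. As an added example that is not part of the original tutorial, this POSIX shell script reads and changes sshd_config keywords the way sshd interprets them and refuses the lockout combination; the config it works on is a constructed sample resembling the stock RHEL 8 defaults, not the real file.

```shell
# Added example: sshd_config helpers (assumes POSIX sh with awk, tr, mktemp).
lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# sshd_effective FILE KEYWORD DEFAULT
# sshd uses the FIRST uncommented value of a keyword (case-insensitive);
# "#Keyword value" lines are ignored (they only show the built-in default).
# Lines after a Match block apply only inside that block, so stop there.
sshd_effective() {
    v=$(awk -v key="$(lc "$2")" '
        $1 !~ /^#/ && tolower($1) == "match" { exit }
        $1 !~ /^#/ && tolower($1) == key { print $2; exit }' "$1")
    printf '%s\n' "${v:-$3}"
}

# sshd_set FILE KEYWORD VALUE OUTFILE
# Write a copy of FILE with KEYWORD set to VALUE. The first line carrying the
# keyword, commented or not, is replaced (so "#PubkeyAuthentication yes" becomes
# "PubkeyAuthentication no", the 3.1 edit); if none exists before the first
# Match block, the line is inserted there or appended at the end.
sshd_set() {
    awk -v key="$(lc "$2")" -v kw="$2" -v val="$3" '
        { line = $0; sub(/^[ \t]*#?[ \t]*/, "", line); split(line, f, /[ \t]+/) }
        !done && tolower($1) == "match" { print kw " " val; done = 1 }
        !done && tolower(f[1]) == key { print kw " " val; done = 1; next }
        { print }
        END { if (!done) print kw " " val }' "$1" > "$4"
}

# sshd_check FILE: fail if both authentication methods end up disabled.
# On the real server also run "sshd -t" as root before "systemctl restart sshd":
# a syntax error stops sshd from starting and you lose remote access too.
sshd_check() {
    pw=$(sshd_effective "$1" PasswordAuthentication yes)
    pk=$(sshd_effective "$1" PubkeyAuthentication yes)
    if [ "$pw" = no ] && [ "$pk" = no ]; then
        echo "refusing: PasswordAuthentication and PubkeyAuthentication are both no" >&2
        return 1
    fi
}

# Constructed sample resembling the stock RHEL 8 defaults (not the real file)
CFG=$(mktemp)
cat > "$CFG" <<'EOF'
#PubkeyAuthentication yes
PasswordAuthentication yes
EOF
HARDENED=$(mktemp)
sshd_set "$CFG" PubkeyAuthentication no "$HARDENED"    # the 3.1 change
printf 'PubkeyAuthentication is now: %s\n' "$(sshd_effective "$HARDENED" PubkeyAuthentication yes)"
sshd_check "$HARDENED" && echo "password login still possible, safe to restart sshd"
```

Applying the 3.2 change on top of the 3.1 copy (both keywords no) makes sshd_check fail, which is exactly the state that would lock out every user who, like bob, has no key installed.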