##### 1.sshd简介#####
sshd = secure shell
可以通过网络在主机中开机shell的服务
客户端软件:sshd
连接方式:
ssh username@ip ##文本模式连接
ssh username@ip -X ##可以在连接成功后开机图形
注意:
第一次连接陌生主机使要建立认证文件
所以会询问是否建立,需要输入yes
再次连接此主机时,因为已经成成~/.ssh/know_hosts文件所以不需要再次询问
远程复制:
scp filename root@ip:dir ##上传
scp root@ip:filename dir ##下载
##### 2.sshd的key认证 #####
1.生成认证KEY
[kiosk@foundation36 Desktop]$ ssh-keygen ##生成密钥
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kiosk/.ssh/id_rsa): ##指定保存加密字符的文件(默认)
Enter passphrase (empty for no passphrase): ##设定密码
Enter same passphrase again: ##确认密码
Your identification has been saved in /home/kiosk/.ssh/id_rsa. ##私钥(钥匙)
Your public key has been saved in /home/kiosk/.ssh/id_rsa.pub ##公钥(锁)
The key fingerprint is:
48:61:8c:86:96:31:a3:e2:39:49:b5:72:0f:fd:ea:3d kiosk@foundation36.ilt.example.com
The key's randomart image is:
+--[ RSA 2048]----+
| += oo |
| .=o=... |
|o+ = .. |
|+ = o... |
| = ...S |
| . . |
| . |
| . .E |
| . .. |
+-----------------+
^ 在服务端(被访问)生成“锁”
2.加密sshd服务
[kiosk@foundation36 .ssh]$ ls
id_rsa id_rsa.pub
[kiosk@foundation36 .ssh]$ ssh-copy-id -i id_rsa 172.25.254.36 ##加密本机 ^
被加密主机的id
The authenticity of host '172.25.254.36 (172.25.254.36)' can't be established.
ECDSA key fingerprint is d1:52:c9:7e:bc:23:e4:c7:86:3b:2b:16:9c:2b:cc:a2.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
kiosk@172.25.254.36's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '172.25.254.36'"
and check to make sure that only the key(s) you wanted were added.
[kiosk@foundation36 .ssh]$ ls
authorized_keys id_rsa id_rsa.pub known_hosts
^
此文件说明加密成功
3.分发钥匙
scp /root/.ssh/ root@172.25.254.236:/root/.ssh/
4.测试
##### 3.sshd的安全设定 #####
vim /etc/ssh/sshd_config
78 PasswordAuthentication yes|no ##是否允许用户通过登陆系统的密码做sshd的认证
48 PermitRootLogin yes|no ##是否允许root用户通过sshd服务的认证
52 Allowusers student westos ##设定用户白名单,白名单出现默认不在名单中的用户不能使用sshd
53 Denyusers westos ##设定用户黑名单,黑名单出现默认不在名单中的用户可以使用sshd
注意:黑白名单设置的用户是“本机哪些用户可以/不可以被连接”,
与客户端用什么用户身份访问无关
##### 4.sshd登陆信息 #####
vim /etc/motd ##文件内容就是登陆后显示的信息
##### 5.登陆审计 #####
查看使用当前系统的用户:
1.w ##查看正在使用当前系统的用户
-f ##查看使用来源
-i ##显示IP
数据存储文件:/var/run/utmp
2.last ##查看使用过并退出的用户信息
数据存储文件:/var/log/wtmp
3.lastb ##试图登陆但没有成功的用户
数据存储文件:/var/log/btmp
设置登陆权限:
/etc/hosts.deny ##登陆黑名单
/etc/hosts.allow ##登陆白名单