Securing sshd remote connections: configuration and key-based authentication

openssh

1. When a host has the openssh service enabled, it exposes a remote-login interface to the network.
openssh server side: sshd
openssh client side: ssh

2. Connecting to sshd from the client

ssh  server-user@server-ip

[kiosk@foundation64 Desktop]$ ssh root@172.25.254.132
root@172.25.254.132's password:
Last login: Mon Apr  9 11:53:33 2018 from 172.25.254.64
Running exit closes the connection to the server:
[root@localhost ~]# exit
登出
Connection to 172.25.254.132 closed.

3. ssh server-user@server-ip -X
Enables the remote host's graphical (X11) programs to be displayed locally.

4. Adding a new authentication method to the ssh service: key authentication

 1. Generate the "lock" and "key" (the key pair) on the server

[root@localhost ~]# ssh-keygen         #command that generates the key pair
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
#location of the private key
Your public key has been saved in /root/.ssh/id_rsa.pub.
#location of the public key
The key fingerprint is:
b1:76:d4:25:29:e3:74:89:23:3e:38:62:1d:b5:45:a6 root@localhost
The key's randomart image is:
+--[ RSA 2048]----+
|       ...+..o.  |
|      . .=*.+o   |
|     . +E+.=.    |
|    o + o+.      |
|   . . .S..      |
|       . .       |
|                 |
|                 |
|                 |
+-----------------+

Press Enter at every prompt to keep the default file name (and an empty passphrase).

2. Enable key authentication for the ssh user

   On the server:
   ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.25.254.132
   ssh-copy-id                #command that installs the public key
    -i                        #specify the key file
   /root/.ssh/id_rsa.pub      #the public key
   root                       #user the key is authorized for
   172.25.254.132             #host IP


3. Verify on the client

   #transfer the private key to the client
 scp /root/.ssh/id_rsa   root@172.25.254.232:/root/.ssh/
   #the client can now connect to the server without a password

 4. Delete the key on the client

  rm -fr /root/.ssh/authorized_keys
  #from now on, a password is required again to connect to the server host remotely
  #when passwordless login is wanted again:
  cp /root/.ssh/id_rsa.pub /root/.ssh/authorized_keys

  #because the content of authorized_keys is the same as id_rsa.pub
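The steps above boil down to getting one public-key line into /root/.ssh/authorized_keys with permissions sshd will accept (in the usual arrangement the pair is generated on the client and only id_rsa.pub crosses the network; the private key never needs to be copied). The following script is an added example, not part of the original notes, that performs the receiving side of ssh-copy-id by hand on a local directory, so it runs offline. The function names, the constructed key line and the private-key header are my own, not anything from the notes.

```shell
#!/bin/sh
# Added example (not from the original notes): install a public key into
# HOMEDIR/.ssh/authorized_keys the way ssh-copy-id does on the receiving side,
# with the permission and idempotency rules written out explicitly.

# Constructed sample inputs (not real keys).
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleConstructedKeyBlobNotARealKey00 root@localhost'
SAMPLE_PRIVATE_HEADER='-----BEGIN OPENSSH PRIVATE KEY-----'

# is_pubkey_line LINE
# Accept only "<type> <base64 blob> [comment]". Private-key material, which
# starts with "-----BEGIN", is rejected, so it cannot be appended by mistake.
is_pubkey_line() {
    line=$1
    type=${line%% *}
    rest=${line#* }
    blob=${rest%% *}
    case "$type" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    [ "$rest" != "$line" ] || return 1           # type with no blob at all
    printf '%s' "$blob" | grep -Eq '^[A-Za-z0-9+/]+=*$' || return 1
    return 0
}

# install_pubkey HOMEDIR PUBKEY_LINE
# Append the line if it is not already present. sshd's StrictModes check
# refuses keys from a world-readable authorized_keys or .ssh directory,
# so the permissions are set explicitly (700 for the directory, 600 for the file).
install_pubkey() {
    home=$1
    key=$2
    is_pubkey_line "$key" || { echo "rejected: not a public key line" >&2; return 1; }
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    ak="$home/.ssh/authorized_keys"
    touch "$ak"
    chmod 600 "$ak"
    if grep -qxF "$key" "$ak"; then
        return 0                                 # already authorized, nothing to do
    fi
    printf '%s\n' "$key" >> "$ak"
}

# count_keys HOMEDIR -> number of key lines currently in authorized_keys
count_keys() {
    if [ -f "$1/.ssh/authorized_keys" ]; then
        grep -cE '^(ssh-|ecdsa-)' "$1/.ssh/authorized_keys" || true
    else
        echo 0
    fi
}
```

Usage: `install_pubkey /root "$(cat id_rsa.pub)"` on the server installs the key; running it a second time leaves exactly one copy, and `count_keys /root` reports how many keys can currently log in as that user, which is the first thing to check when reviewing who has passwordless access.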

 2. sshd security configuration

  1. Disable the original authentication method

[root@localhost ~]# vim /etc/ssh/sshd_config
 78:PasswordAuthentication  no|yes         #enable or disable ssh's default authentication method, i.e. logging in to the server with a password when no key is present
 78 PasswordAuthentication yes
 48:PermitRootLogin  no|yes                #enable or disable login as the root user
[root@localhost ~]$ systemctl restart sshd.service
[kiosk@foundation64 Desktop]$ ssh root@172.25.254.132
ssh: connect to host 172.25.254.132 port 22: Connection refused
[root@localhost ~]# vim /etc/ssh/sshd_config
79 AllowUsers  student
[kiosk@foundation64 Desktop]$ ssh student@172.25.254.132
student@172.25.254.132's password:
Last login: Tue Apr 10 11:48:26 2018 from 172.25.254.232
80:DenyUsers  linux                       #blacklisted user, i.e. a user who cannot log in; even though linux has a password, it has no permission to log in
[root@localhost ~]# useradd linux
[root@localhost ~]# passwd linux
Changing password for user linux.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[kiosk@foundation64 Desktop]$ ssh linux@172.25.254.132
ssh: connect to host 172.25.254.132 port 22: Connection refused

#the blacklist and the whitelist must not be used at the same time
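The settings above are easy to get wrong in a way that is not visible from the editor: sshd uses the first uncommented occurrence of a keyword, so a "PasswordAuthentication no" added below an existing "yes" changes nothing, and the notes' rule about not combining AllowUsers with DenyUsers is not enforced by the daemon. The script below is an added example, not part of the original notes, that reads the effective value of each keyword from an sshd_config-style file and flags the settings discussed in this section. It assumes a plain file without Match blocks; the function names and the two constructed sample configs are my own.

```shell
#!/bin/sh
# Added example (not from the original notes): audit the sshd_config settings
# this section covers. Runs entirely on constructed config files.

# sshd_setting FILE KEYWORD -> prints the effective value (empty if unset).
# sshd takes the FIRST uncommented occurrence of a keyword, so the awk
# program prints the first match and stops. Keyword matching is
# case-insensitive, as in sshd. Assumption: no Match blocks in FILE.
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")   # drop the keyword
            sub(/[[:space:]]+$/, "")
            print
            exit
        }
    ' "$1"
}

# audit_sshd_config FILE -> prints one line per finding and returns the number
# of findings (0 means the settings the notes arrive at are all in place).
audit_sshd_config() {
    cfg=$1
    n=0
    pw=$(sshd_setting "$cfg" PasswordAuthentication)
    root=$(sshd_setting "$cfg" PermitRootLogin)
    allow=$(sshd_setting "$cfg" AllowUsers)
    deny=$(sshd_setting "$cfg" DenyUsers)
    if [ "$pw" != "no" ]; then
        echo "PasswordAuthentication is '${pw:-unset}': password logins are still accepted"
        n=$((n + 1))
    fi
    # The default for an unset PermitRootLogin differs between OpenSSH
    # versions, so "unset" is reported for review as well as "yes".
    if [ "$root" = "yes" ] || [ -z "$root" ]; then
        echo "PermitRootLogin is '${root:-unset}': direct root login is not disabled"
        n=$((n + 1))
    fi
    if [ -n "$allow" ] && [ -n "$deny" ]; then
        echo "AllowUsers ($allow) and DenyUsers ($deny) are both set; the notes use one or the other"
        n=$((n + 1))
    fi
    return $n
}

# write_sample_configs DIR: constructed "before" and "after" files (not a
# real host's config) so the audit can be exercised offline.
write_sample_configs() {
    dir=$1
    printf '%s\n' \
        '# constructed sample: password auth set twice (first wins), root allowed, both lists' \
        'PasswordAuthentication yes' \
        'PermitRootLogin yes' \
        'PasswordAuthentication no' \
        'AllowUsers student' \
        'DenyUsers linux' > "$dir/sshd_config.weak"
    printf '%s\n' \
        'PasswordAuthentication no' \
        'PermitRootLogin no' \
        'AllowUsers student' > "$dir/sshd_config.hardened"
}
```

Usage: `audit_sshd_config /etc/ssh/sshd_config; echo "findings: $?"` before running `systemctl restart sshd.service`, so the restart is not the first time you learn that the edit had no effect. On the constructed weak file the audit reports three findings; on the hardened one it reports none.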

3. Managing the sshd service for remote connections

#start the sshd service on the server
  systemctl start sshd.service
#stop the sshd service on the server
  systemctl stop sshd.service
#start sshd automatically at boot
  systemctl enable sshd.service
#do not start sshd at boot
  systemctl disable sshd.service
#show the running status of sshd
  systemctl status sshd.service
#show the status of the currently loaded system services
  systemctl list-units
#show which units are enabled at boot
  systemctl list-unit-files
#reload the configuration, equivalent to kill -1 (SIGHUP)
  systemctl reload sshd
#restart the service
  systemctl restart sshd
#show the dependencies of the specified service
  systemctl list-dependencies sshd
#mask (freeze) the specified service so it cannot be started
  systemctl mask sshd
#unmask it
  systemctl unmask sshd
#do not start the graphical interface at boot
  systemctl set-default multi-user.target
#start the graphical interface at boot
  systemctl set-default graphical.target
#text console settings
  setterm
  vga=ask
[root@localhost ~]# systemctl list-units
UNIT                                    LOAD   ACTIVE SUB       DESCRIPTION
proc-sys-fs-binfmt_misc.automount       loaded active waiting   Arbitrary Executable File Formats File
sys-devices-...-virtio0-net-eth0.device loaded active plugged   Virtio network device
sys-devices-...o1-block-vda-vda1.device loaded active plugged   /sys/devices/pci0000:00/0000:00:04.0/vi
sys-devices-...virtio1-block-vda.device loaded active plugged   /sys/devices/pci0000:00/0000:00:04.0/vi
sys-devices-...o2-block-vdb-vdb1.device loaded active plugged   LVM PV SIaPf4-OdHu-OzAW-NlQG-vZ3D-X8ZO-
sys-devices-...virtio2-block-vdb.device loaded active plugged   /sys/devices/pci0000:00/0000:00:05.0/vi
sys-devices-...ial8250-tty-ttyS1.device loaded active plugged   /sys/devices/platform/serial8250/tty/tt
sys-devices-...ial8250-tty-ttyS2.device loaded active plugged   /sys/devices/platform/serial8250/tty/tt
sys-devices-...ial8250-tty-ttyS3.device loaded active plugged   /sys/devices/platform/serial8250/tty/tt
sys-devices-pnp0-00:04-tty-ttyS0.device loaded active plugged   /sys/devices/pnp0/00:04/tty/ttyS0
sys-devices-...ual-block-dm\x2d0.device loaded active plugged   /sys/devices/virtual/block/dm-0
sys-module-configfs.device              loaded active plugged   /sys/module/configfs
[root@localhost ~]# systemctl list-dependencies sshd
sshd.service
├─system.slice
└─basic.target
  ├─alsa-restore.service
  ├─alsa-state.service
  ├─firewalld.service
  ├─microcode.service
  ├─rhel-autorelabel-mark.service
  ├─rhel-autorelabel.service
  ├─rhel-configure.service
  ├─rhel-dmesg.service
  ├─rhel-loadmodules.service
  ├─paths.target
  ├─slices.target
  │ ├─-.slice
  │ └─system.slice
  ├─sockets.target
  │ ├─avahi-daemon.socket
  │ ├─cups.socket

 

 
