openssh
1. When the openssh service is enabled on a host, a remote-connection interface is exposed to the outside world.
openssh server: sshd
openssh client: ssh
2. Connecting to sshd from the client:
ssh <user on server>@<server ip>
[kiosk@foundation64 Desktop]$ ssh root@172.25.254.132
root@172.25.254.132's password:
Last login: Mon Apr 9 11:53:33 2018 from 172.25.254.64
Running exit closes the connection to the server:
[root@localhost ~]# exit
登出
Connection to 172.25.254.132 closed.
3. ssh <user on server>@<server ip> -X
opens the remote host's graphical functions (X11 forwarding)
4. Adding a new authentication method to the ssh service: key authentication
1. Generate the lock and key (key pair) on the server
[root@localhost ~]# ssh-keygen  # command that generates the key pair
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
# private key location
Your public key has been saved in /root/.ssh/id_rsa.pub.
# public key location
The key fingerprint is:
b1:76:d4:25:29:e3:74:89:23:3e:38:62:1d:b5:45:a6 root@localhost
The key's randomart image is:
+--[ RSA 2048]----+
| ...+..o. |
| . .=*.+o |
| . +E+.=. |
| o + o+. |
| . . .S.. |
| . . |
| |
| |
| |
+-----------------+
Press Enter at every prompt and accept the defaults for the file name.
2. Enable key authentication for the ssh user
On the server side:
ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.25.254.132
ssh-copy-id  # the command that installs the public key
-i  # specify the key
/root/.ssh/id_rsa.pub  # the public key
root  # the user being authorized
172.25.254.132  # host ip
3. Verify on the client
# transfer the private key to the client remotely
scp /root/.ssh/id_rsa root@172.25.254.232:/root/.ssh/
# the client can now connect to the server without a password
4. Delete the private key on the client
rm -fr /root/.ssh/authorized_keys
# now a password must be entered again to connect to the server host remotely
# to allow passwordless connection again:
cp /root/.ssh/id_rsa.pub /root/.ssh/authorized_keys
# because the content of authorized_keys is the same as id_rsa.pub
2. Secure configuration of sshd
1. Disable the original (password) authentication method
[root@localhost ~]# vim /etc/ssh/sshd_config
78 PasswordAuthentication no|yes  # disable or enable ssh's default authentication method, i.e. logging in to the server host with a password when there is no key
78 PasswordAuthentication yes
48 PermitRootLogin no|yes  # deny or allow logins by the root user
[root@localhost ~]$ systemctl restart sshd.service
[kiosk@foundation64 Desktop]$ ssh root@172.25.254.132
ssh: connect to host 172.25.254.132 port 22: Connection refused
[root@localhost ~]# vim /etc/ssh/sshd_config
79 AllowUsers student
[kiosk@foundation64 Desktop]$ ssh student@172.25.254.132
student@172.25.254.132's password:
Last login: Tue Apr 10 11:48:26 2018 from 172.25.254.232
80 DenyUsers linux  # blacklisted users, i.e. users who cannot log in; even though linux has a password, it has no right to log in
[root@localhost ~]# useradd
[root@localhost ~]# passwd linux
Changing password for user linux.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[kiosk@foundation64 Desktop]$ ssh linux@172.25.254.132
ssh: connect to host 172.25.254.132 port 22: Connection refused
# a blacklist and a whitelist cannot be used at the same time
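Added example (not part of the original notes and not an OpenSSH tool): a small checker that reads an sshd_config the way sshd does (first occurrence of a keyword wins, keywords are case-insensitive, '#' starts a comment) and reports the weak settings discussed above plus the AllowUsers/DenyUsers conflict. It assumes the file has no Match blocks; parsing stops at the first one. The two sample configs are constructed.

```python
import re
from typing import Dict, List

# Hardened values for the keywords the notes above toggle.
EXPECTED = {
    "passwordauthentication": "no",
    "permitrootlogin": "no",
}

def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective keyword -> value map (keys lowercased).
    Like sshd, the FIRST occurrence of a keyword wins and '#' starts a
    comment. Match blocks are not handled: parsing stops at the first one."""
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        effective.setdefault(key, value)  # later duplicates are ignored
    return effective

def audit_sshd_config(text: str) -> List[str]:
    """List settings that differ from the hardened values, keywords that are
    not set explicitly, and the AllowUsers/DenyUsers conflict the notes warn about."""
    cfg = parse_sshd_config(text)
    findings: List[str] = []
    for key, want in EXPECTED.items():
        have = cfg.get(key)
        if have is None:
            findings.append(f"{key} not set explicitly; set it to '{want}'")
        elif have.lower() != want:
            findings.append(f"{key} is '{have}', expected '{want}'")
    if "allowusers" in cfg and "denyusers" in cfg:
        findings.append("AllowUsers and DenyUsers are both set; keep only one list")
    return findings

# Constructed samples mirroring the settings shown in the notes.
WEAK_CONFIG = """# constructed sample
PasswordAuthentication yes
PermitRootLogin yes
AllowUsers student
DenyUsers linux
"""
HARDENED_CONFIG = """PasswordAuthentication no
PermitRootLogin no
AllowUsers student
"""
```

Run `sshd -t` after editing the real file and before `systemctl restart sshd`, so a syntax error does not lock you out of the remote-only host.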
3. Settings for the sshd remote-connection service
# start the sshd service on the server
systemctl start sshd.service
# stop the sshd service on the server
systemctl stop sshd.service
# start sshd at boot
systemctl enable sshd.service
# do not start sshd at boot
systemctl disable sshd.service
# check sshd's running status
systemctl status sshd.service
# show the status of the current system units
systemctl list-units
# show which units are enabled at boot
systemctl list-unit-files
# reload the configuration, equivalent to kill -1 (SIGHUP)
systemctl reload sshd
# restart the service
systemctl restart sshd
# show the dependencies of the specified service
systemctl list-dependencies sshd
# mask (freeze) the specified service
systemctl mask sshd
# unmask
systemctl unmask sshd
# do not start the graphical interface at boot
systemctl set-default multi-user.target
# start the graphical interface at boot
systemctl set-default graphical.target
# text console settings
setterm
vga=ask
[root@localhost ~]# systemctl list-units
UNIT LOAD ACTIVE SUB DESCRIPTION
proc-sys-fs-binfmt_misc.automount loaded active waiting Arbitrary Executable File Formats File
sys-devices-...-virtio0-net-eth0.device loaded active plugged Virtio network device
sys-devices-...o1-block-vda-vda1.device loaded active plugged /sys/devices/pci0000:00/0000:00:04.0/vi
sys-devices-...virtio1-block-vda.device loaded active plugged /sys/devices/pci0000:00/0000:00:04.0/vi
sys-devices-...o2-block-vdb-vdb1.device loaded active plugged LVM PV SIaPf4-OdHu-OzAW-NlQG-vZ3D-X8ZO-
sys-devices-...virtio2-block-vdb.device loaded active plugged /sys/devices/pci0000:00/0000:00:05.0/vi
sys-devices-...ial8250-tty-ttyS1.device loaded active plugged /sys/devices/platform/serial8250/tty/tt
sys-devices-...ial8250-tty-ttyS2.device loaded active plugged /sys/devices/platform/serial8250/tty/tt
sys-devices-...ial8250-tty-ttyS3.device loaded active plugged /sys/devices/platform/serial8250/tty/tt
sys-devices-pnp0-00:04-tty-ttyS0.device loaded active plugged /sys/devices/pnp0/00:04/tty/ttyS0
sys-devices-...ual-block-dm\x2d0.device loaded active plugged /sys/devices/virtual/block/dm-0
sys-module-configfs.device loaded active plugged /sys/module/configfs
[root@localhost ~]# systemctl list-dependencies sshd
sshd.service
├─system.slice
└─basic.target
├─alsa-restore.service
├─alsa-state.service
├─firewalld.service
├─microcode.service
├─rhel-autorelabel-mark.service
├─rhel-autorelabel.service
├─rhel-configure.service
├─rhel-dmesg.service
├─rhel-loadmodules.service
├─paths.target
├─slices.target
│ ├─-.slice
│ └─system.slice
├─sockets.target
│ ├─avahi-daemon.socket
│ ├─cups.socket