（十二）Linux中的远程登录服务

最新推荐文章于 2024-09-26 13:31:19 发布

moumumu

最新推荐文章于 2024-09-26 13:31:19 发布

阅读量818

点赞数 2

分类专栏： Linux学习文章标签： linux 服务器 ssh

本文链接：https://blog.csdn.net/moumumu/article/details/126142648

版权

Linux学习专栏收录该内容

17 篇文章 0 订阅

订阅专栏

文章目录

前言
一、openssh的功能
二、ssh
- 1.基本用法
- 2.ssh常用参数
三、sshd key认证
四、sshd安全优化参数详解

前言

在学习工作中，我们常常需要对其他主机进行远程访问并且进行操作，所以远程访问也是我们必须要学习的内容，其中会涉及到ssh，sshkey的认证；对服务器加密等等

一、openssh的功能

#1.sshd服务的用途#
作用：可以实现通过网络在远程主机中开启安全shell的操作
Secure SHell ===>ssh ##客户端
Secure SHell daemon ===>sshd ##服务端
#2.安装包#
openssh-server
#3.主配置文件#
/etc/ssh/sshd_conf
#4.默认端口#
22
#5.客户端命令#
ssh

二、ssh

1.基本用法

ssh [-l 远程主机用户] <ip|hostname>
ssh -l root 172.25.254.105 ##通过ssh命令在105主机中以root身份开启远程shell

[root@westos_student50 Desktop]# ssh -l root 192.168.0.30
The authenticity of host '192.168.0.30 (192.168.0.30)' can't be established.
ECDSA key fingerprint is SHA256:/UV0cQ6NzCbQwWO9Me2xZhwr9zPEZ8NnEn/qoMX40q4.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.0.30' (ECDSA) to the list of known hosts.
root@192.168.0.30's password: 
Activate the web console with: systemctl enable --now cockpit.socket

This system is not registered to Red Hat Insights. See https://cloud.redhat.com/
To register this system, run: insights-client --register

Last login: Thu Aug  4 00:29:46 2022 from 192.168.0.199

在远程访问的时候，会首先问到你是否要访问，我们需要回答yes，然后会要求我们输入密码，成功之后就可以成功访问

[root@westos_student50 ssh]# ls
moduli      ssh_config.d  ssh_host_ecdsa_key      ssh_host_ed25519_key      ssh_host_rsa_key
ssh_config  sshd_config   ssh_host_ecdsa_key.pub  ssh_host_ed25519_key.pub  ssh_host_rsa_key.pub
[root@westos_student50 ssh]# cat ssh_
ssh_config                ssh_host_ecdsa_key        ssh_host_ed25519_key      ssh_host_rsa_key          
ssh_config.d/             ssh_host_ecdsa_key.pub    ssh_host_ed25519_key.pub  ssh_host_rsa_key.pub      
[root@westos_student50 ssh]# cat ssh_host_ecdsa_key
ssh_host_ecdsa_key      ssh_host_ecdsa_key.pub  
[root@westos_student50 ssh]# cat ssh_host_ecdsa_key
ssh_host_ecdsa_key      ssh_host_ecdsa_key.pub  
[root@westos_student50 ssh]# cat ssh_host_ecdsa_key.pub   **连接过一次后，会将私钥储存在这个文件中**
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBcTWdZSmoNHKT/m9mcrQdKN8gDTLS0T2oXjuPV3IkIeFpsu+lVOXTMfWSO9YEtYknnZPLWQ40I7c6cuHE4h8hs= 
[root@westos_student50 ssh]# ssh -l root 192.168.0.30
root@192.168.0.30's password: 
Activate the web console with: systemctl enable --now cockpit.socket

This system is not registered to Red Hat Insights. See https://cloud.redhat.com/
To register this system, run: insights-client --register

Last login: Thu Aug  4 00:37:57 2022 from 192.168.0.28

远程连接过一次之后，在此链接就不会再问是否要继续连接，直接输入密码即可

[root@westos_student50 ssh]# cat ssh_host_ecdsa_key.pub 
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBcTWdZSmoNHKT/m9mcrQdKN8gDTLS0T2oXjuPV3IkIeFpsu+lVOXTMfWSO9YEtYknnZPLWQ40I7c6cuHE4h8hs= 
[root@westos_student50 ssh]# rm -fr ssh_host_ecdsa_key*
[root@westos_student50 ssh]# ls
moduli  ssh_config  ssh_config.d  sshd_config  ssh_host_ed25519_key  ssh_host_ed25519_key.pub  ssh_host_rsa_key  ssh_host_rsa_key.pub
[root@westos_student50 ssh]# systemctl restart sshd
[root@westos_student50 ssh]# ls
moduli      ssh_config.d  ssh_host_ecdsa_key      ssh_host_ed25519_key      ssh_host_rsa_key
ssh_config  sshd_config   ssh_host_ecdsa_key.pub  ssh_host_ed25519_key.pub  ssh_host_rsa_key.pub
[root@westos_student50 ssh]# cat ssh_host_ecdsa_key.pub 
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFIDdyCSTIvFM5JBY24yiXhzJRQ2hcIIeIRLrQHQR7HOeR7c5CkPASaDVaLOVmIBG6IX1KV2GF2ukknUDyYCJe0= 
[root@westos_student50 ssh]#

在我们的服务端删除密钥并且重新开启sshd服务后，会重新生成新的密钥，那么我们的客户端再次连接时，会出现以下情况：

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:pbBlOpOMeuKf6eY+3o5GO9pu4dWwfte7StoNf1bw8TU.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /root/.ssh/known_hosts:3
ECDSA host key for 192.168.0.30 has changed and you have requested strict checking.
Host key verification failed.

[root@westos_student50 ssh]# vim /root/.ssh/known_hosts

这个时候我们在客户端进入这个配置文件，将之前保存下来的密钥删除，再次连接就可以连接

2.ssh常用参数

-l #指定登陆用户
-i #指定私钥
-X #开启图形
-f #后台运行
-o #指定连接参数
#ssh -l root@172.25.254.x -o “StrictHostKeyChecking=no” 首次连接不需要输入yes
-t #指定连接跳板
#ssh -l root 172.25.254.1 -t ssh -l root 172.25.254.105

[root@westos_student50 ssh]# ssh -l root 192.168.0.30 -o "StrictHostKeyChecking=no"
这个命令就不用输入yes直接输入密码登录即可

三、sshd key认证

1.认证类型

1.对称加密
加密和解密是同一串字符
容易泄漏
可暴力破解
容易遗忘
2.非对称加密
加密用公钥，解密用私钥
不会被盗用
攻击者无法通过无密钥方式登陆服务器

2.生成非对称加密密钥

#方法1

$ ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): ##输入保存密钥文件
Enter passphrase (empty for no passphrase): ##密钥密码
Enter same passphrase again: ##确认密码
Your identification has been saved in /root/.ssh/id_rsa. ##私钥
Your public key has been saved in /root/.ssh/id_rsa.pub. ##公钥
The key fingerprint is:
SHA256:OZVOK9g6NyZsaUIfbZMrfAGB31GQsJ3FyviO4/psVSg root@localhost.localdomain
The key's randomart image is:
+---[RSA 3072]----+
| .o..=o | | . +oo.. | | .o+o++ | | E==*.. | | . ooS.o | | . + =o* | | . %+* |
| =+B.. | | .=+. |   
+----[SHA256]-----+

#方法二

$ssh-keygen -f /root/.ssh/id_rsa -P ""
#3.对服务器加密#
ssh-copy-id -i /root/.ssh/id_rsa.pub username@serverip
ssh-copy-id -i /root/.ssh/id_rsa.pub lee@172.25.254.105
#测试#
ssh lee@172.25.254.105 ##登陆lee用户不需要输入密码

方法一：ssh-keygen

[root@westos_student50 ssh]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:xl0LaWohBf/Twu+6poVKC6F13bTSn8bZ6Xjmmz2zQBI root@westos_student50.westos.org
The key's randomart image is:
+---[RSA 3072]----+
|      ...        |
|       o   .     |
|      . o =E.    |
|       + @ =..   |
|    o . S X.o.   |
|   o o o o *o+ . |
|  . . . . . B.o  |
|     o o ..o o+= |
|      o .oooo+=o=|
+----[SHA256]-----+
[root@westos_student50 ssh]# ls /.ssh/
ls: cannot access '/.ssh/': No such file or directory
[root@westos_student50 ssh]# ls ~/.ssh/
authorized_keys  id_rsa  id_rsa.pub  known_hosts

方法二：ssh-keygen -f ~/root/.ssh/id_rsa -P “”

[root@westos_student50 .ssh]# ssh-keygen -f ~/root/.ssh/id_rsa -P ""
Generating public/private rsa key pair.
Saving key "/root/root/.ssh/id_rsa" failed: No such file or directory
[root@westos_student50 .ssh]# ssh-keygen -f ~/.ssh/id_rsa -P ""
Generating public/private rsa key pair.
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:ly/oHv3cE9a3nYW68eglWWNOUVwiLk7ebMeWdR8C7ik root@westos_student50.westos.org
The key's randomart image is:
+---[RSA 3072]----+
|           .. ..+|
|          .... o.|
|          o.....o|
|         +.=...++|
|        SE=o+ Xo.|
|         +.o O+.+|
|        o o =oo.*|
|       . . +.B.o.|
|       .o  .*.o. |
+----[SHA256]-----+

3.对服务器加密

ssh-copy-id -i /root/.ssh/id_rsa.pub username@serverip
ssh-copy-id -i /root/.ssh/id_rsa.pub lee@172.25.254.105
#测试#
ssh lee@172.25.254.105 ##登陆lee用户不需要输入密码

[root@westos_student50 .ssh]# ssh-copy-id -i ~/.ssh/id/_rsa.pub root@192.168.0.30

/usr/bin/ssh-copy-id: ERROR: failed to open ID file '/root/.ssh/id/_rsa.pub': No such file or directory
[root@westos_student50 .ssh]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@192.168.0.30
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.0.30's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@192.168.0.30'"
and check to make sure that only the key(s) you wanted were added.

[root@westos_student50 .ssh]# ssh -l root 192.168.0.30
Activate the web console with: systemctl enable --now cockpit.socket

This system is not registered to Red Hat Insights. See https://cloud.redhat.com/
To register this system, run: insights-client --register

Last login: Thu Aug  4 01:27:47 2022 from 192.168.0.28
[root@westos_student50 ~]# exit
logout
Connection to 192.168.0.30 closed.

四、sshd安全优化参数详解

setenforce 0
systemctl disable --now firewalld 
Port 2222 #设定端口为2222
PermitRootLogin yes|no #对超级用户登陆是否禁止
PasswordAuthentication yes|no #是否开启原始密码认证方式
AllowUsers lee #用户白名单
DenyUsers lee #用户黑名单

[root@westos_student50 .ssh]# systemctl stop firewalld.service    关闭防火墙
[root@westos_student50 .ssh]# setenforce 0                        内核加强

Port 2222
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

将端口改为2222之后，我们在远程连接时就要加上端口，不然会有问题出现，如下

[root@westos_student50 ssh]# vim /etc/ssh/sshd_config 
[root@westos_student50 ssh]# ssh -l root 192.168.0.28
ssh: connect to host 192.168.0.28 port 22: Connection refused
[root@westos_student50 ssh]# ssh -p 2222 -l root 192.168.0.28
The authenticity of host '[192.168.0.28]:2222 ([192.168.0.28]:2222)' can't be established.
ECDSA key fingerprint is SHA256:/UV0cQ6NzCbQwWO9Me2xZhwr9zPEZ8NnEn/qoMX40q4.
Are you sure you want to continue connecting (yes/no/[fingerprint])? ^C