一.sshd简介
ssh root@172.25.254.100 远程登陆虚拟机
server +200 desktop+100
ssh后跟的用户就是登陆的用户
sshd= secure shell
可以通过网络在主机中开机shell的服务
客户端软件
sshd
连接方式:
ssh username@ip ##文本模式的链接
ssh username@ip -X ##可以在连接成功后开启图形
注意:
第一次链接陌生主机是要建立认证文件
所以加会询问是否建立,需要输入yes
再次链接此台主机时,因为已经生成~/.ssh/know_hosts 文件所以不需要再次输入yes
从主机连入虚拟机客户端
从主机连入虚拟机服务端
远程复制:(不用登陆上去)
scp file root@ip:dir(绝对路径) ##上传 ip为要上传的ip
scp root@ip:file(要下载的文件的绝对路径) dir(要拷贝的地方) ##下载
从client上传文件test到server
从server下载文件到client
二.sshd的key认证
1.生成认证key ssh-keygen ##生成密钥的命令
[root@server Desktop]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): ##指定保存加密字符的文件(使用默认)
Enter passphrase (empty for no passphrase): ##设定密码(使用空密码)
Enter same passphrase again: ##确认密码
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
73:b8:c8:a6:fa:ee:47:55:b4:33:97:ac:d7:99:65:f2 root@server.example.com
The key's randomart image is:
+--[ RSA 2048]----+
| .. |
| .o . |
| .+ + . o|
| .. = . B |
| .S o . + E|
| ... + . |
| .+ . |
| o. |
| .==. |
+-----------------+
生成钥匙
2.加密服务
[root@server ~]# cd /root/.ssh/
[root@server .ssh]# ls
id_rsa id_rsa.pub
[root@server .ssh]# ssh-copy-id -i id_rsa.pub root@172.25.254.224
The authenticity of host '172.25.254.224 (172.25.254.224)' can't be established.
ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@172.25.254.224's password:
Permission denied, please try again.
root@172.25.254.224's password:
Permission denied, please try again.
root@172.25.254.224's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@172.25.254.224'"
and check to make sure that only the key(s) you wanted were added.
[root@server .ssh]# ls
authorized_keys id_rsa id_rsa.pub known_hosts
^z这个代表成功
加密服务
3.分发钥匙
[root@server .ssh]# scp /root/.ssh/id_rsa root@172.25.254.124:/root/.ssh/##分发钥匙命令
The authenticity of host '172.25.254.124 (172.25.254.124)' can't be established.
ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.25.254.124' (ECDSA) to the list of known hosts.
root@172.25.254.124's password:
id_rsa 100% 1679 1.6KB/s
给client分发钥匙
4.测试
在客户主机中(172.25.254.124)
ssh root@172.25.254.224 ##连接时发现直接登陆不需要root登陆系统的密码认证
不需要密码就可以登陆
三.sshd的安全设定
78 PasswordAuthentication yes/no ##是否允许用户通过登录系统的密码作sshd的认证(不用输密码)
48 PermitRootLogin yes|no ##是否允许root用户通过sshd服务的认证
Allowusers student westos ##设定用户白名单,白名单出现默认不再名单中的用户不能使用sshd
Denyusers westos ##设定用户黑名单,黑名单出现默认不再名单中的用户可以使用sshd
PasswordAuthentication no ##用户不通过登录系统的密码作sshd的认证
PermitRootLogin no ##root用户不能通过sshd服务的认证
四.添加sshd登陆信息
vim /etc/motd ##文件内容就是登陆后显示的信息
五.用户的登陆审计
1.w ##查看正在使用当前系统的用户
w -f ##查看使用来源
w -i ##显示登陆i
/var/run/utmp
2.last ##查看使用过并退出的用户信息
/var/log/wtmp
3.lastb ##试图登陆但没成功的用户
/var/log/btmp 信息在这存储
> /var/log/btmp ##清空
vim /etc/host.deny
vim /etc.host.allow