openssh
1. Accessing a remote command line with ssh
1.1 Introduction to OpenSSH
- SSH is short for Secure Shell. It was specified by the IETF Network Working Group and is a security protocol built on top of the application and transport layers.
- SSH is currently a reliable protocol designed to provide security for remote login sessions and other network services. It is commonly used for remote login and for copying data between users. Using the SSH protocol effectively prevents information leakage during remote administration.
- Using the SSH service requires installing the corresponding server and client. The relationship between client and server: if machine A is to be controlled remotely by machine B, machine A needs the SSH server installed and machine B needs the SSH client.
1.2 Uses of OpenSSH
- OpenSSH is a free, open-source implementation of the SSH (Secure SHell) protocol.
- The SSH protocol family can be used for remote control, or for transferring files between computers.
- The traditional tools for this, such as telnet (terminal emulation protocol), rcp, ftp, rlogin and rsh, are extremely insecure and transmit passwords in cleartext. OpenSSH provides a server daemon and client tools that encrypt the data during remote control and file transfer, and thereby replaces those older services.
2. Lab environment
| Host name and IP address | Client name and IP address |
|---|---|
| @zhiyong 192.168.26.168 | @wuli 192.168.26.53 |
2.1 Secure Shell examples
2.1.1 Open an interactive remote shell as the current user, then return to the previous shell with the exit command when finished
[root@zhiyong ~]# ssh 192.168.26.53
root@192.168.26.53's password:
Last login: Mon Jan 7 23:22:43 2019 from 192.168.26.168
[root@wuli ~]# exit
登出
Connection to 192.168.26.53 closed.
[root@zhiyong ~]#
2.1.2 Connect to a remote shell as another user (remoteuser) on a chosen host (remotehost)
- Create the user tom on the host, then connect remotely from the client with ssh
[root@zhiyong ~]# passwd tom
更改用户 tom 的密码 。
新的 密码:
无效的密码: 密码少于 8 个字符
重新输入新的 密码:
passwd:所有的身份验证令牌已经成功更新。
[tom@wuli ~]$ ssh tom@192.168.26.168
tom@192.168.26.168's password:
Last failed login: Mon Jan 7 16:52:52 CST 2019 from 192.168.26.53 on ssh:notty
There was 1 failed login attempt since the last successful login.
[tom@zhiyong ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
2.1.3 Run a job on the remote host (remotehost) as the remote user (remoteuser), with the output returned to the local display
[root@zhiyong ~]# useradd jerry
[root@zhiyong ~]# passwd jerry
更改用户 jerry 的密码 。
新的 密码:
无效的密码: 密码少于 8 个字符
重新输入新的 密码:
passwd:所有的身份验证令牌已经成功更新。
[root@wuli ~]# ssh jerry@192.168.26.168 'touch a;ls -l'
jerry@192.168.26.168's password:
总用量 0
-rw-rw-r--. 1 jerry jerry 0 1月 7 17:12 a
[root@wuli ~]# ssh jerry@192.168.26.168 '/usr/sbin/ip a s ens33'
jerry@192.168.26.168's password:
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:44:f2:a7 brd ff:ff:ff:ff:ff:ff
inet 192.168.26.168/24 brd 192.168.26.255 scope global ens33
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe44:f2a7/64 scope link
valid_lft forever preferred_lft forever
2.1.4 The w command shows the list of users currently logged in to the machine. This is especially useful for seeing which users have logged in via ssh from which remote locations and what they are running
[root@zhiyong ~]# w
17:23:00 up 2:29, 2 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root tty1 14:53 2:03m 0.99s 0.99s -bash
root pts/0 192.168.26.1 14:57 4.00s 0.22s 0.01s w
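As an added example (not from the original notes), the shell functions below parse `w` output and list only the sessions that arrived over the network. They locate the FROM and LOGIN@ columns from the header line instead of counting whitespace-separated fields, so a WHAT column containing spaces (for example `vim notes.txt`) does not shift the result. `sessions_outside` is a small check a defender can run to flag logins whose source address is not in the expected prefix. The `w` output is a constructed sample modelled on the listing above.

```shell
#!/bin/sh
# Added example: extract remote sessions from `w` output.
# Constructed sample (not real output); columns aligned like a real `w` listing.
W_SAMPLE='17:23:00 up  2:29,  3 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     tty1                          14:53    2:03m  0.99s  0.99s -bash
root     pts/0    192.168.26.1     14:57    4.00s  0.22s  0.01s w
tom      pts/1    192.168.26.53    17:20    1.00s  0.05s  0.05s vim notes.txt'

# remote_sessions <w output>
# Prints "user from tty" for every session whose FROM column is non-empty.
# The FROM column is cut by position: it starts where the header says "FROM"
# and ends where "LOGIN@" begins, so spaces in WHAT cannot confuse the parser.
remote_sessions() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                                    # uptime / load line
        NR == 2 { f = index($0, "FROM"); l = index($0, "LOGIN@"); next }
        {
            from = substr($0, f, l - f)
            gsub(/^ +| +$/, "", from)                       # trim padding
            if (from != "") print $1, from, $2
        }'
}

# count_remote_sessions <w output> -> number of sessions that have a source address
count_remote_sessions() {
    remote_sessions "$1" | wc -l | tr -d ' '
}

# sessions_outside <w output> <allowed address prefix>
# Prints the remote sessions whose source does not start with the prefix,
# e.g. logins that did not originate from the lab subnet 192.168.26.
sessions_outside() {
    remote_sessions "$1" | awk -v p="$2" 'index($2, p) != 1'
}

remote_sessions "$W_SAMPLE"
```

Running the block prints the two pts sessions with their source addresses; the tty1 console login, which has no FROM value, is omitted.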
3. Configuring SSH key-based authentication
- Step 1: create a public/private key pair
[root@wuli ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:1pDPnkjsLzYKFmGvNKkmXX0WYnQeSClD+FpuX8vw3og root@wuli
The key's randomart image is:
+---[RSA 2048]----+
| o..ooo |
| . o.oo o |
| .ooo = |
| .o* o * |
| +* o S + |
| ..+o+.*.o . |
|. +.+. =o.o |
| o . ...B+ |
| E+ooo |
+----[SHA256]-----+
- Step 2: use ssh-copy-id to copy the public key to the correct location on the remote system
[root@wuli ~]# ls .ssh/
id_rsa id_rsa.pub
[root@wuli ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@192.168.26.53
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.26.53 (192.168.26.53)' can't be established.
ECDSA key fingerprint is SHA256:jy+dyp938gsO7bDGG/IdlqjObnjIO+Zvwg0iyIZUmYA.
ECDSA key fingerprint is MD5:e8:96:24:94:2c:7d:0f:13:40:c3:21:25:e2:58:a6:86.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.26.53's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@192.168.26.53'"
and check to make sure that only the key(s) you wanted were added.
- Step 3: log in to the remote host with ssh without a password
[root@wuli ~]# ssh root@192.168.26.53
Last login: Tue Jan 8 02:35:13 2019 from 192.168.26.168
[root@wuli ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:7a:9e:f2 brd ff:ff:ff:ff:ff:ff
inet 192.168.26.53/24 brd 192.168.26.255 scope global noprefixroute ens33
valid_lft forever preferred_lft forever
inet6 fe80::647b:b818:b9a7:4dfa/64 scope link noprefixroute
valid_lft forever preferred_lft forever
- Step 4: on the client, copy the public key to the host
[root@wuli .ssh]# ls
authorized_keys id_rsa id_rsa.pub known_hosts
[root@wuli .ssh]# scp id_rsa.pub root@192.168.26.168:/root/.ssh/authorized_keys
The authenticity of host '192.168.26.168 (192.168.26.168)' can't be established.
ECDSA key fingerprint is SHA256:1ahNIZLjIcyvHzKnwD+/5doXTxLVg7vz1+8R+4U3udU.
ECDSA key fingerprint is MD5:f0:9f:0e:c7:c3:8d:e2:e8:39:72:b7:b8:8f:95:4a:f7.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.26.168' (ECDSA) to the list of known hosts.
root@192.168.26.168's password:
Permission denied, please try again.
root@192.168.26.168's password:
id_rsa.pub 100% 391 261.3KB/s 00:00
- Step 5: connect from the client to the host
[root@wuli .ssh]# ssh root@192.168.26.168
Last failed login: Mon Jan 7 18:39:11 CST 2019 from 192.168.26.53 on ssh:notty
There were 4 failed login attempts since the last successful login.
Last login: Mon Jan 7 15:12:46 2019 from 192.168.26.1
[root@zhiyong ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:44:f2:a7 brd ff:ff:ff:ff:ff:ff
inet 192.168.26.168/24 brd 192.168.26.255 scope global ens33
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe44:f2a7/64 scope link
valid_lft forever preferred_lft forever
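Step 2 above uses ssh-copy-id, which appends the key to authorized_keys, while step 4 copies id_rsa.pub over authorized_keys with scp, which replaces every key that was already authorized on that host. The following is an added example, not code from the notes: a shell function that installs a public key the way ssh-copy-id does (append once, never overwrite) and leaves ~/.ssh and authorized_keys with the modes sshd requires under its default StrictModes setting (700 and 600). The key lines and the home directory are constructed for the demonstration and are not real key material.

```shell
#!/bin/sh
# Added example: append-only installation of a public key into authorized_keys.

# install_pubkey <home dir> <public key line>
# Appends the key if it is not already present; returns 1 for malformed input.
install_pubkey() {
    home="$1"
    key="$2"
    sshdir="$home/.ssh"
    auth="$sshdir/authorized_keys"

    # A key line starts with a key type followed by the base64 key material.
    case "$key" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*) ;;
        *) echo "install_pubkey: not a public key line" >&2; return 1 ;;
    esac

    mkdir -p "$sshdir"
    chmod 700 "$sshdir"      # sshd ignores authorized_keys if .ssh is group/world writable
    touch "$auth"
    chmod 600 "$auth"

    # Compare type + key material only, so a different comment does not create a duplicate.
    keyid=$(printf '%s\n' "$key" | awk '{print $1, $2}')
    if awk -v id="$keyid" '($1 " " $2) == id {found=1} END {exit !found}' "$auth"; then
        return 0             # already installed
    fi
    printf '%s\n' "$key" >> "$auth"
}

# count_keys <home dir> -> number of key lines in authorized_keys
count_keys() {
    wc -l < "$1/.ssh/authorized_keys" | tr -d ' '
}

# perms <path> -> octal mode (GNU stat first, BSD stat as fallback)
perms() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then stat -c '%a' "$1"; else stat -f '%Lp' "$1"; fi
}

# Demonstration in a scratch directory with constructed (not real) key lines.
DEMO_HOME=$(mktemp -d)
KEY_A='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0constructed0 root@wuli'
KEY_B='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructed1 tom@wuli'
install_pubkey "$DEMO_HOME" "$KEY_A"
install_pubkey "$DEMO_HOME" "$KEY_A"     # second call is a no-op
install_pubkey "$DEMO_HOME" "$KEY_B"
echo "keys installed: $(count_keys "$DEMO_HOME")"
```

After the three calls authorized_keys holds exactly two lines, because the repeated key is detected and skipped; the scp approach in step 4 would instead have left only the last key copied.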
4. Using the firewall to set an SSH access policy
Step 1: check the firewall settings
- a. Check whether the firewall is running
[root@zhiyong ~]# systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since 一 2019-01-07 14:53:22 CST; 6h ago
Docs: man:firewalld(1)
Main PID: 763 (firewalld)
CGroup: /system.slice/firewalld.service
└─763 /usr/bin/python -Es /usr/sbin/firewalld --nofork --no...
- b. If the firewall is running, check whether the port is allowed
firewall-cmd --zone=public --list-ports
- c. If the port is not allowed, open it
[root@zhiyong ~]# firewall-cmd --zone=public --add-port=22/tcp --permanent
success
- d. Reload the firewall settings
[root@zhiyong ~]# firewall-cmd --reload
success
Check SELinux (the access control system)
- a. Check whether SELinux is enabled; enabled means it is on
[root@zhiyong ~]# sestatus -v | grep "SELinux status"
SELinux status: enabled
- b. Use semanage (not installed by default; it must be installed first) to configure SELinux to allow the new SSH port
1. yum install policycoreutils-python
2. semanage port -a -t ssh_port_t -p tcp 22
3. semanage port -l | grep ssh
Restricting the IPs that may log in via ssh
- Deny all IPs from connecting to the server's SSH
[root@zhiyong ~]# vim /etc/hosts.deny
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
sshd:192.168.26.53:deny
- Allow the specified IP to connect to the server's SSH
[root@zhiyong ~]# vim /etc/hosts.allow
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
sshd:192.168.26.168
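tcp_wrappers evaluates these two files in a fixed order: a connection is granted if (daemon, client) matches a line in hosts.allow, otherwise denied if it matches a line in hosts.deny, otherwise granted. The shell script below is an added example (not part of the notes) that simulates that decision over the two files above and over a stricter `sshd: ALL` deny list, so the effect of each rule can be checked before restarting sshd. It is a simplified model: it understands `ALL`, exact IPv4 addresses, network prefixes written with a trailing dot (`192.168.26.`), the `: allow` / `: deny` options and `#` comments, but not hostnames, netmasks or IPv6. The file contents are constructed inline.

```shell
#!/bin/sh
# Added example: simulate tcp_wrappers (hosts.allow / hosts.deny) access decisions.

# evaluate_rules <daemon> <client ip> <default verdict> <rules text>
# Prints "allow" or "deny" for the first matching line, nothing if no line matches.
evaluate_rules() {
    printf '%s\n' "$4" | awk -v d="$1" -v c="$2" -v def="$3" '
        # Does any comma-separated pattern in list match value?
        function matches(list, value,    n, i, p, parts) {
            n = split(list, parts, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                p = parts[i]
                if (p == "ALL" || p == value) return 1
                if (p ~ /\.$/ && index(value, p) == 1) return 1   # "192.168.26." prefix form
            }
            return 0
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }                        # comments and blank lines
        {
            n = split($0, f, /[ \t]*:[ \t]*/)                    # daemon : client [: option]
            if (n < 2) next
            sub(/^[ \t]+/, "", f[1]); sub(/[ \t]+$/, "", f[n])
            if (!matches(f[1], d) || !matches(f[2], c)) next
            verdict = def                                         # the file itself decides...
            if (n >= 3 && (f[3] == "deny" || f[3] == "allow")) verdict = f[3]   # ...unless an option overrides
            print verdict
            exit                                                  # first matching line wins
        }'
}

# wrapper_decision <daemon> <client ip> <hosts.allow text> <hosts.deny text>
wrapper_decision() {
    r=$(evaluate_rules "$1" "$2" allow "$3")
    [ -n "$r" ] && { echo "$r"; return; }
    r=$(evaluate_rules "$1" "$2" deny "$4")
    [ -n "$r" ] && { echo "$r"; return; }
    echo allow          # no rule in either file matched: access is granted by default
}

# Constructed file contents, the first pair copied from the notes above.
HOSTS_ALLOW='# See man 5 hosts_access for the syntax
sshd:192.168.26.168'
HOSTS_DENY='sshd:192.168.26.53:deny'
HOSTS_DENY_STRICT='sshd: ALL'               # deny every client not listed in hosts.allow
HOSTS_ALLOW_SUBNET='sshd: 192.168.26.'      # whole lab subnet

for ip in 192.168.26.168 192.168.26.53 192.168.26.77; do
    echo "notes config, sshd from $ip: $(wrapper_decision sshd "$ip" "$HOSTS_ALLOW" "$HOSTS_DENY")"
    echo "strict deny,  sshd from $ip: $(wrapper_decision sshd "$ip" "$HOSTS_ALLOW" "$HOSTS_DENY_STRICT")"
done
```

The run shows the difference between the two deny lists: with the notes' hosts.deny, only 192.168.26.53 is rejected and any other address (192.168.26.77 here) is still granted because no rule matches it, whereas `sshd: ALL` in hosts.deny rejects everything that hosts.allow does not list explicitly.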
Restart the ssh service and verify
[root@zhiyong ~]# systemctl restart sshd.service
[root@zhiyong ~]# systemctl status sshd.service
● sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
Active: active (running) since 一 2019-01-07 21:25:09 CST; 9s ago
Docs: man:sshd(8)
man:sshd_config(5)
[root@zhiyong ~]# ssh root@192.168.26.53
root@192.168.26.53's password:
[root@zhiyong ~]# ssh root@192.168.26.168
root@192.168.26.168's password:
Last failed login: Mon Jan 7 21:28:10 CST 2019 from zhiyong on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Mon Jan 7 21:03:34 2019 from 192.168.26.1