openssh

1. Accessing a remote command line with ssh

1.1 Introduction to OpenSSH

  • SSH stands for Secure Shell; it was specified by the IETF's Network Working Group. SSH is a security protocol built on top of the application and transport layers.

  • SSH is currently a reliable protocol designed to provide security for remote login sessions and other network services. It is commonly used for remote login and for copying data between users. Using SSH effectively prevents information leakage during remote administration.

  • To use SSH, the corresponding server and client must be installed. The relationship between client and server: if machine A is to be remotely controlled by machine B, then machine A needs the SSH server and machine B needs the SSH client.

1.2 Uses of OpenSSH

  • OpenSSH is a free, open-source implementation of the SSH (Secure SHell) protocol.
  • The SSH protocol family can be used for remote control or for transferring files between computers.
  • The traditional tools for this, such as telnet (terminal emulation protocol), rcp, ftp, rlogin and rsh, are extremely insecure and send passwords in clear text.
  • OpenSSH provides a server daemon and client tools that encrypt the data in remote-control and file-transfer sessions, and so replaces those older services.

2. Lab environment

Host name and IP address        Client name and IP address
zhiyong  192.168.26.168         wuli  192.168.26.53

2.1 Secure Shell examples

2.1.1 Create a remote interactive shell as the current user, then return to the previous shell with the exit command when finished
[root@zhiyong ~]# ssh 192.168.26.53
root@192.168.26.53's password: 
Last login: Mon Jan  7 23:22:43 2019 from 192.168.26.168
[root@wuli ~]# exit
登出
Connection to 192.168.26.53 closed.
[root@zhiyong ~]# 
2.1.2 Connect to a remote shell on a chosen host (remotehost) as a different user (remoteuser)
  • Create the user tom on the host, then connect with ssh from the client
[root@zhiyong ~]# passwd tom
更改用户 tom 的密码 。
新的 密码:
无效的密码: 密码少于 8 个字符
重新输入新的 密码:
passwd:所有的身份验证令牌已经成功更新。
[tom@wuli ~]$ ssh tom@192.168.26.168
tom@192.168.26.168's password: 
Last failed login: Mon Jan  7 16:52:52 CST 2019 from 192.168.26.53 on ssh:notty
There was 1 failed login attempt since the last successful login.
[tom@zhiyong ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
2.1.3 Execute a job on the remote host (remotehost) as the remote user (remoteuser), with the output returned to the local display
[root@zhiyong ~]# useradd jerry 
[root@zhiyong ~]# passwd jerry
更改用户 jerry 的密码 。
新的 密码:
无效的密码: 密码少于 8 个字符
重新输入新的 密码:
passwd:所有的身份验证令牌已经成功更新。
[root@wuli ~]# ssh jerry@192.168.26.168 'touch a;ls -l' 
jerry@192.168.26.168's password: 
总用量 0
-rw-rw-r--. 1 jerry jerry 0 1月   7 17:12 a
[root@wuli ~]# ssh jerry@192.168.26.168 '/usr/sbin/ip a s ens33' 
jerry@192.168.26.168's password: 
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:44:f2:a7 brd ff:ff:ff:ff:ff:ff
    inet 192.168.26.168/24 brd 192.168.26.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe44:f2a7/64 scope link 
       valid_lft forever preferred_lft forever
2.1.4 The w command shows the list of users currently logged in to the machine. This is especially useful for seeing which users have logged in via ssh from which remote locations, and what they are doing
[root@zhiyong ~]# w
 17:23:00 up  2:29,  2 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     tty1                      14:53    2:03m  0.99s  0.99s -bash
root     pts/0    192.168.26.1     14:57    4.00s  0.22s  0.01s w
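Putting 2.1.3 and 2.1.4 together: the output of a remote command can feed a local script, which is how an administrator reviews where SSH sessions are coming from across several hosts. The following is an added example, not part of the original post. It runs `who` on the remote host rather than `w`, because `who` prints the origin in parentheses, which is unambiguous to parse (a blank FROM column in `w` output shifts the remaining fields); the `ssh` binary is reached through a `SSH` variable so the parser can be exercised against constructed output. The lab user and host names are assumed from the post.

```shell
#!/bin/sh
# Added example (not from the original post): run a command on the remote host
# and process its output locally, here to list who is logged in and from where.
# Assumptions: the lab hosts from the post; SSH may be overridden with a stub
# (a shell function) so the parsing can be exercised offline.
SSH="${SSH:-ssh}"

# remote_who USER HOST
# Runs `who` on HOST as USER. BatchMode=yes makes ssh fail instead of prompting
# for a password, so the function is safe in cron jobs or loops over hosts.
# The absolute path avoids depending on the remote user's PATH (the post runs
# /usr/sbin/ip by its full path for the same reason).
remote_who() {
    "$SSH" -o BatchMode=yes -o ConnectTimeout=5 "$1@$2" '/usr/bin/who'
}

# remote_logins USER HOST
# Prints "user tty origin" for every session that has a remote origin, i.e. a
# parenthesised host or IP at the end of the `who` line. Console logins (no
# origin) are skipped, so what remains is the list to review for unexpected
# SSH sources.
remote_logins() {
    remote_who "$1" "$2" | awk '
        $NF ~ /^\(.*\)$/ {
            origin = substr($NF, 2, length($NF) - 2)
            print $1, $2, origin
        }'
}

# Interactive use on the lab client would be:
# remote_logins root 192.168.26.168
```

Because `BatchMode=yes` disables password prompts, the function only works once the key-based login from section 3 is in place; until then it fails fast with "Permission denied", which is the behaviour you want from anything unattended.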

3. Configuring SSH key-based authentication

  • Step 1: create a public/private key pair
[root@wuli ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:1pDPnkjsLzYKFmGvNKkmXX0WYnQeSClD+FpuX8vw3og root@wuli
The key's randomart image is:
+---[RSA 2048]----+
|   o..ooo        |
|  . o.oo o       |
|   .ooo =        |
|   .o* o *       |
|   +* o S +      |
| ..+o+.*.o .     |
|. +.+. =o.o      |
| o . ...B+       |
|      E+ooo      |
+----[SHA256]-----+

  • Step 2: use ssh-copy-id to copy the public key to the correct location on the remote system
[root@wuli ~]# ls .ssh/
id_rsa  id_rsa.pub
[root@wuli ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@192.168.26.53
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.26.53 (192.168.26.53)' can't be established.
ECDSA key fingerprint is SHA256:jy+dyp938gsO7bDGG/IdlqjObnjIO+Zvwg0iyIZUmYA.
ECDSA key fingerprint is MD5:e8:96:24:94:2c:7d:0f:13:40:c3:21:25:e2:58:a6:86.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.26.53's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@192.168.26.53'"
and check to make sure that only the key(s) you wanted were added.

  • Step 3: log in to the remote host with ssh, without a password
[root@wuli ~]# ssh root@192.168.26.53
Last login: Tue Jan  8 02:35:13 2019 from 192.168.26.168
[root@wuli ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:7a:9e:f2 brd ff:ff:ff:ff:ff:ff
    inet 192.168.26.53/24 brd 192.168.26.255 scope global noprefixroute ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::647b:b818:b9a7:4dfa/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

  • Step 4: on the client, copy the public key to the host
[root@wuli .ssh]# ls
authorized_keys  id_rsa  id_rsa.pub  known_hosts
[root@wuli .ssh]# scp id_rsa.pub root@192.168.26.168:/root/.ssh/authorized_keys 
The authenticity of host '192.168.26.168 (192.168.26.168)' can't be established.
ECDSA key fingerprint is SHA256:1ahNIZLjIcyvHzKnwD+/5doXTxLVg7vz1+8R+4U3udU.
ECDSA key fingerprint is MD5:f0:9f:0e:c7:c3:8d:e2:e8:39:72:b7:b8:8f:95:4a:f7.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.26.168' (ECDSA) to the list of known hosts.
root@192.168.26.168's password: 
Permission denied, please try again.
root@192.168.26.168's password: 
id_rsa.pub                                                                    100%  391   261.3KB/s   00:00
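On the difference between step 2 and step 4: `ssh-copy-id` appends to `authorized_keys` and installs only the keys that are not already there, whereas the `scp ... :/root/.ssh/authorized_keys` in step 4 replaces the whole file, discarding any key that was already authorised on the host. The function below is an added example (not from the post and not ssh-copy-id's own code) that reproduces the append-if-missing behaviour together with the permissions sshd requires under its default StrictModes, so it can be used where ssh-copy-id is unavailable. The key material, paths and comment strings used to exercise it are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): what ssh-copy-id does on the
# target, written out so the contrast with a plain scp overwrite is visible.
# Assumptions: key file contents and home directories are constructed; no real
# hosts are touched.

# install_pubkey KEYFILE HOME_DIR
# Appends the public key in KEYFILE to HOME_DIR/.ssh/authorized_keys unless a
# key with the same type and blob is already present. Returns 0 on success,
# 1 if KEYFILE is not a public key. Safe to run repeatedly.
install_pubkey() {
    keyfile="$1"
    home="$2"
    sshdir="$home/.ssh"
    auth="$sshdir/authorized_keys"

    # A public key file is a single line: type, base64 blob, optional comment.
    key=$(head -n 1 "$keyfile")
    case "$key" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
        *) echo "install_pubkey: $keyfile does not look like a public key" >&2; return 1 ;;
    esac

    # sshd refuses the file if ~/.ssh or authorized_keys are group/world writable.
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$auth"
    chmod 600 "$auth"

    # Compare on type and blob only, so a changed comment is not a new key.
    blob=$(printf '%s\n' "$key" | awk '{print $1, $2}')
    if ! awk -v b="$blob" '($1 " " $2) == b {found=1} END {exit !found}' "$auth"; then
        printf '%s\n' "$key" >> "$auth"
    fi
}

# count_keys HOME_DIR: number of keys currently authorised (non-empty lines).
count_keys() {
    grep -c . "$1/.ssh/authorized_keys" || true
}

# Typical use on the host, after copying the .pub file over with scp to a
# temporary name instead of straight onto authorized_keys:
# install_pubkey /tmp/id_rsa.pub /root
```

The second `install_pubkey` call with the same key is a no-op, which is the property step 4 lacks: running `scp` onto `authorized_keys` a second time with a different client's key would silently lock the first client out.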
  • Step 5: connect to the host from the client
[root@wuli .ssh]# ssh root@192.168.26.168
Last failed login: Mon Jan  7 18:39:11 CST 2019 from 192.168.26.53 on ssh:notty
There were 4 failed login attempts since the last successful login.
Last login: Mon Jan  7 15:12:46 2019 from 192.168.26.1
[root@zhiyong ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:44:f2:a7 brd ff:ff:ff:ff:ff:ff
    inet 192.168.26.168/24 brd 192.168.26.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe44:f2a7/64 scope link 
       valid_lft forever preferred_lft forever

4. Using the firewall to set an SSH access policy

Step 1: check the firewall settings
  • a. Check whether the firewall is running
[root@zhiyong ~]# systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
  Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
  Active: active (running) since 一 2019-01-07 14:53:22 CST; 6h ago
    Docs: man:firewalld(1)
Main PID: 763 (firewalld)
  CGroup: /system.slice/firewalld.service
          └─763 /usr/bin/python -Es /usr/sbin/firewalld --nofork --no...


  • b. If the firewall is running, check whether the port is allowed
    firewall-cmd --zone=public --list-ports
  • c. If the port is not allowed, allow it
[root@zhiyong ~]# firewall-cmd --zone=public --add-port=22/tcp --permanent
success
  • d. Reload the firewall settings
[root@zhiyong ~]# firewall-cmd --reload
success
Check SELinux (the access control system)
  • a. Check whether SELinux is enabled; "enabled" means it is on
[root@zhiyong ~]# sestatus -v | grep "SELinux status"
SELinux status:                 enabled
  • b. Use semanage (not included by default; it must be installed) to configure SELinux to allow the new SSH port
    yum install policycoreutils-python
    semanage port -a -t ssh_port_t -p tcp 22
    semanage port -l | grep ssh
Restrict the IPs that may log in via ssh
  • Deny SSH connections to the server from all IPs
[root@zhiyong ~]# vim /etc/hosts.deny

             See 'man 5 hosts_options' and 'man 5 hosts_access'
              for information on rule syntax.
             See 'man tcpd' for information on tcp_wrappers
sshd:192.168.26.53:deny
  • Allow SSH connections to the server from a specified IP
[root@zhiyong ~]# vim /etc/hosts.allow
See 'man 5 hosts_options' and 'man 5 hosts_access'
              for information on rule syntax.
              See 'man tcpd' for information on tcp_wrappers
  sshd:192.168.26.168
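The two files above are evaluated in a fixed order by libwrap: hosts.allow is consulted first and a match grants access; otherwise hosts.deny is consulted and a match denies; if neither file matches, access is granted. That is why the hosts.deny line shown only blocks 192.168.26.53 rather than "all IPs": a deny-all policy needs `sshd: ALL` in hosts.deny, with the permitted clients listed in hosts.allow. The script below is an added example (not from the post, and not libwrap's code) that re-implements enough of that decision to dry-run a pair of files against a client address before restarting sshd and risking a lockout. It supports the patterns `ALL`, an exact IP, and a network prefix ending in a dot (for example `192.168.26.`); the optional third field on a line (the trailing `:deny` on the post's hosts.deny rule) is ignored, which is a simplification of hosts_options(5). The file contents used to exercise it are constructed copies of the post's rules.

```shell
#!/bin/sh
# Added example (not from the original post): dry-run of the hosts.allow /
# hosts.deny decision for sshd. Simplified subset of hosts_access(5):
#   allow file first (match => allow), then deny file (match => deny),
#   otherwise allow. Patterns: ALL, exact IP, network prefix ending in ".".
# The third (option) field of a rule is ignored.

# matches_pattern CLIENT_IP PATTERN -> 0 if PATTERN covers CLIENT_IP
matches_pattern() {
    case "$2" in
        ALL) return 0 ;;
        *.) case "$1" in "$2"*) return 0 ;; esac ;;
        *) [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}

# file_matches FILE DAEMON CLIENT_IP -> 0 if some rule in FILE covers both
file_matches() {
    [ -r "$1" ] || return 1
    # Strip comments; fields are daemon_list : client_list [: option].
    sed 's/#.*//' "$1" | {
        while IFS=: read -r daemons clients opts; do
            [ -z "$daemons" ] && continue
            for d in $(printf '%s' "$daemons" | tr ',' ' '); do
                [ "$d" = ALL ] || [ "$d" = "$2" ] || continue
                for c in $(printf '%s' "$clients" | tr ',' ' '); do
                    matches_pattern "$3" "$c" && exit 0
                done
            done
        done
        exit 1
    }
}

# sshd_access CLIENT_IP [ALLOW_FILE] [DENY_FILE] -> prints "allow" or "deny"
sshd_access() {
    allow="${2:-/etc/hosts.allow}"
    deny="${3:-/etc/hosts.deny}"
    if file_matches "$allow" sshd "$1"; then
        echo allow
    elif file_matches "$deny" sshd "$1"; then
        echo deny
    else
        echo allow
    fi
}

# On the lab host, checking the real files for the post's two addresses:
# sshd_access 192.168.26.168; sshd_access 192.168.26.53
```

Two related checks before relying on this section's settings. OpenSSH in RHEL/CentOS 8 and later is no longer built against libwrap, so hosts.allow and hosts.deny have no effect on sshd there; on those systems the equivalent is a `Match Address` block in sshd_config or a firewalld rich rule. Also, port 22 is already labelled `ssh_port_t`, so `semanage port -a` succeeds only for a port that is not yet defined; `semanage port -l | grep ssh` shows the current labelling either way, and `firewall-cmd --list-services` is worth reading alongside `--list-ports`, since ssh is normally allowed as a service rather than a bare port.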
Restart the ssh service and verify
[root@zhiyong ~]# systemctl restart sshd.service
[root@zhiyong ~]# systemctl status sshd.service
● sshd.service - OpenSSH server daemon
  Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
  Active: active (running) since 一 2019-01-07 21:25:09 CST; 9s ago
    Docs: man:sshd(8)
          man:sshd_config(5)
[root@zhiyong ~]# ssh root@192.168.26.53
root@192.168.26.53's password: 
[root@zhiyong ~]# ssh root@192.168.26.168
root@192.168.26.168's password: 
Last failed login: Mon Jan  7 21:28:10 CST 2019 from zhiyong on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Mon Jan  7 21:03:34 2019 from 192.168.26.1
   