Lab environment:
Two CentOS 7 hosts
- one with IP address 10.0.0.10
- one with IP address 10.0.0.20
1.1 CentOS 7 ships with the SSH service already installed. First, from host 10.0.0.20, use the ssh command to connect remotely to host 10.0.0.10.
[root@centos7 ~]#ssh 10.0.0.10
The authenticity of host '10.0.0.10 (10.0.0.10)' can't be established.
ECDSA key fingerprint is SHA256:OINfHd6lkF7emcExR5AFuoqD1megVlK1mSAEXBXw6dQ.
ECDSA key fingerprint is MD5:7a:8c:c7:84:18:f3:e0:22:f8:5a:7b:15:cf:52:e3:95.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.10' (ECDSA) to the list of known hosts.
root@10.0.0.10's password:
Last login: Wed Aug 16 17:40:43 2023 from 10.0.0.1
[root@centos7 ~]#ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:4e:b0:a2 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.10/24 brd 10.0.0.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe4e:b0a2/64 scope link
       valid_lft forever preferred_lft forever
[root@centos7 ~]#exit
logout
Connection to 10.0.0.10 closed.
The lab steps are shown in the figure (screenshot taken on host 10.0.0.20).
1.2 Disable remote SSH login for the root user
On host 10.0.0.10
[root@centos7 ~]#vim /etc/ssh/sshd_config
PermitRootLogin no      (line 38 of the file, set to no)
1.3 Restart the SSH service
[root@centos7 ~]#systemctl restart sshd
1.4 Connect from host 10.0.0.20 to 10.0.0.10 with the ssh command again: even with the correct root password, the login is refused.
[root@centos7 ~]#ssh 10.0.0.10
root@10.0.0.10's password:
Permission denied, please try again.
root@10.0.0.10's password:
Permission denied, please try again.
root@10.0.0.10's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
The lab steps are shown in the figure (screenshot taken on host 10.0.0.20).
1.5 Key-based authentication
Step 1: generate a key pair on the client, host 10.0.0.20
[root@centos7 ~]#ssh-keygen
Step 2: copy the public key generated on host 10.0.0.20 to host 10.0.0.10
(Because I log in as root, and we disabled remote root login earlier, we first comment out line 38 of the sshd config file on host 10.0.0.10: #PermitRootLogin no)
[root@centos7 ~]#ssh-copy-id 10.0.0.10
Step 3: on host 10.0.0.10, configure sshd so that it accepts only key authentication and rejects the traditional password method
[root@centos7 ~]#vim /etc/ssh/sshd_config
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication no      (change yes to no)
[root@centos7 ~]#systemctl restart sshd
Step 4: log in to the server from host 10.0.0.20. No password is required now and the login succeeds.
[root@centos7 ~]#ssh 10.0.0.10
Last failed login: Wed Aug 16 18:33:48 CST 2023 from 10.0.0.20 on ssh:notty
There were 6 failed login attempts since the last successful login.
Last login: Wed Aug 16 18:04:02 2023 from 10.0.0.20
The lab steps are shown in the figure (screenshots taken on host 10.0.0.20 and on host 10.0.0.10).
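The steps above edit the stock PasswordAuthentication line in place, which matters: sshd honours only the first active occurrence of each keyword, so a hardened line appended below a still-active stock line is ignored. The following audit script is an added example, not part of the lab; the function names sshd_effective_value and check_hardening and the sample config contents are constructed here.

```shell
# Added example: audit an sshd_config the way sshd reads it (first active
# occurrence of a keyword wins). Match blocks are not handled; `sshd -T`
# prints the full effective configuration on the server itself.

# sshd_effective_value FILE KEYWORD DEFAULT
# Prints, lower-cased, the value of the first active KEYWORD line in FILE,
# or DEFAULT when the keyword never appears uncommented.
sshd_effective_value() {
    cfg=$1 key=$2 default=$3
    val=$(awk -v k="$key" '
        { sub(/^[ \t]+/, "") }                 # trim leading whitespace
        /^#/ || NF == 0 { next }               # skip comments and blank lines
        { split($0, f, /[ \t=]+/) }            # "Key value" or "Key=value"
        tolower(f[1]) == tolower(k) { print tolower(f[2]); exit }
    ' "$cfg")
    printf '%s\n' "${val:-$default}"
}

# check_hardening FILE
# Succeeds (exit 0) only when root login and password authentication are
# both explicitly set to "no". An unset keyword counts as NOT hardened,
# because the compiled-in default differs between OpenSSH builds.
check_hardening() {
    cfg=$1
    root=$(sshd_effective_value "$cfg" PermitRootLogin unset)
    pass=$(sshd_effective_value "$cfg" PasswordAuthentication unset)
    [ "$root" = no ] && [ "$pass" = no ]
}

# Constructed demo: the stock line changed in place (as in the lab) versus a
# hardened line appended below a still-active "PasswordAuthentication yes".
demo() {
    tmp=$(mktemp)
    printf 'PermitRootLogin no\nPasswordAuthentication no\n' > "$tmp"
    check_hardening "$tmp" && echo "in-place edit: hardened"
    printf 'PermitRootLogin no\nPasswordAuthentication yes\nPasswordAuthentication no\n' > "$tmp"
    check_hardening "$tmp" || echo "appended line: NOT hardened (first match wins)"
    rm -f "$tmp"
}
demo
```

Run it against a copy of /etc/ssh/sshd_config with `check_hardening /path/to/sshd_config && echo OK`, and confirm on the server with `sshd -T | grep -i -E 'permitrootlogin|passwordauthentication'`.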