1. The ssh service
1.1 Introduction to ssh
ssh protocol: a network encryption protocol; it encrypts the data transmitted over the network.
ssh service: provides remote login and remote control.
The default port is 22. It is implemented by openssh, which is usually installed by default.
1.2 Brief introduction to the configuration file
sshd_config: the openssh (sshd) configuration file
Port 22: specifies the port used for ssh connections; to make the service less conspicuous, an uncommon port is often configured instead of port 22.
AllowUsers / DenyUsers: users allowed or denied login
PermitRootLogin no: whether the root user may log in; "no" forbids root login
UseDNS no: whether to perform DNS resolution on the client address
1.3 Files produced by ssh connections
known_hosts: when a client uses ssh to connect to a server for the first time, it copies the public key of the server's sshd daemon into the local ~/.ssh/known_hosts file; each line stores one server's public key, which is used to verify that server's identity.
[root@dhcp .ssh]# cat known_hosts
192.168.249.154 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMHb7wmanGDAsuHykEwbd9EsuSryRnIiVKRaELvHI2kPBiEMmaX8ELDIbGjTany981qBVbKlKV/DZC+bSWkYH+8=
authorized_keys: stores the keys used for legitimate identity verification, located on the server being connected to. In other words, if someone has set up passwordless login to you, you have this file, and it contains their public key.
[root@test .ssh]# ls
authorized_keys
[root@test .ssh]# cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFywG2XtblfXH+Z3Vb6ifw3ljZjFWdwclYuERQlxeQ18hiMXZawBLFjLlWL0wZO0kBWMXTWU1c28K/DCtkUH2rATaliD2Pd2w+KpUGbYpOefcrgl3Q1p42nyCtzw3LG2bktwW+9VY/Ym1jtHQ9mz5+Hg0oOckKk2ICGMWRW7cbV4Fa/qr4vtspMGqXtL/w0hf4WqDh83yCV5D2ap9LF+X6P/VWlKzuxQicqCGcwOrnPyTYnSx78NIfF0eFtz6o1lZ8YE+b6qxyrQaZ2j94mqfS/BXf63Z8hcaMgSTw9yKhwNDcIPP45hsTXGkwTZGDHw68D/WHb1StkDXtSN9ttkHX root@dhcp
/var/log/secure: shows the ssh connection activity
[root@test .ssh]# cat /var/log/secure|tail
Jan 5 09:30:18 test sshd[1090]: Server listening on :: port 22.
Jan 5 09:31:08 test sshd[1881]: Accepted password for root from 192.168.249.1 port 9968 ssh2
Jan 5 09:31:08 test sshd[1881]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 5 10:01:12 test sshd[2012]: Connection closed by 192.168.249.160 port 51454 [preauth]
Jan 5 10:01:14 test sshd[2014]: Connection closed by 192.168.249.160 port 51456 [preauth]
Jan 5 10:01:21 test sshd[2016]: Accepted password for root from 192.168.249.160 port 51458 ssh2
Jan 5 10:01:21 test sshd[2016]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 5 10:01:21 test sshd[2016]: Received disconnect from 192.168.249.160 port 51458:11: disconnected by user
Jan 5 10:01:21 test sshd[2016]: Disconnected from 192.168.249.160 port 51458
Jan 5 10:01:21 test sshd[2016]: pam_unix(sshd:session): session closed for user root
1.4 Setting up a passwordless (key-based) channel
1. ssh-keygen generates the key pair; just keep pressing Enter, because no passphrase is set.
-t specifies the key type to generate; the default is rsa
2. ssh-copy-id -i id_rsa.pub root@192.168.249.154 -p 22 copies the key to the server you want passwordless access to.
-i specifies the public key to send; an absolute path is best. I was in the corresponding directory, so it is a relative path here.
-p specifies the port; I did not change it, so it is the default 22 and can be omitted.
3. ssh 'root@192.168.249.154' verifies that it worked.
4. If it did not succeed, delete the corresponding key line from ~/.ssh/authorized_keys and run the steps again.
[root@dhcp ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:/HsDBGdkotdPkNrL+Y5EaNwLXdEvJUDFXfZ0nIvA6pc root@dhcp
The key's randomart image is:
+---[RSA 2048]----+
| ..=o+=.oB|
| ..+++ .++*|
| . .*o + .+o|
| +.=o+ ....|
| So+oo . |
| . ==E |
| =o |
| . o+ |
| oo.. |
+----[SHA256]-----+
[root@dhcp ~]# cd .ssh/
[root@dhcp .ssh]# ls
id_rsa id_rsa.pub
[root@dhcp .ssh]# ssh-copy-id -i id_rsa.pub root@192.168.249.154
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "id_rsa.pub"
The authenticity of host '192.168.249.154 (192.168.249.154)' can't be established.
ECDSA key fingerprint is SHA256:Pymk0+pfZx3ITcZIdUO9PgXzrj3LeZaNmH+j65nmMqA.
ECDSA key fingerprint is MD5:38:5d:24:9d:cb:39:1f:71:2b:a8:f1:a9:27:eb:90:fe.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.249.154's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@192.168.249.154'"
and check to make sure that only the key(s) you wanted were added.
2. Controlling ssh with TCP Wrappers
ssh uses TCP Wrappers to implement access control
Main configuration files
/etc/hosts.allow --> whitelist
/etc/hosts.deny --> blacklist
TCP Wrappers access control rules
First check the hosts.allow file; if a matching rule is found, access is allowed
Otherwise continue with the hosts.deny file; if a matching rule is found, access is denied
If neither file contains a matching rule, access is allowed
[root@dhcp .ssh]# cat /etc/hosts.allow
sshd:192.168.249.1 # allow my own PC to connect
[root@dhcp .ssh]# cat /etc/hosts.deny
sshd:all # apart from the machines allowed in hosts.allow, no other machine may connect
[root@test .ssh]# ssh root@192.168.249.160
ssh_exchange_identification: read: Connection reset by peer
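As an added example (not part of the original notes), the three-step decision above implemented in Python over the exact hosts.allow/hosts.deny lines shown, so the outcome for any client address can be checked without touching a live sshd; the function names are my own, and EXCEPT lists, hostname patterns and IPv6 are deliberately left out.

```python
import ipaddress

# Constructed sample input: the two files shown above, comments included.
HOSTS_ALLOW = "sshd:192.168.249.1   # allow my own PC to connect\n"
HOSTS_DENY = "sshd:all   # everything else is refused\n"

def parse_rules(text):
    """Parse 'daemons : clients [: action]' lines into (daemons, clients) pairs.
    EXCEPT lists, hostnames and bracketed IPv6 are left out (simplification)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split(":")
        daemons = [d.strip().lower() for d in fields[0].split(",")]
        clients = [c.strip().lower() for c in fields[1].split(",")]
        rules.append((daemons, clients))
    return rules

def client_matches(pattern, client_ip):
    """One client pattern: ALL, 'net.' prefix, CIDR or netmask form, exact IP."""
    ip = ipaddress.ip_address(client_ip)
    if pattern == "all":
        return True
    if pattern.endswith("."):            # e.g. 192.168.249.
        return client_ip.startswith(pattern)
    if "/" in pattern:                   # 10.0.0.0/8 or 10.0.0.0/255.0.0.0
        return ip in ipaddress.ip_network(pattern, strict=False)
    return ip == ipaddress.ip_address(pattern)

def rule_matches(rules, daemon, client_ip):
    """True if any rule's daemon list and client list both match."""
    return any(
        any(d in ("all", daemon) for d in daemons)
        and any(client_matches(c, client_ip) for c in clients)
        for daemons, clients in rules
    )

def tcpwrap_decision(allow_text, deny_text, daemon, client_ip):
    """hosts.allow first, then hosts.deny, then allow by default."""
    if rule_matches(parse_rules(allow_text), daemon, client_ip):
        return "allow"
    if rule_matches(parse_rules(deny_text), daemon, client_ip):
        return "deny"
    return "allow"  # no matching rule anywhere: access is permitted
```

Built-in libwrap support was removed from portable OpenSSH in 6.7, so on distributions without a downstream patch sshd does not read these files at all; check with `ldd $(command -v sshd) | grep libwrap` before relying on them, and otherwise enforce the same list with a host firewall or AllowUsers/Match blocks in sshd_config.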