I Introduction
SSH (Secure Shell) is a security protocol that sits on top of the application layer. It is a comparatively reliable protocol designed to provide security for remote login sessions and other network services; using SSH effectively prevents information leakage during remote administration.
Service port: TCP 22
The service is installed and enabled by default, so here we only look at how to use it.
[root@slave1 ~]# systemctl status sshd
● sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2021-12-12 06:46:02 EST; 2 days ago
Docs: man:sshd(8)
man:sshd_config(5)
Main PID: 1104 (sshd)
Tasks: 1
Memory: 1.9M
CGroup: /system.slice/sshd.service
└─1104 /usr/sbin/sshd -D
Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.
Differences between SSH and TELNET
SSH is encrypted and based on SSL, whereas TELNET transmits in clear text: if the traffic is captured, its contents can be read without any decryption. The two also differ in their ports, but because sshd's listening port can be changed, that is not really a distinguishing feature.
In general, telnet is not recommended.
II The configuration file in detail
SSH service configuration path: /etc/ssh/sshd_config
[root@slave1 ~]# cat /etc/ssh/sshd_config
#Port 22 /listening port;
#AddressFamily any /both IPv4 and IPv6;
#ListenAddress 0.0.0.0 /listening address; 0.0.0.0 means all IPv4 addresses;
#ListenAddress :: /listening address; :: means all IPv6 addresses;
HostKey /etc/ssh/ssh_host_rsa_key /RSA host private key;
HostKey /etc/ssh/ssh_host_ecdsa_key /ECDSA host private key;
HostKey /etc/ssh/ssh_host_ed25519_key /Ed25519 host private key;
#SyslogFacility AUTH
SyslogFacility AUTHPRIV /login events are recorded in the log;
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin yes /allow root to log in directly;
#StrictModes yes /let sshd check the permissions of the user's home directory and related files;
#MaxAuthTries 6 /maximum number of login attempts; once all have failed you must wait;
#MaxSessions 10 /maximum number of sessions;
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys /after the server generates a key pair, the public key is placed in .ssh/authorized_keys and the public key is sent to the client;
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
# as it is more configurable and versatile than the built-in version.
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no /whether to perform reverse DNS lookups;
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server /enables sftp connections;
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
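Before changing any of the settings above it helps to know which value sshd will actually use. Per sshd_config(5), for each keyword the first obtained value wins and keywords are case-insensitive, so a hardening line appended below an earlier `PermitRootLogin yes` does nothing. The following shell script is an added example and not part of the original post: it reads a constructed sample config (modelled on the file above) and reports the effective value of a directive, then audits it against a small baseline chosen for this example. On a live host `sshd -T` prints the effective configuration of the running daemon; this script is for offline review of a file.

```shell
#!/bin/sh
# Added example, not from the original post. Reports the value sshd will use
# for a directive: first active (uncommented) line wins, keyword match is
# case-insensitive, and only the global section before the first Match block
# is considered.

# sshd_effective <config-file> <keyword> [default-if-unset]  -> prints the value
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="${3:-}" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comment or blank line
        tolower($1) == "match"   { exit }                 # end of the global section
        tolower($1) == key {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")               # strip the keyword itself
            print; found = 1; exit
        }
        END { if (!found) print def }                     # unset: report the default
    ' "$1"
}

# sshd_audit <config-file>: one PASS/FAIL line per check; returns the number
# of failed checks. The "want" column is this example's own baseline, and the
# third column is the value sshd assumes when the keyword is unset.
sshd_audit() {
    fails=0
    while read -r key want def; do
        got=$(sshd_effective "$1" "$key" "$def" | tr 'A-Z' 'a-z')
        if [ "$got" = "$want" ]; then
            printf 'PASS %-22s %s\n' "$key" "$got"
        else
            printf 'FAIL %-22s %s (want %s)\n' "$key" "$got" "$want"
            fails=$((fails + 1))
        fi
    done <<'EOF'
PermitRootLogin no prohibit-password
PasswordAuthentication no yes
X11Forwarding no no
EOF
    return "$fails"
}

# Constructed sample config (not a real host's file). An admin appended
# "PermitRootLogin no" at the bottom, but the earlier lower-case
# "permitrootlogin yes" is the line sshd honours.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
#Port 22
Port 222
HostKey /etc/ssh/ssh_host_ed25519_key
permitrootlogin yes
#PasswordAuthentication no
PasswordAuthentication yes
X11Forwarding yes
AllowUsers wangjie
PermitRootLogin no
Match User anoncvs
    X11Forwarding no
EOF

echo "Port            = $(sshd_effective "$SAMPLE_CFG" Port 22)"
echo "PermitRootLogin = $(sshd_effective "$SAMPLE_CFG" PermitRootLogin)"
echo "AllowUsers      = $(sshd_effective "$SAMPLE_CFG" AllowUsers '(unset: all users)')"
sshd_audit "$SAMPLE_CFG" || echo "$? check(s) failed"
```

Run it against a copy of `/etc/ssh/sshd_config` by replacing `$SAMPLE_CFG` with the file path; the audit returns non-zero when any check fails, which makes it easy to wire into a cron job or CI step.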
III Service configuration
1 Change the login port
Note: stop the firewall and SELinux first
[root@localhost ~]# systemctl stop firewalld
[root@localhost ~]# setenforce 0
# Change the port
[root@localhost ~]# cat /etc/ssh/sshd_config | grep Port
Port 222
[root@localhost ~]# systemctl restart sshd
# Verify the result. Note that there must be no colon between the address and the port; otherwise the whole string is treated as one address and cannot be resolved
# The username is optional; this is only an experiment
[c:\~]$ ssh root@192.168.247.134 222
Connecting to 192.168.247.134:222...
Connection established.
2 Prevent root from logging in directly
# Create a user and set a password
[root@localhost ~]# useradd wangjie
[root@localhost ~]# id wangjie
uid=1000(wangjie) gid=1000(wangjie) groups=1000(wangjie)
[root@localhost ~]# passwd wangjie
Changing password for user wangjie.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
# Edit the configuration
[root@localhost ~]# cat /etc/ssh/sshd_config | grep PermitRoot
PermitRootLogin no
[root@localhost ~]# systemctl restart sshd
Verification: root cannot log in directly, but the newly created user can
[c:\~]$ ssh wangjie@192.168.247.134 222
Connecting to 192.168.247.134:222...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Last failed login: Thu Dec 16 03:19:07 CST 2021 from 192.168.247.1 on ssh:notty
There was 1 failed login attempt since the last successful login.
/usr/bin/xauth: file /home/wangjie/.Xauthority does not exist
[wangjie@192 ~]$
[wangjie@192 ~]$ pwd
/home/wangjie
[wangjie@192 ~]$ su - root
Password:
Last login: Thu Dec 16 01:38:47 CST 2021 on :0
Last failed login: Thu Dec 16 03:28:38 CST 2021 from 192.168.247.1 on ssh:notty
There were 2 failed login attempts since the last successful login.
[root@192 ~]# pwd
/root
# Press Ctrl + D
[root@192 ~]# logout
[wangjie@192 ~]$ logout
3 Restrict which accounts may log in
[root@localhost ~]# cat /etc/ssh/sshd_config | grep AllowUser
AllowUsers root
# This directive is not present in the default sshd_config; append it yourself. If several accounts are to be listed, separate them with spaces
[root@localhost ~]# systemctl restart sshd
# Test result: redhat cannot log in directly, root can
[c:\~]$ ssh root@192.168.247.134 222
Connecting to 192.168.247.134:222...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Last login: Thu Dec 16 03:29:58 2021
/usr/bin/xauth: file /root/.Xauthority does not exist
[root@192 ~]#
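The three changes in this section are made by hand with `cat | grep`, an edit and a restart. The following script is an added example and not part of the original post: it applies the same three settings (Port 222, PermitRootLogin no, AllowUsers) to a copy of the file in a way that can be re-run safely, comments out duplicate keywords instead of leaving a second line that sshd ignores, inserts new directives before any Match block, and, in `apply_new_port`, shows the firewalld and SELinux commands that open the new port rather than stopping both services as done above. The sample config and the user name wangjie are constructed; `apply_new_port` runs only when `SSHD_APPLY=1` is set and needs root on a CentOS/RHEL host.

```shell
#!/bin/sh
# Added example, not from the original post. Applies one directive to an
# sshd_config file idempotently:
#  - the first active line for the keyword is rewritten (that is the line sshd
#    honours, per sshd_config(5)); later active duplicates are commented out;
#  - a keyword with no active line is inserted before the first Match block (a
#    line placed after "Match" would apply only inside that block), or appended
#    when there is no Match block;
#  - comments and lines inside Match blocks are left untouched.

# sshd_set <file> <keyword> <value>   (edits <file> in place through a temp copy)
sshd_set() {
    awk -v key="$2" -v val="$3" '
        BEGIN { lk = tolower(key); done = 0; inmatch = 0 }
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }                 # keep comments/blanks
        tolower($1) == "match" {
            if (!done) { print key " " val; done = 1 }            # insert before Match
            inmatch = 1; print; next
        }
        !inmatch && tolower($1) == lk {
            if (done) { print "#" $0 "   # disabled by sshd_set: duplicate keyword"; next }
            print key " " val; done = 1; next                     # rewrite first active line
        }
        { print }
        END { if (!done) print key " " val }                      # no Match block: append
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# sshd_get <file> <keyword>: value of the first active line (what sshd uses)
sshd_get() {
    grep -Ei "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{ $1 = ""; sub(/^ +/, ""); print }'
}

# apply_new_port <port>: host-side steps that belong with "Port <n>". The
# section above stops firewalld and SELinux; these commands instead allow the
# port in both. Needs root on CentOS/RHEL and runs only when SSHD_APPLY=1.
apply_new_port() {
    if [ "${SSHD_APPLY:-0}" != "1" ]; then
        echo "(host changes skipped; set SSHD_APPLY=1 to run them as root)"
        return 0
    fi
    semanage port -a -t ssh_port_t -p tcp "$1" 2>/dev/null \
        || semanage port -m -t ssh_port_t -p tcp "$1"         # -m when the port already has a type
    firewall-cmd --permanent --add-port="$1/tcp" && firewall-cmd --reload
    sshd -t && systemctl reload sshd                         # syntax check, then reload
}

# Constructed starting point, modelled on the file in section II, with a second
# PermitRootLogin line at the end that sshd would silently ignore.
CFG=$(mktemp)
cat > "$CFG" <<'EOF'
#Port 22
HostKey /etc/ssh/ssh_host_rsa_key
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
Subsystem sftp /usr/libexec/openssh/sftp-server
PermitRootLogin no
Match User anoncvs
    X11Forwarding no
EOF

sshd_set "$CFG" Port 222             # step 1
sshd_set "$CFG" PermitRootLogin no   # step 2
sshd_set "$CFG" AllowUsers wangjie   # step 3 (space-separated list for several users)
apply_new_port 222
echo "--- resulting $CFG ---"; cat "$CFG"
```

Run as-is it only edits the temporary copy and prints the result. Before copying a result over `/etc/ssh/sshd_config`, check it with `sshd -t -f <file>`, and keep the existing SSH session open until a fresh login on the new port has succeeded. With the OpenSSH client the port is given as `ssh -p 222 root@host`; the bare `host port` form used above belongs to the Windows client's local shell.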