I. openssh-server

1. Function: lets a remote host reach the sshd service over the network and open a secure shell

(1) First prepare two environments: start two virtual machines.

(2) One machine acts as the server; change its hostname with the following command (so the two can be told apart):

hostnamectl set-hostname ssh-server.example.com

The other acts as the client; change its hostname in the same way:

hostnamectl set-hostname client.example.com

(Note: example.com is the domain part and is not shown in the prompt.)

Note: after changing the hostname, you must close the shell and open a new one before the change becomes visible.

nm-connection-editor    configure the IP address

Click Add

Click Create

After setting it up, click Save

IP configuration complete

Setup complete

ip addr show    view the IP address

Do the same on the server

2. ssh remote_user@remote_host_ip

ssh remote_user@remote_host_ip

[root@client ~]# ssh root@172.25.60.11

The authenticity of host '172.25.60.11 (172.25.60.11)' can't be established.

ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.

Are you sure you want to continue connecting (yes/no)? yes    (connecting to an unknown host requires first establishing a trust relationship)

Warning: Permanently added '172.25.60.11' (ECDSA) to the list of known hosts.

root@172.25.60.11's password:    (the remote user's password)

Last login: Mon Oct  3 03:13:47 2016

[root@ssh-server ~]#    login successful

ssh remote_user@remote_host_ip -X    use the remote host's graphical tools

ssh remote_user@remote_host_ip command    run a command directly on the remote host

The resulting process runs on the server side

If the process is killed on the server, it also closes on the client

Server-side process closed

Create a file on the server

Delete the file with a command over the remote connection

The image file was deleted successfully

w -f    see who has logged in to this host

3. Login banner text

vim /etc/motd

The client sees this text when logging in

The above is the first authentication method (password login).

II. SSH key authentication

1. Generate the public/private key pair

[root@ssh-server ~]# ssh-keygen    tool that generates the public/private key pair

Generating public/private rsa key pair.

Enter file in which to save the key (/root/.ssh/id_rsa): [enter]    file in which the key is saved (the default is recommended)

Created directory '/root/.ssh'.

Enter passphrase (empty for no passphrase): [enter]    key passphrase; must be longer than 4 characters

Enter same passphrase again: [enter]    confirm the passphrase

Your identification has been saved in /root/.ssh/id_rsa.

Your public key has been saved in /root/.ssh/id_rsa.pub.

The key fingerprint is:

ab:3c:73:2e:c8:0b:75:c8:39:3a:46:a2:22:34:84:81 root@server0.example.com

The key's randomart image is:

+--[ RSA 2048]----+
|o                |
|E.               |
|..               |
|.  . o           |
|.o. * . S        |
|oo.o o   .       |
|+ =. .  .        |
|o. oo.+..        |
|    ..o*.        |
+-----------------+

[root@server0 ~]# ls /root/.ssh/

id_rsa  id_rsa.pub

id_rsa    the private key, i.e. the key

id_rsa.pub    the public key, i.e. the lock

ssh-keygen    tool that generates the public/private key pair

The following is the second authentication method.

ls    list .ssh; the lock and the key have been generated

2. Add key-based authentication

[root@ssh-server ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub  root@172.25.60.11

ssh-copy-id    tool that installs the key for key-based authentication

-i    specify the key file

/root/.ssh/id_rsa.pub    the public key to install

root    the user account the key is installed for

172.25.60.11    IP of the host that receives the key

3. Raise the security level

Edit the configuration file: vim /etc/ssh/sshd_config

Change yes to no on line 78, then restart sshd; key authentication now takes effect

Password login is now refused: Permission denied

4. Distribute the key to the client host

[root@ssh-server ~]# scp /root/.ssh/id_rsa root@172.25.60.10:/root/.ssh/

Key distributed successfully

Login successful

5. Raise the security level

(1) Edit the configuration file: vim /etc/ssh/sshd_config

Change yes to no on line 78

(2) Raise the security level

Edit the configuration: vim /etc/ssh/sshd_config

79 AllowUsers ww root    allow the users ww and root to log in

Set a whitelist

Login successful

(3) Raise the security level

# comment out the whitelist (AllowUsers) line

80 DenyUsers ww    refuse logins from user ww

Set a blacklist of users

ww is a blacklisted user: Permission denied

The root user has too much power, so its login should be forbidden

48 PermitRootLogin yes|no    whether the superuser may log in

Change the configuration file as follows

root is refused; ordinary users can still log in
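Sections 3 and 5 above change directives by line number and then restart sshd. Because sshd applies only the first non-comment occurrence of a directive, a check like the following is worth running before the restart. This is an added example, not code from the original post; it assumes line 78 is PasswordAuthentication and line 48 is PermitRootLogin (as in the RHEL 7 default sshd_config), and the sample configuration it audits is constructed.

```shell
# Effective value of a directive in an sshd_config-style file. sshd honours the
# FIRST non-comment occurrence, so a hardened line appended at the bottom does
# nothing while the default line higher up still says "yes".
# Prints the value, or "(default)" when the directive is not set at all.
sshd_effective() {
    awk -v key="$1" '
        tolower($1) == tolower(key) {
            sub(/^[ \t]*[^ \t]+[ \t]*/, ""); sub(/[ \t]+$/, "")
            print; found = 1; exit
        }
        END { if (!found) print "(default)" }' "$2"
}

# Report the settings this tutorial changes. The return value is the number of
# findings, so 0 means the file is in the hardened state described above.
sshd_audit() {
    local f=$1 n=0 v
    v=$(sshd_effective PasswordAuthentication "$f")
    [ "$v" = no ] || { echo "FINDING: PasswordAuthentication=$v (password logins still accepted)"; n=$((n + 1)); }
    v=$(sshd_effective PermitRootLogin "$f")
    [ "$v" = no ] || { echo "FINDING: PermitRootLogin=$v (direct root login possible)"; n=$((n + 1)); }
    echo "AllowUsers: $(sshd_effective AllowUsers "$f")"
    echo "DenyUsers:  $(sshd_effective DenyUsers "$f")"
    return "$n"
}

# Constructed sample (assumption: mirrors the RHEL 7 default, with "no" wrongly
# appended at the end instead of edited on line 78): the first "yes" still wins.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
#PermitRootLogin yes
PasswordAuthentication yes
AllowUsers ww root
PasswordAuthentication no
EOF
sshd_audit "$cfg" || echo "$? finding(s): edit the first occurrence, run 'sshd -t', then restart sshd"
rm -f "$cfg"
```

Run sshd_audit against /etc/ssh/sshd_config, then `sshd -t` to syntax-check the file before restarting, and keep the current session open until a fresh login succeeds.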

6. Control ssh client access

vim /etc/hosts.deny

sshd:ALL    refuse everyone connecting to sshd

vim /etc/hosts.allow

sshd:172.25.254.250    allow host 250 to connect to sshd

sshd:172.25.254.250, 172.25.254.180    allow 250 and 180 to connect

sshd:ALL EXCEPT 172.25.254.200    allow everyone except 200 to connect to sshd
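The hosts.allow / hosts.deny rules above are evaluated in a fixed order (hosts.allow first, then hosts.deny, otherwise allow), and a wrong entry can lock every client out. The following added example, not from the original post, reproduces that evaluation for the rule forms used on this page so they can be tested offline; the rule files are constructed in a temporary directory, and hostnames, netmasks and the "daemon@host" forms are not handled.

```shell
# 0 if client "$2" matches a client list such as "ALL", "a, b" or "ALL EXCEPT a".
client_matches() {
    local list=$1 client=$2 tok
    case "$list" in
        *EXCEPT*)
            if client_matches "${list%%EXCEPT*}" "$client" &&
               ! client_matches "${list#*EXCEPT}" "$client"; then return 0; fi
            return 1 ;;
    esac
    for tok in $(printf '%s' "$list" | tr ',' ' '); do
        [ "$tok" = ALL ] && return 0
        [ "$tok" = "$client" ] && return 0
    done
    return 1
}

# 0 if some rule in file "$3" covers daemon "$1" and client "$2" (comments skipped).
file_matches() {
    local daemon=$1 client=$2 file=$3 line dlist clist d
    [ -f "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        case "$line" in *:*) ;; *) continue ;; esac
        dlist=${line%%:*}
        clist=${line#*:}; clist=${clist%%:*}      # drop an optional option field
        for d in $(printf '%s' "$dlist" | tr ',' ' '); do
            if [ "$d" = ALL ] || [ "$d" = "$daemon" ]; then
                client_matches "$clist" "$client" && return 0
            fi
        done
    done < "$file"
    return 1
}

# tcp_wrappers order: a hosts.allow match grants, then a hosts.deny match
# refuses, and a client matched by neither file is allowed.
tcpwrap_decision() {
    if file_matches "$1" "$2" "$3"; then echo allow
    elif file_matches "$1" "$2" "$4"; then echo deny
    else echo allow; fi
}

# Constructed rule files reproducing the entries from the post.
d=$(mktemp -d)
printf 'sshd:ALL\n' > "$d/hosts.deny"
printf 'sshd:172.25.254.250, 172.25.254.180\n' > "$d/hosts.allow"
tcpwrap_decision sshd 172.25.254.250 "$d/hosts.allow" "$d/hosts.deny"   # allow
tcpwrap_decision sshd 172.25.254.200 "$d/hosts.allow" "$d/hosts.deny"   # deny
rm -rf "$d"
```

Upstream OpenSSH dropped tcp_wrappers (libwrap) support in 6.7 and RHEL 8 no longer ships tcp_wrappers, so on newer systems use a firewall rule or a Match Address block in sshd_config instead.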
