I. Connecting to sshd from the client
Check the IP address: ifconfig
ssh <server-user>@<server-ip> #connect from the client to the server
exit #close the current connection
Note: a connection made this way cannot open the remote host's graphical programs; to use the remote host's graphics, add -X (X11 forwarding).
II. Adding a new authentication method to the ssh service: key authentication
1. Generate the lock and the key
ssh-keygen #command that generates the key pair
#Enter file in which to save the key (/root/.ssh/id_rsa): #file the key is saved to; use the default
#the random numbers used for the key are taken from /dev/random
[root@server2 ~]# cd /root/.ssh
[root@server2 .ssh]# ls
authorized_keys id_rsa id_rsa.pub known_hosts
[root@server2 .ssh]# rm -rf *
[root@server2 .ssh]# ls
[root@server2 .ssh]# ssh-keygen #command that generates the key pair
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): #file to save the key to (use the default)
Enter passphrase (empty for no passphrase): #set a passphrase (use the default, none)
Enter same passphrase again: #confirm the passphrase (use the default)
Your identification has been saved in /root/.ssh/id_rsa. #private key (the key)
Your public key has been saved in /root/.ssh/id_rsa.pub. #public key (the lock)
The key fingerprint is:
9e:9b:3b:d8:3a:7a:f1:c6:c1:b0:16:0f:8e:67:f8:0c root@server2
The key's randomart image is:
+--[ RSA 2048]----+
| |
| |
| |
| + |
| + BS |
| E B.+. |
| B *o. |
| * *o |
| .o.++o |
+-----------------+
2. Protect the ssh user's authentication with the key
Hanging the lock
On the server:
ssh-copy-id -i /root/.ssh/id_rsa.pub <user-to-protect>@<host-ip>
ssh-copy-id ##the command that installs the lock
-i ##specify the key file
/root/.ssh/id_rsa.pub ##the public key
[root@server2 .ssh]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.25.60.2
The authenticity of host '172.25.60.2 (172.25.60.2)' can't be established.
ECDSA key fingerprint is 65:4d:ac:8a:c9:58:82:b5:0c:91:c4:ef:a5:e6:f6:65.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@172.25.60.2's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@172.25.60.2'"
and check to make sure that only the key(s) you wanted were added.
[root@server2 .ssh]# ls
authorized_keys id_rsa id_rsa.pub known_hosts
^
Once this file appears, hanging the lock is complete
3. Verification
1. A client connecting now needs a password
2. Once the decryption file (the private key) is transferred to the client, no password is needed: handing out the key
1) From the server, copy the server's file to the client (upload)
scp /root/.ssh/id_rsa root@172.25.254.196:/root/.ssh/
copy  <server file>  <client>:<path>
2) On the client, copy the server's file to the client (download)
scp root@172.25.254.169:/root/.ssh/id_rsa /root/.ssh/
copy  <server>:<file>  <client path>
#If the user has no /root/.ssh directory, the copy creates a .ssh directory automatically; you can also create /root/.ssh by hand, but its permissions will then be wider than the ones the system uses and must be fixed manually
authorized_keys #when this file is deleted on the server, the client's private key stops working and the connection asks for a password again
cp /root/.ssh/id_rsa.pub /root/.ssh/authorized_keys #regenerate the lock file on the server; the private key works again and the client needs no password
[root@server2 .ssh]# scp /root/.ssh/id_rsa root@172.25.60.1:/root/.ssh/
The authenticity of host '172.25.60.1 (172.25.60.1)' can't be established.
ECDSA key fingerprint is 65:4d:ac:8a:c9:58:82:b5:0c:91:c4:ef:a5:e6:f6:65.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.25.60.1' (ECDSA) to the list of known hosts.
root@172.25.60.1's password:
id_rsa 100% 1679 1.6KB/s 00:00
[root@server2 .ssh]# scp /root/.ssh/id_rsa student@172.25.60.1:/home/student/.ssh/
student@172.25.60.1's password:
id_rsa 100% 1679 1.6KB/s 00:00
4. Test
[root@desktop1 ~]# ssh root@172.25.60.2
Last login: Sat Jan 12 15:16:42 2019 from 172.25.60.1
[root@server2 ~]#
desktop1 logged in to server2 without a password
[student@desktop1 .ssh]$ ssh root@172.25.60.2
The authenticity of host '172.25.60.2 (172.25.60.2)' can't be established.
ECDSA key fingerprint is 65:4d:ac:8a:c9:58:82:b5:0c:91:c4:ef:a5:e6:f6:65.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.25.60.2' (ECDSA) to the list of known hosts.
Last login: Sat Jan 12 15:22:44 2019 from 172.25.60.1
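The permissions caveat above (a hand-made .ssh directory is too open), as an added example that is not part of the original notes: a POSIX sh script that creates .ssh with the modes sshd's StrictModes check expects and verifies them afterwards. It assumes the home directory to fix is passed as an argument and that the file names match the notes (authorized_keys, id_rsa, id_rsa.pub).

```shell
#!/bin/sh
# Added example (not from the original notes): give a .ssh directory the
# permissions sshd's StrictModes check expects, and verify them afterwards.
# Assumes the home directory to fix is passed as $1; file names follow the
# notes above. Because the notes hand id_rsa to clients with scp, the
# private key needs the same 600 mode on every host it lands on.

# Print a path's octal mode; GNU stat and BSD stat use different flags.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Create $1/.ssh if missing and tighten the modes sshd cares about.
setup_ssh_dir() {
    dir="$1/.ssh"
    # umask 077 makes anything created here private from the start
    (umask 077 && mkdir -p "$dir") || return 1
    chmod 700 "$dir"
    for f in authorized_keys id_rsa; do
        # the lock and the private key must be readable by the owner only
        [ -f "$dir/$f" ] && chmod 600 "$dir/$f"
    done
    # the public key is not secret; 644 is the mode ssh-keygen itself uses
    [ -f "$dir/id_rsa.pub" ] && chmod 644 "$dir/id_rsa.pub"
    return 0
}

# Return 0 when $1/.ssh and its sensitive files are private, 1 otherwise.
check_ssh_dir() {
    dir="$1/.ssh"
    bad=0
    [ "$(mode_of "$dir")" = 700 ] || { echo "too open: $dir"; bad=1; }
    for f in authorized_keys id_rsa; do
        [ -f "$dir/$f" ] || continue
        [ "$(mode_of "$dir/$f")" = 600 ] || { echo "too open: $dir/$f"; bad=1; }
    done
    return $bad
}
```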
III. sshd security settings
The sshd configuration file is /etc/ssh/sshd_config.
vim /etc/ssh/sshd_config; after editing it you must run
systemctl restart sshd.service to restart sshd so the new configuration takes effect
1. Whether users may authenticate to sshd with their system login password
line 78: PasswordAuthentication yes/no #with no, only key authentication can log in; knowing the password does not help
[root@server2 .ssh]# vim /etc/ssh/sshd_config
[root@server2 .ssh]# systemctl restart sshd.service
[root@desktop1 ~]# su - test
Last login: Sat Jan 12 15:32:36 EST 2019 on pts/2
[test@desktop1 ~]$ ssh root@172.25.60.2
The authenticity of host '172.25.60.2 (172.25.60.2)' can't be established.
ECDSA key fingerprint is 65:4d:ac:8a:c9:58:82:b5:0c:91:c4:ef:a5:e6:f6:65.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/test/.ssh/known_hosts).
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
2. Controlling root's front door (root login)
line 48: PermitRootLogin no/yes #where root's door is changed; with no, you cannot ssh in as root; it is usually left commented out
[root@desktop1 ~]# ssh root@172.25.60.2
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
#cannot access 172.25.60.2 as root
3. sshd user whitelist and blacklist (the user must exist, and must have a public key (lock))
line 52: AllowUsers <username> (here student) #sshd user whitelist: only users on the list may log in through the door, everyone else (root included) is refused
[root@desktop1 ~]# ssh student@172.25.60.2
student@172.25.60.2's password:
[student@server2 ~]$ exit
logout
Connection to 172.25.60.2 closed.
[root@desktop1 ~]# ssh root@172.25.60.2
root@172.25.60.2's password:
Permission denied, please try again.
root@172.25.60.2's password:
Permission denied, please try again.
root@172.25.60.2's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
#root is not on the whitelist and is refused access
Likewise, also at line 52, DenyUsers <username> is the blacklist: users on the list are refused login; their door is closed
After the change, student on the client can no longer connect to the server (.88) with a password
[root@vm138 ~]# su - student
[student@vm138 ~]$ ssh root@172.25.254.88
The authenticity of host '172.25.254.88 (172.25.254.88)' can't be established.
ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.25.254.88' (ECDSA) to the list of known hosts.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
#student is on the blacklist and is refused access
4. Adding an sshd login message
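The three sshd_config settings above (PasswordAuthentication, PermitRootLogin, AllowUsers/DenyUsers), as an added example that is not part of the original notes: a POSIX sh audit that reads the value sshd will actually use from a config file, which matters because sshd keeps the first uncommented occurrence of a keyword and compares keyword names case-insensitively. It assumes plain "keyword value" lines outside any Match block; the file paths and settings in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original notes): read the value sshd will
# actually use for a keyword from an sshd_config file, then audit the three
# settings discussed above. sshd keeps the FIRST non-comment occurrence of a
# keyword and matches keyword names case-insensitively, so a "PermitRootLogin
# no" appended at the end of the file does nothing if an earlier uncommented
# "PermitRootLogin yes" exists. Assumes "keyword value" lines outside any
# Match block (Match-scoped overrides are not handled here).

# usage: sshd_effective KEYWORD FILE  -> prints the arguments of the first match
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }              # comment line
        NF < 2           { next }              # blank or keyword without value
        tolower($1) == key {                   # first match wins, then stop
            for (i = 2; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "\n")
            exit
        }' "$2"
}

# usage: audit_sshd FILE -> prints each setting that is not explicitly hardened,
# returns the number of such findings (0 means all three are set as the notes recommend)
audit_sshd() {
    weak=0
    pw=$(sshd_effective PasswordAuthentication "$1")
    root=$(sshd_effective PermitRootLogin "$1")
    allow=$(sshd_effective AllowUsers "$1")
    [ "$pw" = no ]   || { echo "PasswordAuthentication is '${pw:-unset}', expected no"; weak=$((weak + 1)); }
    [ "$root" = no ] || { echo "PermitRootLogin is '${root:-unset}', expected no"; weak=$((weak + 1)); }
    [ -n "$allow" ]  || { echo "AllowUsers is unset, no whitelist in effect"; weak=$((weak + 1)); }
    return $weak
}
```

Before systemctl restart sshd.service, sshd -t checks the edited file for syntax errors, and sshd -T prints the effective configuration (defaults included) from sshd's own parser.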
[root@server2 .ssh]# vim /etc/motd
[root@server2 .ssh]# cat /etc/motd
Welcome 弟弟~
Test:
[root@desktop1 ~]# ssh root@172.25.60.2
Last login: Sat Jan 12 15:47:22 2019 from 172.25.60.1
Welcome 弟弟~
5. User login auditing
w #show the users currently using the system
13:37:03 up 4:27, 3 users, load average: 0.00, 0.01, 0.05
USER TTY LOGIN@ IDLE JCPU PCPU WHAT
root :0 09:09 ?xdm? 26.97s 0.12s gdm-session-worker [pam/gdm-passwo
root pts/0 09:09 4:27m 0.02s 0.02s /bin/bash
root pts/1 13:36 7.00s 0.03s 0.01s w
w -f #show where each session comes from
[root@server2 .ssh]# w -f
15:55:24 up 1:05, 4 users, load average: 0.01, 0.04, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root :0 :0 14:52 ?xdm? 1:08 0.12s gdm-session-worker [pam/gdm-password]
root pts/0 :0 14:52 43:00 0.07s 0.07s /bin/bash
root pts/1 172.25.60.1 15:54 28.00s 0.01s 0.01s -bash
root pts/2 172.25.60.1 15:16 4.00s 0.07s 0.00s w -f
w -i #show IP addresses; this data is stored in /var/run/utmp
[root@server2 .ssh]# w -i
15:55:45 up 1:05, 4 users, load average: 0.01, 0.04, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root :0 :0 14:52 ?xdm? 1:08 0.12s gdm-session-worker [pam/gdm-password]
root pts/0 :0 14:52 43:21 0.07s 0.07s /bin/bash
root pts/1 172.25.60.1 15:54 49.00s 0.01s 0.01s -bash
root pts/2 172.25.60.1 15:16 1.00s 0.07s 0.00s w -i
last #show users who logged in and have logged out; stored in /var/log/wtmp
[root@server2 .ssh]# last
root pts/1 172.25.60.1 Sat Jan 12 15:54 still logged in
root pts/1 172.25.60.1 Sat Jan 12 15:47 - 15:52 (00:04)
student pts/1 172.25.60.1 Sat Jan 12 15:45 - 15:45 (00:00)
root pts/1 172.25.60.1 Sat Jan 12 15:32 - 15:32 (00:00)
wtmp begins Tue Jan 6 22:20:41 2015
lastb #users who tried to log in and failed; stored in /var/log/btmp
[root@server2 .ssh]# lastb
root ssh:notty 172.25.60.1 Sat Jan 12 15:45 - 15:45 (00:00)
root ssh:notty 172.25.60.1 Sat Jan 12 15:45 - 15:45 (00:00)
root ssh:notty 172.25.60.1 Sat Jan 12 15:45 - 15:45 (00:00)
btmp begins Sat Jan 12 15:45:31 2019
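The lastb output above, as an added example that is not part of the original notes: a POSIX sh script that summarises failed logins per source address and counts how many different usernames one source tried, which is what a repeated "ssh:notty" entry like the one above calls for. It assumes lastb's default columns (USER TTY FROM ...), and the sample lines are constructed in the format shown above rather than captured from the machine in the notes.

```shell
#!/bin/sh
# Added example (not from the original notes): summarise the failed logins
# that lastb reports (from /var/log/btmp) per source address, the first thing
# to look at when the audit shows repeated "ssh:notty" entries as above.
# Assumes lastb's default columns USER TTY FROM ... (the FROM column present),
# so the source is field 3; the trailing "btmp begins ..." line is skipped.

# Constructed sample in lastb's format, not captured from the machine in the notes.
SAMPLE_BTMP='root ssh:notty 172.25.60.1 Sat Jan 12 15:45 - 15:45 (00:00)
root ssh:notty 172.25.60.1 Sat Jan 12 15:45 - 15:45 (00:00)
root ssh:notty 172.25.60.1 Sat Jan 12 15:45 - 15:45 (00:00)
admin ssh:notty 172.25.60.9 Sat Jan 12 15:46 - 15:46 (00:00)
root ssh:notty 172.25.60.9 Sat Jan 12 15:46 - 15:46 (00:00)
student pts/1 172.25.60.1 Sat Jan 12 15:47 - 15:47 (00:00)

btmp begins Sat Jan 12 15:45:31 2019'

# Reads lastb output on stdin; prints "count source", most failures first.
failed_by_source() {
    awk 'NF >= 3 && $1 != "btmp" { n[$3]++ }
         END { for (h in n) printf "%d %s\n", n[h], h }' | sort -rn
}

# usage: flag_sources N  -> only sources with at least N failures; returns 1 if none
flag_sources() {
    failed_by_source | awk -v t="$1" '$1 >= t' | grep .
}

# usage: users_from HOST -> how many distinct usernames were tried from HOST
# (many names from one source is the pattern to alert on, not just many tries)
users_from() {
    awk -v h="$1" 'NF >= 3 && $3 == h && !($1 in seen) { seen[$1] = 1; c++ }
                   END { print c + 0 }'
}

# Stand-alone demo on the constructed sample: sources with 3 or more failures.
printf '%s\n' "$SAMPLE_BTMP" | flag_sources 3
```

On a live host the same functions read the real log with lastb | flag_sources 3.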