[CentOS 6.5]
Contents
I. Configuring OpenSSH
II. Using the SSH client programs
III. Building an SSH setup with key-pair authentication
IV. TCP Wrappers
I. Configuring OpenSSH
1. OpenSSH packages
Client
[root@localhost ~]# rpm -qa |grep openssh*
openssh-server-5.3p1-94.el6.x86_64
openssh-clients-5.3p1-94.el6.x86_64
openssl-1.0.1e-15.el6.x86_64
openssh-5.3p1-94.el6.x86_64
openssh-askpass-5.3p1-94.el6.x86_64
Server
[root@localhost ~]# rpm -qa |grep openssh*
openssh-server-5.3p1-94.el6.x86_64
openssh-clients-5.3p1-94.el6.x86_64
openssl-1.0.1e-15.el6.x86_64
openssh-5.3p1-94.el6.x86_64
openssh-askpass-5.3p1-94.el6.x86_64
2. Server-side OpenSSH configuration
[root@localhost ~]# cd /etc/ssh
[root@localhost ssh]# ls
moduli ssh_host_dsa_key ssh_host_key.pub
ssh_config ssh_host_dsa_key.pub ssh_host_rsa_key
sshd_config ssh_host_key ssh_host_rsa_key.pub
[root@localhost ssh]# cp -p sshd_config sshd_config.$(date +%Y%m%d%H%M)
[root@localhost ssh]# ls
moduli sshd_config.201904040247 ssh_host_key ssh_host_rsa_key.pub
ssh_config ssh_host_dsa_key ssh_host_key.pub
sshd_config ssh_host_dsa_key.pub ssh_host_rsa_key
Edit the configuration file to speed up Xshell connections (these two settings skip the GSSAPI/Kerberos negotiation and the reverse DNS lookup of the connecting client, which are what slow the login down):
[root@localhost ssh]# vim sshd_config
GSSAPIAuthentication no
UseDNS no
Save and exit.
After changing the configuration file, restart the sshd service.
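As an added example (not code from the original post), the following shell function makes the two edits above reproducibly: it handles a directive that is already active, commented out as a default ("#UseDNS yes"), or missing, keeps a timestamped backup the way the post does with cp -p, and comments out later active duplicates because sshd honours the first occurrence. The file path is a parameter so it can be tried on a copy first; it assumes the directives sit outside any Match block.

```shell
#!/bin/bash
# Added example, not from the original post. set_sshd_option rewrites the
# first line carrying the directive (active or commented-out default),
# or appends it when absent, after backing the file up like the post.
set -u

set_sshd_option() {           # $1 config file  $2 directive  $3 value
    local file="$1" key="$2" value="$3" tmp
    cp -p "$file" "$file.$(date +%Y%m%d%H%M)"      # backup, as in the post
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        $0 ~ ("^[ \t]*#?[ \t]*" k "([ \t]|$)") {
            if (!done) { print k " " v; done = 1; next }   # first hit: set it
            if ($0 !~ /^[ \t]*#/) { print "#" $0; next }   # stale duplicate
        }
        { print }
        END { if (!done) print k " " v }               # directive was absent
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

get_sshd_option() {           # effective value: first non-comment line wins
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Typical use on CentOS 6 (as root), then a syntax check before the restart:
#   set_sshd_option /etc/ssh/sshd_config GSSAPIAuthentication no
#   set_sshd_option /etc/ssh/sshd_config UseDNS no
#   sshd -t && service sshd restart
```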
II. Using the SSH client programs
1. Command-line programs
1.1 The ssh command (secure remote login)
Syntax: ssh user@host (if the user name is the same on the client and the host, user@ can be omitted)
Port option: -p 22
Server
[root@localhost ssh]# hostname Server-SSH.amber.com
[root@localhost ssh]# bash
[root@Server-SSH ssh]# cd
[root@Server-SSH ~]# useradd amber
[root@Server-SSH ~]# echo "123123" |passwd --stdin amber &> /dev/null
Client
[root@localhost ~]# useradd admin
[root@localhost ~]# echo "123123" |passwd --stdin admin &> /dev/null
[root@localhost ~]# su - admin
[admin@localhost ~]$ ssh amber@192.168.157.6   [log in to the server to prove the two machines can connect]
The authenticity of host '192.168.157.6 (192.168.157.6)' can't be established.
RSA key fingerprint is f6:47:a0:06:53:f7:b5:96:e9:9e:6a:74:0e:4e:37:a1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.157.6' (RSA) to the list of known hosts.
amber@192.168.157.6's password:123123
[amber@Server-SSH ~]$ whoami
amber
[amber@Server-SSH ~]$ logout
Connection to 192.168.157.6 closed.
1.2 The scp command (secure remote copy)
Syntax 1: scp user@host:file file2
Syntax 2: scp file user@host:file2
1.2.1 Copying files from the server to the client
Server
[root@Server-SSH ~]# mkdir /aaa
[root@Server-SSH ~]# touch /aaa/test{1..10}
[root@Server-SSH ~]# ls /aaa
test1 test10 test2 test3 test4 test5 test6 test7 test8 test9
Client
[admin@localhost ~]$ exit
logout
[root@localhost ~]# mkdir /bbb
[root@localhost ~]# ls /bbb
[root@localhost ~]# scp amber@192.168.157.6:/aaa/* /bbb/
The authenticity of host '192.168.157.6 (192.168.157.6)' can't be established.
RSA key fingerprint is f6:47:a0:06:53:f7:b5:96:e9:9e:6a:74:0e:4e:37:a1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.157.6' (RSA) to the list of known hosts.
amber@192.168.157.6's password:
test1 100% 0 0.0KB/s 00:00
test10 100% 0 0.0KB/s 00:00
test2 100% 0 0.0KB/s 00:00
test3 100% 0 0.0KB/s 00:00
test4 100% 0 0.0KB/s 00:00
test5 100% 0 0.0KB/s 00:00
test6 100% 0 0.0KB/s 00:00
test7 100% 0 0.0KB/s 00:00
test8 100% 0 0.0KB/s 00:00
test9 100% 0 0.0KB/s 00:00
[root@localhost ~]# ls /bbb
test1 test10 test2 test3 test4 test5 test6 test7 test8 test9
1.2.2 Copying a file from the client to the server
Client
[root@localhost ~]# echo ceshi > client.txt
[root@localhost ~]# scp client.txt amber@192.168.157.6:~amber/client1.txt
amber@192.168.157.6's password: 123123
client.txt 100% 6 0.0KB/s 00:00
Server
[root@Server-SSH ~]# ll ~amber
总用量 4
-rw-r--r--. 1 amber amber 6 4月 4 03:57 client1.txt
1.3 The sftp command (secure FTP upload and download)
Syntax: sftp user@host
Client
[root@localhost ~]# mkdir /ccc
[root@localhost ~]# cd /ccc
[root@localhost ccc]# ls
[root@localhost ccc]# sftp amber@192.168.157.6
Connecting to 192.168.157.6...
amber@192.168.157.6's password: 123123
sftp> ls /aaa
/aaa/test1 /aaa/test10 /aaa/test2 /aaa/test3 /aaa/test4 /aaa/test5 /aaa/test6
/aaa/test7 /aaa/test8 /aaa/test9
sftp> mget /aaa/*   [download several files at once]
Fetching /aaa/test1 to test1
Fetching /aaa/test10 to test10
Fetching /aaa/test2 to test2
Fetching /aaa/test3 to test3
Fetching /aaa/test4 to test4
Fetching /aaa/test5 to test5
Fetching /aaa/test6 to test6
Fetching /aaa/test7 to test7
Fetching /aaa/test8 to test8
Fetching /aaa/test9 to test9
sftp> exit
[root@localhost ccc]# ls
test1 test10 test2 test3 test4 test5 test6 test7 test8 test9
III. Building an SSH setup with key-pair authentication
1. Create the key pair on the client
The ssh-keygen command
Available algorithms: RSA or DSA
[root@localhost ccc]# su - admin
[admin@localhost ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/admin/.ssh/id_rsa):   [press Enter to accept the default file name]
Enter passphrase (empty for no passphrase):   [enter a passphrase protecting the private key (unrelated to the Linux account password), or press Enter for none]
Enter same passphrase again:   [repeat it, or press Enter again]
Your identification has been saved in /home/admin/.ssh/id_rsa.
Your public key has been saved in /home/admin/.ssh/id_rsa.pub.
The key fingerprint is:
48:de:55:3e:45:40:ca:1f:b3:68:66:f6:26:00:49:c2 admin@localhost.localdomain
The key's randomart image is:
+--[ RSA 2048]----+
| .. . .+oo |
| Eo . . + . |
| + + = |
| o + . o = |
| o S * o |
| * . |
| . o |
| o |
| |
+-----------------+
[admin@localhost ~]$ ls .ssh
id_rsa id_rsa.pub known_hosts
2. Upload the public key to the server
2.1 Method 1: any transfer method works (file share, FTP, e-mail, scp, ...)
Client
[admin@localhost ~]$ scp .ssh/id_rsa.pub amber@192.168.157.6:~amber
amber@192.168.157.6's password: 123123
id_rsa.pub 100% 409 0.4KB/s 00:00
Server
Import the public key text on the server
[root@Server-SSH ~]# su - amber
[amber@Server-SSH ~]$ ls -a
. .bash_history .bash_profile client1.txt id_rsa.pub
.. .bash_logout .bashrc .gnome2 .mozilla
[amber@Server-SSH ~]$ mkdir .ssh
[amber@Server-SSH ~]$ cat id_rsa.pub >> .ssh/authorized_keys
[amber@Server-SSH ~]$ cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvdgo59LqsLL19+6089m+G1HAhqyKjW1yQlRpHewy9jLFO6yXad3nj3YbwU4cjHyW1E5S5wsi7BbVw91BHugroQV8qjchN6wIEyHKBCX8uJWqw8yAWbbMNVItLpRhEXxBFBXLbnq+0OXTZabFAMCRXOVO5UuvAxHjRt9uizzvAxMrJ4xw64jJJJ1XrloKEVHiNO3xQHP5MG/HVj1KnqbaFlbufw7H6ODsovIxTJwNGboWewBxH94dEt5WMudVBm8VLhLkHN63bTKHmkg7vBPDFr+4th5LDTj5HyLyTYKpLVhS0ImcU+6k5IGcCylfyRw8WnboN7XAafFw/TE17jcVxQ== admin@localhost.localdomain
Now set the permissions of the following files on the server so that key-pair verification and passwordless client login work:
[amber@Server-SSH ~]$ chmod 644 ~amber/.ssh/authorized_keys
[amber@Server-SSH ~]$ chmod 700 ~amber/.ssh
[amber@Server-SSH ~]$ ls -l ~amber/.ssh/authorized_keys
-rw-r--r--. 1 amber amber 409 4月 4 04:30 /home/amber/.ssh/authorized_keys
[amber@Server-SSH ~]$ ls -l ~amber/.ssh
总用量 4
-rw-r--r--. 1 amber amber 409 4月 4 04:30 authorized_keys
2.2 Method 2: the ssh-copy-id command
On the server, delete the public key file copied in method 1
[amber@Server-SSH ~]$ rm -f .ssh/authorized_keys
Client
[root@localhost ~]# su - admin
[admin@localhost ~]$ ssh-copy-id -i /home/admin/.ssh/id_rsa.pub amber@192.168.157.6
Now try logging into the machine, with "ssh 'amber@192.168.157.6'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
Server (note that authorized_keys now holds two copies of the same key, which is exactly why ssh-copy-id asks you to check the file for unexpected entries)
[amber@Server-SSH ~]$ ll .ssh
总用量 4
-rw-------. 1 amber amber 818 4月 4 04:56 authorized_keys
[amber@Server-SSH ~]$ cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvdgo59LqsLL19+6089m+G1HAhqyKjW1yQlRpHewy9jLFO6yXad3nj3YbwU4cjHyW1E5S5wsi7BbVw91BHugroQV8qjchN6wIEyHKBCX8uJWqw8yAWbbMNVItLpRhEXxBFBXLbnq+0OXTZabFAMCRXOVO5UuvAxHjRt9uizzvAxMrJ4xw64jJJJ1XrloKEVHiNO3xQHP5MG/HVj1KnqbaFlbufw7H6ODsovIxTJwNGboWewBxH94dEt5WMudVBm8VLhLkHN63bTKHmkg7vBPDFr+4th5LDTj5HyLyTYKpLVhS0ImcU+6k5IGcCylfyRw8WnboN7XAafFw/TE17jcVxQ== admin@localhost.localdomain
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvdgo59LqsLL19+6089m+G1HAhqyKjW1yQlRpHewy9jLFO6yXad3nj3YbwU4cjHyW1E5S5wsi7BbVw91BHugroQV8qjchN6wIEyHKBCX8uJWqw8yAWbbMNVItLpRhEXxBFBXLbnq+0OXTZabFAMCRXOVO5UuvAxHjRt9uizzvAxMrJ4xw64jJJJ1XrloKEVHiNO3xQHP5MG/HVj1KnqbaFlbufw7H6ODsovIxTJwNGboWewBxH94dEt5WMudVBm8VLhLkHN63bTKHmkg7vBPDFr+4th5LDTj5HyLyTYKpLVhS0ImcU+6k5IGcCylfyRw8WnboN7XAafFw/TE17jcVxQ== admin@localhost.localdomain
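As an added example (not code from the original post) covering both upload methods above, this shell function installs a public key the way the post does with scp and cat >> authorized_keys, but idempotently: keys are compared by their "type base64" part with the comment ignored, so repeating the step cannot leave duplicate entries like the two identical lines shown above. It also sets the modes that sshd's StrictModes expects (~/.ssh 700, authorized_keys 600). The home directory is a parameter so it can be tried in a scratch directory; the sample key material in the usage comment is constructed, and lines are assumed to be plain "type base64 [comment]" without key options.

```shell
#!/bin/bash
# Added example, not from the original post: idempotent authorized_keys
# install with the permissions sshd's StrictModes requires.
set -u

key_id() { awk 'NF >= 2 { print $1 " " $2 }'; }   # drop the trailing comment

install_pubkey() {            # $1 home directory  $2 file holding public keys
    local home="$1" pubfile="$2" ak="$1/.ssh/authorized_keys" line id added=0
    mkdir -p "$home/.ssh" && touch "$ak"
    chmod 700 "$home/.ssh" && chmod 600 "$ak"
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
        id=$(printf '%s\n' "$line" | key_id)
        if key_id < "$ak" | grep -qxF -- "$id"; then
            echo "already present, skipped: ${line##* }"
        else
            printf '%s\n' "$line" >> "$ak"; added=$((added + 1))
        fi
    done < "$pubfile"
    echo "$added key(s) added"
}

count_keys() { grep -c '^ssh-' "$1/.ssh/authorized_keys"; }

# Usage on the server, as the target user, after receiving id_rsa.pub by scp
# (a constructed key line would look like "ssh-rsa AAAAB3Nza...constructed admin@client"):
#   install_pubkey ~ ~/id_rsa.pub
#   count_keys ~
```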
3. Use key-pair authentication from the client
3.1 Confirm that key-pair authentication is enabled in the server's /etc/ssh/sshd_config
Check the file on the server side. The three lines are commented out, which means the defaults shown in the comments apply:
[root@localhost ~]# vim /etc/ssh/sshd_config
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
3.2 Log in from the client using key-pair authentication
[admin@localhost ~]$ ssh amber@192.168.157.6
Last login: Thu Apr 4 03:10:54 2019 from 192.168.157.7
IV. TCP Wrappers
1. How the protection mechanism is implemented
1.1 The tcpd main program wraps other service programs
1.2 Other service programs call the libwrap.so.* shared library themselves
2. Conditions for TCP Wrappers protection
2.1 The service must use the TCP protocol
2.2 The program must be linked against libwrap.so.0 (check with the ldd command)
[root@Sever-SSH ~]# which sshd
/usr/sbin/sshd
[root@Sever-SSH ~]# ldd /usr/sbin/sshd |grep libwrap
libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f883acb0000)
[root@Sever-SSH ~]# which httpd
/usr/sbin/httpd
[root@Sever-SSH ~]# ldd /usr/sbin/httpd |grep libwrap
[root@Sever-SSH ~]#
So the sshd service can be protected with TCP Wrappers, whereas httpd, although it also uses TCP, cannot be protected with TCP Wrappers because it is not linked against libwrap.
3. Configuration files for the access-control policy
[root@Sever-SSH ~]# ll /etc/hosts.*
-rw-r--r--. 1 root root 370 1月 12 2010 /etc/hosts.allow
-rw-r--r--. 1 root root 479 4月 4 17:41 /etc/hosts.deny
[root@Sever-SSH ~]# vi /etc/hosts.deny
# hosts.deny This file contains access rules which are used to
# deny connections to network services that either use
# the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# The rules in this file can also be set up in
# /etc/hosts.allow with a 'deny' option instead.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
sshd:192.168.157.2   [add this line; the IP is that of vm3, the machine Xshell connects from]
Save and exit.
Logging in again from Xshell now fails.
If the same IP is also added to /etc/hosts.allow, the login succeeds, because hosts.allow is consulted before hosts.deny and the first match wins.
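As an added example (not code from the original post), the following shell script simulates the lookup order that hosts_access(5) documents for tcpd/libwrap, so the two experiments above can be reproduced without a second machine. It is not tcpd itself and models only the rule forms used on this page (exact IP, trailing-dot prefix such as 192.168.157., net/mask with a full dotted mask, and ALL); the file paths are parameters so it can be run against constructed copies of hosts.allow and hosts.deny.

```shell
#!/bin/bash
# Added example, not from the original post: hosts.allow is searched first,
# then hosts.deny; a client matched by neither file is allowed.
set -u

ip2int() { local IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )); }

client_matches() {            # $1 client pattern  $2 client IP
    local pat="$1" ip="$2" net mask
    case "$pat" in
        ALL) return 0 ;;
        */*) net=$(ip2int "${pat%/*}"); mask=$(ip2int "${pat#*/}")   # full mask only
             [ $(( $(ip2int "$ip") & mask )) -eq $(( net & mask )) ] ;;
        *.)  case "$ip" in "$pat"*) return 0 ;; *) return 1 ;; esac ;;  # prefix
        *)   [ "$pat" = "$ip" ] ;;
    esac
}

file_matches() {              # $1 rules file  $2 daemon  $3 client IP
    local f="$1" daemon="$2" ip="$3" dlist clist rest d c
    [ -r "$f" ] || return 1
    while IFS=: read -r dlist clist rest; do       # "daemon_list : client_list"
        for d in $(printf '%s' "$dlist" | tr ',' ' '); do
            [ "$d" = ALL ] || [ "$d" = "$daemon" ] || continue
            for c in $(printf '%s' "$clist" | tr ',' ' '); do
                client_matches "$c" "$ip" && return 0
            done
        done
    done <<EOF
$(sed 's/#.*//; /^[[:space:]]*$/d' "$f")
EOF
    return 1
}

hosts_access() {              # $1 daemon  $2 client IP  $3 hosts.allow  $4 hosts.deny
    if   file_matches "$3" "$1" "$2"; then echo allow   # first match in allow wins
    elif file_matches "$4" "$1" "$2"; then echo deny
    else echo allow; fi                                 # no rule at all: allowed
}
```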
Additional notes from the lab:
1. When setting up ssh, keep the client and server IPs straight and little will go wrong.
When downloading with mget in sftp, the files must be given in the /aaa/ form.
When running ssh-keygen -t rsa, the algorithm name (rsa or dsa) must be in lower case.
When experimenting in a virtual machine, some configuration files are not reverted after restoring a snapshot, for example /etc/ssh/sshd_config.
2. The wildcard ? stands for 0 to 9; the wildcard * stands for anything.
3. In a network address in a configuration entry, the subnet mask cannot be abbreviated.
4. ifdown eth0 takes the interface down;
ifup eth1 brings it up.