提高SSH服务安全
3.1 问题
本案例要求提高Linux主机上SSH服务端的安全性,完成以下任务:
配置基本安全策略(禁止root、禁止空口令)
针对SSH访问采用仅允许的策略,未明确列出的用户一概拒绝登录
实现密钥验证登录(私钥口令)、免密码登入
确认密钥验证使用正常后,禁用口令验证
- 1
- 2
- 3
- 4
3.2 步骤
实现此案例需要按照如下步骤进行。
步骤一:配置基本安全策略
1)调整sshd服务配置,并重载服务
[root@svr5 ~]# vim /etc/ssh/sshd_config
.. ..
Protocol 2 //去掉SSH协议V1
PermitRootLogin no //禁止root用户登录
PermitEmptyPasswords no //禁止密码为空的用户登录
UseDNS no //不解析客户机地址
LoginGraceTime 1m //登录限时
MaxAuthTries 3 //每连接最多认证次数
.. ..
[root@svr5 ~]# systemctl restart sshd
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
2)测试基本安全策略
尝试以root用户SSH登录,失败:
[root@svr5 ~]# ssh root@192.168.4.7
root@192.168.4.7's password:
Permission denied, please try again.
- 1
- 2
- 3
将服务器上用户kate(如无该账户则先创建)的密码设为空,尝试SSH登录,也会失败:
[root@svr5 ~]# passwd -d kate //清空用户口令
清除用户的密码 kate。
passwd: 操作成功
[root@svr5 ~]# ssh kate@192.168.4.7
kate@192.168.4.7's password:
Permission denied, please try again.
- 1
- 2
- 3
- 4
- 5
- 6
步骤二:针对SSH访问采用仅允许的策略,未明确列出的用户一概拒绝登录
1)调整sshd服务配置,添加AllowUsers策略,仅允许用户zengye、john、useradm,其中useradm只能从网段192.168.4.0/24登录。
[root@svr5 ~]# vim /etc/ssh/sshd_config
.. ..
AllowUsers zengye john useradm@192.168.4.0/24 //定义账户白名单
##DenyUsers USER1 USER2 //定义账户黑名单
##DenyGroups GROUP1 GROUP2 //定义组黑名单
##AllowGroups GROUP1 GROUP2 //定义组白名单
[root@svr5 ~]# systemctl restart sshd
- 1
- 2
- 3
- 4
- 5
- 6
- 7
2)验证SSH访问控制,未授权的用户将拒绝登录。
[root@pc205 ~]# ssh useradm@192.168.4.5 //已授权的用户允许登录
useradm@192.168.4.5's password:
[useradm@svr5 ~]$ exit
[root@pc205 ~]# ssh zhangsan@192.168.4.5 //未授权的用户被拒绝登录
zhangsan@192.168.4.5's password:
Permission denied, please try again.
- 1
- 2
- 3
- 4
- 5
- 6
步骤三:实现密钥对验证登录(私钥口令)、免密码登入
1)准备客户机测试环境
为客户机的用户root建立SSH密钥对
使用ssh-keygen创建密钥对,将私钥口令设为空(直接回车):
[root@client ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): //直接回车将口令设为空
Enter same passphrase again: //再次回车确认
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
63:6e:cf:45:f0:56:e2:89:6f:62:64:5a:5e:fd:68:d2
The key's randomart image is:
+--[ RSA 2048]----+
| |
| |
| . . . |
| = = |
| S = B . |
| o B = . o |
| + + = E .|
| . + + o |
| o |
+-----------------+
[root@client ~]$ ls -lh ~/.ssh/id_rsa* //确认密钥对文件
-rw-------. 1 root root 1.8K 8月 15 10:35 /root/.ssh/id_rsa
-rw-r--r--. 1 root root 403 8月 15 10:35 /root/.ssh/id_rsa.pub
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
2)将客户机上用户root的公钥部署到SSH服务器
以用户root登入客户机,使用ssh-copy-id命令将自己的公钥部署到服务器:
[root@client ~]$ ssh-copy-id root@192.168.4.5
root@192.168.4.5's password:
Now try logging into the machine, with "ssh 'root@192.168.4.5'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
- 1
- 2
- 3
- 4
- 5
3)在服务器上确认客户机用户root上传的公钥信息
默认部署位置为目标用户的家目录下 ~/.ssh/authorized_keys文件:
[root@svr5 ~]# tail -2 ~/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzz+5AiFMGQ7LfuiV7eBnOcmRO9JRTcqRoynGO2y5
RyFL+LxR1IpEbkNrUyIZDk5uaX1Y8rwsf+pa7UZ2NyqmUEvNSUo0hQyDGsU9SPyAdzRCCvDgwpOFhaHi/OFnT+zqjAqXH2M9fFYEVUU4PIVL8HT19zCQRVZ/q3acQA34UsQUR0PpLJAobsf1BLe2EDM8BsSHckDGsNoDT9vk+u3e83RaehBMuy1cVEN5sLAaIrIeyM8Q0WxQNlqknL908HRkTlTeKrRoHbMnOBFj8StwlnscKHlkrsKkhUf8A9WWz/vL4GDwGND5jdca3I2hdITAySjMdfL1HMHnMYOgMjPM0Q== root@192.168.4.100
- 1
- 2
- 3
4)在客户机上测试SSH密钥对验证
在客户机用户root的环境中,以远程用户root登入192.168.4.5主机时,无需验证口令即可登入(因为私钥口令为空):
[root@client ~]$ ssh root@192.168.4.5 //免交互直接登入
Last login: Thu Aug 15 10:48:09 2013 from 192.168.4.100
- 1
- 2
步骤四:确认密钥验证使用正常后,禁用口令验证
1)调整sshd服务配置,将PasswordAuthentication设为no
[root@svr5 ~]# vim /etc/ssh/sshd_config
.. ..
PasswordAuthentication no //将此行yes改成no
[root@svr5 ~]# systemctl restart sshd
- 1
- 2
- 3
- 4
</div>
<link href="https://csdnimg.cn/release/phoenix/mdeditor/markdown_views-b6c3c6d139.css" rel="stylesheet">
<div class="more-toolbox">
<div class="left-toolbox">
<ul class="toolbox-list">
<li class="tool-item tool-active is-like "><a href="javascript:;"><svg class="icon" aria-hidden="true">
<use xlink:href="#csdnc-thumbsup"></use>
</svg><span class="name">点赞</span>
<span class="count"></span>
</a></li>
<li class="tool-item tool-active is-collection "><a href="javascript:;" data-report-click="{"mod":"popu_824"}"><svg class="icon" aria-hidden="true">
<use xlink:href="#icon-csdnc-Collection-G"></use>
</svg><span class="name">收藏</span></a></li>
<li class="tool-item tool-active is-share"><a href="javascript:;" data-report-click="{"mod":"1582594662_002"}"><svg class="icon" aria-hidden="true">
<use xlink:href="#icon-csdnc-fenxiang"></use>
</svg>分享</a></li>
<!--打赏开始-->
<!--打赏结束-->
<li class="tool-item tool-more">
<a>
<svg t="1575545411852" class="icon" viewBox="0 0 1024 1024" version="1.1" xmlns="http://www.w3.org/2000/svg" p-id="5717" xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="200"><defs><style type="text/css"></style></defs><path d="M179.176 499.222m-113.245 0a113.245 113.245 0 1 0 226.49 0 113.245 113.245 0 1 0-226.49 0Z" p-id="5718"></path><path d="M509.684 499.222m-113.245 0a113.245 113.245 0 1 0 226.49 0 113.245 113.245 0 1 0-226.49 0Z" p-id="5719"></path><path d="M846.175 499.222m-113.245 0a113.245 113.245 0 1 0 226.49 0 113.245 113.245 0 1 0-226.49 0Z" p-id="5720"></path></svg>
</a>
<ul class="more-box">
<li class="item"><a class="article-report">文章举报</a></li>
</ul>
</li>
</ul>
</div>
</div>
<div class="person-messagebox">
<div class="left-message"><a href="https://blog.csdn.net/xie_qi_chao">
<img src="https://profile.csdnimg.cn/B/F/6/3_xie_qi_chao" class="avatar_pic" username="xie_qi_chao">
<img src="https://g.csdnimg.cn/static/user-reg-year/1x/2.png" class="user-years">
</a></div>
<div class="middle-message">
<div class="title"><span class="tit"><a href="https://blog.csdn.net/xie_qi_chao" data-report-click="{"mod":"popu_379"}" target="_blank">解启超</a></span>
</div>
<div class="text"><span>发布了330 篇原创文章</span> · <span>获赞 52</span> · <span>访问量 3万+</span></div>
</div>
<div class="right-message">
<a href="https://im.csdn.net/im/main.html?userName=xie_qi_chao" target="_blank" class="btn btn-sm btn-red-hollow bt-button personal-letter">私信
</a>
<a class="btn btn-sm attented bt-button personal-watch" data-report-click="{"mod":"popu_379"}">已关注</a>
</div>
</div>
</div>
</article>