1. Configure the two hosts
Host 1
Hostname: server.example.com
IP: 172.25.254.100
Create the user timinglee with the password timinglee
vmset.sh 100
[root@ntpserver ~]# hostnamectl hostname server.example.com
[root@ntpserver ~]# reboot
Create the user timinglee with the password timinglee:
[root@server ~]# id timinglee
id: 'timinglee': no such user
[root@server ~]# useradd timinglee
[root@server ~]# id timinglee
uid=1005(timinglee) gid=1005(timinglee) groups=1005(timinglee)
[root@server ~]# echo timinglee | passwd --stdin timinglee
Changing password for user timinglee.
passwd: all authentication tokens updated successfully.
Host 2
Hostname: client.example.com
IP: 172.25.254.200
vmset.sh 200
[root@rever ~]# hostnamectl hostname client.example.com
[root@rever ~]# reboot
2. Complete the project according to the requirements
172.25.254.200 must be able to log in to the root account of 172.25.254.100 over ssh without a password, and only the root and timinglee accounts may be logged into.
(1) Host 172.25.254.100 is the server side. First confirm that password-based ssh login works (in the transcript below the first attempt was rejected, the second succeeded). Note that in all the transcripts that follow, the connection is made from server.example.com back to its own address; in the target setup, ssh-keygen and ssh-copy-id are run on the connecting host, client.example.com (172.25.254.200), against 172.25.254.100:
[root@server .ssh]# ssh -l root 172.25.254.100 -p 22
root@172.25.254.100's password:
Permission denied, please try again.
root@172.25.254.100's password:
Activate the web console with: systemctl enable --now cockpit.socket
Register this system with Red Hat Insights: insights-client --register
Create an account or view all your systems at https://red.ht/insights-dashboard
Last login: Sat Apr 20 13:21:33 2024 from 172.25.254.100
Disconnect the ssh session:
[root@server ~]# exit
logout
Connection to 172.25.254.100 closed.
(1) Generate the key pair interactively (choose either this or the non-interactive method). ssh-keygen defaults to a 3072-bit RSA key in /root/.ssh/id_rsa; pressing Enter at the passphrase prompt leaves the private key unencrypted on disk, so anyone who can read that file can log in as root on the server. That is the trade-off being made for unattended passwordless login:
[root@server ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:Q687FBN7kfNNsBHI5t4R2UTcY6hHtaqK4Nhll6nLwfw root@server.example.com
The key's randomart image is:
+---[RSA 3072]----+
| . o+O=o |
| . B o=+oo|
| .= +++...|
| .+.o.o.o |
| S=...o |
| o .o+ o |
| . B.+ . |
| + = B.. |
| . o =oE |
+----[SHA256]-----+
(2) Generate the key pair non-interactively (choose either this or the interactive method). -f names the key file and -P "" sets an empty passphrase; -N "" is the documented flag for a new key's passphrase and works the same way here. The key from method (1) is overwritten:
[root@server .ssh]# ssh-keygen -f /root/.ssh/id_rsa -P ""
Generating public/private rsa key pair.
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:/UdpZ+wzQLlbAhS33sZBgI1wmbL6pO6cbZcU7jH+Im0 root@server.example.com
The key's randomart image is:
+---[RSA 3072]----+
| ..+Bo.. |
| .o=..+ |
| o. + . |
| o .+ +o.|
| S o .=+=+|
| . . * o*+ |
| + = =..o.|
| ..o+ E . o|
| o=..+ o. |
+----[SHA256]-----+
Upload the public key to the server. ssh-copy-id appends it to /root/.ssh/authorized_keys on the target over a password-authenticated session; this is the last time the password is needed. On a first connection the server's host key fingerprint is shown and should be compared against the key on the server itself before answering yes:
[root@server .ssh]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.25.254.100
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '172.25.254.100 (172.25.254.100)' can't be established.
ED25519 key fingerprint is SHA256:tZ4VZB8seVa5KudOoZW1WhacpbI9wp9bRdQhy0pheyg.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:1: 172.252.254.128
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@172.25.254.100's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@172.25.254.100'"
and check to make sure that only the key(s) you wanted were added.
Test as root (no password prompt should appear):
[root@server .ssh]# ssh -l root 172.25.254.100
Activate the web console with: systemctl enable --now cockpit.socket
Register this system with Red Hat Insights: insights-client --register
Create an account or view all your systems at https://red.ht/insights-dashboard
Last login: Sat Apr 20 13:23:53 2024 from 172.25.254.100
Change the listening port in /etc/ssh/sshd_config:
[root@server .ssh]# vim /etc/ssh/sshd_config
Port 2222
On a host with SELinux enforcing, sshd cannot bind a non-default port until that port is labelled (semanage port -a -t ssh_port_t -p tcp 2222), and firewalld must be opened for 2222/tcp as well. Validate the file with sshd -t, then restart the service. Keep the current session open while doing this: established connections survive the restart, so a mistake can still be corrected from it.
[root@server .ssh]# systemctl restart sshd
Test as root after the port change (the client must now pass -p 2222):
[root@server ~]# ssh -l root 172.25.254.100 -p 2222
Activate the web console with: systemctl enable --now cockpit.socket
Register this system with Red Hat Insights: insights-client --register
Create an account or view all your systems at https://red.ht/insights-dashboard
Last login: Sat Apr 20 13:42:22 2024 from 172.25.254.100
Write the whitelist. AllowUsers is an exclusive list: once it is set, every account it does not name is refused, root included, so both accounts from the requirement must be listed; naming only timinglee would lock root out. PermitRootLogin's default, prohibit-password, already lets root log in with the key installed above; changing it to yes additionally re-enables root password logins, which the requirement does not call for.
[root@server .ssh]# vim /etc/ssh/sshd_config

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
PermitRootLogin yes
AllowUsers root timinglee
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
Restart the service (after sshd -t reports no errors):
[root@server .ssh]# systemctl restart sshd
Test the whitelist. Repeat the test with -l root to confirm root is still accepted, and with an account that is not on the list to confirm it is refused:
[root@server ~]# ssh -l timinglee 172.25.254.100 -p 2222
Activate the web console with: systemctl enable --now cockpit.socket
Register this system with Red Hat Insights: insights-client --register
Create an account or view all your systems at https://red.ht/insights-dashboard
Last login: Sat Apr 20 13:53:27 2024 from 172.25.254.100
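As an added check for the whole procedure above (an example script written for these notes, not part of the original lab), the following POSIX shell script reads an sshd_config file and verifies the three settings the requirement depends on: the Port in use, that AllowUsers names both root and timinglee, and that PermitRootLogin has not been loosened to yes. The two config files it inspects are constructed inline: the first mirrors a whitelist that names only timinglee together with PermitRootLogin yes, the second the corrected settings.

```shell
#!/bin/sh
# Added example for these lab notes, not part of the original page.
# Checks an sshd_config file against the stated requirement:
#   - which Port sshd listens on,
#   - AllowUsers lists every account that must be able to log in,
#   - PermitRootLogin has not been set to "yes" (root password logins).
# Only plain keyword lines are read; Match blocks are not handled.

REQUIRED_USERS="root timinglee"

# effective_value FILE KEYWORD
# sshd uses the FIRST uncommented occurrence of a keyword, so print that one.
# Keywords are case-insensitive in sshd_config.
effective_value() {
    awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }' "$1"
}

# check_allowusers FILE -> 0 only if AllowUsers is set and names every
# required user; an unset AllowUsers means every local account may log in.
check_allowusers() {
    allowed=$(effective_value "$1" AllowUsers)
    if [ -z "$allowed" ]; then
        echo "AllowUsers is unset: every local account may log in"
        return 1
    fi
    rc=0
    for u in $REQUIRED_USERS; do
        case " $allowed " in
            *" $u "*) ;;
            *) echo "AllowUsers omits $u: that account is locked out"; rc=1 ;;
        esac
    done
    return $rc
}

# check_rootlogin FILE -> 1 if PermitRootLogin is "yes".
# prohibit-password (the RHEL default) already allows key-based root login.
check_rootlogin() {
    case "$(effective_value "$1" PermitRootLogin)" in
        yes) echo "PermitRootLogin yes re-enables root password logins"; return 1 ;;
        *)   return 0 ;;
    esac
}

tmp=$(mktemp -d)
# constructed sample: whitelist naming only timinglee, root password login on
cat > "$tmp/as_written" <<'EOF'
#Port 22
Port 2222
#PermitRootLogin prohibit-password
PermitRootLogin yes
AllowUsers timinglee
EOF
# constructed sample: the settings that meet the requirement
cat > "$tmp/corrected" <<'EOF'
Port 2222
PermitRootLogin prohibit-password
AllowUsers root timinglee
EOF

for f in as_written corrected; do
    echo "== $f (Port $(effective_value "$tmp/$f" Port))"
    check_allowusers "$tmp/$f" && check_rootlogin "$tmp/$f" && echo "OK"
done
rm -rf "$tmp"
```

The script only parses the file; on the real server the authoritative view is sshd -T, which prints the effective configuration after all includes and defaults are applied, e.g. sshd -T | grep -Ei '^(port|allowusers|permitrootlogin) '.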