sshd常用配置
[root@lotus sudoers.d]# vim /etc/ssh/sshd_config
LoginGraceTime 1m #登录限时
MaxAuthTries 6 #每连接最多认证次数
UseDNS no #不解析客户机地址
Port 3389 #端口
ListenAddress 192.168.88.105 #监听地址,客户机可通过此IP进行访问
PermitRootLogin no #禁止root用户登录
PasswordAuthentication yes #密码认证登录
PubkeyAuthentication yes #密钥认证登录
AuthorizedKeysFile .ssh/authorized_keys
黑白名单
#黑名单(在此列表中的用户不允许通过ssh登录服务器)
DenyUsers username1 username2 ...
DenyGroups group1 group2
#白名单(在此列表中的用户允许通过ssh登录服务器)
AllowUsers username1 username2 ...
AllowGroups group1 group2
#注:如同一用户同时出现在DenyUsers和AllowUsers中,则该用户被拒绝登录(以DenyUsers为准)
基于密钥的认证登录远程服务器
一台主机为客户端
- 生成一对密钥: ssh-keygen -t rsa
- 将公钥传递到服务器用户家目录下的.ssh/authorized_keys文件中(文件传输工具: ssh-copy-id, scp; 注意用scp直接复制到authorized_keys会覆盖原文件, ssh-copy-id则是追加)
- 测试登录
- ssh-keygen
-t [rsa|dsa]
-f /path/to/somewhere
-N 'password'
- ssh-copy-id -i filepath username@remote_host 直接复制并将公钥信息追加至用户家目录下的.ssh/authorized_keys文件中
- scp:基于ssh的远程复制命令,实现主机之间传输数据
scp [options] SRC DST
-r 目录复制
REMOTE_MACHINE格式:USERNAME@REMOTE_MACHINE
#生成密钥对
[root@localhost ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
3d:43:43:14:13:a3:3d:bc:49:36:0b:3b:4d:0a:b4:3f root@localhost.localdomain
The key's randomart image is:
+--[ RSA 2048]----+
| . .Bo |
| . . = o |
| o o @ |
| o @ B |
| E O |
| o o |
| |
| |
| |
+-----------------+
[root@localhost ~]# scp .ssh/id_rsa.pub root@192.168.88.134:/root/.ssh/authorized_keys
The authenticity of host '192.168.88.134 (192.168.88.134)' can't be established.
RSA key fingerprint is 66:c7:ba:86:b0:23:d6:da:b1:06:30:ba:d5:1c:3a:80.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.88.134' (RSA) to the list of known hosts.
root@192.168.88.134's password:
id_rsa.pub 100% 408 0.4KB/s 00:00
[root@localhost ~]# cd .ssh
[root@localhost .ssh]# ls
authorized_keys id_rsa id_rsa.pub known_hosts
[root@localhost .ssh]# cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAv+JKLWd5wj8WUiQ9BHI0mEgmSX8YwMoLk0ZFZlOnYim5ourvSuYFXkaqoI0LHJNvjhqnXKOd5/iRB8bw6dAvGbffW/GS3lRtQTlxO6VLxZJsjdow1go5055cypP1vSJkRrHKp3MQElJT6QxSHGU9rk+44h1qhzMRfEkPhE4PrUsKTAQv5TSfVLCE2LVhJCQL4p2Kas2ffB952ABJrEv/kswxTDbI7pCtP9fAxADZXhCOz9B65lhmWMADafxdLNm/lPdb3xiqkP7s7C/D7scf4byNHxH4sQ02ExViTlQ/UAaxfmLhPK74DdNnu/aPrUpGvXhiKpqUgIEjpabIJrK3Lw== root@localhost.localdomain
[root@localhost .ssh]# ls
authorized_keys id_rsa id_rsa.pub known_hosts
[root@localhost .ssh]# ssh 192.168.88.134
Last login: Mon Mar 29 07:01:11 2021 from 192.168.88.1
[root@zabbix ~]# ls
bak inittab.des3 server1024.crt server1024.pub
inittab inittabnew server1024.key server.key