SSH Remote Management and Access Control


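Theory:

I. SSH remote management

1. Purpose and characteristics of SSH

1) Purpose

A way for administrators to manage servers remotely

2) Characteristics

Strong security

Transmitted data is encrypted

Suitable for remote use over the Internet

Supports managing the server remotely through a client program or from the command line

2. Components of the SSH service

1) SSH server

openssh-server; the default port is 22

2) Client

Used for remote management

Remote management over SSH can be done from the command line or with third-party tools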



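Recommended steps

  • 1. Install the SSH server and client and set the service to start at boot. Configure SSH with password authentication; to keep the SSH server secure, forbid access with an empty password and change the SSH server port to 2222. On the SSH server, create two users, bob and tom. Allow the client 192.168.100.30 to log in as bob and root, and deny tom login from 192.168.100.30.
  • 2. Configure non-interactive SSH authentication: allow Centos02 to access the SSH server non-interactively as the root and alice users. Configure access control to block host 192.168.100.30 from accessing the SSH server.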

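Lab steps:

I. Install the SSH server, configure password-authenticated SSH, and restrict user access

1. Mount the system disc and install the service

1) Mount the system disc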

[root@centos01 ~]# mount /dev/sr0 /mnt/
mount: /dev/sr0 写保护,将以只读方式挂载
[root@centos01 ~]# ls /mnt/
CentOS_BuildTag EULA images LiveOS repodata RPM-GPG-KEY-CentOS-Testing-7
EFI GPL isolinux Packages RPM-GPG-KEY-CentOS-7 TRANS.TBL

2) Install the server and client packages

[root@centos01 ~]# rpm -ivh /mnt/Packages/openssh-server-7.4p1-11.el7.x86_64.rpm 
警告:/mnt/Packages/openssh-server-7.4p1-11.el7.x86_64.rpm: 头V3 RSA/SHA256 Signature, 密钥 ID f4a80eb5: NOKEY
准备中... ################################# [100%]
软件包 openssh-server-7.4p1-11.el7.x86_64 已经安装
[root@centos01 ~]# rpm -ivh /mnt/Packages/openssh-clients-7.4p1-11.el7.x86_64.rpm
警告:/mnt/Packages/openssh-clients-7.4p1-11.el7.x86_64.rpm: 头V3 RSA/SHA256 Signature, 密钥 ID f4a80eb5: NOKEY
准备中... ################################# [100%]
软件包 openssh-clients-7.4p1-11.el7.x86_64 已经安装

3) Enable the service at boot

[root@centos01 ~]# systemctl enable sshd
[root@centos01 ~]# systemctl start sshd

2. Create the test accounts and set their passwords

1) Create the test accounts bob and tom

[root@centos01 ~]# useradd tom
[root@centos01 ~]# useradd bob

2) Set the passwords

[root@centos01 ~]# passwd tom
更改用户 tom 的密码 。
新的 密码:
无效的密码: 密码未通过字典检查 - 过于简单化/系统化
重新输入新的 密码:
passwd:所有的身份验证令牌已经成功更新。
[root@centos01 ~]# passwd bob
更改用户 bob 的密码 。
新的 密码:
无效的密码: 密码未通过字典检查 - 过于简单化/系统化
重新输入新的 密码:
passwd:所有的身份验证令牌已经成功更新。

3. Configure the SSH server to control user access

1) Edit the main SSH configuration file

[root@centos01 ~]# vim /etc/ssh/sshd_config 
# change the listening port to 2222
Port 2222
# listen on IP 192.168.100.10
ListenAddress 192.168.100.10
# login grace time: 2 minutes
LoginGraceTime 2m
# allow root to log in remotely
PermitRootLogin yes
# maximum number of authentication attempts
MaxAuthTries 6
# allow at most 10 sessions
MaxSessions 10
# forbid logins with an empty password
PermitEmptyPasswords no
# enable password authentication
PasswordAuthentication yes
# disable reverse DNS lookups
UseDNS no
# allow bob and root to log in from 192.168.100.20
AllowUsers bob@192.168.100.20
AllowUsers root@192.168.100.20
# deny tom login from 192.168.100.20
DenyUsers tom@192.168.100.20

2) Restart the service and check the listening port

[root@centos01 ~]# systemctl restart sshd
[root@centos01 ~]# netstat -anptu | grep sshd
tcp 0 0 192.168.100.10:2222 0.0.0.0:* LISTEN 1882/sshd
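
The settings edited above can be checked before sshd is restarted. The script below is an added example, not part of the original article: it audits a config file for an enabled PermitEmptyPasswords, password login for root, and text trailing a value, which older OpenSSH releases such as the 7.4 package used here do not accept as a comment. The sample config and the finding labels are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. sshd keeps the first value it
# reads for most keywords, so this audit does the same.
audit_sshd_config() {                        # audit_sshd_config FILE
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comment and blank lines
    {
        key = tolower($1)
        for (i = 3; i <= NF; i++)            # words after the value, e.g. "//note"
            if ($i ~ /^(#|\/\/)/) { print "TRAILING_COMMENT line " NR " " $1; break }
        if (!(key in val)) val[key] = tolower($2)    # first occurrence wins
    }
    END {
        if (val["permitemptypasswords"] == "yes")
            print "WEAK PermitEmptyPasswords yes"
        # PasswordAuthentication defaults to yes when the keyword is absent
        if (val["permitrootlogin"] == "yes" && val["passwordauthentication"] != "no")
            print "WEAK root password login enabled"
    }' "$1"
}

sample_config() {                            # constructed input for the demo
    cat <<'EOF'
# constructed sample, modelled on the directives edited above
Port 2222
PermitRootLogin yes
PermitEmptyPasswords yes //forbid empty passwords
PasswordAuthentication yes
PermitEmptyPasswords no
EOF
}

tmp=$(mktemp) && sample_config > "$tmp" && audit_sshd_config "$tmp"
rm -f "$tmp"
```

On the sample, the later "PermitEmptyPasswords no" does not clear the finding, because the first value read is the one kept.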

4. Verify remote login to the SSH server with the configured accounts

[root@centos02 ~]# ssh -p2222 root@192.168.100.10
root@192.168.100.10's password:
Last login: Thu Feb 9 00:35:13 2023 from 192.168.100.254
[root@centos01 ~]# exit
登出
[root@centos02 ~]# ssh -p2222 bob@192.168.100.10
bob@192.168.100.10's password:
Last login: Thu Feb 9 01:16:24 2023 from 192.168.100.20
[bob@centos01 ~]$ exit
登出
[root@centos02 ~]# ssh -p2222 tom@192.168.100.10
tom@192.168.100.10's password:
Permission denied, please try again.
tom@192.168.100.10's password:

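II. Configure non-interactive SSH authentication: allow Centos02 to access the SSH server non-interactively as the root and alice users, and configure access control to block host 192.168.100.30 from accessing the SSH server

1. Enable non-interactive (key-based) authentication on the SSH server

1) Edit the main configuration file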

[root@centos01 ~]# vim /etc/ssh/sshd_config 
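# enable public-key authentication
PubkeyAuthentication yes
# file that holds the authorized public keys
AuthorizedKeysFile .ssh/authorized_keys
# allow root and alice to log in from host 192.168.100.30 (as written, the host part applies only to root)
AllowUsers alice root@192.168.100.30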

2) Restart the service

[root@centos01 ~]# systemctl restart sshd
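
sshd evaluates the AllowUsers and DenyUsers lines from part I together with the AllowUsers line added in part II. The script below is an added example, not part of the original article: a simplified model of that evaluation, showing that once any AllowUsers entry exists every unlisted user is refused, and that a bare name such as alice matches from any host. Only the * and ? wildcards are modelled, and 203.0.113.7 is a constructed documentation address.

```shell
#!/bin/sh
# Added example, not from the original article: a simplified model of how sshd
# applies DenyUsers and AllowUsers. Patterns are USER or USER@HOST; only the
# * and ? wildcards are modelled (no CIDR, no group directives).
match_user() {                               # match_user PATTERN USER HOST
    case $1 in
        *@*) upat=${1%@*}; hpat=${1#*@} ;;
        *)   upat=$1; hpat='*' ;;            # bare USER matches from any host
    esac
    case $2 in $upat) ;; *) return 1 ;; esac
    case $3 in $hpat) return 0 ;; *) return 1 ;; esac
}

may_login() {                                # may_login USER HOST "DENY" "ALLOW"
    verdict=allow
    [ -n "$4" ] && verdict=deny              # any AllowUsers entry makes it an allow-list
    set -f                                   # do not glob-expand * in the pattern lists
    for p in $4; do match_user "$p" "$1" "$2" && verdict=allow; done
    for p in $3; do match_user "$p" "$1" "$2" && verdict=deny; done  # a DenyUsers match always wins
    set +f
    echo "$verdict"
}

# Lists as configured in part I of the lab, then with the part II line added.
DENY='tom@192.168.100.20'
ALLOW1='bob@192.168.100.20 root@192.168.100.20'
ALLOW2="$ALLOW1 alice root@192.168.100.30"

for who in 'bob 192.168.100.20' 'tom 192.168.100.20' 'tom 192.168.100.30' \
           'bob 192.168.100.30' 'alice 203.0.113.7'; do
    set -- $who
    echo "$1 from $2: part I $(may_login "$1" "$2" "$DENY" "$ALLOW1")," \
         "part I+II $(may_login "$1" "$2" "$DENY" "$ALLOW2")"
done
```

tom is refused from 192.168.100.30 as well, although DenyUsers names only 192.168.100.20, because he appears in no AllowUsers entry.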

2. Configure non-interactive authentication for root on the client

[root@centos03 ~]# ssh-keygen -t RSA
Generating public/private RSA key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory /root/.ssh.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:rxmf5ymnFDiZmQWUMkAVNIbJdhUIWyKaKSn0rhdsTIE root@centos03
The key's randomart image is:

2) Upload the public key to the remote server

[root@centos03 ~]# ssh-copy-id -i -p 2222 root@192.168.100.10
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '[192.168.100.10]:2222 ([192.168.100.10]:2222)' can't be established.
ECDSA key fingerprint is SHA256:rKgVpzw5KPohC2OETKp6bquqDyuJjViDF/zXf2CgZ6Q.
ECDSA key fingerprint is MD5:e6:f4:46:bb:0d:43:9c:05:52:73:ee:35:47:3d:81:9b.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.100.10's password:
Permission denied, please try again.
root@192.168.100.10's password:

Number of key(s) added: 1

Now try logging into the machine, with: "ssh -p 2222 root@192.168.100.10"
and check to make sure that only the key(s) you wanted were added.

3) Verify by logging in as root

[root@centos03 ~]# ssh -p2222 root@192.168.100.10
Last failed login: Thu Feb 9 01:28:34 CST 2023 from 192.168.100.30 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Thu Feb 9 01:15:08 2023 from 192.168.100.20
[root@centos01 ~]# exit
登出

3. Configure non-interactive authentication for the alice user

1) Create the alice user and set a password

[root@centos03 ~]# useradd alice
[root@centos03 ~]# passwd alice
更改用户 alice 的密码 。
新的 密码:
无效的密码: 密码未通过字典检查 - 过于简单化/系统化
重新输入新的 密码:
passwd:所有的身份验证令牌已经成功更新。

2) Switch to the alice user and generate a key pair

[root@centos03 ~]# su alice
[alice@centos03 root]$ ssh-keygen -t RSA
Generating public/private RSA key pair.
Enter file in which to save the key (/home/alice/.ssh/id_rsa):
Created directory /home/alice/.ssh.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/alice/.ssh/id_rsa.
Your public key has been saved in /home/alice/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:UNkjJmUaWuNM7DgjxEtPCYAj9nppUAM49vOdI1jbE5M alice@centos03
The key's randomart image is:

3) Upload the public key

[alice@centos03 root]$ ssh-copy-id -i -p 2222 root@192.168.100.10
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/alice/.ssh/id_rsa.pub"
The authenticity of host '[192.168.100.10]:2222 ([192.168.100.10]:2222)' can't be established.
ECDSA key fingerprint is SHA256:rKgVpzw5KPohC2OETKp6bquqDyuJjViDF/zXf2CgZ6Q.
ECDSA key fingerprint is MD5:e6:f4:46:bb:0d:43:9c:05:52:73:ee:35:47:3d:81:9b.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.100.10's password:

Number of key(s) added: 1

Now try logging into the machine, with: "ssh -p 2222 root@192.168.100.10"
and check to make sure that only the key(s) you wanted were added.

4) Log in to the remote server as alice

[alice@centos03 root]$ ssh -p 2222 root@192.168.100.10
Last login: Thu Feb 9 01:29:20 2023 from 192.168.100.30
[root@centos01 ~]# exit
登出

4. Configure access control to block host 192.168.100.30 from the SSH service

1) Configure access control

[root@centos01 ~]# vim /etc/hosts.deny 
sshd:192.168.100.30

2) Verify that the remote server can no longer be reached

[alice@centos03 root]$ ssh -p 2222 root@192.168.100.10
ssh_exchange_identification: read: Connection reset by peer
[alice@centos03 root]$ exit
exit
[root@centos03 ~]# ssh -p2222 root@192.168.100.10
ssh_exchange_identification: read: Connection reset by peer
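
The script below is an added example, not part of the original article: a simplified model of the TCP Wrappers lookup behind the hosts.deny entry above, showing that hosts.allow is checked first and overrides hosts.deny. The temporary files stand in for /etc/hosts.allow and /etc/hosts.deny, and only exact addresses, ALL and the trailing-dot prefix form are modelled.

```shell
#!/bin/sh
# Added example, not from the original article. Rule order: a match in
# hosts.allow grants access; otherwise a match in hosts.deny refuses it;
# with no match in either file, access is granted.
rule_matches() {                             # rule_matches FILE DAEMON CLIENT_IP
    [ -f "$1" ] || return 1
    awk -F: -v d="$2" -v c="$3" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comment and blank lines
    {
        gsub(/[ \t]+/, ",", $1); gsub(/[ \t]+/, ",", $2)   # lists: spaces or commas
        n = split($1, ds, ","); m = split($2, cs, ",")
        dok = 0; cok = 0
        for (i = 1; i <= n; i++) if (ds[i] == d || ds[i] == "ALL") dok = 1
        for (i = 1; i <= m; i++) {
            if (cs[i] == "ALL" || cs[i] == c) cok = 1
            else if (cs[i] ~ /\.$/ && index(c, cs[i]) == 1) cok = 1   # "192.168.100." prefix
        }
        if (dok && cok) { found = 1; exit }
    }
    END { exit (found ? 0 : 1) }' "$1"
}

hosts_access() {                             # hosts_access DAEMON CLIENT_IP ALLOW_FILE DENY_FILE
    if rule_matches "$3" "$1" "$2"; then echo allow
    elif rule_matches "$4" "$1" "$2"; then echo deny
    else echo allow
    fi
}

dir=$(mktemp -d)                             # constructed stand-ins for /etc/hosts.*
: > "$dir/hosts.allow"
echo 'sshd:192.168.100.30' > "$dir/hosts.deny"
echo "192.168.100.30: $(hosts_access sshd 192.168.100.30 "$dir/hosts.allow" "$dir/hosts.deny")"
echo "192.168.100.20: $(hosts_access sshd 192.168.100.20 "$dir/hosts.allow" "$dir/hosts.deny")"
echo 'sshd: 192.168.100.' > "$dir/hosts.allow"   # a broad allow entry overrides the deny
echo "192.168.100.30 after allow entry: $(hosts_access sshd 192.168.100.30 "$dir/hosts.allow" "$dir/hosts.deny")"
rm -rf "$dir"
```

sshd consults these files only when it is built with libwrap, as the CentOS 7 package in this lab is; upstream OpenSSH removed TCP Wrappers support in 6.7.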
