SSH远程管理与访问控制
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了SSH远程管理与访问控制相关的知识,希望对你有一定的参考价值。
理论:
一、SSH远程管理
1、SSH作用和特点
1)SSH作用
管理员远程管理服务器的一种方式
2)SSH特点
安全性强
传输数据被加密
适合通过互联网远程使用
支持通过客户端或者命令远程管理服务器
2、SSH服务的组成
1)ssh服务器端
openssh-server 默认端口号是22
2)客户端
用于远程管理使用
支持命令或者第三方工具实现ssh远程管理
推荐步骤
- 1.安装ssh服务器端和客户端设置服务开机自启动,配置身份验证的ssh,保证ssh服务器的安全性禁止为空密码访问,将ssh服务器端口修改为2222,在ssh服务器端创建bob和tom两个用户允许客户端192.168.100.30登录bob和root账户,禁止tom用户通过192.168.100.30登录
- 2.配置免交互式身份验证ssh,允许Centos02使用root用户和alice用户免交互式访问ssh服务器端,配置访问控制阻止主机192.168.100.30访问ssh服务器
实验步骤:
一,安装ssh服务器配置身份验证ssh限制用户访问
1.挂载系统盘安装服务
1)
[root@centos01 ~]# mount /dev/sr0 /mnt/
mount: /dev/sr0 写保护,将以只读方式挂载
[root@centos01 ~]# ls /mnt/
CentOS_BuildTag EULA images LiveOS repodata RPM-GPG-KEY-CentOS-Testing-7
EFI GPL isolinux Packages RPM-GPG-KEY-CentOS-7 TRANS.TBL
2)安装服务器端和客户端
[root@centos01 ~]# rpm -ivh /mnt/Packages/openssh-server-7.4p1-11.el7.x86_64.rpm
警告:/mnt/Packages/openssh-server-7.4p1-11.el7.x86_64.rpm: 头V3 RSA/SHA256 Signature, 密钥 ID f4a80eb5: NOKEY
准备中... ################################# [100%]
软件包 openssh-server-7.4p1-11.el7.x86_64 已经安装
[root@centos01 ~]# rpm -ivh /mnt/Packages/openssh-clients-7.4p1-11.el7.x86_64.rpm
警告:/mnt/Packages/openssh-clients-7.4p1-11.el7.x86_64.rpm: 头V3 RSA/SHA256 Signature, 密钥 ID f4a80eb5: NOKEY
准备中... ################################# [100%]
软件包 openssh-clients-7.4p1-11.el7.x86_64 已经安装
3)设置服务开机自启
[root@centos01 ~]# systemctl enable sshd
[root@centos01 ~]# systemctl start sshd
2.创建验证账户配置密码
1)创建验证账户bob,tom
[root@centos01 ~]# useradd tom
[root@centos01 ~]# useradd bob
2)设置密码
[root@centos01 ~]# passwd tom
更改用户 tom 的密码 。
新的 密码:
无效的密码: 密码未通过字典检查 - 过于简单化/系统化
重新输入新的 密码:
passwd:所有的身份验证令牌已经成功更新。
[root@centos01 ~]# passwd bob
更改用户 bob 的密码 。
新的 密码:
无效的密码: 密码未通过字典检查 - 过于简单化/系统化
重新输入新的 密码:
passwd:所有的身份验证令牌已经成功更新。
3.配置ssh服务器控制用户访问
1)修改ssh主配置文件
[root@centos01 ~]# vim /etc/ssh/sshd_config
18 Port 2222 //修改监听端口为2222
22 ListenAddress 192.168.100.10 //修改监听IP为192.168.100.10
40 LoginGraceTime 2m //验证登陆时间2分钟
42 PermitRootLogin yes //允许root用户0远程登陆
45 MaxAuthTries 6 //最大重试次数
47 MaxSessions 10 //最多允许10个终端远程
71 PermitEmptyPasswords yes //禁止空密码登录
72 PasswordAuthentication yes //开启账户密码验证
123 UseDNS no //禁用DNS反向解析
124 AllowUsers bob@192.168.100.20 //允许bob通过192.168.100.20登录
125 AllowUsers root@192.168.100.20 //允许root通过192.168.100.20登录
126 DenyUsers tom@192.168.100.20 //禁止tom通过192.168.100.20登录
2)重启服务监听端口
[root@centos01 ~]# systemctl restart sshd
[root@centos01 ~]# netstat -anptu | grep sshd
tcp 0 0 192.168.100.10:2222 0.0.0.0:* LISTEN 1882/sshd
4.验证配置账户远程ssh服务器端
[root@centos02 ~]# ssh -p2222 root@192.168.100.10
root@192.168.100.10s password:
Last login: Thu Feb 9 00:35:13 2023 from 192.168.100.254
[root@centos01 ~]# exit
登出
[root@centos02 ~]# ssh -p2222 bob@192.168.100.10
bob@192.168.100.10s password:
Last login: Thu Feb 9 01:16:24 2023 from 192.168.100.20
[bob@centos01 ~]$ exit
登出
[root@centos02 ~]# ssh -p2222 tom@192.168.100.10
tom@192.168.100.10s password:
Permission denied, please try again.
tom@192.168.100.10s password:
二,配置免交互式身份验证ssh,允许Centos02使用root用户和alice用户免交互式访问ssh服务器端,配置访问控制阻止主机192.168.100.30访问ssh服务器
1.修改ssh服务器支持免交互式验证
1)修改主配置文件
[root@centos01 ~]# vim /etc/ssh/sshd_config
50 PubkeyAuthentication yes //开启密钥对验证
54 AuthorizedKeysFile .ssh/authorized_keys //指定密钥对保存位置
55 AllowUsers alice root@192.168.100.30 //允许192.168.100.30主机使用root和alice登录
2)重启服务
[root@centos01 ~]# systemctl restart sshd
2.配置客户端root免交互验证
[root@centos03 ~]# ssh-keygen -t RSA
Generating public/private RSA key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory /root/.ssh.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:rxmf5ymnFDiZmQWUMkAVNIbJdhUIWyKaKSn0rhdsTIE root@centos03
The keys randomart image is:
+---[RSA 2048]----+
| .o+=BB==o |
|.E..*==... |
|B +.. o . |
|o = B |
| * S . |
| o . o . |
| . . . o |
| . *..o. |
| o +*o |
+----[SHA256]-----+
2)将公钥上传到远程访问服务器
[root@centos03 ~]# ssh-copy-id -i -p 2222 root@192.168.100.10
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host [192.168.100.10]:2222 ([192.168.100.10]:2222) cant be established.
ECDSA key fingerprint is SHA256:rKgVpzw5KPohC2OETKp6bquqDyuJjViDF/zXf2CgZ6Q.
ECDSA key fingerprint is MD5:e6:f4:46:bb:0d:43:9c:05:52:73:ee:35:47:3d:81:9b.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.100.10s password:
Permission denied, please try again.
root@192.168.100.10s password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh -p 2222 root@192.168.100.10"
and check to make sure that only the key(s) you wanted were added.
3)验证,使用root登录
[root@centos03 ~]# ssh -p2222 root@192.168.100.10
Last failed login: Thu Feb 9 01:28:34 CST 2023 from 192.168.100.30 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Thu Feb 9 01:15:08 2023 from 192.168.100.20
[root@centos01 ~]# exit
登出
3.配置使用alice用户免交互式验证
1)创建alice用户并创建密码
[root@centos03 ~]# useradd alice
[root@centos03 ~]# passwd alice
更改用户 alice 的密码 。
新的 密码:
无效的密码: 密码未通过字典检查 - 过于简单化/系统化
重新输入新的 密码:
passwd:所有的身份验证令牌已经成功更新。
2)切换到alice用户生成密钥对
[root@centos03 ~]# su alice
[alice@centos03 root]$ ssh-keygen -t RSA
Generating public/private RSA key pair.
Enter file in which to save the key (/home/alice/.ssh/id_rsa):
Created directory /home/alice/.ssh.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/alice/.ssh/id_rsa.
Your public key has been saved in /home/alice/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:UNkjJmUaWuNM7DgjxEtPCYAj9nppUAM49vOdI1jbE5M alice@centos03
The keys randomart image is:
+---[RSA 2048]----+
|++o. o=.+o |
|*o+oo*o*+ o |
|+=++oo=o.. . |
| .o+=..E |
| o.*o+ S |
| . = + * |
| o . o |
| |
| |
+----[SHA256]-----+
3)上传公钥
[alice@centos03 root]$ ssh-copy-id -i -p 2222 root@192.168.100.10
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/alice/.ssh/id_rsa.pub"
The authenticity of host [192.168.100.10]:2222 ([192.168.100.10]:2222) cant be established.
ECDSA key fingerprint is SHA256:rKgVpzw5KPohC2OETKp6bquqDyuJjViDF/zXf2CgZ6Q.
ECDSA key fingerprint is MD5:e6:f4:46:bb:0d:43:9c:05:52:73:ee:35:47:3d:81:9b.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.100.10s password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh -p 2222 root@192.168.100.10"
and check to make sure that only the key(s) you wanted were added.
4)alice登录远程服务器
[alice@centos03 root]$ ssh -p 2222 root@192.168.100.10
Last login: Thu Feb 9 01:29:20 2023 from 192.168.100.30
[root@centos01 ~]# exit
登出
4。配置访问控制限制192.168.100.30主机访问ssh服务
1)配置访问控制
[root@centos01 ~]# vim /etc/hosts.deny
sshd:192.168.100.30
2)验证远程服务器无法访问
[alice@centos03 root]$ ssh -p 2222 root@192.168.100.10
ssh_exchange_identification: read: Connection reset by peer
[alice@centos03 root]$ exit
exit
[root@centos03 ~]# ssh -p2222 root@192.168.100.10
ssh_exchange_identification: read: Connection reset by peer
以上是关于SSH远程管理与访问控制的主要内容,如果未能解决你的问题,请参考以下文章