RH124-09 OpenSSH Service Configuration and Security


Chapter 9: OpenSSH Service Configuration and Security


9.1 Running remote commands over ssh

OpenSSH provides a secure remote shell for administering remote Linux and UNIX systems.

OpenSSH uses public-key (asymmetric) cryptography to establish an encrypted channel that protects the communication.


$ ssh remotehost

$ ssh [email protected]   or   ssh -l remoteuser remotehost

$ ssh [email protected] remote-command


$ w -f


Related files:

When a client logs in to a remote machine for the first time, it saves that machine's public host key in ~/.ssh/known_hosts. On every later login to that server, the client compares the public key presented by the remote machine with the copy stored locally; if they differ, the connection is aborted. This prevents an attacker from impersonating the server.


The server keeps its own host keys (public and private) in /etc/ssh/*key*.
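The host-key check described above, written out as an added example that is not part of the original notes: a small POSIX shell function applies the known_hosts rules to a key presented by a server and reports the three outcomes ssh can reach (first contact, key matches, key changed). The known_hosts file and the key blobs are constructed for illustration and are not real keys.

```shell
#!/bin/sh
# Added example (not from the course notes): the client-side host-key check
# that ssh performs against ~/.ssh/known_hosts, written out explicitly.

# Constructed known_hosts file; the key blobs are placeholders, not real keys.
# Format, as ssh writes it: "<host>[,<address>] <key-type> <base64-key>".
KEY_OK='AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBConstructedBlobOne='
KEY_CHANGED='AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBConstructedBlobTwo='
KNOWN_HOSTS="${TMPDIR:-/tmp}/known_hosts.example.$$"
printf '%s\n' "server0,172.25.0.11 ecdsa-sha2-nistp256 $KEY_OK" > "$KNOWN_HOSTS"

# check_host_key FILE HOST KEY-TYPE KEY
# Prints one word and returns a matching status:
#   match   (0) stored key equals the presented key: connect silently
#   changed (1) host is known but the key differs: ssh refuses to connect
#               ("REMOTE HOST IDENTIFICATION HAS CHANGED")
#   unknown (2) no entry yet: ssh shows the fingerprint and asks yes/no,
#               and on "yes" appends the line seen in the notes
# Simplification: hashed entries (|1|...) and @cert-authority/@revoked
# markers are skipped here; ssh itself handles them.
check_host_key() {
    stored=$(awk -v h="$2" -v t="$3" '
        $1 ~ /^[#@|]/ { next }            # comment, marker or hashed host
        {
            n = split($1, names, ",")      # one entry may list name and IP
            for (i = 1; i <= n; i++)
                if (names[i] == h && $2 == t) { print $3; exit }
        }' "$1")
    if [ -z "$stored" ]; then echo unknown; return 2; fi
    if [ "$stored" = "$4" ]; then echo match; return 0; fi
    echo changed; return 1
}

# Demonstration of the three outcomes (return codes deliberately ignored here).
check_host_key "$KNOWN_HOSTS" server0     ecdsa-sha2-nistp256 "$KEY_OK"      || :
check_host_key "$KNOWN_HOSTS" 172.25.0.11 ecdsa-sha2-nistp256 "$KEY_CHANGED" || :
check_host_key "$KNOWN_HOSTS" server1     ecdsa-sha2-nistp256 "$KEY_OK"      || :
```

The real client compares key material exactly as the function does, but presents it to the user as a fingerprint, which is what the yes/no prompt in the notes shows. On the server, `ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub` prints that same fingerprint, so it can be compared out of band before answering yes on first contact.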

 


9.2 Configuring key-based authentication for ssh

By default, logging in to a remote system over ssh requires an account and password on that system. To reduce the chance of password leakage and make logging in more convenient, key-based authentication can be used instead.


1) Generate a key pair on the client


$ ssh-keygen -t rsa

Press Enter at every prompt; nothing needs to be typed.


2) Send the public key to the remote system

$ ssh-copy-id -i ~/.ssh/id_rsa.pub  server0

$ ssh-copy-id -i ~/.ssh/id_rsa.pub  [email protected]


3) Log in

$  ssh server0

Result: no password prompt; you are logged straight into the remote system.




9.3 Customizing and hardening the sshd configuration


How do you find the configuration file of the sshd service?


Security options you need to know:

PermitRootLogin yes|no  whether root may log in to this machine over ssh

PermitRootLogin  without-password  root may log in over ssh only with key-based authentication; has no effect on other users

PasswordAuthentication yes|no  default is yes, allowing password-based ssh logins to this machine. If set to no, only key-based authentication is possible; applies to all users.




Notes:


9.1

Method 1:  on the first login you are asked to save the public key sent by the remote side

[[email protected] ~]# ssh server0    log in to server0

[email protected]'s password: 

Last login: Sat Jun  3 10:43:43 2017 from desktop0.example.com

[[email protected] ~]# 


[[email protected] ~]# host server0    precondition for the login: the name must resolve to an IP address

server0.example.com has address 172.25.0.11


[[email protected] ~]# ssh 172.25.0.11   you can also log in directly by IP address

[email protected]'s password: 

Last login: Sat Jun  3 10:44:08 2017 from desktop0.example.com

[[email protected] ~]# 

Method 2:

[[email protected] ~]# ssh [email protected]

The authenticity of host 'server0 (172.25.0.11)' can't be established.

ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added 'server0,172.25.0.11' (ECDSA) to the list of known hosts.

[email protected]'s password: 

Last login: Thu May 11 11:57:56 2017

[[email protected] ~]$ 


[[email protected] ~]# ssh [email protected]

[email protected]'s password: 

Last login: Sat Jun  3 10:45:43 2017 from desktop0.example.com

[[email protected] ~]# 


Method 3:


[[email protected] ~]# ssh 172.25.0.11 -l root      -l means login name

[email protected]'s password: 

Last login: Sat Jun  3 10:49:27 2017 from server0.example.com

[[email protected] ~]# 



[[email protected] ~]# ssh server0 -l student

[email protected]'s password: 

Last login: Sat Jun  3 10:48:49 2017 from server0.example.com

[[email protected] ~]$ 



Run just a single command on the remote host and get its output back, e.g. print the hostname, or shut it down

[[email protected] ~]# ssh [email protected] hostname

[email protected]'s password: 

server0.example.com

[[email protected] ~]# 




[[email protected] ~]# w -f             shows who is logged in to this machine; :0 means a graphical session

 11:01:53 up 23 min,  3 users,  load average: 0.00, 0.02, 0.08

USER     TTY      FROM             [email protected]   IDLE   JCPU   PCPU WHAT

root     pts/0    desktop0.example 10:45    1.00s  0.24s  0.16s ssh [email protected]

root     pts/1    server0.example. 10:49    1.00s  0.15s  0.02s w -f

[[email protected] ~]# 









[[email protected] Desktop]$ ssh [email protected]

The authenticity of host 'server0 (172.25.0.11)' can't be established.

ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added 'server0,172.25.0.11' (ECDSA) to the list of known hosts.

[email protected]'s password: 

Last login: Sat Jun  3 10:50:21 2017 from server0.example.com

[[email protected] ~]# ls /etc/ssh/*key*                             host keys stored on server0

/etc/ssh/ssh_host_ecdsa_key      /etc/ssh/ssh_host_rsa_key

/etc/ssh/ssh_host_ecdsa_key.pub  /etc/ssh/ssh_host_rsa_key.pub

[[email protected] ~]# 

[[email protected] ~]# 

[[email protected] ~]# cat /etc/ssh/ssh_host_ecdsa_key.pub

ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHX+o9KAnlfw2dE7CsmM4hqfv1udM79a5NWC2BuWlmfKSwfYLptPQMJF8bnqaz0EjDlxCxRu/aito+GphpLzp/k= 

[[email protected] ~]# logout

Connection to server0 closed.

[[email protected] Desktop]$ grep server0 ~/.ssh/known_hosts                where this machine stores the public keys of remote hosts

server0,172.25.0.11 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHX+o9KAnlfw2dE7CsmM4hqfv1udM79a5NWC2BuWlmfKSwfYLptPQMJF8bnqaz0EjDlxCxRu/aito+GphPLzp/k=

[[email protected] Desktop]$ 





9.2   Demonstration of the whole process


[[email protected] Desktop]$ :> ~/.ssh/known_hosts  empty the file

[[email protected] Desktop]$ cat ~/.ssh/known_hosts


[[email protected] Desktop]$ ssh-keygen -t rsa

Generating public/private rsa key pair.

Enter file in which to save the key (/home/student/.ssh/id_rsa): 

Enter passphrase (empty for no passphrase): 

Enter same passphrase again: 

Your identification has been saved in /home/student/.ssh/id_rsa.

Your public key has been saved in /home/student/.ssh/id_rsa.pub.

The key fingerprint is:

65:09:74:d4:45:2b:86:7d:11:6e:96:0a:2d:b9:ce:81 [email protected]

The key's randomart image is:

+--[ RSA 2048]----+

|       .o.o. o=. |

|         o *.. + |

|          O = B  |

|         + = *   |

|        E o .    |

|         o .     |

|          o      |

|                 |

|                 |

+-----------------+

[[email protected] Desktop]$ 

[[email protected] Desktop]$ ls /home/student/.ssh/

authorized_keys  id_rsa  id_rsa.pub  known_hosts

[[email protected] Desktop]$ 



 ssh-copy-id -i ~/.ssh/id_rsa.pub server0   installs the public key on server0, so from now on the login is authenticated with the key and no password has to be typed



[[email protected] Desktop]$ ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]

/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed

/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

[email protected]'s password: 


Number of key(s) added: 1


Now try logging into the machine, with:   "ssh '[email protected]'"

and check to make sure that only the key(s) you wanted were added.


[[email protected] Desktop]$ ssh [email protected]

Last login: Sat Jun  3 11:10:04 2017 from desktop0.example.com

[[email protected] ~]# 


[[email protected] ~]# cat /root/.ssh/authorized_keys   the key is stored here!!
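The three steps of 9.2 and the authorized_keys file shown here end in the same place: the client's public key sitting in the remote user's ~/.ssh/authorized_keys. The following added example (not part of the original notes) checks that destination offline. It audits the file modes that sshd's default StrictModes setting requires before it will accept a key, which is the usual reason a key login silently falls back to a password prompt, and it lists the installed keys so the advice printed by ssh-copy-id ("check to make sure that only the key(s) you wanted were added") can be acted on. The directory, key blobs and comments are constructed.

```shell
#!/bin/sh
# Added example (not from the course notes): offline checks for the files that
# key-based authentication relies on. With the default "StrictModes yes", sshd
# ignores authorized_keys when ~/.ssh or the file itself is writable by others,
# and the client silently falls back to asking for a password.

# audit_ssh_dir DIR
# Prints one line per permission problem; prints nothing and returns 0 if clean.
audit_ssh_dir() {
    problems=0
    _check_mode() {                       # _check_mode PATH EXPECTED-OCTAL
        [ -e "$1" ] || return 0           # a missing file is not a mode problem
        mode=$(stat -c '%a' "$1")         # GNU stat; on BSD use: stat -f '%Lp'
        if [ "$mode" != "$2" ]; then
            echo "$1: mode $mode, expected $2"
            problems=$((problems + 1))
        fi
    }
    _check_mode "$1" 700
    _check_mode "$1/authorized_keys" 600
    for k in "$1"/id_*; do                # private keys must not be readable by others
        case $k in *.pub) ;; *) _check_mode "$k" 600 ;; esac
    done
    [ "$problems" -eq 0 ]
}

# fix_ssh_dir DIR: apply the modes sshd and the ssh client expect.
fix_ssh_dir() {
    chmod 700 "$1"
    [ -e "$1/authorized_keys" ] && chmod 600 "$1/authorized_keys"
    for k in "$1"/id_*; do
        case $k in *.pub) ;; *) [ -e "$k" ] && chmod 600 "$k" ;; esac
    done
    return 0
}

# list_authorized_keys FILE
# Prints "<key-type> <comment>" per installed key, skipping blank and comment
# lines and any leading options (from="...", command="..." without spaces).
list_authorized_keys() {
    awk '
        /^[[:space:]]*#/ { next }
        NF == 0 { next }
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp[0-9]+|sk-)/) {
                    comment = (i + 2 <= NF) ? $(i + 2) : "(no comment)"
                    print $i, comment
                    break
                }
        }' "$1"
}

# setup_demo_dir DIR: a constructed ~/.ssh with deliberately wrong modes and
# placeholder key blobs (not real keys), to exercise the checks above.
setup_demo_dir() {
    mkdir -p "$1" && chmod 755 "$1"
    cat > "$1/authorized_keys" <<'EOF'
# installed by ssh-copy-id (constructed sample)
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedBlobOne= student@desktop0.example.com
from="172.25.0.10" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedBlobTwo backup@desktop0.example.com
EOF
    chmod 644 "$1/authorized_keys"
    : > "$1/id_rsa" && chmod 644 "$1/id_rsa"
}

demo="${TMPDIR:-/tmp}/ssh-audit-demo.$$"
setup_demo_dir "$demo"
audit_ssh_dir "$demo" || echo "-- problems found, fixing"
fix_ssh_dir "$demo"
audit_ssh_dir "$demo" && echo "-- $demo is clean"
list_authorized_keys "$demo/authorized_keys"
```

Running `audit_ssh_dir ~/.ssh` on the account that ssh-copy-id targeted is the quickest check when step 3 still asks for a password; the second function, run on authorized_keys, answers the question ssh-copy-id leaves open, namely which keys are now accepted for that account.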




9.3

Changing the SSH configuration


[[email protected] Desktop]# vim /etc/ssh/sshd_config 

Line 48:

#PermitRootLogin no

[[email protected] Desktop]# systemctl restart sshd   restart for the change to take effect  / the experiment did not succeed   in production, password logins for the administrator account are disabled.



After clearing known_hosts, log in from the desktop to the server again; it says this is not allowed

[[email protected] Desktop]#  :> ~/.ssh/known_hosts

[[email protected] Desktop]# ssh [email protected]

The authenticity of host 'server0 (172.25.0.11)' can't be established.

ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added 'server0,172.25.0.11' (ECDSA) to the list of known hosts.

Last login: Sat Jun  3 12:09:25 2017 from desktop0.example.com

[[email protected] ~]# 


9.3 Summary

All changes are made in this file: vim /etc/ssh/sshd_config 

PermitRootLogin yes|no  whether root may log in to this machine over ssh

PermitRootLogin  without-password  root may log in over ssh only with key-based authentication; has no effect on other users

PasswordAuthentication yes|no  default is yes, allowing password-based ssh logins to this machine. If set to no, only key-based authentication is possible; applies to all users.
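Both this summary and the line-48 edit in the 9.3 notes turn on one detail: a keyword that is still commented out, such as "#PermitRootLogin no", has no effect, and sshd keeps its compiled-in default. The following added example (not part of the original notes) reads an sshd_config the way sshd does and reports the effective value of a keyword, so the state of the two options listed above can be verified before restarting the service. The two configuration files it creates are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the course notes): report the *effective* value of an
# sshd_config keyword using sshd's own rules, so that a commented-out line is
# recognised as having no effect.

# effective_option FILE KEYWORD
# Rules implemented: lines starting with '#' are comments; keywords are
# case-insensitive; the first occurrence of a keyword wins; only the global
# section is read (processing stops at the first "Match" block, whose settings
# apply conditionally). Prints the value, or "(default)" when the keyword is
# not set anywhere in the global section.
effective_option() {
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == kw { found = 1; $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
        END { if (!found) print "(default)" }
    ' "$1"
}

# Constructed configs; not the lab machine's real /etc/ssh/sshd_config.
LAB_CONFIG="${TMPDIR:-/tmp}/sshd_config.lab.$$"
cat > "$LAB_CONFIG" <<'EOF'
# State after the edit shown in the notes: still a comment, so sshd ignores it.
#PermitRootLogin no
#PasswordAuthentication yes
EOF

HARDENED_CONFIG="${TMPDIR:-/tmp}/sshd_config.hardened.$$"
cat > "$HARDENED_CONFIG" <<'EOF'
# Root may log in with a key only; all other users must use keys as well.
PermitRootLogin without-password
PasswordAuthentication no
# A later duplicate does not override the first value.
PasswordAuthentication yes
# Settings below apply only to the matched user and are not read here.
Match User student
    PasswordAuthentication yes
EOF

for f in "$LAB_CONFIG" "$HARDENED_CONFIG"; do
    echo "$f:"
    for opt in PermitRootLogin PasswordAuthentication; do
        printf '  %-24s %s\n' "$opt" "$(effective_option "$f" "$opt")"
    done
done
```

On the server itself, `sshd -t` checks the file for syntax errors before `systemctl restart sshd`, and `sshd -T` prints the complete effective configuration, which is the authoritative form of the check this function approximates.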


This article is from the "HCIE_38xx" blog; reproduction is not permitted.
