Linux SSH 服务
程序员文章站
2022-08-08 16:26:33
本篇写一些关于 Linux 网络中 SSH 服务的相关知识。 ......
本篇写一些关于linux
网络中ssh
服务的相关知识。
测试环境
名称 | ip地址 |
---|---|
host01 | 192.168.28.128 |
host02 | 192.168.28.129 |
host03 | 192.168.28.130 |
禁止 root 登录
- 查看
ssh
服务端口是否开启
[root@host01 ~]# netstat -ntuap | grep sshd tcp 0 0 0.0.0.0:22 0.0.0.0:* listen 998/sshd tcp6 0 0 :::22 :::* listen 998/sshd
- 默认可以使用
root
用户登录
[root@host02 ~]# ssh root@192.168.28.128 the authenticity of host '192.168.28.128 (192.168.28.128)' can't be established. ecdsa key fingerprint is sha256:5ggc1rmzwwjf+ozz/pptylo2s6nmfhsxbzcnslazxhy. ecdsa key fingerprint is md5:0b:f5:62:d7:a4:1f:05:64:0b:7f:22:62:11:64:07:61. are you sure you want to continue connecting (yes/no)? yes warning: permanently added '192.168.28.128' (ecdsa) to the list of known hosts. root@192.168.28.128's password: last login: thu sep 12 13:54:03 2019 [root@host01 ~]# logout connection to 192.168.28.128 closed.
- 编辑配置文件,禁止
root
用户登录
[root@host01 ~]# vim /etc/ssh/sshd_config permitrootlogin no
- 重新加载配置文件,使配置生效
[root@host01 ~]# systemctl reload sshd
- 不可使用
root
用户登录
[root@host02 ~]# ssh root@192.168.28.128 root@192.168.28.128's password: permission denied, please try again. root@192.168.28.128's password:
- 添加普通用户
zhangsan
。
[root@host01 ~]# useradd zhangsan && echo "000000" | passwd --stdin zhangsan changing password for user zhangsan. passwd: all authentication tokens updated successfully. [root@host01 ~]# id zhangsan uid=1001(zhangsan) gid=1001(zhangsan) groups=1001(zhangsan)
- 现在以
zhangsan
登录,发现可以切换至root
用户
[root@host02 ~]# ssh zhangsan@192.168.28.128 zhangsan@192.168.28.128's password: [zhangsan@host01 ~]$ su - root password: last login: thu sep 12 14:43:14 cst 2019 from 192.168.28.129 on pts/2 last failed login: thu sep 12 14:46:39 cst 2019 from 192.168.28.129 on ssh:notty there was 1 failed login attempt since the last successful login. [root@host01 ~]# logout [zhangsan@host01 ~]$ logout connection to 192.168.28.128 closed.
- 可以开启
pam
认证来禁止切换
[root@host01 ~]# vim /etc/pam.d/su auth required pam_wheel.so use_uid
- 现在不可以使用
zhangsan
做跳板切换至root
用户
[root@host02 ~]# ssh zhangsan@192.168.28.128 zhangsan@192.168.28.128's password: last login: thu sep 12 14:56:01 2019 from 192.168.28.129 [zhangsan@host01 ~]$ su - root password: su: permission denied [zhangsan@host01 ~]$ logout connection to 192.168.28.128 closed.
- 将
zhangsan
添加至wheel
组
[root@host01 ~]# gpasswd -a zhangsan wheel adding user zhangsan to group wheel [root@host01 ~]# id zhangsan uid=1001(zhangsan) gid=1001(zhangsan) groups=1001(zhangsan),10(wheel)
- 只有在
wheel
组中的用户才可以使用su
命令
[root@host02 ~]# ssh zhangsan@192.168.28.128 zhangsan@192.168.28.128's password: last login: thu sep 12 14:59:14 2019 from 192.168.28.129 [zhangsan@host01 ~]$ su - root password: last login: thu sep 12 14:56:13 cst 2019 on pts/2 last failed login: thu sep 12 14:59:25 cst 2019 on pts/2 there was 1 failed login attempt since the last successful login. [root@host01 ~]# logout [zhangsan@host01 ~]$ logout connection to 192.168.28.128 closed.
登录次数尝试
- 配置文件默认是
6
次,但尝试3
次就不可再尝试
[root@host02 ~]# ssh zhangsan@192.168.28.128 zhangsan@192.168.28.128's password: permission denied, please try again. zhangsan@192.168.28.128's password: permission denied, please try again. zhangsan@192.168.28.128's password: permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
- 设置参数最大次数为
5
次
[root@host01 ~]# vim /etc/ssh/sshd_config maxauthtries 5
- 重新加载配置文件,使配置生效
[root@host01 ~]# systemctl reload sshd
- 想要使配置能够有意义,需要使用
-o numberofpasswordprompts=8
参数,这里尝试8
次,发现5
次后被拒绝尝试。
[root@host02 ~]# ssh -o numberofpasswordprompts=8 zhangsan@192.168.28.128 zhangsan@192.168.28.128's password: permission denied, please try again. zhangsan@192.168.28.128's password: permission denied, please try again. zhangsan@192.168.28.128's password: permission denied, please try again. zhangsan@192.168.28.128's password: permission denied, please try again. zhangsan@192.168.28.128's password: received disconnect from 192.168.28.128 port 22:2: too many authentication failures authentication failed.
黑白名单
- 添加
lisi
、wangwu
用户
[root@host01 ~]# useradd lisi && echo "000000" | passwd --stdin lisi changing password for user lisi. passwd: all authentication tokens updated successfully. [root@host01 ~]# useradd wangwu && echo "000000" | passwd --stdin wangwu changing password for user wangwu. passwd: all authentication tokens updated successfully.
- 添加白名单配置,默认没有相关条目
zhangsan
只能从129
登录,lisi
可以从任何主机登录
[root@host01 ~]# vim /etc/ssh/sshd_config allowusers zhangsan@192.168.28.129 lisi
白名单:
allowusers
,黑名单:denyusers
,不要同时使用。
- 重新加载配置文件,使配置生效
[root@host01 ~]# systemctl reload sshd
- 测试
zhangsan
可以从129
登录
[root@host02 ~]# ssh zhangsan@192.168.28.128 zhangsan@192.168.28.128's password: last login: thu sep 12 16:53:09 2019 from 192.168.28.129 [zhangsan@host01 ~]$ logout connection to 192.168.28.128 closed.
- 测试
lisi
可以从129
登录
[root@host02 ~]# ssh lisi@192.168.28.128 lisi@192.168.28.128's password: [lisi@host01 ~]$ logout connection to 192.168.28.128 closed.
- 测试
wangwu
不可从129
登录
[root@host02 ~]# ssh wangwu@192.168.28.128 wangwu@192.168.28.128's password: permission denied, please try again. wangwu@192.168.28.128's password:
- 测试
zhangsan
不可从130
登录
[root@host03 ~]# ssh zhangsan@192.168.28.128 zhangsan@192.168.28.128's password: permission denied, please try again. zhangsan@192.168.28.128's password:
- 测试
lisi
可以从130
登录
[root@host03 ~]# ssh lisi@192.168.28.128 lisi@192.168.28.128's password: last login: thu sep 12 16:56:07 2019 from 192.168.28.129 [lisi@host01 ~]$ logout connection to 192.168.28.128 closed.
- 测试
wangwu
不可从130
登录
[root@host03 ~]# ssh wangwu@192.168.28.128 wangwu@192.168.28.128's password: permission denied, please try again. wangwu@192.168.28.128's password:
使用密钥对登录
- 开启密钥认证选项
[root@host01 ~]# vim /etc/ssh/sshd_config pubkeyauthentication yes
- 重新加载配置文件,使配置生效
[root@host01 ~]# systemctl reload sshd
- 生成类型为
ecdsa
椭圆曲线数字签名加密的密钥,可以设置一个密码
[root@host02 ~]# ssh-keygen -t ecdsa generating public/private ecdsa key pair. enter file in which to save the key (/root/.ssh/id_ecdsa): enter passphrase (empty for no passphrase): enter same passphrase again: your identification has been saved in /root/.ssh/id_ecdsa. your public key has been saved in /root/.ssh/id_ecdsa.pub. the key fingerprint is: sha256:y4ajdpfbrwyap5exulv7obn08cvhszzasz6mwqt/cce root@host02 the key's randomart image is: +---[ecdsa 256]---+ |o.oo=o+ | | = o.x.. | | * o.o .. | | = . o +eo | | s =. | | . o.o.* . | | o oo= * | | o. + + | | .oo. = | +----[sha256]-----+
- 查看生成的私钥和公钥文件
[root@host02 ~]# ls .ssh/ id_ecdsa id_ecdsa.pub
- 推送公钥文件至
128
的lisi
用户
[root@host02 ~]# ssh-copy-id -i .ssh/id_ecdsa.pub lisi@192.168.28.128 /usr/bin/ssh-copy-id: info: source of key(s) to be installed: ".ssh/id_ecdsa.pub" /usr/bin/ssh-copy-id: info: attempting to log in with the new key(s), to filter out any that are already installed /usr/bin/ssh-copy-id: info: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys lisi@192.168.28.128's password: number of key(s) added: 1 now try logging into the machine, with: "ssh 'lisi@192.168.28.128'" and check to make sure that only the key(s) you wanted were added.
- 本地会生成一个已知主机文件
[root@host02 ~]# ls .ssh/ id_ecdsa id_ecdsa.pub known_hosts
- 可以查看一下
[root@host02 ~]# cat .ssh/known_hosts 192.168.28.128 ecdsa-sha2-nistp256 aaaae2vjzhnhlxnoytitbmlzdhayntyaaaaibmlzdhayntyaaabbbg/clqc3iglkjnuys8mouhujjfnmt4v2cssj6gnfgblmanrik1slguesifypoeirgfyz0en3/aayi+sllpa/3lq=
-
128
的lisi
用户下生成了认证密钥
[root@host01 ~]# cat /home/lisi/.ssh/authorized_keys ecdsa-sha2-nistp256 aaaae2vjzhnhlxnoytitbmlzdhayntyaaaaibmlzdhayntyaaabbbee/8t2xbto11fmju5sac43oyueluvl6ovceij4wrzxad9qr+pmjcxlzovd5+hwyt6pfmw7ezjmk8nogcndc9hi= root@host02
- 使用
128
的lisi
用户ssh
登录,提示输入先前设置的密码
[root@host02 ~]# ssh lisi@192.168.28.128 enter passphrase for key '/root/.ssh/id_ecdsa': last login: thu sep 12 17:09:37 2019 from 192.168.28.129 [lisi@host01 ~]$ logout connection to 192.168.28.128 closed.
- 可以设置免验证操作,并输入先前设置的密码
[root@host02 ~]# ssh-agent bash [root@host02 ~]# ssh-add enter passphrase for /root/.ssh/id_ecdsa: identity added: /root/.ssh/id_ecdsa (/root/.ssh/id_ecdsa)
- 现在可以免密码登录
[root@host02 ~]# ssh lisi@192.168.28.128 last login: tue sep 17 00:40:47 2019 from 192.168.28.129 [lisi@host01 ~]$ logout connection to 192.168.28.128 closed.
更改默认端口
- 关闭防火墙、
selinux
。
[root@host01 ~]# systemctl stop firewalld [root@host01 ~]# setenforce 0
- 更改默认端口
22
为2233
[root@host01 ~]# vim /etc/ssh/sshd_config port 2233
- 重新加载配置文件,使配置生效
[root@host01 ~]# systemctl reload sshd [root@host01 ~]# netstat -ntuap | grep sshd tcp 0 0 0.0.0.0:2233 0.0.0.0:* listen 41357/sshd tcp6 0 0 :::2233 :::* listen 41357/sshd
- 直接登录失败
[root@host02 ~]# ssh lisi@192.168.28.128 ssh: connect to host 192.168.28.128 port 22: connection refused
- 指定端口登录成功
[root@host02 ~]# ssh -p 2233 lisi@192.168.28.128 last login: tue sep 17 01:21:11 2019 from 192.168.28.129 [lisi@host01 ~]$ logout connection to 192.168.28.128 closed.
scp 远程复制
- 创建测试文件、文件夹
[root@host02 ~]# echo "this is testfile01" > testfile01.txt [root@host02 ~]# mkdir testdir01
- 远程复制文件
[root@host02 ~]# scp testfile01.txt root@192.168.28.128:/opt/ root@192.168.28.128's password: testfile01.txt 100% 19 11.4kb/s 00:00
- 远程复制文件夹
[root@host02 ~]# scp -r testdir01/ root@192.168.28.128:/opt/ root@192.168.28.128's password:
- 查看是否复制成功
[root@host01 ~]# ls /opt/ rh testdir01 testfile.txt
sftp 安全文件传输协议
- 登录
[root@host02 ~]# sftp root@192.168.28.128 root@192.168.28.128's password: connected to 192.168.28.128. sftp>
- 可以
cd
切换目录,ls
查看,put
上传
sftp> cd /home/zhangsan/ sftp> ls sftp> put /root/testfile01.txt uploading /root/testfile01.txt to /home/zhangsan/testfile01.txt /root/testfile01.txt 100% 19 32.8kb/s 00:00 sftp> ls testfile01.txt
- 上传成功
[root@host01 ~]# ls /home/zhangsan/ testfile01.txt
-
get
下载
sftp> get /etc/passwd fetching /etc/passwd to passwd /etc/passwd 100% 2227 1.8mb/s 00:00 sftp> bye
- 下载成功
[root@host02 ~]# ls anaconda-ks.cfg passwd testdir01 testfile01.txt