本文详细介绍了Linux的远程登录服务OpenSSH,包括sshd服务的作用、安装、配置文件、默认端口和客户端命令。重点讲解了SSH的基本用法、认证问题的解决、非对称加密密钥的生成方法以及sshd的安全优化参数。
一.Openssh的功能
1.sshd服务的用途
(1)作用
可以实现通过网络在远程主机中开启安全shell的操作
Secure SHell ===>ssh ##客户端
Secure SHell daemon ===>sshd ##服务端
2.安装包
openssh-server
3.主配置文件
/etc/ssh/sshd_conf
4.默认端口
22
5.客户端命令
ssh
二.ssh
1.基本用法
ssh [-l 远程主机用户] <ip|hostname>
ssh -l root 172.25.254.105 ##通过ssh命令在105主机中以root身份开启远程shell
[lee@westos_lee ~]$ ssh -l root 172.25.254.105
The authenticity of host '172.25.254.105 (172.25.254.105)' can't be established.
ECDSA key fingerprint is SHA256:1uLJ3EuYzt16BrtDrGdbjOY6wxCZcfppTLSwTI3BuCs.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes ##身份证明生成过程确认
2.作用
当收入后
105主机会向当前主机发送身份公钥,并保存此公钥到~/.ssh/know_hosts
105主机持有私钥当客户主机再次连接时会对客户主机进行身份验证
如果身份验证改变拒绝连接效果如下
[lee@westos_lee ~]$ ssh -l root 172.25.254.105
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:1uLJ3EuYzt16BrtDrGdbjOY6wxCZcfppTLSwTI3BuCs.
Please contact your system administrator.
Add correct host key in /home/lee/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/lee/.ssh/known_hosts:1
ECDSA host key for 172.25.254.105 has changed and you have requested strict checking.
Host key verification failed.
3.当连接因为认证问题被拒绝时解决方案
vim ~/.ssh/know_hosts ##在此文件中删除报错提示相应的行即可
4.ssh 常用参数
ssh
-l #指定登陆用户
-i #指定私钥
-X #开启图形
-f #后台运行
-o #指定连接参数
# ssh -l root@172.25.254.x -o "StrictHostKeyChecking=no" 首次连接不许要输入yes
-t #指定连接跳板
# ssh -l root 172.25.254.1 -t ssh -l root 172.25.254.105
三.sshd key认证
1.认证类型
(1)对称加密
加密和解密是同一串字符
容易泄漏
可暴力破解
容易遗忘
(2)非对称加密
加密用公钥,解密用私钥
不会被盗用
攻击者无法通过无密钥方式登陆服务器
2.生成非对称加密密钥
(1)方法1
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): ##输入保存密钥文件
Enter passphrase (empty for no passphrase): ##密钥密码
Enter same passphrase again: ##确认密码
Your identification has been saved in /root/.ssh/id_rsa. ##私钥
Your public key has been saved in /root/.ssh/id_rsa.pub. ##公钥
The key fingerprint is:
SHA256:OZVOK9g6NyZsaUIfbZMrfAGB31GQsJ3FyviO4/psVSg root@localhost.localdomain
The key's randomart image is:
+---[RSA 3072]----+
| .o..=o |
| . +oo.. |
| .o+o++ |
| E==*.. |
| . ooS.o |
| . + =o* |
| . %+* |
| =+B.. |
| .=+. |
+----[SHA256]-----+
(2)方法二
$ssh-keygen -f /root/.ssh/id_rsa -P ""
3.对服务器加密
ssh-copy-id -i /root/.ssh/id_rsa.pub username@serverip
ssh-copy-id -i /root/.ssh/id_rsa.pub lee@172.25.254.105
4.测试
ssh lee@172.25.254.105 ##登陆lee用户不需要输入密码
四.sshd 安全优化参数详解
setenforce 0
systemctl disable --now firewalld
Port 2222 #设定端口为2222
PermitRootLogin yes|no #对超级用户登陆是否禁止
PasswordAuthentication yes|no #是否开启原始密码认证方式
AllowUsers lee #用户白名单
DenyUsers lee #用户黑名单
扫一扫
1167
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
