文章介绍了如何在Linux系统中设置SSH,使客户端能免密登录到服务器,以及如何禁止root用户远程登录,并创建和管理sshuser1,sshuser2,sshuser3这三个用户,只允许sshuser3进行SSH登录。具体步骤包括生成SSH密钥对,复制公钥到服务器,编辑sshd_config配置文件限制用户访问,以及创建用户并设置密码。
ssh实验
1.两台机器:第一台机器作为客户端,第二台机器作为服务器,在第一台使用rhce用户免密登录第二台机器
2.禁止root用户远程登录和设置三个用户sshuser1, sshuser2, sshuser3, 只允许sshuser3登录,不允许sshuser1, sshuser2登录
1 第一步:在客户端,生成公钥和私钥
在Linux上使用的ssh-keygen的命令:ssh-key-generate: 生成ssh的密钥
在第一台机器上输入ssh-keygen -t rsa -b 2048命令
[root@liusiyuan.ssh]# ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:kixxOXbYSPdZPwAan77pMBMZ3ysZdYOMPckz+diz4kU root@lishulei
The key’s randomart image is:
±–[RSA 2048]----+
| . o …o |
| . * = O * |
| . B = * % = |
| = + = o O o |
| . + S + o E |
| . . . = o o |
| + = o o |
| = o o |
| . . |
±—[SHA256]-----+
用ls-l命令查看一下
[root@liusiyuan.ssh]# ls -l
total 12
-rw-r–r–. 1 root root 381 Jan 4 10:30 authorized_keys
-rw-------. 1 root root 1823 Jan 4 18:01 id_rsa
-rw-r–r–. 1 root root 395 Jan 4 18:01 id_rsa.pub在第一台机器中输入ssh-copy-id -i root@192.168.153.128(第二台机器的ip)
[root@liusiyuan.ssh]# ssh-copy-id -i root@192.168.153.128
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: “/root/.ssh/id_rsa.pub”
The authenticity of host ‘192.168.153.128 (192.168.243.128)’ can’t be established.
ECDSA key fingerprint is SHA256:d1gayCES7X7olV4BqCK50pxPgK+e/OT611bsTs2XI/w.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed – if you are prompted now it is to install the new keys
root@192.168.153.128’s password:
Number of key(s) added: 1
Now try logging into the machine, with: “ssh ‘root@192.168.153.128’”
and check to make sure that only the key(s) you wanted were added.接着就可以在第一台机器中免密登录第二台机器
[root@liusiyuan.ssh]# ssh root@192.168.153.128
Activate the web console with: systemctl enable --now cockpit.socket
This system is not registered to Red Hat Insights. See https://cloud.redhat.com/
To register this system, run: insights-client --register
Last login: Wed Jan 4 17:47:51 2023 from 192.168.153.12
禁止root用户远程登录
#请保持服务器上至少有一个可以远程登陆的普通远程账号
#修改配置文件如下:
#打开该选项并修改参数为no
PermitRootLogin no
设置三个用户sshuser1, sshuser2, sshuser3, 只允许sshuser3登录,不允许sshuser1, sshuser2登录
进入 vim /etc/ssh/sshd_config 进行编辑
[root@liusiyuan ~]# vim /etc/ssh/sshd_config在最后添加一行
AllowUsers sshuser3
然后保存退出,重启服务
systemctl restart sshd创建三个用户sshuser1, sshuser2, sshuser3并设置密码
[root@liusiyuan ~]# useradd sshuser1
[root@liusiyuan ~]# useradd sshuser2
[root@liusiyuan ~]# useradd sshuser3
[root@liusiyuan ~]# echo “123456” | passwd --stdin sshuser1
Changing password for user sshuser1.
passwd: all authentication tokens updated successfully.
[root@liusiyuan ~]# echo “123456” | passwd --stdin sshuser2
Changing password for user sshuser2.
passwd: all authentication tokens updated successfully.
[root@liusiyuan ~]# echo “123456” | passwd --stdin sshuser3
Changing password for user sshuser3.
passwd: all authentication tokens updated successfully.然后在另一台机器上尝试连接
[root@lsy~]# ssh sshuser1@192.168.153.129 -p 2222
The authenticity of host ‘[192.168.153.129]:2222 ([192.168.153.129]:2222)’ can’t be established.
ECDSA key fingerprint is SHA256:d1gayCES7X7olV4BqCK50pxPgK+e/OT611bsTs2XI/w.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added ‘[192.168.153.129]:2222’ (ECDSA) to the list of known hosts.
sshuser1@192.168.153.129’s password:
Permission denied, please try again.
用户sshuesr1不行
[root@lsy~]# ssh sshuser2@192.168.153.129 -p 2222
sshuser2@192.168.153.129’s password:
Permission denied, please try again.用户sshuser2也不行
[root@lsy ~]# ssh sshuser3@192.168.153.129 -p 2222
sshuser3@192.168.153.129’s password:
Activate the web console with: systemctl enable --now cockpit.socket
This system is not registered to Red Hat Insights. See https://cloud.redhat.com/
To register this system, run: insights-client --register
[sshuser3@liusiyuan~]$用户sshuser3可以
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
