本篇写一些关于Linux网络中SSH服务的相关知识。
测试环境
| host01 | 192.168.28.128 |
| host02 | 192.168.28.129 |
| host03 | 192.168.28.130 |
禁止 root 登录
- 查看
ssh服务端口是否开启
[root@host01 ~]# netstat -ntuap | grep sshd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 998/sshd
tcp6 0 0 :::22 :::* LISTEN 998/sshd
- 默认可以使用
root用户登录
[root@host02 ~]# ssh [email protected]
The authenticity of host '192.168.28.128 (192.168.28.128)' can't be established.
ECDSA key fingerprint is SHA256:5GGc1rmzWwjF+ozz/PPTyLO2s6NmFHSxbzCNsLazXhY.
ECDSA key fingerprint is MD5:0b:f5:62:d7:a4:1f:05:64:0b:7f:22:62:11:64:07:61.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.28.128' (ECDSA) to the list of known hosts.
[email protected]'s password:
Last login: Thu Sep 12 13:54:03 2019
[root@host01 ~]# logout
Connection to 192.168.28.128 closed.
- 编辑配置文件,禁止
root用户登录
[root@host01 ~]# vim /etc/ssh/sshd_config
PermitRootLogin no
- 重新加载配置文件,使配置生效
[root@host01 ~]# systemctl reload sshd
- 不可使用
root用户登录
[root@host02 ~]# ssh [email protected]
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
- 添加普通用户
zhangsan。
[root@host01 ~]# useradd zhangsan && echo "000000" | passwd --stdin zhangsan
Changing password for user zhangsan.
passwd: all authentication tokens updated successfully.
[root@host01 ~]# id zhangsan
uid=1001(zhangsan) gid=1001(zhangsan) groups=1001(zhangsan)
- 现在以
zhangsan登录,发现可以切换至root用户
[root@host02 ~]# ssh [email protected]
[email protected]'s password:
[zhangsan@host01 ~]$ su - root
Password:
Last login: Thu Sep 12 14:43:14 CST 2019 from 192.168.28.129 on pts/2
Last failed login: Thu Sep 12 14:46:39 CST 2019 from 192.168.28.129 on ssh:notty
There was 1 failed login attempt since the last successful login.
[root@host01 ~]# logout
[zhangsan@host01 ~]$ logout
Connection to 192.168.28.128 closed.
- 可以开启
pam认证来禁止切换
[root@host01 ~]# vim /etc/pam.d/su
auth required pam_wheel.so use_uid
- 现在不可以使用
zhangsan做跳板切换至root用户
[root@host02 ~]# ssh [email protected]
[email protected]'s password:
Last login: Thu Sep 12 14:56:01 2019 from 192.168.28.129
[zhangsan@host01 ~]$ su - root
Password:
su: Permission denied
[zhangsan@host01 ~]$ logout
Connection to 192.168.28.128 closed.
- 将
zhangsan添加至wheel组
[root@host01 ~]# gpasswd -a zhangsan wheel
Adding user zhangsan to group wheel
[root@host01 ~]# id zhangsan
uid=1001(zhangsan) gid=1001(zhangsan) groups=1001(zhangsan),10(wheel)
- 只有在
wheel组中的用户才可以使用su命令
[root@host02 ~]# ssh [email protected]
[email protected]'s password:
Last login: Thu Sep 12 14:59:14 2019 from 192.168.28.129
[zhangsan@host01 ~]$ su - root
Password:
Last login: Thu Sep 12 14:56:13 CST 2019 on pts/2
Last failed login: Thu Sep 12 14:59:25 CST 2019 on pts/2
There was 1 failed login attempt since the last successful login.
[root@host01 ~]# logout
[zhangsan@host01 ~]$ logout
Connection to 192.168.28.128 closed.
登录次数尝试
- 配置文件默认是
6次,但尝试3次就不可再尝试
[root@host02 ~]# ssh [email protected]
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
- 设置参数最大次数为
5次
[root@host01 ~]# vim /etc/ssh/sshd_config
MaxAuthTries 5
- 重新加载配置文件,使配置生效
[root@host01 ~]# systemctl reload sshd
- 想要使配置能够有意义,需要使用
-o NumberOfPasswordPrompts=8参数,这里尝试8次,发现5次后被拒绝尝试。
[root@host02 ~]# ssh -o NumberOfPasswordPrompts=8 [email protected]
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Received disconnect from 192.168.28.128 port 22:2: Too many authentication failures
Authentication failed.
黑白名单
- 添加
lisi、wangwu用户
[root@host01 ~]# useradd lisi && echo "000000" | passwd --stdin lisi
Changing password for user lisi.
passwd: all authentication tokens updated successfully.
[root@host01 ~]# useradd wangwu && echo "000000" | passwd --stdin wangwu
Changing password for user wangwu.
passwd: all authentication tokens updated successfully.
- 添加白名单配置,默认没有相关条目
zhangsan只能从129登录,lisi可以从任何主机登录
[root@host01 ~]# vim /etc/ssh/sshd_config
AllowUsers [email protected] lisi
- 重新加载配置文件,使配置生效
[root@host01 ~]# systemctl reload sshd
- 测试
zhangsan可以从129登录
[root@host02 ~]# ssh [email protected]
[email protected]'s password:
Last login: Thu Sep 12 16:53:09 2019 from 192.168.28.129
[zhangsan@host01 ~]$ logout
Connection to 192.168.28.128 closed.
- 测试
lisi可以从129登录
[root@host02 ~]# ssh [email protected]
[email protected]'s password:
[lisi@host01 ~]$ logout
Connection to 192.168.28.128 closed.
- 测试
wangwu不可从129登录
[root@host02 ~]# ssh [email protected]
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
- 测试
zhangsan不可从130登录
[root@host03 ~]# ssh [email protected]
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
- 测试
lisi可以从130登录
[root@host03 ~]# ssh [email protected]
[email protected]'s password:
Last login: Thu Sep 12 16:56:07 2019 from 192.168.28.129
[lisi@host01 ~]$ logout
Connection to 192.168.28.128 closed.
- 测试
wangwu不可从130登录
[root@host03 ~]# ssh [email protected]
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
使用密钥对登录
- 开启密钥认证选项
[root@host01 ~]# vim /etc/ssh/sshd_config
PubkeyAuthentication yes
- 重新加载配置文件,使配置生效
[root@host01 ~]# systemctl reload sshd
- 生成类型为
ecdsa椭圆曲线数字签名加密的密钥,可以设置一个密码
[root@host02 ~]# ssh-keygen -t ecdsa
Generating public/private ecdsa key pair.
Enter file in which to save the key (/root/.ssh/id_ecdsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_ecdsa.
Your public key has been saved in /root/.ssh/id_ecdsa.pub.
The key fingerprint is:
SHA256:Y4AjDPfBRwYAP5exUlv7Obn08cvhSZzAsZ6Mwqt/ccE root@host02
The key's randomart image is:
+---[ECDSA 256]---+
|o.oo=o+ |
| = o.X.. |
| * O.o .. |
| = . o +Eo |
| S =. |
| . o.O.* . |
| o oo= * |
| o. + + |
| .oo. = |
+----[SHA256]-----+
- 查看生成的私钥和公钥文件
[root@host02 ~]# ls .ssh/
id_ecdsa id_ecdsa.pub
- 推送公钥文件至
128的lisi用户
[root@host02 ~]# ssh-copy-id -i .ssh/id_ecdsa.pub [email protected]
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_ecdsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.
- 本地会生成一个已知主机文件
[root@host02 ~]# ls .ssh/
id_ecdsa id_ecdsa.pub known_hosts
- 可以查看一下
[root@host02 ~]# cat .ssh/known_hosts
192.168.28.128 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBG/cLQC3IgLKJnuYS8mOuhuJjfnMT4V2CsSJ6GNFgBlmANrik1sLgUeSIfyPOeirGfyz0En3/AAyI+slLpA/3lQ=
128的lisi用户下生成了认证密钥
[root@host01 ~]# cat /home/lisi/.ssh/authorized_keys
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEE/8T2xbTo11fmJu5sAc43OyUELuvl6OvcEiJ4WrZxaD9QR+PmJCxLZoVd5+HwyT6PFmW7EZjMk8NogcnDc9HI= root@host02
- 使用
128的lisi用户ssh登录,提示输入先前设置的密码
[root@host02 ~]# ssh [email protected]
Enter passphrase for key '/root/.ssh/id_ecdsa':
Last login: Thu Sep 12 17:09:37 2019 from 192.168.28.129
[lisi@host01 ~]$ logout
Connection to 192.168.28.128 closed.
- 可以设置免验证操作,并输入先前设置的密码
[root@host02 ~]# ssh-agent bash
[root@host02 ~]# ssh-add
Enter passphrase for /root/.ssh/id_ecdsa:
Identity added: /root/.ssh/id_ecdsa (/root/.ssh/id_ecdsa)
- 现在可以免密码登录
[root@host02 ~]# ssh [email protected]
Last login: Tue Sep 17 00:40:47 2019 from 192.168.28.129
[lisi@host01 ~]$ logout
Connection to 192.168.28.128 closed.
更改默认端口
- 关闭防火墙、
SELinux。
[root@host01 ~]# systemctl stop firewalld
[root@host01 ~]# setenforce 0
- 更改默认端口
22为2233
[root@host01 ~]# vim /etc/ssh/sshd_config
Port 2233
- 重新加载配置文件,使配置生效
[root@host01 ~]# systemctl reload sshd
[root@host01 ~]# netstat -ntuap | grep sshd
tcp 0 0 0.0.0.0:2233 0.0.0.0:* LISTEN 41357/sshd
tcp6 0 0 :::2233 :::* LISTEN 41357/sshd
- 直接登录失败
[root@host02 ~]# ssh [email protected]
ssh: connect to host 192.168.28.128 port 22: Connection refused
- 指定端口登录成功
[root@host02 ~]# ssh -p 2233 [email protected]
Last login: Tue Sep 17 01:21:11 2019 from 192.168.28.129
[lisi@host01 ~]$ logout
Connection to 192.168.28.128 closed.
scp 远程复制
- 创建测试文件、文件夹
[root@host02 ~]# echo "this is testfile01" > testfile01.txt
[root@host02 ~]# mkdir testdir01
- 远程复制文件
[root@host02 ~]# scp testfile01.txt [email protected]:/opt/
[email protected]'s password:
testfile01.txt 100% 19 11.4KB/s 00:00
- 远程复制文件夹
[root@host02 ~]# scp -r testdir01/ [email protected]:/opt/
[email protected]'s password:
- 查看是否复制成功
[root@host01 ~]# ls /opt/
rh testdir01 testfile.txt
sftp 安全文件传输协议
- 登录
[root@host02 ~]# sftp [email protected]
[email protected]'s password:
Connected to 192.168.28.128.
sftp>
- 可以
cd切换目录,ls查看,put上传
sftp> cd /home/zhangsan/
sftp> ls
sftp> put /root/testfile01.txt
Uploading /root/testfile01.txt to /home/zhangsan/testfile01.txt
/root/testfile01.txt 100% 19 32.8KB/s 00:00
sftp> ls
testfile01.txt
- 上传成功
[root@host01 ~]# ls /home/zhangsan/
testfile01.txt
get下载
sftp> get /etc/passwd
Fetching /etc/passwd to passwd
/etc/passwd 100% 2227 1.8MB/s 00:00
sftp> bye
- 下载成功
[root@host02 ~]# ls
anaconda-ks.cfg passwd testdir01 testfile01.txt