Linux SSH 服务-LMLPHP

本篇写一些关于Linux网络中SSH服务的相关知识。


测试环境

host01192.168.28.128
host02192.168.28.129
host03192.168.28.130

禁止 root 登录

  • 查看ssh服务端口是否开启
[root@host01 ~]# netstat -ntuap | grep sshd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 998/sshd
tcp6 0 0 :::22 :::* LISTEN 998/sshd
  • 默认可以使用root用户登录
[root@host02 ~]# ssh [email protected]
The authenticity of host '192.168.28.128 (192.168.28.128)' can't be established.
ECDSA key fingerprint is SHA256:5GGc1rmzWwjF+ozz/PPTyLO2s6NmFHSxbzCNsLazXhY.
ECDSA key fingerprint is MD5:0b:f5:62:d7:a4:1f:05:64:0b:7f:22:62:11:64:07:61.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.28.128' (ECDSA) to the list of known hosts.
[email protected]'s password:
Last login: Thu Sep 12 13:54:03 2019
[root@host01 ~]# logout
Connection to 192.168.28.128 closed.
  • 编辑配置文件,禁止root用户登录
[root@host01 ~]# vim /etc/ssh/sshd_config
PermitRootLogin no
  • 重新加载配置文件,使配置生效
[root@host01 ~]# systemctl reload sshd
  • 不可使用root用户登录
[root@host02 ~]# ssh [email protected]
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
  • 添加普通用户zhangsan
[root@host01 ~]# useradd zhangsan && echo "000000" | passwd --stdin zhangsan
Changing password for user zhangsan.
passwd: all authentication tokens updated successfully.
[root@host01 ~]# id zhangsan
uid=1001(zhangsan) gid=1001(zhangsan) groups=1001(zhangsan)
  • 现在以zhangsan登录,发现可以切换至root用户
[root@host02 ~]# ssh [email protected]
[email protected]'s password:
[zhangsan@host01 ~]$ su - root
Password:
Last login: Thu Sep 12 14:43:14 CST 2019 from 192.168.28.129 on pts/2
Last failed login: Thu Sep 12 14:46:39 CST 2019 from 192.168.28.129 on ssh:notty
There was 1 failed login attempt since the last successful login.
[root@host01 ~]# logout
[zhangsan@host01 ~]$ logout
Connection to 192.168.28.128 closed.
  • 可以开启pam认证来禁止切换
[root@host01 ~]# vim /etc/pam.d/su
auth required pam_wheel.so use_uid
  • 现在不可以使用zhangsan做跳板切换至root用户
[root@host02 ~]# ssh [email protected]
[email protected]'s password:
Last login: Thu Sep 12 14:56:01 2019 from 192.168.28.129
[zhangsan@host01 ~]$ su - root
Password:
su: Permission denied
[zhangsan@host01 ~]$ logout
Connection to 192.168.28.128 closed.
  • zhangsan添加至wheel
[root@host01 ~]# gpasswd -a zhangsan wheel
Adding user zhangsan to group wheel
[root@host01 ~]# id zhangsan
uid=1001(zhangsan) gid=1001(zhangsan) groups=1001(zhangsan),10(wheel)
  • 只有在wheel组中的用户才可以使用su命令
[root@host02 ~]# ssh [email protected]
[email protected]'s password:
Last login: Thu Sep 12 14:59:14 2019 from 192.168.28.129
[zhangsan@host01 ~]$ su - root
Password:
Last login: Thu Sep 12 14:56:13 CST 2019 on pts/2
Last failed login: Thu Sep 12 14:59:25 CST 2019 on pts/2
There was 1 failed login attempt since the last successful login.
[root@host01 ~]# logout
[zhangsan@host01 ~]$ logout
Connection to 192.168.28.128 closed.

登录次数尝试

  • 配置文件默认是6次,但尝试3次就不可再尝试
[root@host02 ~]# ssh [email protected]
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
  • 设置参数最大次数为5
[root@host01 ~]# vim /etc/ssh/sshd_config
MaxAuthTries 5
  • 重新加载配置文件,使配置生效
[root@host01 ~]# systemctl reload sshd
  • 想要使配置能够有意义,需要使用-o NumberOfPasswordPrompts=8参数,这里尝试8次,发现5次后被拒绝尝试。
[root@host02 ~]# ssh -o NumberOfPasswordPrompts=8 [email protected]
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Received disconnect from 192.168.28.128 port 22:2: Too many authentication failures
Authentication failed.

黑白名单

  • 添加lisiwangwu用户
[root@host01 ~]# useradd lisi && echo "000000" | passwd --stdin lisi
Changing password for user lisi.
passwd: all authentication tokens updated successfully.
[root@host01 ~]# useradd wangwu && echo "000000" | passwd --stdin wangwu
Changing password for user wangwu.
passwd: all authentication tokens updated successfully.
  • 添加白名单配置,默认没有相关条目zhangsan只能从129登录,lisi可以从任何主机登录
[root@host01 ~]# vim /etc/ssh/sshd_config
AllowUsers [email protected] lisi
  • 重新加载配置文件,使配置生效
[root@host01 ~]# systemctl reload sshd
  • 测试zhangsan可以从129登录
[root@host02 ~]# ssh [email protected]
[email protected]'s password:
Last login: Thu Sep 12 16:53:09 2019 from 192.168.28.129
[zhangsan@host01 ~]$ logout
Connection to 192.168.28.128 closed.
  • 测试lisi可以从129登录
[root@host02 ~]# ssh [email protected]
[email protected]'s password:
[lisi@host01 ~]$ logout
Connection to 192.168.28.128 closed.
  • 测试wangwu不可从129登录
[root@host02 ~]# ssh [email protected]
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
  • 测试zhangsan不可从130登录
[root@host03 ~]# ssh [email protected]
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
  • 测试lisi可以从130登录
[root@host03 ~]# ssh [email protected]
[email protected]'s password:
Last login: Thu Sep 12 16:56:07 2019 from 192.168.28.129
[lisi@host01 ~]$ logout
Connection to 192.168.28.128 closed.
  • 测试wangwu不可从130登录
[root@host03 ~]# ssh [email protected]
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:

使用密钥对登录

  • 开启密钥认证选项
[root@host01 ~]# vim /etc/ssh/sshd_config
PubkeyAuthentication yes
  • 重新加载配置文件,使配置生效
[root@host01 ~]# systemctl reload sshd
  • 生成类型为ecdsa椭圆曲线数字签名加密的密钥,可以设置一个密码
[root@host02 ~]# ssh-keygen -t ecdsa
Generating public/private ecdsa key pair.
Enter file in which to save the key (/root/.ssh/id_ecdsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_ecdsa.
Your public key has been saved in /root/.ssh/id_ecdsa.pub.
The key fingerprint is:
SHA256:Y4AjDPfBRwYAP5exUlv7Obn08cvhSZzAsZ6Mwqt/ccE root@host02
The key's randomart image is:
+---[ECDSA 256]---+
|o.oo=o+ |
| = o.X.. |
| * O.o .. |
| = . o +Eo |
| S =. |
| . o.O.* . |
| o oo= * |
| o. + + |
| .oo. = |
+----[SHA256]-----+
  • 查看生成的私钥和公钥文件
[root@host02 ~]# ls .ssh/
id_ecdsa id_ecdsa.pub
  • 推送公钥文件至128lisi用户
[root@host02 ~]# ssh-copy-id -i .ssh/id_ecdsa.pub [email protected]
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_ecdsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password: Number of key(s) added: 1 Now try logging into the machine, with: "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.
  • 本地会生成一个已知主机文件
[root@host02 ~]# ls .ssh/
id_ecdsa id_ecdsa.pub known_hosts
  • 可以查看一下
[root@host02 ~]# cat .ssh/known_hosts
192.168.28.128 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBG/cLQC3IgLKJnuYS8mOuhuJjfnMT4V2CsSJ6GNFgBlmANrik1sLgUeSIfyPOeirGfyz0En3/AAyI+slLpA/3lQ=
  • 128lisi用户下生成了认证密钥
[root@host01 ~]# cat /home/lisi/.ssh/authorized_keys
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEE/8T2xbTo11fmJu5sAc43OyUELuvl6OvcEiJ4WrZxaD9QR+PmJCxLZoVd5+HwyT6PFmW7EZjMk8NogcnDc9HI= root@host02
  • 使用128lisi用户ssh登录,提示输入先前设置的密码
[root@host02 ~]# ssh [email protected]
Enter passphrase for key '/root/.ssh/id_ecdsa':
Last login: Thu Sep 12 17:09:37 2019 from 192.168.28.129
[lisi@host01 ~]$ logout
Connection to 192.168.28.128 closed.
  • 可以设置免验证操作,并输入先前设置的密码
[root@host02 ~]# ssh-agent bash
[root@host02 ~]# ssh-add
Enter passphrase for /root/.ssh/id_ecdsa:
Identity added: /root/.ssh/id_ecdsa (/root/.ssh/id_ecdsa)
  • 现在可以免密码登录
[root@host02 ~]# ssh [email protected]
Last login: Tue Sep 17 00:40:47 2019 from 192.168.28.129
[lisi@host01 ~]$ logout
Connection to 192.168.28.128 closed.

更改默认端口

  • 关闭防火墙、SELinux
[root@host01 ~]# systemctl stop firewalld
[root@host01 ~]# setenforce 0
  • 更改默认端口222233
[root@host01 ~]# vim /etc/ssh/sshd_config
Port 2233
  • 重新加载配置文件,使配置生效
[root@host01 ~]# systemctl reload sshd
[root@host01 ~]# netstat -ntuap | grep sshd
tcp 0 0 0.0.0.0:2233 0.0.0.0:* LISTEN 41357/sshd
tcp6 0 0 :::2233 :::* LISTEN 41357/sshd
  • 直接登录失败
[root@host02 ~]# ssh [email protected]
ssh: connect to host 192.168.28.128 port 22: Connection refused
  • 指定端口登录成功
[root@host02 ~]# ssh -p 2233 [email protected]
Last login: Tue Sep 17 01:21:11 2019 from 192.168.28.129
[lisi@host01 ~]$ logout
Connection to 192.168.28.128 closed.

scp 远程复制

  • 创建测试文件、文件夹
[root@host02 ~]# echo "this is testfile01" > testfile01.txt
[root@host02 ~]# mkdir testdir01
  • 远程复制文件
[root@host02 ~]# scp testfile01.txt [email protected]:/opt/
[email protected]'s password:
testfile01.txt 100% 19 11.4KB/s 00:00
  • 远程复制文件夹
[root@host02 ~]# scp -r testdir01/ [email protected]:/opt/
[email protected]'s password:
  • 查看是否复制成功
[root@host01 ~]# ls /opt/
rh testdir01 testfile.txt

sftp 安全文件传输协议

  • 登录
[root@host02 ~]# sftp [email protected]
[email protected]'s password:
Connected to 192.168.28.128.
sftp>
  • 可以cd切换目录,ls查看,put上传
sftp> cd /home/zhangsan/
sftp> ls
sftp> put /root/testfile01.txt
Uploading /root/testfile01.txt to /home/zhangsan/testfile01.txt
/root/testfile01.txt 100% 19 32.8KB/s 00:00
sftp> ls
testfile01.txt
  • 上传成功
[root@host01 ~]# ls /home/zhangsan/
testfile01.txt
  • get下载
sftp> get /etc/passwd
Fetching /etc/passwd to passwd
/etc/passwd 100% 2227 1.8MB/s 00:00
sftp> bye
  • 下载成功
[root@host02 ~]# ls
anaconda-ks.cfg passwd testdir01 testfile01.txt
05-12 04:50