Remote Access and Control
SSH Overview
SSH (Secure Shell) is a secure channel protocol used mainly for character-based remote login and remote copying. SSH encrypts the data exchanged between the two communicating parties, including the password the user types at login, so compared with applications such as TELNET (remote login) it provides much better security.
Service name: sshd
Server main program: /usr/sbin/sshd
Server main configuration file: /etc/ssh/sshd_config
Client configuration file: /etc/ssh/ssh_config
The sshd main configuration file, /etc/ssh/sshd_config:
1 # $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
2
3 # This is the sshd server system-wide configuration file. See
4 # sshd_config(5) for more information.
5
6 # This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
7
8 # The strategy used for options in the default sshd_config shipped with
9 # OpenSSH is to specify options with their default value where
10 # possible, but leave them commented. Uncommented options change a
11 # default value.
12
13 #Port 22 (service port; when commented out the default is 22; you can uncomment it and set your own port, but make sure the port you choose is not already used by another service)
14 #AddressFamily any
15 #ListenAddress 0.0.0.0 (IP address to listen on; 0.0.0.0 means listen on all addresses, so any host that can ping the server can use the service)
16 #ListenAddress :: (IPv6 listen address)
17
18 # Disable legacy (protocol version 1) support in the server for new
19 # installations. In future the default will change to require explicit
20 # activation of protocol 1
21 Protocol 2 (protocol version 2)
22
23 # HostKey for protocol version 1
24 #HostKey /etc/ssh/ssh_host_key
25 # HostKeys for protocol version 2
26 #HostKey /etc/ssh/ssh_host_rsa_key
27 #HostKey /etc/ssh/ssh_host_dsa_key
28
29 # Lifetime and size of ephemeral version 1 server key
30 #KeyRegenerationInterval 1h
31 #ServerKeyBits 1024
32
33 # Logging
34 # obsoletes QuietMode and FascistLogging
35 #SyslogFacility AUTH
36 SyslogFacility AUTHPRIV
37 #LogLevel INFO
38
39 # Authentication:
40
41 #LoginGraceTime 2m (time allowed for entering the password after the account name has been entered)
42 #PermitRootLogin yes (whether the superuser may log in; allowed by default; uncomment it and set it to no and root can no longer log in)
43 #StrictModes yes (before accepting a connection request, checks the ownership and permissions of the user's home directory and related files; permissions that are too open cause a failure, which is important to know and comes up again below)
44 #MaxAuthTries 6 (maximum number of authentication attempts, i.e. how many wrong passwords and the like are tolerated)
45 #MaxSessions 10
46
47 #RSAAuthentication yes
48 #PubkeyAuthentication yes (public key authentication)
49 #AuthorizedKeysFile .ssh/authorized_keys (where public keys are placed: .ssh/authorized_keys under the user's home directory)
50 #AuthorizedKeysCommand none
51 #AuthorizedKeysCommandRunAs nobody
52
53 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
54 #RhostsRSAAuthentication no
55 # similar for protocol version 2
56 #HostbasedAuthentication no
57 # Change to yes if you don't trust ~/.ssh/known_hosts for
58 # RhostsRSAAuthentication and HostbasedAuthentication
59 #IgnoreUserKnownHosts no
60 # Don't read the user's ~/.rhosts and ~/.shosts files
61 #IgnoreRhosts yes
62
63 # To disable tunneled clear text passwords, change to no here!
64 #PasswordAuthentication yes (password authentication)
65 #PermitEmptyPasswords no (whether login with an empty password is allowed)
66 PasswordAuthentication yes (log in using password authentication)
67
68 # Change to no to disable s/key passwords
69 #ChallengeResponseAuthentication yes
70 ChallengeResponseAuthentication no
71
72 # Kerberos options
73 #KerberosAuthentication no
74 #KerberosOrLocalPasswd yes
75 #KerberosTicketCleanup yes
76 #KerberosGetAFSToken no
77 #KerberosUseKuserok yes
78
79 # GSSAPI options
80 #GSSAPIAuthentication no
81 GSSAPIAuthentication yes (change this line to no, and also set UseDNS on line 122 to no, to speed up logins)
82 #GSSAPICleanupCredentials yes
83 GSSAPICleanupCredentials yes
84 #GSSAPIStrictAcceptorCheck yes
85 #GSSAPIKeyExchange no
86
87 # Set this to 'yes' to enable PAM authentication, account processing,
88 # and session processing. If this is enabled, PAM authentication will
89 # be allowed through the ChallengeResponseAuthentication and
90 # PasswordAuthentication. Depending on your PAM configuration,
91 # PAM authentication via ChallengeResponseAuthentication may bypass
92 # the setting of "PermitRootLogin without-password".
93 # If you just want the PAM account and session checks to run without
94 # PAM authentication, then enable this but set PasswordAuthentication
95 # and ChallengeResponseAuthentication to 'no'.
96 #UsePAM no
97 UsePAM yes
98
99 # Accept locale-related environment variables
100 AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
101 AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
102 AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
103 AcceptEnv XMODIFIERS
104
105 #AllowAgentForwarding yes
106 #AllowTcpForwarding yes
107 #GatewayPorts no
108 #X11Forwarding no
109 X11Forwarding yes
110 #X11DisplayOffset 10
111 #X11UseLocalhost yes
112 #PrintMotd yes
113 #PrintLastLog yes
114 #TCPKeepAlive yes
115 #UseLogin no
116 #UsePrivilegeSeparation yes
117 #PermitUserEnvironment no
118 #Compression delayed
119 #ClientAliveInterval 0
120 #ClientAliveCountMax 3
121 #ShowPatchLevel no
122 #UseDNS yes (reverse DNS lookup; set to no to disable it)
We can also consult the man pages: man 5 shows the help for a configuration file, e.g. man 5 sshd_config
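To see what a given sshd_config actually enforces, remember that only uncommented lines count and that sshd uses the first uncommented value it finds for a keyword. The following is an added shell example, not code from the original post: sshd_option reads the effective value of a keyword with awk, and sshd_report prints the options discussed above, falling back to the default shown in the listing's commented-out line when a keyword is not set. The function names and the sample config it writes to a temp file are constructed for this example; it assumes POSIX sh and awk.

```shell
#!/bin/sh
# Added example (not from the original post): report what an sshd_config enforces.

# Print the effective value of keyword $2 in config file $1.
# Commented lines only document the default, so they are skipped; keywords
# are case-insensitive, and like sshd we take the first uncommented value.
# Prints nothing when the keyword is not set anywhere.
sshd_option() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }      # comment line: skip
        /^[ \t]*$/ { next }      # blank line: skip
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Report the options discussed in the listing above. The fallback default for
# each keyword is the value shown in its commented-out line of that listing.
sshd_report() {
    for pair in "Port:22" "PermitRootLogin:yes" \
                "PasswordAuthentication:yes" "PermitEmptyPasswords:no" \
                "PubkeyAuthentication:yes" "MaxAuthTries:6" \
                "GSSAPIAuthentication:no" "UseDNS:yes"; do
        key="${pair%%:*}"
        default="${pair#*:}"
        value="$(sshd_option "$1" "$key")"
        if [ -n "$value" ]; then
            printf '%s = %s\n' "$key" "$value"
        else
            printf '%s = %s (default, commented out)\n' "$key" "$default"
        fi
    done
}

# Demo on a constructed config written to a temp file (not a real host's file).
demo_cfg="$(mktemp)"
cat > "$demo_cfg" <<'EOF'
#Port 22
Protocol 2
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
GSSAPIAuthentication yes
#UseDNS yes
EOF
sshd_report "$demo_cfg"
rm -f "$demo_cfg"
```

Run it against /etc/ssh/sshd_config with sshd_report /etc/ssh/sshd_config to see at a glance whether root login, password authentication, GSSAPI and DNS lookups are on, which is exactly the set of lines the annotations above suggest changing.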
Login authentication methods
The sshd service supports two authentication methods, password authentication and key-pair authentication; you can enable only one of them or both.
Password authentication: verifies the login name and password of a local system user on the server. This is the simplest method, but from the client's point of view the server it is connecting to could be impersonated, and from the server's point of view it offers weak defence against password-guessing (brute-force) attacks.
Key-pair authentication: requires the matching key material to pass verification. Usually a key pair (public key and private key) is created on the client first, and the public key file is placed in a designated location on the server. At remote login the system uses the public and private keys for a linked encrypt/decrypt verification, which greatly improves the security of remote administration.
Using the SSH client programs
Command-line programs: ssh (secure remote login), scp (secure remote copy), sftp
Graphical tool: Xshell
ssh
[root@DJ ~]# ssh root@192.168.10.129 (format: ssh account@ip-address-of-remote-host)
root@192.168.10.129's password: (enter the password)
Last login: Sun Apr 16 16:01:25 2017 from 192.168.10.2
[root@circle ~]# (login succeeded)
[root@circle ~]# exit (log out)
logout
Connection to 192.168.10.129 closed.
[root@DJ ~]#
scp source-file destination
Two forms:
[root@DJ ~]# touch 222 (create the file 222)
[root@DJ home]# scp /root/222 root@192.168.10.129:/root (copy the local file /root/222 into /root on host circle)
root@192.168.10.129's password:
222 100% 0 0.0KB/s 00:00
[root@DJ home]# ssh root@192.168.10.129
root@192.168.10.129's password:
Last login: Sun Apr 16 16:02:32 2017 from 192.168.10.130
[root@circle ~]# ll | grep 222
-rw-r--r--. 1 root root 0 Apr 16 16:10 222
The operation above copies a local file to the remote host; next, a demonstration of copying a file from the remote host to the local machine
[root@DJ home]# scp root@192.168.10.129:/root/789 /home/test1
root@192.168.10.129's password:
789 100% 0 0.0KB/s 00:00
[root@DJ home]# ls /home/test1 |grep 789
789
[root@DJ home]#
sftp (no further explanation needed)
[root@DJ home]# sftp 192.168.10.129
Connecting to 192.168.10.129...
root@192.168.10.129's password:
sftp>
sftp> exit
[root@DJ home]# sftp root@192.168.10.129
Connecting to 192.168.10.129...
root@192.168.10.129's password:
sftp>
Options for stopping root from using the remote service, in /etc/ssh/sshd_config:
#PermitRootLogin yes (uncomment and change to no)
or add the line DenyUsers root
Building an SSH setup with key-pair authentication
1. Create the key pair on the client
2. Upload the public key file to the server
3. Import the public key text on the server
4. Use key-pair authentication from the client
Steps 2 and 3 can be replaced by another method:
ssh-copy-id -i public-key-file user@host
After the password is verified, the public key is automatically appended to the .ssh/authorized_keys file in the home directory of user on the target host
Step 1:
[root@DJ ~]#
[root@DJ ~]# su - test1
[test1@DJ ~]$ ssh-keygen -t rsa (create the key pair; -t selects the algorithm)
Generating public/private rsa key pair.
Enter file in which to save the key (/home/test1/.ssh/id_rsa): (choose where to save the key)
Created directory '/home/test1/.ssh'.
Enter passphrase (empty for no passphrase): (you may set a key passphrase, which acts as a password on the key; it can be left empty)
Enter same passphrase again:
Your identification has been saved in /home/test1/.ssh/id_rsa.
Your public key has been saved in /home/test1/.ssh/id_rsa.pub.
The key fingerprint is:
6e:35:29:c3:7a:0d:2d:0d:62:a4:e1:51:9a:58:bf:6e test1@DJ
The key's randomart image is:
+--[ RSA 2048]----+
| +.o |
| + O |
| . = + . |
| . + + . |
| . S * |
| . o B . |
| E + . |
| . o |
| |
+-----------------+
[test1@DJ ~]$
[test1@DJ ~]$ cd /home/test1
[test1@DJ ~]$ ls -a
. 789 .bash_profile .gnome2 local_ftptest.dir .ssh
.. .bash_logout .bashrc local .mozilla
[test1@DJ ~]$ cd .ssh/
[test1@DJ .ssh]$ ll
total 8
-rw-------. 1 test1 test1 1679 Apr 17 11:50 id_rsa
-rw-r--r--. 1 test1 test1 390 Apr 17 11:50 id_rsa.pub (the key pair has been generated)
Step 2: upload the public key to the server
Method 1: (with this method, if the public key file's permissions are too open after copying, authentication fails, so set .ssh/ to 700 and the files inside it to 600)
[test1@DJ ~]$ scp /home/test1/.ssh/id_rsa.pub circle@192.168.10.129:/tmp (start the upload)
The authenticity of host '192.168.10.129 (192.168.10.129)' can't be established.
RSA key fingerprint is d0:fc:47:10:81:b1:79:0c:18:69:16:c3:4d:28:40:8a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.10.129' (RSA) to the list of known hosts.
circle@192.168.10.129's password:
id_rsa.pub 100% 390 0.4KB/s 00:00
[test1@DJ ~]$ ssh circle@192.168.10.129
circle@192.168.10.129's password:
[circle@circle ~]$ ls /tmp/ |grep id_
id_rsa.pub
Now fix the permissions on the client
[test1@DJ ~]$ cd .ssh/
[test1@DJ .ssh]$ ll
total 12
-rw-------. 1 test1 test1 1679 Apr 17 11:50 id_rsa
-rw-r--r--. 1 test1 test1 390 Apr 17 11:50 id_rsa.pub
-rw-r--r--. 1 test1 test1 396 Apr 17 12:03 known_hosts
[test1@DJ .ssh]$ chmod 600 id_rsa id_rsa.pub known_hosts
[test1@DJ .ssh]$ ll
total 12
-rw-------. 1 test1 test1 1679 Apr 17 11:50 id_rsa
-rw-------. 1 test1 test1 390 Apr 17 11:50 id_rsa.pub
-rw-------. 1 test1 test1 396 Apr 17 12:03 known_hosts
[test1@DJ .ssh]$ ll -d /home/test1/.ssh/
drwx------. 2 test1 test1 4096 Apr 17 12:03 /home/test1/.ssh/ (client-side permissions are now set)
The permissions should really have been fixed before the file was uploaded, but this was a problem solved only afterwards; take care of it next time. Also note that in this experiment both hosts have the hostname DJ, so don't let that confuse you.
Step 3: import the public key text on the server
[circle@circle ~]$ mkdir /home/circle/.ssh
[circle@circle ~]$ cat /tmp/id_rsa.pub > /home/circle/.ssh/authorized_keys
[circle@circle ~]$ cat /home/circle/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAsVuQTGMrpIRfVRxFo5smw5nViZU1GXyKsBrmZmXw3lXo9Os/gNUTzDU/LOuFc9lzZNTniS8+VPmUKw/q+Jd7v9mX7OVOSaqr+h22+CTnqRjektDgsBZh25pDntVk/daafRo4ylWN8jONja+AYngBQAurL0yZhOLLCNoXhgKrVAUdxoH+B2V1cqWgEbULURYzkNycP/jLM9OkctsB9U9FZlqZ/ysTONvHo9PsATtBx0WDMW+pSbveuw848waf75L4+/PWZuwwP6dUjYdhBTQDi9s4/4BNV7Fz9AK2lkXbSvXs9v42uIoE3nuHxxoJMZ1e6V8aQyhALcBEZK/z66eGfw== test1@DJ
[circle@circle ~]$
[root@DJ .ssh]# ll
total 4
-rw-rw-r--. 1 circle circle 390 Apr 16 17:24 authorized_keys
[root@DJ .ssh]# chmod 600
chmod: missing operand after `600'
Try `chmod --help' for more information.
[root@DJ .ssh]# chmod 600 authorized_keys
[root@DJ .ssh]# ll -d /home/circle/.ssh/
drwxrwxr-x. 2 circle circle 4096 Apr 16 17:24 /home/circle/.ssh/
[root@DJ .ssh]# chmod 700 /home/circle/.ssh/
[root@DJ .ssh]# ll -d /home/circle/.ssh/
drwx------. 2 circle circle 4096 Apr 16 17:24 /home/circle/.ssh/
[root@DJ .ssh]# /etc/init.d/sshd restart (set the server-side file permissions, then restart the service)
The permissions on the server side must be changed too!!!
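Because StrictModes rejects a .ssh directory or authorized_keys file that is writable by group or others, and the ssh client refuses a private key that anyone else can read, it helps to have a check that reports these problems before the first login attempt. The following is an added shell example, not code from the original post: check_ssh_dir prints each offending file and returns non-zero, and fix_ssh_dir applies the 700/600 permissions used in method 1 above. The function names and the demo directory it creates under mktemp are constructed for this example; it assumes GNU stat (stat -c %a).

```shell
#!/bin/sh
# Added example (not from the original post): StrictModes-style permission check
# for a .ssh directory, plus the fix used in method 1 above. Assumes GNU stat.

# True when the mode of $1 has any bit of octal mask $2 set (022 = group/other write).
mode_has() {
    mode="$(stat -c %a "$1")" || return 1
    [ $(( 0$mode & $2 )) -ne 0 ]
}

# Check directory $1. Prints one line per problem; returns 0 only if clean.
# sshd (StrictModes) rejects a .ssh directory or authorized_keys that is
# writable by group or others; the ssh client rejects a private key that
# is readable or writable by anyone but its owner.
check_ssh_dir() {
    dir="$1"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir"
        return 1
    fi
    if mode_has "$dir" 022; then
        echo "group/other writable directory: $dir"
        rc=1
    fi
    if [ -f "$dir/authorized_keys" ] && mode_has "$dir/authorized_keys" 022; then
        echo "group/other writable file: $dir/authorized_keys"
        rc=1
    fi
    for f in "$dir"/id_*; do
        case "$f" in *.pub) continue ;; esac   # public halves may be world-readable
        if [ -f "$f" ] && mode_has "$f" 077; then
            echo "private key accessible by others: $f"
            rc=1
        fi
    done
    return "$rc"
}

# Apply the permissions used in the post: 700 on the directory, 600 on every file in it.
fix_ssh_dir() {
    chmod 700 "$1"
    for f in "$1"/*; do
        if [ -f "$f" ]; then chmod 600 "$f"; fi
    done
    return 0
}

# Demo on a constructed directory under mktemp (no real home directory is touched).
demo="$(mktemp -d)/.ssh"
mkdir -m 775 "$demo"
echo "ssh-rsa AAAA...constructed-key... test1@DJ" > "$demo/authorized_keys"
chmod 664 "$demo/authorized_keys"
check_ssh_dir "$demo" || echo "problems found, fixing"
fix_ssh_dir "$demo"
check_ssh_dir "$demo" && echo "$demo is clean"
rm -rf "${demo%/.ssh}"
```

On a real server, run check_ssh_dir /home/circle/.ssh as root before restarting sshd; the same group-writable directory that the listing above shows (drwxrwxr-x) is exactly what the first check line reports.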
Method 2:
Method 1 is actually quite cumbersome, mainly because of the file and directory permission changes, since overly open permissions also make public-key authentication fail. So we can use a single command instead:
[test1@DJ .ssh]$ ssh-copy-id -i /home/test1/.ssh/id_rsa.pub circle@192.168.10.129
circle@192.168.10.129's password:
Now try logging into the machine, with "ssh 'circle@192.168.10.129'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
This uploads the public key straight to the server with the permissions already set correctly; let's take a look below
[root@DJ circle]# ll .ssh/
total 4
-rw-------. 1 circle circle 390 Apr 17 18:42 authorized_keys
[root@DJ circle]# ll -d .ssh/
drwx------. 2 circle circle 4096 Apr 17 18:42 .ssh/
[root@DJ circle]# (much more comfortable)
Step 4: use key-pair authentication from the client
[test1@DJ .ssh]$ ssh circle@192.168.10.129
Last login: Mon Apr 17 18:31:53 2017 from 192.168.10.130
[circle@DJ ~]$
Introduction to TCP Wrappers
Meaning: TCP wrapper
An access control tool provided by the Linux system
Monitors TCP-based application services
How the protection mechanism is implemented
1. The tcpd main program wraps other service programs
2. Other service programs call the libwrap.so.* shared library
Access control policy configuration files
/etc/hosts.allow (if there is a matching entry in this file, no further check is made and the connection is allowed; if there is none, hosts.deny is checked next)
/etc/hosts.deny (if the service has a matching entry in this file, the connection is refused; if neither file has a matching entry, the connection is allowed)
allow takes priority over deny
The iptables firewall can also control services, so why use TCP Wrappers?
Because TCP Wrappers is simple to configure; it does have limits, though, and can only control TCP-based application services
Not every service accepts control by TCP Wrappers
The ldd command lists the shared libraries a service's main program depends on. In the example below we filter the libraries of the sshd service for the TCP Wrappers library; finding it shows that sshd supports TCP Wrappers control
[root@DJ ~]# ldd /usr/sbin/sshd | grep libwrap
libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f87acfc9000)
[root@DJ ~]#
Detailed explanation of the configuration entries
service list : client list (both lists may contain several entries separated by commas)
Lab setup
Server IP 192.168.10.130
Client 1 IP 192.168.10.129
Client 2 IP 192.168.10.131
Requirement: allow client 2 to log in remotely and deny all other clients
1. Edit /etc/hosts.allow on the server and add an entry allowing 192.168.10.131 to log in
[root@DJ ~]# vi /etc/hosts.allow
#
# hosts.allow This file contains access rules which are used to
# allow or deny connections to network services that
# either use the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
sshd:192.168.10.131
Edit /etc/hosts.deny so that everyone other than the entries in the allow file is unable to log in remotely
#
# hosts.deny This file contains access rules which are used to
# deny connections to network services that either use
# the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# The rules in this file can also be set up in
# /etc/hosts.allow with a 'deny' option instead.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
sshd:ALL
Access test from client 1
[root@circle ~]# ssh root@192.168.10.130
ssh_exchange_identification: Connection closed by remote host
[root@circle ~]#
Access test from client 2
[root@DJ ~]# ssh root@192.168.10.130
The authenticity of host '192.168.10.130 (192.168.10.130)' can't be established.
RSA key fingerprint is d0:fc:47:10:81:b1:79:0c:18:69:16:c3:4d:28:40:8a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.10.130' (RSA) to the list of known hosts.
root@192.168.10.130's password:
Last login: Mon Apr 17 15:15:13 2017 from 192.168.10.2
[root@DJ ~]# hostname -I
192.168.99.229 192.168.10.130
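The evaluation order described above (a hosts.allow match grants access, otherwise a hosts.deny match refuses it, otherwise access is granted) can be exercised offline without touching /etc. The following added shell example, not part of the original post, reproduces the lab's rules in temporary files and decides access for each client with an awk rule matcher. The function names hosts_match and wrap_decision are constructed; the matcher handles only ALL, exact addresses and the trailing-dot network prefix form from hosts_access(5), and ignores the EXCEPT operator, hostnames, IPv6 and inline options.

```shell
#!/bin/sh
# Added example (not from the original post): evaluate TCP Wrappers rules offline.

# Exit 0 when rule file $1 has a line matching daemon $2 and client $3.
# Each rule is "daemon_list : client_list"; list items are separated by commas
# or spaces. Supported client patterns: ALL, an exact address, and the
# trailing-dot network prefix from hosts_access(5), e.g. "192.168.10.".
# Not handled (simplification): EXCEPT, hostnames, IPv6, inline options.
hosts_match() {
    awk -v daemon="$2" -v client="$3" '
        function in_list(list, item,    n, i, a, p) {
            n = split(list, a, /[, \t]+/)
            for (i = 1; i <= n; i++) {
                p = a[i]
                if (p == "") continue
                if (p == "ALL" || p == item) return 1
                if (p ~ /\.$/ && index(item, p) == 1) return 1   # network prefix
            }
            return 0
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
        {
            if (split($0, f, ":") < 2) next          # malformed rule: ignore
            if (in_list(f[1], daemon) && in_list(f[2], client)) { found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# Decision order from hosts_access(5), as described above: a match in
# hosts.allow grants access; otherwise a match in hosts.deny refuses it;
# otherwise (no rule in either file) access is granted.
wrap_decision() {
    allow_file="$1"; deny_file="$2"; svc="$3"; addr="$4"
    if [ -f "$allow_file" ] && hosts_match "$allow_file" "$svc" "$addr"; then
        echo allow
    elif [ -f "$deny_file" ] && hosts_match "$deny_file" "$svc" "$addr"; then
        echo deny
    else
        echo allow
    fi
}

# Demo reproducing the lab above with constructed files in a temp directory
# (nothing under /etc is read or written).
lab="$(mktemp -d)"
printf 'sshd:192.168.10.131\n' > "$lab/hosts.allow"
printf 'sshd:ALL\n' > "$lab/hosts.deny"
for ip in 192.168.10.131 192.168.10.129; do
    printf 'sshd from %s -> %s\n' "$ip" \
        "$(wrap_decision "$lab/hosts.allow" "$lab/hosts.deny" sshd "$ip")"
done
rm -rf "$lab"
```

The demo prints allow for 192.168.10.131 and deny for 192.168.10.129, matching the two client tests above; a service with no rule in either file (for example vsftpd) is allowed, which is why a deny-all line for that service is needed if it should be restricted as well.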
Common remote login tools: Xshell, CRT, PuTTY, Xmanager