Linux SSH Service


    This post covers the SSH service in Linux networking: disabling root login, limiting login attempts, user whitelists, key-based authentication, changing the listening port, and scp/sftp file transfer.


    Test environment

    Name    IP address
    host01  192.168.28.128
    host02  192.168.28.129
    host03  192.168.28.130

    Disable root login

    • Check whether the sshd service port is listening
    [root@host01 ~]# netstat -ntuap | grep sshd
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      998/sshd            
    tcp6       0      0 :::22                   :::*                    LISTEN      998/sshd            
    
    • By default the root user can log in over SSH
    [root@host02 ~]# ssh root@192.168.28.128
    The authenticity of host '192.168.28.128 (192.168.28.128)' can't be established.
    ECDSA key fingerprint is SHA256:5GGc1rmzWwjF+ozz/PPTyLO2s6NmFHSxbzCNsLazXhY.
    ECDSA key fingerprint is MD5:0b:f5:62:d7:a4:1f:05:64:0b:7f:22:62:11:64:07:61.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.28.128' (ECDSA) to the list of known hosts.
    root@192.168.28.128's password: 
    Last login: Thu Sep 12 13:54:03 2019
    [root@host01 ~]# logout
    Connection to 192.168.28.128 closed.
    
    • Edit the configuration file to disable root login
    [root@host01 ~]# vim /etc/ssh/sshd_config
    PermitRootLogin no
    
    • Reload the configuration file so the change takes effect
    [root@host01 ~]# systemctl reload sshd
    
    • root can no longer log in
    [root@host02 ~]# ssh root@192.168.28.128
    root@192.168.28.128's password: 
    Permission denied, please try again.
    root@192.168.28.128's password: 
    
    • Add an ordinary user, zhangsan
    [root@host01 ~]# useradd zhangsan && echo "000000" | passwd --stdin zhangsan
    Changing password for user zhangsan.
    passwd: all authentication tokens updated successfully.
    [root@host01 ~]# id zhangsan
    uid=1001(zhangsan) gid=1001(zhangsan) groups=1001(zhangsan)
    
    • Log in as zhangsan now; notice that it is still possible to switch to root with su
    [root@host02 ~]# ssh zhangsan@192.168.28.128
    zhangsan@192.168.28.128's password: 
    [zhangsan@host01 ~]$ su - root
    Password: 
    Last login: Thu Sep 12 14:43:14 CST 2019 from 192.168.28.129 on pts/2
    Last failed login: Thu Sep 12 14:46:39 CST 2019 from 192.168.28.129 on ssh:notty
    There was 1 failed login attempt since the last successful login.
    [root@host01 ~]# logout
    [zhangsan@host01 ~]$ logout
    Connection to 192.168.28.128 closed.
    
    • Enabling the PAM wheel check for su blocks this switch
    [root@host01 ~]# vim /etc/pam.d/su
    auth            required        pam_wheel.so use_uid
    
    • zhangsan can no longer be used as a stepping stone to switch to root
    [root@host02 ~]# ssh zhangsan@192.168.28.128
    zhangsan@192.168.28.128's password: 
    Last login: Thu Sep 12 14:56:01 2019 from 192.168.28.129
    [zhangsan@host01 ~]$ su - root
    Password: 
    su: Permission denied
    [zhangsan@host01 ~]$ logout
    Connection to 192.168.28.128 closed.
    
    • Add zhangsan to the wheel group
    [root@host01 ~]# gpasswd -a zhangsan wheel
    Adding user zhangsan to group wheel
    [root@host01 ~]# id zhangsan
    uid=1001(zhangsan) gid=1001(zhangsan) groups=1001(zhangsan),10(wheel)
    
    • Only users in the wheel group can use the su command
    [root@host02 ~]# ssh zhangsan@192.168.28.128
    zhangsan@192.168.28.128's password: 
    Last login: Thu Sep 12 14:59:14 2019 from 192.168.28.129
    [zhangsan@host01 ~]$ su - root
    Password: 
    Last login: Thu Sep 12 14:56:13 CST 2019 on pts/2
    Last failed login: Thu Sep 12 14:59:25 CST 2019 on pts/2
    There was 1 failed login attempt since the last successful login.
    [root@host01 ~]# logout
    [zhangsan@host01 ~]$ logout
    Connection to 192.168.28.128 closed.
    

    Login attempt limit

    • MaxAuthTries defaults to 6 in the configuration file, yet the client stops after 3 attempts (its own NumberOfPasswordPrompts default)
    [root@host02 ~]# ssh zhangsan@192.168.28.128
    zhangsan@192.168.28.128's password: 
    Permission denied, please try again.
    zhangsan@192.168.28.128's password: 
    Permission denied, please try again.
    zhangsan@192.168.28.128's password: 
    Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
    
    • Set the maximum number of attempts to 5
    [root@host01 ~]# vim /etc/ssh/sshd_config
    MaxAuthTries 5
    
    • Reload the configuration file so the change takes effect
    [root@host01 ~]# systemctl reload sshd
    
    • For the server-side setting to have any visible effect, the client must be started with -o NumberOfPasswordPrompts=8. With 8 prompts allowed here, the server refuses further attempts after 5.
    [root@host02 ~]# ssh -o NumberOfPasswordPrompts=8 zhangsan@192.168.28.128
    zhangsan@192.168.28.128's password: 
    Permission denied, please try again.
    zhangsan@192.168.28.128's password: 
    Permission denied, please try again.
    zhangsan@192.168.28.128's password: 
    Permission denied, please try again.
    zhangsan@192.168.28.128's password: 
    Permission denied, please try again.
    zhangsan@192.168.28.128's password: 
    Received disconnect from 192.168.28.128 port 22:2: Too many authentication failures
    Authentication failed.
    

    Whitelist and blacklist

    • Add the users lisi and wangwu
    [root@host01 ~]# useradd lisi && echo "000000" | passwd --stdin lisi
    Changing password for user lisi.
    passwd: all authentication tokens updated successfully.
    [root@host01 ~]# useradd wangwu && echo "000000" | passwd --stdin wangwu
    Changing password for user wangwu.
    passwd: all authentication tokens updated successfully.
    
    • Add a whitelist entry (the file has none by default): zhangsan may log in only from .129, lisi from any host
    [root@host01 ~]# vim /etc/ssh/sshd_config
    AllowUsers zhangsan@192.168.28.129 lisi
    

    Whitelist: AllowUsers. Blacklist: DenyUsers. Do not use the two together.

    • Reload the configuration file so the change takes effect
    [root@host01 ~]# systemctl reload sshd
    
    • Test: zhangsan can log in from .129
    [root@host02 ~]# ssh zhangsan@192.168.28.128
    zhangsan@192.168.28.128's password: 
    Last login: Thu Sep 12 16:53:09 2019 from 192.168.28.129
    [zhangsan@host01 ~]$ logout
    Connection to 192.168.28.128 closed.
    
    • Test: lisi can log in from .129
    [root@host02 ~]# ssh lisi@192.168.28.128
    lisi@192.168.28.128's password: 
    [lisi@host01 ~]$ logout
    Connection to 192.168.28.128 closed.
    
    • Test: wangwu cannot log in from .129
    [root@host02 ~]# ssh wangwu@192.168.28.128
    wangwu@192.168.28.128's password: 
    Permission denied, please try again.
    wangwu@192.168.28.128's password: 
    
    • Test: zhangsan cannot log in from .130
    [root@host03 ~]# ssh zhangsan@192.168.28.128
    zhangsan@192.168.28.128's password: 
    Permission denied, please try again.
    zhangsan@192.168.28.128's password: 
    
    • Test: lisi can log in from .130
    [root@host03 ~]# ssh lisi@192.168.28.128
    lisi@192.168.28.128's password: 
    Last login: Thu Sep 12 16:56:07 2019 from 192.168.28.129
    [lisi@host01 ~]$ logout
    Connection to 192.168.28.128 closed.
    
    • Test: wangwu cannot log in from .130
    [root@host03 ~]# ssh wangwu@192.168.28.128
    wangwu@192.168.28.128's password: 
    Permission denied, please try again.
    wangwu@192.168.28.128's password: 
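
    The six tests above, replayed against the post's AllowUsers line by a small shell model of how sshd matches "user" and "user@host" entries. This is an added example, not code from the original post; the function name allow_users_permits and the glob-based comparison of the source address are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a model of how sshd evaluates an
# AllowUsers list of "user" / "user@host" entries. Once AllowUsers is set, a
# login is permitted only if SOME entry matches both the user and the source;
# everyone else is denied, which is why wangwu fails from every host.
# Assumption: sources are compared as plain IP strings (shell glob wildcards
# such as zhangsan@192.168.28.* work; hostname lookups are not modelled).

# allow_users_permits USER SOURCE_IP "ALLOWUSERS VALUE" -> 0 if permitted, 1 if not
allow_users_permits() {
    user=$1 src=$2 list=$3
    for entry in $list; do               # unquoted on purpose: split on whitespace
        case $entry in
            *@*) pat_user=${entry%%@*}; pat_host=${entry#*@} ;;
            *)   pat_user=$entry;        pat_host='*' ;;   # no host part: any source
        esac
        # unquoted variables in case patterns are matched as globs
        case $user in
            $pat_user) case $src in $pat_host) return 0 ;; esac ;;
        esac
    done
    return 1
}

# Replay the post's six tests against its line: AllowUsers zhangsan@192.168.28.129 lisi
ALLOW='zhangsan@192.168.28.129 lisi'
for attempt in zhangsan:192.168.28.129 zhangsan:192.168.28.130 \
               lisi:192.168.28.129 lisi:192.168.28.130 \
               wangwu:192.168.28.129 wangwu:192.168.28.130; do
    u=${attempt%%:*}; h=${attempt#*:}
    if allow_users_permits "$u" "$h" "$ALLOW"; then
        echo "$u from $h: allowed"
    else
        echo "$u from $h: denied"
    fi
done
```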
    

    Logging in with a key pair

    • Enable the public-key authentication option
    [root@host01 ~]# vim /etc/ssh/sshd_config
    PubkeyAuthentication yes
    
    • Reload the configuration file so the change takes effect
    [root@host01 ~]# systemctl reload sshd
    
    • Generate an ECDSA (Elliptic Curve Digital Signature Algorithm) key pair; a passphrase can be set
    [root@host02 ~]# ssh-keygen -t ecdsa
    Generating public/private ecdsa key pair.
    Enter file in which to save the key (/root/.ssh/id_ecdsa): 
    Enter passphrase (empty for no passphrase): 
    Enter same passphrase again: 
    Your identification has been saved in /root/.ssh/id_ecdsa.
    Your public key has been saved in /root/.ssh/id_ecdsa.pub.
    The key fingerprint is:
    SHA256:Y4AjDPfBRwYAP5exUlv7Obn08cvhSZzAsZ6Mwqt/ccE root@host02
    The key's randomart image is:
    +---[ECDSA 256]---+
    |o.oo=o+          |
    | = o.X..         |
    |  * O.o  ..      |
    |   = . o +Eo     |
    |        S =.     |
    |     . o.O.* .   |
    |      o oo= *    |
    |       o.  + +   |
    |    .oo.    =    |
    +----[SHA256]-----+
    
    • View the generated private and public key files
    [root@host02 ~]# ls .ssh/
    id_ecdsa  id_ecdsa.pub
    
    • Push the public key to the lisi user on .128
    [root@host02 ~]# ssh-copy-id -i .ssh/id_ecdsa.pub lisi@192.168.28.128
    /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_ecdsa.pub"
    /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
    /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
    lisi@192.168.28.128's password: 
    
    Number of key(s) added: 1
    
    Now try logging into the machine, with:   "ssh 'lisi@192.168.28.128'"
    and check to make sure that only the key(s) you wanted were added.
    
    • A known_hosts file is generated locally
    [root@host02 ~]# ls .ssh/
    id_ecdsa  id_ecdsa.pub  known_hosts
    
    • Its contents can be inspected
    [root@host02 ~]# cat .ssh/known_hosts
    192.168.28.128 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBG/cLQC3IgLKJnuYS8mOuhuJjfnMT4V2CsSJ6GNFgBlmANrik1sLgUeSIfyPOeirGfyz0En3/AAyI+slLpA/3lQ=
    
    • An authorized_keys file has been created under the lisi user on .128
    [root@host01 ~]# cat /home/lisi/.ssh/authorized_keys 
    ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEE/8T2xbTo11fmJu5sAc43OyUELuvl6OvcEiJ4WrZxaD9QR+PmJCxLZoVd5+HwyT6PFmW7EZjMk8NogcnDc9HI= root@host02
    
    • Log in as lisi on .128 over SSH; it prompts for the passphrase set earlier
    [root@host02 ~]# ssh lisi@192.168.28.128
    Enter passphrase for key '/root/.ssh/id_ecdsa': 
    Last login: Thu Sep 12 17:09:37 2019 from 192.168.28.129
    [lisi@host01 ~]$ logout
    Connection to 192.168.28.128 closed.
    
    • The prompt can be avoided by loading the key into ssh-agent, entering the passphrase once
    [root@host02 ~]# ssh-agent bash
    [root@host02 ~]# ssh-add
    Enter passphrase for /root/.ssh/id_ecdsa: 
    Identity added: /root/.ssh/id_ecdsa (/root/.ssh/id_ecdsa)
    
    • Login now needs no password
    [root@host02 ~]# ssh lisi@192.168.28.128
    Last login: Tue Sep 17 00:40:47 2019 from 192.168.28.129
    [lisi@host01 ~]$ logout
    Connection to 192.168.28.128 closed.
    

    Change the default port

    • Turn off the firewall and SELinux
    [root@host01 ~]# systemctl stop firewalld
    [root@host01 ~]# setenforce 0
    
    • Change the default port from 22 to 2233
    [root@host01 ~]# vim /etc/ssh/sshd_config
    Port 2233
    
    • Reload the configuration file so the change takes effect
    [root@host01 ~]# systemctl reload sshd
    [root@host01 ~]# netstat -ntuap | grep sshd
    tcp        0      0 0.0.0.0:2233            0.0.0.0:*               LISTEN      41357/sshd          
    tcp6       0      0 :::2233                 :::*                    LISTEN      41357/sshd          
    
    • Logging in directly fails
    [root@host02 ~]# ssh lisi@192.168.28.128
    ssh: connect to host 192.168.28.128 port 22: Connection refused
    
    • Logging in with the port specified succeeds
    [root@host02 ~]# ssh -p 2233 lisi@192.168.28.128
    Last login: Tue Sep 17 01:21:11 2019 from 192.168.28.129
    [lisi@host01 ~]$ logout
    Connection to 192.168.28.128 closed.
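
    An added check for the sshd_config edits made throughout this post (PermitRootLogin, MaxAuthTries, AllowUsers, PubkeyAuthentication, Port); not code from the original post. It reports the value sshd will actually use, which is the first uncommented occurrence of each keyword, so a setting appended at the bottom of the file silently loses to an earlier one. The function names and the sample configuration are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: print the EFFECTIVE value of the
# sshd_config keywords the post edits. sshd honours the FIRST uncommented
# occurrence of a keyword, so a line appended at the end is ignored if an
# earlier line already sets it ("sshd -T" shows the same on a live host).

# effective_sshd_value FILE KEYWORD -> first value found, or "(default)"
effective_sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, "") }                      # drop indentation
        NF == 0 || /^#/ { next }                    # skip blanks and comments
        { sub(/[ \t]*=[ \t]*/, " ") }               # accept "Keyword=value"
        tolower($1) == "match" { exit }             # stop before Match blocks
        tolower($1) == key { $1 = ""; sub(/^ +/, ""); print; found = 1; exit }
        END { if (!found) print "(default)" }' "$1"
}

# audit_sshd_config FILE -> one line per keyword; exit status = number of mismatches
audit_sshd_config() {
    findings=0
    for spec in PermitRootLogin:no MaxAuthTries:5 PubkeyAuthentication:yes Port:2233; do
        key=${spec%%:*}; want=${spec#*:}
        have=$(effective_sshd_value "$1" "$key")
        if [ "$have" = "$want" ]; then
            echo "OK    $key $have"
        else
            echo "CHECK $key is '$have', expected '$want'"
            findings=$((findings + 1))
        fi
    done
    echo "INFO  AllowUsers $(effective_sshd_value "$1" AllowUsers)"
    return $findings
}
# Constructed sample (not the post's real file): a stock-style config with the
# post's "PermitRootLogin no" appended, which loses to the earlier "yes".
write_sample_config() {
    cat > "$1" <<'EOF'
Port 2233
#PermitRootLogin yes
PermitRootLogin yes
MaxAuthTries 5
PubkeyAuthentication yes
AllowUsers zhangsan@192.168.28.129 lisi
PermitRootLogin no
EOF
}
SAMPLE=$(mktemp)
write_sample_config "$SAMPLE"
audit_sshd_config "$SAMPLE" || echo "$? keyword(s) need attention"
rm -f "$SAMPLE"
```

    On a real host, run it against /etc/ssh/sshd_config and compare with the output of sshd -T.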
    

    scp remote copy

    • Create a test file and a test directory
    [root@host02 ~]# echo "this is testfile01" > testfile01.txt 
    [root@host02 ~]# mkdir testdir01
    
    • Copy a file to the remote host
    [root@host02 ~]# scp testfile01.txt root@192.168.28.128:/opt/
    root@192.168.28.128's password: 
    testfile01.txt                                                                                                                                             100%   19    11.4KB/s   00:00    
    
    • Copy a directory to the remote host
    [root@host02 ~]# scp -r testdir01/ root@192.168.28.128:/opt/
    root@192.168.28.128's password: 
    
    • Check that the copy succeeded
    [root@host01 ~]# ls /opt/
    rh  testdir01  testfile.txt
    

    sftp: Secure File Transfer Protocol

    • Log in
    [root@host02 ~]# sftp root@192.168.28.128
    root@192.168.28.128's password: 
    Connected to 192.168.28.128.
    sftp> 
    
    • cd changes directory, ls lists files, put uploads
    sftp> cd /home/zhangsan/
    sftp> ls
    sftp> put /root/testfile01.txt
    Uploading /root/testfile01.txt to /home/zhangsan/testfile01.txt
    /root/testfile01.txt                                                                                                                                       100%   19    32.8KB/s   00:00    
    sftp> ls
    testfile01.txt   
    
    • Upload succeeded
    [root@host01 ~]# ls /home/zhangsan/
    testfile01.txt
    
    • get downloads
    sftp> get /etc/passwd 
    Fetching /etc/passwd to passwd
    /etc/passwd                                                                                                                                                100% 2227     1.8MB/s   00:00    
    sftp> bye
    
    • Download succeeded
    [root@host02 ~]# ls
    anaconda-ks.cfg  passwd  testdir01  testfile01.txt
    
    Original source: https://www.cnblogs.com/llife/p/11632898.html