openssh-server 太过爱你忘了你带给我的痛 2022-06-07 08:24 172阅读 0赞 # openssh-server # ### 1.openssh-server ### 功能:让远程主机可以通过网络访问sshd服务,开始一个安全shell ### 2.客户端连接方式 ### #### 2.1 ssh 远程主机用户@远程主机ip #### [root@desktop0 ~]# ssh root@172.25.0.11 The authenticity of host '172.25.0.11 (172.25.0.11)' can't be established. ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08. Are you sure you want to continue connecting (yes/no)? yes ##连接陌生主机时需要建立认证关系 Warning: Permanently added '172.25.0.11' (ECDSA) to the list of known hosts. root@172.25.0.11's password: ##远程用户密码 Last login: Mon Oct 3 03:13:47 2016 [root@server0 ~]# ##登陆成功 ![这里写图片描述][SouthEast] #### 2.2 ssh 远程主机用户@远程主机ip -X \#\#调用远程主机图形工具 #### ![这里写图片描述][SouthEast 1] #### 2.3ssh 远程主机用户@远程主机ip command \#\#直接在远程主机运行某条命令 #### ![这里写图片描述][SouthEast 2] #### 图中的命令表示真机在虚拟机desktop的桌面上建了一个文件file #### ## 3.sshkey加密 ## ### 1.生成公钥私钥 ### [root@server0 ~]# ssh-keygen ##生成公钥私钥工具 Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa):[enter] ##加密字符保存文件(建议用默认) Created directory '/root/.ssh'. Enter passphrase (empty for no passphrase): [enter] ##密钥密码,必须>4个字符 Enter same passphrase again: [enter] ##确认密码 Your identification has been saved in /root/.ssh/id_rsa. Your public key has been saved in /root/.ssh/id_rsa.pub. The key fingerprint is: ab:3c:73:2e:c8:0b:75:c8:39:3a:46:a2:22:34:84:81 root@server0.example.com The key's randomart image is: +--[ RSA 2048]----+ |o | |E. | |.. | |. . o | |.o. * . S | |oo.o o . | |+ =. . . | |o. oo.+.. | | ..o*. | +-----------------+ ![这里写图片描述][SouthEast 3] [root@server0 ~]# ls /root/.ssh/ id_rsa id_rsa.pub id_rsa ##私钥,就是钥匙 id_rsa.pub ##公钥,就是锁 ### 2.添加key认证方式 ### [root@server0 ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.25.0.11 #ssh-copy-id ##添加key认证方式的工具 #-i ##指定加密key文件 #/root/.ssh/id_rsa.pub ##加密key #root ##加密用户为root #172.25.0.11 ##被加密主机ip ![这里写图片描述][SouthEast 4] ### 3.分发钥匙给client主机 ### [root@server0 ~]#scp/root/.ssh/id_rsaroot@172.25.0.10:/root/.ssh/ ![这里写图片描述][SouthEast 5] ### 4.测试 ### [root@desktop0 ~]# ssh root@172.25.0.11 ##通过id_rsa直接连接不需要输入用户密码 Last login: Mon Oct 3 03:58:10 2016 from 172.25.0.250 [root@server0 ~]# ![这里写图片描述][SouthEast 6] ## 4.提升openssh的安全级别 ## ### 1.openssh-server配置文件 ### /etc/ssh/sshd\_config 配置文件 78 PasswordAuthentication yes|no \#\#是否开启用户密码认证,yes为支持no为关闭 ![SouthEast 7][] ‘’在配置文件中把用户开启密码认证关闭后,当真机拥有此前虚拟机所发送的钥匙的情况下,真机再次重新连接虚拟机的时候,就不需要输入密码;若没有密码,则连接不上虚拟机。因为真机必须拥有验证的一种方式,当它没有钥匙的情况下,又不能验证密码,那么就无法验证身份,也就不能登录到虚拟机中。‘’ 48 PermitRootLogin yes|no \#\#是否允许超级用户登陆 49 AllowUsers student westos \#\#用户白名单,只有在名单中出现的用户可以使用sshd建立shell 50 DenyUsers westos \#\#用户黑名单 ### 2.控制ssh客户端访问 ### vim /etc/hosts.deny sshd:ALL \#\#拒绝所有人链接sshd服务 vim /etc/hosts.allow sshd:172.25.254.250 \#\#允许250主机链接sshd sshd:172.25.254.250, 172.25.254.180 \#\#允许250和180链接 sshd:ALL EXCEPT 172.25.254.200 \#\#只不允许200链接sshd ![这里写图片描述][SouthEast 8] ![这里写图片描述][SouthEast 9] ‘’此次实验,在虚拟机的vim /etc/hosts.allow文件中输入如图所示,表示只不允许56链接sshd,当我们用真机去链接时,果然权限不允许。‘’ ### 3.ssh登陆提示修改该 ### vim /etc/motd \#\#显示登陆后字符 hello world \#\#在登陆后就会显示这个字符 ![这里写图片描述][SouthEast 10] ‘’在虚拟机的 /etc/motd这个配置文件中(此配置文件默认为空)输入图中信息,当我们用真机去登录虚拟机的时候就出现了我们此前编辑的东西。‘’ [SouthEast]: /images/20220607/aa2a185f3e694958866a4469f61b88fe.png [SouthEast 1]: /images/20220607/d603da61a1cc4dff8f8239c8aa7cee48.png [SouthEast 2]: /images/20220607/b21c68802b054a6d8f91f039061636a0.png [SouthEast 3]: /images/20220607/1e069f44e6044edc8d5b75231a50aae1.png [SouthEast 4]: /images/20220607/dc897d7e936d492b9bfbd41316fc3aaf.png [SouthEast 5]: /images/20220607/5996bc3fffd74f3a94c7b3ea0095eba0.png [SouthEast 6]: /images/20220607/580b436228484cf697da7465e7a3837e.png [SouthEast 7]: /images/20220607/9c64cee6d52b43bfb63affc196c3a855.png [SouthEast 8]: /images/20220607/2bc1c9241b6d48d88ca18dc6c8e77bc9.png [SouthEast 9]: /images/20220607/0f67206fb8e14e0aafde45f9823f20c1.png [SouthEast 10]: /images/20220607/8070b6aac4ff44b98a9cb3386e4ae751.png
还没有评论,来说两句吧...