openssh

I. Environment

IP              Hostname     OS
192.168.69.134  qy-server    CentOS 7
192.168.69.131  qy-clicent   CentOS 7

II. Introduction to OpenSSH

Brother Yong's work is always top quality.

The term OpenSSH refers to the implementation of the Secure Shell software used on the system. It is used to run a shell securely on a remote system. If you have a user account on a remote Linux system that offers the ssh service, ssh is the command you normally use to log in to that system remotely. The ssh command can also be used to run commands on the remote system.

III. Procedure

1. Disable the firewall and SELinux

[root@qy-server ~]# systemctl stop firewalld.service
[root@qy-server ~]# systemctl disable firewalld.service
[root@qy-clicent ~]# systemctl stop firewalld.service
[root@qy-clicent ~]# systemctl disable firewalld.service
[root@qy-clicent ~]# setenforce 0    # switches SELinux to permissive mode until the next reboot
[root@qy-server ~]# setenforce 0

2. Install SSH

[root@qy-server ~]# yum -y install openssh-server
[root@qy-clicent ~]# yum -y install openssh-clients

3. Generate a key pair

[root@qy-clicent ~]# ssh-keygen -t rsa        # create a public/private key pair with ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:roUVEiCF9wH2YqxcjAVxadhXSEBpx0xAqSHHkqbd8Fg root@qy-clicent
The key's randomart image is:
+---[RSA 2048]----+
| o+X%&+o.        |
|+.BOE.B.         |
|o=.%*+o..        |
|..++o... .       |
|  o     S        |
|       +         |
|      . o        |
|       o         |
|      .          |
+----[SHA256]-----+
[root@qy-clicent ~]# ls .ssh/    # list the generated key pair
id_rsa  id_rsa.pub

[root@qy-clicent ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@192.168.69.134    # copy the public key to the right place on the remote system
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.69.134 (192.168.69.134)' can't be established.
ECDSA key fingerprint is SHA256:+QHBnIuUCWJcNRAaDYncL/7+fjLKQszXzjEhQdvjgL4.
ECDSA key fingerprint is MD5:fa:38:e6:82:20:60:6d:9f:78:cd:76:98:95:95:72:2e.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.69.134's password: 
Number of key(s) added: 1
Now try logging into the machine, with:   "ssh 'root@192.168.69.134'"
and check to make sure that only the key(s) you wanted were added.
[root@qy-clicent ~]# ssh root@192.168.69.134
Last login: Mon Jan  7 11:20:02 2019 from 192.168.69.1

[root@qy-server ~]# ip a               # confirm from the IP address that the remote login succeeded
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:4a:d8:ba brd ff:ff:ff:ff:ff:ff
    inet 192.168.69.134/24 brd 192.168.69.255 scope global noprefixroute ens33
[root@qy-clicent ~]# ssh root@192.168.69.134 "touch /root/abc"    # run a command on the remote host, and so on
[root@qy-server ~]# ls
abc  anaconda-ks.cfg
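The last line of the ssh-copy-id output asks you to check that only the intended key was added. The following script, an added example that is not part of the original post, does that check the way a practitioner should: it compares the key type and base64 blob of the pushed id_rsa.pub against each authorized_keys entry and ignores the trailing comment, which is free text that anyone can set. The two files are constructed samples in a scratch directory (the blobs are not real keys); point the functions at the real ~/.ssh/id_rsa.pub and the server's ~/.ssh/authorized_keys to use it. The check works for any key type, including the ed25519 keys ssh-keygen -t ed25519 produces.

```shell
#!/bin/sh
# Added example, not part of the original post: after ssh-copy-id, confirm that the
# server's authorized_keys holds exactly the key you pushed. Compare the key type and
# the base64 blob (fields 1-2 of id_rsa.pub), never the trailing comment.
# All file contents below are constructed samples.

KEYS_DIR=$(mktemp -d)

# Stand-in for the client's ~/.ssh/id_rsa.pub (the blob is fake, not a real key)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedClientKey== root@qy-clicent\n' \
    > "$KEYS_DIR/id_rsa.pub"

# Stand-in for the server's ~/.ssh/authorized_keys: the pushed key plus a stray entry
# whose comment imitates ours but whose key material is different
cat > "$KEYS_DIR/authorized_keys" <<'EOF'
# constructed sample
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedClientKey== root@qy-clicent
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedStrayKey root@qy-clicent
EOF

# key_id LINE -> "type blob"; skips leading options such as from="..." and drops the comment
key_id() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $i, $(i + 1); exit } }'
}

# count_entries AUTHKEYS -> number of key lines, ignoring comments and blank lines
count_entries() {
    awk '!/^[[:space:]]*#/ && NF { n++ } END { print n + 0 }' "$1"
}

# key_installed PUBKEY_FILE AUTHKEYS -> 0 when the pushed key's type+blob is present
key_installed() {
    want=$(key_id "$(cat "$1")")
    while IFS= read -r line; do
        [ "$(key_id "$line")" = "$want" ] && return 0
    done < "$2"
    return 1
}

# unexpected_keys PUBKEY_FILE AUTHKEYS -> prints every key line that is NOT the pushed key
unexpected_keys() {
    want=$(key_id "$(cat "$1")")
    while IFS= read -r line; do
        id=$(key_id "$line")
        [ -n "$id" ] && [ "$id" != "$want" ] && printf '%s\n' "$line"
    done < "$2"
    return 0
}

if key_installed "$KEYS_DIR/id_rsa.pub" "$KEYS_DIR/authorized_keys"; then
    echo "pushed key is installed"
fi
echo "entries in authorized_keys: $(count_entries "$KEYS_DIR/authorized_keys")"
echo "entries that are not the pushed key:"
unexpected_keys "$KEYS_DIR/id_rsa.pub" "$KEYS_DIR/authorized_keys"
```

Any line printed by unexpected_keys is a key that was on the server before you pushed yours or was added by someone else; decide deliberately whether it belongs there.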


Note: the following errors commonly appear when logging in remotely as an ordinary user.
1. "no route to host": firewall
Flush the firewall rules in the virtual machine.
[root@localhost ~]# sudo iptables -F
2. "Connection refused": firewall, or the service is not enabled
Check the service and restart it.

4. Using scp

scp: full remote copy command
-r    # copy recursively
-p    # preserve permissions and timestamps
-P    # port
-q    # quiet mode
-a    # copy everything

Pushing a file
[root@qy-clicent ~]# scp -P22 -pr /root/abc.sh root@192.168.69.134:/tmp    # port 22, preserve attributes, copy recursively
abc.sh
[root@qy-server ~]# ls /tmp/
abc.sh  systemd-private-694619a2b4ab4ae4b4c3b211c5865ac5-chronyd.service-k3Xwlk
Pulling a file
[root@qy-server ~]# ls
anaconda-ks.cfg
[root@qy-clicent ~]# scp -l 20 -P22 -pr root@192.168.69.134:/root/anaconda-ks.cfg /root/    # -l 20 limits bandwidth to 20 Kbit/s
anaconda-ks.cfg

IV. Customizing the SSH service configuration

Commonly used settings:

PermitRootLogin {yes|no}            # whether root may log in to the system remotely
PermitRootLogin without-password    # allow root to log in remotely only with a key
PasswordAuthentication {yes|no}     # whether password authentication is enabled; on by default

Example: modifying the sshd configuration

[root@qy-server ~]# vi /etc/ssh/sshd_config
Add the following settings (sshd_config only accepts whole-line # comments, so each note sits on its own line):
# whether root may log in to the system remotely
PermitRootLogin yes
# allow root to log in remotely only with a key (uncomment to enforce it)
#PermitRootLogin without-password
# enable password authentication; on by default
PasswordAuthentication yes
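Two properties of sshd_config bite people who edit it by hand: sshd uses the first occurrence of a keyword and silently ignores later duplicates, and everything after a Match line is conditional rather than global. The script below, an added example rather than anything from the original post, reads a config the way sshd does and audits the three settings discussed above (PermitRootLogin, PasswordAuthentication, PermitEmptyPasswords). The two config files are constructed samples written to a scratch directory, not the server's real /etc/ssh/sshd_config; without-password is the older spelling of prohibit-password, and both are accepted as key-only.

```shell
#!/bin/sh
# Added example, not part of the original post: read sshd_config the way sshd does and
# audit the settings discussed above. Caveats encoded here: sshd honours the FIRST
# occurrence of a keyword, and anything after a "Match" line is not the global value.
# The config files below are constructed samples.

# effective_value FILE KEYWORD -> the global value sshd would use, or "" if the keyword is unset
effective_value() {
    awk -v kw="$2" '
        { sub(/[[:space:]]*=[[:space:]]*/, " ") }        # accept the "Keyword=value" spelling too
        /^[[:space:]]*#/ || NF == 0 { next }             # skip comment and blank lines
        tolower($1) == "match" { exit }                  # global section ends at the first Match block
        tolower($1) == tolower(kw) { print $2; exit }    # first match wins, exactly like sshd
    ' "$1"
}

# audit_sshd_config FILE -> prints one finding per line; returns 0 only when root is limited
# to key login and password authentication is off
audit_sshd_config() {
    rc=0
    root=$(effective_value "$1" PermitRootLogin)
    pw=$(effective_value "$1" PasswordAuthentication)
    empty=$(effective_value "$1" PermitEmptyPasswords)
    case "$root" in
        no|prohibit-password|without-password|forced-commands-only)
            printf 'OK   PermitRootLogin %s\n' "$root" ;;
        *)  printf 'WARN PermitRootLogin %s (root is not limited to key login)\n' "${root:-unset}"; rc=1 ;;
    esac
    if [ "$pw" = "no" ]; then
        printf 'OK   PasswordAuthentication no\n'
    else
        printf 'WARN PasswordAuthentication %s (default is yes)\n' "${pw:-unset}"; rc=1
    fi
    if [ "$empty" = "yes" ]; then
        printf 'WARN PermitEmptyPasswords yes\n'; rc=1
    fi
    return "$rc"
}

CONF_DIR=$(mktemp -d)

# Constructed sample mirroring the post's example: password auth stays on, and the second
# PasswordAuthentication line is dead because sshd already took the first one
cat > "$CONF_DIR/weak.conf" <<'EOF'
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
EOF

# Constructed hardened sample: key-only root, no passwords, one exception scoped by Match
cat > "$CONF_DIR/hardened.conf" <<'EOF'
PermitRootLogin = prohibit-password
PasswordAuthentication no
PermitEmptyPasswords no
Match User deploy
    PasswordAuthentication yes
EOF

for f in weak hardened; do
    echo "== $f.conf"
    if audit_sshd_config "$CONF_DIR/$f.conf"; then echo "result: key-only"; else echo "result: needs attention"; fi
done
```

Run audit_sshd_config against /etc/ssh/sshd_config after editing and before restarting sshd; if it reports a WARN you did not expect, look for an earlier line setting the same keyword. sshd -T prints the same effective values from the daemon's own parser and is the authoritative cross-check.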

V. Commands for generating passwords

[root@qy-server ~]# tr -dc A-Za-z0-9_ < /dev/urandom | head -c 30 | xargs    # generate a 30-character password
zR9b0CkqmmQXchzEkeFTJUGyAPWVvh
[root@qy-server ~]# openssl rand -base64 20    # 20 random bytes, base64-encoded (28 characters)
OHjHKnDRJMlMI+I/Jke75n8a+A0=

Firewall configuration and management

Option 1: allow only one subnet to reach the server and deny everyone else

Disable ebtables and iptables, then start firewalld
[root@qy-server ~]# systemctl disable ebtables
[root@qy-server ~]# systemctl mask ebtables.service iptables
[root@qy-server ~]# systemctl mask iptables.service
[root@qy-server ~]# systemctl start firewalld.service
[root@qy-server ~]# systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: active (running) since 二 2019-01-08 05:03:15 CST; 5s ago
     Docs: man:firewalld(1)
 Main PID: 5143 (firewalld)
    Tasks: 2
   CGroup: /system.slice/firewalld.service
           └─5143 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
[root@qy-server ~]# vi /etc/hosts.allow
sshd:192.168.69.0/255.255.255.0        # allow every machine on the LAN to reach the sshd process on the server
[root@qy-server ~]# vi /etc/hosts.deny
sshd:all      # deny everyone else
[root@qy-clicent ~]# ssh root@192.168.69.134    # verify from the client: login succeeds
root@192.168.69.134's password: 
Last login: Mon Jan  7 21:58:53 2019 from 192.168.69.131

Option 2: permanently add a rule allowing all hosts

 firewall-cmd --add-service=ssh --permanent
 firewall-cmd --reload

Option 3: permanently add a rule allowing a specific host

 firewall-cmd --add-rich-rule 'rule family=ipv4 source address=192.168.69.131/24 service name=ssh accept' --permanent    # /24 admits the whole 192.168.69.0 subnet; use /32 for a single host
 firewall-cmd --reload
[root@qy-server ~]# firewall-cmd --get-services    # list the services firewalld can control

Option 4: allow a specified IP and refuse all other logins
Example:

Role       IP              OS
Server     192.168.69.131  CentOS 7
Client 1   192.168.69.134  CentOS 7
Client 2   192.168.69.133  RHEL 7

Step 1: on the server

[root@localhost ~]# vi /etc/hosts.allow
sshd: 192.168.69.134/32      # add as the last line
[root@localhost ~]# vi /etc/hosts.deny
ALL: all             # add as the last line

Step 2: verify
Client 1 logs in successfully

[root@localhost ~]# ssh root@192.168.69.131    # login succeeds
The authenticity of host '192.168.69.131 (192.168.69.131)' can't be established.
ECDSA key fingerprint is SHA256:PkvJs3SbQ+TiawuXQxrBkZ7EgZzjGxNQj61GeKcus+k.

Client 2 fails to log in

[root@localhost ~]# ssh root@192.168.69.131
ssh_exchange_identification: read: Connection reset by peer
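Option 1 and Option 4 both rely on tcp_wrappers, which sshd on CentOS 7 is linked against (later releases such as RHEL 8 dropped tcp_wrappers, so there the firewalld rules are the portable route). The evaluation order is what makes the two examples work: hosts.allow is consulted first and a match grants access, hosts.deny is consulted next and a match refuses it, and a client listed in neither file is allowed. The script below is an added example, not part of the original post, that models that decision for the pattern forms used on this page (ALL, a single address, net/mask and net/prefix); hostnames, EXCEPT and KNOWN/UNKNOWN are not modelled. The hosts.allow and hosts.deny contents are constructed samples written to a scratch directory, and the daemon name vsftpd is only a stand-in for "some other service".

```shell
#!/bin/sh
# Added example, not part of the original post: a small model of how tcp_wrappers decides
# on a connection. hosts.allow first (match = allow), then hosts.deny (match = deny),
# otherwise allow. Only ALL, single address, net/mask and net/prefix patterns are handled.

# ip2int a.b.c.d -> the address as one integer
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# client_matches PATTERN IP -> 0 when PATTERN covers IP
client_matches() {
    case "$1" in
        [Aa][Ll][Ll]) return 0 ;;                              # ALL wildcard, case-insensitive
        */*)
            net=${1%/*}; spec=${1#*/}
            case "$spec" in
                *.*) mask=$(ip2int "$spec") ;;                  # 192.168.69.0/255.255.255.0 form
                *)   mask=$(( (4294967295 << (32 - spec)) & 4294967295 )) ;;   # 192.168.69.134/32 form
            esac
            [ $(( $(ip2int "$2") & mask )) -eq $(( $(ip2int "$net") & mask )) ] ;;
        *)  [ "$1" = "$2" ] ;;                                  # single address
    esac
}

# file_matches FILE DAEMON IP -> 0 when a "daemon_list : client_list" line in FILE covers both
file_matches() {
    [ -f "$1" ] || return 1
    found=$(sed 's/#.*//' "$1" | while IFS=: read -r dlist clist rest; do
        for d in $(printf '%s' "$dlist" | tr ',' ' '); do
            case "$d" in [Aa][Ll][Ll]|"$2") ;; *) continue ;; esac
            for c in $(printf '%s' "$clist" | tr ',' ' '); do
                if client_matches "$c" "$3"; then echo match; exit 0; fi
            done
        done
    done)
    [ "$found" = match ]
}

# wrap_decision ALLOW_FILE DENY_FILE DAEMON IP -> prints allow or deny
wrap_decision() {
    if file_matches "$1" "$3" "$4"; then echo allow        # hosts.allow first: a match wins
    elif file_matches "$2" "$3" "$4"; then echo deny       # then hosts.deny
    else echo allow; fi                                    # listed in neither: access granted
}

WRAP_DIR=$(mktemp -d)
# Constructed copy of Option 1: the whole LAN may reach sshd, everyone else is refused
printf 'sshd:192.168.69.0/255.255.255.0   # LAN\n' > "$WRAP_DIR/allow1"
printf 'sshd:all\n' > "$WRAP_DIR/deny1"
# Constructed copy of Option 4: one client only; every other daemon and client is refused
printf 'sshd: 192.168.69.134/32\n' > "$WRAP_DIR/allow4"
printf 'ALL: all\n' > "$WRAP_DIR/deny4"

for ip in 192.168.69.134 192.168.69.133; do
    echo "Option 4, sshd from $ip: $(wrap_decision "$WRAP_DIR/allow4" "$WRAP_DIR/deny4" sshd "$ip")"
done
```

The model reproduces the verification above: 192.168.69.134 gets "allow" and 192.168.69.133 gets "deny". It also shows why Option 1's "sshd:all" in hosts.deny leaves other daemons untouched while Option 4's "ALL: all" closes everything that is not explicitly allowed; pick the deny line according to which of those you actually want.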