openssh
I. Environment

| IP | Hostname | OS |
|---|---|---|
| 192.168.69.134 | qy-server | CentOS 7 |
| 192.168.69.131 | qy-clicent | CentOS 7 |
II. About OpenSSH
The term OpenSSH refers to the software implementation of Secure Shell used on the system; it is used to run a shell securely on a remote system. If you have a user account on a remote Linux system that offers the ssh service, ssh is the command normally used to log in to that system remotely. The ssh command can also be used to run commands on the remote system.
III. Procedure
1. Stop the firewall and SELinux
[root@qy-server ~]# systemctl stop firewalld.service
[root@qy-server ~]# systemctl disable firewalld.service
[root@qy-clicent ~]# systemctl stop firewalld.service
[root@qy-clicent ~]# systemctl disable firewalld.service
[root@qy-clicent ~]# setenforce 0
[root@qy-server ~]# setenforce 0
(setenforce 0 only switches SELinux to permissive mode until the next reboot; firewalld is started again with explicit rules in the firewall section further down.)
2. Install SSH
[root@qy-server ~]# yum -y install openssh-server
[root@qy-clicent ~]# yum -y install openssh-clients
3. Generate a key pair
[root@qy-clicent ~]# ssh-keygen -t rsa // create a public/private key pair with ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:roUVEiCF9wH2YqxcjAVxadhXSEBpx0xAqSHHkqbd8Fg root@qy-clicent
The key's randomart image is:
+---[RSA 2048]----+
| o+X%&+o. |
|+.BOE.B. |
|o=.%*+o.. |
|..++o... . |
| o S |
| + |
| . o |
| o |
| . |
+----[SHA256]-----+
[root@qy-clicent ~]# ls .ssh/ // list the generated keys
id_rsa id_rsa.pub
[root@qy-clicent ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@192.168.69.134 // copy the public key to the correct place on the remote system
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.69.134 (192.168.69.134)' can't be established.
ECDSA key fingerprint is SHA256:+QHBnIuUCWJcNRAaDYncL/7+fjLKQszXzjEhQdvjgL4.
ECDSA key fingerprint is MD5:fa:38:e6:82:20:60:6d:9f:78:cd:76:98:95:95:72:2e.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.69.134's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@192.168.69.134'"
and check to make sure that only the key(s) you wanted were added.
[root@qy-clicent ~]# ssh root@192.168.69.134
Last login: Mon Jan 7 11:20:02 2019 from 192.168.69.1
[root@qy-server ~]# ip a // the prompt and the IP address confirm that the remote login succeeded
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:4a:d8:ba brd ff:ff:ff:ff:ff:ff
inet 192.168.69.134/24 brd 192.168.69.255 scope global noprefixroute ens33
[root@qy-clicent ~]# ssh root@192.168.69.134 "touch /root/abc" // run a command on the remote host, and so on
[root@qy-server ~]# ls
abc anaconda-ks.cfg
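The ssh-copy-id output above asks you to check that only the intended keys were added. Here is an added example, not from the original article, that lists every entry in an authorized_keys file and checks the permissions sshd's StrictModes requires; the home directory and key strings are constructed placeholders, not real keys.

```shell
# Added example: audit an authorized_keys file the way sshd will see it.
list_authorized_keys() {   # $1 = authorized_keys file; prints "keytype comment" per entry
    awk '!/^[ \t]*(#|$)/ {
        i = 1
        while (i <= NF && $i !~ /^(ssh-|ecdsa-|sk-)/) i++   # skip option words such as no-pty,from=...
        if (i > NF) next                                    # not a key line
        comment = ""
        for (j = i + 2; j <= NF; j++) comment = comment " " $j
        if (comment == "") comment = " (no comment)"
        print $i comment
    }' "$1"
}

check_ssh_perms() {        # $1 = home directory; returns 1 if sshd (StrictModes yes) would ignore the keys
    bad=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        # columns 6 and 9 of "ls -ld" are the group and other write bits
        case "$(ls -ld "$p" | cut -c6,9)" in
            *w*) echo "BAD: $p is group- or world-writable"; bad=1 ;;
        esac
    done
    return $bad
}

# Constructed sample home directory: the key copied with ssh-copy-id plus one
# nobody remembers adding; the key material is a placeholder, not a real key.
HOME_DIR=$(mktemp -d)
mkdir -m 700 "$HOME_DIR/.ssh"
cat > "$HOME_DIR/.ssh/authorized_keys" <<'EOF'
# constructed sample authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC-PLACEHOLDER-NOT-A-REAL-KEY root@qy-clicent

no-pty,from="10.0.0.0/8" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI-PLACEHOLDER backup@unknown-host
EOF
chmod 664 "$HOME_DIR/.ssh/authorized_keys"   # deliberately too loose

list_authorized_keys "$HOME_DIR/.ssh/authorized_keys"
check_ssh_perms "$HOME_DIR" || echo "fix with: chmod 600 $HOME_DIR/.ssh/authorized_keys"
```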
Note: some errors commonly seen when an ordinary user logs in remotely:
1. no route to host: firewall
The firewall rules in the VM were flushed:
[root@localhost ~]# sudo iptables -F
2. Connection refused: firewall, or the service is not running
Check the service and restart it.
4. Using scp
scp: full remote copy command
-r // copy recursively
-p // preserve permissions
-P // port
-q // quiet mode
-a // copy everything
Push a file
[root@qy-clicent ~]# scp -P22 -pr /root/abc.sh root@192.168.69.134:/tmp // port 22, preserve attributes, copy recursively
abc.sh
[root@qy-server ~]# ls /tmp/
abc.sh systemd-private-694619a2b4ab4ae4b4c3b211c5865ac5-chronyd.service-k3Xwlk
Pull a file
[root@qy-server ~]# ls
anaconda-ks.cfg
[root@qy-clicent ~]# scp -l 20 -P22 -pr root@192.168.69.134:/root/anaconda-ks.cfg /root/ // -l 20 limits the transfer to 20 Kbit/s
anaconda-ks.cfg
IV. Customizing the SSH service configuration
Commonly used settings:
PermitRootLogin {yes|no} # whether the root user may log in to the system remotely
PermitRootLogin without-password # root may log in remotely only with key-based authentication
PasswordAuthentication {yes|no} # whether password authentication is enabled; on by default
Example: changing the sshd configuration
[root@qy-server ~]# vi /etc/ssh/sshd_config
Add the following settings (restart sshd afterwards for them to take effect):
PasswordAuthentication yes # enable password authentication (on by default)
#PermitEmptyPasswords no # empty passwords are refused; this is the commented-out default
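One caveat worth knowing when editing sshd_config: sshd uses the first uncommented occurrence of a keyword, so appending a new line at the bottom does nothing if the keyword already appears earlier. The following helper is an added example (not part of the original article) that reports the effective global value; the sample config is constructed, and the defaults passed as the third argument are assumptions.

```shell
# Added example: report the value sshd will actually use for a keyword.
# sshd takes the FIRST uncommented occurrence of a keyword and ignores later
# ones, and everything after the first "Match" line is conditional, so only
# the global section (before any Match) is examined here.
sshd_effective() {        # $1 = keyword, $2 = sshd_config path, $3 = assumed built-in default
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        tolower($1) == "match"  { exit }         # end of the global section
        tolower($1) == key      { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$2"
}

# Constructed sample reproducing a common mistake: "PasswordAuthentication no"
# is appended at the bottom while an earlier line still says "yes".
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sshd_config fragment
PermitRootLogin yes
#PermitEmptyPasswords no
PasswordAuthentication yes
# appended later, expecting it to take effect:
PasswordAuthentication no
Match Address 192.168.69.0/24
    PermitRootLogin without-password
EOF

sshd_effective PasswordAuthentication "$SAMPLE_CFG" yes   # yes: the appended "no" is ignored
sshd_effective PermitRootLogin        "$SAMPLE_CFG" yes   # yes: the Match block does not change the global value
sshd_effective PermitEmptyPasswords   "$SAMPLE_CFG" no    # no: the line is commented out, so the default applies
```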
V. One-liners for generating passwords
[root@qy-server ~]# tr -dc A-Za-z0-9_ < /dev/urandom | head -c 30 | xargs // generate a 30-character password
zR9b0CkqmmQXchzEkeFTJUGyAPWVvh
[root@qy-server ~]# openssl rand -base64 20 // 20 random bytes, base64-encoded (28 characters)
OHjHKnDRJMlMI+I/Jke75n8a+A0=
Firewall configuration and management
Method 1: allow only one subnet to reach the server and refuse everyone else
Stop ebtables and iptables, then start firewalld:
[root@qy-server ~]# systemctl disable ebtables
[root@qy-server ~]# systemctl mask ebtables.service iptables.service
[root@qy-server ~]# systemctl start firewalld.service
[root@qy-server ~]# systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: active (running) since 二 2019-01-08 05:03:15 CST; 5s ago
Docs: man:firewalld(1)
Main PID: 5143 (firewalld)
Tasks: 2
CGroup: /system.slice/firewalld.service
└─5143 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
[root@qy-server ~]# vi /etc/hosts.allow
sshd:192.168.69.0/255.255.255.0 # allow every machine on the LAN to reach the sshd process on the server
[root@qy-server ~]# vi /etc/hosts.deny
sshd:all # refuse everyone else
hosts.allow is consulted first, so the LAN entry takes precedence over the sshd:all line in hosts.deny.
[root@qy-clicent ~]# ssh root@192.168.69.134 // login from the client succeeds
root@192.168.69.134's password:
Last login: Mon Jan 7 21:58:53 2019 from 192.168.69.131
Method 2: permanently add a rule allowing SSH from all hosts
firewall-cmd --add-service=ssh --permanent
firewall-cmd --reload
Method 3: permanently add a rule allowing a specified host
firewall-cmd --add-rich-rule 'rule family=ipv4 source address=192.168.69.131/24 service name=ssh accept' --permanent
firewall-cmd --reload
(The /24 prefix above matches the whole 192.168.69.0 subnet, not just 192.168.69.131; use /32 to limit the rule to a single host.)
[root@qy-server ~]# firewall-cmd --get-services // list the services firewalld can control
Method 4: allow a specified IP and refuse all other logins
For example:
| Role | IP | OS |
|---|---|---|
| Server | 192.168.69.131 | CentOS 7 |
| Client 1 | 192.168.69.134 | CentOS 7 |
| Client 2 | 192.168.69.133 | RHEL 7 |
Step 1: on the server
[root@localhost ~]# vi /etc/hosts.allow
sshd: 192.168.69.134/32 # appended as the last line
[root@localhost ~]# vi /etc/hosts.deny
ALL: all # appended as the last line
Step 2: verify
Client 1 logs in successfully
[root@localhost ~]# ssh root@192.168.69.131 // login succeeds
The authenticity of host '192.168.69.131 (192.168.69.131)' can't be established.
ECDSA key fingerprint is SHA256:PkvJs3SbQ+TiawuXQxrBkZ7EgZzjGxNQj61GeKcus+k.
Client 2 fails to log in (sshd closes the connection immediately because of the hosts.deny rule)
[root@localhost ~]# ssh root@192.168.69.131
ssh_exchange_identification: read: Connection reset by peer
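The hosts.allow/hosts.deny rules in Method 1 and Method 4 are evaluated by tcp_wrappers (libwrap), which sshd on CentOS 7 links against. The following is an added example, not from the original article, that reproduces that decision for both rule sets; it handles only the pattern forms used on this page (ALL, a single IPv4 address, net/mask and net/prefix), and the file contents are constructed copies of the article's rules.

```shell
# Added example: emulate the hosts.allow / hosts.deny decision tcp_wrappers makes
# for sshd. Supported patterns: ALL, a single IPv4 address, net/mask, net/prefix.
ip2int() {            # dotted-quad IPv4 address -> 32-bit integer
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
addr_match() {        # $1 = client-list pattern, $2 = client IP
    case "$1" in
        [Aa][Ll][Ll]) return 0 ;;
        */*)  net=${1%/*}; m=${1#*/}
              case "$m" in
                  *.*) mask=$(ip2int "$m") ;;                               # 255.255.255.0 form
                  *)   mask=$(( (0xFFFFFFFF << (32 - m)) & 0xFFFFFFFF )) ;; # /24 form
              esac
              [ $(( $(ip2int "$2") & mask )) -eq $(( $(ip2int "$net") & mask )) ] ;;
        *)    [ "$1" = "$2" ] ;;
    esac
}
file_matches() {      # $1 = access file, $2 = daemon, $3 = client IP; 0 if a line matches
    [ -f "$1" ] || return 1
    sed 's/#.*//' "$1" | (
        while IFS=: read -r daemons clients; do
            for d in $(printf '%s' "$daemons" | tr ',' ' '); do
                [ "$d" = "$2" ] || [ "$(printf '%s' "$d" | tr 'a-z' 'A-Z')" = ALL ] || continue
                for c in $(printf '%s' "$clients" | tr ',' ' '); do
                    addr_match "$c" "$3" && exit 0
                done
            done
        done
        exit 1        # subshell: no line matched
    )
}
tcpwrap_decide() {    # $1 = daemon, $2 = client IP, $3 = hosts.allow, $4 = hosts.deny
    if   file_matches "$3" "$1" "$2"; then echo allow
    elif file_matches "$4" "$1" "$2"; then echo deny
    else echo allow          # neither file matches: access is granted
    fi
}

# Constructed copies of the two rule sets from the article.
T=$(mktemp -d)
printf 'sshd:192.168.69.0/255.255.255.0\n' > "$T/allow1"; printf 'sshd:all\n'            > "$T/deny1"
printf 'sshd: 192.168.69.134/32\n'         > "$T/allow4"; printf 'ALL: all  # last line\n' > "$T/deny4"

tcpwrap_decide sshd 192.168.69.134 "$T/allow4" "$T/deny4"    # allow
tcpwrap_decide sshd 192.168.69.133 "$T/allow4" "$T/deny4"    # deny  (client 2: "Connection reset by peer")
tcpwrap_decide sshd 10.0.0.5       "$T/allow1" "$T/deny1"    # deny
tcpwrap_decide vsftpd 10.0.0.5     "$T/allow1" "$T/deny1"    # allow (deny1 only covers sshd)
```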