当前位置：移动技术网 > 科技>操作系统>Linux > Linux SSH 服务

Linux SSH 服务

2019年10月08日 | 移动技术网科技 | 我要评论

centos-logo

本篇写一些关于linux网络中ssh服务的相关知识。

测试环境

名称	ip地址
host01	192.168.28.128
host02	192.168.28.129
host03	192.168.28.130

禁止 root 登录

查看ssh服务端口是否开启

[root@host01 ~]# netstat -ntuap | grep sshd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               listen      998/sshd            
tcp6       0      0 :::22                   :::*                    listen      998/sshd

默认可以使用root用户登录

[root@host02 ~]# ssh root@192.168.28.128
the authenticity of host '192.168.28.128 (192.168.28.128)' can't be established.
ecdsa key fingerprint is sha256:5ggc1rmzwwjf+ozz/pptylo2s6nmfhsxbzcnslazxhy.
ecdsa key fingerprint is md5:0b:f5:62:d7:a4:1f:05:64:0b:7f:22:62:11:64:07:61.
are you sure you want to continue connecting (yes/no)? yes
warning: permanently added '192.168.28.128' (ecdsa) to the list of known hosts.
root@192.168.28.128's password: 
last login: thu sep 12 13:54:03 2019
[root@host01 ~]# logout
connection to 192.168.28.128 closed.

编辑配置文件，禁止root用户登录

[root@host01 ~]# vim /etc/ssh/sshd_config
permitrootlogin no

重新加载配置文件，使配置生效

[root@host01 ~]# systemctl reload sshd

不可使用root用户登录

[root@host02 ~]# ssh root@192.168.28.128
root@192.168.28.128's password: 
permission denied, please try again.
root@192.168.28.128's password:

添加普通用户zhangsan。

[root@host01 ~]# useradd zhangsan && echo "000000" | passwd --stdin zhangsan
changing password for user zhangsan.
passwd: all authentication tokens updated successfully.
[root@host01 ~]# id zhangsan
uid=1001(zhangsan) gid=1001(zhangsan) groups=1001(zhangsan)

现在以zhangsan登录，发现可以切换至root用户

[root@host02 ~]# ssh zhangsan@192.168.28.128
zhangsan@192.168.28.128's password: 
[zhangsan@host01 ~]$ su - root
password: 
last login: thu sep 12 14:43:14 cst 2019 from 192.168.28.129 on pts/2
last failed login: thu sep 12 14:46:39 cst 2019 from 192.168.28.129 on ssh:notty
there was 1 failed login attempt since the last successful login.
[root@host01 ~]# logout
[zhangsan@host01 ~]$ logout
connection to 192.168.28.128 closed.

可以开启pam认证来禁止切换

[root@host01 ~]# vim /etc/pam.d/su
auth            required        pam_wheel.so use_uid

现在不可以使用zhangsan做跳板切换至root用户

[root@host02 ~]# ssh zhangsan@192.168.28.128
zhangsan@192.168.28.128's password: 
last login: thu sep 12 14:56:01 2019 from 192.168.28.129
[zhangsan@host01 ~]$ su - root
password: 
su: permission denied
[zhangsan@host01 ~]$ logout
connection to 192.168.28.128 closed.

将zhangsan添加至wheel组

[root@host01 ~]# gpasswd -a zhangsan wheel
adding user zhangsan to group wheel
[root@host01 ~]# id zhangsan
uid=1001(zhangsan) gid=1001(zhangsan) groups=1001(zhangsan),10(wheel)

只有在wheel组中的用户才可以使用su命令

[root@host02 ~]# ssh zhangsan@192.168.28.128
zhangsan@192.168.28.128's password: 
last login: thu sep 12 14:59:14 2019 from 192.168.28.129
[zhangsan@host01 ~]$ su - root
password: 
last login: thu sep 12 14:56:13 cst 2019 on pts/2
last failed login: thu sep 12 14:59:25 cst 2019 on pts/2
there was 1 failed login attempt since the last successful login.
[root@host01 ~]# logout
[zhangsan@host01 ~]$ logout
connection to 192.168.28.128 closed.

登录次数尝试

配置文件默认是6次，但尝试3次就不可再尝试

[root@host02 ~]# ssh zhangsan@192.168.28.128
zhangsan@192.168.28.128's password: 
permission denied, please try again.
zhangsan@192.168.28.128's password: 
permission denied, please try again.
zhangsan@192.168.28.128's password: 
permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

设置参数最大次数为5次

[root@host01 ~]# vim /etc/ssh/sshd_config
maxauthtries 5

重新加载配置文件，使配置生效

[root@host01 ~]# systemctl reload sshd

想要使配置能够有意义，需要使用-o numberofpasswordprompts=8参数，这里尝试8次，发现5次后被拒绝尝试。

[root@host02 ~]# ssh -o numberofpasswordprompts=8 zhangsan@192.168.28.128
zhangsan@192.168.28.128's password: 
permission denied, please try again.
zhangsan@192.168.28.128's password: 
permission denied, please try again.
zhangsan@192.168.28.128's password: 
permission denied, please try again.
zhangsan@192.168.28.128's password: 
permission denied, please try again.
zhangsan@192.168.28.128's password: 
received disconnect from 192.168.28.128 port 22:2: too many authentication failures
authentication failed.

黑白名单

添加lisi、wangwu用户

[root@host01 ~]# useradd lisi && echo "000000" | passwd --stdin lisi
changing password for user lisi.
passwd: all authentication tokens updated successfully.
[root@host01 ~]# useradd wangwu && echo "000000" | passwd --stdin wangwu
changing password for user wangwu.
passwd: all authentication tokens updated successfully.

添加白名单配置，默认没有相关条目zhangsan只能从129登录，lisi可以从任何主机登录

[root@host01 ~]# vim /etc/ssh/sshd_config
allowusers zhangsan@192.168.28.129 lisi

白名单：allowusers，黑名单：denyusers，不要同时使用。

重新加载配置文件，使配置生效

[root@host01 ~]# systemctl reload sshd

测试zhangsan可以从129登录

[root@host02 ~]# ssh zhangsan@192.168.28.128
zhangsan@192.168.28.128's password: 
last login: thu sep 12 16:53:09 2019 from 192.168.28.129
[zhangsan@host01 ~]$ logout
connection to 192.168.28.128 closed.

测试lisi可以从129登录

[root@host02 ~]# ssh lisi@192.168.28.128
lisi@192.168.28.128's password: 
[lisi@host01 ~]$ logout
connection to 192.168.28.128 closed.

测试wangwu不可从129登录

[root@host02 ~]# ssh wangwu@192.168.28.128
wangwu@192.168.28.128's password: 
permission denied, please try again.
wangwu@192.168.28.128's password:

测试zhangsan不可从130登录

[root@host03 ~]# ssh zhangsan@192.168.28.128
zhangsan@192.168.28.128's password: 
permission denied, please try again.
zhangsan@192.168.28.128's password:

测试lisi可以从130登录

[root@host03 ~]# ssh lisi@192.168.28.128
lisi@192.168.28.128's password: 
last login: thu sep 12 16:56:07 2019 from 192.168.28.129
[lisi@host01 ~]$ logout
connection to 192.168.28.128 closed.

测试wangwu不可从130登录

[root@host03 ~]# ssh wangwu@192.168.28.128
wangwu@192.168.28.128's password: 
permission denied, please try again.
wangwu@192.168.28.128's password:

使用密钥对登录

开启密钥认证选项

[root@host01 ~]# vim /etc/ssh/sshd_config
pubkeyauthentication yes

重新加载配置文件，使配置生效

[root@host01 ~]# systemctl reload sshd

生成类型为ecdsa椭圆曲线数字签名加密的密钥，可以设置一个密码

[root@host02 ~]# ssh-keygen -t ecdsa
generating public/private ecdsa key pair.
enter file in which to save the key (/root/.ssh/id_ecdsa): 
enter passphrase (empty for no passphrase): 
enter same passphrase again: 
your identification has been saved in /root/.ssh/id_ecdsa.
your public key has been saved in /root/.ssh/id_ecdsa.pub.
the key fingerprint is:
sha256:y4ajdpfbrwyap5exulv7obn08cvhszzasz6mwqt/cce root@host02
the key's randomart image is:
+---[ecdsa 256]---+
|o.oo=o+          |
| = o.x..         |
|  * o.o  ..      |
|   = . o +eo     |
|        s =.     |
|     . o.o.* .   |
|      o oo= *    |
|       o.  + +   |
|    .oo.    =    |
+----[sha256]-----+

查看生成的私钥和公钥文件

[root@host02 ~]# ls .ssh/
id_ecdsa  id_ecdsa.pub

推送公钥文件至128的lisi用户

[root@host02 ~]# ssh-copy-id -i .ssh/id_ecdsa.pub lisi@192.168.28.128
/usr/bin/ssh-copy-id: info: source of key(s) to be installed: ".ssh/id_ecdsa.pub"
/usr/bin/ssh-copy-id: info: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: info: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
lisi@192.168.28.128's password: 

number of key(s) added: 1

now try logging into the machine, with:   "ssh 'lisi@192.168.28.128'"
and check to make sure that only the key(s) you wanted were added.

本地会生成一个已知主机文件

[root@host02 ~]# ls .ssh/
id_ecdsa  id_ecdsa.pub  known_hosts

可以查看一下

[root@host02 ~]# cat .ssh/known_hosts
192.168.28.128 ecdsa-sha2-nistp256 aaaae2vjzhnhlxnoytitbmlzdhayntyaaaaibmlzdhayntyaaabbbg/clqc3iglkjnuys8mouhujjfnmt4v2cssj6gnfgblmanrik1slguesifypoeirgfyz0en3/aayi+sllpa/3lq=

128的lisi用户下生成了认证密钥

[root@host01 ~]# cat /home/lisi/.ssh/authorized_keys 
ecdsa-sha2-nistp256 aaaae2vjzhnhlxnoytitbmlzdhayntyaaaaibmlzdhayntyaaabbbee/8t2xbto11fmju5sac43oyueluvl6ovceij4wrzxad9qr+pmjcxlzovd5+hwyt6pfmw7ezjmk8nogcndc9hi= root@host02

使用128的lisi用户ssh登录，提示输入先前设置的密码

[root@host02 ~]# ssh lisi@192.168.28.128
enter passphrase for key '/root/.ssh/id_ecdsa': 
last login: thu sep 12 17:09:37 2019 from 192.168.28.129
[lisi@host01 ~]$ logout
connection to 192.168.28.128 closed.

可以设置免验证操作，并输入先前设置的密码

[root@host02 ~]# ssh-agent bash
[root@host02 ~]# ssh-add
enter passphrase for /root/.ssh/id_ecdsa: 
identity added: /root/.ssh/id_ecdsa (/root/.ssh/id_ecdsa)

现在可以免密码登录

[root@host02 ~]# ssh lisi@192.168.28.128
last login: tue sep 17 00:40:47 2019 from 192.168.28.129
[lisi@host01 ~]$ logout
connection to 192.168.28.128 closed.

更改默认端口

关闭防火墙、selinux。

[root@host01 ~]# systemctl stop firewalld
[root@host01 ~]# setenforce 0

更改默认端口22为2233

[root@host01 ~]# vim /etc/ssh/sshd_config
port 2233

重新加载配置文件，使配置生效

[root@host01 ~]# systemctl reload sshd
[root@host01 ~]# netstat -ntuap | grep sshd
tcp        0      0 0.0.0.0:2233            0.0.0.0:*               listen      41357/sshd          
tcp6       0      0 :::2233                 :::*                    listen      41357/sshd

直接登录失败

[root@host02 ~]# ssh lisi@192.168.28.128
ssh: connect to host 192.168.28.128 port 22: connection refused

指定端口登录成功

[root@host02 ~]# ssh -p 2233 lisi@192.168.28.128
last login: tue sep 17 01:21:11 2019 from 192.168.28.129
[lisi@host01 ~]$ logout
connection to 192.168.28.128 closed.

scp 远程复制

创建测试文件、文件夹

[root@host02 ~]# echo "this is testfile01" > testfile01.txt 
[root@host02 ~]# mkdir testdir01

远程复制文件

[root@host02 ~]# scp testfile01.txt root@192.168.28.128:/opt/
root@192.168.28.128's password: 
testfile01.txt                                                                                                                                             100%   19    11.4kb/s   00:00

远程复制文件夹

[root@host02 ~]# scp -r testdir01/ root@192.168.28.128:/opt/
root@192.168.28.128's password:

查看是否复制成功

[root@host01 ~]# ls /opt/
rh  testdir01  testfile.txt

sftp 安全文件传输协议

[root@host02 ~]# sftp root@192.168.28.128
root@192.168.28.128's password: 
connected to 192.168.28.128.
sftp>

可以cd切换目录，ls查看，put上传

sftp> cd /home/zhangsan/
sftp> ls
sftp> put /root/testfile01.txt
uploading /root/testfile01.txt to /home/zhangsan/testfile01.txt
/root/testfile01.txt                                                                                                                                       100%   19    32.8kb/s   00:00    
sftp> ls
testfile01.txt

上传成功

[root@host01 ~]# ls /home/zhangsan/
testfile01.txt

get下载

sftp> get /etc/passwd 
fetching /etc/passwd to passwd
/etc/passwd                                                                                                                                                100% 2227     1.8mb/s   00:00    
sftp> bye

下载成功

[root@host02 ~]# ls
anaconda-ks.cfg  passwd  testdir01  testfile01.txt

您可能感兴趣的文章:

如对本文有疑问，点击进行留言回复！！

linux系统怎么使用alias创建命令别名?

linux系统怎么使用alias创建命令别名？linux系统中有很多命令，今天我们就来看看alias命令的使用方法，详细请看下文介绍... 20-02-13 [阅读全文]
linux怎么快速创建创建一次性的计划任务?

linux怎么快速创建创建一次性的计划任务？linux系统总想要创建一次性任务，该怎么创建呢？下面我们就来看看详细的教程，需要的朋友可以参考下... 20-02... [阅读全文]
linux下文本编辑器vim的使用方法(复制、粘贴、替换、行号、撤销、多文件操作)

这篇文章主要介绍了linux下文本编辑器vim的使用方法，包括复制、粘贴、替换、行号、撤销、多文件操作,需要的朋友可以参考下... 20-02-16 [阅读全文]
Linux虚拟机怎么拍摄快照并管理?

Linux虚拟机怎么拍摄快照并管理？安装Linux虚拟机后，想要将操作步骤保存成快照，并管理，该怎么实现呢？下面我们就来看看详细的教程，需要的朋友可以参考下..... [阅读全文]
linux中crontab计划任务怎么删除?

linux中crontab计划任务怎么删除？linux中想要删除crontab计划任务，该怎么删除呢？下面我们就来看看详细的教程，需要的朋友可以参考下... 2... [阅读全文]
linux系统比windows系统声音小怎么办?

linux系统比windows系统声音小怎么办？电脑安装linux系统后，发现比windows系统的声音小，想要将声音变大，该怎么办呢？下面我们就来看看详细的教... [阅读全文]
linux怎么查看防火墙是否开启并清除防火墙规则?

linux怎么查看防火墙是否开启并清除防火墙规则？linux系统想要看看有没有开启防火墙，怎么删除防火墙规则？下面我们就来看看详细的教程，需要的朋友可以参考下.... [阅读全文]
centos7搭建wordpress博客

安装apache 启动apache 设置apache开机自启访问公网地址检测apache是否正常安装MySQL数据库启动MySQL数据库查看My... [阅读全文]
linux命令行,gcc,g++零基础

【上手由易到难，推荐wsl,虚拟机】 1、tdm gcc, mingw(dev c++) 2、wsl(Windows Subsystem for Lin... [阅读全文]
自动化运维工具Ansible之Roles测验详解

Ansible Roles 详解与实战案例主机规划添加用户账号说明： 1、运维人员使用的登录账号； 2、所有的业务都放在 /app/ 下「yu... [阅读全文]