This post covers some basics of the SSH service on a Linux network.

| Name | IP address |
|---|---|
| host01 | 192.168.28.128 |
| host02 | 192.168.28.129 |
| host03 | 192.168.28.130 |
Check whether the SSH service port is listening:

```
[root@host01 ~]# netstat -ntuap | grep sshd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      998/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      998/sshd
```
Log in as root from host02:

```
[root@host02 ~]# ssh root@192.168.28.128
The authenticity of host '192.168.28.128 (192.168.28.128)' can't be established.
ECDSA key fingerprint is SHA256:5ggc1rmzwwjf+ozz/pptylo2s6nmfhsxbzcnslazxhy.
ECDSA key fingerprint is MD5:0b:f5:62:d7:a4:1f:05:64:0b:7f:22:62:11:64:07:61.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.28.128' (ECDSA) to the list of known hosts.
root@192.168.28.128's password:
Last login: Thu Sep 12 13:54:03 2019
[root@host01 ~]# logout
Connection to 192.168.28.128 closed.
```
Disable root login over SSH by setting PermitRootLogin to no in sshd_config, then reload the service:

```
[root@host01 ~]# vim /etc/ssh/sshd_config
PermitRootLogin no
[root@host01 ~]# systemctl reload sshd
```

Root login is now refused:

```
[root@host02 ~]# ssh root@192.168.28.128
root@192.168.28.128's password:
Permission denied, please try again.
root@192.168.28.128's password:
```
Create the user zhangsan:

```
[root@host01 ~]# useradd zhangsan && echo "000000" | passwd --stdin zhangsan
Changing password for user zhangsan.
passwd: all authentication tokens updated successfully.
[root@host01 ~]# id zhangsan
uid=1001(zhangsan) gid=1001(zhangsan) groups=1001(zhangsan)
```

Log in as zhangsan and note that it is still possible to switch to root with su:

```
[root@host02 ~]# ssh zhangsan@192.168.28.128
zhangsan@192.168.28.128's password:
[zhangsan@host01 ~]$ su - root
Password:
Last login: Thu Sep 12 14:43:14 CST 2019 from 192.168.28.129 on pts/2
Last failed login: Thu Sep 12 14:46:39 CST 2019 from 192.168.28.129 on ssh:notty
There was 1 failed login attempt since the last successful login.
[root@host01 ~]# logout
[zhangsan@host01 ~]$ logout
Connection to 192.168.28.128 closed.
```
Use PAM to forbid the switch by enabling the pam_wheel line in /etc/pam.d/su:

```
[root@host01 ~]# vim /etc/pam.d/su
auth            required        pam_wheel.so use_uid
```

Using zhangsan as a stepping stone to switch to root now fails:

```
[root@host02 ~]# ssh zhangsan@192.168.28.128
zhangsan@192.168.28.128's password:
Last login: Thu Sep 12 14:56:01 2019 from 192.168.28.129
[zhangsan@host01 ~]$ su - root
Password:
su: Permission denied
[zhangsan@host01 ~]$ logout
Connection to 192.168.28.128 closed.
```
Add zhangsan to the wheel group:

```
[root@host01 ~]# gpasswd -a zhangsan wheel
Adding user zhangsan to group wheel
[root@host01 ~]# id zhangsan
uid=1001(zhangsan) gid=1001(zhangsan) groups=1001(zhangsan),10(wheel)
```

Only members of the wheel group can now use the su command:

```
[root@host02 ~]# ssh zhangsan@192.168.28.128
zhangsan@192.168.28.128's password:
Last login: Thu Sep 12 14:59:14 2019 from 192.168.28.129
[zhangsan@host01 ~]$ su - root
Password:
Last login: Thu Sep 12 14:56:13 CST 2019 on pts/2
Last failed login: Thu Sep 12 14:59:25 CST 2019 on pts/2
There was 1 failed login attempt since the last successful login.
[root@host01 ~]# logout
[zhangsan@host01 ~]$ logout
Connection to 192.168.28.128 closed.
```
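The su restriction above depends on two things being true at once: the pam_wheel line in /etc/pam.d/su is uncommented, and the wheel group contains exactly the accounts that should be able to become root. As an added check (not part of the original post), the POSIX shell functions below verify both from files passed as arguments, so here they run against constructed copies of /etc/pam.d/su and /etc/group; the function names and the sample files are mine.

```shell
#!/bin/sh
# Added example, not from the original post. Checks the su/wheel restriction
# against files passed as arguments so it can be run on constructed samples.

# su_restricted_to_wheel <pam-su-file>
# Returns 0 when an active (uncommented) "auth required pam_wheel.so" line
# is present, 1 otherwise. "use_uid" makes pam_wheel check the real invoking
# user rather than the target user.
su_restricted_to_wheel() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1"
}

# wheel_members <group-file>
# Prints the supplementary members of the wheel group, one per line.
wheel_members() {
    awk -F: '$1 == "wheel" { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$1"
}

# --- constructed sample files (contents mimic CentOS 7 defaults) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

SAMPLE_PAM_SU_OFF="$SAMPLE_DIR/su.stock"
SAMPLE_PAM_SU_ON="$SAMPLE_DIR/su.hardened"
SAMPLE_GROUP="$SAMPLE_DIR/group"

cat > "$SAMPLE_PAM_SU_OFF" <<'EOF'
#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            substack        system-auth
EOF

# The same file with the pam_wheel line enabled, as the post does with vim.
sed 's/^#auth\([[:space:]]*required[[:space:]]*pam_wheel\.so\)/auth\1/' \
    "$SAMPLE_PAM_SU_OFF" > "$SAMPLE_PAM_SU_ON"

cat > "$SAMPLE_GROUP" <<'EOF'
root:x:0:
wheel:x:10:zhangsan
zhangsan:x:1001:
EOF

# Stand-alone demonstration
if su_restricted_to_wheel "$SAMPLE_PAM_SU_ON"; then
    echo "su is restricted to wheel; current members:"
    wheel_members "$SAMPLE_GROUP"
else
    echo "su is NOT restricted to wheel"
fi
```

On a real host run the two functions against /etc/pam.d/su and /etc/group; a non-empty member list from an account you did not intend to grant is the finding to act on.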
By default the server allows 6 attempts (MaxAuthTries 6), but only 3 password prompts are offered before the client gives up (its default NumberOfPasswordPrompts is 3):

```
[root@host02 ~]# ssh zhangsan@192.168.28.128
zhangsan@192.168.28.128's password:
Permission denied, please try again.
zhangsan@192.168.28.128's password:
Permission denied, please try again.
zhangsan@192.168.28.128's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
```

Set the server limit to 5 attempts:

```
[root@host01 ~]# vim /etc/ssh/sshd_config
MaxAuthTries 5
[root@host01 ~]# systemctl reload sshd
```

Pass the -o NumberOfPasswordPrompts=8 option to ask for 8 prompts; after 5 attempts the server refuses any further tries:

```
[root@host02 ~]# ssh -o NumberOfPasswordPrompts=8 zhangsan@192.168.28.128
zhangsan@192.168.28.128's password:
Permission denied, please try again.
zhangsan@192.168.28.128's password:
Permission denied, please try again.
zhangsan@192.168.28.128's password:
Permission denied, please try again.
zhangsan@192.168.28.128's password:
Permission denied, please try again.
zhangsan@192.168.28.128's password:
Received disconnect from 192.168.28.128 port 22:2: Too many authentication failures
Authentication failed.
```
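Each refused prompt in the exchange above is written by sshd as one "Failed password" line in the server's auth log (/var/log/secure on CentOS), so MaxAuthTries directly caps how many such lines one connection can produce, and counting them per source address is the server-side view of what the client just saw. As an added example (not from the post), the POSIX shell script below does that count over a few constructed log lines; the function names and the sample lines are mine, modelled on the OpenSSH message format.

```shell
#!/bin/sh
# Added example, not from the original post: count sshd password failures per
# source address from auth-log lines (format as written by OpenSSH to
# /var/log/secure on CentOS 7).

# failed_logins_by_source <logfile>
# Prints "<count> <ip>" lines, highest count first. Handles both
# "Failed password for USER from IP" and
# "Failed password for invalid user USER from IP".
failed_logins_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { c[$(i + 1)]++; break }
         }
         END { for (ip in c) print c[ip], ip }' "$1" | sort -rn
}

# sources_over_threshold <logfile> <n>
# Prints the source addresses with at least <n> failures.
sources_over_threshold() {
    failed_logins_by_source "$1" | awk -v n="$2" '$1 >= n { print $2 }'
}

# --- constructed sample log (not real captured data) ---
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Sep 12 17:02:11 host01 sshd[41201]: Failed password for zhangsan from 192.168.28.129 port 50212 ssh2
Sep 12 17:02:14 host01 sshd[41201]: Failed password for zhangsan from 192.168.28.129 port 50212 ssh2
Sep 12 17:02:17 host01 sshd[41201]: Failed password for zhangsan from 192.168.28.129 port 50212 ssh2
Sep 12 17:02:20 host01 sshd[41201]: Failed password for zhangsan from 192.168.28.129 port 50212 ssh2
Sep 12 17:02:23 host01 sshd[41201]: Failed password for zhangsan from 192.168.28.129 port 50212 ssh2
Sep 12 17:02:23 host01 sshd[41201]: Disconnecting: Too many authentication failures [preauth]
Sep 12 17:05:40 host01 sshd[41260]: Failed password for invalid user admin from 192.168.28.130 port 40011 ssh2
Sep 12 17:06:02 host01 sshd[41270]: Accepted password for lisi from 192.168.28.129 port 50300 ssh2
EOF

# Stand-alone demonstration
echo "failures per source:"
failed_logins_by_source "$SAMPLE_LOG"
echo "sources at or above 5 failures:"
sources_over_threshold "$SAMPLE_LOG" 5
```

The threshold is the knob to tune: with MaxAuthTries 5, a single connection cannot produce more than five of these lines, so a source that keeps reappearing above that count is reconnecting and retrying rather than mistyping once.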
Create the users lisi and wangwu:

```
[root@host01 ~]# useradd lisi && echo "000000" | passwd --stdin lisi
Changing password for user lisi.
passwd: all authentication tokens updated successfully.
[root@host01 ~]# useradd wangwu && echo "000000" | passwd --stdin wangwu
Changing password for user wangwu.
passwd: all authentication tokens updated successfully.
```

Allow zhangsan to log in only from 129, and lisi from any host:

```
[root@host01 ~]# vim /etc/ssh/sshd_config
AllowUsers zhangsan@192.168.28.129 lisi
```

AllowUsers is a whitelist and DenyUsers a blacklist; do not use both at the same time.

```
[root@host01 ~]# systemctl reload sshd
```
zhangsan can log in from 129:

```
[root@host02 ~]# ssh zhangsan@192.168.28.128
zhangsan@192.168.28.128's password:
Last login: Thu Sep 12 16:53:09 2019 from 192.168.28.129
[zhangsan@host01 ~]$ logout
Connection to 192.168.28.128 closed.
```

lisi can log in from 129:

```
[root@host02 ~]# ssh lisi@192.168.28.128
lisi@192.168.28.128's password:
[lisi@host01 ~]$ logout
Connection to 192.168.28.128 closed.
```

wangwu cannot log in from 129:

```
[root@host02 ~]# ssh wangwu@192.168.28.128
wangwu@192.168.28.128's password:
Permission denied, please try again.
wangwu@192.168.28.128's password:
```

zhangsan cannot log in from 130:

```
[root@host03 ~]# ssh zhangsan@192.168.28.128
zhangsan@192.168.28.128's password:
Permission denied, please try again.
zhangsan@192.168.28.128's password:
```

lisi can log in from 130:

```
[root@host03 ~]# ssh lisi@192.168.28.128
lisi@192.168.28.128's password:
Last login: Thu Sep 12 16:56:07 2019 from 192.168.28.129
[lisi@host01 ~]$ logout
Connection to 192.168.28.128 closed.
```

wangwu cannot log in from 130:

```
[root@host03 ~]# ssh wangwu@192.168.28.128
wangwu@192.168.28.128's password:
Permission denied, please try again.
wangwu@192.168.28.128's password:
```
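The six logins above are the full truth table of the AllowUsers line: a bare user name matches from any host, a user@host entry matches only when the source address also matches, and once the directive is set anyone matching no entry is refused. As an added example (not from the post), the POSIX shell function below models that evaluation so a proposed AllowUsers value can be checked against a list of user/source pairs before the service is reloaded. It goes slightly beyond the post's case by honouring the * and ? wildcards sshd accepts in both parts; it does not model CIDR host parts. The function names and the wildcard test value are mine.

```shell
#!/bin/sh
# Added example, not from the original post: a model of how sshd evaluates an
# AllowUsers line, so the six logins tried above can be predicted (and a
# proposed change checked) without touching the server.

# allow_users_permits "<AllowUsers value>" <user> <source-ip>
# Returns 0 if the user is admitted from that address, 1 if not.
# Each entry is USER or USER@HOST; a bare USER matches from any host. Both
# parts may use the * and ? wildcards that sshd accepts (CIDR host parts,
# which sshd also accepts, are not modelled here). Once AllowUsers is set,
# a user matching no entry is refused.
allow_users_permits() {
    user="$2"; addr="$3"
    for entry in $1; do
        case "$entry" in
            *@*) pat_user="${entry%%@*}"; pat_host="${entry#*@}" ;;
            *)   pat_user="$entry";        pat_host='*' ;;
        esac
        # patterns are deliberately unquoted so * and ? act as wildcards
        case "$user" in
            $pat_user)
                case "$addr" in
                    $pat_host) return 0 ;;
                esac ;;
        esac
    done
    return 1
}

# verdict "<AllowUsers value>" <user> <source-ip>  -> prints "allow" or "deny"
verdict() {
    if allow_users_permits "$1" "$2" "$3"; then echo allow; else echo deny; fi
}

# The directive used in the post
ALLOW='zhangsan@192.168.28.129 lisi'

# Stand-alone demonstration: the post's test matrix
for u in zhangsan lisi wangwu; do
    for ip in 192.168.28.129 192.168.28.130; do
        printf '%-9s from %-15s %s\n' "$u" "$ip" "$(verdict "$ALLOW" "$u" "$ip")"
    done
done
```

When both directives are present, sshd evaluates them in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups, which is why mixing them produces results that are hard to reason about and the post advises using only one.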
Enable public-key authentication:

```
[root@host01 ~]# vim /etc/ssh/sshd_config
PubkeyAuthentication yes
[root@host01 ~]# systemctl reload sshd
```
On host02, generate an ECDSA (Elliptic Curve Digital Signature Algorithm) key pair; a passphrase can be set on the private key:

```
[root@host02 ~]# ssh-keygen -t ecdsa
Generating public/private ecdsa key pair.
Enter file in which to save the key (/root/.ssh/id_ecdsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_ecdsa.
Your public key has been saved in /root/.ssh/id_ecdsa.pub.
The key fingerprint is:
SHA256:y4ajdpfbrwyap5exulv7obn08cvhszzasz6mwqt/cce root@host02
The key's randomart image is:
+---[ECDSA 256]---+
|o.oo=o+          |
|   = o.X..       |
|  * o.o ..       |
|   = . o +Eo     |
|    S =.         |
|   . o.o.* .     |
|    o oo= *      |
|     o. + +      |
|    .oo. =       |
+----[SHA256]-----+
[root@host02 ~]# ls .ssh/
id_ecdsa  id_ecdsa.pub
```

Copy the public key to the lisi user on 128:

```
[root@host02 ~]# ssh-copy-id -i .ssh/id_ecdsa.pub lisi@192.168.28.128
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_ecdsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
lisi@192.168.28.128's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'lisi@192.168.28.128'"
and check to make sure that only the key(s) you wanted were added.

[root@host02 ~]# ls .ssh/
id_ecdsa  id_ecdsa.pub  known_hosts
[root@host02 ~]# cat .ssh/known_hosts
192.168.28.128 ecdsa-sha2-nistp256 aaaae2vjzhnhlxnoytitbmlzdhayntyaaaaibmlzdhayntyaaabbbg/clqc3iglkjnuys8mouhujjfnmt4v2cssj6gnfgblmanrik1slguesifypoeirgfyz0en3/aayi+sllpa/3lq=
```
On 128, the key has been installed in the lisi user's authorized_keys:

```
[root@host01 ~]# cat /home/lisi/.ssh/authorized_keys
ecdsa-sha2-nistp256 aaaae2vjzhnhlxnoytitbmlzdhayntyaaaaibmlzdhayntyaaabbbee/8t2xbto11fmju5sac43oyueluvl6ovceij4wrzxad9qr+pmjcxlzovd5+hwyt6pfmw7ezjmk8nogcndc9hi= root@host02
```
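ssh-copy-id creates ~/.ssh and authorized_keys with the right modes, but when a key is installed by hand the most common failure is permissions: with StrictModes (on by default) sshd refuses an authorized_keys file, its .ssh directory, or the home directory that is writable by group or others, logs "Authentication refused: bad ownership or modes", and silently falls back to a password prompt. As an added check (not from the post), the POSIX shell functions below apply that test to a home directory passed as an argument; they run here against two constructed temporary homes, assume GNU coreutils stat (as on CentOS), and use function names and a placeholder key line that are mine.

```shell
#!/bin/sh
# Added example, not from the original post: the ownership/permission test
# sshd's StrictModes applies before it trusts authorized_keys.
# Assumes GNU coreutils stat (-c), as found on CentOS.

# not_writable_by_others <path>: 0 if neither group nor others have the write bit
not_writable_by_others() {
    mode=$(stat -c '%a' "$1") || return 1
    g=$(( mode / 10 % 10 )); o=$(( mode % 10 ))
    [ $(( g & 2 )) -eq 0 ] && [ $(( o & 2 )) -eq 0 ]
}

# authorized_keys_usable <home-dir> <owner>
# Checks home, ~/.ssh and ~/.ssh/authorized_keys: each must exist, be owned
# by <owner>, and not be writable by group or others. Prints what fails.
authorized_keys_usable() {
    home="$1"; owner="$2"; rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then echo "missing: $p"; rc=1; continue; fi
        [ "$(stat -c '%U' "$p")" = "$owner" ] || { echo "not owned by $owner: $p"; rc=1; }
        not_writable_by_others "$p" || { echo "group/world writable: $p"; rc=1; }
    done
    return $rc
}

# --- constructed sample home directories (not real accounts) ---
ME=$(id -un)
SAMPLE_HOME=$(mktemp -d)
SAMPLE_HOME_BAD=$(mktemp -d)
trap 'rm -rf "$SAMPLE_HOME" "$SAMPLE_HOME_BAD"' EXIT

# Laid out the way ssh-copy-id leaves it: home 755, .ssh 700, file 600
chmod 755 "$SAMPLE_HOME"
mkdir -m 700 "$SAMPLE_HOME/.ssh"
echo "ecdsa-sha2-nistp256 PLACEHOLDER-NOT-A-REAL-KEY root@host02" > "$SAMPLE_HOME/.ssh/authorized_keys"
chmod 600 "$SAMPLE_HOME/.ssh/authorized_keys"

# The classic hand-installed mistake: a group-writable authorized_keys
mkdir -m 700 "$SAMPLE_HOME_BAD/.ssh"
cp "$SAMPLE_HOME/.ssh/authorized_keys" "$SAMPLE_HOME_BAD/.ssh/"
chmod 660 "$SAMPLE_HOME_BAD/.ssh/authorized_keys"

# Stand-alone demonstration
authorized_keys_usable "$SAMPLE_HOME" "$ME" && echo "ok: sshd would accept this authorized_keys"
authorized_keys_usable "$SAMPLE_HOME_BAD" "$ME" || echo "rejected, as sshd would"
```

Run it as `authorized_keys_usable /home/lisi lisi` on the server when a freshly copied key still produces a password prompt; the message it prints names the path to fix.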
Log in to the lisi user on 128 over SSH; it now prompts for the passphrase set earlier:

```
[root@host02 ~]# ssh lisi@192.168.28.128
Enter passphrase for key '/root/.ssh/id_ecdsa':
Last login: Thu Sep 12 17:09:37 2019 from 192.168.28.129
[lisi@host01 ~]$ logout
Connection to 192.168.28.128 closed.
```

Start an agent and add the key; the passphrase is entered once, and subsequent logins no longer ask for it:

```
[root@host02 ~]# ssh-agent bash
[root@host02 ~]# ssh-add
Enter passphrase for /root/.ssh/id_ecdsa:
Identity added: /root/.ssh/id_ecdsa (/root/.ssh/id_ecdsa)
[root@host02 ~]# ssh lisi@192.168.28.128
Last login: Tue Sep 17 00:40:47 2019 from 192.168.28.129
[lisi@host01 ~]$ logout
Connection to 192.168.28.128 closed.
```
Stop firewalld and switch SELinux to permissive mode:

```
[root@host01 ~]# systemctl stop firewalld
[root@host01 ~]# setenforce 0
```

Change the port from 22 to 2233:

```
[root@host01 ~]# vim /etc/ssh/sshd_config
Port 2233
[root@host01 ~]# systemctl reload sshd
[root@host01 ~]# netstat -ntuap | grep sshd
tcp        0      0 0.0.0.0:2233            0.0.0.0:*               LISTEN      41357/sshd
tcp6       0      0 :::2233                 :::*                    LISTEN      41357/sshd
```

Connecting on the default port is now refused; specify the port with -p:

```
[root@host02 ~]# ssh lisi@192.168.28.128
ssh: connect to host 192.168.28.128 port 22: Connection refused
[root@host02 ~]# ssh -p 2233 lisi@192.168.28.128
Last login: Tue Sep 17 01:21:11 2019 from 192.168.28.129
[lisi@host01 ~]$ logout
Connection to 192.168.28.128 closed.
```
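Every change in this post so far is a line in sshd_config (PermitRootLogin, MaxAuthTries, AllowUsers/DenyUsers, PubkeyAuthentication, Port), and each was followed by a reload and a live test because the file has a trap: keywords are case-insensitive and, for a keyword that appears more than once, sshd uses the first occurrence, so a hardened value appended below the stock line is silently ignored. As an added example (not from the post), the POSIX shell script below reads the value sshd will actually use and audits the directives this post sets, running against two constructed config files; the function names and the sample files are mine.

```shell
#!/bin/sh
# Added example, not from the original post: read the value sshd will
# actually use for a directive, and audit the settings changed in this post.
# sshd_config keywords are case-insensitive and, for a keyword given more
# than once, the FIRST occurrence wins.

# sshd_effective <keyword> <config-file> <value-if-absent>
# Prints the effective value from the global section (stops at the first
# "Match" block, whose settings are conditional). Handles "Key value" lines.
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; found = 1; exit }
        END { if (!found) print def }
    ' "$2"
}

# sshd_audit <config-file>
# Reports each authentication directive from this post that is not at the
# hardened value; returns 0 if all are fine, 1 otherwise.
sshd_audit() {
    f="$1"; rc=0
    [ "$(sshd_effective PermitRootLogin "$f" unset)" = no ] || { echo "PermitRootLogin is not 'no'"; rc=1; }
    tries=$(sshd_effective MaxAuthTries "$f" 6)
    [ "$tries" -le 5 ] || { echo "MaxAuthTries is $tries (default 6)"; rc=1; }
    [ "$(sshd_effective PubkeyAuthentication "$f" yes)" = yes ] || { echo "PubkeyAuthentication is off"; rc=1; }
    allow=$(sshd_effective AllowUsers "$f" "")
    deny=$(sshd_effective DenyUsers "$f" "")
    [ -n "$allow" ] || { echo "no AllowUsers whitelist"; rc=1; }
    [ -z "$allow" ] || [ -z "$deny" ] || { echo "AllowUsers and DenyUsers both set"; rc=1; }
    return $rc
}

# --- constructed sample files (not copies of any real sshd_config) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_STOCK="$SAMPLE_DIR/sshd_config.stock"
SAMPLE_HARDENED="$SAMPLE_DIR/sshd_config.hardened"

# Stock-like file where "MaxAuthTries 5" was appended below the existing
# line: sshd keeps using 6.
cat > "$SAMPLE_STOCK" <<'EOF'
#Port 22
PermitRootLogin yes
MaxAuthTries 6
#PubkeyAuthentication yes
MaxAuthTries 5
EOF

# The directives as this post sets them, plus a Match block to show it is skipped.
cat > "$SAMPLE_HARDENED" <<'EOF'
Port 2233
PermitRootLogin no
MaxAuthTries 5
AllowUsers zhangsan@192.168.28.129 lisi
PubkeyAuthentication yes
Match User lisi
    PasswordAuthentication no
EOF

# Stand-alone demonstration
for f in "$SAMPLE_STOCK" "$SAMPLE_HARDENED"; do
    echo "== $f (Port $(sshd_effective Port "$f" 22))"
    sshd_audit "$f" && echo "all directives at hardened values"
done
```

`sshd -T` prints the same effective values from the running daemon's point of view and is the authoritative check on a real host. One point on the Port step that the audit deliberately leaves out: after moving sshd to 2233, the narrower alternative to stopping firewalld and setting SELinux permissive is to admit the new port (`firewall-cmd --permanent --add-port=2233/tcp` followed by `firewall-cmd --reload`, and `semanage port -a -t ssh_port_t -p tcp 2233`), which keeps both controls in place.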
Copy files with scp. Create a test file and a test directory on host02:

```
[root@host02 ~]# echo "this is testfile01" > testfile01.txt
[root@host02 ~]# mkdir testdir01
```

Copy the file, then the directory (with -r), to /opt/ on host01:

```
[root@host02 ~]# scp testfile01.txt root@192.168.28.128:/opt/
root@192.168.28.128's password:
testfile01.txt                                100%   19    11.4KB/s   00:00
[root@host02 ~]# scp -r testdir01/ root@192.168.28.128:/opt/
root@192.168.28.128's password:
```

Check the result on host01:

```
[root@host01 ~]# ls /opt/
rh  testdir01  testfile.txt
```
Connect with sftp:

```
[root@host02 ~]# sftp root@192.168.28.128
root@192.168.28.128's password:
Connected to 192.168.28.128.
sftp>
```

Use cd to change directory, ls to list, and put to upload:

```
sftp> cd /home/zhangsan/
sftp> ls
sftp> put /root/testfile01.txt
Uploading /root/testfile01.txt to /home/zhangsan/testfile01.txt
/root/testfile01.txt                          100%   19    32.8KB/s   00:00
sftp> ls
testfile01.txt
```

```
[root@host01 ~]# ls /home/zhangsan/
testfile01.txt
```

Use get to download:

```
sftp> get /etc/passwd
Fetching /etc/passwd to passwd
/etc/passwd                                   100% 2227     1.8MB/s   00:00
sftp> bye
```

```
[root@host02 ~]# ls
anaconda-ks.cfg  passwd  testdir01  testfile01.txt
```