
Remote access and control lab

July 16, 2020 | 移动技术网 IT编程

Remote access and control

I: SSH remote management

1.1: Configuring the OpenSSH server

1.1.1: The SSH protocol

Default port: TCP 22

A secure channel protocol

It encrypts the traffic between the two ends and is used for remote management

1.1.2: The OpenSSH service

1.1.2.1 OpenSSH

Service name: sshd

Server daemon: /usr/sbin/sshd

Server configuration file: /etc/ssh/sshd_config
ssh_config: client configuration file
sshd_config: server configuration file

1.1.2.2 Listening options

Port number, protocol version, listening IP address

Disable reverse DNS lookups (UseDNS no)

[root@server ~]# vim /etc/ssh/sshd_config
#Port 22                    the port can be changed to any free one, but changing it is not recommended
#AddressFamily any
#ListenAddress 0.0.0.0      the listening address can be changed
#ListenAddress ::

II: User login control

2.1 Ordinary password login

First, look at ordinary password login on the default port 22. The client is 20.0.0.42; from it, log in remotely to the server at 20.0.0.41.

[root@client ~]# ssh root@20.0.0.41
root@20.0.0.41's password: 
Permission denied, please try again.
root@20.0.0.41's password: 
Last failed login: Mon Jul 13 08:52:16 CST 2020 from 20.0.0.42 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Mon Jul 13 08:01:46 2020 from 20.0.0.1
[root@server ~]#   now on the server

Create a file remotely

[root@server ~]# cd /opt
[root@server opt]# touch 123.txt

Looking at the server's console confirms the file was created there (the screenshot of the listing is omitted).

2.2 Restricting which accounts may log in

2.2.1 Disallow remote login as root

vim /etc/ssh/sshd_config

# Authentication:

#LoginGraceTime 2m     time allowed to complete authentication: 2 minutes
PermitRootLogin no     disallow remote login as root
#StrictModes yes       check ownership and permissions of ~/.ssh before trusting its files
#MaxAuthTries 6        maximum authentication attempts per connection: 6
#MaxSessions 10        maximum sessions (multiplexed windows) per connection: 10

Restart the service. Run sshd -t first to syntax-check the file: if the configuration is broken, sshd fails to restart and the session you are already in becomes your only way back.

systemctl restart sshd

Test

2.2.2 On the client, try to log in to the server as root

[root@server opt]# ssh root@20.0.0.41
The authenticity of host '20.0.0.41 (20.0.0.41)' can't be established.
ECDSA key fingerprint is SHA256:X/subAZrjeEGTOEQ8wxYrsYnE5Ug2Wbg8V0jeiRBVW0.
ECDSA key fingerprint is MD5:e2:49:48:9c:89:35:ac:73:a5:bb:52:3a:f5:f5:36:8d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '20.0.0.41' (ECDSA) to the list of known hosts.
root@20.0.0.41's password: 
Permission denied, please try again.
root@20.0.0.41's password: 
Permission denied, please try again.
root@20.0.0.41's password: 
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

root cannot log in, but the password prompt still appears three times. Those three prompts are the client's default (NumberOfPasswordPrompts 3); the server's own limit is MaxAuthTries, which defaults to 6. sshd deliberately answers with the same generic Permission denied whether the password was wrong or the account is blocked, so from the client the attempts look identical.
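When a hardened setting does not take effect, the usual cause is a duplicate keyword: sshd uses the first occurrence of each keyword and ignores later ones, so a PermitRootLogin no appended at the bottom of a file that still has PermitRootLogin yes above it changes nothing. The following script is an added example, not part of the original lab: it emulates that first-match lookup over two constructed configuration snippets (a weak one and a corrected one) and audits the listening options from 1.1.2.2 together with the authentication settings changed in this section. The expected values are this example's own policy (PermitRootLogin no, MaxAuthTries 3, UseDNS no), the emulation only understands whitespace-separated Keyword value lines above the first Match block, and on a real host the authoritative check is sshd -T, which prints the effective value of every keyword.

```shell
#!/bin/sh
# Added example: emulates sshd's "first occurrence wins" keyword lookup over
# constructed configs. This is not the sshd parser; on a real host use: sshd -T

# Constructed weak config: an admin appended "PermitRootLogin no" at the
# bottom without noticing the earlier "yes". sshd keeps the first one.
WEAK_CONF='#Port 22
#ListenAddress 0.0.0.0
PermitRootLogin yes
#MaxAuthTries 6
MaxAuthTries 3
# appended later, has no effect:
PermitRootLogin no'

# Constructed corrected config: each keyword set once, in the main section.
# Anything under a Match block is conditional and is not part of the global value.
HARDENED_CONF='Port 22
ListenAddress 0.0.0.0
PermitRootLogin no
MaxAuthTries 3
UseDNS no
Match User test03
    PasswordAuthentication no'

# sshd_effective CONFIG KEYWORD DEFAULT -> prints the effective value.
# Keywords are case-insensitive, comments and blank lines are skipped, the
# FIRST match wins, and parsing stops at the first Match block.
sshd_effective() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match"   { exit }
        tolower($1) == key {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")   # drop the keyword, keep the value
            print; found = 1; exit
        }
        END { if (!found) print def }
    '
}

# check_kw CONFIG KEYWORD EXPECTED DEFAULT -> 0 if the effective value is EXPECTED
check_kw() {
    got="$(sshd_effective "$1" "$2" "$4")"
    if [ "$got" = "$3" ]; then
        printf 'OK   %-16s %s\n' "$2" "$got"
    else
        printf 'FAIL %-16s %s (want %s)\n' "$2" "$got" "$3"
        return 1
    fi
}

# audit_sshd CONFIG -> 0 only if every checked keyword has the hardened value.
# Fourth column: the OpenSSH 7.x compiled-in default used when the keyword is absent.
audit_sshd() {
    rc=0
    check_kw "$1" PermitRootLogin no  yes || rc=1
    check_kw "$1" MaxAuthTries    3   6   || rc=1
    check_kw "$1" UseDNS          no  yes || rc=1
    return $rc
}

echo "--- weak config ---"
audit_sshd "$WEAK_CONF" || echo "fix the FIRST occurrence of each failing keyword"
echo "--- hardened config ---"
audit_sshd "$HARDENED_CONF" && echo "all checks passed"
```

On the real host, run the same kind of check with sshd -T | grep -i -e permitrootlogin -e maxauthtries -e usedns after editing; if the value printed is not the one you just wrote, search the file for an earlier line with the same keyword.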

2.2.3 Create three test accounts and set their passwords non-interactively

[root@server ~]# useradd test01
[root@server ~]# echo "123123"|passwd --stdin test01
Changing password for user test01.
passwd: all authentication tokens updated successfully.
[root@server ~]# useradd test02
[root@server ~]# echo "123123"|passwd --stdin test02
Changing password for user test02.
passwd: all authentication tokens updated successfully.
[root@server ~]# useradd test03
[root@server ~]# echo "123123"|passwd --stdin test03
Changing password for user test03.
passwd: all authentication tokens updated successfully.

Connect to the server as test01 from the client, then switch to root

[root@server opt]# ssh test01@20.0.0.41
test01@20.0.0.41's password: 
[test01@server ~]$ su - root
Password:
Last login: Mon Jul 13 08:52:24 CST 2020 from 20.0.0.42 on pts/1
Last failed login: Mon Jul 13 09:27:51 CST 2020 from server on ssh:notty
There were 3 failed login attempts since the last successful login.
[root@server ~]#
Last login: Mon Jul 13 09:40:20 CST 2020 on pts/2
[root@server ~]# 

Even with remote root login disabled, anyone who can log in as another permitted account can then su to root, so the restriction only moves the target from root's password to any user's password. That is not acceptable in production; su itself has to be restricted through PAM.

Solution: restrict su with PAM

[root@server ~]# vim /etc/pam.d/su

In that file, uncomment the line auth required pam_wheel.so use_uid (the screenshot of the edit is omitted). su to root then works only for members of the wheel group, so add the administrators who need it with usermod -aG wheel <user>; test01 stays outside the group and can no longer become root even with root's password.
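The edit to /etc/pam.d/su, as an added example that is not part of the original lab. The file content below is a constructed copy of the relevant lines of the stock CentOS 7 file (the real one uses tabs); the two functions check for and apply the one-line change, and the "trust" variant that ships next to it is deliberately left commented, because it would let wheel members reach root without any password at all.

```shell
#!/bin/sh
# Added example: the pam_wheel change to /etc/pam.d/su and a check for it.
# STOCK_PAM_SU is a constructed copy of the relevant lines of the CentOS 7 file.
STOCK_PAM_SU='#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            substack        system-auth
auth            include         postlogin
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         include         postlogin
session         optional        pam_xauth.so'

# su_restricted_to_wheel CONTENT -> 0 if an active (uncommented)
# "auth required pam_wheel.so" line is present.
su_restricted_to_wheel() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so'
}

# harden_pam_su CONTENT -> prints CONTENT with the "required" pam_wheel line
# uncommented. Only that line changes: the "trust" variant stays commented
# (it would grant root to wheel members WITHOUT a password), and pam_rootok.so
# stays first so root can still su to other users.
harden_pam_su() {
    printf '%s\n' "$1" |
        sed -E 's/^#([[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so)/\1/'
}

if su_restricted_to_wheel "$STOCK_PAM_SU"; then
    echo "su is already restricted to the wheel group"
else
    echo "stock file lets any user attempt su; hardened version:"
    harden_pam_su "$STOCK_PAM_SU"
fi
```

On the host itself the same sed expression can be applied with sed -i to /etc/pam.d/su, followed by usermod -aG wheel for each administrator. After that, su - root from an account outside wheel is refused even with the correct root password, and the refusal is recorded by pam_wheel in /var/log/secure, which is what you want to alert on.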

2.3 Testing the maximum password retry count

[root@server ~]# vim /etc/ssh/sshd_config

Change MaxAuthTries (the screenshot of the edit is omitted); the lab sets it to 7.

[root@server ~]# systemctl restart sshd   restart the service

Log in to the server as root:

[root@server opt]# ssh root@20.0.0.41
root@20.0.0.41's password: 
Permission denied, please try again.
root@20.0.0.41's password: 
Permission denied, please try again.
root@20.0.0.41's password: 
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

Only three attempts are offered even though the server now allows 7. The limit seen here is the client's: NumberOfPasswordPrompts defaults to 3, and the client gives up on its own. MaxAuthTries is the server-side cap on authentication attempts per connection; once it is reached sshd disconnects the client. To observe it, raise the client's prompt count, for example ssh -o NumberOfPasswordPrompts=7 root@20.0.0.41. For hardening, lower MaxAuthTries rather than raise it.

2.4 Allow and deny lists

AllowUsers (allow list: only the listed users may log in)

DenyUsers (deny list: the listed users are refused, everyone else is unaffected)

The two can be used together: sshd evaluates DenyUsers first, then AllowUsers (then DenyGroups and AllowGroups), so a user named on both lists is refused. Each entry is a user name or a user@host pattern and may use the * and ? wildcards.

[root@server ~]# vim /etc/ssh/sshd_config
[root@server ~]# systemctl restart sshd

2.4.1 Allow list

The edit adds an allow list of the form AllowUsers test02@20.0.0.42 test03 (the screenshot of the edit is omitted): test02 only from 20.0.0.42, test03 from anywhere.

Logging in as test02 from 20.0.0.42 works

[root@client ~]# ssh test02@20.0.0.41
test02@20.0.0.41's password: 
Last login: Mon Jul 13 10:28:46 2020 from 20.0.0.42
[test02@client ~]$ 

Logging in as test03 from 20.0.0.42 works

[root@client ~]# ssh test03@20.0.0.41
test03@20.0.0.41's password: 
Last login: Mon Jul 13 10:41:31 2020 from 20.0.0.43
[test03@client ~]$ ^C

Logging in as test02 from 20.0.0.43 is refused

[root@localhost ~]# ssh test02@20.0.0.41
test02@20.0.0.41's password: 
Permission denied, please try again.
test02@20.0.0.41's password: 
Permission denied, please try again.
test02@20.0.0.41's password: 
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
[root@localhost ~]# 

Logging in as test03 from 20.0.0.43 works

[root@localhost ~]# ssh test03@20.0.0.41
The authenticity of host '20.0.0.41 (20.0.0.41)' can't be established.
ECDSA key fingerprint is SHA256:X/subAZrjeEGTOEQ8wxYrsYnE5Ug2Wbg8V0jeiRBVW0.
ECDSA key fingerprint is MD5:e2:49:48:9c:89:35:ac:73:a5:bb:52:3a:f5:f5:36:8d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '20.0.0.41' (ECDSA) to the list of known hosts.
test03@20.0.0.41's password: 
Last failed login: Mon Jul 13 10:41:23 CST 2020 from 20.0.0.43 on ssh:notty
There was 1 failed login attempt since the last successful login.
[test03@client ~]$ 

test02 can reach the server only from 20.0.0.42; test03 is unrestricted and can connect from any host. A user rejected by AllowUsers still sees the normal password prompts and the same generic Permission denied; the reason is only visible in the server log (/var/log/secure on CentOS), which records that the user is not listed in AllowUsers. Host parts are matched against the client's IP address unless UseDNS is yes, so host-name patterns will not match while reverse lookup is disabled.
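The matching rules above, as an added example (not from the original lab): a small shell emulation of how sshd evaluates DenyUsers and AllowUsers entries, run against the constructed policy from this section. It follows sshd's order (DenyUsers first, then AllowUsers) and its USER and USER@HOST forms with * and ? wildcards; the CIDR and "!" negation forms that sshd also accepts are not emulated, and group lists and PermitRootLogin are separate checks layered on top of this one.

```shell
#!/bin/sh
# Added example: emulates how sshd evaluates DenyUsers / AllowUsers entries.
# Constructed policy matching the lab: test02 only from 20.0.0.42, test03 from
# anywhere. Entries are whitespace-separated USER or USER@HOST patterns with
# * and ? wildcards, as in sshd_config. CIDR entries and "!" negation are
# not emulated here.
ALLOW_USERS='test02@20.0.0.42 test03'
DENY_USERS=''

# glob_match PATTERN STRING -> 0 if STRING matches PATTERN (* and ? wildcards)
glob_match() {
    case "$2" in
        $1) return 0 ;;
    esac
    return 1
}

# entry_matches ENTRY USER HOST -> 0 if ENTRY (USER or USER@HOST) covers the pair.
# HOST is what sshd matches against: the client IP, or additionally its
# reverse-DNS name only when UseDNS is yes.
entry_matches() {
    case "$1" in
        *@*) glob_match "${1%%@*}" "$2" && glob_match "${1#*@}" "$3" ;;
        *)   glob_match "$1" "$2" ;;
    esac
}

# user_allowed USER HOST -> 0 if the pair passes the user lists.
# Same order as sshd: DenyUsers first (a hit rejects), then AllowUsers
# (when that list is non-empty the user must match one of its entries).
user_allowed() {
    for e in $DENY_USERS; do
        if entry_matches "$e" "$1" "$2"; then return 1; fi
    done
    if [ -z "$ALLOW_USERS" ]; then return 0; fi
    for e in $ALLOW_USERS; do
        if entry_matches "$e" "$1" "$2"; then return 0; fi
    done
    return 1
}

# Demo: the cases from the lab, plus root, which a non-empty AllowUsers
# blocks even if PermitRootLogin were still yes.
for who in test02@20.0.0.42 test02@20.0.0.43 test03@20.0.0.43 root@20.0.0.42; do
    if user_allowed "${who%@*}" "${who#*@}"; then verdict=allowed; else verdict=denied; fi
    printf '%-22s %s\n' "$who" "$verdict"
done
```

The last case is the one people trip over: once AllowUsers is set, every account not on it is locked out, including the admin account you are logged in with, so add yourself before restarting sshd and keep the current session open until a second login succeeds.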

III: Key-pair authentication

Enable key-pair authentication on the server, i.e. PubkeyAuthentication yes and AuthorizedKeysFile .ssh/authorized_keys in the server configuration (both are the defaults on CentOS 7; the screenshot of the edit is omitted):

vi /etc/ssh/sshd_config

3.1 Client

Create a key pair (ECDSA here; ed25519 is the usual choice on OpenSSH 6.5 and later). Give it a passphrase: with an empty one, anyone who can read id_ecdsa can log in as you.

ssh-keygen -t ecdsa

[liu@client root]$ ssh-keygen -t ecdsa    ECDSA, Elliptic Curve Digital Signature Algorithm
Generating public/private ecdsa key pair.
Enter file in which to save the key (/home/liu/.ssh/id_ecdsa): 
Enter passphrase (empty for no passphrase): enter liuzhangsan (choose your own)
Enter same passphrase again: 
Your identification has been saved in /home/liu/.ssh/id_ecdsa.
Your public key has been saved in /home/liu/.ssh/id_ecdsa.pub.
The key fingerprint is:
SHA256:PgVtDB1OhMPgm4uRRVbodiIXZw6JQj5BB3C4QmQz8ac liu@client
The key's randomart image is:
+---[ECDSA 256]---+
|o@B...+*o++.     |
|o+=o.+= **.      |
|..oo oo*..=      |
|o  .+o=ooo       |
|.  Eo+ooS .      |
|     o o .       |
|    . . o        |
|         .       |
|                 |
+----[SHA256]-----+


Push the public key to test03 on the server, entering test03's password when prompted

[liu@client .ssh]$  ssh-copy-id -i id_ecdsa.pub test03@20.0.0.41
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "id_ecdsa.pub"
The authenticity of host '20.0.0.41 (20.0.0.41)' can't be established.
ECDSA key fingerprint is SHA256:X/subAZrjeEGTOEQ8wxYrsYnE5Ug2Wbg8V0jeiRBVW0.
ECDSA key fingerprint is MD5:e2:49:48:9c:89:35:ac:73:a5:bb:52:3a:f5:f5:36:8d.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
test03@20.0.0.41's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'test03@20.0.0.41'"
and check to make sure that only the key(s) you wanted were added.

Log in to the server as test03. The address was typed as 20.0.41, which inet_aton expands to 20.0.0.41; because known_hosts is keyed by the string typed, the host key has to be confirmed again and is stored under a second entry.

[liu@client .ssh]$ ssh test03@20.0.41
The authenticity of host '20.0.41 (20.0.0.41)' can't be established.
ECDSA key fingerprint is SHA256:X/subAZrjeEGTOEQ8wxYrsYnE5Ug2Wbg8V0jeiRBVW0.
ECDSA key fingerprint is MD5:e2:49:48:9c:89:35:ac:73:a5:bb:52:3a:f5:f5:36:8d.
Are you sure you want to continue connecting (yes/no)? yse
Please type 'yes' or 'no': yes
Warning: Permanently added '20.0.41' (ECDSA) to the list of known hosts.
Enter passphrase for key '/home/liu/.ssh/id_ecdsa': 
Last login: Mon Jul 13 10:46:18 2020 from 20.0.0.42

[test03@client ~]$ 

On the server, the key now appears in /home/test03/.ssh/authorized_keys (screenshot omitted).
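What ssh-copy-id (section 3.1) does on the server side, as an added example that is not code from the original lab: append the public key to ~/.ssh/authorized_keys, skip it if the same key material is already there, and leave the directory and file with the permissions that StrictModes yes (the default noted in 2.2.1) insists on. If ~, ~/.ssh or authorized_keys is group- or world-writable, sshd ignores the file and you silently fall back to the password prompt, which is the most common reason key login "does not work". The key text in the script is constructed and is not a real key; the functions take a home directory as a parameter so they can be exercised on a temporary directory.

```shell
#!/bin/sh
# Added example: server-side effect of ssh-copy-id plus the permission check
# that StrictModes performs. SAMPLE_KEY is constructed, not a real key.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNotARealKey0000000000000000000 liu@client'

# install_pubkey HOME_DIR 'TYPE BASE64 [COMMENT]'
# Creates HOME_DIR/.ssh (0700) and authorized_keys (0600) if missing and
# appends the key unless the same key material is already present.
# Like ssh-copy-id, the comparison is on the base64 blob (field 2), so
# re-running with a different comment does not add a duplicate line.
install_pubkey() {
    sshdir="$1/.ssh"; akf="$sshdir/authorized_keys"
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    [ -f "$akf" ] || : > "$akf"
    chmod 600 "$akf"
    blob="$(printf '%s\n' "$2" | awk '{print $2}')"
    if awk -v b="$blob" '$2 == b { found = 1 } END { exit !found }' "$akf"; then
        return 0            # already installed
    fi
    printf '%s\n' "$2" >> "$akf"
}

# strict_modes_ok HOME_DIR -> 0 if HOME_DIR, .ssh and authorized_keys exist and
# none of them is group- or world-writable, which is what "StrictModes yes"
# checks before it will read the file. Ownership is not checked here.
strict_modes_ok() {
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || return 1
        mode="$(stat -c '%a' "$p" 2>/dev/null || stat -f '%Lp' "$p")"
        # group and other are the last two octal digits; 2, 3, 6, 7 carry the write bit
        case "$(printf '%s' "$mode" | sed 's/.*\(..\)$/\1/')" in
            *[2367]*) return 1 ;;
        esac
    done
    return 0
}

# Demo on a throwaway home directory
DEMO_HOME="$(mktemp -d)"
install_pubkey "$DEMO_HOME" "$SAMPLE_KEY"
install_pubkey "$DEMO_HOME" "$SAMPLE_KEY"      # idempotent: still one line
strict_modes_ok "$DEMO_HOME" && echo "permissions acceptable to StrictModes"
chmod 775 "$DEMO_HOME/.ssh"
strict_modes_ok "$DEMO_HOME" || echo "group-writable ~/.ssh: sshd would ignore authorized_keys"
rm -rf "$DEMO_HOME"
```

When a key is refused for this reason, the client only sees the password prompt; the server log (/var/log/secure) names the offending path, and running sshd with -d on a spare port prints the same check as it happens.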

3.2 Start an SSH agent to avoid retyping the passphrase

[liu@client .ssh]$ ssh-agent bash    start a shell with an agent attached
[liu@client .ssh]$ ssh-add           add the private key to the agent
Enter passphrase for /home/liu/.ssh/id_ecdsa:    enter the key's passphrase
Identity added: /home/liu/.ssh/id_ecdsa (/home/liu/.ssh/id_ecdsa)

Log in again: the passphrase is no longer requested. The agent holds the decrypted key for as long as that shell lives; ssh-add -t 3600 limits the lifetime, and agent forwarding (ForwardAgent) should not be enabled towards hosts you do not trust, because root on such a host can use the forwarded agent to log in as you elsewhere.

[liu@client .ssh]$ ssh test03@20.0.0.41
Last login: Mon Jul 13 11:45:45 2020
[test03@client ~]$

3.3 Secure remote copy with scp

scp copies files to or from a remote host over an SSH connection. Besides the source and destination paths, give the remote host address and the login user; you are then prompted for that user's password (or the key held by the agent is used).

Create a file on the client

[liu@client opt]$ touch 123.txt
[liu@client opt]$ echo "123456789" > 123.txt

3.3.1 Copy the file to the server

scp 123.txt root@20.0.0.41:/home/

[liu@client opt]$ scp 123.txt root@20.0.0.41:/home/ 
root@20.0.0.41's password: 
123.txt                  100%   10     7.8KB/s   00:00    
[liu@client opt]$ 

3.3.2 Check the copied file on the server

[root@server ~]# cd /home/
[root@server home]# ls
123.txt  johnsoon  test01  test02  test03
[root@server home]# cat 123.txt
123456789

3.4 sftp: secure FTP-style upload and download

sftp provides an interactive, FTP-like session over SSH: connect with sftp user@host, navigate with ls and cd, download with get and upload with put. It uses the same authentication and the same login restrictions as ssh, so the AllowUsers and PermitRootLogin settings above apply to it as well.

1) First connect to the server

[root@client ~]# sftp root@20.0.0.41   
root@20.0.0.41's password: 
Connected to 20.0.0.41.
sftp> ls
1.txt                        aa                           
anaconda-ks.cfg              bb                           
cc                           initial-setup-ks.cfg         
下载                       公共                       
图片                       文档                       
桌面                       模板                       
视频                       音乐                       
sftp> cd /home
You must specify a path after a cd command.
sftp> ls
123.txt    abc.txt    johnsoon   test01     test02     
test03     
sftp> get abc.txt    download abc.txt
Fetching /home/abc.txt to abc.txt
/home/abc.txt            100%    9     6.6KB/s   00:00    
sftp> bye   log out
[root@client ~]# ls
abc.txt               公共  图片  音乐
anaconda-ks.cfg       模板  文档  桌面
initial-setup-ks.cfg  视频  下载
[root@client ~]# cat abc.txt   the file has been downloaded to the client
aabbccdd



get downloads, put uploads

Original article: https://blog.csdn.net/m0_46476544/article/details/107318450
