1. SSH remote login protocol
Purpose: open a shell on a remote server over an encrypted connection.
Practically every Linux distribution ships an SSH service (OpenSSH).
1.1. SSH key exchange (how the public keys get across)
How an SSH-2 session is set up:
- The client opens a TCP connection (port 22 by default); both sides exchange version strings and the lists of algorithms they support.
- Client and server run a Diffie-Hellman (or elliptic-curve) key exchange. Neither side sends a secret: each contributes a public DH value and both derive the same shared secret. A hash over the whole exchange becomes the session ID.
- The server sends its host public key together with a signature over the exchange hash made with its host private key. The client checks the key against ~/.ssh/known_hosts; on first contact it shows the fingerprint and asks you to confirm it. This step is the only defence against a man-in-the-middle, so a "host key has changed" warning must never be clicked through.
- Symmetric session keys (for encryption and integrity) are derived from the shared secret and the session ID; from here on all traffic is encrypted.
- Only now, inside the encrypted channel, does user authentication run: a password, or public-key authentication, where the client proves possession of its private key by signing data that includes the session ID and the server verifies the signature against the user's ~/.ssh/authorized_keys.
Result: the server's host key pair and the user's key pair never leave their machines; only public values and signatures cross the wire, and every session gets fresh symmetric keys.
2. telnet vs ssh
telnet: plaintext; the password and the whole session can be read by anyone on the path.
ssh: encrypted; port 22 by default; a terminal (text) session; the standard way to administer Linux hosts.
3. SSH client and server
On Linux:
| Package (service) | Main program | Configuration file |
|---|---|---|
| openssh-server | /usr/sbin/sshd | /etc/ssh/sshd_config |
| openssh-clients | /usr/bin/ssh | /etc/ssh/ssh_config |
Where keys live:
This machine's own host keys (the server's identity): /etc/ssh/ssh_host_*_key and the matching .pub files
Host keys of servers this user has already connected to: ~/.ssh/known_hosts
Public keys of clients allowed to log in as this user: ~/.ssh/authorized_keys
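The handshake step above where the client receives the server's host key, and the known_hosts file just listed, only protect you if the fingerprint is checked against something obtained out of band (the server console, a KVM, the provisioning system). The following is an added example, not code from the original page or from OpenSSH: it computes the MD5 fingerprint of a public key line in the same format `ssh-keygen -E md5 -lf` prints, looks a host up in a known_hosts file and compares the result with a pinned value, using only base64, md5sum, awk and sed. The keys and the known_hosts contents are constructed for the example (a structurally valid ssh-ed25519 blob with all-zero key bytes), and the function names are the example's own.

```shell
#!/bin/sh
# Host-key pinning check. Needs base64, md5sum, awk, sed. Sample data below is
# constructed for this example; the keys are not real keys.

# pubkey_md5_fp "<type> <base64> [comment]" -> prints MD5:xx:xx:...:xx
# (same format as `ssh-keygen -E md5 -lf`; the digest is over the decoded blob)
pubkey_md5_fp() {
    b64=$(printf '%s\n' "$1" | awk '{print $2}')
    hex=$(printf '%s' "$b64" | base64 -d | md5sum | awk '{print $1}')
    printf 'MD5:%s\n' "$(printf '%s\n' "$hex" | sed 's/../&:/g; s/:$//')"
}

# known_hosts_lookup <file> <host> <port> -> prints "<type> <base64>" of the
# matching plain-text entry, nothing if unknown. A non-default port is stored
# as [host]:port. Hashed entries (|1|...) and marker lines (@revoked,
# @cert-authority) are skipped here; use `ssh-keygen -F host` for those.
known_hosts_lookup() {
    if [ "$3" = 22 ]; then want=$2; else want="[$2]:$3"; fi
    awk -v want="$want" '
        NF < 3 { next }
        substr($1, 1, 1) ~ /[#|@]/ { next }
        {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == want) { print $2 " " $3; exit }
        }' "$1"
}

# verify_pinned_host <known_hosts> <host> <port> <expected_fp>
# 0 = key matches the pin; 1 = MISMATCH (MITM or reinstalled host: do not log
# in until explained); 2 = host not in known_hosts (first contact: compare the
# fingerprint ssh shows you with the pin before answering "yes")
verify_pinned_host() {
    entry=$(known_hosts_lookup "$1" "$2" "$3")
    [ -n "$entry" ] || return 2
    [ "$(pubkey_md5_fp "$entry")" = "$4" ]
}

# --- constructed sample data -------------------------------------------------
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
KH="$workdir/known_hosts"
# ssh-ed25519 blobs: 32 zero key bytes (KEY_C71) / last byte 0x01 (KEY_C72)
KEY_C71='AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
KEY_C72='AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB'
cat > "$KH" <<EOF
# c7-1 on the default port and, after the port change, on 9527; c7-2 on 22
192.168.21.10,c7-1 ssh-ed25519 $KEY_C71
[192.168.21.10]:9527 ssh-ed25519 $KEY_C71
192.168.21.20 ssh-ed25519 $KEY_C72
EOF

# The pin is what you would read on c7-1's console from
# `ssh-keygen -E md5 -lf /etc/ssh/ssh_host_ed25519_key.pub`; derived here from KEY_C71.
PIN_C71=$(pubkey_md5_fp "ssh-ed25519 $KEY_C71")

report() {   # report <host> <port> <pin>
    verify_pinned_host "$KH" "$1" "$2" "$3"
    case $? in
        0) echo "$1:$2 host key matches the pin $3" ;;
        1) echo "$1:$2 HOST KEY MISMATCH: possible man-in-the-middle, do not log in" ;;
        2) echo "$1:$2 not in known_hosts: compare the fingerprint shown on first connect with the pin" ;;
    esac
}
report 192.168.21.10 22   "$PIN_C71"
report 192.168.21.10 9527 "$PIN_C71"
report 192.168.21.20 22   "$PIN_C71"   # c7-1's pin against c7-2's key: mismatch
report 192.168.21.30 22   "$PIN_C71"   # unknown host
```

The SHA256 form that newer ssh prints by default is the same idea (base64 of the SHA-256 of the blob); MD5 is used here only because it can be produced with md5sum alone.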
4. The ssh command
ssh [options] [user@]host   (host = IP address or DNS name)
| Option | Meaning |
|---|---|
| -p | port to connect to (needed once the server no longer listens on 22) |
| -l | user to log in as |
| -t | force a pseudo-terminal; needed when an interactive program is run as the remote command, including a further hop such as ssh -t jumphost ssh target |
ssh -l root 192.168... is the same as ssh root@192.168...
5. Experiments
1. Change the default port (22)
#c7-1 configuration
[root@localhost ~]# vim /etc/ssh/sshd_config #server-side configuration file of the ssh service
# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22 #the default port 22 is shipped commented out; to change the port add an active line yourself
Port 9527 #set the port to 9527 (note the semanage hint just above: SELinux must be told about the new port as well)
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
.
.
.
[root@localhost ~]# systemctl restart sshd #the change only takes effect after a restart; on CentOS 7 the unit is sshd, there is no ssh unit. Run sshd -t first: a syntax error would leave the host without sshd
[root@localhost system]# systemctl stop firewalld.service #for the lab only. The proper fix is to open the port: firewall-cmd --permanent --add-port=9527/tcp && firewall-cmd --reload
[root@localhost system]# setenforce 0 #for the lab only (SELinux permissive). The proper fix is the command quoted in the config file: semanage port -a -t ssh_port_t -p tcp 9527; without it sshd cannot bind 9527 while SELinux is enforcing
#switch to c7-2
[root@localhost system]# ssh 192.168.21.10 -p 9527 #connect to the new port; keep an existing session on port 22 open until this works
root@192.168.21.10's password: #enter the password of root on c7-1
Last login: Mon Apr 29 15:33:50 2024 from 192.168.21.10
[root@localhost ~]# ll
total 8
-rw-------. 1 root root 1758 Mar 21 04:56 anaconda-ks.cfg
-rw-r--r--. 1 root root 1806 Mar 21 04:58 initial-setup-ks.cfg
drwxr-xr-x. 2 root root 6 Apr 10 09:41 ljg
drwxr-xr-x. 2 root root 6 Mar 21 04:59 公共
drwxr-xr-x. 2 root root 6 Mar 21 04:59 模板
drwxr-xr-x. 2 root root 6 Mar 21 04:59 视频
drwxr-xr-x. 2 root root 6 Mar 21 04:59 图片
drwxr-xr-x. 2 root root 6 Mar 21 04:59 文档
drwxr-xr-x. 2 root root 6 Mar 21 04:59 下载
drwxr-xr-x. 2 root root 6 Mar 21 04:59 音乐
drwxr-xr-x. 2 root root 6 Mar 21 04:59 桌面
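The port change above is done by hand in vim. Two things bite when this is scripted or repeated: sshd uses the first active occurrence of a directive, so appending a second Port line below an earlier one does nothing, and a directive placed after a Match block no longer applies globally. The following is an added example, not code from the original page or from OpenSSH: an idempotent setter that replaces an active line, otherwise uncomments the shipped "#Directive default" line, otherwise inserts before the first Match block, run here on a constructed copy of the file (pass /etc/ssh/sshd_config on a real host). The function names are the example's own; the commands in the comment at the end are the real CentOS 7 steps for the port change.

```shell
#!/bin/sh
# Idempotent sshd_config edit. Works on a constructed copy of the file.

# sshd_get <file> <Directive> -> effective global value ("" if only the commented default exists)
sshd_get() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }      # the global section ends at the first Match
        tolower($1) == tolower(key) { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }
    ' "$1"
}

# sshd_set <file> <Directive> <value>
sshd_set() {
    tmp=$(mktemp)
    awk -v key="$2" -v val="$3" '
        BEGIN { done = 0; inmatch = 0 }
        tolower($1) == "match" { if (!done) { print key " " val; done = 1 }; inmatch = 1 }
        !inmatch && tolower($1) == tolower(key) {
            if (!done) { print key " " val; done = 1 }
            else       { print "#" $0 "   # superseded: sshd reads only the first occurrence" }
            next
        }
        !inmatch && !done && tolower($1) == ("#" tolower(key)) { print key " " val; done = 1; next }
        { print }
        END { if (!done) print key " " val }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"   # cat keeps the owner and mode of the real file
    rm -f "$tmp"
}

# --- constructed sample -------------------------------------------------------
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
CFG="$workdir/sshd_config"
cat > "$CFG" <<'EOF'
# constructed excerpt in the layout of the sshd_config shipped with OpenSSH 7.x
#Port 22
#AddressFamily any
#PermitRootLogin yes
#PasswordAuthentication yes
Match User zy
    PasswordAuthentication yes
EOF

sshd_set "$CFG" Port 9527
sshd_set "$CFG" PermitRootLogin no
sshd_set "$CFG" MaxAuthTries 3      # not in the file at all: inserted before the Match block
echo "Port=$(sshd_get "$CFG" Port) PermitRootLogin=$(sshd_get "$CFG" PermitRootLogin) MaxAuthTries=$(sshd_get "$CFG" MaxAuthTries)"
cat "$CFG"

# On the real host, in this order, from a session you keep open until the new
# port is confirmed (a mistake here locks you out of a remote machine):
#   sshd -t                                          # syntax check before restarting
#   semanage port -a -t ssh_port_t -p tcp 9527       # SELinux: let sshd bind 9527 (instead of setenforce 0)
#   firewall-cmd --permanent --add-port=9527/tcp && firewall-cmd --reload   # instead of stopping firewalld
#   systemctl restart sshd                           # CentOS 7 unit name is sshd
#   ss -tlnp | grep sshd                             # confirm it now listens on 9527
#   ssh -p 9527 root@192.168.21.10                   # from c7-2, before closing the old session
```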
2. Refuse root logins
#c7-1
[root@localhost ~]# vim /etc/ssh/sshd_config
.
.
.
37 #LoginGraceTime 2m
38 #PermitRootLogin yes #line 38 controls root login and the default allows it; remove the # and change yes to no (PermitRootLogin no) so sshd refuses root. prohibit-password instead of no keeps key-based root login and refuses only passwords
39 #StrictModes yes
40 #MaxAuthTries 6
41 #MaxSessions 10
.
.
.
[root@localhost ~]# systemctl restart sshd #restart sshd on c7-1 so the change takes effect
#switch to c7-2
[root@localhost system]# ssh 192.168.21.10
root@192.168.21.10's password:
Permission denied, please try again. #root is refused even with the correct password
root@192.168.21.10's password:
[root@localhost system]# ssh zy@192.168.21.10 #log in to user zy on c7-1 instead
zy@192.168.21.10's password:
Last login: Mon Apr 29 15:58:12 2024 #login succeeds
#root can no longer log in to c7-1 directly, but zy on c7-1 may run su, so anyone who knows the root password still gets root by logging in as zy and switching. PermitRootLogin no only takes the always-present root account away from password guessing; it does not decide who may become root.
[zy@localhost ~]$ su root
Password:
[root@localhost zy]# ll
total 0
-rw-rw-r--. 1 zy zy 0 Mar 29 17:12 123
drwxr-xr-x. 2 zy zy 6 Mar 29 17:11 公共
drwxr-xr-x. 2 zy zy 6 Mar 29 17:11 模板
drwxr-xr-x. 2 zy zy 6 Mar 29 17:11 视频
drwxr-xr-x. 2 zy zy 6 Mar 29 17:11 图片
drwxr-xr-x. 2 zy zy 6 Mar 29 17:11 文档
drwxr-xr-x. 2 zy zy 6 Mar 29 17:11 下载
drwxr-xr-x. 2 zy zy 6 Mar 29 17:11 音乐
drwxr-xr-x. 2 zy zy 6 Mar 29 17:11 桌面
#To close this path, restrict su through PAM so that only members of the wheel group may use it:
[root@localhost zy]# vim /etc/pam.d/su
1 #%PAM-1.0
2 auth sufficient pam_rootok.so
3 # Uncomment the following line to implicitly trust users in the "wheel" group.
4 #auth sufficient pam_wheel.so trust use_uid
5 # Uncomment the following line to require a user to be in the "wheel" group.
6 auth required pam_wheel.so use_uid #line 6 enabled (leading # removed): only wheel members may su; use_uid checks the real uid of the caller rather than the login name. Leave line 4 commented: "trust" would let wheel members become root without any password
7 auth substack system-auth
8 auth include postlogin
9 account sufficient pam_succeed_if.so uid = 0 use_uid quiet
10 account include system-auth
11 password include system-auth
12 session include system-auth
13 session include postlogin
14 session optional pam_xauth.so
[root@localhost zy]# su zy
[zy@localhost ~]$ su root
Password:
su: Permission denied
#zy is not in wheel, so su is refused whatever password is typed. Before enabling line 6 on a real host put at least one administrator into wheel (usermod -aG wheel <user>); otherwise, combined with PermitRootLogin no, there is no remote path to root at all. root itself still passes through pam_rootok on line 2.
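The experiment shows one user being refused. What an administrator wants to know before enabling line 6 is who can still reach root afterwards, and whether the dangerous "trust" line is active. The following is an added example, not code from the original page, PAM or OpenSSH: an audit that reads copies of /etc/pam.d/su and /etc/group constructed inline (pass the real paths on a host). The function names and the sample users (zy, admin) are the example's own.

```shell
#!/bin/sh
# Who can su to root after the pam_wheel change? Reads constructed copies of
# /etc/pam.d/su and /etc/group; pass the real files on a host.

# su_requires_wheel <pam_su_file> -> 0 if an active "auth required pam_wheel.so" line exists
su_requires_wheel() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1"
}

# su_wheel_trusted <pam_su_file> -> 0 if "auth sufficient pam_wheel.so trust" is active:
# wheel members then become root WITHOUT typing the root password
su_wheel_trusted() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_wheel\.so.*[[:space:]]trust([[:space:]]|$)' "$1"
}

# in_group <group_file> <group> <user> -> 0 if user is a supplementary member
# (a user whose primary group is the named group is not caught here)
in_group() {
    awk -F: -v g="$2" -v u="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1; exit }
        END { exit !found }
    ' "$1"
}

# su_root_path <pam_su_file> <group_file> <user> -> prints the verdict, 0 if su to root is possible
su_root_path() {
    pam=$1; grp=$2; user=$3
    if ! su_requires_wheel "$pam"; then
        echo "$user: can su to root with the root password (pam_wheel not enforced)"; return 0
    fi
    if in_group "$grp" wheel "$user"; then
        if su_wheel_trusted "$pam"; then
            echo "$user: in wheel, su to root WITHOUT a password (trust line active)"
        else
            echo "$user: in wheel, su to root with the root password"
        fi
        return 0
    fi
    echo "$user: not in wheel, su refused (su: Permission denied)"; return 1
}

# --- constructed sample files --------------------------------------------------
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
PAM_BEFORE="$workdir/su.before"; PAM_AFTER="$workdir/su.after"; GRP="$workdir/group"
cat > "$PAM_BEFORE" <<'EOF'
#%PAM-1.0
auth            sufficient      pam_rootok.so
#auth           sufficient      pam_wheel.so trust use_uid
#auth           required        pam_wheel.so use_uid
auth            substack        system-auth
account         include         system-auth
EOF
# identical except that the "required" line is enabled, as in the experiment
sed 's/^#auth\(.*required.*pam_wheel.so\)/auth\1/' "$PAM_BEFORE" > "$PAM_AFTER"
cat > "$GRP" <<'EOF'
root:x:0:
wheel:x:10:admin
zy:x:1000:
admin:x:1001:
EOF

for u in zy admin; do
    echo "before: $(su_root_path "$PAM_BEFORE" "$GRP" $u)"
    echo "after:  $(su_root_path "$PAM_AFTER"  "$GRP" $u)"
done
# On a real host, before enabling the line:  usermod -aG wheel admin
# (and prefer sudo for day-to-day administration; su then stays locked to wheel)
```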
3. Whitelist and blacklist
#AllowUsers / DenyUsers are not in the shipped file; add them by hand and restart sshd afterwards
Whitelist (AllowUsers): only the listed users may log in; everyone else is refused
Blacklist (DenyUsers): the listed users are refused; everyone else may log in
sshd evaluates them in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups. A user matched by DenyUsers is refused even if AllowUsers also lists him, so a deny entry always wins; and as soon as an AllowUsers line exists, anyone not listed in it (root included) is refused.
c7-1
[root@localhost ssh]# vim /etc/ssh/sshd_config
AllowUsers zy@192.168.21.20 zs #allow zy only when coming from 192.168.21.20 (c7-2); allow zs from anywhere; refuse everyone else
DenyUsers zy@192.168.21.20 zs #the opposite: refuse zy coming from 192.168.21.20 and refuse zs from anywhere; everyone else may log in. Use one of the two lines, not both: with both present the deny entries win and neither zy nor zs can log in
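A wrong AllowUsers line is a lockout, so it is worth checking who the list admits before restarting sshd. The following is an added example, not code from the original page or from OpenSSH: a small simulation of the decision sshd makes, evaluating DenyUsers before AllowUsers and supporting the "user" and "user@host" forms with sshd's * and ? wildcards matched against the client address. CIDR host patterns, hostname matching and the group directives are deliberately not modelled. The configs are the two lines from the experiment, written to temp files; the function names are the example's own.

```shell
#!/bin/sh
# Simulates sshd's AllowUsers / DenyUsers decision. Constructed configs below.
set -f   # patterns contain *, keep the shell from expanding them as filenames

# pattern_match <pattern> <user> <client_addr> -> 0 on match
pattern_match() {
    case $1 in
        *@*) pu=${1%%@*}; ph=${1#*@}
             case $2 in $pu) case $3 in $ph) return 0 ;; esac ;; esac
             return 1 ;;
        *)   case $2 in $1) return 0 ;; esac
             return 1 ;;
    esac
}

# directive_values <config> <Directive> -> every token of every active global
# line of that directive (sshd accumulates repeated AllowUsers/DenyUsers lines).
# Trailing #comments, as on this page's example lines, are stripped here; in the
# real file keep comments on their own lines.
directive_values() {
    awk -v key="$2" '
        { sub(/#.*/, "") }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { for (i = 2; i <= NF; i++) print $i }
    ' "$1"
}

# sshd_user_allowed <config> <user> <client_addr> -> 0 allowed, 1 refused; prints why
sshd_user_allowed() {
    cfg=$1; u=$2; a=$3
    for p in $(directive_values "$cfg" DenyUsers); do          # deny is checked first
        if pattern_match "$p" "$u" "$a"; then echo "$u from $a: refused, matches DenyUsers $p"; return 1; fi
    done
    allow=$(directive_values "$cfg" AllowUsers)
    if [ -n "$allow" ]; then                                    # an AllowUsers line makes the list exclusive
        for p in $allow; do
            if pattern_match "$p" "$u" "$a"; then echo "$u from $a: allowed, matches AllowUsers $p"; return 0; fi
        done
        echo "$u from $a: refused, AllowUsers is set and nothing matches"; return 1
    fi
    echo "$u from $a: allowed, no AllowUsers restriction"; return 0
}

# --- constructed configs ------------------------------------------------------
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
ALLOW_ONLY="$workdir/allow"; BOTH="$workdir/both"
printf 'AllowUsers zy@192.168.21.20 zs\n' > "$ALLOW_ONLY"                                   # the AllowUsers line from c7-1
printf 'AllowUsers zy@192.168.21.20 zs\nDenyUsers zy@192.168.21.20 zs\n' > "$BOTH"         # both lines at once

echo "--- AllowUsers only"
sshd_user_allowed "$ALLOW_ONLY" zy   192.168.21.20   # allowed
sshd_user_allowed "$ALLOW_ONLY" zy   192.168.21.30   # refused: wrong source address
sshd_user_allowed "$ALLOW_ONLY" zs   10.0.0.5        # allowed from anywhere
sshd_user_allowed "$ALLOW_ONLY" root 192.168.21.20   # refused: not listed
echo "--- AllowUsers and DenyUsers with the same entries"
sshd_user_allowed "$BOTH" zy 192.168.21.20           # refused: deny wins
sshd_user_allowed "$BOTH" zs 10.0.0.5                # refused
# Wildcards behave as in sshd: AllowUsers admin@192.168.21.* admits admin from the whole lab subnet.
```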
6. Passwordless (key-based) ssh login
c7-1
[root@localhost ~]# ssh-keygen #generate a key pair for root on this host (on OpenSSH 6.5 or later add -t ed25519 for a smaller, faster key than the RSA 2048 default shown here)
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): #where to store the key; default /root/.ssh/id_rsa
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): #passphrase that encrypts the private key on disk; Enter for none. The passphrase is what protects the key if id_rsa is copied off the machine; ssh-agent avoids retyping it
Enter same passphrase again: #repeat the passphrase, or Enter
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:77rXGngy5NjtheRAo3qFSzwe92i+uAj2si46a97xjWE root@localhost.localdomain
The key's randomart image is:
+---[RSA 2048]----+
| |
| |
| o |
| . + . |
| B S . |
| + @ X . |
| o..E= O O.. |
|oooo+o++ *.o. |
|**o+oooo==+. |
+----[SHA256]-----+
[root@localhost ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub 192.168.21.20 #copy the PUBLIC key (never id_rsa) to c7-2, where it is appended to /root/.ssh/authorized_keys; give the file as an absolute path. The password prompt that follows is the last password login: ssh-copy-id uses it to install the key
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.21.20's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '192.168.21.20'"
and check to make sure that only the key(s) you wanted were added.
[root@localhost ~]# ssh 192.168.21.20 #log in to c7-2
Last login: Mon Apr 29 22:31:43 2024 from 192.168.21.10
[root@localhost ~]# #login without a password succeeded: the client signed the session with id_rsa and c7-2 verified the signature against authorized_keys
#Once this works, set PasswordAuthentication no in c7-2's sshd_config (then sshd -t and systemctl restart sshd) so the root password can no longer be guessed over the network, and keep /root/.ssh at 700 and authorized_keys at 600: with StrictModes (the default) sshd ignores the file when it is group- or world-accessible
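ssh-copy-id appends the bare public key, so the key it installed is usable from any source address and can forward ports and agents. The following is an added example, not code from the original page or from OpenSSH: it checks the permissions sshd's StrictModes insists on and rewrites an authorized_keys file so that unrestricted entries get a from="..." source restriction plus the no-*-forwarding options, which limits what a stolen private key is worth. It works on a constructed ~/.ssh tree in a temp dir (pass the real paths on the server); the key is the same constructed all-zero ed25519 blob as above, not a real key, and the function names are the example's own.

```shell
#!/bin/sh
# Post-ssh-copy-id hardening on a constructed ~/.ssh tree.

# no_group_other_access <path> -> 0 if neither group nor others have any bit set
# (what StrictModes wants for ~/.ssh (700) and authorized_keys (600))
no_group_other_access() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# keys_without_from <authorized_keys> -> prints the entries that carry no from= restriction
keys_without_from() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            # the key type is the first token that looks like one; the text before it is the option list
            if (match($0, /(^|[ \t])(ssh-|ecdsa-|sk-)[A-Za-z0-9@.-]+[ \t]/)) opts = substr($0, 1, RSTART - 1)
            else opts = ""
            if (opts !~ /(^|,)from="/) print NR ": " $0
        }
    ' "$1"
}

# restrict_unrestricted <authorized_keys> <from_pattern>: entries that have no
# options at all get from="<pattern>" plus the forwarding restrictions.
# The pattern uses sshd's * and ? wildcards and must not contain a comma.
restrict_unrestricted() {
    awk -v from="$2" '
        /^[ \t]*(#|$)/ { print; next }
        $1 ~ /^(ssh-|ecdsa-|sk-)/ { print "from=\"" from "\",no-agent-forwarding,no-port-forwarding,no-X11-forwarding " $0; next }
        { print }
    ' "$1" > "$1.tmp" && cat "$1.tmp" > "$1"   # cat keeps the file's mode (600)
    rm -f "$1.tmp"
}

# --- constructed sample -------------------------------------------------------
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
SSHDIR="$workdir/.ssh"; AK="$SSHDIR/authorized_keys"
mkdir -m 700 "$SSHDIR"
KEY='AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'   # constructed blob, not a real key
cat > "$AK" <<EOF
# first entry is what ssh-copy-id appended: no restrictions at all
ssh-ed25519 $KEY root@c7-1
from="192.168.21.10",no-pty,command="/usr/local/sbin/backup" ssh-ed25519 $KEY backup@c7-1
EOF
chmod 600 "$AK"

no_group_other_access "$SSHDIR" && no_group_other_access "$AK" && echo "permissions OK for StrictModes"
echo "entries without a from= restriction:"; keys_without_from "$AK"
cp "$AK" "$AK.hardened"
restrict_unrestricted "$AK.hardened" "192.168.21.10"    # only c7-1 may use the root key
echo "after hardening:"; cat "$AK.hardened"
# Then on the server: PasswordAuthentication no in /etc/ssh/sshd_config,
# sshd -t && systemctl restart sshd, and test from a second session before
# closing the one you are in.
```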