[root@localhost ~]# vi /etc/ssh/sshd_config ===>edit the configuration file
......
Port 22 ===>port 22
ListenAddress 172.16.16.22 ===>listen address 172.16.16.22
Protocol 2 ===>protocol version 2
UseDNS no ===>do not use DNS
User login control
Disable the root user and empty-password users
Idle login grace time, retry count
AllowUsers, DenyUsers
[root@localhost ~]# vi /etc/ssh/sshd_config ===>edit the configuration file
LoginGraceTime 2m ===>login grace time 2 minutes
PermitRootLogin no ===>do not allow the root user to log in
MaxAuthTries 6 ===>maximum of 6 authentication attempts---the default is three
PermitEmptyPasswords no ===>do not allow empty-password logins
......
AllowUsers jerry admin@61.23.24.25 ===>do not use AllowUsers together with DenyUsers {with @IP added --- the user may only log in from that fixed host}
Login authentication methods
Password authentication: checks whether the username and password match
Key-pair authentication: checks whether the client's private key and the public key held on the server match
[root@localhost ~]# vi /etc/ssh/sshd_config
......
PasswordAuthentication yes #password authentication enabled
PubkeyAuthentication yes #public-key authentication enabled
AuthorizedKeysFile .ssh/authorized_keys ===>created inside the current user's home directory as a hidden file; view it with ls -a
Simulation exercise
Disallow root account login
[root@localhost ~]# ssh root@20.0.0.60 ===>the current CentOS host's IP is 20.0.0.110
The authenticity of host '20.0.0.60 (20.0.0.60)' can't be established.
ECDSA key fingerprint is SHA256:rFf1qtIIiP3JlW/y+EhTkaOtV76DNoZX5MMrHDOzwzY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '20.0.0.60' (ECDSA) to the list of known hosts.
root@20.0.0.60's password:
Last failed login: Thu Jul 9 17:16:57 CST 2020 from :0 on :0
There was 1 failed login attempt since the last successful login.
Last login: Thu Jul 9 10:46:42 2020
[root@localhost ~]# ===>connected as root to the other CentOS host, 20.0.0.60
[root@localhost ~]# vi /etc/ssh/sshd_config ===>configuration file
......
PermitRootLogin no ===>disallow root account login: change this line to no and remove the leading comment character "#"
......
[root@localhost ~]# systemctl restart sshd ===>restart the service
[root@localhost ~]# ssh root@20.0.0.60 ===>reconnect
The authenticity of host '20.0.0.60 (20.0.0.60)' can't be established.
ECDSA key fingerprint is SHA256:rFf1qtIIiP3JlW/y+EhTkaOtV76DNoZX5MMrHDOzwzY.
ECDSA key fingerprint is MD5:35:39:f1:63:73:74:3c:a7:64:38:3e:80:a6:e8:9c:a6.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '20.0.0.60' (ECDSA) to the list of known hosts.
root@20.0.0.60's password:
Permission denied, please try again.
root@20.0.0.60's password: ===>reconnecting now fails, which shows the changed configuration has taken effect
[root@localhost ~]# ssh zhangsan@20.0.0.60 ===>connect with a non-root account
zhangsan@20.0.0.60's password:
[zhangsan@localhost ~]$ ===>connection succeeded
When root remote login is disabled, switching to root with the su command must also be blocked, using PAM authentication
[root@zhaobin ~]# vi /etc/pam.d/su ===>edit the configuration file
......
auth required pam_wheel.so use_uid ===>just remove the leading "#" from this line
......
[root@localhost ~]# ssh wangwu@20.0.0.60 ===>remote connection
wangwu@20.0.0.60's password:
Last login: Thu Jul 9 11:15:39 2020 from 20.0.0.60
[wangwu@zhaobin ~]$ su - root
密码:
su: 拒绝权限
[wangwu@zhaobin ~]$ ===>su to the root account fails, as shown
Without this step, su can still be used to switch to the root account
Adding a whitelist/blacklist ===>they cannot coexist; once a whitelist exists a blacklist is not allowed, choose one or the other
AllowUsers ===>whitelist: allows only certain users and rejects everyone else---for high-security settings
DenyUsers ===>blacklist: rejects only certain users and allows everyone else---for low-security settings
[root@zhaobin ~]# vi /etc/ssh/sshd_config ===>edit the configuration file
AllowUsers zhangsan wangwu@20.0.0.110 ===>must be added by hand; the whitelist allows zhangsan to log in from any host and wangwu only from host 20.0.0.110
[root@zhaobin ~]# systemctl restart sshd ===>the service must be restarted for this to take effect
Operations on host 20.0.0.110
[root@localhost ~]# ssh zhangsan@20.0.0.60
zhangsan@20.0.0.60's password:
Last login: Thu Jul 9 11:17:48 2020 from 20.0.0.60
[zhangsan@zhaobin ~]$ exit
登出
Connection to 20.0.0.60 closed.
[root@localhost ~]# ssh wangwu@20.0.0.60
wangwu@20.0.0.60's password:
Last login: Thu Jul 9 11:20:07 2020 from 20.0.0.60
[wangwu@zhaobin ~]$ exit
登出
Connection to 20.0.0.60 closed.
[root@localhost ~]#
Operations on host 20.0.0.50
[root@localhost ~]# ssh zhangsan@20.0.0.60
The authenticity of host '20.0.0.60 (20.0.0.60)' can't be established.
ECDSA key fingerprint is SHA256:rFf1qtIIiP3JlW/y+EhTkaOtV76DNoZX5MMrHDOzwzY.
ECDSA key fingerprint is MD5:35:39:f1:63:73:74:3c:a7:64:38:3e:80:a6:e8:9c:a6.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '20.0.0.60' (ECDSA) to the list of known hosts.
zhangsan@20.0.0.60's password:
Last login: Thu Jul 9 11:25:57 2020 from 20.0.0.110
[zhangsan@zhaobin ~]$ exit
登出
Connection to 20.0.0.60 closed.
[root@localhost ~]# ssh wangwu@20.0.0.60 ===>wangwu cannot log in from this host, as seen
wangwu@20.0.0.60's password:
Permission denied, please try again.
wangwu@20.0.0.60's password:
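The settings above are easy to get subtly wrong: sshd honours the first occurrence of a directive, a commented line leaves the default in force, and the post warns against combining AllowUsers with DenyUsers. The following audit script is an added example, not part of the original post; the "weak" and "hardened" sample files are constructed here, and the assumed hardening targets are the ones this post sets.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config against the
# settings above. sshd uses the FIRST occurrence of a directive, and lines
# after "Match" are conditional, so the lookup stops there.
sshd_get() {   # $1 = file, $2 = directive; prints the effective value or nothing
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }
        $1 !~ /^#/ && tolower($1) == key { print $2; exit }' "$1"
}
# One line per finding on stdout; nothing when the file is clean.
audit_sshd_config() {
    f="$1"
    v=$(sshd_get "$f" PermitRootLogin)
    [ "$v" = "no" ] || echo "PermitRootLogin is '${v:-unset}', expected no"
    v=$(sshd_get "$f" PermitEmptyPasswords)
    [ "$v" = "no" ] || echo "PermitEmptyPasswords is '${v:-unset}', expected no"
    v=$(sshd_get "$f" PubkeyAuthentication)
    [ "$v" != "no" ] || echo "PubkeyAuthentication is disabled"
    v=$(sshd_get "$f" MaxAuthTries)
    case "$v" in
        ''|*[!0-9]*) echo "MaxAuthTries is '${v:-unset}', set an explicit limit" ;;
        *) [ "$v" -le 6 ] || echo "MaxAuthTries is $v, expected 6 or fewer" ;;
    esac
    # The post warns not to combine AllowUsers and DenyUsers.
    if [ -n "$(sshd_get "$f" AllowUsers)" ] && [ -n "$(sshd_get "$f" DenyUsers)" ]; then
        echo "AllowUsers and DenyUsers are both set; use only one"
    fi
    return 0
}
audit_count() { audit_sshd_config "$1" | wc -l | tr -d ' '; }
# Constructed samples: "weak" is a pre-hardening file, "hardened" mirrors the post.
write_sample_configs() {   # $1 = directory
    cat > "$1/weak" <<'EOF'
#PermitRootLogin yes
PermitEmptyPasswords yes
PubkeyAuthentication no
MaxAuthTries 10
AllowUsers zhangsan
DenyUsers wangwu
EOF
    cat > "$1/hardened" <<'EOF'
PermitRootLogin no
MaxAuthTries 6
PermitEmptyPasswords no
PubkeyAuthentication yes
AllowUsers zhangsan wangwu@20.0.0.110
EOF
}
d=$(mktemp -d); write_sample_configs "$d"
audit_sshd_config "$d/weak"; audit_sshd_config "$d/hardened"; rm -rf "$d"
```

Run it against the real file with `audit_sshd_config /etc/ssh/sshd_config` after editing and before `systemctl restart sshd`; the weak sample yields five findings, the hardened one none.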
[zhangsan@localhost ~]$ ssh-keygen -t ecdsa ===>-t specifies the key type
Generating public/private ecdsa key pair.
Enter file in which to save the key (/home/zhangsan/.ssh/id_ecdsa):
Created directory '/home/zhangsan/.ssh'.
Enter same passphrase again: ===>set the key passphrase
Your identification has been saved in /home/zhangsan/.ssh/id_ecdsa. ===>private key file location
Your public key has been saved in /home/zhangsan/.ssh/id_ecdsa.pub. ===>public key file location
......
[zhangsan@zhaobin root]$ ssh lisi@20.0.0.50
Enter passphrase for key '/home/zhangsan/.ssh/id_ecdsa': ===>enter the private key passphrase
Last failed login: Thu Jul 9 12:04:15 CST 2020 from 20.0.0.60 on ssh:notty
There were 2 failed login attempts since the last successful login.
Last login: Thu Jul 9 12:02:06 2020 from 20.0.0.60
[lisi@localhost ~]$ whoami
lisi
Operations on host 20.0.0.60
[root@zhaobin ~]# vi /etc/ssh/sshd_config ===>edit the configuration file
......
PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
......
[root@zhaobin ~]# systemctl restart sshd ===>restart the service
[root@zhaobin ~]# su zhangsan ===>switch to user zhangsan
[zhangsan@zhaobin root]$ ssh-keygen -t ecdsa ===>create the key pair
Generating public/private ecdsa key pair.
Enter file in which to save the key (/home/zhangsan/.ssh/id_ecdsa):
/home/zhangsan/.ssh/id_ecdsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/zhangsan/.ssh/id_ecdsa.
Your public key has been saved in /home/zhangsan/.ssh/id_ecdsa.pub.
The key fingerprint is:
SHA256:aCYS4cBJr4Tk5l57YPgywVHsKlGVHGwRj39yy9Tb4mI zhangsan@zhaobin
The key's randomart image is:
+---[ECDSA 256]---+
|+o+=== |
|+=+o=o |
|.*+o. . |
|* +o . . . |
| Bo+. * S . |
|o.=.o+ * . o |
|.+ o . o o . |
| o . E. . |
| . .. |
+----[SHA256]-----+
[zhangsan@zhaobin root]$ scp ~/.ssh/id_ecdsa.pub root@20.0.0.50:/opt ===>upload the public key file
Operations on host 20.0.0.50
[root@localhost lisi]# mkdir /home/lisi/.ssh/ ===>create the directory
[root@localhost lisi]# cat /opt/id_ecdsa.pub >> /home/lisi/.ssh/authorized_keys
Operations on host 20.0.0.60
[zhangsan@zhaobin root]$ ssh lisi@20.0.0.50 ===>remote access to host 20.0.0.50 using the lisi account
Enter passphrase for key '/home/zhangsan/.ssh/id_ecdsa':
Last login: Thu Jul 9 13:18:55 2020 from 20.0.0.60
[lisi@localhost ~]$ ===>login succeeded
Adding passphrase-free login
[zhangsan@zhaobin root]$ ssh-agent bash ===>use an agent shell
[zhangsan@zhaobin root]$ ssh-add ===>add the key's passphrase for passphrase-free login
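The mkdir and cat steps on 20.0.0.50 install the key but leave the permissions to the umask; with sshd's default StrictModes, a group- or world-writable ~/.ssh or authorized_keys makes sshd silently ignore the key and fall back to a password prompt. The helper below is an added example, not part of the original post: it performs the same append with the 700/600 modes set and refuses to add a duplicate or a malformed line; the key blob used in the demo is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example, not from the original post: install a public key into a user's
# authorized_keys as the post does with scp + cat, adding the 700/600 modes that
# sshd's StrictModes requires and a duplicate check so re-runs are harmless.
install_pubkey() {   # $1 = user's home directory, $2 = file holding one public key
    home="$1"; pub="$2"
    key=$(head -n 1 "$pub")
    # A public key line is "<type> <base64> [comment]"; refuse anything else.
    case "$key" in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *) ;;
        *) echo "not a public key: $pub" >&2; return 1 ;;
    esac
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys" && chmod 600 "$home/.ssh/authorized_keys"
    if grep -qxF -- "$key" "$home/.ssh/authorized_keys"; then
        echo "already installed"
    else
        printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
        echo "installed"
    fi
}
key_count() { grep -c . "$1/.ssh/authorized_keys"; }   # number of keys for that home
mode_of() { ls -ld "$1" | cut -c1-10; }                # e.g. drwx------
# Constructed demo: a placeholder key (not a real key blob) for user lisi's home.
d=$(mktemp -d); mkdir -p "$d/lisi"
printf 'ecdsa-sha2-nistp256 CONSTRUCTEDKEYDATA zhangsan@zhaobin\n' > "$d/id_ecdsa.pub"
install_pubkey "$d/lisi" "$d/id_ecdsa.pub"   # installed
install_pubkey "$d/lisi" "$d/id_ecdsa.pub"   # already installed
rm -rf "$d"
```

On the real host the equivalent of the post's step is `install_pubkey /home/lisi /opt/id_ecdsa.pub`, run as root, followed by `chown -R lisi:lisi /home/lisi/.ssh` so the files belong to the user.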
Enter passphrase for /home/zhangsan/.ssh/id_ecdsa:
Identity added: /home/zhangsan/.ssh/id_ecdsa (/home/zhangsan/.ssh/id_ecdsa)
[zhangsan@zhaobin root]$ ssh lisi@20.0.0.50 ===>login no longer asks for a password
Last login: Thu Jul 9 13:32:32 2020 from 20.0.0.50
[lisi@localhost ~]$