1. 添加普通账号
众所周知,linux下的root拥有最高权限,可以执行任何命令。在使用root身份操作时,有时的一个不注意就可能将非常重要的删除(最可怕的是 rm -rf /)。而linux不像windows有可以撤销的回收箱,。所以建议建立普通用户账号,在平时的时候以普通用户身份登录,只在需要root权限时才通过sudo 临时提高普通用户的权限或是通过su - 切换到root用户,执行完任务后立刻exit。
新建普通用户,用户名以example_user 为例
useradd example_user && passwd example_user # 将对应的用户加入wheel组,wheel组用于sudo权限 usermod -aG wheel example_user
2. 创建ssh登录时进行身份验证的密钥对
假设有以下情景,有3台主机:
- node3 ip: 192.168.35.120
- node4 ip: 192.168.35.130
- node5 ip: 192.168.35.140
node3上的用户root 想通过私钥 有密码登录node4,无密码登录node5
# 配置密码登录 node4 # 产生4096位的rsa密钥对 [root@node3 .ssh]# ssh-keygen -b 4096 Generating public/private rsa key pair. # 指定存储路径 Enter file in which to save the key (/root/.ssh/id_rsa): /root/.ssh/node4_id_rsa Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /root/.ssh/node4_id_rsa. Your public key has been saved in /root/.ssh/node4_id_rsa.pub. # 将公钥发给node4主机,追加在 root用户的~/.ssh/authorized_keys文件末尾 [root@node3 .ssh]# ssh-copy-id -i /root/.ssh/node4_id_rsa.pub root@node4 The authenticity of host 'node4 (192.168.35.130)' can't be established. ECDSA key fingerprint is a7:13:be:25:f5:b5:28:1f:ce:42:ea:6d:df:e2:1a:83. Are you sure you want to continue connecting (yes/no)? yes /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys root@node4's password: Number of key(s) added: 1 Now try logging into the machine, with: "ssh 'root@node4'" and check to make sure that only the key(s) you wanted were added. # 远程登录 [root@node3 .ssh]# ssh -i ~/.ssh/node4_id_rsa root@node4 Enter passphrase for key '/root/.ssh/node4_id_rsa': Last login: Fri Sep 14 23:21:48 2017 from 192.168.35.1 # 配置无密码登录node5 [root@node3 .ssh]# ssh-keygen -b 4096 Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa): /root/.ssh/node5_id_rsa Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /root/.ssh/node5_id_rsa. Your public key has been saved in /root/.ssh/node5_id_rsa.pub. The key fingerprint is: 05:ef:46:a2:21:f1:26:28:af:bf:81:36:a7:7d:ed:2b root@node3 [root@node3 .ssh]# ssh-copy-id -i ~/.ssh/node5_id_rsa.pub root@node5 The authenticity of host 'node5 (192.168.35.140)' can't be established. ECDSA key fingerprint is a7:13:be:25:f5:b5:28:1f:ce:42:ea:6d:df:e2:1a:83. Are you sure you want to continue connecting (yes/no)? yes /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys root@node5's password: Number of key(s) added: 1 Now try logging into the machine, with: "ssh 'root@node5'" and check to make sure that only the key(s) you wanted were added. [root@node3 .ssh]# ssh -i ~/.ssh/node5_id_rsa root@node5 Last login: Fri Sep 14 22:45:22 2017 from 192.168.35.1
除了ssh-copy-id,还可以通过下面的方法进行公钥的上传
Step1: 通过ssh远程登录
ssh 用户名@ip地址远程登录
Step 2: 通过文件上传工具如filezilla,或是直接通过命令rz(通过yum install lrzsz安装)上传公钥 xxx.pub
Step 3: 将公钥以追加的形式写入authorized_keys文件中(该文件可以记录多个公钥信息)
cat xxx.pub >> ~/.ssh/authorized_keys
Step4 : 文件权设置
# chmod 700 ~/.ssh # chdmo 600 ~/.ssh/authorized_keys
注意,此时仍能通过密码进行登录
[root@node3 .ssh]# ssh root@node4 root@node4's password: Last login: Fri Sep 14 23:30:26 2017 from node3 [root@node4 ~]#
3. 修改配置文件,禁止密码登录
修改配置文件 /etc/ssh/sshd_config
# 禁止使用root身份进行远程登录,建议使用普通用户身份登录[可根据实际情况]
PermitRootLogin no
# 取消密码验证登录
PasswordAuthentication no
然后重启服务即可
sudo service sshd restart
测试效果如下:
# 普通用户可以通过私钥登录 [alex@node3 ~]$ ssh alex@node4 Permission denied (publickey,gssapi-keyex,gssapi-with-mic). [alex@node3 ~]$ ssh -i ~/.ssh/node4_id_rsa alex@node4 Last login: Sat Sep 15 00:38:53 2017 [alex@node4 ~]$ exit logout Connection to node4 closed. [alex@node3 ~]$ su - Password: Last login: Sat Sep 15 00:33:16 CST 2017 on pts/0 # root无法登录 [root@node3 ~]# ssh root@node4 Permission denied (publickey,gssapi-keyex,gssapi-with-mic). [root@node3 ~]# ssh -i ~/.ssh/node4_id_rsa root@node4 Enter passphrase for key '/root/.ssh/node4_id_rsa': Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
参考:
