Section 14
The SSH service
SSH (Secure Shell) is a protocol that provides remote login over an encrypted channel, and it is the usual way to administer Linux systems remotely.
sshd is the server program that implements the SSH protocol. Besides being convenient to use, it offers two ways of authenticating a user:
Password authentication: the user is verified by account name and password.
Key authentication: a key pair is generated on the local machine and the public key is uploaded to the server. At login the client proves that it holds the matching private key by signing a challenge from the server, and the server checks that signature against the stored public key. The private key never leaves the client, so this method is the safer of the two.
The sshd service reads its configuration from /etc/ssh/sshd_config. The important parameters are listed in the table below; the values shown are the defaults in the shipped file, and a line that starts with # in that file is commented out, so the compiled-in default applies.
Parameter | Purpose |
Port 22 | TCP port the sshd service listens on (default 22) |
ListenAddress 0.0.0.0 | IP address(es) sshd listens on; 0.0.0.0 means every IPv4 address |
Protocol 2 | SSH protocol version. Version 1 is insecure and was removed from OpenSSH in 7.4; on RHEL 8 (OpenSSH 8.0) this keyword is still accepted for compatibility but ignored |
HostKey /etc/ssh/ssh_host_key | Location of the protocol-1 host key (an RSA1 key, not DES). Obsolete and absent on RHEL 8 |
HostKey /etc/ssh/ssh_host_rsa_key | Location of the RSA host private key used by protocol 2 |
HostKey /etc/ssh/ssh_host_dsa_key | Location of the DSA host private key. DSA has been disabled by default since OpenSSH 7.0; RHEL 8 ships RSA, ECDSA and Ed25519 host keys instead (ssh_host_rsa_key, ssh_host_ecdsa_key, ssh_host_ed25519_key) |
PermitRootLogin yes | Whether the root account may log in directly over SSH |
StrictModes yes | Before accepting a login, check the ownership and permissions of the user's home directory and .ssh files; a group- or world-writable authorized_keys is ignored |
MaxAuthTries 6 | Maximum authentication attempts allowed per connection, for all methods and not only passwords; once half of them have failed, further failures are logged |
MaxSessions 10 | Maximum number of open shell, login or subsystem (for example sftp) sessions per network connection |
PasswordAuthentication yes | Whether password authentication is allowed |
PermitEmptyPasswords no | Whether accounts with an empty password may log in (very unsafe if enabled) |
On RHEL 8 the sshd service is installed and enabled by default. Refusing direct root logins over SSH (PermitRootLogin no) greatly reduces the chance of a successful password brute-force attack, because the attacker loses the one account name that is guaranteed to exist on every system.
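As an added example (not from the original tutorial and not OpenSSH tooling), the POSIX shell functions below change one directive in an sshd_config-style file the way an administrator would after reading the table. Two details matter: sshd uses the first active value it finds, so the first occurrence in the global section is rewritten whether it was live or commented out and later global duplicates are dropped; and a directive that is absent is inserted before the first Match block rather than appended to the end of the file, where it would silently become part of that conditional block. The function names, the sample file and the chosen values are assumptions of this example.

```shell
#!/bin/sh
# Added example: idempotent edits to an sshd_config-style file (POSIX sh + awk).
# Nothing here is OpenSSH's own tooling; function names and sample values are assumptions.

# sshd_set_option FILE KEY VALUE
# Rewrite the first global occurrence of KEY (active or commented out), drop later global
# duplicates, and insert the directive before the first "Match" block if KEY is absent.
sshd_set_option() {
    file=$1
    key=$2
    value=$3
    tmp="$file.tmp.$$"
    awk -v k="$key" -v v="$value" '
        BEGIN { lk = tolower(k); done = 0; in_match = 0 }
        {
            line = $0
            sub(/^[[:space:]]*#?[[:space:]]*/, "", line)   # strip indent and a leading "#"
            split(line, f, /[[:space:]]+/)
            w = tolower(f[1])                             # sshd keywords are case-insensitive
            if (!in_match && w == "match") {              # end of the global section
                if (!done) { print k " " v; done = 1 }    # absent key goes in here, not inside Match
                in_match = 1
            }
            if (!in_match && w == lk) {
                if (!done) { print k " " v; done = 1 }    # first hit: rewrite in place
                next                                      # later global duplicates are dropped
            }
            print
        }
        END { if (!done) print k " " v }                  # no Match block and key absent: append
    ' "$file" > "$tmp" && cat "$tmp" > "$file" && rm -f "$tmp"   # keep the file's mode and SELinux context
}

# sshd_get_option FILE KEY [DEFAULT]
# Print the value sshd would use from the global section: the first active line wins.
sshd_get_option() {
    file=$1
    key=$2
    default=$3
    awk -v k="$key" -v d="$default" '
        BEGIN { lk = tolower(k); found = 0 }
        /^[[:space:]]*(#|$)/ { next }                      # comments and blank lines
        {
            w = tolower($1)
            if (w == "match") exit                         # Match blocks are conditional; stop here
            if (w == lk) {
                sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")
                sub(/[[:space:]]+$/, "")
                print; found = 1; exit
            }
        }
        END { if (!found && d != "") print d }
    ' "$file"
}

# sshd_harden FILE
# The two password-related settings from the table that are safe to tighten immediately.
# PasswordAuthentication no belongs here too, but only after key logins have been verified.
sshd_harden() {
    file=$1
    sshd_set_option "$file" PermitRootLogin no
    sshd_set_option "$file" PermitEmptyPasswords no
}

# Usage on a real system (as root):
#   sshd_harden /etc/ssh/sshd_config && sshd -t && systemctl restart sshd
```

Run it against the real file as root, then validate before restarting: sshd -t exits non-zero and names the offending line if the file does not parse, and sshd -T prints the effective value of every directive, which is the check to make after systemctl restart sshd. Keep the existing session open while testing a new login so a mistake cannot lock you out.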
Logging in with password authentication
[root@Client ~]# ssh 192.168.10.10
The authenticity of host '192.168.10.10 (192.168.10.10)' can't be established.
ECDSA key fingerprint is SHA256:5d52kZi1la/FJK4v4jibLBZhLqzGqbJAskZiME6ZXpQ.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.10.10' (ECDSA) to the list of known hosts.
root@192.168.10.10's password:    (enter the server's root password here)
Activate the web console with: systemctl enable --now cockpit.socket

Last login: Fri Jul 24 06:26:58 2020
[root@Server ~]#
[root@Server ~]# exit
logout
Connection to 192.168.10.10 closed.
[root@superwu ~]# ssh zhangsan@192.168.10.10    // specify the account to log in as
zhangsan@192.168.10.10's password:    (enter zhangsan's password)
Activate the web console with: systemctl enable --now cockpit.socket

Last login: Thu Feb 17 16:46:10 2022 from 192.168.10.10
[zhangsan@superwu ~]$
Logging in with key-based authentication
A key pair consists of a private key, which stays on the client and must never be shared, and a public key, which can be handed to any server that should accept logins from that private key.
Step 1: generate a key pair on the client host.
[root@Client ~]# ssh-keygen    // ssh-keygen generates the key pair; with no options the type is RSA (ssh-keygen -t ed25519 gives a smaller, faster Ed25519 key)
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):    (press Enter, or type another path for the key)
Enter passphrase (empty for no passphrase):    (press Enter, or set a passphrase that protects the private key on disk)
Enter same passphrase again:    (press Enter again, or repeat the passphrase)
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:kHa7B8V0nk63evABRrfZhxUpLM5Hx0I6gb7isNG9Hkg root@linuxprobe.com
The key's randomart image is:
+---[RSA 2048]----+
| o.=.o.+|
| . + =oB X |
| + o =oO O o|
| . o + *.+ ..|
| .ES . + o |
| o.o.= + . |
| =.o.o . o |
| . . o. . |
| .. |
+----[SHA256]-----+
Step 2: copy the public key from the client to the remote server.
[root@Client ~]# ssh-copy-id 192.168.10.20
The authenticity of host '192.168.10.20 (192.168.10.20)' can't be established.
ECDSA key fingerprint is SHA256:DiybWDMoHM8vzLTyBl2rzCr2q6hKHTYFOSubYDOhrno.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.10.20's password:    (enter the server's root password here)

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '192.168.10.20'"
and check to make sure that only the key(s) you wanted were added.
[root@server ~]# ls -l /root/.ssh/    // on the server, authorized_keys now holds the contents of the client's id_rsa.pub
total 8
-rw-------. 1 root root 802 Dec  3 18:48 authorized_keys
-rw-r--r--. 1 root root 525 Dec  3 18:53 known_hosts
Step 3: log in.
[root@Client ~]# ssh 192.168.10.20
Activate the web console with: systemctl enable --now cockpit.socket

Last login: Thu Feb 17 17:12:55 2022
[root@server ~]#
No password prompt appears: the client signed the server's challenge with /root/.ssh/id_rsa (if a passphrase was set in step 1, that passphrase is asked for instead, and it never travels over the network).