The sshd service
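1. Introduction to sshd
sshd = secure shell daemon
A service that lets you open a shell on a remote host over the network
Server-side software: sshd
How to connect:
ssh [email protected] ##connect to the remote host in text mode
ssh -X USERNAME ##allows graphical programs to be opened once connected
Note:
The first time you connect to an unfamiliar host, an authentication file has to be created for it, so you must type yes
Remote copy:
scp FILENAME [email protected]:dir ##upload (dir is an absolute path)
scp [email protected]:dir dir ##download (dir is an absolute path)
Note: when copying a directory remotely, add the -r option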
2. Key authentication for sshd
1. Generate the key pair
[[email protected] ~]# ssh-****** ##command that generates the key pair
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): ##file in which to save the key (use the default)
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): ##set a passphrase (may be left empty)
Enter same passphrase again: ##confirm the passphrase
Your identification has been saved in /root/.ssh/id_rsa. ##private key (the key)
Your public key has been saved in /root/.ssh/id_rsa.pub. ##public key (the lock)
The key fingerprint is:
3f:dd:83:7f:c6:51:36:c3:8b:d1:45:44:20:8d:d5:35 [email protected]
The key's randomart image is:
[randomart image]
2. Lock the service with the public key
[[email protected] .ssh]# ssh-copy-id -i /root/.ssh/id_rsa.pub [email protected]
The authenticity of host '172.25.254.113 (172.25.254.113)' can't be established.
ECDSA key fingerprint is 65:4d:ac:8a:c9:58:82:b5:0c:91:c4:ef:a5:e6:f6:65.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.
[[email protected] .ssh]# ls
authorized_keys id_rsa id_rsa.pub known_hosts
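authorized_keys ##the presence of this file means the lock was installed successfully
3. Distribute the key (hand out the "key", i.e. the private key)
scp /root/.ssh/id_rsa [email protected]:/root/.ssh/
4. Test the login
On the client (desktop)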
[[email protected] ~]# ssh [email protected]
Last login: Fri Aug 10 00:52:50 2018 from foundation13.ilt.example.com
[[email protected] ~]#
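When connecting, the login no longer asks for a password
3. Security settings for sshd
PasswordAuthentication yes|no ##whether users may authenticate to sshd with their system login password
PermitRootLogin yes ##whether the root user may log in to the system through sshd
AllowUsers student westos ##user whitelist: users on the whitelist can log in to the system through sshd
DenyUsers student westos ##user blacklist: users on the blacklist cannot log in to the system through sshd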
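A static check for the directives in this section, as an added example that is not part of the original notes: it reads an sshd_config-style file, reports the effective PasswordAuthentication and PermitRootLogin values, and flags users named in both AllowUsers and DenyUsers, whom sshd refuses because DenyUsers is evaluated first. The function names and the sample file are made up for illustration; Match blocks and Include files are not evaluated, and user entries are compared as plain names.

```shell
#!/bin/sh
# Added example: static check of an sshd_config-style file (not from the original notes).
# Assumption: Include files and Match blocks are not evaluated; parsing stops at "Match".

# Effective value of a single-valued keyword: first occurrence wins, case-insensitive.
sshd_value() {  # $1 = file, $2 = keyword
    awk -v k="$2" '/^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# Every name listed by AllowUsers or DenyUsers (repeated lines accumulate).
sshd_users() {  # $1 = file, $2 = keyword
    awk -v k="$2" '/^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { for (i = 2; i <= NF; i++) print $i }' "$1" | sort -u
}

# Print one finding per line; print nothing when the three checks pass.
audit_sshd_config() {  # $1 = file
    pa=$(sshd_value "$1" PasswordAuthentication)
    rl=$(sshd_value "$1" PermitRootLogin)
    if [ "$pa" != "no" ]; then echo "PasswordAuthentication=${pa:-unset}: password login not disabled"; fi
    if [ "$rl" != "no" ]; then echo "PermitRootLogin=${rl:-unset}: root login not disabled"; fi
    deny=$(sshd_users "$1" DenyUsers)
    for u in $(sshd_users "$1" AllowUsers); do
        for d in $deny; do
            # sshd evaluates DenyUsers before AllowUsers, so a user in both is refused.
            if [ "$u" = "$d" ]; then echo "user $u: in AllowUsers and DenyUsers, DenyUsers wins"; fi
        done
    done
    return 0
}

# Constructed sample using the directives shown in this section.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PasswordAuthentication no
PasswordAuthentication yes
PermitRootLogin yes
Allowusers student westos
Denyusers student
EOF
audit_sshd_config "$sample"
rm -f "$sample"
```

On a live server, `sshd -T` prints the effective configuration with defaults applied.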
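4. Adding an sshd login message
vim /etc/motd ##the contents of this file are the message shown after login
5. Auditing user logins
1. w ##show the users currently using the system
w -f ##show where they are connecting from
w -i ##show IP addresses
2. last ##show information about users who logged in and have since logged out
3. lastb ##show users who tried to log in but did not succeed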