The ssh service

I. Controlling services
1. Service control
The system's init process controls the services.
2. The current init process
systemd ##system initialization process
pstree ##show the process tree of the system
3. The service control command
From the client to the server:
ssh---------sshd
client      server
systemctl ##service control command
systemctl status sshd ##show the status of the service
A status of inactive means the service is unavailable; a status of active means it is available.

[[email protected] ~]# systemctl status sshd
● sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2018-10-05 14:51:30 CST; 1h 30min ago
Docs: man:sshd(8)
man:sshd_config(5)
Process: 1084 ExecStart=/usr/sbin/sshd $OPTIONS (code=exited, status=0/SUCCES)
Main PID: 1094 (sshd)
CGroup: /system.slice/sshd.service
└─1094 /usr/sbin/sshd
Oct 05 14:51:30 foundation68.ilt.example.com systemd[1]: Starting OpenSSH server daemon…
Oct 05 14:51:30 foundation68.ilt.example.com sshd[1094]: Server listening on 0.0.0.0 port 22.
Oct 05 14:51:30 foundation68.ilt.example.com sshd[1094]: Server listening on :: port 22.
Oct 05 14:51:30 foundation68.ilt.example.com systemd[1]: Started OpenSSH server daemon.

systemctl start sshd ##start the service
systemctl stop sshd ##stop the service
systemctl restart sshd ##restart the service
systemctl reload sshd ##reload the service configuration
systemctl enable sshd ##start the service at boot
systemctl disable sshd ##do not start the service at boot
systemctl list-units ##list the current state of the started units
systemctl list-unit-files ##list the boot-time state of all units (disabled – unavailable, enabled – available, static – not controllable)
systemctl set-default multi-user.target ##set the default boot target to multi-user (text) mode
systemctl set-default graphical.target ##set the default boot target to graphical mode

II. ssh
1. Introduction to ssh
ssh = secure shell
A service that opens a shell on a host over the network.
Client software: ssh; server software: sshd.

Connecting:
ssh [email protected] ##text-mode connection
ssh -X [email protected] ##graphical programs can be opened after the connection succeeds
Note:
On the first connection to an unfamiliar host an authentication file has to be created,
so you are asked whether to create it; type yes.
On later connections to the same host ~/.ssh/known_hosts already exists, so yes does not have to be typed again.

Example: connecting from the real machine to the virtual machine
The experiment uses a virtual machine and the real (host) machine.
(1) Find the real machine's ip

[[email protected] ~]$ ifconfig
The real machine's ip is 192.168.122.1.

(2) Set the virtual machine's ip
Open the virtual machine's graphical ip settings:
nm-connection-editor
In the graphical settings, delete all previously created connections.
Ethernet tab:
Device MAC address: 52:54:00:00:44:0A (eth0)
IPv4 Settings tab:
Method: Manual
Add an entry under Addresses.
Note: fill in Netmask as 24 or 255.255.255.0; leave Gateway empty, but you must click into it before Save becomes possible.
Run ifconfig in the virtual machine to verify the configuration.

(3) Connect from the real machine to the virtual machine

[[email protected] ~]# ssh [email protected]
The authenticity of host ‘172.25.254.11 (172.25.254.11)’ can’t be established.
ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘172.25.254.11’ (ECDSA) to the list of known hosts.
[email protected]’s password:

Before connecting, ping the virtual machine's address from the real machine to check that it is reachable.

(4) After connecting from the real machine, create a file on the virtual machine

Note: to avoid confusing the real machine with the virtual machine, run exit as soon as you are done to release the connection.

3. Remote copy:
(1) Upload
Format: scp file [email protected]:dir

Example: upload the file unit7 from the kiosk user's desktop on the real machine to the desktop of the 172.25.254.11 virtual machine

[[email protected] /]$ scp /home/kiosk/Desktop/unit7 [email protected]:/root/Desktop
The authenticity of host ‘172.25.254.11 (172.25.254.11)’ can’t be established.
ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘172.25.254.11’ (ECDSA) to the list of known hosts.
[email protected]’s password:
Permission denied, please try again.
[email protected]’s password:
unit7 100% 3358 3.3KB/s 00:00

(2) Download
Format: scp [email protected]:file dir
Example: download a file from the virtual machine's desktop to the real machine

[[email protected] /]$ scp [email protected]:/root/Desktop/time.txt /home/kiosk/Desktop
[email protected]’s password:
time.txt 100% 20 0.0KB/s 00:00

III. sshd key authentication
1. Generate the authentication key

[[email protected] ~]# ssh-******
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
c2:31:82:62:dd:da:b8:24:02:51:93:78:04:3d:ff:53 [email protected]
The key’s randomart image is:
+--[ RSA 2048]----+
|o*+. |
|…*o. |
|oo.+…o |
|o. =o oE |
|… + oo.S |
|. o . o. |
| . . |
| |
| |
+-----------------+

This step can also be done with a script instead.

[[email protected] ~]# vim create_ssh_key.sh

[[email protected] ~]# sh create_ssh_key.sh
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): ssh_askpass: exec(/usr/libexec/openssh/ssh-askpass): No such file or directory
ssh_askpass: exec(/usr/libexec/openssh/ssh-askpass): No such file or directory
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
66:3c:e8:69:a4:c6:3f:41:37:a0:76:c7:c8:0e:01:00 [email protected]
The key’s randomart image is:
+--[ RSA 2048]----+
|E… |
| . . |
| + + |
| + =o= |
| . =ooS. |
| . +o+ . |
| + +. |
| . o. |
| … |
+-----------------+
[[email protected] ~]#

2. Locking the service

[[email protected] ~]# cd /root/.ssh
[[email protected] .ssh]# ls
id_rsa id_rsa.pub
[[email protected] .ssh]# ssh-copy-id -i /root/.ssh/id_rsa.pub [email protected] ##lock the sshd service (install the public key on the server as the lock)
The authenticity of host ‘172.25.254.11 (172.25.254.11)’ can’t be established.
ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed – if you are prompted now it is to install the new keys
[email protected]’s password: ##the root user's password
Number of key(s) added: 1
Now try logging into the machine, with: “ssh ‘[email protected]’”
and check to make sure that only the key(s) you wanted were added.
[[email protected] .ssh]# ls
authorized_keys id_rsa id_rsa.pub known_hosts ##the authorized_keys file appearing means the lock was installed successfully

3. Distribute the key to the client (upload the private key to the client as the key)

[[email protected] .ssh]# scp /root/.ssh/id_rsa [email protected]:/root/.ssh/
The authenticity of host ‘172.25.254.21 (172.25.254.21)’ can’t be established.
ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘172.25.254.21’ (ECDSA) to the list of known hosts.
[email protected]’s password:
id_rsa 100% 1679 1.6KB/s 00:00 ##upload succeeded

4. Test
Test 1: with everything in place, logging in from the client to the server asks for no password.
Test 2: delete the key file (authorized_keys) on the server; the client is then asked for a password again when logging in.
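Steps 1 to 3 as one script, added here as an example and not the page's own create_ssh_key.sh: the key pair is generated non-interactively on the machine that will use the private key, and the public key is appended to the server's authorized_keys the way ssh-copy-id does, with the 700/600 permissions sshd checks before it accepts the file. The temp directory, the placeholder public key and the function names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not the page's create_ssh_key.sh, whose contents were an image):
# generate the key pair non-interactively and install the public key the way
# ssh-copy-id does on the server side, with the permissions sshd's StrictModes expects.

# gen_key DIR -> creates DIR/id_rsa and DIR/id_rsa.pub unless a key already exists
gen_key() {
    [ -f "$1/id_rsa" ] && return 0      # never overwrite an existing private key
    mkdir -p "$1" && chmod 700 "$1"
    # -N '' = empty passphrase (as in the interactive run above); -q = no randomart
    ssh-keygen -q -t rsa -b 2048 -N '' -f "$1/id_rsa" </dev/null
}

# install_pubkey PUBKEY_FILE SSHDIR -> appends the key to SSHDIR/authorized_keys once
install_pubkey() {
    key=$(cat "$1")
    mkdir -p "$2" && chmod 700 "$2"                              # ~/.ssh must be 700
    touch "$2/authorized_keys" && chmod 600 "$2/authorized_keys" # the file must be 600
    if grep -qxF "$key" "$2/authorized_keys"; then
        echo "already installed"
    else
        printf '%s\n' "$key" >>"$2/authorized_keys" && echo "installed"
    fi
}

# count_keys SSHDIR -> number of public keys authorized for that account
count_keys() {
    grep -c -E '^(ssh-|ecdsa-)' "$1/authorized_keys" || true
}

# Constructed demo in a temp dir: a placeholder public key stands in for id_rsa.pub
DEMO=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDERKEY root@foundation68\n' >"$DEMO/id_rsa.pub"
install_pubkey "$DEMO/id_rsa.pub" "$DEMO/server_ssh"        # prints: installed
install_pubkey "$DEMO/id_rsa.pub" "$DEMO/server_ssh"        # prints: already installed
echo "keys authorized: $(count_keys "$DEMO/server_ssh")"    # 1
```

Run gen_key on the client and copy only id_rsa.pub to the server; the private key itself never needs to leave the machine it was generated on.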

IV. sshd security settings
Open the file: vim /etc/ssh/sshd_config
Settings in /etc/ssh/sshd_config:
78 PasswordAuthentication yes|no ##whether users may authenticate to sshd with their system login password (default: yes)

Now delete the lock file (authorized_keys) on the server and at the same time set PasswordAuthentication to no (note: after saving, the service must be restarted with systemctl restart sshd.service); when the client connects to the server it will no longer be prompted for a password.

48 PermitRootLogin yes|no ##whether the root user may authenticate to sshd
Change the value of PermitRootLogin to no.
Test: with this setting, root is no longer allowed to log in over ssh.

52 AllowUsers student westos ##set a user whitelist: users in the whitelist may authenticate to sshd; once a whitelist exists, users not in it cannot use sshd
53 DenyUsers westos ##set a user blacklist: users in the blacklist cannot use sshd; users not in it still can
Test: put the student user on the whitelist.
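A check for the settings above, added here as an example and not part of the original post: it reads the effective value of each keyword from a copy of sshd_config the way sshd does (first uncommented match wins, keywords are case-insensitive, the global section ends at the first Match line) and reports the weak ones. The two sample files are constructed for the demo and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): read the effective value of the
# sshd_config keywords above and flag the weak settings. sshd treats keywords
# case-insensitively and uses the FIRST uncommented occurrence, and everything
# after the first "Match" line is conditional, so the check stops there.

# sshd_opt FILE KEYWORD DEFAULT -> prints the effective value (DEFAULT if unset)
sshd_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }      # comments and blank lines
        tolower($1) == "match" { exit }                     # end of the global section
        tolower($1) == key { found = 1; $1 = ""; sub(/^[ \t]+/, ""); print; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd FILE -> one line per weak setting; returns 1 if any was found
audit_sshd() {
    rc=0
    pa=$(sshd_opt "$1" PasswordAuthentication yes)
    # "yes" was the default on the OpenSSH 6.x sshd shown on this page;
    # OpenSSH 7.0 and later default to prohibit-password
    prl=$(sshd_opt "$1" PermitRootLogin yes)
    allow=$(sshd_opt "$1" AllowUsers "")
    case "$pa" in [Nn][Oo]) ;; *) echo "WEAK: PasswordAuthentication $pa (set no once keys are installed)"; rc=1 ;; esac
    case "$prl" in [Nn][Oo]) ;; *) echo "WEAK: PermitRootLogin $prl (set no)"; rc=1 ;; esac
    [ -n "$allow" ] || { echo "WEAK: no AllowUsers whitelist"; rc=1; }
    return $rc
}

# Constructed samples: the shipped defaults (all commented out) and a hardened file
WEAK_CFG=$(mktemp) HARD_CFG=$(mktemp)
cat >"$WEAK_CFG" <<'EOF'
#PermitRootLogin yes
#PasswordAuthentication yes
EOF
cat >"$HARD_CFG" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
AllowUsers student westos
Match User student
    PasswordAuthentication yes
EOF
audit_sshd "$WEAK_CFG" || echo "-> fix before exposing sshd"   # three WEAK lines
audit_sshd "$HARD_CFG" && echo "-> hardened file passes"
```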

V. Add an sshd login message
vim /etc/motd ##the contents of this file are shown after login

VI. Auditing user logins

1. w ##show the users currently using the system
-f ##show where each login comes from
-i ##show the IP address
/var/run/utmp
2. last ##show users who logged in and have since logged out
/var/log/wtmp
3. lastb ##show users who tried to log in but failed
/var/log/btmp
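Two checks over the lastb and last output described above, added here as an example and not part of the original post: which remote addresses keep failing ssh logins, and which of those then got a successful session (the failed-then-succeeded pattern worth looking at after a password-guessing run). The sample lines are constructed in the format lastb and last print, not real captures, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): turn lastb/last output into two
# simple checks: which sources keep failing ssh logins (btmp), and which of
# those later got a successful login (wtmp).

# failed_by_source LASTB_FILE -> "count source" per remote address, most failures first
failed_by_source() {
    awk '$2 ~ /^ssh/ { c[$3]++ } END { for (s in c) print c[s], s }' "$1" | sort -rn
}

# noisy_sources LASTB_FILE N -> sources with at least N failed ssh logins
noisy_sources() {
    awk -v n="$2" '$2 ~ /^ssh/ { c[$3]++ } END { for (s in c) if (c[s] >= n) print s }' "$1" | sort
}

# suspicious_sources LASTB_FILE LAST_FILE N -> noisy sources that then logged in (pts/*)
suspicious_sources() {
    noisy_sources "$1" "$3" | while IFS= read -r src; do
        awk -v s="$src" '$2 ~ /^pts/ && $3 == s { print s; exit }' "$2"
    done
}

# Constructed samples in the format lastb and last print (not real captures)
LASTB=$(mktemp) LAST=$(mktemp)
cat >"$LASTB" <<'EOF'
westos   ssh:notty    172.25.254.21    Fri Oct  5 16:02 - 16:02  (00:00)
root     ssh:notty    172.25.254.21    Fri Oct  5 16:01 - 16:01  (00:00)
root     ssh:notty    172.25.254.21    Fri Oct  5 16:01 - 16:01  (00:00)
admin    ssh:notty    172.25.254.99    Fri Oct  5 15:58 - 15:58  (00:00)

btmp begins Fri Oct  5 14:51:30 2018
EOF
cat >"$LAST" <<'EOF'
root     pts/0        172.25.254.21    Fri Oct  5 16:03   still logged in
student  pts/1        172.25.254.30    Fri Oct  5 15:40 - 15:55  (00:15)
reboot   system boot  KERNEL-PLACEHOLD Fri Oct  5 14:51 - 16:05  (01:14)

wtmp begins Fri Oct  5 14:51:02 2018
EOF
echo "failed ssh logins per source:"; failed_by_source "$LASTB"
echo "sources with 3+ failures that then logged in:"; suspicious_sources "$LASTB" "$LAST" 3
```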