Linux basics (8): openssh-server
[client station: 172.25.254.48,
server redhat (the host being accessed remotely): 172.25.254.148]
I. Function
Lets remote hosts reach the sshd service over the network and open a secure shell.
II. How the client connects
1. ssh remote-user@remote-host-ip
[[email protected] Desktop]# ssh [email protected]
The authenticity of host '172.25.254.148 (172.25.254.148)' can't be established.
ECDSA key fingerprint is a5:b4:2c:dd:e6:9c:2f:b4:9e:26:0a:7e:8c:5f:75:e6.
Are you sure you want to continue connecting (yes/no)? yes ##on the first connection to an unknown host you must confirm its fingerprint to establish trust
Warning: Permanently added '172.25.254.148' (ECDSA) to the list of known hosts.
[email protected]'s password: ##the remote user's password
Last login: Tue Nov 14 17:17:20 2017 from 172.25.254.48
[[email protected] ~]# ##login succeeded
2. ssh remote-user@remote-host-ip -X ##use the remote host's graphical tools
3. ssh remote-user@remote-host-ip command ##run a single command directly on the remote host
[[email protected] Desktop]# ssh [email protected] touch /root/Desktop/file
[email protected]'s password:
##the file was created remotely; it worked
III. SSH key authentication (sshkey)
On the server:
1. Generate the public/private key pair
[[email protected] ~]# ssh-****** ##tool that generates the public/private key pair
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):[enter] ##file the key is saved in (recommended: keep the default)
Enter passphrase (empty for no passphrase):[enter] ##key passphrase, must be >4 characters (recommended: leave it empty, otherwise this passphrase is asked for again on every remote login)
Enter same passphrase again:[enter] ##confirm the passphrase
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
df:7d:d0:d4:63:76:45:da:57:cc:a5:ff:5f:ba:88:bc [email protected]
The key's randomart image is:
+--[ RSA 2048]----+
| +*|
| +*|
| o+*|
| o++|
| S . o|
| . . . ..|
| . . . +|
| . . . oo|
| E.. o..|
+-----------------+
[[email protected] ~]# ls /root/.ssh/
id_rsa id_rsa.pub
###id_rsa.pub ##the public key, i.e. the lock
2. Add key-based authentication
[[email protected] ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub [email protected]
The authenticity of host '172.25.254.148 (172.25.254.148)' can't be established.
ECDSA key fingerprint is a5:b4:2c:dd:e6:9c:2f:b4:9e:26:0a:7e:8c:5f:75:e6.
Are you sure you want to continue connecting (yes/no)? yes ##confirm
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password: ##enter the root user's password
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.
####this command creates authorized_keys and appends the contents of id_rsa.pub to /root/.ssh/authorized_keys
[[email protected] ~]#
Parameter notes:
ssh-copy-id ##tool that installs a key as an authentication method
-i ##specifies the key file
/root/.ssh/id_rsa.pub ##the key file
root ##the user the key is installed for is root
172.25.254.148 ##IP of the host the key is installed on
3. Hand the key to the client host
[[email protected] ~]# scp /root/.ssh/id_rsa [email protected]:/root/.ssh/
tip: if host 172.25.254.48 regularly needs to ssh to several machines, rename the id_rsa private-key files received from the different machines so that all of the private keys can coexist and remain usable
4. Test
[[email protected] Desktop]# ssh [email protected] ##connects via id_rsa directly, no user password needed
Last login: Tue Nov 14 18:17:41 2017 from 172.25.254.48
[[email protected] ~]#
IV. Raising openssh's security level
1. openssh-server configuration file
/etc/ssh/sshd_config
78 PasswordAuthentication yes|no ##whether password authentication is enabled; yes allows it, no disables it
48 PermitRootLogin yes|no ##whether the superuser may log in
49 AllowUsers student redhat ##user whitelist: only users listed here may open a shell through sshd
50 DenyUsers linux ##user blacklist
2. Controlling ssh client access
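As an added example (not part of the original post), here is a small POSIX shell audit of the four sshd_config settings listed above; the function names and the sample config it checks are my own constructions, not a real host's file.

```shell
#!/bin/sh
# Audit the sshd_config hardening settings discussed in this post.
# sshd uses the FIRST uncommented occurrence of a keyword and matches
# keywords case-insensitively, so the lookup below mirrors that.

# Print the effective value of KEYWORD in CONFIG (empty if not set).
sshd_effective() {
    awk -v key="$2" 'tolower($1) == tolower(key) {
        sub(/^[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# Report findings for CONFIG; return 0 if every check passes, 1 otherwise.
audit_sshd_config() {
    cfg="$1"; rc=0
    root=$(sshd_effective "$cfg" PermitRootLogin)
    pw=$(sshd_effective "$cfg" PasswordAuthentication)
    allow=$(sshd_effective "$cfg" AllowUsers)
    deny=$(sshd_effective "$cfg" DenyUsers)

    # OpenSSH before 7.0 (e.g. the RHEL 7 build used in this post) defaults to yes.
    case "${root:-yes}" in
        no|prohibit-password|without-password) echo "OK   PermitRootLogin=$root" ;;
        *) echo "WEAK PermitRootLogin=${root:-unset}"; rc=1 ;;
    esac
    # Default is yes; once keys are installed the post turns it off.
    if [ "${pw:-yes}" = "no" ]; then echo "OK   PasswordAuthentication=no"
    else echo "WEAK PasswordAuthentication=${pw:-yes}"; rc=1; fi
    if [ -n "$allow" ]; then echo "OK   AllowUsers=$allow"
    else echo "INFO AllowUsers not set: any account may attempt to log in"; fi
    [ -n "$deny" ] && echo "INFO DenyUsers=$deny"
    return $rc
}

# Constructed sample config resembling the lines quoted above.
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
#PermitRootLogin yes
PermitRootLogin yes
PasswordAuthentication yes
AllowUsers student redhat
DenyUsers linux
EOF
audit_sshd_config "$tmp"; echo "exit status: $?"
rm -f "$tmp"
```

The sample above reports PermitRootLogin and PasswordAuthentication as WEAK and exits 1; run it against /etc/ssh/sshd_config to check a real server.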
vim /etc/hosts.deny
sshd:ALL ##refuse all connections to sshd
vim /etc/hosts.allow
sshd:172.25.254.250 ##allow host .250 to connect to sshd
sshd:172.25.254.250, 172.25.254.180 ##allow .250 and .180 to connect
sshd:ALL EXCEPT 172.25.254.200 ##refuse only .200's connections to sshd
3. Changing the ssh login message
vim /etc/motd ##text shown after login
hello world ##this text is displayed after logging in