本篇写一些关于Linux网络中SSH服务的相关知识。

测试环境

名称 IP地址
host01 192.168.28.128
host02 192.168.28.129
host03 192.168.28.130

禁止 root 登录

  • 查看ssh服务端口是否开启
[root@host01 ~]# netstat -ntuap | grep sshd

tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      998/sshd

tcp6       0      0 :::22                   :::*                    LISTEN      998/sshd
  • 默认可以使用root用户登录
[root@host02 ~]# ssh root@192.168.28.128

The authenticity of host '192.168.28.128 (192.168.28.128)' can't be established.

ECDSA key fingerprint is SHA256:5GGc1rmzWwjF+ozz/PPTyLO2s6NmFHSxbzCNsLazXhY.

ECDSA key fingerprint is MD5:0b:f5:62:d7:a4:1f:05:64:0b:7f:22:62:11:64:07:61.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '192.168.28.128' (ECDSA) to the list of known hosts.

root@192.168.28.128's password:

Last login: Thu Sep 12 13:54:03 2019

[root@host01 ~]# logout

Connection to 192.168.28.128 closed.
  • 编辑配置文件,禁止root用户登录
[root@host01 ~]# vim /etc/ssh/sshd_config

PermitRootLogin no
  • 重新加载配置文件,使配置生效
[root@host01 ~]# systemctl reload sshd
  • 不可使用root用户登录
[root@host02 ~]# ssh root@192.168.28.128

root@192.168.28.128's password:

Permission denied, please try again.

root@192.168.28.128's password:
  • 添加普通用户zhangsan
[root@host01 ~]# useradd zhangsan && echo "000000" | passwd --stdin zhangsan

Changing password for user zhangsan.

passwd: all authentication tokens updated successfully.

[root@host01 ~]# id zhangsan

uid=1001(zhangsan) gid=1001(zhangsan) groups=1001(zhangsan)
  • 现在以zhangsan登录,发现可以切换至root用户
[root@host02 ~]# ssh zhangsan@192.168.28.128

zhangsan@192.168.28.128's password:

[zhangsan@host01 ~]$ su - root

Password:

Last login: Thu Sep 12 14:43:14 CST 2019 from 192.168.28.129 on pts/2

Last failed login: Thu Sep 12 14:46:39 CST 2019 from 192.168.28.129 on ssh:notty

There was 1 failed login attempt since the last successful login.

[root@host01 ~]# logout

[zhangsan@host01 ~]$ logout

Connection to 192.168.28.128 closed.
  • 可以开启pam认证来禁止切换
[root@host01 ~]# vim /etc/pam.d/su

auth            required        pam_wheel.so use_uid
  • 现在不可以使用zhangsan做跳板切换至root用户
[root@host02 ~]# ssh zhangsan@192.168.28.128

zhangsan@192.168.28.128's password:

Last login: Thu Sep 12 14:56:01 2019 from 192.168.28.129

[zhangsan@host01 ~]$ su - root

Password:

su: Permission denied

[zhangsan@host01 ~]$ logout

Connection to 192.168.28.128 closed.
  • zhangsan添加至wheel
[root@host01 ~]# gpasswd -a zhangsan wheel

Adding user zhangsan to group wheel

[root@host01 ~]# id zhangsan

uid=1001(zhangsan) gid=1001(zhangsan) groups=1001(zhangsan),10(wheel)
  • 只有在wheel组中的用户才可以使用su命令
[root@host02 ~]# ssh zhangsan@192.168.28.128

zhangsan@192.168.28.128's password:

Last login: Thu Sep 12 14:59:14 2019 from 192.168.28.129

[zhangsan@host01 ~]$ su - root

Password:

Last login: Thu Sep 12 14:56:13 CST 2019 on pts/2

Last failed login: Thu Sep 12 14:59:25 CST 2019 on pts/2

There was 1 failed login attempt since the last successful login.

[root@host01 ~]# logout

[zhangsan@host01 ~]$ logout

Connection to 192.168.28.128 closed.

登录次数尝试

  • 配置文件默认是6次,但尝试3次就不可再尝试
[root@host02 ~]# ssh zhangsan@192.168.28.128

zhangsan@192.168.28.128's password:

Permission denied, please try again.

zhangsan@192.168.28.128's password:

Permission denied, please try again.

zhangsan@192.168.28.128's password:

Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
  • 设置参数最大次数为5
[root@host01 ~]# vim /etc/ssh/sshd_config

MaxAuthTries 5
  • 重新加载配置文件,使配置生效
[root@host01 ~]# systemctl reload sshd
  • 想要使配置能够有意义,需要使用-o NumberOfPasswordPrompts=8参数,这里尝试8次,发现5次后被拒绝尝试。
[root@host02 ~]# ssh -o NumberOfPasswordPrompts=8 zhangsan@192.168.28.128

zhangsan@192.168.28.128's password:

Permission denied, please try again.

zhangsan@192.168.28.128's password:

Permission denied, please try again.

zhangsan@192.168.28.128's password:

Permission denied, please try again.

zhangsan@192.168.28.128's password:

Permission denied, please try again.

zhangsan@192.168.28.128's password:

Received disconnect from 192.168.28.128 port 22:2: Too many authentication failures

Authentication failed.

黑白名单

  • 添加lisiwangwu用户
[root@host01 ~]# useradd lisi && echo "000000" | passwd --stdin lisi

Changing password for user lisi.

passwd: all authentication tokens updated successfully.

[root@host01 ~]# useradd wangwu && echo "000000" | passwd --stdin wangwu

Changing password for user wangwu.

passwd: all authentication tokens updated successfully.
  • 添加白名单配置,默认没有相关条目zhangsan只能从129登录,lisi可以从任何主机登录
[root@host01 ~]# vim /etc/ssh/sshd_config

AllowUsers zhangsan@192.168.28.129 lisi

白名单:AllowUsers,黑名单:DenyUsers,不要同时使用。

  • 重新加载配置文件,使配置生效
[root@host01 ~]# systemctl reload sshd
  • 测试zhangsan可以从129登录
[root@host02 ~]# ssh zhangsan@192.168.28.128

zhangsan@192.168.28.128's password:

Last login: Thu Sep 12 16:53:09 2019 from 192.168.28.129

[zhangsan@host01 ~]$ logout

Connection to 192.168.28.128 closed.
  • 测试lisi可以从129登录
[root@host02 ~]# ssh lisi@192.168.28.128

lisi@192.168.28.128's password:

[lisi@host01 ~]$ logout

Connection to 192.168.28.128 closed.
  • 测试wangwu不可从129登录
[root@host02 ~]# ssh wangwu@192.168.28.128

wangwu@192.168.28.128's password:

Permission denied, please try again.

wangwu@192.168.28.128's password:
  • 测试zhangsan不可从130登录
[root@host03 ~]# ssh zhangsan@192.168.28.128

zhangsan@192.168.28.128's password:

Permission denied, please try again.

zhangsan@192.168.28.128's password:
  • 测试lisi可以从130登录
[root@host03 ~]# ssh lisi@192.168.28.128

lisi@192.168.28.128's password:

Last login: Thu Sep 12 16:56:07 2019 from 192.168.28.129

[lisi@host01 ~]$ logout

Connection to 192.168.28.128 closed.
  • 测试wangwu不可从130登录
[root@host03 ~]# ssh wangwu@192.168.28.128

wangwu@192.168.28.128's password:

Permission denied, please try again.

wangwu@192.168.28.128's password:

使用密钥对登录

  • 开启密钥认证选项
[root@host01 ~]# vim /etc/ssh/sshd_config

PubkeyAuthentication yes
  • 重新加载配置文件,使配置生效
[root@host01 ~]# systemctl reload sshd
  • 生成类型为ecdsa椭圆曲线数字签名加密的密钥,可以设置一个密码
[root@host02 ~]# ssh-keygen -t ecdsa

Generating public/private ecdsa key pair.

Enter file in which to save the key (/root/.ssh/id_ecdsa):

Enter passphrase (empty for no passphrase):

Enter same passphrase again:

Your identification has been saved in /root/.ssh/id_ecdsa.

Your public key has been saved in /root/.ssh/id_ecdsa.pub.

The key fingerprint is:

SHA256:Y4AjDPfBRwYAP5exUlv7Obn08cvhSZzAsZ6Mwqt/ccE root@host02

The key's randomart image is:

+---[ECDSA 256]---+

|o.oo=o+          |

| = o.X..         |

|  * O.o  ..      |

|   = . o +Eo     |

|        S =.     |

|     . o.O.* .   |

|      o oo= *    |

|       o.  + +   |

|    .oo.    =    |

+----[SHA256]-----+
  • 查看生成的私钥和公钥文件
[root@host02 ~]# ls .ssh/

id_ecdsa  id_ecdsa.pub
  • 推送公钥文件至128lisi用户
[root@host02 ~]# ssh-copy-id -i .ssh/id_ecdsa.pub lisi@192.168.28.128

/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_ecdsa.pub"

/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed

/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

lisi@192.168.28.128's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'lisi@192.168.28.128'"

and check to make sure that only the key(s) you wanted were added.
  • 本地会生成一个已知主机文件
[root@host02 ~]# ls .ssh/

id_ecdsa  id_ecdsa.pub  known_hosts
  • 可以查看一下
[root@host02 ~]# cat .ssh/known_hosts

192.168.28.128 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBG/cLQC3IgLKJnuYS8mOuhuJjfnMT4V2CsSJ6GNFgBlmANrik1sLgUeSIfyPOeirGfyz0En3/AAyI+slLpA/3lQ=
  • 128lisi用户下生成了认证密钥
[root@host01 ~]# cat /home/lisi/.ssh/authorized_keys

ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEE/8T2xbTo11fmJu5sAc43OyUELuvl6OvcEiJ4WrZxaD9QR+PmJCxLZoVd5+HwyT6PFmW7EZjMk8NogcnDc9HI= root@host02
  • 使用128lisi用户ssh登录,提示输入先前设置的密码
[root@host02 ~]# ssh lisi@192.168.28.128

Enter passphrase for key '/root/.ssh/id_ecdsa':

Last login: Thu Sep 12 17:09:37 2019 from 192.168.28.129

[lisi@host01 ~]$ logout

Connection to 192.168.28.128 closed.
  • 可以设置免验证操作,并输入先前设置的密码
[root@host02 ~]# ssh-agent bash

[root@host02 ~]# ssh-add

Enter passphrase for /root/.ssh/id_ecdsa:

Identity added: /root/.ssh/id_ecdsa (/root/.ssh/id_ecdsa)
  • 现在可以免密码登录
[root@host02 ~]# ssh lisi@192.168.28.128

Last login: Tue Sep 17 00:40:47 2019 from 192.168.28.129

[lisi@host01 ~]$ logout

Connection to 192.168.28.128 closed.

更改默认端口

  • 关闭防火墙、SELinux
[root@host01 ~]# systemctl stop firewalld

[root@host01 ~]# setenforce 0
  • 更改默认端口222233
[root@host01 ~]# vim /etc/ssh/sshd_config

Port 2233
  • 重新加载配置文件,使配置生效
[root@host01 ~]# systemctl reload sshd

[root@host01 ~]# netstat -ntuap | grep sshd

tcp        0      0 0.0.0.0:2233            0.0.0.0:*               LISTEN      41357/sshd

tcp6       0      0 :::2233                 :::*                    LISTEN      41357/sshd
  • 直接登录失败
[root@host02 ~]# ssh lisi@192.168.28.128

ssh: connect to host 192.168.28.128 port 22: Connection refused
  • 指定端口登录成功
[root@host02 ~]# ssh -p 2233 lisi@192.168.28.128

Last login: Tue Sep 17 01:21:11 2019 from 192.168.28.129

[lisi@host01 ~]$ logout

Connection to 192.168.28.128 closed.

scp 远程复制

  • 创建测试文件、文件夹
[root@host02 ~]# echo "this is testfile01" > testfile01.txt

[root@host02 ~]# mkdir testdir01
  • 远程复制文件
[root@host02 ~]# scp testfile01.txt root@192.168.28.128:/opt/

root@192.168.28.128's password:

testfile01.txt                                                                                                                                             100%   19    11.4KB/s   00:00
  • 远程复制文件夹
[root@host02 ~]# scp -r testdir01/ root@192.168.28.128:/opt/

root@192.168.28.128's password:
  • 查看是否复制成功
[root@host01 ~]# ls /opt/

rh  testdir01  testfile.txt

sftp 安全文件传输协议

  • 登录
[root@host02 ~]# sftp root@192.168.28.128

root@192.168.28.128's password:

Connected to 192.168.28.128.

sftp>
  • 可以cd切换目录,ls查看,put上传
sftp> cd /home/zhangsan/

sftp> ls

sftp> put /root/testfile01.txt

Uploading /root/testfile01.txt to /home/zhangsan/testfile01.txt

/root/testfile01.txt                                                                                                                                       100%   19    32.8KB/s   00:00

sftp> ls

testfile01.txt
  • 上传成功
[root@host01 ~]# ls /home/zhangsan/

testfile01.txt
  • get下载
sftp> get /etc/passwd

Fetching /etc/passwd to passwd

/etc/passwd                                                                                                                                                100% 2227     1.8MB/s   00:00

sftp> bye
  • 下载成功
[root@host02 ~]# ls

anaconda-ks.cfg  passwd  testdir01  testfile01.txt

Linux SSH 服务的更多相关文章

  1. linux——ssh服务

    SSH服务(TCP端口号22):安全的命令解释器 为客户机提供安全的Shell 环境,用于远程管理 SSH基于公钥加密(非对称加密)技术: 数据加密传输: 客户端和服务器的身份验证: 公钥 和 私钥 ...

  2. Linux ssh服务

    关于ssh服务不多说就提几句,1,机房的服务器一般都是通过远程连接登录的,远程登录就必然少不了ssh客户端.2,虚拟机每次都要点击进去,每次退出来也需要按Ctrl+Alt+Enter,也比较麻烦,有时 ...

  3. 查看linux ssh服务信息及运行状态

    关于ssh服务端配置有不少文章,例如 linux下ssh服务配置,这里仅列举出一些查看ssh服务相关信息的常用命令. rpm -qa | grep ssh 可以看到系统中ssh安装包 rpm -ql ...

  4. linux ssh 服务优化

    linux 默认管理员 root,port 端口号是 22,为了安全,我们要改掉默认的管理员和端口 配置文件/etc/ssh/sshd_config [root@oldboy ~]# vi /etc/ ...

  5. 记一次 java 连接 linux ssh服务 权限验证失败的原因和解决过程

    下面的问题我是通过之前的ssh测试类找出原因的,因为我的测试类跑通了,但是程序跑不通,看了一下源码发现还有一处没有进行解密,所以才会权限验证失败. // 出现权限验证失败的原因就在这里,因为老板要求对 ...

  6. Linux ssh服务开启秘钥和密码认证

    问题描述: 实现Linux秘钥和密码同时认证 解决方案: vim /etc/ssh/sshd_config 基本参数: PermitRootLogin yes #允许root认证登录 Password ...

  7. ssh服务、密钥登陆配置

    环境内核信息: [root@zabbix-01 ~]# uname -a Linux lodboyedu-01 2.6.32-696.el6.x86_64 #1 SMP Tue Mar 21 19:2 ...

  8. SSH服务及其扩展(sshpass和expect)

    SSH服务及其扩展(sshpass和expect) Linux SSH服务一共包含三个工具:ssh.scp.sftp [远程连接及执行命令] 语法:ssh -p端口 账号@IP 命令 参数说明:-o ...

  9. Linux mint 18版本开启SSH服务

    linux mint 18版本默认是没有安装ssh server的 需要手动安装 安装ssh server: 此命令需要联网,会自动下载安装 安装之后看是否开始了ssh, 看到ssh-agent 和s ...

随机推荐

  1. 给kali的Metasploit下添加一个新的exploit

    转载:https://blog.csdn.net/SilverMagic/article/details/40978081 首先在/usr/share/metasploit-framework/mod ...

  2. 自动生成LR脚本且运行

    背景:作为一个测试,特别是性能测试,尤其在活动的测试,时间紧,有很多要测的,我们的LR11因为浏览器兼容问题全录制不了脚本了,用浏览器加代理或手机加代理录制,我感觉好麻烦 ,所以就想如果能用脚本把所有 ...

  3. iOS - 截取数组前几个元素放入新的数组,剩余的放入另外一个数组

    NSArray *array = [NSArray arrayWithObjects:@"Crystal",@"Maisie",@"Lukas&quo ...

  4. Python正则简单实例分析

    Python正则简单实例分析 本文实例讲述了Python正则简单用法.分享给大家供大家参考,具体如下: 悄悄打入公司内部UED的一个Python爱好者小众群,前两天一位牛人发了条消息: 小的测试题:  ...

  5. LeetCode_482. License Key Formatting

    482. License Key Formatting Easy You are given a license key represented as a string S which consist ...

  6. Win732位DotNetCore部署IIS错误记录

    部署环境为:Win7专业版32位,数据库Mysql5.7.27-win32 1.先启用IIS功能 2.安装Mysql5.7.27-win32,使用解压版安装 安装步骤: mysql的解压根目录下新建m ...

  7. 百度SMS发送短信C#

    /// <summary> /// 百度接口签名帮助类 /// </summary> public class BaiduApiHelper { #region 构造函数 // ...

  8. Redis Sentinel 高可用部署实践集群

    一.Redis Sentinel 介绍    1.Sentinel     数据库环境搭建,从单机版到主备.再到多数据库集群,我们需要一个高可用的监控:比如Mysql中,我们可能会采用MHA来搭建我们 ...

  9. LeetCode70——爬楼梯

    题目描述 假设你正在爬楼梯.需要 n 阶你才能到达楼顶. 每次你可以爬 1 或 2 个台阶.你有多少种不同的方法可以爬到楼顶呢? 注意:给定 n 是一个正整数. 示例 1: 输入: 2 输出: 2 解 ...

  10. 解决vue项目在ie浏览器缓存问题。

    ie浏览器一直是程序员的噩梦.项目在谷歌浏览器上完美运行.在ie浏览器上,缓存问题真心恶心.后台查看了资料说在接口上加上时间戳或随机数就行了.要是这样干,工作量真心大啊.后来我对我们公司大神封装的ax ...