本篇写一些关于Linux网络中SSH服务的相关知识。

测试环境

名称 IP地址
host01 192.168.28.128
host02 192.168.28.129
host03 192.168.28.130

禁止 root 登录

  • 查看ssh服务端口是否开启
[root@host01 ~]# netstat -ntuap | grep sshd

tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      998/sshd

tcp6       0      0 :::22                   :::*                    LISTEN      998/sshd
  • 默认可以使用root用户登录
[root@host02 ~]# ssh root@192.168.28.128

The authenticity of host '192.168.28.128 (192.168.28.128)' can't be established.

ECDSA key fingerprint is SHA256:5GGc1rmzWwjF+ozz/PPTyLO2s6NmFHSxbzCNsLazXhY.

ECDSA key fingerprint is MD5:0b:f5:62:d7:a4:1f:05:64:0b:7f:22:62:11:64:07:61.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '192.168.28.128' (ECDSA) to the list of known hosts.

root@192.168.28.128's password:

Last login: Thu Sep 12 13:54:03 2019

[root@host01 ~]# logout

Connection to 192.168.28.128 closed.
  • 编辑配置文件,禁止root用户登录
[root@host01 ~]# vim /etc/ssh/sshd_config

PermitRootLogin no
  • 重新加载配置文件,使配置生效
[root@host01 ~]# systemctl reload sshd
  • 不可使用root用户登录
[root@host02 ~]# ssh root@192.168.28.128

root@192.168.28.128's password:

Permission denied, please try again.

root@192.168.28.128's password:
  • 添加普通用户zhangsan
[root@host01 ~]# useradd zhangsan && echo "000000" | passwd --stdin zhangsan

Changing password for user zhangsan.

passwd: all authentication tokens updated successfully.

[root@host01 ~]# id zhangsan

uid=1001(zhangsan) gid=1001(zhangsan) groups=1001(zhangsan)
  • 现在以zhangsan登录,发现可以切换至root用户
[root@host02 ~]# ssh zhangsan@192.168.28.128

zhangsan@192.168.28.128's password:

[zhangsan@host01 ~]$ su - root

Password:

Last login: Thu Sep 12 14:43:14 CST 2019 from 192.168.28.129 on pts/2

Last failed login: Thu Sep 12 14:46:39 CST 2019 from 192.168.28.129 on ssh:notty

There was 1 failed login attempt since the last successful login.

[root@host01 ~]# logout

[zhangsan@host01 ~]$ logout

Connection to 192.168.28.128 closed.
  • 可以开启pam认证来禁止切换
[root@host01 ~]# vim /etc/pam.d/su

auth            required        pam_wheel.so use_uid
  • 现在不可以使用zhangsan做跳板切换至root用户
[root@host02 ~]# ssh zhangsan@192.168.28.128

zhangsan@192.168.28.128's password:

Last login: Thu Sep 12 14:56:01 2019 from 192.168.28.129

[zhangsan@host01 ~]$ su - root

Password:

su: Permission denied

[zhangsan@host01 ~]$ logout

Connection to 192.168.28.128 closed.
  • zhangsan添加至wheel
[root@host01 ~]# gpasswd -a zhangsan wheel

Adding user zhangsan to group wheel

[root@host01 ~]# id zhangsan

uid=1001(zhangsan) gid=1001(zhangsan) groups=1001(zhangsan),10(wheel)
  • 只有在wheel组中的用户才可以使用su命令
[root@host02 ~]# ssh zhangsan@192.168.28.128

zhangsan@192.168.28.128's password:

Last login: Thu Sep 12 14:59:14 2019 from 192.168.28.129

[zhangsan@host01 ~]$ su - root

Password:

Last login: Thu Sep 12 14:56:13 CST 2019 on pts/2

Last failed login: Thu Sep 12 14:59:25 CST 2019 on pts/2

There was 1 failed login attempt since the last successful login.

[root@host01 ~]# logout

[zhangsan@host01 ~]$ logout

Connection to 192.168.28.128 closed.

登录次数尝试

  • 配置文件默认是6次,但尝试3次就不可再尝试
[root@host02 ~]# ssh zhangsan@192.168.28.128

zhangsan@192.168.28.128's password:

Permission denied, please try again.

zhangsan@192.168.28.128's password:

Permission denied, please try again.

zhangsan@192.168.28.128's password:

Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
  • 设置参数最大次数为5
[root@host01 ~]# vim /etc/ssh/sshd_config

MaxAuthTries 5
  • 重新加载配置文件,使配置生效
[root@host01 ~]# systemctl reload sshd
  • 想要使配置能够有意义,需要使用-o NumberOfPasswordPrompts=8参数,这里尝试8次,发现5次后被拒绝尝试。
[root@host02 ~]# ssh -o NumberOfPasswordPrompts=8 zhangsan@192.168.28.128

zhangsan@192.168.28.128's password:

Permission denied, please try again.

zhangsan@192.168.28.128's password:

Permission denied, please try again.

zhangsan@192.168.28.128's password:

Permission denied, please try again.

zhangsan@192.168.28.128's password:

Permission denied, please try again.

zhangsan@192.168.28.128's password:

Received disconnect from 192.168.28.128 port 22:2: Too many authentication failures

Authentication failed.

黑白名单

  • 添加lisiwangwu用户
[root@host01 ~]# useradd lisi && echo "000000" | passwd --stdin lisi

Changing password for user lisi.

passwd: all authentication tokens updated successfully.

[root@host01 ~]# useradd wangwu && echo "000000" | passwd --stdin wangwu

Changing password for user wangwu.

passwd: all authentication tokens updated successfully.
  • 添加白名单配置,默认没有相关条目zhangsan只能从129登录,lisi可以从任何主机登录
[root@host01 ~]# vim /etc/ssh/sshd_config

AllowUsers zhangsan@192.168.28.129 lisi

白名单:AllowUsers,黑名单:DenyUsers,不要同时使用。

  • 重新加载配置文件,使配置生效
[root@host01 ~]# systemctl reload sshd
  • 测试zhangsan可以从129登录
[root@host02 ~]# ssh zhangsan@192.168.28.128

zhangsan@192.168.28.128's password:

Last login: Thu Sep 12 16:53:09 2019 from 192.168.28.129

[zhangsan@host01 ~]$ logout

Connection to 192.168.28.128 closed.
  • 测试lisi可以从129登录
[root@host02 ~]# ssh lisi@192.168.28.128

lisi@192.168.28.128's password:

[lisi@host01 ~]$ logout

Connection to 192.168.28.128 closed.
  • 测试wangwu不可从129登录
[root@host02 ~]# ssh wangwu@192.168.28.128

wangwu@192.168.28.128's password:

Permission denied, please try again.

wangwu@192.168.28.128's password:
  • 测试zhangsan不可从130登录
[root@host03 ~]# ssh zhangsan@192.168.28.128

zhangsan@192.168.28.128's password:

Permission denied, please try again.

zhangsan@192.168.28.128's password:
  • 测试lisi可以从130登录
[root@host03 ~]# ssh lisi@192.168.28.128

lisi@192.168.28.128's password:

Last login: Thu Sep 12 16:56:07 2019 from 192.168.28.129

[lisi@host01 ~]$ logout

Connection to 192.168.28.128 closed.
  • 测试wangwu不可从130登录
[root@host03 ~]# ssh wangwu@192.168.28.128

wangwu@192.168.28.128's password:

Permission denied, please try again.

wangwu@192.168.28.128's password:

使用密钥对登录

  • 开启密钥认证选项
[root@host01 ~]# vim /etc/ssh/sshd_config

PubkeyAuthentication yes
  • 重新加载配置文件,使配置生效
[root@host01 ~]# systemctl reload sshd
  • 生成类型为ecdsa椭圆曲线数字签名加密的密钥,可以设置一个密码
[root@host02 ~]# ssh-keygen -t ecdsa

Generating public/private ecdsa key pair.

Enter file in which to save the key (/root/.ssh/id_ecdsa):

Enter passphrase (empty for no passphrase):

Enter same passphrase again:

Your identification has been saved in /root/.ssh/id_ecdsa.

Your public key has been saved in /root/.ssh/id_ecdsa.pub.

The key fingerprint is:

SHA256:Y4AjDPfBRwYAP5exUlv7Obn08cvhSZzAsZ6Mwqt/ccE root@host02

The key's randomart image is:

+---[ECDSA 256]---+

|o.oo=o+          |

| = o.X..         |

|  * O.o  ..      |

|   = . o +Eo     |

|        S =.     |

|     . o.O.* .   |

|      o oo= *    |

|       o.  + +   |

|    .oo.    =    |

+----[SHA256]-----+
  • 查看生成的私钥和公钥文件
[root@host02 ~]# ls .ssh/

id_ecdsa  id_ecdsa.pub
  • 推送公钥文件至128lisi用户
[root@host02 ~]# ssh-copy-id -i .ssh/id_ecdsa.pub lisi@192.168.28.128

/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_ecdsa.pub"

/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed

/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

lisi@192.168.28.128's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'lisi@192.168.28.128'"

and check to make sure that only the key(s) you wanted were added.
  • 本地会生成一个已知主机文件
[root@host02 ~]# ls .ssh/

id_ecdsa  id_ecdsa.pub  known_hosts
  • 可以查看一下
[root@host02 ~]# cat .ssh/known_hosts

192.168.28.128 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBG/cLQC3IgLKJnuYS8mOuhuJjfnMT4V2CsSJ6GNFgBlmANrik1sLgUeSIfyPOeirGfyz0En3/AAyI+slLpA/3lQ=
  • 128lisi用户下生成了认证密钥
[root@host01 ~]# cat /home/lisi/.ssh/authorized_keys

ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEE/8T2xbTo11fmJu5sAc43OyUELuvl6OvcEiJ4WrZxaD9QR+PmJCxLZoVd5+HwyT6PFmW7EZjMk8NogcnDc9HI= root@host02
  • 使用128lisi用户ssh登录,提示输入先前设置的密码
[root@host02 ~]# ssh lisi@192.168.28.128

Enter passphrase for key '/root/.ssh/id_ecdsa':

Last login: Thu Sep 12 17:09:37 2019 from 192.168.28.129

[lisi@host01 ~]$ logout

Connection to 192.168.28.128 closed.
  • 可以设置免验证操作,并输入先前设置的密码
[root@host02 ~]# ssh-agent bash

[root@host02 ~]# ssh-add

Enter passphrase for /root/.ssh/id_ecdsa:

Identity added: /root/.ssh/id_ecdsa (/root/.ssh/id_ecdsa)
  • 现在可以免密码登录
[root@host02 ~]# ssh lisi@192.168.28.128

Last login: Tue Sep 17 00:40:47 2019 from 192.168.28.129

[lisi@host01 ~]$ logout

Connection to 192.168.28.128 closed.

更改默认端口

  • 关闭防火墙、SELinux
[root@host01 ~]# systemctl stop firewalld

[root@host01 ~]# setenforce 0
  • 更改默认端口222233
[root@host01 ~]# vim /etc/ssh/sshd_config

Port 2233
  • 重新加载配置文件,使配置生效
[root@host01 ~]# systemctl reload sshd

[root@host01 ~]# netstat -ntuap | grep sshd

tcp        0      0 0.0.0.0:2233            0.0.0.0:*               LISTEN      41357/sshd

tcp6       0      0 :::2233                 :::*                    LISTEN      41357/sshd
  • 直接登录失败
[root@host02 ~]# ssh lisi@192.168.28.128

ssh: connect to host 192.168.28.128 port 22: Connection refused
  • 指定端口登录成功
[root@host02 ~]# ssh -p 2233 lisi@192.168.28.128

Last login: Tue Sep 17 01:21:11 2019 from 192.168.28.129

[lisi@host01 ~]$ logout

Connection to 192.168.28.128 closed.

scp 远程复制

  • 创建测试文件、文件夹
[root@host02 ~]# echo "this is testfile01" > testfile01.txt

[root@host02 ~]# mkdir testdir01
  • 远程复制文件
[root@host02 ~]# scp testfile01.txt root@192.168.28.128:/opt/

root@192.168.28.128's password:

testfile01.txt                                                                                                                                             100%   19    11.4KB/s   00:00
  • 远程复制文件夹
[root@host02 ~]# scp -r testdir01/ root@192.168.28.128:/opt/

root@192.168.28.128's password:
  • 查看是否复制成功
[root@host01 ~]# ls /opt/

rh  testdir01  testfile.txt

sftp 安全文件传输协议

  • 登录
[root@host02 ~]# sftp root@192.168.28.128

root@192.168.28.128's password:

Connected to 192.168.28.128.

sftp>
  • 可以cd切换目录,ls查看,put上传
sftp> cd /home/zhangsan/

sftp> ls

sftp> put /root/testfile01.txt

Uploading /root/testfile01.txt to /home/zhangsan/testfile01.txt

/root/testfile01.txt                                                                                                                                       100%   19    32.8KB/s   00:00

sftp> ls

testfile01.txt
  • 上传成功
[root@host01 ~]# ls /home/zhangsan/

testfile01.txt
  • get下载
sftp> get /etc/passwd

Fetching /etc/passwd to passwd

/etc/passwd                                                                                                                                                100% 2227     1.8MB/s   00:00

sftp> bye
  • 下载成功
[root@host02 ~]# ls

anaconda-ks.cfg  passwd  testdir01  testfile01.txt

Linux SSH 服务的更多相关文章

  1. linux——ssh服务

    SSH服务(TCP端口号22):安全的命令解释器 为客户机提供安全的Shell 环境,用于远程管理 SSH基于公钥加密(非对称加密)技术: 数据加密传输: 客户端和服务器的身份验证: 公钥 和 私钥 ...

  2. Linux ssh服务

    关于ssh服务不多说就提几句,1,机房的服务器一般都是通过远程连接登录的,远程登录就必然少不了ssh客户端.2,虚拟机每次都要点击进去,每次退出来也需要按Ctrl+Alt+Enter,也比较麻烦,有时 ...

  3. 查看linux ssh服务信息及运行状态

    关于ssh服务端配置有不少文章,例如 linux下ssh服务配置,这里仅列举出一些查看ssh服务相关信息的常用命令. rpm -qa | grep ssh 可以看到系统中ssh安装包 rpm -ql ...

  4. linux ssh 服务优化

    linux 默认管理员 root,port 端口号是 22,为了安全,我们要改掉默认的管理员和端口 配置文件/etc/ssh/sshd_config [root@oldboy ~]# vi /etc/ ...

  5. 记一次 java 连接 linux ssh服务 权限验证失败的原因和解决过程

    下面的问题我是通过之前的ssh测试类找出原因的,因为我的测试类跑通了,但是程序跑不通,看了一下源码发现还有一处没有进行解密,所以才会权限验证失败. // 出现权限验证失败的原因就在这里,因为老板要求对 ...

  6. Linux ssh服务开启秘钥和密码认证

    问题描述: 实现Linux秘钥和密码同时认证 解决方案: vim /etc/ssh/sshd_config 基本参数: PermitRootLogin yes #允许root认证登录 Password ...

  7. ssh服务、密钥登陆配置

    环境内核信息: [root@zabbix-01 ~]# uname -a Linux lodboyedu-01 2.6.32-696.el6.x86_64 #1 SMP Tue Mar 21 19:2 ...

  8. SSH服务及其扩展(sshpass和expect)

    SSH服务及其扩展(sshpass和expect) Linux SSH服务一共包含三个工具:ssh.scp.sftp [远程连接及执行命令] 语法:ssh -p端口 账号@IP 命令 参数说明:-o ...

  9. Linux mint 18版本开启SSH服务

    linux mint 18版本默认是没有安装ssh server的 需要手动安装 安装ssh server: 此命令需要联网,会自动下载安装 安装之后看是否开始了ssh, 看到ssh-agent 和s ...

随机推荐

  1. WebGL学习笔记(十):雾化

    雾化是指距离我们较远的物体看不清晰的情况,比如模拟大雾环境,或者模拟水下环境时会用到. 实现雾化的方式有很多种,我们这里使用的是线性雾化的方式: 线性雾化 线性雾化比较简单,我们算出每个像素点到摄像机 ...

  2. 【GMT43智能液晶模块】例程十九:LAN_DHCP实验——动态分配IP地址

    源代码下载链接: 链接:https://pan.baidu.com/s/19Euul9LYFKYdKdXTRBfx5w 提取码:p6k8 复制这段内容后打开百度网盘手机App,操作更方便哦 GMT43 ...

  3. exe4j 打包jar包程序,inno setup complier打包所有

    关于库: jar包中对于引用第三方库的话,需要再exe4j中引用. rxtx http://rxtx.qbang.org/wiki/index.php/Download

  4. 上传下载execl

    ajax上传execl + easyexecl解析execl <!DOCTYPE html> <html> <head> <meta charset=&quo ...

  5. python os.popen('xxx.py') 遇到的坑 (No Child Processes)

    1.调用系统库 platform.system() 报错: 2.os.popen() 打开的文件流未关闭也会出现这种错误. f = os.popen() f.read() f.close() 问题复现 ...

  6. LeetCode_476. Number Complement

    476. Number Complement Easy Given a positive integer, output its complement number. The complement s ...

  7. 微信小程序tabBar底部导航 不显示问题解析

    2019年十月八号 转藏: 版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明. 本文链接:https://blog.csdn.net/wy_Blo ...

  8. kubernetes-dashboard获取令牌登陆

    前言:kubernetes核心组件服务启动正常 一.在kubernetes-dashboard.yaml父级文件夹下创建account.yaml文件用于访问kubernetes-dashboard,添 ...

  9. zuul 熔断后重试

    <dependency> <groupId>org.springframework.retry</groupId> <artifactId>spring ...

  10. 更改ubuntu桌面环境

    1.修改桌面环境 update-alternatives --config x-session-manager 2.卸载某一种ppa源下面的软件 sudo apt-get install ppa-pu ...