Linux CentOS 7: sshd remote login, key-pair login, TCP Wrappers access control
Published: 2020-12-14 00:37:06  Category: Linux  Source: compiled from the web
Lab environment: VMware virtual machines, one acting as the server (192.168.17.128) and one as the client.
Goals of this chapter: understand sshd remote login management, key-pair authentication and TCP Wrappers access control.

一. sshd remote login

1. Check the sshd service (on the server)

    [root@server ~]# netstat -ntap | grep 22
    tcp   0   0 192.168.122.1:53       0.0.0.0:*           LISTEN      3252/dnsm
    tcp   0   0 0.0.0.0:22             0.0.0.0:*           LISTEN      968/sshd        // sshd is enabled by default
    tcp   0   0 127.0.0.1:6010         0.0.0.0:*           LISTEN      16227/[obscured in source]
    tcp   0   0 192.168.17.128:49342   180.97.251.226:80   TIME_WAIT   -
    tcp   0   0 192.168.17.128:42522   202.141.176.110:80

   Note that "grep 22" also matches any line containing "22", such as 192.168.122.1:53 above; `ss -ltnp | grep ':22 '` narrows the output to the listening port.

2. Understand the server-side configuration file, /etc/ssh/sshd_config

    #Port 22                    // listening port
    #LoginGraceTime 2m          // time allowed to complete authentication: 2 minutes
    #PermitRootLogin yes        // root may log in over ssh
    #StrictModes yes            // check ownership and permissions of the user's home and key files before accepting them
    #MaxAuthTries 6             // maximum authentication attempts per connection
    #MaxSessions 10             // maximum open sessions per network connection
    #PubkeyAuthentication yes   // public-key authentication enabled

   These lines are commented out, so they only document the built-in defaults that apply.

3. Log in to the server's root account from the client

    [root@client ~]# ssh root@192.168.17.128
    The authenticity of host '192.168.17.128 (192.168.17.128)' can't be established.
    ECDSA key fingerprint is SHA256:Rpsrtp0nMlVYADWOhRjM0UVz6wVl682cNuzxhF0Q7C8.
    ECDSA key fingerprint is MD5:fa:c3:d9:5c:96:87:ce:16:d8:63:b3:0c:7b:26:45:1f.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.17.128' (ECDSA) to the list of known hosts.
    root@192.168.17.128's password:
    Last login: Mon Sep 16 12:07:36 2019

4. Disable remote root login on the server

    #LoginGraceTime 2m
    PermitRootLogin no          // remote users may no longer log in as root; the line must be uncommented to take effect
    #StrictModes yes
    #MaxAuthTries 6
    #MaxSessions 10

   Restart sshd afterwards (systemctl restart sshd) so that the change takes effect.

5. Verify from the client that root can no longer log in

    [root@client ~]# ssh root@192.168.17.128
    root@192.168.17.128's password:
    Permission denied, please try again.
    root@192.168.17.128's password:

6. From the client, log in as the ordinary user lisi and then switch to root with su; this still works, which is not secure

    [root@client ~]# ssh lisi@192.168.17.128
    lisi@192.168.17.128's password:
    [lisi@server ~]$ su - root
    密码:
    上一次登录:一 9月 16 12:17:31 CST 2019pts/2 上
    最后一次失败的登录:一 9月 16 12:25:59 CST 2019pts/2 上
    最有一次成功登录后有 1 次失败的登录尝试。
    [root@server ~]#

7. Enable the PAM restriction on su on the server

    vim /etc/pam.d/su
    auth        required    pam_wheel.so use_uid    // remove the leading "#" from this line
    auth        substack    system-auth
    auth        include     postlogin

   With pam_wheel enabled, only members of the wheel group may su to root.

8. Verify again from the client

    [lisi@server ~]$ su - root
    密码:
    su: 拒绝权限

9. On the client, enter a wrong password three times: the client gives up after three prompts, although the server's MaxAuthTries is 6

    [root@client ~]# ssh root@192.168.17.128
    root@192.168.17.128's password:
    Permission denied, please try again.
    root@192.168.17.128's password:
    Permission denied, please try again.
    root@192.168.17.128's password:
    Permission denied, please try again.
    [root@client ~]#

   The three prompts come from the client's own NumberOfPasswordPrompts option, whose default is 3.

10. On the client, as root, raise the number of password prompts to 8

    [root@client ~]# ssh -o NumberOfPasswordPrompts=8 root@192.168.17.128
    The authenticity of host '192.168.17.128 (192.168.17.128)' can't be established.
    ECDSA key fingerprint is SHA256:Rpsrtp0nMlVYADWOhRjM0UVz6wVl682cNuzxhF0Q7C8.
    ECDSA key fingerprint is MD5:fa:c3:d9:5c:96:87:ce:16:d8:63:b3:0c:7b:26:45:1f.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.17.128' (ECDSA) to the list of known hosts.
    root@192.168.17.128's password:
    Permission denied, please try again.
    root@192.168.17.128's password:
    Permission denied, please try again.
    root@192.168.17.128's password:
    Permission denied, please try again.
    root@192.168.17.128's password:
    Permission denied, please try again.
    root@192.168.17.128's password:
    Permission denied, please try again.
    root@192.168.17.128's password:
    Received disconnect from 192.168.17.128 port 22:2: Too many authentication failures
    Authentication failed.
    [root@client ~]#

   Now the server's MaxAuthTries limit is what ends the session: after the sixth failure sshd drops the connection.

11. Set the allow list for ssh remote login on the server

    #LoginGraceTime 2m
    PermitRootLogin no
    #StrictModes yes
    #MaxAuthTries 6
    #MaxSessions 10
    AllowUsers chen@192.168.17.130      // only the user chen, and only from 192.168.17.130, may log in
    [root@server ~]# systemctl restart sshd

12. Three remote management tools

    scp         remote copy
    sftp get    download a file from the remote host
    sftp put    upload a file to the remote host
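The sshd_config edits in steps 4 and 11 only work when the directive is actually uncommented and is the first occurrence of that keyword in the global section; sshd takes the first uncommented value and ignores later duplicates. The following POSIX-shell script is an added example, not code from the original post: it reads the effective value of a keyword from a config file and checks the hardening described above (PermitRootLogin no, an explicit MaxAuthTries of at most 6, an AllowUsers list) against two constructed sample files, one deliberately wrong and one correct. The function names and the sample file contents are assumptions for the example.

```shell
#!/bin/sh
# Added example (not code from the original post): report the EFFECTIVE value of
# sshd_config keywords. sshd keeps the FIRST uncommented occurrence of a keyword
# and ignores later ones, so "#PermitRootLogin no" (still a comment) or a
# "PermitRootLogin no" placed below an earlier "PermitRootLogin yes" changes
# nothing. Only the global section, before any Match block, is inspected.

# sshd_effective KEYWORD FILE: print the effective value of KEYWORD, or nothing
# when it is never set uncommented (the compiled-in default then applies).
# Keywords are matched case-insensitively, as sshd does.
sshd_effective() {
    awk -v key="$1" '
        /^[[:space:]]*#/ { next }                 # comment line
        NF == 0          { next }                 # blank line
        tolower($1) == "match" { exit }           # global section ends here
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[[:space:]]+/, ""); print; exit
        }' "$2"
}

# sshd_check FILE: 0 when the hardening from the post is in effect (root login
# explicitly off, MaxAuthTries explicitly <= 6, an AllowUsers list present);
# otherwise print each finding and return 1.
sshd_check() {
    rc=0
    root=$(sshd_effective PermitRootLogin "$1")
    tries=$(sshd_effective MaxAuthTries "$1")
    allow=$(sshd_effective AllowUsers "$1")
    [ "$root" = "no" ] ||
        { echo "FINDING: PermitRootLogin is '${root:-unset}', expected 'no'"; rc=1; }
    { [ -n "$tries" ] && [ "$tries" -le 6 ] 2>/dev/null; } ||
        { echo "FINDING: MaxAuthTries is '${tries:-unset}', expected an explicit value <= 6"; rc=1; }
    [ -n "$allow" ] ||
        { echo "FINDING: no AllowUsers list, every account may log in"; rc=1; }
    return $rc
}

# write_samples DIR: two constructed stand-ins for /etc/ssh/sshd_config.
write_samples() {
    cat > "$1/weak" <<'EOF'
#Port 22
# the next line is still a comment, so it has no effect
#PermitRootLogin no
PermitRootLogin yes
# second occurrence: ignored, the first one above wins
PermitRootLogin no
#MaxAuthTries 6
EOF
    cat > "$1/hardened" <<'EOF'
Port 22
PermitRootLogin no
MaxAuthTries 6
MaxSessions 10
PubkeyAuthentication yes
AllowUsers chen@192.168.17.130
Match User backup
    PermitRootLogin yes
EOF
}

dir=$(mktemp -d)
write_samples "$dir"
for f in weak hardened; do
    echo "== $f =="
    sshd_check "$dir/$f" && echo "ok: hardening in effect"
done
rm -rf "$dir"
# On a real host, "sshd -T" prints the parsed effective configuration and is the
# authoritative check; this script only needs awk and can be run on a copy.
```

Run it against a copy of the real file with `sshd_check /path/to/sshd_config`; the "weak" sample reports all three findings even though the literal text "PermitRootLogin no" appears in it twice.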
二. Key-pair authentication login

1. Enable public/private key authentication on the server

    PubkeyAuthentication yes            // remove the "#" to enable key authentication

    # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
    # but this is overridden so installations will only check .ssh/authorized_keys
    AuthorizedKeysFile      .ssh/authorized_keys   // the file, relative to each user's home directory, in which the server looks up that user's authorized public keys

2. Generate a key pair on the client (generated here as root, for use by the user chen)

    [root@client ~]# ls /home/
    chen
    [root@client ~]# ssh-keygen -t ecdsa
    Generating public/private ecdsa key pair.
    Enter file in which to save the key (/root/.ssh/id_ecdsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /root/.ssh/id_ecdsa.
    Your public key has been saved in /root/.ssh/id_ecdsa.pub.
    The key fingerprint is:
    SHA256:HqV9MQWYPqLHSodJciQEDpGhsbQheF3gVqXLMD6mhTo root@client
    The key's randomart image is:
    +---[ECDSA 256]---+
    |B*.+ooo.. o...   |
    |*=+.o... o .     |
    |oo. =o. .. o     |
    | +.+o..+o o      |
    | . =+o=S....     |
    | . + .=.+. .     |
    |E . . +.         |
    | . .             |
    |                 |
    +----[SHA256]-----+

3. Look at the key directory of the account that generated the key

    [root@client ~]# ls -a
    .                    .bash_logout    .dbus                 .mozilla     模板
    ..                   .bash_profile   .esd_auth             .ssh         视频
    .1234.txt.swp        .bashrc         .ICEauthority         .tcshrc      图片
    abc                  .cache          initial-setup-ks.cfg  test         文档
    abc.txt              chen            is                    this         下载
    anaconda-ks.cfg      chenchen        .lesshst              .viminfo     音乐
    .anacond-ks.cfg.swp  .config         .local                .Xauthority  桌面
    .bash_history        .cshrc          lshelp1.txt           公共
    [root@client ~]# cd .ssh/
    [root@client .ssh]# ls
    id_ecdsa  id_ecdsa.pub  known_hosts

4. Copy the public key into the authorized-keys file of chen's account on the server

    [root@client .ssh]# ssh-copy-id -i id_ecdsa.pub chen@192.168.17.128
    /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "id_ecdsa.pub"
    The authenticity of host '192.168.17.128 (192.168.17.128)' can't be established.
    ECDSA key fingerprint is SHA256:Rpsrtp0nMlVYADWOhRjM0UVz6wVl682cNuzxhF0Q7C8.
    ECDSA key fingerprint is MD5:fa:c3:d9:5c:96:87:ce:16:d8:63:b3:0c:7b:26:45:1f.
    Are you sure you want to continue connecting (yes/no)? yes
    /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
    /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
    chen@192.168.17.128's password:

    Number of key(s) added: 1

    Now try logging into the machine, with:   "ssh 'chen@192.168.17.128'"
    and check to make sure that only the key(s) you wanted were added.

5. Check on the server that chen's account now holds the public key

    [root@server chen]# cd .ssh/
    [root@server .ssh]# ls
    authorized_keys
    [root@server .ssh]# cat authorized_keys
    ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC3jJu7k3skpOWd5azNtHhohBCyQvcE5vMQblIICOn48GGL3h1tQ9d7m34liu7YdXcdY+oLyQvgl23xiP9Au8ug= root@client

6. Log in from the client with the key pair

    [root@client .ssh]# ssh chen@192.168.17.128
    Enter passphrase for key '/root/.ssh/id_ecdsa':
    Last login: Sat Aug 10 00:32:52 2019

7. Non-interactive login: cache the passphrase in ssh-agent so it is not asked for on every login

    [chen@server ~]$ exit
    登出
    Connection to 192.168.17.128 closed.
    [root@client .ssh]# ssh-agent bash           // start a shell with an agent attached
    [root@client .ssh]# ssh-add                  // load the private key, entering its passphrase once
    Enter passphrase for /root/.ssh/id_ecdsa:
    Identity added: /root/.ssh/id_ecdsa (/root/.ssh/id_ecdsa)
    [root@client .ssh]# ssh chen@192.168.17.128
    Last login: Mon Sep 16 13:09:06 2019 from 192.168.17.134
    [chen@server ~]$
三. TCP Wrappers access control

1. Configure access control on the server
    /etc/hosts.allow

    #
    # hosts.allow   This file contains access rules which are used to
    #               allow or deny connections to network services that
    #               either use the tcp_wrappers library or that have been
    #               started through a tcp_wrappers-enabled xinetd.
    #
    #               See 'man 5 hosts_options' and 'man 5 hosts_access'
    #               for information on rule syntax.
    #               See 'man tcpd' for information on tcp_wrappers
    #
    sshd:192.168.17.130        // the only address allowed to reach sshd

    /etc/hosts.deny

    #
    # hosts.deny    This file contains access rules which are used to
    #               deny connections to network services that either use
    #               the tcp_wrappers library or that have been
    #               started through a tcp_wrappers-enabled xinetd.
    #
    #               The rules in this file can also be set up in
    #               /etc/hosts.allow with a 'deny' option instead.
    #
    #               See 'man 5 hosts_options' and 'man 5 hosts_access'
    #               for information on rule syntax.
    #               See 'man tcpd' for information on tcp_wrappers
    #
    sshd:192.168.17.128

That is all for this chapter. (Editor: 李大同)
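What the two files above actually admit depends on the tcp_wrappers evaluation order: a matching rule in hosts.allow grants access, otherwise a matching rule in hosts.deny denies it, and a client matched by neither file is admitted. The following POSIX-shell simulator is an added example, not code from the original post; it applies that order to constructed copies of the two rules shown above and goes slightly beyond them by also handling the `ALL` wildcard and the trailing-dot network-prefix form from hosts_access(5). Option fields and `EXCEPT` lists are not modelled, and the function names are assumptions for the example. With only `sshd:192.168.17.128` in hosts.deny, an address in neither file, such as 192.168.17.134 (the client seen in the last-login message of section 2), is still let in; a `sshd:ALL` line in hosts.deny is what turns hosts.allow into a true allow-list. This mechanism applies on CentOS 7 because its sshd is built with libwrap; later distributions dropped tcp_wrappers, where only sshd's own AllowUsers/Match directives and firewall rules remain.

```shell
#!/bin/sh
# Added example (not part of the original post): simulate the tcp_wrappers
# decision for "daemon_list : client_list" rules.
#   1. a matching rule in hosts.allow -> access granted, stop
#   2. a matching rule in hosts.deny  -> access denied, stop
#   3. no rule matches at all         -> access GRANTED
# Client patterns supported: exact IPv4 address, a prefix ending in a dot such
# as "192.168.17." (network-prefix form), and ALL.

# pattern_matches PATTERN VALUE: 0 if VALUE matches PATTERN.
pattern_matches() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac; return 1 ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

# list_matches LIST VALUE: LIST is a comma- or space-separated pattern list.
list_matches() {
    for pat in $(printf '%s' "$1" | tr ',' ' '); do
        pattern_matches "$pat" "$2" && return 0
    done
    return 1
}

# file_matches FILE DAEMON CLIENT: 0 if some rule in FILE matches both.
file_matches() {
    [ -r "$1" ] || return 1
    while IFS= read -r line; do
        line=${line%%#*}                        # strip comments
        case "$line" in *:*) ;; *) continue ;; esac
        daemons=${line%%:*}
        rest=${line#*:}
        clients=${rest%%:*}                     # ignore an optional option field
        list_matches "$daemons" "$2" && list_matches "$clients" "$3" && return 0
    done < "$1"
    return 1
}

# tcpwrap_decision DAEMON CLIENT ALLOW_FILE DENY_FILE: prints ALLOW or DENY.
tcpwrap_decision() {
    if file_matches "$3" "$1" "$2"; then echo ALLOW
    elif file_matches "$4" "$1" "$2"; then echo DENY
    else echo ALLOW                             # no rule at all: tcp_wrappers admits the client
    fi
}

dir=$(mktemp -d)
printf 'sshd:192.168.17.130\n' > "$dir/hosts.allow"    # the two rules from the post
printf 'sshd:192.168.17.128\n' > "$dir/hosts.deny"
for ip in 192.168.17.130 192.168.17.128 192.168.17.134; do
    printf '%-15s -> %s\n' "$ip" "$(tcpwrap_decision sshd "$ip" "$dir/hosts.allow" "$dir/hosts.deny")"
done
# closing the gap: deny every client the allow file does not list
printf 'sshd:ALL\n' > "$dir/hosts.deny"
printf 'after sshd:ALL in hosts.deny, 192.168.17.134 -> %s\n' \
    "$(tcpwrap_decision sshd 192.168.17.134 "$dir/hosts.allow" "$dir/hosts.deny")"
rm -rf "$dir"
```

On the server itself, `tcpdmatch sshd 192.168.17.134` from the tcp_wrappers package evaluates the real /etc/hosts.allow and /etc/hosts.deny and prints the same kind of verdict.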