2023-03-24 Configuring and securing SSH

SSH is an encrypted protocol that provides security for network connections. On Linux systems, SSH can be used to connect to other servers or remote devices, run CLI commands on them, or transfer files through them.

Accessing a remote command line with SSH

  • Log in as the current user
    -- ssh remotehost
  • Log in as a specified user
    -- ssh username@remotehost
  • Run a command on the remote system as a specified user
    -- ssh username@remotehost command
# Log in as the current user
[root@myhost ~]# ssh 192.168.2.102
root@192.168.2.102's password:
Last login: Wed Apr 26 02:06:39 2023 from desktop-up0o41n.lan
[root@serverb ~]#

# Log in as a specified user
[root@myhost ~]# ssh user@192.168.2.102
user@192.168.2.102's password:
Last login: Wed Apr 26 01:21:48 2023
[user@serverb ~]$

# Run a command on the remote system as a specified user
[root@myhost ~]# ssh user@192.168.2.102 pwd
user@192.168.2.102's password:
/home/user
  • Identifying remote users
    -- The w command lists the users currently logged in to the machine
    -- grep sshd /var/log/secure shows the log entries for remote user logins
[user@serverb ~]$ w
 19:37:13 up 5 days, 18:55,  3 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    desktop-up0o41n. 二01   17:53   0.10s  0.10s -bash
root     pts/1    desktop-up0o41n. 02:06   59:21   0.10s  0.10s -bash
user     pts/2    gateway          19:29    1.00s  0.04s  0.01s w

[root@serverb ~]# tail -10 /var/log/secure
Apr 26 19:28:17 serverb sshd[14072]: Received disconnect from 192.168.2.100 port 35388:11: disconnected by user
Apr 26 19:28:17 serverb sshd[14072]: Disconnected from 192.168.2.100 port 35388
Apr 26 19:28:17 serverb sshd[14065]: pam_unix(sshd:session): session closed for user user
Apr 26 19:29:04 serverb sshd[14118]: Accepted password for user from 192.168.2.100 port 35390 ssh2
Apr 26 19:29:04 serverb sshd[14118]: pam_unix(sshd:session): session opened for user user by (uid=0)
Apr 26 19:30:38 serverb sudo:    user : TTY=pts/2 ; PWD=/home/user ; USER=root ; COMMAND=/bin/bash
Apr 26 19:30:38 serverb sudo: pam_unix(sudo-i:session): session opened for user root by user(uid=0)
Apr 26 19:36:50 serverb sudo: pam_unix(sudo-i:session): session closed for user root
Apr 26 19:37:48 serverb sudo:    user : TTY=pts/2 ; PWD=/home/user ; USER=root ; COMMAND=/bin/bash
Apr 26 19:37:48 serverb sudo: pam_unix(sudo-i:session): session opened for user root by user(uid=0)
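As an added example (not part of the original post), the following shell functions summarise sshd entries in the /var/log/secure format shown above, grouping accepted and failed logins by method, user and source and flagging sources with repeated failures. The log lines are constructed for illustration and are not from the page's own host.

```shell
#!/bin/sh
# Constructed sample in /var/log/secure format (not real data).
SAMPLE_SECURE_LOG='Apr 26 19:29:04 serverb sshd[14118]: Accepted password for user from 192.168.2.100 port 35390 ssh2
Apr 26 19:31:10 serverb sshd[14120]: Accepted publickey for user from 192.168.2.100 port 35392 ssh2: RSA SHA256:qAcSiJqUzrNzRG8ADVi5YuLRebADTPHa7WMFHCGDtwI
Apr 26 19:32:01 serverb sshd[14125]: Failed password for root from 203.0.113.9 port 41022 ssh2
Apr 26 19:32:03 serverb sshd[14125]: Failed password for root from 203.0.113.9 port 41022 ssh2
Apr 26 19:32:05 serverb sshd[14125]: Failed password for invalid user admin from 203.0.113.9 port 41030 ssh2
Apr 26 19:33:00 serverb sshd[14118]: pam_unix(sshd:session): session closed for user user'

# ssh_login_summary <logtext>
# Prints one line per (result, method, user, source) with a count, e.g.
#   Failed password root 203.0.113.9 2
ssh_login_summary() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: (Accepted|Failed) / {
            result = $6; method = $7
            # "... for invalid user NAME from ..." carries two extra words
            if ($9 == "invalid") { user = $11; src = $13 } else { user = $9; src = $11 }
            count[result " " method " " user " " src]++
        }
        END { for (k in count) print k, count[k] }' | sort
}

# ssh_failed_sources <logtext> <min_failures>
# Prints source addresses with at least <min_failures> failed logins.
ssh_failed_sources() {
    printf '%s\n' "$1" | awk -v min="$2" '
        /sshd\[[0-9]+\]: Failed / {
            src = ($9 == "invalid") ? $13 : $11
            fails[src]++
        }
        END { for (s in fails) if (fails[s] >= min) print s }' | sort
}

ssh_login_summary "$SAMPLE_SECURE_LOG"
echo "sources with 3+ failures:"
ssh_failed_sources "$SAMPLE_SECURE_LOG" 3
```

On a real host, feed it the file instead: ssh_login_summary "$(grep sshd /var/log/secure)".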
  • SSH host keys
    -- SSH keeps communication secure by means of public-key cryptography
    -- When a client connects to an SSH server, before the client logs in, the server sends it a copy of its public key; this is used to set up encryption of the communication channel and lets the client verify the server
    -- When a user connects to an ssh server with the ssh command, the command checks whether the local list of known hosts has a copy of that server's public key.
  • Prompt when no copy of the public key is present
[user@serverb ~]$ ssh user01@192.168.2.102
The authenticity of host '192.168.2.102 (192.168.2.102)' can't be established.
ECDSA key fingerprint is SHA256:d9/LkNVQitEnUA+bPVRxlTElFGBMfkZixM3Hi9min7A.
ECDSA key fingerprint is MD5:75:af:73:11:99:86:7e:51:75:f6:f6:f9:fc:d9:9c:95.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.2.102' (ECDSA) to the list of known hosts.
user01@192.168.2.102's password:
Last login: Tue Apr 25 22:10:04 2023
  • Prompt when a copy of the public key is present (just enter the password)
[user@serverb ~]$ ssh user01@192.168.2.102
user01@192.168.2.102's password:
Last login: Wed Apr 26 20:22:52 2023 from serverb
[user01@serverb ~]$
  • Where copies of the public keys are stored locally
    -- /etc/ssh/ssh_known_hosts
    -- ~/.ssh/known_hosts
  • Location of the public keys
    -- Server side: /etc/ssh/ssh_host_*key.pub
    -- On the client, ssh-keygen -R ip/hostname removes the stored copy of that SSH server's public key
[root@myhost ssh]# ssh root@192.168.2.102
root@192.168.2.102's password:
Last login: Wed Apr 26 21:35:17 2023 from gateway
[root@serverb ~]# 登出
Connection to 192.168.2.102 closed.
[root@myhost ssh]# cat ~/.ssh/known_hosts | grep 192.168.2.102
192.168.2.102 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLlyynAx1JDpiqXoxj5wkpALP885QtsBjDDpFtPM/vceefTxbbxEmtTqATPqGhUlBX/dg8/N97xZxvxLhRtFTPw=
[root@myhost ssh]# ssh-keygen -R 192.168.2.102
# Host 192.168.2.102 found: line 4
/root/.ssh/known_hosts updated.
Original contents retained as /root/.ssh/known_hosts.old
[root@myhost ssh]# cat ~/.ssh/known_hosts | grep 192.168.2.102
[root@myhost ssh]# ssh root@192.168.2.102
The authenticity of host '192.168.2.102 (192.168.2.102)' can't be established.
ECDSA key fingerprint is SHA256:d9/LkNVQitEnUA+bPVRxlTElFGBMfkZixM3Hi9min7A.
ECDSA key fingerprint is MD5:75:af:73:11:99:86:7e:51:75:f6:f6:f9:fc:d9:9c:95.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.2.102' (ECDSA) to the list of known hosts.
root@192.168.2.102's password:
Last login: Wed Apr 26 21:36:01 2023 from gateway
[root@serverb ~]#

配置基于SSH密鑰的身份驗證

  • 基于SSH的密鑰驗證
    -- 可以配置SSH服務器,以便能通過基于密鑰的身份驗證在不適用密碼的情況下進行身份驗證。這種身份驗證基于私鑰-公鑰方案
    -- 因此,要先生成一個密鑰對,私鑰用于身份驗證憑證,公鑰復制到期望連接的服務器
  • 生成SSH密鑰對
    -- ssh-keygen默認生成的密鑰對存放在/.ssh/id_rsa和/.ssh/id_rsa.pub中
    -- 自定義密鑰對ssh-keygen -t rsa -b 2048 -f -N "my_passwd" ~/.ssh/my_rsa_key(生成指定類型為rsa,長度為2048,文件名叫my_rsa_key,口令為my_passwd的密鑰)
  • 共享公鑰
    在使用基于密鑰身份驗證之前,需要將公鑰復制到目標系統(tǒng)用戶的家目錄中
    -- ssh-copy-id -i ~/.ssh/my_rsa_key.pub
    -- 共享過后,在目標系統(tǒng)的用戶的家目錄中authorized_keys文件中有一段內(nèi)容和my_rsa_key.pub中內(nèi)容一致,該文件就是公鑰
[user@myhost ~]$ ssh-keygen -t rsa -b 2048 -N "hello" -f ~/.ssh/test_rsa_key
Generating public/private rsa key pair.
Created directory '/home/user/.ssh'.
Your identification has been saved in /home/user/.ssh/test_rsa_key.
Your public key has been saved in /home/user/.ssh/test_rsa_key.pub.
The key fingerprint is:
SHA256:qAcSiJqUzrNzRG8ADVi5YuLRebADTPHa7WMFHCGDtwI user@myhost
The key's randomart image is:
+---[RSA 2048]----+
|+**+ o.          |
|E==++ .          |
|+o===o           |
|B==B+...         |
|**+o++..S        |
| .+.oo.          |
| o ..+.          |
|  o ...          |
|                 |
+----[SHA256]-----+
[user@myhost ~]$ ls ~/.ssh
test_rsa_key  test_rsa_key.pub
[user@myhost ~]$ ssh-copy-id -i ~/.ssh/test_rsa_key.pub user@192.168.2.102
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/user/.ssh/test_rsa_key.pub"
The authenticity of host '192.168.2.102 (192.168.2.102)' can't be established.
ECDSA key fingerprint is SHA256:d9/LkNVQitEnUA+bPVRxlTElFGBMfkZixM3Hi9min7A.
ECDSA key fingerprint is MD5:75:af:73:11:99:86:7e:51:75:f6:f6:f9:fc:d9:9c:95.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
user@192.168.2.102's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'user@192.168.2.102'"
and check to make sure that only the key(s) you wanted were added.
[user@serverb ~]$ ls ~/.ssh
authorized_keys
  • Non-interactive authentication with ssh-agent
[user@myhost ~]$ eval $(ssh-agent)
Agent pid 2335
[user@myhost ~]$ ssh-add ~/.ssh/test_rsa_key
Enter passphrase for /home/user/.ssh/test_rsa_key:hello  # the passphrase given when the key was created
Identity added: /home/user/.ssh/test_rsa_key (/home/user/.ssh/test_rsa_key)
# Use a specified private key file
[user@myhost ~]$ ssh -i ~/.ssh/test_rsa_key user@192.168.2.102
Last login: Thu Apr 27 01:26:23 2023 from gateway
[user@serverb ~]$

Customizing the OpenSSH service configuration

  • Configuring the openssh service
    The openssh service is provided by a daemon named sshd. Its main configuration file is /etc/ssh/sshd_config
  • Prohibiting the superuser from logging in over ssh
    It is best to prohibit direct logins to the root user account from remote systems. Some of the risks of allowing direct login as root:
    -- Every Linux system has a root user by default, so a potential attacker only needs to guess its password, without having to guess a username as well
    -- An unrestricted root user is a risk
]# vim /etc/ssh/sshd_config
... ...
PermitRootLogin no  # change to no
... ...
]# systemctl reload sshd
# The client can no longer ssh in as root
[root@myhost ~]# ssh root@192.168.2.102
root@192.168.2.102's password:
Permission denied, please try again.
  • Prohibiting password-based authentication for SSH
]# vim /etc/ssh/sshd_config
... ...
PasswordAuthentication no  # disable password authentication for ssh connections and allow only public-key authentication, which reduces the risk of passwords travelling over the network
PubkeyAuthentication yes  # specifies whether public-key authentication is enabled. When set to yes, clients authenticate by having their public key placed in the server's authorized_keys file, rather than with a traditional username and password. This greatly improves security.
... ...
]# systemctl reload sshd
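An added example, not from the original post: a shell check of the three sshd_config settings covered above. It reads the value sshd would actually use (sshd takes the first value given for a keyword and ignores later ones, and Match blocks apply only to matching sessions, so they are skipped), so it catches a hardened line that is silently overridden by an earlier one. The configuration text is a constructed sample, not a real host's file.

```shell
#!/bin/sh
# Constructed sample sshd_config (not from a real host). The second
# PasswordAuthentication line is the one an admin added; sshd ignores it.
SAMPLE_SSHD_CONFIG='Port 22
#PermitRootLogin yes
permitrootlogin no
PasswordAuthentication yes
PasswordAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes'

# sshd_setting <configtext> <keyword>
# Prints the effective global value of <keyword>, or nothing if unset.
# Keywords are case-insensitive; the "Keyword=value" spelling is not handled.
sshd_setting() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/ { next }                # blank and comment lines
        tolower($1) == "match" { inmatch = 1; next } # conditional section starts
        inmatch { next }                             # rest of file is conditional
        tolower($1) == key { print $2; exit }        # first value wins
    '
}

# sshd_audit <configtext>
# Compares the settings hardened above with their expected values.
# Returns 0 only if all three match.
sshd_audit() {
    rc=0
    for pair in PermitRootLogin:no PasswordAuthentication:no PubkeyAuthentication:yes; do
        key=${pair%%:*}; want=${pair##*:}
        got=$(sshd_setting "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "ok   $key $got"
        else
            echo "FAIL $key ${got:-unset} (want $want)"; rc=1
        fi
    done
    return $rc
}

sshd_audit "$SAMPLE_SSHD_CONFIG" || echo "audit found weak settings"
```

On a real host run sshd_audit "$(cat /etc/ssh/sshd_config)"; sshd -T prints the fully resolved configuration if you want to cross-check.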