


SSH - Secure Shell 安全外壳协议:SSH 为建立在应用层基础上的安全协议。SSH 是较可靠,专为远程登录会话和其他网络服务提供安全性的协议。利用 SSH 协议可以有效防止远程管理过程中的信息泄露问题;
服务端口:TCP 22; 此服务默认安装并开启,此处我们只研究其使用方法!

1、配置文件内容详解


SSH服务配置路径:/etc/ssh/sshd_config

[root@redhat8 ~]# cat /etc/ssh/sshd_config
#Port 22 /监听端口;
#AddressFamily any /兼用IPv4和IPv6;
#ListenAddress 0.0.0.0 /监听地址,0.0.0.0表示所有IPv4地址;
#ListenAddress :: /监听地址,::表示所有IPv6地址;
HostKey /etc/ssh/ssh_host_rsa_key /rsa私钥认证;
HostKey /etc/ssh/ssh_host_ecdsa_key /ecdsa私钥认证;
HostKey /etc/ssh/ssh_host_ed25519_key /ed25519私钥认证;
#SyslogFacility AUTH
SyslogFacility AUTHPRIV /当被登录时会记录登录信息;
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin yes /允许root用户直接登录;
#StrictModes yes /允许sshd检查用户主目录或相关文件的权限数据;
#MaxAuthTries 6 /最大登录尝试次数,全部失败需要等待;
#MaxSessions 10 /最大会话数;
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys /存放允许登录的客户端公钥:由客户端生成一对公私钥,把公钥追加到服务器上该用户的.ssh/authorized_keys中,私钥只保留在客户端;
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
# as it is more configurable and versatile than the built-in version.
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no /是否反解DNS;
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server /支持sftp连接;
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server

2、服务配置


(1)修改登录端口号

[root@redhat8 ~]# cat /etc/ssh/sshd_config | grep Port
Port 2222
[root@redhat8 ~]# systemctl restart sshd
[root@redhat8 ~]# systemctl stop firewalld
#此处为教学演示直接关闭防火墙;实际环境应保留防火墙,改用 firewall-cmd --permanent --add-port=2222/tcp 放行新端口,并用 semanage port -a -t ssh_port_t -p tcp 2222 更新 SELinux 端口标签,否则 sshd 可能无法绑定 2222

验证结果:

[D:\~]$ ssh root@192.168.58.134:2222

(2)限制root账户直接登录

[root@redhat8 ~]# useradd redhat
useradd: user 'redhat' already exists
[root@redhat8 ~]# id redhat
uid=1000(redhat) gid=1000(redhat) groups=1000(redhat)
[root@redhat8 ~]# cat /etc/ssh/sshd_config | grep PermitRootLogin
PermitRootLogin no
[root@redhat8 ~]# systemctl restart sshd

验证结果:root不能主动登录,redhat可以主动登录

[D:\~]$ ssh redhat@192.168.58.134:2222
[redhat@redhat8 ~]$ pwd
/home/redhat
[redhat@redhat8 ~]$ pwd
/home/redhat
[redhat@redhat8 ~]$ su - root
Password: redhat
[root@redhat8 ~]# pwd
/root

(3)限制登录账户信息

[root@redhat8 ~]# cat /etc/ssh/sshd_config | grep AllowUsers
AllowUsers root
#本配置sshd主配置文件没有相关语句,需要在后面自行添加,若多个账户需要被允许登录用空格隔开;注意 AllowUsers 与 PermitRootLogin 同时生效,若上一步仍为 PermitRootLogin no,root 依旧无法登录
[root@redhat8 ~]# systemctl restart sshd

验证结果:redhat不能主动登录,root可以主动登录

[root@redhat8 ~]# pwd
/root

(4)虚拟机之间免密登录ssh

[root@redhat8 ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): (回车)
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): redhat
Enter same passphrase again: redhat
#默认的证书目录:/root/.ssh
#默认创建的公钥文件:/root/.ssh/id_rsa.pub;下面用 scp 直接覆盖远端的 authorized_keys 会丢掉该文件中已有的公钥,如需追加可改用 ssh-copy-id
[root@redhat8 ~]# scp /root/.ssh/id_rsa.pub root@192.168.58.134:/root/.ssh/authorized_keys

结果验证:

[root@redhat8 ~]# ssh 192.168.58.134

(5)使用秘钥文件登录ssh

打开Xshell,【工具】-【新建用户秘钥生成向导】-【秘钥类型】-【秘钥长度】-【下一步】-【等待秘钥生成结束,下一步】-【秘钥名称】-【密码】-【确认密码】-【下一步】-【公钥格式】-【保存为文件】-【完成】

将生成的文件【id_rsa_2048】上传到linux服务器上

[root@localhost ~]# cd /root/.ssh/
[root@localhost .ssh]# rz
#选择文件后上传
[root@localhost .ssh]# mv id_rsa_2048 authorized_keys
[root@localhost .ssh]# ll
total 8
-rw-r--r--. 1 root root 380 Aug 28 11:27 authorized_keys
-rw-r--r--. 1 root root 176 Aug 28 13:46 known_hosts

结果验证:

[D:\~]$ ssh root@192.168.14.131 22
