
9. Configuring and Securing the OpenSSH Service

1. Red Hat Enterprise Linux 7

1.1. What is OpenSSH?

OpenSSH is a free, open-source implementation of the SSH (Secure SHell) protocol; it is the software that provides controlled remote access to a host.

1.2. How do you access a remote host?

ssh <remote user>@<remote host IP address>

[root@foundation ~]# ssh root@172.25.254.215
The authenticity of host '172.25.254.215 (172.25.254.215)' can't be established.
ECDSA key fingerprint is 92:eb:ee:74:e9:5a:9d:68:90:25:bd:1f:aa:bb:b1:e0.
Are you sure you want to continue connecting (yes/no)? yes ## accept the host key to establish the secure transport
Warning: Permanently added '172.25.254.215' (ECDSA) to the list of known hosts.
root@172.25.254.215's password: ## the password is not echoed while typing
Last login: Tue Feb 9 16:43:03 2016 from foundation.ilt.example.com
[root@localhost ~]# vim /etc/motd ## set the text displayed at login
wellcome to login !
[root@localhost ~]# logout
Connection to 172.25.254.215 closed.
[root@foundation ~]# ssh root@172.25.254.215
root@172.25.254.215's password:
Last login: Tue Feb 9 16:59:38 2016 from foundation.ilt.example.com
wellcome to login !
[root@localhost ~]# ## login succeeded
ctrl +d | logout ## log out

1.3. SSH key authentication

[root@foundation ~]# ssh-keygen     ## tool that generates the public/private key pair
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 『enter』 ## file in which to save the key; press Enter to accept the default
Enter passphrase (empty for no passphrase): ## passphrase; must be longer than 4 characters, may be left empty
Enter same passphrase again: ## confirm the passphrase
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
25:04:85:e5:cd:dd:cf:ac:e4:70:ec:3f:5e:4e:59:7d root@foundation.ilt.example.com
The key's randomart image is:
+--[ RSA 2048]----+
| .=+ |
| .o o . . |
| o + . . |
| o . +.|
| S . + E|
| * .+|
| +.o|
| =.|
| ..+|
+-----------------+
[root@foundation ~]# cd ~/.ssh/
[root@foundation .ssh]# ll
total 12
-rw------- 1 root root 1679 Feb 9 17:23 id_rsa ## private key
-rw-r--r-- 1 root root 413 Feb 9 17:23 id_rsa.pub ## public key
-rw-r--r-- 1 root root 757 Feb 9 16:59 known_hosts ## records the hosts that ssh has connected to
[root@foundation .ssh]# pwd ## location where the generated keys are stored
/root/.ssh

1.4. Using the key to secure the target user on the target host

ssh-copy-id             ## tool that uploads the public key to the target host
-i ## specify the public key to use
/root/.ssh/id_rsa.pub ## name of the public key; must be given as an absolute path
root ## target user to be managed
172.25.254.215 ## IP address of the host where the managed user lives
[root@foundation ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.25.254.215
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@172.25.254.215's password:

Number of key(s) added: 1

Now try logging into the machine, with: "ssh 'root@172.25.254.215'"
and check to make sure that only the key(s) you wanted were added.

[root@foundation ~]# ssh root@172.25.254.215
Last login: Tue Feb 9 18:08:24 2016 from foundation.ilt.example.com
wellcome to login !
[root@localhost ~]# ll .ssh/
total 4
-rw-------. 1 root root 413 Feb 9 18:11 authorized_keys ## lives in .ssh under the target user's home directory; it marks the target user as key-protected, and its content is the public key
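The check an administrator wants after running ssh-copy-id is that the public key really landed in the target user's authorized_keys and that the file permissions sshd's StrictModes (on by default) insists on are in place. The script below is an added example, not code from the original post: it builds a stand-in for the target user's home directory with constructed (not real) key material so it runs offline, then verifies both conditions with POSIX sh, awk and find only.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a public key was
# installed for the target user the way ssh-copy-id does it, and that the
# permissions sshd's StrictModes (default: yes) requires are in place.

# Is the key in $1 (an id_rsa.pub-style file) present in authorized_keys $2?
# Only "<type> <base64 blob>" is compared: the trailing comment (user@host)
# is free text, and an authorized_keys line may carry options in front.
key_installed() {
    want=$(awk '{ print $1, $2 }' "$1")
    awk -v want="$want" '
        $1 ~ /^#/ || NF < 2   { next }          # skip comments / short lines
        index($0, want) > 0   { found = 1; exit }
        END { exit !found }
    ' "$2"
}

# sshd (StrictModes yes) ignores authorized_keys if ~/.ssh or the file
# itself is writable by group or others. Return 0 when both are acceptable.
ssh_perms_ok() {
    dir="$1"
    # -perm -020 = group-write bit set, -perm -002 = other-write bit set
    [ -n "$(find "$dir" -prune -type d ! -perm -020 ! -perm -002)" ] || return 1
    [ -n "$(find "$dir/authorized_keys" -prune -type f ! -perm -020 ! -perm -002)" ] || return 1
    return 0
}

# Constructed target-user home directory; ssh-keygen is NOT called here, the
# key blob below is a placeholder, not real key material.
TARGET=$(mktemp -d)
mkdir -m 700 "$TARGET/.ssh"
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexampleblob== root@foundation.ilt.example.com\n' \
    > "$TARGET/id_rsa.pub"
# What ssh-copy-id appends on the target: same type and blob, comment kept.
cat "$TARGET/id_rsa.pub" >> "$TARGET/.ssh/authorized_keys"
chmod 600 "$TARGET/.ssh/authorized_keys"

if key_installed "$TARGET/id_rsa.pub" "$TARGET/.ssh/authorized_keys" \
   && ssh_perms_ok "$TARGET/.ssh"; then
    echo "key installed and permissions acceptable"
else
    echo "key missing or permissions too open"
fi
```

On a real host, point `key_installed` at the client's ~/.ssh/id_rsa.pub and the target user's ~/.ssh/authorized_keys; a 0 exit status from both functions corresponds to the "Number of key(s) added: 1" result shown above. A group-writable authorized_keys is the classic reason a freshly copied key still falls back to the password prompt.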

1.5. Basic sshd configuration

vim /etc/ssh/sshd_config	  ## configuration file of the sshd service
PermitRootLogin yes|no ## whether root may authenticate through sshd; the default is yes
PasswordAuthentication yes|no ## enable or disable password authentication
AllowUsers student westos ## user whitelist: only listed users may use sshd (separate multiple usernames with spaces)

systemctl restart sshd ## restart the service to reload the configuration
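Two details of sshd_config matter when auditing the three directives above: commented-out lines (the RHEL 7 default file ships `#PermitRootLogin yes`) are not settings, only the built-in default applies, and when a directive appears more than once sshd uses the first uncommented occurrence. The script below is an added example, not code from the original post: it reads the effective value of each directive with those rules, counts the weak settings, and runs against two constructed sample configurations (a "defaults left in place" one and one hardened as described above) so it can be tried offline with POSIX sh and awk only.

```shell
#!/bin/sh
# Added example (not from the original post): audit the sshd_config directives
# PermitRootLogin, PasswordAuthentication and AllowUsers.

# Effective value of a directive in $1: sshd keeps the FIRST uncommented
# occurrence (keyword matching is case-insensitive). Prints default $3 if
# the directive is not set at all.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" -v def="$3" '
        $1 ~ /^#/ || NF == 0 { next }            # comments and blank lines
        tolower($1) == key {
            v = $2                                # rebuild multi-word values
            for (i = 3; i <= NF; i++) v = v " " $i # (AllowUsers a b c)
            print v; found = 1; exit
        }
        END { if (!found) print def }
    ' "$1"
}

# Prints one "WEAK: ..." line per finding on stderr and the number of
# findings on stdout (0 = all three directives set as recommended above).
weak_settings() {
    cfg="$1"; weak=0
    if [ "$(sshd_effective "$cfg" PermitRootLogin yes)" != "no" ]; then
        echo "WEAK: PermitRootLogin is not 'no' (root can log in directly)" >&2
        weak=$((weak + 1))
    fi
    if [ "$(sshd_effective "$cfg" PasswordAuthentication yes)" != "no" ]; then
        echo "WEAK: PasswordAuthentication is not 'no' (password guessing possible)" >&2
        weak=$((weak + 1))
    fi
    if [ -z "$(sshd_effective "$cfg" AllowUsers "")" ]; then
        echo "WEAK: no AllowUsers whitelist" >&2
        weak=$((weak + 1))
    fi
    echo "$weak"
}

# Constructed sample configurations (not copied from any real host).
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
# constructed sample: RHEL 7 defaults left in place
#PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
EOF
cat > "$HARD_CFG" <<'EOF'
# constructed sample: hardened as in the section above
PermitRootLogin no
PasswordAuthentication no
AllowUsers student westos
EOF

echo "weak settings in default-style config: $(weak_settings "$WEAK_CFG")"
echo "weak settings in hardened config:      $(weak_settings "$HARD_CFG")"
```

Run it against the real file with `weak_settings /etc/ssh/sshd_config` before the `systemctl restart sshd` step. Note that the second `PasswordAuthentication no` line in the sample is deliberately ineffective: it sits after an earlier `yes`, which is exactly the kind of edit that looks hardened in the editor but changes nothing for sshd.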