CentOS7下SSH服务学习笔记

测试环境：

[root@nmserver-7 ~]# uname -a
Linux nmserver-7.test.com 3.10.0-514.el7.centos.plus.i686 #1 SMP Wed Jan 25 12:55:04 UTC 2017 i686 i686 i386 GNU/Linux
[root@nmserver-7 ~]# cat /etc/redhat-release
CentOS release 7.3.1611 (AltArch)
[root@nmserver-7 ~]#

1、SSH服务安装

linux系统安装后默认已经开启ssh服务，并且包含ssh所有需要的软件了，但是还是有必要了解下已经安装的ssh是那个包提供的，

[root@nmserver-7 ~]# whereis sshd
sshd: /usr/sbin/sshd /usr/share/man/man8/sshd.8.gz
[root@nmserver-7 ~]# rpm -qf /usr/sbin/sshd
openssh-server-6.6.1p1-31.el7.i686
[root@nmserver-7 ~]#

也就是说假如没有ssh服务的话我们可以通过yum安装openssh-server来重新启动ssh服务
那么openssh-server都在系统中安装了什么文件？
[root@nmserver-7 ~]# rpm -ql  openssh-server
/etc/pam.d/sshd                                                        
/etc/ssh/sshd_config                     #配置文件位置
/etc/sysconfig/sshd
/usr/lib/fipscheck/sshd.hmac
/usr/lib/systemd/system/sshd-keygen.service
/usr/lib/systemd/system/sshd.service
/usr/lib/systemd/system/sshd.socket
/usr/lib/systemd/system/sshd@.service
/usr/libexec/openssh/sftp-server
/usr/sbin/sshd
/usr/sbin/sshd-keygen
/usr/share/man/man5/moduli.5.gz
/usr/share/man/man5/sshd_config.5.gz
/usr/share/man/man8/sftp-server.8.gz
/usr/share/man/man8/sshd.8.gz
/var/empty/sshd

2、SSH服务启动

CentOS7.3下SSH服务的启动
[root@nmserver-7 ~]# systemctl stop    sshd  #停止
[root@nmserver-7 ~]# systemctl start   sshd  #开始
[root@nmserver-7 ~]# systemctl restart  sshd  #重启
[root@nmserver-7 ~]# systemctl status sshd
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: active (running) since 四 2017-08-24 16:32:52 CST; 1s ago
     Docs: man:sshd(8)
           man:sshd_config(5)
  Process: 2863 ExecStart=/usr/sbin/sshd $OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 2864 (sshd)
   CGroup: /system.slice/sshd.service
           └─2864 /usr/sbin/sshd

8月 24 16:32:51 nmserver-7.test.com systemd[1]: Starting OpenSSH server d...
8月 24 16:32:52 nmserver-7.test.com systemd[1]: PID file /var/run/sshd.pi...
8月 24 16:32:52 nmserver-7.test.com sshd[2864]: Server listening on 0.0.0...
8月 24 16:32:52 nmserver-7.test.com sshd[2864]: Server listening on :: po...
8月 24 16:32:52 nmserver-7.test.com systemd[1]: Started OpenSSH server da...
Hint: Some lines were ellipsized, use -l to show in full.

查看ssd服务端口是否正常，
[root@nms ~]# netstat -tlnp |grep ssh
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1207/sshd           
tcp        0      0 :::22                       :::*                        LISTEN      1207/sshd

3、SSH原理（SSH服务器端与客户端的连接步骤）

step1:服务器建立公钥文件
      每一次启动sshd服务时，该服务会主动去找/etc/ssh/ssh_host*文件，若系统刚安装完成，会没有公钥文件，
      sshd会主动计算出这些需要的公钥文件，同时也会计算出服务器自己需要的私钥文件。
step2:客户端主动连接要求
    若客户端想要连接到ssh服务器，则需要使用适当的客户端程序来连接，linux系统默认已经安装openssh-clients，包含SSH客户端；
    windows下常用的客户端连接工具有xShell、SecureCart、Putty等
step3:服务器传送公钥文件给客户端
    接收到客户端的要求后，服务器便将第一个步骤取的公钥文件以明码的形式传送给客户端；
step4:客户端记录/比对服务器的公钥数据及随机计算自己的公私钥；
    客户端将接收到的公钥数据记录到客户端的用户主目录内的 ~/.ssh/known_hosts文件里，之后则开始计算客户端自己的公私钥数据；
step5:返回客户端的公私钥数据到服务器端
    用户将自己的公钥传送给服务器，此时服务器具有服务器的私钥和客户端的公钥，而客户端具有服务器的公钥及客户端自己的私钥，你会看到，
    在此次连接的服务器与客户端的密钥系统（公钥+私钥）并不一样，因此，才称为非对称密钥系统；
step6：服务器接收客户端的公钥开始双向加解密
    （1）服务器到客户端：服务器传送数据时，使用客户端的公钥加密后进行发送，客户端接收后，用自己的私钥解密；
    （2）客户端到服务器：客户端传送数据时，使用服务器的公钥进行加密数据然后发送给服务器，服务器接收后用服务器的私钥解密数据；

4、SSHD服务器配置

SSHD服务器的详细设置都放在/etc/ssh/sshd_config配置文件中，在配置文件中，只要是未被注释的设置值即为“默认值”

[root@nmserver-7 ssh]# cat /etc/ssh/sshd_config
#    $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#ssh默认使用22端口，也可以使用多个Port,例如想要开放sshd在22和2200，则多加一行内容为：Port 2200 然后重启SSHD服务即可；

#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#监听的主机网卡，默认值是监听所有接口的SSH要求
# The default requires explicit activation of protocol 1
#Protocol 2
#选择SSH协议版本，默认支持V2  如要支持旧版本V1，则改为“Protocol 2，1”
# HostKey for protocol version 1       
#HostKey /etc/ssh/ssh_host_key             #ssh 版本使用的私钥
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key          #ssh 版本2使用的RSA私钥
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key         #ssh 版本2使用的ECDSA私钥
HostKey /etc/ssh/ssh_host_ed25519_key
#说明主机Private Key 放置的位置，默认使用上面文件
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024          #设置生产密钥的位数

# Ciphers and keying
#RekeyLimit default none

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH           #当有人使用SSH登录系统的时候，SSH会记录信息；
SyslogFacility AUTHPRIV
#LogLevel INFO                  #设置日志等级

# Authentication: # 以下是安全设置项目

#LoginGraceTime 2m
#PermitRootLogin yes      #是否允许root登录。默认是允许的，建议设置成no
#StrictModes yes          #是否让SSDH去检查用户主目录或相关文件的权限数据；
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes   #是否允许用户自行使用成对的密钥系统进行登录；

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile    .ssh/authorized_keys    #自定义的公钥数据放置于用户主目录下 .ssh/authorized_keys内

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox        # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
Subsystem    sftp    /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#    X11Forwarding no
#    AllowTcpForwarding no
#    PermitTTY no
#    ForceCommand cvs server

4、SSH简易安全设置

4.1 服务器软件本身的设置强化
    SSHD服务器配置文件/etc/ssh/sshd_config默认项目已经很完备了，出于安全考虑需要设置：禁止root这个账号使用sshd服务；
    [root@db2017 ~]# vi /etc/ssh/sshd_config

# Authentication:

#LoginGraceTime 2m
    #PermitRootLogin yes  #去掉注释且修改成PermitRootLogin no
     PermitRootLogin no
    #StrictModes yes
    #MaxAuthTries 6
    #MaxSessions 10
    4.2、TCP Wrapper使用：/etc/hosts.allow  /etc/hosts.deny
    假如只想让本机以及局域网192.168.1.0/24、192.168.0.0/24及192.168.100.0/24网段内的主机能够登录的话，可以这样设置：
    [root@db2017 ~]# vi /etc/hosts.allow
#
# hosts.allow   This file contains access rules which are used to
#               allow or deny connections to network services that
#               either use the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
sshd:127.0.0.1  192.168.0.0/255.255.255.0   192.168.1.0/255.255.255.0   192.168.100.0/255.255.255.0       #新添加的SSHD规则！

[root@db2017 ~]# vi /etc/hosts.deny

#               the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               The rules in this file can also be set up in
#               /etc/hosts.allow with a 'deny' option instead.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers

sshd:ALL
    4.3、iptables数据包过滤防火墙
    [root@db2017 sysconfig]# vi /etc/sysconfig/iptables
    增加规则：
    iptables -A INPUT -i EXTIF -s 192.168.0.0/24  -p tcp --dport 22  -j ACCEPT
    iptables -A INPUT -i EXTIF -s 192.168.1.0/24  -p tcp --dport 22  -j ACCEPT