Linux SSH Service

This post collects practical notes on the SSH service in a Linux network: disabling root login, limiting authentication attempts, user allow lists, key-based login, changing the listening port, and the scp and sftp tools.
Test environment
| Name | IP address |
|---|---|
| host01 | 192.168.28.128 |
| host02 | 192.168.28.129 |
| host03 | 192.168.28.130 |
Disabling root login
- Check that sshd is listening on its port
[root@host01 ~]# netstat -ntuap | grep sshd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 998/sshd
tcp6 0 0 :::22 :::* LISTEN 998/sshd
- By default root can log in over SSH
[root@host02 ~]# ssh root@192.168.28.128
The authenticity of host '192.168.28.128 (192.168.28.128)' can't be established.
ECDSA key fingerprint is SHA256:5GGc1rmzWwjF+ozz/PPTyLO2s6NmFHSxbzCNsLazXhY.
ECDSA key fingerprint is MD5:0b:f5:62:d7:a4:1f:05:64:0b:7f:22:62:11:64:07:61.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.28.128' (ECDSA) to the list of known hosts.
root@192.168.28.128's password:
Last login: Thu Sep 12 13:54:03 2019
[root@host01 ~]# logout
Connection to 192.168.28.128 closed.
- Edit the configuration file and disable root login
[root@host01 ~]# vim /etc/ssh/sshd_config
PermitRootLogin no
- Reload the configuration to make it take effect
[root@host01 ~]# systemctl reload sshd
- root can no longer log in (the password prompt still appears; sshd does not reveal why the login is refused)
[root@host02 ~]# ssh root@192.168.28.128
root@192.168.28.128's password:
Permission denied, please try again.
root@192.168.28.128's password:
- Add an ordinary user, zhangsan.
[root@host01 ~]# useradd zhangsan && echo "000000" | passwd --stdin zhangsan
Changing password for user zhangsan.
passwd: all authentication tokens updated successfully.
[root@host01 ~]# id zhangsan
uid=1001(zhangsan) gid=1001(zhangsan) groups=1001(zhangsan)
- Log in as zhangsan now: the account can still switch to root with su, so PermitRootLogin no only removes the direct path
[root@host02 ~]# ssh zhangsan@192.168.28.128
zhangsan@192.168.28.128's password:
[zhangsan@host01 ~]$ su - root
Password:
Last login: Thu Sep 12 14:43:14 CST 2019 from 192.168.28.129 on pts/2
Last failed login: Thu Sep 12 14:46:39 CST 2019 from 192.168.28.129 on ssh:notty
There was 1 failed login attempt since the last successful login.
[root@host01 ~]# logout
[zhangsan@host01 ~]$ logout
Connection to 192.168.28.128 closed.
- su can be restricted through PAM: enable pam_wheel in /etc/pam.d/su (on CentOS the line is already present but commented out; uncomment it). Without a group= argument pam_wheel uses the wheel group, and use_uid makes it check the groups of the calling user's real uid
[root@host01 ~]# vim /etc/pam.d/su
auth required pam_wheel.so use_uid
- zhangsan can no longer be used as a stepping stone to root
[root@host02 ~]# ssh zhangsan@192.168.28.128
zhangsan@192.168.28.128's password:
Last login: Thu Sep 12 14:56:01 2019 from 192.168.28.129
[zhangsan@host01 ~]$ su - root
Password:
su: Permission denied
[zhangsan@host01 ~]$ logout
Connection to 192.168.28.128 closed.
- Add zhangsan to the wheel group
[root@host01 ~]# gpasswd -a zhangsan wheel
Adding user zhangsan to group wheel
[root@host01 ~]# id zhangsan
uid=1001(zhangsan) gid=1001(zhangsan) groups=1001(zhangsan),10(wheel)
- Only users in the wheel group may now use su. This restricts su alone: sudo is governed by /etc/sudoers, and a wheel member still has to know root's password
[root@host02 ~]# ssh zhangsan@192.168.28.128
zhangsan@192.168.28.128's password:
Last login: Thu Sep 12 14:59:14 2019 from 192.168.28.129
[zhangsan@host01 ~]$ su - root
Password:
Last login: Thu Sep 12 14:56:13 CST 2019 on pts/2
Last failed login: Thu Sep 12 14:59:25 CST 2019 on pts/2
There was 1 failed login attempt since the last successful login.
[root@host01 ~]# logout
[zhangsan@host01 ~]$ logout
Connection to 192.168.28.128 closed.
Limiting login attempts
- The server default (MaxAuthTries in sshd_config) is 6, yet the client gives up after three attempts, because the ssh client's own NumberOfPasswordPrompts option defaults to 3
[root@host02 ~]# ssh zhangsan@192.168.28.128
zhangsan@192.168.28.128's password:
Permission denied, please try again.
zhangsan@192.168.28.128's password:
Permission denied, please try again.
zhangsan@192.168.28.128's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
- Set the server-side maximum to 5
[root@host01 ~]# vim /etc/ssh/sshd_config
MaxAuthTries 5
- Reload the configuration to make it take effect
[root@host01 ~]# systemctl reload sshd
- To see the server-side limit in action, raise the client's prompt count with -o NumberOfPasswordPrompts=8: the client would offer 8 attempts, but sshd drops the connection after the 5th failure. Note that MaxAuthTries counts every authentication attempt, including each public key the client offers before it falls back to passwords, so a client with many keys loaded in its agent can be disconnected before it ever reaches the password prompt.
[root@host02 ~]# ssh -o NumberOfPasswordPrompts=8 zhangsan@192.168.28.128
zhangsan@192.168.28.128's password:
Permission denied, please try again.
zhangsan@192.168.28.128's password:
Permission denied, please try again.
zhangsan@192.168.28.128's password:
Permission denied, please try again.
zhangsan@192.168.28.128's password:
Permission denied, please try again.
zhangsan@192.168.28.128's password:
Received disconnect from 192.168.28.128 port 22:2: Too many authentication failures
Authentication failed.
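On the server these failures appear in /var/log/secure (CentOS 7) as "Failed password for ... from <ip>" lines, and when MaxAuthTries is exceeded sshd logs the disconnect as well. The script below is an added example, not code from the original article: it counts failed password attempts per source address over such lines and flags any source above a threshold, which is the basic check behind tools like fail2ban. The log lines, host names and addresses are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original article): per-source failed-login
# counting over sshd log lines. SAMPLE_LOG is constructed, not captured.

SAMPLE_LOG='Sep 12 16:40:01 host01 sshd[41210]: Failed password for zhangsan from 192.168.28.129 port 50122 ssh2
Sep 12 16:40:03 host01 sshd[41210]: Failed password for zhangsan from 192.168.28.129 port 50122 ssh2
Sep 12 16:40:05 host01 sshd[41210]: Failed password for zhangsan from 192.168.28.129 port 50122 ssh2
Sep 12 16:40:06 host01 sshd[41210]: Accepted password for zhangsan from 192.168.28.129 port 50122 ssh2
Sep 12 16:41:10 host01 sshd[41230]: Failed password for invalid user admin from 192.168.28.130 port 40010 ssh2
Sep 12 16:41:12 host01 sshd[41230]: Failed password for invalid user admin from 192.168.28.130 port 40010 ssh2
Sep 12 16:41:14 host01 sshd[41230]: Failed password for invalid user admin from 192.168.28.130 port 40010 ssh2
Sep 12 16:41:15 host01 sshd[41230]: Failed password for invalid user admin from 192.168.28.130 port 40010 ssh2
Sep 12 16:41:17 host01 sshd[41230]: Failed password for invalid user admin from 192.168.28.130 port 40010 ssh2
Sep 12 16:41:18 host01 sshd[41230]: Disconnecting: Too many authentication failures [preauth]
Sep 12 16:42:00 host01 sshd[41250]: Failed password for root from 192.168.28.130 port 40020 ssh2'

# failed_by_source LOGTEXT -> "<failures> <ip>" per source address, most failures first.
# Only "Failed password" lines count; "Accepted" and "Disconnecting" lines are ignored.
failed_by_source() {
    printf '%s\n' "$1" \
    | awk '/sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the field right after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
          }
          END { for (ip in n) print n[ip], ip }' \
    | sort -rn
}

# flag_sources LOGTEXT THRESHOLD -> addresses with at least THRESHOLD failures
flag_sources() {
    failed_by_source "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Usage: list per-source counts, then flag sources with 5 or more failures
failed_by_source "$SAMPLE_LOG"
flag_sources "$SAMPLE_LOG" 5
```

In the sample, 192.168.28.129 has three failures followed by a success (a user mistyping a password), while 192.168.28.130 accumulates six across two sessions and is the only address flagged; in production the same counting would be done per time window rather than over the whole file.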
Allow and deny lists
- Add the users lisi and wangwu
[root@host01 ~]# useradd lisi && echo "000000" | passwd --stdin lisi
Changing password for user lisi.
passwd: all authentication tokens updated successfully.
[root@host01 ~]# useradd wangwu && echo "000000" | passwd --stdin wangwu
Changing password for user wangwu.
passwd: all authentication tokens updated successfully.
- Add an allow list (there are no such entries by default): zhangsan may log in only from .129, lisi from any host
[root@host01 ~]# vim /etc/ssh/sshd_config
AllowUsers zhangsan@192.168.28.129 lisi
AllowUsers is the allow list and DenyUsers the deny list. sshd evaluates DenyUsers, AllowUsers, DenyGroups and AllowGroups in that order; combining allow and deny lists makes the outcome hard to reason about, so use one of them. The lists apply to key-based logins too, and a user who is not allowed still sees a password prompt: sshd rejects the login without revealing why.
- Reload the configuration to make it take effect
[root@host01 ~]# systemctl reload sshd
- Test: zhangsan can log in from .129
[root@host02 ~]# ssh zhangsan@192.168.28.128
zhangsan@192.168.28.128's password:
Last login: Thu Sep 12 16:53:09 2019 from 192.168.28.129
[zhangsan@host01 ~]$ logout
Connection to 192.168.28.128 closed.
- Test: lisi can log in from .129
[root@host02 ~]# ssh lisi@192.168.28.128
lisi@192.168.28.128's password:
[lisi@host01 ~]$ logout
Connection to 192.168.28.128 closed.
- Test: wangwu cannot log in from .129
[root@host02 ~]# ssh wangwu@192.168.28.128
wangwu@192.168.28.128's password:
Permission denied, please try again.
wangwu@192.168.28.128's password:
- Test: zhangsan cannot log in from .130
[root@host03 ~]# ssh zhangsan@192.168.28.128
zhangsan@192.168.28.128's password:
Permission denied, please try again.
zhangsan@192.168.28.128's password:
- Test: lisi can log in from .130
[root@host03 ~]# ssh lisi@192.168.28.128
lisi@192.168.28.128's password:
Last login: Thu Sep 12 16:56:07 2019 from 192.168.28.129
[lisi@host01 ~]$ logout
Connection to 192.168.28.128 closed.
- Test: wangwu cannot log in from .130
[root@host03 ~]# ssh wangwu@192.168.28.128
wangwu@192.168.28.128's password:
Permission denied, please try again.
wangwu@192.168.28.128's password:
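The settings from the last three sections (PermitRootLogin, MaxAuthTries, AllowUsers/DenyUsers) are all read by sshd with one rule that trips people up: the first value given for a keyword wins and later ones are ignored, and values inside a Match block apply only to the matched connections. The script below is an added example, not code from the original article; it reads a config the way sshd does and reports the weak settings, including an appended "PermitRootLogin no" that loses to an earlier "yes". Both config texts are constructed for the example, and the PasswordAuthentication check reflects the key-only policy a reviewer would ask for rather than anything the article sets.

```shell
#!/bin/sh
# Added example (not from the original article): audit sshd_config settings
# using sshd's own "first occurrence wins" rule. WEAK_CFG and GOOD_CFG are
# constructed for this example.

WEAK_CFG='# hardening lines appended at the end lose to the earlier ones
PermitRootLogin yes
MaxAuthTries 6
AllowUsers zhangsan@192.168.28.129 lisi
DenyUsers wangwu
PermitRootLogin no'

GOOD_CFG='PermitRootLogin no
MaxAuthTries 5
PasswordAuthentication no
AllowUsers zhangsan@192.168.28.129 lisi
Match User lisi
    PasswordAuthentication yes'

# effective KEYWORD CONFIGTEXT -> the value sshd uses for KEYWORD in the global
# section (first occurrence wins, keyword match is case-insensitive, the global
# section ends at the first Match line); prints nothing if the keyword is unset
effective() {
    printf '%s\n' "$2" | awk -v k="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match"    { exit }
        tolower($1) == tolower(k) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }'
}

# audit_sshd_config CONFIGTEXT -> one finding per line; silent when nothing to report
audit_sshd_config() {
    cfg=$1
    v=$(effective PermitRootLogin "$cfg")
    case "$v" in
        no|prohibit-password|without-password) ;;   # root password login is off
        *) echo "PermitRootLogin is '${v:-unset, default yes}', expected no" ;;
    esac
    v=$(effective MaxAuthTries "$cfg")
    [ -n "$v" ] && [ "$v" -le 5 ] 2>/dev/null \
        || echo "MaxAuthTries is '${v:-unset, default 6}', expected 5 or fewer"
    v=$(effective PasswordAuthentication "$cfg")
    [ "$v" = "no" ] \
        || echo "PasswordAuthentication is '${v:-unset, default yes}', prefer keys only"
    a=$(effective AllowUsers "$cfg")
    d=$(effective DenyUsers "$cfg")
    if [ -n "$a" ] && [ -n "$d" ]; then
        echo "AllowUsers and DenyUsers are both set; keep a single list"
    fi
    [ -n "$a" ] || echo "no AllowUsers list: every local account may log in over SSH"
    return 0
}

# Usage: the badly ordered config yields four findings, the corrected one none
audit_sshd_config "$WEAK_CFG"
audit_sshd_config "$GOOD_CFG"
```

On a live host the same check can be run against what sshd actually loaded with "sshd -T", which prints every effective value in lowercase and is the quickest way to confirm that a reload really picked up the change.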
Logging in with a key pair
- Enable public-key authentication (this is already the default; the line only makes it explicit)
[root@host01 ~]# vim /etc/ssh/sshd_config
PubkeyAuthentication yes
- Reload the configuration to make it take effect
[root@host01 ~]# systemctl reload sshd
- Generate an ECDSA (elliptic-curve digital signature) key pair; a passphrase can be set to protect the private key on disk. On current OpenSSH an Ed25519 key (ssh-keygen -t ed25519) is the preferred choice
[root@host02 ~]# ssh-keygen -t ecdsa
Generating public/private ecdsa key pair.
Enter file in which to save the key (/root/.ssh/id_ecdsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_ecdsa.
Your public key has been saved in /root/.ssh/id_ecdsa.pub.
The key fingerprint is:
SHA256:Y4AjDPfBRwYAP5exUlv7Obn08cvhSZzAsZ6Mwqt/ccE root@host02
The key's randomart image is:
+---[ECDSA 256]---+
|o.oo=o+ |
| = o.X.. |
| * O.o .. |
| = . o +Eo |
| S =. |
| . o.O.* . |
| o oo= * |
| o. + + |
| .oo. = |
+----[SHA256]-----+
- Look at the generated private and public key files
[root@host02 ~]# ls .ssh/
id_ecdsa id_ecdsa.pub
- Push the public key to user lisi on .128
[root@host02 ~]# ssh-copy-id -i .ssh/id_ecdsa.pub lisi@192.168.28.128
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_ecdsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
lisi@192.168.28.128's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'lisi@192.168.28.128'"
and check to make sure that only the key(s) you wanted were added.
- The client now also has a known_hosts file holding the server's host key accepted at the first connection; if that key changes later, ssh refuses to connect and warns about a possible man-in-the-middle
[root@host02 ~]# ls .ssh/
id_ecdsa id_ecdsa.pub known_hosts
- It can be inspected
[root@host02 ~]# cat .ssh/known_hosts
192.168.28.128 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBG/cLQC3IgLKJnuYS8mOuhuJjfnMT4V2CsSJ6GNFgBlmANrik1sLgUeSIfyPOeirGfyz0En3/AAyI+slLpA/3lQ=
- On .128 the public key has been appended to lisi's authorized_keys
[root@host01 ~]# cat /home/lisi/.ssh/authorized_keys
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEE/8T2xbTo11fmJu5sAc43OyUELuvl6OvcEiJ4WrZxaD9QR+PmJCxLZoVd5+HwyT6PFmW7EZjMk8NogcnDc9HI= root@host02
- Log in to .128 as lisi: ssh now prompts for the passphrase set on the key rather than for lisi's password
[root@host02 ~]# ssh lisi@192.168.28.128
Enter passphrase for key '/root/.ssh/id_ecdsa':
Last login: Thu Sep 12 17:09:37 2019 from 192.168.28.129
[lisi@host01 ~]$ logout
Connection to 192.168.28.128 closed.
- To avoid retyping the passphrase, start an ssh-agent and add the key: the passphrase is entered once and the decrypted key stays in the agent's memory for the life of that shell
[root@host02 ~]# ssh-agent bash
[root@host02 ~]# ssh-add
Enter passphrase for /root/.ssh/id_ecdsa:
Identity added: /root/.ssh/id_ecdsa (/root/.ssh/id_ecdsa)
- Logins are now passphrase-free. Once key login is confirmed for every account that needs it, set PasswordAuthentication no in sshd_config so that the password guessing seen in the earlier sections stops working altogether
[root@host02 ~]# ssh lisi@192.168.28.128
Last login: Tue Sep 17 00:40:47 2019 from 192.168.28.129
[lisi@host01 ~]$ logout
Connection to 192.168.28.128 closed.
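The key that ssh-copy-id installed above has no options, so it is accepted from any client address. The script below is an added example, not code from the original article: it audits an authorized_keys file for the permissions sshd's StrictModes rejects (group- or world-writable ~/.ssh or authorized_keys; ownership is not checked here) and for the key policy a reviewer wants, namely no ssh-dss keys, which current OpenSSH refuses, and a from= or restrict option on every key so a stolen private key is not usable from anywhere. The temp directory, user names and placeholder key strings are constructed for the example; options containing spaces, such as command="...", are not handled by the simple field split.

```shell
#!/bin/sh
# Added example (not from the original article): audit authorized_keys entries
# and the permissions StrictModes enforces. All key strings are placeholders.

# key_policy AUTHORIZED_KEYS_FILE -> one finding per questionable entry
# (options containing spaces, e.g. command="...", are not handled)
key_policy() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            # entry is "type base64 comment" or "options type base64 comment":
            # the key type is the first of the first two fields that looks like one
            t = 0
            for (i = 1; i <= NF && i <= 2; i++)
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) { t = i; break }
            if (t == 0) { printf "line %d: unparseable entry\n", NR; next }
            if ($t == "ssh-dss")
                printf "line %d: ssh-dss key, refused by current OpenSSH\n", NR
            # options are comma separated; wrap in commas so from= and restrict match whole items
            o = "," $1 ","
            if (t == 1 || (o !~ /,from=/ && o !~ /,restrict,/))
                printf "line %d: %s key usable from any client (no from= or restrict)\n", NR, $t
        }' "$1"
}

# perms_ok PATH -> success if PATH is neither group- nor world-writable,
# which is what StrictModes requires of ~/.ssh and authorized_keys
perms_ok() {
    [ -z "$(find "$1" -prune \( -perm -g+w -o -perm -o+w \) -print)" ]
}

# build_sample -> path of a temp home containing a constructed .ssh/authorized_keys
build_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/.ssh" && chmod 700 "$d/.ssh"
    cat > "$d/.ssh/authorized_keys" <<'EOF'
# the kind of entry ssh-copy-id installs: no options at all
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEEplaceholder= root@host02
from="192.168.28.129",no-agent-forwarding,no-port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIplaceholder admin@host02
restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIplaceholder backup@host03
ssh-dss AAAAB3NzaC1kc3MAAACBplaceholder legacy@host03
EOF
    chmod 644 "$d/.ssh/authorized_keys"   # readable by others is fine, writable is not
    printf '%s\n' "$d"
}

# Usage: build the sample, report policy findings, then check permissions
D=$(build_sample)
key_policy "$D/.ssh/authorized_keys"
perms_ok "$D/.ssh" && perms_ok "$D/.ssh/authorized_keys" && echo "permissions ok"
rm -rf "$D"
```

The sample produces three findings: the unrestricted ECDSA key from the article's own procedure, and two for the legacy ssh-dss key. Adding from="192.168.28.129" to the entry ssh-copy-id wrote gives the key-based login the same source restriction the AllowUsers line already enforces for password logins.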
Changing the default port
- The article stops firewalld and switches SELinux to permissive so that the new port is reachable. On a real host keep both enabled and instead open 2233/tcp in firewalld and register the port with SELinux as an SSH port (semanage port -a -t ssh_port_t -p tcp 2233); with SELinux enforcing and no such label, sshd refuses to bind the new port. The commands below reproduce the article's shortcut as run in the test environment.
[root@host01 ~]# systemctl stop firewalld
[root@host01 ~]# setenforce 0
- Change the default port 22 to 2233
[root@host01 ~]# vim /etc/ssh/sshd_config
Port 2233
- Reload the configuration to make it take effect and confirm the new listening port
[root@host01 ~]# systemctl reload sshd
[root@host01 ~]# netstat -ntuap | grep sshd
tcp 0 0 0.0.0.0:2233 0.0.0.0:* LISTEN 41357/sshd
tcp6 0 0 :::2233 :::* LISTEN 41357/sshd
- Connecting on the default port now fails
[root@host02 ~]# ssh lisi@192.168.28.128
ssh: connect to host 192.168.28.128 port 22: Connection refused
- Specifying the port with -p succeeds
[root@host02 ~]# ssh -p 2233 lisi@192.168.28.128
Last login: Tue Sep 17 01:21:11 2019 from 192.168.28.129
[lisi@host01 ~]$ logout
Connection to 192.168.28.128 closed.
scp: remote copy
- Create a test file and a test directory
[root@host02 ~]# echo "this is testfile01" > testfile01.txt
[root@host02 ~]# mkdir testdir01
- Copy a file to the remote host
[root@host02 ~]# scp testfile01.txt root@192.168.28.128:/opt/
root@192.168.28.128's password:
testfile01.txt 100% 19 11.4KB/s 00:00
- Copy a directory (recursively)
[root@host02 ~]# scp -r testdir01/ root@192.168.28.128:/opt/
root@192.168.28.128's password:
- Check that the copy succeeded
[root@host01 ~]# ls /opt/
rh testdir01 testfile01.txt
sftp: secure file transfer protocol
- Log in
[root@host02 ~]# sftp root@192.168.28.128
root@192.168.28.128's password:
Connected to 192.168.28.128.
sftp>
- cd changes directory, ls lists it, put uploads a file
sftp> cd /home/zhangsan/
sftp> ls
sftp> put /root/testfile01.txt
Uploading /root/testfile01.txt to /home/zhangsan/testfile01.txt
/root/testfile01.txt 100% 19 32.8KB/s 00:00
sftp> ls
testfile01.txt
- The upload succeeded
[root@host01 ~]# ls /home/zhangsan/
testfile01.txt
- get downloads a file
sftp> get /etc/passwd
Fetching /etc/passwd to passwd
/etc/passwd 100% 2227 1.8MB/s 00:00
sftp> bye
- The download succeeded
[root@host02 ~]# ls
anaconda-ks.cfg passwd testdir01 testfile01.txt