SSH user login control
With the ssh command you can log in remotely to a host running the sshd service, which gives the user a secure shell environment for administering and maintaining the server. Pass the login user and the target host address as arguments.
The first host is named shuai01, the second shuai02.
[root@shuai02 ~]# ssh [email protected] ## ssh remote login: ssh <remote account>@<ip>
The authenticity of host '20.0.0.41 (20.0.0.41)' can't be established.
ECDSA key fingerprint is SHA256:O2GaSp2f99ksS9OCQDtLMg2J4NH1hI9GUJKRG6s44B0.
ECDSA key fingerprint is MD5:3f:c7:a8:37:e8:26:7f:be:e6:07:bf:96:76:5a:d0:84.
Are you sure you want to continue connecting (yes/no)? yes ## confirm the connection here
Warning: Permanently added '20.0.0.41' (ECDSA) to the list of known hosts.
[email protected]'s password: ## enter the remote host's password
Last failed login: Sat Jul 11 15:44:02 CST 2020 from 20.0.0.42 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Sat Jul 11 15:42:14 2020
[root@tom01 ~]# exit ## log out
登出
Disallow remote login with the root account
[root@tom01 ~]# vim /etc/ssh/sshd_config
#LoginGraceTime 2m ## login grace period is 2 minutes
PermitRootLogin no ## change yes to no and remove the leading # (forbids root login)
#StrictModes yes
#MaxAuthTries 6 ## maximum number of retries is 6
#MaxSessions 10

#PubkeyAuthentication yes
[root@tom01 ~]# systemctl restart sshd ## restart the service
[root@tom01 ~]# useradd liu2 ## create the account liu2 on tom01
[root@tom01 ~]# echo "123123" | passwd --stdin liu2
更改用户 liu2 的密码 。 ## set the password
passwd:所有的身份验证令牌已经成功更新。
[root@tom01 ~]# grep "bash$" /etc/passwd ## list accounts with a login shell: there are three
root:x:0:0:root:/root:/bin/bash
liu:x:1000:1000:liu:/home/liu:/bin/bash
liu2:x:1001:1001::/home/liu2:/bin/bash
Test
[tom@tom02 ~]$ ssh [email protected] ## log in as user liu
[email protected]'s password:
[liu@tom02~]$
[root@tom01 ~]# ssh [email protected] ## log in remotely as root
[email protected]'s password:
Permission denied, please try again.
## the login is now refused, so forbidding root login worked
[root@tom02 ~]$ ssh [email protected] ## log in as user liu2
[email protected]'s password:
[liu2@tom01~]$
[liu2@tom01 root]$ su - root
密码:
上一次登录:六 7月 11 16:56:46 CST 2020从 20.0.0.3pts/4 上
最后一次失败的登录:六 7月 11 16:58:27 CST 2020pts/4 上
最有一次成功登录后有 1 次失败的登录尝试。
[root@tom01 ~]#
You will notice that, even with root login on tom01 forbidden, this is still not secure: another account on the host can be used as a stepping stone, logging in as that user and then switching to root with su.
Solution
[root@tom01 ~]# vim /etc/pam.d/su
Enable the PAM check for su in this file.
Testing the maximum number of password retries
[root@tom01 ~]# vim /etc/ssh/sshd_config
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
MaxAuthTries 6 ## enable a maximum of 6 retries
#MaxSessions 10
[root@tom01 ~]# systemctl restart sshd ## restart the service
Now go to host 02 and connect remotely.
[root@tom02 ~]# ssh [email protected]
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
## only 3 password prompts: that is the ssh client's own default (NumberOfPasswordPrompts), not the server's MaxAuthTries
## set the number of password prompts to 7
[root@tom02 ~]# ssh -o NumberOfPasswordPrompts=7 [email protected]
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Received disconnect from 20.0.0.41 port 22:2: Too many authentication failures
Authentication failed.
### now we can confirm that the maximum number of attempts is 6
Setting up whitelists and blacklists
## now we test on host tom02
AllowUsers [email protected] tom2 ## allow users tom and tom2 to log in only from host 20.0.0.41
[root@tom02 ~]# systemctl restart sshd ## restart the service
## test from 20.0.0.41
[root@tom01 ~]# ssh [email protected]
[email protected]'s password:
[tom@tom02 ~]$
[root@tom01 ~]# ssh [email protected] ## log in remotely as tom2
[email protected]'s password:
[tom2@tom02 ~]$
## now switch to a different host, IP address 20.0.0.43
[root@tom03 ~]# ssh [email protected]
The authenticity of host '20.0.0.42 (20.0.0.42)' can't be established.
ECDSA key fingerprint is SHA256:994P3GorLV3Zd0S6MMmz0zSCAetPoGuP5Bn93qkvJjM.
ECDSA key fingerprint is MD5:52:1b:62:6f:6c:ee:36:23:4e:66:4a:7c:67:4b:22:4d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '20.0.0.42' (ECDSA) to the list of known hosts.
[email protected]'s password:
Permission denied, please try again.
### you can see the login is restricted
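The three sshd_config keywords used above (PermitRootLogin, MaxAuthTries, AllowUsers) are easy to set incorrectly, because sshd takes the first value it reads for a keyword and treats lines after a Match block as conditional. The following script is an added example, not from the original post: it audits a config file for those settings against constructed sample files (the user@host pair in the sample AllowUsers is made up in the style of the post).

```shell
#!/bin/bash
# Added example, not from the original post. Two rules of sshd_config matter here:
#  * sshd uses the FIRST value it reads for a keyword, so a "PermitRootLogin no"
#    appended below an earlier "PermitRootLogin yes" changes nothing;
#  * keywords after the first "Match" line are conditional, not global.
set -e

# Print the global (first, pre-Match) value of a keyword; empty if it is not set.
sshd_effective() {
  local file="$1" key
  key=$(echo "$2" | tr 'A-Z' 'a-z')
  awk -v k="$key" '
    { sub(/#.*/, "") }                                        # drop comments
    tolower($1) == "match" { exit }                           # rest is conditional
    tolower($1) == k { $1 = ""; sub(/^ +/, ""); print; exit } # first match wins
  ' "$file"
}

# Report weaknesses on stderr; print the number of findings on stdout.
audit_sshd_config() {
  local file="$1" n=0 v
  v=$(sshd_effective "$file" PermitRootLogin)
  if [ "$v" != "no" ]; then
    echo "PermitRootLogin effective value '${v:-unset}', expected 'no'" >&2; n=$((n+1))
  fi
  v=$(sshd_effective "$file" MaxAuthTries)
  if [ -z "$v" ] || [ "$v" -gt 6 ]; then
    echo "MaxAuthTries '${v:-unset}', expected an explicit value of at most 6" >&2; n=$((n+1))
  fi
  v=$(sshd_effective "$file" AllowUsers)
  if [ -z "$v" ]; then
    echo "AllowUsers unset: every account with a shell may log in" >&2; n=$((n+1))
  fi
  echo "$n"
}

# Constructed sample configs (not the real files from the post's hosts).
write_sample_configs() {
  local d; d=$(mktemp -d)
  printf '%s\n' '#LoginGraceTime 2m' 'PermitRootLogin yes' '#MaxAuthTries 6' \
    'PermitRootLogin no' > "$d/weak"                  # the appended "no" is ignored
  printf '%s\n' 'PermitRootLogin no' 'MaxAuthTries 6' 'AllowUsers tom@20.0.0.41 tom2' \
    'Match Address 20.0.0.0/24' '  MaxAuthTries 3' > "$d/hardened"
  echo "$d"
}

d=$(write_sample_configs)
echo "weak config: $(audit_sshd_config "$d/weak" 2>/dev/null) finding(s)"
echo "hardened config: $(audit_sshd_config "$d/hardened" 2>/dev/null) finding(s)"
```

On a real host, point `audit_sshd_config` at /etc/ssh/sshd_config, or compare its output with `sshd -T`, which prints the values sshd actually resolved.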
Remote key-pair authentication
[tom2@tom02 ~]$ ssh-keygen -t ecdsa ## generate an ECDSA key pair (the public key is pushed to the server afterwards)
Generating public/private ecdsa key pair.
Enter file in which to save the key (/home/tom2/.ssh/id_ecdsa): ## press Enter
Created directory '/home/tom2/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again: ## enter the passphrase
Your identification has been saved in /home/tom2/.ssh/id_ecdsa.
Your public key has been saved in /home/tom2/.ssh/id_ecdsa.pub.
The key fingerprint is:
SHA256:7FWtWjVjt6QY6NqCrv0rQ3Zffu5ss1WnCrfCx8WRS8o tom2@tom02
The key's randomart image is:
+---[ECDSA 256]---+
| |
| . . |
| . .. *o.|
| .. .o+*+.|
| S..oo= +o|
| o.oo. +E +.o|
| o..ooo=..... |
| oo ..o++*. |
| ..o+o. oB=o |
+----[SHA256]-----+
[tom2@tom02 ~]$ ls -a ## list the home directory
. .bash_logout .bashrc .config .ssh
.. .bash_profile .cache .mozilla
[tom2@tom02 ~]$ ls .ssh/ ## the public and private key are now there
id_ecdsa id_ecdsa.pub
[tom2@tom02 ~]$ cd .ssh ## enter the .ssh directory
[tom2@tom02 .ssh]$ ls
id_ecdsa id_ecdsa.pub
[tom2@tom02 .ssh]$ ssh-copy-id -i id_ecdsa.pub [email protected] ## push the public key to the tom2 account on the remote host
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "id_ecdsa.pub"
The authenticity of host '20.0.0.42 (20.0.0.42)' can't be established.
ECDSA key fingerprint is SHA256:994P3GorLV3Zd0S6MMmz0zSCAetPoGuP5Bn93qkvJjM.
ECDSA key fingerprint is MD5:52:1b:62:6f:6c:ee:36:23:4e:66:4a:7c:67:4b:22:4d.
Are you sure you want to continue connecting (yes/no)? yes ## type yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password: ## enter the login password
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.
## switch to the tom2 host
[root@tom02 tom2]# cd /home/tom2
[root@tom02 tom2]# ls
[root@tom02 tom2]# ls -a ## list the directory: .ssh is present
. .bash_logout .bashrc .config .ssh
.. .bash_profile .cache .mozilla
[root@tom02 tom2]# cd .ssh
[root@tom02 .ssh]# ls ## authorized_keys now holds the public key
authorized_keys id_ecdsa id_ecdsa.pub known_hosts
[root@tom02 .ssh]# cat authorized_keys ## the key comes from tom2@tom02
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIAObuXm/QCEOkewr5rIi5mTpqIBPVQLH4vjzIbQLCsitbKiKx0Jg22Y/gADzVh6TiF2K0lzyzFXJNHkd4i0Vcw= tom2@tom02
## switch back to the original host
[tom2@tom02 .ssh]$ cd
[tom2@tom02 ~]$ ssh [email protected]
Enter passphrase for key '/home/tom2/.ssh/id_ecdsa': ## enter the key passphrase here
Last failed login: Sat Jul 11 23:35:44 CST 2020 from tom02 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Sat Jul 11 19:53:07 2020 from 20.0.0.41
[tom2@tom02 ~]$ ## logged in
[tom2@tom02 ~]$ ssh [email protected]
Enter passphrase for key '/home/tom2/.ssh/id_ecdsa':
## having to type the key passphrase on every login is inconvenient
Non-interactive login
[tom2@tom02 ~]$ ssh-agent bash ## start a bash shell under ssh-agent
[tom2@tom02 ~]$ ssh-add ## add the key to the agent
Enter passphrase for /home/tom2/.ssh/id_ecdsa: ## enter the passphrase once
[tom2@tom02 ~]$ ssh [email protected]
Last login: Sat Jul 11 23:51:30 2020 from tom02
[tom2@tom02 ~]$
## from now on login needs no interaction
scp: secure remote copy
The scp command copies files between hosts over an SSH secure connection. Besides the required source and destination, specify the target host address and login user; after running the command, enter the password when prompted.
## on host tom02, look at /opt
[root@tom02 ~]# ls /opt
rh ssh.hua.txt test
[root@tom02 opt]# scp ssh.hua.txt [email protected]:/home ## use scp to copy ssh.hua.txt to tom01 over the SSH connection
[email protected]'s password:
ssh.hua.txt 100% 16 25.4KB/s 00:00
## switch to tom01 and look at /home
[root@tom02 ~]# ls /home
liu ssh.hua.txt tom tom2 ## the file has been copied over
[root@tom02 ~]# cd /opt
[root@tom02 opt]# scp -r test/ [email protected]:/home
[email protected]'s password:
## switch to host 01
[root@tom02 ~]# ls /home
liu ssh.hua.txt test tom tom2
### copied as well; -r means recurse into the directory
sftp: secure FTP upload and download
The sftp command uploads and downloads files to and from a remote host over an SSH secure connection. It uses a login process and interactive environment similar to FTP, which makes managing directory resources convenient.
[root@tom02 ~]# sftp [email protected]
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Connected to 20.0.0.42. ## you are now in the remote user's home directory
sftp> ls
anaconda-ks.cfg initial-setup-ks.cfg
下载 公共
图片 文档
桌面 模板
视频 音乐
sftp> cd /home
sftp> ls
liu ssh.hua.txt test tom
tom2
sftp> get ssh.hua.txt ## download the file
Fetching /home/ssh.hua.txt to ssh.hua.txt
/home/ssh.hua.txt 100% 16 11.9KB/s 00:00
sftp> bye ## quit
[root@tom02 ~]# ls ## local listing: the download is there
anaconda-ks.cfg ssh.hua.txt 模板 图片 下载 桌面
initial-setup-ks.cfg 公共 视频 文档 音乐
[root@tom02 ~]# mv ssh.hua.txt /opt ## move it to /opt
[root@tom02 ~]# ls /opt
rh ssh.hua.txt
[root@tom02 ~]# cd /opt
## rename it in the current directory to ssh.shuai.txt
[root@tom02 opt]# mv ssh.hua.txt ssh.shuai.txt
[root@tom02 opt]# ls
rh ssh.shuai.txt
## connect again
[root@tom02 opt]# sftp [email protected]
[email protected]'s password:
Connected to 20.0.0.42.
sftp> ls
anaconda-ks.cfg initial-setup-ks.cfg
下载 公共
图片 文档
桌面 模板
视频 音乐
sftp> cd /home
sftp> ls
liu ssh.hua.txt test tom
tom2
sftp> put ssh.shuai.txt ## upload the file
Uploading ssh.shuai.txt to /home/ssh.shuai.txt
ssh.shuai.txt 100% 16 22.0KB/s 00:00
### switch to the remote host
[root@tom02 ~]# ls /home ## check /home: the file has arrived
liu ssh.hua.txt ssh.shuai.txt test tom tom2
TCP Wrappers access control overview
TCP Wrappers provides a TCP daemon called tcpd. Taking ssh as an example: whenever an ssh connection request arrives, tcpd intercepts it and first reads the access control files set up by the administrator. If the request meets the rules, the connection is handed over unchanged to the real ssh process, which does the rest of the work; if the IP that initiated the connection does not match the access control files, the connection request is broken off and the ssh service is refused.
Access control policy configuration files:
- /etc/hosts.allow
- /etc/hosts.deny
Example:
On tom02 (IP 20.0.0.42) we configure hosts.allow so that only the IP address 20.0.0.41 may access the SSH service; all other addresses are refused.
[root@tom02 etc]# vim hosts.allow
## deny all other access
[root@tom02 etc]# vim hosts.deny
Test
The host with IP address 20.0.0.41 can connect; here we log in remotely as its tom2 user.
[root@tom01 ~]# ssh [email protected]
[email protected]'s password:
Last login: Sun Jul 12 00:07:07 2020 from tom02
[tom2@tom02 ~]$
Now let's test from another host, IP address 20.0.0.43.
This one is much harsher: the connection is refused outright, without even a password prompt.
[root@tom03 ~]# ssh [email protected]
ssh_exchange_identification: read: Connection reset by peer
[root@tom03 ~]#
Example 2: what happens if we put the same IP address in both hosts.allow and hosts.deny?
Access still succeeds, because hosts.allow is consulted first and a match there ends the check.
[root@tom01 ~]# ssh [email protected]
[email protected]'s password:
Last login: Sun Jul 12 10:08:52 2020 from 20.0.0.41
[tom2@tom02 ~]$
Example 3: if only the host 192.168.20.100, or hosts in the 20.0.10.0/24 network, should be able to access the sshd service, with every other address refused, it can be done like this.
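Examples 2 and 3 both follow from the order in which tcpd evaluates its rules: hosts.allow first, then hosts.deny, and a client matching neither is let through. The script below is an added example, not part of the original post; it models that decision on constructed hosts.allow/hosts.deny files for the simple rule forms used here, and is not a reimplementation of the full hosts_access(5) syntax.

```shell
# Added example, not from the original post: a simplified model of tcpd's decision.
# It covers only the rule forms used in the examples above, "daemon : client, client"
# with a client being an exact IP, a prefix ending in "." (20.0.10. = 20.0.10.0/24)
# or ALL; real hosts_access(5) also has hostnames, netmasks, EXCEPT and more.
set -e
# Does one client pattern match the connecting address?
tw_match() {
  case "$1" in
    ALL) return 0 ;;
    *.)  case "$2" in "$1"*) return 0 ;; esac ;;   # network prefix
    *)   [ "$1" = "$2" ] && return 0 ;;            # exact IP
  esac
  return 1
}
# Does any "daemon : clients" rule in FILE match? Comments are ignored.
tw_file_matches() {
  local file="$1" daemon="$2" addr="$3" line d c
  [ -f "$file" ] || return 1
  while IFS= read -r line; do
    line="${line%%#*}"
    case "$line" in *:*) ;; *) continue ;; esac
    d=$(echo "${line%%:*}" | tr -d ' ')
    [ "$d" = "$daemon" ] || [ "$d" = "ALL" ] || continue
    for c in $(echo "${line#*:}" | tr ',' ' '); do
      tw_match "$c" "$addr" && return 0
    done
  done < "$file"
  return 1
}
# tcpd's order: a hosts.allow match grants, then a hosts.deny match refuses,
# and an address listed in neither file is granted access.
tw_decide() {
  if tw_file_matches "$1/hosts.allow" "$2" "$3"; then echo ALLOW
  elif tw_file_matches "$1/hosts.deny" "$2" "$3"; then echo DENY
  else echo ALLOW; fi
}
# Constructed rule files for example 2 (same IP in both files) and example 3.
write_rules() {
  local d; d=$(mktemp -d); mkdir -p "$d/ex2" "$d/ex3"
  echo 'sshd: 20.0.0.41' > "$d/ex2/hosts.allow"
  echo 'sshd: 20.0.0.41' > "$d/ex2/hosts.deny"
  echo 'sshd: 192.168.20.100, 20.0.10.' > "$d/ex3/hosts.allow"
  echo 'sshd: ALL' > "$d/ex3/hosts.deny"
  echo "$d"
}
d=$(write_rules)
echo "example 2, 20.0.0.41 -> $(tw_decide "$d/ex2" sshd 20.0.0.41)"   # ALLOW
echo "example 3, 20.0.0.43 -> $(tw_decide "$d/ex3" sshd 20.0.0.43)"   # DENY
```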