第四章 远程访问及控制
文章目录
OpenSSH服务器 ===>yum -y install openssh
SSH(Secure SHell)协议
是一种安全通道协议
对通信数据进行了加密处理,用于远程管理 ===>对称密钥跟非对称密钥
OpenSHH
服务名称:sshd
服务端主程序:/usr/sbin/sshd
服务端配置文件:/etc/ssh/sshd_config
对称密钥:加密和解密用同一个密钥.
例如:AES、DES、3DES
加密速度快但是不安全
非对称密钥:加密和解密使用不同密钥.分为公钥和私钥.不可以从其中一种密钥推导出另一个密钥
例如: rsa
加密速度慢但是安全
Hash===>哈希算法 用来验证数据完整性
私钥:验证身份,保密的
公钥:所有人都知道,公开的
服务监听选项
端口号、协议版本、监听IP地址
禁用反向解析
[root@localhost ~]# vi /etc/ssh/sshd_config ===>修改配置文件
......
Port 22 ===>端口22
ListenAddress 172.16.16.22 ===>监听地址 172.16.16.22
Protocal 2 ===>协议 2
UseDNS no ===>不使用DNS
用户登录控制
禁用root用户、空密码用户
闲置登录验证时间、重试次数
AllowUsers、DenyUsers
[root@localhost ~]# vi /etc/ssh/sshd_config ===>修改配置文件
LoginGraceTime 2m ===>会话时间 2分钟
PermitRootLogin no ===>不允许root用户登录
MaxAuthTries 6 ===>最大的验证尝试次数为6次---默认是三次
PermitEmptyPasswords no ===>不允许空密码登录
......
AllowUsers jerry [email protected] ===>AllowUsers不要与DenyUsers同时用{加了@IP ---只允许你从固定的终端登录}
登录验证方式
密码验证:核对用户名、密码是否匹配
密钥对验证:核对客户的私钥、服务端公钥是否匹配
[root@localhost ~]# vi /etc/ssh/sshd_config
......
PasswordAuthentication yes #私钥开启
PubkeyAuthentication yes #公钥开启
AuthorizedKeysFile .ssh/authorized_keys 生成到当前用户的家目录里面是隐藏文件===>ls -a
模拟实验
不允许root账户登录
[root@localhost ~]# ssh [email protected] ===>当前CentOS主机的IP是20.0.0.110
The authenticity of host '20.0.0.60 (20.0.0.60)' can't be established.
ECDSA key fingerprint is SHA256:rFf1qtIIiP3JlW/y+EhTkaOtV76DNoZX5MMrHDOzwzY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '20.0.0.60' (ECDSA) to the list of known hosts.
[email protected]'s password:
Last failed login: Thu Jul 9 17:16:57 CST 2020 from :0 on :0
There was 1 failed login attempt since the last successful login.
Last login: Thu Jul 9 10:46:42 2020
[root@localhost ~]# ===>以root身份就连接到了另一台20.0.0.60的CentOS主机
[root@localhost ~]# vi /etc/ssh/sshd_config ===>配置文件
......
PermitRootLogin no ===>不允许root账户登录 把这一行改成no 把注释符号"#"去掉
......
[root@localhost ~]# systemctl restart sshd ===>重启一下服务
[root@localhost ~]# ssh [email protected] ===>重新连接一下
The authenticity of host '20.0.0.60 (20.0.0.60)' can't be established.
ECDSA key fingerprint is SHA256:rFf1qtIIiP3JlW/y+EhTkaOtV76DNoZX5MMrHDOzwzY.
ECDSA key fingerprint is MD5:35:39:f1:63:73:74:3c:a7:64:38:3e:80:a6:e8:9c:a6.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '20.0.0.60' (ECDSA) to the list of known hosts.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password: ===>重新连接已经连接不上了 说明修改的配置已生效
[root@localhost ~]# ssh [email protected] ===>不使用root账户连接
[email protected]'s password:
[zhangsan@localhost ~]$ ===>连接成功
禁用root账户远程连接的时候必须要禁用su命令切换root的权限利用pam认证
[root@zhaobin ~]# vi /etc/pam.d/su ===>修改配置文件
......
auth required pam_wheel.so use_uid ===>把这一行前面的"#"去掉就可以了
......
[root@localhost ~]# ssh [email protected] ===>远程连接
[email protected]'s password:
Last login: Thu Jul 9 11:15:39 2020 from 20.0.0.60
[wangwu@zhaobin ~]$ su - root
密码:
su: 拒绝权限
[wangwu@zhaobin ~]$ ===>可以看到su切换root账户失败
不操作这一步的话可以利用su切换到root账户
添加黑白名单===>不能同时存在存在了白名单就不允许黑名单存在只能选其一
AllowUsers ===>白名单:仅允许某些用户,拒绝所有人---安全性场合高
DenyUsers ===>黑名单:近拒绝某些用户,允许所有人---安全性场合低
[root@zhaobin ~]# vi /etc/ssh/sshd_config ===>修改配置文件
AllowUsers zhangsan [email protected] ===>需要自行写入 白名单允许zhangsan在任意终端登录
只允许wangwu在20.0.0.110终端登录
[root@zhaobin ~]# systemctl restart sshd ===>服务重启一下才会生效
在20.0.0.110终端操作
[root@localhost ~]# ssh [email protected]
[email protected]'s password:
Last login: Thu Jul 9 11:17:48 2020 from 20.0.0.60
[zhangsan@zhaobin ~]$ exit
登出
Connection to 20.0.0.60 closed.
[root@localhost ~]# ssh [email protected]
[email protected]'s password:
Last login: Thu Jul 9 11:20:07 2020 from 20.0.0.60
[wangwu@zhaobin ~]$ exit
登出
Connection to 20.0.0.60 closed.
[root@localhost ~]#
在20.0.0.50终端操作
[root@localhost ~]# ssh [email protected]
The authenticity of host '20.0.0.60 (20.0.0.60)' can't be established.
ECDSA key fingerprint is SHA256:rFf1qtIIiP3JlW/y+EhTkaOtV76DNoZX5MMrHDOzwzY.
ECDSA key fingerprint is MD5:35:39:f1:63:73:74:3c:a7:64:38:3e:80:a6:e8:9c:a6.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '20.0.0.60' (ECDSA) to the list of known hosts.
[email protected]'s password:
Last login: Thu Jul 9 11:25:57 2020 from 20.0.0.110
[zhangsan@zhaobin ~]$ exit
登出
Connection to 20.0.0.60 closed.
[root@localhost ~]# ssh [email protected] ===>可以发现wangwu不能从这个终端登录
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
ssh -o NumberOfPasswordPrompts=8 [email protected]允许尝试连接次数8次
系统默认输错三次
构建密钥对验证的SSH体系
整体实现过程
第一步:创建密钥对 ===>由客户端的用户zhangsan再本地创建密钥对
公钥文件:id_rsa
公钥文件:id_rsa.pub
第二步:上传公钥文件id_rsa.pub
第三步:导入公钥信息 ===>导入到服务端用户lisi的公钥数据库
公钥库文件:~/.ssh/authorized_keys
第四步:使用密钥对验证方式 ===>以服务端的用户lisi的身份进行登录
再客户机中创建密钥对
ssh-keygen命令
可用的加密算法:RSA、ECDSA或DSA
[zhangsan@localhost ~]$ ssh-keygen -t ecdsa ===>-t 指定密钥类型
Generating public/private ecdsa key pair.
Enter file in which to save the key (/home/zhangsan/.ssh/id_ecdsa):
Created directiry '/home/zhangsan/.ssh'.
Enter same passphrase again: ===>设置密钥短语
Your identification has been saved in /home/zhangsan/.ssh/id_ecdsa. ===>私钥文件位置
Your public key has been saved in /home/zhangsan/.ssh/id_ecdsa.pub. ===>公钥文件位置
......
将公钥文件上传至服务器
任何方式均可(FTP、Email、SCP、HTTP…)
[zhangsan@localhost ~]# scp ~/.ssh/id_ecdsa.pub [email protected]:/tmp ===>安全性复制
再服务器中导入公钥文本
将公钥文本添加至目标用户的公钥库
默认公钥库位置:~/.ssh/authorized_keys
[root@localhost ~]# mkdir /home/lisi/.ssh/
[root@localhost ~]# cat /tmp/id_ecdsa.pub >> /home/lisi/.ssh/authorized_keys
[root@localhost ~]# tail -1 /home/lisi/.ssh/authorized_keys
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOBYobmq32SjDwcnTiazunm2xaTrq/dJhrGcTEEGsr8/VqLgKPb8ySB4zExG417TOI3FluCnWKfBBsPQQhtaxU8= zhangsan@zhaobin
(mailto:zhangsan@localhost)
客户端使用密钥对验证登录
验证用户:服务端的用户lisi
验证密码:客户端的用户zhangsan的私钥短语
[zhangsan@zhaobin root]$ ssh [email protected]
Enter passphrase for key '/home/zhangsan/.ssh/id_ecdsa': ===>输入私钥
Last failed login: Thu Jul 9 12:04:15 CST 2020 from 20.0.0.60 on ssh:notty
There were 2 failed login attempts since the last successful login.
Last login: Thu Jul 9 12:02:06 2020 from 20.0.0.60
[lisi@localhost ~]$ whoani
lisi
第二步和第三步可以采用另外一种方法
ssh-copy-id -i 公钥文件 user@host
验证密码后,会将公钥自动添加到目标主机user宿主目录下的.ssh/authorized_keys文件结尾
[zhangsan@localhost ~]$ ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]
ssh-copy-id -i 公钥文件
实验
利用公钥私钥登录连接
在20.0.0.60终端操作
[root@zhaobin ~]# vi /etc/ssh/sshd_config ===>修改配置文件
......
PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
......
[root@zhaobin ~]# systemctl restart sshd ===>启动服务
[root@zhaobin ~]# su zhangsan ===>切换到zhangsan用户
[zhangsan@zhaobin root]$ ssh-keygen -t ecdsa ===>创建密钥对
Generating public/private ecdsa key pair.
Enter file in which to save the key (/home/zhangsan/.ssh/id_ecdsa):
/home/zhangsan/.ssh/id_ecdsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/zhangsan/.ssh/id_ecdsa.
Your public key has been saved in /home/zhangsan/.ssh/id_ecdsa.pub.
The key fingerprint is:
SHA256:aCYS4cBJr4Tk5l57YPgywVHsKlGVHGwRj39yy9Tb4mI zhangsan@zhaobin
The key's randomart image is:
+---[ECDSA 256]---+
|+o+=== |
|+=+o=o |
|.*+o. . |
|* +o . . . |
| Bo+. * S . |
|o.=.o+ * . o |
|.+ o . o o . |
| o . E. . |
| . .. |
+----[SHA256]-----+
[zhangsan@zhaobin root]$ scp ~/.ssh/id_ecdsa.pub [email protected]:/opt ===>上传公钥文件
在20.0.0.50终端操作
[root@localhost lisi]# mkdir /home/lisi/.ssh/ ===>创建目录
[root@localhost lisi]# cat /opt/id_ecdsa.pub >> /home/lisi/.ssh/authorized_keys
在20.0.0.60终端操作
[zhangsan@zhaobin root]$ ssh [email protected] ===>远程访问20.0.0.50终端 使用lisi账号
Enter passphrase for key '/home/zhangsan/.ssh/id_ecdsa':
Last login: Thu Jul 9 13:18:55 2020 from 20.0.0.60
[lisi@localhost ~]$ ===>登录成功
添加免密登录
[zhangsan@zhaobin root]$ ssh-agent bash ===>使用代理终端
[zhangsan@zhaobin root]$ ssh-add ===>添加免密登录的密码
Enter passphrase for /home/zhangsan/.ssh/id_ecdsa:
Identity added: /home/zhangsan/.ssh/id_ecdsa (/home/zhangsan/.ssh/id_ecdsa)
[zhangsan@zhaobin root]$ ssh [email protected] ===>登录不需要输入密码
Last login: Thu Jul 9 13:32:32 2020 from 20.0.0.50
[lisi@localhost ~]$
使用SSH客户端程序
ssh命令===>远程安全登录
ssh user@host ===>端口选项: -p 22
scp命令===>远程安全复制===>目录的话需要加 -r
格式1:scp user@host:file1 file2 把本地的复制给对方
格式2:scp file1 user@host:file2 把对方的复制到我账号里面 目录的话需要加-r
sftp命令===>安全FTP上下载
sftp [user@host](mailto:user@host)
get ===>下载
put ===>上传
bye ===>退出
TCP Wrappers概述
保护原理
在服务器向外提供的tcp服务商包装一层安全检测机制。外来连接请求首先通过这个安全检测,获得安全认证后才可被系统服务接受。
保护机制的实现方式
方式1:通过rcpd程序对其他服务程序进行包装
方式2:由其他服务器调用libwrap.so.*链接库
访问控制策略的配置文件===>两个文件可以同时存在
/etc/hosts.allow
/etc/hosts.deny
TCP Wrappers策略应用
设置访问控制策略
策略格式:服务程序列表:客户端地址列表
服务程序列表
多个服务以逗号分隔,ALL表示所有服务
客户端地址列表
多个地址以逗号隔开,ALL表示所有地址
允许使用通配符?和*
网段地址,如 192.168.4. 或者 192.168.4.0/255.255.255.0
区域地址,如 .benet.com
策略的应用顺序
1、检查hosts.allow,找到匹配则允许访问
2、再检查hosts.deny,找到则拒绝访问
3、若两个文件中均无匹配策略,则默认允许访问
策略应用示例
仅允许从以下地址访问sshd服务
主机61.63.65.67
网段192.168.2.0/24
禁止其他所有地址访问受保护的服务
[root@localhost ~]# vi /etc/hosts.allow ===>允许访问 相当于白名单
sshd:61.63.65.67,192.168.2.* ===>允许61.63.65.67 跟192.168.2网段的用户访问
[root@localhost ~]# vi /etc/hosts.deny ===>拒绝访问 相当于黑名单
sshd:ALL ===>所有