#######Turning off the firewall is very important########
setenforce 0
systemctl disable --now firewalld.service
ssh remote service
Features of OpenSSH
1. Purpose of the sshd service
Function: opens a secure shell on a remote host over the network
Secure SHell =====>ssh ##Client
Secure SHell =====>sshd ##Server
2. Installation Package
openssh-server
3. Main configuration file
/etc/ssh/sshd_config
4. Default port
22
5. Client command
ssh
ssh
1. ssh [-l remote host user] <ip | hostname>
# On host 44, use the ssh command to open a remote shell as the root user
ssh -l root 192.168.43.213
# or
ssh root@192.168.43.213
On the first connection, ssh asks you to confirm the identity of the remote host. When the user enters yes, the 213 host sends its identity public key to the current host, which saves it to ~/.ssh/known_hosts. The 213 host holds the private key, and when the client connects again the saved key is used to verify the machine's identity. If the identity has changed, the connection is refused.
If the identity changes (for example, because you changed it yourself), the connection is refused as follows:
When a connection error occurs because of this authentication problem, you only need to delete the line of ~/.ssh/known_hosts named in the error message:
vim ~/.ssh/known_hosts # as shown in the figure above
The connection then works normally again.
2. Common ssh parameters
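-l ## specify the login user
-X ## enable graphics (X11 forwarding)
-i ## specify the private key
-f ## run in the background
-o ## specify a connection option
   ## ssh -l root 192.168.43.213 -o "StrictHostKeyChecking=no" ## no need to enter yes on the first connection (the host key is accepted without being checked)
-t ## force a terminal, used for a jump connection, that is, logging in to another server from a server you are logged in to
   ## ssh -l root 192.168.43.213 -t ssh -l root 172.25.254.10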
sshd key authentication
- Symmetric encryption: that is, the login method of entering the password above.
  Encryption and decryption use the same string. Easy to leak, open to brute-force cracking, easy to forget.
- Asymmetric encryption: the public key is used for encryption and the private key is used for decryption.
  It will not be stolen.
  Attackers cannot log in to the server without the key.
Asymmetric encryption steps:
1. Run `ssh-keygen`, or specify the parameters directly: `ssh-keygen -f /root/.ssh/id_rsa -P ""`
2. View the generated keys
3. Lock the server with the public key: `ssh-copy-id -i /root/.ssh/id_rsa.pub [email protected]`
4. Test: `ssh -l root 192.168.43.213`
Detailed explanation of sshd security optimization parameters
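vim /etc/ssh/sshd_config
- Port 22 ## default port is 22; it can be changed
- PermitRootLogin yes | no ## whether the superuser is allowed to log in
- AllowUsers lee westos ## user whitelist (names separated by spaces)
- DenyUsers lee ## user blacklist
- PasswordAuthentication yes | no ## whether the original password authentication method is enabled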
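
The following is an added example, not part of the original page: a POSIX shell check of the sshd_config keywords listed above, including a comma-separated AllowUsers value, which sshd_config(5) does not treat as a list of users. The function names `audit_sshd_config` and `sample_config` and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Reads sshd_config text on stdin and prints one finding per line.
# Only the global section is checked: parsing stops at the first Match block.
audit_sshd_config() {
    awk -F'[ \t=]+' '
    { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }    # trim; awk re-splits the fields
    $0 == "" || /^#/ { next }                     # blank lines and comments
    { key = tolower($1) }                         # keywords are case-insensitive
    key == "match" { exit }
    (key in seen) && key !~ /users$/ { next }     # first value wins; Users lines add up
    { seen[key] = 1
      val = $0; sub(/^[^ \t=]+[ \t=]+/, "", val); low = tolower(val) }
    key == "port" && val !~ /^[0-9]+$/ {
        print "FAIL Port " val ": not a port number" }
    key == "permitrootlogin" && low == "yes" {
        print "WARN PermitRootLogin yes: root can log in directly, including by password" }
    key == "passwordauthentication" && low == "yes" {
        print "WARN PasswordAuthentication yes: passwords can be guessed by brute force" }
    key ~ /^(allow|deny)users$/ && val ~ /,/ {
        print "FAIL " $1 " " val ": separate user patterns with spaces, not commas" }
    END {
        if (!("permitrootlogin" in seen)) print "INFO PermitRootLogin not set explicitly"
        if (!("passwordauthentication" in seen)) print "INFO PasswordAuthentication not set explicitly"
    }'
}

# Constructed sample input, not taken from a real host.
sample_config() {
    cat <<'EOF'
# constructed sample sshd_config
Port 22
permitrootlogin YES
AllowUsers lee,westos
DenyUsers lee
PasswordAuthentication no
PasswordAuthentication yes
Match User westos
    PasswordAuthentication yes
EOF
}

sample_config | audit_sshd_config
```

On a server, run it as `audit_sshd_config < /etc/ssh/sshd_config` before restarting sshd.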