centOS - SSH Remote Access Control

-------------------- Overview --------------------

SSH is a secure channel protocol, mainly used for remote login to a character interface, remote file copying and other functions. The SSH protocol encrypts the data transmitted in both directions, including the password the user types at login. Compared with earlier applications such as telnet (remote login), rsh (Remote Shell, remote command execution) and rcp (Remote File Copy, remote file copy), the SSH protocol offers better security.


SSH service: sshd provides the remote login service (traffic is transmitted as ciphertext); the corresponding port number is TCP port 22.

-------------------- System environment --------------------

CentOS 7 is used as the server (SSH server) and another CentOS 7 host as the client; the host names are changed to 01 and 02.

-------------------- Experiment procedure --------------------

Modify the configuration file

1. Modify the main SSH configuration files. The main configuration files are "/etc/ssh/ssh_config" (client configuration file) and "/etc/ssh/sshd_config" (server configuration file). Deleting the leading "#" of a line enables that option for the service; remember to save and exit after editing.

vim /etc/ssh/sshd_config
Port 22                   Listening port; the default is port 22
#AddressFamily any        Address family: IPv4, IPv6, or "any" to use both
#ListenAddress 0.0.0.0    Listening address (IPv4)
#ListenAddress ::         Listening address (IPv6)

#LoginGraceTime 2m ---- time allowed to complete the login (the default is 2 minutes)
#PermitRootLogin yes ---- whether the root user may log in remotely (yes permits it)
#StrictModes yes ------ check file ownership and permissions before accepting the login
#MaxAuthTries 6 ------ maximum number of password authentication attempts (the default is 6)
#MaxSessions 10 ------ maximum number of sessions per connection


![](https://s1.51cto.com/images/blog/201909/10/64f1840fd1609512e53f3064d992da40.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)


2. The service needs to be restarted after the configuration file has been modified.

systemctl restart sshd



3. Next, use the client host to access the server remotely; here we log in as the root user.

ssh [email protected]



4. As we all know, the root user is the administrator of the system and has relatively high privileges. If anyone can easily log in remotely as root, the system is not secure. You can change the permission in the configuration file so that root cannot be used for remote login and others must log in as ordinary users. Be sure to restart the service after the change.


5. Now, when we log in remotely as the root user and enter the password, "Permission denied" is displayed; switching to an ordinary user, the login succeeds.


6. Could an ordinary user now be used as a springboard to switch to the root user? The answer is definitely yes.


7. When you encounter this situation, you can use PAM secure authentication so that only users in the "wheel" group are allowed to use "su".

vim /etc/pam.d/su



8. Use the "id" command to see that the user "akg" has been added to the "wheel" group and the user "boss" has not. Now when the user "boss" tries to switch to root, "Permission denied" is displayed, while the user added to the "wheel" group can still switch.


9. Earlier we enabled the maximum password attempts line (six attempts) in the configuration file. Test it now; we can also test with "-o NumberOfPasswordPrompts=8" (allowing 8 inputs).
We can see that by default the login attempt quits after the password has been entered three times, but if you try to set more than six, you find that the limit set on the server is six.


10. User logins can also be restricted by adding whitelists and blacklists in the configuration file. Now only the user "boss" can log in, and "lisi" can log in from the host 192.168.100.55. Complete the configuration and restart the service.

11. When we log in from the host 192.168.100.55, because of the whitelist the user "akg" cannot log in; only "lisi" and "boss" can.
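As an added example that is not part of the original post, the following POSIX shell script reads the three settings changed in this tutorial (PermitRootLogin, MaxAuthTries, AllowUsers) out of an sshd_config and flags weak values. It reproduces sshd's rule that the first uncommented occurrence of a keyword wins, so a hardened line appended below an earlier permissive one is reported as ineffective. The configuration text and user names are constructed sample data; lines inside a "Match" block are not treated specially.

```shell
#!/bin/sh
# Added example, not from the original post: audit the settings this
# tutorial edits in an sshd_config. sshd applies the FIRST uncommented
# occurrence of a keyword, so a hardened line placed after an earlier
# "PermitRootLogin yes" changes nothing; the audit reproduces that rule.
# Limitation: lines inside a "Match" block are not treated specially.

# Constructed sample configs (test data, not a real server's file)
HARDENED_CONFIG='Port 22
#PermitRootLogin yes
PermitRootLogin no
MaxAuthTries 6
AllowUsers boss lisi@192.168.100.55
PermitRootLogin yes'

WEAK_CONFIG='PermitRootLogin yes
MaxAuthTries 10
# appended later, but ignored: first match wins
PermitRootLogin no'

# sshd_effective KEYWORD CONFIG_TEXT -> prints the effective value, or
# nothing if the keyword is never set. Keywords are case-insensitive.
sshd_effective() {
    printf '%s\n' "$2" | awk -v key="$1" '
        BEGIN { key = tolower(key) }
        /^[[:space:]]*(#|$)/ { next }                 # skip comments and blanks
        tolower($1) == key {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")   # drop the keyword
            print; exit                               # first match wins
        }'
}

# audit_sshd CONFIG_TEXT -> prints one line per finding; returns 0 when
# the three settings from the tutorial are all hardened, 1 otherwise.
audit_sshd() {
    rc=0
    v=$(sshd_effective PermitRootLogin "$1" | tr 'A-Z' 'a-z')
    [ "$v" = "no" ] || { echo "PermitRootLogin is '${v:-unset}', expected no"; rc=1; }
    v=$(sshd_effective MaxAuthTries "$1")
    case $v in
        ''|*[!0-9]*) echo "MaxAuthTries '${v:-unset}' is not an explicit number"; rc=1 ;;
        *) [ "$v" -le 6 ] || { echo "MaxAuthTries $v is above 6"; rc=1; } ;;
    esac
    v=$(sshd_effective AllowUsers "$1")
    [ -n "$v" ] || { echo "no AllowUsers whitelist configured"; rc=1; }
    return $rc
}
echo "== hardened =="; audit_sshd "$HARDENED_CONFIG" && echo "OK"
echo "== weak =="; audit_sshd "$WEAK_CONFIG" || echo "findings above"
```

To audit a real server, replace the sample text with `"$(cat /etc/ssh/sshd_config)"` and compare the result with the options shown in step 1.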


Origin blog.51cto.com/14307755/2437234