1 Openssh Features
2 ssh command
3 Openssh service key authentication
security services optimized 4 Openssh
1.Openssh Functional Overview
Openssh
OpenSSH is the SSH (Secure SHell) protocol of open source software is free
software installation name
• Openssh-server
configuration file
• / etc / ssh / sshd_conf
default port (IP interface is used to distinguish the different functions only open )
• 22
client commands
• ssh
among viewing system opessh-server
[root@workstation Desktop]# rpm -qa | grep ope
2.ssh command
ssh command remote USER @ remoteIP
| parameter | use |
|---|---|
| -l | Login user specified |
| -x | Open Graphics |
| -i | Specify the key |
| -p | Designated port |
| -f | Background process |
| -O | Specifying connection parameters |
| -t | Specify the connection springboard |
View 2.1 virtual machine firewall whether to allow real machine connected
display allows results
2.2 specify user login:
[kiosk@foundation66 Desktop]$ ssh -l root 172.25.254.111
Real machine connected to the virtual machine is a virtual machine must enter the password
2.2.1 IP connection to see who's in a virtual machine
[root@workstation Desktop]# w -i
2.3 open Graphics:
currently logged in real machine virtual machine is unable to open gedit graphical interface, because -l is connected text, image command to open the last used parameters need -X command is available in the open gedit
Real machine kiosk running process has gedit
virtual machine does not
specify a port designated port ssh 2.4-p 22
2.5-f后台运行
不占用终端
2.6指定参数登陆
如下在登录时会被询问yes或no,
2.7使用-o参数可以忽略直接输入密码登录
2.8跳板连接
-t参数
ssh -t root@172.25.254.66 ssh 172.25.254.111
当某台主机不能直接连接workstation则先连接IP:172.25.254.66的真机在连接workstation
3.Openssh服务的key认证
3.1 Op en ssh认 证 方 式
| 密码认证 | 密钥认证 |
|---|---|
| 至少6个字符 | 新型认证方式,分为公钥及私钥 |
| 包含数字,字母,下划线特殊符号等 | 不用记住密码 |
| 易泄漏 | 公钥上传服务器 |
| 可被暴力破解 | 私钥配对认证,不会被盗用 |
| 密码容易丢失 | 攻击者一般无法通过密钥登录服务器 |
3.2 Openssh KEY
支持rsa及dsa加密
加密方法
关于 Openssh的文件
• 内容
文件 功能
~/.ssh/authorized_keys 用于保存用户的公钥文件
~/.ssh/known_hosts 辨别服务器的唯一散列码
~/.ssh/id_dsa 用户的私钥文件
~/.ssh/id_rsa.pub 用户的公钥文件
• 生成密钥 ssh-keygen
• 上传密钥 ssh-copy-id –i keyfile remoteUSER@remote IP
3.3保持实验环境纯洁(.ssh/目录会在第一次登录服务器时生成,里面也会生成一个文件know_hostos)删除该目录文件
3.4生成公钥和私钥
密钥的生成位置客户端和主机都可以
使用默认文件目录和名称,密码忽略输入
密钥成功生成:
3.4.1.ssh/会生成以下文件如下:
解锁——私钥:/root/.ssh/id_rsa 上锁——公钥:/root/.ssh/id_rsa.pub
3.4.2上锁:
.ssh/会生成一个authorized_keys文件也就是锁,此文件内容与id_rsa.pub的内容一样
3.5免密登录:
未持有私钥的用户每次登录都会显示要输入密码,有安全因患。可暴力破解
3.5.1关闭显示密码登录,直接拒绝未拥有私钥的用户
[root@workstation ~]# vim /etc/ssh/sshd_config 编辑此文件
73行的yes改成no
3.5.2并且重启该程序[root@workstation ~]# systemctl reload sshd
此时再次登录直接拒绝访问
3.6把私钥给所需要连接的主机
[root@workstation ~]# scp /root/.ssh/id_rsa [email protected]:/home/kiosk/.ssh
3.6.1拥有私钥的状态下不需要输入密码直接登录服务端
3.7更改密钥让所有拥有密钥的用户都无法登录
3.7.1取消限制则需恢复文件原始名称
3.7.2更改为authorized_keys则可登录
4 Openssh服务的安全优化
sshd服务常用相关配置参数
主配置文件
• /etc/ssh/sshd_config
配置参数
• Port 22 监听端口
• Protocol 2 指定协议版本
• ListenAddress 绑定IP
• HostKey 设定HostKey密钥路径
• PermitRootLogin 设定超级用户是否能登录
• PubkeyAuthentication 公钥认证开关
• PasswordAuthentication 密码认证开关
• AllowUsers 用户白名单
• DenyUsers 用户黑名单
4.1端口更改:编辑/etc/ssh/sshd_config文件
prot 22 改为prot 8888
查看端口命令:netsata
a:所有
l:活跃开启的端口
t:tpp协议
u:upp协议
p:显示进程名称
n:之显示端口值
4.1.1注意:为了保证服务能够正常运行需先执行此命令setenforce 0 ,防止程序无法启动
4.2 ListenAddress 绑定IP 指定连接某一IP其他IP不能连接
listenAddress 0.0.0.0.表示所以IP都可连接成功
指定连接:#IPlistenAddress 172.25.254.111
下方#listenAddress ::为IPV6
listenAddress 172.25.254.111即只能连接此IP登录
4.3HostKey set HostKey key path is generally used to set the path
4.4 PermitRootLogin set whether super user can log
set super user can log in
the current super-user can log:
not super user Log 4.4.1 set up, but Log normal user
settings / etc / ssh / 46 line yes sshd_config was changed to no
4.4.2 complete results are as follows: after three attempts to exit the password can not log in
Ordinary users can log 4.4.3:
4.5 black list
PermitRootLogin yes 超级用户的黑白名单即:yes白名单no黑名单
All users can log in the current
4.5.1 Blacklist: Set westos user can not log in
| Setting method | DenyUsers user |
|---|
4.5.2 Service to reload the configuration:
4.5.3 log in again as follows: In addition to the user other users can log westos
4.5.4 whitelist: Set whitelist westos
| Setting method | AllowUsers user |
|---|
4.5.6 Service Configuration reload
4.5.7 log on again as follows:
In addition to all other users are westos user can not log in
