SSHD Service
阿新 • Published: 2020-08-19
How SSH Works
What SSH Is
- SSH (Secure Shell) is a secure remote-management protocol built on top of the application layer. It is a comparatively reliable protocol designed to provide security for remote login sessions and other network services; using SSH effectively prevents information leakage during remote administration. In short, SSH is a network protocol for encrypted login between computers.
- SSH listens on TCP port 22 by default and transmits data over the network in encrypted form, which makes it considerably more secure than Telnet, which transmits everything in cleartext.
SSH Login Authentication Modes
Account and Password
- Man-in-the-middle attack: although SSH uses public-key cryptography to protect the information in transit, the server's public key is generated by the server itself and is not certified by a certificate authority (CA). If the public key is intercepted in transit and someone impersonating the server sends a forged public key to the user, the user encrypts the password with the forged key and sends it to the impersonating host, which can then recover the user's login password.
- SSH addresses the man-in-the-middle problem with the $HOME/.ssh/known_hosts file. On the first connection:
ssh 192.168.75.100
The authenticity of host '192.168.75.100 (192.168.75.100)' can't be established.
ECDSA key fingerprint is SHA256:9euc3RILMQhtc77XPKdnTYkGuFqEtpNovieUecCdjUY.
ECDSA key fingerprint is MD5:8d:d2:cc:e7:9d:20:07:b8:1a:56:ad:42:3f:82:29:e0.
Are you sure you want to
Warning: Permanently added '192.168.75.100' (ECDSA) to the list of known hosts.
root@192.168.75.100's password:
Typing yes accepts the remote host's public key, and the Warning line indicates that the remote host has been approved. Once accepted, the server's public key is saved in $HOME/.ssh/known_hosts, so the next connection to that server skips the warning and goes straight to the password prompt. known_hosts brings a problem of its own: when the server's public key is updated, the old key recorded in the local known_hosts file makes fingerprint verification fail, which is resolved by deleting the known_hosts file.
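The check a practitioner wants at the prompt above is to compare the displayed fingerprint with one obtained out of band from the server's owner. The following added example (not code from the original post or from OpenSSH) computes both fingerprint formats shown above from a known_hosts or .pub line, compares a host's recorded key against an expected fingerprint, and drops only the stale entry for one host instead of deleting the whole known_hosts file. The sample known_hosts content is constructed: it pairs the server address used in this post with the root@client RSA public key printed later in the post, plus a second host whose key blob is a placeholder.

```python
import base64
import hashlib
import struct

# The root@client RSA public key that appears later in this post (real key blob).
ROOT_CLIENT_PUBKEY = (
    "AAAAB3NzaC1yc2EAAAADAQABAAABAQC5Kz71FY5uTNlf1lMTdJ9IE5XIml7e6oU7"
    "+RaybGXkfFUHtz9aLMDmKn6Ozl5uEuXUs/9g1QHtxLAthn7tEPeWzR6fvHjOUOG6"
    "q6CHV41/2eu1iY4JVm3Sk1bkAcU8Ups0gn5wW6a9Rz0iMZwi6AfhQiRBUAsELxuM"
    "5OLM5ahmGXJMnkzbxNYN+DMEMmeC7Q7+nr98g/J6bmnftTMvAu7RBlFXw6ZaY9jp"
    "cm8xyeW6VqJZHFGl0uRfGT0Y8q0GrBuAj58PDd4MWavF+bJisf3OMwUYMwL0+Lv9"
    "RNbjFG8603Yen3iQZBWEvJmg9+mkzzACMzDslutfQ1OQfwwoFQ2p"
)

# Constructed sample known_hosts content; the second blob is a placeholder and is never decoded.
SAMPLE_KNOWN_HOSTS = (
    "192.168.75.100 ssh-rsa " + ROOT_CLIENT_PUBKEY + " root@client\n"
    + "192.168.75.110 ssh-ed25519 AAAAC3PLACEHOLDERblobNotARealKey server-two\n"
)


def parse_pubkey_line(line):
    """Split a known_hosts line ('host[,host] type blob [comment]') or a .pub /
    authorized_keys line ('type blob [comment]') into (hosts, keytype, blob).
    hosts is None for the second form; comments/blank lines give None.
    Hashed known_hosts entries (|1|...) keep their hashed field as the host."""
    fields = line.strip().split()
    if not fields or fields[0].startswith("#"):
        return None
    if fields[0].startswith("@"):          # known_hosts markers: @cert-authority, @revoked
        fields = fields[1:]
    if len(fields) < 2:
        return None
    if fields[0].startswith(("ssh-", "ecdsa-", "sk-")):   # heuristic: a key type, not a host
        return None, fields[0], fields[1]
    if len(fields) < 3:
        return None
    return fields[0].split(","), fields[1], fields[2]


def fingerprint_sha256(blob_b64):
    """Fingerprint in the format ssh-keygen prints: SHA256:<base64 digest, '=' stripped>."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob_b64):
    """Legacy fingerprint format: MD5:aa:bb:cc:..."""
    hexdigest = hashlib.md5(base64.b64decode(blob_b64)).hexdigest()
    return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def embedded_keytype(blob_b64):
    """Key type string encoded (length-prefixed) at the start of the key blob;
    it should agree with the type field printed before the blob."""
    raw = base64.b64decode(blob_b64)
    (length,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + length].decode()


def check_host(known_hosts_text, host, expected_sha256):
    """Compare the key recorded for host with a fingerprint obtained out of band.
    Returns 'match', 'mismatch' or 'unknown' (no plain-text entry for the host)."""
    for line in known_hosts_text.splitlines():
        parsed = parse_pubkey_line(line)
        if parsed and parsed[0] and host in parsed[0]:
            return "match" if fingerprint_sha256(parsed[2]) == expected_sha256 else "mismatch"
    return "unknown"


def remove_host_entries(known_hosts_text, host):
    """Return (new_text, removed_count) with every plain-text entry for host dropped.
    This is the targeted alternative to deleting the whole file after a legitimate
    host-key change; ssh-keygen -R does the same and also handles hashed entries."""
    kept, removed = [], 0
    for line in known_hosts_text.splitlines():
        parsed = parse_pubkey_line(line)
        if parsed and parsed[0] and host in parsed[0]:
            removed += 1
            continue
        kept.append(line)
    return "\n".join(kept) + ("\n" if kept else ""), removed


if __name__ == "__main__":
    blob = parse_pubkey_line(SAMPLE_KNOWN_HOSTS.splitlines()[0])[2]
    print(embedded_keytype(blob), fingerprint_sha256(blob), fingerprint_md5(blob))
    print(remove_host_entries(SAMPLE_KNOWN_HOSTS, "192.168.75.100"))
```

The same values can be produced with the real tools for comparison: ssh-keygen -lf on a .pub file prints the SHA256 fingerprint, ssh-keygen -lf -E md5 prints the MD5 form, and ssh-keygen -R host removes a host's entries, including hashed ones, which the plain-text matcher above does not cover.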
Key-Pair Login
- ssh-keygen is the tool that generates key pairs. When it finishes it has produced a public key and a private key, both saved under ~/.ssh/ by default. Common options:
-t: key type to generate (rsa or dsa; default rsa)
-f: file in which to store the private key; the public key file name is the private key file name plus the .pub suffix (default id_rsa)
-P: passphrase for the private key, used to protect the private key (default empty)
-C: comment (default user@hostname)
- Files found under ~/.ssh/:
id_rsa: private key file
id_rsa.pub: public key file
authorized_keys: file holding client public keys
known_hosts: list of trusted servers whose public-key fingerprints have been confirmed
config: configuration file specifying which key to use for which host
- Note 1: since one machine can act as both client and server, both files exist side by side: authorized_keys (used on the server side) and known_hosts (used on the client side).
- Note 2: Linux is a multi-user system; if every user shares one key, permissions cannot be separated and users cannot be told apart. The config file can hold per-server settings, so that a different key file is used when connecting to each server. After generating the key pair on the client, append the public key to the server's authorized_keys file and key login is ready.
SSH Configuration File /etc/ssh/sshd_config
[root@server Desktop]# cat /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
# Change the default port; the default port is an easy target for attacks
Port 56565
#AddressFamily any
# Restrict the IP address sshd listens on
ListenAddress 192.168.75.110
#ListenAddress ::
# The default requires explicit activation of protocol 1
#Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Ciphers and keying
#RekeyLimit default none
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
# Forbid direct remote login as the root user
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#RSAAuthentication yes
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# In production, disabling password authentication is recommended
PasswordAuthentication no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox		# Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
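To confirm that edits like the ones above actually take effect, it helps to read the file the way sshd does: the first occurrence of a keyword wins, so a hardening line appended at the bottom is silently ignored if the keyword already appears earlier, keywords are case-insensitive, and directives after a Match line apply only conditionally. The following added example (not code from the original post or from OpenSSH) parses an sshd_config with those rules and reports which of the settings the listing changes are missing or wrong. Both configurations it inspects are constructed samples, and the expectation table is this example's own checklist, not an OpenSSH default table.

```python
# Checklist taken from the directives the listing above sets, plus X11Forwarding,
# which the listing leaves enabled. Keys are compared case-insensitively.
EXPECTED = {
    "permitrootlogin": ("no",),
    "passwordauthentication": ("no",),
    "challengeresponseauthentication": ("no",),
    "permitemptypasswords": ("no",),
    "pubkeyauthentication": ("yes",),
    "x11forwarding": ("no",),
}

# Constructed sample 1: the directives the listing sets, stated explicitly, plus a Match block.
HARDENED = """\
Port 56565
ListenAddress 192.168.75.110
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding no
Match User anoncvs
    X11Forwarding no
    PermitTTY no
"""

# Constructed sample 2: a stock-looking file where 'PermitRootLogin no' was appended at
# the end; sshd ignores it because an earlier line already set the keyword.
WEAK = """\
#Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
PermitRootLogin no
"""


def parse_sshd_config(text):
    """Return (global_settings, match_blocks).

    global_settings maps lower-cased keyword -> first value seen (later lines do not
    override); match_blocks is a list of (match criteria, settings) for each Match
    block, since those directives apply only when the criteria are met."""
    settings, match_blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            match_blocks.append((value, current))
            continue
        target = settings if current is None else current
        target.setdefault(key, value)      # first occurrence wins
    return settings, match_blocks


def audit_sshd_config(text):
    """Return a list of findings for the global settings; empty means all checks pass."""
    settings, _ = parse_sshd_config(text)
    findings = []
    for key, allowed in EXPECTED.items():
        value = settings.get(key)
        if value is None:
            findings.append(f"{key}: not set explicitly, relies on the compiled-in default")
        elif value.lower() not in allowed:
            findings.append(f"{key}: is '{value}', expected {' or '.join(allowed)}")
    # Port may legitimately appear more than once; only the first value is inspected here.
    if settings.get("port", "22") == "22":
        findings.append("port: 22 (the listing moves sshd to a non-default port)")
    if "listenaddress" not in settings:
        findings.append("listenaddress: not set, sshd listens on every interface")
    return findings


if __name__ == "__main__":
    for name, text in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit_sshd_config(text) or "no findings")
```

After editing the real file, sshd -t (syntax check) and sshd -T (print the effective configuration) give the authoritative answer; the parser above is a reviewer's approximation of the first-match rule, not a replacement for those.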
SSH Configuration Lab
Lab Environment Setup
Two Linux hosts, configured with different host names:
- Set the client's host name to client and the server's host name to server.
- hostnamectl set-hostname client (on the server: hostnamectl set-hostname server)
Temporarily disable the protection services:
- Temporarily stop the firewall: systemctl stop firewalld.service
- Temporarily disable SELinux: setenforce 0
Permanently disable the protection services:
- Keep the firewall from starting at boot: systemctl disable firewalld.service
- Permanently disable SELinux: sed -i '7s/enforcing/disabled/' /etc/selinux/config
Key-Pair Login Lab
Key-pair login between Linux hosts
- Generate the key pair on the client (the server's key pair is generated automatically): ssh-keygen
[root@client ~]# ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):    # asks where to save the key
Enter passphrase (empty for no passphrase):    # whether to encrypt the key file
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:UG8+3mI5mgGGqZTeJ9lb23jXaDRW6n2jNVAqOq/gGFE root@client
The key's randomart image is:
+---[RSA 2048]----+
| . |
| . . |
| .E o . |
| . o.. o + |
| o o.o S o. = |
| o o +.. ..+* . |
| o +.o.oo*+.= o |
| o+o.O+o= +.o|
| ...=oo+ ....|
+----[SHA256]-----+
- Upload the public key file to the server: ssh-copy-id username@IP-address (the username must be the one used to log in to the server)
ssh-copy-id letty@192.168.75.100 uploads the public key file to the server and appends it to the server-side authorized_keys file; comparing the client and the server shows that the public key files are identical.
[letty@server ~]$ cd .ssh/
[letty@server .ssh]$ ll
total 4
-rw------- 1 letty letty 393 Aug 19 20:45 authorized_keys
[letty@server .ssh]$ cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5Kz71FY5uTNlf1lMTdJ9IE5XIml7e6oU7+RaybGXkfFUHtz9aLMDmKn6Ozl5uEuXUs/9g1QHtxLAthn7tEPeWzR6fvHjOUOG6q6CHV41/2eu1iY4JVm3Sk1bkAcU8Ups0gn5wW6a9Rz0iMZwi6AfhQiRBUAsELxuM5OLM5ahmGXJMnkzbxNYN+DMEMmeC7Q7+nr98g/J6bmnftTMvAu7RBlFXw6ZaY9jpcm8xyeW6VqJZHFGl0uRfGT0Y8q0GrBuAj58PDd4MWavF+bJisf3OMwUYMwL0+Lv9RNbjFG8603Yen3iQZBWEvJmg9+mkzzACMzDslutfQ1OQfwwoFQ2p root@client
[root@client .ssh]# cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5Kz71FY5uTNlf1lMTdJ9IE5XIml7e6oU7+RaybGXkfFUHtz9aLMDmKn6Ozl5uEuXUs/9g1QHtxLAthn7tEPeWzR6fvHjOUOG6q6CHV41/2eu1iY4JVm3Sk1bkAcU8Ups0gn5wW6a9Rz0iMZwi6AfhQiRBUAsELxuM5OLM5ahmGXJMnkzbxNYN+DMEMmeC7Q7+nr98g/J6bmnftTMvAu7RBlFXw6ZaY9jpcm8xyeW6VqJZHFGl0uRfGT0Y8q0GrBuAj58PDd4MWavF+bJisf3OMwUYMwL0+Lv9RNbjFG8603Yen3iQZBWEvJmg9+mkzzACMzDslutfQ1OQfwwoFQ2p root@client
- Try logging in to the server from the client: ssh username@IP-address
[root@client .ssh]# ssh letty@192.168.75.100
Last login: Wed Aug 19 20:47:54 2020 from 192.168.75.197
[letty@server ~]$
Note: key-pair authentication takes priority over account/password authentication.
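What ssh-copy-id does on the server side, and why the listing above shows authorized_keys with mode -rw-------: the following added example (not code from the original post or from OpenSSH) appends a public key to a user's authorized_keys only if the same key is not already there, and sets the directory and file permissions that sshd's StrictModes checks before it accepts keys from the file. It runs in a throw-away temporary home directory, and the key line it installs is a constructed placeholder, not a real key.

```python
import os
import stat
import tempfile


def key_identity(pubkey_line):
    """(key type, base64 blob) identifies a key; the trailing comment is ignored,
    so the same key re-copied with a different comment is not added twice."""
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("not a public key line: %r" % pubkey_line)
    return parts[0], parts[1]


def install_public_key(home, pubkey_line):
    """Append pubkey_line to <home>/.ssh/authorized_keys unless it is already present,
    and enforce the permissions StrictModes expects (.ssh 0700, authorized_keys 0600).
    Returns True if the key was appended, False if it was already installed."""
    ssh_dir = os.path.join(home, ".ssh")
    auth_file = os.path.join(ssh_dir, "authorized_keys")
    os.makedirs(ssh_dir, exist_ok=True)
    os.chmod(ssh_dir, 0o700)            # makedirs is subject to umask, so set the mode explicitly
    wanted = key_identity(pubkey_line)
    installed = []
    if os.path.exists(auth_file):
        with open(auth_file) as fh:
            installed = [l for l in fh.read().splitlines() if l.strip() and not l.startswith("#")]
    added = False
    if all(key_identity(l) != wanted for l in installed):
        with open(auth_file, "a") as fh:
            fh.write(pubkey_line.strip() + "\n")
        added = True
    os.chmod(auth_file, 0o600)          # group/world-readable or -writable files are rejected
    return added


def mode_of(path):
    """Permission bits of a path as an int, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Install the same key twice (the second time with a different comment) in a scratch
    home directory and report what happened. The key blob is a constructed placeholder."""
    key = "ssh-ed25519 AAAAC3PLACEHOLDERblobNotARealKey root@client"
    with tempfile.TemporaryDirectory() as home:
        first = install_public_key(home, key)
        second = install_public_key(home, key.replace("root@client", "root@client-laptop"))
        auth_file = os.path.join(home, ".ssh", "authorized_keys")
        with open(auth_file) as fh:
            lines = [l for l in fh.read().splitlines() if l.strip()]
        return {
            "first": first,
            "second": second,
            "lines": len(lines),
            "file_mode": mode_of(auth_file),
            "dir_mode": mode_of(os.path.join(home, ".ssh")),
        }


if __name__ == "__main__":
    print(demo())
```

When key login unexpectedly falls back to the password prompt, the permissions are the first thing to check: with StrictModes enabled (the default), sshd refuses keys from an authorized_keys file or .ssh directory that is writable by anyone other than the owner, and the reason is logged by sshd rather than shown to the client.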
Key-pair login between Windows and Linux
- Use Xshell's built-in key generation wizard to create the key pair: Tools -> New User Key Generation Wizard
- Copy the generated public key into the .ssh/authorized_keys file under the home directory of the server user
- Try logging in to the server from the client: ssh username@IP-address
Reference blogs:
https://blog.csdn.net/ch717828/article/details/49824591
https://blog.csdn.net/weixin_42616506/article/details/97262632