1. SSH Overview
SSH (Secure Shell) is a network protocol for transferring data securely over an insecure network. It is commonly used for remote login and remote server administration, as well as for running commands and uploading and downloading files. The most widely used version is SSHv2, which repaired and upgraded the algorithms and fixed the known security flaws of SSHv1. SSHv2 uses stronger cryptographic algorithms such as AES (Advanced Encryption Standard) and SHA-2, giving better protection for the confidentiality and integrity of data in transit.
2. SSH Authentication Methods
SSH provides two authentication methods, password authentication and key authentication. Both rely on asymmetric encryption: the public key encrypts and the private key decrypts.
2.1 Password Authentication
On RHEL-family Linux distributions the SSH server and client are installed by default together with the system. This article uses Rocky Linux 8.9 as the example.
[redhat@server1 ~]$ rpm -qa | grep ssh
libssh-config-0.9.6-10.el8_8.noarch
libssh-0.9.6-10.el8_8.x86_64
openssh-8.0p1-19.el8_8.x86_64
qemu-kvm-block-ssh-6.2.0-40.module+el8.9.0+1567+092638a5.1.x86_64
openssh-clients-8.0p1-19.el8_8.x86_64
openssh-server-8.0p1-19.el8_8.x86_64
openssh-askpass-8.0p1-19.el8_8.x86_64
The configuration file /etc/ssh/sshd_config comes from the openssh-server package, and /etc/ssh/ssh_config comes from the openssh-clients package.
[redhat@server1 ~]$ rpm -qf /etc/ssh/sshd_config
openssh-server-8.0p1-19.el8_8.x86_64
[redhat@server1 ~]$ rpm -qf /etc/ssh/ssh_config
openssh-clients-8.0p1-19.el8_8.x86_64
The server listens on port 22/tcp by default for connections from remote clients.
[root@server1 ~]# ss -tulnp | grep ssh
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1087,fd=3))
tcp LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=1087,fd=4))
When server1 acts as a client and connects to the server server2, the client sends a connection request and the server returns its host public key (the host fingerprint information; by default the ECDSA public key is sent). In the home directory of the current user on server1 a hidden directory .ssh is created, containing a file known_hosts that records the server's host public key. On the first connection to a server, ssh asks whether to proceed; entering yes adds the host public key to known_hosts, one host key per line.
ECDSA (Elliptic Curve Digital Signature Algorithm) is a digital signature algorithm based on elliptic curve cryptography. An ECDSA public key verifies the integrity and origin of a message, and such signatures cannot be forged. ECDSA public keys play an important role in encrypted communication, digital signatures and authentication.
[redhat@server1 ~]$ ssh redhat@server2 # log in to server2 as user redhat
The authenticity of host 'server2 (10.0.0.20)' can't be established.
ECDSA key fingerprint is SHA256:ZsEAsnZhJfrxWP+sm8tpgJ9SLeMYsfth1QFZfWWM4DM.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes # confirm the connection
Warning: Permanently added 'server2,10.0.0.20' (ECDSA) to the list of known hosts.
redhat@server2's password: # enter the password of user redhat
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Sun Jan 7 21:20:38 2024
[redhat@server2 ~]$
[redhat@server2 ~]$ exit # log out
logout
Connection to server2 closed.
[redhat@server1 ~]$ ls -a
. .. .bash_history .bash_logout .bash_profile .bashrc .cache .config Desktop Documents Downloads .esd_auth .ICEauthority .local Music Pictures .pki Public .ssh Templates Videos .viminfo
[redhat@server1 ~]$ cd .ssh
[redhat@server1 .ssh]$ ls
known_hosts
[redhat@server1 .ssh]$ cat known_hosts # view the recorded host public key
server2,10.0.0.20 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPM9RVD8+MWIZaPI9k1oGFRzRDLI7VVTT6VWfikF55HlsvUPiVqJ9JQNNedM8n76+PLfqcv2OTp5dr5p8eyJ26s=
The host public key is stored on the server in /etc/ssh/ssh_host_ecdsa_key.pub and matches the one recorded on server1.
[redhat@server2 ssh]$ pwd
/etc/ssh
[redhat@server2 ssh]$ ls
moduli ssh_config ssh_config.d sshd_config ssh_host_ecdsa_key ssh_host_ecdsa_key.pub ssh_host_ed25519_key ssh_host_ed25519_key.pub ssh_host_rsa_key ssh_host_rsa_key.pub
[redhat@server2 ssh]$ cat ssh_host_ecdsa_key.pub
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPM9RVD8+MWIZaPI9k1oGFRzRDLI7VVTT6VWfikF55HlsvUPiVqJ9JQNNedM8n76+PLfqcv2OTp5dr5p8eyJ26s=
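The comparison an administrator should make out of band before answering yes is between the fingerprint ssh prints and the server's own host key file. The following Python script is an added example, not code from the article: it recomputes the SHA256 fingerprint from a public key line and checks the entry recorded in known_hosts for a host against the server's key. The server2 key is the one printed above; the server3 entry is constructed.

```python
# Added example (not from the article): recompute the fingerprint ssh prints at first
# connection and compare a known_hosts entry with the server's own host key file.
import base64
import hashlib

# server2's ECDSA host public key, copied from /etc/ssh/ssh_host_ecdsa_key.pub above
SERVER2_HOST_KEY = (
    "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPM9RVD8"
    "+MWIZaPI9k1oGFRzRDLI7VVTT6VWfikF55HlsvUPiVqJ9JQNNedM8n76+PLfqcv2OTp5dr5p8eyJ26s="
)

# Constructed known_hosts content: server2's real entry plus a made-up server3 entry
KNOWN_HOSTS = (
    "server2,10.0.0.20 " + SERVER2_HOST_KEY + "\n"
    "# comments and blank lines are ignored by sshd and by this parser\n\n"
    "server3,10.0.0.30 ssh-ed25519 " + base64.b64encode(b"\x00" * 51).decode() + "\n"
)

def fingerprint(pubkey_line):
    """SHA256 fingerprint of a '<keytype> <base64 blob> [comment]' line, in the
    'SHA256:<base64 without padding>' form printed by ssh and by ssh-keygen -l."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("not a public key line: %r" % pubkey_line)
    digest = hashlib.sha256(base64.b64decode(fields[1])).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text):
    """Yield (hostnames, keytype, blob) for each plain known_hosts entry."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):      # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 3 or fields[0].startswith("|1|"):
            continue                       # malformed, or hashed (HashKnownHosts yes)
        yield fields[0].split(","), fields[1], fields[2]

def lookup(known_hosts, host):
    """(keytype, fingerprint) of the first entry that lists host, or None."""
    for hosts, keytype, blob in parse_known_hosts(known_hosts):
        if host in hosts:
            return keytype, fingerprint(keytype + " " + blob)
    return None

def matches_server_key(known_hosts, host, server_pubkey_line):
    """True when the key recorded for host is the server's own host key."""
    entry = lookup(known_hosts, host)
    return entry is not None and entry[1] == fingerprint(server_pubkey_line)

if __name__ == "__main__":
    print("server2 fingerprint:", fingerprint(SERVER2_HOST_KEY))
    print("known_hosts entry matches host key file:",
          matches_server_key(KNOWN_HOSTS, "server2", SERVER2_HOST_KEY))
```

The printed value is what to compare with the fingerprint ssh shows at the first-connection prompt; hashed entries (HashKnownHosts yes) are skipped here and can be looked up with ssh-keygen -F instead.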
2.2 Key Authentication
On the client, generate a key pair with the ssh-keygen command. By default it is saved in the .ssh directory of the current user's home directory: id_rsa is the private key and id_rsa.pub is the public key.
[redhat@server1 .ssh]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/redhat/.ssh/id_rsa): # press Enter to save to the default location
Enter passphrase (empty for no passphrase): # press Enter to leave the private key unencrypted
Enter same passphrase again: # press Enter
Your identification has been saved in /home/redhat/.ssh/id_rsa.
Your public key has been saved in /home/redhat/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:4doch1q1RJTZA0+fDoSC8lBjdUraDGi8Kqur0l3QD2M redhat@server1
The key's randomart image is:
+---[RSA 3072]----+
| . o=oo.=*o |
| *..B.+++o. . |
| . *. =.o o.o |
| o E. = . o |
| . o +S o . |
|. . .*.o |
| + . .o o |
|o . . |
|B. |
+----[SHA256]-----+
[redhat@server1 .ssh]$ ls
id_rsa id_rsa.pub known_hosts
The client sends the generated public key to the server (the ssh-copy-id command sends the public key to a specified user on the server; remember that only the user the public key was sent to can then log in without a password, not every user on the machine). By default it is stored in the .ssh/authorized_keys file in the home directory of that user, one public key per line.
[redhat@server1 .ssh]$ ssh-copy-id -f -i id_rsa.pub redhat@server2
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "id_rsa.pub"
redhat@server2's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'redhat@server2'"
and check to make sure that only the key(s) you wanted were added.
[redhat@server1 .ssh]$ ssh redhat@server2 # once the public key is on the server, login works without a password
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Sun Jan 7 22:10:43 2024 from 10.0.0.10
[redhat@server2 ~]$ cd .ssh
[redhat@server2 .ssh]$ ls
authorized_keys
[redhat@server2 .ssh]$ cat authorized_keys
ssh-rsa <key body omitted> redhat@server1
[redhat@server2 .ssh]$ exit
logout
Connection to server2 closed.
[redhat@server1 .ssh]$ ls
id_rsa id_rsa.pub known_hosts
[redhat@server1 .ssh]$ cat id_rsa.pub
ssh-rsa <key body omitted> redhat@server1
Key authentication process:
- The client sends a connection request.
- On receiving it, the server checks whether the user's .ssh/authorized_keys file contains a stored public key. If it does, the server encrypts a random string with the client's public key and sends it to the client.
- The client decrypts it with its own private key to recover the random string, encrypts that string with the server's public key and sends it back to the server for verification.
- The server decrypts the ciphertext with its private key and compares the result with the random string it generated; if they match the login succeeds, otherwise it fails.
Note: the private key must not have overly permissive permissions (the default is 600; whoever generates it keeps it). Nobody other than the user who generated the key, not even that user's group, may have read access to it.
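The permission rule in the note above can be checked mechanically. The script below is an added example, not part of the article: it audits a .ssh directory for a private key readable by anyone but its owner, and for a directory or key file that others could modify (sshd's default StrictModes refuses an authorized_keys file in that state). A constructed temporary directory stands in for the real home directory so it runs anywhere.

```python
# Added example (not from the article): audit a ~/.ssh directory for the permission
# problems the note above warns about; a constructed temporary directory is used.
import os
import stat
import tempfile

GROUP_OR_OTHER = stat.S_IRWXG | stat.S_IRWXO
GROUP_OR_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH

def is_private_key(path):
    """OpenSSH and PEM private keys start with '-----BEGIN ... PRIVATE KEY-----'."""
    with open(path, "rb") as fh:
        first = fh.readline()
    return first.startswith(b"-----BEGIN") and b"PRIVATE KEY" in first

def ssh_permission_findings(ssh_dir, uid=None):
    """Return a list of problems; an empty list means the layout is sound."""
    uid = os.getuid() if uid is None else uid
    findings = []
    st = os.stat(ssh_dir)
    if st.st_uid != uid:
        findings.append("%s: not owned by uid %d" % (ssh_dir, uid))
    if st.st_mode & GROUP_OR_OTHER:
        findings.append("%s: mode %o, expected 700" % (ssh_dir, stat.S_IMODE(st.st_mode)))
    for name in sorted(os.listdir(ssh_dir)):
        path = os.path.join(ssh_dir, name)
        if not os.path.isfile(path):
            continue
        st = os.stat(path)
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid != uid:
            findings.append("%s: not owned by uid %d" % (path, uid))
        if is_private_key(path):
            if mode & GROUP_OR_OTHER:   # only the generating user may read it
                findings.append("%s: private key mode %o, expected 600" % (path, mode))
        elif mode & GROUP_OR_OTHER_WRITE:
            # sshd's default StrictModes refuses authorized_keys that others can write
            findings.append("%s: mode %o is group/world writable" % (path, mode))
    return findings

def demo():
    """Constructed .ssh directory: a 644 private key, then the same key fixed to 600."""
    with tempfile.TemporaryDirectory() as tmp:
        ssh_dir = os.path.join(tmp, ".ssh")
        os.mkdir(ssh_dir)
        os.chmod(ssh_dir, 0o700)
        key = os.path.join(ssh_dir, "id_rsa")
        with open(key, "w") as fh:  # placeholder content, not a real key
            fh.write("-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n"
                     "-----END OPENSSH PRIVATE KEY-----\n")
        os.chmod(key, 0o644)        # readable by group and others: the mistake to catch
        before = ssh_permission_findings(ssh_dir)
        os.chmod(key, 0o600)        # what ssh-keygen sets by default
        return before, ssh_permission_findings(ssh_dir)

if __name__ == "__main__":
    before, after = demo()
    print("before fix:", before)
    print("after fix:", after)
```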
3. Authentication with an Encrypted Private Key
Again with server1 as the client, delete the key pair generated in section 2.2 and generate a new one, this time encrypting the private key.
[redhat@server1 .ssh]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/redhat/.ssh/id_rsa): # press Enter
Enter passphrase (empty for no passphrase): # enter the passphrase redhat
Enter same passphrase again: # enter the passphrase again
Your identification has been saved in /home/redhat/.ssh/id_rsa.
Your public key has been saved in /home/redhat/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:Qv3GypmjNlrCIZhy6sTwFfHBwIraF6AeQ7wgvoLovRI redhat@server1
The key's randomart image is:
+---[RSA 3072]----+
|. .oo. |
|oo. .o.o |
|=o.o. o . |
|oB. .o o |
|X.* o.. S + |
|OE.+.. o = |
|+o+.o . * |
|oo . oo. . |
| ...oo.. |
+----[SHA256]-----+
[redhat@server1 .ssh]$ ls
id_rsa id_rsa.pub known_hosts
On the server server2, delete the public key imported in section 2.2; the file can simply be removed.
[redhat@server2 ssh]$ cd ~/.ssh
[redhat@server2 .ssh]$ ls
authorized_keys
[redhat@server2 .ssh]$ rm authorized_keys
Import the public key to the server again.
[redhat@server1 .ssh]$ ssh-copy-id -f -i id_rsa.pub redhat@server2
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "id_rsa.pub"
redhat@server2's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'redhat@server2'"
and check to make sure that only the key(s) you wanted were added.
When logging in to server2, the passphrase redhat that was used to encrypt the key must now be entered.
[redhat@server1 .ssh]$ ssh redhat@server2
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Sun Jan 7 22:40:06 2024 from 10.0.0.10
[redhat@server2 ~]$
If the private key is not in the default location, specify it with the -i option.
[redhat@server1 .ssh]$ mv id_rsa /tmp/
[redhat@server1 .ssh]$ ssh -i /tmp/id_rsa redhat@server2
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Sun Jan 7 23:00:41 2024 from 10.0.0.10
[redhat@server2 ~]$
4. Connecting from a Windows Client
On a Windows client, generate a key pair with PowerShell.
Send the public key to the server.
Import the public key on the server.
[redhat@server2 ~]$ ls
Desktop Documents Downloads id_rsa.pub Music Pictures Public Templates Videos
[redhat@server2 ~]$ ssh-copy-id -f -i id_rsa.pub redhat@localhost
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "id_rsa.pub"
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is SHA256:ZsEAsnZhJfrxWP+sm8tpgJ9SLeMYsfth1QFZfWWM4DM.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
redhat@localhost's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'redhat@localhost'"
and check to make sure that only the key(s) you wanted were added.
On the Windows client, open Xshell, click Tools --> User Key Manager --> Import, and select the private key just generated.
Connect to the server and choose Accept & Save or Accept Once.
Select the imported key as the user key; if the private key was not encrypted, no passphrase is required.
Click OK and the login succeeds.
SecureCRT works the same way.
5. SSH Key Custody with ssh-agent
The SSH key custody feature temporarily loads the encrypted private key into a shell so that other users can use that shell for a while; ssh connections started from that shell are not subject to the private key passphrase.
For example: a server in your company's machine room has failed and an operations engineer has to be called on site to repair it. As the machine room administrator you do not want to disclose the private key passphrase, so you can use the ssh key custody feature.
First, on server1, log in to server2 once with the encrypted private key file; the key passphrase must be entered.
[redhat@server1 ~]$ ps -aux | grep ssh # list the ssh-related processes on the system
root 1087 0.0 0.1 76652 7072 ? Ss 21:19 0:00 /usr/sbin/sshd -D [email protected],[email protected],aes256-ctr,aes256-cbc,[email protected],aes128-ctr,aes128-cbc [email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha1,[email protected],hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,[email protected],ecdsa-sha2-nistp384,[email protected],ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-256,[email protected],rsa-sha2-512,[email protected],ssh-rsa,[email protected] -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,[email protected],ecdsa-sha2-nistp384,[email protected],ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-256,[email protected],rsa-sha2-512,[email protected],ssh-rsa,[email protected] -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa
redhat 5926 0.0 0.0 221940 1204 pts/0 S+ 23:42 0:00 grep --color=auto ssh
[redhat@server1 ~]$ ssh -i /tmp/id_rsa redhat@server2
sign_and_send_pubkey: signing failed: agent refused operation
Enter passphrase for key '/tmp/id_rsa': # enter the private key passphrase
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Sun Jan 7 23:25:27 2024 from 10.0.0.1
[redhat@server2 ~]$ exit
logout
Connection to server2 closed.
[redhat@server1 ~]$ ps -aux | grep ssh # a new process with PID 5984 has appeared
root 1087 0.0 0.1 76652 7072 ? Ss 21:19 0:00 /usr/sbin/sshd -D [email protected],[email protected],aes256-ctr,aes256-cbc,[email protected],aes128-ctr,aes128-cbc [email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha1,[email protected],hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,[email protected],ecdsa-sha2-nistp384,[email protected],ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-256,[email protected],rsa-sha2-512,[email protected],ssh-rsa,[email protected] -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,[email protected],ecdsa-sha2-nistp384,[email protected],ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-256,[email protected],rsa-sha2-512,[email protected],ssh-rsa,[email protected] -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa
redhat 5984 0.0 0.1 27460 4448 ? S 23:43 0:00 /usr/bin/ssh-agent -D -a /run/user/1000/keyring/.ssh
redhat 6010 0.0 0.0 221940 1188 pts/0 S+ 23:44 0:00 grep --color=auto ssh
Start the ssh agent with bash as its shell program, and add the private key, entering its passphrase.
[redhat@server1 ~]$ ssh-agent bash
[redhat@server1 ~]$ ssh-add /tmp/id_rsa # if the private key is in the default location, the path and file name can be omitted
Enter passphrase for /tmp/id_rsa: # enter the private key passphrase
Identity added: /tmp/id_rsa (redhat@server1)
[redhat@server1 ~]$ ps -aux | grep ssh
root 1087 0.0 0.1 76652 7072 ? Ss 21:19 0:00 /usr/sbin/sshd -D [email protected],[email protected],aes256-ctr,aes256-cbc,[email protected],aes128-ctr,aes128-cbc [email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha1,[email protected],hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,[email protected],ecdsa-sha2-nistp384,[email protected],ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-256,[email protected],rsa-sha2-512,[email protected],ssh-rsa,[email protected] -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,[email protected],ecdsa-sha2-nistp384,[email protected],ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-256,[email protected],rsa-sha2-512,[email protected],ssh-rsa,[email protected] -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa
redhat 5984 0.0 0.1 27460 4448 ? S 23:43 0:00 /usr/bin/ssh-agent -D -a /run/user/1000/keyring/.ssh
redhat 6052 0.0 0.0 27460 520 ? Ss 23:46 0:00 ssh-agent bash
redhat 6109 0.0 0.0 221940 1140 pts/0 S+ 23:48 0:00 grep --color=auto ssh
In this shell, connect to server2 again: the private key passphrase is not required. This is effective only in the current shell.
[redhat@server1 ~]$ ssh redhat@server2
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Sun Jan 7 23:43:45 2024 from 10.0.0.10
And the private key passphrase is held in an environment variable:
[redhat@server1 ~]$ set | grep SSH_AUTH
SSH_AUTH_SOCK=/tmp/ssh-DHAuNDxwFFp4/agent.2714
[redhat@server1 ~]$ su -
Password:
Last login: Sun Jan 7 23:31:33 CST 2024 on pts/0
[root@server1 ~]# cat /tmp/ssh-DHAuNDxwFFp4/agent.2714 # even the root user cannot read the content of this file
cat: /tmp/ssh-DHAuNDxwFFp4/agent.2714: No such device or address
[root@server1 ~]# ls -l /tmp/ssh-DHAuNDxwFFp4/agent.2714
srw-------. 1 redhat redhat 0 Jan 8 00:06 /tmp/ssh-DHAuNDxwFFp4/agent.2714
[root@server1 ~]# file /tmp/ssh-DHAuNDxwFFp4/agent.2714
/tmp/ssh-DHAuNDxwFFp4/agent.2714: socket
[root@server1 ~]# exit # leave the root session
logout
[redhat@server1 ~]$ exit # leave the ssh-agent shell
exit
[redhat@server1 ~]$
[redhat@server1 ~]$ ssh redhat@server2 # logging in to server2 again now requires the password
redhat@server2's password:
[redhat@server1 ~]$ ssh -i /tmp/id_rsa redhat@server2
Enter passphrase for key '/tmp/id_rsa':
6. SSH Security Configuration
6.1 Change the Port the Service Listens On
The ssh configuration files live in the /etc/ssh directory: sshd_config is the server configuration file and ssh_config is the client configuration file. The default remote port is 22; it is recommended to change it to another, less commonly used port, for example 7322. Edit /etc/ssh/sshd_config, find the line that sets the port, uncomment it and change the default 22 to 7322.
Configure the SELinux policy to allow the ssh service to listen on port 7322.
[root@server2 ~]# semanage port -l | grep ssh
ssh_port_t tcp 22
[root@server2 ~]# semanage port -a -t ssh_port_t -p tcp 7322 # add port 7322 to the ssh_port_t type
[root@server2 ~]# semanage port -l | grep ssh
ssh_port_t tcp 7322, 22
Restart the ssh service for the change to take effect.
[root@server2 ~]# systemctl restart sshd.service
[root@server2 ~]# ss -tulnp | grep ssh
tcp LISTEN 0 128 0.0.0.0:7322 0.0.0.0:* users:(("sshd",pid=3169,fd=3))
tcp LISTEN 0 128 [::]:7322 [::]:* users:(("sshd",pid=3169,fd=4))
Configure the firewalld firewall to allow port tcp/7322.
[root@server2 ~]# firewall-cmd --add-port=7322/tcp
success
[root@server2 ~]# firewall-cmd --runtime-to-permanent
success
Test the connection from the client with the ssh command, specifying the port with the -p option.
[redhat@server1 ~]$ ssh -p 7322 redhat@server2
redhat@server2's password:
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Mon Jan 8 11:19:32 2024
[redhat@server2 ~]$ # login successful
6.2 Change the IP Address the Service Listens On
In production, servers often have several network interfaces. To separate business traffic from management traffic, the ssh service can be configured to listen only on the IP address of the management interface. Edit /etc/ssh/sshd_config and change the default listening address 0.0.0.0 (which matches the IP of any interface) to the IP address of server2's management interface, 10.0.0.20: find the line that sets the listening address, uncomment it, and change the default 0.0.0.0 to 10.0.0.20.
Restart the service for the change to take effect.
[root@server2 ~]# systemctl restart sshd.service
[root@server2 ~]# ss -tulnp | grep ssh
tcp LISTEN 0 128 10.0.0.20:7322 0.0.0.0:* users:(("sshd",pid=3413,fd=3))
Test the connection from the client.
[redhat@server1 ~]$ ssh -p 7322 redhat@10.0.0.20
redhat@10.0.0.20's password:
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Mon Jan 8 11:42:12 2024 from 10.0.0.10
[redhat@server2 ~]$ # login successful
6.3 Disable root Login
Edit /etc/ssh/sshd_config and find the line controlling root login; its default value is yes, change it to no. On the Ubuntu distribution the default value of this item is no.
Restart the service for the change to take effect.
[root@server2 ~]# systemctl restart sshd.service
Test from the client: first log in as root, then as a normal user.
[redhat@server1 ~]$ ssh -p 7322 root@10.0.0.20
root@10.0.0.20's password: # enter the root password
Permission denied, please try again. # permission denied
root@10.0.0.20's password:
[redhat@server1 ~]$ ssh -p 7322 redhat@10.0.0.20
redhat@10.0.0.20's password:
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Mon Jan 8 11:54:39 2024 from 10.0.0.10
[redhat@server2 ~]$ su - # the normal user logged in; root cannot log in directly, but a normal user can still switch to root
Password:
Last login: Mon Jan 8 11:27:56 CST 2024 on pts/0
Last failed login: Mon Jan 8 11:59:51 CST 2024 from 10.0.0.10 on ssh:notty
There was 1 failed login attempt since the last successful login.
[root@server2 ~]#
6.4 Allow Key Login Only
Edit /etc/ssh/sshd_config and find the line controlling password authentication; its default value is yes, change it to no.
Restart the service for the change to take effect.
[root@server2 ~]# systemctl restart sshd.service
Test from the client: first with password authentication, then with key authentication.
[redhat@server1 ~]$ ssh -p 7322 redhat@10.0.0.20
redhat@10.0.0.20: Permission denied (publickey,gssapi-keyex,gssapi-with-mic). # permission denied
[redhat@server1 ~]$
[redhat@server1 ~]$ ssh -p 7322 -i /tmp/id_rsa redhat@10.0.0.20
Enter passphrase for key '/tmp/id_rsa': # enter the key passphrase
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Mon Jan 8 12:00:06 2024 from 10.0.0.10
[redhat@server2 ~]$ # login successful
6.5 Allow Login with an Empty Password
First revert the setting from section 6.4 so that password authentication is allowed again, then find the line controlling empty-password login, uncomment it, and change the default no to yes.
Restart the service for the change to take effect.
[root@server2 ~]# systemctl restart sshd.service
Test from the client, entering no password when prompted.
[redhat@server1 ~]$ ssh -p 7322 redhat@10.0.0.20
redhat@10.0.0.20's password:
Permission denied, please try again. # permission denied, login failed
redhat@10.0.0.20's password:
Permission denied, please try again.
redhat@10.0.0.20's password:
Because the redhat user on server2 has a password set, create another user, lisi.
[root@server2 ~]# useradd lisi
Start the connection test again from the client server1.
[redhat@server1 ~]$ ssh -p 7322 lisi@10.0.0.20
lisi@10.0.0.20's password:
Permission denied, please try again. # still fails
lisi@10.0.0.20's password:
Although no password was configured when lisi was created, on RHEL 8 that account's password is actually in a locked state rather than empty.
Edit /etc/shadow directly, remove lisi's password field, then save and exit; when editing with vim use :wq! to force the save.
Test the connection from the client again.
[redhat@server1 ~]$ ssh -p 7322 lisi@10.0.0.20
Activate the web console with: systemctl enable --now cockpit.socket
Last failed login: Mon Jan 8 12:17:40 CST 2024 from 10.0.0.10 on ssh:notty
There was 1 failed login attempt since the last successful login.
[lisi@server2 ~]$ # logged in directly without entering a password
6.6 Set the Maximum Number of Retries or Failures and the Maximum Number of Sessions
Edit /etc/ssh/sshd_config and find the following two configuration items; set them as needed to improve the security of the ssh service and raise the cost of password cracking.
Setting | Purpose
MaxAuthTries 6 | default maximum number of authentication retries or failures
MaxSessions 10 | default maximum number of open sessions
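The items of sections 6.1 to 6.6 can be checked together against a copy of sshd_config. The script below is an added example, not code from the article: it reads the global section the way sshd does (keywords are case-insensitive, the first occurrence of a keyword wins, and everything after a Match line is conditional and therefore skipped here) and reports which section's setting is still missing. The weak and hardened configurations are constructed samples, the MaxAuthTries limit of 3 is this example's own assumption, MaxSessions is left to local policy, and sshd -T on the host remains the authoritative source for the effective values.

```python
# Added example (not from the article): check sshd_config against the hardening items of
# sections 6.1 to 6.6. Reads the global section as sshd does: keywords are case-insensitive,
# the first occurrence wins, and a Match line ends the global section. The MaxAuthTries
# threshold of 3 is an assumption of this example; `sshd -T` gives the authoritative values.
import re

WEAK_CONFIG = """\
# constructed: the RHEL 8 shipped defaults as the article describes them
#Port 22
#ListenAddress 0.0.0.0
PermitRootLogin yes
PasswordAuthentication yes
#PermitEmptyPasswords no
#MaxAuthTries 6
"""

HARDENED_CONFIG = """\
# constructed: the settings of sections 6.1 to 6.6, with the section 6.5 experiment reverted
Port 7322
ListenAddress 10.0.0.20
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
"""

def parse_sshd_config(text):
    """Return {keyword_lowercase: first value} for the global section of sshd_config."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z0-9]+)\s*=?\s*(.*)", line)   # 'Key value' or 'Key=value'
        if not m:
            continue
        key, arg = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break                       # conditional block begins: stop here
        values.setdefault(key, arg)     # first occurrence wins, as in sshd
    return values

def audit(text):
    """Findings keyed by section number; an empty dict means every item passes."""
    cfg = parse_sshd_config(text)
    bad = {}
    if cfg.get("port", "22") == "22":
        bad["6.1"] = "sshd listens on the default port 22"
    if cfg.get("listenaddress", "0.0.0.0") in ("0.0.0.0", "::", "[::]"):
        bad["6.2"] = "sshd listens on every address; set ListenAddress to the management IP"
    if cfg.get("permitrootlogin", "yes").lower() != "no":   # RHEL 8 ships 'yes' explicitly
        bad["6.3"] = "PermitRootLogin is not no"
    if cfg.get("passwordauthentication", "yes").lower() != "no":
        bad["6.4"] = "PasswordAuthentication is not no; key-only login is not enforced"
    if cfg.get("permitemptypasswords", "no").lower() != "no":
        bad["6.5"] = "PermitEmptyPasswords is enabled"
    tries = cfg.get("maxauthtries", "6")
    if not tries.isdigit() or int(tries) > 3:
        bad["6.6"] = "MaxAuthTries is %s; this example expects at most 3" % tries
    return bad
```

Calling audit(open("/etc/ssh/sshd_config").read()) on the server lists the sections whose change has not been applied; audit(HARDENED_CONFIG) returns an empty dict.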
6.7 Have All Users on the Server Authenticate with the Same Public Key
Edit /etc/ssh/sshd_config and point AuthorizedKeysFile at a specific public key file; all users on the server then authenticate with that key.
[root@server2 ~]# mkdir /opt/ssh
[root@server2 ~]# mv ~redhat/.ssh/authorized_keys /opt/ssh/
[root@server2 ~]# systemctl restart sshd.service
Test from the client with two different users, specifying the same private key.
[redhat@server1 ~]$ ssh -i /tmp/id_rsa redhat@10.0.0.20
ssh: connect to host 10.0.0.20 port 22: Connection refused # port 22 is no longer open; the service listens on 7322
[redhat@server1 ~]$ ssh -p 7322 -i /tmp/id_rsa redhat@10.0.0.20
Enter passphrase for key '/tmp/id_rsa':
Activate the web console with: systemctl enable --now cockpit.socket
Last failed login: Mon Jan 8 12:13:52 CST 2024 from 10.0.0.10 on ssh:notty
There were 2 failed login attempts since the last successful login.
Last login: Mon Jan 8 12:08:05 2024 from 10.0.0.10
[redhat@server2 ~]$ exit
logout
Connection to 10.0.0.20 closed.
[redhat@server1 ~]$
[redhat@server1 ~]$ ssh -p 7322 -i /tmp/id_rsa lisi@10.0.0.20
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Mon Jan 8 12:24:04 2024 from 10.0.0.10
[lisi@server2 ~]$ exit
logout
Connection to 10.0.0.20 closed.