
SSH remote management and access control

Posted: 2023-04-22 23:03:48    Views: 36
Tags: key, access control, 100.10, alice, 192.168, SSH, remote management, root, ssh

Topology diagram:

[figure not included in this copy; alt text: "SSH remote management and access control: authentication". As the transcripts below show, centos01 (192.168.100.10) is the SSH server, centos02 (192.168.100.20) and centos03 (192.168.100.30) are the clients.]

Recommended steps:

  • Install the SSH server and client packages and enable the service at boot; configure password-based SSH authentication; harden the server by forbidding empty-password logins and moving the SSH port to 2222; create the users bob and tom on the server, allow client 192.168.100.20 to log in as bob and as root, and forbid tom from logging in from 192.168.100.20.
  • Configure non-interactive (key-based) SSH authentication so that Centos03 can reach the SSH server as root and as alice without a password prompt, and configure access control to block host 192.168.100.30 from reaching the SSH server.

Lab steps:

I. Install the SSH server, configure password authentication and restrict which users may log in

1. Mount the installation ISO and install the packages

(1) Mount the installation ISO

[root@centos01 ~]# mount /dev/cdrom /mnt
mount: /dev/sr0 is write-protected, mounting read-only
[root@centos01 ~]# ls /mnt
CentOS_BuildTag  EULA  images    LiveOS    repodata              RPM-GPG-KEY-CentOS-Testing-7
EFI              GPL   isolinux  Packages  RPM-GPG-KEY-CentOS-7  TRANS.TBL

(2) Install the server and client packages

[root@centos01 ~]# rpm -ivh /mnt/Packages/openssh-server-7.4p1-11.el7.x86_64.rpm 
warning: /mnt/Packages/openssh-server-7.4p1-11.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
Preparing...                          ################################# [100%]
	package openssh-server-7.4p1-11.el7.x86_64 is already installed
[root@centos01 ~]# rpm -ivh /mnt/Packages/openssh-clients-7.4p1-11.el7.x86_64.rpm 
warning: /mnt/Packages/openssh-clients-7.4p1-11.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
Preparing...                          ################################# [100%]
	package openssh-clients-7.4p1-11.el7.x86_64 is already installed

Both packages were already present, so these two commands change nothing. The NOKEY warning means rpm could not verify the package signatures because the CentOS signing key is not in its keyring; import it from the same medium first (rpm --import /mnt/RPM-GPG-KEY-CentOS-7) so that packages installed from this ISO are actually signature-checked.

(3) Enable the service at boot and start it

[root@centos01 ~]# systemctl enable sshd
[root@centos01 ~]# systemctl start sshd

2. Create the accounts used for authentication and set their passwords

(1) Create the accounts bob and tom

[root@centos01 ~]# useradd bob
[root@centos01 ~]# useradd tom

(2) Set passwords

[root@centos01 ~]# passwd bob
Changing password for user bob.
New password: 
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: 
passwd: all authentication tokens updated successfully.
[root@centos01 ~]# passwd tom
Changing password for user tom.
New password: 
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: 
passwd: all authentication tokens updated successfully.

root is allowed to override the pam_pwquality warning, which is why the short passwords are accepted. Since the server keeps password authentication enabled, these accounts are reachable by online guessing from any address that AllowUsers admits; the failed-login counter in step 4 shows what that looks like.

3. Configure the SSH server to control user access

(1) Edit the main sshd configuration file

[root@centos01 ~]# vim /etc/ssh/sshd_config
line 17: Port 2222
line 19: ListenAddress 192.168.100.10
line 37: LoginGraceTime 2m
line 38: PermitRootLogin yes
line 40: MaxAuthTries 6
line 41: MaxSessions 10
line 64: PermitEmptyPasswords no
line 65: PasswordAuthentication yes
line 115: UseDNS no
line 116: AllowUsers root@192.168.100.20 bob@192.168.100.20
line 117: DenyUsers tom@192.168.100.20

Notes on these settings:

  • PermitRootLogin has to stay at yes (the CentOS 7 default) for this lab: step 4 requires root to log in from 192.168.100.20 and the transcript there shows it succeeding, whereas with no sshd refuses root before the password is even checked. On a production host set it to no or prohibit-password.
  • PermitEmptyPasswords no is what the recommended steps ask for; yes would let any account whose password field is empty log in over the network.
  • The keyword is MaxAuthTries. sshd rejects the whole file on an unknown keyword, so a typo here makes the restart in the next step fail and leaves no daemon running; validate with sshd -t before restarting.
  • Once AllowUsers is present, every account that matches none of its patterns is denied, so the DenyUsers line for tom is redundant but harmless (sshd evaluates DenyUsers first, then AllowUsers). The user@host form ties each allowance to the client address 192.168.100.20.

(2) Restart the service and confirm the listening port

[root@centos01 ~]# systemctl restart sshd
[root@centos01 ~]# netstat -anptu | grep sshd
tcp        0      0 192.168.100.10:2222     0.0.0.0:*               LISTEN      1979/sshd
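Before restarting, it pays to check the file the way sshd reads it. The following script is an added example, not from the original post: it reports the effective value of each hardening keyword from a constructed sshd_config that mirrors the settings above (the sample text, the list of checks and the accepted values are this example's own policy, not anything sshd enforces), and it shows the two things a grep-based check gets wrong: sshd honours the first occurrence of a keyword, and keywords inside a Match block apply only conditionally.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an sshd_config the way sshd reads
# it. sshd keeps the FIRST value it sees for a keyword and ignores later duplicates, so a
# "grep | tail -1" audit gets that backwards, and keywords inside a Match block apply only
# when the Match condition holds, so they are skipped here. Only the "Keyword value"
# spelling used on this page is parsed, not "Keyword=value".

# sshd_effective FILE KEYWORD: print the effective value of KEYWORD (case-insensitive),
# or nothing if it is not set before the first Match block.
sshd_effective() {
    _key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$_key" '
        /^[ \t]*#/             { next }   # comment
        NF == 0                { next }   # blank line
        tolower($1) == "match" { exit }   # conditional section begins: stop
        tolower($1) == key     { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

AUDIT_FAILURES=0

# check FILE KEYWORD ACCEPTED_REGEX DEFAULT: PASS when the effective value (or DEFAULT,
# standing in for sshd's compiled-in default when the keyword is absent) matches the regex.
check() {
    _val=$(sshd_effective "$1" "$2")
    [ -n "$_val" ] || _val=$4
    if printf '%s' "$_val" | grep -Eqi "^($3)\$"; then
        printf 'PASS %-22s %s\n' "$2" "$_val"
    else
        printf 'FAIL %-22s %s (want: %s)\n' "$2" "$_val" "$3"
        AUDIT_FAILURES=$((AUDIT_FAILURES + 1))
    fi
}

# audit_sshd_config FILE: run the checks for this lab's goals; return the failure count.
# The accepted values are this example's policy, not anything sshd enforces.
audit_sshd_config() {
    AUDIT_FAILURES=0
    check "$1" PermitEmptyPasswords 'no'                   no
    check "$1" PermitRootLogin      'no|prohibit-password' yes   # CentOS 7 default is yes
    check "$1" MaxAuthTries         '[1-6]'                6
    check "$1" Port                 '2222'                 22
    check "$1" AllowUsers           '.+'                   ''    # absent = every account may try
    return "$AUDIT_FAILURES"
}

# Constructed sample mirroring this post's settings (MaxAuthTries spelled correctly).
# The commented-out line and the Match block must both be ignored by the audit.
SAMPLE_CONFIG='Port 2222
ListenAddress 192.168.100.10
#PermitRootLogin no
PermitRootLogin yes
MaxAuthTries 6
PermitEmptyPasswords no
PasswordAuthentication yes
AllowUsers root@192.168.100.20 bob@192.168.100.20
DenyUsers tom@192.168.100.20
Match Address 192.168.100.30
    PermitRootLogin no'

# Stand-alone run: audit the sample. On a real host pass /etc/ssh/sshd_config and compare
# with `sshd -T`, which prints the configuration the daemon actually resolved.
_tmp=$(mktemp)
printf '%s\n' "$SAMPLE_CONFIG" > "$_tmp"
audit_sshd_config "$_tmp" && _rc=0 || _rc=$?
echo "failures: $_rc"        # failures: 1 (PermitRootLogin yes)
rm -f "$_tmp"
```

The one failure the sample produces is PermitRootLogin yes, which the lab needs but a production audit should flag; the commented-out "#PermitRootLogin no" and the Match-scoped "PermitRootLogin no" are correctly ignored. sshd -T on the server remains the authoritative view, because it applies defaults, Include files and Match blocks for a given connection.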
4. Verify the account-and-password configuration against the SSH server

(1) root is allowed to log in from 192.168.100.20

[root@centos02 ~]# ssh -p2222 root@192.168.100.10
root@192.168.100.10's password: 
Last failed login: Sun Apr 23 06:01:58 CST 2023 from 192.168.100.20 on ssh:notty
There were 3 failed login attempts since the last successful login.
Last login: Sun Apr 23 05:56:57 2023
[root@centos01 ~]# exit
logout
Connection to 192.168.100.10 closed.

The login banner reports three failed attempts from 192.168.100.20 before this success. With password authentication enabled those attempts are recorded in /var/log/secure on the server and are exactly what a password-guessing tool produces, which is why MaxAuthTries is capped and why part II moves to key-based login.

(2) bob is allowed to log in from 192.168.100.20

[root@centos02 ~]# ssh -p2222 bob@192.168.100.10
bob@192.168.100.10's password: 
[bob@centos01 ~]$ exit
logout
Connection to 192.168.100.10 closed.

(3) tom is refused when connecting from 192.168.100.20

[root@centos02 ~]# ssh -p2222 tom@192.168.100.10
tom@192.168.100.10's password: 
Permission denied, please try again.

sshd still prompts for a password even though the account is denied, so from the client a DenyUsers refusal is indistinguishable from a wrong password. The reason is explicit on the server: /var/log/secure (or journalctl -u sshd) records "User tom from 192.168.100.20 not allowed because listed in DenyUsers".

II. Configure non-interactive (key-based) SSH authentication so that Centos03 can access the SSH server as root and as alice without a password prompt, and configure access control to deny 192.168.100.30 access to the SSH service

1. Enable non-interactive (public-key) authentication on the SSH server

(1) Edit the main configuration file

[root@centos01 ~]# vim /etc/ssh/sshd_config
line 43: PubkeyAuthentication yes
line 47: AuthorizedKeysFile      .ssh/authorized_keys
line 48: AllowUsers alice root@192.168.100.30

AllowUsers lines accumulate, so this second line adds to the one from part I rather than replacing it: root may now also log in from 192.168.100.30. The bare pattern alice names an account called alice on the server, and this lab never creates one on centos01 (step 3 below creates alice on the client centos03 only); alice's key is installed into root's authorized_keys and she logs in as root, which is what the root@192.168.100.30 entry permits. For a genuine alice login, create the account on the server and copy the key to alice@192.168.100.10 instead.

(2) Restart the service

[root@centos01 ~]# systemctl restart sshd
[root@centos01 ~]# netstat -anptu | grep sshd
tcp        0      0 192.168.100.10:2222     0.0.0.0:*               LISTEN      2364/sshd

2. Configure non-interactive authentication for the client's root user

(1) Generate a key pair (the empty passphrase below is what makes the login non-interactive; the unencrypted private key on centos03 is then the only thing standing between anyone who can read it and root on centos01, so keep it at mode 0600 and prefer a passphrase-protected key loaded into ssh-agent outside a lab)

[root@centos03 ~]# ssh-keygen -t RSA
Generating public/private RSA key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:n8nuUjQDy12LgT9Qksoqm/qcdcGHckUynoehWJxmWVQ root@centos03
The key's randomart image is:
+---[RSA 2048]----+
|   ..=*.E+.      |
|   o*o B=.. .    |
|  .o..+oo* + .   |
|     .o+o O .    |
|    ..= S. +     |
|  . .o o o.o     |
|   +. .  .=      |
| .oo .  ..       |
|.o+      oo      |
+----[SHA256]-----+

(2) Upload the public key to the remote server

[root@centos03 ~]# ssh-copy-id -i -p 2222 root@192.168.100.10
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '[192.168.100.10]:2222 ([192.168.100.10]:2222)' can't be established.
ECDSA key fingerprint is SHA256:LuSDHJRzMptzroGB1eYCvj9Qqpf3wy4MV7184jNU2nA.
ECDSA key fingerprint is MD5:b6:4f:7b:03:8d:34:d0:f5:9c:bb:2a:de:cd:1c:ff:6a.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.100.10's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh -p '2222' 'root@192.168.100.10'"
and check to make sure that only the key(s) you wanted were added.

The command works as typed because ssh-copy-id's -i only takes the next argument as an identity file when it does not start with "-"; with nothing given it falls back to ~/.ssh/id_rsa.pub, as the first INFO line confirms. The unambiguous spelling is ssh-copy-id -i ~/.ssh/id_rsa.pub -p 2222 root@192.168.100.10. Answering "yes" to the host-key prompt pins whatever key the server presented; on a real network compare the ECDSA fingerprint with the one printed on the server by ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub before accepting, because a machine in the middle on this first connection also receives the password typed at the next prompt.

(3) Verify login as root

[root@centos03 ~]# ssh -p 2222 root@192.168.100.10
Last login: Sun Apr 23 06:03:54 2023 from 192.168.100.20
[root@centos01 ~]# exit
logout
Connection to 192.168.100.10 closed.

3. Configure non-interactive authentication for the alice user

(1) Create the alice user and set a password (on the client centos03; no account is created on the server)

[root@centos03 ~]# useradd alice
[root@centos03 ~]# passwd alice
Changing password for user alice.
New password: 
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: 
passwd: all authentication tokens updated successfully.

(2) Switch to alice and generate a key pair

[root@centos03 ~]# su - alice
[alice@centos03 ~]$ ssh-keygen -t RSA
Generating public/private RSA key pair.
Enter file in which to save the key (/home/alice/.ssh/id_rsa): 
Created directory '/home/alice/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/alice/.ssh/id_rsa.
Your public key has been saved in /home/alice/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:nF4SQCw26qCpvhYXnjRKu0hVuWmgmIHnZqm3QrRdnzw alice@centos03
The key's randomart image is:
+---[RSA 2048]----+
|.    o+          |
|o ..+o..         |
|.=.+ooo .        |
|++*= = . o       |
|+BO * o S .      |
|+Bo=   E o       |
|=.+.    o        |
|+o.              |
|o+.              |
+----[SHA256]-----+

(3) Upload the public key (the first attempt below has a stray space in "- i", which ssh-copy-id rejects; the second attempt is correct)

[alice@centos03 ~]$ ssh-copy-id - i -p 2222 root@192.168.100.10

/bin/ssh-copy-id: ERROR: invalid option (-)

Usage: /bin/ssh-copy-id [-h|-?|-f|-n] [-i [identity_file]] [-p port] [[-o <ssh -o options>] ...] [user@]hostname
	-f: force mode -- copy keys without trying to check if they are already installed
	-n: dry run    -- no keys are actually copied
	-h|-?: print this help
[alice@centos03 ~]$ ssh-copy-id -i -p 2222 root@192.168.100.10
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/alice/.ssh/id_rsa.pub"
The authenticity of host '[192.168.100.10]:2222 ([192.168.100.10]:2222)' can't be established.
ECDSA key fingerprint is SHA256:LuSDHJRzMptzroGB1eYCvj9Qqpf3wy4MV7184jNU2nA.
ECDSA key fingerprint is MD5:b6:4f:7b:03:8d:34:d0:f5:9c:bb:2a:de:cd:1c:ff:6a.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.100.10's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh -p '2222' 'root@192.168.100.10'"
and check to make sure that only the key(s) you wanted were added.

(4) alice logs in to the remote server

[alice@centos03 ~]$ ssh -p 2222 root@192.168.100.10
Last login: Sun Apr 23 06:26:43 2023 from 192.168.100.30
[root@centos01 ~]# exit
logout

The prompt shows that alice has landed in root's shell on centos01: her key went into /root/.ssh/authorized_keys, so this is a second root credential rather than an alice login. Both entries in that file are unrestricted; at minimum pin each to its source host with a from="192.168.100.30" option, and review the file after every ssh-copy-id run, as its closing message advises.
Connection to 192.168.100.10 closed.
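ssh-copy-id does nothing more on the server than append the key to ~/.ssh/authorized_keys, which is how alice's key ended up in root's file above. The script below is an added example, not part of the original post or of OpenSSH: it installs a public key the way ssh-copy-id does for both the root step (2) and the alice step (3), but prefixed with a from= source restriction and with forwarding disabled, skips key material that is already present, sets the modes that sshd's StrictModes requires and checks them. The key blob and paths are constructed for the demonstration and the helper names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post or of OpenSSH: the server-side half of
# ssh-copy-id, done by hand so that each key can be installed with restrictions.
# A key in /root/.ssh/authorized_keys is a root credential, so every entry is prefixed with
# a from="..." source restriction and the forwarding options turned off, duplicates are
# skipped, and the modes are set to what sshd's StrictModes (on by default) requires:
# ~/.ssh mode 0700 and authorized_keys mode 0600, owned by the user.

# install_authorized_key HOME_DIR PUBKEY_FILE [OPTIONS]
#   Append the first "type base64blob [comment]" line of PUBKEY_FILE (the format ssh-keygen
#   writes to id_rsa.pub) to HOME_DIR/.ssh/authorized_keys, prefixed with OPTIONS if given.
#   Returns 0 when added, 2 when the same key material is already present, 1 on a bad file.
install_authorized_key() {
    _dir=$1/.ssh _auth=$1/.ssh/authorized_keys _opts=${3:-}
    _line=$(awk 'NF >= 2 { $1 = $1; print; exit }' "$2")   # normalise whitespace
    [ -n "$_line" ] || { echo "no public key in $2" >&2; return 1; }
    _blob=${_line#* }; _blob=${_blob%% *}                  # field 2: the key material
    umask 077                                              # new files/dirs owner-only
    mkdir -p "$_dir" && chmod 700 "$_dir"
    touch "$_auth" && chmod 600 "$_auth"
    # Compare key material only: an existing entry may carry different options or comment.
    grep -qF -- "$_blob" "$_auth" && return 2
    [ -n "$_opts" ] && _line="$_opts $_line"
    printf '%s\n' "$_line" >> "$_auth"
}

# authorized_key_count HOME_DIR: number of entries in authorized_keys (0 if absent).
authorized_key_count() {
    [ -f "$1/.ssh/authorized_keys" ] || { echo 0; return; }
    grep -c '' "$1/.ssh/authorized_keys" || true
}

# strictmodes_ok HOME_DIR: 0 when ~/.ssh and authorized_keys are neither group- nor
# world-writable (the part of sshd's StrictModes check that ssh-copy-id users trip over
# most often; sshd also checks ownership and the home directory itself).
strictmodes_ok() {
    for _p in "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$_p" ] || return 1
        _mode=$(ls -ld "$_p" | cut -c1-10)          # e.g. drwx------ or -rw-rw----
        case $_mode in
            ?????w????|????????w?) return 1 ;;      # group write (pos 6) / other write (pos 9)
        esac
    done
    return 0
}

# Stand-alone run in a temporary home with a constructed key (the base64 is not a real key).
_demo=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCONSTRUCTEDKEYMATERIAL alice@centos03\n' > "$_demo/id_rsa.pub"
install_authorized_key "$_demo" "$_demo/id_rsa.pub" \
    'from="192.168.100.30",no-port-forwarding,no-agent-forwarding,no-X11-forwarding'
install_authorized_key "$_demo" "$_demo/id_rsa.pub" || echo "second install skipped, rc=$?"
echo "entries: $(authorized_key_count "$_demo")"           # entries: 1
strictmodes_ok "$_demo" && echo "modes OK for StrictModes"
cat "$_demo/.ssh/authorized_keys"
rm -rf "$_demo"
```

Run as the target user on the server with the client's .pub file copied over by any means you trust; with from="192.168.100.30" in place, the same private key presented from 192.168.100.20 is rejected even though root@192.168.100.20 is in AllowUsers, which is the layering the lab's AllowUsers patterns alone do not give you for key logins.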
4. Configure access control so that host 192.168.100.30 cannot reach the SSH service

(1) Configure access control (TCP wrappers)

[root@centos01 ~]# vim /etc/hosts.deny
sshd:192.168.100.30

This works only because the sshd shipped with CentOS 7 is linked against libwrap (check with ldd /usr/sbin/sshd | grep libwrap). Upstream OpenSSH removed TCP wrappers support in 6.7 and RHEL 8 and later no longer carry it, so on newer systems use the firewall or sshd's own DenyUsers *@192.168.100.30 instead. Check /etc/hosts.allow as well: a matching rule there is consulted first and wins over anything in hosts.deny, and with no match in either file every host is accepted.

(2) Verify that remote management from 192.168.100.30 is refused (sshd accepts the TCP connection, consults libwrap and closes it before sending its banner, which the client reports as the error below; a firewall reject would instead show "Connection refused")

[alice@centos03 ~]$ ssh -p 2222 root@192.168.100.10
ssh_exchange_identification: read: Connection reset by peer
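The refusal above comes from libwrap consulting /etc/hosts.allow and then /etc/hosts.deny. The script below is an added example, not from the original post or from tcp_wrappers itself: a small shell model of that decision (allow file first, deny file second, accept by default) evaluated against constructed files, so the precedence and the address patterns can be tested before touching a live server. It covers ALL, exact IPv4 addresses, trailing-dot prefixes, net/mask pairs and EXCEPT; hostnames, IPv6 and line continuations are out of scope, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post or of tcp_wrappers: a shell model of how
# libwrap (which CentOS 7's sshd links against) decides whether to accept a connection:
#   1. a matching rule in hosts.allow  -> accept
#   2. otherwise a matching rule in hosts.deny -> refuse
#   3. otherwise -> accept  (a deny-only setup like this post's admits every other host)
# Client patterns handled: ALL, an exact IPv4 address, a "192.168.100." prefix, a
# "net/mask" pair and "list EXCEPT list". Hostnames, IPv6 and backslash-continued lines
# are not modelled; the function names are this example's own.

# ip_and IP MASK: bitwise AND of two dotted quads, per bit (awk's and() is gawk-only).
ip_and() {
    awk -v a="$1" -v m="$2" 'BEGIN {
        split(a, A, "."); split(m, M, ".")
        for (i = 1; i <= 4; i++) {
            r = 0
            for (b = 128; b >= 1; b /= 2)
                if (int(A[i] / b) % 2 && int(M[i] / b) % 2) r += b
            o[i] = r
        }
        printf "%d.%d.%d.%d", o[1], o[2], o[3], o[4]
    }'
}

# ip_match PATTERN IP: does one client pattern cover IP?
ip_match() {
    case $1 in
        ALL) return 0 ;;
        */*) _net=${1%/*}; _mask=${1#*/}
             [ "$(ip_and "$2" "$_mask")" = "$(ip_and "$_net" "$_mask")" ] ;;
        *.)  case $2 in "$1"*) return 0 ;; *) return 1 ;; esac ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

# name_match PATTERN DAEMON: the daemon field is the process name (sshd) or ALL.
name_match() { [ "$1" = ALL ] || [ "$1" = "$2" ]; }

# list_has LIST VALUE MATCHER: LIST is comma/space separated and may contain one EXCEPT;
# VALUE matches when some item before EXCEPT matches and no item after it does.
list_has() {
    _before=$1 _after=
    case $1 in *EXCEPT*) _before=${1%%EXCEPT*} _after=${1#*EXCEPT} ;; esac
    _hit=1
    for _t in $(printf '%s' "$_before" | tr ',' ' '); do
        "$3" "$_t" "$2" && { _hit=0; break; }
    done
    [ "$_hit" -eq 0 ] || return 1
    for _t in $(printf '%s' "$_after" | tr ',' ' '); do
        "$3" "$_t" "$2" && return 1
    done
    return 0
}

# rule_matches "daemon_list : client_list [: shell_command]" DAEMON IP
rule_matches() {
    _daemons=${1%%:*}
    _clients=${1#*:}; _clients=${_clients%%:*}
    list_has "$_daemons" "$2" name_match && list_has "$_clients" "$3" ip_match
}

# file_matches FILE DAEMON IP: 0 if any rule in FILE matches (a missing file has no rules).
file_matches() {
    [ -f "$1" ] || return 1
    awk '{ sub(/#.*/, ""); if (NF > 0) print }' "$1" | (
        while IFS= read -r _line; do
            rule_matches "$_line" "$2" "$3" && exit 0
        done
        exit 1
    )
}

# hosts_access DAEMON IP ALLOW_FILE DENY_FILE: 0 = accept, 1 = refuse.
hosts_access() {
    file_matches "$3" "$1" "$2" && return 0
    file_matches "$4" "$1" "$2" && return 1
    return 0
}

# Stand-alone run over constructed files: setup 1 is this post's deny-only configuration,
# setup 2 is default-deny (hosts.allow lists the subnet minus .30, hosts.deny closes the rest).
_d=$(mktemp -d)
: > "$_d/allow.1"
printf 'sshd:192.168.100.30\n' > "$_d/deny.1"
printf 'sshd : 192.168.100.0/255.255.255.0 EXCEPT 192.168.100.30\n' > "$_d/allow.2"
printf 'sshd : ALL\n' > "$_d/deny.2"
for _setup in 1 2; do
    for _ip in 192.168.100.20 192.168.100.30 10.0.0.5; do
        if hosts_access sshd "$_ip" "$_d/allow.$_setup" "$_d/deny.$_setup"; then _v=accept; else _v=refuse; fi
        echo "setup $_setup: sshd from $_ip -> $_v"
    done
done
rm -rf "$_d"
```

Setup 1 reproduces the post: 192.168.100.30 is refused, but 192.168.100.20 and an unrelated 10.0.0.5 are both accepted, because nothing denies them. Setup 2 is the shape to prefer: hosts.allow admits only the management subnet minus the excluded host and hosts.deny closes sshd to everyone else. On the server itself the tcpdmatch tool from the tcp_wrappers package gives the verdict for the real files, for example tcpdmatch sshd 192.168.100.30.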


Source: https://blog.51cto.com/u_15832728/6215699
