Topology diagram:
Recommended steps:
- Install the ssh server and client and set the service to start at boot; configure password-authenticated ssh; harden the ssh server by forbidding empty-password logins; change the ssh server port to 2222; create two users, bob and tom, on the ssh server; allow client 192.168.100.20 to log in as bob and as root; and deny user tom logging in from 192.168.100.20
- Configure non-interactive (key-based) ssh authentication; allow Centos03 to access the ssh server non-interactively as root and as alice; configure access control to block host 192.168.100.30 from reaching the ssh server
Lab steps:
I. Install the ssh server and configure authenticated ssh with user access restrictions
1. Mount the system ISO and install the service
(1) Mount the system ISO
[root@centos01 ~]# mount /dev/cdrom /mnt
mount: /dev/sr0 写保护,将以只读方式挂载
[root@centos01 ~]# ls /mnt
CentOS_BuildTag EULA images LiveOS repodata RPM-GPG-KEY-CentOS-Testing-7
EFI GPL isolinux Packages RPM-GPG-KEY-CentOS-7 TRANS.TBL
(2) Install the server and client packages
[root@centos01 ~]# rpm -ivh /mnt/Packages/openssh-server-7.4p1-11.el7.x86_64.rpm
警告:/mnt/Packages/openssh-server-7.4p1-11.el7.x86_64.rpm: 头V3 RSA/SHA256 Signature, 密钥 ID f4a80eb5: NOKEY
准备中... ################################# [100%]
软件包 openssh-server-7.4p1-11.el7.x86_64 已经安装
[root@centos01 ~]# rpm -ivh /mnt/Packages/openssh-clients-7.4p1-11.el7.x86_64.rpm
警告:/mnt/Packages/openssh-clients-7.4p1-11.el7.x86_64.rpm: 头V3 RSA/SHA256 Signature, 密钥 ID f4a80eb5: NOKEY
准备中... ################################# [100%]
软件包 openssh-clients-7.4p1-11.el7.x86_64 已经安装
(3) Set the service to start at boot
[root@centos01 ~]# systemctl enable sshd
[root@centos01 ~]# systemctl start sshd
2. Create the authentication accounts and set passwords
(1) Create the accounts bob and tom
[root@centos01 ~]# useradd bob
[root@centos01 ~]# useradd tom
(2) Set passwords
[root@centos01 ~]# passwd bob
更改用户 bob 的密码 。
新的 密码:
无效的密码: 密码少于 8 个字符
重新输入新的 密码:
passwd:所有的身份验证令牌已经成功更新。
[root@centos01 ~]# passwd tom
更改用户 tom 的密码 。
新的 密码:
无效的密码: 密码少于 8 个字符
重新输入新的 密码:
passwd:所有的身份验证令牌已经成功更新。
3. Configure the ssh server to control user access
(1) Edit the main ssh configuration file
[root@centos01 ~]# vim /etc/ssh/sshd_config
line 17 Port 2222
line 19 ListenAddress 192.168.100.10
line 37 LoginGraceTime 2m
line 38 PermitRootLogin yes
line 40 MaxAuthTries 6
line 41 MaxSessions 10
line 64 PermitEmptyPasswords no
line 65 PasswordAuthentication yes
line 115 UseDNS no
line 116 AllowUsers bob@192.168.100.20 root@192.168.100.20
line 117 DenyUsers tom@192.168.100.20
Note: PermitEmptyPasswords must be no to satisfy the requirement of refusing empty-password logins, and PermitRootLogin must be yes for the root login from 192.168.100.20 verified in step 4 to succeed.
(2) Restart the service and check the listening port
[root@centos01 ~]# systemctl restart sshd
[root@centos01 ~]# netstat -anptu | grep sshd
tcp 0 0 192.168.100.10:2222 0.0.0.0:* LISTEN 1979/sshd
4. Verify password authentication against the ssh server
(1) root is allowed to log in from 192.168.100.20
[root@centos02 ~]# ssh -p2222 root@192.168.100.10
root@192.168.100.10's password:
Last failed login: Sun Apr 23 06:01:58 CST 2023 from 192.168.100.20 on ssh:notty
There were 3 failed login attempts since the last successful login.
Last login: Sun Apr 23 05:56:57 2023
[root@centos01 ~]# exit
登出
Connection to 192.168.100.10 closed.
(2) bob is allowed to log in from 192.168.100.20
[root@centos02 ~]# ssh -p2222 bob@192.168.100.10
bob@192.168.100.10's password:
[bob@centos01 ~]$ exit
登出
Connection to 192.168.100.10 closed.
(3) tom is denied login from 192.168.100.20
[root@centos02 ~]# ssh -p2222 tom@192.168.100.10
tom@192.168.100.10's password:
Permission denied, please try again.
II. Configure non-interactive ssh authentication: allow Centos03 to access the ssh server non-interactively as root and as alice, and configure access control to refuse 192.168.100.30 access to the ssh service
1. Configure the ssh server to accept non-interactive (public-key) authentication
(1) Edit the main configuration file
[root@centos01 ~]# vim /etc/ssh/sshd_config
line 43 PubkeyAuthentication yes
line 47 AuthorizedKeysFile .ssh/authorized_keys
line 48 AllowUsers alice root@192.168.100.30
(2) Restart the service
[root@centos01 ~]# systemctl restart sshd
[root@centos01 ~]# netstat -anptu | grep sshd
tcp 0 0 192.168.100.10:2222 0.0.0.0:* LISTEN 2364/sshd
2. Configure non-interactive authentication for the client's root user
(1) Generate a key pair
[root@centos03 ~]# ssh-keygen -t RSA
Generating public/private RSA key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:n8nuUjQDy12LgT9Qksoqm/qcdcGHckUynoehWJxmWVQ root@centos03
The key's randomart image is:
+---[RSA 2048]----+
| ..=*.E+. |
| o*o B=.. . |
| .o..+oo* + . |
| .o+o O . |
| ..= S. + |
| . .o o o.o |
| +. . .= |
| .oo . .. |
|.o+ oo |
+----[SHA256]-----+
(2) Upload the public key to the remote server
[root@centos03 ~]# ssh-copy-id -i -p 2222 root@192.168.100.10
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '[192.168.100.10]:2222 ([192.168.100.10]:2222)' can't be established.
ECDSA key fingerprint is SHA256:LuSDHJRzMptzroGB1eYCvj9Qqpf3wy4MV7184jNU2nA.
ECDSA key fingerprint is MD5:b6:4f:7b:03:8d:34:d0:f5:9c:bb:2a:de:cd:1c:ff:6a.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.100.10's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh -p '2222' 'root@192.168.100.10'"
and check to make sure that only the key(s) you wanted were added.
(3) Verify the root login
[root@centos03 ~]# ssh -p 2222 root@192.168.100.10
Last login: Sun Apr 23 06:03:54 2023 from 192.168.100.20
[root@centos01 ~]# exit
登出
Connection to 192.168.100.10 closed.
3. Configure non-interactive authentication for the alice user
(1) Create the alice user and set a password
[root@centos03 ~]# useradd alice
[root@centos03 ~]# passwd alice
更改用户 alice 的密码 。
新的 密码:
无效的密码: 密码少于 8 个字符
重新输入新的 密码:
passwd:所有的身份验证令牌已经成功更新。
(2) Switch to alice and generate a key pair
[root@centos03 ~]# su - alice
[alice@centos03 ~]$ ssh-keygen -t RSA
Generating public/private RSA key pair.
Enter file in which to save the key (/home/alice/.ssh/id_rsa):
Created directory '/home/alice/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/alice/.ssh/id_rsa.
Your public key has been saved in /home/alice/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:nF4SQCw26qCpvhYXnjRKu0hVuWmgmIHnZqm3QrRdnzw alice@centos03
The key's randomart image is:
+---[RSA 2048]----+
|. o+ |
|o ..+o.. |
|.=.+ooo . |
|++*= = . o |
|+BO * o S . |
|+Bo= E o |
|=.+. o |
|+o. |
|o+. |
+----[SHA256]-----+
(3) Upload the public key
[alice@centos03 ~]$ ssh-copy-id - i -p 2222 root@192.168.100.10
/bin/ssh-copy-id: ERROR: invalid option (-)
Usage: /bin/ssh-copy-id [-h|-?|-f|-n] [-i [identity_file]] [-p port] [[-o <ssh -o options>] ...] [user@]hostname
-f: force mode -- copy keys without trying to check if they are already installed
-n: dry run -- no keys are actually copied
-h|-?: print this help
[alice@centos03 ~]$ ssh-copy-id -i -p 2222 root@192.168.100.10
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/alice/.ssh/id_rsa.pub"
The authenticity of host '[192.168.100.10]:2222 ([192.168.100.10]:2222)' can't be established.
ECDSA key fingerprint is SHA256:LuSDHJRzMptzroGB1eYCvj9Qqpf3wy4MV7184jNU2nA.
ECDSA key fingerprint is MD5:b6:4f:7b:03:8d:34:d0:f5:9c:bb:2a:de:cd:1c:ff:6a.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.100.10's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh -p '2222' 'root@192.168.100.10'"
and check to make sure that only the key(s) you wanted were added.
(4) alice logs in to the remote server (as root, with her own key)
[alice@centos03 ~]$ ssh -p 2222 root@192.168.100.10
Last login: Sun Apr 23 06:26:43 2023 from 192.168.100.30
[root@centos01 ~]# exit
登出
Connection to 192.168.100.10 closed.
4. Configure access control to restrict host 192.168.100.30 from the ssh service
(1) Configure access control
[root@centos01 ~]# vim /etc/hosts.deny
sshd:192.168.100.30
(2) Verify that remote management from the host can no longer connect
[alice@centos03 ~]$ ssh -p 2222 root@192.168.100.10
ssh_exchange_identification: read: Connection reset by peer
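Three separate mechanisms now decide who gets in on this server: the hosts.deny rule, DenyUsers and AllowUsers, and the server applies them in that order, which is why the hosts.deny entry produces a connection reset rather than the "Permission denied" that tom received. As an added example that is not part of the original lab, the script below encodes a constructed policy (the AllowUsers/DenyUsers entries are an assumption written in sshd's user@host form) and reports the outcome for a given user and source address:

```shell
# Constructed policy for the lab topology, not read from the lab hosts. The
# AllowUsers/DenyUsers entries are an assumption about what the page's edits
# contained, in sshd's USER@HOST form; hosts.deny carries the page's
# "sshd:192.168.100.30" rule and hosts.allow has no sshd line.
ALLOW_USERS="bob@192.168.100.20 root@192.168.100.20 root@192.168.100.30"
DENY_USERS="tom@192.168.100.20"
HOSTS_ALLOW_SSHD=""
HOSTS_DENY_SSHD="192.168.100.30"

# match_pattern USER IP PATTERN: true if PATTERN ("user" or "user@host", with
# shell-style * and ? wildcards as sshd accepts) matches the login attempt.
match_pattern() {
    case "$3" in
        *@*) pu="${3%%@*}"; ph="${3#*@}" ;;
        *)   pu="$3"; ph="*" ;;
    esac
    case "$1" in $pu) ;; *) return 1 ;; esac
    case "$2" in $ph) return 0 ;; *) return 1 ;; esac
}

# in_list USER IP LIST: true if any whitespace-separated pattern in LIST matches.
in_list() {
    for pat in $3; do match_pattern "$1" "$2" "$pat" && return 0; done
    return 1
}

# host_in IP LIST: true if IP is listed (exact match, as in the lab's hosts.deny).
host_in() {
    for h in $2; do [ "$1" = "$h" ] && return 0; done
    return 1
}

# ssh_decision USER IP: print and return the outcome, applying the checks in the
# order the server does: TCP wrappers (hosts.allow, then hosts.deny) reject
# before any SSH banner is exchanged; then DenyUsers; then AllowUsers, which,
# once set, refuses every login it does not list.
ssh_decision() {
    if ! host_in "$2" "$HOSTS_ALLOW_SSHD" && host_in "$2" "$HOSTS_DENY_SSHD"; then
        echo "refused by hosts.deny (connection reset before authentication)"; return 1
    fi
    if in_list "$1" "$2" "$DENY_USERS"; then
        echo "denied by DenyUsers (password prompt shown, always rejected)"; return 1
    fi
    if [ -n "$ALLOW_USERS" ] && ! in_list "$1" "$2" "$ALLOW_USERS"; then
        echo "denied: not listed in AllowUsers"; return 1
    fi
    echo "allowed (still subject to PermitRootLogin and the credential check)"
}
```

This mirrors the lab's CentOS 7 build, whose sshd is linked against libwrap; upstream OpenSSH dropped TCP wrappers support in 6.7, so on newer systems a hosts.deny entry does nothing and the host block belongs in the firewall instead.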