sshd
sshd is the SSH-based remote management service; it supports two login methods, password and key.
The main sshd configuration file is /etc/ssh/sshd_config.
| Parameter | Purpose |
|---|---|
| Port 22 | Default sshd service port |
| ListenAddress 0.0.0.0 | IP address the sshd server listens on |
| Protocol 2 | SSH protocol version |
| HostKey /etc/ssh/ssh_host_key | Location of the DES private key when the SSH protocol version is 1 |
| HostKey /etc/ssh/ssh_host_rsa_key | Location of the RSA private key when the SSH protocol version is 2 |
| HostKey /etc/ssh/ssh_host_dsa_key | Location of the DSA private key when the SSH protocol version is 2 |
| PermitRootLogin yes | Whether the root administrator may log in directly |
| StrictModes yes | Reject the connection outright when the remote user's private key has changed |
| MaxAuthTries 6 | Maximum number of password attempts |
| MaxSessions 10 | Maximum number of terminals (sessions) |
| PasswordAuthentication yes | Whether password authentication is allowed |
| PermitEmptyPasswords no | Whether logging in with an empty password is allowed |
Key-based login
Client
1. Generate the key pair
[root@server2 ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:PIZ39KXyUbYOsb8cweu1OVO4RyUn4oGTOnN0UhJfViw root@server2
The key's randomart image is:
+---[RSA 2048]----+
|        .. oo.|
|       ...oE .|
|       .=o +. |
|    o .*.+Oo.o|
|   . Soo=*o+=.|
|    o+o.o.=.oo|
|     + . =oo|
|        o.*+|
|         ++o|
+----[SHA256]-----+
2. Copy the public key to the remote host
[root@server2 ~]# ssh-copy-id 192.168.226.148
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.226.148 (192.168.226.148)' can't be established.
ECDSA key fingerprint is SHA256:8Vsy9Dj0ckv15A6BLpaDmksbMZNCBm/RqR/angTli7g.
ECDSA key fingerprint is MD5:07:00:65:99:1a:0c:00:b3:67:50:44:43:22:7a:c5:13.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.226.148's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '192.168.226.148'"
and check to make sure that only the key(s) you wanted were added.
3. Edit the configuration so that only key-based login is allowed
[root@server1 ~]# cat /etc/ssh/sshd_config | grep PasswordA
#PasswordAuthentication yes
PasswordAuthentication yes
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication, then enable this but set PasswordAuthentication
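The grep above shows why simply appending a line to sshd_config is error-prone: sshd uses the first uncommented occurrence of each keyword, so a `PasswordAuthentication no` added at the end of the file is ignored if `PasswordAuthentication yes` already appears earlier. The following POSIX shell script is an added example (not from the original post) that audits the settings from the table above against a constructed sample sshd_config, applying that first-occurrence-wins rule and stopping at the first `Match` block. The keyword names are real sshd_config keywords; the sample file, the function names and the chosen "expected" values are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the sshd_config
# settings listed above. Like sshd itself, it takes the FIRST uncommented
# occurrence of a keyword as the effective value and stops at the first
# "Match" block, so a later duplicate line does not override an earlier one.

# effective_value FILE KEYWORD  -> prints the effective value ("" if unset)
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }                        # comment line
        /^[[:space:]]*$/ { next }                        # blank line
        tolower($1) == "match" { exit }                  # conditional section: stop
        tolower($1) == tolower(key) { print $2; exit }   # first match wins
    ' "$1"
}

# warn_if FILE KEYWORD EXPECTED DEFAULT -> prints a WARN line when the
# effective value (or the default, if the keyword is unset) differs from EXPECTED
warn_if() {
    v=$(effective_value "$1" "$2")
    if [ -z "$v" ]; then v="$4"; fi
    if [ "$v" != "$3" ]; then
        echo "WARN $2=$v (expected $3)"
    fi
}

# audit_sshd_config FILE -> one WARN line per weak setting, nothing if clean
audit_sshd_config() {
    warn_if "$1" PermitRootLogin        no   prohibit-password  # default since OpenSSH 7.0
    warn_if "$1" PasswordAuthentication no   yes
    warn_if "$1" PermitEmptyPasswords   no   no
    warn_if "$1" PubkeyAuthentication   yes  yes
}

# Constructed sample config: note the two PasswordAuthentication lines.
SAMPLE_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_FILE"' EXIT
cat > "$SAMPLE_FILE" <<'EOF'
# constructed sample sshd_config
Port 22
#PasswordAuthentication no
PasswordAuthentication yes
PermitRootLogin yes
PasswordAuthentication no
PermitEmptyPasswords no
EOF

audit_sshd_config "$SAMPLE_FILE"
# prints:
# WARN PermitRootLogin=yes (expected no)
# WARN PasswordAuthentication=yes (expected no)
```

On a live host, `sshd -T` prints the configuration as sshd actually resolved it, which is a more reliable check than grepping the file; run it (and `sshd -t` for a syntax check) before restarting the service so a typo does not lock you out of the only login path left once passwords are disabled.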
4. Try logging in
[root@server2 ~]# ssh 192.168.226.148
Last login: Fri Mar 4 10:27:52 2022 from 192.168.226.1
Asymmetric encryption
Asymmetric encryption uses a key pair: a public key and a private key. The private key is kept by its owner; the public key can be published. When A wants to send a message to B, A encrypts it with B's public key, and the resulting ciphertext can only be decrypted with B's private key, which improves security. RSA is the representative asymmetric encryption algorithm.
Example flow
(1) Alice needs to make a transaction on the bank's website; her browser first generates a random number to use as a symmetric key.
(2) Alice's browser requests the public key from the bank's website.
(3) The bank sends its public key to Alice.
(4) Alice's browser encrypts its symmetric key with the bank's public key.
(5) Alice's browser sends the encrypted symmetric key to the bank.
(6) The bank decrypts it with its private key and obtains the symmetric key from Alice's browser.
(7) Alice and the bank can now use the symmetric key to encrypt and decrypt the content of their communication.
Asymmetric encryption is also used for digital signatures: A encrypts the hash of a message with A's private key; when B receives it, B decrypts it with A's public key. If it decrypts correctly, that proves the message was sent by A, and comparing the hash shows that the message was not tampered with.
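The seven-step exchange and the hash-sign-verify flow above, written out as an added example that is not part of the original post. It uses only the Python standard library: the RSA key pair is built from two fixed, small primes (constructed for readability; nowhere near a real key size), there is no padding, and the "symmetric cipher" in step (7) is a toy SHA-256 keystream. Every function name here is an assumption of this example; real systems use 2048-bit or larger keys with OAEP/PSS padding and AES-GCM from a vetted library.

```python
"""Added example (not code from the original post): the Alice/bank exchange
and the sign/verify flow above, using only the Python standard library.

Assumptions: textbook RSA over two fixed small primes, no padding, and a toy
symmetric cipher. It illustrates the protocol steps, nothing more.
"""
import hashlib
import secrets

# Constructed toy primes: far too small for real use, chosen for readability.
P = 1000000007
Q = 998244353
E = 65537


def make_keypair(p=P, q=Q, e=E):
    """Return ((n, e), (n, d)): the public key and the private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt(pub, m):
    """Encrypt the integer m (must be < n) with the public key."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def rsa_decrypt(priv, c):
    """Decrypt with the private key."""
    n, d = priv
    return pow(c, d, n)


def digest_as_int(msg, n):
    """SHA-256 of msg as an integer, reduced mod n so it fits the toy modulus
    (a real signature scheme pads the hash instead of reducing it)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(priv, msg):
    """A 'encrypts' the hash of msg with A's private key."""
    n, d = priv
    return pow(digest_as_int(msg, n), d, n)


def verify(pub, msg, sig):
    """B 'decrypts' sig with A's public key and compares it to a fresh hash."""
    n, e = pub
    return pow(sig, e, n) == digest_as_int(msg, n)


def keystream_xor(key, data):
    """Toy symmetric cipher: XOR with a SHA-256(key || counter) keystream.
    Encryption and decryption are the same operation."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hashlib.sha256(key.to_bytes(8, "big") + counter.to_bytes(4, "big")).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def alice_bank_exchange(message):
    """Steps (1)-(7) of the flow above. Returns (key_agreed, plaintext_seen_by_bank)."""
    bank_pub, bank_priv = make_keypair()               # the bank owns the key pair
    session_key = secrets.randbelow(1 << 59)           # (1) random symmetric key, kept below n
    # (2)-(3) Alice requests and receives bank_pub; the transport is not modelled here
    wrapped = rsa_encrypt(bank_pub, session_key)       # (4) encrypt it with the bank's public key
    # (5) Alice sends `wrapped`; only bank_priv can open it
    bank_key = rsa_decrypt(bank_priv, wrapped)         # (6) the bank recovers the symmetric key
    ciphertext = keystream_xor(session_key, message)   # (7) symmetric encryption by Alice
    plaintext = keystream_xor(bank_key, ciphertext)    #     symmetric decryption by the bank
    return bank_key == session_key, plaintext


if __name__ == "__main__":
    pub, priv = make_keypair()
    sig = sign(priv, b"transfer 100 to Bob")
    print("signature valid:", verify(pub, b"transfer 100 to Bob", sig))
    print("tampered message valid:", verify(pub, b"transfer 900 to Bob", sig))
    print(alice_bank_exchange(b"hello bank"))
```

The tampered-message check is the point of the signature paragraph: changing one byte of the message changes its hash, so the value recovered with A's public key no longer matches and `verify` returns False, even though the signature itself is untouched.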
Common commands
cat ~/.ssh/id_rsa.pub
ssh-keygen
vim /home/admin/.ssh/authorized_keys
vi /etc/sudoers
xxxx ALL=(ALL) ALL
Passwordless sudo
username ALL=(ALL) NOPASSWD:ALL
Clean up known_hosts
vi ~/.ssh/known_hosts