Theory: Linux remote control with OpenSSH explained in detail


  • SSH remote management

    1. Configuring the OpenSSH server

    2. Using the SSH client programs

    3. An SSH setup with key-pair authentication

  • TCP Wrappers overview (an access-control mechanism applied per program)

    1. TCP Wrappers overview

    2. TCP Wrappers access policies

Part 1: Remote access to the OpenSSH server

1.1 The SSH protocol

  • Provides the client with a secure shell environment for remote management
  • Default port: TCP 22

1.2 OpenSSH

  • Service name: sshd
  • Server main program: /usr/sbin/sshd
  • Server configuration file: /etc/ssh/sshd_config

A second form of remote access is telnet. It is remote access too, but everything travels as unencrypted plaintext on TCP port 23, so a packet sniffer can read the traffic, including the login credentials, directly. SSH is the typical encrypted alternative.

So telnet should at most be used inside a LAN; SSH can be used anywhere.

A third form of remote access is the remote desktop (RDP) on port 3389, which gives a graphical session.

Example: the mstsc command is how a remote desktop session is opened on Windows.

Every account that is allowed to log in remotely must have a password set.

VNC software can connect across Windows and Linux systems.

TeamViewer lets a phone connect to a computer.

The side being controlled can manually switch remote access off to refuse connections.

ssh_config is the configuration file for the client.

sshd_config is the configuration file for the server.

1.2.1 Service listening options

  • Port number, protocol version, listening IP address
  • Disabling reverse DNS lookups
  • Note: a line beginning with # is commented out; it documents the built-in default and has no effect until the # is removed
[root@localhost ~]# vim /etc/ssh/sshd_config
......
#Port 22    'port number (can be changed)'
#ListenAddress 0.0.0.0      'listening address'
Protocol 2      'protocol version'
#UseDNS no      'reverse DNS lookup of the client: no'

1.2.2 Login control

  • Forbid root login and empty-password logins ———— control at the user level
  • Login grace time, retry count ———— control of login attributes
  • AllowUsers, DenyUsers ———— whitelist/blacklist control

AllowUsers whitelist: only the listed users may log in

DenyUsers blacklist: only the listed users are refused

[root@localhost ~]# vim /etc/ssh/sshd_config

#LoginGraceTime 2m      'time allowed to complete authentication: 2 min; the connection is dropped if login is not finished in time'
#PermitRootLogin yes    'allow root to log in: yes; the leading # means the line is commented out and shows the built-in default'
#StrictModes yes        'check ownership and permissions of the user's home directory, .ssh and key files before accepting a login: yes'
#MaxAuthTries 6     'maximum authentication attempts per connection: 6'
#MaxSessions 10     'maximum open sessions per connection: 10'
PermitEmptyPasswords no      'allow login with an empty password: no'
······
AllowUsers jerry admin@61.23.24.25      
'whitelist: only the listed users may log in, and user@host restricts that user to the given source address; separate entries with spaces'

DenyUsers is evaluated before AllowUsers (sshd processes DenyUsers, AllowUsers, DenyGroups, AllowGroups in that order), so a name that appears in both lists is refused. Do not use AllowUsers and DenyUsers together; pick one.

1.3 Login authentication

1.3.1 What is authenticated

  • Local user accounts on the server

1.3.2 Authentication methods

  • Password authentication: checks that the user name and password match
  • Key-pair authentication: the server holds the client's public key and the client proves possession of the matching private key by signing a challenge

A key pair has to be created by the user.

A key pair consists of a public key and a private key; together they are called the key pair.

The public key is given to the other side and the private key is kept; this is asymmetric cryptography, e.g. RSA, and works like the two halves of a tiger tally.

DES, AES or 3DES are symmetric ciphers, like an ordinary door key shared by both sides. SSH uses asymmetric keys to authenticate and agree a session key, and a symmetric cipher to encrypt the session traffic.

[root@localhost ~]# vim /etc/ssh/sshd_config
······

#PubkeyAuthentication yes   'key-pair authentication enabled: yes'
#PasswordAuthentication yes     'password authentication: yes'
AuthorizedKeysFile      .ssh/authorized_keys    'path of the file holding the authorized public keys, relative to the user's home directory'

Enables password authentication and key-pair authentication, and specifies where the public-key store is.
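The listening and login-control options in 1.2 and the authentication keywords here share one pitfall: a line starting with # only documents the default, sshd takes the first active occurrence of a keyword, and anything below a Match block is conditional. The script below is an added example, not part of the original page, that reads a configuration file and reports the effective value of each setting discussed, flagging weak ones. It runs against a constructed sample file; point audit_sshd_config at /etc/ssh/sshd_config for a real check. The defaults it assumes are those of the CentOS 7 sshd used on this page (upstream OpenSSH 7.0 and later default PermitRootLogin to prohibit-password); the function names are mine.

```shell
#!/bin/sh
# Added example: audit the effective values of the sshd_config settings
# discussed on this page. Lines starting with # only document defaults, sshd
# honours the first active occurrence of a keyword, and settings below a
# Match line are conditional, so parsing stops there.

# effective_value FILE KEYWORD DEFAULT
# Prints the first active value of KEYWORD (case-insensitive), else DEFAULT.
effective_value() {
    val=$(awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }                   # comment or blank line
        {
            line = $0; sub(/^[ \t]+/, "", line)
            k = line; sub(/[ \t=].*$/, "", k)     # keyword is the first token
            if (tolower(k) == "match") exit       # conditional section begins
            if (tolower(k) == tolower(key)) {
                v = line
                sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", v)   # "Key value" or "Key=value"
                sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# audit_sshd_config FILE
# Prints one line per weak or questionable setting; prints nothing when clean.
# Assumed defaults are those of the CentOS 7 sshd used on this page.
audit_sshd_config() {
    f=$1
    case $(effective_value "$f" PermitRootLogin yes) in
        yes) echo "PermitRootLogin yes: root may log in directly; set it to no" ;;
    esac
    case $(effective_value "$f" PermitEmptyPasswords no) in
        yes) echo "PermitEmptyPasswords yes: accounts without a password can log in" ;;
    esac
    case $(effective_value "$f" PasswordAuthentication yes) in
        yes) echo "PasswordAuthentication yes: passwords accepted; set no once keys are installed" ;;
    esac
    case $(effective_value "$f" Protocol 2) in
        *1*) echo "Protocol includes 1: SSH-1 is broken; use Protocol 2" ;;
    esac
    tries=$(effective_value "$f" MaxAuthTries 6)
    case $tries in
        [0-9]*) [ "$tries" -gt 6 ] && echo "MaxAuthTries $tries: more attempts per connection than the default of 6" ;;
    esac
    if [ -n "$(effective_value "$f" AllowUsers '')" ] && [ -n "$(effective_value "$f" DenyUsers '')" ]; then
        echo "AllowUsers and DenyUsers both set: DenyUsers is checked first, so a name in both is refused; use one list"
    fi
    return 0
}

# Constructed sample configuration for the demo; it is not a real server's file.
DEMO_CONF=$(mktemp)
cat > "$DEMO_CONF" <<'EOF'
#Port 22
Protocol 2
#PermitRootLogin yes
#StrictModes yes
MaxAuthTries 6
PermitEmptyPasswords no
PasswordAuthentication yes
PubkeyAuthentication yes
AllowUsers gsy admin@61.23.24.25
DenyUsers lisi
Match User backup
    PermitRootLogin no
EOF
audit_sshd_config "$DEMO_CONF"
```

On the server itself, sshd -T prints the effective configuration as sshd sees it and is the authoritative check; this script is for auditing copies of the file offline, for example in a configuration repository.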

Part 2: Using the SSH client programs

2.1 The ssh command ———— secure remote login

ssh user@host

ssh <local user name on the target host>@<host name or IP>

The -p option specifies the port number.

2.2 The scp command ———— secure remote copy

scp user@host:file1 file2

Copies file1 from the target host to file2 on the local machine.

scp file1 user@host:file2

Copies the local file1 to file2 on the target host.

2.3 The sftp command ———— secure FTP upload/download

sftp user@host

Opens an sftp session on the target host.

2.4.1 The ssh command: secure remote login

test01 has IP address 192.168.139.128

test02 has IP address 192.168.139.129

[root@test01 ~]# cd /etc/ssh    'change to the /etc/ssh directory'
[root@test01 ssh]# ls
moduli       ssh_host_ecdsa_key      ssh_host_ed25519_key.pub
ssh_config   ssh_host_ecdsa_key.pub  ssh_host_rsa_key
sshd_config  ssh_host_ed25519_key    ssh_host_rsa_key.pub
[root@test01 ssh]# vim sshd_config  'edit the server configuration file'

    # semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
 16 #
 17 Port 22 'port 22; the # has been removed, so the line is active'
 18 #AddressFamily any
 19 #ListenAddress 0.0.0.0
 20 #ListenAddress ::
 21 
 22 HostKey /etc/ssh/ssh_host_rsa_key
 23 #HostKey /etc/ssh/ssh_host_dsa_key
 24 HostKey /etc/ssh/ssh_host_ecdsa_key
 25 HostKey /etc/ssh/ssh_host_ed25519_key
 26 
[root@test01 ssh]# systemctl restart sshd   'restart the sshd service'
[root@test02 ~]# ssh root@192.168.139.128   'connect to the host running the service (test01), logging in as root'
The authenticity of host '192.168.139.128 (192.168.139.128)' can't be established.
ECDSA key fingerprint is SHA256:dXWxtS2ShXQgfb7R672V7+l3i7rGqHBbIB5MTcFnAws.    'ECDSA is the type of the server host key, not the user key pair'
ECDSA key fingerprint is MD5:59:fb:20:f0:28:96:5e:14:90:82:63:c9:ae:67:d6:e9.
Are you sure you want to continue connecting (yes/no)? yes    'first contact: compare this fingerprint with one obtained out of band (e.g. ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub on the console of test01) before answering yes; a blind yes lets a man-in-the-middle substitute its own key'
Warning: Permanently added '192.168.139.128' (ECDSA) to the list of known hosts.
root@192.168.139.128's password: 
Last login: Wed Nov 20 17:13:57 2019
[root@test01 ~]#    'note the host name in the prompt: the remote login has succeeded'
[root@test01 ~]# ifconfig       'check the network interface (we are now on test01)'
ens33: flags=4163  mtu 1500
        inet 192.168.139.128  netmask 255.255.255.0  broadcast 192.168.139.255
[root@test01 ~]# exit       'log out'
logout
Connection to 192.168.139.128 closed.
[root@test02 ~]# ifconfig       'back on test02: check its own address'
ens33: flags=4163  mtu 1500
        inet 192.168.139.129  netmask 255.255.255.0  broadcast 192.168.139.255

[root@test02 ~]# ssh gsy@192.168.139.128    'logging in as the ordinary user gsy also works'
gsy@192.168.139.128's password: 
Last login: Wed Nov 20 18:07:37 2019    
[gsy@test01 ~]$ exit    'log out'
logout
Connection to 192.168.139.128 closed.

Either root or an ordinary user can be used to log in to the target host, as long as the server's configuration permits it.

[root@test01 ssh]# vim /etc/ssh/sshd_config 'edit the sshd server configuration on test01'

 38 PermitRootLogin no  'line 38: remove the # and set root login to no'

[root@test01 ssh]# systemctl restart sshd   'restart sshd so the change takes effect'
[root@test02 ~]# ssh root@192.168.139.128   'connect to test01 as root'
The authenticity of host '192.168.139.128 (192.168.139.128)' can't be established.
ECDSA key fingerprint is SHA256:dXWxtS2ShXQgfb7R672V7+l3i7rGqHBbIB5MTcFnAws.
ECDSA key fingerprint is MD5:59:fb:20:f0:28:96:5e:14:90:82:63:c9:ae:67:d6:e9.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.139.128' (ECDSA) to the list of known hosts.
root@192.168.139.128's password: 
Permission denied, please try again.    'refused even with the correct password: root login is now disabled'
root@192.168.139.128's password: 
[root@test02 ~]#
[root@test02 ~]# ssh gsy@192.168.139.128    'connecting as gsy still works'
gsy@192.168.139.128's password: 
Last login: Wed Nov 20 18:08:14 2019 from 192.168.139.129
[gsy@test01 ~]$ 
[gsy@test01 ~]$ su - root   'then switch to root with su'
Password: 
Last login: Wed Nov 20 18:30:29 CST 2019 on pts/5
Last failed login: Wed Nov 20 18:32:37 CST 2019 on pts/5
There was 1 failed login attempt since the last successful login.
[root@test01 ~]#    'success'

"Permission denied" means the login was refused.

PermitRootLogin no only blocks a direct root login: anyone who can log in as an ordinary user and knows the root password can still become root with su. To stop ordinary users from switching to root at will, configure /etc/pam.d/su on the server (test01). Once pam_wheel is enabled there, a user who is not in the wheel group cannot su to root, as the test with the user lisi below shows.

 [root@test01 ssh]# vim /etc/pam.d/su   'edit the PAM configuration for su'

 6 auth           required        pam_wheel.so use_uid  'line 6: remove the # to enable the wheel-group restriction on su'

[root@test01 ssh]# useradd lisi     'create a new user lisi, who is not in the wheel group'
[root@test01 ssh]# passwd lisi
Changing password for user lisi.
New password: 
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: 
passwd: all authentication tokens updated successfully.
[root@test02 ~]# ssh lisi@192.168.139.128       'connect from test02 to test01 as lisi'
lisi@192.168.139.128's password: 
[lisi@test01 ~]$        'lisi is logged in'
[lisi@test01 ~]$ su - root      'try to switch to root with su'
Password:
su: Permission denied            'refused: lisi is not in the wheel group'
[root@test01 ssh]# vim /etc/ssh/sshd_config 'edit sshd_config on test01'

 21 AllowUsers gsy      'add a whitelist by hand on line 21: only gsy may log in'
[root@test01 ssh]# systemctl restart sshd   'restart the sshd service'
[root@test02 ~]# ssh gsy@192.168.139.128    'connect from test02 to test01 as gsy'
gsy@192.168.139.128's password: 
Last failed login: Wed Nov 20 18:51:43 CST 2019 from 192.168.139.129 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Wed Nov 20 18:48:54 2019 from 192.168.139.128
[gsy@test01 ~]$ logout  'login succeeded; log out again'
Connection to 192.168.139.128 closed.
[root@test02 ~]# ssh root@192.168.139.128       'connect from test02 to test01 as root'
root@192.168.139.128's password:    'enter the password'
Permission denied, please try again.        'refused: root is not on the whitelist'
root@192.168.139.128's password: 
Permission denied, please try again.

2.4.2 The scp command: secure remote copy

[root@test01 ssh]# vim /etc/hosts   'on test01; /etc/hosts is used as the test file'

test01  192.168.139.128 'added line'
test02  192.168.139.129 'added line'
'(note: the real /etc/hosts format is IP address first, then host name; the order used here is reversed and would not resolve, which does not matter for the copy test)'
[root@test01 ssh]# vim /etc/ssh/sshd_config 'configure sshd again'
#AllowUsers gsy         'whitelist commented out, so everyone may log in again'
#PermitRootLogin no  'commented out again, so the built-in default (yes on this system) applies and root can log in; the transcript below confirms it'

[root@test01 ssh]# systemctl restart sshd   'restart the sshd service'
[root@test02 ~]# ssh root@192.168.139.128   'connect from test02 to test01 as root'
root@192.168.139.128's password: 
Last failed login: Wed Nov 20 19:05:55 CST 2019 from 192.168.139.129 on ssh:notty
There were 8 failed login attempts since the last successful login.
Last login: Wed Nov 20 18:41:42 2019    'login succeeded'
[root@test01 ssh]# scp /etc/hosts root@192.168.139.129:/etc/hosts    
'on test01: scp copies the local /etc/hosts to /etc/hosts on test02 (the path after the colon must be absolute here; a relative path is taken relative to the remote user's home directory)'
The authenticity of host '192.168.139.129 (192.168.139.129)' can't be established.  
ECDSA key fingerprint is SHA256:+uy+1TNy69jB97B7+AoYqhNEaBi42DuOYb0oE4pJ8s0.
ECDSA key fingerprint is MD5:00:78:0c:c1:c2:7b:01:45:7c:31:c2:3b:53:4d:5c:10.
Are you sure you want to continue connecting (yes/no)? yes  'asked whether to trust the new host key; answer yes after checking the fingerprint'
Warning: Permanently added '192.168.139.129' (ECDSA) to the list of known hosts.
root@192.168.139.129's password: 
hosts                                     100%  204    87.9KB/s   00:00    'progress display'
[root@test01 ssh]# 
[root@test01 ssh]# ssh root@192.168.139.129     'connect from test01 to test02 as root'
root@192.168.139.129's password: 
Last login: Wed Nov 20 19:18:41 2019 from 192.168.139.129
[root@test02 ~]# cat /etc/hosts     'check /etc/hosts on test02'
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
test01  192.168.139.128
test02  192.168.139.129
[root@test02 ~]# logout     'log out'
Connection to 192.168.139.129 closed.
[root@test01 ssh]# cd /opt/
[root@test01 opt]# ls
rh
[root@test01 opt]# touch abc.txt    'create an empty file locally'
[root@test01 opt]# scp /opt/abc.txt root@192.168.139.129:/home/
'copy the local /opt/abc.txt, as root, into the /home/ directory on 192.168.139.129'
root@192.168.139.129's password:    'password prompt'
abc.txt                                   100%    0     0.0KB/s   00:00    
[root@test01 opt]# 
[root@test02 ~]# cd /home
[root@test02 home]# ls
abc.txt  gsy
[root@test02 home]# vim /etc/ssh/sshd_config    'edit the sshd server configuration on test02'
Port 22     'remove the # so the Port line is active'
[root@test02 home]# systemctl restart sshd  'restart'
[root@test02 home]# mkdir abc
[root@test01 opt]# scp /opt/abc.txt gsy@192.168.139.129:/home/abc/
gsy@192.168.139.129's password: 
scp: /home/abc//abc.txt: Permission denied  'copy failed'
[root@test02 home]# ls -al
total 0
drwxr-xr-x.  4 root root  43 Nov 20 19:32 .
dr-xr-xr-x. 17 root root 224 Oct 24 15:42 ..
drwxr-xr-x.  2 root root   6 Nov 20 19:32 abc  'owned by root, mode 755: gsy has no write permission here'
-rw-r--r--.  1 root root   0 Nov 20 19:22 abc.txt
drwx------.  3 gsy  gsy   78 Oct 24 15:36 gsy
[root@test02 home]# chmod 777 abc
[root@test02 home]# ls -al
total 0
drwxr-xr-x.  4 root root  43 Nov 20 19:32 .
dr-xr-xr-x. 17 root root 224 Oct 24 15:42 ..
drwxrwxrwx.  2 root root   6 Nov 20 19:32 abc
-rw-r--r--.  1 root root   0 Nov 20 19:22 abc.txt
drwx------.  3 gsy  gsy   78 Oct 24 15:36 gsy
[root@test02 home]# 
[root@test01 opt]# scp /opt/abc.txt gsy@192.168.139.129:/home/abc/
'retry'
gsy@192.168.139.129's password:     'works now'
abc.txt                                   100%    0     0.0KB/s   00:00  

Then check on test02:

[root@test02 home]# ls -al abc  
total 0
drwxrwxrwx. 2 root root 21 Nov 20 19:38 .
drwxr-xr-x. 4 root root 43 Nov 20 19:32 ..
-rw-r--r--. 1 gsy  gsy   0 Nov 20 19:38 abc.txt

The file is written with whichever user you copied as as its owner (here gsy). The chmod 777 above is only a quick fix for the demo: a world-writable directory lets every local account plant or replace files in it. In practice give the directory to the user or to a group instead (for example chown gsy:gsy /home/abc).

[root@test01 opt]# scp root@192.168.139.129:/home/gsy.txt /opt
'on test01: copy /home/gsy.txt from test02, as root, into the local /opt'
root@192.168.139.129's password:    
gsy.txt                     'success'       100%    4     1.4KB/s   00:00  
[root@test01 opt]# ls -l
total 4
-rw-r--r--. 1 root root 0 Nov 20 19:21 abc.txt
-rw-r--r--. 1 root root 4 Nov 20 19:46 gsy.txt
drwxr-xr-x. 2 root root 6 Mar 26  2015 rh
[root@test01 opt]# cat gsy.txt 
gsy
[root@test01 opt]# 

scp and sftp run on the remote side as the account you authenticate as and are bound by that account's filesystem permissions; to read or write somewhere else, that location has to be accessible to that account.

2.4.3 The sftp command: secure FTP upload/download

[root@test01 ~]# sftp root@192.168.139.129      'connect to test02 in FTP-style upload/download mode'
root@192.168.139.129's password: 
Connected to 192.168.139.129.
sftp> 
sftp> ls -a
.                        ..                       .ICEauthority            
.Xauthority              .bash_history            .bash_logout             
.bash_profile            .bashrc                  .cache                   
.config                  .cshrc                   .dbus                    
.esd_auth                .local                   .mozilla                 
.ssh                     .tcshrc                  .viminfo                 
anaconda-ks.cfg          initial-setup-ks.cfg     下载                   
公共                   图片                   文档                   
桌面                   模板                   视频                   
音乐                   
sftp> cd /opt
sftp> ls
rh  
sftp> mkdir aaa
sftp> ls
aaa  rh   
sftp> rm -rf aaa
rm: Invalid flag -r
sftp> ls
aaa  rh   
sftp> 
sftp>  help
Available commands:
bye                                Quit sftp
cd path                            Change remote directory to 'path'
chgrp grp path                     Change group of file 'path' to 'grp'
chmod mode path                    Change permissions of file 'path' to 'mode'
chown own path                     Change owner of file 'path' to 'own'
df [-hi] [path]                    Display statistics for current directory or
                                   filesystem containing 'path'
exit                               Quit sftp
get [-afPpRr] remote [local]       Download file
reget [-fPpRr] remote [local]      Resume download file
reput [-fPpRr] [local] remote      Resume upload file
help                               Display this help text
lcd path                           Change local directory to 'path'
lls [ls-options [path]]            Display local directory listing
lmkdir path                        Create local directory
ln [-s] oldpath newpath            Link remote file (-s for symlink)
lpwd                               Print local working directory
ls [-1afhlnrSt] [path]             Display remote directory listing
lumask umask                       Set local umask to 'umask'
mkdir path                         Create remote directory
progress                           Toggle display of progress meter
put [-afPpRr] local [remote]       Upload file
pwd                                Display remote working directory
quit                               Quit sftp
rename oldpath newpath             Rename remote file
rm path                            Delete remote file
rmdir path                         Remove remote directory
symlink oldpath newpath            Symlink remote file
version                            Show SFTP version
!command                           Execute 'command' in local shell
!                                  Escape to local shell
?                                  Synonym for help
sftp> rmdir aaa
sftp> ls
rh  
sftp> 

In sftp mode the commands differ somewhat from the Linux shell commands: rm takes no flags and removes a single remote file, and a directory is removed with rmdir.

Part 3: Building an SSH setup with key-pair authentication

[root@test02 ~]# ssh-keygen rsa     'attempt to create a key pair; without -t the word rsa is taken as an extra argument, so ssh-keygen prints its usage'
Too many arguments.
usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1]
                  [-N new_passphrase] [-C comment] [-f output_keyfile]
       ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
       ssh-keygen -i [-m key_format] [-f input_keyfile]
       ssh-keygen -e [-m key_format] [-f input_keyfile]
       ssh-keygen -y [-f input_keyfile]
       ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]
       ssh-keygen -l [-v] [-E fingerprint_hash] [-f input_keyfile]
       ssh-keygen -B [-f input_keyfile]
       ssh-keygen -D pkcs11
       ssh-keygen -F hostname [-f known_hosts_file] [-l]
       ssh-keygen -H [-f known_hosts_file]
       ssh-keygen -R hostname [-f known_hosts_file]
       ssh-keygen -r hostname [-f input_keyfile] [-g]
       ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point]
       ssh-keygen -T output_file -f input_file [-v] [-a rounds] [-J num_lines]
                  [-j start_line] [-K checkpt] [-W generator]
       ssh-keygen -s ca_key -I certificate_identity [-h] [-n principals]
                  [-O option] [-V validity_interval] [-z serial_number] file ...
       ssh-keygen -L [-f input_keyfile]
       ssh-keygen -A
       ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]
                  file ...
       ssh-keygen -Q -f krl_file file ...
[root@test02 ~]# ssh-keygen -t rsa      'create the key pair; -t selects the key type (rsa here; ed25519 is the preferred choice on current OpenSSH)'
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:ZL4EmtVT8fXoCPScBgL7bldPv380zK93PQnA9kmORF8 root@test02
The key's randomart image is:
+---[RSA 2048]----+
|      ... =.  .  |
|       o + * o E |
|      + = + B o .|
|     + * . B =   |
|    o   S o O *  |
|       o . o B =.|
|        + .   o.*|
|       . .     oB|
|              .+*|
+----[SHA256]-----+
[root@test02 ~]# ls -a
.                .bash_logout   .dbus                 .ssh         图片
..               .bash_profile  .esd_auth             .tcshrc      文档
123123           .bashrc        .ICEauthority         .viminfo     桌面
123123.pub       .cache         initial-setup-ks.cfg  .Xauthority  模板
anaconda-ks.cfg  .config        .local                下载         视频
.bash_history    .cshrc         .mozilla              公共         音乐

[root@test02 ~]# cd .ssh
[root@test02 .ssh]# ls
id_rsa  id_rsa.pub  known_hosts
[root@test02 .ssh]# ssh-copy-id -i id_rsa.pub gsy@192.168.139.128       
'copy the public half of the key pair to the server test01, for the account gsy'
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
gsy@192.168.139.128's password:     'enter gsy's password one last time'

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'gsy@192.168.139.128'"
and check to make sure that only the key(s) you wanted were added.
[root@test01 ~]# cd /home/gsy
[root@test01 gsy]# ls
下载  公共  图片  文档  桌面  模板  视频  音乐
[root@test01 gsy]# ls -a
.              .bash_logout   .cache     .ICEauthority  .ssh  图片  模板
..             .bash_profile  .config    .local         下载  文档  视频
.bash_history  .bashrc        .esd_auth  .mozilla       公共  桌面  音乐
[root@test01 gsy]# cd .ssh
[root@test01 .ssh]# ls      'verify that the key arrived on the server test01'
authorized_keys
[root@test02 ~]# ssh gsy@192.168.139.128    'log in to the server test01 again'
Enter passphrase for key '/root/.ssh/id_rsa':   'enter the passphrase that was set on the private key during ssh-keygen; it unlocks the local key, no account password is sent'
Last failed login: Wed Nov 20 20:17:55 CST 2019 from 192.168.139.129 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Wed Nov 20 18:51:51 2019 from 192.168.139.129
[gsy@test01 ~]$     'login succeeded'
[gsy@test01 ~]$ exit
logout
Connection to 192.168.139.128 closed.
[root@test02 ~]# ls -a
.                .bash_logout   .dbus                 .ssh         图片
..               .bash_profile  .esd_auth             .tcshrc      文档
123123           .bashrc        .ICEauthority         .viminfo     桌面
123123.pub       .cache         initial-setup-ks.cfg  .Xauthority  模板
anaconda-ks.cfg  .config        .local                下载         视频
.bash_history    .cshrc         .mozilla              公共         音乐
[root@test02 ~]# ls -a .ssh
.  ..  id_rsa  id_rsa.pub  known_hosts
[root@test02 ~]# ssh-agent bash     'start an ssh-agent and a new shell that knows how to reach it'
[root@test02 ~]# ssh-add    'load the private key into the agent; the passphrase is asked once'
Enter passphrase for /root/.ssh/id_rsa:     'enter the key passphrase'
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
[root@test02 ~]# 
[root@test02 ~]# ssh gsy@192.168.139.128    'log in to test01 as gsy again; no passphrase prompt this time'
Last login: Wed Nov 20 21:33:22 2019 from 192.168.139.130   'the client IP changed because the network was switched'

ssh-agent bash: start an agent that holds the unlocked key

ssh-add: load the key once so later connections are non-interactive

Useful for shell scripts that run commands on remote hosts without prompting. The agent keeps the decrypted key in memory only for the life of that shell, which is safer than generating the key without a passphrase.
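ssh-copy-id, used above, appends the key to ~/.ssh/authorized_keys and fixes the permissions that StrictModes insists on (~/.ssh mode 700, authorized_keys mode 600, nothing group- or world-writable). The following added example, not from the original page, does the same installation by hand, idempotently, and optionally prefixes the key with authorized_keys options so that a key used from a script can be limited to one source network with no forwarding (restrict and from= are real authorized_keys options; restrict needs OpenSSH 7.2 or later). The key string in it is a constructed placeholder, not a real key, the home directory is a temporary one, and the function names are mine.

```shell
#!/bin/sh
# Added example: install a public key into a user's authorized_keys the way
# ssh-copy-id does, idempotently and with the ownership/permission layout that
# StrictModes requires, optionally prefixed with authorized_keys options.

# install_authorized_key HOME_DIR PUBKEY_LINE [OPTIONS]
# Prints "added" when the key was appended, "present" when it was already there.
install_authorized_key() {
    home=$1; pubkey=$2; opts=${3:-}
    sshdir=$home/.ssh; authfile=$sshdir/authorized_keys
    # the base64 blob (second field) identifies the key; type and comment may differ
    blob=$(printf '%s\n' "$pubkey" | awk '{ print $2 }')
    [ -n "$blob" ] || { echo "malformed public key line" >&2; return 1; }
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"            # sshd ignores the file if .ssh is group/world writable
    touch "$authfile"
    chmod 600 "$authfile"
    # when run as root for another account, also: chown -R "$user": "$sshdir"
    if grep -qF -- "$blob" "$authfile"; then
        echo present
    elif [ -n "$opts" ]; then
        printf '%s %s\n' "$opts" "$pubkey" >> "$authfile"   # options go before the key type
        echo added
    else
        printf '%s\n' "$pubkey" >> "$authfile"
        echo added
    fi
}

# strict_modes_ok HOME_DIR
# Returns 0 when neither the home directory, .ssh nor authorized_keys is
# group- or world-writable, which is what sshd checks with StrictModes yes.
strict_modes_ok() {
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        mode=$(ls -ld "$p" | cut -c1-10)      # e.g. drwx------
        case $mode in
            ?????w*|????????w?) return 1 ;;  # group write bit or other write bit set
        esac
    done
    return 0
}

# Demo with a constructed placeholder key (not a real key) in a temporary home.
DEMO_HOME=$(mktemp -d)
DEMO_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyBlobForTheDemoOnlyNotARealKey root@test02'
# restrict disables port/agent/X11 forwarding, pty and rc; from= limits the
# source addresses the key may be used from (both are real authorized_keys options)
install_authorized_key "$DEMO_HOME" "$DEMO_KEY" 'restrict,from="192.168.139.0/24"'
install_authorized_key "$DEMO_HOME" "$DEMO_KEY"      # second run: already present
strict_modes_ok "$DEMO_HOME" && echo "permissions satisfy StrictModes"
```

The blob-based duplicate check is why re-running the installer (or ssh-copy-id) does not pile up copies of the same key, and strict_modes_ok reproduces the reason a key that is "installed" still gets ignored after a careless chmod on the home directory.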

Part 4: TCP Wrappers overview

4.1 How the protection is implemented

  • Method 1: the tcpd main program wraps other service programs
  • Method 2: the service program itself is linked against the libwrap.so.* library

4.2 Access control policy files

  • /etc/hosts.allow
  • /etc/hosts.deny

sshd is one of the services it can control, which can be confirmed from the libraries the binary links against:

[root@test01 .ssh]# ldd `which sshd`
        linux-vdso.so.1 =>  (0x00007ffd5eb16000)
        libfipscheck.so.1 => /lib64/libfipscheck.so.1 (0x00007f4e20f2b000)
        libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f4e20d20000)
        libaudit.so.1 => /lib64/libaudit.so.1 (0x00007f4e20af7000)
        libpam.so.0 => /lib64/libpam.so.0 (0x00007f4e208e8000)
        libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f4e206c1000)
        libsystemd.so.0 => /lib64/libsystemd.so.0 (0x00007f4e20698000)
        libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f4e20237000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007f4e20033000)
        libldap-2.4.so.2 => /lib64/libldap-2.4.so.2 (0x00007f4e1fdde000)
        liblber-2.4.so.2 => /lib64/liblber-2.4.so.2 (0x00007f4e1fbcf000)
        libutil.so.1 => /lib64/libutil.so.1 (0x00007f4e1f9cc000)
        libz.so.1 => /lib64/libz.so.1 (0x00007f4e1f75000)
        libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f4e1f57e000)
        libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f4e1f364000)
        libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f4e1f116000)
        libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f4e1ee2e000)
        libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f4e1ebfb000)
        libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f4e1e9f6000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f4e1e633000)
        libnsl.so.1 => /lib64/libnsl.so.1 (0x00007f4e1e41a000)
        libcap-ng.so.0 => /lib64/libcap-ng.so.0 (0x00007f4e1e213000)
        libpcre.so.1 => /lib64/libpcre.so.1 (0x00007f4e1dfb1000)
        /lib64/ld-linux-x86-64.so.2 (0x0000562f68c55000)
        libcap.so.2 => /lib64/libcap.so.2 (0x00007f4e1ddac000)
        libm.so.6 => /lib64/libm.so.6 (0x00007f4e1daa9000)
        librt.so.1 => /lib64/librt.so.1 (0x00007f4e1d8a1000)
        liblzma.so.5 => /lib64/liblzma.so.5 (0x00007f4e1d67b000)
        libgcrypt.so.11 => /lib64/libgcrypt.so.11 (0x00007f4e1d3f9000)
        libgpg-error.so.0 => /lib64/libgpg-error.so.0 (0x00007f4e1d1f4000)
        libdw.so.1 => /lib64/libdw.so.1 (0x00007f4e1cfad000)
        libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f4e1cd96000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f4e1cb7a000)
        libsasl2.so.3 => /lib64/libsasl2.so.3 (0x00007f4e1c95d000)
        libssl3.so => /lib64/libssl3.so (0x00007f4e1c710000)
        libsmime3.so => /lib64/libsmime3.so (0x00007f4e1c4e9000)
        libnss3.so => /lib64/libnss3.so (0x00007f4e1c1bf000)
        libnssutil3.so => /lib64/libnssutil3.so (0x00007f4e1bf91000)
        libplds4.so => /lib64/libplds4.so (0x00007f4e1bd8d000)
        libplc4.so => /lib64/libplc4.so (0x00007f4e1bb88000)
        libnspr4.so => /lib64/libnspr4.so (0x00007f4e1b949000)
        libfreebl3.so => /lib64/libfreebl3.so (0x00007f4e1b746000)
        libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007f4e1b537000)
        libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007f4e1b333000)
        libattr.so.1 => /lib64/libattr.so.1 (0x00007f4e1b12d000)
        libelf.so.1 => /lib64/libelf.so.1 (0x00007f4e1af15000)
        libbz2.so.1 => /lib64/libbz2.so.1 (0x00007f4e1ad04000)

The backticks run the command inside them and substitute its output, so `which sshd` supplies the path of the sshd binary to ldd. The libwrap.so.0 line in the output shows that this sshd was built with TCP Wrappers support. Caveat: upstream OpenSSH dropped libwrap support in version 6.7; Red Hat kept it in RHEL/CentOS 7, but RHEL 8 removed tcp_wrappers entirely, so on newer systems the same source filtering is done with firewalld or with sshd's own Match and AllowUsers rules.

Part 5: Applying TCP Wrappers policies

5.1 Setting access control policies

  • Policy format: service list : client address list
  • Service list
    • Multiple services separated by commas; ALL means all services
  • Client address list
    • Multiple addresses separated by commas; ALL means all addresses
    • The wildcards ? and * are allowed
    • Network addresses, e.g. 192.168.4. or 192.168.4.0/255.255.255.0
    • Domain suffixes, e.g. .benet.com

5.2 Order in which policies are applied

  • hosts.allow is checked first; a match means access is allowed
  • Otherwise hosts.deny is checked; a match means access is denied
  • If neither file has a matching policy, access is allowed by default

Example: allow sshd only from the listed addresses and deny it to every other address
[root@localhost ~]# echo "sshd:61.63.65.67,192.168.2.*" > /etc/hosts.allow
[root@localhost ~]# vi /etc/hosts.allow
sshd:61.63.65.67,192.168.2.*

[root@localhost ~]# echo "sshd:ALL" > /etc/hosts.deny
[root@localhost ~]# vi /etc/hosts.deny
sshd:ALL

[root@localhost ~]# 

hosts.allow is read first, then hosts.deny.

If you only want to block certain hosts, write the blacklist alone and leave the whitelist empty.
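To make the evaluation order in 5.2 concrete, here is an added example (not from the original page, and not the real tcpd code) that applies the hosts.allow / hosts.deny logic to a service name and a client IPv4 address: a hosts.allow match wins, then a hosts.deny match denies, and no match at all means allow. It handles the address pattern forms listed in 5.1 (ALL, an exact address, a trailing-dot prefix, the ? and * wildcards, and net/mask) but not host names, EXCEPT lists or rule options; the two policy files it uses are constructed in a temporary directory from the example above, and the function names are mine.

```shell
#!/bin/sh
# Added example: evaluate a TCP Wrappers decision for SERVICE from an IPv4
# client using the order described above: hosts.allow first (match = allow),
# then hosts.deny (match = deny), otherwise allow. Address patterns only;
# host names, EXCEPT lists and rule options are not handled. Not the real tcpd.
set -f                                # no pathname expansion: patterns contain * and ?

ip_to_int() {                         # 192.168.4.77 -> 3232236621
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# pattern_matches PATTERN IPV4 -> 0 when PATTERN covers the address
pattern_matches() {
    pat=$1; ip=$2
    case $pat in
        ALL) return 0 ;;
        */*)                                        # net/mask, e.g. 192.168.4.0/255.255.255.0
            net=${pat%/*}; mask=${pat#*/}
            [ $(( $(ip_to_int "$ip") & $(ip_to_int "$mask") )) -eq \
              $(( $(ip_to_int "$net") & $(ip_to_int "$mask") )) ] ;;
        *.) case $ip in "$pat"*) return 0 ;; *) return 1 ;; esac ;;   # prefix, e.g. 192.168.4.
        *)  case $ip in $pat) return 0 ;; *) return 1 ;; esac ;;      # exact, or ? and * wildcards
    esac
}

service_in_list() {                    # LIST SERVICE: ALL or an exact daemon name
    oldifs=$IFS; IFS=,
    for s in $1; do
        IFS=$oldifs
        if [ "$s" = ALL ] || [ "$s" = "$2" ]; then return 0; fi
    done
    IFS=$oldifs; return 1
}

client_in_list() {                     # LIST IPV4: any comma-separated pattern
    oldifs=$IFS; IFS=,
    for p in $1; do
        IFS=$oldifs
        if pattern_matches "$p" "$2"; then return 0; fi
    done
    IFS=$oldifs; return 1
}

# file_has_match FILE SERVICE IPV4 -> 0 when some "daemons : clients" rule matches
file_has_match() {
    [ -f "$1" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '[:blank:]')   # patterns contain no spaces
        case $line in ''|\#*) continue ;; esac
        daemons=${line%%:*}
        rest=${line#*:}
        clients=${rest%%:*}                      # drop any trailing ": option" field
        if service_in_list "$daemons" "$2" && client_in_list "$clients" "$3"; then
            return 0
        fi
    done < "$1"
    return 1
}

# tcpwrap_decision ALLOW_FILE DENY_FILE SERVICE IPV4 -> prints ALLOW or DENY
tcpwrap_decision() {
    if file_has_match "$1" "$3" "$4"; then echo ALLOW     # hosts.allow is consulted first
    elif file_has_match "$2" "$3" "$4"; then echo DENY     # then hosts.deny
    else echo ALLOW                                        # no rule anywhere: allowed
    fi
}

# Constructed policy files for the demo, built from the page's example.
DEMO_DIR=$(mktemp -d)
DEMO_ALLOW=$DEMO_DIR/hosts.allow
DEMO_DENY=$DEMO_DIR/hosts.deny
printf 'sshd:61.63.65.67,192.168.2.*\nvsftpd: 192.168.4.0/255.255.255.0\n' > "$DEMO_ALLOW"
printf 'sshd:ALL\n' > "$DEMO_DENY"
for ip in 192.168.2.10 61.63.65.67 10.0.0.5; do
    echo "sshd from $ip: $(tcpwrap_decision "$DEMO_ALLOW" "$DEMO_DENY" sshd "$ip")"
done
```

The "no match means allow" default is the reason the page's example needs the sshd:ALL line in hosts.deny: without it, every address not on the whitelist would still get through.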

Summary:

ssh uses TCP port 22

Server configuration file: /etc/ssh/sshd_config

Port 22     'port number'
ListenAddress 192.168.155.155   'listening address'
Protocol 2      'protocol version'
UseDNS no      'reverse DNS lookup of clients: no'
LoginGraceTime  2m      'time allowed to finish authenticating: 2 min'
PermitRootLogin no      'allow root login: no'
MaxAuthTries 6          'maximum authentication attempts per connection: 6'
PermitEmptyPasswords no     'empty passwords forbidden'
AllowUsers gsy  lisi@192.168.88.88  
'only gsy (from anywhere) and lisi (only from 192.168.88.88) may log in; nobody else'
PasswordAuthentication yes  'password authentication: yes'
PubkeyAuthentication yes    'key-pair authentication enabled: yes'
AuthorizedKeysFile .ssh/authorized_keys 'location of the authorized public keys file'

Remote login

ssh <user>@<ip address> -p <port>

Remote copy

scp <file to copy> <destination>

scp <user>@<ip address>:<source path> <destination path>

Remote upload/download

sftp <user>@<ip address>

Building a key pair for ssh

ssh-keygen -t rsa (or ed25519; dsa is obsolete and disabled by default since OpenSSH 7.0)  create the key pair

ssh-copy-id -i <public key file> <user>@<target ip address>

ssh-copy-id -i ~/.ssh/id_rsa.pub gsy@192.168.88.88

ssh-agent bash  start an agent that holds the unlocked key

ssh-add  load the key once so later logins need no prompt

TCP Wrappers protects the service program

ldd `which sshd`

Access control policy files

/etc/hosts.allow

/etc/hosts.deny

If you only need a blacklist, the whitelist can be left empty

