ssh is installed by default when the system is installed. The corresponding service is sshd.
ssh configuration files: /etc/ssh/
[root@localhost ~]# cd /etc/ssh/
[root@localhost ssh]# ls
moduli        ssh_host_ecdsa_key        ssh_host_rsa_key
ssh_config    ssh_host_ecdsa_key.pub    ssh_host_rsa_key.pub
ssh_config.d  ssh_host_ed25519_key      sshd_config
              ssh_host_ed25519_key.pub
Where:
sshd_config: the main (server) configuration file
ssh_host_ecdsa_key: the server's host private key for that algorithm (there is one pair per algorithm: rsa, ecdsa, ed25519)
ssh_host_ecdsa_key.pub: the matching public key
The host key pairs are generated when the ssh package is installed (they are not created per connection).
When a client connects over the ssh protocol, the server presents the public half of one of these host keys; it is ready before the first client ever connects. The client has nothing to compare it with on the first connection and stores whatever it is shown in ~/.ssh/known_hosts, so check the fingerprint the client prints against ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub run on the server before answering yes.
moduli:
The Diffie-Hellman groups used by the diffie-hellman-group-exchange-sha256 key exchange algorithm come from this file, so when that algorithm is enabled /etc/ssh/moduli should also be trimmed to strengthen it (drop the small groups). The file is normally present after installation.
ssh_config.d: a directory for additional ssh client configuration snippets
ssh_config: SSH client configuration file
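What "trimming moduli" means in practice, as an added example that is not part of the original notes: a small shell function that keeps only the groups whose size field is at least a floor (3071 by default, the usual recommendation), run here on a constructed moduli file with fake modulus values, since only the size column matters for the filter. The function name and the sample are mine.

```shell
#!/bin/sh
# Added example, not from the original notes. /etc/ssh/moduli holds the DH
# groups sshd may offer for diffie-hellman-group-exchange-*; field 5 of each
# line is the group size in bits (real files list sizes such as 2047, 3071,
# 4095). Hardening means keeping only the large groups. The sample below is
# constructed (fake moduli); only field 5 matters to the filter.

# Copy the lines of IN whose size (field 5) is at least MIN bits to OUT,
# dropping comment lines; print how many groups survive.
harden_moduli() {
    in=$1; out=$2; min=${3:-3071}
    awk -v min="$min" '$1 !~ /^#/ && NF >= 7 && $5 >= min' "$in" > "$out"
    wc -l < "$out" | tr -d ' '
}

sample=$(mktemp); hardened=$(mktemp)
cat > "$sample" <<'EOF'
# Time Type Tests Tries Size Generator Modulus   (constructed, not real groups)
20190101000000 2 6 100 1023 2 CAFEBABE
20190101000000 2 6 100 1535 2 CAFEBABE
20190101000000 2 6 100 2047 2 CAFEBABE
20190101000000 2 6 100 3071 2 CAFEBABE
20190101000000 2 6 100 4095 5 CAFEBABE
20190101000000 2 6 100 8191 2 CAFEBABE
EOF
echo "groups left: $(harden_moduli "$sample" "$hardened")"   # 3 of the 6
rm -f "$sample" "$hardened"
```

On a real host keep a backup and replace the file in one step, for example `cp /etc/ssh/moduli /etc/ssh/moduli.bak && awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe && mv /etc/ssh/moduli.safe /etc/ssh/moduli`. On a host like the one in these notes the KexAlgorithms list itself is set by the system-wide crypto policy (the header of sshd_config says so), so `sshd -T | grep -i kexalgorithms` tells you whether the group-exchange methods are offered at all.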
Annotated listing (the comments in the right-hand column are these notes' explanations, not part of the shipped file):
[root@localhost ssh]# vim sshd_config
#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22                                  # default port; several Port lines may be given to listen on more than one
#Port 443
#AddressFamily any                        # address family: IPv4, IPv6 or any
#ListenAddress 0.0.0.0                    # listen address (all IPv4 addresses)
#ListenAddress ::                         # all IPv6 addresses

# Host keys: the server's own identity, one private key per algorithm. These are
# what the client is asked to trust; they have nothing to do with user authentication keys
HostKey /etc/ssh/ssh_host_rsa_key         # RSA host private key
HostKey /etc/ssh/ssh_host_ecdsa_key       # ECDSA host private key
HostKey /etc/ssh/ssh_host_ed25519_key     # Ed25519 host private key

# Ciphers and keying
#RekeyLimit default none

# System-wide Crypto policy:
# This system is following system-wide crypto policy. The changes to
# Ciphers, MACs, KexAlgoritms and GSSAPIKexAlgorithsm will not have any
# effect here. They will be overridden by command-line options passed on
# the server start up.
# To opt out, uncomment a line with redefinition of CRYPTO_POLICY=
# variable in /etc/sysconfig/sshd to over write the policy.
# For more information, see manual page for update-crypto-policies(8).
# Logging                                 # which syslog facility and daemon name the log records carry
#SyslogFacility AUTH                      # SSH logins are logged; on this system they end up in /var/log/secure
SyslogFacility AUTHPRIV                   # upstream default is AUTH; this distribution uses AUTHPRIV
#LogLevel INFO                            # log verbosity

# Authentication:
#LoginGraceTime 2m                        # how long a connection may sit at the login prompt before sshd drops it
PermitRootLogin yes                       # whether root may log in remotely (yes here; set no, or prohibit-password for key-only root)
#StrictModes yes                          # sshd checks ownership and permissions of the user's home, ~/.ssh and key
                                          # files before accepting a login and refuses if others can write them
#MaxAuthTries 6                           # maximum authentication attempts per connection
#MaxSessions 10                           # maximum open sessions (shells, sftp, forwards) per network connection
#PubkeyAuthentication yes                 # whether public-key authentication is allowed

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile	.ssh/authorized_keys  # for key-based login the client generates a key pair and its
                                          # public key is appended to ~/.ssh/authorized_keys on the server
#AuthorizedPrincipalsFile none            # file of principal names accepted for SSH certificate authentication;
                                          # none = no such file (this is not a banner option)
#AuthorizedKeysCommand none               # program that supplies a user's public keys at authentication time (e.g. from a
                                          # directory service); it receives tokens such as the user name and the
                                          # fingerprint of the offered key and must print zero or more authorized_keys lines
#AuthorizedKeysCommandUser nobody         # account that program runs as

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no               # host-based (rhosts-style) authentication using the client host's key; off by default
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no                  # ignore the user's ~/.ssh/known_hosts for host-based authentication
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes                         # do not use ~/.rhosts and ~/.shosts for authentication

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes               # whether password authentication is allowed
#PermitEmptyPasswords no                  # whether accounts with an empty password may log in (keep no)
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no        # whether challenge-response (keyboard-interactive) authentication is allowed;
                                          # the upstream default is yes, which permits every method login.conf allows

# Kerberos options                        # Kerberos authentication settings
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options                          # Generic Security Services API settings
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
# problems.
# PAM: Pluggable Authentication Modules
UsePAM yes                                # authenticate through PAM

#AllowAgentForwarding yes                 # allow ssh-agent forwarding
#AllowTcpForwarding yes                   # allow TCP port forwarding
#GatewayPorts no                          # whether remote-forwarded ports may bind to non-loopback addresses (reachable by other hosts)
X11Forwarding yes                         # X11 forwarding
#X11DisplayOffset 10                      # first display number used for forwarded X11
#X11UseLocalhost yes                      # bind the forwarded X11 display to loopback only
#PermitTTY yes                            # allow pty allocation

# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
# as it is more configurable and versatile than the built-in version.
PrintMotd no                              # whether sshd itself prints /etc/motd after login
#PrintLastLog yes                         # show the date and time of the previous login
#TCPKeepAlive yes                         # send TCP keepalives so that a dead peer or broken network is
                                          # noticed and the connection torn down
#PermitUserEnvironment no                 # whether ~/.ssh/environment and environment= options in authorized_keys are honoured
#Compression delayed                      # enable compression only after authentication
#ClientAliveInterval 0                    # seconds of silence before sshd sends an encrypted client-alive probe; 0 disables the probes
#ClientAliveCountMax 3                    # number of unanswered probes after which sshd disconnects that client
#ShowPatchLevel no                        # include the distribution patch level in the version banner
#UseDNS no                                # reverse-resolve the client address (no: faster logins, host names
                                          # in AllowUsers/known_hosts cannot be matched)
#PidFile /var/run/sshd.pid                # where the sshd pid is written
#MaxStartups 10:30:100                    # concurrent unauthenticated connections: beyond 10, 30% of new ones are
                                          # dropped, rising linearly to 100% at 100
#PermitTunnel no                          # allow tun(4) device forwarding
#ChrootDirectory none                     # directory to chroot into after authentication (none: no chroot)
#VersionAddendum none                     # extra text appended to the version banner

# no default banner path
#Banner none                              # file sent to the client before authentication (none: no banner)

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
Subsystem	sftp	/usr/libexec/openssh/sftp-server   # enables the sftp subsystem

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no                  # no X11 forwarding for this user
#	AllowTcpForwarding no             # no TCP forwarding
#	PermitTTY no                      # no pty
#	ForceCommand cvs server           # run this command regardless of what the client asks for
cd /etc/ssh/
vim sshd_config
# A line beginning with # is commented out; most of them just show the built-in default.
Add one line (keywords are case-insensitive, so port and Port are the same thing; the value is what matters):
Port 2222
Save and quit:
[root@localhost ~]# cd /etc/ssh/
[root@localhost ssh]# vim sshd_config
#
# default port 22
#Port 22
port 2222
# address family, IPv4 or IPv6
#AddressFamily any
# listen address
#ListenAddress 0.0.0.0
# all IPv6 addresses
#ListenAddress ::
You have only changed the file; sshd reads its configuration when it starts, so nothing takes effect until the service is restarted. Run sshd -t first: it parses the file and reports errors without touching the running daemon, which matters when the only way in is the session you are editing from.
Restart the service: systemctl restart sshd
[root@localhost ssh]# systemctl restart sshd
Job for sshd.service failed because the control process exited with error code.
See "systemctl status sshd.service" and "journalctl -xe" for details.
[root@localhost ssh]#
The journal shows that SELinux refused to let sshd bind port 2222: sshd may only bind ports labelled ssh_port_t, and 2222 is not one of them. The targeted fix is the one the header of sshd_config itself gives, semanage port -a -t ssh_port_t -p tcp 2222, after which the restart succeeds with SELinux still enforcing. The notes below take the blunt route instead and switch SELinux to permissive.
systemctl
# systemctl: Control the systemd system and service manager
# restart: restart the unit
# sshd: the service name
systemctl status sshd: show the current state of the service
journalctl -xe: read the journal, where the actual reason for the failure is
# journalctl: Query the systemd journal
# -x: add catalog explanations to the entries
# -e: jump to the end of the journal (the newest entries)
The fix used here: switch SELinux from enforcing to permissive
[root@localhost ssh]# getenforce
Enforcing
[root@localhost ssh]# setenforce 0
[root@localhost ssh]# getenforce
Permissive
[root@localhost ssh]#
getenforce: show the current SELinux mode
setenforce 0|1: switch the mode; 0 = permissive, 1 = enforcing. This is not persistent (the mode in /etc/selinux/config comes back at boot), and permissive only logs denials, it no longer blocks anything, for every service on the host, which is why labelling the port with semanage is the better fix.
Stop the firewall: [root@localhost ssh]# systemctl stop firewalld
(Opening only the new port keeps the firewall in place: firewall-cmd --permanent --add-port=2222/tcp && firewall-cmd --reload)
ssh log: /var/log/secure
system log: /var/log/messages
Add an ordinary test user, sshuser, with password 123456 (a throwaway lab password; this box still has PasswordAuthentication yes, so never do this on anything reachable from an untrusted network):
[root@localhost ~]# useradd sshuser
[root@localhost ~]# echo "123456" | passwd --stdin sshuser
Changing password for user sshuser.
passwd: all authentication tokens updated successfully.
[root@localhost ~]#
Edit the configuration file:
vim sshd_config, change PermitRootLogin yes to no (prohibit-password is the alternative when root still needs key-based access)
[root@localhost ~]# cd /etc/ssh/
[root@localhost ssh]# ls
moduli        ssh_host_ecdsa_key        ssh_host_rsa_key
ssh_config    ssh_host_ecdsa_key.pub    ssh_host_rsa_key.pub
ssh_config.d  ssh_host_ed25519_key      sshd_config
              ssh_host_ed25519_key.pub
[root@localhost ssh]# vim sshd_config
# Authentication:
# how long a connection may sit at the login prompt before sshd drops it
#LoginGraceTime 2m
# whether root may log in remotely
PermitRootLogin no
# sshd checks ownership and permissions of the user's home and key files before accepting a login
#StrictModes yes
# maximum authentication attempts
#MaxAuthTries 6
# maximum sessions per connection
#MaxSessions 10
Restart the sshd service
systemctl restart sshd
vim sshd_config
# AllowUsers is not in the shipped file; it has to be added by hand
# Add it at the very bottom; separate several users with spaces
# Keywords are case-insensitive (CamelCase is only the convention); the arguments, here the user names, are case-sensitive
AllowUsers sshuser1 sshuser2
# Save and quit
# Restart the service
systemctl restart sshd
[root@localhost ssh]# useradd sshuser1
[root@localhost ssh]# useradd sshuser2
[root@localhost ssh]# echo "123456" | passwd --stdin sshuser1
Changing password for user sshuser1.
passwd: all authentication tokens updated successfully.
[root@localhost ssh]# echo "123456" | passwd --stdin sshuser2
Changing password for user sshuser2.
passwd: all authentication tokens updated successfully.
[root@localhost ssh]#
[root@localhost ssh]# vim sshd_config
# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no                  # no X11 forwarding for this user
#	AllowTcpForwarding no             # no TCP forwarding
#	PermitTTY no                      # no pty
#	ForceCommand cvs server           # forced command
AllowUsers sshuser1 sshuser2
"sshd_config" 209L, 6691C
Once AllowUsers exists, every account not listed is refused, including root and the sshuser created earlier; sshd evaluates DenyUsers, AllowUsers, DenyGroups and AllowGroups in that order. Putting the line at the bottom is fine here only because the Match example above it is commented out: any keyword placed after an active Match line belongs to that block, not to the global configuration.
# Test it: log in on port 2222 as sshuser1 (should work), then as root and as sshuser (both should be refused); /var/log/secure records the reason for each refusal.
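The two edits made above (moving the port, then locking root out and whitelisting users) share one workflow: change the file, check it, restart. The script below is an added example, not part of the original notes: sshd_get reads the effective global value the way sshd resolves it (first active line wins, keyword case ignored, Match blocks not consulted), sshd_set edits in place instead of blindly appending, user_allowed predicts what AllowUsers/DenyUsers will do to a given account, audit_sshd flags the weak settings, and apply_port_on_host is the SELinux/firewalld/sshd -t sequence for a real RHEL-family host with semanage and firewall-cmd installed. The configuration text it runs on is constructed for the demo; all function names are mine.

```shell
#!/bin/sh
# Added example, not from the original notes. Edits a sshd_config the way sshd
# will read it, predicts the effect of AllowUsers, and shows the host-side
# steps (SELinux, firewalld, sshd -t) for a new port. The sample config at the
# bottom is constructed; apply_port_on_host needs root on a real RHEL-family box.

# Effective global value of KEY in CFG: comments and blank lines ignored,
# keyword case ignored, the FIRST active line wins (sshd_config(5)), nothing
# after a Match line counts. List keywords such as AllowUsers accumulate across
# several lines in real sshd; this helper only reads the first such line.
sshd_get() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key {
            sub(/^[ \t]*[^ \t]+[ \t]+/, ""); sub(/[ \t]+$/, "")
            print; exit
        }' "$1"
}

# Set KEY to VALUE in CFG. Because the first active line wins, an existing
# active line is replaced in place (a commented "#Port 22" is inert and kept);
# otherwise the line goes in front of the first Match block, or at the end.
sshd_set() {
    tmp=$(mktemp)
    awk -v key="$2" -v kv="$2 $3" '
        BEGIN { key = tolower(key); done = 0 }
        { active = (NF > 0 && $1 !~ /^#/) }
        !done && active && tolower($1) == "match" { print kv; done = 1 }
        !done && active && tolower($1) == key   { print kv; done = 1; next }
        { print }
        END { if (!done) print kv }' "$1" > "$tmp"
    cat "$tmp" > "$1"          # keeps the original file's mode and owner
    rm -f "$tmp"
}

# Would USER get past sshd's user filters? sshd checks DenyUsers first, then
# AllowUsers: a deny match always loses, and once AllowUsers exists anyone not
# listed is refused. Wildcards (* and ?) map straight onto case patterns; the
# body is a subshell so "set -f" (no filename globbing of the list) stays local.
# user@host entries are not modelled.
user_allowed() (
    set -f
    for pat in $(sshd_get "$1" DenyUsers); do
        case $2 in $pat) return 1 ;; esac
    done
    allow=$(sshd_get "$1" AllowUsers)
    [ -z "$allow" ] && return 0
    for pat in $allow; do
        case $2 in $pat) return 0 ;; esac
    done
    return 1
)

# Print one line per weak setting; return 1 if any. Missing keywords fall back
# to the upstream defaults.
audit_sshd() {
    rc=0
    v=$(sshd_get "$1" PermitRootLogin); [ -n "$v" ] || v=prohibit-password
    case $v in no|prohibit-password|without-password) ;;
        *) echo "PermitRootLogin $v: root can log in remotely"; rc=1 ;; esac
    v=$(sshd_get "$1" PasswordAuthentication); [ -n "$v" ] || v=yes
    [ "$v" = no ] || { echo "PasswordAuthentication $v: guessable; prefer keys"; rc=1; }
    v=$(sshd_get "$1" PermitEmptyPasswords); [ -n "$v" ] || v=no
    [ "$v" = no ] || { echo "PermitEmptyPasswords $v"; rc=1; }
    [ -n "$(sshd_get "$1" AllowUsers)" ] || { echo "no AllowUsers: every local account may try"; rc=1; }
    return $rc
}

# Real-host steps for a new PORT (root): label the port for SELinux instead of
# setenforce 0, open only that port instead of stopping firewalld, and let
# sshd -t parse the file before the restart so a typo cannot lock you out.
apply_port_on_host() {
    semanage port -a -t ssh_port_t -p tcp "$1" 2>/dev/null ||
        semanage port -m -t ssh_port_t -p tcp "$1"
    firewall-cmd --permanent --add-port="$1/tcp" && firewall-cmd --reload
    sshd -t && systemctl restart sshd && ss -tlnp "( sport = :$1 )"
}

# Demo on a constructed file that mirrors the edits made in the notes.
demo=$(mktemp)
cat > "$demo" <<'EOF'
#Port 22
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
# Example of overriding settings on a per-user basis
Match User anoncvs
        X11Forwarding no
EOF
sshd_set "$demo" Port 2222
sshd_set "$demo" PermitRootLogin no
sshd_set "$demo" AllowUsers "sshuser1 sshuser2"
audit_sshd "$demo" || true            # still flags PasswordAuthentication yes
for u in root sshuser sshuser1; do
    if user_allowed "$demo" "$u"; then echo "$u: allowed"; else echo "$u: refused"; fi
done
rm -f "$demo"
```

The demo ends with root and sshuser refused and sshuser1 allowed, which is exactly what the restart in the notes produces; the audit keeps complaining until PasswordAuthentication is set to no as well. On the host, run `sshd -T` after the restart to see the values sshd actually loaded rather than the ones you think you wrote.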