SSH Configuration in RHCE

上官高翰
2023-12-01

SSH configuration

The ssh software is installed by default when the system is installed. The corresponding service name is sshd.

ssh configuration files: /etc/ssh/

[root@localhost ~]# cd /etc/ssh/
[root@localhost ssh]# ls
moduli        ssh_host_ecdsa_key        ssh_host_rsa_key
ssh_config    ssh_host_ecdsa_key.pub    ssh_host_rsa_key.pub
ssh_config.d  ssh_host_ed25519_key
sshd_config   ssh_host_ed25519_key.pub

Where:

        sshd_config: main configuration file

        ssh_host_ecdsa_key: private key for the corresponding algorithm

        ssh_host_ecdsa_key.pub: public key

The private and public keys are generated as soon as the ssh software is installed.

When a client connects to the ssh server over the ssh protocol, the server returns its public key, which has been prepared in advance.

        moduli:

                Because the diffie-hellman-group-exchange-sha256 key exchange algorithm is enabled, /etc/ssh/moduli also has to be adjusted to strengthen its security, provided the file exists (it normally does after installation).

        ssh_config.d: directory where additional configuration files are kept

        ssh_config: SSH client configuration file

Configuration of the server's sshd: sshd_config

[root@localhost ssh]# vim sshd_config 

#       $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22    default port number; several Port lines may be given
#Port 443
#AddressFamily any   #address family, IPv4 or IPv6
#ListenAddress 0.0.0.0 #listen address
#ListenAddress :: # all IPv6 addresses
#host key types supported by this version
HostKey /etc/ssh/ssh_host_rsa_key #rsa host private key
HostKey /etc/ssh/ssh_host_ecdsa_key #ecdsa host private key
HostKey /etc/ssh/ssh_host_ed25519_key #ed25519 host private key

# Ciphers and keying
#RekeyLimit default none

# System-wide Crypto policy:
# This system is following system-wide crypto policy. The changes to
# Ciphers, MACs, KexAlgorithms and GSSAPIKexAlgorithms will not have any
# effect here. They will be overridden by command-line options passed on
# the server start up.
# To opt out, uncomment a line with redefinition of  CRYPTO_POLICY=
# variable in  /etc/sysconfig/sshd  to overwrite the policy.
# For more information, see manual page for update-crypto-policies(8).

# Logging #where log records are placed and the name of the daemon (facility)
#SyslogFacility AUTH # when someone logs in over SSH, SSH records it in /var/log/secure
SyslogFacility AUTHPRIV # the default is AUTH.
#LogLevel INFO  # log level

# Authentication: #authentication
#LoginGraceTime 2m  #once the password prompt appears, how long until the connection is dropped if login to the SSH server has not succeeded.
PermitRootLogin yes  # whether the administrator (root) may log in remotely
#StrictModes yes # sshd checks the permissions of the user's home directory and key files before accepting a login

#MaxAuthTries 6  # maximum number of authentication attempts
#MaxSessions 10  # maximum number of sessions allowed

#PubkeyAuthentication yes #whether public-key authentication is allowed

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile      .ssh/authorized_keys # for key-based authentication: the client generates a key pair and
                                             # the public key is placed in .ssh/authorized_keys

#AuthorizedPrincipalsFile none  #file listing the certificate principals accepted for a user; none disables it

#AuthorizedKeysCommand none #program that looks up a user's public keys for authentication, called at the login-authentication layer;
                            #it receives variables such as the public key the user is trying, its fingerprint and the user name, and must print zero or more authorized_keys-format lines
#AuthorizedKeysCommandUser nobody #user the lookup command runs as

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no #whether host-based authentication (trusting the client host's key) is allowed
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no #ignore the user's known_hosts file
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes #whether ~/.rhosts is ignored for authentication

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes # whether password authentication is allowed
#PermitEmptyPasswords no   # whether empty passwords are allowed
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no # whether challenge-response authentication is allowed.
                                   # The default is "yes": every authentication method allowed in login.conf is supported.

# Kerberos options #options for Kerberos authentication
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options #Generic Security Services API options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
# problems.
# PAM: Pluggable Authentication Modules
UsePAM yes #authenticate through PAM

#AllowAgentForwarding yes  # allow agent forwarding
#AllowTcpForwarding yes    # allow TCP forwarding
#GatewayPorts no           # whether remote hosts may connect to forwarded ports
X11Forwarding yes  #X Window settings
#X11DisplayOffset 10 #X Window settings
#X11UseLocalhost yes #X Window settings
#PermitTTY yes  #allow tty allocation
# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
# as it is more configurable and versatile than the built-in version.
PrintMotd no #whether to print a message after login, i.e. read and show /etc/motd

#PrintLastLog yes #show the last login information
#TCPKeepAlive yes #the SSH server sends keepalive messages to the client to make sure the connection is still up,
                  #so if either side goes offline, SSH notices immediately
#PermitUserEnvironment no
#Compression delayed #compression delayed until after authentication
#ClientAliveInterval 0 #seconds of idle time before a client-alive probe is sent; 0 disables probing
#ClientAliveCountMax 3 #number of unanswered client-alive probes after which the connection is dropped
#ShowPatchLevel no #show the patch level
#UseDNS no  #whether to resolve client hostnames through DNS
#PidFile /var/run/sshd.pid #file holding sshd's pid
#MaxStartups 10:30:100  #maximum number of unauthenticated connections that may be held open
#PermitTunnel no  #allow tun device forwarding
#ChrootDirectory none #directory to chroot into after authentication; none disables it
#VersionAddendum none #extra text appended to the version string

# no default banner path
#Banner none #no banner (welcome message)

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
#whether the sftp service is enabled
# override default of no subsystems
Subsystem       sftp    /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no #whether X11 forwarding is enabled
#       AllowTcpForwarding no #whether TCP forwarding is allowed
#       PermitTTY no #whether a tty is allowed
#       ForceCommand cvs server #restrict the command

Exercises

1. Change the ssh server port

cd /etc/ssh/

vim sshd_config
# Lines that start with # in the config file are commented out; they may also show the default value.
Add one line:
Port 2222
Save and exit when done.

[root@localhost ~]# cd /etc/ssh/
[root@localhost ssh]# vim sshd_config

#
#default port number 22
#Port 22
port 2222
#address family, ipv4 or ipv6
#AddressFamily any
#listen address
#ListenAddress 0.0.0.0
#all ipv6 addresses
#ListenAddress ::

You have only changed the configuration file; the change is not in effect yet. To apply it, restart the service.
Restart the service: systemctl restart sshd

[root@localhost ssh]# systemctl restart sshd
Job for sshd.service failed because the control process exited with error code.
See "systemctl status sshd.service" and "journalctl -xe" for details.
[root@localhost ssh]# 

The error shows that SELinux blocked our port 2222.

systemctl

        # systemctl: Control the systemd system and service manager
        # restart: restart the service
        # sshd: service name
        systemctl status sshd: show the current status of this service
        journalctl -xe: show the service log
        # journalctl: Query the systemd journal
        # -x: catalog, add explanatory help texts to the log entries
        # -e: jump to the end (last page) of the journal

Fix applied: switch the SELinux mode from enforcing to permissive

[root@localhost ssh]# getenforce 
Enforcing
[root@localhost ssh]# setenforce 0
[root@localhost ssh]# getenforce 
Permissive
[root@localhost ssh]# 

getenforce: show the SELinux mode
setenforce 0|1: switch the SELinux mode; 0 means permissive, 1 means enforcing

Stop the firewall: [root@localhost ssh]# systemctl stop firewalld

View the ssh log: /var/log/secure
View the system log: /var/log/messages

2. Forbid remote root login

Add an ordinary test user: sshuser, password: 123456

[root@localhost ~]# useradd sshuser
[root@localhost ~]# echo "123456" | passwd --stdin sshuser
Changing password for user sshuser.
passwd: all authentication tokens updated successfully.
[root@localhost ~]# 

Edit the configuration file:
vim sshd_config, change PermitRootLogin yes to PermitRootLogin no

[root@localhost ~]# cd /etc/ssh/
[root@localhost ssh]# ls
moduli        ssh_host_ecdsa_key        ssh_host_rsa_key
ssh_config    ssh_host_ecdsa_key.pub    ssh_host_rsa_key.pub
ssh_config.d  ssh_host_ed25519_key
sshd_config   ssh_host_ed25519_key.pub
[root@localhost ssh]# vim sshd_config

# Authentication:

#once the password prompt appears, how long until the connection is dropped if login to the SSH server has not succeeded
#LoginGraceTime 2m
#whether the administrator (root) may log in remotely
PermitRootLogin no
#sshd checks the permissions of the user's home directory and key files before accepting a login
#StrictModes yes
#maximum number of authentication attempts
#MaxAuthTries 6
#maximum number of sessions allowed
#MaxSessions 10

Restart the sshd service

systemctl restart sshd

3. Allow only specific users to log in

vim sshd_config

#this option is not in the file by default and has to be added by hand
#add AllowUsers at the very bottom of the config file; separate several users with spaces
# every word of the keyword starts with a capital letter
AllowUsers sshuser1 sshuser2
#save and exit
#restart the service
systemctl restart sshd

[root@localhost ssh]# useradd sshuser1
[root@localhost ssh]# useradd sshuser2
[root@localhost ssh]# echo "123456" | passwd --stdin sshuser1
Changing password for user sshuser1.
passwd: all authentication tokens updated successfully.
[root@localhost ssh]# echo "123456" | passwd --stdin sshuser2
Changing password for user sshuser2.
passwd: all authentication tokens updated successfully.
[root@localhost ssh]# 
[root@localhost ssh]# vim sshd_config

# Example of overriding settings on a per-user basis
#Match User anoncvs
#whether X11 forwarding is enabled
#       X11Forwarding no
#whether TCP forwarding is allowed
#       AllowTcpForwarding no
#whether a tty is allowed
#       PermitTTY no
#restrict the command
#       ForceCommand cvs server
AllowUsers sshuser1 sshuser2
"sshd_config" 209L, 6691C

# Test it
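As an added example (my own code, not part of the original notes), a small Python audit script that reads sshd_config the way sshd does and checks the three exercise goals: keywords are case-insensitive (so the lowercase "port 2222" above is valid), "#" starts a comment, and every line after a "Match" line belongs to that Match block, which matters because exercise 3 appends AllowUsers at the very bottom of the file. The sample configs, the MULTI_VALUED set and the finding texts are my own constructions.

```python
import re

# Keywords that accumulate over several lines; every other keyword keeps the FIRST value.
MULTI_VALUED = {"port", "listenaddress", "hostkey", "allowusers", "denyusers"}

def parse_sshd_config(text):
    """Map each scope ('global' or 'Match ...') to its directives, the way sshd
    reads the file: case-insensitive keywords, '#' comments, Match blocks."""
    config, scope = {"global": {}}, "global"
    lines = (raw.split("#", 1)[0].strip() for raw in text.splitlines())
    for line in filter(None, lines):                     # skip blank/comment lines
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":                                # everything below is in this block
            scope = "Match " + value
            config.setdefault(scope, {})
        elif key in MULTI_VALUED:
            config[scope].setdefault(key, []).append(value)
        else:
            config[scope].setdefault(key, value)          # first occurrence wins
    return config

def audit_sshd_config(text):
    """Return 'Keyword: detail' findings for the three exercise goals and password logins."""
    cfg = parse_sshd_config(text)
    g, findings = cfg["global"], []
    if "22" in g.get("port", ["22"]):
        findings.append("Port: the default port 22 is still in use")
    if g.get("permitrootlogin", "prohibit-password") != "no":
        findings.append("PermitRootLogin: exercise 2 expects 'no'")
    if "allowusers" not in g:
        findings.append("AllowUsers: no global allow-list, any account may log in")
        for scope, opts in cfg.items():
            if "allowusers" in opts:
                findings.append(f"AllowUsers: only inside '{scope}', so it does "
                                "not restrict other connections")
    if g.get("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication: passwords accepted; prefer keys")
    return findings

# Constructed sample after the three exercises: the Match example is still commented out, so AllowUsers is global.
AFTER_EXERCISES = """\
port 2222
PermitRootLogin no
#Match User anoncvs
AllowUsers sshuser1 sshuser2
"""
# Constructed pitfall: an active Match block above the appended line captures it.
ALLOWUSERS_IN_MATCH = AFTER_EXERCISES.replace("#Match", "Match")
```

Run audit_sshd_config() on the text of /etc/ssh/sshd_config, and validate the edited file with sshd -t before systemctl restart sshd so that a typo cannot lock you out.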
