Linux Centos7 —sshd远程登录，密钥对登录，TCPWrappers访问控制

本章环境：VM虚拟机，一台服务器作为服务端，一台服务器作为客户端

本章目的：了解sshd远程登录管理，密钥对验证，Tcp wappers访问控制

一.sshd远程登录

1.查看sshd服务

 [root@localhost ~]# netstat -ntap | grep 22tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      3252/dnsm      tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      968/sshd       //默认我们的SSHD是开启的tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      16227/sshot@pt tcp        0      0 192.168.17.128:49342    180.97.251.226:80       TIME_WAIT   -              tcp        0      0 192.168.17.128:42522    202.141.176.110:80   

2.了解SSHD服务端配置文件

[root@localhost ~]# vim /etc/ssh/sshd_config //服务端的SSHD配置文件

17 #Port 22 //端口
18 #AddressFamily any
19 #ListenAddress 0.0.0.0 //监听地址
20 #ListenAddress :: //IPV6地址

37#LoginGraceTime 2m  //2分钟会话时间  38 #PermitRootLogin yes  //允许ROOT登录 39 #StrictModes yes    //验证你的访问权限 40 #MaxAuthTries 6   //验证次数 41 #MaxSessions 10   // 访问最大连接数10个#PubkeyAuthentication yes  //公钥验证开启

3.使用客户端去远程登录服务端的ROOT用户

[root@test02 ~]# ssh root@192.168.17.128The authenticity of host '192.168.17.128 (192.168.17.128)' can't be established.ECDSA key fingerprint is SHA256:Rpsrtp0nMlVYADWOhRjM0UVz6wVl682cNuzxhF0Q7C8.ECDSA key fingerprint is MD5:fa:c3:d9:5c:96:87:ce:16:d8:63:b3:0c:7b:26:45:1f.Are you sure you want to continue connecting (yes/no)? yesWarning: Permanently added '192.168.17.128' (ECDSA) to the list of known hosts.root@192.168.17.128's password: Last login: Mon Sep 16 12:07:36 2019

4.把服务端的远程登录ROOT用户关掉

37 #LoginGraceTime 2m 38 #PermitRootLogin no  //禁止远程用户用ROOT登录 39 #StrictModes yes 40 #MaxAuthTries 6 41 #MaxSessions 10

5.去服务端验证是否能登录ROOT用户

[root@test02 ~]# ssh root@192.168.17.128root@192.168.17.128's password: Permission denied, please try again.root@192.168.17.128's password: 

6.客户端切换到普通用户lisi,再切到ROOT用户也行（不安全）

[root@test02 ~]# ssh lisi@192.168.17.128lisi@192.168.17.128's password: [lisi@test01 ~]$ su - root密码：上一次登录：一 9月 16 12:17:31 CST 2019pts/2 上最后一次失败的登录：一 9月 16 12:25:59 CST 2019pts/2 上最有一次成功登录后有 1 次失败的登录尝试。[root@test01 ~]# 

7.把服务端开启PAM认证

vim /etc/pam.d/su//把"#"号去掉auth            required        pam_wheel.so use_uidauth            substack        system-authauth            include         postlogin

8.再去客户端去验证一下

[lisi@test01 ~]$ su - root密码：su: 拒绝权限

9.在客户端尝试输错三次密码，发现就退出来了，我们原本服务端设置的是验证次数是6次

[root@test02 ~]# ssh chen@192.168.17.128chen@192.168.17.128's password: Permission denied, please try again.chen@192.168.17.128's password: Permission denied, please try again.chen@192.168.17.128's password: Permission denied, please try again.[root@test02 ~]# 

10.在客户端切到ROOT用户，设置验证次数为8次

[root@test01 ~]# ssh -o NumberOfPasswordPrompts=8 chen@192.168.17.128The authenticity of host '192.168.17.128 (192.168.17.128)' can't be established.ECDSA key fingerprint is SHA256:Rpsrtp0nMlVYADWOhRjM0UVz6wVl682cNuzxhF0Q7C8.ECDSA key fingerprint is MD5:fa:c3:d9:5c:96:87:ce:16:d8:63:b3:0c:7b:26:45:1f.Are you sure you want to continue connecting (yes/no)? yesWarning: Permanently added '192.168.17.128' (ECDSA) to the list of known hosts.chen@192.168.17.128's password: Permission denied, please try again.chen@192.168.17.128's password: Permission denied, please try again.chen@192.168.17.128's password: Permission denied, please try again.chen@192.168.17.128's password: Permission denied, please try again.chen@192.168.17.128's password: Permission denied, please try again.chen@192.168.17.128's password: Received disconnect from 192.168.17.128 port 22:2: Too many authentication failuresAuthentication failed.[root@test01 ~]# 

11.设置SSH远程登录的黑白名单

37 #LoginGraceTime 2m 38 #PermitRootLogin no 39 #StrictModes yes 40 #MaxAuthTries 6 41 #MaxSessions 10 42 Allow Users chen@192.168.17.130//只允许chen这个用户用192.168.17.130地址登录[root@test01 ~]# systemctl restart sshd

12.了解三种远程管理

scp 远程复制sftp  get 远程下载文件sftp put  远程上传文件

二.密钥对验证登录

1.服务端开启公私钥验证登录

[root@localhost ~]# vim /etc/ssh/sshd_config //服务端的SSHD配置文件

43 PubkeyAuthentication yes  把"#"去掉开启公私钥验证登录 44  45 # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys    2 46 # but this is overridden so installations will only check .ssh/authorized_ke    ys 47 AuthorizedKeysFile      .ssh/authorized_keys                                           //生成的公私密钥会在这个目录底下

2.客户端，给chen用户生成密钥

[root@client ~]# ls /home/chen[root@client ~]# ssh-keygen -t ecdsa Generating public/private ecdsa key pair.Enter file in which to save the key (/root/.ssh/id_ecdsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /root/.ssh/id_ecdsa.Your public key has been saved in /root/.ssh/id_ecdsa.pub.The key fingerprint is:SHA256:HqV9MQWYPqLHSodJciQEDpGhsbQheF3gVqXLMD6mhTo root@clientThe key's randomart image is:+---[ECDSA 256]---+|B*.+ooo..  o...  ||*=+.o...  o  .   ||oo. =o.  .. o    ||   +.+o..+o  o   ||  . =+o=S....    || . + .=.+. .     ||E .  . +.        || .    .          ||                 |+----[SHA256]-----+

3.查看chen用户当中的公私钥目录

[root@client ~]# ls -a.                    .bash_logout   .dbus                 .mozilla     模板..                   .bash_profile  .esd_auth             .ssh         视频.1234.txt.swp        .bashrc        .ICEauthority         .tcshrc      图片abc                  .cache         initial-setup-ks.cfg  test         文档abc.txt              chen           is                    this         下载anaconda-ks.cfg      chenchen       .lesshst              .viminfo     音乐.anacond-ks.cfg.swp  .config        .local                .Xauthority  桌面.bash_history        .cshrc         lshelp1.txt           公共[root@client ~]# cd .ssh/[root@client .ssh]# lsid_ecdsa  id_ecdsa.pub  known_hosts

4.把chen公钥发送给服务端的公钥目录中

[root@client .ssh]# ssh-copy-id -i id_ecdsa.pub chen@192.168.17.128/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "id_ecdsa.pub"The authenticity of host '192.168.17.128 (192.168.17.128)' can't be established.ECDSA key fingerprint is SHA256:Rpsrtp0nMlVYADWOhRjM0UVz6wVl682cNuzxhF0Q7C8.ECDSA key fingerprint is MD5:fa:c3:d9:5c:96:87:ce:16:d8:63:b3:0c:7b:26:45:1f.Are you sure you want to continue connecting (yes/no)? yes/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keyschen@192.168.17.128's password: Number of key(s) added: 1Now try logging into the machine, with:   "ssh 'chen@192.168.17.128'"and check to make sure that only the key(s) you wanted were added.

5.去服务端查看有没有chen用户的公钥

[root@localhost chen]# cd .ssh/[root@localhost .ssh]# lsauthorized_keys[root@localhost .ssh]# cat authorized_keys ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC3jJu7k3skpOWd5azNtHhohBCyQvcE5vMQblIICOn48GGL3h2tQ9d7m34liu7YdXcdY+oLyQvgl23xiP9Au8ug= root@client

6.客户端远程密钥对登录验证

[root@client .ssh]# ssh chen@192.168.17.128Enter passphrase for key '/root/.ssh/id_ecdsa': Last login: Sat Aug 10 00:32:52 2019

7.免交互，免去密钥对登录验证

[chen@localhost ~]$ exit登出Connection to 192.168.17.128 closed.[root@client .ssh]# ssh-agent bash  //代理bash环境[root@client .ssh]# ssh-add             //添加我们密钥对的密码Enter passphrase for /root/.ssh/id_ecdsa: Identity added: /root/.ssh/id_ecdsa (/root/.ssh/id_ecdsa)[root@client .ssh]# ssh chen@192.168.17.128Last login: Mon Sep 16 13:09:06 2019 from 192.168.17.134[chen@localhost ~]$ 

三.Tcp wappers 访问控制

访问控制策略：
先检查hosts.allow，找到匹配则允许访问
否则再检查hosts.deny，找到则拒绝访问
若两个文件中均无匹配策略，则默认允许
访问

1.到服务端设置访问控制

[root@localhost ~]# vim /etc/hosts.allow

 hosts.allow   This file contains access rules which are used to               allow or deny connections to network services that               either use the tcp_wrappers library or that have been               started through a tcp_wrappers-enabled xinetd.               See 'man 5 hosts_options' and 'man 5 hosts_access'               for information on rule syntax.              See 'man tcpd' for information on tcp_wrapperssshd:192.168.17.130   //添加只允许访问的地址~              

[root@localhost ~]# vim /etc/hosts.deny

hosts.deny    This file contains access rules which are used to               deny connections to network services that either use               the tcp_wrappers library or that have been               started through a tcp_wrappers-enabled xinetd.               The rules in this file can also be set up in               /etc/hosts.allow with a 'deny' option instead.               See 'man 5 hosts_options' and 'man 5 hosts_access'               for information on rule syntax.               See 'man tcpd' for information on tcp_wrapperssshd:192.168.17.128                                                                                     ~                                                                                       ~                                                                                       ~        

以上就是我们的所有内容了