SSH Service

1. SSH Authentication Methods

  • Password-based authentication

  • Key-based authentication
    With key-based authentication you can run a command on the remote host and get its output directly, without logging in to the target host interactively

[root@m01 ~]# ssh 172.16.1.19 hostname
web03
[root@m01 ~]# ssh 172.16.1.19
Last login: Wed Jul 17 23:24:26 2019 from 172.16.1.161
[root@web03 ~]# hostname
web03
The SSH service listens on port 22 by default;
it is a secure remote connection method (traffic is encrypted) and by default allows the root user to connect; Telnet by default does not allow the root user to log in to the system

2. SSH-related Commands

ssh <host address>    Establish an SSH connection to the target host

If no username is given, the currently logged-in user is used to log in to the target host;
  • -p <port>    Specify the SSH port number
[root@aspen ~]# ssh root@172.16.1.18
The authenticity of host '172.16.1.18 (172.16.1.18)' can't be established.
ECDSA key fingerprint is SHA256:4O+/HRUt2Qwcz4xXk3y+Y5It07gqAUNy//ju/dZH2Vc.
ECDSA key fingerprint is MD5:5b:e2:99:8c:b6:d6:88:85:2c:4a:84:65:4a:74:78:75.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.1.18' (ECDSA) to the list of known hosts.
root@172.16.1.18's password: 
Last login: Wed Jul 17 21:59:20 2019 from 10.0.0.1
[root@web02 ~]# ssh root@172.16.1.201 -p 16115
ssh: connect to host 172.16.1.201 port 16115: Connection refused

ssh-keygen    Create a key pair

  • -t <type>    Specify the key pair type
Commonly used key types: dsa and rsa;
Key pair location: ~/.ssh/
[root@aspen ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:P/XYuQA8iH4Aefh6iDnXV8hnaf94Mbyafbbu35aDTOs root@aspen
The key's randomart image is:
+---[RSA 2048]----+
|                 |
|     o           |
|    + .          |
|     + o + .     |
|      + S X ..   |
|   o = . * = =+. |
|  + + + o o * *+.|
|   o . o   . Xo+=|
|            =E*B*|
+----[SHA256]-----+
[root@aspen ~]# ll ~/.ssh/*rsa*
-rw------- 1 root root 1679 Jul 17 22:57 /root/.ssh/id_rsa          # private key
-rw-r--r-- 1 root root  402 Jul 17 22:57 /root/.ssh/id_rsa.pub      # public key

ssh-copy-id <user>@<host address>    Distribute the public key to a host

  • -i <file>    Specify the public key file to install
  • -o StrictHostKeyChecking=no    Do not prompt to confirm the remote host key when establishing the SSH connection
  • -p <port>    Specify the SSH port number
[root@aspen ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.16.1.18
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '172.16.1.18 (172.16.1.18)' can't be established.
ECDSA key fingerprint is SHA256:4O+/HRUt2Qwcz4xXk3y+Y5It07gqAUNy//ju/dZH2Vc.
ECDSA key fingerprint is MD5:5b:e2:99:8c:b6:d6:88:85:2c:4a:84:65:4a:74:78:75.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@172.16.1.18's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@172.16.1.18'"
and check to make sure that only the key(s) you wanted were added.
[root@aspen ~]# ssh 172.16.1.18
Last login: Wed Jul 17 22:54:26 2019 from 172.16.1.201
[root@web02 ~]# cat /root/.ssh/authorized_keys 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNwJizmrzSpFwW0cCyzZsliUOIpSlXwpv7g7vqS7i8wLiMlPKVsBEaXT+WFmXVqidm29urgAui5dpUP4G/Vvn9Tu2e8NyK9BjNb37qXsAYiW1N0PGCiicMAaXw5KrwBRUYlnSPkxvBb+ckDcZvM+dIYpnV2CT1D045xe0N3AxhIBbPw/0IiVRcAVRMJic0ivQUOMIrcId/eYft08I3p3uERlJuA1Gr2BMriL7yjdCOJnJyq4xMXnhY1E/p1rXawCl0uOpHW0i/N97eeQHhiW0kHRG8AI0dZdqFqIpJor3pcIXeOPpw4hU5EOMIYo9DWC1br2TIs3sh5MY4HGoEntMx root@oaspen

sshpass    Supply the SSH password non-interactively

sshpass is not installed by default and has to be installed with yum
  • -p <password>    Specify the target host's password in plain text
[root@web02 ~]# rm /root/.ssh/authorized_keys -f
[root@aspen ~]# >~/.ssh/known_hosts 
[root@aspen ~]# cat ~/.ssh/known_hosts 
[root@aspen ~]# ls ~/.ssh/
id_dsa  id_dsa.pub  known_hosts
[root@aspen ~]# sshpass -p ****** ssh-copy-id -i ~/.ssh/id_dsa.pub root@172.16.1.18 -o StrictHostKeyChecking=no
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_dsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh -o 'StrictHostKeyChecking=no' 'root@172.16.1.18'"
and check to make sure that only the key(s) you wanted were added.

[root@aspen ~]# ssh 172.16.1.18
Last login: Wed Jul 17 23:03:10 2019 from 172.16.1.201
[root@web02 ~]# ls ~/.ssh/
authorized_keys

When using sshpass, always test first that the ssh-copy-id command succeeds on its own, because once it is wrapped in sshpass the command can no longer be auto-completed

Script for distributing the SSH public key in bulk from the management host

[root@m01 ~]# cat /scripts/manager.sh 
#!/bin/bash
# remote connection with ssh by Aspen_Han at 20190624
# Push this host's public key to every host in the list, skipping the local address.
ip=$(hostname -I | awk '{print $2}')   # second address = internal 172.16.1.x interface
for i in 17 18 19 131 141 151 161
do
  if [ "$ip" != "172.16.1.$i" ]
  then
    echo "--------------------------- Deliver SSH Pub.key to 172.16.1.$i ---------------------------"
    # Password supplied non-interactively; skip the host-key prompt; discard ssh-copy-id output
    if sshpass -p123456 ssh-copy-id -i /root/.ssh/id_dsa.pub "root@172.16.1.$i" -o StrictHostKeyChecking=no &>/dev/null
    then
      ssh "172.16.1.$i" hostname     # confirm that key-based login now works
      echo "Deliver Pub.key for 172.16.1.$i Success"
      echo " "
    else
      echo "Deliver Pub.key for 172.16.1.$i Failed"
      echo " "
    fi
  else
    echo "--------------------------- Deliver SSH Pub.key to $ip ---------------------------"
    echo "$ip is localhost"
    echo " "
  fi
done
-----------------------------------------------------------------------------------------------------------------------
[root@m01 ~]# sh /scripts/manager.sh 
--------------------------- Deliver SSH Pub.key to 172.16.1.17 ---------------------------
web01
Deliver Pub.key for 172.16.1.17 Success

--------------------------- Deliver SSH Pub.key to 172.16.1.18 ---------------------------
web02
Deliver Pub.key for 172.16.1.18 Success

--------------------------- Deliver SSH Pub.key to 172.16.1.19 ---------------------------
web03
Deliver Pub.key for 172.16.1.19 Success

--------------------------- Deliver SSH Pub.key to 172.16.1.131 ---------------------------
Deliver Pub.key for 172.16.1.131 Failed

--------------------------- Deliver SSH Pub.key to 172.16.1.141 ---------------------------
Deliver Pub.key for 172.16.1.141 Failed

--------------------------- Deliver SSH Pub.key to 172.16.1.151 ---------------------------
Deliver Pub.key for 172.16.1.151 Failed

--------------------------- Deliver SSH Pub.key to 172.16.1.161 ---------------------------
172.16.1.161 is localhost

3. SSH Service Configuration File

SSH server configuration file: /etc/ssh/sshd_config

Commonly used parameters in the configuration file

#Port 22    # default SSH service port
#ListenAddress 0.0.0.0    # by default sshd listens on all addresses
The listen address must be an address of one of the host's network interfaces
#PermitRootLogin yes    # by default sshd allows the root user to connect
In production environments, remote root login is generally disabled
#PermitEmptyPasswords no    # by default sshd does not allow login with an empty password
In production environments, empty-password logins must be disabled
UseDNS no    # disable reverse DNS lookups in sshd
GSSAPIAuthentication no    # disable GSSAPI authentication in sshd
[root@aspen ~]# egrep -n '^#(Port|ListenAddress|PermitRootLogin|PermitEmptyPasswords)|UseDNS|GSSAPIAuthentication' /etc/ssh/sshd_config 
17:#Port 22
19:#ListenAddress 0.0.0.0
20:#ListenAddress ::
38:#PermitRootLogin yes
64:#PermitEmptyPasswords no
79:GSSAPIAuthentication no
115:UseDNS no
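
The egrep output above shows the convention the stock sshd_config follows: a line such as `#PermitRootLogin yes` documents the compiled-in default and is not an active setting, so an audit has to read both kinds of line. The following Python script is an added example (not from the original page) that parses a constructed excerpt modelled on that output, reports where the effective values differ from this page's recommendations, and flags a listener that is not restricted to the internal address (recommendation 4 below).

```python
import re

# Constructed sshd_config excerpt modelled on the egrep output shown above:
# '#Keyword value' lines are how the stock file documents a compiled-in default.
SAMPLE_SSHD_CONFIG = """\
#Port 22
#ListenAddress 0.0.0.0
#ListenAddress ::
#PermitRootLogin yes
#PermitEmptyPasswords no
GSSAPIAuthentication no
UseDNS no
"""

# Values this page recommends for a production server.
RECOMMENDED = {"permitrootlogin": "no", "permitemptypasswords": "no",
               "usedns": "no", "gssapiauthentication": "no"}

# Matches 'Keyword value' and '#Keyword value'; free-text comments ("# The ...") do not match.
KEYWORD_RE = re.compile(r"^(#?)([A-Za-z]+)\s+(\S.*?)\s*$")

def parse_sshd_config(text):
    """Return (active, documented): uncommented settings vs. commented-out defaults.
    sshd honours the first uncommented occurrence of a keyword; ListenAddress may repeat."""
    active, documented = {}, {}
    for line in text.splitlines():
        m = KEYWORD_RE.match(line.strip())
        if not m:
            continue
        target = documented if m.group(1) else active
        key, value = m.group(2).lower(), m.group(3)
        if key == "listenaddress":
            target.setdefault(key, []).append(value)
        else:
            target.setdefault(key, value)
    return active, documented

def audit(text):
    """List (keyword, effective value, recommended value) where the file falls short."""
    active, documented = parse_sshd_config(text)
    findings = []
    for key, wanted in RECOMMENDED.items():
        # Unset keyword -> compiled-in default, known here only if the file documents it.
        current = active.get(key, documented.get(key, "unknown"))
        if current.lower() != wanted:
            findings.append((key, current, wanted))
    # No active ListenAddress, or a wildcard one, means sshd accepts connections on every interface.
    listen = active.get("listenaddress", [])
    if not listen or any(a in ("0.0.0.0", "::") for a in listen):
        findings.append(("listenaddress", ", ".join(listen) or "all addresses", "internal only"))
    return findings
```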

Other files used by the SSH service

Management host

  • Public key: ~/.ssh/id_rsa.pub
  • Private key: ~/.ssh/id_rsa
  • Record of host keys for hosts already logged into: ~/.ssh/known_hosts

Managed host

  • Authorized public keys file: ~/.ssh/authorized_keys
[root@m01 ~/.ssh]# cat ./known_hosts 
172.16.1.17 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKMxZN14tKWaBaKVzR4wnbQJoNGOrqnHwKtVLEeHRBg+hf68IZ5agxsmRijvLCcjp4r8AFra4gAvX198Wa7uuNo=
172.16.1.131 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKMxZN14tKWaBaKVzR4wnbQJoNGOrqnHwKtVLEeHRBg+hf68IZ5agxsmRijvLCcjp4r8AFra4gAvX198Wa7uuNo=
172.16.1.141 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKMxZN14tKWaBaKVzR4wnbQJoNGOrqnHwKtVLEeHRBg+hf68IZ5agxsmRijvLCcjp4r8AFra4gAvX198Wa7uuNo=
172.16.1.18 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKMxZN14tKWaBaKVzR4wnbQJoNGOrqnHwKtVLEeHRBg+hf68IZ5agxsmRijvLCcjp4r8AFra4gAvX198Wa7uuNo=
172.16.1.19 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKMxZN14tKWaBaKVzR4wnbQJoNGOrqnHwKtVLEeHRBg+hf68IZ5agxsmRijvLCcjp4r8AFra4gAvX198Wa7uuNo=

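Each known_hosts line stores the host, the key type and the base64 host key that ssh compares against on every later connection; this is the check that `-o StrictHostKeyChecking=no` skips, and the dump above shows the same ECDSA key recorded for every host. The Python below is an added example (not from the original page) using constructed entries: it derives the same SHA256 fingerprint format ssh prints at the "authenticity can't be established" prompt, performs the stored-versus-presented comparison, and lists hosts that share one key, which in practice usually means they were cloned from a single image.

```python
import base64
import hashlib
from collections import defaultdict

def _blob(label):
    return base64.b64encode(label.encode()).decode()   # constructed stand-in, not a real key

# Constructed known_hosts mirroring the dump above: three hosts presenting one identical
# ECDSA key, one host with its own key, and a comment line that must be ignored.
KNOWN_HOSTS = "\n".join([
    "172.16.1.17 ecdsa-sha2-nistp256 " + _blob("cloned-image-host-key"),
    "172.16.1.18 ecdsa-sha2-nistp256 " + _blob("cloned-image-host-key"),
    "172.16.1.19 ecdsa-sha2-nistp256 " + _blob("cloned-image-host-key"),
    "172.16.1.131 ecdsa-sha2-nistp256 " + _blob("unique-host-key-131"),
    "# trailing comment line", "",
])

def fingerprint(b64_key):
    """OpenSSH SHA256 fingerprint: unpadded base64 of SHA-256 over the decoded key blob,
    the same form ssh prints as 'ECDSA key fingerprint is SHA256:...'."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text):
    """Yield (host, key type, fingerprint) for each plain-text entry.
    Hashed hostnames ('|1|...', HashKnownHosts yes) are skipped: they cannot be listed."""
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0].startswith("@"):      # @cert-authority / @revoked marker
            parts = parts[1:]
        if len(parts) < 3 or parts[0].startswith(("#", "|1|")):
            continue
        hosts, keytype, blob = parts[:3]
        for host in hosts.split(","):                # one entry may list several names/addresses
            yield host, keytype, fingerprint(blob)

def shared_host_keys(text):
    """Map fingerprint -> sorted hosts presenting that same key, for keys seen on 2+ hosts."""
    seen = defaultdict(set)
    for host, _, fp in parse_known_hosts(text):
        seen[fp].add(host)
    return {fp: sorted(h) for fp, h in seen.items() if len(h) > 1}

def check_host(text, host, presented_fp):
    """The comparison host-key checking performs on connect: 'ok', 'mismatch' or 'unknown'.
    'unknown' is what a first connection, or the emptied known_hosts above, looks like."""
    stored = {h: fp for h, _, fp in parse_known_hosts(text)}
    if host not in stored:
        return "unknown"
    return "ok" if stored[host] == presented_fp else "mismatch"
```
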
[root@m01 ~/.ssh]# cat ~/.ssh/id_dsa.pub 
ssh-dss ... root@m01

[root@m01 ~/.ssh]# ssh 172.16.1.19 cat ~/.ssh/authorized_keys
ssh-dss AAAAB3NzaC1kc3MAAACBAIBA6clmqDROph49+lbGTDxvsM6ZQPoKn1yx+KnY8QIUuuNtkfn723cr/TDowRXgajoofinBFy3uw2eD0ECCx4WVF188PEb9O8bvDSDCslX9ShV7uUBbFv3HDckgSUSs4N8QGqJzFaZHuPoptlAhXaT4zGASDOm01846N6xDmkzZAAAAFQCE4syVdlb57SLBzAH0mwVx1J4j8QAAAIAT+CqMNJRNQpYpl0OQ9Kl/7JL+P8ryoZ7LzIKvQg9uCNZD6LoOcNcOoOX8TycRxtFQ5uo36rHwP+HeO4qkDTtMqFzczMaBGPg/YFRI2UEwPgyVW8z/2Sdf5yZ1OElmKwrIFdEkKXK8klwmQhV/8Sl2n58Iy9D2j0IjsNXYR/W9fAAAAIAkPRc+KgrNFHtziybw7Ly7KJ82wWhj+cY9FMygvMwMQKkzhnuhDR49JVR/PnKriaLK902cjbC/DRCSAemmb2yVNqBY07A/JP/a6nKWBW7Au0BUVfiVpvqWjbt1tJ+SvXqb3h9UZtH8zgLyRjZNO6kaoHAhu+/fFggmqW87SrODHQ== root@m01

4. Approaches to Preventing Remote SSH Intrusion

  1. Use SSH key-based login wherever possible
  2. Avoid assigning hosts a public (external) IP address where possible
  3. Apply firewall security policy controls
  4. Configure the host's SSH service to listen only on the internal network address
  5. Monitor important system data
  6. Lock important system directories and data (chattr)

Appendix: mind map