<OS 有关>Ubuntu 24 安装 openssh-server, tailscale+ssh 慢增加

davenian2025-01-17 12:22

更新日志:

Created on 14Jan.2025 by Dave , added openssh-server, tailescape

Updated on 15Jan.2025, added "tailescape - tailscape ssh"

前期准备:

1. 更新可用软件包的数据库

2. 升级系统中所有已安装的软件包到最新版本

3. 安装 curl 和 git 这两个软件包 (如果已经安装,会进行升级)

一、安装 openssh-server(服务器)

1. 安装软件包

sudo apt update
sudo apt install openssh-server

2. 启动 SSH 服务器

启动服务:

sudo systemctl start ssh

查看状态:

root@ub2:~# sudo systemctl status ssh
● ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/usr/lib/systemd/system/ssh.service; enabled; preset: enabled)
     Active: active (running) since Tue 2025-01-14 20:11:43 CST; 17min ago
TriggeredBy: ● ssh.socket
       Docs: man:sshd(8)
             man:sshd_config(5)
    Process: 954 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
   Main PID: 965 (sshd)
      Tasks: 1 (limit: 4558)
     Memory: 3.2M (peak: 19.8M)
        CPU: 191ms
     CGroup: /system.slice/ssh.service
             └─965 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"

Jan 14 20:11:43 ub2 systemd[1]: Starting ssh.service - OpenBSD Secure Shell server...
Jan 14 20:11:43 ub2 sshd[965]: Server listening on :: port 22.
Jan 14 20:11:43 ub2 systemd[1]: Started ssh.service - OpenBSD Secure Shell server.
Jan 14 20:13:08 ub2 sshd[1851]: Accepted password for root from 192.168.19.1 port 44083 ssh2
Jan 14 20:13:08 ub2 sshd[1851]: pam_unix(sshd:session): session opened for user root(uid=0) by root(uid=0)

确保 SSH 服务在系统启动时自动启动:

root@ub2:~# sudo systemctl enable ssh
Synchronizing state of ssh.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install enable ssh
root@ub2:~#

3. 配置防火墙 (UFW)

我用的是 Desktop 版本,ufw 没有启用(安装)。因此,只列出命令。

检查 UFW 的状态:

sudo ufw status

允许 SSH 连接 或 22端口:

sudo ufw allow ssh

sudo ufw allow 22

启用 UFW:

sudo vi /etc/ssh/sshd_config

4. 配置 SSH

让 root 用户,使用密码登录。配置文件:/etc/ssh/sshd_config

主要是这两个参数:

PermitRootLogin yes
PasswordAuthentication yes

我正在用的文件:/etc/ssh/sshd_config

root@ub2:~# cat /etc/ssh/sshd_config

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

Include /etc/ssh/sshd_config.d/*.conf

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile     .ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin prohibit-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem       sftp    /usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server
root@ub2:~#

二、 安装 Tailscale 应用

1. 安装软件包

curl -fsSL https://tailscale.com/install.sh | sh

2. 启动 tailscale 应用

tailscale up

3. 按照提示激活连接 (略)

4. 在控制台确认连接

控制台: (当前是离线)

5. 配置 Tailscale SSH

参考源链接:Tailscale SSH · Tailscale Docs

a. tailscape ssh 用途

在 tailscale console 上,用 SSH 连接主机,见上图红框。

b. 配置 tailscape ssh

配置主要有两处: tailscale console 上的 access controls (见上图绿框), 还有主机上启用 ssh

1) access controls 配置

下面是我的配置内容,你需要替换 "//使用你的tailscale注册邮箱(https://login.tailscale.com/admin/users 里面的邮箱地址)" 为管理员组的 email ,要保留 双引号。

{
	"groups": {
		"group:admin": ["//使用你的tailscale注册邮箱(https://login.tailscale.com/admin/users 里面的邮箱地址)"],
	},
	"tagOwners": {
		"tag:linux":   ["group:admin"],
		"tag:windows": ["group:admin"],
	},
	"acls": [
		// 允许管理员访问所有设备的所有端口
		{"action": "accept", "src": ["group:admin"], "dst": ["*:*"]},
		// 允许 Linux 设备间互相 SSH 访问
		{"action": "accept", "src": ["tag:linux"], "dst": ["tag:linux:22"]},
		// 允许 Windows 设备访问 Linux 设备的 SSH
		{"action": "accept", "src": ["tag:windows"], "dst": ["tag:linux:22"]},
	],
	"ssh": [
		{
			"action": "accept",
			"src":    ["autogroup:member"],
			"dst":    ["tag:linux"],
			"users":  ["autogroup:nonroot", "root"],
		},
		{
			"action": "check",
			"src":    ["group:admin"],
			"dst":    ["tag:linux", "tag:windows"],
			"users":  ["autogroup:nonroot", "root"],
		},
	],
}
2) 在 ubuntu 24 desktop 上启动 tailscale ssh

这行命令带有能数 --reset 重置,会清除现有主机上的 Tailscale 配置。

sudo tailscale up --accept-routes --advertise-tags=tag:linux --ssh --reset

解释:

  • 为设备添加 linux 标签(--advertise-tags=tag:linux)
  • 启用 SSH 功能(--ssh)
  • 重置配置(--reset)
  • 接受路由(--accept-routes) ,白话:接受来自其它 Tailscale 网络访问

c. 演示

安全审核过程略过...

Damm, 竟然用浏览器,连接到我 Laptop 上的 Ubuntu VM.

ali 云上的 日本机 也ok

三、

相关推荐
wjy6_6 小时前
源码编译安装httpd 2.4,提供系统服务管理脚本并测试
运维
知本知至7 小时前
kubuntu24.04配置vmware17.5.1
ubuntu·typora·vmware·net·kubuntu
周杰伦_Jay7 小时前
Ubuntu20.4和docker终端指令、安装Go环境、安装搜狗输入法、安装WPS2019:保姆级图文详解
linux·python·ubuntu·docker·centos
Danileaf_Guo7 小时前
Ubuntu磁盘空间不足或配置错误时,如何操作扩容?
linux·运维·服务器·ubuntu
嘻嘻哈哈曹先生7 小时前
Java负载均衡
运维·github·负载均衡
Linux运维老纪7 小时前
K8s 集群 IP 地址管理指南(K8s Cluster IP Address Management Guide)
linux·运维·tcp/ip·容器·kubernetes·云计算·运维开发
大大菜鸟一枚7 小时前
arm使用ubi系统
linux·arm开发·学习
鸭梨山大。8 小时前
ubuntu安全配置基线
linux·安全·ubuntu
xiao-xiang8 小时前
nginx-lua模块安装
运维·nginx·lua
带电的小王8 小时前
Android Studio:Linux环境下安装与配置
android·linux·android studio
热门推荐
01(欧拉)openEuler系统添加网卡文件配置流程、(欧拉)openEuler系统手动配置ipv6地址流程、(欧拉)openEuler系统网络管理说明02Dell服务器升级ubuntu 22.04失败解决03半导体应用系统一些小知识收集(strip&wafer mapping,EAP&scada)04Oracle 高阶函数与高级功能详解05密码学原理技术-第六章-introduction to pulibc-key cryptography06优化手机性能,解决卡顿问题:关闭这3个微信开关,释放内存空间07每天40分玩转Django:问题解答(一)08go下载依赖提示连接失败09渗透测试之SQLMAP工具详解 kali自带SQLmap解释 重点sqlmap --tamper 使用方式详解 搞完你就很nice了10年出货2亿台,只赚“辛苦钱”!又一家代工巨头押宝汽车电子