Linux sshd 服务管理
环境准备
以链接克隆方式克隆原先的server虚拟机,取名为client,并设置ip地址为10.1.8.11/24。
bash
# 永久设置主机名
[root@localhost ~]# echo client.whisky.cloud > /etc/hostname
# 临时设置
[root@localhost ~]# hostname client.whisky.cloud
# 验证
[root@client ~]# hostname
# 准备名称解析
[root@client ~]# echo "10.1.8.10 server.whisky.cloud server
10.1.8.11 client.whisky.cloud client" >> /etc/hosts使用 ssh 访问远端CLI
SSH 介绍
SSH 全称是 Secure Shell,SSH协议是基于应用层的协议,为远程登录会话和其他网络服务提供安全性的协议。
实现此功能的传统方式,如 telnet (终端仿真协议)、 rcp、ftp、 rlogin、rsh都是极为不安全的,并且会使用明文传送密码。OpenSSH提供了服务端后台程序和客户端工具,用来加密远程控件和文件传输过程中的数据,并由此来代替原来的类似服务。
SSH建立连接的过程
主要分为下面几个阶段:
- SSH协议版本协商阶段 ,SSH目前包括SSH1和SSH2两个大版本。
- 密钥和算法协商阶段,SSH支持多种加密算法,双方根据自己和对端支持的算法进行协商,最终决定要使用的算法。
- 认证阶段,服务器和客户端互相进行身份验证。
- 会话请求阶段,客户端会向服务器端发送会话请求。会话请求分为这样几类:申请对数据传送进行压缩、申请伪终端、启动 X11、TCP/IP 端口转发、启动认证代理等。
- 交互会话阶段,会话请求通过后,服务器端和客户端进行信息的交互。例如运行 shell、执行命令、传递文件。
加密类型
- 对称加密,加密和解密都使用一个钥匙。确保数据的完整性。速度快。
- 非对称加密,一对钥匙。公钥 用来加密 数据。私钥 用来解密数据。确保数据的安全性。
双向加密过程
SSH协议是基于非对称加密方法的,服务器和客户端都会生成自己的公钥和私钥。
- 公钥 用来加密数据。
- 私钥 用来解密数据。
双向加密过程:
-
服务器创建密钥对。远程服务器会在/etc/ssh目录下生成一个名为多个密钥对,例如ecdsa类型的密钥对:ssh_host_ecdsa_key.pub 公钥和 ssh_host_ecdsa_key 私钥。之后每回启动sshd服务的时候,系统会自动在此路径下查找公钥。
客户端请求连接。服务器接到请求后,把公钥传给客户端使用。
-
客户端记录服务器公钥并计算自己的公私钥。客户端将服务器传来的公钥记录在**~/.ssh/known_hosts** 中,若是已经记录有该服务器公钥,则比对是否一致,一致后就计算客户端自己的公私钥。
-
客户端使用服务器的公钥加密自己的公钥并发送给服务器。服务器端拥有客户端公钥+自己私钥,客户端拥有服务器公钥+自己私钥,组成了非对称加密系统。
-
双向加解密。服务器发送数据:用客户端公钥加密,客户端收到数据后用自己私钥解密。客户端发送数据:用服务器公钥加密,服务器收到数据后用自己私钥解密。
ssh 工具演示
方式一:只指定IP或主机名
bash
# 通过IP地址
[baoshenghui@client ~]$ ssh 10.1.8.10
The authenticity of host '10.1.8.10 (10.1.8.10)' can't be established.
ECDSA key fingerprint is SHA256:XCZ89dFD6IXfjeooNtJISIX1sDU2eWOdB3gt0oivWKg.
ECDSA key fingerprint is MD5:c2:bb:3b:ae:b1:58:38:a9:31:37:fc:8c:33:13:bd:01.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.1.8.10' (ECDSA) to the list of known hosts.
baoshenghui@10.1.8.10's password:
Last login: Sun Jul 27 22:11:12 2025 from 10.1.8.1
[baoshenghui@server ~]$
# 通过主机名称
[baoshenghui@client ~]$ ssh server
The authenticity of host 'server (10.1.8.10)' can't be established.
ECDSA key fingerprint is SHA256:XCZ89dFD6IXfjeooNtJISIX1sDU2eWOdB3gt0oivWKg.
ECDSA key fingerprint is MD5:c2:bb:3b:ae:b1:58:38:a9:31:37:fc:8c:33:13:bd:01.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server' (ECDSA) to the list of known hosts.
baoshenghui@server's password:
Last login: Sun Jul 27 22:12:14 2025 from client.whisky.clou
[baoshenghui@server ~]$ 方式二:额外指定用户名
bash
# 指定root用户登录
[baoshenghui@client ~]$ ssh root@server
root@server's password:
Last failed login: Sun Jul 27 22:14:19 CST 2025 from client.whisky.clou on ssh:notty
Last login: Sun Jul 27 22:11:24 2025 from 10.1.8.1
[root@server ~]#
# 或者
[baoshenghui@client ~]$ ssh -l root server方式三:额外指定命令
bash
# 同时指定用户和命令
[laoma@client ~]$ ssh laoma@server hostname
laoma@server's password: `redhat`
server.laoma.cloud
# shell提示符,仍然是本机。
[laoma@client ~]$配置ssh密钥认证
使用密钥登录,避免输入密码,更安全。
配置过程
bash
# 客户端生成密钥对
[baoshenghui@server ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/baoshenghui/.ssh/id_rsa): (回车)
Created directory '/home/baoshenghui/.ssh'.
Enter passphrase (empty for no passphrase): (回车)
Enter same passphrase again: (回车)
Your identification has been saved in /home/baoshenghui/.ssh/id_rsa.
Your public key has been saved in /home/baoshenghui/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:y8O+29kyh8eH5SSChvBmiNkquo/OQaerEKeH4Ol9FQs baoshenghui@server.laoma.cloud
The key's randomart image is:
+---[RSA 2048]----+
| |
| |
| |
| .E . |
|o..= +..S. |
|+=* o ==o.. . o |
|+=.. o..= + * |
|=o= . . o+o= o |
|OO... +oo=.. |
+----[SHA256]-----+
# 生成的文件如下
[baoshenghui@server ~]$ ls .ssh/
id_rsa id_rsa.pub
# 将公钥推动给目标服务器上的目标用户
[baoshenghui@server ~]$ ssh-copy-id baoshenghui@client
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/baoshenghui/.ssh/id_rsa.pub"
The authenticity of host 'client (10.1.8.11)' can't be established.
ECDSA key fingerprint is SHA256:XCZ89dFD6IXfjeooNtJISIX1sDU2eWOdB3gt0oivWKg.
ECDSA key fingerprint is MD5:c2:bb:3b:ae:b1:58:38:a9:31:37:fc:8c:33:13:bd:01.
Are you sure you want to continue connecting (yes/no)? y
Please type 'yes' or 'no': yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
baoshenghui@client's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'baoshenghui@client'"
and check to make sure that only the key(s) you wanted were added.
# 验证
[baoshenghui@server ~]$ ssh baoshenghui@client
Last login: Mon Jul 28 22:14:33 2025 from 10.1.8.1
[baoshenghui@client ~]$
# 推送公钥相当于:
# 将公钥内容保存到目标服务器上目标用户家目录下.ssh/authorized_keys中
[baoshenghui@client ~]$ cat .ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDmQMXl7Fo16AznPW8spszIfencz2xSqKuo0dCDycGjy3JZj9/SJI8CDODD1GjrsikMcHne7R/h/d1TVJ5usgTNPSh95QZxjcq5PpT7OB6FEj52mhiLZvyK1IgrFKWVZeH2P21sTa+OFHFho8feA0MLjBWj3kB+6k0Sfv+plBtvrZskOX1C7YpJs3Ly6Gl8R86+bIOLJ4V0VxrML84Z8TThKOv7+afUPd4jEcVq73hVCKE6Io9W9v7m8F4DLkWXvOmmDQgJDbZrVMoQpgAU4EopX/U8YMU9u28K7SOl9xCZtc+TYpmdXw/il/Jk5/ntuQ6iI0grIDrYLBWHSojJeLVn baoshenghui@client.whisky.cloud
[baoshenghui@client ~]$ ssh baoshenghui@server
baoshenghui@server's password:
Last login: Mon Jul 28 22:10:01 2025 from 10.1.8.1
[baoshenghui@server ~]$
[baoshenghui@client ~]$ cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCt8YKob4y+hpyLOAf2lHxnmYGfyOD2UAX+Yq/mEQcUEt0rCe+78PTTvK/gyz+jMt0VMLvr2aLuRGeZ2kTbiOMD4f7aeVl008seWf0iWXAhBYJzAVRVH6QfP/zkK6xZZlnRunAt0bTSQps1i+sXyXPsxENELTwY1CAeVjD9Znjyjv++rYRlun2CK4fQRvSrMaHIfvwl5rwtZlKbQ1dl/LRWGqKjFGbXfcnHzPlS2jrXkSLT28s/IduI3EeVSCX4mkpRChh9AseFtFUile4Ow2uwakl6SsT2XQAUNm6t/MQnHcHsxfewsBdmJLpnQQXA0eIQPd2nrAy9PhrvKmSiib0J baoshenghui@server.laoma.cloud
#!!!(主机名初次设置错误,重设后重启服务仍未更改,此处存疑)
# 推给目标主机root用户
[baoshenghui@server ~]$ ssh-copy-id root@client
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/baoshenghui/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@client's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@client'"
and check to make sure that only the key(s) you wanted were added.
[baoshenghui@server ~]$ ssh root@client hostname
client.whisky.cloud非交互式生成密钥对
bash
[baoshenghui@server ~]$ ssh-keygen -t rsa -N '' -f id_rsa_new
Generating public/private rsa key pair.
Your identification has been saved in id_rsa_new.
Your public key has been saved in id_rsa_new.pub.
The key fingerprint is:
SHA256:UXopkQ0UcdtmnfkVMX/hJ/7zljW5Uz5wMZF+OzcL5Aw baoshenghui@server.laoma.cloud
The key's randomart image is:
+---[RSA 2048]----+
| .**o =o|
| .=.+ ..==|
| + + + *.*|
| + E o *=|
| S = . B|
| = O+|
| +o%|
| *=|
| .+|
+----[SHA256]-----+
[baoshenghui@server ~]$ ls *new*
id_rsa_new id_rsa_new.pub其他选项
bash
# -p选项指定目标服务器 sshd 服务端口号,默认22
[baoshenghui@client ~]$ ssh -l root -p 1022 server hostname
root@server's password:
server.whisky.cloud
# -i 指定私钥位置
[baoshenghui@client ~]$ mv .ssh/id_rsa /tmp
[baoshenghui@client ~]$ ssh -i /tmp/id_rsa root@server hostname
server.whisky.cloud
# 如果找不到密钥,则使用密码登录
[baoshenghui@client ~]$ ssh root@server hostname
root@server's password: 排故
故障:配置密钥登录后,远程登录仍要需要输入密码验证。
bash
[root@client ~]# ssh 'root@10.1.8.20' hostname
root@10.1.8.20's password: 模拟:将用户家目录的权限改为777。
处理过程:
-
查看日志
bash# 客户端登录的时候,监控服务端日志 [root@centos7 ~]# tail -f /var/log/secure ...... Jul 31 16:13:41 centos7 sshd[3693]: Authentication refused: bad ownership or modes for directory /root ......发现提示:文件权限有问题。
-
查找文件权限。
bash[root@centos7 ~]# ll .ssh/ total 12 -rw-------. 1 root root 576 Jul 31 16:11 authorized_keys [root@centos7 ~]# ls -ld .ssh/ drwx------. 2 root root 61 Jul 31 16:11 .ssh/ [root@centos7 ~]# ls -ld /root drwxrwxrwx. 3 root root 4096 Jul 31 16:09 /root # 更改权限 [root@centos7 ~]# chmod 700 /root
自定义 SSH 服务
配置文件
sshd服务配置文件:/etc/ssh/sshd_config。帮助 sshd_config(5)
常见配置:
- PermitRootLogin no ,禁止 root 用户登录。
- root用户权限不受限制。
- root用户存在每个linux系统,只需要猜密码就可以。
- 从审计角度来看,很难跟踪哪个授权用户以root身份登录并进行了更改。 如果用户必须以普通用户身份登录并切换到root帐户,则会生成一个日志事件,可用于帮助提供问责制。
- PermitRootLogin prohibit-password,禁止root用户通过密码登录。
- PasswordAuthentication no,禁止用户使用密码登录。
- AllowUsers exampleuser,允许特定用户登录,该用户可以提权为root。
禁止 root 登录
bash
# 即使配置了免密登录,也无法远程登录
[baoshenghui-@client ~]$ ssh root@server
root@server's password:
Permission denied, please try again.
root@server's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
# 使用普通用户登录,然后提权为root用户
[baoshenghui@client ~]$ ssh baoshenghui@server
[baoshenghui@server ~]$ su -
[root@server ~]#禁止密码登录
bash
# laowang账户未配置密钥登录,直接拒绝
[baoshenghui@client ~]$ ssh user01@server
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).只允许特定用户登录
例如baoshenghui用户。
bash
# user01输入正确的密码也无法登录
[baoshenghui@client ~]$ ssh user01@server
user01@server's password:
Permission denied, please try again.
user01@server's password:
Permission denied, please try again.
user01@server's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
[baoshenghui@client ~]$ ssh baoshenghui@server hostname
server.whisky.cloud