Cloud Computing Stage One, Chapter 15: Linux sshd Service Management

Linux sshd Service Management

Environment preparation

Clone the original server VM as a linked clone, name it client, and set its IP address to 10.1.8.11/24.

```bash
# Set the hostname permanently
[root@localhost ~]# echo client.whisky.cloud > /etc/hostname

# Set it for the current session
[root@localhost ~]# hostname client.whisky.cloud

# Verify
[root@client ~]# hostname

# Prepare name resolution
[root@client ~]# echo "10.1.8.10 server.whisky.cloud server
10.1.8.11 client.whisky.cloud client" >> /etc/hosts
```

Accessing a remote CLI with ssh

Introduction to SSH

SSH stands for Secure Shell. It is an application-layer protocol that provides security for remote login sessions and other network services.

The traditional tools for this job, such as telnet (a terminal emulation protocol), rcp, ftp, rlogin and rsh, are highly insecure and transmit passwords in clear text. OpenSSH provides a server daemon and client tools that encrypt the data exchanged during remote control and file transfer, and it replaces those older services.

How an SSH connection is established

The process has the following main stages:

  1. Protocol version negotiation: SSH currently has two major versions, SSH1 and SSH2.
  2. Key and algorithm negotiation: SSH supports many encryption algorithms; each side negotiates based on what it and its peer support, and the two settle on the algorithms to use.
  3. Authentication: the server and the client verify each other's identity.
  4. Session request: the client sends session requests to the server. These include requesting compression of the transferred data, requesting a pseudo-terminal, starting X11 forwarding, TCP/IP port forwarding, starting an authentication agent, and so on.
  5. Interactive session: once a session request is accepted, the server and client exchange data, for example running a shell, executing commands or transferring files.

Types of encryption

  • Symmetric encryption: one key is used for both encryption and decryption. Ensures data integrity. Fast.
  • Asymmetric encryption: a pair of keys. The public key is used to encrypt data; the private key is used to decrypt it. Ensures data security.

Bidirectional encryption process

The SSH protocol is built on asymmetric encryption: both the server and the client generate their own public and private keys.

  • The public key is used to encrypt data.
  • The private key is used to decrypt data.

The bidirectional encryption process:

  1. The server creates its key pairs. The remote server generates several key pairs under /etc/ssh, for example the ecdsa pair: ssh_host_ecdsa_key.pub (public key) and ssh_host_ecdsa_key (private key). Each time the sshd service starts, the system looks for the keys under this path.

    The client requests a connection. After receiving the request, the server sends its public key to the client.

  2. The client records the server's public key and computes its own key pair. The client stores the server's public key in **~/.ssh/known_hosts**; if a key for that server is already recorded, it checks that the two match, and only then computes its own public and private keys.

  3. The client encrypts its own public key with the server's public key and sends it to the server. The server now holds the client's public key plus its own private key, and the client holds the server's public key plus its own private key, forming an asymmetric encryption system.

  4. Encryption and decryption in both directions. When the server sends data, it encrypts with the client's public key and the client decrypts with its own private key. When the client sends data, it encrypts with the server's public key and the server decrypts with its own private key.

ssh tool demonstration

Method 1: specify only an IP address or hostname

```bash
# By IP address
[baoshenghui@client ~]$ ssh 10.1.8.10
The authenticity of host '10.1.8.10 (10.1.8.10)' can't be established.
ECDSA key fingerprint is SHA256:XCZ89dFD6IXfjeooNtJISIX1sDU2eWOdB3gt0oivWKg.
ECDSA key fingerprint is MD5:c2:bb:3b:ae:b1:58:38:a9:31:37:fc:8c:33:13:bd:01.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.1.8.10' (ECDSA) to the list of known hosts.
baoshenghui@10.1.8.10's password: 
Last login: Sun Jul 27 22:11:12 2025 from 10.1.8.1
[baoshenghui@server ~]$ 

# By hostname
[baoshenghui@client ~]$ ssh server
The authenticity of host 'server (10.1.8.10)' can't be established.
ECDSA key fingerprint is SHA256:XCZ89dFD6IXfjeooNtJISIX1sDU2eWOdB3gt0oivWKg.
ECDSA key fingerprint is MD5:c2:bb:3b:ae:b1:58:38:a9:31:37:fc:8c:33:13:bd:01.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server' (ECDSA) to the list of known hosts.
baoshenghui@server's password: 
Last login: Sun Jul 27 22:12:14 2025 from client.whisky.clou
[baoshenghui@server ~]$ 
```

Method 2: also specify a user name

```bash
# Log in as root
[baoshenghui@client ~]$ ssh root@server
root@server's password: 
Last failed login: Sun Jul 27 22:14:19 CST 2025 from client.whisky.clou on ssh:notty
Last login: Sun Jul 27 22:11:24 2025 from 10.1.8.1
[root@server ~]# 

# or
[baoshenghui@client ~]$ ssh -l root server
```

Method 3: also specify a command

```bash
# Specify both the user and the command
[laoma@client ~]$ ssh laoma@server hostname
laoma@server's password: `redhat`
server.laoma.cloud
# The shell prompt is still the local machine's.
[laoma@client ~]$
```
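
The prompt "The authenticity of host ... can't be established" in the first demo is the one moment when the client has nothing to compare the server's key against: answering yes records the key in ~/.ssh/known_hosts, and every later connection is checked against that entry. The safe way to answer is to compare the fingerprint shown with one obtained out of band, for example by running ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub on the server's console. The script below is an added example, not code from the original post: it recomputes OpenSSH's SHA256 fingerprint from a public key line using only sh, awk, sed and coreutils, so the derivation is visible, and compares it with an expected value. The key line is the client user's id_rsa.pub printed later in this post; the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the post). OpenSSH's SHA256 fingerprint of a public key is
#   "SHA256:" + base64( sha256( base64-decode(key blob) ) )  with the '=' padding removed,
# where the key blob is the second field of a line such as "ssh-rsa AAAA... comment".

# Print the SHA256 fingerprint of one OpenSSH public key line ($1).
pubkey_fingerprint() {
    fp_blob=$(printf '%s\n' "$1" | awk '{print $2}')
    # hex digest of the decoded (raw) key blob
    fp_hex=$(printf '%s' "$fp_blob" | base64 -d | sha256sum | awk '{print $1}')
    # rewrite the hex digest as printf octal escapes (\237\012...) so that the raw
    # digest bytes are produced inside a pipe; $(...) would drop NUL bytes
    fp_fmt=$(printf '%s\n' "$fp_hex" | awk '{
        for (i = 1; i <= length($0); i += 2) {
            hi = index("0123456789abcdef", substr($0, i, 1)) - 1
            lo = index("0123456789abcdef", substr($0, i + 1, 1)) - 1
            printf "\\%03o", hi * 16 + lo
        } }')
    fp_b64=$(printf "$fp_fmt" | base64 | tr -d '\n=')
    printf 'SHA256:%s\n' "$fp_b64"
}

# Return 0 when the key line ($1) has the expected fingerprint ($2), 1 otherwise.
# The expected value is what the admin read off the server console.
verify_fingerprint() {
    [ "$(pubkey_fingerprint "$1")" = "$2" ]
}

# Key line taken from the post (the client user's id_rsa.pub).
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDmQMXl7Fo16AznPW8spszIfencz2xSqKuo0dCDycGjy3JZj9/SJI8CDODD1GjrsikMcHne7R/h/d1TVJ5usgTNPSh95QZxjcq5PpT7OB6FEj52mhiLZvyK1IgrFKWVZeH2P21sTa+OFHFho8feA0MLjBWj3kB+6k0Sfv+plBtvrZskOX1C7YpJs3Ly6Gl8R86+bIOLJ4V0VxrML84Z8TThKOv7+afUPd4jEcVq73hVCKE6Io9W9v7m8F4DLkWXvOmmDQgJDbZrVMoQpgAU4EopX/U8YMU9u28K7SOl9xCZtc+TYpmdXw/il/Jk5/ntuQ6iI0grIDrYLBWHSojJeLVn baoshenghui@client.whisky.cloud'

pubkey_fingerprint "$SAMPLE_KEY"
```

The same computation applied to /etc/ssh/ssh_host_ecdsa_key.pub on the server gives the value that must appear in the prompt; if the two differ, the client is not talking to the server it thinks it is, and the right answer to the prompt is no. When the server key has legitimately been regenerated, the stale entry is removed with ssh-keygen -R server rather than by deleting known_hosts.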

Configuring SSH key authentication

Logging in with a key avoids typing a password and is more secure.

Configuration steps

```bash
# Generate a key pair on the connecting side (here run on server, which then pushes its key to client)
[baoshenghui@server ~]$ ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/home/baoshenghui/.ssh/id_rsa): (Enter)
Created directory '/home/baoshenghui/.ssh'.
Enter passphrase (empty for no passphrase): (Enter)
Enter same passphrase again: (Enter)
Your identification has been saved in /home/baoshenghui/.ssh/id_rsa.
Your public key has been saved in /home/baoshenghui/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:y8O+29kyh8eH5SSChvBmiNkquo/OQaerEKeH4Ol9FQs baoshenghui@server.laoma.cloud
The key's randomart image is:
+---[RSA 2048]----+
|                 |
|                 |
|                 |
|    .E .         |
|o..= +..S.       |
|+=* o ==o.. . o  |
|+=.. o..=  + *   |
|=o=  . . o+o= o  |
|OO...   +oo=..   |
+----[SHA256]-----+
# The generated files
[baoshenghui@server ~]$ ls .ssh/
id_rsa  id_rsa.pub

# Push the public key to the target user on the target server
[baoshenghui@server ~]$ ssh-copy-id baoshenghui@client
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/baoshenghui/.ssh/id_rsa.pub"
The authenticity of host 'client (10.1.8.11)' can't be established.
ECDSA key fingerprint is SHA256:XCZ89dFD6IXfjeooNtJISIX1sDU2eWOdB3gt0oivWKg.
ECDSA key fingerprint is MD5:c2:bb:3b:ae:b1:58:38:a9:31:37:fc:8c:33:13:bd:01.
Are you sure you want to continue connecting (yes/no)? y
Please type 'yes' or 'no': yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
baoshenghui@client's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'baoshenghui@client'"
and check to make sure that only the key(s) you wanted were added.

# Verify
[baoshenghui@server ~]$ ssh baoshenghui@client
Last login: Mon Jul 28 22:14:33 2025 from 10.1.8.1
[baoshenghui@client ~]$ 


# Pushing the public key is equivalent to:
# saving the contents of the public key into .ssh/authorized_keys in the target user's home directory on the target server
[baoshenghui@client ~]$ cat .ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDmQMXl7Fo16AznPW8spszIfencz2xSqKuo0dCDycGjy3JZj9/SJI8CDODD1GjrsikMcHne7R/h/d1TVJ5usgTNPSh95QZxjcq5PpT7OB6FEj52mhiLZvyK1IgrFKWVZeH2P21sTa+OFHFho8feA0MLjBWj3kB+6k0Sfv+plBtvrZskOX1C7YpJs3Ly6Gl8R86+bIOLJ4V0VxrML84Z8TThKOv7+afUPd4jEcVq73hVCKE6Io9W9v7m8F4DLkWXvOmmDQgJDbZrVMoQpgAU4EopX/U8YMU9u28K7SOl9xCZtc+TYpmdXw/il/Jk5/ntuQ6iI0grIDrYLBWHSojJeLVn baoshenghui@client.whisky.cloud

[baoshenghui@client ~]$ ssh baoshenghui@server
baoshenghui@server's password: 
Last login: Mon Jul 28 22:10:01 2025 from 10.1.8.1
[baoshenghui@server ~]$ 

[baoshenghui@client ~]$ cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCt8YKob4y+hpyLOAf2lHxnmYGfyOD2UAX+Yq/mEQcUEt0rCe+78PTTvK/gyz+jMt0VMLvr2aLuRGeZ2kTbiOMD4f7aeVl008seWf0iWXAhBYJzAVRVH6QfP/zkK6xZZlnRunAt0bTSQps1i+sXyXPsxENELTwY1CAeVjD9Znjyjv++rYRlun2CK4fQRvSrMaHIfvwl5rwtZlKbQ1dl/LRWGqKjFGbXfcnHzPlS2jrXkSLT28s/IduI3EeVSCX4mkpRChh9AseFtFUile4Ow2uwakl6SsT2XQAUNm6t/MQnHcHsxfewsBdmJLpnQQXA0eIQPd2nrAy9PhrvKmSiib0J baoshenghui@server.laoma.cloud
#!!! (The hostname was initially set wrong; after resetting it and restarting the service it still had not changed. This point is uncertain.)
# Push the key to the target host's root user
[baoshenghui@server ~]$ ssh-copy-id root@client
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/baoshenghui/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@client's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@client'"
and check to make sure that only the key(s) you wanted were added.

[baoshenghui@server ~]$ ssh root@client hostname
client.whisky.cloud
```
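
The comment above says that pushing a key is the same as writing it into .ssh/authorized_keys in the target user's home directory. The script below is an added example, not code from the post or from ssh-copy-id, that does exactly that by hand, so the file layout and the modes sshd requires are explicit, and it refuses to add the same key twice (ssh-copy-id avoids duplicates by trying the key first). The target home directory is a temporary directory created for the demo, and the key line is the client user's id_rsa.pub from the post; the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the post): the target-side effect of ssh-copy-id, done by hand.
# $1 is the target user's home directory, $2 one public key line.
# Prints the number of keys authorized afterwards.
install_authorized_key() {
    ak_home=$1; ak_key=$2
    ak_dir="$ak_home/.ssh"; ak_file="$ak_dir/authorized_keys"
    mkdir -p "$ak_dir"
    chmod 700 "$ak_dir"        # .ssh must not be readable or writable by others
    touch "$ak_file"
    chmod 600 "$ak_file"       # sshd (StrictModes) refuses a group/world-writable file
    # append only when the key blob is absent, so re-running stays idempotent
    ak_blob=$(printf '%s\n' "$ak_key" | awk '{print $2}')
    if ! grep -qF -- "$ak_blob" "$ak_file"; then
        printf '%s\n' "$ak_key" >> "$ak_file"
    fi
    # count the key lines (comments and blank lines are ignored by sshd)
    grep -c '^[^#[:space:]]' "$ak_file"
}

# Key line taken from the post (the client user's id_rsa.pub).
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDmQMXl7Fo16AznPW8spszIfencz2xSqKuo0dCDycGjy3JZj9/SJI8CDODD1GjrsikMcHne7R/h/d1TVJ5usgTNPSh95QZxjcq5PpT7OB6FEj52mhiLZvyK1IgrFKWVZeH2P21sTa+OFHFho8feA0MLjBWj3kB+6k0Sfv+plBtvrZskOX1C7YpJs3Ly6Gl8R86+bIOLJ4V0VxrML84Z8TThKOv7+afUPd4jEcVq73hVCKE6Io9W9v7m8F4DLkWXvOmmDQgJDbZrVMoQpgAU4EopX/U8YMU9u28K7SOl9xCZtc+TYpmdXw/il/Jk5/ntuQ6iI0grIDrYLBWHSojJeLVn baoshenghui@client.whisky.cloud'

# Demo on a temporary home directory: the second call adds nothing.
demo_home=$(mktemp -d)
install_authorized_key "$demo_home" "$SAMPLE_KEY"   # 1
install_authorized_key "$demo_home" "$SAMPLE_KEY"   # 1
ls -la "$demo_home/.ssh"
```

On a real host the file must also be owned by the user it belongs to, which is automatic when the user runs this but not when root edits another account's authorized_keys; the "bad ownership or modes" failure in the troubleshooting section below is the symptom of getting either the owner or the modes wrong.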

Generating a key pair non-interactively

```bash
# -t key type, -N '' empty passphrase, -f output file; no prompts are shown
[baoshenghui@server ~]$ ssh-keygen -t rsa -N '' -f id_rsa_new
Generating public/private rsa key pair.
Your identification has been saved in id_rsa_new.
Your public key has been saved in id_rsa_new.pub.
The key fingerprint is:
SHA256:UXopkQ0UcdtmnfkVMX/hJ/7zljW5Uz5wMZF+OzcL5Aw baoshenghui@server.laoma.cloud
The key's randomart image is:
+---[RSA 2048]----+
|       .**o    =o|
|        .=.+ ..==|
|        + + + *.*|
|         + E o *=|
|        S   = . B|
|             = O+|
|              +o%|
|               *=|
|               .+|
+----[SHA256]-----+
[baoshenghui@server ~]$ ls *new*
id_rsa_new  id_rsa_new.pub
```

Other options

```bash
# -p specifies the sshd port on the target server; the default is 22
[baoshenghui@client ~]$ ssh -l root -p 1022 server hostname
root@server's password: 
server.whisky.cloud

# -i specifies the private key file
[baoshenghui@client ~]$ mv .ssh/id_rsa /tmp
[baoshenghui@client ~]$ ssh -i /tmp/id_rsa root@server hostname
server.whisky.cloud

# If the key cannot be found, ssh falls back to password login
[baoshenghui@client ~]$ ssh root@server hostname
root@server's password: 
```
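
Typing -p and -i on every call does not scale; a per-host entry in the client's ~/.ssh/config (see ssh_config(5)) gives the same result. The fragment below is an added example, not from the post: the port 1022 and the /tmp/id_rsa path are the values used in the commands above, and the Host alias is my own. IdentitiesOnly makes ssh offer only the named key instead of every key it can find, which also avoids the server disconnecting after too many rejected keys.

```text
Host server-alt
    HostName server.whisky.cloud
    Port 1022
    User root
    IdentityFile /tmp/id_rsa
    IdentitiesOnly yes
```

With this entry, ssh server-alt hostname is equivalent to ssh -i /tmp/id_rsa -p 1022 root@server.whisky.cloud hostname.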

Troubleshooting

Fault: after configuring key login, remote login still asks for a password.

```bash
[root@client ~]# ssh 'root@10.1.8.20' hostname
root@10.1.8.20's password: 
```

Simulation: change the permissions of the user's home directory to 777.

Handling:

  1. Check the logs

    ```bash
    # While the client logs in, watch the server log
    [root@centos7 ~]# tail -f /var/log/secure
    ......
    Jul 31 16:13:41 centos7 sshd[3693]: Authentication refused: bad ownership or modes for directory /root
    ......
    ```

    The message points to a file permission problem.

  2. Inspect the file permissions.

    ```bash
    [root@centos7 ~]# ll .ssh/
    total 12
    -rw-------. 1 root root  576 Jul 31 16:11 authorized_keys
    
    [root@centos7 ~]# ls -ld .ssh/
    drwx------. 2 root root 61 Jul 31 16:11 .ssh/
    
    [root@centos7 ~]# ls -ld /root
    drwxrwxrwx. 3 root root 4096 Jul 31 16:09 /root
    
    # Fix the permissions
    [root@centos7 ~]# chmod 700 /root
    ```
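
The log line above comes from sshd's StrictModes check: key authentication is refused when the home directory, ~/.ssh or ~/.ssh/authorized_keys is writable by group or others, because anyone with write access could plant a key. The script below is an added example, not from the post, that re-implements the modes part of that check locally so the fault can be reproduced and fixed on a temporary directory; real sshd also checks that these paths are owned by the user or root, which is left out here. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the post): a local re-implementation of the StrictModes
# check behind "Authentication refused: bad ownership or modes for directory ...".
# $1 is the home directory to check (a temporary directory in the demo).

# Return 0 if the group and other write bits of $1 are clear; otherwise print
# the offending path and return 1.
not_group_or_world_writable() {
    ngw_mode=$(stat -c '%a' "$1")
    # the last two octal digits are group and other; digits 2,3,6,7 carry the write bit
    case "$ngw_mode" in
        *[2367]?|*[2367]) printf 'bad modes (%s) on %s\n' "$ngw_mode" "$1"; return 1 ;;
    esac
    return 0
}

# Check the paths sshd looks at for key authentication of a user whose home is $1.
check_strict_modes() {
    for csm_path in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$csm_path" ] || continue          # only existing paths are checked
        not_group_or_world_writable "$csm_path" || return 1
    done
    printf 'ok: %s\n' "$1"
}

# Demo: reproduce the fault from the post (home directory 777), then the fix.
demo_home=$(mktemp -d)
mkdir -p "$demo_home/.ssh" && chmod 700 "$demo_home/.ssh"
touch "$demo_home/.ssh/authorized_keys" && chmod 600 "$demo_home/.ssh/authorized_keys"
chmod 777 "$demo_home"
check_strict_modes "$demo_home" || true     # bad modes (777) on /tmp/...
chmod 700 "$demo_home"
check_strict_modes "$demo_home"             # ok: /tmp/...
```

Run against /root or /home/<user> on the server, this reports the same path that /var/log/secure names, without waiting for a failed login to show up in the log.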

Customizing the SSH service

Configuration file

The sshd configuration file is /etc/ssh/sshd_config. See the manual page sshd_config(5).

Common settings:

  • PermitRootLogin no: forbid root from logging in.
    • The root user's privileges are unrestricted.
    • root exists on every Linux system, so an attacker only has to guess the password.
    • From an audit perspective it is hard to trace which authorized user logged in as root and made changes. If users must log in as a normal user and switch to the root account, a log event is generated that helps provide accountability.
  • PermitRootLogin prohibit-password: forbid root from logging in with a password (key-based login is still allowed).
  • PasswordAuthentication no: forbid all users from logging in with a password.
  • AllowUsers exampleuser: allow only the listed user to log in; that user can then escalate to root.
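
Two things about sshd_config trip people up when applying the settings above: a commented-out line (the shipped file has many) does nothing, and when a keyword appears twice, sshd keeps the first occurrence and silently ignores the later one. The script below is an added example, not from the post: it reads the effective value of a keyword the way sshd does and audits the three settings listed above. The config it runs on is constructed for the demo; on a real host pass /etc/ssh/sshd_config and confirm with sshd -T, which prints the effective configuration after all parsing. The function names are my own, and the "Keyword=value" spelling is not handled.

```shell
#!/bin/sh
# Added example (not from the post): effective-value lookup and a small audit
# of PermitRootLogin, PasswordAuthentication and AllowUsers in an sshd_config.

# Print the effective value of keyword $2 in config file $1, or the default $3
# when the keyword is not set in the global section (before any Match line).
sshd_effective() {
    awk -v kw="$2" -v def="$3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }        # comment or blank line
        tolower($1) == "match"                { exit }        # end of the global section
        tolower($1) == tolower(kw) {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "") # drop the keyword itself
            print; found = 1; exit                            # first occurrence wins
        }
        END { if (!found) print def }
    ' "$1"
}

# One line per setting ("<keyword> <value> ok|WEAK"); return 1 if any is weak.
audit_sshd_config() {
    asc_rc=0
    asc_v=$(sshd_effective "$1" PermitRootLogin prohibit-password)   # compiled-in default since OpenSSH 7.0
    case "$asc_v" in
        no|prohibit-password|without-password) echo "PermitRootLogin $asc_v ok" ;;
        *) echo "PermitRootLogin $asc_v WEAK"; asc_rc=1 ;;
    esac
    asc_v=$(sshd_effective "$1" PasswordAuthentication yes)
    case "$asc_v" in
        no) echo "PasswordAuthentication $asc_v ok" ;;
        *)  echo "PasswordAuthentication $asc_v WEAK"; asc_rc=1 ;;
    esac
    asc_v=$(sshd_effective "$1" AllowUsers '')
    if [ -n "$asc_v" ]; then
        echo "AllowUsers $asc_v ok"
    else
        echo "AllowUsers (not set: any account may log in) WEAK"; asc_rc=1
    fi
    return $asc_rc
}

# Constructed demo config showing both traps: the commented-out line does not
# count, and the second PermitRootLogin line is ignored because the first wins.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
#PermitRootLogin no
PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication no
Match User baoshenghui
    PasswordAuthentication yes
EOF
audit_sshd_config "$demo_cfg" || true
# PermitRootLogin yes WEAK
# PasswordAuthentication no ok
# AllowUsers (not set: any account may log in) WEAK
```

After editing the file, sshd -t validates the syntax before a restart, so a typo does not lock every administrator out of the host.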

Forbidding root login

```bash
# Even with passwordless login configured, root cannot log in remotely
[baoshenghui@client ~]$ ssh root@server
root@server's password: 
Permission denied, please try again.
root@server's password: 
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

# Log in as a normal user, then escalate to root
[baoshenghui@client ~]$ ssh baoshenghui@server
[baoshenghui@server ~]$ su -
[root@server ~]#
```

Forbidding password login

```bash
# The user01 account has no key configured, so the login is refused outright
[baoshenghui@client ~]$ ssh user01@server
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
```

Allowing only specific users to log in

For example, only the user baoshenghui.

```bash
# user01 cannot log in even with the correct password
[baoshenghui@client ~]$ ssh user01@server
user01@server's password: 
Permission denied, please try again.
user01@server's password: 
Permission denied, please try again.
user01@server's password: 
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

[baoshenghui@client ~]$ ssh baoshenghui@server hostname
server.whisky.cloud
```