Linux -- Remote Access and Control (OpenSSH principles and configuration explained)
- Part 1: OpenSSH server
- 1.1: The SSH (Secure Shell) protocol
- 1.2: OpenSSH
- 1.3: Service listening options
- 1.4: User login control
- Part 2: Login authentication methods
- 2.1: Password authentication
- 2.1.1: Edit the server's sshd configuration to restrict remote client logins
- 2.1.2: Verifying client login permissions
- 2.1.3: Verifying the maximum number of failed connection attempts
- 2.2 Key-pair authentication
- 2.2.1 Create a key pair on the client
- 2.2.2 Upload the public key to the target user's key store on the server
- 2.2.3 Log in from the client with key-pair authentication
- Part 3: The scp command -- secure remote copy
- Part 4: The sftp command -- secure FTP upload and download
Part 1: OpenSSH server
1.1: The SSH (Secure Shell) protocol
- A secure channel protocol
- Encrypts the communication data; used for remote administration
1.2: OpenSSH
- Service name: sshd
- Server main program: /usr/sbin/sshd
- Server configuration file: /etc/ssh/sshd_config
1.3: Service listening options
- Port number and listening IP address
[root@localhost ~]# vim /etc/ssh/sshd_config
#Port 22 ## default port 22 ##
#AddressFamily any
#ListenAddress 0.0.0.0 ## IPv4 listen address ##
#ListenAddress ::
1.4: User login control
- Disable the root user and users with empty passwords
- Limit the login grace time and the number of retries
- AllowUsers, DenyUsers
[root@localhost ~]# vim /etc/ssh/sshd_config
# Authentication:

LoginGraceTime 2m ## login grace time ##
PermitRootLogin no ## disallow root login ##
#StrictModes yes
MaxAuthTries 6 ## maximum number of retries ##
MaxSessions 10 ## maximum number of login sessions ##
AllowUsers tom harry@192.168.10.10 ## tom may log in from any host, harry only from 192.168.10.10 ##
## AllowUsers and DenyUsers cannot be used at the same time; this line is not in the default configuration file and must be added by hand ##
Part 2: Login authentication methods
2.1: Password authentication
Checks whether the user name and password match
Prepare two virtual machines, one as the client and one as the server, and connect from the client to the server remotely
[root@client ~]# ssh tom@192.168.209.134 ## tom is a user on the server, 192.168.209.134 is the server's address ##
The authenticity of host '192.168.209.134 (192.168.209.134)' can't be established.
ECDSA key fingerprint is SHA256:GnK28SJbU4C8Op2rmLAg5lcSBpfM/oeTUSmq0QkfdJY.
ECDSA key fingerprint is MD5:5a:a5:35:49:b5:d0:1d:ce:f0:16:8a:b6:68:f2:d9:3d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.209.134' (ECDSA) to the list of known hosts.
tom@192.168.209.134's password: ## enter tom's password ##
[tom@server ~]$ ## the client is now connected to the server ##
2.1.1: Edit the server's sshd configuration to restrict remote client logins
[root@server ~]# vim /etc/ssh/sshd_config
LoginGraceTime 2m
PermitRootLogin no ## root may not log in ##
StrictModes yes
MaxAuthTries 6 ## maximum number of failed connection attempts ##
MaxSessions 10
AllowUsers tom ## only tom may log in remotely; effectively a whitelist ##
[root@server ~]# systemctl restart sshd ## restart the service after editing the configuration ##
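The following script is an added example (not from the original post) that audits an sshd_config text for the login-control directives set in 1.4 and 2.1.1 above; it also shows a detail the walkthrough does not, namely that sshd uses the first active occurrence of a keyword, so a later duplicate line never overrides an earlier one. The two configuration texts are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config text for the
# login-control directives used above. sshd keeps the FIRST active occurrence
# of a keyword, so a later duplicate never overrides it; "Match" blocks are not
# handled here. Both configs are constructed samples, not real server files.

HARDENED_CONFIG='#PermitRootLogin yes
LoginGraceTime 2m
PermitRootLogin no
MaxAuthTries 6
MaxAuthTries 20
MaxSessions 10
AllowUsers tom harry@192.168.10.10'

WEAK_CONFIG='PermitRootLogin yes
MaxAuthTries 20
PermitEmptyPasswords yes'

# sshd_value KEYWORD CONFIG -> effective value of KEYWORD (first active line,
# keyword compared case-insensitively as sshd does); prints nothing if unset
sshd_value() {
    printf '%s\n' "$2" | awk -v key="$1" '
        BEGIN { key = tolower(key) }
        NF == 0 || $1 ~ /^#/ { next }                  # blank lines and comments
        tolower($1) == key { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# sshd_audit CONFIG -> one "PASS|FAIL keyword value" line per control checked
sshd_audit() {
    v=$(sshd_value PermitRootLogin "$1")
    [ "$v" = "no" ] && r=PASS || r=FAIL;            echo "$r PermitRootLogin ${v:-unset}"
    v=$(sshd_value PermitEmptyPasswords "$1")      # unset means the default "no"
    [ "${v:-no}" != "yes" ] && r=PASS || r=FAIL;   echo "$r PermitEmptyPasswords ${v:-unset}"
    v=$(sshd_value MaxAuthTries "$1")              # unset means the default 6
    [ "${v:-6}" -le 6 ] 2>/dev/null && r=PASS || r=FAIL; echo "$r MaxAuthTries ${v:-unset}"
    v=$(sshd_value AllowUsers "$1")                # an allow-list must be present
    [ -n "$v" ] && r=PASS || r=FAIL;                echo "$r AllowUsers ${v:-unset}"
}

# sshd_fail_count CONFIG -> number of FAIL lines
sshd_fail_count() {
    sshd_audit "$1" | grep -c '^FAIL'
}

sshd_audit "$HARDENED_CONFIG"   # four PASS lines; MaxAuthTries is 6, not 20
sshd_audit "$WEAK_CONFIG"       # four FAIL lines
```

On a real host, pass `"$(cat /etc/ssh/sshd_config)"` in place of the sample text.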
2.1.2: Verifying client login permissions
[root@client ~]# ssh harry@192.168.209.134
harry@192.168.209.134's password:
Permission denied, please try again. ## login as harry: permission denied ##
[root@client ~]# ssh root@192.168.209.134
root@192.168.209.134's password:
Permission denied, please try again. ## login as root: permission denied ##
[root@client ~]# ssh tom@192.168.209.134
tom@192.168.209.134's password:
Last login: Thu Jul 9 11:27:11 2020 from 192.168.209.128
[tom@server ~]$ ## tom connected successfully ##
## Note: although root is barred from logging in remotely, it is still possible to log in as tom and switch to root from there, as long as the root password is known ##
[tom@server ~]$ su - root
Password: ## enter root's password ##
Last login: Thu Jul 9 11:42:12 CST 2020 on pts/0
Last failed login: Thu Jul 9 11:54:05 CST 2020 from 192.168.209.128 on ssh:notty
There was 1 failed login attempt since the last successful login.
[root@server ~]# ## switched from tom to root successfully ##
## To close this gap, enable the pam_wheel check in PAM on the server so that tom is not permitted to switch users with su ##
[root@server ~]# vim /etc/pam.d/su
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth required pam_wheel.so use_uid ## uncomment this line ##
auth substack system-auth
auth include postlogin
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session include postlogin
session optional pam_xauth.so
## After this change, tom no longer has permission to switch users ##
[root@client ~]# ssh tom@192.168.209.134
tom@192.168.209.134's password:
Last login: Thu Jul 9 11:55:02 2020 from 192.168.209.128
[tom@server ~]$ su - root
Password:
su: Permission denied
[tom@server ~]$
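As an added example (not from the original post), the script below checks whether a pam.d/su text actually enforces the pam_wheel restriction enabled above, and works out which users can still reach the su password prompt. The PAM texts and the group file are constructed samples; the user admin, the wheel membership and the before/after PAM stacks are assumptions for the demo.

```shell
# Added example (not from the original post): check whether a pam.d/su text
# enforces the pam_wheel restriction enabled above, and work out which users can
# still reach the su password prompt. The PAM and group texts are constructed
# samples; on a real host read /etc/pam.d/su and /etc/group instead.

# Before the edit: the pam_wheel "required" line is still commented out.
PAM_SU_DEFAULT='#%PAM-1.0
auth            sufficient      pam_rootok.so
#auth           required        pam_wheel.so use_uid
auth            substack        system-auth'

# After the edit: only wheel members get past pam_wheel (root via pam_rootok).
PAM_SU_HARDENED='#%PAM-1.0
auth            sufficient      pam_rootok.so
auth            required        pam_wheel.so use_uid
auth            substack        system-auth'

GROUP_FILE='root:x:0:
wheel:x:10:admin
tom:x:1000:'

# su_wheel_mode PAM_TEXT -> enforced (active "required/requisite pam_wheel.so"),
# trust (only the "sufficient ... trust" form is active: wheel members skip the
# root password, a weaker setup), or open (pam_wheel not active at all)
su_wheel_mode() {
    printf '%s\n' "$1" | awk '
        NF == 0 || $1 ~ /^#/ { next }                  # commented lines do not count
        $1 == "auth" && $3 == "pam_wheel.so" {
            if ($2 == "required" || $2 == "requisite") req = 1
            for (i = 4; i <= NF; i++) if ($2 == "sufficient" && $i == "trust") trust = 1
        }
        END { print (req ? "enforced" : (trust ? "trust" : "open")) }'
}

# wheel_members GROUP_TEXT -> comma-separated member list of group "wheel"
wheel_members() {
    printf '%s\n' "$1" | awk -F: '$1 == "wheel" { print $4; exit }'
}

# can_su USER PAM_TEXT GROUP_TEXT -> yes if USER reaches the su password prompt
can_su() {
    [ "$1" = root ] && { echo yes; return; }           # pam_rootok.so lets root through
    [ "$(su_wheel_mode "$2")" = open ] && { echo yes; return; }
    case ",$(wheel_members "$3")," in
        *",$1,"*) echo yes ;;
        *)        echo no ;;
    esac
}

echo "default  - tom can su: $(can_su tom "$PAM_SU_DEFAULT" "$GROUP_FILE")"      # yes
echo "hardened - tom can su: $(can_su tom "$PAM_SU_HARDENED" "$GROUP_FILE")"     # no
echo "hardened - admin can su: $(can_su admin "$PAM_SU_HARDENED" "$GROUP_FILE")" # yes
```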
2.1.3: Verifying the maximum number of failed connection attempts
[root@client ~]# ssh tom@192.168.209.134
tom@192.168.209.134's password: ## first wrong password ##
Permission denied, please try again.
tom@192.168.209.134's password: ## second wrong password ##
Permission denied, please try again.
tom@192.168.209.134's password: ## third wrong password ##
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
[root@client ~]#
## Although the server's maximum number of failed attempts is set to 6, the session ends after only 3 failures, because the client's default number of password prompts is 3. To change the number of prompts, run the following command on the client ##
[root@client ~]# ssh -o numberofpasswordprompts=8 tom@192.168.209.134
tom@192.168.209.134's password:
Permission denied, please try again.
tom@192.168.209.134's password:
Permission denied, please try again.
tom@192.168.209.134's password:
Permission denied, please try again.
tom@192.168.209.134's password:
Permission denied, please try again.
tom@192.168.209.134's password:
Received disconnect from 192.168.209.134 port 22:2: Too many authentication failures
Authentication failed.
[root@client ~]#
2.2 Key-pair authentication
Checks whether the client's private key matches the public key stored on the server
2.2.1 Create a key pair on the client
- The ssh-keygen command
- Available algorithms: RSA, ECDSA, DSA
[zhangsan@client ~]$ ssh-keygen -t rsa ## -t selects the key algorithm ##
Generating public/private rsa key pair.
Enter file in which to save the key (/home/zhangsan/.ssh/id_rsa):
Created directory '/home/zhangsan/.ssh'.
Enter passphrase (empty for no passphrase): ## enter a passphrase for the private key ##
Enter same passphrase again:
Your identification has been saved in /home/zhangsan/.ssh/id_rsa.
Your public key has been saved in /home/zhangsan/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:ptIlaG9SCS8XONON4PoAvZ76NYrZuKw1GFWDZXzoi2c zhangsan@client
The key's randomart image is:
+---[RSA 2048]----+
| +*. |
| ..+o=.o |
|. o.*.+ . |
| o o.* o |
|. +.+.* S |
| +.=E* = |
|. =o* = |
|.B + = |
|O++ |
+----[SHA256]-----+
[zhangsan@client ~]$
2.2.2 Upload the public key to the target user's key store on the server
[zhangsan@client ~]$ ssh-copy-id -i ~/.ssh/id_rsa.pub tom@192.168.209.134
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/zhangsan/.ssh/id_rsa.pub"
The authenticity of host '192.168.209.134 (192.168.209.134)' can't be established.
ECDSA key fingerprint is SHA256:GnK28SJbU4C8Op2rmLAg5lcSBpfM/oeTUSmq0QkfdJY.
ECDSA key fingerprint is MD5:5a:a5:35:49:b5:d0:1d:ce:f0:16:8a:b6:68:f2:d9:3d.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
tom@192.168.209.134's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'tom@192.168.209.134'"
and check to make sure that only the key(s) you wanted were added.
[zhangsan@client ~]$
After the password is verified, the public key is appended to the .ssh/authorized_keys file in tom's home directory on the target host
2.2.3 Log in from the client with key-pair authentication
- Authenticating user: tom on the server
- Password prompted for: the passphrase of client user zhangsan's private key
[zhangsan@client ~]$ ssh tom@192.168.209.134
Enter passphrase for key '/home/zhangsan/.ssh/id_rsa':
Last failed login: Thu Jul 9 12:24:42 CST 2020 from 192.168.209.128 on ssh:notty
There were 9 failed login attempts since the last successful login.
Last login: Thu Jul 9 12:15:31 2020 from 192.168.209.128
[tom@server ~]$
Part 3: The scp command -- secure remote copy
Form 1: scp user@host:file1 file2
Copies a file from the server to the client
Form 2: scp file1 user@host:file2
Copies a file from the client to the server
## copy from the client ##
[root@client ~]# scp test01.txt tom@192.168.209.134:/home/tom
tom@192.168.209.134's password:
test01.txt 100% 0 0.0KB/s 00:00
[root@client ~]#
## check on the server ##
[root@server ~]# ls /home/tom
test01.txt
Part 4: The sftp command -- secure FTP upload and download
Format: sftp user@host
[root@client ~]# sftp tom@192.168.209.134
tom@192.168.209.134's password:
Connected to 192.168.209.134.
sftp>
sftp> pwd
Remote working directory: /home/tom
sftp> ls
test01.txt
sftp> get test01.txt ## get downloads, put uploads ##
Fetching /home/tom/test01.txt to test01.txt
sftp> bye ## bye exits ##
[root@client ~]# ls
anaconda-ks.cfg Desktop Documents Downloads initial-setup-ks.cfg Music openscap_data Pictures Public Templates test01.txt Videos
[root@client ~]#