SSH Remote Management and Access Control
  nCIsGFBsVNfz, 2023-11-02

Topology:

[Topology diagram "SSH remote management and access control, server side" (image not reproduced). As used in the steps below: centos01 is the SSH server at 192.168.100.10; centos02 (192.168.100.20) and centos03 (192.168.100.30) are the clients.]

Recommended steps:

  • Install the ssh server and client packages and enable the service at boot; configure password-based ssh authentication; harden the server by forbidding empty-password logins; move the ssh server to port 2222; create the users bob and tom on the server; allow client 192.168.100.20 to log in as bob and as root, and deny user tom logging in from 192.168.100.20.
  • Configure non-interactive (public-key) ssh authentication so that Centos03 can reach the ssh server as root and as alice without a password prompt; configure access control to block host 192.168.100.30 from the ssh server.

Lab steps:

I. Install the ssh server, configure password authentication and restrict user access

1. Mount the installation DVD and install the packages

(1) Mount the installation DVD

[root@centos01 ~]# mount /dev/cdrom /mnt
mount: /dev/sr0 is write-protected, mounting read-only
[root@centos01 ~]# ls /mnt
CentOS_BuildTag  EULA  images    LiveOS    repodata              RPM-GPG-KEY-CentOS-Testing-7
EFI              GPL   isolinux  Packages  RPM-GPG-KEY-CentOS-7  TRANS.TBL

(2) Install the server and client packages

[root@centos01 ~]# rpm -ivh /mnt/Packages/openssh-server-7.4p1-11.el7.x86_64.rpm 
warning: /mnt/Packages/openssh-server-7.4p1-11.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
Preparing...                          ################################# [100%]
	package openssh-server-7.4p1-11.el7.x86_64 is already installed
[root@centos01 ~]# rpm -ivh /mnt/Packages/openssh-clients-7.4p1-11.el7.x86_64.rpm 
warning: /mnt/Packages/openssh-clients-7.4p1-11.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
Preparing...                          ################################# [100%]
	package openssh-clients-7.4p1-11.el7.x86_64 is already installed

Both packages are part of the default CentOS 7 install, which is why rpm reports them as already installed. The NOKEY warning means rpm could not verify the package signature because the CentOS signing key is not in the rpm database; import it from the same DVD first (rpm --import /mnt/RPM-GPG-KEY-CentOS-7) so that a tampered package is rejected instead of being installed with a warning.

(3) Enable the service at boot and start it

[root@centos01 ~]# systemctl enable sshd
[root@centos01 ~]# systemctl start sshd
2. Create the accounts and set their passwords

(1) Create the accounts bob and tom

[root@centos01 ~]# useradd bob
[root@centos01 ~]# useradd tom

(2) Set their passwords

[root@centos01 ~]# passwd bob
Changing password for user bob.
New password: 
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: 
passwd: all authentication tokens updated successfully.
[root@centos01 ~]# passwd tom
Changing password for user tom.
New password: 
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: 
passwd: all authentication tokens updated successfully.

The "BAD PASSWORD" line is pam_pwquality objecting to a password shorter than 8 characters; root is allowed to override the policy, which is what happened here. On a server that accepts password authentication from the network such passwords are the weak point, so outside the lab use passwords that satisfy the policy, or turn PasswordAuthentication off once key-based logins (Part II) are in place.
3. Configure the ssh server to control user access

(1) Edit the main sshd configuration file

[root@centos01 ~]# vim /etc/ssh/sshd_config
line 17  Port 2222
line 19  ListenAddress 192.168.100.10
line 37  LoginGraceTime 2m
line 38  PermitRootLogin yes
line 40  MaxAuthTries 6
line 41  MaxSessions 10
line 64  PermitEmptyPasswords no
line 65  PasswordAuthentication yes
line 115 UseDNS no
line 116 AllowUsers bob@192.168.100.20 root@192.168.100.20
line 117 DenyUsers tom@192.168.100.20

Notes on these settings:

  • PermitEmptyPasswords no is what "forbid empty-password access" requires; with yes, any account whose password field is empty could log in without a password at all.
  • AllowUsers is a whitelist: as soon as it is present, every account not matched by it (root included) is refused. root@192.168.100.20 therefore has to be listed, and PermitRootLogin has to be yes, for the root login in step 4 to succeed. DenyUsers is evaluated before AllowUsers, so the tom line is redundant once the whitelist exists, but it documents the intent.
  • The directive is spelled MaxAuthTries; sshd rejects a misspelled keyword as a "Bad configuration option" and refuses to start.
  • sshd uses the first uncommented value of each directive, so a second Port line lower in the file would be ignored. Check the effective configuration with sshd -T and the syntax with sshd -t before restarting, and keep your current session open until the new port is confirmed reachable.

(2) Restart the service and check the listening port

[root@centos01 ~]# systemctl restart sshd
[root@centos01 ~]# netstat -anptu | grep sshd
tcp        0      0 192.168.100.10:2222     0.0.0.0:*               LISTEN      1979/sshd

sshd now listens only on 192.168.100.10:2222, as set by ListenAddress and Port. On a CentOS 7 system with SELinux enforcing, sshd is not allowed to bind a non-standard port until the port is labelled (semanage port -a -t ssh_port_t -p tcp 2222), and if firewalld is running the port has to be opened (firewall-cmd --permanent --add-port=2222/tcp && firewall-cmd --reload).
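As an added example (written for this page, not part of the original post), the following script audits an sshd_config file for the settings this part of the lab sets, including the extra AllowUsers line added in Part II. It reproduces two rules of sshd's parser that catch people out: the first uncommented value of a directive wins, and everything after the first Match line is conditional, so only the global section is reported. The lab addresses, the expected values, and the OpenSSH 7.4 defaults assumed for unset directives are this example's assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: audit an sshd_config file against
# the settings this lab requires. Mirrors sshd's parser: the FIRST uncommented
# occurrence of a directive wins, the file is read only up to the first "Match"
# line, and both "Key value" and "Key = value" spellings are accepted.
# Expected values, lab addresses and the OpenSSH 7.4 defaults are assumptions.

# sshd_opt FILE DIRECTIVE -> effective global value of a single-value directive ("" if unset)
sshd_opt() {
  awk -v k="$2" '
    BEGIN { FS = "[ \t]*=[ \t]*|[ \t]+" }
    { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
    $0 == "" || /^#/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == tolower(k) { print $2; exit }
  ' "$1"
}

# sshd_list FILE DIRECTIVE -> every value of a cumulative directive (AllowUsers, DenyUsers), one per line
sshd_list() {
  awk -v k="$2" '
    BEGIN { FS = "[ \t]*=[ \t]*|[ \t]+" }
    { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
    $0 == "" || /^#/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == tolower(k) { for (i = 2; i <= NF; i++) print $i }
  ' "$1"
}

# audit_sshd_config FILE -> one line per check; the return value is the number of failed checks
audit_sshd_config() {
  local f="$1" fails=0 spec rest d def want have src u
  # Directive=sshd-7.4-default=lab-expected. An unset directive means the default applies.
  for spec in Port=22=2222 PermitEmptyPasswords=no=no PasswordAuthentication=yes=yes \
              PubkeyAuthentication=yes=yes MaxAuthTries=6=6 UseDNS=no=no; do
    d=${spec%%=*}; rest=${spec#*=}; def=${rest%%=*}; want=${rest#*=}
    have=$(sshd_opt "$f" "$d"); src=set
    [ -n "$have" ] || { have=$def; src=default; }
    if [ "$have" = "$want" ]; then
      echo "ok   $d $have ($src)"
    else
      echo "FAIL $d $have ($src), want $want"; fails=$((fails + 1))
    fi
  done
  # AllowUsers is a whitelist: every account that must still log in needs an entry
  for u in bob@192.168.100.20 root@192.168.100.20; do
    if sshd_list "$f" AllowUsers | grep -qx "$u"; then
      echo "ok   AllowUsers includes $u"
    else
      echo "FAIL AllowUsers does not include $u"; fails=$((fails + 1))
    fi
  done
  return "$fails"
}

# sshd_syntax_ok FILE -> sshd's own parser (needs root and the host keys). A misspelled
# keyword such as "MaxAuthxiTries" is reported as "Bad configuration option" and would
# keep sshd from coming back after "systemctl restart sshd"; this audit cannot see that.
sshd_syntax_ok() { sshd -t -f "$1"; }

# Usage on the server:  audit_sshd_config /etc/ssh/sshd_config && sshd_syntax_ok /etc/ssh/sshd_config
```

Run it before restarting sshd; a non-zero return value is the number of failed checks. The value checks and the sshd -t syntax check are complementary: a misspelled keyword leaves the directive at its default, which the audit may accept, while sshd itself refuses the file outright.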
4. Verify password logins to the ssh server

(1) root is allowed to log in from 192.168.100.20

[root@centos02 ~]# ssh -p2222 root@192.168.100.10
root@192.168.100.10's password: 
Last failed login: Sun Apr 23 06:01:58 CST 2023 from 192.168.100.20 on ssh:notty
There were 3 failed login attempts since the last successful login.
Last login: Sun Apr 23 05:56:57 2023
[root@centos01 ~]# exit
logout
Connection to 192.168.100.10 closed.

(2) bob is allowed to log in from 192.168.100.20

[root@centos02 ~]# ssh -p2222 bob@192.168.100.10
bob@192.168.100.10's password: 
[bob@centos01 ~]$ exit
logout
Connection to 192.168.100.10 closed.

(3) tom is denied from 192.168.100.20

[root@centos02 ~]# ssh -p2222 tom@192.168.100.10
tom@192.168.100.10's password: 
Permission denied, please try again.

The client only sees "Permission denied", the same message a wrong password produces, because sshd does not reveal its access rules to the client. The reason is logged on the server in /var/log/secure as "User tom from 192.168.100.20 not allowed because listed in DenyUsers".

II. Configure public-key (non-interactive) authentication so that Centos03 can reach the ssh server as root and as alice without a password, and use access control to refuse 192.168.100.30

1. Enable public-key authentication on the ssh server

(1) Edit the main configuration file

[root@centos01 ~]# vim /etc/ssh/sshd_config
line 43 PubkeyAuthentication yes
line 47 AuthorizedKeysFile      .ssh/authorized_keys
line 48 AllowUsers alice root@192.168.100.30

PubkeyAuthentication yes and the AuthorizedKeysFile path are sshd's defaults; uncommenting them only makes the choice explicit. AllowUsers lines accumulate, so this entry extends the list from Part I rather than replacing it. The alice entry names a server-side account, and no alice account exists on centos01: in the steps below both the root user and the alice user of centos03 log in to centos01 as root, so the entry that actually admits them is root@192.168.100.30.

(2) Restart the service

[root@centos01 ~]# systemctl restart sshd
[root@centos01 ~]# netstat -anptu | grep sshd
tcp        0      0 192.168.100.10:2222     0.0.0.0:*               LISTEN      2364/sshd
2. Configure non-interactive authentication for root on the client

(1) Generate a key pair

[root@centos03 ~]# ssh-keygen -t rsa
Generating public/private RSA key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:n8nuUjQDy12LgT9Qksoqm/qcdcGHckUynoehWJxmWVQ root@centos03
The key's randomart image is:
+---[RSA 2048]----+
|   ..=*.E+.      |
|   o*o B=.. .    |
|  .o..+oo* + .   |
|     .o+o O .    |
|    ..= S. +     |
|  . .o o o.o     |
|   +. .  .=      |
| .oo .  ..       |
|.o+      oo      |
+----[SHA256]-----+

The passphrase was left empty, so anyone who can read /root/.ssh/id_rsa can log in as root on the server. Outside a lab, give the key a passphrase and load it into ssh-agent for the session, and prefer ssh-keygen -t ed25519, which OpenSSH 7.4 supports and which gives smaller, faster keys with no key-size decision to make.

(2) Copy the public key to the remote server

[root@centos03 ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub -p 2222 root@192.168.100.10
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '[192.168.100.10]:2222 ([192.168.100.10]:2222)' can't be established.
ECDSA key fingerprint is SHA256:LuSDHJRzMptzroGB1eYCvj9Qqpf3wy4MV7184jNU2nA.
ECDSA key fingerprint is MD5:b6:4f:7b:03:8d:34:d0:f5:9c:bb:2a:de:cd:1c:ff:6a.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.100.10's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh -p '2222' 'root@192.168.100.10'"
and check to make sure that only the key(s) you wanted were added.

The "authenticity of host ... can't be established" prompt is the one chance to detect a machine-in-the-middle on the first connection: before answering yes, compare the fingerprint with the one printed on centos01 by ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub (add -E md5 for the MD5 form). Answering yes records the key in ~/.ssh/known_hosts, after which the client refuses to connect silently if the server key ever changes.

(3) Verify login as root

[root@centos03 ~]# ssh -p 2222 root@192.168.100.10
Last login: Sun Apr 23 06:03:54 2023 from 192.168.100.20
[root@centos01 ~]# exit
logout
Connection to 192.168.100.10 closed.
3. Configure non-interactive authentication for the alice user

(1) Create the alice user and set a password

[root@centos03 ~]# useradd alice
[root@centos03 ~]# passwd alice
Changing password for user alice.
New password: 
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: 
passwd: all authentication tokens updated successfully.

(2) Switch to alice and generate a key pair

[root@centos03 ~]# su - alice
[alice@centos03 ~]$ ssh-keygen -t rsa
Generating public/private RSA key pair.
Enter file in which to save the key (/home/alice/.ssh/id_rsa): 
Created directory '/home/alice/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/alice/.ssh/id_rsa.
Your public key has been saved in /home/alice/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:nF4SQCw26qCpvhYXnjRKu0hVuWmgmIHnZqm3QrRdnzw alice@centos03
The key's randomart image is:
+---[RSA 2048]----+
|.    o+          |
|o ..+o..         |
|.=.+ooo .        |
|++*= = . o       |
|+BO * o S .      |
|+Bo=   E o       |
|=.+.    o        |
|+o.              |
|o+.              |
+----[SHA256]-----+

(3) Upload the public key

The first attempt contains a typo (a space after the dash, so ssh-copy-id sees a bare "-" as an option):

[alice@centos03 ~]$ ssh-copy-id - i -p 2222 root@192.168.100.10

/bin/ssh-copy-id: ERROR: invalid option (-)

Usage: /bin/ssh-copy-id [-h|-?|-f|-n] [-i [identity_file]] [-p port] [[-o <ssh -o options>] ...] [user@]hostname
	-f: force mode -- copy keys without trying to check if they are already installed
	-n: dry run    -- no keys are actually copied
	-h|-?: print this help
[alice@centos03 ~]$ ssh-copy-id -i ~/.ssh/id_rsa.pub -p 2222 root@192.168.100.10
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/alice/.ssh/id_rsa.pub"
The authenticity of host '[192.168.100.10]:2222 ([192.168.100.10]:2222)' can't be established.
ECDSA key fingerprint is SHA256:LuSDHJRzMptzroGB1eYCvj9Qqpf3wy4MV7184jNU2nA.
ECDSA key fingerprint is MD5:b6:4f:7b:03:8d:34:d0:f5:9c:bb:2a:de:cd:1c:ff:6a.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.100.10's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh -p '2222' 'root@192.168.100.10'"
and check to make sure that only the key(s) you wanted were added.

(4) alice logs in to the remote server

[alice@centos03 ~]$ ssh -p 2222 root@192.168.100.10
Last login: Sun Apr 23 06:26:43 2023 from 192.168.100.30
[root@centos01 ~]# exit
logout
Connection to 192.168.100.10 closed.

alice exists only on centos03; on the server she arrives as root, because ssh-copy-id appended her public key to /root/.ssh/authorized_keys (which is also why it asked for root's password in the previous step). Two client identities now share one server account and are told apart only by the comment at the end of each authorized_keys line, so review that file directly, and revoke a key by deleting its line, rather than relying on ssh-copy-id's reminder alone.
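As an added example (not part of the original post), the following functions do what ssh-copy-id did in steps 2(2) and 3(3), but the way a reviewer would want it: each key is pinned to the client address that holds the private key, forwarding through the key is switched off, the directory and file modes are set so that sshd's StrictModes check does not silently ignore the file, and a key can be listed and revoked. The address 192.168.100.30, the paths and the sample key lines in the usage below are this example's assumptions; they are not real keys.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: install a client's public key into a
# server account's authorized_keys pinned to the client address and with forwarding
# disabled. Modes are enforced because sshd (StrictModes, the default) ignores a
# group- or world-writable ~/.ssh or authorized_keys. Addresses and paths passed in
# are the caller's; the lab value would be 192.168.100.30 for centos03.

# install_key_restricted AUTHORIZED_KEYS PUBKEY_FILE SOURCE_ADDR
# Idempotent: a key whose blob is already present is not added twice.
install_key_restricted() {
  local ak="$1" pub="$2" from="$3" ktype blob comment opts
  read -r ktype blob comment < "$pub" || true      # read fails on a file with no final newline
  case "$ktype" in
    ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
    *) echo "refusing unsupported key type '${ktype:-<empty>}' in $pub" >&2; return 1 ;;
  esac
  [ -n "$blob" ] || { echo "no key blob in $pub" >&2; return 1; }
  mkdir -p "$(dirname "$ak")" && chmod 700 "$(dirname "$ak")"
  touch "$ak" && chmod 600 "$ak"
  if grep -qF -- "$blob" "$ak"; then
    echo "already present: ${comment:-$ktype key}"
    return 0
  fi
  # from= restricts the key to this source address; the no-*-forwarding options stop
  # the key being used as a pivot. An interactive shell is still allowed.
  opts="from=\"$from\",no-port-forwarding,no-agent-forwarding,no-X11-forwarding"
  printf '%s %s %s%s\n' "$opts" "$ktype" "$blob" "${comment:+ $comment}" >> "$ak"
  echo "installed: ${comment:-$ktype key} (from $from)"
}

# revoke_key AUTHORIZED_KEYS PUBKEY_FILE -> removes every line carrying that key blob
revoke_key() {
  local ak="$1" pub="$2" ktype blob comment tmp
  read -r ktype blob comment < "$pub" || true
  [ -n "$blob" ] || return 1
  tmp=$(mktemp) || return 1
  grep -vF -- "$blob" "$ak" > "$tmp" || true       # grep -v exits 1 when nothing remains
  cat "$tmp" > "$ak" && rm -f "$tmp"               # rewrite in place: owner and mode are kept
  echo "revoked: ${comment:-$ktype key}"
}

# list_keys AUTHORIZED_KEYS -> "options|type|comment" per line, to review who can log in
# and with which restrictions. Assumes option strings contain no spaces, as written above.
list_keys() {
  awk '!/^#/ && NF >= 2 {
    if ($1 ~ /^(ssh-|ecdsa-)/) { opts = "-"; t = $1; c = $3 } else { opts = $1; t = $2; c = $4 }
    print opts "|" t "|" (c == "" ? "-" : c)
  }' "$1"
}

# Usage on centos01 after copying alice's public key over:
#   install_key_restricted /root/.ssh/authorized_keys alice.pub 192.168.100.30
#   list_keys /root/.ssh/authorized_keys
```

With the key pinned by from=, the same private key presented from any other address is refused at the key-lookup stage, which is a useful backstop even before the hosts.deny rule in step 4 is in place; and list_keys is the concrete form of ssh-copy-id's advice to "check to make sure that only the key(s) you wanted were added".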
4. Configure access control to block host 192.168.100.30 from the ssh service

(1) Configure access control

[root@centos01 ~]# vim /etc/hosts.deny
sshd:192.168.100.30

This uses TCP wrappers: the CentOS 7 sshd is built with libwrap and consults /etc/hosts.allow and then /etc/hosts.deny on every incoming connection, so the change takes effect immediately without restarting sshd. hosts.allow is consulted first and a match there wins, so make sure no hosts.allow entry (such as "sshd: ALL") already admits the host. Upstream OpenSSH dropped libwrap support in 6.7 and RHEL/CentOS 8 no longer ships tcp_wrappers at all, so on newer systems the same block belongs in the firewall, for example firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.100.30" port port="2222" protocol="tcp" reject' followed by firewall-cmd --reload.

(2) Verify that remote management is now refused

[alice@centos03 ~]$ ssh -p 2222 root@192.168.100.10
ssh_exchange_identification: read: Connection reset by peer

The socket is closed before the SSH banner is exchanged, so neither alice's key nor the AllowUsers entry for root@192.168.100.30 ever comes into play; on the server the refusal appears in /var/log/secure as a "refused connect from ..." line.
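As an added example (not part of the original post), here is a small evaluator for the decision libwrap makes inside sshd from /etc/hosts.allow and /etc/hosts.deny. It makes the ordering concrete (hosts.allow first and a match there wins, then hosts.deny, otherwise access is granted) and shows how a default-deny posture is written. The rule files in the usage are constructed for this example; the pattern syntax covered is ALL, an exact daemon name or IPv4 address, and a trailing-dot network prefix such as "192.168.100.", while EXCEPT lists, netmasks, hostnames and the ": allow"/": deny" option extension are not modelled.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: evaluate the tcp_wrappers decision that
# libwrap makes for an incoming sshd connection. hosts.allow is consulted first and a
# match there grants access; then hosts.deny; with no match anywhere access is granted.
# Patterns handled: ALL, exact daemon/IPv4 address, trailing-dot prefix ("192.168.100.").
# Not modelled: EXCEPT, netmasks, hostnames, the ": allow"/": deny" option extension.

# tcpwrap_match PATTERN VALUE -> 0 if the daemon name or client address matches
tcpwrap_match() {
  local pat="$1" val="$2"
  case "$pat" in
    ALL) return 0 ;;
    *.)  case "$val" in "$pat"*) return 0 ;; *) return 1 ;; esac ;;
  esac
  [ "$pat" = "$val" ]
}

# tcpwrap_file_matches FILE DAEMON CLIENT -> 0 if any "daemon_list : client_list" rule matches
tcpwrap_file_matches() {
  local file="$1" daemon="$2" client="$3" line dlist clist d c
  [ -r "$file" ] || return 1                       # a missing file simply contains no rules
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}                               # strip comments
    case "$line" in *:*) ;; *) continue ;; esac
    dlist=${line%%:*}
    clist=${line#*:}; clist=${clist%%:*}           # ignore an optional third (shell command) field
    for d in $(printf '%s' "$dlist" | tr ',' ' '); do
      tcpwrap_match "$d" "$daemon" || continue
      for c in $(printf '%s' "$clist" | tr ',' ' '); do
        tcpwrap_match "$c" "$client" && return 0
      done
    done
  done < "$file"
  return 1
}

# tcpwrap_decision DAEMON CLIENT [ALLOW_FILE] [DENY_FILE] -> prints "allow" or "deny"
tcpwrap_decision() {
  local daemon="$1" client="$2" allow="${3:-/etc/hosts.allow}" deny="${4:-/etc/hosts.deny}"
  if tcpwrap_file_matches "$allow" "$daemon" "$client"; then
    echo allow        # matched in hosts.allow: granted, hosts.deny is not consulted
  elif tcpwrap_file_matches "$deny" "$daemon" "$client"; then
    echo deny         # matched in hosts.deny: sshd closes the socket before the banner
  else
    echo allow        # no rule matched anywhere: the default is to allow
  fi
}

# Usage on the lab server:  tcpwrap_decision sshd 192.168.100.30   (prints "deny" with the rule above)
```

The default-allow fallthrough is why a single hosts.deny line is a blacklist and nothing more; the usual hardened layout is "ALL: ALL" in hosts.deny and an explicit list of daemons and source addresses in hosts.allow, which this evaluator handles in the same way libwrap does.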


Source: user article on the 摩杜云社区 (moduyun.com) community site; content copyright remains with the original author. Last edited 2023-11-08.
