linux學習筆記(7):sshd服務
sshd服務
1.sshd簡介
sshd= secure shell 可以通過網路在主機中開機shell的服務
客戶端軟體 sshd
連線方式: ssh [email protected] 文字模式的連結 ssh -X [email protected] 可以在連結成功後開機圖形 注意:第一次連結陌生主機是要建立認證檔案所以會詢問是否建立,需要樹入yes在次連結此臺主機時,因為已經生成~/.ssh/know_hosts檔案所以不需要再次輸入yes
遠端複製:
scp file [email protected]:dir 上傳
scp
2.sshd 的key認證
1.生成認證KEY
[[email protected] ~]# ssh-keygen 生成金鑰的命令 Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa): 指定儲存加密字元的檔案(使用預設) Enter passphrase (empty for no passphrase): 設定密碼(使用空密碼) Enter same passphrase again: 確認密碼 Your identification has been saved in "/root/.ssh/id_rsa". 私鑰(鑰匙) Your public key has been saved in "/root/.ssh/id_rsa.pub". 公鑰(鎖) The key fingerprint is: 86:61:e4:f1:6e:51:3a:4b:d7:3c:1b:2f:e8:3f:b0:5d
[email protected] The key's randomart image is: +--[ RSA 2048]----+ | o . | | o o o o | | + * . = | | . = = . = | | . S . o . | | o .. .E | | .+ . | | ..o | | .. | +-----------------+
2.加密服務 [[email protected] .ssh]# ssh-copy-id -i /root/.ssh/id_rsa.pub [email protected] ##加密sshd服務 The authenticity of host ‘172.25.254.200 (172.25.254.200)’ can’t be established. ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08. Are you sure you want to continue connecting (yes/no)? yes /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed – if you are prompted now it is to install the new keys [email protected]’s password:
Number of key(s) added: 1
Now try logging into the machine, with: “ssh ‘[email protected]’” and check to make sure that only the key(s) you wanted were added.
[[email protected] .ssh]# ls authorized_keys id_rsa id_rsa.pub known_hosts ^ 此檔案出現表示加密完成 3.分發鑰匙 scp /root/.ssh/id_rsa [email protected]:/root/.ssh/ 4.測試 在客戶主機中(172.25.254.100) ssh [email protected] 連線時發現直接登陸不需要root登陸系統的密碼認證
3.sshd的安全設定
78 PasswordAuthentication yes|no 是否允許使用者通過登陸系統的密碼做sshd的認證
48 PermitRootLogin yes|no 是否允許root使用者通過sshd服務的認證
52 Allowusers student westos 設定使用者白名單,白名單出現預設不再名單中的使用者不能使用sshd
53 Denyusers westos 設定使用者黑名單,黑名單出現預設不再名單中的使用者可以使用sshd
4.新增sshd登陸登陸資訊
vim /etc/motd 檔案內容就是登陸後顯示的資訊
5.使用者的登陸審計
w 檢視正在使用當前系統的使用者
-f 檢視使用來源
-i 顯示IP
/var/run/utmp
2.
last 檢視使用過並退出的使用者資訊
/var/log/wtmp
3.
lastb 試圖登陸但沒成功的使用者
/var/log/btmp