您好,登錄后才能下訂單哦!
[root@localhost ~]# netstat -ntap | grep 22
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 3252/dnsm
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 968/sshd //默認我們的SSHD是開啟的
tcp 0 0 127.0.0.1:6010 0.0.0.0:* LISTEN 16227/sshot@pt
tcp 0 0 192.168.17.128:49342 180.97.251.226:80 TIME_WAIT -
tcp 0 0 192.168.17.128:42522 202.141.176.110:80
[root@localhost ~]# vim /etc/ssh/sshd_config //服務端的SSHD配置文件
17 #Port 22 //端口
18 #AddressFamily any
19 #ListenAddress 0.0.0.0 //監聽地址
20 #ListenAddress :: //IPV6地址
37#LoginGraceTime 2m //2分鐘會話時間
38 #PermitRootLogin yes //允許ROOT登錄
39 #StrictModes yes //驗證你的訪問權限
40 #MaxAuthTries 6 //驗證次數
41 #MaxSessions 10 // 訪問最大連接數10個
#PubkeyAuthentication yes //公鑰驗證開啟
[root@test02 ~]# ssh root@192.168.17.128
The authenticity of host '192.168.17.128 (192.168.17.128)' can't be established.
ECDSA key fingerprint is SHA256:Rpsrtp0nMlVYADWOhRjM0UVz6wVl682cNuzxhF0Q7C8.
ECDSA key fingerprint is MD5:fa:c3:d9:5c:96:87:ce:16:d8:63:b3:0c:7b:26:45:1f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.17.128' (ECDSA) to the list of known hosts.
root@192.168.17.128's password:
Last login: Mon Sep 16 12:07:36 2019
37 #LoginGraceTime 2m
38 #PermitRootLogin no //禁止遠程用戶用ROOT登錄
39 #StrictModes yes
40 #MaxAuthTries 6
41 #MaxSessions 10
[root@test02 ~]# ssh root@192.168.17.128
root@192.168.17.128's password:
Permission denied, please try again.
root@192.168.17.128's password:
[root@test02 ~]# ssh lisi@192.168.17.128
lisi@192.168.17.128's password:
[lisi@test01 ~]$ su - root
密碼:
上一次登錄:一 9月 16 12:17:31 CST 2019pts/2 上
最后一次失敗的登錄:一 9月 16 12:25:59 CST 2019pts/2 上
最有一次成功登錄后有 1 次失敗的登錄嘗試。
[root@test01 ~]#
vim /etc/pam.d/su
//把“#”號去掉auth required pam_wheel.so use_uid
auth substack system-auth
auth include postlogin
[lisi@test01 ~]$ su - root
密碼:
su: 拒絕權限
[root@test02 ~]# ssh chen@192.168.17.128
chen@192.168.17.128's password:
Permission denied, please try again.
chen@192.168.17.128's password:
Permission denied, please try again.
chen@192.168.17.128's password:
Permission denied, please try again.
[root@test02 ~]#
[root@test01 ~]# ssh -o NumberOfPasswordPrompts=8 chen@192.168.17.128
The authenticity of host '192.168.17.128 (192.168.17.128)' can't be established.
ECDSA key fingerprint is SHA256:Rpsrtp0nMlVYADWOhRjM0UVz6wVl682cNuzxhF0Q7C8.
ECDSA key fingerprint is MD5:fa:c3:d9:5c:96:87:ce:16:d8:63:b3:0c:7b:26:45:1f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.17.128' (ECDSA) to the list of known hosts.
chen@192.168.17.128's password:
Permission denied, please try again.
chen@192.168.17.128's password:
Permission denied, please try again.
chen@192.168.17.128's password:
Permission denied, please try again.
chen@192.168.17.128's password:
Permission denied, please try again.
chen@192.168.17.128's password:
Permission denied, please try again.
chen@192.168.17.128's password:
Received disconnect from 192.168.17.128 port 22:2: Too many authentication failures
Authentication failed.
[root@test01 ~]#
37 #LoginGraceTime 2m
38 #PermitRootLogin no
39 #StrictModes yes
40 #MaxAuthTries 6
41 #MaxSessions 10
42 Allow Users chen@192.168.17.130
//只允許chen這個用戶用192.168.17.130地址登錄
[root@test01 ~]# systemctl restart sshd
scp 遠程復制
sftp get 遠程下載文件
sftp put 遠程上傳文件
[root@localhost ~]# vim /etc/ssh/sshd_config //服務端的SSHD配置文件
43 PubkeyAuthentication yes 把“#”去掉開啟公私鑰驗證登錄
44
45 # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys 2
46 # but this is overridden so installations will only check .ssh/authorized_ke ys
47 AuthorizedKeysFile .ssh/authorized_keys
//生成的公私密鑰會在這個目錄底下
[root@client ~]# ls /home/
chen
[root@client ~]# ssh-keygen -t ecdsa
Generating public/private ecdsa key pair.
Enter file in which to save the key (/root/.ssh/id_ecdsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_ecdsa.
Your public key has been saved in /root/.ssh/id_ecdsa.pub.
The key fingerprint is:
SHA256:HqV9MQWYPqLHSodJciQEDpGhsbQheF3gVqXLMD6mhTo root@client
The key's randomart image is:
+---[ECDSA 256]---+
|B*.+ooo.. o... |
|*=+.o... o . |
|oo. =o. .. o |
| +.+o..+o o |
| . =+o=S.... |
| . + .=.+. . |
|E . . +. |
| . . |
| |
+----[SHA256]-----+
[root@client ~]# ls -a
. .bash_logout .dbus .mozilla 模板
.. .bash_profile .esd_auth .ssh 視頻
.1234.txt.swp .bashrc .ICEauthority .tcshrc 圖片
abc .cache initial-setup-ks.cfg test 文檔
abc.txt chen is this 下載
anaconda-ks.cfg chenchen .lesshst .viminfo 音樂
.anacond-ks.cfg.swp .config .local .Xauthority 桌面
.bash_history .cshrc lshelp1.txt 公共
[root@client ~]# cd .ssh/
[root@client .ssh]# ls
id_ecdsa id_ecdsa.pub known_hosts
[root@client .ssh]# ssh-copy-id -i id_ecdsa.pub chen@192.168.17.128
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "id_ecdsa.pub"
The authenticity of host '192.168.17.128 (192.168.17.128)' can't be established.
ECDSA key fingerprint is SHA256:Rpsrtp0nMlVYADWOhRjM0UVz6wVl682cNuzxhF0Q7C8.
ECDSA key fingerprint is MD5:fa:c3:d9:5c:96:87:ce:16:d8:63:b3:0c:7b:26:45:1f.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
chen@192.168.17.128's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'chen@192.168.17.128'"
and check to make sure that only the key(s) you wanted were added.
[root@localhost chen]# cd .ssh/
[root@localhost .ssh]# ls
authorized_keys
[root@localhost .ssh]# cat authorized_keys
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC3jJu7k3skpOWd5azNtHhohBCyQvcE5vMQblIICOn48GGL3h2tQ9d7m34liu7YdXcdY+oLyQvgl23xiP9Au8ug= root@client
[root@client .ssh]# ssh chen@192.168.17.128
Enter passphrase for key '/root/.ssh/id_ecdsa':
Last login: Sat Aug 10 00:32:52 2019
[chen@localhost ~]$ exit
登出
Connection to 192.168.17.128 closed.
[root@client .ssh]# ssh-agent bash //代理bash環境
[root@client .ssh]# ssh-add //添加我們密鑰對的密碼
Enter passphrase for /root/.ssh/id_ecdsa:
Identity added: /root/.ssh/id_ecdsa (/root/.ssh/id_ecdsa)
[root@client .ssh]# ssh chen@192.168.17.128
Last login: Mon Sep 16 13:09:06 2019 from 192.168.17.134
[chen@localhost ~]$
訪問控制策略:
先檢查hosts.allow,找到匹配則允許訪問
?否則再檢查hosts.deny,找到則拒絕訪問
?若兩個文件中均無匹配策略,則默認允許
訪問
[root@localhost ~]# vim /etc/hosts.allow
hosts.allow This file contains access rules which are used to
allow or deny connections to network services that
either use the tcp_wrappers library or that have been
started through a tcp_wrappers-enabled xinetd.
See 'man 5 hosts_options' and 'man 5 hosts_access'
for information on rule syntax.
See 'man tcpd' for information on tcp_wrappers
sshd:192.168.17.130 //添加只允許訪問的地址
~
[root@localhost ~]# vim /etc/hosts.deny
hosts.deny This file contains access rules which are used to
deny connections to network services that either use
the tcp_wrappers library or that have been
started through a tcp_wrappers-enabled xinetd.
The rules in this file can also be set up in
/etc/hosts.allow with a 'deny' option instead.
See 'man 5 hosts_options' and 'man 5 hosts_access'
for information on rule syntax.
See 'man tcpd' for information on tcp_wrappers
sshd:192.168.17.128
~
~
~
免責聲明:本站發布的內容(圖片、視頻和文字)以原創、轉載和分享為主,文章觀點不代表本網站立場,如果涉及侵權請聯系站長郵箱:is@yisu.com進行舉報,并提供相關證據,一經查實,將立刻刪除涉嫌侵權內容。