SSH (Secure Shell) is an encrypted protocol that secures network connections. On Linux you use ssh to connect to other servers or remote devices, run CLI commands on them, and transfer files through them.
Accessing the remote command line with SSH
- Log in as the current user
-- ssh remotehost
- Log in as a specified user
-- ssh username@remotehost
- Run a command on the remote system as a specified user (the session ends when the command exits)
-- ssh username@remotehost command
# log in as the current user
[root@myhost ~]# ssh 192.168.2.102
root@192.168.2.102's password:
Last login: Wed Apr 26 02:06:39 2023 from desktop-up0o41n.lan
[root@serverb ~]#
# log in as a specified user
[root@myhost ~]# ssh user@192.168.2.102
user@192.168.2.102's password:
Last login: Wed Apr 26 01:21:48 2023
[user@serverb ~]$
# run a command on the remote system as a specified user
[root@myhost ~]# ssh user@192.168.2.102 pwd
user@192.168.2.102's password:
/home/user
- Identifying remote users
-- w lists the users currently logged in to the machine, including the host each session came from (FROM column)
-- grep sshd /var/log/secure shows sshd's login records (RHEL family; Debian-based systems log to /var/log/auth.log, and journalctl -u sshd works on any systemd host)
[user@serverb ~]$ w
19:37:13 up 5 days, 18:55, 3 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 desktop-up0o41n. Tue01 17:53 0.10s 0.10s -bash
root pts/1 desktop-up0o41n. 02:06 59:21 0.10s 0.10s -bash
user pts/2 gateway 19:29 1.00s 0.04s 0.01s w
[root@serverb ~]# tail -10 /var/log/secure
Apr 26 19:28:17 serverb sshd[14072]: Received disconnect from 192.168.2.100 port 35388:11: disconnected by user
Apr 26 19:28:17 serverb sshd[14072]: Disconnected from 192.168.2.100 port 35388
Apr 26 19:28:17 serverb sshd[14065]: pam_unix(sshd:session): session closed for user user
Apr 26 19:29:04 serverb sshd[14118]: Accepted password for user from 192.168.2.100 port 35390 ssh2
Apr 26 19:29:04 serverb sshd[14118]: pam_unix(sshd:session): session opened for user user by (uid=0)
Apr 26 19:30:38 serverb sudo: user : TTY=pts/2 ; PWD=/home/user ; USER=root ; COMMAND=/bin/bash
Apr 26 19:30:38 serverb sudo: pam_unix(sudo-i:session): session opened for user root by user(uid=0)
Apr 26 19:36:50 serverb sudo: pam_unix(sudo-i:session): session closed for user root
Apr 26 19:37:48 serverb sudo: user : TTY=pts/2 ; PWD=/home/user ; USER=root ; COMMAND=/bin/bash
Apr 26 19:37:48 serverb sudo: pam_unix(sudo-i:session): session opened for user root by user(uid=0)
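The excerpt above already carries the detection signal a practitioner wants: "Accepted password" versus "Accepted publickey" shows which logins still depend on passwords, "Failed password" lines clustered by source address indicate guessing, and the sudo lines record who became root. The script below is an added example, not part of the original notes: it summarises sshd authentication events from /var/log/secure-style lines. The function names are mine, and SAMPLE_LOG is constructed for the demo (only its first line is taken from the excerpt above); on a real host feed it the log instead, e.g. `grep sshd /var/log/secure | summarize_ssh_auth`.

```shell
#!/bin/sh
# Added example (not from the original notes): summarise sshd authentication events
# from /var/log/secure-style lines. SAMPLE_LOG is constructed for this demo.

SAMPLE_LOG='Apr 26 19:29:04 serverb sshd[14118]: Accepted password for user from 192.168.2.100 port 35390 ssh2
Apr 26 19:31:10 serverb sshd[14200]: Failed password for root from 203.0.113.7 port 40001 ssh2
Apr 26 19:31:12 serverb sshd[14201]: Failed password for root from 203.0.113.7 port 40002 ssh2
Apr 26 19:31:15 serverb sshd[14202]: Failed password for invalid user admin from 203.0.113.7 port 40003 ssh2
Apr 26 19:32:00 serverb sshd[14210]: Accepted publickey for user from 192.168.2.100 port 35400 ssh2: RSA SHA256:qAcSiJqUzrNzRG8ADVi5YuLRebADTPHa7WMFHCGDtwI
Apr 26 19:33:21 serverb sshd[14220]: Received disconnect from 192.168.2.100 port 35400:11: disconnected by user'

# stdin: syslog lines; stdout: "<Accepted|Failed> <password|publickey> <user> <source-ip> <count>"
summarize_ssh_auth() {
    awk '
        /sshd\[[0-9]+\]: (Accepted|Failed) (password|publickey) for / {
            for (i = 1; i <= NF; i++) if ($i ~ /^sshd\[/) break
            result = $(i + 1); method = $(i + 2)
            user = $(i + 4); ip = $(i + 6)
            # "... for invalid user admin from 203.0.113.7 ..." shifts the fields by two
            if (user == "invalid") { user = $(i + 6) "(invalid)"; ip = $(i + 8) }
            count[result " " method " " user " " ip]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort
}

# stdin: summarize_ssh_auth output; stdout: source IPs with at least $1 (default 3) failed logins
brute_force_sources() {
    awk -v t="${1:-3}" '
        $1 == "Failed" { fails[$4] += $5 }
        END { for (ip in fails) if (fails[ip] >= t) print ip, fails[ip] }
    ' | sort
}

# stdin: summarize_ssh_auth output; stdout: users who still authenticate with a password
password_users() {
    awk '$1 == "Accepted" && $2 == "password" { print $3 }' | sort -u
}

# Demo on the constructed lines (real use: grep sshd /var/log/secure | summarize_ssh_auth)
summary=$(printf '%s\n' "$SAMPLE_LOG" | summarize_ssh_auth)
printf '%s\n' "$summary"
printf '%s\n' "$summary" | brute_force_sources 3
printf '%s\n' "$summary" | password_users
```

The "invalid user" form matters: sshd phrases a failed login for a non-existent account differently, and a parser that only handles "Failed password for root" misses exactly the lines a username-guessing attack produces.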
- SSH host keys
-- SSH secures the connection with public-key cryptography
-- When a client connects to an SSH server, before the user logs in, the server sends a copy of its public host key; it is used to set up the encrypted channel and lets the client authenticate the server
-- When you run ssh, the command checks whether the local list of known hosts already holds a copy of that server's public key
- No local copy yet: the client prompts with the key's fingerprint. Compare it with a fingerprint obtained out of band (for example from the server's console) before answering yes; accepting blindly lets an attacker who intercepts that first connection impersonate the server, and the forged key would then be trusted on every later connection
[user@serverb ~]$ ssh user01@192.168.2.102
The authenticity of host '192.168.2.102 (192.168.2.102)' can't be established.
ECDSA key fingerprint is SHA256:d9/LkNVQitEnUA+bPVRxlTElFGBMfkZixM3Hi9min7A.
ECDSA key fingerprint is MD5:75:af:73:11:99:86:7e:51:75:f6:f6:f9:fc:d9:9c:95.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.2.102' (ECDSA) to the list of known hosts.
user01@192.168.2.102's password:
Last login: Tue Apr 25 22:10:04 2023
- Local copy present: no prompt, just the password. If the server presents a key that differs from the stored copy, ssh instead aborts with a "REMOTE HOST IDENTIFICATION HAS CHANGED" warning; find out why (reinstalled server, or an impostor) before removing the old entry
[user@serverb ~]$ ssh user01@192.168.2.102
user01@192.168.2.102's password:
Last login: Wed Apr 26 20:22:52 2023 from serverb
[user01@serverb ~]$
- Where the local copies of server public keys are kept
-- /etc/ssh/ssh_known_hosts (system-wide)
-- ~/.ssh/known_hosts (per user)
- Where the server keeps its host keys
-- server side: /etc/ssh/ssh_host_*key.pub (the private halves are /etc/ssh/ssh_host_*key, readable by root only)
-- on the client, ssh-keygen -R ip/hostname removes the stored key for that server; the next connection is a first connection again, so verify the new fingerprint just as carefully
[root@myhost ssh]# ssh root@192.168.2.102
root@192.168.2.102's password:
Last login: Wed Apr 26 21:35:17 2023 from gateway
[root@serverb ~]# logout
Connection to 192.168.2.102 closed.
[root@myhost ssh]# cat ~/.ssh/known_hosts | grep 192.168.2.102
192.168.2.102 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLlyynAx1JDpiqXoxj5wkpALP885QtsBjDDpFtPM/vceefTxbbxEmtTqATPqGhUlBX/dg8/N97xZxvxLhRtFTPw=
[root@myhost ssh]# ssh-keygen -R 192.168.2.102
# Host 192.168.2.102 found: line 4
/root/.ssh/known_hosts updated.
Original contents retained as /root/.ssh/known_hosts.old
[root@myhost ssh]# cat ~/.ssh/known_hosts | grep 192.168.2.102
[root@myhost ssh]# ssh root@192.168.2.102
The authenticity of host '192.168.2.102 (192.168.2.102)' can't be established.
ECDSA key fingerprint is SHA256:d9/LkNVQitEnUA+bPVRxlTElFGBMfkZixM3Hi9min7A.
ECDSA key fingerprint is MD5:75:af:73:11:99:86:7e:51:75:f6:f6:f9:fc:d9:9c:95.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.2.102' (ECDSA) to the list of known hosts.
root@192.168.2.102's password:
Last login: Wed Apr 26 21:36:01 2023 from gateway
[root@serverb ~]#
Configuring SSH key-based authentication
- SSH key-based authentication
-- The SSH server can be configured to authenticate users with a key pair instead of a password. The scheme is private-key/public-key: the private key stays with the user and is the credential, the public key is copied to every server the user wants to reach
- Generating an SSH key pair
-- By default ssh-keygen writes the pair to ~/.ssh/id_rsa (private) and ~/.ssh/id_rsa.pub (public)
-- Custom pair: ssh-keygen -t rsa -b 2048 -N "my_passwd" -f ~/.ssh/my_rsa_key (type rsa, 2048 bits, file name my_rsa_key, passphrase my_passwd). Always set a passphrase: an unencrypted private key file is a ready-to-use credential for anyone who copies it. On current systems prefer ssh-keygen -t ed25519, or at least -b 4096 for RSA
- Sharing the public key
Before key-based login can work, the public key must be copied into the target user's home directory on the target system
-- ssh-copy-id -i ~/.ssh/my_rsa_key.pub username@remotehost
-- Afterwards the target user's ~/.ssh/authorized_keys holds a line identical to my_rsa_key.pub; that file is the list of public keys allowed to log in as that user, so review it as carefully as you would a list of passwords
[user@myhost ~]$ ssh-keygen -t rsa -b 2048 -N "hello" -f ~/.ssh/test_rsa_key
Generating public/private rsa key pair.
Created directory '/home/user/.ssh'.
Your identification has been saved in /home/user/.ssh/test_rsa_key.
Your public key has been saved in /home/user/.ssh/test_rsa_key.pub.
The key fingerprint is:
SHA256:qAcSiJqUzrNzRG8ADVi5YuLRebADTPHa7WMFHCGDtwI user@myhost
The key's randomart image is:
+---[RSA 2048]----+
|+**+ o. |
|E==++ . |
|+o===o |
|B==B+... |
|**+o++..S |
| .+.oo. |
| o ..+. |
| o ... |
| |
+----[SHA256]-----+
[user@myhost ~]$ ls ~/.ssh
test_rsa_key test_rsa_key.pub
[user@myhost ~]$ ssh-copy-id -i ~/.ssh/test_rsa_key.pub user@192.168.2.102
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/user/.ssh/test_rsa_key.pub"
The authenticity of host '192.168.2.102 (192.168.2.102)' can't be established.
ECDSA key fingerprint is SHA256:d9/LkNVQitEnUA+bPVRxlTElFGBMfkZixM3Hi9min7A.
ECDSA key fingerprint is MD5:75:af:73:11:99:86:7e:51:75:f6:f6:f9:fc:d9:9c:95.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
user@192.168.2.102's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'user@192.168.2.102'"
and check to make sure that only the key(s) you wanted were added.
[user@serverb ~]$ ls ~/.ssh
authorized_keys
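ssh-copy-id hides what has to be right on the target side: ~/.ssh must be mode 700, authorized_keys mode 600, and neither they nor the home directory may be group- or world-writable, otherwise sshd (with the default StrictModes yes) ignores the key and the client quietly falls back to the password prompt. The script below is an added example, not part of the original notes, that installs a key by hand with those rules enforced and audits an existing account for the same problems. The function names are mine; the public-key line in the demo is a placeholder, not real key material.

```shell
#!/bin/sh
# Added example (not from the original notes): install a public key into authorized_keys
# the way ssh-copy-id must, and audit the permissions sshd's StrictModes checks.
# $1 is the target user's home directory, $2 a file holding one public-key line.

# Octal permission bits of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Append the key in $2 to $1/.ssh/authorized_keys exactly once, with safe permissions.
install_authorized_key() {
    home=$1; pubfile=$2
    keyline=$(head -n 1 "$pubfile")
    # compare on "<type> <base64>" only: the trailing comment is not part of the key
    keyid=$(printf '%s\n' "$keyline" | awk '{ print $1, $2 }')
    [ -n "$keyid" ] || { echo "no key found in $pubfile" >&2; return 1; }
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    ak="$home/.ssh/authorized_keys"
    touch "$ak" && chmod 600 "$ak"
    if awk '{ print $1, $2 }' "$ak" | grep -qxF "$keyid"; then
        return 0    # already installed, nothing to do
    fi
    printf '%s\n' "$keyline" >> "$ak"
}

# Report permission problems that make sshd ignore authorized_keys: one line per finding,
# exit status 1 if anything was found.
audit_authorized_keys() {
    home=$1; rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        mode=$(mode_of "$p")
        g=$(( (mode / 10) % 10 )); o=$(( mode % 10 ))   # group and other digits
        if [ $(( g & 2 )) -ne 0 ] || [ $(( o & 2 )) -ne 0 ]; then
            echo "$p is mode $mode: group/world writable, sshd will ignore the key"; rc=1
        fi
    done
    return $rc
}

# Demo in a temporary home directory with a placeholder key line (not real key material).
demo=$(mktemp -d)
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialOnlyForThisDemo user@myhost\n' > "$demo/k.pub"
install_authorized_key "$demo" "$demo/k.pub"
install_authorized_key "$demo" "$demo/k.pub"     # second call is a no-op
cat "$demo/.ssh/authorized_keys"
audit_authorized_keys "$demo" && echo "permissions OK"
rm -rf "$demo"
```

When a key that "should" work still gets a password prompt, run `ssh -v` on the client (look for which identities were offered) and check the server's sshd log for "Authentication refused: bad ownership or modes"; the audit function above reproduces that check.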
- Non-interactive authentication with ssh-agent
The agent keeps the decrypted private key in memory for the login session, so the passphrase is typed once; ssh-add -l lists the loaded keys and ssh-add -t <seconds> limits how long a key stays usable. Anyone who can reach the agent socket can sign with the loaded keys, so do not forward the agent (ssh -A) to hosts you do not fully trust
[user@myhost ~]$ eval $(ssh-agent)
Agent pid 2335
[user@myhost ~]$ ssh-add ~/.ssh/test_rsa_key
Enter passphrase for /home/user/.ssh/test_rsa_key:    # type the passphrase chosen when the key was created (hello); it is not echoed
Identity added: /home/user/.ssh/test_rsa_key (/home/user/.ssh/test_rsa_key)
# use a specific private key file
[user@myhost ~]$ ssh -i ~/.ssh/test_rsa_key user@192.168.2.102
Last login: Thu Apr 27 01:26:23 2023 from gateway
[user@serverb ~]$
Customising the OpenSSH service configuration
- Configuring the OpenSSH service
The OpenSSH service is provided by a daemon named sshd. Its main configuration file is /etc/ssh/sshd_config
- Prohibiting root from logging in over SSH
It is best to prohibit direct remote login to the root account. Risks of allowing direct root login:
-- every Linux system has a root account, so a potential attacker only needs to guess its password, not a valid username as well
-- root is unrestricted: one guessed or phished password hands over the whole system, and the log does not tie the session to a person (compare the sudo lines above, which record which user became root)
]# vim /etc/ssh/sshd_config
... ...
PermitRootLogin no    # change to no (this also blocks key-based root login; prohibit-password keeps keys but refuses passwords)
... ...
]# systemctl reload sshd
# the client can no longer log in as root over ssh
[root@myhost ~]# ssh root@192.168.2.102
root@192.168.2.102's password:
Permission denied, please try again.
- Disabling password-based authentication for SSH
Before doing this, confirm that key-based login works for at least one administrative account and keep your current session open while you reload, or you can lock yourself out. Also make sure ChallengeResponseAuthentication (KbdInteractiveAuthentication in newer releases) is no, otherwise PAM can still ask for a password
]# vim /etc/ssh/sshd_config
... ...
PasswordAuthentication no    # refuse password authentication; only public-key login remains, so no password crosses the network and guessing is useless
PubkeyAuthentication yes     # enable public-key authentication (the default): a client proves possession of a private key whose public half is in the server's authorized_keys, instead of presenting a username and password
... ...
]# sshd -t    # syntax check first: a broken sshd_config would be rejected on reload
]# systemctl reload sshd
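Editing sshd_config has two traps that the two settings above do not show. sshd uses the first occurrence of a keyword, so a "PermitRootLogin no" appended below a "PermitRootLogin yes" that is already in the file changes nothing; and on releases whose sshd_config starts with "Include /etc/ssh/sshd_config.d/*.conf", a drop-in file there is read first and therefore wins over the main file. The script below is an added example, not part of the original notes: it reads a keyword the way sshd resolves it (case-insensitive, comments stripped, first global occurrence wins, Match blocks skipped) and checks the two hardening settings. The function names and the two sample configurations are mine; Include directives are not expanded, and values containing "=" are not handled.

```shell
#!/bin/sh
# Added example (not from the original notes): read the effective global value of an
# sshd_config keyword the way sshd does, and check the root-login and password settings.
# Assumes the "Key value" or "Key=value" spelling; Include files are not expanded here.

# Usage: sshd_option <keyword> < sshd_config ; prints the first global value, or "" if unset.
sshd_option() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, ""); sub(/[ \t]*=[ \t]*/, " ") }   # strip comments, accept Key=value
        NF == 0 { next }
        { key = tolower($1) }                          # keywords are case-insensitive
        key == "match" { inmatch = (tolower($2) != "all"); next }   # Match all ends a block
        inmatch { next }                               # conditional lines are not global
        key == want && !found { found = 1; print $2 }  # FIRST occurrence wins
    '
}

# Returns 0 when both root login and password authentication are off in file $1.
check_sshd_hardening() {
    conf=$1; rc=0
    root=$(sshd_option PermitRootLogin < "$conf")
    pass=$(sshd_option PasswordAuthentication < "$conf")
    [ "$root" = "no" ] || { echo "PermitRootLogin is '${root:-unset}', want no"; rc=1; }
    [ "$pass" = "no" ] || { echo "PasswordAuthentication is '${pass:-unset}', want no"; rc=1; }
    return $rc
}

# Validate the live configuration before reloading; keep an existing session open meanwhile.
apply_sshd_config() {
    sshd -t && systemctl reload sshd
}

# Two sample configurations constructed for the demo.
WEAK='# sshd_config constructed for the demo
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
PermitRootLogin no   # appended later: ignored, the first occurrence above wins'

HARD='PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Match Address 192.168.2.0/24
    PasswordAuthentication yes   # only for that subnet, not the global value'

demo=$(mktemp)
printf '%s\n' "$WEAK" > "$demo"; check_sshd_hardening "$demo" || echo "-> WEAK config fails"
printf '%s\n' "$HARD" > "$demo"; check_sshd_hardening "$demo" && echo "-> HARD config passes"
rm -f "$demo"
```

The Match block in the HARD sample is deliberate: it is the legitimate way to keep passwords for one trusted network while the global default is key-only, but it also means a grep for "PasswordAuthentication yes" alone says nothing about what most connections get. Run `sshd -T` on the server to print every effective value, Includes and defaults resolved.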