Home | 简体中文 | 繁体中文 | 杂文 | Github | 知乎专栏 | 51CTO学院 | CSDN程序员研修院 | OSChina 博客 | 腾讯云社区 | 阿里云栖社区 | Facebook | Linkedin | Youtube | 打赏(Donations) | About
32.2. /etc/ssh/
上一页 第 32 章 OpenSSH 下一页
知乎专栏多维度架构

32.2. /etc/ssh/

32.2.1. IP地址限制

只允许通过192.168.2.1,192.168.2.2 访问本机

			
# vim /etc/hosts.allow
sshd:192.168.2.1,192.168.2.2

禁止所有人访问本机

			
# vim /etc/hosts.deny
sshd:ALL

上面使白名单策略,你也可以采用黑名单策略。

32.2.2. sshd_config

			
# vi /etc/ssh/sshd_config
Authentication 配置

连接后2m没有任何键盘输入以及屏幕输出,将自动切换SSH连接。

				
LoginGraceTime 2m

禁止root用户登录(disable root SSH login)

				
PermitRootLogin no

限制SSH验证重试次数(maximum number of authentication):

				
MaxAuthTries 6
Automatic SSH / SSH without password

config /etc/ssh/sshd_config

				
$ sudo vim /etc/ssh/sshd_config

AuthorizedKeysFile  %h/.ssh/authorized_keys

$ sudo /etc/init.d/ssh reload

ssh-keygen

ssh-keygen -d

master server

				
[netkiller@master ~]$ ssh-keygen -d
Generating public/private dsa key pair.
Enter file in which to save the key (/home/netkiller/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/netkiller/.ssh/id_dsa.
Your public key has been saved in /home/netkiller/.ssh/id_dsa.pub.
The key fingerprint is:
bf:a9:21:2c:82:77:2d:71:33:12:20:10:93:5f:cb:74 netkiller@master
[netkiller@master ~]$
[netkiller@master ~]$ cp .ssh/id_dsa.pub .ssh/authorized_keys
[netkiller@master ~]$ chmod 600 .ssh/authorized_keys
[netkiller@master ~]$ ls -l .ssh/
total 12
-rw-------  1 netkiller netkiller 612 Mar 27 15:31 authorized_keys
-rw-------  1 netkiller netkiller 736 Mar 27 15:24 id_dsa
-rw-r--r--  1 netkiller netkiller 612 Mar 27 15:24 id_dsa.pub
[netkiller@master ~]$

backup server

				
[netkiller@backup ~]$ ssh-keygen -d
Generating public/private dsa key pair.
Enter file in which to save the key (/home/netkiller/.ssh/id_dsa):
Created directory '/home/netkiller/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/netkiller/.ssh/id_dsa.
Your public key has been saved in /home/netkiller/.ssh/id_dsa.pub.
The key fingerprint is:
c5:2f:0e:4e:b0:46:47:ec:19:30:be:9c:20:ad:9c:51 netkiller@backup
[netkiller@backup ~]$ cp .ssh/id_dsa.pub .ssh/authorized_keys
[netkiller@backup ~]$ chmod 600 .ssh/authorized_keys
[netkiller@backup ~]$ ls -l .ssh/
total 16
-rw-------  1 netkiller netkiller 609 Mar 27 15:31 authorized_keys
-rw-------  1 netkiller netkiller 736 Mar 27 15:27 id_dsa
-rw-r--r--  1 netkiller netkiller 609 Mar 27 15:27 id_dsa.pub

交换公钥证书

master => backup

				
[netkiller@master ~]$ scp .ssh/id_dsa.pub netkiller@backup.example.org:.ssh/master.pub
netkiller@backup.example.org's password:
id_dsa.p                                                     100%  612     0.6KB/s   00:00
[netkiller@master ~]$

[netkiller@backup ~]$ cat .ssh/master.pub >> .ssh/authorized_keys

test

				
[netkiller@master ~]$ ssh backup.example.org
Enter passphrase for key '/home/netkiller/.ssh/id_dsa':
Last login: Tue Mar 27 15:26:35 2007 from master.example.org
[netkiller@backup ~]$

master <= backup

				
[netkiller@backup ~]$ scp .ssh/id_dsa.pub netkiller@master.example.org:.ssh/backup.pub
netkiller@master.example.org's password:
id_dsa.pub                                                   100%  609     0.6KB/s   00:00
[netkiller@backup ~]$

[netkiller@master ~]$ cat .ssh/backup.pub >> .ssh/authorized_keys

test

				
[netkiller@backup ~]$ ssh master.example.org
Enter passphrase for key '/home/netkiller/.ssh/id_dsa':
Last login: Tue Mar 27 15:44:37 2007 from backup.example.org
[netkiller@master ~]$

注意:authorized_keys权限必须为600,否则可能登陆的时候还会让你输入密码,但是一旦改成600以后并且成功登陆,此问题不再出现。

script

				
ssh-keygen -d
cp .ssh/id_dsa.pub .ssh/authorized_keys
chmod 600 .ssh/authorized_keys
ls -l .ssh/
[提示]提示

禁止证书登陆 PubkeyAuthentication no; 或者 AuthorizedKeysFile /dev/null

disable password authentication

建议你使用证书登录,并禁用密码认证 PasswordAuthentication yes,这样更安全,且不会骇客穷举你的口令。

				
PasswordAuthentication no
GSSAPI options

GSSAPI (Generic Security Services Application Programming Interface) 是一套类似Kerberos 5 的通用网络安全系统接口. 该接口是对各种不同的客户端服务器安全机制的封装,以消除安全接口的不同,降低编程难度. 但该接口在目标主机无域名解析时会有如下问题

GSSAPI 基本用不到建议关闭

				
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
				
				
				
debug1:  Host  '10.1.1.17'  is known and matches the RSA host key.  
debug1:  Found key in /home/neo/.ssh/known_hosts: 1   
debug1:  ssh_rsa_verify: signature correct  
debug1:  SSH 2 _MSG_NEWKEYS sent  
debug1:  expecting SSH 2 _MSG_NEWKEYS  
debug1:  SSH 2 _MSG_NEWKEYS received  
debug1:  SSH 2 _MSG_SERVICE_REQUEST sent  
debug1:  SSH 2 _MSG_SERVICE_ACCEPT received  
debug1:  Authentications that can continue: publickey,gssapi-with-mic,password  
debug1:  Next authentication method: gssapi-with-mic  
debug1:  An invalid name was supplied  
Cannot determine realm for numeric host address  
debug1:  An invalid name was supplied  
Cannot determine realm for numeric host address  
debug1:  An invalid name was supplied  
debug1:  Next authentication method: publickey  
debug1:  Trying private key: /home/neo/.ssh/identity  
debug1:  Trying private key: /home/neo/.ssh/id_rsa  
debug1:  Trying private key: /home/neo/.ssh/id_dsa  
debug1:  Next authentication method: password  
====>
事实上,正是从gssapi-with-mic这一行开始,开始耗时间:

找到
GSSAPIAuthentication yes
改为
GSSAPIAuthentication no

关闭 GSSAPI

				
GSSAPIAuthentication no
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
忽略known_hosts文件

/etc/ssh/sshd_config

				
IgnoreUserKnownHosts yes

修改配置文件“~/.ssh/config”, 加入下面配置项

				 
StrictHostKeyChecking no                                      
UserKnownHostsFile /dev/null
UseDNS no

ssh登录服务器时总是要停顿等待一下才能连接上,这是因为OpenSSH服务器有一个DNS查找选项(UseDNS)默认是打开的. UseDNS选项打开状态下,当客户端试图登录OpenSSH服务器时,服务器端先根据客户端的IP地址进行DNS PTR反向查询,查询出客户端的host name,然后根据查询出的客户端host name进行DNS正向A记录查询,验证与其原始IP地址是否一致,这是防止客户端欺骗的一种手段. 

				
vim /etc/ssh/sshd_config 
=====>
增加 UseDNS no

打开这个参数ssh在连接sever如果无法进行dns解析的时候会出现如下卡顿现象(ssh 加 -v参数):
debug1: Found key in /home/neo/.ssh/known_hosts:71
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received

<---- delay 4-5 seconds------>


debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/neo/.ssh/identity
禁止root用户登录

只允许普通用户登陆,然后通过su命令切换到root用过。后面还会将怎样限制su命令

			
PermitRootLogin no
限制SSH验证重试次数

超过3次socket连接会断开,效果不明显,有一点点用。

			
MaxAuthTries 3
禁止证书登陆

证书登陆非常安全,但是很有可能正常用户在你不知道情况下,给你安装了一个证书,他随时都可能进入你的系统

任何一个有权限的用户都能很方便的植入一个证书到 .ssh/authorized_keys 文件中

			
PubkeyAuthentication no
AuthorizedKeysFile /dev/null
使用证书替代密码认证

是不是自相矛盾? 这个跟上面讲的正好相反,这里只允许使用key文件登陆。

			
PasswordAuthentication no

这种方式比起密码要安全的多,唯一要注意的地方就是证书被拷贝 ,建议你给证书加上 passphrase。

证书的 passphrase 是可以通过openssl工具将其剥离的,SSH证书我没有试过,但是原理都差不多。

图形窗口客户端记忆密码的问题

当你使用XShell, Xftp, WinSCP, SecureCRT, SecureFX ......等等软件登录时,该软件都提供记住密码的功能,使你下次再登陆的时候无须输入密码就可以进入系统。这样做的确非常方便,

但是你是否想过你的电脑一旦丢失或者被其他人进入,那有多么危险。我之前每天背着笔记本电脑上班,上面安装着XShell并且密码全部记忆在里面。这使我意识到一点电脑丢失,有多么可怕。

禁止SSH客户端记住密码,你不要要求别人那么做。你也无法控制,最终我找到了一种解决方案。

			
ChallengeResponseAuthentication yes

每次登陆都回提示你输入密码。密码保存也无效。

用户白名单权限控制

在 Linux 中允许指定用户使用 SSH,将指定的用户添加 /etc/ssh/sshd_config 文件中即可,多个用户用空格分割他们。

				
# echo "AllowUsers myuser" >> /etc/ssh/sshd_config

运行下列命令检查是否添加成功。

				
# cat /etc/ssh/sshd_config | grep -i allowusers
AllowUsers myuser

重启生效

				
# systemctl restart sshd

测试一下效果

				
# ssh test@192.168.1.4
test@192.168.1.4's password: 
Permission denied, please try again.


日志输出:

Mar 29 02:00:35 CentOS7 sshd[4900]: User test from 192.168.1.6 not allowed because not listed in AllowUsers
Mar 29 02:00:35 CentOS7 sshd[4900]: input_userauth_request: invalid user test [preauth]
Mar 29 02:00:40 CentOS7 unix_chkpwd[4902]: password check failed for user (test)
Mar 29 02:00:40 CentOS7 sshd[4900]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.6  user=test
Mar 29 02:00:43 CentOS7 sshd[4900]: Failed password for invalid user test from 192.168.1.6 port 42568 ssh2

使用用户 myuser 正常登陆,因为他在允许的用户列表中。

				
# ssh myuser@192.168.1.4
myuser@192.168.1.4's password: 

输出:

Mar 29 02:01:13 CentOS7 sshd[4939]: Accepted password for myuser from 192.168.1.6 port 42590 ssh2
Mar 29 02:01:13 CentOS7 sshd[4939]: pam_unix(sshd:session): session opened for user myuser by (uid=0)
用户黑名单控制

				
# echo "DenyUsers user1" >> /etc/ssh/sshd_config

运行下列命令检查是否添加成功。

# cat /etc/ssh/sshd_config | grep -i denyusers
DenyUsers user1

重启 ssh 服务生效

# systemctl restart sshd
组白名单权限

				
# echo "AllowGroups wheel" >> /etc/ssh/sshd_config

确认是否添加成功

				
# cat /etc/ssh/sshd_config | grep -i AllowGroups
AllowGroups wheel

# getent group wheel
wheel:x:1005:user1,user2,user3
组黑名单权限

				
# echo "DenyGroups wheel" >> /etc/ssh/sshd_config				
				
				
				
# cat /etc/ssh/sshd_config | grep -i denygroups
DenyGroups wheel

# getent group wheel
wheel:x:1005:user1,user2,user3
禁止SSH端口映射

禁止使用SSH映射Socks5翻墙等等

			
AllowTcpForwarding no

32.2.3. ssh_config

ForwardAgent

转发Agent开启, 当你ssh root@remote 后,再从remote登录另一台服务器的时候就不许要再次输入密码

				
ForwardAgent yes

32.2.4. ~/.ssh/config

格式

			
Host    别名
    HostName        主机名
    Port            端口
    User            用户名
    IdentityFile    密钥文件的路径

指定主机175.46.28.88的默认端口2022

			
cat ~/.ssh/config
Host 175.46.28.88
    Port 2022

~/.ssh/config 文件的权限必须是600

			
chmod 600 ~/.ssh/config
上一页 上一级 下一页
第 32 章 OpenSSH 起始页 32.3. ssh client