Contents
I. SSH protocol basics
1. The SSH (Secure Shell) protocol
2. Advantages of the SSH protocol
3. OpenSSH
II. How SSH works
1. Public key transmission
2. Key-pair transmission
3. Server-side configuration
III. TCP Wrappers
1. Allow specific hosts, deny all others
2. Allow all, deny specific hosts
IV. pssh, a lightweight automated operations tool
I. SSH protocol basics
1. The SSH (Secure Shell) protocol
- A secure channel protocol
- Encrypts the data exchanged; used for remote administration
SSH is a secure channel protocol used mainly for character-mode remote login, remote copy and similar functions. It encrypts the data transmitted between the two parties, including the user password entered at login. SSH is a security protocol built on top of the application and transport layers.
2. Advantages of the SSH protocol
- Data in transit is encrypted, which prevents information disclosure
- Data in transit is compressed, which improves transfer speed
3. OpenSSH
- Service name: sshd
- Server main program: /usr/sbin/sshd
- Server configuration file: /etc/ssh/sshd_config
- Client configuration file: /etc/ssh/ssh_config
The SSH server provides two main services: SSH remote login and SFTP.
II. How SSH works
1. Public key transmission
- The client initiates a connection request
- The server returns its public key together with a session ID
- The client generates its own key pair
- The client XORs its own public key with the session ID to obtain a value Res, and encrypts Res with the server's public key
- The client sends the encrypted value to the server; the server decrypts it with its private key to obtain Res
- The server XORs Res with the session ID to recover the client's public key
- Result: each side now holds three keys, its own public/private pair and the peer's public key, and all subsequent communication is encrypted
2. Key-pair transmission
Encryption with a single-key cryptosystem, where the same key is used both to encrypt and to decrypt a message, is called symmetric encryption. Because it is fast, symmetric encryption is normally used when the sender needs to encrypt a large amount of data.
[root@localhost .ssh]# ssh-keygen -t ecdsa
Generating public/private ecdsa key pair.
Enter file in which to save the key (/root/.ssh/id_ecdsa):
/root/.ssh/id_ecdsa already exists.
Enter passphrase (empty for no passphrase): // leave empty to set no passphrase
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_ecdsa.
Your public key has been saved in /root/.ssh/id_ecdsa.pub.
The key fingerprint is:
SHA256:o/rkzqNa1K1Z95FAKEd2jOHsV1eiYA6iYXLrkZGlAOA root@localhost.localdomain
The key's randomart image is:
+---[ECDSA 256]---+
|+.o =oo.=== . .|
|. =.B.=+*.. . o |
| E * oo o o . |
| . o o o o |
| o . S o o |
| . = + . . |
| . = . |
| . =. |
| ..o+=. |
+----[SHA256]-----+
[root@localhost .ssh]# ls
id_ecdsa id_ecdsa.pub known_hosts
[root@localhost .ssh]# pwd
/root/.ssh
[root@localhost .ssh]# ssh-copy-id -i /root/.ssh/id_ecdsa.pub root@192.168.68.105
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_ecdsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.68.105's password: // enter the root login password of the host being connected to
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@192.168.68.105'"
and check to make sure that only the key(s) you wanted were added.
[root@localhost .ssh]# ssh root@192.168.68.105
Last failed login: Sat Oct 2 17:38:30 CST 2021 from 192.168.68.30 on ssh:notty
There were 2 failed login attempts since the last successful login.
Last login: Sat Oct 2 17:35:30 2021 from 192.168.68.30 // if no passphrase was set, login succeeds without entering a password
Key-based login depends only on the key pair, not on the user's password or on the IP address,
so it keeps working even after the user's password is changed.
3. Server-side configuration
Comments are placed on their own lines: older OpenSSH releases treat trailing text after a directive's value as an error.
[root@localhost ~]# vim /etc/ssh/sshd_config
#Port 22
#ListenAddress 0.0.0.0
#LoginGraceTime 2m
# Forbid root from logging in
PermitRootLogin no
# Maximum number of authentication attempts: 6
MaxAuthTries 6
# Forbid users with empty passwords from logging in
PermitEmptyPasswords no
# Disable reverse DNS lookups to improve server response time
UseDNS no
# By default Ubuntu does not allow remote root login over SSH
#PermitRootLogin yes
# Check the ownership, permissions etc. of the .ssh/ files
#StrictModes yes
#MaxAuthTries 6
# Maximum number of sessions per connection
#MaxSessions 10
# Key-based authentication
#PubkeyAuthentication yes
# Empty-password connections
#PermitEmptyPasswords no
# Username/password authentication
PasswordAuthentication yes
# Separate multiple users with spaces
AllowUsers zhangsan lisi oyyy@192.168.68.30
# Forbid specific users from logging in; usage is similar to AllowUsers (do not use both at the same time)
DenyUsers zhangsan
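As an added check that is not part of the original post, the following Python script audits an sshd_config for the settings recommended above. It assumes sshd's own parsing rules (a '#' starts a comment, keywords are case-insensitive, and the first value of a keyword wins), and the sample file is constructed.

```python
import re

# Directives the post recommends, with the value an audit should expect.
EXPECTED = {"permitrootlogin": "no", "permitemptypasswords": "no",
            "maxauthtries": "6", "usedns": "no"}

def parse_sshd_config(text):
    """Return {keyword: value} for the global section of an sshd_config.
    '#' starts a comment, keywords are case-insensitive, and the FIRST value
    of a keyword wins (that is how sshd resolves duplicates); parsing stops at
    the first Match block because everything after it is conditional."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings

def audit_sshd_config(text):
    """Return a list of findings; an empty list means the file is compliant."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, want in EXPECTED.items():
        got = cfg.get(key)
        if got is None:
            findings.append(f"{key}: not set explicitly, sshd default applies")
        elif got.lower() != want:
            findings.append(f"{key}: is {got}, expected {want}")
    if "allowusers" in cfg and "denyusers" in cfg:
        findings.append("AllowUsers and DenyUsers are both set; use only one")
    return findings

# Constructed sample modelled on the snippet above: the commented-out
# 'PermitRootLogin yes' is ignored and the second MaxAuthTries never applies.
SAMPLE = """\
PermitRootLogin no
MaxAuthTries 6
MaxAuthTries 3
PermitEmptyPasswords no
UseDNS no
#PermitRootLogin yes
AllowUsers zhangsan lisi oyyy@192.168.68.30
DenyUsers zhangsan
"""
```

Running audit_sshd_config over the sample reports only the AllowUsers/DenyUsers conflict that the post warns about.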
III. TCP Wrappers
- TCP Wrappers acts like a protective shield in front of TCP service programs: it listens on the service's port on its behalf and adds a security check, so that incoming connection requests must pass this check and be granted permission before they reach the real service program.
- On most Linux distributions TCP Wrappers is provided by default.
- Check that it is installed with "rpm -q tcp_wrappers".
1. Allow specific hosts, deny all others
vim /etc/hosts.allow
sshd:192.178.68.105
vim /etc/hosts.deny
sshd:ALL
2. Allow all, deny specific hosts
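Added example, not from the original post: a small Python model of how tcpd evaluates hosts.allow and hosts.deny, covering both patterns (allow a few and deny all, as in the post's files, and allow all and deny a few, whose rules are constructed here). It handles ALL, exact addresses, trailing-dot prefixes and netmask/CIDR forms only; operators such as EXCEPT and hostname patterns are not modelled.

```python
import ipaddress

def _client_matches(pattern, client_ip):
    """Match one client pattern for the common tcpd forms (no EXCEPT, no hostnames)."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):            # "192.168.68." matches the whole /24
        return client_ip.startswith(pattern)
    if "/" in pattern:                   # "192.168.68.0/255.255.255.0" or CIDR
        network = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(client_ip) in network
    return pattern == client_ip

def _file_matches(rules, daemon, client_ip):
    """True if any 'daemon_list : client_list' rule in the file matches."""
    for raw in rules.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, clients = (f.strip() for f in line.split(":", 2)[:2])
        daemon_ok = any(d in ("ALL", daemon) for d in daemons.replace(",", " ").split())
        client_ok = any(_client_matches(c, client_ip)
                        for c in clients.replace(",", " ").split())
        if daemon_ok and client_ok:
            return True
    return False

def access_allowed(hosts_allow, hosts_deny, daemon, client_ip):
    """tcpd order: a match in hosts.allow grants access, then a match in
    hosts.deny refuses it, and a client listed in neither file is allowed."""
    if _file_matches(hosts_allow, daemon, client_ip):
        return True
    if _file_matches(hosts_deny, daemon, client_ip):
        return False
    return True

# Pattern 1, as in the post: allow one host, refuse everyone else.
ALLOW_FEW = "sshd:192.178.68.105\n"
DENY_ALL = "sshd:ALL\n"

# Pattern 2 (constructed): allow everyone except the listed clients.
ALLOW_ALL = ""
DENY_FEW = "sshd:192.168.68.30, 10.0.0.\n"
```

Note that a deny rule written for sshd does not affect other wrapped daemons, so a blanket deny must name ALL in the daemon field as well if every service is to be covered.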
IV. pssh, a lightweight automated operations tool
[root@localhost ~]# cd /etc/yum.repos.d/
[root@localhost yum.repos.d]# ls
CentOS-Base.repo CentOS-Debuginfo.repo CentOS-Media.repo CentOS-Vault.repo
CentOS-CR.repo CentOS-fasttrack.repo CentOS-Sources.repo
[root@localhost yum.repos.d]# vim CentOS-Base.repo
Append the following at the end of the file (continuation URLs are indented so that yum reads them as additional baseurl mirrors):
[epel]
name=epel
baseurl=https://mirrors.aliyun.com/epel/$releasever/x86_64
        https://mirrors.cloud.tencent.com/epel/$releasever/x86_64
        https://mirrors.huaweicloud.com/epel/$releasever/x86_64
        https://mirrors.tuna.tsinghua.edu.cn/epel/$releasever/x86_64
gpgcheck=0
[root@localhost yum.repos.d]# yum clean all
已加载插件:fastestmirror, langpacks
正在清理软件源: base epel extras updates
Cleaning up everything
Maybe you want: rm -rf /var/cache/yum, to also free up space taken by orphaned data from disabled or removed repos
Cleaning up list of fastest mirrors
[root@localhost yum.repos.d]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:DpxRL6etEosAFicgW3OM8AMuBVUfkqFIwUdh7iOMBZ4 root@localhost.localdomain
The key's randomart image is:
+---[RSA 2048]----+
|XOBO*o. . |
|=XO=oo o . |
|=E*. o . o |
|=o.. . o = |
|.o.o = S . |
| .... = . |
| . o o |
| . |
| |
+----[SHA256]-----+
[root@localhost .ssh]# ssh-copy-id 192.168.68.105
[root@localhost .ssh]# ssh-copy-id 192.168.68.40
[root@localhost .ssh]# pssh -H "192.168.68.105 192.168.68.40" touch /mnt/abc
[1] 20:53:32 [SUCCESS] 192.168.68.105
[2] 20:53:32 [SUCCESS] 192.168.68.40