The ssh service in Linux

I. Controlling services
1. What controls a service
The system's init process (PID 1) starts, stops and supervises services.
2. What the init process is on this system
systemd ##the init process on RHEL/CentOS 7 and most current distributions
pstree ##show the process tree; systemd sits at its root
3. Service control commands
ssh (client) ---------- sshd (server)
systemctl ##the systemd service control command
systemctl status sshd ##show the service state: inactive means it is not running, active means it is

[[email protected] Desktop]# systemctl status sshd
sshd.service - OpenSSH server daemon
  Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)
  Active: active (running) since Sun 2019-03-31 10:48:07 EDT; 2min 43s ago
 Process: 2402 ExecStartPre=/usr/sbin/sshd-****** (code=exited, status=0/SUCCESS)
Main PID: 2403 (sshd)
  CGroup: /system.slice/sshd.service
          └─2403 /usr/sbin/sshd -D

Mar 31 10:48:07 localhost systemd[1]: Starting OpenSSH server daemon...
Mar 31 10:48:07 localhost systemd[1]: Started OpenSSH server daemon.
Mar 31 10:48:07 localhost sshd[2403]: Server listening on 0.0.0.0 port 22.
Mar 31 10:48:07 localhost sshd[2403]: Server listening on :: port 22.

systemctl start sshd ##start the service
systemctl stop sshd ##stop the service

[[email protected] Desktop]# systemctl stop sshd  ##stop the sshd service (the listener on port 22 goes away)
[[email protected] Desktop]# systemctl status sshd  ##check the state
sshd.service - OpenSSH server daemon
  Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)
  Active: inactive (dead) since Sun 2019-03-31 10:51:30 EDT; 1min 17s ago
 Process: 2403 ExecStart=/usr/sbin/sshd -D $OPTIONS (code=exited, status=0/SUCCESS)
 Process: 2402 ExecStartPre=/usr/sbin/sshd-****** (code=exited, status=0/SUCCESS)
Main PID: 2403 (code=exited, status=0/SUCCESS)
  CGroup: /system.slice/sshd.service

Mar 31 10:48:07 localhost systemd[1]: Starting OpenSSH server daemon...
Mar 31 10:48:07 localhost systemd[1]: Started OpenSSH server daemon.
Mar 31 10:48:07 localhost sshd[2403]: Server listening on 0.0.0.0 port 22.
Mar 31 10:48:07 localhost sshd[2403]: Server listening on :: port 22.
Mar 31 10:51:30 localhost systemd[1]: Stopping OpenSSH server daemon...
Mar 31 10:51:30 localhost systemd[1]: Stopped OpenSSH server daemon.
Mar 31 10:52:32 localhost systemd[1]: Stopped OpenSSH server daemon.
[[email protected] Desktop]# systemctl start sshd  ##start the service
[[email protected] Desktop]# systemctl status sshd ##check the state
sshd.service - OpenSSH server daemon
  Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)
  Active: active (running) since Sun 2019-03-31 10:54:14 EDT; 4s ago
 Process: 2653 ExecStartPre=/usr/sbin/sshd-****** (code=exited, status=0/SUCCESS)
Main PID: 2654 (sshd)
  CGroup: /system.slice/sshd.service
          └─2654 /usr/sbin/sshd -D

Mar 31 10:54:14 localhost systemd[1]: Starting OpenSSH server daemon...
Mar 31 10:54:14 localhost systemd[1]: Started OpenSSH server daemon.
Mar 31 10:54:14 localhost sshd[2654]: Server listening on 0.0.0.0 port 22.
Mar 31 10:54:14 localhost sshd[2654]: Server listening on :: port 22.

systemctl restart sshd ##restart the service
systemctl reload sshd ##re-read the configuration without restarting (the unit sends SIGHUP to the main sshd process)
systemctl enable sshd ##start the service at boot
systemctl disable sshd ##do not start the service at boot
systemctl list-units ##list the units currently loaded and their state
systemctl list-unit-files ##list every unit file with its boot setting: enabled, disabled or static
systemctl list-dependencies ##list a unit's dependencies
systemctl set-default multi-user.target ##set the default boot target to multi-user (text) mode
systemctl set-default graphical.target ##set the default boot target to graphical mode
II. ssh
1. What ssh is
ssh = secure shell
A service that gives you a shell on another host over the network, with the traffic encrypted.
Client program: ssh
Server daemon: sshd
Connecting:
ssh user@host ##text-mode connection (user and host are placeholders for the account and address)
ssh -X user@host ##also forwards X11, so graphical programs can be opened after the connection is made
Note:
On the first connection to an unknown host the client has no record of that host's key,
so it asks whether to trust it and you must type yes.
On later connections to the same host no question is asked, because the host key was saved in ~/.ssh/known_hosts.
Before answering yes, compare the fingerprint shown with one obtained out of band from the server's administrator; otherwise you are trusting whoever answered on that address, and a man-in-the-middle recorded at this point is trusted silently from then on.
Example: connecting the physical host to the virtual machine
(1) Check the physical host's IP

[[email protected] Desktop]# ip addr show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:00:04:0a brd ff:ff:ff:ff:ff:ff
    inet 172.25.254.14/24 brd 172.25.254.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe00:40a/64 scope link 
       valid_lft forever preferred_lft forever

(2) Set the virtual machine's IP
nm-connection-editor ##open the NetworkManager connection editor in the virtual machine
In the editor, delete the previously created connection
Set up Ethernet
Set IPv4 Settings
Note: enter 24 for Netmask and leave Gateway empty, but you must click into the field with the mouse before the dialog lets you save
(3) Ping the virtual machine from the physical host to check that the network is up

[[email protected] ~]$ ping 172.25.254.6
PING 172.25.254.6 (172.25.254.6) 56(84) bytes of data.
64 bytes from 172.25.254.6: icmp_seq=1 ttl=64 time=0.212 ms  ##reply received: the virtual machine is reachable
64 bytes from 172.25.254.6: icmp_seq=2 ttl=64 time=0.150 ms
64 bytes from 172.25.254.6: icmp_seq=3 ttl=64 time=0.151 ms
^C
--- 172.25.254.6 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.150/0.171/0.212/0.029 ms 

(4) Connect from the physical host to the virtual machine

[[email protected] Desktop]# ssh root@172.25.254.6
The authenticity of host '172.25.254.6 (172.25.254.6)' can't be established.
ECDSA key fingerprint is 65:4d:ac:8a:c9:58:82:b5:0c:91:c4:ef:a5:e6:f6:65.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.25.254.6' (ECDSA) to the list of known hosts.
root@172.25.254.6's password: 
Last login: Sun Mar 31 10:39:09 2019
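
The "ECDSA key fingerprint is 65:4d:ac:..." line above is the only chance to catch a host that is not the one you think it is, and it is only useful if you have something to compare it with. The following is an added example written for this page, not code from the original notes. It assumes a Linux box with GNU coreutils (base64, md5sum) and awk; the key material in it is constructed ("YWJj" is just base64("abc"), so the expected fingerprint is md5("abc")). It computes the same legacy colon-separated MD5 fingerprint that the client above prints, from either a public-key line or a known_hosts entry, so the value can be compared with what the server's administrator reports.

```sh
#!/bin/sh
# Added example (editor's code, not from the original notes). Assumes a Linux box
# with GNU coreutils (base64, md5sum) and awk. The key material below is
# constructed: "YWJj" is base64("abc"), so the expected fingerprint is md5("abc").

# md5_colon_fingerprint: raw key bytes on stdin -> "aa:bb:...:pp" (16 hex pairs),
# the format the RHEL 7 ssh client prints at the first-connection prompt.
md5_colon_fingerprint() {
    md5sum | awk '{print $1}' | sed 's/../&:/g; s/:$//'
}

# pubkey_fingerprint "<type> <base64 blob> [comment]"
# Only the decoded blob is hashed; the comment never enters a fingerprint.
pubkey_fingerprint() {
    printf '%s\n' "$1" | awk '{print $2}' | base64 -d | md5_colon_fingerprint
}

# known_hosts_fingerprint <host> <known_hosts file> -> "<type> <fingerprint>"
# Handles plain entries (field 1 is a comma-separated host list). Hashed entries
# (|1|salt|hash) and @cert-authority/@revoked markers are skipped; returns 1 if
# the host has no plain entry.
known_hosts_fingerprint() {
    entry=$(awk -v h="$1" '
        /^[[:space:]]*#/ || NF < 3 || $1 ~ /^[|@]/ { next }
        { n = split($1, hosts, ",")
          for (i = 1; i <= n; i++) if (hosts[i] == h) { print $2, $3; exit } }
    ' "$2")
    [ -n "$entry" ] || return 1
    printf '%s %s\n' "${entry%% *}" "$(pubkey_fingerprint "$entry")"
}

# --- constructed sample data (not real keys) ---
SAMPLE_PUBKEY='ssh-rsa YWJj constructed-test-key'
SAMPLE_KNOWN_HOSTS=$(mktemp)
trap 'rm -f "$SAMPLE_KNOWN_HOSTS"' EXIT
cat > "$SAMPLE_KNOWN_HOSTS" <<'EOF'
# constructed known_hosts: two addresses recorded with one toy key, like the cloned VMs on this page
172.25.254.6,172.25.254.4 ssh-rsa YWJj
192.0.2.10 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY=
EOF

echo "key file:      $(pubkey_fingerprint "$SAMPLE_PUBKEY")"
echo "172.25.254.6:  $(known_hosts_fingerprint 172.25.254.6 "$SAMPLE_KNOWN_HOSTS")"
known_hosts_fingerprint 192.0.2.1 "$SAMPLE_KNOWN_HOSTS" || echo "192.0.2.1:     no entry, the next connection will prompt"
```

On the server, `ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key.pub` prints the fingerprint of the key the server actually offers (on OpenSSH 6.8 and later add `-E md5`, because the default display changed to SHA256), and that is the value to read out over the phone or paste into a ticket. `ssh-keygen -F host` and `ssh-keygen -R host` look up and remove a known_hosts entry when a host has legitimately changed its key.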

2. Remote copy
(1) Uploading a file from the physical host
Format: scp file|dir user@host:file|dir
Upload the file '命令勿删' from the physical host to the virtual machine (run on the physical host)

[[email protected] ~]$ scp /home/kiosk/Desktop/命令勿删 root@172.25.254.6:/root/Desktop
The authenticity of host '172.25.254.6 (172.25.254.6)' can't be established.
ECDSA key fingerprint is 65:4d:ac:8a:c9:58:82:b5:0c:91:c4:ef:a5:e6:f6:65.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.25.254.6' (ECDSA) to the list of known hosts.
root@172.25.254.6's password: 
命令勿删                                  100%  265     0.3KB/s   00:00  

(2) Copying a file from the virtual machine
Format: scp user@host:file dir
Copy the file test from the virtual machine's desktop to the physical host's desktop

[[email protected] ~]$ scp root@172.25.254.6:/root/Desktop/test /home/kiosk/Desktop
root@172.25.254.6's password: 
test                                          100%    0     0.0KB/s   00:00    

III. Key authentication for sshd
1. Generate the key pair (ssh-keygen; Enter accepts the default path; set a passphrase unless the key is for an unattended job, since an unencrypted id_rsa is usable by anyone who copies it)

[[email protected] .ssh]# ssh-******
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
4e:10:0b:ea:dd:74:36:0f:ec:77:51:f1:17:c0:58:16 [email protected]
The key's randomart image is:
+--[ RSA 2048]----+
|    . .     +E=o |
|   . . +   ..o ..|
|  .   + *   .   o|
| . . o = +   .  .|
|  . . . S o .    |
|       o . .     |
|        .        |
|                 |
|                 |
+-----------------+

2. Install the public key on the server (hand the server the "lock", id_rsa.pub; the private key id_rsa is the "key" and is never sent to the server)

[[email protected] .ssh]# cd /root/.ssh
[[email protected] .ssh]# ls
authorized_keys  id_rsa  id_rsa.pub
[[email protected] .ssh]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.25.254.6  ##append the public key to /root/.ssh/authorized_keys on the server
The authenticity of host '172.25.254.6 (172.25.254.6)' can't be established.
ECDSA key fingerprint is 65:4d:ac:8a:c9:58:82:b5:0c:91:c4:ef:a5:e6:f6:65.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@172.25.254.6'"
and check to make sure that only the key(s) you wanted were added.
[[email protected] .ssh]# ls
authorized_keys  id_rsa  id_rsa.pub  known_hosts  ##known_hosts appeared because ssh-copy-id made the first connection to 172.25.254.6; on the server the public key is now listed in /root/.ssh/authorized_keys

3. Give the private key to the client (the "key")

[[email protected] .ssh]# scp /root/.ssh/id_rsa root@172.25.254.4:root/.ssh
The authenticity of host '172.25.254.4 (172.25.254.4)' can't be established.
ECDSA key fingerprint is 65:4d:ac:8a:c9:58:82:b5:0c:91:c4:ef:a5:e6:f6:65.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.25.254.4' (ECDSA) to the list of known hosts.
root@172.25.254.4's password: 
scp: root/.ssh: No such file or directory  ##a target path without a leading / is relative to the login user's home directory, so this looked for /root/root/.ssh
[[email protected] .ssh]# scp /root/.ssh/id_rsa root@172.25.254.4:/root/.ssh  ##absolute path this time: the private key lands in the client's /root/.ssh
root@172.25.254.4's password: 
id_rsa                                        100% 1679     1.6KB/s   00:00   ##private key uploaded

Note: this lab generates the key pair in one place and ships id_rsa to the client over scp. In practice do it the other way round: generate the pair on the client, keep id_rsa there (mode 600, ideally with a passphrase) and send only id_rsa.pub to the server with ssh-copy-id. A private key that has travelled over the network, or exists on more than one machine, no longer proves which machine is connecting, and revoking it means touching every copy.
Also notice that 172.25.254.4 shows exactly the same ECDSA fingerprint as 172.25.254.6 did: the virtual machines were cloned from one image and share their host keys, so a known_hosts entry cannot tell them apart, and a key stolen from one clone impersonates all of them. Regenerate host keys on cloned machines by removing /etc/ssh/ssh_host_* and restarting sshd; on RHEL 7 the unit's ExecStartPre step shown in section I recreates the missing keys.

4. Testing the setup
(1) Remove the private key from the client (or the matching line from the server's authorized_keys): the client can no longer prove it holds the key, so sshd falls back to asking for a password
(2) Put the key file back: the login succeeds without a password
IV. Security settings for ssh
On the server:
vim /etc/ssh/sshd_config ##edit the server configuration
line 78: PasswordAuthentication yes|no ##whether users may authenticate to sshd with their system login password; with no, only keys and the other listed methods remain
With password authentication allowed (on the client):

[[email protected] Desktop]# ssh root@172.25.254.6
The authenticity of host '172.25.254.6 (172.25.254.6)' can't be established.
ECDSA key fingerprint is 65:4d:ac:8a:c9:58:82:b5:0c:91:c4:ef:a5:e6:f6:65.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.25.254.6' (ECDSA) to the list of known hosts.
root@172.25.254.6's password: 
Last login: Tue Apr  2 17:14:24 2019

With password authentication disabled (on the client):

[[email protected] ~]# ssh root@172.25.254.6
The authenticity of host '172.25.254.6 (172.25.254.6)' can't be established.
ECDSA key fingerprint is 65:4d:ac:8a:c9:58:82:b5:0c:91:c4:ef:a5:e6:f6:65.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.25.254.6' (ECDSA) to the list of known hosts.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).  ##setting in effect: no password prompt is offered, only the listed methods remain

line 48: PermitRootLogin yes|no ##whether root may authenticate through sshd at all
With root login disallowed (on the client):

[[email protected] ~]# ssh root@172.25.254.6
root@172.25.254.6's password: 
Permission denied, please try again.  ##sshd keeps prompting and rejects every password, so the client cannot tell a disallowed account from a wrong password
root@172.25.254.6's password: 
Permission denied, please try again.
root@172.25.254.6's password: 

line 52: AllowUsers student westos ##user whitelist: only the listed users may log in, and root is included only if listed explicitly
line 53: DenyUsers westos ##user blacklist: the listed users may not log in
Note: sshd evaluates DenyUsers before AllowUsers, so a user present in both lists (westos above) is denied. Each keyword takes the first value found in the file, so a setting appended at the end of sshd_config has no effect if the same keyword already appears higher up.
Note: after every change the server must be restarted (or reloaded) so that it re-reads the file
systemctl restart sshd.service
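
The two questions that matter after editing sshd_config are "which value does sshd actually use?" and "who can still log in?". The following is an added example written for this page, not code from the original notes. It assumes awk; the two sshd_config files are constructed in temporary files, a "before" with the settings shown above and a hardened "after", and the parser models only the plain `Keyword value` spelling, stopping at the first Match block because settings inside it are conditional.

```sh
#!/bin/sh
# Added example (editor's code, not from the original notes). Assumes awk; the two
# sshd_config files below are constructed. It applies two rules that trip people
# up: the FIRST occurrence of a keyword wins (so appending to the file changes
# nothing), and DenyUsers is checked before AllowUsers. Keyword=value spelling
# and Match-conditional values are not modelled.

# sshd_config_get <Keyword> <file>: print the effective global value, exit 1 if unset.
# Stops at the first Match block, whose settings apply only to matching clients.
sshd_config_get() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; found = 1; exit }
        END { exit found ? 0 : 1 }
    ' "$2"
}

# user_allowed <user> <file>: the DenyUsers-then-AllowUsers order sshd applies,
# for plain user names (patterns, user@host forms and group lists are left out).
user_allowed() {
    u=$1; f=$2
    deny=$(sshd_config_get DenyUsers "$f") || deny=""
    allow=$(sshd_config_get AllowUsers "$f") || allow=""
    for d in $deny; do
        if [ "$d" = "$u" ]; then return 1; fi
    done
    if [ -n "$allow" ]; then
        for a in $allow; do
            if [ "$a" = "$u" ]; then return 0; fi
        done
        return 1                     # an AllowUsers list denies everyone not on it, root included
    fi
    return 0
}

# audit_sshd_config <file>: one line per weak setting, exit 0 only when clean.
audit_sshd_config() {
    f=$1; n=0
    v=$(sshd_config_get PasswordAuthentication "$f") || v="unset (defaults to yes)"
    case $v in
        no) ;;
        *) echo "PasswordAuthentication $v: passwords can be guessed, use keys and set no"; n=$((n+1));;
    esac
    v=$(sshd_config_get PermitRootLogin "$f") || v="unset (default depends on the OpenSSH version)"
    case $v in
        no|prohibit-password|without-password) ;;
        *) echo "PermitRootLogin $v: log in as a named user and use su/sudo instead"; n=$((n+1));;
    esac
    if ! sshd_config_get AllowUsers "$f" >/dev/null && ! sshd_config_get AllowGroups "$f" >/dev/null; then
        echo "no AllowUsers/AllowGroups: every account that can authenticate is an ssh login"; n=$((n+1))
    fi
    [ "$n" -eq 0 ]
}

# --- constructed configuration files ---
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
# constructed: the starting point shown above
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# appended later with >> by an admin who expected it to take effect; it does not
PasswordAuthentication no
EOF
cat > "$HARD_CFG" <<'EOF'
# constructed: the hardened counterpart
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers student westos
DenyUsers westos
Match Address 172.25.254.0/24
    PasswordAuthentication yes
EOF

for cfg in "$WEAK_CFG" "$HARD_CFG"; do
    echo "== $cfg"
    echo "PasswordAuthentication -> $(sshd_config_get PasswordAuthentication "$cfg" || echo unset)"
    for u in root student westos; do
        if user_allowed "$u" "$cfg"; then echo "$u: passes the user lists"; else echo "$u: denied by the user lists"; fi
    done
    audit_sshd_config "$cfg" || echo "(fix the findings, run sshd -t, then systemctl reload sshd)"
done
```

Before the restart in the note above, run `sshd -t`: it parses the file and reports syntax errors without starting anything, which is cheaper than discovering a typo when sshd refuses to come back up on a remote machine. Keep an existing session open while you restart, and test a fresh login from a second terminal before closing it.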
V. User logins and auditing

[[email protected] Desktop]# vim /etc/motd     ##message of the day: its text is shown to every user after login, the usual place for a usage warning
[[email protected] Desktop]# w     ##show who is logged in right now and what each session is running
 21:57:29 up 53 min,  9 users,  load average: 0.03, 0.04, 0.06
USER     TTY        LOGIN@   IDLE   JCPU   PCPU WHAT
root     :0        21:19   ?xdm?   2:11   0.14s gdm-session-worker [pam/gdm-pas
root     pts/0     21:24    8:49   0.06s  0.06s /bin/bash
root     pts/1     21:27   10:01   0.08s  0.04s ssh [email protected]
root     pts/2     21:29   10:01   0.07s  0.03s ssh [email protected]
root     pts/3     21:36   10:01   0.05s  0.02s ssh [email protected]
root     pts/4     21:38   10:01   0.05s  0.01s ssh [email protected]
student  pts/5     21:45   10:01   0.04s  0.00s ssh [email protected]
root     pts/6     21:47    9:57   0.03s  0.03s -bash
root     pts/7     21:55    1.00s  0.05s  0.02s w
[[email protected] Desktop]# w -f   ##toggle the FROM column, which shows where each session came from
 21:57:57 up 53 min,  9 users,  load average: 0.02, 0.04, 0.06
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     :0       :0               21:19   ?xdm?   2:12   0.14s gdm-session-wor
root     pts/0    :0               21:24    9:17   0.06s  0.06s /bin/bash
root     pts/1    172.25.254.127   21:27   10:29   0.08s  0.04s ssh [email protected]
root     pts/2    172.25.254.67    21:29   10:29   0.07s  0.03s ssh [email protected]
root     pts/3    172.25.254.67    21:36   10:29   0.05s  0.02s ssh [email protected]
root     pts/4    172.25.254.67    21:38   10:29   0.05s  0.01s ssh [email protected]
student  pts/5    172.25.254.67    21:45   10:29   0.04s  0.00s ssh [email protected]
root     pts/6    172.25.254.67    21:47   10:25   0.03s  0.03s -bash
root     pts/7    :0               21:55    5.00s  0.03s  0.00s w -f
[[email protected] Desktop]# w -i  ##show the source as an IP address instead of a hostname
 21:58:14 up 54 min,  9 users,  load average: 0.01, 0.03, 0.06
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     :0       :0               21:19   ?xdm?   2:14   0.14s gdm-session-wor
root     pts/0    :0               21:24    9:34   0.06s  0.06s /bin/bash
root     pts/1    172.25.254.127   21:27   10:46   0.08s  0.04s ssh [email protected]
root     pts/2    172.25.254.67    21:29   10:46   0.07s  0.03s ssh [email protected]
root     pts/3    172.25.254.67    21:36   10:46   0.05s  0.02s ssh [email protected]
root     pts/4    172.25.254.67    21:38   10:46   0.05s  0.01s ssh [email protected]
student  pts/5    172.25.254.67    21:45   10:46   0.04s  0.00s ssh [email protected]
root     pts/6    172.25.254.67    21:47   10:42   0.03s  0.03s -bash
root     pts/7    :0               21:55    6.00s  0.03s  0.00s w -i
[[email protected] Desktop]# last  ##login history, including users who have already logged out (read from /var/log/wtmp)
root     pts/7        :0               Mon Apr  1 21:55   still logged in   
root     pts/6        172.25.254.67    Mon Apr  1 21:47   still logged in   
student  pts/5        172.25.254.67    Mon Apr  1 21:45   still logged in   
root     pts/4        172.25.254.67    Mon Apr  1 21:38   still logged in   
root     pts/3        172.25.254.67    Mon Apr  1 21:36   still logged in   
root     pts/2        172.25.254.67    Mon Apr  1 21:29   still logged in   
root     pts/1        172.25.254.127   Mon Apr  1 21:27   still logged in   
root     pts/0        :0               Mon Apr  1 21:24   still logged in   
root     pts/1        172.25.254.127   Mon Apr  1 21:21 - 21:26  (00:05)    
root     pts/0        :0               Mon Apr  1 21:19 - 21:24  (00:05)    
root     :0           :0               Mon Apr  1 21:19   still logged in   
(unknown :0           :0               Mon Apr  1 21:04 - 21:19  (00:14)    
reboot   system boot  3.10.0-123.el7.x Mon Apr  1 21:04 - 21:59  (00:55)    
root     pts/0        :0               Fri Sep 14 03:03 - 03:09  (00:05)    
root     :0           :0               Fri Sep 14 03:03 - 03:09  (00:05)    
(unknown :0           :0               Fri Sep 14 03:03 - 03:03  (00:00)    
reboot   system boot  3.10.0-123.el7.x Fri Sep 14 03:02 - 03:09  (00:06)    
reboot   system boot  3.10.0-123.el7.x Thu Jul 10 18:18 - 19:06  (00:48)    

wtmp begins Thu Jul 10 18:18:02 2014
[[email protected] Desktop]# lastb   ##failed login attempts (read from /var/log/btmp)
student  ssh:notty    172.25.254.67    Mon Apr  1 21:47 - 21:47  (00:00)    
student  ssh:notty    172.25.254.67    Mon Apr  1 21:45 - 21:45  (00:00)    
student  ssh:notty    172.25.254.67    Mon Apr  1 21:45 - 21:45  (00:00)    
student  ssh:notty    172.25.254.67    Mon Apr  1 21:44 - 21:44  (00:00)    
root     ssh:notty    172.25.254.67    Mon Apr  1 21:44 - 21:44  (00:00)    
root     ssh:notty    172.25.254.67    Mon Apr  1 21:37 - 21:37  (00:00)    
root     ssh:notty    172.25.254.67    Mon Apr  1 21:32 - 21:32  (00:00)    
root     ssh:notty    172.25.254.100   Fri Sep 14 03:09 - 03:09  (00:00)    

btmp begins Fri Sep 14 03:09:23 2018

Note: everything lastb shows is read from /var/log/btmp. If that file is deleted or emptied, the record of failed attempts disappears with it, so an intruder who gains root can erase the evidence. sshd also writes each failed attempt to the system log (/var/log/secure on RHEL 7), and forwarding that log to another host keeps a copy the intruder cannot reach.
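
The lastb listing above already contains a pattern worth acting on: one source address, 172.25.254.67, tried several accounts in a few minutes. The following is an added example written for this page, not code from the original notes. It assumes awk and sort from coreutils; the lastb lines are constructed to match the layout shown above (an extra `admin` attempt is included so that the spraying count is visible). It turns the raw listing into failures per source and distinct user names tried per source, with a threshold for flagging sources.

```sh
#!/bin/sh
# Added example (editor's code, not from the original notes). Assumes awk and
# sort; the lastb output below is constructed in the layout shown on this page.

# failed_by_source: lastb output on stdin -> "<failures> <distinct users> <source>"
# per source, most failures first. Only ssh:notty lines (remote ssh failures)
# count; the trailing "btmp begins" line and blank lines are skipped.
failed_by_source() {
    awk '$2 == "ssh:notty" {
            n[$3]++
            if (!(($3, $1) in seen)) { seen[$3, $1] = 1; users[$3]++ }
        }
        END { for (s in n) printf "%d %d %s\n", n[s], users[s], s }' |
    sort -k1,1nr -k3,3
}

# suspicious_sources <threshold>: sources with at least <threshold> failures.
# Many failures against one user is brute force; a few failures across many
# users (high second column) is password spraying, which per-user lockouts miss.
suspicious_sources() {
    failed_by_source | awk -v t="$1" '$1 >= t { print $3 }'
}

# --- constructed lastb output (user, ssh:notty, source, date) ---
LASTB_SAMPLE='student  ssh:notty    172.25.254.67    Mon Apr  1 21:47 - 21:47  (00:00)
student  ssh:notty    172.25.254.67    Mon Apr  1 21:45 - 21:45  (00:00)
student  ssh:notty    172.25.254.67    Mon Apr  1 21:45 - 21:45  (00:00)
student  ssh:notty    172.25.254.67    Mon Apr  1 21:44 - 21:44  (00:00)
root     ssh:notty    172.25.254.67    Mon Apr  1 21:44 - 21:44  (00:00)
root     ssh:notty    172.25.254.67    Mon Apr  1 21:37 - 21:37  (00:00)
root     ssh:notty    172.25.254.67    Mon Apr  1 21:32 - 21:32  (00:00)
admin    ssh:notty    172.25.254.67    Mon Apr  1 21:30 - 21:30  (00:00)
root     ssh:notty    172.25.254.100   Fri Sep 14 03:09 - 03:09  (00:00)

btmp begins Fri Sep 14 03:09:23 2018'

echo "failures users source"
printf '%s\n' "$LASTB_SAMPLE" | failed_by_source
echo "sources with at least 3 failures:"
printf '%s\n' "$LASTB_SAMPLE" | suspicious_sources 3
```

On a live system feed it with `lastb | failed_by_source`. Because btmp is a local file that root can truncate, the same counting should also be run over the "Failed password" lines sshd writes to /var/log/secure, ideally on the host those logs are forwarded to.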