SSH服务怎么配置 案例
配置SSH服务
ssh默认配置文件
1.#Port 22 监听端口,默认监听22端口 【默认可修改】
2.#AddressFamily any IPV4和IPV6协议家族用哪个,any表示二者均有
3.#ListenAddress 0.0.0.0 指明监控的地址,0.0.0.0表示本机的所有地址 【默认可修改】
4.#ListenAddress :: 指明监听的IPV6的所有地址格式
5.# The default requires explicit activation of protocol 1
6.#Protocol 2 使用SSH第二版本,centos7默认第一版本已拒绝
7.# HostKey for protocol version 1 一版的SSH支持以下一种秘钥形式
8.#HostKey /etc/ssh/ssh_host_key
9.# HostKeys for protocol version 2 使用第二版本发送秘钥,支持以下四种秘钥认证的存放位置:(centos6只支持rsa和dsa两种)
10.HostKey /etc/ssh/ssh_host_rsa_key rsa私钥认证 【默认】
11.#HostKey /etc/ssh/ssh_host_dsa_key dsa私钥认证
12.HostKey /etc/ssh/ssh_host_ecdsa_key ecdsa私钥认证
13.HostKey /etc/ssh/ssh_host_ed25519_key ed25519私钥认证
14.# Lifetime and size of ephemeral version 1 server key
15.#KeyRegenerationInterval 1h
16.#ServerKeyBits 1024 主机秘钥长度
17.# Ciphers and keying
18.#RekeyLimit default none
19.# Logging
20.# obsoletes QuietMode and FascistLogging
21.#SyslogFacility AUTH
22.SyslogFacility AUTHPRIV 当有人使用ssh登录系统的时候,SSH会记录信息,信息保存在/var/log/secure里面
23.#LogLevel INFO 日志的等级
24.# Authentication:
25.#LoginGraceTime 2m 登录的宽限时间,默认2分钟没有输入密码,则自动断开连接
26.#PermitRootLogin no
27.PermitRootLogin yes 是否允许管理员直接登录,'yes’表示允许
28.#StrictModes yes 是否让sshd去检查用户主目录或相关文件的权限数据
29.#MaxAuthTries 6 最大认证尝试次数,最多可以尝试6次输入密码。之后需要等待某段时间后才能再次输入密码
30.#MaxSessions 10 允许的最大会话数
31.#RSAAuthentication yes
32.#PubkeyAuthentication yes
33.# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
34.# but this is overridden so installations will only check .ssh/authorized_keys
35.AuthorizedKeysFile .ssh/authorized_keys 服务器生成一对公私钥之后,会将公钥放到.ssh/authorizd_keys里面,将公钥发给客户端
36.#AuthorizedPrincipalsFile none
37.#AuthorizedKeysCommand none
38.#AuthorizedKeysCommandUser nobody
39.# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
40.#RhostsRSAAuthentication no
41.# similar for protocol version 2
42.#HostbasedAuthentication no
43.# Change to yes if you don’t trust ~/.ssh/known_hosts for
44.# RhostsRSAAuthentication and HostbasedAuthentication
45.#IgnoreUserKnownHosts no
46.# Don’t read the user’s ~/.rhosts and ~/.shosts files
47.#IgnoreRhosts yes
48.# To disable tunneled clear text passwords, change to no here!
49.#PasswordAuthentication yes
50.#PermitEmptyPasswords no
51.PasswordAuthentication yes 是否允许支持基于口令的认证
52.# Change to no to disable s/key passwords
53.#ChallengeResponseAuthentication yes
54.ChallengeResponseAuthentication no 是否允许任何的密码认证
55.# Kerberos options 是否支持kerberos(基于第三方的认证,如LDAP)认证的方式,默认为no
56.#KerberosAuthentication no
57.#KerberosOrLocalPasswd yes
58.#KerberosTicketCleanup yes
59.#KerberosGetAFSToken no
60.#KerberosUseKuserok yes
61.# GSSAPI options
62.GSSAPIAuthentication yes
63.GSSAPICleanupCredentials no
64.#GSSAPIStrictAcceptorCheck yes
65.#GSSAPIKeyExchange no
66.#GSSAPIEnablek5users no
67.# Set this to ‘yes’ to enable PAM authentication, account processing,
68.# and session processing. If this is enabled, PAM authentication will
69.# be allowed through the ChallengeResponseAuthentication and
70.# PasswordAuthentication. Depending on your PAM configuration,
71.# PAM authentication via ChallengeResponseAuthentication may bypass
72.# the setting of “PermitRootLogin without-password”.
73.# If you just want the PAM account and session checks to run without
74.# PAM authentication, then enable this but set PasswordAuthentication
75.# and ChallengeResponseAuthentication to ‘no’.
76.# WARNING: ‘UsePAM no’ is not supported in Red Hat Enterprise Linux and may cause several
77.# problems.
78.UsePAM yes
79.#AllowAgentForwarding yes
80.#AllowTcpForwarding yes
81.#GatewayPorts no
82.X11Forwarding yes
#ssh -X [email protected]
83.#X11DisplayOffset 10
84.#X11UseLocalhost yes
85.#PermitTTY yes
86.#PrintMotd yes
87.#PrintLastLog yes
88.#TCPKeepAlive yes
89.#UseLogin no
90.UsePrivilegeSeparation sandbox # Default for new installations.
91.#PermitUserEnvironment no
92.#Compression delayed
93.#ClientAliveInterval 0
94.#ClientAliveCountMax 3
95.#ShowPatchLevel no
96.#UseDNS yes 是否反解DNS,如果想让客户端连接服务器端快一些,这个可以改为no
97.#PidFile /var/run/sshd.pid
98.#MaxStartups 10:30:100
99.#PermitTunnel no
100.#ChrootDirectory none
101.#VersionAddendum none
102.# no default banner path
103.#Banner none
104.# Accept locale-related environment variables
105.AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
106.AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
107.AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
108.AcceptEnv XMODIFIERS
109.# override default of no subsystems
110.Subsystem sftp /usr/libexec/openssh/sftp-server 支持 SFTP ,如果注释掉,则不支持sftp连接
111.# Example of overriding settings on a per-user basis
112.#Match User anoncvs
113.# X11Forwarding no
114.# AllowTcpForwarding no
115.# PermitTTY no
116.# ForceCommand cvs server
117.AllowUsers user1 user2 登录白名单(默认没有这个配置,需要自己手动添加),允许远程登录的用户。如果名单中没有的用户,则提示拒绝登录
案例一:修改ssh服务端口号
#修改ssh服务的端口号
[[email protected] ~]# vi /etc/ssh/sshd_config
Port 2222
#保存退出后,添加防火墙允许策略
[[email protected] ~]# firewall-cmd --permanent --add-port=2222/tcp
success
[[email protected] ~]# firewall-cmd --reload
#添加自定义端口到服务
[[email protected] ~]# semanage port -a -t ssh_port_t -p tcp 2222
注意:如果执行该命令时出现以下提示,请换个端口再试:
ValueError: Port tcp/4444 already defined
案例二:拒绝root用户远程登陆
#请保持服务器上至少有一个可以远程登陆的普通远程账号
#修改配置文件如下:
#打开该选项并修改参数为no
PermitRootLogin no
#重启服务后生效,使用时使用普通用户进行登陆,需要使用root用户时再切换
案例三:允许特定用户ssh登陆,其他用户都无法登陆
#编辑配置文件,在最后添加如下内容:
AllowUsers USERNAME
USERNAME为你允许登陆的账号,如果是多个用户,中间用空格隔开
#重启ssh服务后生效
案例四:虚拟和虚拟机之间实现ssh 互信,免登陆
#创建秘钥对
[[email protected] ~]# ssh-****** -t rsa
ssh-****** - 生成、管理和转换认证** -t制定类型 RSA
#证书的目录
/root/.ssh/id_rsa
#默认创建的公钥文件
/root/.ssh/id_rsa.pub
#复制该公钥文件到对端的该目录下:
[[email protected] ~]# scp /root/.ssh/id_rsa.pub [email protected]:/root/.ssh/authorized_keys
#在本地服务器上登陆对端服务器
[[email protected] ~]# ssh 192.168.40.132
案例五:通过xshell使用证书进行登陆
#使用以下命令创建证书:
[[email protected] ~]# ssh-****** -t rsa -b 4096
[[email protected] .ssh]# cp id_rsa.pub authorized_keys
#然后将私钥下载到本地系统,等下用
#如果sftp登陆的时候无法成功,请恢复之前修改的ssh服务配置
#在windows系统上使用xshell创建新会话,使用公钥进行免密登陆
#取消使用密码进行远程登陆
PasswordAuthentication no
#修改配置文件保存退出,重启服务
建立连接过程