Linux Services: The OpenSSH Service
The term OpenSSH refers to the software implementation of Secure Shell used on the system. It is used to run a shell securely on a remote system. If you have a user account on a remote Linux system that provides the ssh service, ssh is the command normally used to log in to that system remotely. The ssh command can also be used to run commands on the remote system.
Common remote login tools are:
telnet, ssh, dropbear
telnet //remote login protocol, 23/TCP; also commonly used to test whether a port or service is open
Authentication in plaintext
Data transfer in plaintext
ssh //Secure SHell, an application-layer protocol, 22/TCP
Communication and authentication are encrypted; the host is authenticated
User authentication is encrypted
Data transfer is encrypted
dropbear //SSH server and client for embedded systems, commonly used on phones
1.2 SSH Versions
OpenSSH supports two protocol versions, v1 and v2, with the following characteristics:
v1: uses CRC-32 as the MAC and cannot defend against man-in-the-middle attacks
v2: the two hosts negotiate a secure MAC method; key exchange is based on the DH algorithm, and host authentication is implemented with RSA or DSA
About key exchange
The process of negotiating the key is called key exchange (Internet Key Exchange, IKE) and uses the DH (Diffie-Hellman) protocol:
A (host) --> B (host)
p, g (a large prime and a generator) are transmitted over the network and are public
A: picks a random number x
B: picks a random number y
A: g^x % p --> B
B: g^y % p --> A
A: (g^y % p)^x = g^yx % p
B: (g^x % p)^y = g^xy % p
The final value g^xy % p is the resulting key
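The A/B exchange above, carried through in code as an added example (this is not code from the original article). The modulus p=23, generator g=5 and the secrets x=6, y=15 are constructed toy values small enough to check by hand; the eavesdropper function exists only to show why real parameters are 2048 bits or more: with a tiny p, anyone who saw p, g and the two public values on the wire can recover x or y by trial.

```python
"""Toy Diffie-Hellman exchange following the A/B diagram above.

Added example, not from the original article. p=23 and g=5 are deliberately
tiny so the arithmetic can be followed by hand; SSH uses groups of 2048 bits
or more (or elliptic curves), where the brute-force step below is infeasible.
"""
import secrets


def dh_public(g: int, x: int, p: int) -> int:
    """What a party sends over the network: g^x mod p (public)."""
    return pow(g, x, p)


def dh_shared(peer_public: int, own_secret: int, p: int) -> int:
    """What each party computes locally: (g^y mod p)^x mod p = g^(xy) mod p."""
    return pow(peer_public, own_secret, p)


def exchange(p: int, g: int, x: int, y: int) -> dict:
    """Run the exchange with fixed secrets x (A) and y (B); return the
    values visible on the wire plus each side's result."""
    a_to_b = dh_public(g, x, p)       # A: g^x % p --> B
    b_to_a = dh_public(g, y, p)       # B: g^y % p --> A
    key_a = dh_shared(b_to_a, x, p)   # A: (g^y % p)^x
    key_b = dh_shared(a_to_b, y, p)   # B: (g^x % p)^y
    return {"wire": (p, g, a_to_b, b_to_a), "key_a": key_a, "key_b": key_b}


def eavesdropper_dlog(p: int, g: int, public: int) -> int:
    """Brute-force discrete log over all exponents; feasible only because p
    is tiny. This is why p must be large and x, y must never leave the host."""
    for candidate in range(1, p):
        if pow(g, candidate, p) == public:
            return candidate
    raise ValueError("no discrete log found")


def random_exchange(p: int, g: int) -> bool:
    """Same exchange with fresh random secrets; True if both sides agree."""
    x = secrets.randbelow(p - 2) + 1
    y = secrets.randbelow(p - 2) + 1
    result = exchange(p, g, x, y)
    return result["key_a"] == result["key_b"]


if __name__ == "__main__":
    r = exchange(23, 5, 6, 15)
    print("on the wire (p, g, g^x%p, g^y%p):", r["wire"])
    print("A's key:", r["key_a"], "B's key:", r["key_b"])
    print("eavesdropper recovers x =", eavesdropper_dlog(23, 5, r["wire"][2]))
```

With these values A sends 8, B sends 19, and both sides arrive at 2. Note that nothing in this exchange tells A that the value 19 really came from B; that is the gap the v2 host-key signature (RSA/DSA, later sections) closes.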
1.3 SSH Authentication Methods
OpenSSH has two authentication methods:
Password-based authentication
Key-based authentication (asymmetric encryption: a key pair consisting of a public key (P) and a private key (S))
1.4 How OpenSSH Works
OpenSSH works on a client/server (C/S) architecture.
Server side //sshd, configuration file /etc/ssh/sshd_config
[root@CTL .ssh]# vim /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
.
.
.
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
Client side
//ssh, configuration file /etc/ssh/ssh_config
ssh-keygen //key generator
ssh-copy-id //copies the public key to the remote server
scp //secure copy across hosts
# $OpenBSD: ssh_config,v 1.30 2016/02/20 23:06:23 sobrado Exp $
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
# Host *
# ForwardAgent no
# ForwardX11 no
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
.
.
.
# Send locale-related environment variables
SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
SendEnv XMODIFIERS
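The header of ssh_config above states the rule that bites most people: an option keeps the first value assigned to it, so host-specific blocks must come before the `Host *` defaults. The following added example (not OpenSSH's parser, and not from the original article) implements just that rule for `Host` blocks and shows the same lines in both orders; the two configs are constructed, with a hypothetical host called bastion.

```python
"""Resolver for the precedence rule in the ssh_config header above:
an option keeps the first value assigned to it, so host-specific 'Host'
blocks must precede the 'Host *' defaults.

Added example, not OpenSSH's parser. It supports 'Host' blocks with glob
patterns and plain 'Keyword value' lines; Match, negated patterns and
Include are not handled. Both configs below are constructed.
"""
import fnmatch

# Constructed: host-specific block first, defaults last (the recommended order).
SPECIFIC_FIRST = """\
Host bastion
    ForwardAgent yes
    Port 2222

Host *
    ForwardAgent no
    ForwardX11 no
    Port 22
"""

# Constructed: the same lines with the defaults first (the common mistake).
DEFAULTS_FIRST = """\
Host *
    ForwardAgent no
    ForwardX11 no
    Port 22

Host bastion
    ForwardAgent yes
    Port 2222
"""


def resolve_ssh_config(config_text: str, hostname: str) -> dict:
    """Return the effective options for hostname (keywords lowercased)."""
    options = {}
    applies = True  # lines before the first Host keyword apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            # A Host line opens a block that applies only if a pattern matches.
            applies = any(fnmatch.fnmatchcase(hostname, p) for p in value.split())
            continue
        if applies and keyword not in options:  # first assignment wins
            options[keyword] = value
    return options


def effective_forward_agent(config_text: str, hostname: str) -> str:
    """ForwardAgent for hostname, falling back to the documented default 'no'."""
    return resolve_ssh_config(config_text, hostname).get("forwardagent", "no")


if __name__ == "__main__":
    for label, cfg in (("specific first", SPECIFIC_FIRST),
                       ("defaults first", DEFAULTS_FIRST)):
        print(label, "-> bastion:", resolve_ssh_config(cfg, "bastion"))
```

In the defaults-first layout the `Host bastion` block is effectively dead: ForwardAgent and Port were already set by `Host *`, so bastion silently gets agent forwarding disabled and port 22. Checking the resolved result rather than eyeballing the file is the quickest way to catch this.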
1.5 Secure Shell Examples
//Create a remote interactive shell as the current user, then run exit when finished to return to the previous shell
[root@CTL .ssh]# ssh 192.168.112.131
The authenticity of host '192.168.112.131 (192.168.112.131)' can't be established.
//Shows the fingerprint of the server's public key, computed with SHA256
ECDSA key fingerprint is SHA256:dyCibeKTgTQDtKrGgYAKVnGsLcR/Necufp4Jvnx0cTc.
ECDSA key fingerprint is MD5:bb:a6:d4:16:be:40:d1:d9:ef:6b:89:c9:22:bb:bd:b0.
//Asks whether you trust the host being connected to; if you do not, no connection is made
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.112.131' (ECDSA) to the list of known hosts.
root@192.168.112.131's password:
Last login: Mon Apr 1 14:24:13 2019 from 192.168.112.14
//The user@host in the prompt shows that we are now logged in to the other host
[root@GUI ~]#
//Connect to a remote `shell` as a different user (remoteuser) on a chosen host (remotehost)
[root@CTL .ssh]# ssh root@192.168.112.131
root@192.168.112.131's password:
Last login: Mon Apr 1 14:24:54 2019 from 192.168.112.14
[root@GUI ~]#
//Run a single command as the remote user (remoteuser) on the remote host (remotehost), with the output returned to the local display
//First log in to one host and check its IP address
[root@GUI .ssh]# ip a s ens33
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:8e:77:9b brd ff:ff:ff:ff:ff:ff
    inet 192.168.112.131/24 brd 192.168.112.255 scope global dynamic ens33
       valid_lft 1191sec preferred_lft 1191sec
    inet6 fe80::bc68:f1a3:4a1f:87fb/64 scope link
       valid_lft forever preferred_lft forever
//Then, from the other host, run the command remotely over ssh
[root@CTL .ssh]# ssh root@192.168.112.131 '/usr/sbin/ip a s ens33'
root@192.168.112.131's password:
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:8e:77:9b brd ff:ff:ff:ff:ff:ff
    inet 192.168.112.131/24 brd 192.168.112.255 scope global dynamic ens33
       valid_lft 1783sec preferred_lft 1783sec
    inet6 fe80::bc68:f1a3:4a1f:87fb/64 scope link
       valid_lft forever preferred_lft forever
[root@CTL .ssh]#
//The w command shows the list of users currently logged in to the machine. It is particularly useful for seeing which users have logged in over ssh, from which remote locations, and what they are running
[root@CTL .ssh]# ssh 192.168.112.131
root@192.168.112.131's password:
Last login: Mon Apr 1 14:30:57 2019 from 192.168.112.14
//Switching to the GUI host and running w shows the user from 192.168.112.14 logged in
[root@GUI .ssh]# w
 14:40:59 up  4:37,  2 users,  load average: 0.00, 0.02, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 192.168.112.1 10:03 3.00s 0.17s 0.01s w
root pts/1 192.168.112.14 14:40 2.00s 0.03s 0.03s -bash
1.6 SSH Host Keys
ssh keeps communication secure using public-key encryption. When an ssh client connects to an ssh server, the server sends the client a copy of its public key before the client logs in. This is used to set up secure encryption for the communication channel and lets the client authenticate the server.
The first time a user connects to a particular server with ssh, the ssh command stores that server's public key in the user's ~/.ssh/known_hosts file. On every later connection, the client compares the server's entry in ~/.ssh/known_hosts with the public key the server sends, to make sure it is getting the same public key from the server. If the public keys do not match, the client assumes that the network communication has been hijacked or that the server has been compromised, and it aborts the connection.
This means that if the server's public key changes (the key was lost due to a disk failure, or was replaced for some legitimate reason), the user must update their ~/.ssh/known_hosts file and remove the old entry before they can log in.
//The host ID is stored in ~/.ssh/known_hosts on the local client system (.ssh is a hidden directory in the home directory)
[root@CTL ~]# cat /root/.ssh/known_hosts
192.168.112.131 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJvfkdzYN1ayz0bbvSc5be4/rddT4r2q/DfLo6VtruJgNNsexqi5GzSJ7AGB1kECRSw4/eg1Z11x05bGjRJfL+8=
//Host keys are stored in /etc/ssh/ssh_host_key* on the SSH server (these keys are used automatically unless you generate keys manually)
[root@CTL ~]# ls /etc/ssh/*key*
/etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ecdsa_key.pub /etc/ssh/ssh_host_ed25519_key /etc/ssh/ssh_host_ed25519_key.pub /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_rsa_key.pub
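The known_hosts comparison described in this section, written out as an added example (it is not OpenSSH's code and not from the original article). The stored entry is the 192.168.112.131 line from the known_hosts listing above; the "tampered" key presented by a would-be impostor is constructed by altering its last byte. The fingerprint function reproduces the format the client prints on first contact (`SHA256:` followed by the unpadded base64 of the SHA-256 of the key blob), and the blob parser shows what that base64 string actually contains.

```python
"""Client-side host-key check matching the ~/.ssh/known_hosts comparison
described above: 'match' -> proceed, 'mismatch' -> refuse (possible hijack
or compromised server), 'unknown' -> first-contact prompt.

Added example, not OpenSSH's own code. STORED_BLOB is the entry from the
article's known_hosts listing; TAMPERED_BLOB is constructed. Only plain
hostnames and single-host lines are handled (hashed hosts, markers and
Include are out of scope).
"""
import base64
import hashlib
import struct

STORED_BLOB = (
    "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJvfkdzYN1ayz0bb"
    "vSc5be4/rddT4r2q/DfLo6VtruJgNNsexqi5GzSJ7AGB1kECRSw4/eg1Z11x05bGjRJfL+8="
)
KNOWN_HOSTS = "192.168.112.131 ecdsa-sha2-nistp256 " + STORED_BLOB + "\n"

# Constructed: same host and key type, but a different key (last byte altered).
TAMPERED_BLOB = STORED_BLOB[:-4] + "L+4="


def parse_known_hosts(text: str) -> dict:
    """Map (host, keytype) -> base64 key blob; one line may list several hosts."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hosts, keytype, blob = line.split()[:3]
        for host in hosts.split(","):
            entries[(host, keytype)] = blob
    return entries


def _read_string(buf: bytes, offset: int):
    """Read one SSH wire-format string: 4-byte big-endian length + bytes."""
    (length,) = struct.unpack_from(">I", buf, offset)
    start = offset + 4
    return buf[start:start + length], start + length


def parse_ecdsa_blob(blob_b64: str) -> tuple:
    """Decode an ecdsa-sha2-* public key blob into (type, curve, point bytes)."""
    raw = base64.b64decode(blob_b64)
    keytype, off = _read_string(raw, 0)
    curve, off = _read_string(raw, off)
    point, _ = _read_string(raw, off)
    return keytype.decode(), curve.decode(), point


def fingerprint_sha256(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: base64(SHA256(blob)) without '=' padding,
    the form shown as 'ECDSA key fingerprint is SHA256:...' on first contact."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def verify_host_key(known_hosts_text: str, host: str, keytype: str,
                    presented_blob: str) -> str:
    """Compare the key the server presents with the stored entry."""
    stored = parse_known_hosts(known_hosts_text).get((host, keytype))
    if stored is None:
        return "unknown"
    return "match" if stored == presented_blob else "mismatch"


if __name__ == "__main__":
    keytype, curve, point = parse_ecdsa_blob(STORED_BLOB)
    print(keytype, curve, len(point), "byte point", fingerprint_sha256(STORED_BLOB))
    for blob in (STORED_BLOB, TAMPERED_BLOB):
        print(verify_host_key(KNOWN_HOSTS, "192.168.112.131",
                              "ecdsa-sha2-nistp256", blob))
```

The blob decodes to the type string "ecdsa-sha2-nistp256", the curve name "nistp256" and a 65-byte uncompressed point (leading 0x04), which is why the type column and the start of every such blob look alike. A "mismatch" result is the condition behind the client's "REMOTE HOST IDENTIFICATION HAS CHANGED" refusal; before removing the old known_hosts entry, confirm out of band (for example by reading the fingerprint from the server's console) that the change is legitimate.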
2. Configuring SSH Key-Based Authentication
Users can authenticate ssh logins with public-key authentication. ssh lets users authenticate with a private/public key scheme, meaning that two keys are generated: a private key and a public key. The private key file serves as the authentication credential and, like a password, must be kept safe. The public key is copied to the systems the user wants to log in to and is used to verify the private key. The public key does not need to be kept secret. An ssh server that holds the public key can issue a challenge that only a system holding your private key can answer, so you can be authenticated based on the key you hold. This way you no longer have to type a password every time you access the system, while security is still maintained.
Use the ssh-keygen command to generate the key pair. This produces the private key ~/.ssh/id_rsa and the public key ~/.ssh/id_rsa.pub.
//When generating a key with ssh-keygen, you are first asked where to store the key files; the default is /root/.ssh/id_rsa and id_rsa.pub
[root@CTL ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
//Next you are asked whether to set a passphrase for the private key
Enter passphrase (empty for no passphrase):
//Finally it reports that the key was created: the private key is stored in id_rsa and the public key in id_rsa.pub
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:XFV5J+RPAuuHQZBipB8yUyQ22/QAOWT+z2Tsi+cJcpw root@CTL
The key's randomart image is:
//RSA keys are normally 2048 bits
+---[RSA 2048]----+
.B=* .o+oo.
+oOoo.o +o o
Boo.o o ooo
B + . o +
S + o . .
. B .
. E +
o o.o
.o+
+----[SHA256]-----+
Note:
When generating the key, you are given the option to specify a passphrase, which must then be provided whenever the private key is used. If the private key is stolen, it is very hard for anyone other than its owner to use it, because it is protected by the passphrase. This leaves enough time to generate a new key pair and remove everything that involves the old key before an attacker can crack and use the stolen private key.