
42.2. /etc/ssh/

42.2.1. IP地址限制

Only allow 192.168.2.1 and 192.168.2.2 to access this host:

# vim /etc/hosts.allow
sshd:192.168.2.1,192.168.2.2

Deny everyone access to this host (hosts.allow is consulted first, so the two addresses above still get in):

# vim /etc/hosts.deny
sshd:ALL

The above is a whitelist policy; you can also adopt a blacklist policy.

42.2.2. sshd_config

# vi /etc/ssh/sshd_config

42.2.2.1. Authentication configuration

If a connection sees no keyboard input or screen output for 2 minutes after connecting, the SSH connection is dropped automatically.

LoginGraceTime 2m

Disable root login (disable root SSH login):

PermitRootLogin no

Limit the number of SSH authentication retries (maximum number of authentication attempts):

MaxAuthTries 6
42.2.2.2. Automatic SSH / SSH without password

Configure /etc/ssh/sshd_config:

$ sudo vim /etc/ssh/sshd_config

AuthorizedKeysFile  %h/.ssh/authorized_keys

$ sudo /etc/init.d/ssh reload

ssh-keygen

ssh-keygen -d

master server

[netkiller@master ~]$ ssh-keygen -d
Generating public/private dsa key pair.
Enter file in which to save the key (/home/netkiller/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/netkiller/.ssh/id_dsa.
Your public key has been saved in /home/netkiller/.ssh/id_dsa.pub.
The key fingerprint is:
bf:a9:21:2c:82:77:2d:71:33:12:20:10:93:5f:cb:74 netkiller@master
[netkiller@master ~]$
[netkiller@master ~]$ cp .ssh/id_dsa.pub .ssh/authorized_keys
[netkiller@master ~]$ chmod 600 .ssh/authorized_keys
[netkiller@master ~]$ ls -l .ssh/
total 12
-rw-------  1 netkiller netkiller 612 Mar 27 15:31 authorized_keys
-rw-------  1 netkiller netkiller 736 Mar 27 15:24 id_dsa
-rw-r--r--  1 netkiller netkiller 612 Mar 27 15:24 id_dsa.pub
[netkiller@master ~]$

backup server

[netkiller@backup ~]$ ssh-keygen -d
Generating public/private dsa key pair.
Enter file in which to save the key (/home/netkiller/.ssh/id_dsa):
Created directory '/home/netkiller/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/netkiller/.ssh/id_dsa.
Your public key has been saved in /home/netkiller/.ssh/id_dsa.pub.
The key fingerprint is:
c5:2f:0e:4e:b0:46:47:ec:19:30:be:9c:20:ad:9c:51 netkiller@backup
[netkiller@backup ~]$ cp .ssh/id_dsa.pub .ssh/authorized_keys
[netkiller@backup ~]$ chmod 600 .ssh/authorized_keys
[netkiller@backup ~]$ ls -l .ssh/
total 16
-rw-------  1 netkiller netkiller 609 Mar 27 15:31 authorized_keys
-rw-------  1 netkiller netkiller 736 Mar 27 15:27 id_dsa
-rw-r--r--  1 netkiller netkiller 609 Mar 27 15:27 id_dsa.pub

Exchange the public keys

master => backup

[netkiller@master ~]$ scp .ssh/id_dsa.pub netkiller@backup.example.org:.ssh/master.pub
netkiller@backup.example.org's password:
id_dsa.p                                                     100%  612     0.6KB/s   00:00
[netkiller@master ~]$

[netkiller@backup ~]$ cat .ssh/master.pub >> .ssh/authorized_keys

Test:

[netkiller@master ~]$ ssh backup.example.org
Enter passphrase for key '/home/netkiller/.ssh/id_dsa':
Last login: Tue Mar 27 15:26:35 2007 from master.example.org
[netkiller@backup ~]$

master <= backup

[netkiller@backup ~]$ scp .ssh/id_dsa.pub netkiller@master.example.org:.ssh/backup.pub
netkiller@master.example.org's password:
id_dsa.pub                                                   100%  609     0.6KB/s   00:00
[netkiller@backup ~]$

[netkiller@master ~]$ cat .ssh/backup.pub >> .ssh/authorized_keys

Test:

[netkiller@backup ~]$ ssh master.example.org
Enter passphrase for key '/home/netkiller/.ssh/id_dsa':
Last login: Tue Mar 27 15:44:37 2007 from backup.example.org
[netkiller@master ~]$

Note: authorized_keys must have permission 600, otherwise you may still be asked for a password when logging in; once it has been changed to 600 and a login has succeeded, the problem does not recur.

script

ssh-keygen -d
cp .ssh/id_dsa.pub .ssh/authorized_keys
chmod 600 .ssh/authorized_keys
ls -l .ssh/

Tip

To disable key-based login: PubkeyAuthentication no; or AuthorizedKeysFile /dev/null

42.2.2.3. Disable password authentication

It is recommended that you log in with a key and disable password authentication (PasswordAuthentication no). This is more secure, and attackers cannot brute-force your password.

PasswordAuthentication no
42.2.2.4. GSSAPI options

GSSAPI (Generic Security Services Application Programming Interface) is a generic network security interface in the style of Kerberos 5. It wraps the various client/server security mechanisms so that the differences between security interfaces disappear and programming becomes easier. However, when the target host cannot be resolved in DNS, the interface causes the problem shown below.

GSSAPI is almost never needed, so it is recommended to disable it. The default configuration looks like this:

#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

debug1: Host '10.1.1.17' is known and matches the RSA host key.
debug1: Found key in /home/neo/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: An invalid name was supplied
Cannot determine realm for numeric host address
debug1: An invalid name was supplied
Cannot determine realm for numeric host address
debug1: An invalid name was supplied
debug1: Next authentication method: publickey
debug1: Trying private key: /home/neo/.ssh/identity
debug1: Trying private key: /home/neo/.ssh/id_rsa
debug1: Trying private key: /home/neo/.ssh/id_dsa
debug1: Next authentication method: password

In fact, it is from the gssapi-with-mic line onwards that the time is spent. Find

GSSAPIAuthentication yes

and change it to

GSSAPIAuthentication no

Disable GSSAPI:

GSSAPIAuthentication no
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
42.2.2.5. Ignore the known_hosts file

/etc/ssh/sshd_config

IgnoreUserKnownHosts yes
42.2.2.6. UseDNS no

When logging in to a server over ssh there is always a pause before the connection comes up. This is because the OpenSSH server has a DNS lookup option (UseDNS) that is on by default. With UseDNS on, when a client tries to log in to the OpenSSH server, the server first performs a reverse DNS (PTR) lookup on the client's IP address to obtain the client's host name, then performs a forward DNS (A record) lookup on that host name and checks that it matches the original IP address. This is a measure against client spoofing.

vim /etc/ssh/sshd_config

Add:

UseDNS no

With this parameter on, if the server cannot resolve DNS when a client connects, the following stall appears (run ssh with the -v option):

debug1: Found key in /home/neo/.ssh/known_hosts:71
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received

<---- delay 4-5 seconds ------>

debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/neo/.ssh/identity
42.2.2.7. Disable root login

Only allow ordinary users to log in, then switch to root with the su command. How to restrict the su command is covered later.

PermitRootLogin no
42.2.2.8. Limit the number of SSH authentication retries

After 3 failed attempts the socket connection is closed. The effect is not dramatic, but it helps a little.

MaxAuthTries 3
42.2.2.9. Disable key-based login

Key-based login is very secure, but it is quite possible for a legitimate user to install a key without your knowledge, after which he can enter your system at any time.

Any user with the necessary permissions can easily plant a key in the .ssh/authorized_keys file.

PubkeyAuthentication no
AuthorizedKeysFile /dev/null
42.2.2.10. Use keys instead of password authentication

Is this self-contradictory? It is the exact opposite of the section above: here only login with a key file is allowed.

PasswordAuthentication no

This is far more secure than passwords. The one thing to watch is the key being copied, so it is recommended that you protect the key with a passphrase.

A key's passphrase can be stripped off with the openssl tool; I have not tried it on SSH keys, but the principle is much the same.

42.2.2.11. GUI clients that remember passwords

When you log in with software such as XShell, Xftp, WinSCP, SecureCRT, SecureFX and so on, the software offers to remember your password, so that the next time you log in you get into the system without typing it. This is certainly very convenient, but have you thought about how dangerous it is once your computer is lost or someone else gets into it? I used to carry a laptop to work every day with XShell installed and every password remembered in it. That made me realise how frightening losing the computer would be.

You cannot ask other people to stop their SSH client from remembering passwords, and you have no way to enforce it either. Eventually I found a solution:

ChallengeResponseAuthentication yes

You are prompted for the password on every login; a saved password no longer works.

42.2.2.12. User whitelist access control

On Linux you can allow only specified users to use SSH by adding them to the /etc/ssh/sshd_config file; separate multiple users with spaces.

# echo "AllowUsers myuser" >> /etc/ssh/sshd_config

Run the following command to check that it was added successfully.

# cat /etc/ssh/sshd_config | grep -i allowusers
AllowUsers myuser

Restart for it to take effect:

# systemctl restart sshd

Test the effect:

# ssh test@192.168.1.4
test@192.168.1.4's password: 
Permission denied, please try again.

Log output:

Mar 29 02:00:35 CentOS7 sshd[4900]: User test from 192.168.1.6 not allowed because not listed in AllowUsers
Mar 29 02:00:35 CentOS7 sshd[4900]: input_userauth_request: invalid user test [preauth]
Mar 29 02:00:40 CentOS7 unix_chkpwd[4902]: password check failed for user (test)
Mar 29 02:00:40 CentOS7 sshd[4900]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.6  user=test
Mar 29 02:00:43 CentOS7 sshd[4900]: Failed password for invalid user test from 192.168.1.6 port 42568 ssh2

User myuser logs in normally, because he is in the list of allowed users.

# ssh myuser@192.168.1.4
myuser@192.168.1.4's password: 

Output:

Mar 29 02:01:13 CentOS7 sshd[4939]: Accepted password for myuser from 192.168.1.6 port 42590 ssh2
Mar 29 02:01:13 CentOS7 sshd[4939]: pam_unix(sshd:session): session opened for user myuser by (uid=0)
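As an added example that is not part of the original page, the following script summarises the AllowUsers rejections that appear in sshd log output like the lines above, so the effect of the whitelist can be verified from the server side. The log lines it reads are constructed, modelled on the page's own output.

```shell
#!/bin/sh
# Added example, not from the original page: summarise sshd AllowUsers
# rejections so a whitelist change can be verified from the logs.
# The sample log below is constructed (modelled on the page's output).
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Mar 29 02:00:35 CentOS7 sshd[4900]: User test from 192.168.1.6 not allowed because not listed in AllowUsers
Mar 29 02:00:35 CentOS7 sshd[4900]: input_userauth_request: invalid user test [preauth]
Mar 29 02:00:43 CentOS7 sshd[4900]: Failed password for invalid user test from 192.168.1.6 port 42568 ssh2
Mar 29 02:01:13 CentOS7 sshd[4939]: Accepted password for myuser from 192.168.1.6 port 42590 ssh2
Mar 29 02:02:10 CentOS7 sshd[4947]: User test from 192.168.1.6 not allowed because not listed in AllowUsers
Mar 29 02:03:02 CentOS7 sshd[4951]: User test from 192.168.1.9 not allowed because not listed in AllowUsers
Mar 29 02:03:40 CentOS7 sshd[4960]: User guest from 192.168.1.6 not allowed because not listed in AllowUsers
EOF

# Print "count user source" for every (user, source) pair rejected by
# AllowUsers, most frequent first.
allowusers_denials() {
    awk '/not allowed because not listed in AllowUsers/ {
             # message shape: "User <name> from <ip> not allowed because ..."
             for (i = 1; i <= NF; i++)
                 if ($i == "User") { user = $(i+1); src = $(i+3); break }
             key[user " " src]++
         }
         END { for (k in key) print key[k], k }' "$1" | sort -rn
}

# Number of distinct source addresses that hit the whitelist.
denial_sources() {
    allowusers_denials "$1" | awk '{ print $3 }' | sort -u | wc -l | tr -d ' '
}

# Users who were accepted; every name here should be in AllowUsers.
accepted_users() {
    awk '/Accepted (password|publickey) for/ {
             for (i = 1; i <= NF; i++) if ($i == "for") { print $(i+1); break }
         }' "$1" | sort -u
}

allowusers_denials "$SAMPLE_LOG"
```

Point the functions at /var/log/secure (or the output of journalctl -u sshd) instead of the sample file to run them against a real host.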
				
				
42.2.2.13. User blacklist control

# echo "DenyUsers user1" >> /etc/ssh/sshd_config

Run the following command to check that it was added successfully.

# cat /etc/ssh/sshd_config | grep -i denyusers
DenyUsers user1

Restart the ssh service for it to take effect:

# systemctl restart sshd
42.2.2.14. Group whitelist permissions

# echo "AllowGroups wheel" >> /etc/ssh/sshd_config

Confirm that it was added successfully:

# cat /etc/ssh/sshd_config | grep -i AllowGroups
AllowGroups wheel

# getent group wheel
wheel:x:1005:user1,user2,user3
42.2.2.15. Group blacklist permissions

# echo "DenyGroups wheel" >> /etc/ssh/sshd_config

# cat /etc/ssh/sshd_config | grep -i denygroups
DenyGroups wheel

# getent group wheel
wheel:x:1005:user1,user2,user3
42.2.2.16. Disable SSH port forwarding

Prevents SSH from being used to tunnel a SOCKS5 proxy past the firewall, and similar uses.

AllowTcpForwarding no
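As an added example that is not part of the original page, the script below audits an sshd_config file against the directives this chapter recommends (PermitRootLogin, PasswordAuthentication, GSSAPIAuthentication, UseDNS, AllowTcpForwarding and MaxAuthTries). It assumes a flat configuration file with no Match blocks; the sample configuration it checks is constructed.

```shell
#!/bin/sh
# Added example, not from the original page: audit an sshd_config against the
# directives recommended in this chapter. Assumes a flat file with no Match
# blocks. The sample configuration below is constructed.
SAMPLE_CFG=$(mktemp)
cat >"$SAMPLE_CFG" <<'EOF'
Port 22
LoginGraceTime 2m
#PermitRootLogin no
PermitRootLogin yes
MaxAuthTries 6
PasswordAuthentication yes
GSSAPIAuthentication yes
UseDNS yes
AllowTcpForwarding yes
EOF

# Effective value of a directive: like sshd, the first uncommented occurrence
# wins and keywords are case-insensitive. Prints nothing if it is absent.
cfg_value() {
    awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }' "$2"
}

# One "ok"/"FAIL" line per check; the return value is the number of failures.
audit_sshd_config() {
    cfg="$1"; fails=0
    for pair in PermitRootLogin=no PasswordAuthentication=no \
                GSSAPIAuthentication=no UseDNS=no AllowTcpForwarding=no; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(cfg_value "$key" "$cfg")
        if [ "$have" = "$want" ]; then
            echo "ok   $key $have"
        else
            echo "FAIL $key ${have:-<default>} -> $want"; fails=$((fails + 1))
        fi
    done
    # MaxAuthTries is numeric; the chapter settles on 3 (section 42.2.2.8).
    tries=$(cfg_value MaxAuthTries "$cfg")
    if [ -n "$tries" ] && [ "$tries" -le 3 ]; then
        echo "ok   MaxAuthTries $tries"
    else
        echo "FAIL MaxAuthTries ${tries:-<default>} -> 3"; fails=$((fails + 1))
    fi
    return $fails
}

audit_sshd_config "$SAMPLE_CFG" || echo "$? check(s) failed"
```

Run audit_sshd_config /etc/ssh/sshd_config on a real host; a directive that is absent is reported as default, because sshd then applies its built-in default rather than the value this chapter recommends.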
			
				

42.2.3. ssh_config

42.2.3.1. ForwardAgent

Enable agent forwarding: after you ssh root@remote, logging in to another server from remote no longer requires entering the password again.

ForwardAgent yes

42.2.4. ~/.ssh/config

Format:

Host    alias
    HostName        host name
    Port            port
    User            user name
    IdentityFile    path to the key file

Use port 2022 as the default port for host 175.46.28.88:

cat ~/.ssh/config
Host 175.46.28.88
    Port 2022

The ~/.ssh/config file must have permission 600:

chmod 600 ~/.ssh/config