云计算一阶段章节十五——Linux sshd 服务管理

Linux sshd 服务管理

环境准备

以链接克隆方式克隆原先的server虚拟机，取名为client，并设置ip地址为10.1.8.11/24。

# 永久设置主机名
[root@localhost ~]# echo client.whisky.cloud > /etc/hostname

# 临时设置
[root@localhost ~]# hostname client.whisky.cloud

# 验证
[root@client ~]# hostname

# 准备名称解析
[root@client ~]# echo "10.1.8.10 server.whisky.cloud server 
10.1.8.11 client.whisky.cloud client" >> /etc/hosts

使用 ssh 访问远端CLI

SSH 介绍

SSH 全称是 Secure Shell，SSH协议是基于应用层的协议，为远程登录会话和其他网络服务提供安全性的协议。

实现此功能的传统方式，如 telnet (终端仿真协议)、 rcp、ftp、 rlogin、rsh都是极为不安全的，并且会使用明文传送密码。OpenSSH提供了服务端后台程序和客户端工具，用来加密远程控件和文件传输过程中的数据，并由此来代替原来的类似服务。

SSH建立连接的过程

主要分为下面几个阶段：

1. SSH协议版本协商阶段，SSH目前包括SSH1和SSH2两个大版本。
2. 密钥和算法协商阶段，SSH支持多种加密算法，双方根据自己和对端支持的算法进行协商，最终决定要使用的算法。
3. 认证阶段，服务器和客户端互相进行身份验证。
4. 会话请求阶段，客户端会向服务器端发送会话请求。会话请求分为这样几类：申请对数据传送进行压缩、申请伪终端、启动 X11、TCP/IP 端口转发、启动认证代理等。
5. 交互会话阶段，会话请求通过后，服务器端和客户端进行信息的交互。例如运行 shell、执行命令、传递文件。

加密类型

• 对称加密，加密和解密都使用一个钥匙。确保数据的完整性。速度快。
• 非对称加密，一对钥匙。公钥用来加密数据。私钥用来解密数据。确保数据的安全性。

双向加密过程

SSH协议是基于非对称加密方法的，服务器和客户端都会生成自己的公钥和私钥。

• 公钥用来加密数据。
• 私钥用来解密数据。

双向加密过程：

1. 服务器创建密钥对。远程服务器会在/etc/ssh目录下生成一个名为多个密钥对，例如ecdsa类型的密钥对：ssh_host_ecdsa_key.pub 公钥和 ssh_host_ecdsa_key 私钥。之后每回启动sshd服务的时候，系统会自动在此路径下查找公钥。

   客户端请求连接。服务器接到请求后，把公钥传给客户端使用。

2. 客户端记录服务器公钥并计算自己的公私钥。客户端将服务器传来的公钥记录在**~/.ssh/known_hosts** 中，若是已经记录有该服务器公钥，则比对是否一致，一致后就计算客户端自己的公私钥。

3. 客户端使用服务器的公钥加密自己的公钥并发送给服务器。服务器端拥有客户端公钥+自己私钥，客户端拥有服务器公钥+自己私钥，组成了非对称加密系统。

4. 双向加解密。服务器发送数据：用客户端公钥加密，客户端收到数据后用自己私钥解密。客户端发送数据：用服务器公钥加密，服务器收到数据后用自己私钥解密。

ssh 工具演示

方式一：只指定IP或主机名

# 通过IP地址
[baoshenghui@client ~]$ ssh 10.1.8.10
The authenticity of host '10.1.8.10 (10.1.8.10)' can't be established.
ECDSA key fingerprint is SHA256:XCZ89dFD6IXfjeooNtJISIX1sDU2eWOdB3gt0oivWKg.
ECDSA key fingerprint is MD5:c2:bb:3b:ae:b1:58:38:a9:31:37:fc:8c:33:13:bd:01.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.1.8.10' (ECDSA) to the list of known hosts.
baoshenghui@10.1.8.10's password: 
Last login: Sun Jul 27 22:11:12 2025 from 10.1.8.1
[baoshenghui@server ~]$ 

# 通过主机名称
[baoshenghui@client ~]$ ssh server
The authenticity of host 'server (10.1.8.10)' can't be established.
ECDSA key fingerprint is SHA256:XCZ89dFD6IXfjeooNtJISIX1sDU2eWOdB3gt0oivWKg.
ECDSA key fingerprint is MD5:c2:bb:3b:ae:b1:58:38:a9:31:37:fc:8c:33:13:bd:01.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server' (ECDSA) to the list of known hosts.
baoshenghui@server's password: 
Last login: Sun Jul 27 22:12:14 2025 from client.whisky.clou
[baoshenghui@server ~]$ 

方式二：额外指定用户名

# 指定root用户登录
[baoshenghui@client ~]$ ssh root@server
root@server's password: 
Last failed login: Sun Jul 27 22:14:19 CST 2025 from client.whisky.clou on ssh:notty
Last login: Sun Jul 27 22:11:24 2025 from 10.1.8.1
[root@server ~]# 

# 或者
[baoshenghui@client ~]$ ssh -l root server

方式三：额外指定命令

# 同时指定用户和命令
[laoma@client ~]$ ssh laoma@server hostname
laoma@server's password: `redhat`
server.laoma.cloud
# shell提示符，仍然是本机。
[laoma@client ~]$

配置ssh密钥认证

使用密钥登录，避免输入密码，更安全。

配置过程

# 客户端生成密钥对
[baoshenghui@server ~]$ ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/home/baoshenghui/.ssh/id_rsa): （回车）
Created directory '/home/baoshenghui/.ssh'.
Enter passphrase (empty for no passphrase): （回车）
Enter same passphrase again: （回车）
Your identification has been saved in /home/baoshenghui/.ssh/id_rsa.
Your public key has been saved in /home/baoshenghui/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:y8O+29kyh8eH5SSChvBmiNkquo/OQaerEKeH4Ol9FQs baoshenghui@server.laoma.cloud
The key's randomart image is:
+---[RSA 2048]----+
|                 |
|                 |
|                 |
|    .E .         |
|o..= +..S.       |
|+=* o ==o.. . o  |
|+=.. o..=  + *   |
|=o=  . . o+o= o  |
|OO...   +oo=..   |
+----[SHA256]-----+
# 生成的文件如下
[baoshenghui@server ~]$ ls .ssh/
id_rsa  id_rsa.pub

# 将公钥推动给目标服务器上的目标用户
[baoshenghui@server ~]$ ssh-copy-id baoshenghui@client
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/baoshenghui/.ssh/id_rsa.pub"
The authenticity of host 'client (10.1.8.11)' can't be established.
ECDSA key fingerprint is SHA256:XCZ89dFD6IXfjeooNtJISIX1sDU2eWOdB3gt0oivWKg.
ECDSA key fingerprint is MD5:c2:bb:3b:ae:b1:58:38:a9:31:37:fc:8c:33:13:bd:01.
Are you sure you want to continue connecting (yes/no)? y
Please type 'yes' or 'no': yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
baoshenghui@client's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'baoshenghui@client'"
and check to make sure that only the key(s) you wanted were added.

# 验证
[baoshenghui@server ~]$ ssh baoshenghui@client
Last login: Mon Jul 28 22:14:33 2025 from 10.1.8.1
[baoshenghui@client ~]$ 


# 推送公钥相当于：
# 将公钥内容保存到目标服务器上目标用户家目录下.ssh/authorized_keys中
[baoshenghui@client ~]$ cat .ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDmQMXl7Fo16AznPW8spszIfencz2xSqKuo0dCDycGjy3JZj9/SJI8CDODD1GjrsikMcHne7R/h/d1TVJ5usgTNPSh95QZxjcq5PpT7OB6FEj52mhiLZvyK1IgrFKWVZeH2P21sTa+OFHFho8feA0MLjBWj3kB+6k0Sfv+plBtvrZskOX1C7YpJs3Ly6Gl8R86+bIOLJ4V0VxrML84Z8TThKOv7+afUPd4jEcVq73hVCKE6Io9W9v7m8F4DLkWXvOmmDQgJDbZrVMoQpgAU4EopX/U8YMU9u28K7SOl9xCZtc+TYpmdXw/il/Jk5/ntuQ6iI0grIDrYLBWHSojJeLVn baoshenghui@client.whisky.cloud

[baoshenghui@client ~]$ ssh baoshenghui@server
baoshenghui@server's password: 
Last login: Mon Jul 28 22:10:01 2025 from 10.1.8.1
[baoshenghui@server ~]$ 

[baoshenghui@client ~]$ cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCt8YKob4y+hpyLOAf2lHxnmYGfyOD2UAX+Yq/mEQcUEt0rCe+78PTTvK/gyz+jMt0VMLvr2aLuRGeZ2kTbiOMD4f7aeVl008seWf0iWXAhBYJzAVRVH6QfP/zkK6xZZlnRunAt0bTSQps1i+sXyXPsxENELTwY1CAeVjD9Znjyjv++rYRlun2CK4fQRvSrMaHIfvwl5rwtZlKbQ1dl/LRWGqKjFGbXfcnHzPlS2jrXkSLT28s/IduI3EeVSCX4mkpRChh9AseFtFUile4Ow2uwakl6SsT2XQAUNm6t/MQnHcHsxfewsBdmJLpnQQXA0eIQPd2nrAy9PhrvKmSiib0J baoshenghui@server.laoma.cloud
#！！！（主机名初次设置错误，重设后重启服务仍未更改，此处存疑）
# 推给目标主机root用户
[baoshenghui@server ~]$ ssh-copy-id root@client
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/baoshenghui/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@client's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@client'"
and check to make sure that only the key(s) you wanted were added.

[baoshenghui@server ~]$ ssh root@client hostname
client.whisky.cloud

非交互式生成密钥对

[baoshenghui@server ~]$ ssh-keygen -t rsa -N '' -f id_rsa_new
Generating public/private rsa key pair.
Your identification has been saved in id_rsa_new.
Your public key has been saved in id_rsa_new.pub.
The key fingerprint is:
SHA256:UXopkQ0UcdtmnfkVMX/hJ/7zljW5Uz5wMZF+OzcL5Aw baoshenghui@server.laoma.cloud
The key's randomart image is:
+---[RSA 2048]----+
|       .**o    =o|
|        .=.+ ..==|
|        + + + *.*|
|         + E o *=|
|        S   = . B|
|             = O+|
|              +o%|
|               *=|
|               .+|
+----[SHA256]-----+
[baoshenghui@server ~]$ ls *new*
id_rsa_new  id_rsa_new.pub

其他选项

# -p选项指定目标服务器 sshd 服务端口号，默认22
[baoshenghui@client ~]$ ssh -l root -p 1022 server hostname
root@server's password: 
server.whisky.cloud


# -i 指定私钥位置
[baoshenghui@client ~]$ mv .ssh/id_rsa /tmp
[baoshenghui@client ~]$ ssh -i /tmp/id_rsa root@server hostname
server.whisky.cloud

# 如果找不到密钥，则使用密码登录
[baoshenghui@client ~]$ ssh root@server hostname
root@server's password: 

排故

故障：配置密钥登录后，远程登录仍要需要输入密码验证。

[root@client ~]# ssh 'root@10.1.8.20' hostname
root@10.1.8.20's password: 

模拟：将用户家目录的权限改为777。

处理过程：

1. 查看日志

   # 客户端登录的时候，监控服务端日志
   [root@centos7 ~]# tail -f /var/log/secure
   ......
   Jul 31 16:13:41 centos7 sshd[3693]: Authentication refused: bad ownership or modes for directory /root
   ......
   

   发现提示：文件权限有问题。

2. 查找文件权限。

   [root@centos7 ~]# ll .ssh/
   total 12
   -rw-------. 1 root root  576 Jul 31 16:11 authorized_keys
   
   [root@centos7 ~]# ls -ld .ssh/
   drwx------. 2 root root 61 Jul 31 16:11 .ssh/
   
   [root@centos7 ~]# ls -ld /root
   drwxrwxrwx. 3 root root 4096 Jul 31 16:09 /root
   
   # 更改权限
   [root@centos7 ~]# chmod 700 /root
   

自定义 SSH 服务

配置文件

sshd服务配置文件：/etc/ssh/sshd_config。帮助 sshd_config(5)

常见配置：

• PermitRootLogin no，禁止 root 用户登录。
  • root用户权限不受限制。
  • root用户存在每个linux系统，只需要猜密码就可以。
  • 从审计角度来看，很难跟踪哪个授权用户以root身份登录并进行了更改。 如果用户必须以普通用户身份登录并切换到root帐户，则会生成一个日志事件，可用于帮助提供问责制。
• PermitRootLogin prohibit-password，禁止root用户通过密码登录。
• PasswordAuthentication no，禁止用户使用密码登录。
• AllowUsers exampleuser，允许特定用户登录，该用户可以提权为root。

禁止 root 登录

# 即使配置了免密登录，也无法远程登录
[baoshenghui-@client ~]$ ssh root@server
root@server's password: 
Permission denied, please try again.
root@server's password: 
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

# 使用普通用户登录，然后提权为root用户
[baoshenghui@client ~]$ ssh baoshenghui@server
[baoshenghui@server ~]$ su -
[root@server ~]#

禁止密码登录

# laowang账户未配置密钥登录，直接拒绝
[baoshenghui@client ~]$ ssh user01@server
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

只允许特定用户登录

例如baoshenghui用户。

# user01输入正确的密码也无法登录
[baoshenghui@client ~]$ ssh user01@server
user01@server's password: 
Permission denied, please try again.
user01@server's password: 
Permission denied, please try again.
user01@server's password: 
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

[baoshenghui@client ~]$ ssh baoshenghui@server hostname
server.whisky.cloud