
Linux SSH Service: Ops Beginner


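Task: as the xiaoming user on the client, log in over SSH with key-based authentication on port 2000 to the xiaoming and xiaobei users on the server. No other user on the server may be logged in to remotely.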

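Analysis: the task itself makes the approach fairly clear. First modify the SSH configuration file on the server so that sshd listens on port 2000 instead of port 22, then allow only the two users xiaoming and xiaobei to be logged in to remotely. We start by editing the SSH configuration file.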

1. Edit the SSH configuration file: add port 2000 and allow xiaoming and xiaobei to connect.

[root@sever ssh]# cat sshd_config
#Port 22
port 2000
allowusers xiaoming xiaobei root

2. I'll skip the part where the users are created on both hosts: just run useradd, then set a password with passwd.

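3. Next, have xiaoming on one host and xiaoming and xiaobei on the other connect to each other over ssh once, so that Linux automatically creates the hidden .ssh directory.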

[root@localhost .ssh]# ssh -p 2000 xiaoming@192.168.147.38
xiaoming@192.168.147.38's password:
Activate the web console with: systemctl enable --now cockpit.socket
This system is not registered to Red Hat Insights. See https://cloud.redhat.com/
To register this system, run: insights-client --register
Last login: Tue Dec 21 07:31:26 2021 from 192.168.147.130
[root@localhost .ssh]# ssh -p 2000 xiaobei@192.168.147.38
xiaobei@192.168.147.38's password:
Activate the web console with: systemctl enable --now cockpit.socket
This system is not registered to Red Hat Insights. See https://cloud.redhat.com/
To register this system, run: insights-client --register
Last failed login: Tue Dec 21 07:44:44 EST 2021 from 192.168.147.130 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Tue Dec 21 07:13:04 2021 from 192.168.147.200

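I won't paste every one of these connections here; I used the client as the example. When connecting to the server, be sure to specify port 2000.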

3. On the client, switch to the xiaoming user, then generate the public/private key pair with the ssh-keygen command.

[root@localhost .ssh]# su -xiaoming
su: invalid option -- 'x'
Try 'su --help' for more information.
[root@localhost .ssh]# su - xiaoming
[xiaoming@localhost ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/xiaoming/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/xiaoming/.ssh/id_rsa.
Your public key has been saved in /home/xiaoming/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:tPHxNpq/ncGllm2Xyk95duFNnjIPHTJFR5NibNa6KQU xiaoming@localhost.localdomain
The key's randomart image is:
+---[RSA 3072]----+
| . .++|
| E *.oo|
| o . = o. |
| . + o o. |
| S . =oooo|
| = ==BB|
| o .+*BX|
| ..oB=+|
| o++o |
+----[SHA256]-----+

Be sure to switch to the xiaoming user before generating the key pair.

4. Then use the scp command to send the public key into the hidden .ssh directories of xiaoming and xiaobei.

[xiaoming@localhost ~]$ scp -P 2000 /home/xiaoming/.ssh/id_rsa.pub xiaoming@192.168.147.38:/home/xiaoming/.ssh/
The authenticity of host '[192.168.147.38]:2000 ([192.168.147.38]:2000)' can't be established.
ECDSA key fingerprint is SHA256:LtNAcSYFse8nEl7hzPDpRbOzA+2NiwDkaRZVX29thNs.
Are you sure you want to continue connecting (yes/no/[fingerprint])? y
Please type 'yes', 'no' or the fingerprint: yses^H^H^H^C
[xiaoming@localhost ~]$ scp -P 2000 /home/xiaomin/.ssh//id_rsa.pub xiaoming@192.168.147.38:/home/xiaoming/
The authenticity of host '[192.168.147.38]:2000 ([192.168.147.38]:2000)' can't be established.
ECDSA key fingerprint is SHA256:LtNAcSYFse8nEl7hzPDpRbOzA+2NiwDkaRZVX29thNs.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.147.38]:2000' (ECDSA) to the list of known hosts.
xiaoming@192.168.147.38's password:
id_rsa.pub 100% 584 859.4KB/s 00:00

The path for sending it to xiaobei follows the same pattern, so I won't paste it here.

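5. On the server, log in as xiaoming and as xiaobei in turn and rename the id_rsa.pub file that was just transferred to authorized_keys (without the rename the system will not recognize it, because that file name is what the main configuration file specifies).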

[root@sever .ssh]# systemctl restart sshd
[root@sever .ssh]# mv id_rsa.pub authorized_keys
[root@sever .ssh]# cd /home/xiaobei/.ssh
[root@sever .ssh]# mv id_rsa.pub authorized_keys

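That essentially completes the lab. Now verify it: check whether the xiaoming user on the client needs a password to log in to the xiaoming and xiaobei users on the server.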

[xiaoming@localhost ~]$ ssh -i /home/xiaoming/.ssh/id_rsa -p 2000 xiaoming@192.168.147.38
Activate the web console with: systemctl enable --now cockpit.socket
This system is not registered to Red Hat Insights. See https://cloud.redhat.com/
To register this system, run: insights-client --register
Last login: Tue Dec 21 07:44:06 2021 from 192.168.147.130
[xiaoming@sever ~]$
[xiaoming@localhost ~]$ ssh -i /home/xiaoming/.ssh/id_rsa -p 2000 xiaobei@192.168.147.38
Activate the web console with: systemctl enable --now cockpit.socket
This system is not registered to Red Hat Insights. See https://cloud.redhat.com/
To register this system, run: insights-client --register
Last login: Tue Dec 21 07:44:47 2021 from 192.168.147.130
[xiaobei@sever ~]$

As you can see, we were not asked for a password during the remote login. The lab finally succeeded!!!
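
The step 1 configuration can be checked against the task before sshd is restarted. The script below is an added example, not part of the original post; the function names `sshd_values` and `audit_sshd` and the sample file are constructed here. It reads global settings only (it stops at the first Match line), and on the three lines shown in step 1 it reports that AllowUsers also admits root.

```shell
#!/bin/sh
# Added example: audit an sshd_config against this lab's goal
# (listen on port 2000 only; admit xiaoming and xiaobei only).

# Print the global values of one keyword, one per line. sshd keywords are
# case-insensitive, '#' lines are comments, and settings after the first
# "Match" line are conditional, so parsing stops there.
sshd_values() {  # usage: sshd_values <lowercase-keyword> <config-file>
  awk -v want="$1" '
    /^[ \t]*#/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == want { for (i = 2; i <= NF; i++) print $i }
  ' "$2"
}

# Print one line per finding; the exit status is the number of findings.
audit_sshd() (  # usage: audit_sshd <config-file>
  set -f  # AllowUsers entries may contain * or ?; do not glob-expand them
  n=0
  fail() { echo "FAIL: $*"; n=$((n + 1)); }
  ports=$(sshd_values port "$1" | sort -u | xargs)
  users=$(sshd_values allowusers "$1" | sort -u | xargs)
  [ "$ports" = "2000" ] || fail "Port is '${ports:-unset, default 22}', expected 2000"
  [ -n "$users" ] || fail "AllowUsers is unset, so logins are not limited by user name"
  for u in $users; do
    case $u in
      xiaoming|xiaobei) ;;
      *) fail "AllowUsers also admits '$u'" ;;
    esac
  done
  for u in xiaoming xiaobei; do
    case " $users " in
      *" $u "*) ;;
      *) fail "'$u' is missing from AllowUsers" ;;
    esac
  done
  [ "$n" -eq 0 ] && echo "OK: port 2000, AllowUsers limited to xiaoming and xiaobei"
  exit "$n"
)

# Constructed sample: the three lines shown in step 1 of this page.
demo_cfg=$(mktemp)
printf '%s\n' '#Port 22' 'port 2000' 'allowusers xiaoming xiaobei root' > "$demo_cfg"
audit_sshd "$demo_cfg" || echo "findings: $?"
rm -f "$demo_cfg"
```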
