Passwordless SSH login, VPS security settings part 1

By admin on 13 April 2019

Passwordless remote SSH login

Environment: two CentOS virtual machines, 192.168.134.129 (used as the remote host) and 192.168.134.130.

First check the IP addresses of both Linux machines:

[root@promote ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.134.129  netmask 255.255.255.0  broadcast 192.168.134.255
        inet6 fe80::4881:9be0:2bb6:62e  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:eb:2d:01  txqueuelen 1000  (Ethernet)
        RX packets 145  bytes 18326 (17.8 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 144  bytes 23724 (23.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 64  bytes 5696 (5.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 64  bytes 5696 (5.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Now the other one:

[root@machine1 ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.134.130  netmask 255.255.255.0  broadcast 192.168.134.255
        inet6 fe80::4881:9be0:2bb6:62e  prefixlen 64  scopeid 0x20<link>
        inet6 fe80::134a:dd7d:6b15:96ea  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:42:f7:1d  txqueuelen 1000  (Ethernet)
        RX packets 127  bytes 15748 (15.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 134  bytes 21258 (20.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 64  bytes 5696 (5.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 64  bytes 5696 (5.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

First try logging in remotely from 192.168.134.130 to 192.168.134.129.

[root@machine1 ~]# ssh 192.168.134.129
The authenticity of host '192.168.134.129 (192.168.134.129)' can't be established.
ECDSA key fingerprint is SHA256:JqAC8jcLCLobvRy0wzY9VGBNuZU3EydpO8n2fEtQ178.
ECDSA key fingerprint is MD5:5d:26:a1:60:c3:eb:02:e9:97:7a:bb:7a:49:8a:14:0b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.134.129' (ECDSA) to the list of known hosts.
root@192.168.134.129's password:

We find that a password is required to log in. (On a first connection ssh also shows the remote host key fingerprint; compare it with the fingerprint printed by ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub on the server's own console before answering yes, otherwise a man-in-the-middle host would be trusted permanently.)
Now let's set up passwordless login.
First generate a key pair on 192.168.134.130.

[root@machine1 ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:pRHW15F3aA7esrPe39CEchPqzPCKAIKd/+4liaigyzo root@machine1
The key's randomart image is:
+---[RSA 2048]----+
|        o.   ..+ |
|       . .. o = o|
|        . .o =...|
| o .     +  o.oo |
|. + .   S . oo+ .|
|   + o .   *oo + |
|. . o + .   =o. .|
|E.   . + . ... ..|
|*+   o+ . ... ..o|
+----[SHA256]-----+

Then send this public key to the remote host 192.168.134.129:

[root@machine1 ~]# ssh-copy-id 192.168.134.129
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.134.129's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '192.168.134.129'"
and check to make sure that only the key(s) you wanted were added.

After the copy completes, edit the sshd configuration file /etc/ssh/sshd_config on the remote host 192.168.134.129.
Change the following two settings:
PubkeyAuthentication yes
PasswordAuthentication no
i.e. key login is set to yes and password login to no. Before restarting with password login disabled, confirm from a second terminal that the key login already works, otherwise a mistake in the key setup locks you out of the host.
Then restart the sshd service:

[root@machine1 ~]# systemctl restart sshd

Then from 192.168.134.130 try logging in to 192.168.134.129 without a password.

[root@machine1 ~]# ssh 192.168.134.129
Last login: Thu Jul 12 00:01:07 2018 from 192.168.134.1
[root@promote ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.134.129  netmask 255.255.255.0  broadcast 192.168.134.255
        inet6 fe80::4881:9be0:2bb6:62e  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:eb:2d:01  txqueuelen 1000  (Ethernet)
        RX packets 1927  bytes 207095 (202.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1693  bytes 174581 (170.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 64  bytes 5696 (5.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 64  bytes 5696 (5.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Passwordless login succeeded!
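The sshd_config edits above (PubkeyAuthentication / PasswordAuthentication) and the Port change described further down are both done by hand with vi. The helpers below are an added example, not code from the article: sshd uses the first uncommented value of each keyword, so a stray earlier line silently overrides the one you edited; sshd_effective reports what sshd will actually use and sshd_set edits the first line naming the keyword. The function names and the sample_config fragment are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original article. Helpers for editing
# sshd_config safely: sshd takes the FIRST uncommented value of a keyword,
# so sshd_set rewrites the first active-or-commented line for it (or inserts
# one before the first Match block, or appends). Both take the file as $1 so
# they can be tried on a scratch copy. "Keyword=value" syntax is not handled
# (assumption: the usual "Keyword value" form only).

# sshd_effective FILE KEYWORD -> print the effective value; exit 1 if unset.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }      # comments and blanks
        tolower($1) == "match" { exit 1 }                   # global section ends here
        tolower($1) == key { print $2; found = 1; exit 0 }  # first hit wins
        END { if (!found) exit 1 }
    ' "$1"
}

# sshd_set FILE KEYWORD VALUE -> make "KEYWORD VALUE" the effective setting.
sshd_set() {
    tmp="$1.tmp.$$"
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v line="$2 $3" '
        !done && tolower($1) == "match" { print line; done = 1 }  # insert before Match
        !done {
            t = $0; sub(/^[[:space:]]*#?[[:space:]]*/, "", t); split(t, f, /[[:space:]]+/)
            if (tolower(f[1]) == key) { print line; done = 1; next }  # replace line
        }
        { print }
        END { if (!done) print line }                       # no Match block: append
    ' "$1" > "$tmp" && cat "$tmp" > "$1" && rm -f "$tmp"    # keeps mode/owner of $1
}

# sample_config -> write a constructed sshd_config fragment (CentOS default
# layout plus a Match block) to a temp file and print its path.
sample_config() {
    f=$(mktemp)
    printf '%s\n' '# constructed sample' '#Port 22' '#PubkeyAuthentication yes' \
        '#PasswordAuthentication yes' 'PasswordAuthentication yes' \
        'Match User git' '    PasswordAuthentication no' > "$f"
    printf '%s\n' "$f"
}
```

After editing the real file, run sshd -t before restarting so a syntax error cannot take the service down.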

Preface

In earlier articles 老左 has already shared tutorials on installing lnmp and llsmp under CentOS or Debian. 老左 vouches that they work, because every one of them was written up with screenshots after doing the steps for real, and they let a VPS beginner learn step by step how to install the system and set up a website on a Linux VPS. The first time 老左 used a VPS he did not know how to install the environment and planned to ask an online acquaintance, who wanted 50 yuan for it; that is how he ended up teaching himself.

Once we have learned to set up a VPS and build a site, we also need to learn VPS security settings. A VPS differs from shared hosting: the hosting provider may back up a shared host and is responsible for its security, but for a VPS the provider is not responsible, so having chosen a VPS we must take care of security ourselves. Over the next few articles 老左 will share several basic Linux VPS security settings. Today's topic is changing the SSH port.

1. Preparation

Whether or not our site is well known, many hackers and rivals scan the ports of websites and VPS/hosts directly with tools, and everyone knows the VPS SSH port is 22. If we change the port, at the very least it is not found immediately. Because the port is left at the default, even a secure host accumulates large numbers of log entries, the failed attempts of brute-force password guessing.

To change the SSH port: log in via SSH, open the file with vi /etc/ssh/sshd_config, and change the number after Port. (You know the basics of vi, right? :wq saves and quits, a enters insert mode, Esc leaves the current mode.) Open the new port in the firewall (and, on CentOS, allow it in SELinux) before restarting sshd, and keep the current session open until a second login on the new port succeeds.

The last step is restarting ssh. Note that CentOS and Debian use different commands; this is a question many new webmasters run into with a VPS, so both are listed here.

CentOS restart SSH: service sshd restart
Debian restart SSH: service ssh restart

To see whether the change took effect, log in with PuTTY over SSH and try. 老左's test showed the change succeeded.

SSH is short for Secure Shell. It is currently a relatively reliable protocol designed to provide security for remote login sessions and other network services. More and more people use remote login, and the security of ssh is undoubtedly high, so today we look at how to configure ssh passwordless authentication.

First make sure ssh is installed on your Linux system. Ubuntu normally installs only the ssh client by default, so the ssh server has to be installed manually:

sudo apt-get install openssh-server

2. SSH basics

2.1 How it works

SSH can guarantee security because it uses public-key cryptography. The process is as follows:

  1. The remote host receives the user's login request and sends its public key to the user;
  2. The user encrypts the login password with this public key and sends it back;
  3. The remote host decrypts the login password with its own private key; if the password is correct, the user is allowed to log in.

2.2 Basic usage

The default SSH port is 22. It can be changed to another port as needed, combined with iptables filtering to restrict which IPs may log in over SSH. Common usage:

# using the default port 22
ssh root@192.168.0.1
# if the default SSH port was changed (for example to 10000), the port must be given at login
ssh root@192.168.0.1 -p 10000

3. Configuring passwordless SSH login

3.1 Mainly used in Hadoop cluster configuration:

While Hadoop runs it has to manage the remote Hadoop daemons: after Hadoop starts, the NameNode starts and stops the daemons on each DataNode over SSH (Secure Shell). Commands executed between nodes must therefore not prompt for a password, so SSH has to be configured for passwordless public-key authentication; the NameNode can then log in over SSH without a password and start the DataNode processes, and by the same principle each DataNode can log in to the NameNode without a password.

  1. First run ssh localhost to create the /home/<username>/.ssh directory, then run the commands below to append (append, not overwrite) the generated id_rsa.pub to the authorized keys. The effect is that the current user can SSH to itself without a password:

cd ~/.ssh  # if this directory does not exist, run "ssh localhost" first
ssh-keygen -t rsa
# append id_rsa.pub to authorized_keys
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

  2. To log in to other hosts without a password, simply append the generated id_rsa.pub to the other host's ~/.ssh/authorized_keys. The method used here is to first copy the local ~/.ssh/id_rsa.pub to the host you want to log in to, then on that host use cat to append the copied id_rsa.pub to that host's ~/.ssh/authorized_keys.

# assume our host is named A, user hadoop, ip 192.168.0.1
# the host we want passwordless SSH to is named B, user hadoop, ip 192.168.0.2

# first, as user hadoop on A, copy " ~/.ssh/id_rsa.pub " to B's " /home/hadoop/tmp/ " directory
scp ~/.ssh/id_rsa.pub hadoop@192.168.0.2:/home/hadoop/tmp
# the ip here may also be replaced by the hostname

# then ssh into B and append " /home/hadoop/tmp/id_rsa.pub " to " ~/.ssh/authorized_keys "
cat /home/hadoop/tmp/id_rsa.pub >> ~/.ssh/authorized_keys

Now we can SSH from A to B's hadoop user without a password, and the same method works for any other host. Note that when configuring a Hadoop cluster, Master and Slave need to be able to SSH to each other without a password.

How to use it

Specify the IP directly, then -i to specify the key file, then the user:

ssh 1.1.1.1 -i Test1 -l userxxx

Not specifying a user means logging in to the remote host with the user name you are currently logged in as locally. For example, if the local user is AAA, then:

ssh 1.1.1.1 -i Test1

is equivalent to

ssh 1.1.1.1 -i Test1 -l AAA

Note that the generated key is bound to specific users: the user who generated it, and the user on the remote host whose account stores its public key. The principle of ssh is that you give the public key to others and keep the private key yourself; other users on the remote host cannot see the public key a given user has accepted, so the relationship between users is one-to-one.

For example, if I generate a key as azuo1228 on test-server and copy it to the remote host dest-server, only the user under whose home directory on dest-server it is placed can be logged in to without a password; it does not mean that other users on the remote host can be logged in to without a password as well.

Getting started

1. Generate the key (just press Enter at each prompt):

[azuo1228@test-server ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/azuo1228/.ssh/id_rsa):
Created directory '/home/azuo1228/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/azuo1228/.ssh/id_rsa.
Your public key has been saved in /home/azuo1228/.ssh/id_rsa.pub.
The key fingerprint is:
d2:33:66:86:0a:b4:27:a9:86:92:24:ff:13:63:96:15 azuo1228@test-server
The key's randomart image is:
+--[ RSA 2048]----+
|   |
| E  |
| . .  |
| . o .o  |
|..= .oo S |
|++ +*. = o |
|=..o.o  |
|o ..  |
| ..  |
+-----------------+
[azuo1228@test-server ~]$ cd .ssh/
[azuo1228@test-server .ssh]$ dir
id_rsa id_rsa.pub

View the result:

[azuo1228@test-server .ssh]$ ll
total 8
-rw------- 1 azuo1228 administrator 1675 Dec 21 18:11 id_rsa
-rw------- 1 azuo1228 administrator 403 Dec 21 18:11 id_rsa.pub
[azuo1228@test-server .ssh]$ cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxp1CLe+v3L9OjlJCoBBMtQP5p2zQSACJuCD8rPRT2KQmLFznJo9ehTJQp3UfbSzAo3muudiJ9hvyL8f8hN05voXzBSyrul3v39iiqyPJGFbZhtlIsvVuHNEOVaa+StP/WVcH3nT50Y2TsIx0ikXUOVaaawHKUV3wBHlyLLANMAG8yOy4NIzCj++TO4n+66uyrgVvUfmZ02ALGGL0gUIV97tlhdwVQLG+2mJwSU0E3fksMVlhKxQrpaOx1OtObF0Xo4CmuuXAowtm/uW50gHRVYMA7N/VNgbWaa4hbypCV5m6UqF6P8bHp1Kgz0qm/U0ro1jFzNv1+fin2ZdwV1Ytr azuo1228@test-server

2. Copy it to the specified user's home directory on the remote host

You can see that a password is still required this time:

[azuo1228@test-server .ssh]$ scp id_rsa.pub azuo1228@10.148.167.106:/home/azuo1228
Access and Authorization to this server is controlled by Active Directory. Please login with your admin account.
azuo1228@10.148.167.106's password:
id_rsa.pub 100% 403 0.4KB/s 00:00

Test the login again: a password is required, it is not passwordless yet.

[azuo1228@test-server .ssh]$ ssh azuo1228@10.148.167.106
Access and Authorization to this server is controlled by Active Directory. Please login with your admin account.
azuo1228@10.148.167.106's password:
Last login: Wed Dec 21 18:07:21 2016 from shang1lu4gnl.ads.autodesk.com
Authorized uses only. All activity may be monitored and reported.
[azuo1228@dest-server ~]$

If .ssh does not exist, it has to be created:

[azuo1228@dest-server ~]$ mkdir .ssh
[azuo1228@dest-server ~]$ cd .ssh/
[azuo1228@dest-server .ssh]$ cat ../id_rsa.pub | tee -a authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxp1CLe+v3L9OjlJCoBBMtQP5p2zQSACJuCD8rPRT2KQmLFznJo9ehTJQp3UfbSzAo3muudiJ9hvyL8f8hN05voXzBSyrul3v39iiqyPJGFbZhtlIsvVuHNEOVaa+StP/WVcH3nT50Y2TsIx0ikXUOVaaawHKUV3wBHlyLLANMAG8yOy4NIzCj++TO4n+66uyrgVvUfmZ02ALGGL0gUIV97tlhdwVQLG+2mJwSU0E3fksMVlhKxQrpaOx1OtObF0Xo4CmuuXAowtm/uW50gHRVYMA7N/VNgbWaa4hbypCV5m6UqF6P8bHp1Kgz0qm/U0ro1jFzNv1+fin2ZdwV1Ytr azuo1228@test-server
[azuo1228@dest-server .ssh]$ ll
total 4
-rw-r--r-- 1 azuo1228 administrator 403 Dec 21 20:33 authorized_keys

The permissions need to be 600:

[azuo1228@dest-server .ssh]$ chmod 600 authorized_keys

[azuo1228@test-server .ssh]$ ssh azuo1228@10.148.167.106
Access and Authorization to this server is controlled by Active Directory. Please login with your admin account.
Last login: Wed Dec 21 20:32:08 2016 from c72
Authorized uses only. All activity may be monitored and reported.
[azuo1228@dest-server ~]$
[azuo1228@dest-server ~]$
[azuo1228@dest-server ~]$ exit
logout
Connection to 10.148.167.106 closed.

Logging in again, it is now passwordless:

[azuo1228@test-server .ssh]$ ssh 10.148.167.106
Access and Authorization to this server is controlled by Active Directory. Please login with your admin account.
Last login: Wed Dec 21 20:33:34 2016 from c72
Authorized uses only. All activity may be monitored and reported.

Trying to log in as the user zhour still asks for a password, which shows that the passwordless setup is one-to-one.

[azuo1228@test-server .ssh]$ ssh 10.148.167.106 -l zhour
Access and Authorization to this server is controlled by Active Directory. Please login with your admin account.
zhour@10.148.167.106's password:

Copy the public key to the other user zhour:

[azuo1228@test-server .ssh]$ scp id_rsa.pub zhour@10.148.167.106:/home/zhour
Access and Authorization to this server is controlled by Active Directory. Please login with your admin account.
zhour@10.148.167.106's password:
id_rsa.pub  100% 403 0.4KB/s 00:00

Logging in still requires a password:

[azuo1228@test-server .ssh]$ ssh 10.148.167.106 -l zhour
Access and Authorization to this server is controlled by Active Directory. Please login with your admin account.
zhour@10.148.167.106's password:
Last login: Wed Dec 21 17:55:32 2016 from shang1lu4gnl.ads.autodesk.com
Authorized uses only. All activity may be monitored and reported.

Add the public key for zhour:

[zhour@dest-server .ssh]$ cat ../id_rsa.pub | tee -a authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxp1CLe+v3L9OjlJCoBBMtQP5p2zQSACJuCD8rPRT2KQmLFznJo9ehTJQp3UfbSzAo3muudiJ9hvyL8f8hN05voXzBSyrul3v39iiqyPJGFbZhtlIsvVuHNEOVaa+StP/WVcH3nT50Y2TsIx0ikXUOVaaawHKUV3wBHlyLLANMAG8yOy4NIzCj++TO4n+66uyrgVvUfmZ02ALGGL0gUIV97tlhdwVQLG+2mJwSU0E3fksMVlhKxQrpaOx1OtObF0Xo4CmuuXAowtm/uW50gHRVYMA7N/VNgbWaa4hbypCV5m6UqF6P8bHp1Kgz0qm/U0ro1jFzNv1+fin2ZdwV1Ytr azuo1228@test-server

Now it is passwordless:

[azuo1228@test-server .ssh]$ ssh 10.148.167.106 -l zhour
Access and Authorization to this server is controlled by Active Directory. Please login with your admin account.
Last login: Wed Dec 21 20:34:49 2016 from c72
Authorized uses only. All activity may be monitored and reported.

Notes

Two points need attention:

After going passwordless, anything that travels over the ssh channel, such as scp, becomes passwordless as well;

The key is copied into the home directory of the specified user on the remote host; in the end, the account that no longer needs a password is that specified user on the remote host, not a user on the local host.
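The azuo1228 walkthrough above (mkdir .ssh, tee -a authorized_keys, chmod 600) and the cat >> ~/.ssh/authorized_keys step of the Hadoop section install a public key by hand. The helper below is an added example, not code from either article: it does the same install for one target user idempotently, validates the key line, and sets the modes sshd's StrictModes expects. The function names, the key_perms_ok audit and the sample key used in testing are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original articles: install a public key into
# a target user's authorized_keys the way the manual steps above do, but safely:
# validate the key line, skip duplicates (like ssh-copy-id's filter), and set the
# modes sshd requires under StrictModes (~/.ssh 700, authorized_keys 600).
# Usage: install_pubkey HOME_DIR PUBKEY_FILE   (HOME_DIR = the remote user's home)

install_pubkey() {
    home="$1"; pub="$2"
    dir="$home/.ssh"; auth="$dir/authorized_keys"
    keyline=$(head -n 1 "$pub")
    type=$(printf '%s' "$keyline" | awk '{ print $1 }')   # "ssh-rsa", "ssh-ed25519", ...
    blob=$(printf '%s' "$keyline" | awk '{ print $2 }')   # base64 key material
    case "$type" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unsupported key type: $type" >&2; return 2 ;;
    esac
    [ -n "$blob" ] || { echo "malformed key line" >&2; return 2; }
    # sshd (StrictModes yes, the default) ignores the file if ~/.ssh or
    # authorized_keys is writable by group/others, so fix the modes up front
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$auth" && chmod 600 "$auth"
    # duplicate check on the key blob only: the trailing comment is free text
    if grep -qF -- " $blob" "$auth"; then
        echo "already installed"; return 0
    fi
    printf '%s\n' "$keyline" >> "$auth"
    echo "installed"
}

# count_keys HOME_DIR -> number of key lines currently authorized for that user
count_keys() {
    [ -f "$1/.ssh/authorized_keys" ] || { echo 0; return; }
    awk '/^[a-z]/ { n++ } END { print n + 0 }' "$1/.ssh/authorized_keys"
}

# key_perms_ok HOME_DIR -> 0 when neither ~/.ssh nor authorized_keys grants any
# permission to group or others (stricter than StrictModes, which only rejects
# group/world-writable files); mode string taken from ls -ld, columns 5-10
key_perms_ok() {
    for f in "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] || return 1
    done
}
```

Run it as the target user (or as root followed by chown -R user: ~user/.ssh), since sshd also rejects the file when it is not owned by the logging-in user.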