The sshd service and its management commands on Linux

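1. Introduction to sshd

sshd = secure shell
It lets you open a shell on a host over the network.
Client software: sshd
Ways to connect:

ssh username@ip            ## text-mode connection
ssh -X  username@ip        ## allows graphical programs to be started once connected
ssh username@ip -X command     ## run a command directly
  • Note: the first time you connect to an unfamiliar host, an authentication record has to be created, so ssh asks whether to create it and you must enter yes. On later connections to the same host the ~/.ssh/known_hosts file has already been generated, so you do not need to enter yes again.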

Remote management

 scp  file  root@ip:dir   ## upload
 scp  root@ip:file  dir   ## download

2. Key authentication for sshd

  1. Command to generate the key pair
    ssh-keygen
   Generating public/private rsa key pair.
   Enter file in which to save the key (/root/.ssh/id_rsa): # file that will hold the key (use the default)
   Enter passphrase (empty for no passphrase): # set a passphrase (use the default)
   Enter same passphrase again: # confirm the passphrase (use the default)
   Your identification has been saved in /root/.ssh/id_rsa. # private key (the key)
   Your public key has been saved in /root/.ssh/id_rsa.pub. # public key (the lock)
   The key fingerprint is:
   cd:0b:9b:3e:ea:4c:cb:89:4f:9e:e4:8f:be:12:c3:85 [email protected]
   The key's randomart image is:
   +--[ RSA 2048]----+
   |                 |
   |                 |
   |     .           |
   |    E .  o       |
   |   . .  S o      |
   |    +    + .     |
   |     o+ o .      |
   |    .X *.        |
   |    .=/+o.       |
   +-----------------+
  2. Lock the service
ssh-copy-id -i /root/.ssh/id_rsa.pub username@ip
The authenticity of host '172.25.254.138 (172.25.254.138)' can't be established.
ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
Are you sure you want to continue connecting (yes/no)? yes 
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password: 
    
Number of key(s) added: 1
    
Now try logging into the machine, with:   "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.
[root@server38 .ssh]# ls
authorized_keys  id_rsa  id_rsa.pub  known_hosts
         ^
 The appearance of this file indicates that the lock is in place
  3. Distribute the key
    scp /root/.ssh/id_rsa username@ip:/root/.ssh/

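3. Security settings for sshd

PasswordAuthentication yes|no    ## whether users may authenticate to sshd with their system login password
PermitRootLogin yes|no           ## whether the root user may authenticate through the sshd service
AllowUsers student westos        ## set a user allowlist; once an allowlist exists, users not on the list cannot use sshd by default
DenyUsers westos                 ## set a user denylist; once a denylist exists, users not on the list can use sshd by default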
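
The directives above interact, so here is an added example (not part of the original post) that reads a config file and reports whether a given user could log in, applying DenyUsers before AllowUsers as sshd does. The function names and the sample file are constructed for illustration; it assumes plain user names (no user@host or wildcard patterns) and no Match blocks.

```sh
# Added example: evaluate the four directives from section 3 for one user.
# Assumes plain user names (no user@host or wildcard patterns) and no Match
# blocks; parsing stops at the first Match line.

# sshd_value KEYWORD FILE: first value found (sshd uses the first occurrence)
sshd_value() {
    awk -v k="$1" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { print $2; exit }
    ' "$2"
}

# sshd_users KEYWORD FILE: names from every matching line, one per line
sshd_users() {
    awk -v k="$1" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { for (i = 2; i <= NF; i++) print $i }
    ' "$2"
}

# ssh_login_check USER FILE: prints "allow" or "deny: <reason>"
ssh_login_check() {
    user=$1 file=$2
    if [ "$user" = root ] && [ "$(sshd_value PermitRootLogin "$file")" = no ]; then
        echo "deny: PermitRootLogin no"; return
    fi
    # DenyUsers is evaluated before AllowUsers, so a name on both lists is denied
    if sshd_users DenyUsers "$file" | grep -qxF -- "$user"; then
        echo "deny: listed in DenyUsers"; return
    fi
    allow=$(sshd_users AllowUsers "$file")
    if [ -n "$allow" ] && ! printf '%s\n' "$allow" | grep -qxF -- "$user"; then
        echo "deny: not in AllowUsers"; return
    fi
    echo allow
}

# Constructed sample file holding the values shown in section 3
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
printf '%s\n' 'PasswordAuthentication no' 'PermitRootLogin no' \
    'AllowUsers student westos' 'DenyUsers westos' > "$sample"
for u in root student westos kiosk; do
    printf '%s: %s\n' "$u" "$(ssh_login_check "$u" "$sample")"
done
```

On a real server, point the functions at a copy of the sshd configuration file instead of the constructed sample.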

4. Adding an sshd login message

[root@desktop0 ~]# cat /etc/motd 
welcome~
[root@desktop0 ~]# exit
logout
Connection to 172.25.0.10 closed.
[kiosk@foundation0 ~]$ ssh [email protected]
Last login: Sat Jan 12 13:36:03 2019 from 172.25.0.250
welcome~

5. User login auditing

w  # show the users currently using this system
 13:37:03 up  4:27,  3 users,  load average: 0.00, 0.01, 0.05
USER     TTY        LOGIN@   IDLE   JCPU   PCPU WHAT
root     :0        09:09   ?xdm?  26.97s  0.12s gdm-session-worker [pam/gdm-passwo
root     pts/0     09:09    4:27m  0.02s  0.02s /bin/bash
root     pts/1     13:36    7.00s  0.03s  0.01s w

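w -f # show where each session comes from
w -i # show IP addresses
/var/run/utmp

last # show information about users who logged in and have since logged out  /var/log/wtmp

lastb  # users who tried to log in but did not succeed /var/log/btmp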


Reposted from blog.csdn.net/weixin_44306061/article/details/88964737