跳到主要内容

ssh服务

[toc]

一、ssh禁止root远程登陆

1.编辑文件/etc/ssh/sshd_config

# 禁止root远程登陆
PermitRootLogin no

# 禁用密码验证
PasswordAuthentication no

# 启用密钥验证
RSAAuthentication yes //centos7没有这一项
PubkeyAuthentication yes

2.sudo免密配置等root权限用户

visudo或者编辑文件/etc/sudoers

# 创建一个用户
useradd lcc

# visudo编辑,101行写入以下内容
lcc ALL=NOPASSWD :ALL

3.配置ssh密钥

# 切换到lcc用户
su - lcc

# 生成密钥
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/lcc/.ssh/id_rsa):
Created directory '/home/lcc/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/lcc/.ssh/id_rsa.
Your public key has been saved in /home/lcc/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:nSW5jEvQwr8zPZok5CfK+fnrhPJfk2motWOgx1/eNZ4 lcc@experiment
The key's randomart image is:
+---[RSA 2048]----+
| |
| . . . |
| + . o . |
| + + = |
| . S = |
| o.o = o |
| .o=.@ X o |
| ..=oXo@ + o o |
| +o=*Xo. . E |
+----[SHA256]-----+


# 向authorized_keys文件写入公钥
cd .ssh && cat id_rsa.pub >authorized_keys

# 修改authorized_keys文件权限至少为644,默认为664,无法使用密钥登陆
chmod 644 authorized_keys
提示

⚠️ssh服务配置文件/etc/ssh/sshd_config中有一项配置是AuthorizedKeysFile .ssh/authorized_keys,如果想要使用私钥免密登陆,则公钥必须写入到文件.ssh/authorized_keys中,即注册私钥,否则免密会失败!!!

4.配置完后验证

# root无法远程登陆
baixuebingdeMacBook-Pro:~ baixuebing$ ssh root@10.0.0.13
root@10.0.0.13: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

# 无法使用密码登陆,只能使用密钥登陆
baixuebingdeMacBook-Pro:~ baixuebing$ ssh lcc@10.0.0.13
lcc@10.0.0.13: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

二、ssh免交互配置

ssh-keygen免交互生成密钥

# 免交互生成密钥
ssh-keygen -t rsa -f /root/.ssh/id_dsa -P "" -q

-f filename #指定密钥文件的文件名
-P passphrase #提供旧密钥口令
-q Silence ssh-keygen #静默输出
-t key type #密钥类型
dsa
ecdsa
ed25519
rsa(默认)
rsa1
提示

⚠️ssh服务配置文件/etc/ssh/sshd_config中有一项配置是AuthorizedKeysFile .ssh/authorized_keys,如果想要使用私钥免密登陆,则公钥必须写入到文件.ssh/authorized_keys中,即注册私钥,否则免密会失败!!!

ssh-copy免交互推送密钥

sshpass -p1 ssh-copy-id -i ~/.ssh/id_rsa.pub -o StrictHostKeyChecking=no root@IP

批量分发密钥脚本

#!/bin/bash

# 生成密钥
\rm -f /root/.ssh/id_*
ssh-keygen -t rsa -f /root/.ssh/id_rsa -P "" -q

# 分发密钥
for ip in IP
do
echo "=== 分发主机 10.0.0.$ip ==="
sshpass -p1 ssh-copy-id -i ~/.ssh/id_rsa.pub -o StrictHostKeyChecking=no root@10.0.0.$ip
echo "=== 分发ojbk ==="
echo ""
done

三、ssh自动断开远程服务器问题

编辑ssh服务配置文件/etc/ssh/sshd_config修改以下两项

# 向客户端每30秒发一次保持连接的信号
ClientAliveInterval 30

# 如果客户端30次未响应就断开连接
ClientAliveCountMax 30

重启服务

systemctl restart sshd
Right Bottom Gif
Right Top GIF