SSH is a secure remote login service. It uses protocol version SSH v2, performs key exchange with the DH algorithm, and authenticates identity with RSA or DSA. SSH user login authentication is either password-based or key-based.
Preparation
The virtual machines used in this lab are:
(1) c6 --------- IP: 172.18.252.84
(2) c7 --------- IP: 172.18.253.104
(3) Mini6 ----- IP: 172.18.251.89
(4) Mini7 ----- IP: 172.18.250.11
Client package: openssh-clients.x86_64
Server package: openssh-server.x86_64
Client configuration file: /etc/ssh/ssh_config
Server configuration file: /etc/ssh/sshd_config
File that records the host keys of servers already logged into: /root/.ssh/known_hosts
1. Password-based SSH connections
Login flow for user-and-password authentication
1 The client sends an ssh request, and the server sends its public key to the user
2 The user encrypts the password with the public key sent by the server
3 The encrypted data is returned to the server, which decrypts it with its own private key; if the password is correct, the user is logged in
Security of SSH
On the first remote login to a host, the remote host's public key is saved in the file /root/.ssh/known_hosts, so that the host's identity can be confirmed on later connections and it cannot be impersonated or replaced. The following experiment demonstrates this.
Step 1: From c6, log into the Mini6 host at IP address 172.18.251.89 for the first time
[root@c6 ~]#ssh 172.18.251.89
The authenticity of host '172.18.251.89 (172.18.251.89)' can't be established.
RSA key fingerprint is 3d:25:b4:84:db:de:ef:e8:57:e9:79:10:cb:57:a6:a2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.18.251.89' (RSA) to the list of known hosts.
root@172.18.251.89's password:
Last login: Mon Sep 11 15:03:36 2017 from 192.168.10.1
[root@Mini6 ~]#
Step 2: Look at the host-key record file known_hosts on c6
[root@c6 ~]#cat .ssh/known_hosts
172.18.251.89 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8edaJKzACgj4cnfyGmjCy2p2vn87KAcm+i/5q5RadFUknS7ALyUxoMBMWz1VThdjoW4nII32qiRV+zoEYEn+ua5fc3ZtBmNZ+saeGeDApE6u0OsfHbBiR6lp97GbB1r1yi4ERgbZsRtlNpJPaHXoRKLx2VtiVQ5WHdBEPMoqXnoMbv54r7F3TvWIOGvDzzm9Xq0SCGUbWtz3M0PpxVVPTSb9RMgCLLt+qtWkkBL6G7WWQhMrc8fbKqzXZO26OUSW9nVowlDqkXXzHaGeNJvNyhkDSRXzCDV3GxSM7TksgCizaCY/ilTO77gZVzDZZyB870/j+uHaiPogdqcV1eLer
Step 3: Bring down the NIC on Mini6 that carries IP address 172.18.251.89
[root@Mini6 ~]#ifconfig eth1 down
[root@Mini6 ~]#ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:27:99:0c brd ff:ff:ff:ff:ff:ff
inet 192.168.10.129/24 brd 192.168.10.255 scope global eth0
inet6 fe80::20c:29ff:fe27:990c/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
link/ether 00:0c:29:27:99:16 brd ff:ff:ff:ff:ff:ff
inet 172.18.251.89/16 brd 172.18.255.255 scope global eth1
Step 4: Change Mini7's IP address to 172.18.251.89 to impersonate Mini6
[root@Mini7 network-scripts]#ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:fc:73:b3 brd ff:ff:ff:ff:ff:ff
inet 192.168.10.128/24 brd 192.168.10.255 scope global dynamic ens33
valid_lft 1797sec preferred_lft 1797sec
inet6 fe80::dc7d:7e:6cb9:fcd5/64 scope link
valid_lft forever preferred_lft forever
3: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:fc:73:bd brd ff:ff:ff:ff:ff:ff
inet 172.18.251.89/16 brd 172.18.255.255 scope global ens34
valid_lft forever preferred_lft forever
inet6 fe80::d46f:ec3b:310f:2e3a/64 scope link
valid_lft forever preferred_lft forever
Step 5: Log into 172.18.251.89 again from c6; an error is reported
[root@c6 ~]#ssh 172.18.251.89
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
17:f2:11:d1:ca:b1:42:3e:72:bc:29:26:0d:ba:69:67.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending key in /root/.ssh/known_hosts:1
RSA host key for 172.18.251.89 has changed and you have requested strict checking.
Host key verification failed.
Step 6: Restore Mini6's IP address and log into Mini6 from c6 again; the login now succeeds
[root@c6 ~]#ssh 172.18.251.89
root@172.18.251.89's password:
Last login: Mon Sep 11 16:27:20 2017 from 172.18.252.84
[root@Mini6 ~]#
Step 7: Look at Mini6's host public key; it is identical to the public key saved in c6's known_hosts file at login
[root@Mini6 ssh]#cat ssh_host_rsa_key.pub
172.18.251.89 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8edaJKzACgj4cnfyGmjCy2p2vn87KAcm+i/5q5RadFUknS7ALyUxoMBMWz1VThdjoW4nII32qiRV+zoEYEn+ua5fc3ZtBmNZ+saeGeDApE6u0OsfHbBiR6lp97GbB1r1yi4ERgbZsRtlNpJPaHXoRKLx2VtiVQ5WHdBEPMoqXnoMbv54r7F3TvWIOGvDzzm9Xq0SCGUbWtz3M0PpxVVPTSb9RMgCLLt+qtWkkBL6G7WWQhMrc8fbKqzXZO26OUSW9nVowlDqkXXzHaGeNJvNyhkDSRXzCDV3GxSM7TksgCizaCY/ilTO77gZVzDZZyB870/j+uHaiPogdqcV1eLer
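The comparison done by eye in step 7 can be scripted. The following is an added example, not part of the original lab: it recomputes the MD5 fingerprint that old OpenSSH prints at first connect ("RSA key fingerprint is ...") from a known_hosts line or a host key file, and reports whether the saved entry still matches what the server presents, which is exactly the check behind the "REMOTE HOST IDENTIFICATION HAS CHANGED!" warning in step 5. It assumes POSIX sh with coreutils base64 and md5sum; the key blobs are constructed sample data, not real host keys.

```shell
#!/bin/sh
# Added example (not part of the original lab): recompute an SSH host-key
# fingerprint and compare a known_hosts entry with a server's public host key
# file. Assumes POSIX sh plus coreutils base64 and md5sum; the key blobs below
# are constructed sample data, not real host keys.

# Print the base64 key blob: the field after the key type, so it works for both
# a known_hosts line ("host type blob") and a .pub file ("type blob comment").
key_blob() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^(ssh-|ecdsa-)/) { print $(i + 1); exit } }'
}

# MD5 fingerprint in the colon-separated form old OpenSSH prints in
# "RSA key fingerprint is ...": MD5 over the decoded blob, bytes joined by ':'.
# (Newer OpenSSH prints SHA256 fingerprints; ssh-keygen -lf -E md5 shows this form.)
fingerprint_md5() {
    key_blob | base64 -d | md5sum | cut -c1-32 | sed 's/../&:/g; s/:$//'
}

# Compare the known_hosts entry for HOST with the server's public host key file.
# Returns 0 on match, 1 when the fingerprints differ (the situation that triggers
# "REMOTE HOST IDENTIFICATION HAS CHANGED!"), 2 when HOST has no entry.
# Only unhashed entries with HOST as the first field are handled (no HashKnownHosts).
check_known_host() {
    known_hosts=$1; host=$2; hostkey_pub=$3
    entry=$(awk -v h="$host" '$1 == h { print; exit }' "$known_hosts")
    [ -n "$entry" ] || { echo "NO ENTRY: $host is not in $known_hosts"; return 2; }
    saved=$(printf '%s\n' "$entry" | fingerprint_md5)
    actual=$(fingerprint_md5 < "$hostkey_pub")
    if [ "$saved" = "$actual" ]; then
        echo "OK: $host matches $actual"
        return 0
    fi
    echo "CHANGED: known_hosts has $saved, server presents $actual"
    return 1
}

# Constructed sample keys (any valid base64 exercises the comparison logic).
KEY_MINI6=$(printf 'constructed host key blob for Mini6' | base64 | tr -d '\n')
KEY_MINI7=$(printf 'constructed host key blob for Mini7' | base64 | tr -d '\n')

# Stand-alone demo: a known_hosts holding Mini6's key, checked against both keys.
demo() {
    d=$(mktemp -d)
    printf '172.18.251.89 ssh-rsa %s\n' "$KEY_MINI6" > "$d/known_hosts"
    printf 'ssh-rsa %s root@Mini6\n' "$KEY_MINI6" > "$d/mini6.pub"
    printf 'ssh-rsa %s root@Mini7\n' "$KEY_MINI7" > "$d/mini7.pub"
    check_known_host "$d/known_hosts" 172.18.251.89 "$d/mini6.pub"   # OK
    check_known_host "$d/known_hosts" 172.18.251.89 "$d/mini7.pub"   # CHANGED
    rm -rf "$d"
}
demo
```

On a real host the fingerprint to compare against is read on the server itself (ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub) or obtained from the administrator out of band before answering "yes" at the first-connect prompt; once the entry is in known_hosts, ssh performs this comparison on every connection.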
Simulating IP address impersonation
During an SSH login the remote host's public key is saved and used to confirm the host: the saved public key is used to verify the remote host's private key, and that is how the host is checked. So to impersonate a host it is not enough to take over its IP address; the impersonator also needs that host's private key. In practice the private key is very hard to obtain; the following experiment is for demonstration and reference only.
Step 1: Copy Mini6's host private key file into the corresponding directory on Mini7, replacing Mini7's own private key file
[root@Mini6 ~]#scp ssh_host_rsa_key 172.18.253.104:/etc/ssh/
The authenticity of host '172.18.253.104 (172.18.253.104)' can't be established.
RSA key fingerprint is 4a:3c:ce:1a:3f:e1:76:9a:89:9e:b0:c8:ff:ac:9e:0d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.18.253.104' (RSA) to the list of known hosts.
root@172.18.253.104's password:
ssh_host_rsa_key 100% 1675 1.6KB/s 00:00
Step 2: Bring down the NIC on Mini6 that carries the IP address
[root@Mini6 ~]#ifconfig eth1 down
[root@Mini6 ~]#ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:27:99:0c brd ff:ff:ff:ff:ff:ff
inet 192.168.10.129/24 brd 192.168.10.255 scope global eth0
inet6 fe80::20c:29ff:fe27:990c/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
link/ether 00:0c:29:27:99:16 brd ff:ff:ff:ff:ff:ff
inet 172.18.251.89/16 brd 172.18.255.255 scope global eth1
Step 3: Change Mini7's IP address to 172.18.251.89
[root@Mini7 ~]#ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:32:35:10 brd ff:ff:ff:ff:ff:ff
inet 192.168.10.134/24 brd 192.168.10.255 scope global dynamic ens33
valid_lft 951sec preferred_lft 951sec
inet6 fe80::997a:4280:f508:a15b/64 scope link
valid_lft forever preferred_lft forever
3: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:32:35:1a brd ff:ff:ff:ff:ff:ff
inet 172.18.251.89/16 brd 172.18.255.255 scope global ens34
valid_lft forever preferred_lft forever
inet6 fe80::eaa:3e5a:d418:b3c3/64 scope link
valid_lft forever preferred_lft forever
Step 4: Log into 172.18.251.89 from c6 again; this time the connection lands on Mini7 rather than Mini6
[root@c6 ~]#ssh 172.18.251.89
root@172.18.251.89's password:
Last login: Mon Sep 11 17:05:19 2017 from 192.168.10.1
[root@Mini7 ~]#
Changing the SSH listening port
Step 1: Edit the server configuration file /etc/ssh/sshd_config, find Port 22 (the default port is 22), and change the port number to 2234
[root@Mini6 ~]#vim /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
Port 2234
Step 2: Because the port is now a non-standard port, SELinux and the iptables firewall have to be turned off
[root@Mini6 ~]#vim /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
[root@Mini6 ~]#service iptables stop
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]
[root@Mini6 ~]#iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Step 3: Restart the sshd service and check the listening port
[root@Mini6 ~]#service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
[root@Mini6 ~]#ss -nl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 100 ::1:25 :::*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 :::2234 :::*
LISTEN 0 128 *:2234 *:*
Step 4: Log into 172.18.251.89 from c6 again
Because the sshd port has changed, a plain ssh command to 172.18.251.89 no longer works: the system reports that the target cannot be reached
[root@c6 ~]#ssh 172.18.251.89
ssh: connect to host 172.18.251.89 port 22: Connection refused
Specifying port 2234 with the -p option on the remote login makes the connection succeed
[root@c6 ~]#ssh 172.18.251.89 -p 2234
root@172.18.251.89's password:
Last login: Mon Sep 11 16:27:45 2017 from 172.18.252.84
[root@Mini6 ~]#
Edit the local client configuration file /etc/ssh/ssh_config and set the default Port to 2234; c6 can then log into Mini6 on port 2234 directly
[root@c6 ~]#vim /etc/ssh/ssh_config
# GSSAPITrustDNS no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
Port 2234
[root@c6 ~]#ssh 172.18.251.89
root@172.18.251.89's password:
Last login: Mon Sep 11 18:42:43 2017 from 172.18.252.84
[root@Mini6 ~]#
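Step 1 edits sshd_config by hand in vim. The following is an added example, not part of the original lab: a small script that changes a directive idempotently (replacing both the commented-out default and any existing active line, so repeated runs never leave two Port lines) and lists the values sshd will actually use, which matters because sshd listens on every Port line it finds, so a leftover "Port 22" keeps the old port open. It assumes POSIX sh and awk; the sshd_config excerpt in the demo is constructed, not the file from the lab hosts.

```shell
#!/bin/sh
# Added example (not part of the original lab): change an sshd_config directive
# from a script instead of vim, and list the values sshd will actually use.
# Assumes POSIX sh and awk; the sshd_config content in the demo is a constructed
# excerpt, not the file from the lab hosts.

# Replace every active "KEY ..." line and the commented-out default "#KEY ..."
# with "KEY VALUE" at the position of the first one, or append the directive if
# the file has neither. Running it twice leaves one line, not two. Keywords are
# matched as spelled in the shipped file (sshd itself is case-insensitive), and
# Match blocks are not understood.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        $1 == key || $1 == ("#" key) {
            if (!done) { print key, value; done = 1 }
            next                      # drop duplicates and the commented default
        }
        { print }
        END { if (!done) print key, value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Print the active values of KEY in the global section, one per line. Port and
# ListenAddress accumulate (sshd listens on every Port line), so "Port 22" left
# next to "Port 2234" keeps port 22 open; anything after a Match line is
# conditional and is left out here.
sshd_option_values() {
    awk -v key="$2" '
        $1 == "Match" { exit }
        $1 == key { print $2 }
    ' "$1"
}

# Stand-alone demo on a constructed excerpt of the shipped sshd_config.
demo() {
    d=$(mktemp -d)
    printf '#Port 22\n#AddressFamily any\nPermitRootLogin yes\n' > "$d/sshd_config"
    set_sshd_option "$d/sshd_config" Port 2234
    set_sshd_option "$d/sshd_config" Port 2234          # idempotent: still one line
    set_sshd_option "$d/sshd_config" PasswordAuthentication no
    cat "$d/sshd_config"
    echo "listening ports: $(sshd_option_values "$d/sshd_config" Port | tr '\n' ' ')"
    rm -rf "$d"
}
demo
```

After editing the real file, sshd -t checks the syntax before service sshd restart, and ss -nl (as in step 3) confirms the new port. On a host where SELinux and iptables stay enabled, semanage port -a -t ssh_port_t -p tcp 2234 labels the new port for sshd and iptables -I INPUT -p tcp --dport 2234 -j ACCEPT lets it through, which avoids the wholesale disabling done in step 2 (an alternative added here, not part of the lab).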
SSH jump connections
In production, some servers allow logins only from one particular host, so other machines must go through that host to reach the server. The -t option of the ssh command performs such a jump login; the following simulates it
Step 1: On Mini6, reject traffic coming from 172.18.252.84
[root@Mini6 ~]#iptables -A INPUT -s 172.18.252.84 -j REJECT
Step 2: Use c7 as the jump host so that c6 can log into Mini6 remotely; the login asks for the passwords of both the jump host and the target host
[root@c6 ~]#ssh -t 172.18.253.104 ssh 172.18.251.89
root@172.18.253.104's password:
root@172.18.251.89's password:
Last login: Mon Sep 11 21:06:38 2017 from 172.18.253.104
[root@Mini6 ~]#
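Typing ssh -t jump ssh target every time is error-prone, and the earlier global "Port 2234" in ssh_config applies to every host. The following is an added example, not part of the original lab: it writes a per-host client stanza that records the target, its port and the jump host, and includes a resolver that shows which value ssh actually uses, since ssh_config keeps the first value obtained for each option (so host-specific stanzas must precede "Host *"). ProxyJump requires OpenSSH 7.3 or newer, an assumption about the client, not something the lab's CentOS 6 client has; the alias, file and hosts in the demo are constructed.

```shell
#!/bin/sh
# Added example (not part of the original lab): put the jump route into a client
# config stanza instead of retyping "ssh -t jump ssh target", and resolve which
# value ssh will use when several stanzas apply. ProxyJump needs OpenSSH 7.3+
# (assumption about the client). The alias, hosts and file are constructed.

# Append a stanza: ALIAS reaches TARGET on PORT through the jump host JUMP.
write_jump_stanza() {
    file=$1; alias=$2; target=$3; port=$4; jump=$5
    {
        printf 'Host %s\n' "$alias"
        printf '    HostName %s\n' "$target"
        printf '    Port %s\n' "$port"
        printf '    ProxyJump %s\n' "$jump"
        printf '    StrictHostKeyChecking yes\n'
    } >> "$file"
}

# Resolve OPTION for HOST the way ssh_config works: the FIRST value obtained
# wins, and a Host line selects its block until the next Host line, so
# host-specific stanzas must come before "Host *". Patterns are shell globs;
# negated "!pattern", Match blocks and "Key=value" spelling are not handled,
# and keywords are matched as written (Host, Port, ...).
ssh_config_effective() {
    file=$1; host=$2; option=$3
    active=1; value=""            # lines before any Host line apply to every host
    set -f                        # keep "Host *" from expanding to file names
    while read -r key rest || [ -n "$key" ]; do
        case $key in ''|'#'*) continue ;; esac
        if [ "$key" = Host ]; then
            active=0
            for pat in $rest; do
                case $host in $pat) active=1 ;; esac
            done
        elif [ "$active" -eq 1 ] && [ "$key" = "$option" ] && [ -z "$value" ]; then
            value=$rest
        fi
    done < "$file"
    set +f
    printf '%s\n' "$value"
}

# Stand-alone demo: a stanza for Mini6 through c7, followed by a "Host *" default.
demo() {
    d=$(mktemp -d)
    write_jump_stanza "$d/config" mini6 172.18.251.89 2234 172.18.253.104
    printf 'Host *\n    Port 22\n    ServerAliveInterval 30\n' >> "$d/config"
    cat "$d/config"
    echo "mini6 -> port $(ssh_config_effective "$d/config" mini6 Port), via $(ssh_config_effective "$d/config" mini6 ProxyJump)"
    echo "c7    -> port $(ssh_config_effective "$d/config" c7 Port)"
    rm -rf "$d"
}
demo
```

With the stanza in ~/.ssh/config, "ssh mini6" performs the same two-hop login as the -t command above, and host key checking is enforced on both hops. On clients older than 7.3 the equivalent line is ProxyCommand ssh -W %h:%p 172.18.253.104 in place of ProxyJump.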
Key-based remote connections
In production an operator maintains many machines and logs into different ones all the time; entering a password on every login greatly reduces efficiency. Key-based authentication solves this problem.
Key-based login flow
1 First generate a key pair on the client (ssh-keygen)
2 Copy the client's public key to the server with ssh-copy-id
3 When the client sends another connection request, it includes the IP and the user name
4 On receiving the request, the server looks in authorized_keys; if there is a matching IP and user, it generates a random string, for example acdf
5 The server encrypts it with the public key copied over from the client and sends it to the client
6 On receiving the server's message, the client decrypts it with its private key and sends the decrypted string back to the server
7 On receiving the client's string, the server compares it with the original; if they match, password-less login is allowed
The following experiment sets up key-based login from c6 to Mini6
Step 1: Generate c6's key pair. -t selects the rsa algorithm and -P '' sets an empty passphrase for the private key. The default directory is /root/.ssh/, the private key file is id_rsa and the public key file is id_rsa.pub
[root@c6 ~]#ssh-keygen -t rsa -P ''
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
f9:fc:db:08:05:6e:a2:58:6f:43:06:0b:b0:3d:a4:d0 root@c6
The key's randomart image is:
+--[ RSA 2048]----+
|... . |
| .E* |
| o + . . |
| o o o . |
| o S o . |
| o = = . |
| . . + + |
| . . o o |
| +.. |
+-----------------+
[root@c6 ~]#ls /root/.ssh/
id_rsa id_rsa.pub known_hosts
Step 2: Copy the public key file from c6 to the host to be connected to, Mini6
-i names the public key file to copy. ssh-copy-id copies the public key to the remote host even if the file named is the private key file; compared with copying by scp, this avoids fixing paths and file names and avoids copying the private key by mistake.
[root@c6 ~]#ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.18.251.89
root@172.18.251.89's password:
Now try logging into the machine, with "ssh 'root@172.18.251.89'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[root@Mini6 ~]#ls .ssh/
authorized_keys known_hosts
Step 3: Connect from c6 directly to Mini6
[root@c6 ~]#ssh 172.18.251.89
Last login: Mon Sep 11 21:06:50 2017 from 172.18.253.104
[root@Mini6 ~]#
Copying the public key to every host that needs direct access allows direct operation on many hosts
With key-based connections, working on remote hosts becomes much easier: commands can be run on the remote host directly from the local machine
[root@c6 ~]#ssh 172.18.251.89 'hostname'
Mini6
[root@c6 ~]#
[root@c6 ~]#ssh 172.18.251.89 'ifconfig eth1'
eth1 Link encap:Ethernet HWaddr 00:0C:29:27:99:16
inet addr:172.18.251.89 Bcast:172.18.255.255 Mask:255.255.0.0
inet6 addr: fe80::20c:29ff:fe27:9916/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:432507 errors:0 dropped:0 overruns:0 frame:0
TX packets:87108 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:286056641 (272.8 MiB) TX bytes:6116023 (5.8 MiB)
The private key file is important! Copying the private key to another host gives that host direct login
Step 1: Copy the private key from c6 to c7
[root@c6 ~]#scp .ssh/id_rsa root@172.18.253.104:/root/.ssh/
root@172.18.253.104's password:
id_rsa 100% 1671 1.6KB/s 00:00
Step 2: Log into Mini6 directly from c7
[root@c7 ~]#ssh 172.18.251.89
Last login: Mon Sep 11 22:02:35 2017 from 192.168.10.1
[root@Mini6 ~]#
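The ssh-copy-id output in the previous section asks you to check authorized_keys for keys you did not expect, and the copy of id_rsa to c7 just shown logs in because authorized_keys on Mini6 accepts that key from any client address. The following is an added example, not part of the original lab, that serves both points: it audits an authorized_keys file, printing each key's type, comment and options and flagging keys usable from any source, and pins a chosen key with the from= option so that sshd accepts it only from the listed client address or pattern; after pinning c6's key to 172.18.252.84, the same private key presented from c7 would be refused. It assumes POSIX sh and awk; the authorized_keys lines are constructed sample data with fake key blobs.

```shell
#!/bin/sh
# Added example (not part of the original lab): audit an authorized_keys file
# after ssh-copy-id, and pin a key to the client address it is meant to be used
# from, so a private key copied to another machine is refused from there.
# Assumes POSIX sh and awk; the authorized_keys lines in the demo are
# constructed sample data with fake key blobs.

# awk helper shared by both functions: field number of the key type
# (ssh-rsa, ssh-ed25519, ecdsa-..., sk-...), or 0 if the line has none.
AWK_KEY_INDEX='function key_index(   i) {
    for (i = 1; i <= NF; i++) if ($i ~ /^(ssh-|ecdsa-|sk-)/) return i
    return 0
}'

# One line per key: whether it is pinned with from=, its type, comment, options.
# Options containing quoted spaces (command="a b") are re-joined with single spaces.
authorized_keys_audit() {
    awk "$AWK_KEY_INDEX"'
        /^[ \t]*(#|$)/ { next }
        {
            i = key_index()
            if (i == 0) { printf "line %d: unparseable\n", NR; next }
            opts = ""
            for (j = 1; j < i; j++) opts = opts (j > 1 ? " " : "") $j
            status = (opts ~ /(^|,)from=/) ? "pinned" : "ANY-SOURCE"
            printf "%-10s %s %s [%s]\n", status, $i, (i < NF ? $NF : "-"), opts
        }' "$1"
}

# Prepend from="SOURCE" to the key whose comment is COMMENT, unless it already
# has a from= option. SOURCE is a pattern list as sshd accepts it, e.g.
# "172.18.252.84,172.18.253.*". Existing options are kept after the from=.
pin_key_source() {
    file=$1; comment=$2; source=$3
    tmp="$file.tmp.$$"
    awk -v comment="$comment" -v src="$source" "$AWK_KEY_INDEX"'
        /^[ \t]*(#|$)/ { print; next }
        {
            i = key_index()
            if (i == 0 || i == NF || $NF != comment || $0 ~ /(^|[ ,])from=/) { print; next }
            opts = ""
            for (j = 1; j < i; j++) opts = opts (j > 1 ? " " : "") $j
            rest = ""
            for (j = i; j <= NF; j++) rest = rest (j > i ? " " : "") $j
            print "from=\"" src "\"" (opts != "" ? "," opts : "") " " rest
        }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Stand-alone demo: c6's key (unpinned) and a command-restricted deploy key.
demo() {
    d=$(mktemp -d)
    printf 'ssh-rsa AAAAconstructedKeyOne root@c6\n# deploy key\nno-pty,command="/usr/bin/uptime" ssh-ed25519 AAAAconstructedKeyTwo deploy\n' > "$d/authorized_keys"
    echo "before:"; authorized_keys_audit "$d/authorized_keys"
    pin_key_source "$d/authorized_keys" root@c6 172.18.252.84   # only c6's address may use it
    echo "after:";  authorized_keys_audit "$d/authorized_keys"
    rm -rf "$d"
}
demo
```

Run the audit as the target user on each host that received a key (here /root/.ssh/authorized_keys on Mini6). A from= pin does not replace a passphrase on the private key, but it limits where a leaked copy can be used from, and sshd logs the refusal.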
A host holding the private key is unaffected by password changes on the hosts it connects to directly, so to keep the private key safe it is usually encrypted with a passphrase
ssh-keygen -p finds the private key file directly and encrypts it
[root@c6 ~]#ssh-keygen -p
Enter file in which the key is (/root/.ssh/id_rsa):
Key has comment '/root/.ssh/id_rsa'
Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved with the new passphrase.
After the private key is encrypted, logging into the remote host directly from this machine requires entering the private key's passphrase once, and only once
[root@c6 ~]#ssh 172.18.251.89
Enter passphrase for key '/root/.ssh/id_rsa':
Last login: Mon Sep 11 22:23:18 2017 from 172.18.252.84
[root@Mini6 ~]#
Enabling an agent to hold the passphrase
Start an agent with ssh-agent bash and hand the private key's passphrase to it; the next time the public key is passed to another host, you can log in directly without entering the passphrase. The following experiment copies c6's public key to Mini7 and skips the passphrase prompt on the first login
[root@c6 ~]#ssh-agent bash
[root@c6 ~]#ssh-add
Enter passphrase for /root/.ssh/id_rsa:
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
[root@c6 ~]#ssh-copy-id -i /root/.ssh/id_rsa root@172.18.250.11
The authenticity of host '172.18.250.11 (172.18.250.11)' can't be established.
RSA key fingerprint is 17:f2:11:d1:ca:b1:42:3e:72:bc:29:26:0d:ba:69:67.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.18.250.11' (RSA) to the list of known hosts.
root@172.18.250.11's password:
Now try logging into the machine, with "ssh 'root@172.18.250.11'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[root@c6 ~]#ssh 172.18.250.11
Last login: Mon Sep 11 18:17:12 2017 from 192.168.10.1
[root@Mini7 ~]#
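The private key generated in step 1 of the key-based section (-P '') sat unprotected on disk until ssh-keygen -p was run, and the copy scp'd to c7 is still unprotected there. The following is an added example, not part of the original lab: it detects private keys that have no passphrase by inspecting the file format, both the legacy PEM files that ssh-keygen on the lab's CentOS 6 writes (an encrypted key carries a "Proc-Type: 4,ENCRYPTED" header) and the newer openssh-key-v1 files (whose decoded header names the cipher and KDF, both "none" when unprotected), and lists the unprotected ones under a directory. It assumes POSIX sh with grep, sed and coreutils base64, head and tr; the key files in the demo are constructed stubs with valid headers and fake key material.

```shell
#!/bin/sh
# Added example (not part of the original lab): find private keys that have no
# passphrase. Assumes POSIX sh, grep, sed and coreutils base64/head/tr; the key
# files made by make_sample_keys are constructed stubs with fake key material.

# 0 = passphrase-protected, 1 = unprotected, 2 = not a recognised private key file.
key_is_encrypted() {
    file=$1
    if grep -q '^-----BEGIN OPENSSH PRIVATE KEY-----' "$file"; then
        # openssh-key-v1 format: magic "openssh-key-v1\0", then length-prefixed
        # cipher and KDF names; both are "none" when no passphrase was set.
        header=$(sed -n '/^-----BEGIN/,/^-----END/{/^-----/!p;}' "$file" \
                 | base64 -d 2>/dev/null | head -c 48 | tr -c '[:print:]' ' ')
        case $header in
            *openssh-key-v1*none*none*) return 1 ;;
            *openssh-key-v1*)           return 0 ;;
            *)                          return 2 ;;
        esac
    elif grep -q '^-----BEGIN .*PRIVATE KEY-----' "$file"; then
        # Legacy PEM (what ssh-keygen on CentOS 6 writes): an encrypted key
        # carries "Proc-Type: 4,ENCRYPTED" and a DEK-Info header.
        grep -q '^Proc-Type: 4,ENCRYPTED' "$file" && return 0
        return 1
    fi
    return 2
}

# Print the path of every unprotected private key directly under DIR.
unprotected_keys() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        rc=0; key_is_encrypted "$f" || rc=$?
        [ "$rc" -eq 1 ] && printf '%s\n' "$f"
    done
    return 0
}

# Constructed fixtures: two openssh-key-v1 stubs (cipher/KDF "none" vs
# aes256-ctr/bcrypt), two PEM stubs (plain vs Proc-Type ENCRYPTED), one .pub.
make_sample_keys() {
    d=$1
    plain=$(printf 'openssh-key-v1\000\000\000\000\004none\000\000\000\004none\000\000\000\000' | base64 | tr -d '\n')
    crypt=$(printf 'openssh-key-v1\000\000\000\000\012aes256-ctr\000\000\000\006bcrypt' | base64 | tr -d '\n')
    printf -- '-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n' "$plain" > "$d/id_ed25519_plain"
    printf -- '-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n' "$crypt" > "$d/id_ed25519_pass"
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructed\n-----END RSA PRIVATE KEY-----\n' > "$d/id_rsa_plain"
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\nMIIEconstructed\n-----END RSA PRIVATE KEY-----\n' > "$d/id_rsa_pass"
    printf 'ssh-rsa AAAAconstructed root@c6\n' > "$d/id_rsa.pub"
}

demo() {
    d=$(mktemp -d)
    make_sample_keys "$d"
    echo "unprotected private keys:"; unprotected_keys "$d"
    rm -rf "$d"
}
demo
```

Without an agent, every new ssh connection prompts for the passphrase of a protected key; the agent started above caches the decrypted key in memory so the prompt happens once per agent session. The portable way to start one is eval "$(ssh-agent -s)", ssh-add -t 3600 limits how long the key stays loaded, ssh-add -l lists loaded keys, ssh-add -D removes them, and ssh-agent -k stops the agent.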