SSH is an encrypted protocol that secures network connections. On Linux, SSH is used to connect to other servers or remote devices, run CLI commands on them, and transfer files through them.
Accessing a remote command line with SSH
- Log in as the current user (the local user name is used on the remote side)
-- ssh remotehost
- Log in as a specified user
-- ssh username@remotehost
- Log in as a specified user and run a command on the remote system
-- ssh username@remotehost command
# log in as the current user
[root@myhost ~]# ssh 192.168.2.102
root@192.168.2.102's password:
Last login: Wed Apr 26 02:06:39 2023 from desktop-up0o41n.lan
[root@serverb ~]#
# log in as a specified user
[root@myhost ~]# ssh user@192.168.2.102
user@192.168.2.102's password:
Last login: Wed Apr 26 01:21:48 2023
[user@serverb ~]$
# run a command on the remote system as a specified user
[root@myhost ~]# ssh user@192.168.2.102 pwd
user@192.168.2.102's password:
/home/user
- Identifying remote users
-- w shows the users currently logged in to the machine, the terminal each one holds and where they connected from
-- grep sshd /var/log/secure shows the sshd login log (RHEL-family systems; Debian-family systems write it to /var/log/auth.log, and on systemd hosts journalctl -u sshd, or -u ssh on Debian, gives the same records)
[user@serverb ~]$ w
19:37:13 up 5 days, 18:55, 3 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 desktop-up0o41n. 二01 17:53 0.10s 0.10s -bash
root pts/1 desktop-up0o41n. 02:06 59:21 0.10s 0.10s -bash
user pts/2 gateway 19:29 1.00s 0.04s 0.01s w
[root@serverb ~]# tail -10 /var/log/secure
Apr 26 19:28:17 serverb sshd[14072]: Received disconnect from 192.168.2.100 port 35388:11: disconnected by user
Apr 26 19:28:17 serverb sshd[14072]: Disconnected from 192.168.2.100 port 35388
Apr 26 19:28:17 serverb sshd[14065]: pam_unix(sshd:session): session closed for user user
Apr 26 19:29:04 serverb sshd[14118]: Accepted password for user from 192.168.2.100 port 35390 ssh2
Apr 26 19:29:04 serverb sshd[14118]: pam_unix(sshd:session): session opened for user user by (uid=0)
Apr 26 19:30:38 serverb sudo: user : TTY=pts/2 ; PWD=/home/user ; USER=root ; COMMAND=/bin/bash
Apr 26 19:30:38 serverb sudo: pam_unix(sudo-i:session): session opened for user root by user(uid=0)
Apr 26 19:36:50 serverb sudo: pam_unix(sudo-i:session): session closed for user root
Apr 26 19:37:48 serverb sudo: user : TTY=pts/2 ; PWD=/home/user ; USER=root ; COMMAND=/bin/bash
Apr 26 19:37:48 serverb sudo: pam_unix(sudo-i:session): session opened for user root by user(uid=0)
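As an added example (not from the original notes), the following shell function does what the grep above does by hand: it runs over sshd lines in the /var/log/secure format and summarises, per source address, how many logins succeeded, how many failed and which user names were tried, so a password-guessing client stands out. The lines in sample_secure_log are constructed for the demo and follow the format of the excerpt above; the function names are made up.

```shell
#!/bin/sh
# Added example (not from the original notes): summarise sshd authentication
# events from /var/log/secure-style lines. Reads log text on stdin and prints
# one line per source address:
#   <ip> accepted=<n> failed=<n> users=<user1,user2,...>
# A source with many failures and many distinct users is a password-guessing
# client; a source with accepted logins for an unexpected user is worth a look.
ssh_auth_summary() {
    awk '
        # Matches "Accepted password for user from 192.168.2.100 port 35390 ssh2",
        # "Accepted publickey for ... ssh2: RSA SHA256:..." and
        # "Failed password for invalid user admin from 10.0.0.9 port 4444 ssh2".
        /sshd\[[0-9]+\]: (Accepted|Failed) (password|publickey) for / {
            for (i = 1; i <= NF; i++) if ($i == "from") break
            ip = $(i + 1); user = $(i - 1)          # the fields around "from" are stable
            if ($0 ~ /: Accepted /) acc[ip]++; else fail[ip]++
            if (!((ip, user) in seen)) {            # keep first-seen order per ip
                seen[ip, user] = 1
                users[ip] = users[ip] (users[ip] == "" ? "" : ",") user
            }
            ips[ip] = 1
        }
        END {
            for (ip in ips)
                printf "%s accepted=%d failed=%d users=%s\n", ip, acc[ip] + 0, fail[ip] + 0, users[ip]
        }' | sort
}

# Constructed sample log in the same format as the /var/log/secure excerpt above.
sample_secure_log() {
    cat <<'EOF'
Apr 26 19:29:04 serverb sshd[14118]: Accepted password for user from 192.168.2.100 port 35390 ssh2
Apr 26 19:29:04 serverb sshd[14118]: pam_unix(sshd:session): session opened for user user by (uid=0)
Apr 26 19:40:10 serverb sshd[14210]: Failed password for invalid user admin from 10.0.0.9 port 4444 ssh2
Apr 26 19:40:12 serverb sshd[14212]: Failed password for root from 10.0.0.9 port 4445 ssh2
Apr 26 19:40:15 serverb sshd[14214]: Failed password for root from 10.0.0.9 port 4446 ssh2
Apr 27 01:26:23 serverb sshd[14300]: Accepted publickey for user from 192.168.2.100 port 35410 ssh2: RSA SHA256:qAcSiJqUzrNzRG8ADVi5YuLRebADTPHa7WMFHCGDtwI
EOF
}

# On a real host: ssh_auth_summary < /var/log/secure
sample_secure_log | ssh_auth_summary
```

Locating the "from" field instead of counting from the start keeps the same logic working for the "invalid user" form of failed logins and for publickey lines, which carry the key fingerprint after ssh2 and so have a different field count.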
- SSH host keys
-- SSH uses public-key cryptography to keep the communication secure
-- When a client connects to an SSH server, before the user logs in the server sends a copy of its host public key; it is used to set up the encrypted channel and lets the client verify that it is talking to the right server
-- When a user runs ssh to connect to a server, the command checks whether the local known-hosts list already holds a copy of that server's public key. On first contact the fingerprint it prints should be compared, over a channel you trust, with the one the server itself reports (ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub on the server), because answering yes stores whatever key was presented, including one from an attacker sitting in the path; newer OpenSSH clients also accept the fingerprint itself at this prompt
- No copy of the host key yet: the client prompts
[user@serverb ~]$ ssh user01@192.168.2.102
The authenticity of host '192.168.2.102 (192.168.2.102)' can't be established.
ECDSA key fingerprint is SHA256:d9/LkNVQitEnUA+bPVRxlTElFGBMfkZixM3Hi9min7A.
ECDSA key fingerprint is MD5:75:af:73:11:99:86:7e:51:75:f6:f6:f9:fc:d9:9c:95.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.2.102' (ECDSA) to the list of known hosts.
user01@192.168.2.102's password:
Last login: Tue Apr 25 22:10:04 2023
- Host key copy already stored: no prompt, just enter the password
[user@serverb ~]$ ssh user01@192.168.2.102
user01@192.168.2.102's password:
Last login: Wed Apr 26 20:22:52 2023 from serverb
[user01@serverb ~]$
- Where the stored copies of host public keys live
-- /etc/ssh/ssh_known_hosts (system-wide, maintained by the administrator)
-- ~/.ssh/known_hosts (per user, appended to whenever you answer yes at the prompt)
- Where the host's own public keys live
-- server side: /etc/ssh/ssh_host_*key.pub (the matching private keys, ssh_host_*key, are readable only by root)
-- on the client, ssh-keygen -R ip/hostname removes the stored copy of that server's host key. Do this only when you know the key legitimately changed (reinstall, key rotation); when a stored key no longer matches, ssh refuses to connect with "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!", and that warning is the signal to investigate, not something to clear by reflex
[root@myhost ssh]# ssh root@192.168.2.102
root@192.168.2.102's password:
Last login: Wed Apr 26 21:35:17 2023 from gateway
[root@serverb ~]# logout
Connection to 192.168.2.102 closed.
[root@myhost ssh]# cat ~/.ssh/known_hosts | grep 192.168.2.102
192.168.2.102 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLlyynAx1JDpiqXoxj5wkpALP885QtsBjDDpFtPM/vceefTxbbxEmtTqATPqGhUlBX/dg8/N97xZxvxLhRtFTPw=
[root@myhost ssh]# ssh-keygen -R 192.168.2.102
# Host 192.168.2.102 found: line 4
/root/.ssh/known_hosts updated.
Original contents retained as /root/.ssh/known_hosts.old
[root@myhost ssh]# cat ~/.ssh/known_hosts | grep 192.168.2.102
[root@myhost ssh]# ssh root@192.168.2.102
The authenticity of host '192.168.2.102 (192.168.2.102)' can't be established.
ECDSA key fingerprint is SHA256:d9/LkNVQitEnUA+bPVRxlTElFGBMfkZixM3Hi9min7A.
ECDSA key fingerprint is MD5:75:af:73:11:99:86:7e:51:75:f6:f6:f9:fc:d9:9c:95.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.2.102' (ECDSA) to the list of known hosts.
root@192.168.2.102's password:
Last login: Wed Apr 26 21:36:01 2023 from gateway
[root@serverb ~]#
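Added example, not part of OpenSSH or of these notes: two shell functions that replay the client-side decision behind the prompts above (no stored key, matching key, or a changed key) and the edit that ssh-keygen -R makes to the file. The known_hosts content is constructed; the ECDSA entry reuses the line shown above, the ed25519 key is filler, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not part of OpenSSH): replay the client-side known_hosts decision
# that produces the prompts shown above, plus what "ssh-keygen -R host" does to the
# file. Handles plain-text entries only. With HashKnownHosts yes the host field is
# "|1|salt|hash" (an HMAC of the name), and "@cert-authority"/"@revoked" marker
# lines are skipped here, so a real client must be used for those.

# check_host_key <known_hosts> <host> <keytype> <base64 key>
#   new     -> no key of that type stored for host (ssh prints the fingerprint prompt)
#   ok      -> stored key matches
#   CHANGED -> a different key is stored (ssh refuses with "REMOTE HOST IDENTIFICATION
#              HAS CHANGED": possible man-in-the-middle, do not just delete the line)
check_host_key() {
    file=$1 host=$2 ktype=$3 key=$4
    stored=$(awk -v h="$host" -v t="$ktype" '
        /^[[:space:]]*#/ || /^@/ || NF < 3 { next }
        {
            n = split($1, names, ",")            # "name,ip" aliases share one line
            for (i = 1; i <= n; i++)
                if (names[i] == h && $2 == t) { print $3; exit }
        }' "$file")
    if [ -z "$stored" ]; then echo new
    elif [ "$stored" = "$key" ]; then echo ok
    else echo CHANGED
    fi
}

# remove_host_key <known_hosts> <host>: like ssh-keygen -R, keep a .old backup and
# drop every line whose host field names the host (other aliases on that line go too).
remove_host_key() {
    file=$1 host=$2
    cp "$file" "$file.old"
    awk -v h="$host" '
        /^[[:space:]]*#/ || /^@/ || NF < 3 { print; next }
        {
            n = split($1, names, ","); keep = 1
            for (i = 1; i <= n; i++) if (names[i] == h) keep = 0
            if (keep) print
        }' "$file.old" > "$file"
}

# Constructed known_hosts: the ECDSA entry is the one shown earlier on this page,
# the ed25519 key below is invented filler, not a real key.
SAMPLE_ECDSA_KEY=AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLlyynAx1JDpiqXoxj5wkpALP885QtsBjDDpFtPM/vceefTxbbxEmtTqATPqGhUlBX/dg8/N97xZxvxLhRtFTPw=
SAMPLE_ED25519_KEY=AAAAC3NzaC1lZDI1NTE5AAAAIFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKE
sample_known_hosts() {
    printf '# constructed sample\n'
    printf '192.168.2.102 ecdsa-sha2-nistp256 %s\n' "$SAMPLE_ECDSA_KEY"
    printf 'serverb,192.168.2.103 ssh-ed25519 %s\n' "$SAMPLE_ED25519_KEY"
}

# Demo: match, tampered key, unknown key type, then removal.
kh=$(mktemp); sample_known_hosts > "$kh"
check_host_key "$kh" 192.168.2.102 ecdsa-sha2-nistp256 "$SAMPLE_ECDSA_KEY"   # ok
check_host_key "$kh" 192.168.2.102 ecdsa-sha2-nistp256 AAAAdifferentkey        # CHANGED
check_host_key "$kh" 192.168.2.102 ssh-ed25519 "$SAMPLE_ED25519_KEY"          # new
remove_host_key "$kh" 192.168.2.102
check_host_key "$kh" 192.168.2.102 ecdsa-sha2-nistp256 "$SAMPLE_ECDSA_KEY"   # new
rm -f "$kh" "$kh.old"
```

The CHANGED case is the one the transcript above never shows: the client has a key for the host and the server presents a different one of the same type. A server can legitimately be "new" for one key type (an ed25519 key when only ECDSA was stored), which is why the match is per host and key type.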
Configuring SSH key-based authentication
- SSH key-based authentication
-- The SSH server can be configured so that users authenticate with a key pair instead of a password. The scheme is private key / public key: the private key stays on the client and is the credential, the public key is copied to each server the user wants to reach
- Generating an SSH key pair
-- With no options, ssh-keygen stores the pair in ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub (OpenSSH 9.5 and later generate Ed25519 keys by default, ~/.ssh/id_ed25519)
-- Custom pair: ssh-keygen -t rsa -b 2048 -N "my_passwd" -f ~/.ssh/my_rsa_key (type rsa, 2048 bits, file name my_rsa_key, passphrase my_passwd); -f takes the file name. Passing the passphrase with -N records it in the shell history, so for a real key omit -N and type it at the prompt. For new keys prefer -t ed25519, or at least -b 3072 for RSA
- Sharing the public key
Before key-based authentication can be used, the public key has to be copied into the target user's home directory on the remote system (~/.ssh/authorized_keys)
-- ssh-copy-id -i ~/.ssh/my_rsa_key.pub username@remotehost
-- Afterwards ~/.ssh/authorized_keys of that user on the target system contains a line identical to my_rsa_key.pub; that file is the list of public keys allowed to log in as the user, and the private key never leaves the client
[user@myhost ~]$ ssh-keygen -t rsa -b 2048 -N "hello" -f ~/.ssh/test_rsa_key
Generating public/private rsa key pair.
Created directory '/home/user/.ssh'.
Your identification has been saved in /home/user/.ssh/test_rsa_key.
Your public key has been saved in /home/user/.ssh/test_rsa_key.pub.
The key fingerprint is:
SHA256:qAcSiJqUzrNzRG8ADVi5YuLRebADTPHa7WMFHCGDtwI user@myhost
The key's randomart image is:
+---[RSA 2048]----+
|+**+ o. |
|E==++ . |
|+o===o |
|B==B+... |
|**+o++..S |
| .+.oo. |
| o ..+. |
| o ... |
| |
+----[SHA256]-----+
[user@myhost ~]$ ls ~/.ssh
test_rsa_key test_rsa_key.pub
[user@myhost ~]$ ssh-copy-id -i ~/.ssh/test_rsa_key.pub user@192.168.2.102
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/user/.ssh/test_rsa_key.pub"
The authenticity of host '192.168.2.102 (192.168.2.102)' can't be established.
ECDSA key fingerprint is SHA256:d9/LkNVQitEnUA+bPVRxlTElFGBMfkZixM3Hi9min7A.
ECDSA key fingerprint is MD5:75:af:73:11:99:86:7e:51:75:f6:f6:f9:fc:d9:9c:95.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
user@192.168.2.102's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'user@192.168.2.102'"
and check to make sure that only the key(s) you wanted were added.
[user@serverb ~]$ ls ~/.ssh
authorized_keys
- Non-interactive authentication with ssh-agent: the passphrase is typed once into the agent, which keeps the decrypted private key in memory and answers the servers' challenges for the rest of the session
[user@myhost ~]$ eval $(ssh-agent)
Agent pid 2335
[user@myhost ~]$ ssh-add ~/.ssh/test_rsa_key
Enter passphrase for /home/user/.ssh/test_rsa_key:hello # the passphrase chosen when the key was generated (not echoed on a real terminal)
Identity added: /home/user/.ssh/test_rsa_key (/home/user/.ssh/test_rsa_key)
# use the specified private key file (once the key is in the agent, -i can be omitted; ssh offers the agent's identities automatically)
[user@myhost ~]$ ssh -i ~/.ssh/test_rsa_key user@192.168.2.102
Last login: Thu Apr 27 01:26:23 2023 from gateway
[user@serverb ~]$
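Added example, not an OpenSSH tool: a shell audit of the server-side ~/.ssh that does what ssh-copy-id's last line above asks for ("check to make sure that only the key(s) you wanted were added") and catches the most common reason key login silently falls back to a password prompt, permissions that sshd's StrictModes rejects. The function names, the sample authorized_keys and its key material are constructed.

```shell
#!/bin/sh
# Added example (hypothetical helper, not an OpenSSH tool): check a user's ~/.ssh on
# the server the way sshd's StrictModes (on by default) does before it will honour
# authorized_keys, then list what that file allows.
# Assumes "ls -ld" prints a mode string such as "drwx------" first (GNU and BSD ls do).

# not_group_world_writable <path>: true unless the group or other "w" bit is set.
# sshd ignores ~/.ssh and authorized_keys that fail this (it also checks ownership,
# omitted here), and the only symptom is a fall back to password authentication.
not_group_world_writable() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w*|????????w?) return 1 ;;
        *) return 0 ;;
    esac
}

# list_authorized_keys <file>: one line per key, "<type> <comment> options=<opts|none>".
# Limitation: an option or comment containing spaces is cut at the first space.
list_authorized_keys() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            if ($1 ~ /^(ssh-|ecdsa-|sk-)/) { opts = "none"; t = $1; c = $3 }
            else                          { opts = $1;     t = $2; c = $4 }
            if (c == "") c = "-"
            printf "%s %s options=%s\n", t, c, opts
        }' "$1"
}

# audit_ssh_dir <dir>: print a status line per check, return 1 if anything failed.
audit_ssh_dir() {
    dir=$1 ak=$1/authorized_keys rc=0
    if not_group_world_writable "$dir"; then echo "ok   $dir"
    else echo "FAIL $dir is group/world writable; sshd StrictModes will ignore its keys"; rc=1; fi
    if [ ! -f "$ak" ]; then echo "FAIL $ak missing"; return 1; fi
    if not_group_world_writable "$ak"; then echo "ok   $ak"
    else echo "FAIL $ak is group/world writable"; rc=1; fi
    echo "keys in $ak:"
    list_authorized_keys "$ak" | while read -r line; do
        case "$line" in
            *" options=none") echo "  $line  (unrestricted: any command, from anywhere)" ;;
            *)                echo "  $line" ;;
        esac
    done
    return $rc
}

# Constructed sample authorized_keys; the key material is filler, not real keys.
sample_authorized_keys() {
    cat <<'EOF'
# constructed sample
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFAKEKEYMATERIALFAKEKEYMATERIAL user@myhost
from="192.168.2.0/24",no-pty,command="/usr/local/bin/backup" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYMATERIALFAKEKEYMATERIA backup@bastion
EOF
}

# Demo in a throwaway directory with the permissions sshd expects, then with a
# group-writable directory to show the failure.
d=$(mktemp -d); chmod 700 "$d"
sample_authorized_keys > "$d/authorized_keys"; chmod 600 "$d/authorized_keys"
audit_ssh_dir "$d"
chmod 770 "$d"
audit_ssh_dir "$d" || echo "audit failed as expected after chmod 770"
rm -rf "$d"
```

The second sample key shows the restrictions authorized_keys can carry per key (from=, command=, no-pty); an entry copied in by ssh-copy-id has none, which is fine for an interactive user but not for a key that only needs to run one job.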
Customizing the OpenSSH service configuration
- Configuring the OpenSSH service
The OpenSSH service is provided by a daemon named sshd. Its main configuration file is /etc/ssh/sshd_config. Recent distributions (RHEL 9, Debian 12, Ubuntu 22.04 and later) put an Include /etc/ssh/sshd_config.d/*.conf line near the top of that file, and sshd uses the first value it reads for a keyword, so a drop-in file there overrides a later line in the main file. sshd -T prints the settings sshd actually uses, and sshd -t checks the file for syntax errors; run it before reloading so a typo does not take the service down
- Forbid the superuser from logging in over SSH
It is best to forbid direct remote login to the root account. Some of the risks of allowing direct root login:
-- every Linux system has a root account, so a potential attacker only has to guess the password, not a valid user name as well
-- root is not subject to any restrictions, so a compromised root login means complete control of the system, and the log then shows only "root" rather than which person logged in (the sudo lines in the /var/log/secure excerpt above record who became root)
]# vim /etc/ssh/sshd_config
... ...
PermitRootLogin no #change to no; the default, prohibit-password, still lets root log in with a key
... ...
]# systemctl reload sshd
# the client can no longer log in as root over ssh (the password prompt still appears, but every answer is rejected)
[root@myhost ~]# ssh root@192.168.2.102
root@192.168.2.102's password:
Permission denied, please try again.
- Disable password-based authentication for SSH (first confirm that key-based login already works for an administrative account; reloading without a working key locks you out)
]# vim /etc/ssh/sshd_config
... ...
PasswordAuthentication no #disable password authentication; only public-key authentication is accepted, which removes password guessing and brute force over SSH as an attack path
# where sshd uses PAM (UsePAM yes), also set KbdInteractiveAuthentication no (ChallengeResponseAuthentication no on OpenSSH before 8.7), otherwise PAM can still prompt for a password through keyboard-interactive authentication
PubkeyAuthentication yes #enable public-key authentication (already the default): the client proves possession of a private key whose public half is listed in the user's ~/.ssh/authorized_keys on the server, instead of sending a user name and password
... ...
]# systemctl reload sshd
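Added example, not from these notes: a shell helper that resolves the effective value of the sshd_config keywords above the way sshd does (first value read wins, keywords case-insensitive) and reports which of the hardening settings are not in force. The sample configuration is constructed and the helper names are assumptions; on a live host sshd -T gives the authoritative answer, this is for auditing a copy of the file offline.

```shell
#!/bin/sh
# Added example (hypothetical helper, not an OpenSSH tool): resolve what sshd will
# actually use for the keywords set above. sshd_config keywords are case-insensitive,
# "#" lines are comments, and the FIRST value read for a keyword wins, so a drop-in
# pulled in by "Include /etc/ssh/sshd_config.d/*.conf" at the top of the file overrides
# a later line in the main file. Simplifications: one file on stdin, Include lines are
# not followed, and parsing stops at the first Match block.

# sshd_effective <keyword> < sshd_config : prints the value, or "default" if unset
sshd_effective() {
    awk -v kw="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match"      { exit }                  # conditional section begins
        tolower($1) == kw           { print $2; found = 1; exit }
        END { if (!found) print "default" }'
}

# sshd_hardening_check <file>: one line per setting, exit status = number of failures.
# Defaults are the compiled-in ones from sshd_config(5).
sshd_hardening_check() {
    cfg=$1 fails=0
    for pair in permitrootlogin:no passwordauthentication:no \
                kbdinteractiveauthentication:no pubkeyauthentication:yes; do
        kw=${pair%%:*} want=${pair#*:}
        have=$(sshd_effective "$kw" < "$cfg")
        # KbdInteractiveAuthentication was called ChallengeResponseAuthentication
        # before OpenSSH 8.7; the old name is still accepted as an alias.
        if [ "$kw" = kbdinteractiveauthentication ] && [ "$have" = default ]; then
            have=$(sshd_effective challengeresponseauthentication < "$cfg")
        fi
        if [ "$have" = default ]; then
            case "$kw" in
                permitrootlogin) have=prohibit-password ;;   # root may still log in with a key
                *)               have=yes ;;
            esac
        fi
        have=$(printf '%s' "$have" | tr 'A-Z' 'a-z')
        if [ "$have" = "$want" ]; then echo "ok   $kw = $have"
        else echo "FAIL $kw = $have (want $want)"; fails=$((fails + 1)); fi
    done
    return $fails
}

# Constructed sample: the first PasswordAuthentication line stands in for a drop-in
# file that sshd reads before the rest; the later "yes" is therefore ignored.
sample_sshd_config() {
    cat <<'EOF'
# (what a drop-in under sshd_config.d would contribute)
PasswordAuthentication no
# main file
Port 22
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes
UsePAM yes
Match User backup
    PasswordAuthentication no
EOF
}

f=$(mktemp); sample_sshd_config > "$f"
sshd_hardening_check "$f" || echo "$? setting(s) need attention"
rm -f "$f"
```

On the constructed file the check passes PasswordAuthentication (the first value, no, wins) and PubkeyAuthentication, and fails PermitRootLogin (never set, so root can still log in with a key) and KbdInteractiveAuthentication (ChallengeResponseAuthentication yes with UsePAM yes leaves a password prompt open).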