Contents
- Log management
- Configuring an rsyslog server
- openssh
- Secure Shell example
- SSH host keys
- Configuring SSH key-based authentication
[root@lnh ~]# cat /etc/redhat-release
CentOS Stream release 8 // check the OS version
[root@lnh ~]# uname -r
4.18.0-257.el8.x86_64 // check the running kernel version
[root@lnh ~]# dmesg
...
[ 5.273545] XFS (dm-2): Starting recovery (logdev: internal)
[ 5.323019] XFS (dm-2): Ending recovery (logdev: internal)
[ 5.397922] XFS (sda1): Ending clean mount
[ 7.026122] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[ 7.031966] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
[ 7.034521] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[ 7.034533] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[ 7.045958] IPv6: ADDRCONF(NETDEV_UP): eth1: link is not ready
[ 7.050984] e1000: eth1 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None
[ 7.052685] IPv6: ADDRCONF(NETDEV_UP): eth1: link is not ready
[ 7.052696] IPv6: ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
// dmesg prints the kernel ring buffer: boot, driver and other kernel messages (this is on CentOS 8)
[root@lnh ~]# tail -f /var/log/messages
Jul 19 16:39:01 lnh systemd-logind[976]: New session 1 of user root.
Jul 19 16:39:01 lnh systemd[1268]: Reached target Paths.
Jul 19 16:39:01 lnh systemd[1268]: Reached target Timers.
Jul 19 16:39:01 lnh systemd[1268]: Starting D-Bus User Message Bus Socket.
Jul 19 16:39:02 lnh systemd[1268]: Listening on D-Bus User Message Bus Socket.
Jul 19 16:39:02 lnh systemd[1268]: Reached target Sockets.
Jul 19 16:39:02 lnh systemd[1268]: Reached target Basic System.
Jul 19 16:39:02 lnh systemd[1268]: Reached target Default.
Jul 19 16:39:02 lnh systemd[1268]: Startup finished in 71ms.
Jul 19 16:39:02 lnh systemd[1]: Started User Manager for UID 0.
// /var/log/messages: general system messages, i.e. non-kernel boot messages and messages from the various subsystems
[root@lnh ~]# cat /var/log/secure
Jul 19 16:18:44 localhost polkitd[962]: Loading rules from directory /etc/polkit-1/rules.d
Jul 19 16:18:44 localhost polkitd[962]: Loading rules from directory /usr/share/polkit-1/rules.d
Jul 19 16:18:44 localhost polkitd[962]: Finished loading, compiling and executing 2 rules
Jul 19 16:18:44 localhost polkitd[962]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Jul 19 16:18:44 localhost sshd[1062]: Server listening on 0.0.0.0 port 22.
Jul 19 16:18:44 localhost sshd[1062]: Server listening on :: port 22.
Jul 19 16:19:51 localhost systemd[1304]: pam_unix(systemd-user:session): session opened for user root by (uid=0)
Jul 19 16:19:51 localhost login[1083]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Jul 19 16:19:51 localhost login[1083]: ROOT LOGIN ON tty1
Jul 19 16:20:53 localhost polkitd[935]: Loading rules from directory /etc/polkit-1/rules.d
...
// /var/log/secure: security-related messages (authentication, PAM sessions, sshd, polkit); this is the file to watch for failed and successful logins
// /var/log/maillog: messages produced by the mail subsystem
The classic sysklogd package ran two daemons:
syslogd: records messages from the system, i.e. everything not produced by the kernel.
klogd: records only messages produced by the kernel.
rsyslog merges both jobs into a single rsyslogd process: it reads kernel messages itself through its imklog module, so on CentOS 8 you will find rsyslogd running but no separate klogd:
[root@lnh ~]# ps aux |grep syslogd
root 1194 0.0 0.2 218472 5768 ? Ssl 16:37 0:00 /usr/sbin/rsyslogd -n
root 1355 0.0 0.0 12108 1088 pts/0 S+ 16:48 0:00 grep --color=auto syslogd
// always running
[root@lnh ~]# ps aux |grep klogd
root 1362 0.0 0.0 12108 1080 pts/0 S+ 16:51 0:00 grep --color=auto klogd
// no klogd process; only the grep itself matched
Configuring an rsyslog server
First shut down the virtual machine and create a clone of it; make sure it is a full clone.
lnh is the client, IP 192.168.222.250; xbz is the server, IP 192.168.222.251.
On the client:
[root@lnh ~]# vim /etc/rsyslog.conf
Add the rule that forwards the client's log messages to the server.
[root@lnh ~]# systemctl restart rsyslog.service // restart the service
On the server:
[root@xbz ~]# vim /etc/rsyslog.conf
Uncomment these four lines (in the stock CentOS 8 rsyslog.conf they are the commented imudp and imtcp module(load=...) and input(... port="514") lines that make rsyslog accept syslog messages from the network).
[root@xbz ~]# systemctl restart rsyslog.service // restart the service
[root@xbz ~]# systemctl stop firewalld.service
[root@xbz ~]# setenforce 0
// stop the firewall and put SELinux into permissive mode. This is a lab shortcut: on a real server keep both on and instead open only the syslog port (firewall-cmd --permanent --add-port=514/tcp and/or 514/udp, then firewall-cmd --reload)
[root@xbz ~]# tail -f /var/log/secure
Jul 19 17:02:19 lnh sshd[1012]: Server listening on :: port 22.
Jul 19 17:03:03 lnh systemd[1258]: pam_unix(systemd-user:session): session opened for user root by (uid=0)
Jul 19 17:03:03 lnh login[1032]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Jul 19 17:03:03 lnh login[1032]: ROOT LOGIN ON tty1
Jul 19 17:03:16 lnh sshd[1294]: Accepted password for root from 192.168.222.1 port 55495 ssh2
Jul 19 17:03:16 lnh sshd[1294]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul 19 17:03:22 lnh sshd[1320]: Accepted password for root from 192.168.222.1 port 55497 ssh2
Jul 19 17:03:22 lnh sshd[1320]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul 19 17:05:36 lnh sshd[1474]: Accepted password for root from 192.168.222.1 port 55524 ssh2
Jul 19 17:05:36 lnh sshd[1474]: pam_unix(sshd:session): session opened for user root by (uid=0)
// security-related messages; the hostname field reads lnh because these lines were forwarded from the client and are now stored on the server
Verification: on the client, log in with a deliberately wrong password a few times, then with the right one. The server then shows:
[root@xbz ~]# tail -f /var/log/secure
ser root by (uid=0)
Jul 19 17:24:37 lnh sshd[1410]: pam_unix(sshd:session): session closed for user root
Jul 19 17:24:41 lnh unix_chkpwd[1441]: password check failed for user (root)
Jul 19 17:24:41 lnh sshd[1439]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.222.1 user=root
Jul 19 17:24:44 lnh sshd[1439]: Failed password for root from 192.168.222.1 port 55818 ssh2
Jul 19 17:24:45 lnh sshd[1439]: Failed password for root from 192.168.222.1 port 55818 ssh2
Jul 19 17:24:46 lnh unix_chkpwd[1442]: password check failed for user (root)
Jul 19 17:24:48 lnh sshd[1439]: Failed password for root from 192.168.222.1 port 55818 ssh2
Jul 19 17:24:50 lnh unix_chkpwd[1443]: password check failed for user (root)
Jul 19 17:24:52 lnh sshd[1439]: Failed password for root from 192.168.222.1 port 55818 ssh2
Jul 19 17:24:54 lnh sshd[1439]: Accepted password for root from 192.168.222.1 port 55818 ssh2
Jul 19 17:24:54 lnh sshd[1439]: pam_unix(sshd:session): session opened for user root by (uid=0)
// four "Failed password" lines followed by "Accepted password" from the same address and port is exactly the trace a password-guessing attack leaves behind. Two caveats: plain syslog on port 514 is neither authenticated nor encrypted, so anyone on the segment can read or inject these lines (use rsyslog's TLS transport, the gtls or ossl stream driver, outside a lab); and with root password logins allowed this host is a brute-force target, which the key-based setup below addresses.
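The failed-then-accepted sequence the server just recorded is what a detection rule should key on. As an added example (my code, not from the original post), here is a small Python detector over a constructed sample of such lines, modelled on the output above; the 10.0.0.9 lines and the publickey login from 192.168.222.251 are made up for contrast:

```python
"""Flag password guessing that ends in a successful sshd login.

Added example, not code from the original post. It parses the sshd lines
rsyslog forwards to /var/log/secure (format as shown above) and keeps, per
source address, the timestamps of recent "Failed password" events. An
"Accepted ..." line that follows at least `threshold` failures inside
`window_seconds` is reported: that is the trace a guessed password leaves,
as opposed to a single typo.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sample modelled on the post's verification (four wrong
# passwords from 192.168.222.1, then the right one) plus extra lines for
# contrast; not copied from a real system.
SAMPLE_LOG = """\
Jul 19 17:24:41 lnh sshd[1439]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.222.1  user=root
Jul 19 17:24:44 lnh sshd[1439]: Failed password for root from 192.168.222.1 port 55818 ssh2
Jul 19 17:24:45 lnh sshd[1439]: Failed password for root from 192.168.222.1 port 55818 ssh2
Jul 19 17:24:48 lnh sshd[1439]: Failed password for root from 192.168.222.1 port 55818 ssh2
Jul 19 17:24:52 lnh sshd[1439]: Failed password for root from 192.168.222.1 port 55818 ssh2
Jul 19 17:24:54 lnh sshd[1439]: Accepted password for root from 192.168.222.1 port 55818 ssh2
Jul 19 17:30:02 lnh sshd[1502]: Accepted publickey for root from 192.168.222.251 port 40122 ssh2: RSA SHA256:FppTggRIQaZOQGlZHVBCOyG5RicFG80NYUU9xl8wCys
Jul 19 17:31:10 lnh sshd[1510]: Failed password for invalid user admin from 10.0.0.9 port 51000 ssh2
Jul 19 17:31:11 lnh sshd[1510]: Failed password for invalid user admin from 10.0.0.9 port 51000 ssh2
"""

# Syslog header, then sshd's "Accepted|Failed <method> for [invalid user] <user> from <ip> port <n>".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2"
)


def parse_events(log_text: str) -> list:
    """Return one dict per sshd authentication line; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            # Syslog timestamps carry no year; fine for ordering within one file.
            ev["time"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
            events.append(ev)
    return events


def detect_guessed_logins(log_text: str, threshold: int = 3, window_seconds: int = 60) -> list:
    """Return an alert for every Accepted login preceded by >= threshold failures
    from the same source address within window_seconds."""
    failures = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    alerts = []
    for ev in parse_events(log_text):
        q = failures[ev["ip"]]
        while q and (ev["time"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["time"])
        elif len(q) >= threshold:
            alerts.append({"ip": ev["ip"], "user": ev["user"], "method": ev["method"],
                           "failures": len(q), "at": ev["ts"]})
            q.clear()
    return alerts


def summarize(log_text: str) -> Counter:
    """Count (source ip, result) pairs: a quick view of who is knocking."""
    return Counter((ev["ip"], ev["result"]) for ev in parse_events(log_text))


if __name__ == "__main__":
    for a in detect_guessed_logins(SAMPLE_LOG):
        print(f"ALERT {a['at']}: {a['user']}@{a['ip']} accepted after {a['failures']} failures")
    for (ip, result), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{ip:16} {result:9} {n}")
```

Run it against a real file with `detect_guessed_logins(open("/var/log/secure").read())` on the rsyslog server; because the forwarded lines keep the client's hostname, the same loop can be grouped by `ev["host"]` to cover every client that forwards to it.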
openssh
Secure Shell example
lnh is the client, IP 192.168.222.250
xbz is the server, IP 192.168.222.251
[root@lnh ~]# ssh root@192.168.222.251 '/usr/sbin/ip a'
// give the command's absolute path so it is found even if the remote non-interactive shell has a minimal PATH
The authenticity of host '192.168.222.251 (192.168.222.251)' can't be established.
ECDSA key fingerprint is SHA256:y11UDaNXs3AnvVUnZQfAim2VHAplF09YOvQp2NemHyk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? y
Please type 'yes', 'no' or the fingerprint: yes
Warning: Permanently added '192.168.222.251' (ECDSA) to the list of known hosts.
root@192.168.222.251's password:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:2925:ce brd ff:ff:ff:ff:ff:ff
    inet 192.168.222.251/24 brd 192.168.222.255 scope global noprefixroute ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff25ce/64 scope link
       valid_lft forever preferred_lft forever
// on the same network segment you can run a single command on a remote host as a remote user (ssh remoteuser@remotehost command) and have its output returned to the local terminal
// the first-connection prompt is the only chance to verify the server's identity: answering "yes" without comparing the fingerprint to one obtained out of band (for example ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub run on the server's console) trusts whatever host answered at that address
[root@lnh ~]# w
17:41:09 up 38 min, 2 users, load average: 0.02, 0.01, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root tty1 - 17:02 38:20 0.28s 0.28s -bash
root pts/0 192.168.222.1 17:06 0.00s 0.13s 0.02s w
// w lists the users currently logged in, where they logged in from and what they are running; useful for seeing which users are connected over ssh, from which remote addresses and what they are doing
SSH host keys
[root@lnh ~]# cat ~/.ssh/known_hosts
192.168.222.251 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKh5FAHxXc6ck4NXY9q32oHHoZrK1+aMTpEo6smApoMbBUfvSd9YxtlRhd9TdPy8qfPwBg6ZdRkEFeRxlIzaSh8=
// 192.168.222.251 is the server the client connected to, ecdsa-sha2-nistp256 is the key algorithm and the AAAA... field is the server's public host key
// the host's identity is stored on the client in ~/.ssh/known_hosts; every later connection compares the key the server presents against this entry
// the entry binds the address to the key. If the server's address changes, ssh treats the new address as an unknown host and prompts again (the key is unchanged, so you can still log in and a second entry is added); if the key presented at a known address changes, ssh refuses with a "REMOTE HOST IDENTIFICATION HAS CHANGED" warning, which is the man-in-the-middle check this file exists for
[root@xbz ~]# cd /etc/ssh/
[root@xbz ssh]# ll
total 600
-rw-r--r--. 1 root root 577388 Apr 27 2020 moduli
-rw-r--r--. 1 root root 1770 Apr 27 2020 ssh_config
drwxr-xr-x. 2 root root 28 Jul 19 16:14 ssh_config.d
-rw-------. 1 root root 4269 Apr 27 2020 sshd_config
-rw-r-----. 1 root ssh_keys 492 Jul 19 16:18 ssh_host_ecdsa_key
-rw-r--r--. 1 root root 162 Jul 19 16:18 ssh_host_ecdsa_key.pub
-rw-r-----. 1 root ssh_keys 387 Jul 19 16:18 ssh_host_ed25519_key
-rw-r--r--. 1 root root 82 Jul 19 16:18 ssh_host_ed25519_key.pub
-rw-r-----. 1 root ssh_keys 2578 Jul 19 16:18 ssh_host_rsa_key
-rw-r--r--. 1 root root 554 Jul 19 16:18 ssh_host_rsa_key.pub
[root@xbz ssh]# less ssh_host_ecdsa_key
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS
1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQSoeRQB8V3OnJODV2Pat9qBx6Gaytfm
jE6RKOrJgKaDGwVH70nfWMbZUYXfU3T8vKnz8AYOmXUZBBXkcZSM2kofAAAAoP4DJvj+Ay
b4AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKh5FAHxXc6ck4NX
Y9q32oHHoZrK1+aMTpEo6smApoMbBUfvSd9YxtlRhd9TdPy8qfPwBg6ZdRkEFeRxlIzaSh
8AAAAhAP8Fsmj6nWXKoVWYgPeuv22eYQK8hQn4Wrr7PTXRlztaAAAAAAECAwQFBgc=
-----END OPENSSH PRIVATE KEY-----
// the private key file embeds the same public key blob (AAAAE2VjZHNh...), so you can confirm on the server that it matches the client's known_hosts entry. The safer way to compare is the fingerprint, ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub, which needs only the public file; the private key (mode 640, owner root, group ssh_keys, so only sshd can read it) should never be displayed or copied off the server
[root@lnh ~]# ls /etc/ssh/*key*
/etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ed25519_key.pub
/etc/ssh/ssh_host_ecdsa_key.pub /etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_ed25519_key /etc/ssh/ssh_host_rsa_key.pub
// host keys are stored on the SSH server in /etc/ssh/ssh_host_*
// files ending in .pub are public keys, the others are private keys
Configuring SSH key-based authentication
On the client:
[root@lnh ~]# ssh-keygen -t rsa // -t selects the algorithm, here RSA (on current OpenSSH, -t ed25519 is the usual choice; the RSA 3072 key generated here is also fine)
Enter file in which to save the key (/root/.ssh/id_rsa): // confirm the path shown in brackets; id_rsa is the private key
Enter passphrase (empty for no passphrase): // set a passphrase for the private key: without one, the file is a plaintext credential for every host that trusts it
Enter same passphrase again: // repeat the passphrase
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:Tgi3RqIiIw0nt3uMxeuyw3J3DM3uN8PUK4ItiDoWlXM root@lnh
The key's randomart image is:
+---[RSA 3072]----+ // RSA, 3072 bits
| |
| |
|o o + o |
| * B E o |
|= = =o+ S. |
|o+ =.ooo. . |
| o+.+* o. . |
|+.*o+ * * . |
|++.=.+.o + |
+----[SHA256]-----+
[root@lnh ~]# ls .ssh/
id_rsa id_rsa.pub known_hosts
// id_rsa is the private key; the file ending in .pub is the public key
Send the client's public key to the server:
[root@lnh ~]# ssh-copy-id root@192.168.222.251
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.222.251's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@192.168.222.251'"
and check to make sure that only the key(s) you wanted were added.
// the public key has the default name id_rsa.pub, so no option was needed
// for a key stored under another name, pass its path with -i:
[root@lnh ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@192.168.222.251
On the server:
[root@xbz ~]# ls .ssh/
authorized_keys // the public key that was just copied over. Every key listed in this file (one per line) may log in as root, which is why ssh-copy-id tells you to check that only the keys you wanted were added
On the client:
[root@lnh ~]# ssh root@192.168.222.251
Last login: Tue Jul 19 1736 2022 from 192.168.222.1
// the login now succeeds without a password prompt
Generate a key pair on the server as well:
[root@xbz ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:FppTggRIQaZOQGlZHVBCOyG5RicFG80NYUU9xl8wCys root@xbz
The key's randomart image is:
+---[RSA 3072]----+
|=@&%@=+. o. |
|=B==++ =o o. |
|+o+o.Eo.=.. |
|oo . .= o |
|.. + S |
| o |
| |
| |
| |
+----[SHA256]-----+
[root@xbz ~]# ls .ssh/
authorized_keys id_rsa id_rsa.pub
[root@xbz ~]# ssh-copy-id root@192.168.222.250
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.222.250 (192.168.222.250)' can't be established.
ECDSA key fingerprint is SHA256:y11UDaNXs3AnvVUnZQfAim2VHAplF09YOvQp2NemHyk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
// this is the same fingerprint that 192.168.222.251 presented in the Secure Shell example above: xbz is a full clone of lnh and inherited its /etc/ssh/ssh_host_* files, so an SSH client cannot tell the two machines apart and known_hosts no longer protects against one impersonating the other. After cloning, regenerate the clone's host keys (rm -f /etc/ssh/ssh_host_* && ssh-keygen -A, then systemctl restart sshd) and remove the stale entries from clients' known_hosts
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.222.250's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@192.168.222.250'"
and check to make sure that only the key(s) you wanted were added.
Check the .ssh directory again (known_hosts now exists here too, because xbz has connected to lnh):
[root@xbz ~]# ls .ssh/
authorized_keys id_rsa id_rsa.pub known_hosts
Log in from the server to verify:
[root@xbz ~]# ssh root@192.168.222.250
Last login: Tue Jul 19 1754 2022 from 192.168.222.1
// password-less login works in this direction as well
With key login working on both hosts, remove what the brute-force trace in /var/log/secure relied on: set PasswordAuthentication no and PermitRootLogin prohibit-password in /etc/ssh/sshd_config on each host and restart sshd, keeping one console session open until the key login has been re-tested.
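The known_hosts entry from the SSH host keys section and the authorized_keys file populated here hold the same kind of data: an OpenSSH public key blob. As an added example (my code, not the post's own), the following Python parses that blob, recomputes the SHA256 fingerprint that ssh shows in its host prompt (using the known_hosts line copied from the host-keys section), and audits authorized_keys lines for short RSA moduli and missing from= restrictions. The authorized_keys sample is synthetic and built inside the block; it contains no keys from the post.

```python
"""Inspect OpenSSH public keys from known_hosts and authorized_keys.

Added example, not code from the original post. Both files store a key as
"<type> <base64 blob>" in RFC 4253 wire encoding (uint32 length-prefixed
strings and mpints); the SHA256 fingerprint ssh prints in the "authenticity
of host" prompt is the SHA-256 of that blob, base64 encoded without padding.
"""
import base64
import hashlib
import struct

# Entry copied from the post: lnh's known_hosts record of xbz's ECDSA host key.
KNOWN_HOSTS_LINE = (
    "192.168.222.251 ecdsa-sha2-nistp256 "
    "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKh5FAHxXc6ck4NXY9"
    "q32oHHoZrK1+aMTpEo6smApoMbBUfvSd9YxtlRhd9TdPy8qfPwBg6ZdRkEFeRxlIzaSh8="
)

def _read_string(blob: bytes, off: int):
    """Read one uint32-length-prefixed field; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">I", blob, off)
    return blob[off + 4:off + 4 + n], off + 4 + n

def parse_blob(b64: str) -> dict:
    """Decode a key blob into its type plus the fields an audit needs."""
    blob = base64.b64decode(b64, validate=True)
    ktype, off = _read_string(blob, 0)
    info = {"type": ktype.decode(), "bits": None}
    if info["type"] == "ssh-rsa":
        _e, off = _read_string(blob, off)      # public exponent (mpint)
        n, off = _read_string(blob, off)       # modulus (mpint, may carry a leading 0x00)
        info["bits"] = int.from_bytes(n, "big").bit_length()
    elif info["type"].startswith("ecdsa-sha2-"):
        curve, off = _read_string(blob, off)
        point, off = _read_string(blob, off)   # 0x04 || X || Y, 65 bytes on nistp256
        info["curve"], info["point_len"] = curve.decode(), len(point)
    elif info["type"] == "ssh-ed25519":
        pub, off = _read_string(blob, off)
        info["bits"] = len(pub) * 8
    return info                                # other algorithms: type only

def fingerprint(b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256:<base64 digest, '=' padding stripped>."""
    digest = hashlib.sha256(base64.b64decode(b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(line: str) -> dict:
    """Parse an unhashed 'host type blob' line; the declared type must match the blob."""
    host, ktype, b64 = line.split()[:3]
    info = parse_blob(b64)
    if info["type"] != ktype:
        raise ValueError(f"line says {ktype} but blob is {info['type']}")
    info.update(host=host, fingerprint=fingerprint(b64))
    return info

def _split_options(line: str):
    """Split leading authorized_keys options (from="...", command="...") from the key;
    the options field ends at the first space outside double quotes."""
    if line.startswith(("ssh-", "ecdsa-", "sk-")):
        return "", line
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch == " " and not quoted:
            return line[:i], line[i + 1:]
    return line, ""

def audit_authorized_keys(text: str) -> list:
    """One finding per key line: type, size, options and the issues spotted."""
    findings = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        options, rest = _split_options(line)
        parts = rest.split(None, 2)
        info, issues = parse_blob(parts[1]), []
        if info["type"] == "ssh-rsa" and info["bits"] < 2048:
            issues.append(f"RSA modulus only {info['bits']} bits")
        if "from=" not in options:
            issues.append("no from= restriction: usable from any source address")
        findings.append({"comment": parts[2] if len(parts) > 2 else "", "type": info["type"],
                         "bits": info["bits"], "options": options, "issues": issues})
    return findings

# Synthetic authorized_keys material for the audit. Not real keys: the RSA modulus
# is 2^(bits-1)+1 (only its size matters here) and the ed25519 point is a counter.
def _field(v) -> bytes:
    if isinstance(v, int):                     # encode ints as positive mpints
        v = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(v)) + v

def constructed_key_line(ktype: str,                                                    bits: int = 3072, options: str = "", comment: str = "x") -> str:
    if ktype == "ssh-rsa":
        blob = _field(b"ssh-rsa") + _field(65537) + _field((1 << (bits - 1)) | 1)
    else:
        blob = _field(b"ssh-ed25519") + _field(bytes(range(32)))
    key = f"{ktype} {base64.b64encode(blob).decode()} {comment}"
    return f"{options} {key}" if options else key

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not the keys from the post",
    constructed_key_line("ssh-rsa", 3072, comment="root@lnh"),
    constructed_key_line("ssh-rsa", 1024, comment="old-laptop"),
    constructed_key_line("ssh-ed25519", options='from="192.168.222.250",command="/usr/sbin/ip a"', comment="monitor"),
])
```

`parse_known_hosts(KNOWN_HOSTS_LINE)["fingerprint"]` is the value to hold against the `ECDSA key fingerprint is SHA256:...` line ssh printed, and `audit_authorized_keys(open("/root/.ssh/authorized_keys").read())` on the server lists every key that can log in as root together with what restricts it; a key with no `from=` option works from any address that can reach port 22.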
// commonly used scp options
-r // copy directories recursively
-p // preserve the modification times, access times and modes of the source files
-P // port of the remote sshd (uppercase; lowercase -p is preserve)
-q // quiet mode: no progress meter or warnings
-a // not an scp option: -a (archive) belongs to rsync. The scp equivalent of "copy everything" is -rp
Link: https://www.cnblogs.com/tushanbu/p/16495244.html
Original title: openssh
Source: WeChat ID magedu-Linux, public account 馬哥Linux運維. Please credit the source when reposting.