Create a regular user:
# useradd user01
# tail -n2 /etc/passwd
chrony:x:998:996::/var/lib/chrony:/sbin/nologin
user01:x:1000:1000::/home/user01:/bin/bash
Set the regular user's password:
# passwd user01
更改用戶 user01 的密碼 。
新的 密碼:
重新輸入新的 密碼:
passwd:所有的身份驗證令牌已經成功更新。
# tail -n2 /etc/shadow
chrony:!!:17747::::::
user01:$6$gjFGJMEm$2JReki/pYBzsJqj0qkIExnEx7Q/u...xex3w/fxJ6JI05mOPMmLXf4QdsLvTBhfm5SnZnTetKAVtOkD2xfDnr1:17750:0:99999:7:::
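All servers must allow login only as a regular user; root is reachable only through sudo from a regular user:
Edit the configuration file, search for the line containing Root, and change it as follows: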
# vi /etc/ssh/sshd_config
Change #PermitRootLogin yes to PermitRootLogin no to disable remote root login, then save and exit.
After changing the configuration file, restart the service:
# systemctl restart sshd.service
Set whether ssh checks the permissions and ownership of the user's home directory and rhosts files before accepting a login request
StrictModes yes
[root@app04 ~]# sed -i 's/^#StrictModes/StrictModes/g' /etc/ssh/sshd_config
Set whether pure RSA authentication is allowed
RSAAuthentication yes
PubkeyAuthentication yes
[root@app04 ~]# sed -i 's/^#PubkeyAuthentication/PubkeyAuthentication/g' /etc/ssh/sshd_config
# Restart the sshd service
[root@app04 ~]# systemctl restart sshd
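Note: once the steps above are complete, log in using the key file (id_rsa); if there are no errors, continue with the steps below!
Reminder: change the settings below only after confirming that everything is configured correctly, to avoid unnecessary problems.
- Set whether password authentication is allowed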
PasswordAuthentication yes
[root@app04 ~]# sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config
Disable root login (change yes to no; do this only after key-based login is confirmed to work)
PermitRootLogin yes
[root@app04 ~]# sed -i 's/PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config
[root@app04 ~]# vim /etc/ssh/sshd_config
[root@app04 ~]# systemctl restart sshd
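The sed substitutions above only rewrite text that matches exactly, so a stock `#PermitRootLogin yes` line becomes `#PermitRootLogin no`, which is still a comment and leaves sshd on its built-in default. The following added example (not part of the original post; the function names are hypothetical and the sample config is constructed) sets a directive so that exactly one active line exists in the global section, and reads back the value sshd would use, given that sshd takes the first value it finds for each keyword.

```shell
#!/bin/sh
# Added example; function names are hypothetical, the sample config is constructed.

# Print the value sshd takes from FILE for KEY in the global section: the
# first active (uncommented) line wins. Empty output = built-in default.
effective_value() {
    awk -v k="$2" 'BEGIN { k = tolower(k) }
        tolower($1) == "match" { exit }
        tolower($1) == k       { print $2; exit }' "$1"
}

# Make "KEY VALUE" the single active global line for KEY in FILE.
set_sshd_option() {
    tmp=$(mktemp) || return 1
    awk -v k="$2" -v v="$3" 'BEGIN { lk = tolower(k) }
        in_match { print; next }             # leave Match blocks untouched
        tolower($1) == "match" {             # global section ends here
            if (!done) print k " " v
            done = 1; in_match = 1; print; next
        }
        {
            line = $0
            sub(/^[ \t]*/, "", line); sub(/^#/, "", line)
            split(line, f, /[ \t=]+/)
            if (tolower(f[1]) == lk) {       # active or "#Key value" line
                if (!done) print k " " v
                done = 1; next
            }
            print
        }
        END { if (!done) print k " " v }' "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?; rm -f "$tmp"; return $rc
}

# Constructed sample resembling a stock sshd_config.
sample_config() {
    printf '%s\n' '#PermitRootLogin yes' '#StrictModes yes' \
        '#PubkeyAuthentication yes' '#PasswordAuthentication yes' \
        'PasswordAuthentication yes' 'Match User backup' \
        '    PasswordAuthentication yes'
}

cfg=$(mktemp)
sample_config | sed 's/PermitRootLogin yes/PermitRootLogin no/g' > "$cfg"  # the page's expression
echo "after sed: PermitRootLogin='$(effective_value "$cfg" PermitRootLogin)'"
for kv in 'StrictModes yes' 'PubkeyAuthentication yes' \
          'PasswordAuthentication no' 'PermitRootLogin no'; do
    set_sshd_option "$cfg" "${kv% *}" "${kv#* }"
done
echo "after fix: PermitRootLogin='$(effective_value "$cfg" PermitRootLogin)'"
rm -f "$cfg"
```

Running `sshd -t` before `systemctl restart sshd` checks the edited file for syntax errors, and keeping the current session open while testing a fresh key login avoids a lockout.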
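Remember to back up the id_rsa and id_rsa.pub files, and delete them from the server.
Key-based login:
Switch to the newly created user and create a key pair, then write in the public keys of the machines that need to log in.
SSH login uses RSA asymmetric cryptography, so an RSA key can be used to log in over SSH. SSH ships a dedicated tool for creating SSH keys, ssh-keygen.
Run ssh-keygen to create a key pair. The command is interactive: you can enter a passphrase for the key, or leave it empty and simply press Enter three times.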
[root@zyshanlinux-04 ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:4odZd916XMzHfVl6wd18TsM/aaPzJX2znzIfN5N87pU root@zyshanlinux-04
The key's randomart image is:
+---[RSA 2048]----+
| |
| o.o|
| =B|
| . OX|
| . S . . o*&|
| . = . . +=O|
| + . ooEX|
| . oo+&|
| +*=|
+----[SHA256]-----+
After the key pair is generated, two new files appear in the /root/.ssh/ directory: the private key id_rsa and the public key id_rsa.pub.
[root@zyshanlinux-04 ~]# ls /root/.ssh
id_rsa id_rsa.pub
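Next, copy the generated public key to the remote server you need to log in to. The ssh-copy-id command can be used here; it requires the target server's login password.
[root@zyshanlinux-04 ~]# ssh-copy-id -i .ssh/id_rsa.pub root@192.168.106.131 ## This command must be run from the home directory; from any other directory use: ssh-copy-id -i ~/.ssh/id_rsa.pub root@192.168.106.131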
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.106.131's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@192.168.106.131'"
and check to make sure that only the key(s) you wanted were added.
Once the public key has been copied, connect to the target server remotely; the login password is no longer required.
[root@zyshanlinux-04 ~]# ssh 'root@192.168.106.131'
Last login: Tue Aug 7 21:13:09 2018 from 192.168.106.132
————————————————
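Copyright notice: this is an original article by CSDN blogger "zhengyshan", released under the CC 4.0 BY-SA license. When reposting, include the link to the original source and this notice.
Original link: https://blog.csdn.net/zhengyshan/article/details/81515017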
