Linux 提高SSH服务安全

问题
本案例要求提高Linux主机上SSH服务端的安全性,完成以下任务:
1)配置基本安全策略(禁止root、禁止空口令)
2)针对SSH访问采用仅允许的策略,未明确列出的用户一概拒绝登录
3)实现密钥验证登录(私钥口令)、免密码登入(无私钥口令)
4)确认密钥验证使用正常后,禁用口令验证
方案
使用两台RHEL6虚拟机,其中svr5作为OpenSSH服务器,另一台pc205或svr5本机都可以作为测试用的客户机,如图-2所示。
Linux 提高SSH服务安全
图-2

步骤

实现此案例需要按照如下步骤进行。

步骤一:配置基本安全策略

1)调整sshd服务配置,并重载服务

[root@svr5 ~]# vim /etc/ssh/sshd_config
.. ..
Protocol 2  										//去掉SSH协议V1
PermitRootLogin no  								//禁止root用户登录
PermitEmptyPasswords no  							//禁止密码为空的用户登录
.. ..
[root@svr5 ~]# service sshd reload
重新载入 sshd:                                            [确定]

2)测试基本安全策略
尝试以root用户SSH登录,失败:

[root@svr5 ~]# ssh root@192.168.4.5
root@192.168.4.5's password:
Permission denied, please try again.

将服务器上用户kate的密码设为空,尝试SSH登录,也会失败:

[root@svr5 ~]# passwd -d kate  						//清空用户口令
清除用户的密码 kate。
passwd: 操作成功

[root@svr5 ~]# ssh kate@192.168.4.5
kate@192.168.4.5's password:
Permission denied, please try again.

步骤二:针对SSH访问采用仅允许的策略,未明确列出的用户一概拒绝登录
1)调整sshd服务配置,添加AllowUsers策略,仅允许用户zengye、john、ugadm,其中ugadm只能从网段192.168.4.0/24登录。

[root@svr5 ~]# vim /etc/ssh/sshd_config
.. ..
AllowUsers zengye john ugadm@192.168.4.0/24
[root@svr5 ~]# service sshd reload
重新载入 sshd:                                            [确定]
2)验证SSH访问控制,未授权的用户将拒绝登录。

[root@pc205 ~]# ssh ugadm@192.168.4.5  				//已授权的用户允许登录
ugadm@192.168.4.5's password:
[ugadm@svr5 ~]$ exit
[root@pc205 ~]# ssh zhangsan@192.168.4.5  			//未授权的用户被拒绝登录
zhangsan@192.168.4.5's password:
Permission denied, please try again.

步骤三:实现密钥对验证登录(私钥口令)、免密码登入(无私钥口令)
1)准备客户机测试环境
在客户机pc205上创建两个测试用户:mike、nono。其中mike将用来实现有私钥口令保护的SSH登录,而nono用来实现无私钥口令保护的SSH登录(免密码交互) 。

[root@pc205 ~]# useradd mike
[root@pc205 ~]# useradd nono
[root@pc205 ~]# echo 123456 | passwd --stdin mike
.. ..
[root@pc205 ~]# echo 123456 | passwd --stdin nono
.. ..

2)为客户机的用户mike、nono分别建立SSH密钥对
以用户mike登入客户机,使用ssh-keygen创建密钥对,设置好私钥口令:

[root@pc205 ~]# su - mike
[mike@pc205 ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/mike/.ssh/id_rsa):
Created directory '/home/mike/.ssh'.
Enter passphrase (empty for no passphrase):  			//设置私钥口令
Enter same passphrase again:  							//再次输入私钥口令
Your identification has been saved in /home/mike/.ssh/id_rsa.
Your public key has been saved in /home/mike/.ssh/id_rsa.pub.
The key fingerprint is:
63:6e:cf:45:f0:56:e2:89:6f:62:64:5a:5e:fd:68:d2 mike@pc205.tarena.com
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|          . . .  |
|           = =   |
|        S = B .  |
|       o B = . o |
|        + + = E .|
|       . + + o   |
|          o      |
+-----------------+
[mike@pc205 ~]$ ls -lh ~/.ssh/id_rsa*  				//确认密钥对文件
-rw-------. 1 mike mike 1.8K 8月  15 10:35 /home/mike/.ssh/id_rsa
-rw-r--r--. 1 mike mike  403 8月  15 10:35 /home/mike/.ssh/id_rsa.pub

[mike@pc205 ~]$ exit
Logout

切换到用户nono,使用ssh-keygen创建密钥对,将私钥口令设为空(直接回车):

[root@pc205 ~]# su - nono
[nono@pc205 ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/nono/.ssh/id_rsa):
Created directory '/home/nono/.ssh'.
Enter passphrase (empty for no passphrase):  			//直接回车将口令设为空
Enter same passphrase again:  							//再次回车确认
Your identification has been saved in /home/nono/.ssh/id_rsa.
Your public key has been saved in /home/nono/.ssh/id_rsa.pub.
The key fingerprint is:
43:16:c1:88:5a:02:ec:d5:37:22:4e:c0:25:6f:84:63 nono@pc205.tarena.com
The key's randomart image is:
+--[ RSA 2048]----+
|+++o.. oo.       |
| E=+oo.o..       |
|o =*. o +        |
| .o.   o         |
|        S        |
|         .       |
|                 |
|                 |
|                 |
+-----------------+
[nono@pc205 ~]$ ls -lh ~/.ssh/id_rsa*  				//确认密钥对文件
-rw-------. 1 nono nono 1.7K 8月  15 10:37 /home/nono/.ssh/id_rsa
-rw-r--r--. 1 nono nono  403 8月  15 10:37 /home/nono/.ssh/id_rsa.pub

3)将客户机上用户mike、nono的公钥部署到SSH服务器
以用户nono登入客户机,使用ssh-copy-id命令将自己的公钥部署到服务器,服务器上的目标用户为john:

[nono@pc205 ~]$ ssh-copy-id john@192.168.4.5
john@192.168.4.5's password:
Now try logging into the machine, with "ssh 'john@192.168.4.5'", and check in:
  .ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[nono@pc205 ~]$ exit
Logout
同样地

,以用户mike登入客户机,使用ssh-copy-id命令将自己的公钥部署到服务器,服务器上的目标用户也是john:

[root@pc205 ~]# su - mike
[mike@pc205 ~]$ ssh-copy-id john@192.168.4.5
john@192.168.4.5's password:
Now try logging into the machine, with "ssh 'john@192.168.4.5'", and check in:
  .ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.

4)在服务器上确认客户机用户mike、nono上传的公钥信息
默认部署位置为目标用户de ~/.ssh/authorized_keys文件:

[root@svr5 ~]# tail -2 ~john/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzz+5AiFMGQ7LfuiV7eBnOcmRO9JRTcqRoynGO2y5
RyFL+LxR1IpEbkNrUyIZDk5uaX1Y8rwsf+pa7UZ2NyqmUEvNSUo0hQyDGsU9SPyAdzRCCvDgwpOFhaHi/OFnT+zqjAqXH2M9fFYEVUU4PIVL8HT19zCQRVZ/q3acQA34UsQUR0PpLJAobsf1BLe2EDM8BsSHckDGsNoDT9vk+u3e83RaehBMuy1cVEN5sLAaIrIeyM8Q0WxQNlqknL908HRkTlTeKrRoHbMnOBFj8StwlnscKHlkrsKkhUf8A9WWz/vL4GDwGND5jdca3I2hdITAySjMdfL1HMHnMYOgMjPM0Q== nono@pc205.tarena.com
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAl6PopFT7VoFaQFVVKrH4N7VgDIUUjcIc/TN/dmA1
EmTAqv9wYnX83Do3/14wUD6WkUQ1wkZV64bkHCrgUDsCy2iV7wvH7xiOg4CYGFk1RALn5edKC8fEKiveR8MrUafa6O2iBpuG/vYin2QDyc7PpipyRw4rFg7/PaD1XuRRwFGcHgiv8PLUjO6GcuS4c3gyKbSADM7mV1gu62wMHm47e5jAxzxNGkYnyYeb7Ut7hwvs5xP54MHy23zSs+DjN7oRvKN5xZueaFLbVUcnSvGzN5IZqV7Qu3NqtFGpgCdUr/yaFcZWC7VIrNH2IJJwKNboCMSUoEm+InRtIvITdCWWVQ== mike@pc205.tarena.com

5)在客户机上测试SSH密钥对验证
在客户机用户mike的环境中,以远程用户john登入192.168.4.5主机,需要验证客户机用户mike 的私钥口令:

[mike@pc205 ~]$ ssh john@192.168.4.5  					//需验证私钥口令
Enter passphrase for key '/home/mike/.ssh/id_rsa':
Last login: Thu Aug 15 10:10:37 2013 from 192.168.4.205
[john@svr5 ~]$ whoami
john
而在客户机用户nono的环境中,以远程用户john登入192.168.4.5主机时,无需验证口令即可登入(因为私钥口令为空):
[nono@pc205 ~]$ ssh john@192.168.4.5  					//免交互直接登入
Last login: Thu Aug 15 10:48:09 2013 from 192.168.4.205
[john@svr5 ~]$ whoami
john

步骤四:确认密钥验证使用正常后,禁用口令验证
1)调整sshd服务配置,将PasswordAuthentication设为no

[root@svr5 ~]# vim /etc/ssh/sshd_config
.. ..

PasswordAuthentication no  							//将此行yes改成no

[root@svr5 ~]# service sshd reload
重新载入 sshd:                                            [确定]

2)确认密码登录验证已不可用,只有部署了公钥的用户才可以登录

[root@pc205 ~]# su - mike
[mike@pc205 ~]$ ssh zengye@192.168.4.5  					//口令验证被拒绝
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

[mike@pc205 ~]$ ssh john@192.168.4.5  						//密钥验证登录成功
Enter passphrase for key '/home/mike/.ssh/id_rsa':
Last login: Thu Aug 15 10:49:13 2013 from 192.168.4.205
上一篇:jenkins获取GitLab的hook数据并处理


下一篇:MyEclipse开发的java web项目在 Eclipse中无法识别