3. Back on the tast01 server, edit the SSH server configuration file
[root@tast01 ~]# vim /etc/ssh/sshd_config    // edit the SSH server configuration file
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
MaxAuthTries 6
#MaxSessions 10
DenyUsers sun@192.168.144.135 stii    // remove the allow-only entry and add a deny entry
#PubkeyAuthentication yes
:wq    // save and exit
[root@tast01 ~]# systemctl restart sshd    // restart the SSH service

4. Log in to the tast01 server over SSH from the tast02 and tast03 clients in turn
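Before reading the client results, it helps to know exactly which logins the DenyUsers line from step 3 refuses. The following Python script is an added example, not part of the original tutorial, that models how sshd evaluates the global DenyUsers and AllowUsers directives for a given user name and client address. It applies the documented semantics: a bare pattern such as stii matches that user from every source, a user@host pattern such as sun@192.168.144.135 matches only that user connecting from that address, '*' and '?' wildcards are supported, DenyUsers is checked before AllowUsers, and once AllowUsers is present every unlisted user is refused. Matching against the client's resolved hostname and conditional Match blocks are not modelled. The config fragment is constructed from the step-3 directives, and the function names and the second client address used in the demo are assumptions.

```python
import re

# Constructed sshd_config fragment mirroring the step-3 directives (not the server's real file).
SSHD_CONFIG = """\
#LoginGraceTime 2m
PermitRootLogin no
MaxAuthTries 6
DenyUsers sun@192.168.144.135 stii
#PubkeyAuthentication yes
"""


def parse_user_lists(config_text):
    """Collect the patterns of the global DenyUsers/AllowUsers directives.

    sshd keywords are case-insensitive; '#' starts a comment. Directives after a
    Match line are conditional and are deliberately ignored by this simple model.
    """
    lists = {"denyusers": [], "allowusers": []}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        key = parts[0].lower()
        if key == "match":
            break
        if key in lists:
            lists[key].extend(parts[1:])
    return lists


def _glob_match(pattern, value):
    """sshd-style wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def user_matches(pattern, user, client_addr):
    """A bare pattern matches the user name only; 'user@host' requires the user name
    and the client address to match (sshd also tries the resolved hostname)."""
    if "@" in pattern:
        user_pat, host_pat = pattern.split("@", 1)
        return _glob_match(user_pat, user) and _glob_match(host_pat, client_addr)
    return _glob_match(pattern, user)


def login_allowed(config_text, user, client_addr):
    """Apply sshd's order: any DenyUsers hit refuses; then, if AllowUsers is set,
    the user must match one of its patterns."""
    lists = parse_user_lists(config_text)
    if any(user_matches(p, user, client_addr) for p in lists["denyusers"]):
        return False
    if lists["allowusers"] and not any(
        user_matches(p, user, client_addr) for p in lists["allowusers"]
    ):
        return False
    return True


if __name__ == "__main__":
    # 192.168.144.132 is an assumed second client address for the demo.
    for user, addr in [
        ("sun", "192.168.144.135"),
        ("sun", "192.168.144.132"),
        ("stii", "192.168.144.132"),
        ("siti", "192.168.144.135"),
    ]:
        verdict = "allowed" if login_allowed(SSHD_CONFIG, user, addr) else "denied"
        print(f"{user} from {addr}: {verdict}")
```

The client always sees the same "Permission denied" whether the refusal came from DenyUsers or from a wrong password, so when a result in step 4 does not match this model, check the server side: sshd logs a refusal caused by the directive with a message of the form "User ... from ... not allowed because listed in DenyUsers" in the authentication log, while a wrong password produces a failed-password entry instead.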
[root@tast02 ~]# ssh sun@192.168.144.133    // log in to the server as user sun from the tast02 client
sun@192.168.144.133's password:    // enter the password
Permission denied, please try again.    // login refused
[root@tast02 ~]# ssh stii@192.168.144.133    // log in to the server as user stii from the tast02 client
stii@192.168.144.133's password:    // enter the password
Permission denied, please try again.    // login refused
[root@tast02 ~]# ssh siti@192.168.144.133    // log in to the server as user siti from the tast02 client
siti@192.168.144.133's password:    // enter the password
Last failed login: Mon Sep 9 22:02:00 CST 2019 from 192.168.144.132 on ssh:notty
There were 2 failed login attempts since the last successful login.
Last login: Mon Sep 9 21:53:53 2019 from 192.168.144.135
[siti@tast01 ~]$    // login succeeded
[root@tast03 ~]# ssh stii@192.168.144.133    // log in to the server as user stii over SSH from the tast03 client
stii@192.168.144.133's password:    // enter the password
Permission denied, please try again.    // login refused
[root@tast03 ~]# ssh sun@192.168.144.133    // log in to the server as user sun over SSH from the tast03 client
sun@192.168.144.133's password:    // enter the password
Last failed login: Mon Sep 9 22:30:55 CST 2019 from 192.168.144.135 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Mon Sep 9 22:24:51 2019 from 192.168.144.133
[sun@tast01 ~]$    // login succeeded
[root@tast03 ~]# ssh siti@192.168.144.133    // log in to the server as user siti over SSH from the tast03 client
siti@192.168.144.133's password:    // enter the password
Last login: Mon Sep 9 22:32:16 2019 from 192.168.144.135
[siti@tast01 ~]$    // login succeeded

Login with key-pair authentication

1. First, on the tast01 server, edit the SSH configuration file and enable the key-authentication entry
[root@tast01 ~]# vim /etc/ssh/sshd_config    // edit the SSH configuration file
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
MaxAuthTries 6
#MaxSessions 10
DenyUsers sun@192.168.144.135 stii
PubkeyAuthentication yes    // enable key-pair authentication
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys    // where the authorized public keys are stored
:wq    // save and exit

2. On the tast02 client, configure the key pair
[root@tast02 ~]# useradd siaa    // create a user on the tast02 client
[root@tast02 ~]# passwd siaa    // set the user's password
更改用户 siaa 的密码 。
新的 密码:
无效的密码: 密码少于 8 个字符
重新输入新的 密码:
passwd:所有的身份验证令牌已经成功更新。
[root@tast02 ~]# su - siaa    // switch to user siaa
[siaa@tast02 ~]$ ssh-keygen -t ecdsa    // generate an ECDSA key pair
Generating public/private ecdsa key pair.
Enter file in which to save the key (/home/siaa/.ssh/id_ecdsa):    // key location; keep the default and press Enter
Created directory '/home/siaa/.ssh'.
Enter passphrase (empty for no passphrase):    // enter the passphrase to set
Enter same passphrase again:    // enter the passphrase again
Your identification has been saved in /home/siaa/.ssh/id_ecdsa.
Your public key has been saved in /home/siaa/.ssh/id_ecdsa.pub.
The key fingerprint is:
SHA256:5mTvLU19q7uUUXECnEmNldB3S4gUiNZdvm1zupFUf0Y siaa@tast02
The key's randomart image is:
+---[ECDSA 256]---+
| o +=B@+o.|
| o o o*.+o=|
| . ..oE|
| ++.|
| S +.+=|
| = . ..=+=|
| . .o o+..|
| ...o + |
| ...+= |
+----[SHA256]-----+    // the ECDSA key pair has been generated
[siaa@tast02 ~]$ ls -a    // list the hidden files in the user's home directory
.  ..  .bash_logout  .bash_profile  .bashrc  .cache  .config  .mozilla  .ssh
[siaa@tast02 ~]$ cd .ssh    // enter the newly created .ssh directory
[siaa@tast02 .ssh]$ ls    // list the directory contents
id_ecdsa  id_ecdsa.pub    // the generated private and public key files
[siaa@tast02 .ssh]$ ssh-copy-id -i id_ecdsa.pub siti@192.168.144.133    // push the specified public key file to the siti user on the server
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "id_ecdsa.pub"
The authenticity of host '192.168.144.133 (192.168.144.133)' can't be established.
ECDSA key fingerprint is SHA256:B8IsZOFG7FbtVkIK+dMILmo0iA4OEIeVGY0GnnCbXhk.
ECDSA key fingerprint is MD5:c2:d8:09:17:de:6e:ec:07:06:1b:ac:b6:1e:bd:62:09.
Are you sure you want to continue connecting (yes/no)? yes    // prompt to accept the server's host key; enter yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
siti@192.168.144.133's password:    // enter the password of the siti user on the server
Number of key(s) added: 1    // the key was added successfully
Now try logging into the machine, with:   "ssh 'siti@192.168.144.133'"
and check to make sure that only the key(s) you wanted were added.
[siaa@tast02 .ssh]$ ls    // list the directory contents
id_ecdsa  id_ecdsa.pub  known_hosts    // the known_hosts file has been created
[siaa@tast02 .ssh]$ vim known_hosts    // view the file contents
192.168.144.133 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC6sBj5BEqQkEIXTdcRDCzDlQRfhaoaY7OvyWzxcNxt+n6ZjbA1PSYK2SeTW3MAhUZOry7T6gNDFL7YyfMfXOGo=    // the ECDSA public key has been pushed to the server successfully; known_hosts records the server's host key
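The known_hosts line above stores the server's host public key in SSH wire format (length-prefixed fields: key type, curve name, EC point), and the id_ecdsa.pub / authorized_keys line written by ssh-copy-id uses the same blob format with a comment instead of a host. The following Python script is an added example, not part of the original tutorial: it decodes such an entry, checks that the declared key type, the curve name and the point length inside the blob agree with one another, and computes the SHA256 fingerprint the same way ssh-keygen -lf does (SHA-256 over the raw blob, printed as base64 without padding). That fingerprint is what should be compared with the one shown in the "authenticity of host ... can't be established" prompt, ideally against a value obtained out of band from the server itself (for example ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub run on tast01). The known_hosts line is copied from the transcript; the function names and the public-key comment used in the demo are assumptions.

```python
import base64
import hashlib
import struct

# known_hosts entry captured on tast02 in the transcript above (copied from the page).
KNOWN_HOSTS_LINE = (
    "192.168.144.133 ecdsa-sha2-nistp256 "
    "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC6sBj5BEqQkEIXTdcRDCzDl"
    "QRfhaoaY7OvyWzxcNxt+n6ZjbA1PSYK2SeTW3MAhUZOry7T6gNDFL7YyfMfXOGo="
)

# Uncompressed point sizes (0x04 || X || Y) for the curves OpenSSH accepts.
EC_POINT_LEN = {"nistp256": 65, "nistp384": 97, "nistp521": 133}


def read_ssh_strings(blob):
    """Split an SSH wire-format blob into its length-prefixed fields (RFC 4251 'string')."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + length > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[pos:pos + length])
        pos += length
    return fields


def inspect_key_blob(declared_type, b64):
    """Decode a base64 key blob and verify it is consistent with the declared key type.
    Returns a dict with the type, the curve (ECDSA only) and the SHA256 fingerprint."""
    blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    fields = read_ssh_strings(blob)
    if not fields or fields[0].decode() != declared_type:
        raise ValueError("key type inside the blob does not match the declared type")
    info = {"type": declared_type, "curve": None}
    if declared_type.startswith("ecdsa-sha2-"):
        if len(fields) < 3:
            raise ValueError("ECDSA blob is missing the curve name or the point")
        curve, point = fields[1].decode(), fields[2]
        if declared_type != "ecdsa-sha2-" + curve:
            raise ValueError("curve name inside the blob does not match the key type")
        if len(point) != EC_POINT_LEN.get(curve) or point[0] != 0x04:
            raise ValueError("unexpected EC point encoding")
        info["curve"] = curve
    # ssh-keygen -lf hashes the raw blob and prints the digest as unpadded base64.
    digest = hashlib.sha256(blob).digest()
    info["fingerprint"] = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return info


def parse_known_hosts_line(line):
    """Parse '[marker] host key-type base64' as written by ssh / ssh-copy-id."""
    parts = line.split()
    if parts and parts[0].startswith("@"):  # e.g. an @cert-authority marker
        parts = parts[1:]
    if len(parts) < 3:
        raise ValueError("malformed known_hosts line")
    host, key_type, b64 = parts[:3]
    info = inspect_key_blob(key_type, b64)
    info["host"] = host
    return info


def parse_public_key_line(line):
    """Parse 'key-type base64 [comment]' as found in id_ecdsa.pub or authorized_keys."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    info = inspect_key_blob(parts[0], parts[1])
    info["comment"] = parts[2] if len(parts) == 3 else ""
    return info


def entry_is_consistent(line, known_hosts=True):
    """True when the entry decodes and its declared type matches the blob inside."""
    try:
        (parse_known_hosts_line if known_hosts else parse_public_key_line)(line)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    info = parse_known_hosts_line(KNOWN_HOSTS_LINE)
    print(f"{info['host']} {info['type']} ({info['curve']}) {info['fingerprint']}")
```

Running the script prints the host, key type, curve and SHA256 fingerprint of the recorded host key; a mismatch between that value and the one shown when the server's key was first accepted would mean the known_hosts entry no longer describes the key that was trusted.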