1. 添加普通賬號

眾所周知，linux下的root擁有最高權限，可以執行任何命令。在使用root身份操作時，有時的一個不注意就可能將非常重要的刪除（最可怕的是 rm -rf /）。而linux不像windows有可以撤銷的回收箱，。所以建議建立普通用戶賬號，在平時的時候以普通用戶身份登錄，只在需要root權限時才通過sudo 臨時提高普通用戶的權限或是通過su - 切換到root用戶，執行完任務后立刻exit。

新建普通用戶，用戶名以example_user 為例

useradd example_user && passwd example_user # 將對應的用戶加入wheel組，wheel組用于sudo權限 usermod -aG wheel example_user

?

2. 創建ssh登錄時進行身份驗證的密鑰對

假設有以下情景，有3臺主機:

• node3? ? ip: 192.168.35.120
• node4? ? ip:? 192.168.35.130
• node5? ? ip: 192.168.35.140

node3上的用戶root 想通過私鑰 有密碼登錄node4,無密碼登錄node5

# 配置密碼登錄 node4 # 產生4096位的rsa密鑰對 [root@node3 .ssh]# ssh-keygen -b 4096 Generating public/private rsa key pair. # 指定存儲路徑 Enter file in which to save the key (/root/.ssh/id_rsa): /root/.ssh/node4_id_rsa Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /root/.ssh/node4_id_rsa. Your public key has been saved in /root/.ssh/node4_id_rsa.pub.# 將公鑰發給node4主機，追加在 root用戶的~/.ssh/authorized_keys文件末尾 [root@node3 .ssh]# ssh-copy-id -i /root/.ssh/node4_id_rsa.pub root@node4 The authenticity of host 'node4 (192.168.35.130)' can't be established. ECDSA key fingerprint is a7:13:be:25:f5:b5:28:1f:ce:42:ea:6d:df:e2:1a:83. Are you sure you want to continue connecting (yes/no)? yes /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys root@node4's password: Number of key(s) added: 1Now try logging into the machine, with: "ssh 'root@node4'" and check to make sure that only the key(s) you wanted were added.# 遠程登錄 [root@node3 .ssh]# ssh -i ~/.ssh/node4_id_rsa root@node4 Enter passphrase for key '/root/.ssh/node4_id_rsa': Last login: Fri Sep 14 23:21:48 2017 from 192.168.35.1# 配置無密碼登錄node5 [root@node3 .ssh]# ssh-keygen -b 4096 Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa): /root/.ssh/node5_id_rsa Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /root/.ssh/node5_id_rsa. Your public key has been saved in /root/.ssh/node5_id_rsa.pub. The key fingerprint is: 05:ef:46:a2:21:f1:26:28:af:bf:81:36:a7:7d:ed:2b root@node3[root@node3 .ssh]# ssh-copy-id -i ~/.ssh/node5_id_rsa.pub root@node5 The authenticity of host 'node5 (192.168.35.140)' can't be established. ECDSA key fingerprint is a7:13:be:25:f5:b5:28:1f:ce:42:ea:6d:df:e2:1a:83. Are you sure you want to continue connecting (yes/no)? yes /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys root@node5's password: Number of key(s) added: 1Now try logging into the machine, with: "ssh 'root@node5'" and check to make sure that only the key(s) you wanted were added.[root@node3 .ssh]# ssh -i ~/.ssh/node5_id_rsa root@node5 Last login: Fri Sep 14 22:45:22 2017 from 192.168.35.1 View Code

?

除了ssh-copy-id,還可以通過下面的方法進行公鑰的上傳

Step1:?通過ssh遠程登錄

ssh 用戶名@ip地址遠程登錄

Step 2:??通過文件上傳工具如filezilla，或是直接通過命令rz(通過yum install lrzsz安裝)上傳公鑰 xxx.pub

Step 3:? 將公鑰以追加的形式寫入authorized_keys文件中（該文件可以記錄多個公鑰信息）

cat xxx.pub >> ~/.ssh/authorized_keys

Step4 : 文件權設置

# chmod 700 ~/.ssh # chdmo 600 ~/.ssh/authorized_keys

?

注意，此時仍能通過密碼進行登錄

[root@node3 .ssh]# ssh root@node4 root@node4's password: Last login: Fri Sep 14 23:30:26 2017 from node3 [root@node4 ~]#

?

3. 修改配置文件，禁止密碼登錄

修改配置文件 /etc/ssh/sshd_config

# 禁止使用root身份進行遠程登錄,建議使用普通用戶身份登錄[可根據實際情況] PermitRootLogin no # 取消密碼驗證登錄 PasswordAuthentication no

然后重啟服務即可

sudo service sshd restart

?

測試效果如下:

# 普通用戶可以通過私鑰登錄 [alex@node3 ~]$ ssh alex@node4 Permission denied (publickey,gssapi-keyex,gssapi-with-mic). [alex@node3 ~]$ ssh -i ~/.ssh/node4_id_rsa alex@node4 Last login: Sat Sep 15 00:38:53 2017 [alex@node4 ~]$ exit logout Connection to node4 closed.[alex@node3 ~]$ su - Password: Last login: Sat Sep 15 00:33:16 CST 2017 on pts/0 # root無法登錄 [root@node3 ~]# ssh root@node4 Permission denied (publickey,gssapi-keyex,gssapi-with-mic). [root@node3 ~]# ssh -i ~/.ssh/node4_id_rsa root@node4 Enter passphrase for key '/root/.ssh/node4_id_rsa': Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

?

參考:

• https://www.linode.com/docs/security/securing-your-server/

?

轉載于:https://www.cnblogs.com/hupeng1234/p/9649261.html

總結

以上是生活随笔為你收集整理的centos7下安全访问远程服务器的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。