Chapter 9. Configuring and Securing OpenSSH Service.
- What is the OpenSSH secure shell (SSH)?
The OpenSSH Secure Shell, ssh, is used to securely run a shell on a remote system.
- Secure Shell examples
# ssh remotehost
Connect to the remote machine over an encrypted SSH session
# exit
Close the connection to the remote machine
# ssh remoteuser@remotehost hostname
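Connect to the remote machine over an encrypted SSH session and log in with the remoteuser account
Adding hostname as an argument runs that command on the remote machine and displays its host name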
- SSH host keys
Host IDs (public keys) are stored in ~/.ssh/known_hosts on your local client system.
Host keys are stored in /etc/ssh/ssh_host_key* on the SSH server.
- SSH key-based authentication
Key generation is done using the ssh-keygen command. This generates the private key ~/.ssh/id_rsa and the public key ~/.ssh/id_rsa.pub.
Before key-based authentication can be used, the public key needs to be copied to the destination system. This can be done with ssh-copy-id.
- SSH key demonstration
# ssh-keygen
Create the public and private keys
# ssh-copy-id -i ~/.ssh/id_rsa.pub root@serverX.example.com
Copy the public key to the serverX machine
- The OpenSSH server configuration file
Various aspects of the OpenSSH server can be modified in the configuration file /etc/ssh/sshd_config.
- Prohibit the root user from logging in using SSH
The detailed settings of the sshd server are all kept in /etc/ssh/sshd_config.
A setting with a # in front of it shows the default value, for example:
# PermitRootLogin yes
Whether root is allowed to log in. The default is to allow it; setting it to no is recommended.
Remove the # and change the line to:
PermitRootLogin no
After saving the file, restart the sshd service
# systemctl restart sshd
- Prohibit password authentication using SSH
PasswordAuthentication yes
Password authentication is allowed at login
PasswordAuthentication no
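Password authentication is not allowed at login
Remember: whenever /etc/ssh/sshd_config has been modified,
after saving the file you must restart the sshd service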
# systemctl restart sshd
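
The two sshd_config changes above (PermitRootLogin and PasswordAuthentication) applied by script, as an added example that is not part of the original notes. The helper names set_sshd_option and get_sshd_option are hypothetical and the sample file is constructed; the example goes beyond the notes by handling duplicate lines and Match blocks, because sshd uses the first value it reads for a keyword.

```shell
#!/bin/sh
# Added example; set_sshd_option and get_sshd_option are hypothetical helpers.
# sshd uses the first value it reads for a keyword, so the new line replaces
# the first global occurrence and later global duplicates are dropped.
set_sshd_option() {   # usage: set_sshd_option FILE KEYWORD VALUE
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        function emit() { if (!done) { print key " " value; done = 1 } }
        {
            line = $0
            commented = (line ~ /^[ \t]*#/)
            sub(/^[ \t]*#?[ \t]*/, "", line)    # strip indent and one leading "#"
            sub(/[ \t]+$/, "", line)
            n = split(line, f, /[ \t=]+/)
            word = tolower(f[1])
            # A global keyword must come before the first Match block.
            if (!commented && word == "match") { emit(); in_match = 1 }
            # Replace active lines and "# Keyword value" defaults, not prose comments.
            if (word == tolower(key) && !in_match && (!commented || n == 2)) {
                emit(); next
            }
            print
        }
        END { emit() }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Print the active global value (first uncommented occurrence before any Match).
get_sshd_option() {   # usage: get_sshd_option FILE KEYWORD
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        { sub(/=/, " ") }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Constructed sample file, modelled on the lines quoted in the notes.
cfg=$(mktemp)
printf '%s\n' '# PermitRootLogin yes' 'PasswordAuthentication yes' \
    'Match User backup' '    PasswordAuthentication yes' > "$cfg"
set_sshd_option "$cfg" PermitRootLogin no
set_sshd_option "$cfg" PasswordAuthentication no
cat "$cfg"   # the Match-block override is left in place and needs its own review
rm -f "$cfg"
```

On a real server, run the helper against /etc/ssh/sshd_config, check the result with sshd -t, and then restart sshd as described above.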