Secure access to remote servers on CentOS 7

Published: 2024/8/26

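1. Add a regular account

As is well known, root on Linux has the highest privileges and can run any command. When working as root, a moment of inattention can delete something very important (the most frightening case being rm -rf /), and Linux, unlike Windows, has no recycle bin to undo from. It is therefore recommended to create a regular user account and log in as that user for everyday work. Only when root privileges are needed, either raise the regular user's privileges temporarily with sudo or switch to root with su -, and exit immediately after the task is done.

Create a regular user; the user name example_user is used here as an example:

    useradd example_user && passwd example_user
    # Add the user to the wheel group, which is used for sudo privileges
    usermod -aG wheel example_user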

2. Create the key pairs used for authentication at SSH login

Assume the following scenario with 3 hosts:

  • node3    ip: 192.168.35.120
  • node4    ip: 192.168.35.130
  • node5    ip: 192.168.35.140

The user root on node3 wants to use private keys to log in to node4 with a passphrase and to node5 without one.

    # Set up login to node4 with a passphrase-protected key
    # Generate a 4096-bit RSA key pair
    [root@node3 .ssh]# ssh-keygen -b 4096
    Generating public/private rsa key pair.
    # Specify where to store the key
    Enter file in which to save the key (/root/.ssh/id_rsa): /root/.ssh/node4_id_rsa
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /root/.ssh/node4_id_rsa.
    Your public key has been saved in /root/.ssh/node4_id_rsa.pub.

    # Send the public key to node4, appending it to the end of root's ~/.ssh/authorized_keys
    [root@node3 .ssh]# ssh-copy-id -i /root/.ssh/node4_id_rsa.pub root@node4
    The authenticity of host 'node4 (192.168.35.130)' can't be established.
    ECDSA key fingerprint is a7:13:be:25:f5:b5:28:1f:ce:42:ea:6d:df:e2:1a:83.
    Are you sure you want to continue connecting (yes/no)? yes
    /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
    /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
    root@node4's password:

    Number of key(s) added: 1

    Now try logging into the machine, with: "ssh 'root@node4'"
    and check to make sure that only the key(s) you wanted were added.

    # Log in remotely
    [root@node3 .ssh]# ssh -i ~/.ssh/node4_id_rsa root@node4
    Enter passphrase for key '/root/.ssh/node4_id_rsa':
    Last login: Fri Sep 14 23:21:48 2017 from 192.168.35.1

    # Set up login to node5 with a key that has no passphrase
    [root@node3 .ssh]# ssh-keygen -b 4096
    Generating public/private rsa key pair.
    Enter file in which to save the key (/root/.ssh/id_rsa): /root/.ssh/node5_id_rsa
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /root/.ssh/node5_id_rsa.
    Your public key has been saved in /root/.ssh/node5_id_rsa.pub.
    The key fingerprint is:
    05:ef:46:a2:21:f1:26:28:af:bf:81:36:a7:7d:ed:2b root@node3

    [root@node3 .ssh]# ssh-copy-id -i ~/.ssh/node5_id_rsa.pub root@node5
    The authenticity of host 'node5 (192.168.35.140)' can't be established.
    ECDSA key fingerprint is a7:13:be:25:f5:b5:28:1f:ce:42:ea:6d:df:e2:1a:83.
    Are you sure you want to continue connecting (yes/no)? yes
    /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
    /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
    root@node5's password:

    Number of key(s) added: 1

    Now try logging into the machine, with: "ssh 'root@node5'"
    and check to make sure that only the key(s) you wanted were added.

    [root@node3 .ssh]# ssh -i ~/.ssh/node5_id_rsa root@node5
    Last login: Fri Sep 14 22:45:22 2017 from 192.168.35.1

Besides ssh-copy-id, the public key can also be uploaded as follows:

Step 1: Log in remotely over ssh

    ssh username@ip_address

Step 2: Upload the public key xxx.pub with a file transfer tool such as FileZilla, or directly with the rz command (installed with yum install lrzsz)

Step 3: Append the public key to the authorized_keys file (this file can hold multiple public keys)

    cat xxx.pub >> ~/.ssh/authorized_keys

Step 4: Set the file permissions

    # chmod 700 ~/.ssh
    # chmod 600 ~/.ssh/authorized_keys
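Steps 3 and 4 as one repeatable function, as an added example that is not part of the original post. The name install_pubkey and its arguments are hypothetical; it refuses a file that is not a single public-key line (for example a private key uploaded by mistake) and does not append a key that is already listed.

```shell
#!/bin/sh
# Added example (not from the original post). install_pubkey is a hypothetical
# helper: it appends one public key to authorized_keys at most once and
# enforces the permissions from Step 4.
# usage: install_pubkey xxx.pub [ssh-dir]   (ssh-dir defaults to ~/.ssh)
install_pubkey() {
    pubfile=$1
    sshdir=${2:-$HOME/.ssh}
    auth=$sshdir/authorized_keys

    [ -r "$pubfile" ] || { echo "cannot read $pubfile" >&2; return 2; }
    # Exactly one non-blank line, starting with a public-key type.
    # A private key ("-----BEGIN ...", several lines) fails both checks.
    n=$(grep -c '[^[:space:]]' "$pubfile" || true)
    [ "$n" -eq 1 ] || { echo "expected exactly one key line" >&2; return 2; }
    key=$(grep '[^[:space:]]' "$pubfile")
    case $key in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-nistp*\ *) ;;
        *) echo "not an OpenSSH public key line" >&2; return 2 ;;
    esac
    blob=$(printf '%s\n' "$key" | awk '{print $2}')
    [ -n "$blob" ] || { echo "key material missing" >&2; return 2; }

    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # Match on the base64 key material only, so a different comment or an
    # options prefix on the existing line still counts as the same key.
    if grep -qF -- "$blob" "$auth"; then
        return 0
    fi
    # Start on a fresh line even if the file lacks a trailing newline.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        printf '\n' >> "$auth"
    fi
    printf '%s\n' "$key" >> "$auth"
}
```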

Note that at this point it is still possible to log in with a password:

    [root@node3 .ssh]# ssh root@node4
    root@node4's password:
    Last login: Fri Sep 14 23:30:26 2017 from node3
    [root@node4 ~]#

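3. Edit the configuration file to disable password login

Edit the configuration file /etc/ssh/sshd_config:

    # Forbid remote login as root; logging in as a regular user is recommended [adjust to your situation]
    PermitRootLogin no
    # Disable password authentication
    PasswordAuthentication no

Then restart the service: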

    sudo service sshd restart
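A check for the two settings above, as an added example that is not part of the original post. sshd uses the first value it reads for each keyword, so a `PasswordAuthentication no` appended below an existing `PasswordAuthentication yes` has no effect; the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post); function names are hypothetical.
# Prints the value sshd would use globally for one keyword: the FIRST
# occurrence wins, keywords are case-insensitive, comment lines are ignored,
# and everything from the first Match line on applies only conditionally.
# usage: sshd_effective Keyword [config-file]
sshd_effective() {
    awk -v want="$1" '
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(want) { print $2; exit }
    ' "${2:-/etc/ssh/sshd_config}"
}

# Returns 0 only if both settings from this section are actually in effect.
audit_sshd() {
    cfg=${1:-/etc/ssh/sshd_config}
    rc=0
    for kw in PermitRootLogin PasswordAuthentication; do
        val=$(sshd_effective "$kw" "$cfg")
        if [ "$val" = no ]; then
            echo "OK   $kw no"
        else
            echo "FAIL $kw ${val:-<unset, built-in default applies>}"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the new line was appended below an existing "yes",
# so password login is still enabled.
demo_cfg() {
    cat <<'EOF'
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
# appended later by hand:
PasswordAuthentication no
EOF
}
```

On the server itself, `sshd -t` checks the file for syntax errors before the restart and `sshd -T` prints the configuration sshd actually resolves. Keep the current session open until a new key-based login has been confirmed.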

The result of testing is as follows:

    # A regular user can log in with the private key
    [alex@node3 ~]$ ssh alex@node4
    Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
    [alex@node3 ~]$ ssh -i ~/.ssh/node4_id_rsa alex@node4
    Last login: Sat Sep 15 00:38:53 2017
    [alex@node4 ~]$ exit
    logout
    Connection to node4 closed.
    [alex@node3 ~]$ su -
    Password:
    Last login: Sat Sep 15 00:33:16 CST 2017 on pts/0
    # root cannot log in
    [root@node3 ~]# ssh root@node4
    Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
    [root@node3 ~]# ssh -i ~/.ssh/node4_id_rsa root@node4
    Enter passphrase for key '/root/.ssh/node4_id_rsa':
    Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

Reference:

  • https://www.linode.com/docs/security/securing-your-server/


Reposted from: https://www.cnblogs.com/hupeng1234/p/9649261.html
