Linux RHCE练习之远程连接服务实战

要求

主机一

• 主机名：server.example.com
• ip: 172.25.254.100
• 建立用户timinglee，其密码为timinglee

主机二

• 主机名：client.example.com
• ip: 172.25.254.200

实现

主机一实现

[root@server100 ~]# hostnamectl hostname server.example.com
[root@server100 ~]# hostname
server.example.com
[root@server100 ~]# ifconfig | tr -s " " | grep broadcast | cut -d " " -f3
172.25.254.100
[root@server100 ~]# useradd timinglee
[root@server100 ~]# echo "timinglee" | passwd timinglee --stdin
Changing password for user timinglee.
passwd: all authentication tokens updated successfully.
[root@server100 ~]# tail -1 /etc/passwd
timinglee:x:1001:1001::/home/timinglee:/bin/bash

主机二实现

[root@server200 ~]# hostnamectl hostname client.example.com
[root@server200 ~]# hostname
client.example.com
[root@server200 ~]# ifconfig | tr -s " " | grep broadcast | cut -d " " -f3
172.25.254.200

# 免密登录设置
# 使用非交互式设置，并且指定加密算法为rsa算法
[root@server200 ~]# ssh-keygen -f /root/.ssh/id_rsa -P "" -t rsa
Generating public/private rsa key pair.
Created directory '/root/.ssh'.
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:RhwHxNxgpVwJd39BZUncyKIG2QDKyv5JnxBd7Mjrsu0 root@client.example.com
The key's randomart image is:
+---[RSA 3072]----+
|      .=OX=...+=*|
|   . . ==*+...o+o|
|    o   B. . .. .|
| . . o =  o    . |
|  o . + S.       |
| .   . o         |
|  . o .          |
|   o.* .         |
|    ++E          |
+----[SHA256]-----+

# 查看是否生成公私密钥对
[root@server200 ~]# cd /root/.ssh/
[root@server200 .ssh]# ls
id_rsa  id_rsa.pu

# 向主机一的root账户上传本地公钥
[root@server200 .ssh]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.25.254.100
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '172.25.254.100 (172.25.254.100)' can't be established.
ED25519 key fingerprint is SHA256:7v4Yn0h5gqnR0kmEQJPtc9vLb4JZmmHL7CBz5aqco+o.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@172.25.254.100's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@172.25.254.100'"
and check to make sure that only the key(s) you wanted were added.

# 向主机一的timinglee账户上传本地公钥
[root@server200 .ssh]# ssh-copy-id -i /root/.ssh/id_rsa.pub timinglee@172.25.254.100
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
timinglee@172.25.254.100's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'timinglee@172.25.254.100'"
and check to make sure that only the key(s) you wanted were added.

设置只能root用户和timinglee用户可以被登录

需要在主机一操作

# 修改sshd主配置文件

[root@server ~]# vim /etc/ssh/sshd_config

# 修改内容如下：
PasswordAuthentication yes
# 添加一行内容，添加白名单
allowusers root timinglee

# 重启sshd服务
[root@server ~]# systemctl restart sshd

测试是否可以免密连接

# 查看在主机一root账户中是否存在主机二上传的公钥
[root@server .ssh]# cd /root/.ssh/
[root@server .ssh]# ls
authorized_keys

# 查看在主机一timinglee账户中是否存在主机二上传的公钥
[timinglee@server ~]$ cd /home/timinglee/.ssh/
[timinglee@server .ssh]$ ls
authorized_keys

# root账户直接免密连接100的主机
[root@client ~]# ssh -l root 172.25.254.100
Activate the web console with: systemctl enable --now cockpit.socket

Register this system with Red Hat Insights: insights-client --register
Create an account or view all your systems at https://red.ht/insights-dashboard
Last login: Fri Apr 19 20:57:54 2024 from 172.25.254.1
[root@server ~]#

# timinglee账户直接免密连接100的主机
[root@client ~]# ssh -l timinglee 172.25.254.100
Register this system with Red Hat Insights: insights-client --register
Create an account or view all your systems at https://red.ht/insights-dashboard
Last login: Fri Apr 19 20:58:41 2024
[timinglee@server ~]$s

测试是否只能root用户和timinglee用户可以被登录

# 在主机一添加test用户用来测试
[root@server ~]# useradd test
[root@server ~]# echo "test" | passwd test --stdin
Changing password for user test.
passwd: all authentication tokens updated successfully.

# 在主机二中使用test账户上传公钥至主机一
[root@client ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub test@172.25.254.100
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
test@172.25.254.100's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'test@172.25.254.100'"
and check to make sure that only the key(s) you wanted were added.

# 测试root和timinglee账户是否可以免密登录主机一
[root@client ~]# ssh root@172.25.254.100
Activate the web console with: systemctl enable --now cockpit.socket

Register this system with Red Hat Insights: insights-client --register
Create an account or view all your systems at https://red.ht/insights-dashboard
Last login: Fri Apr 19 21:26:38 2024 from 172.25.254.1
# root账户免密登录成功

# [root@client ~]# ssh timinglee@172.25.254.100
Register this system with Red Hat Insights: insights-client --register
Create an account or view all your systems at https://red.ht/insights-dashboard
Last login: Fri Apr 19 21:01:39 2024 from 172.25.254.200

# timinglee账户免密登录成功

# 测试test测试账户是否可以免密登录主机一

[root@client ~]# ssh test@172.25.254.100
test@172.25.254.100's password:
Permission denied, please try again.
test@172.25.254.100's password:

# test账户免密登录主机一失败，因为设置了sshd白名单，只用在白名单的root和timinglee账户可以免密登录主机一