FancyKing's WebSite

Things About SSH Security

[TOC]

After changing a configuration file, always restart the corresponding service.

In what follows, it is assumed that the default root user has already been prohibited from logging in.

Never close your current SSH session until you have confirmed that the new configuration works.

Logging in to SSH with an asymmetric key pair

  1. Generate an asymmetric key pair

    ssh-keygen -t ecdsa -b 521 -C "$(whoami)@$(hostname)-$(date -I)"
  2. Add the public key to authorized_keys

    # On the client: upload the public key to the server by any means, for example
    rsync -av /local_path_to/redhat.pub user@remote:/upload_to_path/file_path
    # On the server: create ~/.ssh if needed and append the uploaded key
    # (the path in the cat command must be wherever the upload landed)
    mkdir -p ~/.ssh
    cat ~/.ssh/redhat.pub >> ~/.ssh/authorized_keys
  3. Fix directory and file permissions

    chmod 700 ~/
    chmod 700 ~/.ssh
    chmod 600 ~/.ssh/authorized_keys
  4. Authenticate to SSH with the private key

The server's sshd_config must permit public-key authentication and must allow this user to log in.

Because the key was generated with the ECDSA algorithm, sshd does not need RSAAuthentication enabled.

    ssh -i /path/to/key_file user@remote
  5. Disable password login

Edit the sshd_config file:

    sudo vim /etc/ssh/sshd_config

Change the following settings:

    PasswordAuthentication no
    ChallengeResponseAuthentication no

Two-factor authentication

  1. Before this step, make absolutely sure that public-key login works.
  2. Install Google Authenticator

    sudo dnf install -y google-authenticator
  3. Generate the configuration file

    google-authenticator

This command asks a few questions interactively, summarized here:

  1. Do you want authentication tokens to be time-based (y/n) y
  2. Do you want me to update your "/home/user/.google_authenticator" file (y/n)? y
  3. Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y
  4. By default, tokens are good for 30 seconds. In order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of +-1min (window size of 3) to about +-4min (window size of 17 acceptable tokens).
    Do you want to do so? (y/n) n
  5. If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s.
    Do you want to enable rate-limiting (y/n) y
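As an added illustration of what the prompts above decide (time-based tokens, the 30-second step, the +-1 step window of 3 tokens versus the 17-token window, and rejecting token reuse), the following Python implements the RFC 6238 TOTP check that the PAM module performs on the server. This is example code written for this page, not part of google-authenticator or the original post; the secret and timestamps are the published RFC test vectors, and `verify` with its `window` and `used` parameters are assumed names.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # token lifetime in seconds, as stated by the prompts above
DIGITS = 6   # Google Authenticator codes have 6 digits

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"); a real
# secret is the base32 string stored in ~/.google_authenticator.
TEST_SECRET = b"12345678901234567890"


def secret_from_base32(text):
    """Decode the base32 secret as stored by google-authenticator (padding restored)."""
    text = text.strip().upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, unix_time, step=STEP):
    """RFC 6238 TOTP: HOTP with the counter set to floor(time / step)."""
    return hotp(secret, int(unix_time) // step)


def verify(secret, submitted, unix_time, window=1, used=None):
    """Accept `submitted` if it matches any counter in [now - window, now + window].

    window=1 is the default of 3 acceptable tokens (+-1 step); window=8 is the
    17-token option offered by the fourth prompt. `used`, if given, is a set of
    counters already consumed and implements "disallow multiple uses of the same
    token". Returns the matching counter, or None when the code is rejected.
    """
    now = int(unix_time) // STEP
    for counter in range(now - window, now + window + 1):
        if counter < 0:
            continue
        if hmac.compare_digest(hotp(secret, counter), submitted):
            if used is not None:
                if counter in used:
                    return None  # replay: this token was already accepted once
                used.add(counter)
            return counter
    return None
```

The server only ever compares against a handful of counters around its own clock, which is why the prompt warns that poor time synchronization, not the key, is what breaks logins, and why widening the window trades replay resistance for tolerance of skew.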
  4. Edit the /etc/pam.d/sshd file

    sudo vim /etc/pam.d/sshd

Comment out the following line:

    #auth       substack     password-auth

Append the following line at the end of the file:

    auth sufficient pam_google_authenticator.so
  5. Edit the /etc/ssh/sshd_config file

    sudo vim /etc/ssh/sshd_config

Change the following settings:

    ChallengeResponseAuthentication yes
    PasswordAuthentication no

Append the following line at the end of the file:

    AuthenticationMethods publickey,password publickey,keyboard-interactive

Each space-separated group is an alternative, and every method in a comma-separated group must succeed in order; because PasswordAuthentication is off, only the second alternative (public key first, then the one-time code over keyboard-interactive) can actually succeed.
  6. Restart sshd

    sudo systemctl restart sshd
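The following Python script is an added example, not from the original page, that audits what the two procedures above configure: the sshd_config keywords of the key-only step (PasswordAuthentication and ChallengeResponseAuthentication off) and of the two-factor step (ChallengeResponseAuthentication back on plus the AuthenticationMethods line), and the chmod values applied to the home directory, ~/.ssh and authorized_keys. The two sample configurations, the throw-away home directory and all function names are constructed for this example; settings inside Match blocks are not evaluated.

```python
import os
import stat
import tempfile

# Expected values after "Disable password login" (constructed for this example).
KEY_ONLY = {
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "no",
}

# Expected values after the two-factor steps (constructed for this example).
KEY_PLUS_OTP = {
    "passwordauthentication": "no",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "no",
    "authenticationmethods": "publickey,password publickey,keyboard-interactive",
}

# Constructed sample: a typical distribution default before hardening.
WEAK_CONFIG = """\
PermitRootLogin yes
#PasswordAuthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication no
"""

# Constructed sample: the state after both procedures on this page.
HARDENED_CONFIG = """\
PubkeyAuthentication yes
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,password publickey,keyboard-interactive
Match User backup
    PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Return {keyword_lowercase: value}; sshd honours the first occurrence of a keyword.

    Parsing stops at the first Match line: everything after it is conditional and
    out of scope for this example.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        value = " ".join(parts[1].split()) if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text, expected):
    """Compare the file against an expected mapping; an empty list means it matches."""
    settings = parse_sshd_config(text)
    findings = []
    for key, want in expected.items():
        got = settings.get(key)
        if got is None:
            findings.append(f"{key}: not set explicitly (sshd default applies); expected '{want}'")
        elif got.lower() != want.lower():
            findings.append(f"{key}: is '{got}', expected '{want}'")
    return findings


def audit_ssh_perms(home):
    """Check the modes the page sets (700 / 700 / 600): any group or other bit is a finding."""
    paths = [
        (home, 0o700),
        (os.path.join(home, ".ssh"), 0o700),
        (os.path.join(home, ".ssh", "authorized_keys"), 0o600),
    ]
    findings = []
    for path, want in paths:
        try:
            mode = stat.S_IMODE(os.stat(path).st_mode)
        except FileNotFoundError:
            findings.append(f"{path}: missing")
            continue
        if mode & 0o077:
            findings.append(f"{path}: mode {mode:o} grants group/other access, expected {want:o}")
    return findings


def build_demo_home(authorized_keys_mode=0o600):
    """Constructed fixture: a temporary home laid out like the page's steps 2 and 3."""
    home = tempfile.mkdtemp()
    os.chmod(home, 0o700)
    ssh_dir = os.path.join(home, ".ssh")
    os.mkdir(ssh_dir)
    os.chmod(ssh_dir, 0o700)
    authorized_keys = os.path.join(ssh_dir, "authorized_keys")
    with open(authorized_keys, "w") as fh:
        fh.write("ecdsa-sha2-nistp521 AAAA-constructed-placeholder user@host\n")
    os.chmod(authorized_keys, authorized_keys_mode)
    return home
```

To audit a live server, read /etc/ssh/sshd_config into `audit_sshd_config` with whichever mapping matches the stage you have reached and pass the user's real home directory to `audit_ssh_perms`; a finding on authorized_keys permissions is the usual reason StrictModes silently refuses an otherwise valid key.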
