SSH安全那些事儿
[TOC]
在更改配置文件后,都要重启相应的服务
在下文中,默认的 root 用户已经被禁止登录
除非已经确认新的配置生效,否则请永远不要关闭当前 SSH 窗口
使用非对称密钥登录SSH
生成非对称密钥
ssh-keygen -t ecdsa -b 521 -C "$(whoami)@$(hostname)-$(date -I)"
将公钥文件加入 authorized_keys
# 通过任何方式上传公钥到服务器 rsync -av /local_path_to/redhat.pub user@remote:/upload_to_path/file_path mkdir -p ~/.ssh cat ~/.ssh/redhat.pub >> ~/.ssh/authorized_keys
更改文件夹权限
chmod 700 ~/ chmod 700 ~/.ssh chmod 600 ~/.ssh/authorized_keys
- 使用私钥进行SSH认证
服务器 sshd_config 文件应设置为允许密钥登陆且允许该用户登录
由于生成密钥时指定了算法为 ECDSA,所以 sshd 可以不开启 RSAAuthentication
ssh -i /path/to/key_file user@remote
- 禁止使用密码登录
修改 sshd_config
文件
sudo vim /etc/ssh/sshd_config
更改下述属性值
PasswordAuthentication
选项更改为 no
ChallengeResponseAuthentication
选项更改为 no
双因素认证
- 在此步之前请务必确保公钥登陆方式生效
安装
Google Authenticator
sudo dnf install -y google-authenticator
生成配置文件
google-authenticator
此命令会交互式的询问几个问题,简记如下:
- Do you want authentication tokens to be time-based (y/n) y
- Do you want me to update your "/home/user/.google_authenticator" file (y/n)?y
- Do you want to disallow multiple uses of the same authentication token?This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n)** y
- By default, tokens are good for 30 seconds. In order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of +-1min (window size of 3) to about +-4min (window size of 17 acceptable tokens).
Do you want to do so?(y/n)** n- If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
编辑
/etc/pam.d/sshd
文件sudo vim /etc/pam.d/sshd
注释如下行
#auth substack password-auth
文件尾追加如下行
auth sufficient pam_google_authenticator.so
编辑
/etc/ssh/sshd_config
文件sudo vim /etc/ssh/sshd_config
更改下述属性值
ChallengeResponseAuthentication yes
PasswordAuthentication no
文件尾追加如下行
AuthenticationMethods publickey,password publickey,keyboard-interactive
重启
sshd
sudo systemctl restart sshd