SSH Usage Optimization

Published on 2019-05-22, 447 views


sudo vi /etc/ssh/sshd_config

[title]I. Speed optimization[/title]
1. Disable DNS lookups

UseDNS no

2. Disable GSSAPI authentication

GSSAPIAuthentication yes => GSSAPIAuthentication no

[title]II. Security hardening[/title]
1. Change the port

Port 22011

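2. Disable root SSH login

# Use with caution: confirm a non-root account with sudo can log in first
PermitRootLogin no

3. Disable empty-password login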

PermitEmptyPasswords no

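4. Key-based login without a password
Disable password login

# Use with caution: confirm key-based login works before disabling passwords
PasswordAuthentication no

Enable key-based login

      # RSAAuthentication applies to SSH protocol 1 only; recent OpenSSH releases treat it as deprecated
      RSAAuthentication yes
      # StrictModes no turns off sshd's ownership and permission checks on the home directory and key files (the default is yes)
      StrictModes no
      PubkeyAuthentication yes
      AuthorizedKeysFile      .ssh/authorized_keys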

Generate the SSH key pair on the client. For safety, set a passphrase on the key.

      $ cd && sudo mkdir .ssh
      $ sudo chown ysyy-it .ssh
      $ ssh-keygen -t rsa
      Generating public/private rsa key pair.
      Enter file in which to save the key (/home/ysyy-it/.ssh/id_rsa):  
      Enter passphrase (empty for no passphrase):  <key passphrase>
      Enter same passphrase again:  <key passphrase>
      Your identification has been saved in /home/ysyy-it/.ssh/id_rsa.
      Your public key has been saved in /home/ysyy-it/.ssh/id_rsa.pub.
      The key fingerprint is:
      SHA256:F2pRuTGwe9N6AaLJgJikbHcMY7Z03YT7wSvN6DSWOCY ysyy-it@jiar-test
      The key's randomart image is:
      +---[RSA 2048]----+
      | . * .. =o..      |
      |+o+.*  o ++       |
      |+o.o.o  * o+      |
      |. . .o + B.+      |
      |      = S * o     |
      |   E + O B o .    |
      |    o = o . .     |
      |       .   .      |
      |                  |
      +----[SHA256]-----+

Copy the public key to the server

.ssh/authorized_keys


Client:

vi /home/ysyy-it/.ssh/id_rsa.pub

Server:

cd && mkdir .ssh

Paste it into:

 vi .ssh/authorized_keys

Restart sshd

 sudo systemctl restart sshd

Test
Client

[ysyy-it@jiar-test ~]$ ssh itadmin@172.18.119.30
Enter passphrase for key '.ssh/id_rsa':  <key passphrase>
Last login: Wed May 22 20:28:56 2019 from 10.10.18.31
[itadmin@confluence-T ~]$ 
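
An added example (not from the original post): a shell function that audits the global section of an sshd_config against the settings from section II, so mistakes are caught before sshd is restarted. It assumes `StrictModes yes` as the expected value, does not follow `Include` files or evaluate `Match` blocks, and the names `audit_sshd_config` and `page_sample` are made up for this example.

```shell
# Added example, not the author's code. Expected values follow section II of this
# page, except StrictModes, which this example expects to be "yes" (an assumption).
audit_sshd_config() {
    awk '
    BEGIN {
        want["usedns"] = "no";                 want["gssapiauthentication"] = "no"
        want["permitrootlogin"] = "no";        want["permitemptypasswords"] = "no"
        want["passwordauthentication"] = "no"; want["pubkeyauthentication"] = "yes"
        want["strictmodes"] = "yes"
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # full-line comments and blank lines
    {
        if ($0 ~ /[ \t]\/\//) {                # sshd does not treat // as a comment
            printf "FAIL line %d: trailing // text is not a comment, use #\n", NR; bad++
        }
        if ($0 ~ /^[ \t]*[A-Za-z0-9]+[ \t]*=/) sub(/=/, " ")   # Keyword=value form
        key = tolower($1); val = tolower($2)
        if (key == "match") exit               # stop at conditional blocks, run END
        if (key == "rsaauthentication")
            printf "WARN line %d: RSAAuthentication is an SSH protocol 1 option\n", NR
        if (!(key in seen)) seen[key] = val    # sshd keeps the first value it reads
    }
    END {
        for (k in want) {
            if (!(k in seen)) printf "WARN %s not set, built-in default applies\n", k
            else if (seen[k] != want[k]) {
                printf "FAIL %s is %s, expected %s\n", k, seen[k], want[k]; bad++
            }
        }
        exit (bad > 0)
    }' "${1:--}"
}

# Constructed sample: this page's directives, with // trailing notes and
# StrictModes no included as the failure cases.
page_sample() {
    cat <<'EOF'
UseDNS no
GSSAPIAuthentication no
PermitRootLogin no //use with caution
PermitEmptyPasswords no
PasswordAuthentication no  //use with caution
RSAAuthentication yes
StrictModes no
PubkeyAuthentication yes
EOF
}

# Audit the file given as $1, or the constructed sample when run without arguments.
if [ "$#" -gt 0 ]; then audit_sshd_config "$1"; else page_sample | audit_sshd_config || true; fi
```

On a live host, `sudo sshd -t` checks the file's syntax and `sudo sshd -T` prints the effective configuration, including any `Include` files.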

[title]III. Access optimization[/title]

vim .ssh/config

Host cf
    HostName 172.18.119.30
    User itadmin
    # Must match the Port value in the server's sshd_config
    Port 22

chmod 600 ~/.ssh/config   # restrict permissions

Test
Client

[ysyy-it@jiar-test ~]$ ssh cf
Enter passphrase for key '/home/ysyy-it/.ssh/id_rsa':  
Last failed login: Wed May 22 22:43:17 CST 2019 from 10.10.18.31 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Wed May 22 22:41:06 2019 from 172.18.119.34
[itadmin@confluence-T ~]$ 
