Issuing certificates from a private CA, and using SSH

2021-03-21  沐熙一叶_Leaf

1. Create a private CA and request a certificate from it.

#1 Create the CA directory layout and database files. The paths match dir = /etc/pki/CA in /etc/pki/tls/openssl.cnf, which openssl ca reads by default; index.txt is the issuance database and serial holds the next serial number (starting at 01 is fine for a lab CA, but it makes serials predictable; a random starting value is better)
[root@centos7 ~]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}
[root@centos7 ~]# touch /etc/pki/CA/index.txt
[root@centos7 ~]# echo 01 > /etc/pki/CA/serial

#2 Create the CA private key. umask 066 gives the file mode 0600, so only root can read it; genrsa stores the key unencrypted, so the file itself is the whole secret of the CA
[root@centos7 ~]# cd /etc/pki/CA/
[root@centos7 CA]# (umask 066; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.....+++
.............................+++
e is 65537 (0x10001)

#3 Issue the CA its self-signed root certificate, valid for 10 years. Without -config, req reads /etc/pki/tls/openssl.cnf and, because of -x509, applies its v3_ca section, which is where the CA:TRUE basic constraint and the key identifiers in the output below come from
[root@centos7 CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:zhejiang
Locality Name (eg, city) [Default City]:hangzhou
Organization Name (eg, company) [Default Company Ltd]:yezeng
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:ca.yezeng.org
Email Address []:1787183478@qq.com

[root@centos7 CA]# openssl x509 -in /etc/pki/CA/cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            83:49:30:59:17:bb:ed:48
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=zhejiang, L=hangzhou, O=yezeng, OU=devops, CN=ca.yezeng.org/emailAddress=1787183478@qq.com
        Validity
            Not Before: Mar 20 14:00:49 2021 GMT
            Not After : Mar 18 14:00:49 2031 GMT
        Subject: C=CN, ST=zhejiang, L=hangzhou, O=yezeng, OU=devops, CN=ca.yezeng.org/emailAddress=1787183478@qq.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:eb:17:fb:ed:0d:b5:75:f6:d8:3b:10:c1:ef:58:
                    8a:09:b6:58:f0:34:0f:52:cd:88:de:4e:c6:6e:b3:
                    3e:cc:a7:ed:b9:55:d4:37:25:cc:35:2b:6a:cc:df:
                    2f:72:0c:92:35:42:82:c0:b5:3b:a5:80:e3:23:4e:
                    cc:a0:af:5a:3b:0a:6a:96:45:6b:4a:66:27:a9:8f:
                    38:28:06:9c:e0:b9:2f:04:50:ae:ff:3c:56:fd:04:
                    89:7e:6a:ef:b6:2d:b6:7c:6f:54:49:23:3a:9a:68:
                    19:8e:55:7e:f0:3d:59:a4:5d:a8:a0:de:25:ef:a9:
                    67:db:59:40:c1:b2:95:97:86:bd:85:f0:dc:de:10:
                    ec:6f:87:9f:03:fe:de:f0:42:79:ee:6a:ad:e4:d7:
                    dc:6b:78:4c:e9:a2:50:88:f9:b0:ea:50:da:0f:0f:
                    ea:6c:c8:2e:0a:dd:cf:d2:41:fc:f4:f1:1c:35:bd:
                    9b:98:2e:0c:fe:b8:04:f1:b3:3c:d4:ec:b1:93:7b:
                    b2:f3:ee:cc:e0:70:e6:b6:8a:b3:0c:58:5a:d7:59:
                    9c:94:50:9c:d2:80:f3:dc:55:3e:59:df:44:c6:d3:
                    67:84:5d:83:13:e5:75:06:df:52:99:1e:59:02:91:
                    f1:f7:b3:49:cd:55:b5:36:57:4e:20:df:45:5a:d0:
                    9b:ef
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                15:F6:21:72:57:80:ED:79:61:51:51:30:44:92:B2:BF:E2:22:CC:F7
            X509v3 Authority Key Identifier: 
                keyid:15:F6:21:72:57:80:ED:79:61:51:51:30:44:92:B2:BF:E2:22:CC:F7

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         14:50:f6:e2:df:d4:f3:cc:3e:d0:98:b4:64:24:62:4b:f2:26:
         63:54:8f:bf:9c:d1:60:84:1e:9a:2b:c5:9c:f2:e0:73:10:66:
         79:76:65:e1:af:ee:6f:ff:0f:98:8f:05:99:83:ab:b1:af:14:
         53:e1:8a:76:1a:ed:73:90:bb:5e:69:cd:31:31:2b:f6:40:38:
         df:b1:f6:52:4f:aa:ac:57:1e:6f:03:79:98:6d:be:ea:8f:b3:
         c1:49:79:51:fb:2d:59:bb:91:b8:09:a0:d8:52:82:b6:e8:e6:
         e9:df:d4:06:b8:9f:c1:30:0f:fb:ec:6d:48:e4:51:dd:47:2d:
         4e:82:c3:ea:5d:ca:4d:a4:35:0d:57:09:18:1e:d5:cb:d9:fd:
         65:93:fd:f6:38:37:d0:90:94:1f:5c:78:fa:9c:0c:6d:5b:2b:
         19:e3:93:08:05:93:88:f9:3e:66:67:db:bb:c7:5d:6b:84:6d:
         71:77:01:8a:2e:0e:07:0a:61:f4:8d:08:98:bb:79:ca:72:bf:
         bb:25:53:44:59:53:89:1d:7d:f6:03:d0:cf:35:fa:9f:e8:aa:
         cd:c5:69:c0:e6:55:0e:90:99:a5:ac:97:d5:8d:ec:94:03:16:
         f4:d0:03:42:c2:99:49:ed:7a:1d:e9:ab:3f:74:5c:dd:a7:c5:
         56:db:e6:51

#4 The applicant generates a private key and a certificate signing request (CSR). The CSR carries the public key and the requested subject and is signed with the private key; only the CSR goes to the CA, the key stays in /data/app1 (mode 0600 thanks to the umask). The challenge password can be left empty
[root@centos7 CA]# cd
[root@centos7 ~]# mkdir -p /data/app1
[root@centos7 ~]# (umask 066; openssl genrsa -out /data/app1/app1.key 2048)
Generating RSA private key, 2048 bit long modulus
...........+++
.........................................................+++
e is 65537 (0x10001)
[root@centos7 ~]# openssl req -new -key /data/app1/app1.key -out /data/app1/app1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:zhejiang
Locality Name (eg, city) [Default City]:hangzhou
Organization Name (eg, company) [Default Company Ltd]:yezeng
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:app1.yezeng.org
Email Address []:1787183478@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@centos7 ~]# ll /data/app1/
total 8
-rw-r--r--. 1 root root 1058 Mar 20 22:06 app1.csr
-rw-------. 1 root root 1675 Mar 20 22:04 app1.key

#5 The CA signs the CSR. openssl ca reads /etc/pki/tls/openssl.cnf and applies its policy_match section: C, ST and O must equal the CA's own values, CN is required, OU and emailAddress are copied if present. localityName is not listed in that policy, so the L=hangzhou entered in the CSR is silently dropped, which is why the Subject below has no L component. -days 1000 overrides default_days; the signed certificate is also stored as newcerts/<serial>.pem and recorded in index.txt
[root@centos7 ~]# openssl ca -in /data/app1/app1.csr -out /data/app1/app1.crt -days 1000
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Mar 20 14:10:12 2021 GMT
            Not After : Dec 15 14:10:12 2023 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = zhejiang
            organizationName          = yezeng
            organizationalUnitName    = it
            commonName                = app1.yezeng.org
            emailAddress              = 1787183478@qq.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                30:84:20:A9:D2:6C:A1:49:70:FE:2B:15:97:3F:23:8A:6E:13:57:8D
            X509v3 Authority Key Identifier: 
                keyid:15:F6:21:72:57:80:ED:79:61:51:51:30:44:92:B2:BF:E2:22:CC:F7

Certificate is to be certified until Dec 15 14:10:12 2023 GMT (1000 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

[root@centos7 ~]# tree /data/app1/
/data/app1/
├── app1.crt
├── app1.csr
└── app1.key

0 directories, 3 files

#6 Inspect the certificate. openssl ca writes a human-readable dump followed by the PEM block (use -notext to get PEM only), so cat shows both. The extensions come from the usr_cert section of openssl.cnf: CA:FALSE, key identifiers, and no subjectAltName. Browsers have ignored the CN for hostname matching since 2017 and reject a certificate without a SAN, so a server certificate for app1.yezeng.org needs a subjectAltName extension added at signing time
[root@centos7 ~]# cat /data/app1/app1.crt 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=zhejiang, L=hangzhou, O=yezeng, OU=devops, CN=ca.yezeng.org/emailAddress=1787183478@qq.com
        Validity
            Not Before: Mar 20 14:10:12 2021 GMT
            Not After : Dec 15 14:10:12 2023 GMT
        Subject: C=CN, ST=zhejiang, O=yezeng, OU=it, CN=app1.yezeng.org/emailAddress=1787183478@qq.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c0:58:d7:96:ce:04:82:7f:a5:b9:bf:36:3f:60:
                    59:df:ff:42:62:5a:5e:b2:c8:29:d5:9c:cb:ec:f5:
                    88:fa:6d:90:36:64:8d:4d:5e:d3:e2:00:4a:e0:98:
                    d3:79:69:ae:49:60:d3:41:b5:bd:79:5a:22:d8:9f:
                    3e:c1:75:ed:b2:8b:ba:17:7d:a2:09:cb:8e:18:6b:
                    5b:fb:a6:41:d4:1b:57:2d:81:58:fc:7e:06:d7:b1:
                    a2:28:4b:ec:b5:b8:7a:09:c3:72:62:79:95:e3:99:
                    88:0a:a5:72:05:43:64:5b:56:ed:20:07:02:26:53:
                    93:7a:8a:29:9f:a6:9c:a5:49:0e:a9:82:1e:a4:e3:
                    1e:49:28:35:31:c7:12:66:a9:ec:f9:bc:a4:47:14:
                    81:c2:77:b5:c3:05:35:e2:24:82:b4:93:51:78:6f:
                    96:0e:c4:cd:cb:a4:c0:ff:26:38:5d:d7:ab:b9:48:
                    21:59:43:e7:5e:c8:71:ee:6c:f9:73:fb:83:27:91:
                    ab:eb:81:e3:46:21:98:2f:a7:0e:76:c6:89:54:fe:
                    12:ab:03:bb:6c:07:33:d4:f8:99:60:dc:63:94:d3:
                    bb:65:80:09:31:b9:94:c9:c4:ef:1d:39:20:f4:f0:
                    73:0b:e7:fa:71:fd:fd:f9:16:c7:eb:0d:bd:3a:c1:
                    82:ab
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                30:84:20:A9:D2:6C:A1:49:70:FE:2B:15:97:3F:23:8A:6E:13:57:8D
            X509v3 Authority Key Identifier: 
                keyid:15:F6:21:72:57:80:ED:79:61:51:51:30:44:92:B2:BF:E2:22:CC:F7

    Signature Algorithm: sha256WithRSAEncryption
         7a:3b:3d:8d:28:94:bf:e3:3d:19:05:a6:7d:b0:54:af:80:c5:
         47:36:ea:7f:5d:2e:5d:0e:61:e2:30:d4:9a:82:fd:41:51:bc:
         7b:76:8e:07:5b:0e:f4:cc:13:a8:b8:17:fe:69:bb:73:de:6b:
         0e:71:9d:56:f9:79:8f:16:75:49:97:b9:84:d1:22:77:08:6a:
         60:49:63:b3:ca:f0:11:23:35:98:5e:b1:1e:67:02:dc:79:a9:
         74:1e:7c:14:4a:58:23:2d:49:29:12:79:f5:47:ee:af:20:34:
         ab:ea:fc:2f:d4:6e:89:4a:d7:9e:1c:8f:04:9c:00:e8:09:4c:
         a5:fc:59:eb:bb:04:05:84:25:89:7b:38:1b:2d:23:dc:04:fe:
         24:71:63:ce:2e:c9:2d:14:7c:2f:93:b6:80:bb:7b:89:44:43:
         74:0d:d2:27:d7:1a:b9:4f:88:97:d2:05:e1:02:f7:dc:c7:60:
         d6:48:55:09:5d:15:48:6d:36:2f:c4:1a:2e:f3:0c:8e:6d:ff:
         c3:4b:cf:06:46:83:dd:b4:fd:cf:41:df:f9:cb:2e:2d:6e:75:
         a8:15:76:6e:42:a6:07:5b:cf:34:07:5a:d2:f3:61:28:bc:16:
         2c:1a:9e:ac:a5:c6:c7:29:81:d6:72:b7:a3:0d:fd:b1:61:dc:
         f2:b8:10:b7
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

[root@centos7 ~]# openssl x509 -in /data/app1/app1.crt -noout -issuer
issuer= /C=CN/ST=zhejiang/L=hangzhou/O=yezeng/OU=devops/CN=ca.yezeng.org/emailAddress=1787183478@qq.com
[root@centos7 ~]# openssl x509 -in /data/app1/app1.crt -noout -subject
subject= /C=CN/ST=zhejiang/O=yezeng/OU=it/CN=app1.yezeng.org/emailAddress=1787183478@qq.com
[root@centos7 ~]# openssl x509 -in /data/app1/app1.crt -noout -dates
notBefore=Mar 20 14:10:12 2021 GMT
notAfter=Dec 15 14:10:12 2023 GMT
[root@centos7 ~]# openssl x509 -in /data/app1/app1.crt -noout -serial
serial=01

#7 Revoke the certificate. openssl ca keeps a copy of every certificate it issues in newcerts/, named after the serial number (01.pem here), so revocation does not need the applicant's file. -revoke marks the entry R in index.txt together with the revocation time; on its own this tells clients nothing until a CRL is generated (step 8) and distributed
[root@centos7 ~]# openssl ca -revoke /etc/pki/CA/newcerts/01.pem 
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
[root@centos7 ~]# openssl ca -status 01
Using configuration from /etc/pki/tls/openssl.cnf
01=Revoked (R)
[root@centos7 ~]# cat /etc/pki/CA/index.txt
R   231215141012Z   210320142847Z   01  unknown /C=CN/ST=zhejiang/O=yezeng/OU=it/CN=app1.yezeng.org/emailAddress=1787183478@qq.com

#8 Generate the certificate revocation list (CRL). The first attempt fails because /etc/pki/CA/crlnumber, the counter for the CRL Number extension, does not exist yet; once it is created the CRL is produced and the counter advances to 02. The CRL is only valid until its Next Update (30 days, default_crl_days), so it must be regenerated and republished at least that often
[root@centos7 ~]# openssl ca -gencrl -out /etc/pki/CA/crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/crlnumber: No such file or directory
error while loading CRL number
139626724661136:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/crlnumber','r')
139626724661136:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
[root@centos7 ~]# echo 01 > /etc/pki/CA/crlnumber
[root@centos7 ~]# openssl ca -gencrl -out /etc/pki/CA/crl.pem 
Using configuration from /etc/pki/tls/openssl.cnf
[root@centos7 ~]# cat /etc/pki/CA/crlnumber
02
[root@centos7 ~]# openssl crl -in /etc/pki/CA/crl.pem -noout -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /C=CN/ST=zhejiang/L=hangzhou/O=yezeng/OU=devops/CN=ca.yezeng.org/emailAddress=1787183478@qq.com
        Last Update: Mar 20 14:35:15 2021 GMT
        Next Update: Apr 19 14:35:15 2021 GMT
        CRL extensions:
            X509v3 CRL Number: 
                1
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Mar 20 14:28:47 2021 GMT
    Signature Algorithm: sha256WithRSAEncryption
         9d:c8:d8:36:a9:80:5c:99:5c:36:40:f2:6c:b8:b8:07:91:ef:
         11:ea:a3:65:59:4a:a6:f4:30:22:13:72:f9:f5:03:6e:80:92:
         e1:0a:6f:e3:c8:17:03:dd:08:b5:9b:db:e8:2e:48:f4:25:46:
         b7:1e:05:b9:71:7a:43:f8:f3:32:61:dc:5c:d6:bf:50:8c:68:
         0b:05:f6:ca:45:cb:c6:a2:ce:69:3e:2e:b4:56:57:1d:8f:d9:
         ba:60:4f:8e:74:09:f0:15:02:0a:4b:a6:06:d5:89:aa:93:9e:
         23:8d:c3:64:fa:ac:ed:b3:12:c1:b6:61:a5:7b:29:ba:3b:f2:
         bc:04:81:31:71:05:7b:81:40:ef:de:54:2e:3c:05:bf:82:9c:
         0f:b0:f1:14:72:01:68:96:19:56:23:b3:93:93:0f:13:dd:bc:
         e1:19:ef:f2:e1:c4:e3:02:28:14:16:68:13:cc:a4:5c:c9:e5:
         a9:74:ea:6f:a7:fc:ba:98:f0:c7:3d:f0:35:07:00:00:1a:19:
         b7:e7:1c:43:de:68:be:45:c9:6c:20:bd:68:d4:98:7e:b4:69:
         eb:b7:ef:e1:67:c9:72:39:9a:c9:47:e4:2f:db:5b:5f:06:20:
         65:f2:15:2e:7d:7d:ed:69:77:5b:45:37:d6:30:75:f0:9c:05:
         27:82:d8:73
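The whole procedure of steps 1 to 8 as one script, added here as an example (an editor's script, not code from the original post): it runs non-interactively in a scratch directory with its own minimal openssl.cnf, so /etc/pki/CA is untouched, starts from a random serial, gives the server certificate the subjectAltName the post's certificate lacks, and closes the loop the post stops short of by verifying the issued certificate against the CA and then against the CRL after revocation. Directory layout, file names and the DNs (ca.yezeng.org, app1.yezeng.org) are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (editor's script, not from the original post): steps 1-8 run
# non-interactively in a scratch directory with a minimal openssl.cnf, so
# /etc/pki/CA is never touched. Hostnames and DNs are made up.
set -eu

# build_ca DIR: layout, key and self-signed root (steps 1-3). Unlike the post:
# random 64-bit starting serial instead of "01", keyUsage on the root, and a
# policy that keeps only the CSR's commonName.
build_ca() {
    dir=$1
    mkdir -p "$dir/newcerts" "$dir/private" && chmod 700 "$dir/private"
    : > "$dir/index.txt"
    openssl rand -hex 8 > "$dir/serial"
    echo 01 > "$dir/crlnumber"                 # step 8 failed without this file
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_cn
[ policy_cn ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
    (umask 077; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$dir/openssl.cnf" -key "$dir/private/cakey.pem" \
        -days 3650 -subj "/C=CN/O=yezeng/CN=ca.yezeng.org" -out "$dir/cacert.pem"
}

# issue_cert DIR NAME FQDN: steps 4-5, plus the subjectAltName the post's
# certificate lacks (browsers ignore the CN and require a SAN).
issue_cert() {
    dir=$1; name=$2; fqdn=$3
    (umask 077; openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null)
    openssl req -new -config "$dir/openssl.cnf" -key "$dir/$name.key" -subj "/CN=$fqdn" -out "$dir/$name.csr"
    cat > "$dir/$name.ext" <<EOF
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
subjectAltName = DNS:$fqdn
EOF
    openssl ca -batch -notext -config "$dir/openssl.cnf" -extfile "$dir/$name.ext" \
        -extensions server_cert -in "$dir/$name.csr" -out "$dir/$name.crt" 2>/dev/null
}

# cert_verifies DIR NAME FQDN [CRL]: chain + hostname check, and a CRL check
# when a CRL file is given; the exit status is the verdict.
cert_verifies() {
    crl_opts=""; [ $# -ge 4 ] && crl_opts="-crl_check -CRLfile $4"
    openssl verify -CAfile "$1/cacert.pem" $crl_opts -verify_hostname "$3" "$1/$2.crt" >/dev/null 2>&1
}

# revoke_cert DIR NAME: steps 7 and 8 together; a revocation reaches nobody
# until a fresh CRL is generated and published.
revoke_cert() {
    openssl ca -batch -config "$1/openssl.cnf" -revoke "$1/$2.crt" 2>/dev/null
    openssl ca -batch -config "$1/openssl.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
}

# cert_status DIR NAME: V or R from index.txt (column 1 status, column 4 serial).
cert_status() {
    serial=$(openssl x509 -noout -serial -in "$1/$2.crt" | cut -d= -f2)
    awk -v s="$serial" 'BEGIN { FS = "\t" } toupper($4) == toupper(s) { print $1 }' "$1/index.txt"
}

# Stand-alone walk-through: issue, verify, revoke, check against the CRL.
run_demo() {
    d=$(mktemp -d)
    build_ca "$d"; issue_cert "$d" app1 app1.yezeng.org
    echo "issued, status=$(cert_status "$d" app1)"
    cert_verifies "$d" app1 app1.yezeng.org && echo "verify as app1.yezeng.org: ok"
    cert_verifies "$d" app1 evil.yezeng.org || echo "verify as evil.yezeng.org: rejected"
    revoke_cert "$d" app1; echo "revoked, status=$(cert_status "$d" app1)"
    cert_verifies "$d" app1 app1.yezeng.org "$d/crl.pem" || echo "verify against CRL: rejected"
    rm -rf "$d"
}
run_demo
```

Run it with sh; it prints the certificate's status before and after revocation and the result of each verification. Note that without the -crl_check step a revoked certificate still verifies cleanly, which is the practical reason the CRL (or an OCSP responder) has to be published where clients can reach it. Once a CA has issued anything, never regenerate cakey.pem in place: every certificate it signed becomes unverifiable.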

2. Summary of common ssh options and usage

SSH (Secure Shell) is an encrypted network protocol for operating a remote host across an untrusted network such as the Internet. The session is encrypted, so an attacker who captures it in transit learns nothing useful, and the server proves its identity with a host key that the client checks against ~/.ssh/known_hosts on every connection. SSH is client-server: the target machine must run an SSH server (sshd on Linux). CentOS 7 ships the sshd service by default.

The ssh client command

Syntax:

ssh [user@]host [COMMAND]
ssh [-l user] host [COMMAND]

Common options:

-p port: port the remote server listens on (22 by default)
-b bind_address: source IP address to connect from
-v: verbose/debug output (repeat up to -vvv for more detail)
-C: compress the connection
-X: enable X11 forwarding
-t: force pseudo-tty allocation, e.g. to chain through hosts: ssh -t remoteserver1 ssh -t remoteserver2 ssh remoteserver3 (OpenSSH 7.3 and later do this in one command with ssh -J remoteserver1,remoteserver2 remoteserver3)
-o option: set any ssh_config keyword, e.g. -o StrictHostKeyChecking=no. That value disables host-key verification entirely and leaves the session open to a man-in-the-middle; for first contact with a new host, -o StrictHostKeyChecking=accept-new (OpenSSH 7.6 and later) records the key without turning the check off for later connections
-i <file>: private key file for key-based authentication; by default the client tries ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 and ~/.ssh/id_rsa

The scp command

Copies files between hosts over an SSH connection, with the same authentication and encryption as ssh.

scp [options] SRC... DEST/
# two directions
scp [options] [user@]host:/sourcefile /destpath
scp [options] /sourcefile [user@]host:/destpath

Options

-C: compress the data stream
-r: copy directories recursively
-p: preserve modification times, access times and modes of the source files
-q: quiet mode
-P PORT: port the remote host listens on (capital P; lowercase -p means preserve)

The rsync command

rsync copies files between hosts efficiently over ssh (or its own rsync protocol). It synchronises incrementally, transferring only the parts that differ between the two sides, so repeated runs are much faster than scp. It comes from the rsync package.

# rsync must be installed on both ends
rsync -av /etc server1:/tmp    # copies the directory itself: ends up as /tmp/etc
rsync -av /etc/ server1:/tmp   # trailing slash: copies only the contents, into /tmp
# Options
-n: dry run, show what would be transferred without doing it
-v: verbose
-r: recurse into directories
-p: preserve permissions
-t: preserve modification times (needed for the size/mtime quick check that skips unchanged files on the next run)
-g: preserve group
-o: preserve owner (only works when the receiving side runs as root)
-l: copy symlinks as symlinks (without -l or -a, symlinks are skipped)
-L: copy the file a symlink points to instead of the link
-u: skip files that are newer on the receiver than on the sender
-z: compress during transfer to save bandwidth
-a: archive mode, equivalent to -rlptgoD; does not preserve ACLs (-A) or SELinux contexts and extended attributes (-X)
--delete: delete files on the destination that no longer exist in the source (a wrong source path can wipe the destination; test with -n first)

3. Summary of common sshd options

sshd is the server side of SSH: it listens for connections and gives authenticated users a shell on the host. It has to be running before any of the client commands above will work.

Controlling the sshd service

systemctl status sshd       # show service status
systemctl start sshd        # start the service
systemctl stop sshd         # stop the service
systemctl restart sshd      # restart the service (existing sessions survive; sshd forks a child per connection)
systemctl enable sshd       # start at boot
systemctl disable sshd      # do not start at boot
systemctl reload sshd       # re-read the configuration file without dropping sessions
systemctl list-units        # list loaded units and their current state

Configuration file

/etc/ssh/sshd_config

# commonly used keywords
Port 22                        # listening port
ListenAddress ip               # bind to one address only (default: all addresses)
LoginGraceTime 2m              # time allowed to authenticate before the connection is dropped
PermitRootLogin yes            # CentOS 7 ships yes; Ubuntu and upstream OpenSSH default to prohibit-password (key only); set no and use sudo
StrictModes yes                # refuse key login if ~/.ssh or its files are group/world writable or wrongly owned
MaxAuthTries 6                 # authentication attempts allowed per connection
MaxSessions 10                 # maximum multiplexed sessions per connection
PubkeyAuthentication yes       # key-based authentication
PermitEmptyPasswords no        # never allow accounts with empty passwords to log in
PasswordAuthentication yes     # username/password login; set no once keys are deployed
GatewayPorts no                # whether remote port forwards bind to all interfaces instead of loopback
ClientAliveInterval 10         # seconds between keep-alive probes to the client
ClientAliveCountMax 3          # probes without reply before the session is closed (default 3)
UseDNS yes                     # reverse-resolve client addresses; no speeds up logins
GSSAPIAuthentication yes       # Kerberos/GSSAPI authentication; no speeds up logins where it is unused
MaxStartups 10:30:100          # cap on concurrent unauthenticated connections (default 10:30:100: start dropping at 10, drop all at 100; older releases used a plain 10)
Banner /path/file              # text shown before authentication
# restricting who may log in (processed in the order DenyUsers, AllowUsers, DenyGroups, AllowGroups):
AllowUsers user1 user2 user3
DenyUsers
AllowGroups
DenyGroups
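As an added example (an editor's script, not from the original post) of how the keywords above are actually read, the following script extracts the global value of a keyword the way sshd does (case-insensitive, first occurrence wins, comments ignored, anything after a Match line conditional) and audits a file against hardened values for the keywords discussed in this section. The two sample configurations embedded in it are constructed for the demonstration, and the defaults table assumes upstream OpenSSH 7.x/8.x defaults.

```shell
#!/bin/sh
# Added example (editor's script, not from the original post): read sshd_config
# keywords the way sshd does and audit a file for the weak settings discussed
# above. The sample configurations at the end are constructed for the demo.
set -eu

# Keyword, value sshd assumes when the keyword is absent (upstream OpenSSH
# 7.x/8.x defaults; the file CentOS 7 ships sets PermitRootLogin yes
# explicitly), and the value recommended for an exposed host. MaxAuthTries is
# compared as a number, everything else must match (case-insensitive).
RULES='
PermitRootLogin prohibit-password no
PasswordAuthentication yes no
PermitEmptyPasswords no no
PubkeyAuthentication yes yes
X11Forwarding no no
MaxAuthTries 6 3
'

# sshd_value KEYWORD < sshd_config: print the global value of KEYWORD.
# Keywords are case-insensitive, the first occurrence wins, comments are
# skipped, and everything after the first Match line is conditional, so the
# scan stops there. Prints nothing if the keyword is not set.
sshd_value() {
    awk -v key="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        NF == 0 || $1 ~ /^#/   { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { print $2; exit }'
}

# audit_sshd FILE: print "Keyword: current -> recommended" for each weak
# setting; exit 0 if the file passes, 1 otherwise.
audit_sshd() {
    file=$1; findings=0
    while read -r key default want; do
        [ -n "$key" ] || continue
        explicit=$(sshd_value "$key" < "$file")
        effective=$(printf '%s' "${explicit:-$default}" | tr '[:upper:]' '[:lower:]')
        weak=0
        case $key in
            MaxAuthTries) if [ "$effective" -gt "$want" ]; then weak=1; fi ;;
            *)            if [ "$effective" != "$want" ]; then weak=1; fi ;;
        esac
        if [ "$weak" -eq 1 ]; then
            findings=$((findings + 1))
            note=""; [ -n "$explicit" ] || note=" (not set, sshd default)"
            printf '%s: %s%s -> %s\n' "$key" "$effective" "$note" "$want"
        fi
    done <<EOF
$RULES
EOF
    [ "$findings" -eq 0 ]
}

# Constructed sample resembling a stock CentOS 7 file: the commented-out
# PubkeyAuthentication line and the Match block must not count.
WEAK_CONF='
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
#PubkeyAuthentication no
MaxAuthTries 6
X11Forwarding yes
Match User backup
    PasswordAuthentication no
'
# Constructed sample with the hardened values.
HARDENED_CONF='
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
MaxAuthTries 3
X11Forwarding no
'

# Stand-alone run over both samples.
demo=$(mktemp -d)
printf '%s' "$WEAK_CONF" > "$demo/weak"; printf '%s' "$HARDENED_CONF" > "$demo/hardened"
echo "== weak sample =="; audit_sshd "$demo/weak" || echo "(weak settings found)"
echo "== hardened sample =="; audit_sshd "$demo/hardened" && echo "no findings"
rm -rf "$demo"
```

The weak sample reports five findings: PermitRootLogin, PasswordAuthentication, PermitEmptyPasswords and X11Forwarding are all set to yes, and MaxAuthTries 6 exceeds the recommended 3; the commented-out PubkeyAuthentication line correctly falls back to the default of yes, and the PasswordAuthentication no inside the Match block does not mask the global yes. After changing the real /etc/ssh/sshd_config, validate it with sshd -t before systemctl reload sshd, and keep the current session open until a fresh login succeeds, so a typo cannot lock you out.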