#centos访问控制
https://abc.htmltoo.com/thread-46361.htm
# 开启密钥登陆
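# Prepare /root/.ssh with the permissions sshd's StrictModes checks for
# (directory 0700, authorized_keys 0600). `mkdir -p -m 700` is safe to re-run
# and uses an absolute path: the original `mkdir .ssh` was relative to the
# current directory and only happened to match the following `cd /root/.ssh`.
mkdir -p -m 700 /root/.ssh
# me.pub is expected inside /root/.ssh; `&&` stops the append from landing in
# the wrong directory if the cd fails.
cd /root/.ssh && cat -- me.pub >> authorized_keys
chmod 600 ~/.ssh/authorized_keys
# NOTE(review): the contents of qbt are not shown here. `-R 600` also clears
# the execute bit on any directory beneath it, which makes that directory
# untraversable — kept as written, confirm qbt holds only regular files.
chmod -R 600 ~/.ssh/qbt
chmod 700 ~/.ssh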
#7.3+: 不一定有
#sed -i 's/.*RSAAuthentication no/RSAAuthentication yes/' /etc/ssh/sshd_config
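# Enable public-key auth. The pattern is anchored to the directive and
# tolerates a leading '#', so it works whether the line is still the
# commented default or was already set, and it is idempotent. (The original
# matched only the literal '#PubkeyAuthentication yes' form.)
# On CentOS/RHEL 9 the main file starts with an Include of
# /etc/ssh/sshd_config.d/*.conf and sshd keeps the FIRST value it reads, so
# verify the effective setting with: sshd -T | grep -i pubkeyauthentication
sed -i -E 's/^#?PubkeyAuthentication[[:space:]]+.*/PubkeyAuthentication yes/' /etc/ssh/sshd_config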
# 取消密钥登陆,开启root登陆
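# Turn key-based login off (pairs with re-enabling password / root login
# below). Anchored and '#'-tolerant so it also catches a line that the enable
# step above already uncommented to 'yes' — the original pattern matched only
# the still-commented form and silently did nothing in that case.
# RSAAuthentication may be absent on newer OpenSSH (see the 7.3+ note above);
# the substitution is then a harmless no-op.
sed -i -E 's/^#?RSAAuthentication[[:space:]]+.*/RSAAuthentication no/' /etc/ssh/sshd_config
sed -i -E 's/^#?PubkeyAuthentication[[:space:]]+.*/PubkeyAuthentication no/' /etc/ssh/sshd_config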
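# Show how the relevant directives are written in the file; '^#?' lists the
# commented defaults too, and anchoring avoids hits on unrelated lines such
# as 'GatewayPorts'. grep reads the file directly — no 'cat |' needed.
grep -nE '^#?(Port|PubkeyAuthentication|PasswordAuthentication|PermitRootLogin)[[:space:]]' /etc/ssh/sshd_config
# The file is not necessarily what the daemon runs with: Include'd snippets
# read earlier win. Ask sshd for the effective values (needs root).
sshd -T | grep -iE '^(port|pubkeyauthentication|passwordauthentication|permitrootlogin) '
cat /root/.ssh/authorized_keys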
# Manual edit of the daemon config; the directives of interest are listed
# below. Validate with `sshd -t` after saving and before restarting sshd.
vi /etc/ssh/sshd_config
PermitRootLogin # 修改为yes, 允许root用户登录, 默认为"yes"。
RSAAuthentication no # yes修改为no, 是否允许使用纯 RSA 公钥认证, 默认值是"yes"。
PubkeyAuthentication no # yes修改为no, 是否允许公钥认证, 默认值是"yes"。
PasswordAuthentication yes # no修改为yes, 是否允许使用基于密码的认证。默认为"yes"。
# 改端口
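# Change the listening port. One anchored substitution covers both the
# commented default ('#Port 22') and an explicit value, and it only touches
# the Port directive — the old unanchored '.*Port 22' also rewrote any line
# containing that substring (a 'Port 2222' would have become 'Port 555552').
sed -i -E 's/^#?Port[[:space:]]+.*/Port 55555/' /etc/ssh/sshd_config
# Revert to the default port.
sed -i -E 's/^#?Port[[:space:]]+.*/Port 22/' /etc/ssh/sshd_config
# With SELinux enforcing and firewalld active the new port must be allowed
# before sshd is restarted, otherwise the daemon cannot bind to it or clients
# are blocked:
#   semanage port -a -t ssh_port_t -p tcp 55555
#   firewall-cmd --permanent --add-port=55555/tcp && firewall-cmd --reload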
# 禁用/开启: 密码登陆
-禁用
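# Disable password login. One anchored substitution covers both the
# commented default ('#PasswordAuthentication yes') and an explicit 'yes',
# so the second, overlapping sed of the original is no longer needed.
# Keep an already-authenticated key session open until the restart has
# been confirmed to accept key logins, and check the effective value with
# `sshd -T | grep -i passwordauthentication` (Include'd snippets win).
sed -i -E 's/^#?PasswordAuthentication[[:space:]]+.*/PasswordAuthentication no/' /etc/ssh/sshd_config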
-开启
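# Re-enable password login. Anchored to the directive so lines that merely
# mention the keyword in a comment are left alone; works whether the
# directive is currently commented or not.
sed -i -E 's/^#?PasswordAuthentication[[:space:]]+.*/PasswordAuthentication yes/' /etc/ssh/sshd_config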
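# Set the post-login banner. The original `cat>cat>/etc/motd` carried a
# stray '>cat' redirection that created an empty file named 'cat' in the
# current directory on every run; the quoted heredoc delimiter keeps the
# banner literal (no $ expansion).
cat >/etc/motd <<'END'
<---htmltoo.com--->
END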
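# Validate the config before restarting: a bad directive would otherwise
# leave sshd down after the restart and lock out remote sessions.
sshd -t && systemctl restart sshd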
# authorized_keys
# Hand-edit the accepted public keys (one key per line); keep the file 0600.
vim /root/.ssh/authorized_keys
# ssh-add命令是把专用密钥添加到ssh-agent的高速缓存
https://abc.htmltoo.com/thread-46539.htm
---如何生成RSA格式加密文件, 指定格式为PEM,即-m PEM
-m PEM -t rsa -b 4096
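# 4096-bit RSA key written in PEM format (-m PEM). The passphrase is entered
# at ssh-keygen's prompt instead of being passed with -P: an argv passphrase
# ends up in shell history and is visible to other users via ps / /proc for
# as long as the command runs. The path is absolute so the key lands in
# ~/.ssh regardless of the current directory (matching the `cat ~/.ssh/...`
# lines below).
ssh-keygen -t rsa -m PEM -b 4096 -f ~/.ssh/com-1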
---ed25519密钥对,需要最新版本的客户端和服务器
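# Two ed25519 pairs: L-0 without a passphrase, L-1 with one.
# L-0's private key is unprotected on disk, so its 0600 mode is its only
# protection. L-1's passphrase is entered at the prompt rather than given
# with -P, which would leave it in shell history and visible in ps.
# A private key that has been copied into a document (as the listings
# further down this page were) can no longer be treated as secret;
# regenerate it rather than reuse it.
ssh-keygen -t ed25519 -f ~/.ssh/L-0 -N ''
ssh-keygen -t ed25519 -f ~/.ssh/L-1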
# 将公钥追加到”authorized_keys”文件
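# Install both public keys, skipping any that are already present so
# authorized_keys does not grow a duplicate on every re-run, then restore
# the mode StrictModes requires.
for pub in ~/.ssh/L-0.pub ~/.ssh/L-1.pub; do
  grep -qxF -- "$(cat -- "$pub")" ~/.ssh/authorized_keys 2>/dev/null \
    || cat -- "$pub" >> ~/.ssh/authorized_keys
done
chmod 600 ~/.ssh/authorized_keys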
-------------------L-1: 有密码L L-0:免密码-----------------
# L公钥 Xshell -> 工具 -> 用户密码管理者 -> 属性
vim /home/admin/.ssh/L-1.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGGIf4qUGPYYMTATpXYrCESOqOB9dAnZxC302jTeWal6 L-1
# L密钥 Xshell -> 工具 -> 用户密码管理者 -> 生成
vim /home/admin/.ssh/L-1
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABAsPoQApk
D0Q1407e3H2NYgAAAAEAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIGGIf4qUGPYYMTAT
pXYrCESOqOB9dAnZxC302jTeWal6AAAAkHioWl2JXG5ryDyeLenBeVumk9GiVKa3McQe+e
KAN3DXGYm20fzyfUjdZTNKAYt1oGupIeEicjoyKOjMgR/gbo6o1/0DZPz420NDFeNHH48z
IdsriR7Pt5MYR4MXKU8gNTFrGz8G6QaKOxV2MMaw/PorAM4YVpYr2rhTUsnrh4E/lz69dM
PNBVoWeoEvNydZ2g==
-----END OPENSSH PRIVATE KEY-----
# L-1.ppk; winscp是支持V2版,菜单Key - Parameters for saving key files... - PPK file version: 2
vim /home/admin/.ssh/L-1.ppk
PuTTY-User-Key-File-2: ssh-ed25519
Encryption: aes256-cbc
Comment: L-1
Public-Lines: 2
AAAAC3NzaC1lZDI1NTE5AAAAIGGIf4qUGPYYMTATpXYrCESOqOB9dAnZxC302jTe
Wal6
Private-Lines: 1
9NlsjQqKNDK3mKUnsFZB2W8xmMfHpukCA+KIN6Y7WskD3AHGJxuX7ZBEmW99uRHj
Private-MAC: 79185547dead116831fd48253c96b1fe74a94303
====无密码====
vim /root/.ssh/L-0.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINI3cW8VrZfyVhE8SgQqEgrk4xiC/QyntFl6dfOemIt7 L-0
vim /root/.ssh/L-0
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACDSN3FvFa2X8lYRPEoEKhIK5OMYgv0Mp7RZenXznpiLewAAAJCBZXAggWVw
IAAAAAtzc2gtZWQyNTUxOQAAACDSN3FvFa2X8lYRPEoEKhIK5OMYgv0Mp7RZenXznpiLew
AAAEDgcrzTM/SCAuJ6h6GFrNa95AxftvEOom5eohZPzhmxrtI3cW8VrZfyVhE8SgQqEgrk
4xiC/QyntFl6dfOemIt7AAAABnJvb3RAYgECAwQFBgc=
-----END OPENSSH PRIVATE KEY-----
vim /root/.ssh/L-0.ppk; winscp是支持V2版,菜单Key - Parameters for saving key files... - PPK file version: 2
PuTTY-User-Key-File-2: ssh-ed25519
Encryption: none
Comment: L-0
Public-Lines: 2
AAAAC3NzaC1lZDI1NTE5AAAAINI3cW8VrZfyVhE8SgQqEgrk4xiC/QyntFl6dfOe
mIt7
Private-Lines: 1
AAAAIOByvNMz9IIC4nqHoYWs1r3kDF+28Q6ibl6iFk/OGbGu
Private-MAC: eed033ad18e99ffc040afbfda05cc02e7a6c2dbd
# 登录异常日志
# Follow authentication events (accepted / failed logins, key errors) as
# they arrive, starting from the last 100 lines of the auth log.
tail -n 100 -f -- /var/log/secure
# centos9
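# CentOS 9: accept RSA keys that sign with the legacy ssh-rsa (SHA-1)
# algorithm. This re-enables a signature scheme the distro disables on
# purpose; a current client already uses an RSA key with rsa-sha2-256/512
# without it, so only add this for clients that cannot.
# PubkeyAcceptedKeyTypes is the older name of the same option; current sshd
# treats both as one directive and keeps the first value it reads.
# The grep guards make re-runs idempotent (the original appended a new copy
# of each line every time).
# sshd uses the FIRST value it reads for an option. If an Include processed
# earlier (e.g. the crypto-policy snippet under /etc/ssh/sshd_config.d)
# already sets it, a line appended at the end of the file has no effect —
# confirm with: sshd -T | grep -i pubkeyacceptedalgorithms
grep -q '^PubkeyAcceptedAlgorithms=+ssh-rsa' /etc/ssh/sshd_config \
  || echo 'PubkeyAcceptedAlgorithms=+ssh-rsa' >> /etc/ssh/sshd_config
grep -q '^PubkeyAcceptedKeyTypes=+ssh-rsa' /etc/ssh/sshd_config \
  || echo 'PubkeyAcceptedKeyTypes=+ssh-rsa' >> /etc/ssh/sshd_config
# Validate before restarting so a rejected directive cannot take sshd down.
sshd -t && systemctl restart sshd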