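<<<Unit 9 Exercises>>>
1. On the desktop host, create the user westos and set its password to westoslinux
2. Configure the sshd service on desktop to meet the following requirements:
*) Configure sshd so that only the westos user can log in through it
*) Set up key authentication for the westos user
*) Allow the westos user to use key authentication only, and disable its system password authentication
[root@desktop14 Desktop]# ssh-keygen ##Generate a key pair (public key and private key, comparable to a lock and its key)
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):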
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
d2:95:e4:80:fa:b8:14:e7:16:94:2e:7a:aa:fa:5c:68 root@desktop14.example.com
The key's randomart image is:
+--[ RSA 2048]----+
| o. . |
| + + . |
| + + |
| + +. . |
| . B..S |
| ..+ +. |
| E+.o |
| o... |
|+oo |
+-----------------+
[root@desktop14 Desktop]# ls /root/.ssh/ ##List the generated key files
authorized_keys id_rsa id_rsa.pub
[root@desktop14 Desktop]# useradd westos ##Add the user westos
[root@desktop14 Desktop]# passwd westos ##Set the password for the westos user
Changing password for user westos.
New password:
BAD PASSWORD: The password contains the user name in some form
Retype new password:
passwd: all authentication tokens updated successfully.
[root@desktop14 Desktop]# cd /root/.ssh/ ##Change to the key file directory
[root@desktop14 .ssh]# ssh-copy-id -i id_rsa.pub westos@172.25.14.10 ##Install the public key for the westos user
The authenticity of host '172.25.14.10 (172.25.14.10)' can't be established.
ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
westos@172.25.14.10's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'westos@172.25.14.10'"
and check to make sure that only the key(s) you wanted were added.
[root@desktop14 .ssh]# vim /etc/ssh/sshd_config ##Edit the sshd access-control configuration file (see attachment)
[root@desktop14 .ssh]# scp id_rsa root@172.25.14.11:/root/.ssh/ ##Distribute the private key
The authenticity of host '172.25.14.11 (172.25.14.11)' can't be established.
ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.25.14.11' (ECDSA) to the list of known hosts.
root@172.25.14.11's password:
id_rsa 100% 1679 1.6KB/s 00:00
[root@desktop14 .ssh]# systemctl restart sshd ##Restart the sshd service
[root@server14 Desktop]# ssh root@172.25.14.10 ##Remote login as root is refused
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
[root@server14 Desktop]# ssh westos@172.25.14.10 ##Remote login as westos succeeds
Last login: Fri Sep 30 02:45:28 2016 from server14.example.com
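
The sshd_config attachment is not reproduced on this page, so the following is an added example, not the author's file: a static check that a config meets the three requirements of the exercise. It assumes the requirements are met with the standard OpenSSH directives AllowUsers, PasswordAuthentication and PubkeyAuthentication; the function names and sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: static audit of an sshd_config against this exercise's goals.
# Assumed directives (the page's attachment is not shown): AllowUsers,
# PasswordAuthentication, PubkeyAuthentication.

# Print every global value of keyword $2 in file $1, one per line, in file order.
sshd_values() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line) }
        line == "" || line ~ /^#/ { next }
        { key = line; sub(/[ \t=].*$/, "", key)           # keyword ends at space or "="
          val = substr(line, length(key) + 1)
          sub(/^[ \t]*=?[ \t]*/, "", val); key = tolower(key) }
        key == "match" { exit }                            # Match blocks are conditional
        key == want { print val }' "$1"
}

# Return 0 only when $1 lets just user $2 in, and only by public key.
audit_exercise() {
    cfg=$1; user=$2; rc=0
    # AllowUsers lines accumulate; for the yes/no keywords the first value wins.
    allow=$(sshd_values "$cfg" AllowUsers | paste -sd' ' -)
    pass=$(sshd_values "$cfg" PasswordAuthentication | head -n 1 | tr 'A-Z' 'a-z')
    pub=$(sshd_values "$cfg" PubkeyAuthentication | head -n 1 | tr 'A-Z' 'a-z')
    [ "$allow" = "$user" ] || { echo "FAIL AllowUsers='$allow', want '$user'"; rc=1; }
    [ "${pass:-yes}" = no ] || { echo "FAIL PasswordAuthentication is ${pass:-yes (default)}"; rc=1; }
    [ "${pub:-yes}" = yes ] || { echo "FAIL PubkeyAuthentication is $pub"; rc=1; }
    if grep -Eiq '^[[:space:]]*match[[:space:]]' "$cfg"; then
        echo "FAIL Match block present, global values are not conclusive"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK $cfg"
    return "$rc"
}

# Constructed sample configs (not the attachment from the page).
demo_dir=$(mktemp -d)
printf '%s\n' '# good' 'AllowUsers westos' 'passwordauthentication no' \
    'PasswordAuthentication yes' > "$demo_dir/good"
printf '%s\n' 'AllowUsers westos' 'AllowUsers root' \
    '#PasswordAuthentication no' > "$demo_dir/bad"
audit_exercise "$demo_dir/good" westos || true
audit_exercise "$demo_dir/bad" westos || true
```

On a live host, sshd -T prints the configuration the daemon actually resolves, including defaults, and is the authoritative check after systemctl restart sshd.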