redhat linux 访问控制

cl_303303303

　　<<<第九单元练习>>>
　　1.在desktop主机中建立用户westos，并设定其密码为westoslinux
　　2.配置desktop中的sshd服务要求如下：
　　*）设定sshd服务只允许westos用户可以被访问使用
　　*）创建westos用户的key认证方式
　　*）设定westos用户只允许使用key认证方式，屏蔽其系统密码认证方式
　　

[root@desktop14 Desktop]# ssh-keygen  ##生成密钥对（公钥和私钥，相当于锁和钥匙）

　　Generating public/private rsa key pair.
　　Enter file in which to save the key (/root/.ssh/id_rsa):
　　Enter passphrase (empty for no passphrase):
　　Enter same passphrase again:
　　Your identification has been saved in /root/.ssh/id_rsa.
　　Your public key has been saved in /root/.ssh/id_rsa.pub.
　　The key fingerprint is:
　　d2:95:e4:80:fa:b8:14:e7:16:94:2e:7a:aa:fa:5c:68 root@desktop14.example.com
　　The key's randomart image is:
　　+--[ RSA 2048]----+
　　|       o. .      |
　　|      +  + .     |
　　|     +    +      |
　　|    + +. .       |
　　|   . B..S        |
　　|  ..+ +.         |
　　|  E+.o           |
　　| o...            |
　　|+oo              |
　　+-----------------+

[root@desktop14 Desktop]# ls /root/.ssh/  ##查看生成的密钥文件

　　authorized_keys  id_rsa  id_rsa.pub

[root@desktop14 Desktop]# useradd westos  ##添加用户westos

[root@desktop14 Desktop]# passwd westos  ##设置westos用户密码

　　Changing password for user westos.
　　New password:
　　BAD PASSWORD: The password contains the user name in some form
　　Retype new password:
　　passwd: all authentication tokens updated successfully.

[root@desktop14 Desktop]# cd /root/.ssh/ ##进入密钥文件目录

[root@desktop14 .ssh]# ssh-copy-id -i id_rsa.pub westos@172.25.14.10  ##用密钥绑定westos用户

　　The authenticity of host '172.25.14.10 (172.25.14.10)' can't be established.
　　ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
　　Are you sure you want to continue connecting (yes/no)? yes
　　/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
　　/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
　　westos@172.25.14.10's password:
　　

　　Number of key(s) added: 1
　　

　　Now try logging into the machine, with:   "ssh 'westos@172.25.14.10'"
　　and check to make sure that only the key(s) you wanted were added.
　　

[root@desktop14 .ssh]# vim /etc/ssh/sshd_config ##配置访问权限文件（见附件）

　　

[root@desktop14 .ssh]# scp id_rsa root@172.25.14.11:/root/.ssh/ ##分发密钥

　　The authenticity of host '172.25.14.11 (172.25.14.11)' can't be established.
　　ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
　　Are you sure you want to continue connecting (yes/no)? yes
　　Warning: Permanently added '172.25.14.11' (ECDSA) to the list of known hosts.
　　root@172.25.14.11's password:
　　id_rsa                                        100% 1679     1.6KB/s   00:00

[root@desktop14 .ssh]# systemctl restart sshd ##重启sshd服务

　　

　　

[root@server14 Desktop]# ssh root@172.25.14.10 ##远程登陆root用户被拒

　　Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

[root@server14 Desktop]# ssh westos@172.25.14.10 ##远程登陆westos用户成功

　　Last login: Fri Sep 30 02:45:28 2016 from server14.example.com