
Restricting users to SSH key-based authentication for login

WBOY (Original)

2016-06-07 15:06:04


For the security of the server and its users, disable password authentication and use key-based ("key") authentication instead.

<ol class="dp-xml">
<li class="alt"><span><span>Last login: Fri Oct 12 14:14:01 2012 from 192.168.7.251 </span></span></li>
<li><span>root@Cacti.Nagios:[/root]<span>vi /etc/ssh/sshd_config </span> </span></li>
<li class="alt"><span>#       $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $ </span></li>
<li><span> </span></li>
<li class="alt"><span># This is the sshd server system-wide configuration file.  See </span></li>
<li><span># sshd_config(5) for more information. </span></li>
<li class="alt"><span> </span></li>
<li><span># This sshd was compiled with <span class="attribute">PATH</span><span>=/usr/local/bin:/bin:/usr/bin </span></span></li>
<li class="alt"><span> </span></li>
<li><span># The strategy used for options in the default sshd_config shipped with </span></li>
<li class="alt"><span># OpenSSH is to specify options with their default value where </span></li>
<li><span># possible, but leave them commented.  Uncommented options change a </span></li>
<li class="alt"><span># default value. </span></li>
<li><span> </span></li>
<li class="alt"><span>#Port 22 </span></li>
<li><span>#AddressFamily any </span></li>
<li class="alt"><span>#ListenAddress 0.0.0.0 </span></li>
<li><span>#ListenAddress :: </span></li>
<li class="alt"><span> </span></li>
<li><span># Disable legacy (protocol version 1) support in the server for new </span></li>
<li class="alt"><span># installations. In future the default will change to require explicit </span></li>
<li><span># activation of protocol 1 </span></li>
<li class="alt">
<strong><span>Protocol 2</span></strong><span> </span><span>← state after the change: only SSH protocol version 2 is used</span>
</li>
<li><span> </span></li>
<li class="alt"><span># HostKey for protocol version 1 </span></li>
<li><span>#HostKey /etc/ssh/ssh_host_key </span></li>
<li class="alt"><span># HostKeys for protocol version 2 </span></li>
<li><span>#HostKey /etc/ssh/ssh_host_rsa_key </span></li>
<li class="alt"><span>#HostKey /etc/ssh/ssh_host_dsa_key </span></li>
<li><span> </span></li>
<li class="alt"><span># Lifetime and size of ephemeral version 1 server key </span></li>
<li><span>#KeyRegenerationInterval 1h </span></li>
<li class="alt"><span>#ServerKeyBits 1024 </span></li>
<li><span> </span></li>
<li class="alt"><span># Logging </span></li>
<li><span># obsoletes QuietMode and FascistLogging </span></li>
<li class="alt"><span>#SyslogFacility AUTH </span></li>
<li><span>SyslogFacility AUTHPRIV </span></li>
<li class="alt"><span>#LogLevel INFO </span></li>
<li><span> </span></li>
<li class="alt"><span># Authentication: </span></li>
<li><span> </span></li>
<li class="alt"><span>#LoginGraceTime 2m </span></li>
<li><span>#PermitRootLogin yes </span></li>
<li class="alt">
<strong><span>PermitRootLogin no</span></strong><span> </span><span>← state after the change: root is not allowed to log in</span>
</li>
<li><span>#StrictModes yes </span></li>
<li class="alt"><span>#MaxAuthTries 6 </span></li>
<li><span>#MaxSessions 10 </span></li>
<li class="alt"><span> </span></li>
<li><span>#RSAAuthentication yes </span></li>
<li class="alt"><span>#PubkeyAuthentication yes </span></li>
<li><span>#AuthorizedKeysFile     .ssh/authorized_keys </span></li>
<li class="alt"><span>#AuthorizedKeysCommand none </span></li>
<li><span>#AuthorizedKeysCommandRunAs nobody </span></li>
<li class="alt"><span> </span></li>
<li><span># For this to work you will also need host keys in /etc/ssh/ssh_known_hosts </span></li>
<li class="alt"><span>#RhostsRSAAuthentication no </span></li>
<li><span># similar for protocol version 2 </span></li>
<li class="alt"><span>#HostbasedAuthentication no </span></li>
<li><span># Change to yes if you don't trust ~/.ssh/known_hosts for </span></li>
<li class="alt"><span># RhostsRSAAuthentication and HostbasedAuthentication </span></li>
<li><span>#IgnoreUserKnownHosts no </span></li>
<li class="alt"><span># Don't read the user's ~/.rhosts and ~/.shosts files </span></li>
<li><span>#IgnoreRhosts yes </span></li>
<li class="alt"><span> </span></li>
<li><span># To disable tunneled clear text passwords, change to no here! </span></li>
<li class="alt"><span>#PasswordAuthentication yes </span></li>
<li>
<strong><span>PasswordAuthentication no </span></strong><span>← state after the change: password login is not allowed</span>
</li>
<li class="alt"><span>#PermitEmptyPasswords no </span></li>
<li>
<strong><span>PermitEmptyPasswords no</span></strong><span> </span><span>← state after the change: login with an empty password is forbidden</span>
</li>
<li class="alt"><span>"/etc/ssh/sshd_config" 141L, 3941C written                             </span></li>
<li>
<span>root@Cacti.Nagios:[/root]<span>vi /etc/hosts.deny</span>   </span><span lang="EN-US"> ← </span><span>edit the deny rules: append the corresponding line at the end of the file</span>
</li>
<li class="alt"><span># </span></li>
<li><span># hosts.deny    This file contains access rules which are used to </span></li>
<li class="alt"><span>#               deny connections to network services that either use </span></li>
<li><span>#               the tcp_wrappers library or that have been </span></li>
<li class="alt"><span>#               started through a tcp_wrappers-enabled xinetd. </span></li>
<li><span># </span></li>
<li class="alt"><span>#               The rules in this file can also be set up in </span></li>
<li><span>#               /etc/hosts.allow with a 'deny' option instead. </span></li>
<li class="alt"><span># </span></li>
<li><span>#               See 'man 5 hosts_options' and 'man 5 hosts_access' </span></li>
<li class="alt"><span>#               for information on rule syntax. </span></li>
<li><span>#               See 'man tcpd' for information on tcp_wrappers </span></li>
<li class="alt"><span># </span></li>
<li>
<span>sshd:ALL</span><span>   </span><span lang="EN-US">← </span><span>add this line to block SSH connection requests from every source</span>
</li>
<li class="alt"><span>"/etc/hosts.deny" 14L, 469C written </span></li>
<li><span>You have new mail in /var/spool/mail/root </span></li>
<li class="alt">
<span>root@Cacti.Nagios:[/root]<span>vi /etc/hosts.allow</span>  </span><span lang="EN-US"> ← </span><span>edit the allow rules: append the corresponding line at the end of the file</span>
</li>
<li><span># </span></li>
<li class="alt"><span># hosts.allow   This file contains access rules which are used to </span></li>
<li><span>#               allow or deny connections to network services that </span></li>
<li class="alt"><span>#               either use the tcp_wrappers library or that have been </span></li>
<li><span>#               started through a tcp_wrappers-enabled xinetd. </span></li>
<li class="alt"><span># </span></li>
<li><span>#               See 'man 5 hosts_options' and 'man 5 hosts_access' </span></li>
<li class="alt"><span>#               for information on rule syntax. </span></li>
<li><span>#               See 'man tcpd' for information on tcp_wrappers </span></li>
<li class="alt"><span># </span></li>
<li>
<span>sshd:192.168.7.</span><span> ← only machines on the 192.168.7 network segment may log in via ssh</span>
</li>
<li><span>"/etc/hosts.allow" 11L, 386C written                                   </span></li>
<li class="alt"> </li>
<li><span>root@Cacti.Nagios:[/root]su - admin </span></li>
<li class="alt"><span>admin@Cacti.Nagios:[/data]ssh-keygen -t rsa </span></li>
<li><span>Generating public/private rsa key pair. </span></li>
<li class="alt"><span>Enter file in which to save the key (/data/.ssh/id_rsa):  </span></li>
<li><span>Created directory '/data/.ssh'. </span></li>
<li class="alt"><span>Enter passphrase (empty for no passphrase):  </span></li>
<li><span>Enter same passphrase again:  </span></li>
<li class="alt"><span>Your identification has been saved in /data/.ssh/id_rsa. </span></li>
<li><span>Your public key has been saved in /data/.ssh/id_rsa.pub. </span></li>
<li class="alt"><span>The key fingerprint is: </span></li>
<li><span>e5:15:ba:be:59:ef:2e:74:df:b6:ee:e1:6a:24:be:da admin@Cacti.Nagios </span></li>
<li class="alt"><span>The key's randomart image is: </span></li>
<li><span>+--[ RSA 2048]----+ </span></li>
<li class="alt"><span>|            .    | </span></li>
<li><span>|           . .   | </span></li>
<li class="alt"><span>|          o .    | </span></li>
<li><span>|         o o     | </span></li>
<li class="alt"><span>|        S o      | </span></li>
<li><span>|         . ....  | </span></li>
<li class="alt"><span>|          o.+. o.| </span></li>
<li><span>|          .=.o. =| </span></li>
<li class="alt"><span>|         .+Eo=B*.| </span></li>
<li><span>+-----------------+ </span></li>
<li class="alt"><span>admin@Cacti.Nagios:[/data]ls -a </span></li>
<li><span>.  ..  .bash_history  .bash_logout  .bash_profile  .bashrc  lost+found  .ssh  .viminfo </span></li>
<li class="alt"><span>admin@Cacti.Nagios:[/data]cd .ssh/ </span></li>
<li><span>admin@Cacti.Nagios:[/data/.ssh]ll </span></li>
<li class="alt"><span>total 8 </span></li>
<li><span>-rw------- 1 admin admin 1751 Oct 12 17:19 id_rsa </span></li>
<li class="alt"><span>-rw-r--r-- 1 admin admin  401 Oct 12 17:19 id_rsa.pub </span></li>
<li><span>admin@Cacti.Nagios:[/data/.ssh]<span>cat ~/.ssh/id_rsa.pub &gt;&gt; ~/.ssh/authorized_keys</span><span> </span></span></li>
<li class="alt"><span>admin@Cacti.Nagios:[/data/.ssh]ls -a </span></li>
<li><span>.  ..  authorized_keys  id_rsa  id_rsa.pub </span></li>
<li class="alt"><span>admin@Cacti.Nagios:[/data/.ssh]<span>chmod 400 authorized_keys</span>  </span></li>
<li><span>admin@Cacti.Nagios:[/data/.ssh]ll -a </span></li>
<li class="alt"><span>total 20 </span></li>
<li><span>drwx------ 2 admin admin 4096 Oct 12 17:20 . </span></li>
<li class="alt"><span>drwxr-xr-x 4 admin admin 4096 Oct 12 17:19 .. </span></li>
<li><span>-r-------- 1 admin admin  401 Oct 12 17:20 authorized_keys </span></li>
<li class="alt"><span>-rw------- 1 admin admin 1751 Oct 12 17:19 id_rsa </span></li>
<li><span>-rw-r--r-- 1 admin admin  401 Oct 12 17:19 id_rsa.pub </span></li>
<li> </li>
<li><span>At this point, export the private key id_rsa to the Windows client, then delete the generated public key id_rsa.pub.</span></li>
<li>Restart the sshd service so that the configuration changes made above take effect.</li>
<li><span>root@Cacti.Nagios:[/root]/etc/rc.d/init.d/sshd restart </span></li>
<li class="alt"><span>Stopping sshd:                                             [  OK  ] </span></li>
<li><span>Starting sshd:                                             [  OK  ] </span></li>
</ol>
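The following shell script is an added example, not code from the original post or from 虫子的博客. It checks the four sshd_config directives the post sets (honouring sshd's rule that the first value found for a keyword wins), verifies that authorized_keys is not group- or world-writable as StrictModes requires, and models the hosts.allow/hosts.deny evaluation order with the post's two rules (sshd:ALL in hosts.deny, sshd:192.168.7. in hosts.allow). Every file it reads is a constructed sample written to a temporary directory; the tcp_wrappers model covers only ALL, exact addresses and trailing-dot network prefixes, not the full hosts_access(5) syntax, and it assumes POSIX sh with awk, sed, tr, ls and mktemp.

```shell
#!/bin/sh
# Added example, not code from the original post: audit the sshd_config
# directives the post changes, check authorized_keys permissions the way
# StrictModes does, and model the hosts.allow / hosts.deny decision for sshd.
# Assumes POSIX sh with awk, sed, tr, ls and mktemp; every file written below
# is a constructed sample, not a copy of the post's files.

# Print the effective value of an sshd_config keyword (keyword match is
# case-insensitive; comments and blank lines are skipped). sshd(8) takes the
# FIRST value it finds for a keyword, so a hardened line appended at the end
# of the file is silently ignored when an earlier line sets the same keyword.
sshd_value() {
    awk -v k="$1" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == tolower(k) { print $2; exit }
    ' "$2"
}

# Check the four directives the post sets; print each mismatch and return 0
# only when all four carry the hardened value.
check_sshd_hardening() {
    cfg=$1; rc=0
    for pair in Protocol=2 PermitRootLogin=no PasswordAuthentication=no PermitEmptyPasswords=no; do
        want=${pair#*=}; got=$(sshd_value "${pair%%=*}" "$cfg")
        if [ "$got" != "$want" ]; then
            echo "FAIL: ${pair%%=*} is '${got:-unset}', expected '$want'"; rc=1
        fi
    done
    return $rc
}

# With StrictModes (default yes) sshd ignores authorized_keys if the file or
# ~/.ssh is group- or world-writable. Columns 6 and 9 of "ls -ld" output are
# the group and other write bits, which keeps this portable across stat(1)s.
not_group_world_writable() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ?????w*|????????w*) return 1 ;;
    esac
    return 0
}

# Does one hosts.allow/hosts.deny client pattern match the client address?
# Modelled: ALL, an exact address, and a trailing-dot network prefix such as
# "192.168.7." (the form the post uses). Hostnames, netmasks and EXCEPT lists
# from the real hosts_access(5) syntax are not modelled.
pattern_matches() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac ;;
        *)   [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}

# Return 0 if FILE holds a "daemon_list : client_list" rule covering DAEMON and
# CLIENT. '#' comments are stripped; lists may be comma or space separated.
file_matches() {
    d_want=$1; c_want=$2; rulefile=$3
    [ -f "$rulefile" ] || return 1
    while IFS= read -r line; do
        daemons=${line%%:*}; clients=${line#*:}
        for d in $(printf '%s' "$daemons" | tr ',' ' '); do
            [ "$d" = "$d_want" ] || [ "$d" = ALL ] || continue
            for c in $(printf '%s' "$clients" | tr ',' ' '); do
                pattern_matches "$c" "$c_want" && return 0
            done
        done
    done <<EOF
$(sed 's/#.*//' "$rulefile")
EOF
    return 1
}

# tcp_wrappers order: hosts.allow first (match => allow), then hosts.deny
# (match => deny); no match in either file => allow. Prints the decision.
tcpwrap_decision() {
    if file_matches "$1" "$2" "$3"; then echo allow
    elif file_matches "$1" "$2" "$4"; then echo deny
    else echo allow
    fi
}

# Constructed samples: a config mirroring the post's edits, one where an earlier
# "yes" overrides the appended "no", the post's two wrapper rules, and a key file.
write_sample_files() {
    printf '%s\n' '#PermitRootLogin yes' 'Protocol 2' 'PermitRootLogin no' \
        'PasswordAuthentication no' 'PermitEmptyPasswords no' >"$1/sshd_config"
    printf '%s\n' 'Protocol 2' 'PermitRootLogin no' 'PasswordAuthentication yes' \
        'PermitEmptyPasswords no' 'PasswordAuthentication no' >"$1/sshd_config.bad"
    printf 'sshd:ALL\n' >"$1/hosts.deny"
    printf 'sshd:192.168.7.\n' >"$1/hosts.allow"
    : >"$1/authorized_keys"; chmod 400 "$1/authorized_keys"
}

demo() {
    tmp=$(mktemp -d); write_sample_files "$tmp"
    check_sshd_hardening "$tmp/sshd_config" && echo "sshd_config: hardened"
    check_sshd_hardening "$tmp/sshd_config.bad" || echo "sshd_config.bad: NOT hardened"
    not_group_world_writable "$tmp/authorized_keys" && echo "authorized_keys: mode ok"
    for ip in 192.168.7.251 10.0.0.5; do
        echo "sshd from $ip: $(tcpwrap_decision sshd "$ip" "$tmp/hosts.allow" "$tmp/hosts.deny")"
    done
    rm -rf "$tmp"
}

demo
```

Pointing `check_sshd_hardening` at the real /etc/ssh/sshd_config before the restart catches the case the post's edit style invites: a hardened line added below an earlier uncommented line for the same keyword has no effect. Because the post turns off PasswordAuthentication before the key pair exists, keep the current session open and confirm a key login from the client succeeds before closing it.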

 

 

虫子的博客
