Maison  >  Article  >  base de données  >  限制用户通过ssh密钥进行认证登陆

限制用户通过ssh密钥进行认证登陆

WBOY
WBOYoriginal
2016-06-07 15:06:041961parcourir

为了服务器和 用户 的安全,禁止 用户 密码的 认证 方式,而基于钥匙的方式。 Lastlogin:FriOct1214:14:012012from192.168.7.251 root@Cacti.Nagios:[/root] vi/etc/ssh/sshd_config #$OpenBSD:sshd_config,v1.802008/07/0202:24:18djmExp$ #Thisisthesshdse

 为了服务器和用户的安全,禁止用户密码的认证方式,而基于“钥匙”的方式。

<ol class="dp-xml">
<li class="alt"><span><span>Last login: Fri Oct 12 14:14:01 2012 from 192.168.7.251 </span></span></li>
<li><span>root@Cacti.Nagios:[/root]<span>vi /etc/ssh/sshd_config </span> </span></li>
<li class="alt"><span>#       $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $ </span></li>
<li><span> </span></li>
<li class="alt"><span># This is the sshd server system-wide configuration file.  See </span></li>
<li><span># sshd_config(5) for more information. </span></li>
<li class="alt"><span> </span></li>
<li><span># This sshd was compiled with <span class="attribute">PATH</span><span>=/usr/local/bin:/bin:/usr/bin </span></span></li>
<li class="alt"><span> </span></li>
<li><span># The strategy used for options in the default sshd_config shipped with </span></li>
<li class="alt"><span># OpenSSH is to specify options with their default value where </span></li>
<li><span># possible, but leave them commented.  Uncommented options change a </span></li>
<li class="alt"><span># default value. </span></li>
<li><span> </span></li>
<li class="alt"><span>#Port 22 </span></li>
<li><span>#AddressFamily any </span></li>
<li class="alt"><span>#ListenAddress 0.0.0.0 </span></li>
<li><span>#ListenAddress :: </span></li>
<li class="alt"><span> </span></li>
<li><span># Disable legacy (protocol version 1) support in the server for new </span></li>
<li class="alt"><span># installations. In future the default will change to require explicit </span></li>
<li><span># activation of protocol 1 </span></li>
<li class="alt">
<strong><span>Protocol 2</span></strong><span> </span><span>← 修改后变为此状态,仅使用SSH2</span>
</li>
<li><span> </span></li>
<li class="alt"><span># HostKey for protocol version 1 </span></li>
<li><span>#HostKey /etc/ssh/ssh_host_key </span></li>
<li class="alt"><span># HostKeys for protocol version 2 </span></li>
<li><span>#HostKey /etc/ssh/ssh_host_rsa_key </span></li>
<li class="alt"><span>#HostKey /etc/ssh/ssh_host_dsa_key </span></li>
<li><span> </span></li>
<li class="alt"><span># Lifetime and size of ephemeral version 1 server key </span></li>
<li><span>#KeyRegenerationInterval 1h </span></li>
<li class="alt"><span>#ServerKeyBits 1024 </span></li>
<li><span> </span></li>
<li class="alt"><span># Logging </span></li>
<li><span># obsoletes QuietMode and FascistLogging </span></li>
<li class="alt"><span>#SyslogFacility AUTH </span></li>
<li><span>SyslogFacility AUTHPRIV </span></li>
<li class="alt"><span>#LogLevel INFO </span></li>
<li><span> </span></li>
<li class="alt"><span># Authentication: </span></li>
<li><span> </span></li>
<li class="alt"><span>#LoginGraceTime 2m </span></li>
<li><span>#PermitRootLogin yes </span></li>
<li class="alt">
<strong><span>PermitRootLogin no</span></strong><span> </span><span>← 修改后变为此状态,不允许用root<strong><strong>进行</strong></strong>登录</span>
</li>
<li><span>#StrictModes yes </span></li>
<li class="alt"><span>#MaxAuthTries 6 </span></li>
<li><span>#MaxSessions 10 </span></li>
<li class="alt"><span> </span></li>
<li><span>#RSAAuthentication yes </span></li>
<li class="alt"><span>#PubkeyAuthentication yes </span></li>
<li><span>#AuthorizedKeysFile     .ssh/authorized_keys </span></li>
<li class="alt"><span>#AuthorizedKeysCommand none </span></li>
<li><span>#AuthorizedKeysCommandRunAs nobody </span></li>
<li class="alt"><span> </span></li>
<li><span># For this to work you will also need host keys in /etc/ssh/ssh_known_hosts </span></li>
<li class="alt"><span>#RhostsRSAAuthentication no </span></li>
<li><span># similar for protocol version 2 </span></li>
<li class="alt"><span>#HostbasedAuthentication no </span></li>
<li><span># Change to yes if you don't trust ~/.ssh/known_hosts for </span></li>
<li class="alt"><span># RhostsRSAAuthentication and HostbasedAuthentication </span></li>
<li><span>#IgnoreUserKnownHosts no </span></li>
<li class="alt"><span># Don't read the user's ~/.rhosts and ~/.shosts files </span></li>
<li><span>#IgnoreRhosts yes </span></li>
<li class="alt"><span> </span></li>
<li><span># To disable tunneled clear text passwords, change to no here! </span></li>
<li class="alt"><span>#PasswordAuthentication yes </span></li>
<li>
<strong><span>PasswordAuthentication no </span></strong><span>← 修改后变为此状态,不允许密码方式的登录</span>
</li>
<li class="alt"><span>#PermitEmptyPasswords no </span></li>
<li>
<strong><span>PermitEmptyPasswords no</span></strong><span> </span><span>← 修改后变为此状态,禁止空密码<strong><strong>进行</strong></strong>登录</span>
</li>
<li class="alt"><span>"/etc/ssh/sshd_config" 141L, 3941C written                             </span></li>
<li>
<span>root@Cacti.Nagios:[/root]<span>vi /etc/hosts.deny</span>   </span><span lang="EN-US"> ← </span><span>修改屏蔽规则,在文尾添加相应行</span>
</li>
<li class="alt"><span># </span></li>
<li><span># hosts.deny    This file contains access rules which are used to </span></li>
<li class="alt"><span>#               deny connections to network services that either use </span></li>
<li><span>#               the tcp_wrappers library or that have been </span></li>
<li class="alt"><span>#               started through a tcp_wrappers-enabled xinetd. </span></li>
<li><span># </span></li>
<li class="alt"><span>#               The rules in this file can also be set up in </span></li>
<li><span>#               /etc/hosts.allow with a 'deny' option instead. </span></li>
<li class="alt"><span># </span></li>
<li><span>#               See 'man 5 hosts_options' and 'man 5 hosts_access' </span></li>
<li class="alt"><span>#               for information on rule syntax. </span></li>
<li><span>#               See 'man tcpd' for information on tcp_wrappers </span></li>
<li class="alt"><span># </span></li>
<li>
<span>sshd:ALL</span><span>   </span><span lang="EN-US">← </span><span>添加这一行,屏蔽来自所有的</span><span lang="EN-US">SSH</span><span>连接请求</span>
</li>
<li class="alt"><span>"/etc/hosts.deny" 14L, 469C written </span></li>
<li><span>You have new mail in /var/spool/mail/root </span></li>
<li class="alt">
<span>root@Cacti.Nagios:[/root]<span>vi /etc/hosts.allow</span>  </span><span lang="EN-US"> </span><span lang="EN-US">← </span><span>修改允许规则,在文尾添加相应行</span>
</li>
<li><span># </span></li>
<li class="alt"><span># hosts.allow   This file contains access rules which are used to </span></li>
<li><span>#               allow or deny connections to network services that </span></li>
<li class="alt"><span>#               either use the tcp_wrappers library or that have been </span></li>
<li><span>#               started through a tcp_wrappers-enabled xinetd. </span></li>
<li class="alt"><span># </span></li>
<li><span>#               See 'man 5 hosts_options' and 'man 5 hosts_access' </span></li>
<li class="alt"><span>#               for information on rule syntax. </span></li>
<li><span>#               See 'man tcpd' for information on tcp_wrappers </span></li>
<li class="alt"><span># </span></li>
<li>
<span>sshd:192.168.7.</span><span> 只允许192.168.7。网段的机器ssh<strong><strong>登陆</strong></strong></span>
</li>
<li class="alt"><span>~                                                                                        </span></li>
<li><span>~                                                                                        </span></li>
<li class="alt"><span>~                                                                                        </span></li>
<li><span>"/etc/hosts.allow" 11L, 386C written                                   </span></li>
<li class="alt"> </li>
<li><span>root@Cacti.Nagios:[/root]su - admin </span></li>
<li class="alt"><span>admin@Cacti.Nagios:[/data]ssh-keygen -t rsa </span></li>
<li><span>Generating public/private rsa key pair. </span></li>
<li class="alt"><span>Enter file in which to save the key (/data/.ssh/id_rsa):  </span></li>
<li><span>Created directory '/data/.ssh'. </span></li>
<li class="alt"><span>Enter passphrase (empty for no passphrase):  </span></li>
<li><span>Enter same passphrase again:  </span></li>
<li class="alt"><span>Your identification has been saved in /data/.ssh/id_rsa. </span></li>
<li><span>Your public key has been saved in /data/.ssh/id_rsa.pub. </span></li>
<li class="alt"><span>The key fingerprint is: </span></li>
<li><span>e5:15:ba:be:59:ef:2e:74:df:b6:ee:e1:6a:24:be:da admin@Cacti.Nagios </span></li>
<li class="alt"><span>The key's randomart image is: </span></li>
<li><span>+--[ RSA 2048]----+ </span></li>
<li class="alt"><span>|            .    | </span></li>
<li><span>|           . .   | </span></li>
<li class="alt"><span>|          o .    | </span></li>
<li><span>|         o o     | </span></li>
<li class="alt"><span>|        S o      | </span></li>
<li><span>|         . ....  | </span></li>
<li class="alt"><span>|          o.+. o.| </span></li>
<li><span>|          <span class="attribute">.</span><span>=</span><span class="attribute">.o.</span><span> =| </span></span></li>
<li class="alt"><span>|         .+<span class="attribute">Eo</span><span>=</span><span class="attribute-value">B</span><span>*.| </span></span></li>
<li><span>+-----------------+ </span></li>
<li class="alt"><span>admin@Cacti.Nagios:[/data]ls -a </span></li>
<li><span>.  ..  .bash_history  .bash_logout  .bash_profile  .bashrc  lost+found  .ssh  .viminfo </span></li>
<li class="alt"><span>admin@Cacti.Nagios:[/data]cd .ssh/ </span></li>
<li><span>admin@Cacti.Nagios:[/data/.ssh]ll </span></li>
<li class="alt"><span>total 8 </span></li>
<li><span>-rw------- 1 admin admin 1751 Oct 12 17:19 id_rsa </span></li>
<li class="alt"><span>-rw-r--r-- 1 admin admin  401 Oct 12 17:19 id_rsa.pub </span></li>
<li><span>admin@Cacti.Nagios:[/data/.ssh]<span>cat ~/.ssh/id_rsa.pub <span class="tag">></span><span class="tag">></span> ~/.ssh/authorized_keys</span><span> </span></span></li>
<li class="alt"><span>admin@Cacti.Nagios:[/data/.ssh]ls -a </span></li>
<li><span>.  ..  authorized_keys  id_rsa  id_rsa.pub </span></li>
<li class="alt"><span>admin@Cacti.Nagios:[/data/.ssh]<span>chmod 400 authorized_keys</span>  </span></li>
<li><span>admin@Cacti.Nagios:[/data/.ssh]ll -a </span></li>
<li class="alt"><span>total 20 </span></li>
<li><span>drwx------ 2 admin admin 4096 Oct 12 17:20 . </span></li>
<li class="alt"><span>drwxr-xr-x 4 admin admin 4096 Oct 12 17:19 .. </span></li>
<li><span>-r-------- 1 admin admin  401 Oct 12 17:20 authorized_keys </span></li>
<li class="alt"><span>-rw------- 1 admin admin 1751 Oct 12 17:19 id_rsa </span></li>
<li><span>-rw-r--r-- 1 admin admin  401 Oct 12 17:19 id_rsa.pub </span></li>
<li> </li>
<li><span>至此,将私钥id_rsa导出到windows客户端上。然后删除<font color="#5c5c5c">生成的公钥</font>id_rsa.pub。</span></li>
<li>重启sshd服务,使得刚才所做的配置修改生效。</li>
<li><span><span>root@Cacti.Nagios:[/root]/etc/rc.d/init.d/sshd restart</span>  <span>Stopping sshd:                                             [  OK  ]</span>  <span>Starting sshd:                                             [  OK  ]</span> <br></span></li>
</ol>

 

 

虫子的博客

Déclaration:
Le contenu de cet article est volontairement contribué par les internautes et les droits d'auteur appartiennent à l'auteur original. Ce site n'assume aucune responsabilité légale correspondante. Si vous trouvez un contenu suspecté de plagiat ou de contrefaçon, veuillez contacter admin@php.cn