Restrict users to SSH key-based authentication for login
To protect both the server and its users, turn off password authentication for SSH and allow only key-based logins.
Edit sshd_config; the lines that were changed are marked with an arrow:

```text
Last login: Fri Oct 12 14:14:01 2012 from 192.168.7.251
root@Cacti.Nagios:[/root]vi /etc/ssh/sshd_config
#   $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2                        ← after the change: only SSH protocol 2 is spoken

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
PermitRootLogin no                ← after the change: root cannot log in over SSH
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
PasswordAuthentication no         ← after the change: password logins are refused
#PermitEmptyPasswords no
PermitEmptyPasswords no           ← after the change: empty passwords are refused
"/etc/ssh/sshd_config" 141L, 3941C written
```

Next, restrict where SSH connections may come from with tcp_wrappers. Add a deny rule to the end of /etc/hosts.deny:

```text
root@Cacti.Nagios:[/root]vi /etc/hosts.deny
#
# hosts.deny    This file contains access rules which are used to
#               deny connections to network services that either use
#               the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               The rules in this file can also be set up in
#               /etc/hosts.allow with a 'deny' option instead.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
sshd:ALL                          ← added: refuse SSH connection requests from everywhere
"/etc/hosts.deny" 14L, 469C written
You have new mail in /var/spool/mail/root
```

and the matching allow rule to the end of /etc/hosts.allow:

```text
root@Cacti.Nagios:[/root]vi /etc/hosts.allow
#
# hosts.allow   This file contains access rules which are used to
#               allow or deny connections to network services that
#               either use the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
sshd:192.168.7.                   ← added: only machines on the 192.168.7.0/24 network may log in over SSH
~
~
~
"/etc/hosts.allow" 11L, 386C written
```

hosts.allow is consulted before hosts.deny, so the allow rule wins for 192.168.7.x hosts and `sshd:ALL` rejects everyone else. The trailing dot in `192.168.7.` is what makes the pattern a network prefix rather than a single address. These files only take effect if sshd was linked against libwrap; `ldd $(which sshd) | grep libwrap` shows whether it was.

Now switch to the admin user (whose home directory is /data) and create its key pair:

```text
root@Cacti.Nagios:[/root]su - admin
admin@Cacti.Nagios:[/data]ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/data/.ssh/id_rsa):
Created directory '/data/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /data/.ssh/id_rsa.
Your public key has been saved in /data/.ssh/id_rsa.pub.
The key fingerprint is:
e5:15:ba:be:59:ef:2e:74:df:b6:ee:e1:6a:24:be:da admin@Cacti.Nagios
The key's randomart image is:
+--[ RSA 2048]----+
| . |
| . . |
| o . |
| o o |
| S o |
| . .... |
| o.+. o.|
| .=.o. =|
| .+Eo=B*.|
+-----------------+
admin@Cacti.Nagios:[/data]ls -a
.  ..  .bash_history  .bash_logout  .bash_profile  .bashrc  lost+found  .ssh  .viminfo
admin@Cacti.Nagios:[/data]cd .ssh/
admin@Cacti.Nagios:[/data/.ssh]ll
total 8
-rw------- 1 admin admin 1751 Oct 12 17:19 id_rsa
-rw-r--r-- 1 admin admin  401 Oct 12 17:19 id_rsa.pub
admin@Cacti.Nagios:[/data/.ssh]cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
admin@Cacti.Nagios:[/data/.ssh]ls -a
.  ..  authorized_keys  id_rsa  id_rsa.pub
admin@Cacti.Nagios:[/data/.ssh]chmod 400 authorized_keys
admin@Cacti.Nagios:[/data/.ssh]ll -a
total 20
drwx------ 2 admin admin 4096 Oct 12 17:20 .
drwxr-xr-x 4 admin admin 4096 Oct 12 17:19 ..
-r-------- 1 admin admin  401 Oct 12 17:20 authorized_keys
-rw------- 1 admin admin 1751 Oct 12 17:19 id_rsa
-rw-r--r-- 1 admin admin  401 Oct 12 17:19 id_rsa.pub
```

The 0700 directory and 0400 file satisfy sshd's StrictModes check (nothing group- or world-writable); 0600 on authorized_keys would be accepted too and lets the user append further keys later.

At this point, copy the private key id_rsa to the Windows client, then delete the generated public key id_rsa.pub from the server (its contents are already in authorized_keys). Restart sshd so the configuration changes take effect:

```text
root@Cacti.Nagios:[/root]/etc/rc.d/init.d/sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
```

Two checks are worth doing before closing the root session. First, run `sshd -t` to syntax-check the file, and then, with this session still open, confirm from a second terminal on a 192.168.7.x host that a key-based login as admin succeeds: with `PasswordAuthentication no` and `PermitRootLogin no` there is no fallback if authorized_keys is missing or mis-permissioned. Second, if the file has `UsePAM yes`, also set `ChallengeResponseAuthentication no`; otherwise sshd still offers a password prompt through keyboard-interactive authentication even though PasswordAuthentication is off. Generating the key pair on the server and carrying the private key off it works, but the usual practice is the other way round: generate the pair on the client, protect id_rsa with a passphrase, and copy only id_rsa.pub to the server, so the private key never sits on the server or crosses the network.
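The sshd_config edits above done as a script, as an added example that is not part of the original post: it sets each option idempotently the way the post does by hand, then audits the file the way sshd reads it (first active occurrence of a keyword wins, keywords are case-insensitive). The functions, the `REQUIRED_SSHD_OPTIONS` list and the sample config are this example's own constructions; it runs against a temporary copy so it can be tried offline.

```shell
#!/bin/sh
# Added example, not code from the original post. Idempotently set the
# sshd_config options the post changes, then audit the result. Run it on a
# copy first; on /etc/ssh/sshd_config follow it with `sshd -t` before
# restarting sshd. Assumes POSIX sh, awk, grep, tr and mktemp.

# Options this hardening requires (lines starting with # are comments).
REQUIRED_SSHD_OPTIONS='
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
PubkeyAuthentication yes
# With UsePAM yes, keyboard-interactive still prompts for a password unless
# this is off too; PasswordAuthentication no alone does not cover it.
ChallengeResponseAuthentication no
'

# sshd_option_value FILE KEY: print the effective value of KEY (first
# uncommented occurrence, as sshd does), or nothing if it is never set.
# Match blocks are not handled; the first hit is assumed to be global.
sshd_option_value() {
    awk -v k="$2" '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*$/ { next }
        tolower($1) == tolower(k) { print $2; exit }
    ' "$1"
}

# set_sshd_option FILE KEY VALUE: replace the first line that sets KEY,
# whether active or commented out, with "KEY VALUE"; drop any later copies
# so exactly one active line remains; append the line if KEY never appeared.
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v k="$key" -v v="$value" '
        {
            line = $0
            sub(/^[[:space:]]*#?[[:space:]]*/, "", line)
            split(line, f, /[[:space:]]+/)
            if (tolower(f[1]) == tolower(k)) {
                if (!done) { print k " " v; done = 1 }
                next
            }
            print
        }
        END { if (!done) print k " " v }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file mode/owner
    rc=$?
    rm -f "$tmp"
    return $rc
}

# harden_sshd_config FILE: apply every entry of REQUIRED_SSHD_OPTIONS.
harden_sshd_config() {
    while read -r key value; do
        case $key in ''|'#'*) continue ;; esac
        set_sshd_option "$1" "$key" "$value" || return 1
    done <<EOF
$REQUIRED_SSHD_OPTIONS
EOF
}

# audit_sshd_config FILE: one line per requirement; return 1 if any is unmet.
audit_sshd_config() {
    rc=0
    while read -r key want; do
        case $key in ''|'#'*) continue ;; esac
        got=$(sshd_option_value "$1" "$key")
        if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" = "$want" ]; then
            echo "ok   $key $got"
        else
            echo "FAIL $key ${got:-(unset)} (want $want)"
            rc=1
        fi
    done <<EOF
$REQUIRED_SSHD_OPTIONS
EOF
    return $rc
}

# count_active_lines FILE KEY: number of uncommented lines setting KEY.
count_active_lines() {
    grep -Eic "^[[:space:]]*$2([[:space:]]|$)" "$1"
}

# make_sample_config: constructed sample with the relevant lines of the stock
# file shown in the post, written to a temp file whose path is printed.
make_sample_config() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
#   $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
#Port 22
Protocol 2
# Authentication:
#PermitRootLogin yes
#PubkeyAuthentication yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
UsePAM yes
EOF
    echo "$f"
}

# Demo on the sample. On a real host: harden_sshd_config /etc/ssh/sshd_config && sshd -t
f=$(make_sample_config)
echo "== before =="; audit_sshd_config "$f" || true
harden_sshd_config "$f"
echo "== after ==";  audit_sshd_config "$f"
rm -f "$f"
```

The audit deliberately demands explicit values rather than relying on compiled-in defaults, so a later change of defaults or a stray line elsewhere in the file cannot silently flip a setting. The `Protocol` keyword the post sets is left out of the list because OpenSSH 7.4 and later speak protocol 2 only and merely warn that the keyword is deprecated.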
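The authorized_keys setup above, generalised into a reusable installer plus the permission check sshd applies under StrictModes, as an added example that is not part of the original post. The functions, the scratch home directory and the sample public key (base64 filler, not a real key) are this example's own constructions.

```shell
#!/bin/sh
# Added example, not code from the original post. Put a public key into a
# user's authorized_keys the way sshd expects it and check the permission
# rules sshd enforces under StrictModes yes (its default). HOMEDIR is an
# argument so it can be exercised on a scratch directory. Assumes POSIX sh,
# ls, cut, grep and awk.

# group_or_world_writable PATH: true if the group or "other" write bit is set
# (columns 6 and 9 of `ls -ld`). sshd ignores authorized_keys when the home
# directory, ~/.ssh or the file itself has either bit set.
group_or_world_writable() {
    case $(ls -ld "$1" | cut -c6,9) in
        *w*) return 0 ;;
        *)   return 1 ;;
    esac
}

# install_authorized_key HOMEDIR 'KEYTYPE BASE64BLOB [comment]'
# Creates ~/.ssh (0700) and authorized_keys (0600) when missing and appends
# the key unless that blob is already present, so repeated runs are safe.
# 0600 rather than the post's 0400 so the user can append more keys later;
# sshd accepts either.
install_authorized_key() {
    home=$1 pubkey=$2
    keytype=$(printf '%s\n' "$pubkey" | awk '{print $1}')
    blob=$(printf '%s\n' "$pubkey" | awk '{print $2}')
    case $keytype in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unsupported key type: $keytype" >&2; return 2 ;;
    esac
    [ -n "$blob" ] || { echo "missing key blob" >&2; return 2; }
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 1
    [ -e "$home/.ssh/authorized_keys" ] || : > "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys" || return 1
    if grep -qF -- "$blob" "$home/.ssh/authorized_keys"; then
        echo "key already present"
        return 0
    fi
    printf '%s\n' "$pubkey" >> "$home/.ssh/authorized_keys"
    echo "key installed"
}

# check_strict_modes HOMEDIR: list what sshd would reject; return 1 if any.
# sshd also requires the paths to be owned by the user or root; that part
# is not checked here.
check_strict_modes() {
    home=$1 rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; rc=1; continue
        fi
        if group_or_world_writable "$p"; then
            echo "group/world writable: $p"; rc=1
        fi
    done
    if [ "$rc" -eq 0 ]; then echo "StrictModes checks pass for $home"; fi
    return $rc
}

# Constructed sample key (filler blob, not a real key) and a demo on a scratch
# directory. On the server the call would be:
#   install_authorized_key /data "$(cat /data/.ssh/id_rsa.pub)" && check_strict_modes /data
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleBlobNotARealKey admin@Cacti.Nagios'
d=$(mktemp -d)
install_authorized_key "$d" "$SAMPLE_PUBKEY"
install_authorized_key "$d" "$SAMPLE_PUBKEY"
check_strict_modes "$d"
chmod g+w "$d/.ssh"                      # simulate the classic mistake
check_strict_modes "$d" || echo "sshd would ignore this authorized_keys"
rm -rf "$d"
```

Because the post's server has `PasswordAuthentication no` and `PermitRootLogin no`, a failed StrictModes check is a lockout rather than a fallback to passwords; running `check_strict_modes` before restarting sshd is the cheap way to avoid that.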
虫子的博客