Restricting users to SSH key-based authentication for login
2012-10-12 18:05
For the security of the server and its users, disable password authentication and use key-based ("key pair") authentication instead.
This article is from the blog "虫子的博客"; please keep this attribution: http://xlogin.blog.51cto.com/3473583/1022384
```
Last login: Fri Oct 12 14:14:01 2012 from 192.168.7.251
root@Cacti.Nagios:[/root]vi /etc/ssh/sshd_config
#	$OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2                  ← state after the change: only SSH protocol 2 is used

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
PermitRootLogin no          ← state after the change: root is not allowed to log in
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile	.ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
PasswordAuthentication no   ← state after the change: password login is not allowed
#PermitEmptyPasswords no
PermitEmptyPasswords no     ← state after the change: login with an empty password is refused
"/etc/ssh/sshd_config" 141L, 3941C written
root@Cacti.Nagios:[/root]vi /etc/hosts.deny     ← edit the deny rules; add the line at the end of the file
#
# hosts.deny	This file contains access rules which are used to
#		deny connections to network services that either use
#		the tcp_wrappers library or that have been
#		started through a tcp_wrappers-enabled xinetd.
#
#		The rules in this file can also be set up in
#		/etc/hosts.allow with a 'deny' option instead.
#
#		See 'man 5 hosts_options' and 'man 5 hosts_access'
#		for information on rule syntax.
#		See 'man tcpd' for information on tcp_wrappers
#
sshd:ALL                    ← add this line: block SSH connection requests from everywhere
"/etc/hosts.deny" 14L, 469C written
You have new mail in /var/spool/mail/root
root@Cacti.Nagios:[/root]vi /etc/hosts.allow    ← edit the allow rules; add the line at the end of the file
#
# hosts.allow	This file contains access rules which are used to
#		allow or deny connections to network services that
#		either use the tcp_wrappers library or that have been
#		started through a tcp_wrappers-enabled xinetd.
#
#		See 'man 5 hosts_options' and 'man 5 hosts_access'
#		for information on rule syntax.
#		See 'man tcpd' for information on tcp_wrappers
#
sshd:192.168.7.             ← only hosts on the 192.168.7. network segment may log in over SSH
~
~
~
"/etc/hosts.allow" 11L, 386C written
root@Cacti.Nagios:[/root]su - admin
admin@Cacti.Nagios:[/data]ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/data/.ssh/id_rsa):
Created directory '/data/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /data/.ssh/id_rsa.
Your public key has been saved in /data/.ssh/id_rsa.pub.
The key fingerprint is:
e5:15:ba:be:59:ef:2e:74:df:b6:ee:e1:6a:24:be:da admin@Cacti.Nagios
The key's randomart image is:
+--[ RSA 2048]----+
|         .       |
|        . .      |
|         o .     |
|        o o      |
|        S o      |
|       . ....    |
|          o.+. o.|
|          .=.o. =|
|         .+Eo=B*.|
+-----------------+
admin@Cacti.Nagios:[/data]ls -a
.  ..  .bash_history  .bash_logout  .bash_profile  .bashrc  lost+found  .ssh  .viminfo
admin@Cacti.Nagios:[/data]cd .ssh/
admin@Cacti.Nagios:[/data/.ssh]ll
total 8
-rw------- 1 admin admin 1751 Oct 12 17:19 id_rsa
-rw-r--r-- 1 admin admin  401 Oct 12 17:19 id_rsa.pub
admin@Cacti.Nagios:[/data/.ssh]cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
admin@Cacti.Nagios:[/data/.ssh]ls -a
.  ..  authorized_keys  id_rsa  id_rsa.pub
admin@Cacti.Nagios:[/data/.ssh]chmod 400 authorized_keys
admin@Cacti.Nagios:[/data/.ssh]ll -a
total 20
drwx------ 2 admin admin 4096 Oct 12 17:20 .
drwxr-xr-x 4 admin admin 4096 Oct 12 17:19 ..
-r-------- 1 admin admin  401 Oct 12 17:20 authorized_keys
-rw------- 1 admin admin 1751 Oct 12 17:19 id_rsa
-rw-r--r-- 1 admin admin  401 Oct 12 17:19 id_rsa.pub
```
At this point, export the private key id_rsa to the Windows client, then delete the generated public key id_rsa.pub. Restart the sshd service so that the configuration changes just made take effect.
```
root@Cacti.Nagios:[/root]/etc/rc.d/init.d/sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]
```
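A check worth running after editing sshd_config, written here as an added example (not from the original post): sshd takes the first value it finds for each keyword, so a stray uncommented line higher up silently overrides the edits made above. The script reads a config the way sshd does and reports any auth setting that does not match the hardened state; the default values and the extra ChallengeResponseAuthentication check are assumptions from OpenSSH behaviour, not something the page's excerpt shows.

```python
import re

# Values sshd uses when a keyword stays commented out (OpenSSH 5.x era; assumed).
DEFAULTS = {"protocol": "2,1", "permitrootlogin": "yes",
            "passwordauthentication": "yes", "permitemptypasswords": "no",
            "pubkeyauthentication": "yes", "challengeresponseauthentication": "yes"}

# Target for a key-only, no-root server. ChallengeResponseAuthentication matters
# too: with UsePAM yes, keyboard-interactive can still prompt for a password.
REQUIRED = {"protocol": "2", "permitrootlogin": "no",
            "passwordauthentication": "no", "permitemptypasswords": "no",
            "pubkeyauthentication": "yes", "challengeresponseauthentication": "no"}

def effective_settings(text):
    """Keyword -> effective value, read the way sshd reads the file: lines whose
    first non-blank character is '#' are comments, keywords are case-insensitive,
    'Key value' and 'Key=value' both parse, and the FIRST value of a keyword wins.
    Parsing stops at a Match block; its conditional settings are not modelled."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([^\s=]+)\s*=?\s*(.*)", line)
        if not m:
            continue                              # sshd would reject this line too
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        seen.setdefault(key, value)               # a later duplicate is ignored
    return {k: seen.get(k, d) for k, d in DEFAULTS.items()}

def audit(text):
    """Return the keywords whose effective value differs from REQUIRED."""
    eff = effective_settings(text)
    return sorted(k for k, want in REQUIRED.items() if eff[k] != want)

# Constructed sample mirroring the edits made on the page; the untouched
# ChallengeResponseAuthentication default is what the audit should catch.
SAMPLE = """\
Protocol 2
#PermitRootLogin yes
PermitRootLogin no
#PasswordAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
"""
```

Run `audit(open("/etc/ssh/sshd_config").read())` on the real file; an empty list means every checked keyword is in the hardened state.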