限制用戶通過ssh密鑰進行認證登陸

來源：懂視網責編：小采時間：2020-11-09 08:22:28

限制用戶通過ssh密鑰進行認證登陸

限制用戶通過ssh密鑰進行認證登陸:為了服務器和用戶的安全，禁止用戶密碼的認證方式，而基于鑰匙的方式。 Lastlogin:FriOct1214:14:012012from192.168.7.251 root@Cacti.Nagios:[/root] vi/etc/ssh/sshd_config #$OpenBSD:sshd_config,v1.8

推薦度：

點擊下載本文 文檔為doc格式

導讀限制用戶通過ssh密鑰進行認證登陸:為了服務器和用戶的安全，禁止用戶密碼的認證方式，而基于鑰匙的方式。 Lastlogin:FriOct1214:14:012012from192.168.7.251 root@Cacti.Nagios:[/root] vi/etc/ssh/sshd_config #$OpenBSD:sshd_config,v1.8

為了服務器和用戶的安全，禁止用戶密碼的認證方式，而基于鑰匙的方式。 Lastlogin:FriOct1214:14:012012from192.168.7.251 root@Cacti.Nagios:[/root] vi/etc/ssh/sshd_config #$OpenBSD:sshd_config,v1.802008/07/0202:24:18djmExp$ #Thisisthesshdse

為了服務器和用戶的安全，禁止用戶密碼的認證方式，而基于“鑰匙”的方式。

Last login: Fri Oct 12 14:14:01 2012 from 192.168.7.251 
root@Cacti.Nagios:[/root]vi /etc/ssh/sshd_config 
# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $ 
 
# This is the sshd server system-wide configuration file. See 
# sshd_config(5) for more information. 
 
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin 
 
# The strategy used for options in the default sshd_config shipped with 
# OpenSSH is to specify options with their default value where 
# possible, but leave them commented. Uncommented options change a 
# default value. 
 
#Port 22 
#AddressFamily any 
#ListenAddress 0.0.0.0 
#ListenAddress :: 
 
# Disable legacy (protocol version 1) support in the server for new 
# installations. In future the default will change to require explicit 
# activation of protocol 1 
Protocol 2 ← 修改后變為此狀態，僅使用SSH2
 
# HostKey for protocol version 1 
#HostKey /etc/ssh/ssh_host_key 
# HostKeys for protocol version 2 
#HostKey /etc/ssh/ssh_host_rsa_key 
#HostKey /etc/ssh/ssh_host_dsa_key 
 
# Lifetime and size of ephemeral version 1 server key 
#KeyRegenerationInterval 1h 
#ServerKeyBits 1024 
 
# Logging 
# obsoletes QuietMode and FascistLogging 
#SyslogFacility AUTH 
SyslogFacility AUTHPRIV 
#LogLevel INFO 
 
# Authentication: 
 
#LoginGraceTime 2m 
#PermitRootLogin yes 
PermitRootLogin no ← 修改后變為此狀態，不允許用root進行登錄
#StrictModes yes 
#MaxAuthTries 6 
#MaxSessions 10 
 
#RSAAuthentication yes 
#PubkeyAuthentication yes 
#AuthorizedKeysFile .ssh/authorized_keys 
#AuthorizedKeysCommand none 
#AuthorizedKeysCommandRunAs nobody 
 
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts 
#RhostsRSAAuthentication no 
# similar for protocol version 2 
#HostbasedAuthentication no 
# Change to yes if you don't trust ~/.ssh/known_hosts for 
# RhostsRSAAuthentication and HostbasedAuthentication 
#IgnoreUserKnownHosts no 
# Don't read the user's ~/.rhosts and ~/.shosts files 
#IgnoreRhosts yes 
 
# To disable tunneled clear text passwords, change to no here! 
#PasswordAuthentication yes 
PasswordAuthentication no ← 修改后變為此狀態，不允許密碼方式的登錄
#PermitEmptyPasswords no 
PermitEmptyPasswords no ← 修改后變為此狀態，禁止空密碼進行登錄
"/etc/ssh/sshd_config" 141L, 3941C written 
root@Cacti.Nagios:[/root]vi /etc/hosts.deny ← 修改屏蔽規則，在文尾添加相應行
# 
# hosts.deny This file contains access rules which are used to 
# deny connections to network services that either use 
# the tcp_wrappers library or that have been 
# started through a tcp_wrappers-enabled xinetd. 
# 
# The rules in this file can also be set up in 
# /etc/hosts.allow with a 'deny' option instead. 
# 
# See 'man 5 hosts_options' and 'man 5 hosts_access' 
# for information on rule syntax. 
# See 'man tcpd' for information on tcp_wrappers 
# 
sshd:ALL ← 添加這一行，屏蔽來自所有的SSH連接請求
"/etc/hosts.deny" 14L, 469C written 
You have new mail in /var/spool/mail/root 
root@Cacti.Nagios:[/root]vi /etc/hosts.allow ← 修改允許規則，在文尾添加相應行
# 
# hosts.allow This file contains access rules which are used to 
# allow or deny connections to network services that 
# either use the tcp_wrappers library or that have been 
# started through a tcp_wrappers-enabled xinetd. 
# 
# See 'man 5 hosts_options' and 'man 5 hosts_access' 
# for information on rule syntax. 
# See 'man tcpd' for information on tcp_wrappers 
# 
sshd:192.168.7. 只允許192.168.7。網段的機器ssh登陸
~ 
~ 
~ 
"/etc/hosts.allow" 11L, 386C written 
 
root@Cacti.Nagios:[/root]su - admin 
admin@Cacti.Nagios:[/data]ssh-keygen -t rsa 
Generating public/private rsa key pair. 
Enter file in which to save the key (/data/.ssh/id_rsa): 
Created directory '/data/.ssh'. 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /data/.ssh/id_rsa. 
Your public key has been saved in /data/.ssh/id_rsa.pub. 
The key fingerprint is: 
e5:15:ba:be:59:ef:2e:74:df:b6:ee:e1:6a:24:be:da admin@Cacti.Nagios 
The key's randomart image is: 
+--[ RSA 2048]----+ 
| . | 
| . . | 
| o . | 
| o o | 
| S o | 
| . .... | 
| o.+. o.| 
| .=.o. =| 
| .+Eo=B*.| 
+-----------------+ 
admin@Cacti.Nagios:[/data]ls -a 
. .. .bash_history .bash_logout .bash_profile .bashrc lost+found .ssh .viminfo 
admin@Cacti.Nagios:[/data]cd .ssh/ 
admin@Cacti.Nagios:[/data/.ssh]ll 
total 8 
-rw------- 1 admin admin 1751 Oct 12 17:19 id_rsa 
-rw-r--r-- 1 admin admin 401 Oct 12 17:19 id_rsa.pub 
admin@Cacti.Nagios:[/data/.ssh]cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys 
admin@Cacti.Nagios:[/data/.ssh]ls -a 
. .. authorized_keys id_rsa id_rsa.pub 
admin@Cacti.Nagios:[/data/.ssh]chmod 400 authorized_keys 
admin@Cacti.Nagios:[/data/.ssh]ll -a 
total 20 
drwx------ 2 admin admin 4096 Oct 12 17:20 . 
drwxr-xr-x 4 admin admin 4096 Oct 12 17:19 .. 
-r-------- 1 admin admin 401 Oct 12 17:20 authorized_keys 
-rw------- 1 admin admin 1751 Oct 12 17:19 id_rsa 
-rw-r--r-- 1 admin admin 401 Oct 12 17:19 id_rsa.pub 
 
至此，將私鑰id_rsa導出到windows客戶端上。然后刪除生成的公鑰id_rsa.pub。
重啟sshd服務，使得剛才所做的配置修改生效。
root@Cacti.Nagios:[/root]/etc/rc.d/init.d/sshd restart Stopping sshd: [ OK ] Starting sshd: [ OK ]