搜索
您的当前位置:首页正文

限制用户通过ssh密钥进行认证登陆

2020-11-09 来源:独旅网

为了服务器和 用户 的安全,禁止 用户 密码的 认证 方式,而基于钥匙的方式。 Lastlogin:FriOct1214:14:012012from192.168.7.251 root@Cacti.Nagios:[/root] vi/etc/ssh/sshd_config #$OpenBSD:sshd_config,v1.802008/07/0202:24:18djmExp$ #Thisisthesshdse

为了服务器和用户的安全,禁止用户密码的认证方式,而基于“钥匙”的方式。

  1. Last login: Fri Oct 12 14:14:01 2012 from 192.168.7.251
  2. root@Cacti.Nagios:[/root]vi /etc/ssh/sshd_config
  3. # $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
  4. # This is the sshd server system-wide configuration file. See
  5. # sshd_config(5) for more information.
  6. # This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
  7. # The strategy used for options in the default sshd_config shipped with
  8. # OpenSSH is to specify options with their default value where
  9. # possible, but leave them commented. Uncommented options change a
  10. # default value.
  11. #Port 22
  12. #AddressFamily any
  13. #ListenAddress 0.0.0.0
  14. #ListenAddress ::
  15. # Disable legacy (protocol version 1) support in the server for new
  16. # installations. In future the default will change to require explicit
  17. # activation of protocol 1
  18. Protocol 2 ← 修改后变为此状态,仅使用SSH2
  19. # HostKey for protocol version 1
  20. #HostKey /etc/ssh/ssh_host_key
  21. # HostKeys for protocol version 2
  22. #HostKey /etc/ssh/ssh_host_rsa_key
  23. #HostKey /etc/ssh/ssh_host_dsa_key
  24. # Lifetime and size of ephemeral version 1 server key
  25. #KeyRegenerationInterval 1h
  26. #ServerKeyBits 1024
  27. # Logging
  28. # obsoletes QuietMode and FascistLogging
  29. #SyslogFacility AUTH
  30. SyslogFacility AUTHPRIV
  31. #LogLevel INFO
  32. # Authentication:
  33. #LoginGraceTime 2m
  34. #PermitRootLogin yes
  35. PermitRootLogin no ← 修改后变为此状态,不允许用root进行登录
  36. #StrictModes yes
  37. #MaxAuthTries 6
  38. #MaxSessions 10
  39. #RSAAuthentication yes
  40. #PubkeyAuthentication yes
  41. #AuthorizedKeysFile .ssh/authorized_keys
  42. #AuthorizedKeysCommand none
  43. #AuthorizedKeysCommandRunAs nobody
  44. # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
  45. #RhostsRSAAuthentication no
  46. # similar for protocol version 2
  47. #HostbasedAuthentication no
  48. # Change to yes if you don't trust ~/.ssh/known_hosts for
  49. # RhostsRSAAuthentication and HostbasedAuthentication
  50. #IgnoreUserKnownHosts no
  51. # Don't read the user's ~/.rhosts and ~/.shosts files
  52. #IgnoreRhosts yes
  53. # To disable tunneled clear text passwords, change to no here!
  54. #PasswordAuthentication yes
  55. PasswordAuthentication no ← 修改后变为此状态,不允许密码方式的登录
  56. #PermitEmptyPasswords no
  57. PermitEmptyPasswords no ← 修改后变为此状态,禁止空密码进行登录
  58. "/etc/ssh/sshd_config" 141L, 3941C written
  59. root@Cacti.Nagios:[/root]vi /etc/hosts.deny ← 修改屏蔽规则,在文尾添加相应行
  60. #
  61. # hosts.deny This file contains access rules which are used to
  62. # deny connections to network services that either use
  63. # the tcp_wrappers library or that have been
  64. # started through a tcp_wrappers-enabled xinetd.
  65. #
  66. # The rules in this file can also be set up in
  67. # /etc/hosts.allow with a 'deny' option instead.
  68. #
  69. # See 'man 5 hosts_options' and 'man 5 hosts_access'
  70. # for information on rule syntax.
  71. # See 'man tcpd' for information on tcp_wrappers
  72. #
  73. sshd:ALL ← 添加这一行,屏蔽来自所有的SSH连接请求
  74. "/etc/hosts.deny" 14L, 469C written
  75. You have new mail in /var/spool/mail/root
  76. root@Cacti.Nagios:[/root]vi /etc/hosts.allow ← 修改允许规则,在文尾添加相应行
  77. #
  78. # hosts.allow This file contains access rules which are used to
  79. # allow or deny connections to network services that
  80. # either use the tcp_wrappers library or that have been
  81. # started through a tcp_wrappers-enabled xinetd.
  82. #
  83. # See 'man 5 hosts_options' and 'man 5 hosts_access'
  84. # for information on rule syntax.
  85. # See 'man tcpd' for information on tcp_wrappers
  86. #
  87. sshd:192.168.7. 只允许192.168.7。网段的机器ssh登陆
  88. ~
  89. ~
  90. ~
  91. "/etc/hosts.allow" 11L, 386C written
  92. root@Cacti.Nagios:[/root]su - admin
  93. admin@Cacti.Nagios:[/data]ssh-keygen -t rsa
  94. Generating public/private rsa key pair.
  95. Enter file in which to save the key (/data/.ssh/id_rsa):
  96. Created directory '/data/.ssh'.
  97. Enter passphrase (empty for no passphrase):
  98. Enter same passphrase again:
  99. Your identification has been saved in /data/.ssh/id_rsa.
  100. Your public key has been saved in /data/.ssh/id_rsa.pub.
  101. The key fingerprint is:
  102. e5:15:ba:be:59:ef:2e:74:df:b6:ee:e1:6a:24:be:da admin@Cacti.Nagios
  103. The key's randomart image is:
  104. +--[ RSA 2048]----+
  105. | . |
  106. | . . |
  107. | o . |
  108. | o o |
  109. | S o |
  110. | . .... |
  111. | o.+. o.|
  112. | .=.o. =|
  113. | .+Eo=B*.|
  114. +-----------------+
  115. admin@Cacti.Nagios:[/data]ls -a
  116. . .. .bash_history .bash_logout .bash_profile .bashrc lost+found .ssh .viminfo
  117. admin@Cacti.Nagios:[/data]cd .ssh/
  118. admin@Cacti.Nagios:[/data/.ssh]ll
  119. total 8
  120. -rw------- 1 admin admin 1751 Oct 12 17:19 id_rsa
  121. -rw-r--r-- 1 admin admin 401 Oct 12 17:19 id_rsa.pub
  122. admin@Cacti.Nagios:[/data/.ssh]cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
  123. admin@Cacti.Nagios:[/data/.ssh]ls -a
  124. . .. authorized_keys id_rsa id_rsa.pub
  125. admin@Cacti.Nagios:[/data/.ssh]chmod 400 authorized_keys
  126. admin@Cacti.Nagios:[/data/.ssh]ll -a
  127. total 20
  128. drwx------ 2 admin admin 4096 Oct 12 17:20 .
  129. drwxr-xr-x 4 admin admin 4096 Oct 12 17:19 ..
  130. -r-------- 1 admin admin 401 Oct 12 17:20 authorized_keys
  131. -rw------- 1 admin admin 1751 Oct 12 17:19 id_rsa
  132. -rw-r--r-- 1 admin admin 401 Oct 12 17:19 id_rsa.pub
  133. 至此,将私钥id_rsa导出到windows客户端上。然后删除生成的公钥id_rsa.pub。
  134. 重启sshd服务,使得刚才所做的配置修改生效。
  135. root@Cacti.Nagios:[/root]/etc/rc.d/init.d/sshd restart Stopping sshd: [ OK ] Starting sshd: [ OK ]

虫子的博客

Top