欢迎您访问程序员文章站本站旨在为大家提供分享程序员计算机编程知识!
您现在的位置是: 首页  >  数据库

限制用户通过ssh密钥进行认证登陆

程序员文章站 2022-04-14 09:32:39
...

为了服务器和 用户 的安全,禁止 用户 密码的 认证 方式,而基于钥匙的方式。 Lastlogin:FriOct1214:14:012012from192.168.7.251 root@Cacti.Nagios:[/root] vi/etc/ssh/sshd_config #$OpenBSD:sshd_config,v1.802008/07/0202:24:18djmExp$ #Thisisthesshdse

为了服务器和用户的安全,禁止用户密码的认证方式,而基于“钥匙”的方式。

  1. Last login: Fri Oct 12 14:14:01 2012 from 192.168.7.251
  2. root@Cacti.Nagios:[/root]vi /etc/ssh/sshd_config
  3. # $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
  4. # This is the sshd server system-wide configuration file. See
  5. # sshd_config(5) for more information.
  6. # This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
  7. # The strategy used for options in the default sshd_config shipped with
  8. # OpenSSH is to specify options with their default value where
  9. # possible, but leave them commented. Uncommented options change a
  10. # default value.
  11. #Port 22
  12. #AddressFamily any
  13. #ListenAddress 0.0.0.0
  14. #ListenAddress ::
  15. # Disable legacy (protocol version 1) support in the server for new
  16. # installations. In future the default will change to require explicit
  17. # activation of protocol 1
  18. Protocol 2 ← 修改后变为此状态,仅使用SSH2
  19. # HostKey for protocol version 1
  20. #HostKey /etc/ssh/ssh_host_key
  21. # HostKeys for protocol version 2
  22. #HostKey /etc/ssh/ssh_host_rsa_key
  23. #HostKey /etc/ssh/ssh_host_dsa_key
  24. # Lifetime and size of ephemeral version 1 server key
  25. #KeyRegenerationInterval 1h
  26. #ServerKeyBits 1024
  27. # Logging
  28. # obsoletes QuietMode and FascistLogging
  29. #SyslogFacility AUTH
  30. SyslogFacility AUTHPRIV
  31. #LogLevel INFO
  32. # Authentication:
  33. #LoginGraceTime 2m
  34. #PermitRootLogin yes
  35. PermitRootLogin no ← 修改后变为此状态,不允许用root进行登录
  36. #StrictModes yes
  37. #MaxAuthTries 6
  38. #MaxSessions 10
  39. #RSAAuthentication yes
  40. #PubkeyAuthentication yes
  41. #AuthorizedKeysFile .ssh/authorized_keys
  42. #AuthorizedKeysCommand none
  43. #AuthorizedKeysCommandRunAs nobody
  44. # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
  45. #RhostsRSAAuthentication no
  46. # similar for protocol version 2
  47. #HostbasedAuthentication no
  48. # Change to yes if you don't trust ~/.ssh/known_hosts for
  49. # RhostsRSAAuthentication and HostbasedAuthentication
  50. #IgnoreUserKnownHosts no
  51. # Don't read the user's ~/.rhosts and ~/.shosts files
  52. #IgnoreRhosts yes
  53. # To disable tunneled clear text passwords, change to no here!
  54. #PasswordAuthentication yes
  55. PasswordAuthentication no ← 修改后变为此状态,不允许密码方式的登录
  56. #PermitEmptyPasswords no
  57. PermitEmptyPasswords no ← 修改后变为此状态,禁止空密码进行登录
  58. "/etc/ssh/sshd_config" 141L, 3941C written
  59. root@Cacti.Nagios:[/root]vi /etc/hosts.deny 修改屏蔽规则,在文尾添加相应行
  60. #
  61. # hosts.deny This file contains access rules which are used to
  62. # deny connections to network services that either use
  63. # the tcp_wrappers library or that have been
  64. # started through a tcp_wrappers-enabled xinetd.
  65. #
  66. # The rules in this file can also be set up in
  67. # /etc/hosts.allow with a 'deny' option instead.
  68. #
  69. # See 'man 5 hosts_options' and 'man 5 hosts_access'
  70. # for information on rule syntax.
  71. # See 'man tcpd' for information on tcp_wrappers
  72. #
  73. sshd:ALL 添加这一行,屏蔽来自所有的SSH连接请求
  74. "/etc/hosts.deny" 14L, 469C written
  75. You have new mail in /var/spool/mail/root
  76. root@Cacti.Nagios:[/root]vi /etc/hosts.allow 修改允许规则,在文尾添加相应行
  77. #
  78. # hosts.allow This file contains access rules which are used to
  79. # allow or deny connections to network services that
  80. # either use the tcp_wrappers library or that have been
  81. # started through a tcp_wrappers-enabled xinetd.
  82. #
  83. # See 'man 5 hosts_options' and 'man 5 hosts_access'
  84. # for information on rule syntax.
  85. # See 'man tcpd' for information on tcp_wrappers
  86. #
  87. sshd:192.168.7. 只允许192.168.7。网段的机器ssh登陆
  88. ~
  89. ~
  90. ~
  91. "/etc/hosts.allow" 11L, 386C written
  92. root@Cacti.Nagios:[/root]su - admin
  93. admin@Cacti.Nagios:[/data]ssh-keygen -t rsa
  94. Generating public/private rsa key pair.
  95. Enter file in which to save the key (/data/.ssh/id_rsa):
  96. Created directory '/data/.ssh'.
  97. Enter passphrase (empty for no passphrase):
  98. Enter same passphrase again:
  99. Your identification has been saved in /data/.ssh/id_rsa.
  100. Your public key has been saved in /data/.ssh/id_rsa.pub.
  101. The key fingerprint is:
  102. e5:15:ba:be:59:ef:2e:74:df:b6:ee:e1:6a:24:be:da admin@Cacti.Nagios
  103. The key's randomart image is:
  104. +--[ RSA 2048]----+
  105. | . |
  106. | . . |
  107. | o . |
  108. | o o |
  109. | S o |
  110. | . .... |
  111. | o.+. o.|
  112. | .=.o. =|
  113. | .+Eo=B*.|
  114. +-----------------+
  115. admin@Cacti.Nagios:[/data]ls -a
  116. . .. .bash_history .bash_logout .bash_profile .bashrc lost+found .ssh .viminfo
  117. admin@Cacti.Nagios:[/data]cd .ssh/
  118. admin@Cacti.Nagios:[/data/.ssh]ll
  119. total 8
  120. -rw------- 1 admin admin 1751 Oct 12 17:19 id_rsa
  121. -rw-r--r-- 1 admin admin 401 Oct 12 17:19 id_rsa.pub
  122. admin@Cacti.Nagios:[/data/.ssh]cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
  123. admin@Cacti.Nagios:[/data/.ssh]ls -a
  124. . .. authorized_keys id_rsa id_rsa.pub
  125. admin@Cacti.Nagios:[/data/.ssh]chmod 400 authorized_keys
  126. admin@Cacti.Nagios:[/data/.ssh]ll -a
  127. total 20
  128. drwx------ 2 admin admin 4096 Oct 12 17:20 .
  129. drwxr-xr-x 4 admin admin 4096 Oct 12 17:19 ..
  130. -r-------- 1 admin admin 401 Oct 12 17:20 authorized_keys
  131. -rw------- 1 admin admin 1751 Oct 12 17:19 id_rsa
  132. -rw-r--r-- 1 admin admin 401 Oct 12 17:19 id_rsa.pub
  133. 至此,将私钥id_rsa导出到windows客户端上。然后删除生成的公钥id_rsa.pub。
  134. 重启sshd服务,使得刚才所做的配置修改生效。
  135. root@Cacti.Nagios:[/root]/etc/rc.d/init.d/sshd restart Stopping sshd: [ OK ] Starting sshd: [ OK ]

限制用户通过ssh密钥进行认证登陆限制用户通过ssh密钥进行认证登陆限制用户通过ssh密钥进行认证登陆限制用户通过ssh密钥进行认证登陆

虫子的博客