为了服务器和 用户 的安全,禁止 用户 密码的 认证 方式,而基于钥匙的方式。 lastlogin:frioct1214:14:012012from192.168.7.251 root@cacti.nagios:[/root] vi/etc/ssh/sshd_config #$openbsd:sshd_config,v1.802008/07/0202:24:18djmexp$ #thisisthesshdse
为了服务器和用户的安全,禁止用户密码的认证方式,而基于“钥匙”的方式。
last login: fri oct 12 14:14:01 2012 from 192.168.7.251 root@cacti.nagios:[/root]vi /etc/ssh/sshd_config # $openbsd: sshd_config,v 1.80 2008/07/02 02:24:18 djm exp $ # this is the sshd server system-wide configuration file. see # sshd_config(5) for more information. # this sshd was compiled with path=/usr/local/bin:/bin:/usr/bin # the strategy used for options in the default sshd_config shipped with # openssh is to specify options with their default value where # possible, but leave them commented. uncommented options change a # default value. #port 22 #addressfamily any #listenaddress 0.0.0.0 #listenaddress :: # disable legacy (protocol version 1) support in the server for new # installations. in future the default will change to require explicit # activation of protocol 1 protocol 2 ← 修改后变为此状态,仅使用ssh2 # hostkey for protocol version 1 #hostkey /etc/ssh/ssh_host_key # hostkeys for protocol version 2 #hostkey /etc/ssh/ssh_host_rsa_key #hostkey /etc/ssh/ssh_host_dsa_key # lifetime and size of ephemeral version 1 server key #keyregenerationinterval 1h #serverkeybits 1024 # logging # obsoletes quietmode and fascistlogging #syslogfacility auth syslogfacility authpriv #loglevel info # authentication: #logingracetime 2m #permitrootlogin yes permitrootlogin no ← 修改后变为此状态,不允许用root进行登录#strictmodes yes #maxauthtries 6 #maxsessions 10 #rsaauthentication yes #pubkeyauthentication yes #authorizedkeysfile .ssh/authorized_keys #authorizedkeyscommand none #authorizedkeyscommandrunas nobody # for this to work you will also need host keys in /etc/ssh/ssh_known_hosts #rhostsrsaauthentication no # similar for protocol version 2 #hostbasedauthentication no # change to yes if you don't trust ~/.ssh/known_hosts for # rhostsrsaauthentication and hostbasedauthentication #ignoreuserknownhosts no # don't read the user's ~/.rhosts and ~/.shosts files #ignorerhosts yes # to disable tunneled clear text passwords, change to no here! #passwordauthentication yes passwordauthentication no ← 修改后变为此状态,不允许密码方式的登录#permitemptypasswords no permitemptypasswords no ← 修改后变为此状态,禁止空密码进行登录/etc/ssh/sshd_config 141l, 3941c written root@cacti.nagios:[/root]vi /etc/hosts.deny ← 修改屏蔽规则,在文尾添加相应行# # hosts.deny this file contains access rules which are used to # deny connections to network services that either use # the tcp_wrappers library or that have been # started through a tcp_wrappers-enabled xinetd. # # the rules in this file can also be set up in # /etc/hosts.allow with a 'deny' option instead. # # see 'man 5 hosts_options' and 'man 5 hosts_access' # for information on rule syntax. # see 'man tcpd' for information on tcp_wrappers # sshd:all ← 添加这一行,屏蔽来自所有的ssh连接请求/etc/hosts.deny 14l, 469c written you have new mail in /var/spool/mail/root root@cacti.nagios:[/root]vi /etc/hosts.allow ← 修改允许规则,在文尾添加相应行# # hosts.allow this file contains access rules which are used to # allow or deny connections to network services that # either use the tcp_wrappers library or that have been # started through a tcp_wrappers-enabled xinetd. # # see 'man 5 hosts_options' and 'man 5 hosts_access' # for information on rule syntax. # see 'man tcpd' for information on tcp_wrappers # sshd:192.168.7. 只允许192.168.7。网段的机器ssh登陆~ ~ ~ /etc/hosts.allow 11l, 386c written root@cacti.nagios:[/root]su - admin admin@cacti.nagios:[/data]ssh-keygen -t rsa generating public/private rsa key pair. enter file in which to save the key (/data/.ssh/id_rsa): created directory '/data/.ssh'. enter passphrase (empty for no passphrase): enter same passphrase again: your identification has been saved in /data/.ssh/id_rsa. your public key has been saved in /data/.ssh/id_rsa.pub. the key fingerprint is: e5:15:ba:be:59:ef:2e:74:df:b6:ee:e1:6a:24:be:da admin@cacti.nagios the key's randomart image is: +--[ rsa 2048]----+ | . | | . . | | o . | | o o | | s o | | . .... | | o.+. o.| | .=.o. =| | .+eo=b*.| +-----------------+ admin@cacti.nagios:[/data]ls -a . .. .bash_history .bash_logout .bash_profile .bashrc lost+found .ssh .viminfo admin@cacti.nagios:[/data]cd .ssh/ admin@cacti.nagios:[/data/.ssh]ll total 8 -rw------- 1 admin admin 1751 oct 12 17:19 id_rsa -rw-r--r-- 1 admin admin 401 oct 12 17:19 id_rsa.pub admin@cacti.nagios:[/data/.ssh]cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys admin@cacti.nagios:[/data/.ssh]ls -a . .. authorized_keys id_rsa id_rsa.pub admin@cacti.nagios:[/data/.ssh]chmod 400 authorized_keys admin@cacti.nagios:[/data/.ssh]ll -a total 20 drwx------ 2 admin admin 4096 oct 12 17:20 . drwxr-xr-x 4 admin admin 4096 oct 12 17:19 .. -r-------- 1 admin admin 401 oct 12 17:20 authorized_keys -rw------- 1 admin admin 1751 oct 12 17:19 id_rsa -rw-r--r-- 1 admin admin 401 oct 12 17:19 id_rsa.pub 至此,将私钥id_rsa导出到windows客户端上。然后删除生成的公钥id_rsa.pub。重启sshd服务,使得刚才所做的配置修改生效。root@cacti.nagios:[/root]/etc/rc.d/init.d/sshd restart stopping sshd: [ ok ] starting sshd: [ ok ]
650) this.width=650; src=http://cdn.verydemo.com/upload/2013_05_29/13698145869140.jpg border=0 alt=>650) this.width=650; src=http://cdn.verydemo.com/upload/2013_05_29/13698145872331.jpg border=0 alt=>650) this.width=650; src=http://cdn.verydemo.com/upload/2013_05_29/13698145875642.jpg border=0 alt=>650) this.width=650; src=http://cdn.verydemo.com/upload/2013_05_29/13698145878883.jpg border=0 alt=>
虫子的博客