
[Mobile Application Development Techniques] Restricting users to SSH key-based authentication for login

For the security of the server and its users, password authentication is disabled in favour of key-based authentication.

Last login: Fri Oct 12 14:14:01 2012 from 192.168.7.251
root@Cacti.Nagios:[/root]vi /etc/ssh/sshd_config
#       $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2                        ← changed to this after editing: only SSH2 is used

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
PermitRootLogin no                ← changed to this after editing: logging in as root is not allowed
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
PasswordAuthentication no         ← changed to this after editing: password login is not allowed
#PermitEmptyPasswords no
PermitEmptyPasswords no           ← changed to this after editing: login with an empty password is prohibited
"/etc/ssh/sshd_config" 141L, 3941C written
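An added example (not from the original post) that audits an sshd_config for the four settings changed above. It applies the sshd_config rule that the first value given for a keyword wins, so an uncommented PasswordAuthentication yes earlier in the file silently defeats a no added further down; the DEFAULTS table assumes the OpenSSH 5.x-era defaults matching the stock file shown, and Match blocks are not evaluated.

```python
"""Audit an sshd_config for the hardening settings applied in this post.

Added example, not from the original post.  sshd uses the first value
it reads for each keyword, so this parser keeps only the first one.
"""
import re

# Values the post sets, and the defaults that apply when a keyword is
# absent (assumed: OpenSSH 5.x era, matching the stock file shown).
EXPECTED = {"protocol": "2", "permitrootlogin": "no",
            "passwordauthentication": "no", "permitemptypasswords": "no"}
DEFAULTS = {"protocol": "2,1", "permitrootlogin": "yes",
            "passwordauthentication": "yes", "permitemptypasswords": "no"}


def parse_sshd_config(text):
    """Return {keyword: first value} for the global section.

    Keywords are case-insensitive; commented lines (the shipped defaults)
    are ignored; parsing stops at the first Match block, whose settings
    are conditional and not handled here (assumption).
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        if key not in effective and len(parts) == 2:
            effective[key] = parts[1].strip().lower()
    return effective


def audit(text):
    """Return [(keyword, effective value, expected value)] for each mismatch."""
    effective = parse_sshd_config(text)
    return [(k, effective.get(k, DEFAULTS[k]), want)
            for k, want in EXPECTED.items()
            if effective.get(k, DEFAULTS[k]) != want]


# Constructed sample: the second PasswordAuthentication line has no effect.
SAMPLE = """\
#Port 22
Protocol 2
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
PasswordAuthentication no
#PermitEmptyPasswords no
"""

if __name__ == "__main__":
    for key, found, want in audit(SAMPLE):
        print(f"{key}: effective {found!r}, expected {want!r}")
```

On a live host, the same check can be run against the daemon's own view with sshd -T, which prints the effective value of every keyword.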

root@Cacti.Nagios:[/root]vi /etc/hosts.deny        ← edit the deny rules: add the corresponding line at the end of the file
#
# hosts.deny    This file contains access rules which are used to
#               deny connections to network services that either use
#               the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               The rules in this file can also be set up in
#               /etc/hosts.allow with a 'deny' option instead.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
sshd:ALL                          ← add this line to block SSH connection requests from all hosts
"/etc/hosts.deny" 14L, 469C written
You have new mail in /var/spool/mail/root
root@Cacti.Nagios:[/root]vi /etc/hosts.allow       ← edit the allow rules: add the corresponding line at the end of the file
#
# hosts.allow   This file contains access rules which are used to
#               allow or deny connections to network services that
#               either use the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
sshd:192.168.7.                   ← only machines on the 192.168.7. subnet may log in via ssh
"/etc/hosts.allow" 11L, 386C written
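An added example (not part of the original post) that evaluates the two tcp_wrappers rules written above, sshd:ALL in hosts.deny and sshd:192.168.7. in hosts.allow, in the order hosts_access(5) specifies: a hosts.allow match grants, otherwise a hosts.deny match refuses, otherwise the connection is granted. Only the pattern forms used here (ALL, an exact address, and a trailing-dot network prefix) are implemented; hostname suffixes, net/mask and EXCEPT are assumed out of scope.

```python
"""Decide sshd access under tcp_wrappers for the rules in this post.

Added example, not part of the original post.  Implements the
hosts_access(5) evaluation order with the pattern forms the post uses.
"""
import re


def _parse(text):
    """Return [(daemon_patterns, client_patterns)] from a hosts.* file."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:                        # needs daemon_list : client_list
            continue
        rules.append((re.split(r"[\s,]+", fields[0]),
                      re.split(r"[\s,]+", fields[1])))
    return rules


def _match(pattern, value):
    """ALL wildcard, trailing-dot address prefix (192.168.7.), or exact."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return value.startswith(pattern)   # dot keeps 192.168.70.x from matching
    return pattern == value


def _listed(rules, daemon, addr):
    return any(any(_match(d, daemon) for d in ds) and any(_match(c, addr) for c in cs)
               for ds, cs in rules)


def allowed(daemon, addr, allow_text, deny_text):
    """hosts.allow match grants; else hosts.deny match refuses; else grant."""
    if _listed(_parse(allow_text), daemon, addr):
        return True
    if _listed(_parse(deny_text), daemon, addr):
        return False
    return True


# Constructed copies of the two rule lines the post adds.
HOSTS_ALLOW = "sshd:192.168.7.\n"
HOSTS_DENY = "sshd:ALL\n"

if __name__ == "__main__":
    for client in ("192.168.7.251", "192.168.70.1", "10.0.0.5"):
        print(client, "allowed" if allowed("sshd", client, HOSTS_ALLOW, HOSTS_DENY) else "denied")
```

These rules only take effect if sshd was built with libwrap, which portable OpenSSH removed in 6.7; on newer servers the equivalent restriction is a Match Address block in sshd_config or a host firewall rule.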

root@Cacti.Nagios:[/root]su - admin
admin@Cacti.Nagios:[/data]ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/data/.ssh/id_rsa):
Created directory '/data/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /data/.ssh/id_rsa.
Your public key has been saved in /data/.ssh/id_rsa.pub.
The key fingerprint is:
e5:15:ba:be:59:ef:2e:74:df:b6:ee:e1:6a:24:be:da admin@Cacti.Nagios
The key's randomart image is:
+--[ RSA 2048]----+
[randomart rows: character layout not recoverable from the extraction]
+-----------------+
admin@Cacti.Nagios:[/data]ls -a
.  ..  .bash_history  .bash_logout  .bash_profile  .bashrc  lost+found  .ssh  .viminfo
admin@Cacti.Nagios:[/data]cd .ssh/
admin@Cacti.Nagios:[/data/.ssh]ll
total 8
-rw------- 1 admin admin 1751 Oct 12 17:19 id_rsa
-rw-r--r-- 1 admin admin  401 Oct 12 17:19 id_rsa.pub
admin@Cacti.Nagios:[/data/.ssh]cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
admin@Cacti.Nagios:[/data/.ssh]ls -a
.  ..  authorized_keys  id_rsa  id_rsa.pub
admin@Cacti.Nagios:[/data/.ssh]chmod 400 authorized_keys
admin@Cacti.Nagios:[/data/.ssh]ll -a
total 20
drwx------ 2 admin admin 4096 Oct 12 17:20 .
drwxr-xr-x 4 admin admin 4096 Oct 12 17:19 ..
-r-------- 1 admin admin  401 Oct 12 17:20 authorized_keys
-rw------- 1 admin admin 1751 Oct 12 17:19 id_rsa
-rw-r--r-- 1 admin admin  401 Oct 12 17:19 id_r
