linux 远程rsa 登录配置 文件 /etc/ssh/sshd_config

linux 创建用户

?

1 2	useradd ccpit  # 创建ccpit用户 passwd ccpit  # 给这个用户设置密码

修改/etc/ssh/sshd_config文件

?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136

#   $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $   # This is the sshd server system-wide configuration file.  See # sshd_config(5) for more information.   # This sshd was compiled with PATH=/usr/local/bin:/usr/bin   # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented.  Uncommented options override the # default value.   # If you want to change the port on a SELinux system, you have to tell # SELinux about this change. # semanage port -a -t ssh_port_t -p tcp #PORTNUMBER # #Port 22 #ListenAddress 0.0.0.0 #ListenAddress ::   HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_dsa_key HostKey /etc/ssh/ssh_host_ecdsa_key HostKey /etc/ssh/ssh_host_ed25519_key   # Ciphers and keying #RekeyLimit default none   # Logging #LogLevel INFO   # Authentication:   #LoginGraceTime 2m StrictModes no #MaxAuthTries 6 #MaxSessions 10   RSAAuthentication yes PubkeyAuthentication yes   # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 # but this is overridden so installations will only check .ssh/authorized_keys AuthorizedKeysFile  .ssh/authorized_keys   #AuthorizedPrincipalsFile none   #AuthorizedKeysCommand none #AuthorizedKeysCommandUser nobody   # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts #HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for # HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes   # To disable tunneled clear text passwords, change to no here! #PermitEmptyPasswords no   # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes ChallengeResponseAuthentication no   # Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes #KerberosGetAFSToken no #KerberosUseKuserok yes   # GSSAPI options GSSAPIAuthentication yes GSSAPICleanupCredentials no #GSSAPIStrictAcceptorCheck yes #GSSAPIKeyExchange no #GSSAPIEnablek5users no   # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PAM authentication via ChallengeResponseAuthentication may bypass # If you just want the PAM account and session checks to run without # and ChallengeResponseAuthentication to 'no'. # WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several # problems. UsePAM yes   #AllowAgentForwarding yes #AllowTcpForwarding yes #GatewayPorts no X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes #PermitTTY yes #PrintMotd yes #PrintLastLog yes #TCPKeepAlive yes #UseLogin no #UsePrivilegeSeparation sandbox #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 #ClientAliveCountMax 3 #ShowPatchLevel no #PidFile /var/run/sshd.pid #MaxStartups 10:30:100 #PermitTunnel no #ChrootDirectory none #VersionAddendum none   # no default banner path #Banner none   # Accept locale-related environment variables AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE AcceptEnv XMODIFIERS   # override default of no subsystems Subsystem   sftp    /usr/libexec/openssh/sftp-server   # Example of overriding settings on a per-user basis #Match User anoncvs #   X11Forwarding no #   AllowTcpForwarding no #   PermitTTY no #   ForceCommand cvs server UseDNS no AddressFamily inet PermitRootLogin no SyslogFacility AUTHPRIV PasswordAuthentication no AllowUsers ccpit

 在/home/ccpit 下生成ssh_key

 

 把id_rsa 内容复制进authorized_keys (没有需要先创建authorized_keys文件)

?

1	cat id_rsa >> authorized_keys

 

systemctl restart sshd.service

退出重新登录即可

 

常用选项

?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

UseDNS no AddressFamily inet PermitRootLogin no #SyslogFacility用来设定在记录来自sshd的消息的时候，是否给出“facility code” SyslogFacility AUTHPRIV #PasswordAuthentication用来设置是否开启密码验证机制，如果用密码登录系统，则设置yes PasswordAuthentication no #指定允许通过远程访问的用户，多个用户以空格隔开 AllowUsers root #X11Forwarding 用来设置是否允许X11转发 X11Forwarding yes #设置是否通过PAM验证 UsePAM yes #GSSAPIAuthentication 指定是否允许基于GSSAPI的用户认证，默认为no GSSAPIAuthentication yes #GSSAPICleanupCredentials 设置是否在用户退出登录是自动销毁用户的凭证缓存 GSSAPICleanupCredentials no #ChallengeResponseAuthentication 是否允许质疑-应答(challenge-response)认证 ChallengeResponseAuthentication no   #RSAAuthentication用来设置是否开启RSA密钥验证 RSAAuthentication yes #PubkeyAuthentication用来设置是否开启公钥验证，如果使用公钥验证的方式登录时，则设置为yes PubkeyAuthentication yes #AuthorizedKeysFile用来设置公钥验证文件的路径，与PubkeyAuthentication配合使用,默认值是".ssh/authorized_keys" AuthorizedKeysFile      .ssh/authorized_keys   #StrictModes用来设置ssh在接收登录请求之前是否检查用户根目录和rhosts文件的权限和所有权 StrictModes no #MaxAuthTries 用来设置最大失败尝试登陆次数为6 #MaxAuthTries 6