Enabling remote SSH login for normal users, and remote SSH login for root
Go into the /etc/ssh directory and list it:
cd /etc/ssh
ls
[email protected]:/home/z# cd /etc/ssh/
[email protected]:/etc/ssh# ls
ssh_config ssh_config.
There is only ssh_config and no sshd_config, which means only openssh-client is installed and openssh-server is not.
Install openssh-server:
sudo apt install -y openssh-server
Afterwards the /etc/ssh directory contains:
moduli ssh_config.d sshd_config.d ssh_host_ecdsa_key.pub ssh_host_ed25519_key.pub ssh_host_rsa_key.pub
ssh_config sshd_config ssh_host_ecdsa_key ssh_host_ed25519_key ssh_host_rsa_key ssh_import_id
View the /etc/ssh/sshd_config file with any of these commands:
sudo cat /etc/ssh/sshd_config
sudo less /etc/ssh/sshd_config
sudo more /etc/ssh/sshd_config
sudo vi /etc/ssh/sshd_config
sudo nano /etc/ssh/sshd_config
sudo gedit /etc/ssh/sshd_config
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
The line Include /etc/ssh/sshd_config.d/*.conf pulls in every file under /etc/ssh/sshd_config.d/ whose name ends in .conf as an additional configuration file. So do not edit sshd_config itself; put your changes in a file whose name ends in .conf and place it in /etc/ssh/sshd_config.d/.
A few options worth looking at.
Related to remote login:
- #PasswordAuthentication yes: this option allows remote logins to authenticate with a password, but with the leading # it is commented out and has no effect. Remove the # so the line reads PasswordAuthentication yes to allow remote login with password authentication.
- #PermitRootLogin prohibit-password: set it to PermitRootLogin yes to allow root to log in remotely.
Related to keeping the remote connection alive:
- #ClientAliveInterval 0: how many seconds between checks of whether the remote client is still alive; the default is 0, which means no check is made. Set ClientAliveInterval to the interval you want.
- #ClientAliveCountMax 3: the maximum number of times the client may fail to respond before the connection is dropped; the default is 3, so it can be left alone and only ClientAliveInterval needs to be set.
PasswordAuthentication
Specifies whether password authentication is allowed. The default is yes.
PermitRootLogin
Specifies whether root can log in using ssh(1). The argument must be yes, prohibit-password, forced-commands-only, or no. The default is prohibit-password.
If this option is set to prohibit-password (or its deprecated alias, without-password), password and keyboard-interactive authentication are disabled for root.
If this option is set to forced-commands-only, root login with public key authentication will be allowed, but only if the command option has been specified (which may be useful for taking remote backups even if root login is normally not allowed). All other authentication methods are disabled for root.
If this option is set to no, root is not allowed to log in.
In other words, prohibit-password is the newer name for without-password, which is now a deprecated alias.
ClientAliveCountMax
Sets the number of client alive messages which may be sent without sshd(8) receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session. It is important to note that the use of client alive messages is very different from TCPKeepAlive. The client alive messages are sent through the encrypted channel and therefore will not be spoofable. The TCP keepalive option enabled by TCPKeepAlive is spoofable. The client alive mechanism is valuable when the client or server depend on knowing when a connection has become unresponsive.
The default value is 3. If ClientAliveInterval is set to 15, and ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds. Setting a zero ClientAliveCountMax disables connection termination.
ClientAliveInterval
Sets a timeout interval in seconds after which if no data has been received from the client, sshd(8) will send a message through the encrypted channel to request a response from the client. The default is 0, indicating that these messages will not be sent to the client.
Rather than editing /etc/ssh/sshd_config directly, create a Mysshd.conf configuration file under /etc/ssh/sshd_config.d and restart the sshd.service service:
echo '
PasswordAuthentication yes
PermitRootLogin yes
ClientAliveInterval 666
' | sudo tee /etc/ssh/sshd_config.d/Mysshd.conf
sudo systemctl restart sshd.service
Since the default value of PasswordAuthentication is already yes, that line can be left out:
echo '
PermitRootLogin yes
ClientAliveInterval 666
' | sudo tee /etc/ssh/sshd_config.d/Mysshd.conf
sudo systemctl restart sshd.service
And a command to enter the /etc/ssh/sshd_config.d/ directory, for easy copy and paste:
cd /etc/ssh/sshd_config.d/
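An added example, not part of the original post: this script models the rule from sshd_config(5) that the first value obtained for a keyword is the one used, which is why the Include at the top of sshd_config lets a drop-in such as Mysshd.conf override the main file, and why a drop-in whose name sorts earlier in /etc/ssh/sshd_config.d/ wins over Mysshd.conf in turn. The scratch directory, the 00-hardening.conf file name and the make_demo and add_hardening helpers are assumptions made for the demonstration, not real system files.

```shell
#!/bin/sh
# Added example, not from the original post. It models the rule in
# sshd_config(5) that for each keyword the first value obtained is used,
# which is why a drop-in read by the Include at the top of sshd_config
# overrides the main file. Every file here is a constructed stand-in.

# effective_value KEYWORD FILE...
# Print the first value for KEYWORD across FILEs, in the order given.
effective_value() {
    kw=$1; shift
    awk -v kw="$kw" '
        /^[ \t]*(#|$)/ { next }                        # comments, blank lines
        tolower($1) == tolower(kw) { print $2; exit }  # first match wins
    ' "$@"
}

# sshd_effective DIR KEYWORD DEFAULT
# Drop-ins in DIR/sshd_config.d/*.conf are read first, in glob (lexical) order,
# as the Include on the first line of sshd_config does; then the main file.
sshd_effective() {
    dir=$1; kw=$2; def=$3
    set --
    for f in "$dir"/sshd_config.d/*.conf; do
        [ -e "$f" ] && set -- "$@" "$f"
    done
    v=$(effective_value "$kw" "$@" "$dir/sshd_config")
    printf '%s\n' "${v:-$def}"   # DEFAULT when no file sets the keyword
}

# make_demo DIR: the shipped main file (defaults commented out) plus the
# Mysshd.conf drop-in that the page creates (constructed stand-ins).
make_demo() {
    mkdir -p "$1/sshd_config.d"
    printf 'Include %s/sshd_config.d/*.conf\n#PermitRootLogin prohibit-password\n#ClientAliveInterval 0\n' \
        "$1" > "$1/sshd_config"
    printf 'PermitRootLogin yes\nClientAliveInterval 666\n' > "$1/sshd_config.d/Mysshd.conf"
}

# add_hardening DIR: a drop-in whose name sorts before Mysshd.conf, so its
# PermitRootLogin value is obtained first and wins (hypothetical file name).
add_hardening() {
    printf 'PermitRootLogin no\n' > "$1/sshd_config.d/00-hardening.conf"
}

demo=$(mktemp -d)
make_demo "$demo"
echo "PermitRootLogin, Mysshd.conf only:       $(sshd_effective "$demo" PermitRootLogin prohibit-password)"
add_hardening "$demo"
echo "PermitRootLogin, with 00-hardening.conf: $(sshd_effective "$demo" PermitRootLogin prohibit-password)"
rm -rf "$demo"
```

On a real host, sudo sshd -T | grep -iE 'permitrootlogin|clientalive' prints the values sshd actually resolved after processing the Include, and sudo sshd -t checks the syntax before you restart the service.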