Home | 簡體中文 | 繁體中文 | 雜文 | 打賞(Donations) | ITEYE 博客 | OSChina 博客 | Facebook | Linkedin | 知乎專欄 | Search | Email

43.2. /etc/ssh/

43.2.1. sshd_config

# vi /etc/ssh/sshd_config
			

43.2.1.1. Authentication 配置

連接後2m沒有任何鍵盤輸入以及屏幕輸出,將自動切換SSH連接。

LoginGraceTime 2m
				

禁止root用戶登錄(disable root SSH login)

PermitRootLogin no
				

限制SSH驗證重試次數(maximum number of authentication):

MaxAuthTries 6
				

43.2.1.2. Automatic SSH / SSH without password

config /etc/ssh/sshd_config

$ sudo vim /etc/ssh/sshd_config

AuthorizedKeysFile  %h/.ssh/authorized_keys

$ sudo /etc/init.d/ssh reload
				

ssh-keygen

ssh-keygen -d

master server

[netkiller@master ~]$ ssh-keygen -d
Generating public/private dsa key pair.
Enter file in which to save the key (/home/netkiller/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/netkiller/.ssh/id_dsa.
Your public key has been saved in /home/netkiller/.ssh/id_dsa.pub.
The key fingerprint is:
bf:a9:21:2c:82:77:2d:71:33:12:20:10:93:5f:cb:74 netkiller@master
[netkiller@master ~]$
[netkiller@master ~]$ cp .ssh/id_dsa.pub .ssh/authorized_keys
[netkiller@master ~]$ chmod 600 .ssh/authorized_keys
[netkiller@master ~]$ ls -l .ssh/
total 12
-rw-------  1 netkiller netkiller 612 Mar 27 15:31 authorized_keys
-rw-------  1 netkiller netkiller 736 Mar 27 15:24 id_dsa
-rw-r--r--  1 netkiller netkiller 612 Mar 27 15:24 id_dsa.pub
[netkiller@master ~]$
				

backup server

[netkiller@backup ~]$ ssh-keygen -d
Generating public/private dsa key pair.
Enter file in which to save the key (/home/netkiller/.ssh/id_dsa):
Created directory '/home/netkiller/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/netkiller/.ssh/id_dsa.
Your public key has been saved in /home/netkiller/.ssh/id_dsa.pub.
The key fingerprint is:
c5:2f:0e:4e:b0:46:47:ec:19:30:be:9c:20:ad:9c:51 netkiller@backup
[netkiller@backup ~]$ cp .ssh/id_dsa.pub .ssh/authorized_keys
[netkiller@backup ~]$ chmod 600 .ssh/authorized_keys
[netkiller@backup ~]$ ls -l .ssh/
total 16
-rw-------  1 netkiller netkiller 609 Mar 27 15:31 authorized_keys
-rw-------  1 netkiller netkiller 736 Mar 27 15:27 id_dsa
-rw-r--r--  1 netkiller netkiller 609 Mar 27 15:27 id_dsa.pub
				

交換公鑰證書

master => backup

				
[netkiller@master ~]$ scp .ssh/id_dsa.pub netkiller@backup.example.org:.ssh/master.pub
netkiller@backup.example.org's password:
id_dsa.p                                                     100%  612     0.6KB/s   00:00
[netkiller@master ~]$

[netkiller@backup ~]$ cat .ssh/master.pub >> .ssh/authorized_keys
				
				

test

[netkiller@master ~]$ ssh backup.example.org
Enter passphrase for key '/home/netkiller/.ssh/id_dsa':
Last login: Tue Mar 27 15:26:35 2007 from master.example.org
[netkiller@backup ~]$

				

master <= backup

				
[netkiller@backup ~]$ scp .ssh/id_dsa.pub netkiller@master.example.org:.ssh/backup.pub
netkiller@master.example.org's password:
id_dsa.pub                                                   100%  609     0.6KB/s   00:00
[netkiller@backup ~]$

[netkiller@master ~]$ cat .ssh/backup.pub >> .ssh/authorized_keys
				
				

test

[netkiller@backup ~]$ ssh master.example.org
Enter passphrase for key '/home/netkiller/.ssh/id_dsa':
Last login: Tue Mar 27 15:44:37 2007 from backup.example.org
[netkiller@master ~]$

				

注意:authorized_keys權限必須為600,否則可能登陸的時候還會讓你輸入密碼,但是一旦改成600以後並且成功登陸,此問題不再出現。

script

ssh-keygen -d
cp .ssh/id_dsa.pub .ssh/authorized_keys
chmod 600 .ssh/authorized_keys
ls -l .ssh/
				
[提示]提示

禁止證書登陸 PubkeyAuthentication no; 或者 AuthorizedKeysFile /dev/null

43.2.1.3. disable password authentication

建議你使用證書登錄,並禁用密碼認證 PasswordAuthentication yes,這樣更安全,且不會駭客窮舉你的口令。

PasswordAuthentication no
				

43.2.1.4. GSSAPI options

GSSAPI (Generic Security Services Application Programming Interface) 是一套類似Kerberos 5 的通用網絡安全系統介面. 該介面是對各種不同的客戶端伺服器安全機制的封裝,以消除安全介面的不同,降低編程難度. 但該介面在目標主機無域名解析時會有如下問題

GSSAPI 基本用不到建議關閉

#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
				
debug1:  Host  '10.1.1.17'  is known and matches the RSA host key.  
debug1:  Found key in /home/neo/.ssh/known_hosts: 1   
debug1:  ssh_rsa_verify: signature correct  
debug1:  SSH 2 _MSG_NEWKEYS sent  
debug1:  expecting SSH 2 _MSG_NEWKEYS  
debug1:  SSH 2 _MSG_NEWKEYS received  
debug1:  SSH 2 _MSG_SERVICE_REQUEST sent  
debug1:  SSH 2 _MSG_SERVICE_ACCEPT received  
debug1:  Authentications that can continue: publickey,gssapi-with-mic,password  
debug1:  Next authentication method: gssapi-with-mic  
debug1:  An invalid name was supplied  
Cannot determine realm for numeric host address  
debug1:  An invalid name was supplied  
Cannot determine realm for numeric host address  
debug1:  An invalid name was supplied  
debug1:  Next authentication method: publickey  
debug1:  Trying private key: /home/neo/.ssh/identity  
debug1:  Trying private key: /home/neo/.ssh/id_rsa  
debug1:  Trying private key: /home/neo/.ssh/id_dsa  
debug1:  Next authentication method: password  
====>
事實上,正是從gssapi-with-mic這一行開始,開始耗時間:

找到
GSSAPIAuthentication yes
改為
GSSAPIAuthentication no				
				

43.2.1.5. 忽略known_hosts檔案

/etc/ssh/sshd_config

IgnoreUserKnownHosts yes
				

43.2.1.6. UseDNS no

ssh登錄伺服器時總是要停頓等待一下才能連接上,這是因為OpenSSH伺服器有一個DNS查找選項(UseDNS)預設是打開的. UseDNS選項打開狀態下,當客戶端試圖登錄OpenSSH伺服器時,伺服器端先根據客戶端的IP地址進行DNS PTR反向查詢,查詢出客戶端的host name,然後根據查詢出的客戶端host name進行DNS正向A記錄查詢,驗證與其原始IP地址是否一致,這是防止客戶端欺騙的一種手段.

				
vim /etc/ssh/sshd_config 
=====>
增加 UseDNS no

打開這個參數ssh在連接sever如果無法進行dns解析的時候會出現如下卡頓現象(ssh 加 -v參數):
debug1: Found key in /home/neo/.ssh/known_hosts:71
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received

<---- delay 4-5 seconds------>


debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/neo/.ssh/identity		
				
				

43.2.2. ssh_config

43.2.2.1. ForwardAgent

轉發Agent開啟, 當你ssh root@remote 後,再從remote登錄另一台伺服器的時候就不許要再次輸入密碼

ForwardAgent yes
				

43.2.3. ~/.ssh/config

格式

Host    別名
    HostName        主機名
    Port            連接埠
    User            用戶名
    IdentityFile    密鑰檔案的路徑			
			

指定主機175.46.28.88的預設連接埠2022

cat ~/.ssh/config
Host 175.46.28.88
    Port 2022
			

~/.ssh/config 檔案的權限必須是600

chmod 600 ~/.ssh/config