I. Basic information

1. Requirement: log in from .117 to .160 without a password, using the account jimmy.
2. Distribution on 10.1.10.117:
    cat /etc/debian_version
    7.8
3. Kernel version:
    uname -r
    3.2.0-4-amd64
4. ssh version: 1:6.0p1-4+deb7u2
5. Distribution on 10.1.10.160:
    cat /etc/debian_version
    5.0.10
6. Kernel version:
    uname -r
    2.6.26-2-amd64
7. ssh version: 1:5.1p1-5

II. Passwordless SSH configuration

1. First check the current PubkeyAuthentication and PreferredAuthentications settings:
    cat /etc/ssh/ssh_config|egrep "PubkeyAuthentication|PreferredAuthentications"
2. Enable public/private key authentication by adding or changing the following in /etc/ssh/ssh_config:
    PubkeyAuthentication yes
3. Prefer publickey authentication by adding or changing the following in /etc/ssh/ssh_config:
    PreferredAuthentications publickey,password
4. Switch to the jimmy user:
    su - jimmy
5. Create the .ssh directory:
    mkdir .ssh -p
6. Generate the public and private key:
    ssh-keygen -t rsa
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/jimmy/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/jimmy/.ssh/id_rsa.
    Your public key has been saved in /home/jimmy/.ssh/id_rsa.pub.
    The key fingerprint is:
    98:4c:31:6d:60:9b:e6:f0:11:d4:79:d7:6b:71:63:03 jimmy@debian
    The key's randomart image is:
    +--[ RSA 2048]----+
    |     .B+ . E.    |
    |     . *= . . o+.|
    |     . *. . . .+o|
    |      B + o      |
    |       * S .     |
    |                 |
    |                 |
    |                 |
    |                 |
    +-----------------+
   PS: do not enter a passphrase when generating the key; just press Enter three times.
7. Check the generated public and private key:
    jimmy@debian:~$ ls .ssh/
    id_rsa  id_rsa.pub
8. Transfer the key:
    ssh-copy-id -i jimmy@10.1.10.160
    The authenticity of host '10.1.10.160 (10.1.10.160)' can't be established.
    RSA key fingerprint is e0:6b:ef:86:c1:1d:bf:70:e4:cb:48:5b:9c:32:87:0f.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '10.1.10.160' (RSA) to the list of known hosts.
    jimmy@10.1.10.160's password:
    Now try logging into the machine, with "ssh 'jimmy@10.1.10.160'", and check in:

      ~/.ssh/authorized_keys

    to make sure we haven't added extra keys that you weren't expecting.
9. Check whether /etc/ssh/sshd_config on 10.1.10.160 has PubkeyAuthentication configured:
    cat /etc/ssh/sshd_config|grep "PubkeyAuthentication"
    PubkeyAuthentication yes
   This shows that public key authentication is supported on the server.
10. Test the login:
    jimmy@debian:~$ ssh 10.1.10.160
    Linux 10.1.10.160 2.6.26-2-amd64 #1 SMP Sun Mar 4 21:48:06 UTC 2012 x86_64

    The programs included with the Debian GNU/Linux system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.

    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    jimmy@10:~$
    jimmy@10:~$ /sbin/ifconfig
    eth0      Link encap:Ethernet  HWaddr 00:0c:29:d0:6a:30
              inet addr:10.1.10.160  Bcast:10.1.10.255  Mask:255.255.255.0
              inet6 addr: fe80::20c:29ff:fed0:6a30/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:21054 errors:0 dropped:0 overruns:0 frame:0
              TX packets:786 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:2269960 (2.1 MiB)  TX bytes:104811 (102.3 KiB)

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

III. Common sshd_config options

    cat /etc/ssh/sshd_config
    # use SSH protocol version 2 only
    Protocol 2
    # listening port
    Port 55000
    # listening address
    ListenAddress 1.1.1.1
    # disable Kerberos authentication
    kerberosauthentication no
    kerberosorlocalpasswd no
    kerberosticketcleanup no
    # disable challenge-response authentication
    ChallengeResponseAuthentication no
    # disable GSSAPI authentication
    GSSAPIAuthentication no
    GSSAPICleanupCredentials yes
    # use public key authentication
    PubkeyAuthentication yes
    AuthorizedKeysFile .ssh/authorized_keys
    # disable host-based and rhosts-RSA authentication
    HostbasedAuthentication no
    IgnoreUserKnownHosts yes
    IgnoreRhosts yes
    # allow password authentication
    PasswordAuthentication yes
    # disable X11 forwarding
    X11Forwarding no
    # remote-forwarded ports bind to loopback only, not to other interfaces
    GatewayPorts no
    # disable TCP forwarding
    AllowTcpForwarding no
    # raise the log level to VERBOSE
    LogLevel VERBOSE
    SyslogFacility AUTH
    # do not accept environment variables from the client
    AcceptEnv none
    AllowUsers *
    DenyUsers daemon bin sys sync games man lp mail news uucp proxy www-data backup list irc gnats nobody Debian-exim statd identd sshd libuuid snmp
    # shown on the user's screen before login
    Banner /etc/issue
    # do not print /etc/motd after each successful login
    PrintMotd no
    # do not print the last-login information after each successful login
    PrintLastLog no
    # supported symmetric ciphers and supported message authentication (MAC) algorithms
    ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour128,arcfour256,arcfour,blowfish-cbc,cast128-cbc
    macs hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
    # send an alive message to the client every 300 seconds
    clientaliveinterval 300
    # disconnect if two consecutive alive messages go unanswered
    clientalivecountmax 2
    # disable TCP keepalive
    tcpkeepalive no
    # allow up to 1000 concurrent unauthenticated connections
    MaxStartups 1000
    # 20 seconds to complete authentication
    LoginGraceTime 20
    # allow 3 failed password attempts
    MaxAuthTries 3
    # enable compression
    Compression yes
    # do not do reverse DNS lookups
    UseDNS no
    # use the /etc/pam.d/sshd configuration
    UsePAM yes
    # check ownership and permissions of the user's files before accepting a login, to catch common mistakes
    strictmodes yes
    # do not allow root to log in over ssh
    PermitRootLogin no
    # do not allow login to accounts with an empty password
    PermitEmptyPasswords no
    # prevent privilege escalation through a compromised child process
    UsePrivilegeSeparation yes
    # do not use the login(1) program for sessions
    UseLogin no
    # enable the sftp subsystem
    Subsystem sftp /usr/lib/openssh/sftp-server
    PidFile /var/run/sshd.pid
    # HostKey specifies the host's private key files
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_dsa_key

IV. Common ssh_config options

    cat /etc/ssh/ssh_config
    # settings for all hosts
    Host *
    # all address families
    AddressFamily any
    # support SSHv2 and SSHv1, preferring SSHv2
    Protocol 2,1
    # port to connect to (matches the server's Port)
    Port 55000
    # raise the log level to VERBOSE
    LogLevel VERBOSE
    # disable batch mode (keep interactive prompts)
    BatchMode no
    # store host names and addresses in known_hosts in hashed form
    HashKnownHosts yes
    # also check the host's IP address against known_hosts, to detect DNS spoofing
    CheckHostIP yes
    # the client automatically accepts the host key of a new host
    StrictHostKeyChecking no
    # allow three password prompts
    NumberOfPasswordPrompts 3
    # use only hmac-md5 as the MAC algorithm
    MACs hmac-md5
    # use only arcfour (RC4) as the cipher
    Ciphers arcfour
    # disable challenge-response authentication
    ChallengeResponseAuthentication no
    # disable host-based and rhosts-RSA authentication
    HostbasedAuthentication no
    EnableSSHKeysign no
    NoHostAuthenticationForLocalhost no
    # disable GSSAPI authentication
    GSSAPIAuthentication no
    GSSAPIDelegateCredentials no
    # enable public key authentication
    PubkeyAuthentication yes
    # enable password authentication
    PasswordAuthentication yes
    # order of preference for authentication methods
    PreferredAuthentications publickey,password
    # give up if the connection to the server is not established within 3 seconds
    ConnectTimeout 3
    # send an alive message to the server every 300 seconds
    serveraliveinterval 300
    # disconnect if two consecutive alive messages go unanswered
    serveralivecountmax 2
    # disable TCP keepalive
    tcpkeepalive no
    # disable X11 forwarding
    ForwardX11 no
    ForwardX11Trusted no
    # remote-forwarded ports bind to loopback only, not to other interfaces
    GatewayPorts no
    # disable agent forwarding
    ForwardAgent no
    # disable ssh tunnel (tun device) forwarding
    tunnel no
    # no compression
    Compression no
    # set the escape character to Q (the default clashes with the IPMI default escape character, so it is changed to Q)
    EscapeChar Q
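As an added check for the procedure in section II (not part of the original post): this script verifies the conditions that sshd's strictmodes enforces before it will read ~/.ssh/authorized_keys, and then attempts a login that is allowed to use only the public key, so a silent fallback to the password prompt cannot hide a broken key setup. It assumes a Linux host with GNU or busybox stat and the ~/.ssh layout from section II.

```shell
#!/bin/sh
# Added example, not part of the original post: checks the conditions that
# sshd's "strictmodes yes" (section III) enforces before it will read
# ~/.ssh/authorized_keys, then tries a login that may use only the public key.
# Assumes a Linux box with GNU/busybox stat; paths are those used in section II.

# Succeed (exit 0) if PATH has group- or world-write bits set.
writable_by_others() {
    # the leading 0 makes the shell parse stat's octal output as octal
    [ "$(( 0$(stat -c '%a' "$1") & 022 ))" -ne 0 ]
}

# check_ssh_perms HOME_DIR: verify the home directory, ~/.ssh and
# authorized_keys are not writable by others (sshd's actual requirement;
# 700/600 is the usual choice). Prints one line per problem, returns 1 if any.
check_ssh_perms() {
    home="$1"; rc=0
    if writable_by_others "$home"; then
        echo "home directory $home is group/world writable"; rc=1
    fi
    if [ ! -d "$home/.ssh" ]; then
        echo "missing $home/.ssh"; rc=1
    elif writable_by_others "$home/.ssh"; then
        echo "$home/.ssh is group/world writable"; rc=1
    fi
    ak="$home/.ssh/authorized_keys"
    if [ ! -f "$ak" ]; then
        echo "missing $ak (ssh-copy-id not run, or run against the wrong user)"; rc=1
    elif writable_by_others "$ak"; then
        echo "$ak is group/world writable"; rc=1
    elif ! grep -q '^ssh-' "$ak"; then
        echo "$ak contains no ssh-* key lines"; rc=1
    fi
    return $rc
}

# try_key_login USER HOST: succeed only if the public key alone logs in;
# BatchMode=yes stops ssh from ever falling back to a password prompt.
try_key_login() {
    ssh -o BatchMode=yes -o PasswordAuthentication=no \
        -o PreferredAuthentications=publickey "$1@$2" true
}

# Usage: ./check_key_login.sh jimmy 10.1.10.160 (run on the server side as jimmy
# for the permission check, then from the client for the login check)
if [ $# -eq 2 ]; then
    check_ssh_perms "$HOME" && try_key_login "$1" "$2" && echo "key login OK"
fi
```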
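An added example, not from the original post, that scans an sshd_config or ssh_config for the settings in sections III and IV which undo the rest of the hardening: SSHv1 in Protocol 2,1, the arcfour/3des/blowfish/cast128 ciphers, hmac-md5 and the truncated -96 MACs, root or empty-password login, and StrictHostKeyChecking no, which accepts an unknown host key without any prompt. The file path and the sample config are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original post: flags the options in sections
# III and IV that weaken what the rest of the file tries to harden.
# Assumes the usual "Keyword value" layout of sshd_config / ssh_config.

# audit_ssh_config FILE: print one finding per line; exit status = number of findings
audit_ssh_config() {
    awk '
        BEGIN { n = 0 }
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        {
            key = tolower($1)                    # keywords are case-insensitive
            val = $0; sub(/^[ \t]*[^ \t]+[ \t]+/, "", val)
            low = tolower(val)
        }
        key == "protocol" && low ~ /1/ { print "Protocol allows SSHv1: " val; n++ }
        key == "ciphers" && low ~ /arcfour|3des|blowfish|cast128/ { print "weak cipher(s): " val; n++ }
        key == "macs" && low ~ /md5|-96/ { print "weak MAC(s): " val; n++ }
        key == "permitrootlogin" && low == "yes" { print "PermitRootLogin yes"; n++ }
        key == "permitemptypasswords" && low == "yes" { print "PermitEmptyPasswords yes"; n++ }
        key == "stricthostkeychecking" && low == "no" { print "StrictHostKeyChecking no: unknown host keys accepted silently"; n++ }
        END { exit n }
    ' "$1"
}

# Demo on a constructed file that mirrors the client settings in section IV.
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Host *
Protocol 2,1
Ciphers arcfour
MACs hmac-md5
StrictHostKeyChecking no
PermitRootLogin no
EOF
    audit_ssh_config "$f"
    echo "findings: $?"
    rm -f "$f"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run against the section IV client file as written it reports four findings; against the section III server file it reports two (the ciphers and macs lines).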
This article is from the "7928217" blog; please keep this source when reproducing it: http://7938217.blog.51cto.com/7928217/1680308