# vi /etc/ssh/sshd_config
连接后2m没有任何键盘输入以及屏幕输出,将自动切换SSH连接。
LoginGraceTime 2m
禁止root用户登录(disable root SSH login)
PermitRootLogin no
限制SSH验证重试次数(maximum number of authentication):
MaxAuthTries 6
config /etc/ssh/sshd_config
$ sudo vim /etc/ssh/sshd_config AuthorizedKeysFile %h/.ssh/authorized_keys $ sudo /etc/init.d/ssh reload
ssh-keygen
ssh-keygen -dmaster server
[netkiller@master ~]$ ssh-keygen -d Generating public/private dsa key pair. Enter file in which to save the key (/home/netkiller/.ssh/id_dsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/netkiller/.ssh/id_dsa. Your public key has been saved in /home/netkiller/.ssh/id_dsa.pub. The key fingerprint is: bf:a9:21:2c:82:77:2d:71:33:12:20:10:93:5f:cb:74 netkiller@master [netkiller@master ~]$ [netkiller@master ~]$ cp .ssh/id_dsa.pub .ssh/authorized_keys [netkiller@master ~]$ chmod 600 .ssh/authorized_keys [netkiller@master ~]$ ls -l .ssh/ total 12 -rw------- 1 netkiller netkiller 612 Mar 27 15:31 authorized_keys -rw------- 1 netkiller netkiller 736 Mar 27 15:24 id_dsa -rw-r--r-- 1 netkiller netkiller 612 Mar 27 15:24 id_dsa.pub [netkiller@master ~]$
backup server
[netkiller@backup ~]$ ssh-keygen -d Generating public/private dsa key pair. Enter file in which to save the key (/home/netkiller/.ssh/id_dsa): Created directory '/home/netkiller/.ssh'. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/netkiller/.ssh/id_dsa. Your public key has been saved in /home/netkiller/.ssh/id_dsa.pub. The key fingerprint is: c5:2f:0e:4e:b0:46:47:ec:19:30:be:9c:20:ad:9c:51 netkiller@backup [netkiller@backup ~]$ cp .ssh/id_dsa.pub .ssh/authorized_keys [netkiller@backup ~]$ chmod 600 .ssh/authorized_keys [netkiller@backup ~]$ ls -l .ssh/ total 16 -rw------- 1 netkiller netkiller 609 Mar 27 15:31 authorized_keys -rw------- 1 netkiller netkiller 736 Mar 27 15:27 id_dsa -rw-r--r-- 1 netkiller netkiller 609 Mar 27 15:27 id_dsa.pub
交换公钥证书
master => backup
[netkiller@master ~]$ scp .ssh/id_dsa.pub netkiller@backup.example.org:.ssh/master.pub netkiller@backup.example.org's password: id_dsa.p 100% 612 0.6KB/s 00:00 [netkiller@master ~]$ [netkiller@backup ~]$ cat .ssh/master.pub >> .ssh/authorized_keys
test
[netkiller@master ~]$ ssh backup.example.org Enter passphrase for key '/home/netkiller/.ssh/id_dsa': Last login: Tue Mar 27 15:26:35 2007 from master.example.org [netkiller@backup ~]$
master <= backup
[netkiller@backup ~]$ scp .ssh/id_dsa.pub netkiller@master.example.org:.ssh/backup.pub netkiller@master.example.org's password: id_dsa.pub 100% 609 0.6KB/s 00:00 [netkiller@backup ~]$ [netkiller@master ~]$ cat .ssh/backup.pub >> .ssh/authorized_keys
test
[netkiller@backup ~]$ ssh master.example.org Enter passphrase for key '/home/netkiller/.ssh/id_dsa': Last login: Tue Mar 27 15:44:37 2007 from backup.example.org [netkiller@master ~]$
注意:authorized_keys权限必须为600,否则可能登陆的时候还会让你输入密码,但是一旦改成600以后并且成功登陆,此问题不再出现。
script
ssh-keygen -d cp .ssh/id_dsa.pub .ssh/authorized_keys chmod 600 .ssh/authorized_keys ls -l .ssh/
![[提示]](http://www.netkiller.cn/graphics/tip.png) |
提示 |
|---|---|
| 禁止证书登陆 PubkeyAuthentication no; 或者 AuthorizedKeysFile /dev/null |
建议你使用证书登录,并禁用密码认证 PasswordAuthentication yes,这样更安全,且不会骇客穷举你的口令。
PasswordAuthentication no
GSSAPI (Generic Security Services Application Programming Interface) 是一套类似Kerberos 5 的通用网络安全系统接口. 该接口是对各种不同的客户端服务器安全机制的封装,以消除安全接口的不同,降低编程难度. 但该接口在目标主机无域名解析时会有如下问题
GSSAPI 基本用不到建议关闭
#GSSAPIAuthentication no GSSAPIAuthentication yes #GSSAPICleanupCredentials yes GSSAPICleanupCredentials yes #GSSAPIStrictAcceptorCheck yes #GSSAPIKeyExchange no
debug1: Host '10.1.1.17' is known and matches the RSA host key. debug1: Found key in /home/neo/.ssh/known_hosts: 1 debug1: ssh_rsa_verify: signature correct debug1: SSH 2 _MSG_NEWKEYS sent debug1: expecting SSH 2 _MSG_NEWKEYS debug1: SSH 2 _MSG_NEWKEYS received debug1: SSH 2 _MSG_SERVICE_REQUEST sent debug1: SSH 2 _MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey,gssapi-with-mic,password debug1: Next authentication method: gssapi-with-mic debug1: An invalid name was supplied Cannot determine realm for numeric host address debug1: An invalid name was supplied Cannot determine realm for numeric host address debug1: An invalid name was supplied debug1: Next authentication method: publickey debug1: Trying private key: /home/neo/.ssh/identity debug1: Trying private key: /home/neo/.ssh/id_rsa debug1: Trying private key: /home/neo/.ssh/id_dsa debug1: Next authentication method: password ====> 事实上,正是从gssapi-with-mic这一行开始,开始耗时间: 找到 GSSAPIAuthentication yes 改为 GSSAPIAuthentication no
ssh登录服务器时总是要停顿等待一下才能连接上,这是因为OpenSSH服务器有一个DNS查找选项(UseDNS)默认是打开的. UseDNS选项打开状态下,当客户端试图登录OpenSSH服务器时,服务器端先根据客户端的IP地址进行DNS PTR反向查询,查询出客户端的host name,然后根据查询出的客户端host name进行DNS正向A记录查询,验证与其原始IP地址是否一致,这是防止客户端欺骗的一种手段.
vim /etc/ssh/sshd_config =====> 增加 UseDNS no 打开这个参数ssh在连接sever如果无法进行dns解析的时候会出现如下卡顿现象(ssh 加 -v参数): debug1: Found key in /home/neo/.ssh/known_hosts:71 debug1: ssh_rsa_verify: signature correct debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: SSH2_MSG_SERVICE_REQUEST sent debug1: SSH2_MSG_SERVICE_ACCEPT received <---- delay 4-5 seconds------> debug1: Authentications that can continue: publickey,password debug1: Next authentication method: publickey debug1: Trying private key: /home/neo/.ssh/identity
格式
Host 别名
HostName 主机名
Port 端口
User 用户名
IdentityFile 密钥文件的路径
指定主机175.46.28.88的默认端口2022
cat ~/.ssh/config
Host 175.46.28.88
Port 2022
~/.ssh/config 文件的权限必须是600
chmod 600 ~/.ssh/config
原文出处:Netkiller 系列 手札
本文作者:陈景峯
转载请与作者联系,同时请务必标明文章原始出处和作者信息及本声明。
