论坛徽章:: 0

电梯直达

1楼 [收藏(0)] [报告]

发表于 2006-08-19 20:24 |只看该作者 |倒序浏览

关于sshd_config的Configure files。我系统是redhat as4 位置： /etc/ssh/sshd_config，我把自己的配置文件贴上来，没用的话大家就不要顶了哈……
      # This is ssh server systemwide configuration file.

      Port 22
      ListenAddress 192.168.1.1
      HostKey /etc/ssh/ssh_host_key
      ServerKeyBits 1024
      LoginGraceTime 600
      KeyRegenerationInterval 3600
      PermitRootLogin no
      IgnoreRhosts yes
      IgnoreUserKnownHosts yes
      StrictModes yes
      X11Forwarding no
      PrintMotd yes
      SyslogFacility AUTH
      LogLevel INFO
      RhostsAuthentication no
      RhostsRSAAuthentication no
      RSAAuthentication yes
      PasswordAuthentication yes
      PermitEmptyPasswords no
      AllowUsers admin


根据自己服务器可能的配置，对应修改以下参数:

Port 22

这个是ssh的守护端口，默认一般都是22。.
ListenAddress 192.168.1.1

服务器监听的地址，一般设置为被连接的ssh服务器的地址。比如我服务器地址是：220.221.1.25，我就设置成这个就行了。
HostKey /etc/ssh/ssh_host_key

The option HostKey specifies the location containing the private host key.
ServerKeyBits 1024

The option ServerKeyBits specifies how many bits to use in the server key. These bits are used when the daemon starts to generate its RSA key.
LoginGraceTime 600

The option LoginGraceTime specifies how long in seconds after a connection request the server will wait before disconnecting if the user has not successfully logged in.
KeyRegenerationInterval 3600

The option KeyRegenerationInterval specifies how long in seconds the server should wait before automatically regenerated its key. This is a security feature to prevent decrypting captured sessions.
PermitRootLogin no

The option PermitRootLogin specifies whether root can log in using ssh. Never say yes to this option. 这项比较重要，是否允许root从远程登陆，根据各人需要自己决定吧，一般都不打开这个，ssh远程登陆还是比较可怕的。
IgnoreRhosts yes

The option IgnoreRhosts specifies whether rhosts or shosts files should not be used in authentication. For security reasons it is recommended to no use rhosts or shosts files for authentication.
IgnoreUserKnownHosts yes

The option IgnoreUserKnownHosts specifies whether the ssh daemon should ignore the user's $HOME/.ssh/known_hosts during RhostsRSAAuthentication.
StrictModes yes

The option StrictModes specifies whether ssh should check user's permissions in their home directory and rhosts files before accepting login. This option must always be set to yes because sometimes users may accidentally leave their directory or files world-writable.
X11Forwarding no

The option X11Forwarding specifies whether X11 forwarding should be enabled or not on this server. Since we setup a server without GUI installed on it, we can safely turn this option off.
PrintMotd yes

The option PrintMotd specifies whether the ssh daemon should print the contents of the /etc/motd file when a user logs in interactively. The /etc/motd file is also known as the message of the day.
SyslogFacility AUTH

The option SyslogFacility specifies the facility code used when logging messages from sshd. The facility specifies the subsystem that produced the message--in our case, AUTH.
LogLevel INFO

The option LogLevel specifies the level that is used when logging messages from sshd. INFO is a good choice. See the man page for sshd for more information on other possibilities.
RhostsAuthentication no

The option RhostsAuthentication specifies whether sshd can try to use rhosts based authentication. Because rhosts authentication is insecure you shouldn't use this option.
RhostsRSAAuthentication no

The option RhostsRSAAuthentication specifies whether to try rhosts authentication in concert with RSA host authentication.
RSAAuthentication yes

The option RSAAuthentication specifies whether to try RSA authentication. This option must be set to yes for better security in your sessions. RSA use public and private key pairs created with the ssh-keygen1utility for authentication purposes.
PasswordAuthentication yes

The option PasswordAuthentication specifies whether we should use password-based authentication. For strong security, this option must always be set to yes.
PermitEmptyPasswords no

The option PermitEmptyPasswords specifies whether the server allows logging in to accounts with a null password. If you intend to use the scp utility to make automatic backups over the network, you must set this option to yes.
AllowUsers admin
这项就是限制root登陆的，对我来说比较有用，因为我指定只有一个地址可以登陆，所以这项我在后面跟了root@192.168.0.42。我没有telnet和ftp，以前装了个webmin后来感觉不安全干脆也给停了。我登陆的时候用一个奇怪的用户名登陆，然后sudo到root上，其它用户就不准使用su，所以服务器应该是安全的，密码俺放在保险柜里，用的时候才打开然后拿出来，你要问我密码多少，我也记不起来。离开开地的时候我会把目标地址先搞定然后指定，再去出差，一般没这种情况哈，服务器一般一、二年都不重启一下，也不需要在外地维护。我做的比较绝，不知道还有没有其它办法比这更绝的，ＰＣ上又没ssh服务，反正别人也进不来，就一个root用户，我管理的时候才开机。
The option AllowUsers specifies and controls which users can access ssh services. Multiple users can be specified, separated by spaces. （AllowUsers指定用户从哪里登陆，需要指定的话就指定就行了。）改完了之后# /etc/rc.d/sshd reload就可以了。

文库|博客

aib

丰衣足食

论坛徽章:: 0

2楼 [报告]

发表于 2006-08-19 20:59 |只看该作者

The option AllowUsers specifies and controls which users can access ssh services. Multiple users can be specified, separated by spaces. （AllowUsers指定用户从哪里登陆，需要指定的话就指定就行了。）

这里怎么不是指定哪个(些)用户可以通过ssh登录进来呢?