Views: 3145 | Replies: 5
[Hardware & Software Discussion] OpenSSH after changing to password authentication

Posted 2010-10-6 19:08
V-version Pre on 1.45, installed openssh. The older openssh versions seemed to default to password login, but now it wants a key, which felt unnecessary, so I changed it back to password authentication.

Editing the sshd_config configuration file was all it took, but I ran into a strange problem: on the first connection each time, if WiFi has not been activated first and I connect with an ssh client such as WinSCP, I get an "unsupported authentication method" error. Restarting or powering off the Pre does not help; only updating the nameserver in resolv.conf fixes it. My configuration file is attached; I don't know whether it has anything to do with the settings.
#        $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/opt/sbin:/opt/bin:/usr/sbin:/usr/bin:/sbin:/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /opt/etc/openssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /opt/etc/openssh/ssh_host_rsa_key
#HostKey /opt/etc/openssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

RSAAuthentication no
PubkeyAuthentication no
#AuthorizedKeysFile        .ssh/authorized_keys

# For this to work you will also need host keys in /opt/etc/openssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords yes

# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes

# Kerberos options
KerberosAuthentication yes
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /opt/var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem        sftp        /opt/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#        X11Forwarding no
#        AllowTcpForwarding no
#        ForceCommand cvs server
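An added example, not code from this thread, that reads an sshd_config the way sshd itself does (keywords are case-insensitive, the first value given for a keyword wins, and everything after the first Match line is conditional, so it is left out of the global view) and reports which effective settings in the configuration above widen exposure or make a password login depend on DNS and network reachability. The sample config is constructed from the uncommented lines of the post, and the defaults table is an assumption for the OpenSSH 5.x era of that file header.

```python
import re

# Constructed sample mirroring the uncommented settings in the post above.
SAMPLE_CONFIG = """\
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
KerberosAuthentication yes
#UseDNS yes
Match User anoncvs
        PermitEmptyPasswords no
"""

# Compiled-in defaults used when a keyword is absent (assumed OpenSSH 5.x values).
DEFAULTS = {"permitrootlogin": "yes", "passwordauthentication": "yes",
            "permitemptypasswords": "no", "kerberosauthentication": "no", "usedns": "yes"}

# One check per keyword: (keyword, risky value, what it means for the host).
CHECKS = [
    ("permitemptypasswords", "yes", "accounts with an empty password can log in"),
    ("permitrootlogin", "yes", "root may log in directly with a password"),
    ("passwordauthentication", "yes", "password guessing over the network is possible"),
    ("kerberosauthentication", "yes", "passwords are tried against a KDC first, so login depends on DNS"),
    ("usedns", "yes", "sshd reverse-resolves every client before authenticating it"),
]

def parse_sshd_config(text):
    """Global settings as {keyword: value}; sshd keeps the FIRST value it sees."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key, value = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if key == "match":
            break  # later lines apply only to matching connections, not globally
        settings.setdefault(key, value)  # a repeated keyword never overrides the first
    return settings

def audit_sshd_config(text):
    """Return [(keyword, effective value, finding)] for risky effective settings."""
    settings = parse_sshd_config(text)
    findings = []
    for key, risky, message in CHECKS:
        value = settings.get(key, DEFAULTS.get(key))  # explicit value, else default
        if value is not None and value.lower() == risky:
            findings.append((key, value, message))
    return findings
```

Point it at the real file with audit_sshd_config(open('/opt/etc/openssh/sshd_config').read()); the Match-scoped PermitEmptyPasswords no in the sample does not change the global finding, which is exactly why per-user overrides are not a fix for a weak global setting.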
OP | Posted 2010-10-7 00:19
This openssh doesn't feel very stable; sometimes authentication fails, and then the VPN stops working properly as well.
Posted 2010-10-8 10:01
My openssh has never once connected successfully, frustrating.
Posted 2010-10-8 10:07
These are the configuration files I use when installing ssh after every reflash; send them to the phone with wqi and you can log in with a password. For reference.

/opt/etc/openssh/sshd_config
Port 22
Protocol 2

PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no

Subsystem        sftp        /opt/libexec/sftp-server

/etc/event.d/mobi.optware.openssh
description "OpenSSH Daemon"

start on stopped finish
stop on runlevel [!2]

console none

# Make sure SSH sessions don't slow down GUI use
nice 5

# Restart the SSH daemon if it exits/dies
respawn

# -D doesn't detach and become daemon
# -p sets the TCP port
# -o "PasswordAuthentication no" prohibits login using password
# but allows login using ssh key based authentication (same behavior as -s in dropbear)
# -o "PermitRootLogin without-password" prohibits root login using password
# but allows root login using ssh key based authentication (same behavior as -g in dropbear)
exec /opt/sbin/sshd -D

pre-start script
     # Add firewall rule to allow SSH access over WiFi on port 22
     # Remove the "-i eth0" on both of the following lines to enable SSH access
     # over the cellular data network (EVDO, etc).
     /usr/sbin/iptables -D INPUT -i eth0 -p tcp --dport 22 -j ACCEPT || /bin/true
     /usr/sbin/iptables -I INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
end script

# end of file

[ Edited by freezex on 2010-10-8 10:09 ]
Posted 2010-10-9 16:46
My openssh has never once connected successfully, frustrating 2