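Verizon-version Pre, 1.45. I installed OpenSSH. Older versions of OpenSSH seemed to default to password login, but now it requires a key. That felt unnecessary to me, so I changed it back to password authentication.

Editing the sshd_config configuration file was all it took, but I ran into a strange problem: on the first connection each time, if I connect with an SSH client such as WinSCP before Wi-Fi has been activated, I get an "unsupported authentication method" error. Rebooting or powering off the Pre does not help; it only works after the nameserver in resolv.conf has been updated. I have attached my configuration file. I don't know whether this is related to the settings.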
# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/opt/sbin:/opt/bin:/usr/sbin:/usr/bin:/sbin:/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /opt/etc/openssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /opt/etc/openssh/ssh_host_rsa_key
#HostKey /opt/etc/openssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

RSAAuthentication no
PubkeyAuthentication no
#AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /opt/etc/openssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords yes

# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes

# Kerberos options
KerberosAuthentication yes
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /opt/var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem sftp /opt/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
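An added example, not part of the original post or of OpenSSH: a short Python check that lists which directives in an sshd_config are actually active (uncommented) and flags the password-related combinations worth reviewing before the device is reachable over a network. The sample text is constructed from the uncommented lines of the configuration above; the function names and the rule set are this example's own assumptions.

```python
# Constructed sample: the uncommented lines of the posted sshd_config,
# plus one commented line to show that it is ignored.
SAMPLE = """\
#Port 22
Protocol 2
PermitRootLogin yes
RSAAuthentication no
PubkeyAuthentication no
PasswordAuthentication yes
PermitEmptyPasswords yes
ChallengeResponseAuthentication yes
KerberosAuthentication yes
UsePAM yes
Subsystem sftp /opt/libexec/sftp-server
"""

def active_directives(text):
    """Return {keyword_lowercase: value} for uncommented global directives.

    sshd keeps the first value it reads for a keyword, so later duplicates
    are ignored; parsing stops at the first Match block (per-user overrides).
    """
    active = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()          # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        active.setdefault(key, value)   # first occurrence wins
    return active

def findings(active):
    """Flag password-related settings to review (rule set is illustrative)."""
    out = []
    # PasswordAuthentication is on unless the file explicitly says "no".
    password_on = active.get("passwordauthentication", "yes").lower() == "yes"
    if password_on and active.get("permitemptypasswords", "").lower() == "yes":
        out.append("accounts with an empty password can log in")
    if password_on and active.get("permitrootlogin", "").lower() == "yes":
        out.append("root can log in with a password")
    if password_on and active.get("pubkeyauthentication", "").lower() == "no":
        out.append("public-key login is disabled while password login is enabled")
    return out

if __name__ == "__main__":
    for item in findings(active_directives(SAMPLE)):
        print("REVIEW:", item)
```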