[Hardware/Software Discussion] OpenSSH after switching back to password authentication

Posted 2010-10-6 19:08
Verizon Pre, 1.45, installed openssh. The older openssh versions seemed to default to password login; now it wants a key, which felt unnecessary, so I switched back to password authentication.

Editing the sshd_config file was enough, but I ran into a strange problem: on the first connection, if WiFi has not been activated first and I connect with an ssh client such as WinSCP, I get an "unsupported authentication method" error. Rebooting or powering off the Pre does not help; only updating the nameserver in resolv.conf fixes it. My config file is attached below. I don't know whether this is related to the settings.
#        $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/opt/sbin:/opt/bin:/usr/sbin:/usr/bin:/sbin:/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /opt/etc/openssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /opt/etc/openssh/ssh_host_rsa_key
#HostKey /opt/etc/openssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

RSAAuthentication no
PubkeyAuthentication no
#AuthorizedKeysFile        .ssh/authorized_keys

# For this to work you will also need host keys in /opt/etc/openssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords yes

# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes

# Kerberos options
KerberosAuthentication yes
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /opt/var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem        sftp        /opt/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#        X11Forwarding no
#        AllowTcpForwarding no
#        ForceCommand cvs server

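Added example, not part of the original post and not OpenSSH project code: a POSIX sh audit that reads an sshd_config the way sshd does (first occurrence of a keyword wins, keywords are case-insensitive, parsing stops at the first Match block) and flags the settings in the config above that matter once password login is turned on: PermitRootLogin yes, PermitEmptyPasswords yes, key authentication switched off, Kerberos enabled with no KDC in sight, and UseDNS left at its default. UseDNS yes makes sshd reverse-resolve every client address before authentication, so a stale nameserver in resolv.conf is paid for on every login with a lookup timeout; whether that is what produces the WinSCP error above is not something the thread establishes. The sample inputs are constructed inline (the uncommented lines of the posted config, and a hardened counterpart that still allows password login); OpenSSH 5.x defaults are assumed where a keyword is commented out, and the `Keyword=value` spelling of sshd_config is not handled.

```shell
#!/bin/sh
# Added example (not from the original post or the OpenSSH project).
# Assumptions: "Keyword value" syntax only, OpenSSH 5.x defaults for absent keywords.

# Constructed sample 1: the effective (uncommented) lines of the sshd_config posted above.
SAMPLE_CONFIG='Protocol 2
PermitRootLogin yes
RSAAuthentication no
PubkeyAuthentication no
PasswordAuthentication yes
PermitEmptyPasswords yes
ChallengeResponseAuthentication yes
KerberosAuthentication yes
UsePAM yes
Subsystem        sftp        /opt/libexec/sftp-server'

# Constructed sample 2: hardened counterpart that keeps password login for the phone's
# only account (root), but closes the other knobs.
HARDENED_CONFIG='Protocol 2
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication yes
KerberosAuthentication no
UseDNS no
UsePAM yes
Subsystem        sftp        /opt/libexec/sftp-server'

# effective_value FILE KEYWORD DEFAULT
# sshd honours the first occurrence of a keyword in the global section and matches
# keywords case-insensitively; prints DEFAULT when the keyword is absent or commented.
effective_value() {
    _v=$(awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        $1 == "" || substr($1, 1, 1) == "#" { next }   # blank line or comment
        tolower($1) == "match"              { exit }   # Match blocks do not set globals
        tolower($1) == k                    { print $2; exit }' "$1")
    printf '%s\n' "${_v:-$3}"
}

# audit_sshd_config FILE
# Prints one "WARN Keyword=value: reason" line per weak setting; exit status 0 once the
# file could be read (use audit_warning_count for the tally).
audit_sshd_config() {
    _f=$1
    [ -r "$_f" ] || { echo "ERROR cannot read $_f" >&2; return 1; }

    _root=$(effective_value "$_f" PermitRootLogin yes)   # default yes in 5.x, prohibit-password since 7.0
    [ "$_root" = yes ] && echo "WARN PermitRootLogin=yes: root may log in with a password; prefer without-password (key only) or no"

    _empty=$(effective_value "$_f" PermitEmptyPasswords no)
    [ "$_empty" = yes ] && echo "WARN PermitEmptyPasswords=yes: an account with an empty password field can log in over the network"

    _pw=$(effective_value "$_f" PasswordAuthentication yes)
    _pk=$(effective_value "$_f" PubkeyAuthentication yes)
    if [ "$_pw" = yes ] && [ "$_pk" = no ]; then
        echo "WARN PubkeyAuthentication=no: password is the only login method; leave pubkey on so keys stay an option"
    fi

    _krb=$(effective_value "$_f" KerberosAuthentication no)
    [ "$_krb" = yes ] && echo "WARN KerberosAuthentication=yes: passwords are tried against a KDC first (needs DNS); set no when there is none"

    _dns=$(effective_value "$_f" UseDNS yes)
    [ "$_dns" = yes ] && echo "WARN UseDNS=yes: sshd reverse-resolves every client before auth; a dead nameserver in resolv.conf stalls logins, set no"

    return 0
}

# audit_warning_count FILE -> number of WARN lines (awk rather than grep -c so an empty result is 0, not an error)
audit_warning_count() {
    audit_sshd_config "$1" | awk '/^WARN/ { n++ } END { print n + 0 }'
}

# write_config_file CONTENT -> path of a temp file holding CONTENT
write_config_file() {
    _t=$(mktemp 2>/dev/null || echo "/tmp/sshd_config.sample.$$")
    printf '%s\n' "$1" > "$_t"
    printf '%s\n' "$_t"
}

# Stand-alone run: audit both constructed samples.
for _cfg in "$SAMPLE_CONFIG" "$HARDENED_CONFIG"; do
    _p=$(write_config_file "$_cfg")
    echo "== $_p =="
    audit_sshd_config "$_p"
    echo "warnings: $(audit_warning_count "$_p")"
    rm -f "$_p"
done
```

Run it against the real file with `audit_sshd_config /opt/etc/openssh/sshd_config`, then confirm the syntax with `/opt/sbin/sshd -t -f /opt/etc/openssh/sshd_config` before restarting the daemon. The hardened sample still draws one warning, for PermitRootLogin, which is the trade-off a single-user phone makes when it keeps password login for root; the compensating control is a non-empty root password and PermitEmptyPasswords no.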
Original poster | Posted 2010-10-7 00:19
This openssh does not feel very stable; sometimes authentication fails, and then the VPN stops working properly as well.

Posted 2010-10-8 10:01
My openssh has never connected successfully, frustrating.

Posted 2010-10-8 10:07
This is the config file I use when installing ssh after every reflash. Send it to the phone with wqi and you can log in with a password. For reference.

/opt/etc/openssh/sshd_config
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
Subsystem        sftp        /opt/libexec/sftp-server

/etc/event.d/mobi.optware.openssh
description "OpenSSH Daemon"

start on stopped finish
stop on runlevel [!2]

console none

# Make sure SSH sessions don't slow down GUI use
nice 5

# Restart the SSH daemon if it exits/dies
respawn

# -D doesn't detach and become daemon
# -p sets the TCP port
# -o "PasswordAuthentication no" prohibits login using password
# but allows login using ssh key based authentication (same behavior as -s in dropbear)
# -o "PermitRootLogin without-password" prohibits root login using password
# but allows root login using ssh key based authentication (same behavior as -g in dropbear)
exec /opt/sbin/sshd -D

pre-start script
     # Add firewall rule to allow SSH access over WiFi on port 22
     # Remove the "-i eth0" on both of the following lines to enable SSH access
     # over the cellular data network (EVDO, etc).
     /usr/sbin/iptables -D INPUT -i eth0 -p tcp --dport 22 -j ACCEPT || /bin/true
     /usr/sbin/iptables -I INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
end script

# end of file

[ Edited by freezex on 2010-10-8 10:09 ]

Posted 2010-10-9 16:46
My openssh has never connected successfully, frustrating 2

Posted 2011-4-2 03:26
Notice: the author has been banned or deleted; content automatically hidden.
吹友吧 ( 京ICP备05078561号 )

Powered by Discuz! X3.5