[Software/Hardware Discussion] OpenSSH after switching to password authentication

Posted on 2010-10-6 19:08
Verizon Pre, 1.45, with OpenSSH installed. The older OpenSSH build seemed to default to password login; now it wants a key, which feels unnecessary, so I switched it back to password authentication.

Changing the sshd_config file was enough, but I ran into an odd problem: on the first connection each time, if Wi-Fi has not been activated first and I connect with an SSH client such as WinSCP, I get an "unsupported authentication method" error. Rebooting or shutting down the Pre does not help; only updating the nameserver in resolv.conf fixes it. My configuration file is attached; I don't know whether this is related to the settings.
#	$OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/opt/sbin:/opt/bin:/usr/sbin:/usr/bin:/sbin:/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /opt/etc/openssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /opt/etc/openssh/ssh_host_rsa_key
#HostKey /opt/etc/openssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

RSAAuthentication no
PubkeyAuthentication no
#AuthorizedKeysFile	.ssh/authorized_keys

# For this to work you will also need host keys in /opt/etc/openssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords yes

# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes

# Kerberos options
KerberosAuthentication yes
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /opt/var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem	sftp	/opt/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server
OP | Posted on 2010-10-7 00:19
This OpenSSH doesn't feel very stable; sometimes authentication fails, and then the VPN stops working properly as well.
Posted on 2010-10-8 10:01
My OpenSSH has never once connected successfully. Frustrating.
Posted on 2010-10-8 10:07
This is the configuration file I use when installing SSH after every reflash; send it to the phone with wqi and you can log in with a password. For reference.

/opt/etc/openssh/sshd_config
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
Subsystem	sftp	/opt/libexec/sftp-server

/etc/event.d/mobi.optware.openssh
description "OpenSSH Daemon"

start on stopped finish
stop on runlevel [!2]

console none

# Make sure SSH sessions don't slow down GUI use
nice 5

# Restart the SSH daemon if it exits/dies
respawn

# -D doesn't detach and become daemon
# -p sets the TCP port
# -o "PasswordAuthentication no" prohibits login using password
# but allows login using ssh key based authentication (same behavior as -s in dropbear)
# -o "PermitRootLogin without-password" prohibits root login using password
# but allows root login using ssh key based authentication (same behavior as -g in dropbear)
exec /opt/sbin/sshd -D

pre-start script
     # Add firewall rule to allow SSH access over WiFi on port 22
     # Remove the "-i eth0" on both of the following lines to enable SSH access
     # over the cellular data network (EVDO, etc).
     /usr/sbin/iptables -D INPUT -i eth0 -p tcp --dport 22 -j ACCEPT || /bin/true
     /usr/sbin/iptables -I INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
end script

# end of file

[ Edited by freezex on 2010-10-8 10:09 ]
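The two sshd_config files in this thread (the OP's, with PermitRootLogin yes, PubkeyAuthentication no and PermitEmptyPasswords yes, and freezex's shorter one) and the `-o "PasswordAuthentication no"` / `-o "PermitRootLogin without-password"` overrides described in the upstart job's comments all come down to one question: what settings does sshd actually end up with, and which of them weaken authentication? The script below is an added example, not code from this thread, from its posters, or from OpenSSH. It applies two rules from sshd_config(5) and sshd(8): the first value obtained for a keyword wins (lines after a `Match` block are conditional, so the global view stops there), and `-o Key=value` on the sshd command line overrides the file. The function names (`parse_sshd_config`, `apply_cmdline`, `audit`, `audit_file`), the `DEFAULTS` table (OpenSSH 5.x era, taken from the commented defaults in the posted file) and the `POLICY` baseline are this example's own assumptions; the sample configs are constructed from the uncommented lines posted above.

```python
"""Effective sshd authentication settings and a baseline audit.

Added illustration, not code from this thread or from OpenSSH. It models
two sshd_config(5)/sshd(8) rules that matter for the configs posted above:
the first value obtained for a keyword wins and lines after `Match` are
conditional (excluded from the global view here), and `-o Key=value` on
the sshd command line overrides the file. DEFAULTS and POLICY are this
example's assumptions, not values defined by the thread.
"""
import shlex

# Defaults of the keywords audited (OpenSSH 5.x era, matching the commented
# defaults in the posted file). Assumed here; check sshd_config(5) for yours.
DEFAULTS = {
    "protocol": "2", "permitrootlogin": "yes", "passwordauthentication": "yes",
    "permitemptypasswords": "no", "pubkeyauthentication": "yes",
    "kerberosauthentication": "no", "usedns": "yes",
}

# (keyword, acceptable values, finding text). Assumed hardening baseline.
POLICY = [
    ("protocol", {"2"}, "SSH protocol 1 still enabled"),
    ("permitrootlogin", {"no", "without-password", "prohibit-password"},
     "root may log in with a password"),
    ("permitemptypasswords", {"no"}, "accounts with empty passwords may log in"),
    ("passwordauthentication", {"no"}, "password logins accepted; prefer keys"),
    ("pubkeyauthentication", {"yes"}, "public-key auth disabled, only passwords remain"),
]


def parse_sshd_config(text):
    """Return {keyword_lower: value}; first value wins, stops at `Match`."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0], parts[1] if len(parts) > 1 else ""
        if "=" in key:                      # "Key=value" form
            key, value = key.split("=", 1)
        elif value.startswith("="):         # "Key = value" form
            value = value[1:]
        if key.lower() == "match":
            break                           # everything below is conditional
        effective.setdefault(key.lower(), value.strip())
    return effective


def apply_cmdline(settings, argv):
    """Overlay `-o Key=value` / `-o "Key value"` from an sshd command line."""
    merged = dict(settings)
    args = shlex.split(argv)
    for flag, opt in zip(args, args[1:]):
        if flag == "-o":
            key, _, value = opt.partition("=" if "=" in opt else " ")
            merged[key.strip().lower()] = value.strip()
    return merged


def audit(settings):
    """List baseline violations plus settings whose auth path needs DNS."""
    findings = []
    for key, allowed, message in POLICY:
        value = settings.get(key, DEFAULTS.get(key, "")).lower()
        if value not in allowed:
            findings.append(f"{key}={value or '<unset>'}: {message}")
    # Name-resolution dependence is worth knowing on a device whose DNS only
    # works once Wi-Fi is up; the thread does not confirm it as the cause.
    for key in ("kerberosauthentication", "usedns"):
        if settings.get(key, DEFAULTS[key]).lower() == "yes":
            findings.append(f"{key}=yes: authentication path depends on DNS")
    return findings


def audit_file(text, argv=""):
    """Parse a config, overlay any command-line -o options, and audit it."""
    settings = parse_sshd_config(text)
    return audit(apply_cmdline(settings, argv) if argv else settings)


# Constructed samples: the uncommented lines of the two posted configs (plus a
# Match block added to show where the global view stops) and the sshd command
# line the upstart job's comments describe for key-only access.
OP_CONFIG = """\
Protocol 2
PermitRootLogin yes
PubkeyAuthentication no
PasswordAuthentication yes
PermitEmptyPasswords yes
KerberosAuthentication yes
UsePAM yes
Match User anoncvs
    X11Forwarding no
"""
FREEZEX_CONFIG = "Port 22\nProtocol 2\nPermitRootLogin yes\nPasswordAuthentication yes\nPermitEmptyPasswords no\n"
KEY_ONLY_ARGV = '/opt/sbin/sshd -D -o "PasswordAuthentication no" -o "PermitRootLogin without-password"'

if __name__ == "__main__":
    for name, argv in (("OP", ""), ("freezex", ""), ("freezex + -o", KEY_ONLY_ARGV)):
        text = OP_CONFIG if name == "OP" else FREEZEX_CONFIG
        print(f"== {name}:", *(audit_file(text, argv) or ["no findings"]), sep="\n  ")
```

Run as-is it prints six findings for the OP's file, three for freezex's, and only the UseDNS note once the two `-o` overrides from the upstart comments are applied, which is the configuration those comments describe as key-only access. The audit deliberately reads unset keywords from `DEFAULTS` rather than skipping them, since a commented-out line in sshd_config still leaves the default in force.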
Posted on 2010-10-9 16:46
My OpenSSH has never once connected successfully. Frustrating 2
吹友吧 ( 京ICP备05078561号 )
Powered by Discuz! X3.5