openssh改密码认证后

prenewbie

v版pre 1.45，装了openssh，以前老版本的openssh好像是默认密码登录的，现在要密匙，感觉没必要，又改回密码认证了
3 x3 h6 P1 [* ~: o, P4 ?  `
配置文件sshd_config改了一下就可以了，但是遇到一个奇怪的问题，每次第一次连接，如果wifi没先激活就用winscp之类的ssh客户端连接，就会出现”不支持的验证方式“的错误，重启关机pre也没用，只有把resolv.conf的nameserver更新了才行，附上我的配置文件，不知道跟设置有关系吗
/ d+ v% c0 m7 ~
, y( k1 L. S8 z7 {# D) v#        $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
1 V4 o" j6 S* r& D) ?0 j1 e
# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

2 ^1 H2 N" D! ]. X9 O9 J# This sshd was compiled with PATH=/opt/sbin:/opt/bin:/usr/sbin:/usr/bin:/sbin:/bin
$ }2 v: {( K% N# J4 m4 |5 j
1 [& C/ s8 n; `/ P: }# The strategy used for options in the default sshd_config shipped with
% Y* r( Z, G( i* i- `# OpenSSH is to specify options with their default value where
+ X: ?4 ~% _( G" k* g( o# possible, but leave them commented.  Uncommented options change a
: A. d: ~5 C5 \# T# default value.

#Port 22
6 x* ?. o. h7 s; ]#AddressFamily any
6 J& d+ O5 ?* E2 v% X1 \#ListenAddress 0.0.0.0
#ListenAddress ::
& |( v8 b" x! f8 q
# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
! g/ L5 _. K. j# activation of protocol 1
! b& b) ^6 R* d# ^+ {( OProtocol 2

# HostKey for protocol version 1
#HostKey /opt/etc/openssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /opt/etc/openssh/ssh_host_rsa_key
#HostKey /opt/etc/openssh/ssh_host_dsa_key
7 a! @2 h3 K+ m4 W- V" W$ M
2 S( K, P: ^4 P9 E# ^) _# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
) U: B; p3 U, A% ]#ServerKeyBits 1024

, f( N; U$ }. ?% @' b# Logging
# obsoletes QuietMode and FascistLogging
9 k7 D  u2 ?/ e  P#SyslogFacility AUTH
5 G8 f. E! J! q* Q( l! M#LogLevel INFO
* k/ S" u2 _4 @; X7 w. O
# Authentication:

3 E* [% o+ R, ]6 n4 |' h# _#LoginGraceTime 2m
PermitRootLogin yes
* J; u. |6 R. \6 P8 {#StrictModes yes
) r" L# X" P, k! S! B#MaxAuthTries 6
* @( c& G2 \1 X) \: s* B& _#MaxSessions 10

RSAAuthentication no
PubkeyAuthentication no
, L2 u8 o% k* c( z/ H#AuthorizedKeysFile        .ssh/authorized_keys

# For this to work you will also need host keys in /opt/etc/openssh/ssh_known_hosts
' Z7 Q: y5 X& _# v$ l9 \6 N#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

& C9 W2 q$ `8 S8 ]" e7 P# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords yes
; W2 u& x$ Q. ^) H  L, B: w
# Change to no to disable s/key passwords
( ]' O$ ?% \: N9 D, x; W: qChallengeResponseAuthentication yes
0 o9 R9 d5 ]- U6 H" K
8 l8 ~/ d; z4 _; E0 V4 x  n0 g+ V# Kerberos options
( s8 d( y2 W) I. o" [KerberosAuthentication yes
#KerberosOrLocalPasswd yes
! ~+ ^# k/ e) z# G#KerberosTicketCleanup yes
#KerberosGetAFSToken no

/ ~- c9 ~8 K( I2 n7 G2 R# GSSAPI options
1 J8 D% T+ B6 K% ^3 n+ T3 E#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
! t: G# X+ u' ]" U( z
4 T% l  B: f; V2 M" b6 ]# t+ U# Set this to 'yes' to enable PAM authentication, account processing,
& O! c0 T& [4 W6 u4 C; D& H  r1 I# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
, i" M5 ^6 c, S0 {# PasswordAuthentication.  Depending on your PAM configuration,
" o$ H1 a$ b; l1 I7 L0 h# PAM authentication via ChallengeResponseAuthentication may bypass
8 Y8 Q- L  x$ p) ?# the setting of "PermitRootLogin without-password".
% j$ M; \% n0 u# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
. A1 P" `) o1 }4 u3 _8 c" U6 i# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
7 U9 N5 B( e0 j2 h' p5 H7 A#GatewayPorts no
* E$ Z+ ?7 p& ]) f" e#X11Forwarding no
8 h2 H6 h9 `" ]$ k/ y9 ?5 U) R#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
; Z. D& B: B/ J: N1 f#PrintLastLog yes
#TCPKeepAlive yes
! e( W3 M! A( \/ t#UseLogin no
9 g, R  ], u  k2 A6 M6 B4 D#UsePrivilegeSeparation yes
#PermitUserEnvironment no
9 S4 R% E% T0 t8 o#Compression delayed
) P- Q6 \8 O  a, U! i; s. K#ClientAliveInterval 0
$ w7 q0 d# K! L8 X# o#ClientAliveCountMax 3
#UseDNS yes
4 E  X1 }( r" l9 \#PidFile /opt/var/run/sshd.pid
2 \- N, K+ q% p0 ]1 A#MaxStartups 10
# y3 `8 G" H5 ~' O2 j, [#PermitTunnel no
#ChrootDirectory none
% n, o$ b, R: Z4 }( t" P/ C1 B
3 _" Q- Q$ x$ u: s- J0 J/ U# no default banner path
#Banner none

' H6 T% A4 U) s$ T# override default of no subsystems
% C, C0 P% E5 z; L% kSubsystem        sftp        /opt/libexec/sftp-server
, @% ]9 [9 F4 B4 R3 V9 C
# Example of overriding settings on a per-user basis
2 H3 V+ P/ Z6 j8 J0 U#Match User anoncvs
6 a3 l% u7 n& p7 F: G! y#        X11Forwarding no
#        AllowTcpForwarding no
9 x' Q" v# W) ?, x9 ]# ~5 \#        ForceCommand cvs server

prenewbie

感觉这个openssh不太稳定，有时候会验证失败，然后造成vpn都工作不正常了

cantondiablo

俺的oppensh就从来没有连接上成功过，郁闷

freezex

这是我每次刷机后装ssh所用的配置文件,用wqi发到手机上,即可用密码登录.供参考

4 F/ r9 C: t2 B! j) L/opt/etc/openssh/sshd_config

1. Port 22
   
2. Protocol 2
   ; o. I7 p, X$ f! y) W
3. PermitRootLogin yes
   ; N# L$ D1 I0 V) W* D# c
4. PasswordAuthentication yes
   
5. PermitEmptyPasswords no
   
6. Subsystem        sftp        /opt/libexec/sftp-server

复制代码

/etc/event.d/mobi.optware.openssh

1. description "OpenSSH Daemon"
   
2. 
   
3. start on stopped finish
   % J. L! \+ \( i+ H* ~3 P
4. stop on runlevel [!2]
   ; m# R' }* r. b; l; f" \: v. J
5. 
   ; \  s+ D, _1 E$ f- x2 P: L# }$ ?) I( A
6. console none
   
7. 
   
8. # Make sure SSH sessions don't slow down GUI use
   
9. nice 5
   
10. 
    
11. # Restart the SSH daemon if it exits/dies
    5 f+ P0 u. T  u: Y) ~5 y* [" W, \5 |
12. respawn
    ) j; {* s2 w! T+ ]) ?
13. 
    + `2 e, Q: B9 w% o+ p& u
14. # -D doesn't detach and become daemon
    
15. # -p sets the TCP port
    
16. # -o "PasswordAuthentication no" prohibits login using password
    
17. # but allows login using ssh key based authentication (same behavior as -s in dropbear)
    % O1 ^0 a3 K& V( b. s& U. }
18. # -o "PermitRootLogin without-password" prohibits root login using password
    
19. # but allows root login using ssh key based authentication (same behavior as -g in dropbear)
    4 F7 u2 [! C. {* }
20. exec /opt/sbin/sshd -D
    
21. 
    
22. pre-start script
    ) r( g, F3 p* `, O7 L6 Y
23.      # Add firewall rule to allow SSH access over WiFi on port 22
    $ W2 p4 G1 w. m, y
24.      # Remove the "-i eth0" on both of the following lines to enable SSH access
    & J7 |1 y4 o. m0 |+ o
25.      # over the cellular data network (EVDO, etc).
    / N6 i8 ]; M- d' W  i# C* M
26.      /usr/sbin/iptables -D INPUT -i eth0 -p tcp --dport 22 -j ACCEPT || /bin/true
    1 U6 e4 `) L& A+ r  j# \+ g4 h
27.      /usr/sbin/iptables -I INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
    
28. end script
    
29. 
    
30. # end of file
    0 b- ]; U. B4 u! h# Z2 S! n- C

复制代码

[ Edited by freezex on 2010-10-8 10:09 ]

szlittle

俺的oppensh就从来没有连接上成功过，郁闷2