I have configured an SSH server on one of my PCs so that only one machine is allowed to log in as root. This worked fine until I updated SSH (the server is currently running Debian Jessie). This is what my sshd_config looks like:

    # Package generated configuration file
    # See the sshd_config(5) manpage for details

    # What ports, IPs and protocols we listen for
    Port 22
    # Use these options to restrict which interfaces/protocols sshd will bind to
    #ListenAddress ::
    #ListenAddress 0.0.0.0
    Protocol 2
    # HostKeys for protocol version 2
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_dsa_key
    HostKey /etc/ssh/ssh_host_ecdsa_key
    HostKey /etc/ssh/ssh_host_ed25519_key
    #Privilege Separation is turned on for security
    UsePrivilegeSeparation yes

    # Logging
    SyslogFacility AUTH
    LogLevel INFO

    # Authentication:
    LoginGraceTime 120
    PermitRootLogin no
    StrictModes yes

    PubkeyAuthentication yes
    #AuthorizedKeysFile %h/.ssh/authorized_keys

    # Don't read the user's ~/.rhosts and ~/.shosts files
    IgnoreRhosts yes
    # similar for protocol version 2
    HostbasedAuthentication no
    # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
    #IgnoreUserKnownHosts yes

    # To enable empty passwords, change to yes (NOT RECOMMENDED)
    PermitEmptyPasswords no

    # Change to yes to enable challenge-response passwords (beware issues with
    # some PAM modules and threads)
    ChallengeResponseAuthentication no

    # Change to no to disable tunnelled clear text passwords
    PasswordAuthentication no
    ChallengeResponseAuthentication no

    # Kerberos options
    #KerberosAuthentication no
    #KerberosGetAFSToken no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes

    # GSSAPI options
    #GSSAPIAuthentication no
    #GSSAPICleanupCredentials yes

    X11Forwarding yes
    X11DisplayOffset 10
    PrintMotd no
    PrintLastLog yes
    TCPKeepAlive yes
    #UseLogin no

    #MaxStartups 10:30:60
    #Banner /etc/issue.net

    # Allow client to pass locale environment variables
    AcceptEnv LANG LC_*

    Subsystem sftp /usr/lib/openssh/sftp-server

    # Set this to 'yes' to enable PAM authentication, account processing,
    # and session processing. If this is enabled, PAM authentication will
    # be allowed through the ChallengeResponseAuthentication and
    # PasswordAuthentication.  Depending on your PAM configuration,
    # PAM authentication via ChallengeResponseAuthentication may bypass
    # the setting of "PermitRootLogin without-password".
    # If you just want the PAM account and session checks to run without
    # PAM authentication, then enable this but set PasswordAuthentication
    # and ChallengeResponseAuthentication to 'no'.
    UsePAM yes

    ############# To Allow Root Login ####################
    Match Host pc01
        PermitRootLogin yes
This is the output of ssh -v root@pc00:

    OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 56: Applying options for *
    debug1: Connecting to pc00 [10.255.255.100] port 22.
    debug1: Connection established.
    debug1: identity file /home/masteradmin/.ssh/id_rsa type 1
    debug1: identity file /home/masteradmin/.ssh/id_rsa-cert type -1
    debug1: identity file /home/masteradmin/.ssh/id_dsa type -1
    debug1: identity file /home/masteradmin/.ssh/id_dsa-cert type -1
    debug1: identity file /home/masteradmin/.ssh/id_ecdsa type -1
    debug1: identity file /home/masteradmin/.ssh/id_ecdsa-cert type -1
    debug1: identity file /home/masteradmin/.ssh/id_ed25519 type -1
    debug1: identity file /home/masteradmin/.ssh/id_ed25519-cert type -1
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_6.6.1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4p1 Debian-10+deb9u1
    debug1: match: OpenSSH_7.4p1 Debian-10+deb9u1 pat OpenSSH* compat 0x04000000
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-ctr [email protected] none
    debug1: kex: client->server aes128-ctr [email protected] none
    debug1: kex: [email protected] need=20 dh_need=20
    debug1: kex: [email protected] need=20 dh_need=20
    debug1: sending SSH2_MSG_KEX_ECDH_INIT
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug1: Server host key: ECDSA 6a:be:7f:f8:3a:89:26:0b:08:16:6f:5a:ec:12:d7:bc
    debug1: Host 'pc00' is known and matches the ECDSA host key.
    debug1: Found key in /home/masteradmin/.ssh/known_hosts:2
    debug1: ssh_ecdsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey
    debug1: Next authentication method: publickey
    debug1: Offering RSA public key: /home/masteradmin/.ssh/id_rsa
    debug1: Server accepts key: pkalg ssh-rsa blen 279
    debug1: key_parse_private2: missing begin marker
    debug1: read PEM private key done: type RSA
    debug1: Authentications that can continue: publickey
    debug1: Trying private key: /home/masteradmin/.ssh/id_dsa
    debug1: Trying private key: /home/masteradmin/.ssh/id_ecdsa
    debug1: Trying private key: /home/masteradmin/.ssh/id_ed25519
    debug1: No more authentication methods to try.
Just to be clear: the update was applied to the server, and it worked fine before the update.

I want to configure the server to allow root access only from pc01 (which is in the hosts file) and only with key-based authentication.

What is wrong with my configuration?

Update: another clue is that if I change PermitRootLogin from no to yes, I can log in fine, but that defeats the whole purpose of "allow root from one IP only".
The following setup has a problem:

    PermitRootLogin no
    ...
    Match Host pc01
        PermitRootLogin yes

It is described in the ssh_config(5) manual page:

    For each parameter, the first obtained value will be used.

This means that PermitRootLogin yes is never used. To avoid this, write the configuration the other way round:

    Match Host pc01
        PermitRootLogin yes
    Match all
        PermitRootLogin no

Edit: if a hostname-based Match block stops working, it may be related to the UseDNS option, whose default may have changed in some update. Changing the hostname to an IP address, or adding UseDNS yes, will also fix the problem.
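The following is an added example, not code from the question or the answer above. It is a simplified emulation of how sshd resolves a keyword when Match blocks are present (a Match block that matches overrides the global value; the first matching block that sets the keyword wins), so that the three configurations discussed on this page can be compared side by side for a client that is, and is not, pc01. Two things are assumed and not taken from the page: pc01 is given the address 10.255.255.101 (the debug output only shows pc00 as 10.255.255.100), and the reverse-DNS table standing in for /etc/hosts is constructed. The UseDNS setting is modelled as a parameter rather than parsed from the config. The debug output above shows the server now runs OpenSSH 7.4, and since OpenSSH 6.8 UseDNS defaults to no, in which case sshd does not resolve the peer address and Match Host compares its pattern against the bare address string, so a hostname pattern can never match.

```python
# Added example: simplified emulation of sshd's Match resolution (not sshd's own code).
import fnmatch
import ipaddress

# Constructed: the relevant lines of the original sshd_config from the question.
ORIGINAL_CONFIG = """
PermitRootLogin no
Match Host pc01
    PermitRootLogin yes
"""

# Constructed: the same rule keyed on the client address instead of its name.
# 10.255.255.101 is an assumed address for pc01; the page only gives pc00's.
ADDRESS_CONFIG = """
PermitRootLogin no
Match Address 10.255.255.101
    PermitRootLogin yes
"""

# Constructed: the ordering proposed in the answer.
ANSWER_CONFIG = """
Match Host pc01
    PermitRootLogin yes
Match all
    PermitRootLogin no
"""

# Constructed reverse-DNS table standing in for /etc/hosts or PTR records (assumption).
RDNS = {"10.255.255.101": "pc01", "10.255.255.100": "pc00"}


def client_info(addr, user="root", use_dns=False):
    """What sshd knows about the peer when it evaluates Match lines.

    With UseDNS no (the OpenSSH default since 6.8) the 'host' sshd compares
    against Match Host is just the address string; with UseDNS yes it is the
    reverse-DNS name when one exists.
    """
    host = RDNS.get(addr, addr) if use_dns else addr
    return {"addr": addr, "user": user, "host": host}


def parse(text):
    """Split sshd_config text into global options and ordered Match blocks."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "match":
            current = (value, {})
            blocks.append(current)
        elif current is None:
            global_opts[key] = value
        else:
            current[1][key] = value
    return global_opts, blocks


def _glob_any(patterns, subject):
    # Comma-separated glob patterns, as sshd accepts for Host and User.
    return any(fnmatch.fnmatchcase(subject, p) for p in patterns.split(","))


def _addr_any(patterns, addr):
    # Address accepts globs and CIDR ranges.
    for p in patterns.split(","):
        if "/" in p:
            if ipaddress.ip_address(addr) in ipaddress.ip_network(p, strict=False):
                return True
        elif fnmatch.fnmatchcase(addr, p):
            return True
    return False


def criteria_match(criteria, client):
    """True if every criterion/pattern pair on a Match line holds, or it is 'all'."""
    tokens = criteria.split()
    if [t.lower() for t in tokens] == ["all"]:
        return True
    if len(tokens) % 2:
        raise ValueError("malformed Match line: " + criteria)
    checks = {"host": _glob_any, "user": _glob_any, "address": _addr_any}
    for crit, pattern in zip(tokens[::2], tokens[1::2]):
        crit = crit.lower()
        if crit not in checks:
            raise ValueError("criterion not modelled here: " + crit)
        subject = client["addr"] if crit == "address" else client[crit]
        if not checks[crit](pattern, subject):
            return False
    return True


def effective(text, client, keyword):
    """First matching Match block that sets the keyword wins; else the global value."""
    keyword = keyword.lower()
    global_opts, blocks = parse(text)
    for criteria, opts in blocks:
        if criteria_match(criteria, client) and keyword in opts:
            return opts[keyword]
    return global_opts.get(keyword)


if __name__ == "__main__":
    configs = [("original", ORIGINAL_CONFIG), ("address", ADDRESS_CONFIG), ("answer", ANSWER_CONFIG)]
    for label, cfg in configs:
        for use_dns in (False, True):
            c = client_info("10.255.255.101", use_dns=use_dns)
            dns = "yes" if use_dns else "no"
            print(f"{label:8} UseDNS={dns:3} host={c['host']:15} "
                  f"PermitRootLogin={effective(cfg, c, 'PermitRootLogin')}")
```

Run stand-alone, the table shows the original config yielding "no" for pc01 until UseDNS is yes, the Match Address variant yielding "yes" regardless of DNS, and the answer's ordering behaving like the original, since it is still keyed on the reverse-DNS name. On the real server the equivalent check is `sshd -T -C user=root,host=pc01,addr=<pc01 address>`, which prints the effective configuration for that connection. Match Address is the safer choice of the two: a reverse-DNS name is asserted by whoever controls the PTR zone for the source address, whereas the address is what the packets actually came from.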