Detailed Notes and Tutorial on Configuring the SSH Server on Linux
How to configure public key and two-factor authentication for sshd on Linux
Open the configuration file
On most Linux distributions the sshd configuration file is /etc/ssh/sshd_config. Open it with your preferred editor; if you are not root, prefix the command with sudo, otherwise you will not have permission to save the file!
For example:
AllowUsers yourusername
Configure the public key
Generate a key pair
Create the .ssh directory in your home directory and change into it:
mkdir ~/.ssh
cd ~/.ssh
To generate a key pair with the default key type, use the following command:
ssh-keygen
You will be prompted for the path where the key is stored; press Enter to accept the default. Then set a passphrase for the key. After confirming, two files are generated, id_rsa and id_rsa.pub: id_rsa.pub is the public key used on the server, and id_rsa is the private key used by the client!
To change the key type, see SSH keys.
Append the public key to the file sshd expects, so that it takes effect:
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
Tighten the permissions on the public key file to keep it secure (chattr needs root privileges, so it is run with sudo):
chmod 400 ~/.ssh/authorized_keys
sudo chattr +i ~/.ssh/authorized_keys
sudo chattr +i ~/.ssh
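The `cat >> authorized_keys` step above appends blindly, and sshd silently ignores the whole file when ~/.ssh or authorized_keys is group- or world-writable (StrictModes). The following is an added Python example, not code from the original page, that installs a key line only once, sets the modes sshd accepts, and reports permission problems. It takes the .ssh directory as a parameter instead of assuming ~/.ssh, so it can be tried against a throw-away directory; the key line in demo() is constructed and not a real key.

```python
"""Idempotent authorized_keys installer plus a StrictModes-style permission check.
Added example; not part of the page or of OpenSSH."""
import os
import stat
import tempfile
from pathlib import Path

# Key types this example accepts (assumption: the usual OpenSSH types only)
VALID_KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
                   "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def install_pubkey(ssh_dir, pubkey_line):
    """Append pubkey_line to ssh_dir/authorized_keys exactly once.

    Returns True if the key was added, False if the same key (type + blob,
    regardless of trailing comment) is already present. Raises ValueError for
    input that is not an OpenSSH public key line.
    """
    line = pubkey_line.strip()
    parts = line.split()
    if len(parts) < 2 or parts[0] not in VALID_KEY_TYPES:
        raise ValueError("not an OpenSSH public key line: %r" % line[:40])

    ssh_dir = Path(ssh_dir)
    ssh_dir.mkdir(mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)          # mkdir's mode is subject to umask; force it
    auth = ssh_dir / "authorized_keys"

    existing = auth.read_text().splitlines() if auth.exists() else []
    key_id = tuple(parts[:2])         # compare on type + key blob only
    for entry in existing:
        fields = entry.split()
        if len(fields) >= 2 and tuple(fields[:2]) == key_id:
            return False

    with open(auth, "a") as fh:
        fh.write(line + "\n")
    os.chmod(auth, 0o600)             # owner-only; 0o400 as on the page also works
    return True


def check_perms(ssh_dir):
    """Return a list of problems that would make sshd (StrictModes yes) ignore the file."""
    problems = []
    ssh_dir = Path(ssh_dir)
    for path, allowed in ((ssh_dir, 0o700), (ssh_dir / "authorized_keys", 0o600)):
        if not path.exists():
            problems.append("%s is missing" % path)
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & ~allowed:           # any bit beyond the allowed set is a problem
            problems.append("%s has mode %o, wider than %o" % (path, mode, allowed))
    return problems


def demo():
    """Exercise the installer in a temporary directory and return what happened."""
    ssh = os.path.join(tempfile.mkdtemp(), ".ssh")
    # constructed key line for the demo, not a real key
    key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleBlob0000 alice@laptop"
    first = install_pubkey(ssh, key)                                  # True
    again = install_pubkey(ssh, key)                                  # False, duplicate
    recommented = install_pubkey(ssh, key.replace("laptop", "desktop"))  # False, same key
    lines = (Path(ssh) / "authorized_keys").read_text().count("\n")   # 1
    clean = check_perms(ssh)                                          # []
    os.chmod(ssh, 0o755)              # simulate a group/other-readable ~/.ssh
    loosened = len(check_perms(ssh))                                  # 1
    try:
        install_pubkey(ssh, "this is not a key")
        rejected = False
    except ValueError:
        rejected = True
    return first, again, recommented, lines, clean, loosened, rejected


if __name__ == "__main__":
    print(demo())
```

Run it as a script to see the tuple of results; to use it for real, call install_pubkey(os.path.expanduser("~/.ssh"), key_line) and then check_perms on the same directory before attempting a login.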
Configure two-factor authentication
Passwords alone are relatively weak, while public key authentication requires copying the private key file to every client, which is especially inconvenient when logging in from a device you rarely use. We therefore recommend two-factor authentication with google-authenticator plus a password!
Before use, libpam-google-authenticator must be installed on the server.
Install libpam-google-authenticator
sudo apt-get install libpam-google-authenticator
Search for and install the Google Authenticator app on your phone.
Generate and bind the two-factor secret
Run the google-authenticator command and follow the prompts to bind the secret and set the options.
$ google-authenticator
Do you want authentication tokens to be time-based (y/n) y
#<the generated QR code appears here>
Your new secret key is: ZVZG5UZU4D7MY4DH   #(secret key)
Your verification code is 269371   #(verification code)
Your emergency scratch codes are:   #(backup scratch codes)
  70058954
  97277505
  99684896
  56514332
  82717798

Do you want me to update your "/home/username/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y
#(Refuse multiple uses of the same token? This limits you to one login every 30 s, but helps you notice or prevent man-in-the-middle attacks.)

By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n) n
#(Increase the window from 1 min 30 s to about 4 min? This mitigates time-synchronization problems.)

If the computer that you are logging into is not hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y
#(Enable rate limiting for this module? Logins will be limited to at most 3 attempts per 30 seconds.)
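To show what the prompts above actually decide, here is an added Python example (not from the original page, and not libpam-google-authenticator's own code) that implements time-based codes per RFC 6238 with the secret printed in the transcript. Modelling the skew window as plus or minus N 30-second steps and tracking reuse by the last accepted time step are my simplifications of the PAM module's behaviour; the verification code 269371 on the page depended on the author's clock at the time and is not reproducible here.

```python
"""TOTP verifier illustrating google-authenticator's time-based, skew-window and
no-reuse options. Added example; not part of the page or of the PAM module."""
import base64
import hashlib
import hmac
import struct
import time

SECRET_B32 = "ZVZG5UZU4D7MY4DH"   # the secret from the transcript on the page
STEP = 30                         # seconds per token, as the prompt states
DIGITS = 6


def totp(secret_b32, counter):
    """Code for one time step: HMAC-SHA1 over the step counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** DIGITS)).zfill(DIGITS)


class Verifier:
    """window_steps=1 models the default 1:30 window (one token before and after);
    window_steps=4 approximates the "about 4min" option. disallow_reuse models the
    "one login about every 30s" answer. (Assumption: simplified from libpam's logic.)"""

    def __init__(self, secret_b32, window_steps=1, disallow_reuse=True):
        self.secret = secret_b32
        self.window = window_steps
        self.disallow_reuse = disallow_reuse
        self.last_used = None     # time-step counter of the last accepted token

    def verify(self, code, now=None):
        now = time.time() if now is None else now
        counter = int(now // STEP)
        for c in range(counter - self.window, counter + self.window + 1):
            if hmac.compare_digest(totp(self.secret, c), code):
                # A token for step c (or an older one) may not be replayed once
                # a token at that step or later has been accepted.
                if self.disallow_reuse and self.last_used is not None and c <= self.last_used:
                    return False
                self.last_used = c
                return True
        return False


def current_code(secret_b32=SECRET_B32):
    """The code the phone app would show right now for this secret."""
    return totp(secret_b32, int(time.time() // STEP))


if __name__ == "__main__":
    print("current code:", current_code())
```

The window setting trades clock tolerance for the number of codes an attacker could guess per attempt (3 codes in the default window), which is why the transcript pairs it with the rate-limiting option.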
Enable two-factor authentication:
Note: before enabling it, make sure the two-factor settings are correct, otherwise you will no longer be able to log in over ssh; it is best to have a backup way in, such as VNC! Before enabling two-factor authentication, make sure ChallengeResponseAuthentication in sshd_config is set to yes! The method described in this article does not apply two-factor authentication to public key logins; to set up public key + google-authenticator, see the wiki.
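Because a wrong sshd_config setting locks you out, it is worth checking the prerequisites (ChallengeResponseAuthentication yes from the note above, the AllowUsers line from the start of the tutorial) before restarting sshd. The following is an added Python example, not from the page, that parses an sshd_config the way sshd does: keywords are case-insensitive, the first value of a keyword wins, and lines after a Match block only apply conditionally, so they are skipped. The UsePAM check (the PAM stack is not consulted without it) and the KbdInteractiveAuthentication alias (the newer spelling of ChallengeResponseAuthentication) are my additions; the sample file is constructed.

```python
"""Audit an sshd_config for the settings this tutorial depends on.
Added example; not part of the page or of OpenSSH."""

# Newer OpenSSH spells the first keyword KbdInteractiveAuthentication; treat it as an alias.
ALIASES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}

REQUIRED = {
    # lower-case keyword: acceptable values
    "challengeresponseauthentication": {"yes"},   # the page: must be yes for google-authenticator
    "usepam": {"yes"},                            # my addition: /etc/pam.d/sshd is ignored otherwise
    "pubkeyauthentication": {"yes"},              # the page's public key section relies on it
}

# Constructed sample, not a real server's file: the mistake is the duplicated keyword
SAMPLE = """\
Include /etc/ssh/sshd_config.d/*.conf
Port 22
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
ChallengeResponseAuthentication yes   # has no effect: the first value wins
UsePAM yes
Match User deploy
    ChallengeResponseAuthentication yes
"""


def parse_sshd_config(text):
    """Return {keyword: first_value} for the global (pre-Match) section."""
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            in_match = True                      # everything from here on is conditional
            continue
        if in_match:
            continue
        settings.setdefault(keyword, value)      # first occurrence wins, later ones are ignored
    return settings


def audit(text):
    """Return a list of findings; an empty list means the tutorial's prerequisites hold."""
    settings = parse_sshd_config(text)
    findings = []
    for key, acceptable in REQUIRED.items():
        value = settings.get(key, "<default>")
        if value.lower() not in acceptable:
            findings.append("%s is %s, expected one of %s" % (key, value, sorted(acceptable)))
    if "allowusers" not in settings:
        findings.append("AllowUsers is not set: every account with a shell may log in")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE) or ["no findings"]:
        print(finding)
```

The parser does not follow Include lines; on distributions whose file starts with Include /etc/ssh/sshd_config.d/*.conf, the included files are read first and their values win, so audit those too. Running sshd -T as root prints the effective configuration after all of this is resolved, and sshd -t checks the file for syntax errors before a restart.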
Configure the pluggable authentication module (PAM)
Add pam_google_authenticator.so at the beginning of the /etc/pam.d/sshd file:
# google-auth
auth required pam_google_authenticator.so
# google-authend
Restart the sshd service for the change to take effect:
sudo systemctl restart sshd