Restrict users from using ssh keys for authentication and login

For the sake of server and user security, the user password authentication method is prohibited, and the key-based method is used. Lastlogin: FriOct1214: 14: 012012from192.168.7.251root@Cacti.Nagios: [root] vietcsshsshd_config # $ OpenBSD: sshd_config, v1.802008070202: 24: 18 djmExp $ # Thisisthesshdse

For the sake of server and user security, the user password authentication method is prohibited, and the key-based method is used. Lastlogin: FriOct1214: 14: example. 168.7.small root@Cacti.Nagios: [/root] vi/etc/ssh/sshd_config # $ OpenBSD: sshd_config, v1.802008/07/0202: 24: 18 djmExp $ # Thisisthesshdse

For servers andUserIs not allowed.UserPasswordAuthenticationThe "key" method.

 
 

  
  
Last login: Fri Oct 12 14:14:01 2012 from 192.168.7.20.
  
  
Root@Cacti.Nagios: [/root] vi/etc/ssh/sshd_config
  
  
# $ OpenBSD: sshd_config, v 1.80 2008/07/02 02:24:18 djm Exp $
  
  
 
  
  
# This is the sshd server system-wide configuration file. See
  
  
# Sshd_config (5) for more information.
  
  
 
  
  
# This sshd was compiled with PATH =/usr/local/bin:/usr/bin
  
  
 
  
  
# The strategy used for options in the default sshd_config shipped
  
  
# OpenSSH is to specify options with their default value where
  
  
# Possible, but leave them commented. Uncommented options change
  
  
# Default value.
  
  
 
  
  
# Port 22
  
  
# AddressFamily any
  
  
# ListenAddress 0.0.0.0
  
  
# ListenAddress ::
  
  
 
  
  
# Disable legacy (protocol version 1) support in the server for new
  
  
# Installations. In future the default will change to require explicit
  
  
# Activation of protocol 1
  
  
Protocol 2The listener is changed to this status after modification. Only SSH2 is used.
  
  
 
  
  
# HostKey for protocol version 1
  
  
# HostKey/etc/ssh/ssh_host_key
  
  
# HostKeys for protocol version 2
  
  
# HostKey/etc/ssh/ssh_host_rsa_key
  
  
# HostKey/etc/ssh/ssh_host_dsa_key
  
  
 
  
  
# Lifetime and size of ephemeral version 1 server key
  
  
# KeyRegenerationInterval 1 h
  
  
# ServerKeyBits 1024
  
  
 
  
  
# Logging
  
  
# Obsoletes QuietMode and FascistLogging
  
  
# SyslogFacility AUTH
  
  
SyslogFacility AUTHPRIV
  
  
# LogLevel INFO
  
  
 
  
  
# Authentication:
  
  
 
  
  
# LoginGraceTime 2 m
  
  
# PermitRootLogin yes
  
  
PermitRootLogin noThe supervisor is changed to this status after modification, and root is not allowed.ProceedLogin
  
  
# StrictModes yes
  
  
# MaxAuthTries 6
  
  
# MaxSessions 10
  
  
 
  
  
# RSAAuthentication yes
  
  
# PubkeyAuthentication yes
  
  
# AuthorizedKeysFile. ssh/authorized_keys
  
  
# AuthorizedKeysCommand none
  
  
# AuthorizedKeysCommandRunAs nobody
  
  
 
  
  
# For this to work you will also need host keys in/etc/ssh/ssh_known_hosts
  
  
# RhostsRSAAuthentication no
  
  
# Similar for protocol version 2
  
  
# HostbasedAuthentication no
  
  
# Change to yes if you don't trust ~ /. Ssh/known_hosts
  
  
# RhostsRSAAuthentication and HostbasedAuthentication
  
  
# IgnoreUserKnownHosts no
  
  
# Don't read the user's ~ /. Rhosts and ~ /. Shosts files
  
  
# IgnoreRhosts yes
  
  
 
  
  
# To disable tunneled clear text passwords, change to no here!
  
  
# PasswordAuthentication yes
  
  
PasswordAuthentication noThe token is changed to this status after modification. logon using a password is not allowed.
  
  
# PermitEmptyPasswords no
  
  
PermitEmptyPasswords noReset changes to this status. Do not enter a password.ProceedLogin
  
  
"/Etc/ssh/sshd_config" 141L, 3941C written
  
  
Root@Cacti.Nagios: [/root] vi/etc/hosts. deny shield modify blocking rules and add lines at the end of the text
  
  
#
  
  
# Hosts. deny This file contains access rules which are used
  
  
# Deny connections to network services that either use
  
  
# The tcp_wrappers library or that have been
  
  
# Started through a tcp_wrappers-enabled xinetd.
  
  
#
  
  
# The rules in this file can also be set up in
  
  
#/Etc/hosts. allow with a 'deny' option instead.
  
  
#
  
  
# See 'man 5 hosts_options 'and 'man 5 hosts_access'
  
  
# For information on rule syntax.
  
  
# See 'man tcpd' for information on tcp_wrappers
  
  
#
  
  
Sshd: ALL clients add this line to shield all ssh connection requests.
  
  
"/Etc/hosts. deny" 14L, 469C written
  
  
You have new mail in/var/spool/mail/root
  
  
Root@Cacti.Nagios: [/root] vi/etc/hosts. allow modify allow rules to add lines at the end of the text
  
  
#
  
  
# Hosts. allow This file contains access rules which are used
  
  
# Allow or deny connections to network services that
  
  
# Either use the tcp_wrappers library or that have been
  
  
# Started through a tcp_wrappers-enabled xinetd.
  
  
#
  
  
# See 'man 5 hosts_options 'and 'man 5 hosts_access'
  
  
# For information on rule syntax.
  
  
# See 'man tcpd' for information on tcp_wrappers
  
  
#
  
  
Sshd: 192.168.7. Only 192.168.7 is allowed. Network Segment machine sshLogin
  
  
~
  
  
~
  
  
~
  
  
"/Etc/hosts. allow" 11L, Objective C written
  
  
 
  
  
Root@Cacti.Nagios: [/root] su-admin
  
  
Admin@Cacti.Nagios: [/data] ssh-keygen-t rsa
  
  
Generating public/private rsa key pair.
  
  
Enter file in which to save the key (/data/. ssh/id_rsa ):
  
  
Created directory '/data/. ssh '.
  
  
Enter passphrase (empty for no passphrase ):
  
  
Enter same passphrase again:
  
  
Your identification has been saved in/data/. ssh/id_rsa.
  
  
Your public key has been saved in/data/. ssh/id_rsa.pub.
  
  
The key fingerprint is:
  
  
E5: 15: ba: be: 59: ef: 2e: 74: df: b6: ee: e1: 6a: 24: be: da admin@Cacti.Nagios
  
  
The key's randomart image is:
  
  
+ -- [RSA 2048] ---- +
  
  
|. |
  
  
|... |
  
  
| O. |
  
  
| O |
  
  
| S o |
  
  
| ...... |
  
  
| O. +. o. |
  
  
|. =. O. = |
  
  
|. + Eo = B *. |
  
  
+ ----------------- +
  
  
Admin@Cacti.Nagios: [/data] ls-
  
  
... Bash_history. bash_logout. bash_profile. bashrc lost + found. ssh. viminfo
  
  
Admin@Cacti.Nagios: [/data] cd. ssh/
  
  
Admin@Cacti.Nagios: [/data/. ssh] ll
  
  
Total 8
  
  
-Rw ------- 1 admin 1751 Oct 12 id_rsa
  
  
-Rw-r -- 1 admin 401 Oct 12 id_rsa.pub
  
  
Admin@Cacti.Nagios: [/data/. ssh] cat ~ /. Ssh/id_rsa.pub> ~ /. Ssh/authorized_keys
  
  
Admin@Cacti.Nagios: [/data/. ssh] ls-
  
  
... Authorized_keys id_rsa id_rsa.pub
  
  
Admin@Cacti.Nagios: [/data/. ssh] chmod 400 authorized_keys
  
  
Admin@Cacti.Nagios: [/data/. ssh] ll-
  
  
Total 20
  
  
Drwx ------ 2 admin 4096 Oct 12.
  
  
Drwxr-xr-x 4 admin 4096 Oct 12 ..
  
  
-R -------- 1 admin 401 Oct 12 authorized_keys
  
  
-Rw ------- 1 admin 1751 Oct 12 id_rsa
  
  
-Rw-r -- 1 admin 401 Oct 12 id_rsa.pub
  
  
 
  
  
Now, the private key id_rsa is exported to the windows client. Then, delete the generated public key id_rsa.pub.
  
  
Restart the sshd service to make the configuration changes take effect.
  
  
Root@Cacti.Nagios: [/root]/etc/rc. d/init. d/sshd restart Stopping sshd: [OK] Starting sshd: [OK]

 
 

650) this. width = 650; "src =" http://cdn.verydemo.com/upload/2013_05_29/13698145869140.jpg "border =" 0 "alt =" "/> 650) this. width = 650; "src =" http://cdn.verydemo.com/upload/2013_05_29/13698145872331.jpg "border =" 0 "alt =" "/> 650) this. width = 650; "src =" http://cdn.verydemo.com/upload/2013_05_29/13698145875642.jpg "border =" 0 "alt =" "/> 650) this. width = 650; "src =" http://cdn.verydemo.com/upload/2013_05_29/13698145878883.jpg "border =" 0 "alt =" "/>

Bug blog