
Enable or disable users to log in using SSH in Linux

🕚 by admin

Restrictions on logged-in users

Edit the configuration file of the SSH service:
    #vim /etc/ssh/sshd_config

To prohibit the root user from logging in using SSH, find this line:
    #PermitRootLogin yes
Remove the # sign and change yes to no.

Add the following content to allow only the listed users and user groups to log in using SSH:
    AllowUsers username
    AllowGroups groupname

Add the following content to forbid only the listed users and user groups from logging in using SSH:
    DenyUsers username
    DenyGroups groupname

The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.

After modifying the configuration file, the SSH service must be restarted for the change to take effect:
    #/etc/init.d/sshd restart

Restrictions on login IP

Modify the configuration file:
    #vim /etc/hosts.allow
Add the following content to set the IP allowed to log in:
    sshd:

Modify the configuration file:
    #vim /etc/hosts.deny
Add the following content to reject all other IPs:
    sshd:ALL

After completing the above two steps, all IPs are denied except the ones listed in hosts.allow, which are still allowed to log in.

Login with certificate

  1. Generate the public and private keys:
    ssh-keygen -t rsa -f /root/.ssh/id_rsa
    The key type is determined by the SSH protocol version: SSH1 can only use RSA, while SSH2 supports both RSA and DSA.
  2. Register the public key on the server:
    vim /root/.ssh/authorized_keys
    Edit this file on the server and paste the content of the public key into it.
  3. Turn on certificate authentication on the server and turn off password login. Edit the sshd_config file and modify the following content:
    PubkeyAuthentication yes
    AuthorizedKeysFile .ssh/authorized_keys
    RSAAuthentication yes
    PasswordAuthentication no
  4. The client logs in to the SSH server with the private key:
    ssh -i /root/.ssh/id_rsa root@<ssh_server_ip> -p port
    The path of the private key can be set in /etc/ssh/ssh_config with IdentityFile ~/.ssh/id_rsa, so you don't need to specify it on every login.
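One check worth running after either the user/root restrictions or the certificate-login settings above: sshd uses the first uncommented value it reads for a keyword, so a hardened line appended below an earlier setting is silently ignored. The script below is an added example, not part of the original post; it assumes a POSIX sh with awk, reads only the global section (before any Match block), and runs against a constructed sample config written to a temp file.

```shell
#!/bin/sh
# Added example (not from the original post): sshd applies the FIRST uncommented
# value it reads for a keyword, keywords are case-insensitive, "Key=value" is
# accepted, and lines inside a Match block apply only to matching connections.
# Print the effective global value of KEYWORD in CONFIG, or nothing if unset.
sshd_effective() {
    config="$1"
    key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
    awk -v key="$key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
        tolower($1) == "match" { exit }                 # end of the global section
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            sub(/[[:space:]]*=[[:space:]]*/, " ", line)  # "Key=value" -> "Key value"
            if (match(line, /[[:space:]]+/)) { k = substr(line, 1, RSTART - 1); v = substr(line, RSTART + RLENGTH) }
            else { k = line; v = "" }
            sub(/[[:space:]]+$/, "", v)
            if (tolower(k) == key) { print v; exit }     # first occurrence wins
        }' "$config"
}
# Audit CONFIG against the hardening settings above and return the number of
# failures; an unset keyword leaves sshd's built-in default in force, which is
# reported as a failure rather than assumed safe.
sshd_audit() {
    config="$1"; failures=0
    for pair in "PermitRootLogin no" "PasswordAuthentication no" "PubkeyAuthentication yes"; do
        set -- $pair                    # $1 = keyword, $2 = expected value
        got="$(sshd_effective "$config" "$1" | tr 'A-Z' 'a-z')"
        [ "$got" = "$2" ] && echo "ok   $1 $got" && continue
        echo "FAIL $1 is '${got:-unset}', expected $2"; failures=$((failures + 1))
    done
    return "$failures"
}
# Constructed sample config (not a real host's file) for a self-contained run.
write_sample_config() {
    cat > "$1" <<'EOF'
PermitRootLogin yes
PubkeyAuthentication yes
#PasswordAuthentication no
PasswordAuthentication = no
AllowUsers deploy backup
PermitRootLogin no
Match User deploy
    PasswordAuthentication yes
EOF
}
sample="${TMPDIR:-/tmp}/sshd_config.sample.$$"
write_sample_config "$sample"
sshd_audit "$sample" || echo "audit found $? problem(s)"; rm -f "$sample"
```

In the sample, the trailing "PermitRootLogin no" never takes effect because the earlier "PermitRootLogin yes" is read first, which is exactly the failure the audit reports.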

Other configuration of the sshd_config file

    #Port 22
Modify the port sshd listens on.

    Protocol 2
Select the SSH protocol version.

    AddressFamily
Specifies which address family sshd(8) should use. The possible values are "any" (default), "inet" (IPv4 only), and "inet6" (IPv6 only).

    ListenAddress
Specifies the network address that sshd(8) listens on. By default it listens on all addresses. Multiple ListenAddress lines can be used to listen on multiple addresses. The format is ListenAddress host|IPv4_addr:port.

    #LogLevel INFO
Sets the log level; INFO is the default level.

    #LoginGraceTime 2m
The user must authenticate successfully within this time limit; 0 means unlimited. The default value is 120 seconds.

    AllowGroups
Followed by a list of group names separated by spaces (the "*" and "?" wildcards can be used). All groups are allowed to log in by default. If this directive is used, only members of these groups will be allowed to log in, and all other groups will be denied. "Group" refers to the primary group, and a GID cannot be used.

    AllowTcpForwarding
Whether to allow TCP forwarding; the default value is "yes". Disabling TCP forwarding does not enhance security unless users are also denied shell access, because users can install their own forwarders.

    AllowUsers
Followed by a list of user names separated by spaces (the "*" and "?" wildcards can be used). All users are allowed to log in by default. If this directive is used, only these users will be allowed to log in, and all other users will be denied.

    #ClientAliveInterval 0
Interval, in seconds, at which the server sends a keep-alive request to the client to detect a dead connection; the default of 0 means no requests are sent.

    #ClientAliveCountMax 3
If the client fails to respond to more than 3 of these requests, it is disconnected.

    PubkeyAuthentication yes
Enable public/private key pair authentication; this can only be used with SSH-2.

    AuthorizedKeysFile .ssh/authorized_keys
Set the path of the public key file. If there are several public keys, append them to this file.

    RSAAuthentication yes
Allow RSA keys.

    PasswordAuthentication no
Now that certificate login is available, disable password login.

    Banner
Display the contents of the file specified by this directive to the remote user before the user is authenticated. This feature can only be used with SSH-2, and nothing is displayed by default. "none" means that this feature is disabled.

    AcceptEnv
Specifies which environment variables sent by the client will be passed into the session environment. Only the SSH-2 protocol supports the transfer of environment variables. The value of the directive is a list of variable names separated by spaces ('*' and '?' can be used as wildcards). Multiple AcceptEnv lines can also be used. For details, refer to the SendEnv directive in ssh_config(5).

    Ciphers
Specifies the encryption algorithms allowed for SSH-2. Use commas to separate multiple algorithms. The algorithms that can be used are: "aes128-cbc", "aes192-cbc", "aes256-cbc", "aes128-ctr", "aes192-ctr", "aes256-ctr", "3des-cbc", "arcfour128", "arcfour256", "arcfour", "blowfish-cbc", "cast128-cbc". By default, all of the above algorithms are allowed.
