CentOS中文网

CentOS: deny SSH remote login to specific users

CentOS中文网 https://www.centos.net.cn 2014-06-02 23:57 Source: web Editor: @iCMS

[root@localhost ~]# vi /etc/pam.d/sshd

Add the following line as the first rule of the file (the #%PAM-1.0 marker is only a comment and may stay above it). It has to come first because PAM evaluates a stack top-down: pam_listfile with sense=deny must refuse a listed user before any module further down gets a chance to authenticate them.

auth required pam_listfile.so item=user sense=deny file=/etc/sshdusers onerr=succeed

Two caveats the original post does not mention. First, onerr=succeed tells pam_listfile to return success when "something weird or wrong happens", for example when /etc/sshdusers is missing or unreadable, so a deny list configured this way silently fails open; onerr=fail is the safer setting for a deny list. Keep the list file a regular file owned by root with mode 0600. Second, sshd only runs the PAM auth stack for password and keyboard-interactive logins; public-key authentication never calls it, so an auth-stack rule does not stop a user who already has an authorized key. The account stack is consulted for every successful authentication when UsePAM is yes, so an equivalent "account required pam_listfile.so ..." rule covers keys as well.

The resulting /etc/pam.d/sshd:

#%PAM-1.0
auth       required     pam_listfile.so item=user sense=deny file=/etc/sshdusers onerr=succeed
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth


# See which users exist on this server (ls /home only shows accounts that have a home directory there; getent passwd lists every account)

[root@localhost ~]# cd /home/
[root@localhost home]# ls
git

Add that user's name to the list file:

[root@localhost home]# vi /etc/sshdusers
git

The file contains the single line "git" (git is a local user).


# Restart sshd (PAM re-reads /etc/pam.d/sshd on every authentication, so the restart is not strictly required for this change, but it does no harm)

[root@localhost home]# service sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]
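The three steps above (insert the rule, write the list, apply) as one script. This is an added example and not part of the original post: it works on a staged copy of /etc/pam.d/sshd rather than the live file, and listfile_verdict is a small emulation of pam_listfile's item=user sense=deny decision written for this example so the onerr= behaviour can be checked without an SSH round trip. The function names, the staging directory and the sample PAM file are all constructed for the example.

```shell
#!/bin/sh
# Added example: stage the pam_listfile deny rule against a COPY of
# /etc/pam.d/sshd, create the deny list with safe permissions, and emulate
# the module's verdict so onerr=fail vs onerr=succeed can be compared.

# Insert the deny rule as the first PAM rule, keeping a "#%PAM-1.0" marker
# line on top if there is one. Idempotent: an existing pam_listfile rule is
# left untouched.
# usage: insert_deny_rule <pam-file> <list-file> <fail|succeed>
insert_deny_rule() {
    pamfile=$1 listfile=$2 onerr=$3
    rule="auth required pam_listfile.so item=user sense=deny file=$listfile onerr=$onerr"
    grep -q 'pam_listfile\.so' "$pamfile" && return 0
    tmp=$(mktemp)
    if [ "$(head -n 1 "$pamfile")" = "#%PAM-1.0" ]; then
        { head -n 1 "$pamfile"; printf '%s\n' "$rule"; tail -n +2 "$pamfile"; } > "$tmp"
    else
        { printf '%s\n' "$rule"; cat "$pamfile"; } > "$tmp"
    fi
    cat "$tmp" > "$pamfile" && rm -f "$tmp"   # cat keeps the target's owner/mode
}

# Write the deny list, one user per line, created 0600 so nobody but the
# owner (root, when run as root) can read or edit it.
# usage: write_deny_list <list-file> user...
write_deny_list() {
    listfile=$1; shift
    ( umask 077; : > "$listfile" )
    chmod 0600 "$listfile"
    for u in "$@"; do printf '%s\n' "$u"; done >> "$listfile"
}

# Emulation (not the real module) of pam_listfile item=user sense=deny.
# Exit 0 = user passes this rule, 1 = user is denied. When the list cannot
# be read, onerr=succeed passes EVERYONE (fail-open); onerr=fail denies
# everyone (fail-closed).
# usage: listfile_verdict <user> <list-file> <fail|succeed>
listfile_verdict() {
    user=$1 listfile=$2 onerr=$3
    if [ ! -r "$listfile" ]; then
        [ "$onerr" = succeed ]
        return
    fi
    ! grep -qxF -- "$user" "$listfile"
}

# --- demo on a constructed sample, never on the live system ---
stage=$(mktemp -d)
cat > "$stage/sshd" <<'EOF'
#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
EOF
write_deny_list "$stage/sshdusers" git
insert_deny_rule "$stage/sshd" "$stage/sshdusers" fail
head -n 2 "$stage/sshd"
for u in git root; do
    if listfile_verdict "$u" "$stage/sshdusers" fail; then
        echo "$u: passes pam_listfile"
    else
        echo "$u: denied by pam_listfile"
    fi
done
if listfile_verdict git "$stage/no-such-list" succeed; then
    echo "onerr=succeed with the list missing: git passes (fail-open)"
fi
```

To deploy for real, run the two write steps as root against /etc/pam.d/sshd and /etc/sshdusers, then confirm with an actual login attempt as the listed user and the corresponding pam_listfile line in /var/log/secure.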


Test from another terminal:

Last login: Wed Sep 4 14:45:19 2013 from 10.191.197.161

root@Git-Ubutntu:~# ssh git@202.205.161.48


The authenticity of host '202.205.161.48 (202.205.161.48)' can't be established.


RSA key fingerprint is 40:2a:10:80:c3:20:e6:ea:fe:4a:4d:cd:79:df:86:29.


Are you sure you want to continue connecting (yes/no)? yes


Warning: Permanently added '202.205.161.48' (RSA) to the list of known hosts.


git@202.205.161.48's password:


Permission denied, please try again.


git@202.205.161.48's password:


Permission denied, please try again.


git@202.205.161.48's password:


Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).


I have also seen people solve this by setting DenyUsers in /etc/ssh/sshd_config, but when I edited that file I could not find a DenyUsers field, so I did not go that way. (DenyUsers is a valid sshd_config keyword; it is simply absent from the default file and has to be added, for example "DenyUsers git". Unlike the PAM rule it is enforced by sshd itself for every authentication method, public keys included. "sshd -t" checks the edited file and "sshd -T | grep -i denyusers" shows the value the running configuration would use.)
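The DenyUsers route, as an added example that is not part of the original post. The helper edits a copy of sshd_config rather than the live file, and it places the directive before the first Match block because anything after a Match line belongs to that block rather than to the global section; the helper names and the sample configuration are constructed for this example.

```shell
#!/bin/sh
# Added example: add users to the global DenyUsers directive of an
# sshd_config COPY, idempotently, without letting the directive fall inside
# a Match block.

# usage: set_deny_users <sshd_config-copy> user...
set_deny_users() {
    cfg=$1; shift
    users=$*
    tmp=$(mktemp)
    awk -v users="$users" '
        BEGIN { done = 0 }
        # the first Match line ends the global section: emit the directive
        # above it if no global DenyUsers line was seen so far
        !done && tolower($1) == "match" { print "DenyUsers " users; done = 1 }
        # extend an existing global DenyUsers line, skipping duplicates
        !done && tolower($1) == "denyusers" {
            line = $0
            n = split(users, u, " ")
            for (i = 1; i <= n; i++) {
                found = 0
                for (j = 2; j <= NF; j++) if ($j == u[i]) found = 1
                if (!found) line = line " " u[i]
            }
            print line; done = 1; next
        }
        { print }
        END { if (!done) print "DenyUsers " users }
    ' "$cfg" > "$tmp"
    cat "$tmp" > "$cfg" && rm -f "$tmp"   # cat keeps the target's owner/mode
}

# Print the users named by DenyUsers lines in the global section (before
# any Match block), space separated, for checking the edit.
# usage: global_deny_users <sshd_config-copy>
global_deny_users() {
    awk '
        tolower($1) == "match" { exit }
        tolower($1) == "denyusers" {
            for (i = 2; i <= NF; i++) printf "%s%s", (n++ ? " " : ""), $i
        }
        END { print "" }
    ' "$1"
}

# --- demo on a constructed sample, never on the live /etc/ssh/sshd_config ---
stage=$(mktemp -d)
cat > "$stage/sshd_config" <<'EOF'
Port 22
PermitRootLogin yes
Match User deploy
    PasswordAuthentication no
EOF
set_deny_users "$stage/sshd_config" git
echo "global DenyUsers: $(global_deny_users "$stage/sshd_config")"
cat "$stage/sshd_config"
```

Before copying the result over /etc/ssh/sshd_config, validate it with "sshd -t -f <copy>" and reload sshd afterwards; "sshd -T -C user=git" then shows the effective configuration for that user.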


Test result: user git can no longer log in remotely via SSH.

Next, check that root can still log in via SSH normally.

root@Git-Ubutntu:~# ssh root@202.205.161.48


root@202.205.161.48's password:


Last login: Wed Sep 4 15:00:45 2013 from 10.191.197.39

[root@localhost ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:15:5D:A1:58:09
          inet addr:202.205.161.48  Bcast:202.205.161.255  Mask:255.255.254.0
          inet6 addr: fe80::215:5dff:fea1:5809/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11199428 errors:0 dropped:0 overruns:0 frame:0
          TX packets:191501 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2603340038 (2.4 GiB)  TX bytes:13760114 (13.1 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:226 errors:0 dropped:0 overruns:0 frame:0
          TX packets:226 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:29132 (28.4 KiB)  TX bytes:29132 (28.4 KiB)

[root@localhost ~]#

The test above shows that root still logs in normally over SSH. (That root can log in over SSH with a password at all, as on this server, is a separate hardening item: PermitRootLogin no, or at least without-password on older OpenSSH, with sudo for administration.)


################################################################################


Now test whether the git client over SSH still works while the git user's SSH login is denied.


root@Git-Ubutntu:~# cd /home/git/


root@Git-Ubutntu:/home/git# ls


myworkplace


root@Git-Ubutntu:/home/git# cd myworkplace/


root@Git-Ubutntu:/home/git/myworkplace# ls


git-test


root@Git-Ubutntu:/home/git/myworkplace# cd git-test/


root@Git-Ubutntu:/home/git/myworkplace/git-test# ls


file.txt


root@Git-Ubutntu:/home/git/myworkplace/git-test# git log


commit dfe7feafbe3f95f6217cb59eda3c117e7057e852
Author: user <user@qq.com>
Date:   Tue Sep 3 16:25:10 2013 +0800

    version1.1 user.qq

commit 7fdbd209fa4278d26ac544e6a3ed327129ad236e
Author: Jeffery <Jeffery@localhost.localdomain>
Date:   Wed Sep 4 00:18:50 2013 +0800

    version 1.0 (zhangwj)


root@Git-Ubutntu:/home/git/myworkplace/git-test# vi file.txt
version 1.0 (zhangwj);
version 1.1 (user.qq);
version 1.2 (user.qq);Test the Ssh is OK?
"file.txt" 3L, 90C written


root@Git-Ubutntu:/home/git/myworkplace/git-test# git add file.txt


root@Git-Ubutntu:/home/git/myworkplace/git-test# git commit -a -m "test the ssh is ok"

*** Please tell me who you are.

Run

  git config --global user.email "you@example.com"
  git config --global user.name "Your Name"

to set your account's default identity.
Omit --global to set the identity only in this repository.

fatal: unable to auto-detect email address (got 'root@Git-Ubutntu.(none)')


# Git asks me to set its global configuration: user name and email

root@Git-Ubutntu:/home/git/myworkplace/git-test# git config --global user.email "user@qq.com"
root@Git-Ubutntu:/home/git/myworkplace/git-test# git config --global user.name "user"
root@Git-Ubutntu:/home/git/myworkplace/git-test# git commit -a -m"test the ssh is ok"
[master 84386d7] test the ssh is ok
 1 file changed, 1 insertion(+)

# So far so good: the commit to the local repository works.

The real test is whether it can be pushed to the server.


root@Git-Ubutntu:/home/git/myworkplace/git-test# git push


warning: push.default is unset; its implicit value is changing in


Git 2.0 from 'matching' to 'simple'. To squelch this message


and maintain the current behavior after the default changes, use:


git config --global push.default matching


To squelch this message and adopt the new behavior now, use:


git config --global push.default simple


See 'git help config' and search for 'push.default' for further information.


(the 'simple' mode was introduced in Git 1.7.11. Use the similar mode


'current' instead of 'simple' if you sometimes use older versions of Git)


git@202.205.161.48's password:


Permission denied, please try again.


git@202.205.161.48's password:


Permission denied, please try again.


git@202.205.161.48's password:


Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).


fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

The test fails: the client cannot reach the remote repository.


The push below succeeds, because I removed the SSH login restriction for the git user on the git server.


root@Git-Ubutntu:/home/git/myworkplace/git-test# git push


warning: push.default is unset; its implicit value is changing in


Git 2.0 from 'matching' to 'simple'. To squelch this message


and maintain the current behavior after the default changes, use:


git config --global push.default matching


To squelch this message and adopt the new behavior now, use:


git config --global push.default simple


See 'git help config' and search for 'push.default' for further information.


(the 'simple' mode was introduced in Git 1.7.11. Use the similar mode


'current' instead of 'simple' if you sometimes use older versions of Git)


git@202.205.161.48's password:


Counting objects: 5, done.


Compressing objects: 100% (2/2), done.


Writing objects: 100% (3/3), 297 bytes, done.


Total 3 (delta 0), reused 0 (delta 0)


To git@202.205.161.48:/home/git/git-test


   dfe7fea..84386d7  master -> master

root@Git-Ubutntu:/home/git/myworkplace/git-test# git log
commit 84386d7e6c4b4fc506efbd02e402fc993c15e011
Author: user <user@qq.com>
Date:   Wed Sep 4 15:16:16 2013 +0800

    test the ssh is ok

commit dfe7feafbe3f95f6217cb59eda3c117e7057e852
Author: user <user@qq.com>
Date:   Tue Sep 3 16:25:10 2013 +0800

    version1.1 user.qq

commit 7fdbd209fa4278d26ac544e6a3ed327129ad236e
Author: Jeffery <Jeffery@localhost.localdomain>
Date:   Wed Sep 4 00:18:50 2013 +0800

    version 1.0 (zhangwj)


Conclusion: once a user's SSH login is denied this way, git over SSH with password authentication stops working for that user as well. That is expected: git's SSH transport is an ordinary SSH login as that user, so it goes through the same sshd and PAM auth stack as an interactive session.

Next step: test git access using a public/private key pair.
