linux 远程rsa 登录配置 文件 /etc/ssh/sshd_config

linux 创建用户

useradd ccpit  # 创建ccpit用户
passwd ccpit  # 给这个用户设置密码

修改/etc/ssh/sshd_config文件

#	$OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#ListenAddress 0.0.0.0
#ListenAddress ::

HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
StrictModes no
#MaxAuthTries 6
#MaxSessions 10

RSAAuthentication yes 
PubkeyAuthentication yes 

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile	.ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PAM authentication via ChallengeResponseAuthentication may bypass
# If you just want the PAM account and session checks to run without
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
Subsystem	sftp	/usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server
UseDNS no
AddressFamily inet
PermitRootLogin no 
SyslogFacility AUTHPRIV
PasswordAuthentication no
AllowUsers ccpit

 在/home/ccpit 下生成ssh_key

 把id_rsa 内容复制进authorized_keys (没有需要先创建authorized_keys文件)

cat id_rsa >> authorized_keys

systemctl restart sshd.service

退出重新登录即可

常用选项

UseDNS no
AddressFamily inet
PermitRootLogin no
#SyslogFacility用来设定在记录来自sshd的消息的时候，是否给出“facility code”
SyslogFacility AUTHPRIV
#PasswordAuthentication用来设置是否开启密码验证机制，如果用密码登录系统，则设置yes
PasswordAuthentication no
#指定允许通过远程访问的用户，多个用户以空格隔开
AllowUsers root
#X11Forwarding 用来设置是否允许X11转发
X11Forwarding yes
#设置是否通过PAM验证
UsePAM yes
#GSSAPIAuthentication 指定是否允许基于GSSAPI的用户认证，默认为no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials 设置是否在用户退出登录是自动销毁用户的凭证缓存
GSSAPICleanupCredentials no
#ChallengeResponseAuthentication 是否允许质疑-应答(challenge-response)认证
ChallengeResponseAuthentication no

#RSAAuthentication用来设置是否开启RSA密钥验证
RSAAuthentication yes
#PubkeyAuthentication用来设置是否开启公钥验证，如果使用公钥验证的方式登录时，则设置为yes
PubkeyAuthentication yes
#AuthorizedKeysFile用来设置公钥验证文件的路径，与PubkeyAuthentication配合使用,默认值是".ssh/authorized_keys"
AuthorizedKeysFile      .ssh/authorized_keys

#StrictModes用来设置ssh在接收登录请求之前是否检查用户根目录和rhosts文件的权限和所有权
StrictModes no
#MaxAuthTries 用来设置最大失败尝试登陆次数为6
#MaxAuthTries 6