Centos * 禁止除本机外其他服务器使用root用户登录服务器，允许指定用户登录服务器配置

1.本机ip信息

# 配置 允许那些服务器可以ssh连接本机 服务器
[root@centos-test ~]# ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.56.30  netmask 255.255.255.0  broadcast 192.168.56.255
        inet6 fe80::20c:29ff:fe37:bb34  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:37:bb:34  txqueuelen 1000  (Ethernet)
        RX packets 773269  bytes 1067575861 (1018.1 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 216881  bytes 21516022 (20.5 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

# 测试ssh连接centos-test 服务器
[root@test ~]# ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.56.29  netmask 255.255.255.0  broadcast 192.168.56.255
        inet6 fe80::20c:29ff:fe4d:2d9  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:4d:02:d9  txqueuelen 1000  (Ethernet)
        RX packets 80809  bytes 59858430 (57.0 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 58786  bytes 6633500 (6.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

2.禁止root用户登录，并指定用户服务器登录

[root@centos-test ~]# cat /etc/ssh/sshd_config
#    $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#ListenAddress 0.0.0.0
#ListenAddress ::

HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile    .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
GSSAPIAuthentication no
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PAM authentication via ChallengeResponseAuthentication may bypass
# If you just want the PAM account and session checks to run without
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
Subsystem    sftp    /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#    X11Forwarding no
#    AllowTcpForwarding no
#    PermitTTY no
#    ForceCommand cvs server

UseDNS no
AddressFamily inet
PermitRootLogin yes
SyslogFacility AUTHPRIV
PasswordAuthentication yes
AllowUsers root@192.168.56.30 test@192.168.56.29

3.参数注释

GSSAPIAuthentication no: 是否允许使用基于 GSSAPI 的用户认证。默认值为"no"。仅用于SSH-2【关闭GSSAPI用户认证，优化ssh连接速度】

UseDNS no：OpenSSH在用户登录的时候会验证IP，它根据用户的IP使用反向DNS找到主机名，再使用DNS找到IP地址，最后匹配一下登录的IP是否合法。如果客户机的IP没有域名，或者DNS服务器很慢或
           不通，那么登录就会很花时间【关闭 SSH 的 DNS 反解析，优化ssh连接速度】

PermitRootLogin yes：允许root用户登录【PermitRootLogin no # 禁止root用户远程登录】

PasswordAuthentication yes：开启基于密码认证的远程登录

AllowUsers ：允许192.168.56.30地址的root用户登录本机/允许全部192.168.56.29的test用户登录本机。

4.重启centos-test服务器sshd，测试链接

[root@centos-test ~]# systemctl restart sshd 

[root@test ~]# ssh root@192.168.56.30
root@192.168.56.30's password: 
Permission denied, please try again.


[root@test ~]# ssh test@192.168.56.30
test@192.168.56.30's password: 
Last login: Sun Sep 27 15:30:10 2020 from 192.168.56.28
[test@centos7 ~]$

#####