X11Forwarding yes
# Allow X forwarding
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
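Unless you have special requirements, the default settings are sufficient.
Password-based authentication
By default, ssh still uses traditional password authentication, and this method needs no configuration at all. You can log in to the remote host with your own account and password. All transmitted data is encrypted, but nothing guarantees that the server you are connecting to is the server you intended to reach. Another server may be impersonating the real one, which is known as a "man-in-the-middle" attack.
Log in to the server as follows: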
$ ssh tony@192.168.102.50
tony@192.168.102.50's password:
Linux vmdebian 2.6.16-2-486 #1 Fri Aug 18 18:39:04 UTC 2006 i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Dec 8 12:31:58 2006 from 192.168.102.249
$
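Key-based authentication
Key-based authentication relies on a key pair, which you can generate with the ssh-keygen command. The generated private key is stored in ~/.ssh/id_rsa and the public key in ~/.ssh/id_rsa.pub. The public key must be copied to the remote server. When you then log in to the remote server, the client software sends a request asking to authenticate with your key; on receiving the request, the server looks for your public key under your home directory on that server and uses it to authenticate you. ssh-keygen generates keys with the RSA algorithm by default; to use the DSA algorithm, specify it with -t, for example ($ ssh-keygen -t dsa).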
tony@tonybox:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/tony/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/tony/.ssh/id_rsa.
Your public key has been saved in /home/tony/.ssh/id_rsa.pub.
The key fingerprint is:
5e:25:fe:32:af:96:e5:e2:c9:55:ad:f9:d2:f1:67:5d tony@tonybox
tony@tonybox:~$
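Then use the scp command to upload the public key to the .ssh directory of the corresponding user on the remote SSH server, rename it to authorized_keys, and make sure its permissions are 644.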
tony@tonybox:~/.ssh$ scp id_rsa.pub tony@192.168.102.50:.ssh/authorized_keys
tony@192.168.102.50's password:
id_rsa.pub 100% 394 0.4KB/s 00:00
tony@tonybox:~/.ssh$
From now on, when you log in to this SSH server, the public key you uploaded is used for authentication.
tony@tonybox:~$ ssh tony@192.168.102.50
Linux vmdebian 2.6.16-2-486 #1 Fri Aug 18 18:39:04 UTC 2006 i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Oct 26 12:59:12 2006 from 192.168.102.43
tony@vmdebian:~$
If a passphrase was set for the key, the login looks like this:
tony@tonybox:~$ ssh tony@192.168.102.50
Enter passphrase for key '/home/tony/.ssh/id_rsa':
Linux vmdebian 2.6.16-2-486 #1 Fri Aug 18 18:39:04 UTC 2006 i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Oct 26 14:27:58 2006 from 192.168.102.43
tony@vmdebian:~$
If the client private key id_rsa is renamed, and the server-side sshd_config file contains the following setting:
PasswordAuthentication no
tony@tonybox:$ mv /home/tony/.ssh/id_rsa /home/tony/.ssh/id_rsa.bak
tony@tonybox:$ ssh tony@192.168.102.50
Permission denied (publickey).
tony@tonybox:~$
If the server-side sshd_config file contains the following setting:
PasswordAuthentication yes
then password authentication is used when the key passphrase is entered incorrectly or the key does not exist:
tony@tonybox:~$ ssh tony@192.168.102.50
Enter passphrase for key '/home/tony/.ssh/id_rsa':
tony@192.168.102.50's password:
Linux vmdebian 2.6.16-2-486 #1 Fri Aug 18 18:39:04 UTC 2006 i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Oct 26 17:30:43 2006 from 192.168.102.43
tony@vmdebian:~$
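The password fallback shown in the last two sessions, and the authorized_keys permission requirement, can be checked on the server with a short script. This is an added example, not part of the original article; the function names sshd_effective, perms_ok and audit_key_login and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): audit a server for the
# password fallback and authorized_keys permissions discussed above.

# Print the effective global value of an sshd_config keyword.
# sshd keeps the first value it reads for a keyword, keywords are
# case-insensitive, and lines after "Match" are conditional (not parsed here).
# Assumes whitespace-separated "Keyword value" lines, as in this article.
sshd_effective() {   # usage: sshd_effective KEYWORD FILE DEFAULT
    awk -v key="$1" -v def="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        tolower($1) == "match" { exit }          # stop at conditional blocks
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$2"
}

# Succeed only if FILE exists and is not writable by group or others
# (the 644 used in this article passes, 664 or 666 fails).
perms_ok() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]
}

# Report both findings; returns non-zero if either check fails.
audit_key_login() {  # usage: audit_key_login SSHD_CONFIG AUTHORIZED_KEYS
    rc=0
    # OpenSSH defaults PasswordAuthentication to yes when it is not set.
    if [ "$(sshd_effective PasswordAuthentication "$1" yes)" != no ]; then
        echo "WARN: password login is still accepted as a fallback"; rc=1
    fi
    if ! perms_ok "$2"; then
        echo "WARN: $2 is missing or group/world-writable"; rc=1
    fi
    return "$rc"
}

# Demo on constructed sample files (temporary paths, not a real server).
demo_dir=$(mktemp -d)
printf '%s\n' '#PasswordAuthentication yes' 'UsePAM yes' \
    'PasswordAuthentication no' > "$demo_dir/sshd_config"
: > "$demo_dir/authorized_keys"; chmod 644 "$demo_dir/authorized_keys"
audit_key_login "$demo_dir/sshd_config" "$demo_dir/authorized_keys" \
    && echo "OK: key-only login, authorized_keys permissions sane"
rm -rf "$demo_dir"
```

On a live server, sshd -T prints the effective configuration including Match handling, which this sketch does not cover.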