Denying certain users SSH remote login

WinJay
2013-09-04

[root@localhost ~]# vi /etc/pam.d/sshd

Add auth required pam_listfile.so item=user sense=deny file=/etc/sshdusers onerr=succeed as the first line. It must be the first line, because PAM evaluates the rules from top to bottom and earlier rules take precedence:

auth required pam_listfile.so item=user sense=deny file=/etc/sshdusers onerr=succeed
#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
#pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
#pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth

# Check which users exist on this server

[root@localhost ~]# cd /home/
[root@localhost home]# ls
git

Add this user's name to the list file:

[root@localhost home]# vi /etc/sshdusers
git

Add git to the file (git is a local user).

# Restart the sshd service
[root@localhost home]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]

Test from another terminal:

Last login: Wed Sep 4 14:45:19 2013 from 10.191.197.161
root@Git-Ubutntu:~# ssh git@202.205.161.48
The authenticity of host '202.205.161.48 (202.205.161.48)' can't be established.
RSA key fingerprint is 40:2a:10:80:c3:20:e6:ea:fe:4a:4d:cd:79:df:86:29.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '202.205.161.48' (RSA) to the list of known hosts.
git@202.205.161.48's password:
Permission denied, please try again.
git@202.205.161.48's password:
Permission denied, please try again.
git@202.205.161.48's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

I have also seen people solve this by "setting DenyUsers in /etc/ssh/sshd_config", but when I edited that file I could not find a DenyUsers field... so I did not get that to work.

Test result: the user git cannot log in remotely over SSH.
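An added example, not part of the original post: a shell sketch that models how the pam_listfile rule above decides a login, including the case where onerr=succeed lets the login through because the list file is missing. The function names listfile_is_first_auth and listfile_verdict and the temp-directory sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): model the pam_listfile rule.

# Succeeds only if the first auth rule in PAM_FILE ($1) is pam_listfile.so.
listfile_is_first_auth() {
    first=$(awk '$1 == "auth" { print $3; exit }' "$1")
    [ "$first" = "pam_listfile.so" ]
}

# Prints deny, allow or no-rule for USER ($1) under the rule in PAM_FILE ($2).
listfile_verdict() {
    user=$1
    rule=$(awk '$1 == "auth" && $3 == "pam_listfile.so" { print; exit }' "$2")
    [ -n "$rule" ] || { echo no-rule; return 0; }
    item='' sense='' file='' onerr=''
    for opt in $rule; do
        case $opt in
            item=*)  item=${opt#item=} ;;
            sense=*) sense=${opt#sense=} ;;
            file=*)  file=${opt#file=} ;;
            onerr=*) onerr=${opt#onerr=} ;;
        esac
    done
    # This sketch only models the item=user form used in the post.
    [ "$item" = user ] || { echo no-rule; return 0; }
    if [ ! -r "$file" ]; then
        # List missing or unreadable: onerr decides, and succeed fails open.
        if [ "$onerr" = succeed ]; then echo allow; else echo deny; fi
        return 0
    fi
    if grep -qxF -- "$user" "$file"; then listed=yes; else listed=no; fi
    # sense=deny blocks listed users; sense=allow blocks everyone else.
    if [ "$sense" = deny ] && [ "$listed" = yes ]; then echo deny
    elif [ "$sense" = allow ] && [ "$listed" = no ]; then echo deny
    else echo allow
    fi
}

# Constructed sample files in a temp dir; the real /etc is never touched.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf 'git\n' > "$demo/sshdusers"
cat > "$demo/sshd" <<EOF
auth required pam_listfile.so item=user sense=deny file=$demo/sshdusers onerr=succeed
#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
EOF
for u in git root; do echo "$u: $(listfile_verdict "$u" "$demo/sshd")"; done
```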

Next, check whether root can still log in remotely over SSH:

root@Git-Ubutntu:~# ssh root@202.205.161.48
root@202.205.161.48's password:
Last login: Wed Sep 4 15:00:45 2013 from 10.191.197.39
[root@localhost ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:15:5D:A1:58:09
          inet addr:202.205.161.48  Bcast:202.205.161.255  Mask:255.255.254.0
          inet6 addr: fe80::215:5dff:fea1:5809/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11199428 errors:0 dropped:0 overruns:0 frame:0
          TX packets:191501 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2603340038 (2.4 GiB)  TX bytes:13760114 (13.1 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:226 errors:0 dropped:0 overruns:0 frame:0
          TX packets:226 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:29132 (28.4 KiB)  TX bytes:29132 (28.4 KiB)

[root@localhost ~]#

The test above shows that root can log in remotely over SSH as normal.

##########################################################

Next, test whether the git client can still use SSH while SSH remote login is disabled for the git user.

root@Git-Ubutntu:~# cd /home/git/
root@Git-Ubutntu:/home/git# ls
myworkplace
root@Git-Ubutntu:/home/git# cd myworkplace/
root@Git-Ubutntu:/home/git/myworkplace# ls
git-test
root@Git-Ubutntu:/home/git/myworkplace# cd git-test/
root@Git-Ubutntu:/home/git/myworkplace/git-test# ls
file.txt
root@Git-Ubutntu:/home/git/myworkplace/git-test# git log
commit dfe7feafbe3f95f6217cb59eda3c117e7057e852
Author: user <user@qq.com>
Date:   Tue Sep 3 16:25:10 2013 +0800

    version1.1 user.qq

commit 7fdbd209fa4278d26ac544e6a3ed327129ad236e
Author: Jeffery <Jeffery@localhost.localdomain>
Date:   Wed Sep 4 00:18:50 2013 +0800

    version 1.0 (zhangwj)
root@Git-Ubutntu:/home/git/myworkplace/git-test# vi file.txt
version 1.0 (zhangwj);
version 1.1 (user.qq);
version 1.2 (user.qq); Test the Ssh is OK?
~

"file.txt" 3L, 90C written
root@Git-Ubutntu:/home/git/myworkplace/git-test# git add file.txt
root@Git-Ubutntu:/home/git/myworkplace/git-test# git commit -a -m "test the ssh is ok"

*** Please tell me who you are.

Run

  git config --global user.email "you@example.com"
  git config --global user.name "Your Name"

to set your account's default identity.
Omit --global to set the identity only in this repository.

fatal: unable to auto-detect email address (got 'root@Git-Ubutntu.(none)')

# git asks me to set its global configuration... so I configure the user name and e-mail.

root@Git-Ubutntu:/home/git/myworkplace/git-test# git config --global user.email "user@qq.com"
root@Git-Ubutntu:/home/git/myworkplace/git-test# git config --global user.name " user"
root@Git-Ubutntu:/home/git/myworkplace/git-test# git commit -a -m"test the ssh is ok"
[master 84386d7] test the ssh is ok
 1 file changed, 1 insertion(+)
# As shown above, committing to the local repository works.

Now the key test: can the commit be pushed to the server?

root@Git-Ubutntu:/home/git/myworkplace/git-test# git push
warning: push.default is unset; its implicit value is changing in
Git 2.0 from 'matching' to 'simple'. To squelch this message
and maintain the current behavior after the default changes, use:

  git config --global push.default matching

To squelch this message and adopt the new behavior now, use:

  git config --global push.default simple

See 'git help config' and search for 'push.default' for further information.
(the 'simple' mode was introduced in Git 1.7.11. Use the similar mode
'current' instead of 'simple' if you sometimes use older versions of Git)

git@202.205.161.48's password:
Permission denied, please try again.
git@202.205.161.48's password:
Permission denied, please try again.
git@202.205.161.48's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

The test failed... the client cannot connect to the remote repository.

The push below succeeded, because I removed the SSH login restriction for the git user on the git server.

root@Git-Ubutntu:/home/git/myworkplace/git-test# git push
warning: push.default is unset; its implicit value is changing in
Git 2.0 from 'matching' to 'simple'. To squelch this message
and maintain the current behavior after the default changes, use:

  git config --global push.default matching

To squelch this message and adopt the new behavior now, use:

  git config --global push.default simple

See 'git help config' and search for 'push.default' for further information.
(the 'simple' mode was introduced in Git 1.7.11. Use the similar mode
'current' instead of 'simple' if you sometimes use older versions of Git)

git@202.205.161.48's password:
Counting objects: 5, done.
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 297 bytes, done.
Total 3 (delta 0), reused 0 (delta 0)
To git@202.205.161.48:/home/git/git-test
   dfe7fea..84386d7  master -> master

root@Git-Ubutntu:/home/git/myworkplace/git-test# git log
commit 84386d7e6c4b4fc506efbd02e402fc993c15e011
Author: user <user@qq.com>
Date:   Wed Sep 4 15:16:16 2013 +0800

    test the ssh is ok

commit dfe7feafbe3f95f6217cb59eda3c117e7057e852
Author: user <user@qq.com>
Date:   Tue Sep 3 16:25:10 2013 +0800

    version1.1 user.qq

commit 7fdbd209fa4278d26ac544e6a3ed327129ad236e
Author: Jeffery <Jeffery@localhost.localdomain>
Date:   Wed Sep 4 00:18:50 2013 +0800

    version 1.0 (zhangwj)

Conclusion: once a user is denied SSH remote login, git also stops working when it authenticates with a password.

Next step: test git login using a public/private key pair.
