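I previously set up a small proxy service on a Google virtual host, but using it only as a proxy felt like a waste, so I recently decided to put the server to real use. I ran into a small problem when connecting over SSH, so I am writing it down here.
SSH
What is SSH?
If you use Linux a lot and often need to connect to servers remotely, SSH should be familiar. For how it works, see another blog post, Ruan Yifeng's explanation of how SSH works, which I think is very easy to follow.
Problems encountered
SSH would not connect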
It kept reporting Permission denied (publickey), even though I had clearly put my RSA public key into ~/.ssh/authorized_keys and had also edited the /etc/sshd_config configuration file. It still failed. In the end I found the problem: I had missed the setting that allows password login. The configuration file is as follows:

```
# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
ListenAddress ::
ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

# Kerberos options
KerberosAuthentication no
KerberosGetAFSToken no
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes

# GSSAPI options
GSSAPIAuthentication no
GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
UseLogin no

MaxStartups 10:30:60
Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

# Google Compute Engine times out connections after 10 minutes of inactivity.
# Keep alive ssh connections by sending a packet every 2 minutes.
ClientAliveInterval 120

# Prevent reverse DNS lookups.
UseDNS no
```
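The SSH configuration files live under /etc/ssh/. sshd_config is the configuration file for the SSH server (that is, when your personal machine connects to your server, these are the restrictions you place on the personal machine), and ssh_config is the configuration file for the SSH client. I needed to modify sshd_config so that I could connect remotely to this Google host. The changes are as follows:

```
PermitRootLogin yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
PasswordAuthentication yes
```

Change the values of the settings above to yes, remove the comment symbol #, and then it works.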
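Add the local machine's RSA public key to the host for passwordless login
Command to generate the key pair:

```
ssh-keygen
```

You can just keep pressing Enter. You can also set a passphrase on the private key so that it is encrypted, which protects it if the file leaks.
View the local machine's RSA public key with cat ~/.ssh/id_rsa.pub, then copy it and paste it into ~/.ssh/authorized_keys on the remote host. After that, passwordless login works.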
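
The settings edited above decide which login methods the server accepts, and with StrictModes yes the permissions on ~/.ssh also decide whether a key in authorized_keys is used at all. The following is an added example, not part of the original post: shell functions that read the value sshd would use for a directive and list key paths with loose permissions. The function names are made up for this example, and it assumes "Keyword value" lines, no Include files, and global settings only (parsing stops at the first Match block).

```shell
#!/bin/sh
# Added example, not from the original post; function names are hypothetical.

# Print the first uncommented global value of directive $2 in file $1.
# sshd uses the first value it finds for a keyword; keywords are
# case-insensitive. Assumptions: "Keyword value" form, Include files are
# not followed, and parsing stops at the first Match block.
sshd_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Report the login directives this post edits. Returns 1 if a value
# disables key login, accepts passwords, or allows direct root login.
audit_sshd() {
    status=0
    for key in PubkeyAuthentication PasswordAuthentication PermitRootLogin; do
        val=$(sshd_value "$1" "$key" | tr '[:upper:]' '[:lower:]')
        note=""
        case "$key:$val" in
            PubkeyAuthentication:no)    note="  <- key login disabled" ;;
            PasswordAuthentication:yes) note="  <- passwords accepted" ;;
            PermitRootLogin:yes)        note="  <- direct root login allowed" ;;
        esac
        [ -z "$note" ] || status=1
        printf '%s = %s%s\n' "$key" "${val:-(not set, built-in default applies)}" "$note"
    done
    return "$status"
}

# With "StrictModes yes" (as in the file above) sshd refuses to use
# authorized_keys when the file, ~/.ssh or the home directory is writable
# by group or others. Print any such path under home directory $1;
# no output means the modes pass this check.
loose_key_paths() {
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] && find "$p" -prune \( -perm -020 -o -perm -002 \) -print
    done
    return 0
}
```

On the server, source the file and run audit_sshd /etc/ssh/sshd_config and loose_key_paths "$HOME" as the account that logs in. Running sshd -T as root prints the configuration the daemon actually uses, including built-in defaults.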
References:
How SSH works