CentOS: Denying SSH Remote Login for Certain Users


[root@localhost ~]# vi /etc/pam.d/sshd
 

 
        Add auth       required     pam_listfile.so item=user sense=deny file=/etc/sshdusers onerr=succeed as the first line. Note that it must be the first line, because PAM evaluates the entries in order from the top.

auth       required     pam_listfile.so item=user sense=deny file=/etc/sshdusers onerr=succeed
#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth

# Check which users exist on this server

[root@localhost ~]# cd /home/
[root@localhost home]# ls
git

Add this user's name to the configuration file:
[root@localhost home]# vi /etc/sshdusers
git
Add git to the file   # git is a local user


# Restart the sshd service
[root@localhost home]# service sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]
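
As an added illustration (not code from the original post), the shell sketch below models how the pam_listfile rule above decides for a given user, including the case where the list file is missing and onerr=succeed lets everyone through. The function names and the temporary paths used in demo are assumptions made for this example; it reads copies, not the live /etc/pam.d/sshd.

```sh
#!/bin/sh
# Added example: models how the pam_listfile rule from this page decides.
# The file paths are arguments so it can run on copies, not the live /etc files.

# Print the first active "auth" line of a PAM service file.
first_auth_rule() { awk '$1 == "auth" { print; exit }' "$1"; }

# Print the value of a key=value option inside a rule line.
rule_opt() {
    printf '%s\n' "$1" | tr ' \t' '\n\n' | sed -n "s/^$2=//p" | head -n 1
}

# listfile_verdict PAM_FILE USER  ->  allow | deny | no-rule
listfile_verdict() {
    rule=$(first_auth_rule "$1")
    case $rule in
        *pam_listfile.so*) ;;
        *) echo no-rule; return 0 ;;   # rule is not the first auth entry
    esac
    file=$(rule_opt "$rule" file)
    sense=$(rule_opt "$rule" sense)
    onerr=$(rule_opt "$rule" onerr)
    if [ ! -e "$file" ]; then          # list missing: module returns onerr
        if [ "$onerr" = succeed ]; then echo allow; else echo deny; fi
        return 0
    fi
    # item=user is compared against whole lines of the list file
    if grep -Fxq -- "$2" "$file"; then listed=yes; else listed=no; fi
    if [ "$sense" = deny ] && [ "$listed" = yes ]; then echo deny
    elif [ "$sense" = allow ] && [ "$listed" = no ]; then echo deny
    else echo allow
    fi
}

# Constructed sample: the page's rule, pointed at a temporary list file.
demo() {
    d=$(mktemp -d)
    printf 'git\n' > "$d/sshdusers"
    {
        echo "auth required pam_listfile.so item=user sense=deny file=$d/sshdusers onerr=succeed"
        echo "auth required pam_sepermit.so"
    } > "$d/sshd"
    echo "git:  $(listfile_verdict "$d/sshd" git)"
    echo "root: $(listfile_verdict "$d/sshd" root)"
    rm -f "$d/sshdusers"               # deny list lost: onerr=succeed fails open
    echo "git (list missing): $(listfile_verdict "$d/sshd" git)"
    rm -rf "$d"
}
demo
```

Because the rule sits in the auth stack, it only takes effect for logins that sshd authenticates through PAM (password or keyboard-interactive); sshd's public-key authentication does not run the PAM auth stack. The DenyUsers keyword of sshd_config, which is not present in the default file and has to be added by hand, applies to every authentication method.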
 
Test from another terminal
 

Last login: Wed Sep  4 14:45:19 2013 from 10.191.197.161
root@Git-Ubutntu:~# ssh git@202.205.161.48
The authenticity of host '202.205.161.48 (202.205.161.48)' can't be established.
RSA key fingerprint is 40:2a:10:80:c3:20:e6:ea:fe:4a:4d:cd:79:df:86:29.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '202.205.161.48' (RSA) to the list of known hosts.
git@202.205.161.48's password:
Permission denied, please try again.
git@202.205.161.48's password:
Permission denied, please try again.
git@202.205.161.48's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

I also saw someone solve this by "setting DenyUsers in /etc/ssh/sshd_config", but when I edited that file I could not find a DenyUsers field... so I did not get it working..

Test result: the user git cannot log in remotely over SSH...

Next, check whether root's remote SSH login still works..
root@Git-Ubutntu:~# ssh root@202.205.161.48
root@202.205.161.48's password:
Last login: Wed Sep  4 15:00:45 2013 from 10.191.197.39
[root@localhost ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:15:5D:A1:58:09 
          inet addr:202.205.161.48  Bcast:202.205.161.255  Mask:255.255.254.0
          inet6 addr: fe80::215:5dff:fea1:5809/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11199428 errors:0 dropped:0 overruns:0 frame:0
          TX packets:191501 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2603340038 (2.4 GiB)  TX bytes:13760114 (13.1 MiB)

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:226 errors:0 dropped:0 overruns:0 frame:0
          TX packets:226 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:29132 (28.4 KiB)  TX bytes:29132 (28.4 KiB)

[root@localhost ~]#

The test above shows that the root user can still log in remotely over SSH!

################################################################################
Next, test whether the git client can still use SSH while SSH remote login is denied for the git user.

root@Git-Ubutntu:~# cd /home/git/
root@Git-Ubutntu:/home/git# ls
myworkplace
root@Git-Ubutntu:/home/git# cd myworkplace/
root@Git-Ubutntu:/home/git/myworkplace# ls
git-test
root@Git-Ubutntu:/home/git/myworkplace# cd git-test/
root@Git-Ubutntu:/home/git/myworkplace/git-test# ls
file.txt
root@Git-Ubutntu:/home/git/myworkplace/git-test# git log
commit dfe7feafbe3f95f6217cb59eda3c117e7057e852
Author: user <user@qq.com>
Date:   Tue Sep 3 16:25:10 2013 +0800

    version1.1 user.qq

commit 7fdbd209fa4278d26ac544e6a3ed327129ad236e
Author: Jeffery <Jeffery@localhost.localdomain>
Date:   Wed Sep 4 00:18:50 2013 +0800

    version 1.0 (zhangwj)
root@Git-Ubutntu:/home/git/myworkplace/git-test# vi file.txt
version 1.0 (zhangwj);
version 1.1 (user.qq);
version 1.2 (user.qq);  Test the Ssh is OK?
"file.txt" 3L, 90C written                                   
root@Git-Ubutntu:/home/git/myworkplace/git-test# git add file.txt
root@Git-Ubutntu:/home/git/myworkplace/git-test# git commit -a -m "test the ssh is ok"

*** Please tell me who you are.

Run

  git config --global user.email "you@example.com"
  git config --global user.name "Your Name"

to set your account's default identity.
Omit --global to set the identity only in this repository.

fatal: unable to auto-detect email address (got 'root@Git-Ubutntu.(none)')

# It asks me to set git's global configuration... configure the user name and email

root@Git-Ubutntu:/home/git/myworkplace/git-test# git config --global user.email "user@qq.com"
root@Git-Ubutntu:/home/git/myworkplace/git-test# git config --global user.name "user"
root@Git-Ubutntu:/home/git/myworkplace/git-test# git commit -a -m"test the ssh is ok"
[master 84386d7] test the ssh is ok
 1 file changed, 1 insertion(+)
# Above: committing to the local repository works..

Now the key test: whether the commit can be pushed to the server..

root@Git-Ubutntu:/home/git/myworkplace/git-test# git push
warning: push.default is unset; its implicit value is changing in
Git 2.0 from 'matching' to 'simple'. To squelch this message
and maintain the current behavior after the default changes, use:

  git config --global push.default matching

To squelch this message and adopt the new behavior now, use:

  git config --global push.default simple

See 'git help config' and search for 'push.default' for further information.
(the 'simple' mode was introduced in Git 1.7.11. Use the similar mode
'current' instead of 'simple' if you sometimes use older versions of Git)

git@202.205.161.48's password:
Permission denied, please try again.
git@202.205.161.48's password:
Permission denied, please try again.
git@202.205.161.48's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Test failed.... Cannot connect to the remote repository... SSH remote login is denied for certain users

The push below succeeded, because I removed the SSH login restriction for the git user on the git server..
root@Git-Ubutntu:/home/git/myworkplace/git-test# git push
warning: push.default is unset; its implicit value is changing in
Git 2.0 from 'matching' to 'simple'. To squelch this message
and maintain the current behavior after the default changes, use:

  git config --global push.default matching

To squelch this message and adopt the new behavior now, use:

  git config --global push.default simple

See 'git help config' and search for 'push.default' for further information.
(the 'simple' mode was introduced in Git 1.7.11. Use the similar mode
'current' instead of 'simple' if you sometimes use older versions of Git)

git@202.205.161.48's password:
Counting objects: 5, done.
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 297 bytes, done.
Total 3 (delta 0), reused 0 (delta 0)
To git@202.205.161.48:/home/git/git-test
   dfe7fea..84386d7  master -> master

root@Git-Ubutntu:/home/git/myworkplace/git-test# git log
commit 84386d7e6c4b4fc506efbd02e402fc993c15e011
Author: user <user@qq.com>
Date:   Wed Sep 4 15:16:16 2013 +0800

    test the ssh is ok

commit dfe7feafbe3f95f6217cb59eda3c117e7057e852
Author: user <user@qq.com>
Date:   Tue Sep 3 16:25:10 2013 +0800

    version1.1 user.qq

commit 7fdbd209fa4278d26ac544e6a3ed327129ad236e
Author: Jeffery <Jeffery@localhost.localdomain>
Date:   Wed Sep 4 00:18:50 2013 +0800

    version 1.0 (zhangwj)

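Conclusion: once a user is denied SSH remote login, git can no longer be used with password authentication either!!

Next step: test git login using public/private key authentication!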


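This article was published on CentOS中文站 - 专注Linux技术 by author centos. Copyright belongs to CentOS中文站 - 专注Linux技术; the content is the author's personal view and does not mean that CentOS中文站 - 专注Linux技术 agrees with or endorses it. If you repost it, please credit the source.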
