sshd_config
I am trying to secure my Linux machine by changing a few settings in system files. Here is the sshd_config file:
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel VERBOSE
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 3
#MaxSessions 10
#PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication no
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
#   X11Forwarding no
#   AllowTcpForwarding no
#   PermitTTY no
#   ForceCommand cvs server
First, I don't want to allow root login, so I changed that setting to no. Then I reduced the maximum number of login attempts from 6 to 3 (this one works). Finally, I disabled the option to log in with a password and require a private key instead. However, when I try to run ssh root@localhost to test the changes, you can see from the output below that nothing was actually applied:
ssh root@localhost
root@localhost's password:
Permission denied, please try again.
root@localhost's password:
Permission denied, please try again.
root@localhost's password:
root@localhost: Permission denied (publickey,password)
Here is the output of cat /var/log/syslog | grep ssh (the whole file is about 13000 lines and I'm fairly sure it contains sensitive information, so I have only included the ssh part). When this log was created the log level was set to INFO. I have just changed it to VERBOSE, but the log below is not verbose:
Feb 20 14:34:32 kali systemd[1022]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
Feb 20 19:38:20 kali systemd[1513]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
Feb 20 19:38:20 kali gpg-agent[1620]: using fd 3 for ssh socket (/run/user/1000/gnupg/S.gpg-agent.ssh)
Feb 20 19:38:20 kali gpg-agent[1620]: listening on: std=6 extra=4 browser=5 ssh=3
Feb 20 19:38:20 kali gpg-agent[1623]: using fd 3 for ssh socket (/run/user/1000/gnupg/S.gpg-agent.ssh)
Feb 20 19:38:20 kali gpg-agent[1623]: listening on: std=6 extra=4 browser=5 ssh=3
Feb 20 19:38:29 kali systemd[1022]: Closed GnuPG cryptographic agent (ssh-agent emulation).
Feb 20 19:54:46 kali systemd[9539]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
Feb 20 19:59:43 kali systemd[9539]: Closed GnuPG cryptographic agent (ssh-agent emulation).
Feb 21 14:36:16 kali systemd[1]: Regenerate SSH host keys was skipped because of a failed condition check (ConditionPathExistsGlob=!/etc/ssh/ssh_host_*_key).
Feb 21 14:36:23 kali systemd[1013]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
Feb 21 14:36:35 kali systemd[1160]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
Feb 21 14:36:36 kali gpg-agent[1269]: using fd 4 for ssh socket (/run/user/1000/gnupg/S.gpg-agent.ssh)
Feb 21 14:36:36 kali gpg-agent[1269]: listening on: std=6 extra=5 browser=3 ssh=4
Feb 21 14:36:36 kali gpg-agent[1272]: using fd 4 for ssh socket (/run/user/1000/gnupg/S.gpg-agent.ssh)
Feb 21 14:36:36 kali gpg-agent[1272]: listening on: std=6 extra=5 browser=3 ssh=4
Feb 21 14:36:44 kali systemd[1013]: Closed GnuPG cryptographic agent (ssh-agent emulation).
Feb 21 21:02:14 kali systemd[27772]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
Feb 22 18:53:51 kali systemd[1]: Regenerate SSH host keys was skipped because of a failed condition check (ConditionPathExistsGlob=!/etc/ssh/ssh_host_*_key).
Feb 22 18:53:58 kali systemd[1009]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
Feb 22 18:54:18 kali systemd[1162]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
Feb 22 18:54:19 kali gpg-agent[1276]: using fd 6 for ssh socket (/run/user/1000/gnupg/S.gpg-agent.ssh)
Feb 22 18:54:19 kali gpg-agent[1276]: listening on: std=3 extra=4 browser=5 ssh=6
Feb 22 18:54:19 kali gpg-agent[1279]: using fd 6 for ssh socket (/run/user/1000/gnupg/S.gpg-agent.ssh)
Feb 22 18:54:19 kali gpg-agent[1279]: listening on: std=3 extra=4 browser=5 ssh=6
Feb 22 18:54:26 kali systemd[1009]: Closed GnuPG cryptographic agent (ssh-agent emulation).
Feb 22 18:56:51 kali dbus-daemon[3256]: [session uid=0 pid=3254] Activating service name='org.freedesktop.portal.Desktop' requested by ':1.0' (uid=0 pid=3250 comm="gedit /etc/ssh/sshd_config ")
Feb 22 18:56:51 kali dbus-daemon[3256]: [session uid=0 pid=3254] Activating service name='ca.desrt.dconf' requested by ':1.0' (uid=0 pid=3250 comm="gedit /etc/ssh/sshd_config ")
Feb 22 19:13:05 kali systemd[1]: ssh.service: Deactivated successfully.
Feb 22 19:15:03 kali systemd[1]: ssh.service: Deactivated successfully.
Feb 22 19:16:59 kali systemd[1]: ssh.service: Deactivated successfully.
Feb 22 19:18:52 kali systemd[1]: ssh.service: Deactivated successfully.
Feb 22 19:20:08 kali systemd[1]: Regenerate SSH host keys was skipped because of a failed condition check (ConditionPathExistsGlob=!/etc/ssh/ssh_host_*_key).
Feb 22 19:20:13 kali systemd[945]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
Feb 22 19:20:25 kali systemd[1096]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
Feb 22 19:20:26 kali gpg-agent[1203]: using fd 5 for ssh socket (/run/user/1000/gnupg/S.gpg-agent.ssh)
Feb 22 19:20:26 kali gpg-agent[1203]: listening on: std=4 extra=6 browser=3 ssh=5
Feb 22 19:20:26 kali gpg-agent[1206]: using fd 5 for ssh socket (/run/user/1000/gnupg/S.gpg-agent.ssh)
Feb 22 19:20:26 kali gpg-agent[1206]: listening on: std=4 extra=6 browser=3 ssh=5
Feb 22 19:20:35 kali systemd[945]: Closed GnuPG cryptographic agent (ssh-agent emulation).
Feb 22 19:28:55 kali dbus-daemon[4386]: [session uid=0 pid=4384] Activating service name='org.freedesktop.portal.Desktop' requested by ':1.0' (uid=0 pid=4380 comm="gedit /etc/ssh/sshd_config ")
Feb 22 19:28:55 kali dbus-daemon[4386]: [session uid=0 pid=4384] Activating service name='ca.desrt.dconf' requested by ':1.0' (uid=0 pid=4380 comm="gedit /etc/ssh/sshd_config ")
Feb 22 19:53:22 kali systemd[24743]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
Feb 22 20:14:28 kali systemd[1]: Regenerate SSH host keys was skipped because of a failed condition check (ConditionPathExistsGlob=!/etc/ssh/ssh_host_*_key).
Feb 22 20:14:34 kali systemd[947]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
Feb 22 20:16:59 kali systemd[1385]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
Feb 22 20:17:00 kali gpg-agent[1493]: using fd 4 for ssh socket (/run/user/1000/gnupg/S.gpg-agent.ssh)
Feb 22 20:17:00 kali gpg-agent[1493]: listening on: std=6 extra=5 browser=3 ssh=4
Feb 22 20:17:00 kali gpg-agent[1496]: using fd 4 for ssh socket (/run/user/1000/gnupg/S.gpg-agent.ssh)
Feb 22 20:17:00 kali gpg-agent[1496]: listening on: std=6 extra=5 browser=3 ssh=4
Feb 22 20:17:09 kali systemd[947]: Closed GnuPG cryptographic agent (ssh-agent emulation).
Feb 22 20:23:52 kali dbus-daemon[4653]: [session uid=0 pid=4651] Activating service name='org.freedesktop.portal.Desktop' requested by ':1.0' (uid=0 pid=4647 comm="gedit /etc/ssh/sshd_config ")
Feb 22 20:23:52 kali dbus-daemon[4653]: [session uid=0 pid=4651] Activating service name='ca.desrt.dconf' requested by ':1.0' (uid=0 pid=4647 comm="gedit /etc/ssh/sshd_config ")
Feb 22 20:25:04 kali systemd[1]: ssh.service: Deactivated successfully.
Feb 22 20:52:06 kali systemd[1]: ssh.service: Deactivated successfully.
Feb 22 21:04:36 kali systemd[16788]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
Feb 23 09:00:30 kali systemd[1]: Regenerate SSH host keys was skipped because of a failed condition check (ConditionPathExistsGlob=!/etc/ssh/ssh_host_*_key).
Feb 23 09:00:37 kali systemd[1012]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
Feb 23 09:00:55 kali systemd[1095]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
Feb 23 09:00:56 kali gpg-agent[1203]: using fd 3 for ssh socket (/run/user/1000/gnupg/S.gpg-agent.ssh)
Feb 23 09:00:56 kali gpg-agent[1203]: listening on: std=4 extra=5 browser=6 ssh=3
Feb 23 09:00:56 kali gpg-agent[1206]: using fd 3 for ssh socket (/run/user/1000/gnupg/S.gpg-agent.ssh)
Feb 23 09:00:56 kali gpg-agent[1206]: listening on: std=4 extra=5 browser=6 ssh=3
Feb 23 14:01:06 kali systemd[1012]: Closed GnuPG cryptographic agent (ssh-agent emulation).
Feb 23 14:09:43 kali systemd[1]: Regenerate SSH host keys was skipped because of a failed condition check (ConditionPathExistsGlob=!/etc/ssh/ssh_host_*_key).
Feb 23 14:09:49 kali systemd[1006]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
Feb 23 14:10:20 kali systemd[1383]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
Feb 23 14:10:21 kali gpg-agent[1491]: using fd 6 for ssh socket (/run/user/1000/gnupg/S.gpg-agent.ssh)
Feb 23 14:10:21 kali gpg-agent[1491]: listening on: std=4 extra=3 browser=5 ssh=6
Feb 23 14:10:21 kali gpg-agent[1494]: using fd 6 for ssh socket (/run/user/1000/gnupg/S.gpg-agent.ssh)
Feb 23 14:10:21 kali gpg-agent[1494]: listening on: std=4 extra=3 browser=5 ssh=6
Feb 23 14:10:29 kali systemd[1006]: Closed GnuPG cryptographic agent (ssh-agent emulation).
Feb 23 14:12:56 kali systemd[1]: ssh.service: Deactivated successfully.
Feb 23 14:13:11 kali systemd[1]: ssh.service: Deactivated successfully.
It allows root login and asks for a password. The location of my sshd_config file is /etc/ssh/sshd_config, which seems like a strange location to me because I thought it should be in a normal user's home directory (e.g. $HOME/.ssh/sshd_config). Maybe that has something to do with it? Can someone help me understand the problem here and suggest a solution?
Edit: @mashuptwice pointed out that the root login prompt is a feature and works as intended. However, even though I disabled password authentication, I can still use my password when I try to log in as a normal user. Here is the output when I run ssh <username>@localhost:
ssh johnmap007@localhost
johnmap007@localhost's password:
Linux kali 5.16.0-kali1-amd64 #1 SMP PREEMPT Debian 5.16.7-2kali1 (2022-02-10) x86_64
The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Feb 23 15:12:59 2022 from ::1
Warning: PATH set to RVM ruby but GEM_HOME and/or GEM_PATH not set, see:
https://github.com/rvm/rvm/issues/3212
┌──(johnmap007㉿kali)-[~]
└─$
Answer 1
Your output is what is expected when root login is disabled.
Even with root login disabled, SSH still shows a password prompt. This means that even if you enter the correct password, SSH will still show you Permission denied.
This behaviour exists to avoid leaking any information about root login being disabled.
If you still want to be able to log in as root with key-based authentication but disable password-based login, you need to change the configuration to PermitRootLogin prohibit-password.
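The following script is an added example, not code from the post or from OpenSSH. It emulates the two rules from sshd_config(5) that decide what the question's edits actually did: a line that still starts with `#` is a comment and sets nothing, and for every keyword the first value obtained wins, so anything pulled in by the `Include sshd_config.d/*.conf` line near the top of the file takes precedence over the same keyword set further down. It resolves the three keywords from the question against the lines as posted (still commented out, so the defaults apply and a password is still offered, matching the `(publickey,password)` in the output), against an uncommented version using the answer's `PermitRootLogin prohibit-password`, and against that version plus a constructed drop-in file that silently re-enables passwords. The DEFAULTS table, the drop-in file name and resolving relative Include patterns against the main file's directory (real sshd uses /etc/ssh) are assumptions of the example; Match blocks are not modelled.

```python
"""Emulate how sshd resolves the global value of an sshd_config keyword.

Added example, not code from the original post or from OpenSSH. Rules
modelled, from sshd_config(5): '#' lines set nothing; the FIRST value
obtained for a keyword wins; Include is expanded in place, in sorted order.
Parsing of a file stops at its first Match line (conditional blocks are
out of scope). Relative Include patterns are resolved against the main
file's directory here; real sshd resolves them against /etc/ssh.
"""
import re
import tempfile
from pathlib import Path

# Documented defaults for the keywords discussed in the post (assumption:
# OpenSSH 8.x/9.x; a distro package may ship different defaults).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "maxauthtries": "6",
    "pubkeyauthentication": "yes",
}

# "Keyword value" or "Keyword=value"; keywords are case-insensitive.
_LINE = re.compile(r"^(\S+)(?:\s*=\s*|\s+)(.*?)\s*$")


def _read(path, seen, base):
    """Record the first value seen for each keyword, following Include."""
    for raw in path.read_text().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # '#PermitRootLogin no' sets nothing
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            return                        # conditional block: not modelled
        if key == "include":
            for pattern in value.split():
                pat = Path(pattern)
                if not pat.is_absolute():
                    pat = base / pat      # assumption: relative to main file
                for inc in sorted(pat.parent.glob(pat.name)):
                    _read(inc, seen, base)
            continue
        seen.setdefault(key, value)       # first obtained value wins


def effective_config(main):
    """Return the effective global value of each keyword in DEFAULTS."""
    main = Path(main)
    seen = {}
    _read(main, seen, main.parent)
    return {k: seen.get(k, default) for k, default in DEFAULTS.items()}


def resolve(main_text, dropins=None):
    """Write a throwaway config tree (constructed input) and resolve it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "sshd_config.d").mkdir()
        for name, text in (dropins or {}).items():
            (root / "sshd_config.d" / name).write_text(text)
        (root / "sshd_config").write_text(main_text)
        return effective_config(root / "sshd_config")


# The relevant lines exactly as they appear in the posted file: the leading
# '#' was never removed, so each of them is still a comment.
POSTED = """\
Include sshd_config.d/*.conf
#PermitRootLogin no
#MaxAuthTries 3
#PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
"""

# Uncommented, using the answer's prohibit-password so root can still use a key.
FIXED = """\
Include sshd_config.d/*.conf
PermitRootLogin prohibit-password
MaxAuthTries 3
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
"""

# A constructed drop-in of the kind that images often place in sshd_config.d/.
DROPIN = {"50-cloud-init.conf": "PasswordAuthentication yes\n"}

if __name__ == "__main__":
    for label, cfg, extra in (("as posted", POSTED, None),
                              ("uncommented", FIXED, None),
                              ("uncommented + drop-in", FIXED, DROPIN)):
        print(f"{label:22} {resolve(cfg, extra)}")
```

On the real host the equivalent check is `sudo sshd -T | grep -iE 'permitrootlogin|passwordauthentication|maxauthtries'`, which prints the values the daemon would actually use after Include expansion; `sudo sshd -t` validates the syntax first, and a changed file only takes effect after `sudo systemctl restart ssh`.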