SSH rules are not being enforced

For some reason, SSH is no longer restricted. I can log in as any user and choose any authentication method. I created a test user; the test user is not in the allow list, yet it can still log in as any user and with any authentication method.

The rules used to be enforced, but have now stopped working. This is happening on an AlmaLinux 8 system.

Here is the existing configuration:

PermitRootLogin no
PubkeyAuthentication no
PasswordAuthentication no

Match User nagios
    PasswordAuthentication no
    PubkeyAuthentication yes

Match User meta
    PasswordAuthentication yes
    PubkeyAuthentication yes

Match User yubi Address 10.10.0.201/32
    PasswordAuthentication no
    PubkeyAuthentication yes
    AllowUsers yubi

Match Address 10.10.0.0/24
    AllowUsers meta

Match Address 22.22.22.22
    AllowUsers nagios

The problem also occurs on AlmaLinux 9. It looks as if the per-user overrides no longer take effect. Here is the complete contents of my AlmaLinux 9 file /etc/ssh/sshd_config.d/sshd_custom_rules.conf

## Custom SSH rules
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication no

Match Address 192.168.68.0/22
    AllowUsers yubi repository-admin

Match User yubi
    PasswordAuthentication yes
    PubkeyAuthentication no

Match User repository-admin
    PasswordAuthentication no
    PubkeyAuthentication yes

The main sshd_config is left at its defaults. The uncommented lines are as follows.

Include /etc/ssh/sshd_config.d/*.conf
Port 22
AuthorizedKeysFile      .ssh/authorized_keys
Subsystem       sftp    /usr/libexec/openssh/sftp-server

Here is the content of the file /etc/ssh/sshd_config.d/50-redhat.conf

# This system is following system-wide crypto policy. The changes to
# crypto properties (Ciphers, MACs, ...) will not have any effect in
# this or following included files. To override some configuration option,
# write it before this block or include it before this file.
# Please, see manual pages for update-crypto-policies(8) and sshd_config(5).
Include /etc/crypto-policies/back-ends/opensshserver.config

SyslogFacility AUTHPRIV

ChallengeResponseAuthentication yes

GSSAPIAuthentication yes
GSSAPICleanupCredentials no

UsePAM yes

X11Forwarding yes

# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
# as it is more configurable and versatile than the built-in version.
PrintMotd no

If I remove a user from the config file, they cannot log in. Once a user is enabled, they can get in with every authentication method, even though they are only granted PubkeyAuthentication or PasswordAuthentication.

Answer 1

To disable password authentication, ChallengeResponseAuthentication needs to be set to no
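To see why the per-user overrides behave the way the question describes, here is an added example (not from the question or the answer, and not OpenSSH code) that models how sshd combines the global section, the sorted Include files and the Match blocks quoted above, and then reports whether a password prompt is still reachable for a given user and source address. It treats ChallengeResponseAuthentication as the deprecated alias of KbdInteractiveAuthentication, as OpenSSH 8.7 and later do (the version on AlmaLinux 9; on AlmaLinux 8's OpenSSH 8.0 the answer's older keyword name is the one to set). The drop-in file name 00-no-kbdint.conf and the client address 192.168.68.10 are constructed for the demonstration.

```python
"""Work out which sshd settings apply to one user connecting from one address.
Rules from sshd_config(5): in the global section the first value obtained wins
(the Include glob reads drop-in files in sorted name order); a matching Match
block overrides the global value, the first matching block to set a keyword
winning. Added example covering only the User/Address criteria; not OpenSSH code."""
import ipaddress
import shlex

ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}  # deprecated alias
LIST_KEYWORDS = {"allowusers"}  # Match-block values are appended, not replaced

# Constructed copies of the drop-in files quoted in the question (only the lines
# that matter here; Include lines omitted).
REDHAT_CONF = """
ChallengeResponseAuthentication yes
UsePAM yes
"""
CUSTOM_RULES = """
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication no
Match Address 192.168.68.0/22
    AllowUsers yubi repository-admin
Match User yubi
    PasswordAuthentication yes
    PubkeyAuthentication no
Match User repository-admin
    PasswordAuthentication no
    PubkeyAuthentication yes
"""

def assemble(files):
    """Emulate 'Include /etc/ssh/sshd_config.d/*.conf': sorted name order, so
    50-redhat.conf is read before sshd_custom_rules.conf."""
    return "\n".join(files[name] for name in sorted(files))

def parse(text):
    """Split into global (keyword, args) pairs and (criteria, lines) Match blocks."""
    global_lines, blocks, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *args = shlex.split(line)
        key = ALIASES.get(key.lower(), key.lower())
        if key == "match":
            criteria = {c.lower(): v.split(",") for c, v in zip(args[::2], args[1::2])}
            current = (criteria, [])
            blocks.append(current)
        elif current is None:
            global_lines.append((key, args))
        else:
            current[1].append((key, args))
    return global_lines, blocks

def block_matches(criteria, user, addr):
    """Every criterion on the Match line must hold."""
    ip = ipaddress.ip_address(addr)
    for crit, values in criteria.items():
        if crit == "user" and user not in values:
            return False
        if crit == "address" and not any(ip in ipaddress.ip_network(v, strict=False) for v in values):
            return False
        if crit not in ("user", "address"):
            raise ValueError(f"unsupported Match criterion {crit!r}")
    return True

def apply_lines(conf, lines):
    """First value obtained wins; list keywords accumulate."""
    for key, args in lines:
        if key in LIST_KEYWORDS:
            conf.setdefault(key, []).extend(args)
        else:
            conf.setdefault(key, " ".join(args))

def effective_config(text, user, addr):
    """Global section first, then overrides from each matching Match block."""
    global_lines, blocks = parse(text)
    conf, overrides = {}, {}
    apply_lines(conf, global_lines)
    for criteria, lines in blocks:
        if block_matches(criteria, user, addr):
            apply_lines(overrides, lines)
    for key, value in overrides.items():
        if key in LIST_KEYWORDS:
            conf.setdefault(key, []).extend(value)
        else:
            conf[key] = value
    return conf

def password_prompt_possible(conf):
    """A password can be typed via the 'password' method, or via keyboard-interactive when
    UsePAM and KbdInteractiveAuthentication are both yes (PAM then asks for the Unix password).
    Defaults: PasswordAuthentication yes, KbdInteractiveAuthentication yes, UsePAM no."""
    password = conf.get("passwordauthentication", "yes") == "yes"
    kbdint = conf.get("kbdinteractiveauthentication", "yes") == "yes" and conf.get("usepam", "no") == "yes"
    return password or kbdint

if __name__ == "__main__":
    posted = {"50-redhat.conf": REDHAT_CONF, "sshd_custom_rules.conf": CUSTOM_RULES}
    fixed = {**posted, "00-no-kbdint.conf": "KbdInteractiveAuthentication no\n"}  # constructed; sorts first
    for files in (posted, fixed):
        for user in ("yubi", "repository-admin"):
            conf = effective_config(assemble(files), user, "192.168.68.10")
            print(sorted(files)[0], user, "password prompt possible:", password_prompt_possible(conf))
```

Two things the model makes visible. First, with the files as posted, repository-admin (PasswordAuthentication no) and a user not named in any Match block can still be asked for a password, because 50-redhat.conf leaves keyboard-interactive on and UsePAM yes lets PAM prompt for the Unix password; that is the behaviour the question reports and the answer's keyword is what turns it off. Second, where the override goes matters: appended to sshd_custom_rules.conf it is read after 50-redhat.conf and loses to the first value obtained, which is exactly what the comment at the top of 50-redhat.conf warns about, so it belongs in a file that sorts earlier, in sshd_config before the Include line, or inside each Match User block (a Match block always overrides the global value). On the real host, `sshd -T -C user=repository-admin,addr=192.168.68.10` prints the settings the daemon itself computes for that connection and is the authoritative check.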
