I. Parameter overview
| Parameter | Meaning |
| --- | --- |
| PermitRootLogin | Whether root may log in over SSH. "yes" (the default) allows it; "no" refuses root logins regardless of the authentication method (see experiment 1). |
| PasswordAuthentication | Whether password-based authentication is allowed. Default "yes". |
| PubkeyAuthentication | Whether public-key authentication is allowed. Applies only to SSH protocol 2. Default "yes". |
II. Test environment
| Item | Value |
| --- | --- |
| CPU | Intel(R) Core(TM) i5-1035G1 CPU @ 1.00GHz |
| OS | CentOS Linux release 7.9.2009 (Core) |
| Memory | 3G |
| Logical cores | 2 |
| Node 1 IP | 192.168.142.10 (hostname: czg0) |
| Node 2 IP | 192.168.142.11 (hostname: czg1) |
III. Experiments
0. Preparation
I set up passwordless (public-key) SSH login between the two machines.
I also wrote a small test program with Python's paramiko module; its only job is to check each server's memory. With no sshd parameter restrictions in place, a run looks like this:
[gbase@czg0 br_db_script]$ python3 br_run.py -m=2 -p=a
======================
登录IP:192.168.142.10 ,PORT:22 ,USER:root
执行命令:free -m |grep Mem
执行结果:
Mem: 3931 562 2033 153 1335 2064
======================
内存总大小为:3931 MB
======================
登录IP:192.168.142.11 ,PORT:22 ,USER:root
执行命令:free -m |grep Mem
执行结果:
Mem: 3931 522 2420 146 988 2235
======================
内存总大小为:3931 MB
1. PermitRootLogin
Change this parameter on node czg1 and restart the ssh service.
[root@czg1 ~]# cat /etc/ssh/sshd_config |grep PermitRootLogin
PermitRootLogin no
# the setting of "PermitRootLogin without-password".
[root@czg1 ~]# systemctl restart sshd
Log in from czg0 to czg1 as root. Because passwordless login was set up, no password should be needed, but with PermitRootLogin turned off a password prompt appears, and even the correct password is refused with Permission denied.
[root@czg0 ~]# ssh czg1
Warning: Permanently added 'czg1,192.168.142.11' (ECDSA) to the list of known hosts.
root@czg1's password:
Permission denied, please try again.
root@czg1's password:
Permission denied, please try again.
The python script, for its part, reports an authentication failure.
[gbase@czg0 br_db_script]$ python3 br_run.py -m=2 -p=a
======================
登录IP:192.168.142.10 ,PORT:22 ,USER:root
执行命令:free -m |grep Mem
执行结果:
Mem: 3931 563 2032 153 1335 2063
======================
内存总大小为:3931 MB
paramiko_ssh_remote_exec_command_func方法错误:
Authentication failed.
Traceback (most recent call last):
File "/opt/Developer/br_db_script/public_func.py", line 42, in paramiko_ssh_remote_exec_command_func
ssh.connect(hostname = br_ip_address, port = br_os_port_num, username = br_os_user, password = br_os_user_password)
File "/usr/local/lib/python3.6/site-packages/paramiko/client.py", line 446, in connect
passphrase,
File "/usr/local/lib/python3.6/site-packages/paramiko/client.py", line 764, in _auth
raise saved_exception
File "/usr/local/lib/python3.6/site-packages/paramiko/client.py", line 751, in _auth
self._transport.auth_password(username, password)
File "/usr/local/lib/python3.6/site-packages/paramiko/transport.py", line 1509, in auth_password
return self.auth_handler.wait_for_response(my_event)
File "/usr/local/lib/python3.6/site-packages/paramiko/auth_handler.py", line 250, in wait_for_response
raise e
Change it back to yes.
[root@czg1 ~]# cat /etc/ssh/sshd_config |grep PermitRootLogin
PermitRootLogin yes
# the setting of "PermitRootLogin without-password".
[root@czg1 ~]# systemctl restart sshd
Login works again.
[root@czg0 ~]# ssh czg1
Warning: Permanently added 'czg1,192.168.142.11' (ECDSA) to the list of known hosts.
Last failed login: Wed Jan 4 10:21:23 CST 2023 from czg0 on ssh:notty
There were 2 failed login attempts since the last successful login.
Last login: Wed Jan 4 10:20:38 2023 from czg0
[root@czg1 ~]#
The python script runs normally.
[gbase@czg0 br_db_script]$ python3 br_run.py -m=2 -p=a
======================
登录IP:192.168.142.10 ,PORT:22 ,USER:root
执行命令:free -m |grep Mem
执行结果:
Mem: 3931 562 2033 153 1335 2064
======================
内存总大小为:3931 MB
======================
登录IP:192.168.142.11 ,PORT:22 ,USER:root
执行命令:free -m |grep Mem
执行结果:
Mem: 3931 522 2420 146 988 2234
======================
内存总大小为:3931 MB
2. PasswordAuthentication
Change this parameter on node czg1 and restart the ssh service.
[root@czg1 ~]# cat /etc/ssh/sshd_config |grep PasswordAuthentication
#PasswordAuthentication yes
PasswordAuthentication no
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication, then enable this but set PasswordAuthentication
[root@czg1 ~]# systemctl restart sshd
Because I set up passwordless login, this parameter has no effect on key-based login, so plain ssh still works.
[root@czg0 ~]# ssh czg1
Warning: Permanently added 'czg1,192.168.142.11' (ECDSA) to the list of known hosts.
Last login: Wed Jan 4 14:26:42 2023 from czg0
[root@czg1 ~]#
When the python program authenticates over ssh with a password, however, it fails with: Bad authentication type; allowed types: ['publickey', 'gssapi-keyex', 'gssapi-with-mic'].
[gbase@czg0 br_db_script]$ python3 br_run.py -m=2 -p=a
======================
登录IP:192.168.142.10 ,PORT:22 ,USER:root
执行命令:free -m |grep Mem
执行结果:
Mem: 3931 561 2032 153 1337 2065
======================
内存总大小为:3931 MB
paramiko_ssh_remote_exec_command_func方法错误:
Bad authentication type; allowed types: ['publickey', 'gssapi-keyex', 'gssapi-with-mic']
Traceback (most recent call last):
File "/opt/Developer/br_db_script/public_func.py", line 42, in paramiko_ssh_remote_exec_command_func
ssh.connect(hostname = br_ip_address, port = br_os_port_num, username = br_os_user, password = br_os_user_password)
File "/usr/local/lib/python3.6/site-packages/paramiko/client.py", line 446, in connect
passphrase,
File "/usr/local/lib/python3.6/site-packages/paramiko/client.py", line 764, in _auth
raise saved_exception
File "/usr/local/lib/python3.6/site-packages/paramiko/client.py", line 751, in _auth
self._transport.auth_password(username, password)
File "/usr/local/lib/python3.6/site-packages/paramiko/transport.py", line 1509, in auth_password
return self.auth_handler.wait_for_response(my_event)
File "/usr/local/lib/python3.6/site-packages/paramiko/auth_handler.py", line 250, in wait_for_response
raise e
paramiko.ssh_exception.BadAuthenticationType: Bad authentication type; allowed types: ['publickey', 'gssapi-keyex', 'gssapi-with-mic']
Change it back to yes.
[root@czg1 ~]# systemctl restart sshd
[root@czg1 ~]# cat /etc/ssh/sshd_config |grep PasswordAuthentication
#PasswordAuthentication yes
PasswordAuthentication yes
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication, then enable this but set PasswordAuthentication
[root@czg1 ~]#
The python program works normally again.
[gbase@czg0 br_db_script]$ python3 br_run.py -m=2 -p=a
======================
登录IP:192.168.142.10 ,PORT:22 ,USER:root
执行命令:free -m |grep Mem
执行结果:
Mem: 3931 561 2033 153 1337 2065
======================
内存总大小为:3931 MB
======================
登录IP:192.168.142.11 ,PORT:22 ,USER:root
执行命令:free -m |grep Mem
执行结果:
Mem: 3931 525 2415 146 990 2230
======================
内存总大小为:3931 MB
3. PubkeyAuthentication
Change this parameter on node czg1 and restart the ssh service.
[root@czg1 ~]# cat /etc/ssh/sshd_config |grep PubkeyAuthentication
PubkeyAuthentication no
[root@czg1 ~]# systemctl restart sshd
Passwordless login from czg0 now prompts for a password; after entering the correct password, the login succeeds.
[root@czg0 ~]# ssh czg1
Warning: Permanently added 'czg1,192.168.142.11' (ECDSA) to the list of known hosts.
root@czg1's password:
Last login: Wed Jan 4 14:26:55 2023 from czg0
[root@czg1 ~]#
Change it back to yes.
[root@czg1 ~]# cat /etc/ssh/sshd_config |grep PubkeyAuthentication
PubkeyAuthentication yes
[root@czg1 ~]# systemctl restart sshd
Passwordless login works again.
[root@czg0 ~]# ssh czg1
Warning: Permanently added 'czg1,192.168.142.11' (ECDSA) to the list of known hosts.
Last login: Wed Jan 4 14:39:38 2023 from czg0
[root@czg1 ~]#
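The grep output in the experiments above shows commented lines next to the active setting, while sshd applies only the first uncommented occurrence of a keyword. The following added example (not code from the original post) parses sshd_config text with those rules, fills in the defaults from the parameter table, and predicts root's key and password login outcomes for the three experiments; it also covers the key-only value prohibit-password/without-password, which the experiments do not test, and assumes a flat config without Match blocks.

```python
# Added example, not code from the original post. It applies sshd's rules:
# the first occurrence of a keyword wins, '#' lines are comments, keywords are
# case-insensitive, unset options take the defaults listed in the table above.
# Assumption: a flat config with no Match blocks.
DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}

def effective_config(text):
    """Effective values of the three options from sshd_config text."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                  # grep shows these lines; sshd ignores them
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().strip('"').lower()
        if key in DEFAULTS and key not in seen:
            seen[key] = value         # later duplicates never take effect
    return {k: seen.get(k, default) for k, default in DEFAULTS.items()}

def root_login_outcomes(cfg):
    """Predict root's key and password logins, as seen in the experiments:
    PermitRootLogin no blocks both, PasswordAuthentication no blocks only the
    password path, PubkeyAuthentication no blocks only the key path.
    prohibit-password / without-password (key-only root) is also handled."""
    root = cfg["permitrootlogin"]
    if root == "no":
        return {"key": False, "password": False}
    if root not in ("yes", "prohibit-password", "without-password"):
        raise ValueError("unhandled PermitRootLogin value: " + root)
    return {
        "key": cfg["pubkeyauthentication"] == "yes",
        "password": root == "yes" and cfg["passwordauthentication"] == "yes",
    }

# Constructed sample modelled on the grep output from experiment 2 on czg1:
# the commented default, the active 'no', and a later duplicate sshd ignores.
SAMPLE_CZG1 = """\
PermitRootLogin yes
#PasswordAuthentication yes
PasswordAuthentication no
PasswordAuthentication yes
"""
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check, since it resolves the same first-match rule and any Match blocks.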