1

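This is what I need to achieve:

  1. Key-based, passwordless authentication for the user root
  2. Password-based authentication for any other user except root

The server I need to access is running Debian 9 (stretch).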


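On my client, I created a key pair like this: ssh-keygen

This created the files ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub.

Now I copied the contents of ~/.ssh/id_rsa.pub to /root/.ssh/authorized_keys on the server and set the permissions of the key file to 600.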


Then I modified /etc/ssh/sshd_config on the server by setting the following values:

PermitRootLogin without-password
PubkeyAuthentication yes

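Now I restarted the ssh service on the server and tried to log in via ssh root@sub.domain.tld.


It still ends with a password prompt for the user root.

You can find the result of ssh -vvv root@sub.domain.tld here (Ubuntu Pastebin).

What modification am I missing?

Kind regards // neph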

4

1 Answer

-1

You should follow this tutorial; there are a lot of outdated ones. It worked for me on Ubuntu 19.04.

All you have to do is:

apt-get install libpam-google-authenticator.

Users who want to continue using ssh must each run the command google-authenticator. This tool interactively helps you to create the file ~/.google_authenticator, which contains a shared secret and emergency passcodes. It's a terminal application, but it does still display a QR code for quick loading of the shared secret into your two factor device (in my case, this is the Google Authenticator app on my Android smartphone).

Edit /etc/ssh/sshd_config. Set:

ChallengeResponseAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive

In case you have changed them in the past, you should also check the following two settings (these are both defaults on Ubuntu):

UsePAM yes
PubkeyAuthentication yes

Run sudo service ssh reload to pick up your changes to /etc/ssh/sshd_config.

Edit /etc/pam.d/sshd and replace the line:

@include common-auth

with:

auth required pam_google_authenticator.so

That's it! Now ssh logins will require a key, and after your key is verified will additionally require proof that you hold your second factor device.
answered 2019-10-11T15:03:02.113
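
Added example, not part of the question or the answer above: two server-side checks for the setup described in the question, written in Python. It reports which value sshd takes for the directives the question sets (sshd uses the first value it reads for each keyword), and lists any path from authorized_keys up to the home directory that group or others can write, which is the mode part of sshd's StrictModes check. The function names and SAMPLE_CONFIG are constructed for illustration.

```python
import os
import re
import stat

# Constructed sample: the two directives from the question, plus a later
# duplicate to show that sshd uses the first value it reads for a keyword.
SAMPLE_CONFIG = """\
# constructed sshd_config sample
PermitRootLogin without-password
PubkeyAuthentication yes
PermitRootLogin yes
Match User backup
    PasswordAuthentication no
"""

def effective_global_options(text):
    """Return {keyword: value} for the global section; the first value wins."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if parts[0].lower() == "match":  # conditional blocks are not evaluated
            break
        options.setdefault(parts[0].lower(), parts[1] if len(parts) > 1 else "")
    return options

def root_is_key_only(options):
    """True when root may log in with a key but not with a password."""
    root = options.get("permitrootlogin", "prohibit-password").lower()
    pubkey = options.get("pubkeyauthentication", "yes").lower()
    # without-password is the older spelling of prohibit-password
    return root in ("without-password", "prohibit-password") and pubkey == "yes"

def loose_paths(authorized_keys, home):
    """Paths from the key file up to home that group or others can write."""
    bad = []
    path, home = os.path.abspath(authorized_keys), os.path.abspath(home)
    while True:
        if stat.S_IMODE(os.stat(path).st_mode) & 0o022:
            bad.append(path)
        if path == home or path == os.path.dirname(path):
            break
        path = os.path.dirname(path)
    return bad

if __name__ == "__main__":
    print(root_is_key_only(effective_global_options(SAMPLE_CONFIG)))
```

On the server, loose_paths("/root/.ssh/authorized_keys", "/root") run as root returns an empty list when the file, /root/.ssh and /root all have no group or other write bits; ownership is not checked here.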