1. Installing the server-side packages
First, check whether the OpenSSH server package is already installed:
# rpm -qa|grep openssh
openssh-askpass-5.3p1-104.el6_6.1.x86_64
openssh-server-5.3p1-104.el6_6.1.x86_64    # server-side package
openssh-clients-5.3p1-104.el6_6.1.x86_64   # client package
openssh-5.3p1-104.el6_6.1.x86_64           # core files shared by server and client
If they are not installed, mount the installation DVD:
# mkdir /mnt/local          # create a directory on which to mount the DVD
# mount /dev/cdrom /mnt/local/
mount: block device /dev/sr0 is write-protected, mounting read-only
# cd /mnt/local/Packages/   # directory holding the packages on the DVD image
Change into the DVD directory, locate the packages and run the following commands, installing them in this order:
# rpm -ivh openssh-5.3p1-94.el6.x86_64.rpm
# rpm -ivh openssh-server-5.3p1-94.el6.x86_64.rpm
# rpm -ivh openssh-clients-5.3p1-94.el6.x86_64.rpm
# rpm -ivh openssh-askpass-5.3p1-94.el6.x86_64.rpm
# ssh -v                    # version information (ssh -V prints only the version line)
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
           [-D [bind_address:]port] [-e escape_char] [-F configfile]
           [-I pkcs11] [-i identity_file]
           [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec]
           [-O ctl_cmd] [-o option] [-p port]
           [-R [bind_address:]port:host:hostport] [-S ctl_path]
           [-W host:port] [-w local_tun[:remote_tun]]
           [user@]hostname [command]
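The package check and install order above, scripted as an added example (this is not code from the original article): the first function works out which of the four OpenSSH packages are absent from an "rpm -qa" listing and lists them in the order the article installs them (openssh first, because the other three depend on it); the second mounts the DVD and installs them. The mount point /mnt/local and the Packages/ directory are taken from the article; the package file names are matched by a glob because the release on a real DVD may differ from 5.3p1-94.el6.

```shell
#!/bin/sh
# Added example, not code from the original article.

# openssh_missing_packages RPM_QA_OUTPUT
# Prints the missing package names, one per line, in installation order.
openssh_missing_packages() {
    installed=$1
    for pkg in openssh openssh-server openssh-clients openssh-askpass; do
        # Anchoring on "name-<digit>" means "openssh" is not satisfied by
        # "openssh-server-..." and vice versa.
        if ! printf '%s\n' "$installed" | grep -q "^$pkg-[0-9]"; then
            printf '%s\n' "$pkg"
        fi
    done
}

# install_missing_from_dvd [MOUNTPOINT]
# Mounts the DVD read-only if it is not mounted yet, then installs whatever
# openssh_missing_packages reports, in order. Must run as root.
install_missing_from_dvd() {
    mnt=${1:-/mnt/local}          # mount point used by the article
    mkdir -p "$mnt"
    grep -q " $mnt " /proc/mounts || mount -o ro /dev/cdrom "$mnt"
    openssh_missing_packages "$(rpm -qa)" | while read -r pkg; do
        # glob the release so a DVD carrying a different build still works
        set -- "$mnt"/Packages/"$pkg"-[0-9]*.rpm
        if [ ! -f "$1" ]; then
            echo "no package file for $pkg under $mnt/Packages" >&2
            exit 1               # leaves the pipeline subshell with status 1
        fi
        rpm -ivh "$1"
    done
}

# Usage: sh check_openssh.sh          -> print the packages still missing
#        sh check_openssh.sh install  -> install them from the DVD
if [ "$1" = install ]; then
    install_missing_from_dvd
elif [ -n "$(command -v rpm)" ]; then
    openssh_missing_packages "$(rpm -qa)"
fi
```

The first function is pure text processing, so it can be run against a saved "rpm -qa" listing from another host without touching that host.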
2. The server configuration file in detail
# cat /etc/ssh/sshd_config
Connections normally work with the defaults, so no changes are required; every line has the form "Keyword value". Lines beginning with # are comments, and the commented-out directives show the built-in defaults. The notes after # at the end of some lines below are this article's explanations; they are not part of the file and must not be copied onto a directive line, because sshd rejects trailing text after a directive's value.
#Port 22                       # port the server listens on
#AddressFamily any
#ListenAddress 0.0.0.0         # IP address the OpenSSH server binds to
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key       # file containing the host's private host key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024            # size of the server key in bits; minimum 512, default 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO                 # level at which sshd log messages are recorded

# Authentication:

#LoginGraceTime 2m             # how long the server waits for a user who has not logged in successfully before dropping the connection
#PermitRootLogin yes           # whether the root user may log in via ssh
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10                # maximum number of sessions allowed per network connection, default 10

#RSAAuthentication yes         # whether pure RSA authentication is allowed
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no    # whether rhosts or /etc/hosts.equiv authentication combined with RSA is allowed
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes              # whether .rhosts and .shosts files are used during RhostsRSA and Hostbased authentication

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes    # whether password authentication is allowed
#PermitEmptyPasswords no       # whether accounts whose password is the empty string may log in, default no
PasswordAuthentication yes     # whether password authentication is allowed

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes              # whether X11 forwarding is allowed
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes                 # whether sshd shows the contents of /etc/motd when a user logs in
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3         # number of client-alive messages that may be sent without a response before the client is disconnected
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100         # maximum number of concurrent unauthenticated connections to the SSH daemon; default 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server

The following access-control directives are not present in the default file and must be added by hand:
AllowGroups   # groups allowed to connect
AllowUsers    # users allowed to connect
DenyGroups    # groups refused connection
DenyUsers     # users refused connection. If a pattern is written as User@Host, both the user and the host are checked, so a particular user can be blocked from connecting from a particular host; for example Tom@192.168.10.10 refuses the user Tom connecting to the OpenSSH server from the host 192.168.10.10.
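A small audit of the file described above, added here as an example (it is not code from the original article): it reports the effective value of the security-relevant directives (PermitRootLogin, PasswordAuthentication, PermitEmptyPasswords, X11Forwarding, MaxAuthTries, Protocol) and notes when none of the AllowUsers/AllowGroups/DenyUsers/DenyGroups directives restricts who may connect. sshd honours the first uncommented occurrence of a directive and uses its built-in default when the directive is absent, so a plain grep can mislead; the functions reproduce that rule. The defaults assumed for absent directives are the commented-out values in the stock file; the "wanted" baseline values and the sample configuration are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original article.

# sshd_effective FILE DIRECTIVE DEFAULT
# Prints the effective value of DIRECTIVE in FILE, or DEFAULT when it is unset.
# Keywords are matched case-insensitively, as sshd does. Reading stops at the
# first "Match" block, whose values only apply conditionally.
sshd_effective() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    val=$(awk -v key="$key" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comment or blank line
        tolower($1) == "match"   { exit }          # conditional section starts
        tolower($1) == key       { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# audit_sshd_config FILE
# Prints one "Directive=value" line per weak setting. Column 2 is the value
# assumed when the directive is absent (the stock file's commented default);
# column 3 is the wanted value, where "max:N" means a numeric ceiling.
audit_sshd_config() {
    cfg=$1
    #      directive               absent  wanted
    printf '%s\n' \
        'Protocol                unset   2' \
        'PermitRootLogin         yes     no' \
        'PasswordAuthentication  yes     no' \
        'PermitEmptyPasswords    no      no' \
        'X11Forwarding           no      no' \
        'MaxAuthTries            6       max:3' |
    while read -r directive dflt wanted; do
        actual=$(sshd_effective "$cfg" "$directive" "$dflt" | tr 'A-Z' 'a-z')
        case $wanted in
            max:*) [ "$actual" -le "${wanted#max:}" ] 2>/dev/null ||
                       printf '%s=%s\n' "$directive" "$actual" ;;
            *)     [ "$actual" = "$wanted" ] ||
                       printf '%s=%s\n' "$directive" "$actual" ;;
        esac
    done
    # The stock file sets none of the four access-control directives; say so
    # when the file still lets every local account attempt to log in.
    for d in AllowUsers AllowGroups DenyUsers DenyGroups; do
        [ -z "$(sshd_effective "$cfg" "$d" "")" ] || return 0
    done
    printf 'AccessControl=none\n'
}

# write_sample_config FILE
# Writes a constructed fragment modelled on the CentOS 6 file above; the
# duplicated PasswordAuthentication line shows that the first one wins and the
# Match block shows that conditional values are not taken as global ones.
write_sample_config() {
    cat > "$1" <<'EOF'
#Port 22
Protocol 2
#PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
X11Forwarding yes
MaxAuthTries 6
Subsystem sftp /usr/libexec/openssh/sftp-server
Match User anoncvs
    X11Forwarding no
EOF
}

# Usage: sh audit_sshd.sh /etc/ssh/sshd_config
if [ "$#" -eq 1 ]; then
    audit_sshd_config "$1"
fi
```

Run it against /etc/ssh/sshd_config after each change; validate edits with sshd -t before reloading the service, since a rejected line (for example one with a trailing comment) stops sshd from starting.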