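This is how it works by default, but the configuration cannot be customized, and the NAS is frequently brute-forced from the internet.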

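Known issue: if "Allow SSH login" is turned off, a background monitor on the NAS kills all sshd processes at any time. The default SSH configuration file is automatically overwritten every time, so password login cannot be disabled.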

Goal: allow key-based login only.

# Configuration file path on ordinary Linux
/etc/ssh/sshd_config
# Configuration file path on QNAP
/etc/config/ssh/sshd_config

mkdir -p /root/.ssh
cd /root/.ssh
echo -e "ssh-rsa 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 rsa-key-20200301"> /root/.ssh/authorized_keys

# Remove blank lines from the file; many people fail precisely because they skip this step.

sed -i -e '/^[ \t]*$/d' /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
chmod 700 /root/.ssh

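# Then set the permissions on the key file so that other users cannot modify or delete it.
# chmod 600 - only the owner has read and write permission.
# chmod 700 - only the owner has read, write and execute permission.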

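# Upload the login key file to the server to allow passwordless login; there must be no blank space at the start of the first line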

echo -e "-----BEGIN OPENSSH PRIVATE KEY-----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-----END OPENSSH PRIVATE KEY-----
"> /root/.ssh/id_rsa

# Remove blank lines from the file; many people fail precisely because they skip this step.

sed -i -e '/^[ \t]*$/d' /root/.ssh/id_rsa
chmod 600 /root/.ssh/id_rsa

Finally, add the line PasswordAuthentication no to /etc/config/ssh/sshd_config to disable username/password login.

Kill the sshd process and start it again:

/usr/sbin/sshd -f /etc/config/ssh/sshd_config -p 22

To keep the password-login ban from being lost after a system upgrade, a reboot and so on, here is a scheduled script of my own.

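# Log file paths (assumed here; the original snippet does not define them)
log=/var/log/diy-ssh.log
errlog=/var/log/diy-ssh-error.log
# Count active (uncommented) "PasswordAuthentication no" lines
RUNNING=$(grep -c '^[[:space:]]*PasswordAuthentication[[:space:]][[:space:]]*no' /etc/config/ssh/sshd_config)
if [ "$RUNNING" -ge 1 ]; then
    # Log: SSH password login is disabled
    echo "$(date +"%F %H:%M:%S")   SSH密码登录已关闭" | tee -a "$log"
else
    # Log: DIY-SSH is not running (the setting was lost)
    echo -e "\e[33;41m$(date +"%F %H:%M:%S")   DIY-SSH 未运行\e[0m" | tee -a "$log" "$errlog"
    # Stop the sshd started from this config file, restore the setting, restart
    pid=$(ps x | grep sshd_config | grep -v grep | awk '{print $1}')
    kill $pid > /dev/null 2>&1
    echo "PasswordAuthentication no" >> /etc/config/ssh/sshd_config
    /usr/sbin/sshd -f /etc/config/ssh/sshd_config -p 22
    # Log: DIY-SSH is OK
    echo "$(date +"%F %H:%M:%S")   DIY-SSH 正常" | tee -a "$log"
fi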
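
The scheduled script above appends PasswordAuthentication no to the end of the file, but sshd uses the first value it reads for a keyword, so an earlier PasswordAuthentication yes, or one inside a Match block, still wins. The check-and-repair functions below are an added example, not the author's script; the function names, the return code 10 and the sample config are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the page author's script. Assumes no Include directives.
# sshd keeps the FIRST value it reads for a keyword, and lines after a
# "Match" line override the global value for matching connections.

# Succeed only if config file $1 disables password login for everyone: the
# first global PasswordAuthentication is "no" and no Match block re-enables it.
password_login_disabled() {
    awk '
        { key = tolower($1) }
        key == "match" { in_match = 1 }
        key == "passwordauthentication" {
            val = tolower($2)
            if (!in_match && !seen) { seen = 1; first = val }
            if (in_match && val != "no") override = 1
        }
        END { exit !(first == "no" && !override) }
    ' "$1"
}

# Drop every active PasswordAuthentication line (commented ones are kept)
# and put the directive on the first line, ahead of any Match block.
enforce_key_only() {
    cfg=$1
    tmp=$(mktemp "${cfg}.XXXXXX") || return 1
    {
        echo "PasswordAuthentication no"
        awk 'tolower($1) != "passwordauthentication"' "$cfg"
    } > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$cfg"    # overwrite in place, keeping owner and mode
    rm -f "$tmp"
}

# Check-and-repair step for a scheduled job.
# Returns 0 if already compliant, 10 if the file was rewritten, 1 on error.
check_and_repair() {
    password_login_disabled "$1" && return 0
    enforce_key_only "$1" || return 1
    return 10
}

# Constructed sample config: an earlier "yes" and a Match-block "yes".
write_sample_config() {
    printf '%s\n' 'Port 22' '#PasswordAuthentication no' \
        'PasswordAuthentication yes' 'Match User backup' \
        '    PasswordAuthentication yes' > "$1"
}
```

After a rewrite, `/usr/sbin/sshd -t -f /etc/config/ssh/sshd_config` validates the file before sshd is restarted.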