First, locate the /etc/ssh/sshd_config file on the system and open it with ee /etc/ssh/sshd_config. Its contents are as follows:
    #	$OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
    #	$FreeBSD: src/crypto/openssh/sshd_config,v 1.49.2.1.2.1 2009/10/25 01:10:29 kensmith Exp $

    # This is the sshd server system-wide configuration file.  See
    # sshd_config(5) for more information.

    # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

    # The strategy used for options in the default sshd_config shipped with
    # OpenSSH is to specify options with their default value where
    # possible, but leave them commented.  Uncommented options change a
    # default value.

    # Note that some of FreeBSD's defaults differ from OpenBSD's, and
    # FreeBSD has a few additional options.

    #VersionAddendum FreeBSD-20090522

    # The port number can be changed to deter attacks; the default is port 22
    Port 222
    #Protocol 2
    #AddressFamily any
    #ListenAddress 0.0.0.0
    #ListenAddress ::

    # Disable legacy (protocol version 1) support in the server for new
    # installations. In future the default will change to require explicit
    # activation of protocol 1
    Protocol 2

    # HostKey for protocol version 1
    #HostKey /etc/ssh/ssh_host_key
    # HostKeys for protocol version 2
    #HostKey /etc/ssh/ssh_host_rsa_key
    #HostKey /etc/ssh/ssh_host_dsa_key

    # Lifetime and size of ephemeral version 1 server key
    #KeyRegenerationInterval 1h
    #ServerKeyBits 1024

    # Logging
    # obsoletes QuietMode and FascistLogging
    #SyslogFacility AUTH
    #LogLevel INFO

    # Authentication:

    #LoginGraceTime 2m
    # Whether the root user may log in to the system directly: yes or no
    PermitRootLogin no
    #StrictModes yes
    #MaxAuthTries 6
    #MaxSessions 10

    #RSAAuthentication yes
    #PubkeyAuthentication yes
    # Changed to use the public key file in the user's home directory
    AuthorizedKeysFile .ssh/id_dsa.pub

    # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
    #RhostsRSAAuthentication no
    # similar for protocol version 2
    #HostbasedAuthentication no
    # Change to yes if you don't trust ~/.ssh/known_hosts for
    # RhostsRSAAuthentication and HostbasedAuthentication
    #IgnoreUserKnownHosts no
    # Don't read the user's ~/.rhosts and ~/.shosts files
    #IgnoreRhosts yes

    # Change to yes to enable built-in password authentication.
    # Change this to control whether password login is possible
    # Do not allow users to log in with a password
    PasswordAuthentication no
    # Do not allow users with an empty password to log in
    PermitEmptyPasswords no

    # Change to no to disable PAM authentication
    #ChallengeResponseAuthentication yes

    # Kerberos options
    #KerberosAuthentication no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes
    #KerberosGetAFSToken no

    # GSSAPI options
    #GSSAPIAuthentication no
    #GSSAPICleanupCredentials yes

    # Set this to 'no' to disable PAM authentication, account processing,
    # and session processing. If this is enabled, PAM authentication will
    # be allowed through the ChallengeResponseAuthentication and
    # PasswordAuthentication.  Depending on your PAM configuration,
    # PAM authentication via ChallengeResponseAuthentication may bypass
    # the setting of "PermitRootLogin without-password".
    # If you just want the PAM account and session checks to run without
    # PAM authentication, then enable this but set PasswordAuthentication
    # and ChallengeResponseAuthentication to 'no'.
    #UsePAM yes

    #AllowAgentForwarding yes
    #AllowTcpForwarding yes
    #GatewayPorts no
    #X11Forwarding yes
    #X11DisplayOffset 10
    #X11UseLocalhost yes
    #PrintMotd yes
    #PrintLastLog yes
    #TCPKeepAlive yes
    #UseLogin no
    #UsePrivilegeSeparation yes
    #PermitUserEnvironment no
    #Compression delayed
    #ClientAliveInterval 0
    #ClientAliveCountMax 3
    #UseDNS yes
    #PidFile /var/run/sshd.pid
    #MaxStartups 10
    #PermitTunnel no
    #ChrootDirectory none

    # no default banner path
    #Banner none

    # override default of no subsystems
    Subsystem sftp /usr/libexec/sftp-server

    # Example of overriding settings on a per-user basis
    #Match User anoncvs
    #	X11Forwarding no
    #	AllowTcpForwarding no
    #	ForceCommand cvs server

OK, the SSH configuration changes above are complete. Restart the SSH service:

    leaf# /etc/rc.d/sshd restart
    Stopping sshd.
    Starting sshd.

Next, generate the key by entering the generation command:

    leaf# ssh-keygen -t dsa
    Generating public/private dsa key pair.
    Enter file in which to save the key (/root/.ssh/id_dsa):    # press Enter to accept the default, or choose the location where you want to store it
    Created directory '/root/.ssh'.
    Enter passphrase (empty for no passphrase):    # enter the passphrase for the key
    Enter same passphrase again:    # enter the passphrase for the key again
    Your identification has been saved in /root/.ssh/id_dsa.
    Your public key has been saved in /root/.ssh/id_dsa.pub.
    The key fingerprint is:
    11:d6:63:26:84:fc:4f:6d:c3:9a:fa:50:ff:08:f4:0b root@leaf
    The key's randomart image is:
    +--[ DSA 1024]----+
    | . o+. |
    | o...= |
    | ..+ + |
    | ... = |
    | Soo+ . |
    | o+o |
    | ..E o |
    | .. o + |
    | .. o . |
    +-----------------+
    leaf# ll /root/    # check whether the .ssh directory was created under root's home directory
    total 16
    -rw-r--r-- 2 root wheel 812 Mar 9 06:53 .cshrc
    -rw------- 1 root wheel 2369 Mar 10 07:26 .history
    -rw-r--r-- 1 root wheel 155 Nov 21 22:57 .k5login
    -rw-r--r-- 1 root wheel 303 Nov 21 22:57 .login
    -rw------- 1 root wheel 332 Feb 4 00:55 .mysql_history
    -rw-r--r-- 2 root wheel 265 Nov 21 22:57 .profile
    drwx------ 2 root wheel 512 Mar 12 06:37 .ssh
    leaf# ll /root/.ssh/    # check that the .ssh directory contains the two files id_dsa and id_dsa.pub
    total 4
    -rw------- 1 root wheel 736 Mar 12 06:37 id_dsa    # confirms that the private key has been created
    -rw-r--r-- 1 root wheel 603 Mar 12 06:37 id_dsa.pub    # confirms that the public key has been created

Next, download the id_dsa file and configure it in the SSH login software of the corresponding user. Remember to delete the id_dsa file once you have finished downloading it! Run the following:

    leaf# rm -r id_dsa
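
The comments in the configuration file above note that PAM can still authenticate through ChallengeResponseAuthentication when PasswordAuthentication is no. The script below is an added example, not part of the original post, that audits the keywords changed above using sshd's rule that the first value read for a keyword wins. The function names, the treatment of a missing keyword as "yes", and the sample file are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit the sshd_config
# keywords this page changes. Global section only; Match blocks are skipped.

# effective FILE KEYWORD DEFAULT -> value in force, lower-cased for comparison.
effective() {
    awk -v key="$2" -v def="$3" '
        NF == 0 || $1 ~ /^#/ { next }        # skip blank and comment lines
        tolower($1) == "match" { exit }      # stop at per-user overrides
        tolower($1) == tolower(key) {        # keywords are case-insensitive
            print tolower($2); found = 1; exit   # first occurrence wins
        }
        END { if (!found) print def }
    ' "$1"
}

# audit FILE -> space-separated findings, or "ok" when there are none.
# Assumption: a missing keyword counts as "yes", so nothing passes by omission.
audit() {
    findings=""
    for kw in PermitRootLogin PasswordAuthentication PermitEmptyPasswords; do
        [ "$(effective "$1" "$kw" yes)" = "no" ] || findings="$findings $kw"
    done
    # PAM challenge-response stays open unless one of the two is set to no,
    # whatever PasswordAuthentication says.
    if [ "$(effective "$1" ChallengeResponseAuthentication yes)" != "no" ] &&
       [ "$(effective "$1" UsePAM yes)" != "no" ]; then
        findings="$findings ChallengeResponseAuthentication+UsePAM"
    fi
    echo "${findings:-ok}" | sed 's/^ //'
}

# Constructed sample: the uncommented lines of the configuration above.
sample_config() {
    cat <<'EOF'
Port 222
Protocol 2
PermitRootLogin no
AuthorizedKeysFile .ssh/id_dsa.pub
PasswordAuthentication no
PermitEmptyPasswords no
Subsystem sftp /usr/libexec/sftp-server
EOF
}

tmp=$(mktemp) && sample_config > "$tmp"
audit "$tmp"
rm -f "$tmp"
```

On the server itself, run audit /etc/ssh/sshd_config, and run sshd -t before restarting the service so that a syntax error in the edited file is caught while the current session is still open.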