在 ubuntu server 安裝與設定 SSH

SSH：Secure SHell Protocol

1. 安裝的指令：apt-get install ssh
   在執行上述指令時，以下套件(package)，也會一並安裝：libwrap0, openssh-server, ssh-import-id, tcpd...
2. 調整設定： vi /etc/ssh/sshd_config
   # Package generated configuration file
   # See the sshd_config(5) manpage for details
   
   # What ports, IPs and protocols we listen for
   Port 22    #預設的port，可以修改調整
   # Use these options to restrict which interfaces/protocols sshd will bind to
   #ListenAddress ::
   #ListenAddress 0.0.0.0
   Protocol 2
   # HostKeys for protocol version 2
   HostKey /etc/ssh/ssh_host_rsa_key
   HostKey /etc/ssh/ssh_host_dsa_key
   HostKey /etc/ssh/ssh_host_ecdsa_key
   #Privilege Separation is turned on for security
   UsePrivilegeSeparation yes
   
   # Lifetime and size of ephemeral version 1 server key
   KeyRegenerationInterval 3600
   ServerKeyBits 768
   
   # Logging
   SyslogFacility AUTH
   LogLevel INFO
   
   # Authentication:
   LoginGraceTime 120
   PermitRootLogin yes    #允許root直接登入，風險太高了，把yes改為no
   StrictModes yes
   
   RSAAuthentication yes
   PubkeyAuthentication yes
   #AuthorizedKeysFile    %h/.ssh/authorized_keys
   
   # Don't read the user's ~/.rhosts and ~/.shosts files
   IgnoreRhosts yes
   # For this to work you will also need host keys in /etc/ssh_known_hosts
   RhostsRSAAuthentication no
   # similar for protocol version 2
   HostbasedAuthentication no
   # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
   #IgnoreUserKnownHosts yes
   
   # To enable empty passwords, change to yes (NOT RECOMMENDED)
   PermitEmptyPasswords no
   
   # Change to yes to enable challenge-response passwords (beware issues with
   # some PAM modules and threads)
   ChallengeResponseAuthentication no
   
   # Change to no to disable tunnelled clear text passwords
   #PasswordAuthentication yes
   
   # Kerberos options
   #KerberosAuthentication no
   #KerberosGetAFSToken no
   #KerberosOrLocalPasswd yes
   #KerberosTicketCleanup yes
   
   # GSSAPI options
   #GSSAPIAuthentication no
   #GSSAPICleanupCredentials yes
   
   X11Forwarding yes
   X11DisplayOffset 10
   PrintMotd no
   PrintLastLog yes
   TCPKeepAlive yes
   #UseLogin no
   
   #MaxStartups 10:30:60
   #Banner /etc/issue.net
   
   # Allow client to pass locale environment variables
   AcceptEnv LANG LC_*
   
   Subsystem sftp /usr/lib/openssh/sftp-server
   
   # Set this to 'yes' to enable PAM authentication, account processing,
   # and session processing. If this is enabled, PAM authentication will
   # be allowed through the ChallengeResponseAuthentication and
   # PasswordAuthentication.  Depending on your PAM configuration,
   # PAM authentication via ChallengeResponseAuthentication may bypass
   # the setting of "PermitRootLogin without-password".
   # If you just want the PAM account and session checks to run without
   # PAM authentication, then enable this but set PasswordAuthentication
   # and ChallengeResponseAuthentication to 'no'.
   UsePAM yes
   
   #再增加AllowUsers 限制可以SSH登入的使用者
   AllowUsers useraccount
3. 重新啟動SSHD
   /etc/init.d/ssh restart
   
4. 除了上述限制root登入，指定可登入的使用者外，還可以使用TCP wrapper的機制，透過/etc/hosts.allow 或 /etc/hosts.deny的設定檔，來指定可以用sshd服務的來源IP，或限制哪些IP不允許使用sshd服務。