为了服务器和用户的安全，禁止用户密码的认证方式，而基于“钥匙”的方式。

Lastlogin:FriOct1214:14:012012from192.168.7.251root@Cacti.Nagios:[/root]vi/etc/ssh/sshd_config#$OpenBSD:sshd_config,v1.802008/07/0202:24:18djmExp$#Thisisthesshdserversystem-wideconfigurationfile.See#sshd_config(5)formoreinformation.#ThissshdwascompiledwithPATH=/usr/local/bin:/bin:/usr/bin#Thestrategyusedforoptionsinthedefaultsshd_configshippedwith#OpenSSHistospecifyoptionswiththeirdefaultvaluewhere#possible,butleavethemcommented.Uncommentedoptionschangea#defaultvalue.#Port22#AddressFamilyany#ListenAddress0.0.0.0#ListenAddress::#Disablelegacy(protocolversion1)supportintheserverfornew#installations.Infuturethedefaultwillchangetorequireexplicit#activationofprotocol1Protocol2← 修改后变为此状态，仅使用SSH2#HostKeyforprotocolversion1#HostKey/etc/ssh/ssh_host_key#HostKeysforprotocolversion2#HostKey/etc/ssh/ssh_host_rsa_key#HostKey/etc/ssh/ssh_host_dsa_key#Lifetimeandsizeofephemeralversion1serverkey#KeyRegenerationInterval1h#ServerKeyBits1024#Logging#obsoletesQuietModeandFascistLogging#SyslogFacilityAUTHSyslogFacilityAUTHPRIV#LogLevelINFO#Authentication:#LoginGraceTime2m#PermitRootLoginyesPermitRootLoginno← 修改后变为此状态，不允许用root进行登录#StrictModesyes#MaxAuthTries6#MaxSessions10#RSAAuthenticationyes#PubkeyAuthenticationyes#AuthorizedKeysFile.ssh/authorized_keys#AuthorizedKeysCommandnone#AuthorizedKeysCommandRunAsnobody#Forthistoworkyouwillalsoneedhostkeysin/etc/ssh/ssh_known_hosts#RhostsRSAAuthenticationno#similarforprotocolversion2#HostbasedAuthenticationno#Changetoyesifyoudon'ttrust~/.ssh/known_hostsfor#RhostsRSAAuthenticationandHostbasedAuthentication#IgnoreUserKnownHostsno#Don'treadtheuser's~/.rhostsand~/.shostsfiles#IgnoreRhostsyes#Todisabletunneledcleartextpasswords,changetonohere!#PasswordAuthenticationyesPasswordAuthenticationno← 修改后变为此状态，不允许密码方式的登录#PermitEmptyPasswordsnoPermitEmptyPasswordsno← 修改后变为此状态，禁止空密码进行登录"/etc/ssh/sshd_config"141L,3941Cwrittenroot@Cacti.Nagios:[/root]vi/etc/hosts.deny ← 修改屏蔽规则，在文尾添加相应行##hosts.denyThisfilecontainsaccessruleswhichareusedto#denyconnectionstonetworkservicesthateitheruse#thetcp_wrapperslibraryorthathavebeen#startedthroughatcp_wrappers-enabledxinetd.##Therulesinthisfilecanalsobesetupin#/etc/hosts.allowwitha'deny'optioninstead.##See'man5hosts_options'and'man5hosts_access'#forinformationonrulesyntax.#See'mantcpd'forinformationontcp_wrappers#sshd:ALL ← 添加这一行，屏蔽来自所有的SSH连接请求"/etc/hosts.deny"14L,469CwrittenYouhavenewmailin/var/spool/mail/rootroot@Cacti.Nagios:[/root]vi/etc/hosts.allow← 修改允许规则，在文尾添加相应行##hosts.allowThisfilecontainsaccessruleswhichareusedto#allowordenyconnectionstonetworkservicesthat#eitherusethetcp_wrapperslibraryorthathavebeen#startedthroughatcp_wrappers-enabledxinetd.##See'man5hosts_options'and'man5hosts_access'#forinformationonrulesyntax.#See'mantcpd'forinformationontcp_wrappers#sshd:192.168.7.只允许192.168.7。网段的机器ssh登陆~~~"/etc/hosts.allow"11L,386Cwrittenroot@Cacti.Nagios:[/root]su-adminadmin@Cacti.Nagios:[/data]ssh-keygen-trsaGeneratingpublic/privatersakeypair.Enterfileinwhichtosavethekey(/data/.ssh/id_rsa):Createddirectory'/data/.ssh'.Enterpassphrase(emptyfornopassphrase):Entersamepassphraseagain:Youridentificationhasbeensavedin/data/.ssh/id_rsa.Yourpublickeyhasbeensavedin/data/.ssh/id_rsa.pub.Thekeyfingerprintis:e5:15:ba:be:59:ef:2e:74:df:b6:ee:e1:6a:24:be:daadmin@Cacti.NagiosThekey'srandomartp_w_picpathis:+--[RSA2048]----+|.||..||o.||oo||So||.....||o.+.o.||.=.o.=||.+Eo=B*.|+-----------------+admin@Cacti.Nagios:[/data]ls-a....bash_history.bash_logout.bash_profile.bashrclost+found.ssh.viminfoadmin@Cacti.Nagios:[/data]cd.ssh/admin@Cacti.Nagios:[/data/.ssh]lltotal8-rw-------1adminadmin1751Oct1217:19id_rsa-rw-r--r--1adminadmin401Oct1217:19id_rsa.pubadmin@Cacti.Nagios:[/data/.ssh]cat~/.ssh/id_rsa.pub>>~/.ssh/authorized_keysadmin@Cacti.Nagios:[/data/.ssh]ls-a...authorized_keysid_rsaid_rsa.pubadmin@Cacti.Nagios:[/data/.ssh]chmod400authorized_keysadmin@Cacti.Nagios:[/data/.ssh]ll-atotal20drwx------2adminadmin4096Oct1217:20.drwxr-xr-x4adminadmin4096Oct1217:19..-r--------1adminadmin401Oct1217:20authorized_keys-rw-------1adminadmin1751Oct1217:19id_rsa-rw-r--r--1adminadmin401Oct1217:19id_rsa.pub 至此，将私钥id_rsa导出到windows客户端上。然后删除生成的公钥id_rsa.pub。重启sshd服务，使得刚才所做的配置修改生效。root@Cacti.Nagios:[/root]/etc/rc.d/init.d/sshdrestart Stoppingsshd:[OK] Startingsshd:[OK]