ssh 에 root로 접근불가능하게 하기..왜 이렇게 안되죠??

95
points

Submitted by naearu on 화, 2008/06/10 - 10:10pm.

설치 및 활용 QnA

# Authentication:
AllowUsers userid

# 접속된 클라이언트를 인증하기 위해서 SSHD 데몬이 기다려야 할 시간을 초단위로 설정한다. 300초를 허용하는 것이 최대값이다.
LoginGraceTime 300

# 루트로의 로긴을 허용/금지 시킨다. 루트는 원격에서 로긴하는 것은 절대로 허용되지 않는다. 이것은 su에 관한 것이다.
PermitRootLogin no

# 만약 default인 yes로 설정되어 있다면, SSH 데몬은 home 디렉토리가 다른 유저 소유로 되어 있는 유저는 접근을 허락하지 않는다.
StrictModes yes

RSAAuthentication yes
# RSA 인증을 가능, 불가능하게 한다.

PubkeyAuthentication yes

현재 ssh 셋팅 파일은 이렇게 되어있습니다..그리고 restart하면 정상적으로 재실행 되구요..

근데 문제는 root로 걍 들어가진다는거.. ㄱ-;;;;;;

워찌 막아야 하나요???

참고로 서버는 데비안이고.. OpenSSH_4.3p2 Debian-9, OpenSSL 0.9.8c 05 Sep 2006 쓰고 있습니다.

어디서 셋팅해야 하는지좀 알려주세요.

Login or register to post comments
479번 읽힘

2066
points

PermitRootLogin no 가 root

Submitted by 아주가끔은 on 수, 2008/06/11 - 1:13pm.

PermitRootLogin no 가 root 로그인 막는게 맞을텐데요. no 인데도 root 로 로그인 되던 비슷한 경험이 한번 있어서 한번 남겨봅니다. 무엇때문인지는 기억 안납니다.

예전에 한번 가이드 작성해둔것과 현재 쓰고 있는 sshd_config 파일 내용입니다.
성공하세요!
http://www.suse.or.kr/bbs/board.php?bo_table=tip&wr_id=2173

#       $OpenBSD: sshd_config,v 1.74 2006/07/19 13:07:10 dtucker Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
# in this release. The use of 'gssapi' is deprecated due to the presence of
# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
#GSSAPIEnableMITMAttack no


# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem sftp  /usr/lib/ssh/sftp-server

# This enables accepting locale enviroment variables LC_* LANG, see sshd_config(5).
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
AllowTcpForwarding yes
Compression yes
MaxAuthTries 6
PermitRootLogin no
PrintMotd yes
RSAAuthentication no

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server

ㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡㅡ
RME 9636/52, RomIO, ESP 1010, Triton pro, K2600x, JV-80, Yamaha O3D, Tascam DA-30MKII... etc