CentOS Stream 9: SSH access control through AllowUsers in sshd_config
I. The current mainstream CentOS releases
CentOS Linux and CentOS Stream
- CentOS Linux currently has two major releases
-- CentOS Linux 7
-- CentOS Linux 8
- CentOS Stream currently has two major releases
-- CentOS Stream 8
-- CentOS Stream 9
II. A first look at installing CentOS Stream 9
1. Screenshots of the installation process
2. Disabling SELinux after installation
getenforce
setenforce 0
sed -i 's/^SELINUX=.*$/SELINUX=disabled/' /etc/selinux/config
cat /etc/selinux/config
Note that setenforce 0 only switches the running system to permissive mode; the edit to /etc/selinux/config is what makes SELinux disabled, and it takes effect at the next boot. Disabling SELinux removes the mandatory access control layer that confines sshd and the other daemons on the host. If the goal is just to get past SELinux denials while setting things up, SELINUX=permissive logs the denials without blocking anything and is the safer choice.
Now to the main topic.
III. CentOS Stream 9: SSH access control through AllowUsers in sshd_config
1. CentOS Stream 9 has no /etc/hosts.allow by default
On a CentOS Stream 9 system:
ll /etc/hosts.allow
ldd /usr/sbin/sshd
The ldd output shows that sshd is not linked against libwrap.so.0, and the system has neither /etc/hosts.allow nor /etc/hosts.deny. TCP wrappers are simply gone: upstream OpenSSH dropped libwrap support in 6.7, CentOS 7 kept it through a distribution patch, and from CentOS Linux 8 onward the tcp_wrappers package is not shipped at all, so hosts.allow and hosts.deny rules have no effect on sshd.
Compare this with a CentOS 7 system, where ldd /usr/sbin/sshd lists libwrap.so.0 and both files exist.
See the following two articles for details.
2. man sshd_config
Run man sshd_config and read the description of the AllowUsers keyword:
AllowUsers This keyword can be followed by a list of user name patterns, separated by spaces. If specified, login is allowed only for user names that match one of the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts. HOST criteria may additionally contain addresses to match in CIDR address/masklen format. The allow/deny users directives are processed in the following order: DenyUsers, AllowUsers.
Three points matter in practice. First, as soon as one AllowUsers line exists, every user that matches no entry is refused, from every host; the directive is an allow list, not an extra rule. Second, sshd evaluates DenyUsers before AllowUsers (and then DenyGroups and AllowGroups), so a DenyUsers entry wins over an AllowUsers entry for the same user. Third, the keyword may appear several times, in sshd_config or in included files, and each occurrence appends to the list. Patterns use the * and ? wildcards described under PATTERNS in ssh_config(5).
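The USER@HOST and CIDR semantics above are easy to misread, so what follows is a POSIX-shell model of sshd's decision that can be tried offline. It is example code written for this page, not part of the article or of OpenSSH: it supports the * and ? glob characters and a HOST given as a.b.c.d/len, evaluates DenyUsers before AllowUsers as sshd does, and deliberately leaves out hostname matching and ! negation. The function names are this example's own; the addresses are the ones from the article's lab.

```shell
#!/bin/sh
# Added example: a small model of how sshd applies DenyUsers/AllowUsers.
# Not from the article and not OpenSSH code; see the lead-in for the subset
# of the pattern syntax it implements.
set -f   # entries contain * and ?; never let the shell glob them against files

# ip4_to_int 192.168.31.100 -> the address as a decimal integer
ip4_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_contains 192.168.31.0/24 192.168.31.100 -> exit 0 when inside the block
cidr_contains() {
    net=${1%/*}; len=${1#*/}
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( $(ip4_to_int "$net") & mask )) -eq $(( $(ip4_to_int "$2") & mask )) ]
}

# pattern_matches PATTERN STRING -> exit 0 when the sshd-style glob matches
pattern_matches() {
    case "$2" in
        $1) return 0 ;;
    esac
    return 1
}

# entry_matches ENTRY USER IP -> exit 0 when one AllowUsers/DenyUsers entry
# (USER or USER@HOST) covers this user connecting from this address
entry_matches() {
    entry=$1; user=$2; ip=$3
    case "$entry" in
        *@*) upat=${entry%%@*}; hpat=${entry#*@} ;;
        *)   upat=$entry;       hpat='*' ;;        # bare user: any host
    esac
    pattern_matches "$upat" "$user" || return 1
    case "$hpat" in
        */*) cidr_contains "$hpat" "$ip" ;;
        *)   pattern_matches "$hpat" "$ip" ;;
    esac
}

# list_matches "ENTRY ENTRY ..." USER IP -> exit 0 when any entry matches
list_matches() {
    user=$2; ip=$3
    set -- $1
    for e in "$@"; do
        entry_matches "$e" "$user" "$ip" && return 0
    done
    return 1
}

# sshd_user_allowed USER IP "DENYUSERS" "ALLOWUSERS" -> exit 0 when sshd would
# let the user proceed to authentication. Order as in sshd_config(5):
# DenyUsers first, then AllowUsers; an empty AllowUsers allows everyone.
sshd_user_allowed() {
    list_matches "$3" "$1" "$2" && return 1
    [ -z "$4" ] && return 0
    list_matches "$4" "$1" "$2"
}

# Run with the argument "demo" to print decisions for the article's rule
# against a few constructed user@address combinations.
if [ "${1:-}" = demo ]; then
    for who in root@192.168.31.100 root@192.168.31.232 admin@192.168.31.100; do
        u=${who%@*}; a=${who#*@}
        if sshd_user_allowed "$u" "$a" "" "root@192.168.31.100"; then
            echo "$who: allowed"
        else
            echo "$who: rejected"
        fi
    done
fi
```

With the article's single entry, root@192.168.31.100, both root from any other address and any other user from 192.168.31.100 are rejected, which is exactly the behaviour observed in the verification below. A rule such as *@192.168.31.0/24 would instead admit every account from the whole subnet, and adding root to DenyUsers would block root even where AllowUsers lists it.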
3. Configuring SSH access control step by step
vi /etc/ssh/sshd_config
Add the following line so that only root, and only from 192.168.31.100, may log in:
AllowUsers root@192.168.31.100
systemctl restart sshd
Before restarting, keep your current session open and run sshd -t: a syntax error in sshd_config stops sshd from starting and would lock you out. On CentOS Stream 9 the stock sshd_config begins with Include /etc/ssh/sshd_config.d/*.conf, so the line can equally go in a drop-in file in that directory; AllowUsers entries from all files are appended together. Also remember that the HOST part is matched against the client's source address as sshd sees it, so clients behind the same NAT all appear as one address.
Verification: from 192.168.31.232, try to SSH into the CentOS Stream 9 host at 192.168.31.192.
Even with the correct password, the login is refused. The client only sees "Permission denied"; sshd does not tell it that the user/host combination was filtered, and the reason is visible only in the server log.
On the CentOS Stream 9 server, check the log (journalctl -u sshd shows the same messages if rsyslog is not writing /var/log/secure):
tail -f /var/log/secure
The following entry appears:
Jan 24 21:07:47 localhost sshd[1447]: User root from 192.168.31.232 not allowed because not li
This gives SSH access control.
Comment out the AllowUsers line and restart sshd, and logins from other hosts work again.
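The steps above are typed by hand; here they are as an added shell script for this page (not the article's own commands) that deploys the rule as a drop-in file, validates the merged configuration with sshd -t before reloading, and summarises the rejections sshd logs. The drop-in file name, the ops account, the 192.168.31.50 address and the log sample are this example's assumptions; the sample lines are constructed but follow the message format sshd actually writes, including the full text of the entry that is cut off in the article.

```shell
#!/bin/sh
# Added example for this page: deploy and verify an AllowUsers rule on
# CentOS Stream 9. Not the article's own commands. apply_allowusers must be
# run as root on the server; allowusers_rejects works on any copy of the log.
set -e

# allowusers_dropin "root@192.168.31.100 ops@192.168.31.0/24"
# -> prints the drop-in content (entries on one line; several lines would
#    simply be appended together by sshd)
allowusers_dropin() {
    printf '# Only these USER@HOST patterns may log in; everyone else is refused\nAllowUsers %s\n' "$1"
}

# apply_allowusers "PATTERNS" [DROPIN]: write the drop-in that the stock
# "Include /etc/ssh/sshd_config.d/*.conf" line pulls in, test, then reload.
apply_allowusers() {
    patterns=$1
    dropin=${2:-/etc/ssh/sshd_config.d/50-allowusers.conf}
    allowusers_dropin "$patterns" > "$dropin"
    # Validate the merged configuration before touching the running daemon;
    # a bad drop-in would otherwise leave you locked out after the restart.
    if ! sshd -t; then
        rm -f "$dropin"
        echo "sshd -t rejected the configuration; drop-in removed" >&2
        return 1
    fi
    systemctl reload sshd      # SIGHUP re-reads the config, existing sessions stay up
}

# allowusers_rejects < LOG: count AllowUsers rejections per "source user",
# e.g.  journalctl -u sshd --no-pager | allowusers_rejects
allowusers_rejects() {
    awk '/not allowed because not listed in AllowUsers/ {
            # message reads: User <name> from <addr> not allowed because ...
            for (i = 2; i < NF; i++)
                if ($i == "from") cnt[$(i+1) " " $(i-1)]++
         }
         END { for (k in cnt) print k, cnt[k] }' | sort
}

# Constructed /var/log/secure excerpt (not a real capture) in sshd's format,
# reproducing the lab in the article: 192.168.31.232 is refused, the
# permitted host 192.168.31.100 gets in.
SAMPLE_SECURE_LOG='Jan 24 21:07:47 localhost sshd[1447]: User root from 192.168.31.232 not allowed because not listed in AllowUsers
Jan 24 21:08:03 localhost sshd[1452]: User root from 192.168.31.232 not allowed because not listed in AllowUsers
Jan 24 21:08:40 localhost sshd[1460]: User bob from 192.168.31.50 not allowed because not listed in AllowUsers
Jan 24 21:09:12 localhost sshd[1470]: Accepted password for root from 192.168.31.100 port 50402 ssh2'

# Run with the argument "demo" to see the drop-in and the rejection summary
# without changing anything on the host.
if [ "${1:-}" = demo ]; then
    allowusers_dropin 'root@192.168.31.100'
    printf '%s\n' "$SAMPLE_SECURE_LOG" | allowusers_rejects
fi
```

The summary output is one line per source address and user, so a burst of rejections from an address that should never reach the host stands out immediately; it is the same check as the tail -f in the article, just aggregated.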
Tips:
From CentOS Linux 8 onward, /etc/hosts.allow and /etc/hosts.deny are no longer supported, because the tcp_wrappers package is not shipped.
1. CentOS Linux 8
2. CentOS Stream 9
3. CentOS Stream 8
The AllowUsers method described in this article works on all three systems.