问题描述
我刚刚在我的服务器上安装了Ubuntu 14.04,当我在sshd_config文件中发现此问题时,我正在设置所有配置文件:
# Authentication:
LoginGraceTime 120
PermitRootLogin without-password
StrictModes yes
这让我非常担心。我认为有人可能会以root用户身份登录到我的服务器,而无需输入密码。
我尝试通过以下方式连接到我的服务器:
johns-mbp:~ john$ ssh root@192.168.1.48
The authenticity of host '192.168.1.48 (192.168.1.48)' can't be established.
RSA key fingerprint is 40:7e:28:f1:a8:36:28:da:eb:6f:d2:d0:3f:4b:4b:fe.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.48' (RSA) to the list of known hosts.
root@192.168.1.48's password:
我输入了一个空白的密码,它不让我进入,这是一种解脱。所以我的问题是:没有密码意味着什么,为什么这是Ubuntu 14.04的默认设置?
最佳解决思路
从manpage:
PermitRootLogin
Specifies whether root can log in using ssh(1). The argument must be “yes”, “without-password”, “forced-commands-only”, or “no”. The default is “yes”.
If this option is set to “without-password”, password authentication is disabled for root.
If this option is set to “forced-commands-only”, root login with public key authentication will be allowed, but only if the
commandoption has been specified (which may be useful for taking remote backups even if root login is normally not allowed). All other authentication methods are disabled for root.If this option is set to “no”, root is not allowed to log in.
因此without-password只允许使用公钥认证进行root登录。这通常用于shell脚本和自动化任务。
次佳解决思路
实际上,如果您使用PAM认证,此设置几乎没有任何功能。在sshd_config配置文件的底部,您会发现:
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
Ubuntu上的默认设置是使用PAM认证:
UsePAM yes
第三种解决思路
请注意,通过root登录有合理的理由(但使用加密密钥并且从不输入密码)。一个典型的例子是远程同步两台服务器(将其中一台用作fail-over)。由于结构必须相同,通常需要root密码。
以下是使用同步进行同步的示例:https://serverfault.com/questions/341985/remotely-use-root-over-ssh-for-unison