• Home
  • Categories
  • WIKI
  • LANGUAGE: en
    • [System Installation] 感觉deepin默认开启ssh有点不安全
    Product Feedback 811 views · 8 replies ·
    Tofloor
    poster avatar
    calvin_lin
    deepin
    2021-02-01 23:49
    Author

    总感觉密码容易给爆破或者偷看然后就被人随意ssh到自己的电脑上

     

    Reply Favorite View the author
    All Replies
    doodo
    deepin
    2021-02-02 00:12
    #1
    It has been deleted!
    Feng Yu
    deepin
    2021-02-02 00:27
    #2

    不会,你这纯粹杞人忧天

    Reply View the author
    剥壳白煮蛋
    deepin
    2021-02-02 00:40
    #3

    不会的, 默认无法用密码连接, 我今天自己加了公钥都因为没注意细节, 折腾好久才用手机连上自己的电脑.

    Reply View the author
    剥壳白煮蛋
    deepin
    2021-02-02 00:52
    #4

    只要 PasswordAuthentication no 就不怕,不放心的可以检查一下 /etc/ssh
    /ssh_config

    ```

    Host *
    #   ForwardAgent no
    #   ForwardX11 no
    #   ForwardX11Trusted yes
        PasswordAuthentication no
    #   HostbasedAuthentication no
    #   GSSAPIAuthentication no
    #   GSSAPIDelegateCredentials no
    #   GSSAPIKeyExchange no
    #   GSSAPITrustDNS no
    #   BatchMode no
    #   CheckHostIP yes
    #   AddressFamily any
    #   ConnectTimeout 0
    #   StrictHostKeyChecking ask
    #   IdentityFile ~/.ssh/id_rsa
    #   IdentityFile ~/.ssh/id_dsa
    #   IdentityFile ~/.ssh/id_ecdsa
    #   IdentityFile ~/.ssh/id_ed25519
    #   Port 22
    #   Protocol 2
    #   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
    #   MACs hmac-md5,hmac-sha1,umac-64@openssh.com
    #   EscapeChar ~
    #   Tunnel no
    #   TunnelDevice any:any
    #   PermitLocalCommand no
    #   VisualHostKey no
    #   ProxyCommand ssh -q -W %h:%p gateway.example.com
    #   RekeyLimit 1G 1h
        SendEnv LANG LC_*
        HashKnownHosts yes
        GSSAPIAuthentication yes
        PubkeyAuthentication yes

    ```

    Reply View the author
    蔡EEPIN
    deepin
    2021-02-02 02:08
    #5

    走密钥对要好很多

    Reply View the author
    bluesky_
    deepin
    2021-02-02 05:26
    #6
    剥壳白煮蛋

    只要 PasswordAuthentication no 就不怕,不放心的可以检查一下 /etc/ssh
    /ssh_config

    ```

    Host *
    #   ForwardAgent no
    #   ForwardX11 no
    #   ForwardX11Trusted yes
        PasswordAuthentication no
    #   HostbasedAuthentication no
    #   GSSAPIAuthentication no
    #   GSSAPIDelegateCredentials no
    #   GSSAPIKeyExchange no
    #   GSSAPITrustDNS no
    #   BatchMode no
    #   CheckHostIP yes
    #   AddressFamily any
    #   ConnectTimeout 0
    #   StrictHostKeyChecking ask
    #   IdentityFile ~/.ssh/id_rsa
    #   IdentityFile ~/.ssh/id_dsa
    #   IdentityFile ~/.ssh/id_ecdsa
    #   IdentityFile ~/.ssh/id_ed25519
    #   Port 22
    #   Protocol 2
    #   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
    #   MACs hmac-md5,hmac-sha1,umac-64@openssh.com
    #   EscapeChar ~
    #   Tunnel no
    #   TunnelDevice any:any
    #   PermitLocalCommand no
    #   VisualHostKey no
    #   ProxyCommand ssh -q -W %h:%p gateway.example.com
    #   RekeyLimit 1G 1h
        SendEnv LANG LC_*
        HashKnownHosts yes
        GSSAPIAuthentication yes
        PubkeyAuthentication yes

    ```

    额,我的默认是yes咋办

    Host *
    #   ForwardAgent no
    #   ForwardX11 no
    #   ForwardX11Trusted yes
    #   PasswordAuthentication yes
    #   HostbasedAuthentication no
    #   GSSAPIAuthentication no
    #   GSSAPIDelegateCredentials no
    #   GSSAPIKeyExchange no
    #   GSSAPITrustDNS no
    #   BatchMode no
    #   CheckHostIP yes
    #   AddressFamily any
    #   ConnectTimeout 0
    #   StrictHostKeyChecking ask
    #   IdentityFile ~/.ssh/id_rsa
    #   IdentityFile ~/.ssh/id_dsa
    #   IdentityFile ~/.ssh/id_ecdsa
    #   IdentityFile ~/.ssh/id_ed25519
    #   Port 22
    #   Protocol 2
    #   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
    #   MACs hmac-md5,hmac-sha1,umac-64@openssh.com
    #   EscapeChar ~
    #   Tunnel no
    #   TunnelDevice any:any
    #   PermitLocalCommand no
    #   VisualHostKey no
    #   ProxyCommand ssh -q -W %h:%p gateway.example.com
    #   RekeyLimit 1G 1h
        SendEnv LANG LC_*
        HashKnownHosts yes
        GSSAPIAuthentication yes

    Reply View the author
    剥壳白煮蛋
    deepin
    2021-02-02 07:01
    #7
    bluesky_

    额,我的默认是yes咋办

    Host *
    #   ForwardAgent no
    #   ForwardX11 no
    #   ForwardX11Trusted yes
    #   PasswordAuthentication yes
    #   HostbasedAuthentication no
    #   GSSAPIAuthentication no
    #   GSSAPIDelegateCredentials no
    #   GSSAPIKeyExchange no
    #   GSSAPITrustDNS no
    #   BatchMode no
    #   CheckHostIP yes
    #   AddressFamily any
    #   ConnectTimeout 0
    #   StrictHostKeyChecking ask
    #   IdentityFile ~/.ssh/id_rsa
    #   IdentityFile ~/.ssh/id_dsa
    #   IdentityFile ~/.ssh/id_ecdsa
    #   IdentityFile ~/.ssh/id_ed25519
    #   Port 22
    #   Protocol 2
    #   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
    #   MACs hmac-md5,hmac-sha1,umac-64@openssh.com
    #   EscapeChar ~
    #   Tunnel no
    #   TunnelDevice any:any
    #   PermitLocalCommand no
    #   VisualHostKey no
    #   ProxyCommand ssh -q -W %h:%p gateway.example.com
    #   RekeyLimit 1G 1h
        SendEnv LANG LC_*
        HashKnownHosts yes
        GSSAPIAuthentication yes

    # 井号是注释用的,那一行并不真正起效。

    Reply View the author
    deepinuser17
    deepin
    2021-02-02 07:51
    #8

    除了禁用口令, 还可以限制用户, 以及网络地址. 

     

    比如只允许来自本地网192.168.1.0/24和单一地址10.10.10.10的连接, 加入AllowUsers 或者AllowGroup.

    AllowUsers user1@192.168.1.* user1@10.10.10.10
    Reply View the author
    duansk
    deepin
    2021-02-05 19:45
    #9

    如果不需要用ssh的话,可以使用apt-get purge卸载。

    Reply View the author