How to restrict or allow SSH only from certain users, groups or hosts in Linux

Time: 2020-02-23 14:40:20  Source: igfitidea

How to configure SSH to allow root login only from specific hosts or IP addresses?
How to configure SSH to allow login only for certain users and/or groups?
How to restrict password-based login to certain users and/or hosts only?
How to restrict SSH login to certain users only?
How to allow SSH login as root only from certain hosts?

Restrict SSH login as root from a specific host

Here are the steps to restrict ssh as the root user from node2 (10.0.2.31) only; root from all other hosts will still be able to ssh into node3.
In the previous article I shared the commands to check and list active ssh connections, with examples.

Open the sshd_config file for editing

[root@node3 ~]# vim /etc/ssh/sshd_config
# Keep this at 'yes' so that root may still log in from all other hosts
PermitRootLogin yes
# Match block (keep it at the end of the file): deny root login only from node2 (10.0.2.31)
Match Address 10.0.2.31
        PermitRootLogin no

Next, exit the editor and restart the sshd service. A Match block stays in effect until the next Match line or the end of the file, so keep such blocks at the very end of sshd_config; anything placed after them is silently treated as part of the block. Keep your current session open while restarting, since a typo in sshd_config stops sshd from starting and can lock you out.

[root@node3 ~]# systemctl restart sshd

Now from node2 (10.0.2.31) I will try to ssh to node3, and as expected it fails

[root@node2 ~]# ssh node3
root@node3's password:
Permission denied, please try again.
root@node3's password:

If we check the syslog on node3 we get more information about why the ssh login failed. Even when root is refused by the Match block, sshd still runs the password check, so the log shows a generic failed password rather than an explicit "root refused from this host" message.

[root@node3 ~]# tail -f /var/log/messages
Jan 01 23:00:09 node3.example.com unix_chkpwd[14005]: password check failed for user (root)
Jan 01 23:00:09 node3.example.com sshd[14003]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.31  user=root
Jan 01 23:00:09 node3.example.com sshd[14003]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jan 01 23:00:11 node3.example.com sshd[14003]: Failed password for root from 10.0.2.31 port 41534 ssh2

Allow SSH login with a password only from specific hosts

To allow password-based SSH login only from specific hosts, for example when enforcing strict public-key authentication for all users while making an exception for one trusted host:

[root@node3 ~]# vim /etc/ssh/sshd_config
# Set this to 'no' to deny password based login from everywhere
PasswordAuthentication no
# Match block: allow password based login only from node2 (10.0.2.31)
Match Address 10.0.2.31
        PasswordAuthentication yes

Restart the sshd service for the change to take effect

[root@node3 ~]# systemctl restart sshd

Now try to SSH from any other host (other than node2) and observe the result on node3

[root@node3 ~]# tail -f /var/log/messages
Jan 02 19:51:34 node3.example.com sshd[4482]: error: Received disconnect from 10.0.2.2 port 52068:14: No supported authentication methods available [preauth]
Jan 02 19:51:34 node3.example.com sshd[4482]: Disconnected from 10.0.2.2 port 52068 [preauth]

As expected, the SSH login is not allowed: the client offered no key and password authentication is disabled for its address, so no authentication method is left.

Now try to SSH from node2

[root@node2 ~]# ssh root@node3
root@node3's password:
Last login: Thu Jan  2 19:48:16 2019 from 10.0.2.2
[root@node3 ~]#

So we were able to SSH from node2 to node3 successfully.

Observe the messages in syslog on node3

[root@node3 ~]# tail -f /var/log/messages
Jan 02 19:54:01 node3.example.com sshd[4510]: Accepted password for root from 10.0.2.31 port 36304 ssh2
Jan 02 19:54:01 node3.example.com systemd[1]: Started Session 3 of user root.
Jan 02 19:54:01 node3.example.com sshd[4510]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 02 19:54:01 node3.example.com systemd-logind[2775]: New session 3 of user root.
Jan 02 19:54:02 node3.example.com dbus[2764]: [system] Activating service name='org.freedesktop.problems' (using servicehelper)
Jan 02 19:54:02 node3.example.com dbus[2764]: [system] Successfully activated service 'org.freedesktop.problems'

Allow SSH from certain users, hosts and subnets

To allow password-based SSH login only for the user 'hynman' and only from hosts in the subnet 10.0.2.*, make the following change in sshd_config. Both criteria on the Match line must hold for the block to apply. The Address criterion also accepts CIDR notation such as 10.0.2.0/24, which is less error-prone than a wildcard (a pattern like 10.0.2* would also match 10.0.20.x). Note that this governs password authentication only: a user with a key in authorized_keys can still log in from anywhere. To deny the login itself regardless of authentication method, use AllowUsers/AllowGroups (or DenyUsers/DenyGroups) instead of a PasswordAuthentication exception.

[root@node3 ~]# vim /etc/ssh/sshd_config
# Set this to 'no' to deny password based login from everywhere
PasswordAuthentication no
# Match block: allow password based login for user hynman from subnet 10.0.2.* (both criteria must match)
Match User hynman Address 10.0.2.*
        PasswordAuthentication yes

Restart the sshd service for the change to take effect

[root@node3 ~]# systemctl restart sshd

Next, try to SSH from node2 to node3 as any other user; as expected, SSH is denied.

[root@node2 ~]# ssh root@node3
Permission denied (publickey).

Check the syslog on node3 for the reason of the denial

Jan 02 20:06:31 node3.example.com sshd[4716]: Connection closed by 10.0.2.31 port 36312 [preauth]

Now try to SSH from node2 as user 'hynman'

[root@node2 ~]# ssh hynman@node3
hynman@node3's password:
Last login: Mon Nov 25 20:56:05 2019
[hynman@node3 ~]$

As expected, the login succeeds.

Observe the messages in syslog on node3.

[root@node3 ~]# tail -f /var/log/messages
Jan 02 20:07:12 node3.example.com sshd[4718]: Accepted password for hynman from 10.0.2.31 port 36314 ssh2
Jan 02 20:07:13 node3.example.com systemd[1]: Created slice User Slice of hynman.
Jan 02 20:07:13 node3.example.com systemd[1]: Started Session 6 of user hynman.
Jan 02 20:07:13 node3.example.com systemd-logind[2775]: New session 6 of user hynman.
Jan 02 20:07:13 node3.example.com sshd[4718]: pam_unix(sshd:session): session opened for user hynman by (uid=0)

Allow SSH login only for a specific group

To allow password-based SSH login only for users belonging to the 'techteam' group, add the following to sshd_config. As in the previous section this governs password authentication only; to deny logins outright for everyone outside the group, use AllowGroups.

[root@node3 ~]# vim /etc/ssh/sshd_config
# Set this to 'no' to deny password based login from everywhere
PasswordAuthentication no
# Match block: allow password based login for all users in group 'techteam'
Match Group techteam
        PasswordAuthentication yes

Restart the sshd service for the change to take effect

[root@node3 ~]# systemctl restart sshd

Here 'hynman' is a member of my 'techteam' group

[root@node2 ~]# ssh hynman@node3
hynman@node3's password:
Last login: Thu Jan  2 20:56:07 2019 from 10.0.2.31

So 'hynman' is now able to SSH to node3 successfully.

[root@node3 ~]# tail -f /var/log/messages
Jan 02 21:12:44 node3.example.com sshd[5847]: Accepted password for hynman from 10.0.2.31 port 36370 ssh2
Jan 02 21:12:44 node3.example.com systemd[1]: Created slice User Slice of hynman.
Jan 02 21:12:44 node3.example.com systemd[1]: Started Session 17 of user hynman.
Jan 02 21:12:45 node3.example.com systemd-logind[2775]: New session 17 of user hynman.
Jan 02 21:12:45 node3.example.com sshd[5847]: pam_unix(sshd:session): session opened for user hynman by (uid=0)

I will log out of the 'hynman' user's session

[hynman@node3 ~]$ logout
Connection to node3 closed.

Next, I will try SSH as another user, 'sharan', who is not part of techteam

[root@node3 ~]# id sharan
uid=1003(sharan) gid=1003(sharan) groups=1003(sharan)
[root@node3 ~]# ssh sharan@node3
Permission denied (publickey).

As expected, SSH is denied on node3 with the following message

[root@node3 ~]# tail -f /var/log/messages
Jan 02 22:47:00 node3.example.com sshd[6938]: Connection closed by 10.0.2.31 port 36396 [preauth]
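The Match semantics that all four configurations above rely on (a block runs until the next Match line or the end of the file, the criteria on one Match line are ANDed, and for each keyword the first matching block that sets it wins), as an added example that is not code from the original page: a small Python model of sshd's resolution logic, replaying the page's root/host, user+subnet and group scenarios against one constructed sshd_config. The group table, the combined config, the "trailing global line" config and the compiled-in defaults are assumptions stated in the code; only the User, Group and Address criteria are modelled.

```python
"""Model of how sshd picks a keyword's value across Match blocks (added example,
not code from the original page). Rules modelled, from sshd_config(5): a Match
block runs until the next Match line or end of file; every criterion on one Match
line must hold (ANDed); Address accepts wildcards, CIDR, comma lists and '!';
per keyword the first matching block that sets it wins, then the global section,
then sshd's compiled-in default. Only User, Group and Address are modelled."""
import ipaddress
from fnmatch import fnmatchcase

# Constructed stand-in for the group lookup on node3 (assumed: hynman is in
# techteam, sharan is not, as the page's `id sharan` output shows for sharan).
GROUPS = {"root": {"root"}, "hynman": {"hynman", "techteam"}, "sharan": {"sharan"}}
# Compiled-in defaults for the two keywords (OpenSSH 7.0 and later).
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}

# Constructed config that stacks the page's three Match blocks in one file.
SAMPLE_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication no

Match Address 10.0.2.31
    PermitRootLogin no
    PasswordAuthentication yes

Match User hynman Address 10.0.2.0/24
    PasswordAuthentication yes

Match Group techteam
    PasswordAuthentication yes
"""

# Constructed config with a common mistake: the intended global line comes after
# a Match block, so it belongs to that block and never applies globally.
TRAILING_GLOBAL_CONFIG = """\
Match Address 10.0.2.31
    PermitRootLogin no
PasswordAuthentication no
"""

def parse_config(text):
    """Return (global_settings, blocks); each block is (criteria, settings)."""
    global_settings, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.replace("\t", " ").partition(" ")
        keyword, value = keyword.lower(), value.strip()
        if keyword == "match":
            tokens = value.split()
            if len(tokens) % 2:
                raise ValueError(f"Match needs criterion/value pairs: {line}")
            current = ([(tokens[i].lower(), tokens[i + 1]) for i in range(0, len(tokens), 2)], {})
            blocks.append(current)
        elif current is None:
            global_settings.setdefault(keyword, value)  # first value wins, as in sshd
        else:
            current[1].setdefault(keyword, value)       # same rule inside a block
    return global_settings, blocks

def _one_matches(pattern, candidate, is_address):
    if is_address and "/" in pattern:
        # strict=True rejects 10.0.2.31/24 just as sshd's "inconsistent mask" check does
        return ipaddress.ip_address(candidate) in ipaddress.ip_network(pattern, strict=True)
    return fnmatchcase(candidate, pattern)

def match_pattern_list(patterns, candidate, is_address=False):
    """Like ssh's match_pattern_list(): -1 if a negated entry hits, 1 if a positive one does, else 0."""
    found = 0
    for pattern in patterns.split(","):
        negate = pattern.startswith("!")
        if _one_matches(pattern[1:] if negate else pattern, candidate, is_address):
            if negate:
                return -1
            found = 1
    return found

def group_match(pattern, groups):
    """sshd's group test: a negated hit on any group rejects, else any positive hit accepts."""
    results = [match_pattern_list(pattern, group) for group in groups]
    return -1 not in results and 1 in results

def criteria_match(criteria, conn):
    """All criteria on a Match line must hold; a criterion not modelled raises KeyError."""
    tests = {
        "user": lambda p: match_pattern_list(p, conn["user"]) == 1,
        "group": lambda p: group_match(p, GROUPS.get(conn["user"], set())),
        "address": lambda p: match_pattern_list(p, conn["addr"], is_address=True) == 1,
    }
    return all(tests[criterion](pattern) for criterion, pattern in criteria)

def effective(keyword, conn, config_text=SAMPLE_CONFIG):
    """Value of `keyword` that sshd would apply to conn = {"user": ..., "addr": ...}."""
    keyword = keyword.lower()
    global_settings, blocks = parse_config(config_text)
    for criteria, settings in blocks:
        if keyword in settings and criteria_match(criteria, conn):
            return settings[keyword]
    return global_settings.get(keyword, DEFAULTS.get(keyword))
```

Calling effective("PasswordAuthentication", {"user": "sharan", "addr": "10.0.2.31"}) against the combined config returns "yes", not the "no" the page's group-only file produced: the host-only exception in the first block matches before the Group block is even considered, so stacking the page's snippets in one file widens the exception to every account on node2. With TRAILING_GLOBAL_CONFIG, effective("PasswordAuthentication", {"user": "sharan", "addr": "10.0.2.9"}) comes back as the compiled-in "yes", because the line meant to be global sits inside the Match block. On a real host the authoritative version of this check is sshd -T -C user=sharan,addr=10.0.2.31 (and sshd -t before each restart), which prints the settings sshd would actually apply to that connection.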