Discussion on PermitRootLogin in sshd_config
2022-07-01 11:19:00 【Full Stack Programmer webmaster】
Hello everyone, nice to see you again. I'm your friend Quan Jun.
Options for PermitRootLogin
As everyone knows, sshd_config is the configuration file of sshd. Its PermitRootLogin option restricts how the root user may log in over ssh: login forbidden, no password login, key-only login, or login fully open. The options are summarised below:
| Option | Allows ssh login | Login method | Interactive shell |
|---|---|---|---|
| yes | allowed | no restriction | no restriction |
| without-password | allowed | anything except a password | no restriction |
| forced-commands-only | allowed | key only | only the authorized command |
| no | not allowed | N/A | N/A |
Of the options above, yes and no are self-explanatory: they simply permit or forbid root login outright. without-password builds on yes but additionally forbids root from logging in with a password.
What forced-commands-only does
Only the forced-commands-only parameter remains unclear so far; the online reference material offers nothing more than the following description:
If this option is set to “forced-commands-only”, root login with public key authentication will be allowed, but only if the command option has been specified (which may be useful for taking remote backups even if root login is normally not allowed). All other authentication methods are disabled for root.
In short, once forced-commands-only is set, root may only log in with a key, and may then only run the command permitted by the command option. This mode is typically used where root needs to log in regularly but only to run a specified script or command, such as periodic backups or fixed maintenance tasks. How that command is specified, however, is not explained there. Determined to get to the bottom of it, I searched through all kinds of material and finally found where the command option belongs: in the authorized_keys file in the /root/.ssh/ directory. By default a line in authorized_keys looks like this:
```
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAt0BETg9J6hZb5Kqxy+yfNtKHfwxUELz7PqGtGiM5eNb8DHC8kj02SCFoql5rpaecMGybWRiSK8/k+EsK7TMgd4O+p6WkNyLD3WZrmVzUEPaxAdYf1eeCQooTJ+B1TKXDNlF9t8xTVsHd67HmPWYU6i3+kaDSX7cbrz2ds2zUGSozj1UQ8AJDJMbGOqpjs3nVh2EpSDgY7znqmUDnygVPiM4c3OfEzs5iCxVd4ggpPhH8d0bwy8RmPsooxJYUY4rE1C5iWCvB7P810yUFB0OilxiX9AfZa9shC3n5bqaX0ioY1eC44hFFPL602fJyKMj6w/zxN5aIeFO03Sl9+FU4YQ== [email protected]
```
The command option is added at the beginning of that line (note the plain ASCII double quotes, which sshd requires):

```
command="/bin/ps" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAt0BETg9J6hZb5Kqxy+yfNtKHfwxUELz7PqGtGiM5eNb8DHC8kj02SCFoql5rpaecMGybWRiSK8/k+EsK7TMgd4O+p6WkNyLD3WZrmVzUEPaxAdYf1eeCQooTJ+B1TKXDNlF9t8xTVsHd67HmPWYU6i3+kaDSX7cbrz2ds2zUGSozj1UQ8AJDJMbGOqpjs3nVh2EpSDgY7znqmUDnygVPiM4c3OfEzs5iCxVd4ggpPhH8d0bwy8RmPsooxJYUY4rE1C5iWCvB7P810yUFB0OilxiX9AfZa9shC3n5bqaX0ioY1eC44hFFPL602fJyKMj6w/zxN5aIeFO03Sl9+FU4YQ== [email protected]
```

That completes the configuration. A user who logs in with this public key may only execute /bin/ps, gets no interactive shell, and can only run the single command given in command= on each connection.
So here comes the question
Careful readers may notice that, because there is no interactive shell, only one command can be given in command=. What if you want to run several commands? This is where a shell script comes in: put all the commands to be run into a shell script and write the absolute path of that script in command=. For example, the sample script hi.sh:
```
#!/bin/sh
echo This is huigher speaking
echo Now is `date`
```

The actual result when running it (huigher is the alias of the ssh connection target):

```
[[email protected] .ssh]# ssh huigher
This is huigher speaking
Now is Sat Oct 29 16:13:36 CST 2016
Connection to 121.40.xxx.xxx closed.
```

Enough talk, let's try it
After all that you may still be a little confused, so let's do it hands-on.
Configure the key pair
Because forced-commands-only mode allows key login only, you first need to configure a public/private key pair.
- On your local machine, run `ssh-keygen -t rsa` to generate a key pair. During the process you choose the directory in which the private key is stored (/YourPath/YourPrivateKey) and a passphrase (empty in this example).
- Put the generated public key on the remote server by appending it to ~/.ssh/authorized_keys, for example `cat id_rsa.pub >> ~/.ssh/authorized_keys`.
- Make sure the ~/.ssh/ directory has permissions 700 and ~/.ssh/authorized_keys has permissions 600.
- Edit /etc/ssh/sshd_config and make sure the following lines are present:

```
RSAAuthentication yes
PubkeyAuthentication yes
```
Set the forced-commands-only parameters
- Edit /etc/ssh/sshd_config and add the following line:

```
PermitRootLogin forced-commands-only
```

- Open ~/.ssh/authorized_keys, find the public key line you just appended, and prefix it with command="/YourPath/YourFile", for example:

```
command="/usr/hi.sh" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAt0BETg9J6hZb5Kqxy+yfNtKHfwxUELz7PqGtGiM5eNb8DHC8kj02SCFoql5rpaecMGybWRiSK8/k+EsK7TMgd4O+p6WkNyLD3WZrmVzUEPaxAdYf1eeCQooTJ+B1TKXDNlF9t8xTVsHd67HmPWYU6i3+kaDSX7cbrz2ds2zUGSozj1UQ8AJDJMbGOqpjs3nVh2EpSDgY7znqmUDnygVPiM4c3OfEzs5iCxVd4ggpPhH8d0bwy8RmPsooxJYUY4rE1C5iWCvB7P810yUFB0OilxiX9AfZa9shC3n5bqaX0ioY1eC44hFFPL602fJyKMj6w/zxN5aIeFO03Sl9+FU4YQ== [email protected]
```
Finishing up and testing
- Restart the sshd process.
- Connect from the client with `ssh root@121.40.xxx.xxx -i /YourPath/YourPrivateKey`. If that is too much typing, you can also create a config file in the client's .ssh folder and give the host an alias there, so that `ssh huigher` is enough to connect:

```
Host huigher
    HostName 121.40.xxx.xxx
    Port 22
    User root
    IdentityFile /YourPath/YourPrivateKey
```

- After configuration the result looks like this:

```
[[email protected] .ssh]# ssh huigher
This is huigher speaking
Now is Sat Oct 29 16:13:36 CST 2016
Connection to 121.40.xxx.xxx closed.
```

- Nothing other than the command given in command= can be executed; there is not even an interactive shell, let alone a way to run arbitrary commands, so the security is relatively high.
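As an added example (not code from the original post), the following Python helper audits root's authorized_keys for the setup described in the two sections above: it parses each line, including the options field with its double-quote and backslash escaping, and flags keys that lack command= or that combine command= with none of restrict, no-port-forwarding or no-pty, since a forced command by itself still lets the client request port forwarding or a pty. The key blobs in the embedded sample are constructed placeholders, not real keys.

```python
"""Hypothetical audit helper (added example, not the original post's code): parses authorized_keys
lines, options field and quoting included, and flags root keys that give more than one forced command."""
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
RESTRICTIVE = {"restrict", "no-port-forwarding", "no-pty"}  # confine command= to the command itself

def parse_line(line):
    """Return (options, key type, comment) for one key line.
    Options are comma separated; values are double-quoted and a backslash escapes a character."""
    line = line.strip()
    opts, i, n = {}, 0, len(line)
    if not line.startswith(KEY_TYPES):                 # an options field precedes the key
        while i < n and not line[i].isspace():
            j = i
            while j < n and line[j] not in "=," and not line[j].isspace():
                j += 1
            name, value = line[i:j], None
            if line[j:j + 2] == '="':                  # a quoted value follows
                j, buf = j + 2, []
                while j < n and line[j] != '"':
                    if line[j] == "\\" and j + 1 < n:
                        j += 1                         # keep the escaped character
                    buf.append(line[j])
                    j += 1
                value, j = "".join(buf), j + 1         # skip the closing quote
            opts[name] = value
            i = j + 1 if line[j:j + 1] == "," else j   # skip the separating comma
    parts = line[i:].split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError("malformed authorized_keys line")
    return opts, parts[0], (parts[2] if len(parts) == 3 else "")

def audit(authorized_keys_text):
    """(line number, comment, reason) for every key that is not one restricted forced command."""
    findings = []
    for num, raw in enumerate(authorized_keys_text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        opts, _, comment = parse_line(raw)
        if "command" not in opts:
            findings.append((num, comment, "no command=: rejected under forced-commands-only, full shell if relaxed"))
        elif not RESTRICTIVE & set(opts):
            findings.append((num, comment, "command= alone still permits port forwarding and a pty"))
    return findings

SAMPLE = """# root's authorized_keys (constructed sample; key blobs are fake placeholders)
command="/usr/hi.sh" ssh-rsa AAAAB3NzaC1yc2EFAKE== backup@example
restrict,command="/usr/local/bin/backup.sh \\"daily\\"",from="10.0.0.0/8" ssh-ed25519 AAAAC3NzaFAKE admin@example
ssh-rsa AAAAB3NzaC1yc2EFAKE2== laptop@example
"""
```

Running `audit(SAMPLE)` reports the plain hi.sh key (no forwarding/pty restriction) and the key with no command= at all, while the restrict line passes.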
Finally
This article was written in a hurry, so mistakes and omissions are inevitable. If you find any, please leave a comment. Thank you!
References
- https://www.novell.com/support/kb/doc.php?id=7007565
- http://askubuntu.com/questions/449364/what-does-without-password-mean-in-sshd-config-file
Publisher: Full Stack Programmer webmaster. Please credit the source when reprinting: https://javaforall.cn/131634.html. Link to the original text: https://javaforall.cn