Blocking certain users from SSH remote login

WinJay
2013-09-04

[root@localhost ~]# vi /etc/pam.d/sshd

Add the following rule as the first line. It must be on the first line, because PAM processes rules in order from the top:
auth required pam_listfile.so item=user sense=deny file=/etc/sshdusers onerr=succeed
#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
#pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
#pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth

# Check which users exist on this server

[root@localhost ~]# cd /home/
[root@localhost home]# ls
git

Add this user's name to the list file:
[root@localhost home]# vi /etc/sshdusers
git
Add git to the file (git is a local user).

# Restart the sshd service
[root@localhost home]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
Test from another terminal:

Last login: Wed Sep  4 14:45:19 2013 from 10.191.197.161
root@Git-Ubutntu:~# ssh git@202.205.161.48
The authenticity of host '202.205.161.48 (202.205.161.48)' can't be established.
RSA key fingerprint is 40:2a:10:80:c3:20:e6:ea:fe:4a:4d:cd:79:df:86:29.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '202.205.161.48' (RSA) to the list of known hosts.
git@202.205.161.48's password:
Permission denied, please try again.
git@202.205.161.48's password:
Permission denied, please try again.
git@202.205.161.48's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
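I also saw that some people solve this by "setting DenyUsers in /etc/ssh/sshd_config", but when I edited that file I could not find a DenyUsers field, so I did not get that to work.

The test result: user git cannot log in remotely over SSH.

Next, check whether remote SSH login as root still works.
root@Git-Ubutntu:~# ssh root@202.205.161.48
root@202.205.161.48's password: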
Last login: Wed Sep 4 15:00:45 2013 from 10.191.197.39
[root@localhost ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:15:5D:A1:58:09
inet addr:202.205.161.48 Bcast:202.205.161.255 Mask:255.255.254.0
inet6 addr: fe80::215:5dff:fea1:5809/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:11199428 errors:0 dropped:0 overruns:0 frame:0
TX packets:191501 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2603340038 (2.4 GiB) TX bytes:13760114 (13.1 MiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:226 errors:0 dropped:0 overruns:0 frame:0
TX packets:226 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:29132 (28.4 KiB) TX bytes:29132 (28.4 KiB)

[root@localhost ~]#

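The test above shows that root can still log in remotely over SSH as normal!

##########################################################
Next, test whether the git client can still work over SSH while SSH remote login is blocked for the git user.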

root@Git-Ubutntu:~# cd /home/git/
root@Git-Ubutntu:/home/git# ls
myworkplace
root@Git-Ubutntu:/home/git# cd myworkplace/
root@Git-Ubutntu:/home/git/myworkplace# ls
git-test
root@Git-Ubutntu:/home/git/myworkplace# cd git-test/
root@Git-Ubutntu:/home/git/myworkplace/git-test# ls
file.txt
root@Git-Ubutntu:/home/git/myworkplace/git-test# git log
commit dfe7feafbe3f95f6217cb59eda3c117e7057e852
Author: user <user@qq.com>
Date: Tue Sep 3 16:25:10 2013 +0800

    version1.1 user.qq

commit 7fdbd209fa4278d26ac544e6a3ed327129ad236e
Author: Jeffery <Jeffery@localhost.localdomain>
Date: Wed Sep 4 00:18:50 2013 +0800

    version 1.0 (zhangwj)
root@Git-Ubutntu:/home/git/myworkplace/git-test# vi file.txt
version 1.0 (zhangwj);
version 1.1 (user.qq);
version 1.2 (user.qq); Test the Ssh is OK?
~

"file.txt" 3L, 90C written
root@Git-Ubutntu:/home/git/myworkplace/git-test# git add file.txt
root@Git-Ubutntu:/home/git/myworkplace/git-test# git commit -a -m "test the ssh is ok"

*** Please tell me who you are.

Run

git config --global user.email "you@example.com"
git config --global user.name "Your Name"

to set your account's default identity.
Omit --global to set the identity only in this repository.

fatal: unable to auto-detect email address (got 'root@Git-Ubutntu.(none)')

# Git asks me to set its global configuration, so configure the user name and e-mail

root@Git-Ubutntu:/home/git/myworkplace/git-test# git config --global user.email "user@qq.com"
root@Git-Ubutntu:/home/git/myworkplace/git-test# git config --global user.name "user"
root@Git-Ubutntu:/home/git/myworkplace/git-test# git commit -a -m"test the ssh is ok"
[master 84386d7] test the ssh is ok
1 file changed, 1 insertion(+)
# The above shows that committing to the local repository works.

Now the key test: whether the commit can be pushed to the server.

root@Git-Ubutntu:/home/git/myworkplace/git-test# git push
warning: push.default is unset; its implicit value is changing in
Git 2.0 from 'matching' to 'simple'. To squelch this message
and maintain the current behavior after the default changes, use:

git config --global push.default matching

To squelch this message and adopt the new behavior now, use:

git config --global push.default simple

See 'git help config' and search for 'push.default' for further information.
(the 'simple' mode was introduced in Git 1.7.11. Use the similar mode
'current' instead of 'simple' if you sometimes use older versions of Git)

git@202.205.161.48's password:
Permission denied, please try again.
git@202.205.161.48's password:
Permission denied, please try again.
git@202.205.161.48's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

The test failed: the remote repository cannot be reached.

The push below succeeded, because I removed the SSH login restriction for the git user on the git server.
root@Git-Ubutntu:/home/git/myworkplace/git-test# git push
warning: push.default is unset; its implicit value is changing in
Git 2.0 from 'matching' to 'simple'. To squelch this message
and maintain the current behavior after the default changes, use:

git config --global push.default matching

To squelch this message and adopt the new behavior now, use:

git config --global push.default simple

See 'git help config' and search for 'push.default' for further information.
(the 'simple' mode was introduced in Git 1.7.11. Use the similar mode
'current' instead of 'simple' if you sometimes use older versions of Git)

git@202.205.161.48's password:
Counting objects: 5, done.
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 297 bytes, done.
Total 3 (delta 0), reused 0 (delta 0)
To git@202.205.161.48:/home/git/git-test
dfe7fea..84386d7 master -> master

root@Git-Ubutntu:/home/git/myworkplace/git-test# git log
commit 84386d7e6c4b4fc506efbd02e402fc993c15e011
Author: user <user@qq.com>
Date: Wed Sep 4 15:16:16 2013 +0800

    test the ssh is ok

commit dfe7feafbe3f95f6217cb59eda3c117e7057e852
Author: user <user@qq.com>
Date: Tue Sep 3 16:25:10 2013 +0800

    version1.1 user.qq

commit 7fdbd209fa4278d26ac544e6a3ed327129ad236e
Author: Jeffery <Jeffery@localhost.localdomain>
Date: Wed Sep 4 00:18:50 2013 +0800

    version 1.0 (zhangwj)

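Conclusion: once a user is blocked from SSH remote login, git can no longer be used with password authentication either!

Next step: test git login using public/private key authentication!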
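
An added example, not part of the original post: a shell function that audits the setup described above. It checks that the pam_listfile rule is the first active rule, that its deny list exists and is not world-writable, and it flags that an auth rule is not consulted for public-key logins. The function name audit_listfile and the scratch directory are assumptions for illustration; the sample PAM file is constructed from the lines shown in this post.

```shell
#!/bin/sh
# Audit a pam_listfile deny rule in a PAM service file (added example).
# Prints one finding per line; returns 1 if any finding is a FAIL.
audit_listfile() {
    pam=$1; rc=0
    # Active rules only: drop comments and blank lines, trim indentation.
    rules=$(grep -Ev '^[[:space:]]*(#|$)' "$pam" | sed 's/^[[:space:]]*//')
    rule=$(printf '%s\n' "$rules" | grep -F 'pam_listfile.so' | head -n 1)
    if [ -z "$rule" ]; then
        echo "FAIL no pam_listfile rule in $pam"; return 1
    fi
    # The post's requirement: the rule must run before every other rule.
    if [ "$(printf '%s\n' "$rules" | head -n 1)" != "$rule" ]; then
        echo "FAIL pam_listfile is not the first active rule"; rc=1
    fi
    # An auth rule is only consulted when sshd runs the PAM auth stack
    # (password logins); public-key logins skip that stack.
    case $rule in
        auth*) echo "WARN auth rule: public-key logins are not checked" ;;
    esac
    list=$(printf '%s\n' "$rule" | sed -n 's/.*[[:space:]]file=\([^[:space:]]*\).*/\1/p')
    if [ ! -f "$list" ]; then
        # onerr=succeed makes the module pass when the list cannot be read.
        case $rule in
            *onerr=succeed*) echo "FAIL $list missing, onerr=succeed: nobody is denied" ;;
            *) echo "FAIL $list missing" ;;
        esac
        return 1
    fi
    # The deny list is security policy: other users must not be able to edit it.
    if [ -n "$(find "$list" -perm -0002)" ]; then
        echo "FAIL $list is world-writable"; rc=1
    fi
    echo "INFO denied users: $(grep -c . "$list")"
    return $rc
}

# Constructed sample input in a scratch directory (not the real /etc).
demo=$(mktemp -d)
cat > "$demo/sshd" <<EOF
auth required pam_listfile.so item=user sense=deny file=$demo/sshdusers onerr=succeed
#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
EOF
audit_listfile "$demo/sshd" || true    # deny list not created yet
printf 'git\n' > "$demo/sshdusers"; chmod 600 "$demo/sshdusers"
audit_listfile "$demo/sshd"
```

On a real host, pass /etc/pam.d/sshd as the argument after editing it and before restarting sshd.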
