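Friday, May 30, 2014

Redmine 2.5.1: 500 error when clicking "My account" and personal settings


I installed Redmine 2.5.1. Since I had set it up before, the installation went fairly smoothly, but afterwards I found a problem: after logging in to the back end, clicking "My account" or "Administration" -> "Settings" produced an error.
The page showed "Internal error", and the page title was "redmine 500 error".

The Ruby version is 1.9.3.

Later I found another solution that finally solved my problem. It is given below for reference.
# cd /var/www/redmine
# vi app/helpers/application_helper.rb
Find the following content and delete or add lines as indicated.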
  def lang_options_for_select(blank=true)
    (blank ? [["(auto)", ""]] : []) + languages_options  # delete this line
    (blank ? [["(auto)", ""]] : []) +                    # add this line
      valid_languages.collect{|lang| [ ll(lang.to_s, :general_lang_name), lang.to_s]}.sort{|x,y| x.last <=> y.last }  # add this line
  end

# vi lib/redmine/i18n.rb
Find the following content and delete all of it.
    # Returns an array of languages names and code sorted by names, example:
    # [["Deutsch", "de"], ["English", "en"] ...]
    #
    # The result is cached to prevent from loading all translations files.
    def languages_options
      ActionController::Base.cache_store.fetch "i18n/languages_options" do
        valid_languages.map {|lang| [ll(lang.to_s, :general_lang_name), lang.to_s]}.sort {|x,y| x.first <=> y.first }
      end     
    end

# vi test/unit/lib/redmine/i18n_test.rb
Find the following content and delete all of it.
  def test_languages_options
    options = languages_options
    assert options.is_a?(Array)
    assert_equal valid_languages.size, options.size
    assert_nil options.detect {|option| !option.is_a?(Array)}
    assert_nil options.detect {|option| option.size != 2}
    assert_nil options.detect {|option| !option.first.is_a?(String) || !option.last.is_a?(String)}
    assert_include ["English", "en"], options
  end

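Monday, May 26, 2014

nginx auth_basic authentication

Sometimes you need to add access authentication to a specific directory, as you would in Apache. Under Apache this is usually done with htpasswd, and htpasswd is included in apache2-utils.


Take a simple admin back end as an example, at http://xxxx/admin/*, with access control applied to the files under admin.
1. Generate the password file with the command: htpasswd -c -d /etc/nginx/pass_file  username
2. Modify the nginx configuration
location ~ /admin {
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/pass_file; # use an absolute path
        root   /home/www/admin; # site root; otherwise the files cannot be found after authentication succeeds
}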

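The htpasswd command

Apache htpasswd command options

  -c Create a new password file

  -n Do not update the password file; only print the user name and the password as encrypted by htpasswd to the screen

  -m Encrypt the password with the MD5 algorithm (the htpasswd default)

  -d Encrypt the password with the CRYPT algorithm

  -p Do not encrypt the password, i.e. store it in plaintext

  -s Encrypt the password with the SHA algorithm

  -b Take the user name and password from the htpasswd command line instead of prompting for the password
  -D Delete the specified user


Apache htpasswd usage examples

1. Add a user with the htpasswd command

  htpasswd -bc passwd_filename username 123456

2. Add another user to an existing password file

  htpasswd -b passwd_filename username 123456

3. Display the encrypted user name and password without updating the password file

  htpasswd -nb username 123456

4. Delete a user name and password with the htpasswd command

  htpasswd -D passwd_filename username

5. Change a password with the htpasswd command

  htpasswd -D passwd_filename username

  htpasswd -b passwd_filename username 5678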
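
The -m, -d, -p and -s options above each leave a recognisably different hash field in the password file, and three of them are weak. The following Python audit is an added example, not part of the original post; the sample file is constructed, and the bcrypt prefix comes from htpasswd's -B option, which the option list above does not mention.

```python
import base64
import hashlib
import re

# Traditional DES crypt(3) output (htpasswd -d): 2-char salt + 11 chars.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")


def sha_entry(password):
    """Hash field that `htpasswd -s` writes: unsalted SHA-1, base64-encoded."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


def classify(hash_field):
    """Return (scheme, weak) for the hash field of one htpasswd line."""
    if hash_field.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt", False          # htpasswd -B
    if hash_field.startswith("$apr1$"):
        return "apr1-md5", False        # htpasswd -m: salted and iterated
    if hash_field.startswith("{SHA}"):
        return "sha1-unsalted", True    # htpasswd -s
    if DES_CRYPT.match(hash_field):
        return "des-crypt", True        # htpasswd -d: only 8 characters count
    return "plaintext", True            # htpasswd -p, or an unknown format


def audit(text, known_passwords=()):
    """List (user, scheme, note) for every entry stored with a weak scheme."""
    known = {sha_entry(p) for p in known_passwords}
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, hash_field = line.partition(":")
        if not sep:
            findings.append((line, "malformed", "no ':' separator"))
            continue
        scheme, weak = classify(hash_field)
        if not weak:
            continue
        note = "regenerate with htpasswd -m, or -B where supported"
        # Unsalted SHA-1: equal passwords give equal hash fields, so a
        # password copied from a tutorial is recognisable by comparison.
        if hash_field in known:
            note = "matches a documented example password; " + note
        findings.append((user, scheme, note))
    return findings


# Constructed sample file; the apr1 and bcrypt values are placeholders.
SAMPLE = "\n".join([
    "alice:$apr1$Zk3l9Qp1$PLACEHOLDERPLACEHOLDER/",
    "bob:rqXexS6ZhobKA",
    "carol:" + sha_entry("123456"),
    "dave:5678",
    "erin:$2y$05$PLACEHOLDERPLACEHOLDERPLACEHOLDER",
])

if __name__ == "__main__":
    for finding in audit(SAMPLE, known_passwords=["123456", "5678"]):
        print(finding)
```

A 13-character plaintext password made only of crypt's alphabet would be reported as des-crypt; either way the entry needs regenerating.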

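Thursday, May 22, 2014

HTTP Error 403.14 - Forbidden

Re-register ASP.NET 4.0

1. The returned error indicates that IIS lacks a mapping for extensionless MVC requests, so the ASP.NET handler cannot receive the request.

2. To solve this problem, first make sure ASP.NET MVC3 is installed, then check the site's handler mappings for the following entries: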
ExtensionlessUrlHandler-Integrated-4.0
ExtensionlessUrlHandler-ISAPI-4.0_32bit
ExtensionlessUrlHandler-ISAPI-4.0_64bit

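3. If the mappings exist, check whether the application is assigned to a .NET Framework 4.0 application pool.

4. If the mappings do not exist, you can register them by running the following command as administrator:
32-bit machine:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe -i
64-bit machine: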
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -i

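Monday, May 19, 2014

MySql.Data.MySqlClient.MySqlException: Too many connections

The web application reported an error when accessing the MySQL database:

MySql.Data.MySqlClient.MySqlException: Too many connections

1. First stop the IIS process.
2. Stop the mysql process: find the mysql service, right-click and go to the mysql process, then kill it.
3. Restart IIS.
4. Restart the mysql service.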

customErrors tag should then have its "mode" attribute set to "Off"

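While testing an API endpoint that was returning an error, accessing it from a PC showed an error containing some web.config information.


Error message on the page: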

Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine. 

Details: To enable the details of this specific error message to be viewable on remote machines, please create a <customErrors> tag within a "web.config" configuration file located in the root directory of the current web application. This <customErrors> tag should then have its "mode" attribute set to "Off".


详细信息: 若要使他人能够从本地服务器计算机上查看此特定错误信息的详细信息,请在位于当前 Web 应用程序根目录下的“web.config”配置文件中创建一个 customErrors 标记。然后应将此 customErrors 标记的“mode”属性设置为“RemoteOnly”。若要使他人能够在远程计算机上查看详细信息,请将“mode”设置为“Off”。
注释: 通过修改应用程序的 customErrors 配置标记的“defaultRedirect”属性,使之指向自定义错误页的 URL,可以用自定义错误页替换所看到的当前错误页


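What this actually means is that when the API is tested from a PC, for security reasons the details of an internal server error are not displayed; you can, however, test the API with a browser on the server itself to see the error details.
If you really must see the error details when testing the API from a PC, you can also modify the web.config file and add the customErrors tag.

Of course, doing so is very insecure.

So although the error page displayed some web.config information, the problem is not actually with web.config.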




Sunday, May 18, 2014

Installing OpenERP 7.0 on Ubuntu

http://www.theopensourcerer.com/2012/12/how-to-install-openerp-7-0-on-ubuntu-12-04-lts/

Introduction

Welcome to the latest of our very popular OpenERP installation “How Tos”.
The new release of OpenERP 7.0 is a major upgrade and a new Long Term Support release; the 7.0 Release Notes extend to over 90 pages! The most noticeable change is a complete re-write of the User Interface that features a much more modern look and feel.
OpenERP 7.0 is not only better looking and easier to use, it also brings many improvements to the existing feature-set and adds a number of brand new features which extend the scope of the business needs covered by OpenERP. Integration of social network capabilities, integration with Google Docs and LinkedIn, new Contract Management, new Event Management, new Point of Sale, new Address Book, new Fleet Management,… are only some of the many enhancements in OpenERP 7.0.

The How To

Following that introduction, I bet you can’t wait to get your hands dirty…
Just one thing before we start: You can simply download a “.deb” package of OpenERP and install that on Ubuntu. Unfortunately that approach doesn’t provide us (Libertus Solutions) with enough fine-grained control over where things get installed, and it restricts our flexibility to modify & customise, hence I prefer to do it a slightly more manual way (this install process below should only take about 10-15 minutes once the host machine has been built).
So without further ado here we go:

Step 1. Build your server

I install just the bare minimum from the install routine (you may want to install the openssh-server during the install procedure or install subsequently depending on your needs).
After the server has restarted for the first time I install the openssh-server package (so we can connect to it remotely) and denyhosts to add a degree of brute-force attack protection. There are other protection applications available: I’m not saying this one is the best, but it’s one that works and is easy to configure and manage. If you don’t already, it’s also worth looking at setting up key-based ssh access, rather than relying on passwords. This can also help to limit the potential of brute-force attacks. [NB: This isn't a How To on securing your server...]
sudo apt-get install openssh-server denyhosts
Now make sure your server has all the latest versions & patches by doing an update:
sudo apt-get update
sudo apt-get dist-upgrade
Although not always essential it’s probably a good idea to reboot your server now and make sure it all comes back up and you can login via ssh.
Now we’re ready to start the OpenERP install.

Step 2. Create the OpenERP user that will own and run the application

sudo adduser --system --home=/opt/openerp --group openerp
This is a “system” user. It is there to own and run the application; it isn’t supposed to be a person type user with a login etc. In Ubuntu, a system user gets a UID below 1000, has no shell (it’s actually /bin/false) and has logins disabled. Note that I’ve specified a “home” of /opt/openerp; this is where the OpenERP server code will reside and is created automatically by the command above. The location of the server code is your choice of course, but be aware that some of the instructions and configuration files below may need to be altered if you decide to install to a different location.
[Note: If you want to run multiple versions of OpenERP on the same server, the way I do it is to create multiple users with the correct version number as part of the name, e.g. openerp70, openerp61 etc. If you also use this when creating the Postgres users too, you can have full separation of systems on the same server. I also use similarly named home directories, e.g. /opt/openerp70, /opt/openerp61 and config and start-up/shutdown files. You will also need to configure different ports for each instance or else only the first will start.]
A question I have been asked a few times is how to run the OpenERP server as the openerp system user from the command line if it has no shell. This can be done quite easily:
sudo su - openerp -s /bin/bash
This will su your current terminal login to the openerp user (the “-” between su and openerp is correct) and use the shell /bin/bash. When this command is run you will be in openerp’s home directory: /opt/openerp.
When you have done what you need you can leave the openerp user’s shell by typing exit.

Step 3. Install and configure the database server, PostgreSQL

sudo apt-get install postgresql
Then configure the OpenERP user on postgres:
First change to the postgres user so we have the necessary privileges to configure the database.
sudo su - postgres
Now create a new database user. This is so OpenERP has access rights to connect to PostgreSQL and to create and drop databases. Remember what your choice of password is here; you will need it later on:
createuser --createdb --username postgres --no-createrole --no-superuser --pwprompt openerp
Enter password for new role: ********
Enter it again: ********
Finally exit from the postgres user account:
exit

Step 4. Install the necessary Python libraries for the server

sudo apt-get install python-dateutil python-docutils python-feedparser python-gdata \
python-jinja2 python-ldap python-libxslt1 python-lxml python-mako python-mock python-openid \
python-psycopg2 python-psutil python-pybabel python-pychart python-pydot python-pyparsing \
python-reportlab python-simplejson python-tz python-unittest2 python-vatnumber python-vobject \
python-webdav python-werkzeug python-xlwt python-yaml python-zsi
With that done, all the dependencies for installing OpenERP 7.0 are now satisfied (note that there are some new packages required since 6.1).

Step 5. Install the OpenERP server

I tend to use wget for this sort of thing and I download the files to my home directory.
Make sure you get the latest version of the application: at the time of writing this it’s 7.0. I got the download links from their download pages (note there are also deb, rpm and exe builds in this area too). There isn’t a static 7.0 release tarball as such anymore, but there is a nightly build of the 7.0 source tree which should be just as good and will contain patches as and when things get fixed. The link below is to the source tarball for the 7.0 branch.
Note: As an alternative method of getting the code onto your server, Jerome added a very useful comment showing how to get it straight from launchpad. Thanks!
wget http://nightly.openerp.com/7.0/nightly/src/openerp-7.0-latest.tar.gz
Now install the code where we need it: cd to the /opt/openerp/ directory and extract the tarball there.
cd /opt/openerp
sudo tar xvf ~/openerp-7.0-latest.tar.gz
Next we need to change the ownership of all the files to the OpenERP user and group we created earlier.
sudo chown -R openerp: *
And finally, the way I have done this is to copy the server directory to something with a simpler name so that the configuration files and boot scripts don’t need constant editing (I called it, rather unimaginatively, server). I started out using a symlink solution, but I found that when it comes to upgrading, it seems to make more sense to me to just keep a copy of the files in place and then overwrite them with the new code. This way you keep any custom or user-installed modules and reports etc. all in the right place.
sudo cp -a openerp-7.0 server
As an example, should OpenERP 7.0.1 come out soon, I can extract the tarballs into /opt/openerp/ as above. I can do any testing I need, then repeat the copy command so that the modified files will overwrite as needed and any custom modules, report templates and such will be retained. Once satisfied the upgrade is stable, the older 7.0 directories can be removed if wanted.
That’s the OpenERP server software installed. The last step to a working system is to set up the configuration file and associated boot script so OpenERP starts and stops automatically when the server itself stops and starts.

Step 6. Configuring the OpenERP application

The default configuration file for the server (in /opt/openerp/server/install/) is actually very minimal and will, with only one small change, work fine, so we’ll simply copy that file to where we need it and change its ownership and permissions:
sudo cp /opt/openerp/server/install/openerp-server.conf /etc/
sudo chown openerp: /etc/openerp-server.conf
sudo chmod 640 /etc/openerp-server.conf
The above commands make the file owned and writeable only by the openerp user and group and only readable by openerp and root.
To allow the OpenERP server to run initially, you should only need to change one line in this file. Toward the top of the file, change the line db_password = False to the same password you used back in step 3. Use your favourite text editor here. I tend to use nano, e.g.
sudo nano /etc/openerp-server.conf
One other line we might as well add to the configuration file now, is to tell OpenERP where to write its log file. To complement my suggested location below add the following line to the openerp-server.conf file:
logfile = /var/log/openerp/openerp-server.log
Once the configuration file is edited and saved, you can start the server just to check if it actually runs.
sudo su - openerp -s /bin/bash
/opt/openerp/server/openerp-server
If you end up with a few lines eventually saying OpenERP is running and waiting for connections then you are all set.
On my system I noticed the following warning:
2012-12-19 11:53:51,613 6586 WARNING ? openerp.addons.google_docs.google_docs: Please install latest gdata-python-client from http://code.google.com/p/gdata-python-client/downloads/list
The Ubuntu 12.04 packaged version of the python gdata client library is not quite recent enough, so to install a more up-to-date version I did the following (exit from the openerp user’s shell if you are still in it first):
sudo apt-get install python-pip
sudo pip install gdata --upgrade
Going back and repeating the commands to start the server resulted in no further warnings
sudo su - openerp -s /bin/bash
/opt/openerp/server/openerp-server
If there are errors, you’ll need to go back and find out where the problem is.
Otherwise simply enter CTRL+C to stop the server and then exit to leave the openerp user account and go back to your own shell.

Step 7. Installing the boot script

For the final step we need to install a script which will be used to start-up and shut down the server automatically and also run the application as the correct user. There is a script you can use in /opt/openerp/server/install/openerp-server.init but this will need a few small modifications to work with the system installed the way I have described above. Here’s a link to the one I’ve already modified for 7.0.
Similar to the configuration file, you need to either copy it or paste the contents of this script to a file in /etc/init.d/ and call it openerp-server. Once it is in the right place you will need to make it executable and owned by root:
sudo chmod 755 /etc/init.d/openerp-server
sudo chown root: /etc/init.d/openerp-server
In the configuration file there’s an entry for the server’s log file. We need to create that directory first so that the server has somewhere to log to and also we must make it writeable by the openerp user:
sudo mkdir /var/log/openerp
sudo chown openerp:root /var/log/openerp

Step 8. Testing the server

To start the OpenERP server type:
sudo /etc/init.d/openerp-server start
You should now be able to view the logfile and see that the server has started.
less /var/log/openerp/openerp-server.log
If there are any problems starting the server you need to go back and check. There’s really no point ploughing on if the server doesn’t start…
OpenERP 7 Database Management Screen
If the log file looks OK, now point your web browser at the domain or IP address of your OpenERP server (or localhost if you are on the same machine) and use port 8069. The url will look something like this:
http://IP_or_domain.com:8069
What you should see is a screen like this one (it is the Database Management Screen because you have no OpenERP databases yet):
What I do recommend you do at this point is to change the super admin password to something nice and strong (Click the “Password” menu). By default this password is just “admin” and knowing that, a user can create, backup, restore and drop databases! This password is stored in plain text in the /etc/openerp-server.conf file; hence why we restricted access to just openerp and root. When you change and save the new password the /etc/openerp-server.conf file will be re-written and will have a lot more options in it.
Now it’s time to make sure the server stops properly too:
sudo /etc/init.d/openerp-server stop
Check the logfile again to make sure it has stopped and/or look at your server’s process list.
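
Steps 6 and 8 leave three things worth re-checking on a running install: the 640 mode on /etc/openerp-server.conf, the db_password line, and the super admin password that defaults to "admin". The following Python check is an added example, not part of the original guide; it assumes the file has an [options] section and stores the super admin password under the key admin_passwd, and both sample files are constructed.

```python
import configparser
import os
import stat
import tempfile


def audit_openerp_conf(path):
    """Return a list of findings for an openerp-server.conf file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # The guide sets 640: no group write, nothing at all for "other".
    if mode & 0o027:
        findings.append("permissions %03o are looser than 640" % mode)

    parser = configparser.ConfigParser(interpolation=None)
    parser.read(path)
    opts = parser["options"] if parser.has_section("options") else {}

    # Assumption: the key is admin_passwd, and the password is "admin"
    # when the key is absent or commented out.
    if opts.get("admin_passwd", "admin") == "admin":
        findings.append("super admin password is still the default")
    if opts.get("db_password", "False") in ("False", ""):
        findings.append("db_password is not set")
    if opts.get("logfile", "False") in ("False", "None", ""):
        findings.append("no logfile configured")
    return findings


def write_sample(text, mode):
    """Write constructed sample content to a temp file with the given mode."""
    fd, path = tempfile.mkstemp(suffix=".conf")
    with os.fdopen(fd, "w") as handle:
        handle.write(text)
    os.chmod(path, mode)
    return path


# Constructed samples modelled on the steps above; values are placeholders.
FRESH_INSTALL = """[options]
; admin_passwd = admin
db_user = openerp
db_password = False
"""

HARDENED = """[options]
admin_passwd = EXAMPLE-long-random-value
db_user = openerp
db_password = EXAMPLE-db-password
logfile = /var/log/openerp/openerp-server.log
"""

if __name__ == "__main__":
    for name, text, mode in (("fresh", FRESH_INSTALL, 0o644),
                             ("hardened", HARDENED, 0o640)):
        print(name, audit_openerp_conf(write_sample(text, mode)))
```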

Step 9. Automating OpenERP startup and shutdown

If everything above seems to be working OK, the final step is make the script start and stop automatically with the Ubuntu Server. To do this type:
sudo update-rc.d openerp-server defaults
You can now try rebooting your server if you like. OpenERP should be running by the time you log back in.
If you type ps aux | grep openerp you should see a line similar to this:
openerp 1491 0.1 10.6 207132 53596 ? Sl 22:23 0:02 python /opt/openerp/server/openerp-server -c /etc/openerp-server.conf
Which shows that the server is running. And of course you can check the logfile or visit the server from your web browser too.
OpenERP 70 Main Setup Screen
That’s it! Next I would suggest you create a new database filling in the fields as desired. Once the database is initialised, you will be directed straight to the new main configuration screen which gives you a feel for the new User Interface in OpenERP 7 and shows you how easy it is to set up a basic system.

Saturday, May 17, 2014

Cannot connect to SQL Server (Named Pipes Provider, error: 40 - Could not open a connection to SQL Server)

The .NET web application failed at runtime with:

A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server)

1. The cause turned out to be that the database was not running. I then tried to start the database, but it failed to start and reported an error.

2. In Windows Logs -> Application log, find the SQL Server error entry; the error entry has EventID 17058. Then resolve the EventID 17058 problem.


Error: the SQL Server default instance (MSSQLSERVER) cannot start, error code: 17058


Log error message:
initerrlog: Could not open error log file 'C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG'. Operating system error = 5(Access is denied.).

The event ID in the application log is 17058. Also the following error message appears in the system log 

The SQL Server (MSSQLSERVER) service terminated with service-specific error 17058 (0x42A2).

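Root cause: after AD was installed, the system switched to domain-user logon. The "local user" information set when SQL Server was originally installed has changed, and the current (domain) user has no permission to access the MSSQLSERVER instance folder or the SQL folder as a whole.

Solution:
1. Open "Services", find the SQL Server (MSSQLSERVER) service (or the service corresponding to your instance), open its properties, and on the "Log On" tab select "Local System account".


2. To be safe, also do this step: open SQL Server Configuration Manager and, under SQL Server Services, find the corresponding instance (the name is the same as in "Services"). On the "Log On" tab select "Built-in account" and choose "Local System" (others such as NETWORK SERVICE also work, but make sure they have the required permissions).

3. Start the SQL Server (MSSQLSERVER) service.

4. If it still fails (for example with error 126), go to the SQL Server installation directory and grant NETWORK SERVICE and the currently logged-on user permissions on the entire installation directory, in particular write permission on the instance directory and the directories holding the database files. Then start the service again.

Result: the SQL Server (MSSQLSERVER) service started successfully.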

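Sunday, May 11, 2014

Configuring SSH key-based login

1. On your Mac, use ssh-keygen to generate a key pair; a key pair consists of a public key and a private key.
ssh-keygen usage:
ssh-keygen -t type -f output_keyfile

We can give the key a name, since different keys may be used to log in to different servers. If no name is given with -f, the default name is id.

e.g. ssh-keygen -t rsa -f mylinux
If creation succeeds, two files, mylinux and mylinux.pub, are generated in the current directory.


2. On your Mac, use the ssh-copy-id command to add the public key to authorized_keys on the remote host. (By default the Mac does not have the ssh-copy-id command.)

Example command:
ssh-copy-id -i mylinux.pub ywang@10.211.55.4

authorized_keys is located in the .ssh folder in the home directory of the user on the remote server you want to log in to; if there is no .ssh folder, the folder and file are created automatically.



3. Finally, on your Mac, you can log in directly with ssh -i mylinux ywang@10.211.55.4; if the key has a passphrase, you will be prompted for it.


4. Lastly, I do not want to specify the key every time I log in and would like to log in with just ssh ywang@10.211.55.4. For that, the .ssh/config file on the Mac needs to be configured.

Add configuration such as: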
Host 10.211.55.4
User ywang
Port 22
CheckHostIP yes

IdentityFile ~/.ssh/mylinux

This way ssh automatically looks up the configuration file and uses a different key file depending on the Host and User.

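Wednesday, May 7, 2014

scp over SSH

scp is short for secure copy, a command for copying files remotely on Linux. A similar command is cp, but cp only copies on the local machine and cannot cross servers; in addition, scp transfers are encrypted.

Usage

Send a file to a remote server
scp -P 2222 /home/filename root@192.168.1.2:/root/filename

Fetch a file from a remote server
scp -P 2222 root@192.168.1.2:/root/filename /home/filename

  1. The uppercase -P is the port option; 2222 is the port in use after the SSH port was changed. If the SSH port has not been changed, this option can be omitted.
  2. /home/filename is the path and name of the local file to upload.
  3. root@192.168.1.2 means logging in to the remote server 192.168.1.2 as the root user.
  4. :/root/filename is the directory and file name to save to on the remote server.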

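Monday, May 5, 2014

useradd and adduser

To create a new user in Ubuntu, two commands are commonly used: useradd and adduser. Although they serve the same purpose, their usage differs:

1. When useradd is used without any options, for example: # sudo useradd test, the user created is a default "three-nothing" user: no home directory, no password, and no system shell.

2. With adduser, creating a user is more like a dialogue: the system prompts you for various pieces of information and then creates the new user from them.

useradd is an ELF executable

useradd adds the user name and creates a group with the same name, but it does not create a directory named after the user under /home, nor does it prompt for a new password.

-b, --base-dir BASE_DIR  specify the base directory for the home directory

-d, --home-dir HOME_DIR  specify the home directory

-g, --gid GROUP  specify the gid

-l, --no-log-init  do not add the user to the lastlog and faillog databases (this user's logins need not be recorded)

-M, --no-create-home  do not create the home directory

-p, --password PASSWORD  specify the new user's password

-r, --system  create a system account

-s, --shell SHELL  specify the shell

adduser -m -d /usr/system -s /bin/bash -p passwd system

adduser is a Perl script that can set some user parameters interactively

Problem:

adduser's -p option does not shadow the password

/usr/sbin/usermod takes options very similar to those of useradd

usermod --password PASSWORD username

In summary, on Ubuntu adduser suits beginners better, since there is no need to remember tedious options; you just follow the system prompts step by step. The drawback is that the whole creation process is relatively complex and lengthy. useradd suits more experienced users, who can often solve many problems with one command line plus options, so creating users is very convenient.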

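OpenSSH configuration files

At work, a computer often stores several different keys and is used to log in to Linux systems as different users. For example:

ssh name@123.123.1.1
ssh user@123.122.1.145

Solution: create a config file in ~/.ssh/ (permissions 600)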

# More specific Host blocks go first: for each parameter ssh uses the first value it obtains.
Host 114.80.119.*
User name
Port 22
IdentityFile ~/.ssh/mylinux

Host *
User www
Port 22
CheckHostIP no
Compression yes
ForwardAgent yes


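The OpenSSH client configuration files rarely need to be modified. For a given user there are two configuration files: ~/.ssh/config (user-specific) and /etc/ssh/ssh_config (system-wide). The files are read in that order, and for any given parameter the first value found during reading is the one used. A user can override a global setting by setting the same parameter in their own configuration file. Parameters given on the ssh or scp command line take precedence over those set in either file.

A user's ~/.ssh/config file must be owned by that user (the owner of the "~/" directory) and must not be writable by anyone other than the owner; otherwise the client prints an error message and exits. The file's mode is usually set to 600, since nobody but its owner has any reason to read it.

The configuration lines in these files contain declarations. Each declaration starts with a keyword (case-insensitive), followed by whitespace and then the arguments (case-sensitive).


The Host keyword can be used to make declarations apply only to specific systems. A Host declaration applies to all configuration lines between it and the next Host declaration. The wildcards * and ? can be used in host names.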
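
The first-value-wins rule and Host scoping described above decide which block supplies each option, so a `Host *` block belongs after the more specific blocks. The following Python resolver is an added example, not part of the original post; it is a simplified model of the rule (real ssh accumulates some keywords such as IdentityFile instead of taking only the first), and the two sample configurations are constructed from values used in the post.

```python
import re


def _glob(pattern):
    """Compile a Host pattern: '*' matches any run, '?' one character."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern)
    return re.compile("^" + body + "$")


def host_matches(patterns, host):
    """True if any pattern matches and no negated ('!') pattern matches."""
    hit = False
    for pat in patterns:
        negated = pat.startswith("!")
        if _glob(pat[1:] if negated else pat).match(host):
            if negated:
                return False
            hit = True
    return hit


def resolve(config_text, host):
    """Effective options for host: keyword -> (value, block that set it)."""
    effective = {}
    block, active = "(top of file)", True   # lines before any Host apply to all
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1]   # keywords are case-insensitive
        if key == "host":
            block, active = "Host " + value, host_matches(value.split(), host)
        elif active and key not in effective:     # first value obtained wins
            effective[key] = (value, block)
    return effective


def report(config_text, host):
    """Effective keyword -> value mapping, without the source block."""
    return {k: v for k, (v, _) in resolve(config_text, host).items()}


# Constructed samples: same declarations, only the block order differs.
WILDCARD_FIRST = """\
Host *
User www
Port 22
ForwardAgent yes

Host 114.80.119.*
User name
IdentityFile ~/.ssh/mylinux
"""

SPECIFIC_FIRST = """\
Host 114.80.119.*
User name
IdentityFile ~/.ssh/mylinux

Host *
User www
Port 22
ForwardAgent yes
"""

if __name__ == "__main__":
    for label, cfg in (("wildcard first", WILDCARD_FIRST),
                       ("specific first", SPECIFIC_FIRST)):
        print(label, resolve(cfg, "114.80.119.7"))
```

The second element of each result names the block that set the option, which makes it easy to see that ForwardAgent yes under `Host *` applies to every host; `ssh -G hostname` prints the effective configuration as OpenSSH itself computes it.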

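Host hostnames

Restricts the declarations that follow (up to the next Host declaration) to hostnames only. hostnames should be in the same form as used on the command line and may contain the wildcards * and ?. A single * specifies all hosts.

User name

Specifies the user name to use when logging in to the system; use a Host declaration to specify the system. With this option, you do not have to type the user name on the command line when the user name on the remote system differs from the one you use on the local system.

CheckHostIP yes|no

If set to yes (the default), the IP address can be used in addition to the host name to identify a system in the known_hosts file. If set to no, only the host name is used.

StrictHostKeyChecking yes | no | ask

Determines whether and how OpenSSH adds host keys to the user's known_hosts file. If set to ask (the default), it asks whether to add the host key when connecting to a new system; if set to no, it adds the host key automatically; if set to yes, host keys must be added manually. With yes or ask, OpenSSH refuses to connect to a system whose host key has changed. For systems with higher security requirements, set this parameter to yes or ask.

HostbasedAuthentication yes | no

If set to yes, rhosts authentication is attempted. For systems with higher security requirements, set it to no (the default).

HostKeyAlgorithms algorithms

algorithms is a comma-separated list of algorithms that the client uses in order of preference. Choose algorithms from ssh-rsa or ssh-dss (the default is "ssh-rsa, ssh-dss").

ForwardX11 yes|no

If set to yes, X11 connections are automatically forwarded over a secure channel in untrusted mode and the shell variable DISPLAY is set. You can also use the "-X" option on the command line to redirect X11 connections in untrusted mode. The default for this parameter is no. For X11 forwarding to work, X11Forwarding must also be set to yes in the /etc/sshd_config file on the server. For more information see the "X11 forwarding" part of section 1.6.

ForwardX11Trusted yes | no

If set to yes, X11 connections are automatically forwarded over a secure channel in trusted mode and the shell variable DISPLAY is set. You can also use the "-Y" option on the command line to redirect X11 connections in trusted mode. The default for this parameter is no, but Red Hat Linux sets it to yes. For X11 forwarding to work, X11Forwarding must also be set to yes in the /etc/sshd_config file on the server. For more information see the "X11 forwarding" part of section 1.6.

TCPKeepAlive yes | no

If set to yes (the default), the connection is checked periodically to see whether it is still alive. If the server crashes or the connection dies for some other reason, this check causes the ssh or scp connection to be dropped, even if the problem is only temporary. Setting this parameter to no makes the client not check whether the connection is alive.

This declaration uses the TCP keepalive option, which is not encrypted and is susceptible to IP spoofing. For an alternative that protects against IP spoofing, use the server-based technique; see the "ClientAliveInterval" part of section 1.4.6.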