Logging in to OpenSSH with a public key
24 October 2013, 16:47
- Generating a key pair
  - Generating a key pair with ssh-keygen
  - Generating a key pair with puttygen
    - Click the "Generate" button
    - Move the mouse around at random
    - Set the key comment
    - Set a passphrase to protect the private key
    - Save the public key and the private key
  - Generating a key pair with SSH Secure Shell
    - Choose "Edit" -> "Settings…" to open the Settings dialog
    - Select "Global Settings" -> "User Keys" in the left-hand pane
    - Click the "Generate New Keypair" button
    - Follow the wizard to generate the key pair
- Uploading the public key to the server
- Changing the OpenSSH server configuration file
  - Port 12345: it is best to change the port the ssh service listens on; this greatly reduces the junk entries in /var/log/secure
  - PubkeyAuthentication yes: public key authentication
  - PasswordAuthentication no: disable password authentication
- Restarting the OpenSSH service
- Logging in to the server with the private key
  - Logging in under GNU/Linux
  - Logging in with putty
    - Fill in the server IP and the SSH listening port in the Session panel
    - Fill in the private key path in the "Connection -> SSH -> Auth" panel
As far as I know there are three tools for generating a key pair: the ssh-keygen command under GNU/Linux, puttygen, and SSH Secure Shell.

Generating a key pair with ssh-keygen:

```
[root@ld365 ~]# ssh-keygen -C "Proxy for developers"
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
71:b2:a7:45:84:db:b1:99:9c:b7:b3:65:c1:f7:8f:41 Proxy for developers
The key's randomart image is:
+--[ RSA 2048]----+
|       ..        |
|      ...        |
|     o+o* .      |
|    .*B . E .    |
|        S o. o o.|
|       + o + .   |
|        . = o.   |
|         . . .   |
|                 |
+-----------------+
```
The generated public key is: /root/.ssh/id_rsa.pub
The generated private key is: /root/.ssh/id_rsa

With puttygen, the generated public key is saved as: d:\id_rsa_putty.pub
The generated private key is saved as: d:\id_rsa_putty.ppk
One thing to watch here is the format of the public key. There are two public key formats that I know of: the OpenSSH format and the format defined by RFC 4716. puttygen and SSH Secure Shell produce public keys in the RFC 4716 format, while ssh-keygen produces the OpenSSH format. So if the key pair was generated with puttygen or SSH Secure Shell, the public key has to be converted to the OpenSSH format after it is uploaded to the server. The conversion can be done on the server with the following command:

```
[root@ld365 .ssh]# ssh-keygen -i -f id_rsa_putty.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQBT2Qdda5Nu7iUL+DQYIcw2waoSYl22j3k4D9/ulJaOk09yAtqylEL85gtsjBiQZGWGJhA2Kz7HwsDhRPJQk/J3MsNGWlzI8Ruf/c2jAQKZiLMjjyKg1ceAMQNVjRR0zBmvJz06Mce2qBbjPoGt3tj1rCo3FP9SnE/ts64ySJJdRFnLfPKnwcE5cPCr1qUYyAMPHucniHUlOHll1lguw1eHRF63nWy8WycKyYAkM5c2yNEd1XMrm0GLPedcIRHi+cyLmIV1c6jwd21XS2F6QJk8yOGbjCBWEU1X1UMsB4FRg8nyQm5Rog+EPAsnOMz4UO7ZIzv+LKsyrGCBFc1fOFsZ
```
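Note that `ssh-keygen -i` prints the converted key to standard output, so in practice you redirect it into a file. To make the two formats concrete, here is an added Python example (my own, not from the original post, OpenSSH or PuTTY) that parses an RFC 4716 key file, reads the key type out of the binary blob, and emits the one-line OpenSSH form that `ssh-keygen -i` prints, plus the reverse direction, which is what `ssh-keygen -e` prints. The key blob, the comment and the header continuation handling use constructed dummy data, not real key material.

```python
import base64
import struct

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"


def _ssh_string(b):
    """Encode bytes as an SSH 'string': 4-byte big-endian length + data."""
    return struct.pack(">I", len(b)) + b


# Constructed sample blob with the layout of an ssh-rsa key (type, e, n) but
# dummy numbers; it is NOT real key material.
SAMPLE_BLOB = (
    _ssh_string(b"ssh-rsa")
    + _ssh_string(b"\x01\x00\x01")                  # e = 65537 as an mpint
    + _ssh_string(b"\x00" + bytes(range(1, 64)))    # n: leading 0x00 keeps the mpint positive
)
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode("ascii")
SAMPLE_OPENSSH = f"ssh-rsa {SAMPLE_B64} rsa-key-20131024"   # constructed comment


def key_type_of(blob):
    """Every OpenSSH public key blob starts with its type name as an SSH string."""
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii")


def parse_rfc4716(text):
    """Parse an RFC 4716 public key file: BEGIN/END marker lines, optional
    'Name: value' headers (a trailing backslash continues a header on the
    next line), then the base64 blob split over short lines.
    Returns (blob, headers)."""
    lines = [l.rstrip("\r\n") for l in text.strip().splitlines()]
    if lines[0].strip() != BEGIN or lines[-1].strip() != END:
        raise ValueError("missing RFC 4716 BEGIN/END markers")
    headers, body = {}, []
    i = 1
    while i < len(lines) - 1:
        line = lines[i]
        if ":" in line and not body:      # ':' never appears in base64, so this is a header
            name, _, value = line.partition(":")
            while value.rstrip().endswith("\\"):
                i += 1
                value = value.rstrip()[:-1] + lines[i]
            headers[name.strip()] = value.strip().strip('"')
        else:
            body.append(line)
        i += 1
    return base64.b64decode("".join(body)), headers


def to_openssh(rfc4716_text):
    """RFC 4716 text -> one-line OpenSSH form 'type base64 comment'."""
    blob, headers = parse_rfc4716(rfc4716_text)
    line = f"{key_type_of(blob)} {base64.b64encode(blob).decode('ascii')}"
    return f"{line} {headers.get('Comment', '')}".rstrip()


def to_rfc4716(openssh_line):
    """One-line OpenSSH form -> RFC 4716 text (70-character body lines)."""
    parts = openssh_line.split(None, 2)
    b64 = base64.b64encode(base64.b64decode(parts[1])).decode("ascii")
    out = [BEGIN]
    if len(parts) == 3:
        out.append(f'Comment: "{parts[2]}"')
    out.extend(b64[i:i + 70] for i in range(0, len(b64), 70))
    out.append(END)
    return "\n".join(out) + "\n"


SAMPLE_RFC4716 = to_rfc4716(SAMPLE_OPENSSH)

if __name__ == "__main__":
    print(SAMPLE_RFC4716)
    print(to_openssh(SAMPLE_RFC4716))
```

The key type is taken from inside the blob rather than from any header, which is also how ssh-keygen decides what to print in the first column; a Comment header becomes the trailing comment field.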
As for the private key, the three tools each produce a different private key format, but puttygen can convert between them: import the key first, then export it in the format you need.
/etc/ssh/sshd_config

```
# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

Port 12345
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
#PasswordAuthentication yes
PasswordAuthentication no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server
```
The main lines that need changing are the ones highlighted in red in the original post (Port 12345, PubkeyAuthentication yes and PasswordAuthentication no).

Also note the following setting:

```
#AuthorizedKeysFile .ssh/authorized_keys
```

It means the public key uploaded to the server is read from the file .ssh/authorized_keys in the user's home directory (the line shows the default value, so the path applies even though it is commented out).
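Before restarting sshd it is worth confirming what the daemon will actually enforce, because sshd keeps the first uncommented value of a keyword and ignores later ones: appending `PasswordAuthentication no` to the end of a file that still has an uncommented `PasswordAuthentication yes` above it changes nothing, which is why the config above comments the old line out instead. The following added Python example (mine, not from the original post or OpenSSH) resolves the global settings the way sshd does and reports anything that would still allow a password login. The config excerpts embedded in it are constructed from the settings above, and DEFAULTS lists the sshd defaults for the keywords checked.

```python
import re

# Constructed excerpt mirroring the post's changes (Port, PubkeyAuthentication,
# PasswordAuthentication), plus a Match block to show that per-user overrides
# do not alter the global value.
SAMPLE_SSHD_CONFIG = """\
# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
Port 12345
#AddressFamily any
Protocol 2
#MaxAuthTries 6
PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
#PasswordAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
Subsystem sftp /usr/libexec/openssh/sftp-server
Match User anoncvs
    PasswordAuthentication yes
"""

# Constructed counter-example: "no" was appended at the end, but the earlier
# uncommented "yes" wins because sshd keeps the FIRST value it sees.
BAD_SSHD_CONFIG = """\
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
"""

# sshd defaults for the keywords audited here (OpenSSH 5.x era, as in the post).
DEFAULTS = {
    "port": "22",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "permitemptypasswords": "no",
}


def effective_settings(text):
    """Resolve global values the way sshd does: keywords are case-insensitive,
    '#' lines are comments, 'Keyword value' and 'Keyword=value' are both
    accepted, the first occurrence of a keyword wins, and everything after
    the first 'Match' line is conditional, so it is ignored for the global view."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in seen:
            seen[key] = parts[1].strip()
    eff = dict(DEFAULTS)
    eff.update({k: v for k, v in seen.items() if k in DEFAULTS})
    return eff


def audit(text):
    """Return findings; an empty list means the file matches the post's goal."""
    eff = effective_settings(text)
    findings = []
    if eff["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is not 'no': password logins are still possible")
    if eff["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is not 'yes': key logins will fail")
    if eff["challengeresponseauthentication"] != "no":
        findings.append("ChallengeResponseAuthentication is not 'no': PAM can still prompt for a password")
    if eff["permitemptypasswords"] != "no":
        findings.append("PermitEmptyPasswords is not 'no'")
    if eff["port"] == "22":
        findings.append("Port is still 22: expect more noise in /var/log/secure")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_SSHD_CONFIG), ("bad", BAD_SSHD_CONFIG)):
        print(name, effective_settings(cfg), audit(cfg) or "OK")
```

Run it against a real file with `audit(open("/etc/ssh/sshd_config").read())`; the ChallengeResponseAuthentication check is there because, as the comment block in the config above says, PAM can still authenticate through keyboard-interactive prompts when that option stays at its default of yes.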
Append the uploaded public key (in OpenSSH format) to that file:

```
cat id_rsa.pub >> authorized_keys
```

Restart the OpenSSH service:

```
service sshd restart
```
Under GNU/Linux the permissions of the private key file need to be changed:

```
[root@ld365 ~]# chmod 600 .ssh/id_rsa_openssh
```
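Two things the steps above leave implicit: `cat id_rsa.pub >> authorized_keys` appends blindly (running it twice leaves a duplicate line) and sets no permissions, and with StrictModes at its default of yes (as in the sshd_config above) sshd ignores authorized_keys when that file or ~/.ssh is writable by group or others, just as the ssh client refuses a private key that other users can read, which is what the chmod 600 fixes. The following added Python example (mine, not from the original post or OpenSSH) installs a public key idempotently, sets the permissions sshd expects, and reports what StrictModes or the client would object to. The key line, the placeholder private key and the directory names are constructed; everything runs in a throwaway temporary home directory.

```python
import os
import stat
import tempfile

# Constructed sample public key line; the base64 is NOT real key material.
SAMPLE_PUBKEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDconstructedsamplekeymaterial= Proxy for developers"


def install_authorized_key(home, pubkey_line):
    """Append pubkey_line to <home>/.ssh/authorized_keys unless a line with the
    same key blob is already there (an idempotent `cat id_rsa.pub >>
    authorized_keys`), then set the permissions StrictModes expects:
    .ssh 0700, authorized_keys 0600.  Returns True if the key was added."""
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    path = os.path.join(ssh_dir, "authorized_keys")
    new_blob = pubkey_line.split()[1]          # field 1 is the base64 key blob
    existing = []
    if os.path.exists(path):
        with open(path) as f:
            existing = [l.strip() for l in f if l.strip() and not l.startswith("#")]
    # A line may carry options before the key type, so look for the blob in any field.
    already = any(new_blob in line.split() for line in existing)
    if not already:
        with open(path, "a") as f:
            f.write(pubkey_line.rstrip("\n") + "\n")
    os.chmod(path, 0o600)
    return not already


def _mode(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def check_key_permissions(home):
    """Return the problems sshd's StrictModes (server side) or the ssh client
    (private key side) would complain about; an empty list means all clear."""
    ssh_dir = os.path.join(home, ".ssh")
    problems = []
    if _mode(home) & 0o022:
        problems.append("home directory is group/world writable")
    if _mode(ssh_dir) & 0o022:
        problems.append(".ssh is group/world writable")
    ak = os.path.join(ssh_dir, "authorized_keys")
    if os.path.exists(ak) and _mode(ak) & 0o022:
        problems.append("authorized_keys is group/world writable")
    for name in sorted(os.listdir(ssh_dir)):
        # private keys: id_* files without the .pub suffix
        if name.startswith("id_") and not name.endswith(".pub"):
            if _mode(os.path.join(ssh_dir, name)) & 0o077:
                problems.append(f"private key {name} is readable by others (chmod 600 it)")
    return problems


def demo():
    """Run the whole flow inside a throwaway home directory and return what happened."""
    home = tempfile.mkdtemp()
    os.chmod(home, 0o700)
    first = install_authorized_key(home, SAMPLE_PUBKEY)
    second = install_authorized_key(home, SAMPLE_PUBKEY)   # second run must not duplicate
    key = os.path.join(home, ".ssh", "id_rsa_openssh")
    with open(key, "w") as f:                               # constructed placeholder, not a key
        f.write("-----BEGIN RSA PRIVATE KEY-----\n(placeholder)\n-----END RSA PRIVATE KEY-----\n")
    os.chmod(key, 0o644)                                    # the mistake that chmod 600 fixes
    before = check_key_permissions(home)
    os.chmod(key, 0o600)
    after = check_key_permissions(home)
    with open(os.path.join(home, ".ssh", "authorized_keys")) as f:
        lines = sum(1 for l in f if l.strip())
    return {"first": first, "second": second, "lines": lines, "before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

The duplicate check compares the base64 blob rather than the whole line, so the same key uploaded with a different comment is still recognised as already installed.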
Log in:

```
[root@ld365 ~]# ssh root@127.0.0.1 -p 12345 -i .ssh/id_rsa_openssh
Enter passphrase for key '.ssh/id_rsa_openssh':
Last login: Thu Oct 24 16:38:11 2013 from 192.168.0.32
[root@ld365 ~]#
```
Under GNU/Linux the sftp command has no parameter for specifying the private key; in that case create a file named config in the .ssh folder of your home directory with the following content (comments go on their own lines; ssh does not accept a comment after a value on the same line):

```
# private key file to use
IdentityFile ~/.ssh/id_rsa_openssh
# port the ssh service listens on, on the server being logged in to
Port 12345
```

Written like this, without a Host line, both settings apply to every server you connect to.