SSH in practice: key-based login with password login disabled
Introduction
Whether it is a personal VPS or a company server reachable from the public internet, leaving password authentication enabled on the SSH port (22) means it will be hammered by brute-force guessing, and getting broken into that way is a common story. Companies can restrict access with a firewall, and individual users can change the port away from 22 and strengthen weak passwords, but the relatively safe and simple option today is to make SSH use key-based login and disable password login altogether.
Of the options available, this is the safest way to manage logins.
Generating the public key
It is recommended to set a passphrase and remember it. The example below generates the key on Linux.
Linux: ssh-keygen -t rsa
[private key (id_rsa) and public key (id_rsa.pub)]
Windows: SecureCRT/Xshell/PuTTY
[SSH-2 RSA 2048]
# Generate the SSH key pair
ssh-keygen -t rsa
Generating public/private rsa key pair.
# Press Enter to accept the default path
Enter file in which to save the key (/root/.ssh/id_rsa):
# Type the passphrase (press Enter to leave it empty)
Enter passphrase (empty for no passphrase):
# Repeat the passphrase
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
aa:8b:61:13:38:ad:b5:49:ca:51:45:b9:77:e1:97:e1 root@localhost.localdomain
The key's randomart image is:
+--[ RSA 2048]----+
| .o. |
| .. . . |
| . . . o o |
| o. . . o E |
|o.= . S . |
|.*.+ . |
|o.* . |
| . + . |
| . o. |
+-----------------+
Copying the key
The directory and authorized_keys can also be created by hand on the client; be careful to set their permissions correctly.
# Copy the public key to the server you want to log in to without a password; if the port is no longer 22, use the command below
#ssh-copy-id -i ~/.ssh/id_rsa.pub "-p 10022 user@server"
ssh-copy-id -i ~/.ssh/id_rsa.pub root@192.168.15.241
Editing the SSH configuration file
# Edit sshd_config
vi /etc/ssh/sshd_config
# Disable password authentication
PasswordAuthentication no
# Enable key authentication (RSAAuthentication only applied to SSH protocol 1; newer OpenSSH reports it as deprecated and ignores it)
RSAAuthentication yes
PubkeyAuthentication yes
# Specify the public key database file
AuthorizedKeysFile .ssh/authorized_keys
Before restarting the SSH service, keep at least one extra session open in case something goes wrong.
# RHEL/CentOS
service sshd restart
# Ubuntu
service ssh restart
# Debian
/etc/init.d/ssh restart
Adding administrative users by hand
A user comment can be appended after the trailing == of the key so that each entry is easy to identify.
echo 'ssh-rsa XXXX' >> /root/.ssh/authorized_keys
# Double-check
cat /root/.ssh/authorized_keys
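The sshd_config edit and the permission check above, as an added example that is not from the original post: it applies the settings idempotently (so a leftover "PasswordAuthentication yes" earlier in the file cannot win, since sshd honours the first occurrence of a keyword), goes one step beyond the post by also switching off keyboard-interactive (PAM) authentication, and verifies the ~/.ssh permissions that StrictModes requires. It assumes POSIX sh with GNU sed and GNU stat (Linux); the config path and .ssh directory are passed as arguments.

```shell
#!/bin/sh
# set_sshd_option FILE KEY VALUE
# Rewrites every existing "KEY ..." line, active or commented out, as "KEY VALUE",
# appending one when KEY is absent. sshd takes the first occurrence of a keyword,
# so a forgotten "PasswordAuthentication yes" higher up would silently win.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file"; then
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?$|$key $value|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# effective_sshd_option FILE KEY: the value sshd would use (first active line).
effective_sshd_option() {
    grep -E "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{print $2}'
}

# harden_sshd_config FILE: the settings from the post, plus keyboard-interactive
# (PAM) authentication off, since that path can still prompt for a password.
harden_sshd_config() {
    set_sshd_option "$1" PubkeyAuthentication yes
    set_sshd_option "$1" AuthorizedKeysFile .ssh/authorized_keys
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" ChallengeResponseAuthentication no
    # Succeed only if the file now really disables password login.
    [ "$(effective_sshd_option "$1" PasswordAuthentication)" = no ]
}

# check_key_perms SSH_DIR: sshd (StrictModes, the default) ignores keys when
# ~/.ssh or authorized_keys is group/world writable; 700 and 600 are the usual modes.
check_key_perms() {
    rc=0
    for p in "$1" "$1/authorized_keys"; do
        mode=$(stat -c '%a' "$p" 2>/dev/null) || { echo "missing: $p"; return 1; }
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "group/world writable ($mode): $p"; rc=1
        fi
    done
    return $rc
}
```

Run `sshd -t` after harden_sshd_config and before the restart, with the spare session still open, so a syntax error cannot lock you out.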