centos ssh密钥
介绍 (Introduction)
SSH, or secure shell, is an encrypted protocol used to administer and communicate with servers. When working with a CentOS server, chances are you will spend most of your time in a terminal session connected to your server through SSH.
SSH(或安全外壳)是用于管理服务器并与服务器通信的加密协议。 当使用CentOS服务器时,您很可能会花费大部分时间在通过SSH连接到服务器的终端会话中。
In this guide, we’ll focus on setting up SSH keys for a CentOS 8 server. SSH keys provide a straightforward, secure method of logging into your server and are recommended for all users.
在本指南中,我们将重点介绍为CentOS 8服务器设置SSH密钥。 SSH密钥提供了一种直接,安全的登录服务器的方法,建议所有用户使用。
步骤1 —创建RSA密钥对 (Step 1 — Creating the RSA Key Pair)
The first step is to create a key pair on the client machine (usually your local computer):
第一步是在客户端计算机(通常是本地计算机)上创建密钥对:
- ssh-keygen ssh-keygen
By default, ssh-keygen will create a 2048-bit RSA key pair, which is secure enough for most use cases (you may optionally pass in the -b 4096 flag to create a larger 4096-bit key).
缺省情况下, ssh-keygen将创建一个2048位RSA密钥对,对于大多数用例来说,这是足够安全的(您可以选择传入-b 4096标志来创建更大的4096位密钥)。
After entering the command, you should see the following prompt:
输入命令后,您应该看到以下提示:
Output
Generating public/private rsa key pair.
Enter file in which to save the key (/your_home/.ssh/id_rsa):
Press ENTER to save the key pair into the .ssh/ subdirectory in your home directory, or specify an alternate path.
按ENTER将密钥对保存到主目录的.ssh/子目录中,或指定备用路径。
If you had previously generated an SSH key pair, you may see the following prompt:
如果先前已生成SSH密钥对,则可能会看到以下提示:
Output
/home/your_home/.ssh/id_rsa already exists.
Overwrite (y/n)?
If you choose to overwrite the key on disk, you will not be able to authenticate using the previous key anymore. Be very careful when selecting yes, as this is a destructive process that cannot be reversed.
如果选择覆盖磁盘上的密钥,则将无法再使用先前的密钥进行身份验证。 选择是时要非常小心,因为这是一个破坏性的过程,无法逆转。
You should then see the following prompt:
然后,您应该看到以下提示:
Output
Enter passphrase (empty for no passphrase):
Here you may optionally enter a secure passphrase, which is highly recommended. A passphrase adds an additional layer of security to your key, to prevent unauthorized users from logging in.
在这里,您可以选择输入安全密码,强烈建议您输入该密码。 密码短语为您的密钥增加了一层额外的安全保护,以防止未经授权的用户登录。
You should then see the following output:
然后,您应该看到以下输出:
Output
Your identification has been saved in /your_home/.ssh/id_rsa.
Your public key has been saved in /your_home/.ssh/id_rsa.pub.
The key fingerprint is:
a9:49:2e:2a:5e:33:3e:a9:de:4e:77:11:58:b6:90:26 username@remote_host
The key's randomart image is:
+--[ RSA 2048]----+
| ..o |
| E o= . |
| o. o |
| .. |
| ..S |
| o o. |
| =o.+. |
|. =++.. |
|o=++. |
+-----------------+
You now have a public and private key that you can use to authenticate. The next step is to get the public key onto your server so that you can use SSH-key-based authentication to log in.
现在,您具有可用于进行身份验证的公用和专用密钥。 下一步是将公钥放入服务器,以便您可以使用基于SSH密钥的身份验证进行登录。
步骤2 —将公钥复制到您的CentOS服务器 (Step 2 — Copying the Public Key to Your CentOS Server)
The quickest way to copy your public key to the CentOS host is to use a utility called ssh-copy-id. This method is highly recommended if available. If you do not have ssh-copy-id available to you on your client machine, you may use one of the two alternate methods that follow (copying via password-based SSH, or manually copying the key).
将公钥复制到CentOS主机的最快方法是使用名为ssh-copy-id的实用程序。 如果可用,强烈建议使用此方法。 如果客户端计算机上没有可用的ssh-copy-id ,则可以使用以下两种替代方法之一(通过基于密码的SSH复制或手动复制密钥)。
使用ssh-copy-id公钥 (Copying your Public Key Using ssh-copy-id)
The ssh-copy-id tool is included by default in many operating systems, so you may have it available on your local system. For this method to work, you must already have password-based SSH access to your server.
ssh-copy-id工具默认包含在许多操作系统中,因此您可能在本地系统上可以使用它。 为了使此方法起作用,您必须已经具有对服务器的基于密码的SSH访问。
To use the utility, you need only specify the remote host that you would like to connect to and the user account that you have password SSH access to. This is the account to which your public SSH key will be copied:
要使用该实用程序,您只需指定要连接的远程主机和具有密码SSH访问权限的用户帐户即可。 这是将您的公共SSH密钥复制到的帐户:
ssh-copy-id username@remote_host
ssh-copy-id 用户名 @ remote_host
You may see the following message:
您可能会看到以下消息:
Output
The authenticity of host '203.0.113.1 (203.0.113.1)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes
This means that your local computer does not recognize the remote host. This will happen the first time you connect to a new host. Type yes and press ENTER to continue.
这意味着您的本地计算机无法识别远程主机。 这将在您第一次连接到新主机时发生。 键入yes ,然后按ENTER继续。
Next, the utility will scan your local account for the id_rsa.pub key that we created earlier. When it finds the key, it will prompt you for the password of the remote user’s account:
接下来,该实用程序将在您的本地帐户中扫描我们之前创建的id_rsa.pub密钥。 找到密钥后,它将提示您输入远程用户帐户的密码:
Output
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
username@203.0.113.1's password:
Type in the password (your typing will not be displayed for security purposes) and press ENTER. The utility will connect to the account on the remote host using the password you provided. It will then copy the contents of your ~/.ssh/id_rsa.pub key into the remote account’s ~/.ssh/authorized_keys file.
输入密码(出于安全考虑,您的输入将不会显示),然后按ENTER 。 该实用程序将使用您提供的密码连接到远程主机上的帐户。 然后它将~/.ssh/id_rsa.pub密钥的内容~/.ssh/id_rsa.pub到远程帐户的~/.ssh/authorized_keys文件中。
You should see the following output:
您应该看到以下输出:
Output
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'username@203.0.113.1'"
and check to make sure that only the key(s) you wanted were added.
At this point, your id_rsa.pub key has been uploaded to the remote account. You can continue on to Step 3.
至此,您的id_rsa.pub密钥已上传到远程帐户。 您可以继续执行步骤3 。
使用SSH复制公钥 (Copying Public Key Using SSH)
If you do not have ssh-copy-id available, but you have password-based SSH access to an account on your server, you can upload your keys using a more conventional SSH method.
如果没有可用的ssh-copy-id ,但是您具有基于密码的SSH访问服务器上的帐户,则可以使用更传统的SSH方法上载密钥。
We can do this by using the cat command to read the contents of the public SSH key on our local computer and piping that through an SSH connection to the remote server.
为此,我们可以使用cat命令读取本地计算机上公共SSH密钥的内容,然后通过SSH连接到远程服务器进行管道传输。
On the other side, we can make sure that the ~/.ssh directory exists and has the correct permissions under the account we’re using.
另一方面,我们可以确保~/.ssh目录存在并且在我们使用的帐户下具有正确的权限。
We can then output the content we piped over into a file called authorized_keys within this directory. We’ll use the >> redirect symbol to append the content instead of overwriting it. This will let us add keys without destroying any previously added keys.
然后,我们可以将通过管道传输的内容输出到此目录中的一个名为authorized_keys的文件中。 我们将使用>>重定向符号来附加内容,而不是覆盖内容。 这将使我们能够添加密钥而不会破坏任何先前添加的密钥。
The full command looks like this:
完整的命令如下所示:
cat ~/.ssh/id_rsa.pub | ssh username@remote_host "mkdir -p ~/.ssh && touch ~/.ssh/authorized_keys && chmod -R go= ~/.ssh && cat >> ~/.ssh/authorized_keys"
猫〜/ .ssh / id_rsa.pub | ssh 用户名 @ remote_host “ mkdir -p〜 / .ssh &&触摸〜/ .ssh / authorized_keys && chmod -R go =〜/ .ssh && cat >>〜/ .ssh / authorized_keys”
You may see the following message:
您可能会看到以下消息:
Output
The authenticity of host '203.0.113.1 (203.0.113.1)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes
This means that your local computer does not recognize the remote host. This will happen the first time you connect to a new host. Type yes and press ENTER to continue.
这意味着您的本地计算机无法识别远程主机。 这将在您第一次连接到新主机时发生。 键入yes ,然后按ENTER继续。
Afterwards, you should be prompted to enter the remote user account password:
之后,系统将提示您输入远程用户帐户密码:
Output
username@203.0.113.1's password:
After entering your password, the content of your id_rsa.pub key will be copied to the end of the authorized_keys file of the remote user’s account. Continue on to Step 3 if this was successful.
输入密码后, id_rsa.pub密钥的内容将被复制到远程用户帐户的authorized_keys文件的末尾。 如果成功,请继续执行步骤3 。
手动复制公钥 (Copying Public Key Manually)
If you do not have password-based SSH access to your server available, you will have to complete the above process manually.
如果没有对服务器的基于密码的SSH访问,则必须手动完成上述过程。
We will manually append the content of your id_rsa.pub file to the ~/.ssh/authorized_keys file on your remote machine.
我们将手动将id_rsa.pub文件的内容附加到远程计算机上的~/.ssh/authorized_keys文件中。
To display the content of your id_rsa.pub key, type this into your local computer:
要显示id_rsa.pub密钥的内容,请在本地计算机中键入以下内容:
- cat ~/.ssh/id_rsa.pub 猫〜/ .ssh / id_rsa.pub
You will see the key’s content, which should look something like this:
您将看到密钥的内容,该内容应如下所示:
Output
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCqql6MzstZYh1TmWWv11q5O3pISj2ZFl9HgH1JLknLLx44+tXfJ7mIrKNxOOwxIxvcBF8PXSYvobFYEZjGIVCEAjrUzLiIxbyCoxVyle7Q+bqgZ8SeeM8wzytsY+dVGcBxF6N4JS+zVk5eMcV385gG3Y6ON3EG112n6d+SMXY0OEBIcO6x+PnUSGHrSgpBgX7Ks1r7xqFa7heJLLt2wWwkARptX7udSq05paBhcpB0pHtA1Rfz3K2B+ZVIpSDfki9UVKzT8JUmwW6NNzSgxUfQHGwnW7kj4jp4AT0VZk3ADw497M2G/12N0PPB5CnhHf7ovgy6nL1ikrygTKRFmNZISvAcywB9GVqNAVE+ZHDSCuURNsAInVzgYo9xgJDW8wUw2o8U77+xiFxgI5QSZX3Iq7YLMgeksaO4rBJEa54k8m5wEiEE1nUhLuJ0X/vh2xPff6SQ1BL/zkOhvJCACK6Vb15mDOeCSq54Cr7kvS46itMosi/uS66+PujOO+xt/2FWYepz6ZlN70bRly57Q06J+ZJoc9FfBCbCyYH7U/ASsmY095ywPsBo1XQ9PqhnN1/YOorJ068foQDNVpm146mUpILVxmq41Cj55YKHEazXGsdBIbXWhcrRf4G2fJLRcGUr9q8/lERo9oxRm5JFX6TCmj6kmiFqv+Ow9gI0x8GvaQ== sammy@host
Log in to your remote host using whichever method you have available.
使用任何可用的方法登录到远程主机。
Once you have access to your account on the remote server, you should make sure the ~/.ssh directory exists. This command will create the directory if necessary, or do nothing if it already exists:
一旦可以访问远程服务器上的帐户,就应确保~/.ssh目录存在。 如果需要,此命令将创建目录;如果目录已经存在,则不执行任何操作:
- mkdir -p ~/.ssh mkdir -p〜/ .ssh
Now, you can create or modify the authorized_keys file within this directory. You can add the contents of your id_rsa.pub file to the end of the authorized_keys file, creating it if necessary, using this command:
现在,您可以在此目录中创建或修改authorized_keys文件。 您可以将您的内容添加id_rsa.pub文件到结束authorized_keys文件,如果有必要创建它,使用这个命令:
echo public_key_string >> ~/.ssh/authorized_keys
回声public_key_string >>〜/ .ssh / authorized_keys
In the above command, substitute the public_key_string with the output from the cat ~/.ssh/id_rsa.pub command that you executed on your local system. It should start with ssh-rsa AAAA....
在上面的命令中,将public_key_string替换为您在本地系统上执行的public_key_string cat ~/.ssh/id_rsa.pub命令的输出。 它应该以ssh-rsa AAAA...开头。
Finally, we’ll ensure that the ~/.ssh directory and authorized_keys file have the appropriate permissions set:
最后,我们将确保~/.ssh目录和authorized_keys文件具有适当的权限集:
- chmod -R go= ~/.ssh chmod -R go =〜/ .ssh
This recursively removes all “group” and “other” permissions for the ~/.ssh/ directory.
这将递归地删除~/.ssh/目录的所有“组”和“其他”权限。
If you’re using the root account to set up keys for a user account, it’s also important that the ~/.ssh directory belongs to the user and not to root:
如果您使用root帐户设置用户帐户的密钥,则~/.ssh目录属于用户而不是root也很重要:
chown -R sammy:sammy ~/.ssh
chown -R sammy : 萨米 〜/ .ssh
In this tutorial our user is named sammy but you should substitute the appropriate username into the above command.
在本教程中,我们的用户名为sammy,但您应将适当的用户名替换为上述命令。
We can now attempt key-based authentication with our CentOS server.
现在,我们可以使用我们的CentOS服务器尝试基于密钥的身份验证。
步骤3 —使用SSH密钥登录到CentOS服务器 (Step 3 — Logging In to Your CentOS Server Using SSH Keys)
If you have successfully completed one of the procedures above, you should now be able to log into the remote host without the remote account’s password.
如果您已成功完成上述过程之一,则现在无需远程帐户的密码即可登录到远程主机。
The initial process is the same as with password-based authentication:
初始过程与基于密码的身份验证相同:
ssh username@remote_host
ssh 用户名 @ remote_host
If this is your first time connecting to this host (if you used the last method above), you may see something like this:
如果这是您第一次连接到该主机(如果您使用了上面的最后一种方法),则可能会看到以下内容:
Output
The authenticity of host '203.0.113.1 (203.0.113.1)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes
This means that your local computer does not recognize the remote host. Type yes and then press ENTER to continue.
这意味着您的本地计算机无法识别远程主机。 键入yes ,然后按ENTER继续。
If you did not supply a passphrase when creating your key pair in step 1, you will be logged in immediately. If you supplied a passphrase you will be prompted to enter it now. After authenticating, a new shell session should open for you with the configured account on the CentOS server.
如果在步骤1中创建密钥对时未提供密码短语,则将立即登录。 如果您提供了密码,将提示您立即输入密码。 验证之后,应使用CentOS服务器上配置的帐户为您打开一个新的Shell会话。
If key-based authentication was successful, continue on to learn how to further secure your system by disabling your SSH server’s password-based authentication.
如果基于密钥的身份验证成功,请继续学习如何通过禁用SSH服务器的基于密码的身份验证来进一步保护系统。
步骤4 —在服务器上禁用密码身份验证 (Step 4 — Disabling Password Authentication on your Server)
If you were able to login to your account using SSH without a password, you have successfully configured SSH-key-based authentication to your account. However, your password-based authentication mechanism is still active, meaning that your server is still exposed to brute-force attacks.
如果您能够使用SSH无需密码登录到帐户,则说明您已成功为帐户配置了基于SSH密钥的身份验证。 但是,基于密码的身份验证机制仍然处于活动状态,这意味着您的服务器仍然容易受到暴力攻击。
Before completing the steps in this section, make sure that you either have SSH-key-based authentication configured for the root account on this server, or preferably, that you have SSH-key-based authentication configured for a non-root account on this server with sudo privileges. This step will lock down password-based logins, so ensuring that you will still be able to get administrative access is crucial.
在完成本节中的步骤之前,请确保已为此服务器上的根帐户配置了基于SSH密钥的身份验证,或者最好是为此服务器上的非根帐户配置了基于SSH密钥的身份验证。具有sudo特权的服务器。 此步骤将锁定基于密码的登录,因此确保您仍然能够获得管理访问权限至关重要。
Once you’ve confirmed that your remote account has administrative privileges, log into your remote server with SSH keys, either as root or with an account with sudo privileges. Then, open up the SSH daemon’s configuration file:
确认远程帐户具有管理特权后,请以SSH密钥(具有root用户身份或具有sudo特权的帐户)登录到远程服务器。 然后,打开SSH守护程序的配置文件:
- sudo vi /etc/ssh/sshd_config 须藤vi / etc / ssh / sshd_config
Inside the file, search for a directive called PasswordAuthentication. This may be commented out with a # hash. Press i to put vi into insertion mode, and then uncomment the line and set the value to no. This will disable your ability to log in via SSH using account passwords:
在文件内部,搜索名为PasswordAuthentication的指令。 这可以用#哈希注释掉。 按i将vi置于插入模式,然后取消注释该行并将其值设置为no 。 这将禁用您使用帐户密码通过SSH登录的功能:
...
PasswordAuthentication no
...When you are finished making changes, press ESC and then :wq to write the changes to the file and quit. To actually implement these changes, we need to restart the sshd service:
完成更改后,按ESC ,然后按:wq将更改写入文件并退出。 要实际实现这些更改,我们需要重新启动sshd服务:
- sudo systemctl restart sshd sudo systemctl重新启动sshd
As a precaution, open up a new terminal window and test that the SSH service is functioning correctly before closing your current session:
作为预防措施,在关闭当前会话之前,请打开一个新的终端窗口并测试SSH服务是否正常运行:
ssh username@remote_host
ssh 用户名 @ remote_host
Once you have verified your SSH service is still working properly, you can safely close all current server sessions.
确认SSH服务仍然正常运行后,就可以安全地关闭所有当前服务器会话。
The SSH daemon on your CentOS server now only responds to SSH keys. Password-based authentication has successfully been disabled.
CentOS服务器上的SSH守护程序现在仅响应SSH密钥。 基于密码的身份验证已成功禁用。
结论 (Conclusion)
You should now have SSH-key-based authentication configured on your server, allowing you to sign in without providing an account password.
现在,您应该在服务器上配置了基于SSH密钥的身份验证,从而可以在不提供帐户密码的情况下登录。
If you’d like to learn more about working with SSH, take a look at our SSH Essentials Guide.
如果您想了解有关使用SSH的更多信息,请查看我们的SSH Essentials指南 。
翻译自: https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys-on-centos-8
centos ssh密钥
233
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
