How To Set Up SSH Keys on Debian 10

Introduction

SSH, or secure shell, is an encrypted protocol used to administer and communicate with servers. When working with a Debian server, chances are you will spend most of your time in a terminal session connected to your server through SSH.


In this guide, we’ll focus on setting up SSH keys for a vanilla Debian 10 installation. SSH keys provide an easy, secure way of logging into your server and are recommended for all users.


Step 1 — Create the RSA Key Pair

The first step is to create a key pair on the client machine (usually your computer):


  • ssh-keygen

By default ssh-keygen will create a 2048-bit RSA key pair, which is secure enough for most use cases (you may optionally pass in the -b 4096 flag to create a larger 4096-bit key).


After entering the command, you should see the following output:


Output
Generating public/private rsa key pair.
Enter file in which to save the key (/your_home/.ssh/id_rsa):

Press enter to save the key pair into the .ssh/ subdirectory in your home directory, or specify an alternate path.


If you had previously generated an SSH key pair, you may see the following prompt:


Output
/home/your_home/.ssh/id_rsa already exists.
Overwrite (y/n)?

Warning: If you choose to overwrite the key on disk, you will not be able to authenticate using the previous key anymore. Be very careful when selecting yes, as this is a destructive process that cannot be reversed.


You should then see the following prompt:


Output
Enter passphrase (empty for no passphrase):

Here you may optionally enter a secure passphrase, which is highly recommended. A passphrase adds an additional layer of security to prevent unauthorized users from logging in. To learn more about security, consult our tutorial on How To Configure SSH Key-Based Authentication on a Linux Server.


You should then see the following output:


Output
Your identification has been saved in /your_home/.ssh/id_rsa.
Your public key has been saved in /your_home/.ssh/id_rsa.pub.
The key fingerprint is:
a9:49:2e:2a:5e:33:3e:a9:de:4e:77:11:58:b6:90:26 username@remote_host
The key's randomart image is:
+--[ RSA 2048]----+
|     ..o         |
|   E o= .        |
|    o. o         |
|        ..       |
|      ..S        |
|     o o.        |
|   =o.+.         |
|. =++..          |
|o=++.            |
+-----------------+

You now have a public and private key that you can use to authenticate. The next step is to place the public key on your server so that you can use SSH-key-based authentication to log in.


Step 2 — Copy the Public Key to the Debian Server

The quickest way to copy your public key to the Debian host is to use a utility called ssh-copy-id. Due to its simplicity, this method is highly recommended if available. If you do not have ssh-copy-id available to you on your client machine, you may use one of the two alternate methods provided in this section (copying via password-based SSH, or manually copying the key).


Copying the Public Key Using ssh-copy-id

The ssh-copy-id tool is included by default in many operating systems, so you may have it available on your local system. For this method to work, you must already have password-based SSH access to your server.


To use the utility, you simply need to specify the remote host that you would like to connect to and the user account that you have password SSH access to. This is the account to which your public SSH key will be copied.


The syntax is:


  • ssh-copy-id username@remote_host

You may see the following message:


Output
The authenticity of host '203.0.113.1 (203.0.113.1)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes

This means that your local computer does not recognize the remote host. This will happen the first time you connect to a new host. Type “yes” and press ENTER to continue.


Next, the utility will scan your local account for the id_rsa.pub key that we created earlier. When it finds the key, it will prompt you for the password of the remote user’s account:


Output
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
username@203.0.113.1's password:

Type in the password (your typing will not be displayed for security purposes) and press ENTER. The utility will connect to the account on the remote host using the password you provided. It will then copy the contents of your ~/.ssh/id_rsa.pub key into a file in the remote account’s home ~/.ssh directory called authorized_keys.


You should see the following output:


Output
Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'username@203.0.113.1'"
and check to make sure that only the key(s) you wanted were added.

At this point, your id_rsa.pub key has been uploaded to the remote account. You can continue on to Step 3.


Copying the Public Key Using SSH

If you do not have ssh-copy-id available, but you have password-based SSH access to an account on your server, you can upload your keys using a conventional SSH method.


We can do this by using the cat command to read the contents of the public SSH key on our local computer and piping that through an SSH connection to the remote server.


On the other side, we can make sure that the ~/.ssh directory exists and has the correct permissions under the account we’re using.


We can then output the content we piped over into a file called authorized_keys within this directory. We’ll use the >> redirect symbol to append the content instead of overwriting it. This will let us add keys without destroying previously added keys.


The full command looks like this:


  • cat ~/.ssh/id_rsa.pub | ssh username@remote_host "mkdir -p ~/.ssh && touch ~/.ssh/authorized_keys && chmod -R go= ~/.ssh && cat >> ~/.ssh/authorized_keys"

You may see the following message:


Output
The authenticity of host '203.0.113.1 (203.0.113.1)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes

This means that your local computer does not recognize the remote host. This will happen the first time you connect to a new host. Type “yes” and press ENTER to continue.


Afterwards, you should be prompted to enter the remote user account password:


Output
username@203.0.113.1's password:

After entering your password, the content of your id_rsa.pub key will be copied to the end of the authorized_keys file of the remote user’s account. Continue on to Step 3 if this was successful.


Copying the Public Key Manually

If you do not have password-based SSH access to your server available, you will have to complete the above process manually.


We will manually append the content of your id_rsa.pub file to the ~/.ssh/authorized_keys file on your remote machine.


To display the content of your id_rsa.pub key, type this into your local computer:


  • cat ~/.ssh/id_rsa.pub

You will see the key’s content, which should look something like this:


Output
ssh-rsa AAAA... demo@test

Access your remote host using whichever method you have available.


Once you have access to your account on the remote server, you should make sure the ~/.ssh directory exists. This command will create the directory if necessary, or do nothing if it already exists:


  • mkdir -p ~/.ssh

Now, you can create or modify the authorized_keys file within this directory. You can add the contents of your id_rsa.pub file to the end of the authorized_keys file, creating it if necessary, using this command:


  • echo public_key_string >> ~/.ssh/authorized_keys

In the above command, substitute the public_key_string with the output from the cat ~/.ssh/id_rsa.pub command that you executed on your local system. It should start with ssh-rsa AAAA....


Finally, we’ll ensure that the ~/.ssh directory and authorized_keys file have the appropriate permissions set:


  • chmod -R go= ~/.ssh

This recursively removes all “group” and “other” permissions for the ~/.ssh/ directory.


If you’re using the root account to set up keys for a user account, it’s also important that the ~/.ssh directory belongs to the user and not to root:


  • chown -R sammy:sammy ~/.ssh

In this tutorial our user is named sammy but you should substitute the appropriate username into the above command.

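The manual steps above (create ~/.ssh, append the key with >>, strip group/other permissions) can be wrapped into one idempotent function. This is an added example, not code from the original tutorial; the target directory is a parameter so it can be exercised on a scratch directory, and the key line is a constructed, non-functional sample:

```shell
#!/bin/sh
# Added example, not code from the original tutorial. It performs the manual
# steps of Step 2 (mkdir -p, touch, append with >>, chmod -R go=) as one
# idempotent function with a sanity check on the key line. The directory is a
# parameter so it can run against a scratch directory; on the server it would
# be "$HOME/.ssh" (or /home/sammy/.ssh when root sets up keys for sammy).

install_authorized_key() {
    ssh_dir="$1"
    pubkey="$2"                      # one line, as printed by: cat ~/.ssh/id_rsa.pub
    auth_keys="$ssh_dir/authorized_keys"

    # Accept only a single "<type> <base64> [comment]" line.
    [ "$(printf '%s' "$pubkey" | wc -l | tr -d ' ')" = "0" ] \
        || { echo "refusing multi-line input" >&2; return 1; }
    case "$pubkey" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-nistp"*) ;;
        *) echo "refusing unknown key type" >&2; return 1 ;;
    esac
    key_body=$(printf '%s\n' "$pubkey" | awk '{print $1 " " $2}')
    printf '%s\n' "$pubkey" | awk '{print $2}' | grep -Eq '^[A-Za-z0-9+/]+=*$' \
        || { echo "refusing non-base64 key material" >&2; return 1; }

    mkdir -p "$ssh_dir"              # create ~/.ssh if it does not exist
    touch "$auth_keys"               # create authorized_keys if it does not exist
    chmod -R go= "$ssh_dir"          # 700 on the directory, 600 on the file

    # Compare type + key material only, so a re-run with a different comment
    # does not append a duplicate entry.
    if awk '{print $1 " " $2}' "$auth_keys" | grep -qxF -- "$key_body"; then
        echo "already present"
        return 0
    fi
    printf '%s\n' "$pubkey" >> "$auth_keys"
    echo "added"
}

# Demo on a scratch directory with a constructed (not real) key.
DEMO_DIR=$(mktemp -d)
DEMO_BODY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedkeymaterial"
install_authorized_key "$DEMO_DIR/.ssh" "$DEMO_BODY demo@test"     # added
install_authorized_key "$DEMO_DIR/.ssh" "$DEMO_BODY demo@laptop"   # already present
```

When root runs this for another user, follow it with the tutorial's chown -R sammy:sammy on the directory, since mkdir and touch create the files owned by root.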

We can now attempt passwordless authentication with our Debian server.


Step 3 — Authenticate to the Debian Server Using SSH Keys

If you have successfully completed one of the procedures above, you should be able to log into the remote host without the remote account’s password.


The basic process is the same:


  • ssh username@remote_host

If this is your first time connecting to this host (if you used the last method above), you may see something like this:


Output
The authenticity of host '203.0.113.1 (203.0.113.1)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes

This means that your local computer does not recognize the remote host. Type “yes” and then press ENTER to continue.


If you did not supply a passphrase for your private key, you will be logged in immediately. If you supplied a passphrase for the private key when you created the key, you will be prompted to enter it now (note that your keystrokes will not display in the terminal session for security). After authenticating, a new shell session should open for you with the configured account on the Debian server.


If key-based authentication was successful, continue on to learn how to further secure your system by disabling password authentication.


Step 4 — Disable Password Authentication on Your Server

If you were able to log into your account using SSH without a password, you have successfully configured SSH-key-based authentication to your account. However, your password-based authentication mechanism is still active, meaning that your server is still exposed to brute-force attacks.


Before completing the steps in this section, make sure that you either have SSH-key-based authentication configured for the root account on this server, or preferably, that you have SSH-key-based authentication configured for a non-root account on this server with sudo privileges. This step will lock down password-based logins, so ensuring that you will still be able to get administrative access is crucial.


Once you’ve confirmed that your remote account has administrative privileges, log into your remote server with SSH keys, either as root or with an account with sudo privileges. Then, open up the SSH daemon’s configuration file:


  • sudo nano /etc/ssh/sshd_config

Inside the file, search for a directive called PasswordAuthentication. This may be commented out. Uncomment the line and set the value to “no”. This will disable your ability to log in via SSH using account passwords:


/etc/ssh/sshd_config
...
PasswordAuthentication no
...

Save and close the file when you are finished by pressing CTRL + X, then Y to confirm saving the file, and finally ENTER to exit nano. To actually implement these changes, we need to restart the sshd service:


  • sudo systemctl restart ssh

As a precaution, open up a new terminal window and test that the SSH service is functioning correctly before closing this session:


  • ssh username@remote_host

Once you have verified your SSH service, you can safely close all current server sessions.


The SSH daemon on your Debian server now only responds to SSH keys. Password-based authentication has successfully been disabled.

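A common way for the edit in Step 4 to silently fail is that sshd honours only the first uncommented occurrence of a keyword, and any occurrence below a Match line applies conditionally rather than globally. The following check, an added example that is not part of the original tutorial, reads a config file with those rules and reports the effective global PasswordAuthentication value (the config path is a parameter; Include directives are not followed):

```shell
#!/bin/sh
# Added example, not code from the original tutorial. It reads an sshd_config
# the way sshd does for Step 4: comments and blank lines are ignored, keywords
# are case-insensitive, the FIRST occurrence of a keyword wins, and anything
# below a "Match" line is conditional rather than global. Include directives
# are not followed. The path is a parameter; on the server it is
# /etc/ssh/sshd_config.

effective_password_auth() {
    awk '
        { sub(/#.*/, ""); sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }   # strip comments/whitespace
        $0 == "" { next }
        tolower($1) == "match" { exit }            # global section ends here
        tolower($1) == "passwordauthentication" && !found {
            found = 1; value = tolower($2)         # first value wins, later ones are ignored
        }
        END { print (found ? value : "yes") }      # sshd default when the keyword is unset
    ' "$1"
}

# Exit status 0 only when password logins are globally disabled.
assert_password_auth_disabled() {
    [ "$(effective_password_auth "$1")" = "no" ]
}

# Demo with a constructed config that LOOKS hardened but is not: the
# uncommented "yes" on the second line is the first occurrence, so the "no"
# added later is never used, and the "no" under Match only applies to sammy.
DEMO_CFG=$(mktemp)
cat > "$DEMO_CFG" <<'EOF'
#PasswordAuthentication yes
PasswordAuthentication yes
PasswordAuthentication no   # added by Step 4, but ignored by sshd
Match User sammy
    PasswordAuthentication no
EOF
echo "effective: $(effective_password_auth "$DEMO_CFG")"   # effective: yes
assert_password_auth_disabled "$DEMO_CFG" || echo "password logins are still enabled"
```

On the server itself, sudo sshd -T | grep -i passwordauthentication prints the value the daemon actually resolves, so use it as the authoritative check before closing your existing session.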

Conclusion

You should now have SSH-key-based authentication configured on your server, allowing you to sign in without providing an account password.


If you’d like to learn more about working with SSH, take a look at our SSH Essentials Guide.


Translated from: https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys-on-debian-10
