Generate SSH Keys for Passwordless Login in Ubuntu

SSH (Secure Shell) is a cryptographic network protocol which is used for establishing secure connections between a remote client and a server, using the TCP protocol for security and reliability.

SSH-based connections support various authentication methods, including:

  • Password-based authentication
  • Key-based authentication

By default, a new SSH connection between two machines uses password-based authentication. But if you frequently log on to a server from the same client, it may be cumbersome and irritating to type the password each time you log in.

This tutorial presents the alternative authentication method for logging on to the remote server: public keys.

Let’s look at how we can set this up on the particular client and server machines that we use frequently, so that we can log in from this machine automatically and securely!


Check for existing SSH Keys on the Client Machine

The first part deals with generating a private-public key pair on the client machine. The public key is later copied to the server and used for authentication.

Before setting any SSH Key, let’s ensure that there aren’t any existing keys already present for this client-server combination.

Let’s run this bash snippet to check whether a public key file exists (you can alternatively type it directly into the terminal):

# Loop over the glob so the check also works when several public keys match
found="Not Found"
for key in ~/.ssh/id_*.pub; do
    if test -f "$key"; then
        found="Found"
    fi
done
echo "$found"

If you get “Not Found”, this means that no such file exists, and we are ready to create a new key for this connection.

Otherwise, you can directly use the existing keys and skip the next step. But if you don’t want to use the old keys, you can remove the old keys and generate new ones by following the next step.


Generate a new SSH key pair for the client-server machines

The command below generates a new 4096-bit RSA SSH key pair with your id (can be anything identifiable!) as a comment:


ssh-keygen -t rsa -b 4096 -C "id@domain.com"

After we run this command and choose the key location and passphrase, the new key is generated for us, along with the key fingerprint.

Now, let’s check that the private-public key pair is actually there, using ls.


ls ~/.ssh/id_*

You should get the output below:


/root/.ssh/id_rsa  /root/.ssh/id_rsa.pub

This means that id_rsa is your private key, and id_rsa.pub is your public key.

NOTE: Never share your private key across machines. This is why you have a public key: we can copy the same public key to every server we want to ssh to, while the private key stays on the local machine and maintains the added security.


Copy the public key to the Server

Now that we have our SSH key pair on the client, we need to copy the public key to the remote server to be able to log in there.

We can use scp to copy files to our server, but there is a better alternative for SSH keys: ssh-copy-id.

You can install ssh-copy-id using your package manager if it is not available.


ssh-copy-id server_username@server_ip

After we enter the server user’s password, we will be able to log in to the server using the public key.

The output will be similar to this:


/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/client_user/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
SERVER_USER@SERVER_IP's password: 


Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'SERVER_USER@SERVER_IP'"
and check to make sure that only the key(s) you wanted were added.

This means that we can now ssh to this particular machine from our client with the extra key-based authentication!

To test it, try sshing to the server now!


ssh server_user@server_ip


Debugging Potential Problems

But some of you may still see the password prompt, along with the prompt for the key passphrase! What is going on?

A potential reason is detailed here. It seems we may not have the proper permissions on our ~/.ssh directory on the remote server. The HOME directory ~, the ~/.ssh directory, and the ~/.ssh/authorized_keys file must be writable only by us. Otherwise, sshd considers that other users could gain access, and that is why the password is also requested.

Let’s check the permissions of our home directory first.

Since only we can write to it, we don’t need to change permissions for this directory. Similarly, look at the modes of ~/.ssh and ~/.ssh/authorized_keys, and change them using chmod where needed.

Let’s change the permissions of these files and directories recursively using chmod -R 700 ~/.ssh.

Now, test it to see if this works.
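
The permission check described above can be scripted. This is an added example, not code from the original tutorial: the function names are hypothetical, it assumes GNU stat (as on Ubuntu), and its fix is narrower than a recursive 700 because it gives authorized_keys mode 600 (the file needs no execute bit).

```shell
#!/bin/sh
# Added example: flag group- or world-writable paths, the condition that
# sshd's StrictModes check rejects before it trusts authorized_keys.

# writable_by_others PATH -> exit 0 if the group or other write bit is set
writable_by_others() {
    mode=$(stat -c '%a' "$1") || return 2    # GNU stat, e.g. 755 or 1777
    group=$(( (mode / 10) % 10 ))
    other=$(( mode % 10 ))
    [ $(( group & 2 )) -ne 0 ] || [ $(( other & 2 )) -ne 0 ]
}

# audit_ssh_perms HOME -> prints one line per problem, returns the count
audit_ssh_perms() {
    home=$1; problems=0
    for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$path" ] || continue
        if writable_by_others "$path"; then
            echo "FIX: $path is mode $(stat -c '%a' "$path")"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# fix_ssh_perms HOME -> drop group/other write on the home directory,
# then set 700 on .ssh and 600 on authorized_keys
fix_ssh_perms() {
    chmod go-w "$1" &&
    chmod 700 "$1/.ssh" &&
    chmod 600 "$1/.ssh/authorized_keys"
}

# Constructed demo: a throwaway home with a group-writable .ssh directory
demo=$(mktemp -d)
mkdir "$demo/.ssh" && touch "$demo/.ssh/authorized_keys"
chmod 755 "$demo"; chmod 775 "$demo/.ssh"; chmod 644 "$demo/.ssh/authorized_keys"
audit_ssh_perms "$demo" || echo "problems found: $?"
fix_ssh_perms "$demo" && audit_ssh_perms "$demo" && echo "clean"
rm -rf "$demo"
```

On the server, run audit_ssh_perms "$HOME" as the login user; any FIX line names a path to tighten before retrying the key login.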


Debugging Potential Problems – Part 2

If you still aren’t able to get it working, this thread mentions that some of the options in the ssh config file may be disabled.

Check /etc/ssh/sshd_config on the server to ensure that the RSAAuthentication, PubkeyAuthentication and UsePAM options aren’t disabled.

Also, make sure that you explicitly set PasswordAuthentication no in the config, to disable Password-based Authentication for our user.

As you can see, this was indeed the case for me! The PubKeyAuthentication was also disabled, and hence it prompted me for the password, as the session didn’t use this as the primary mode of authentication!

I un-commented this line, and restarted ssh to apply changes.


sudo systemctl restart ssh

Now, this made the passwordless authentication finally work for me! Hopefully, you’ve also found a solution by this time.

We’ve finally configured ssh to work without a password!
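
The sshd_config checks from this section, as an added example that is not part of the original tutorial. The function names and the sample config are constructed; the parser assumes no Include files and reads only the global section, stopping at the first Match block.

```shell
#!/bin/sh
# Added example: report the global value sshd would use for a keyword.
# RSAAuthentication is not checked: it is an SSH protocol 1 option that
# current OpenSSH releases treat as deprecated.

# sshd_option FILE KEYWORD [DEFAULT] -> prints the first uncommented value
sshd_option() {
    awk -v key="$2" -v def="$3" '
        NF == 0 || $1 ~ /^#/ { next }        # blank or commented-out line
        tolower($1) == "match" { exit }      # conditional overrides start here
        tolower($1) == tolower(key) {        # keywords are case-insensitive
            val = tolower($2); exit          # sshd keeps the first occurrence
        }
        END { print (val != "" ? val : def) }
    ' "$1"
}

# check_key_login FILE -> returns 0 only if public key login is enabled,
# password login is explicitly "no", and UsePAM is not set to "no"
check_key_login() {
    rc=0
    pubkey=$(sshd_option "$1" PubkeyAuthentication yes)   # sshd default: yes
    passwd=$(sshd_option "$1" PasswordAuthentication unset)
    usepam=$(sshd_option "$1" UsePAM unset)
    [ "$pubkey" = yes ] || { echo "PubkeyAuthentication is $pubkey"; rc=1; }
    [ "$passwd" = no ] || { echo "PasswordAuthentication is $passwd"; rc=1; }
    [ "$usepam" != no ] || { echo "UsePAM is no"; rc=1; }
    return "$rc"
}

# Constructed sample config (not taken from the page)
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PasswordAuthentication yes
PubkeyAuthentication no
UsePAM yes
Match User backup
    PasswordAuthentication no
EOF
check_key_login "$sample" || echo "sshd_config needs changes"
rm -f "$sample"
```

On a real server, sudo sshd -T prints the effective configuration, including Include files and defaults, and is the authoritative check before restarting the service.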

Conclusion

In this tutorial, we showed you how to set up SSH public key based authentication and log in to a server without a password!


Translated from: https://www.journaldev.com/34140/generate-ssh-keys-for-passwordless-login-in-ubuntu
