Passwordless SSH Login: How Passwordless SSH Login Works


SSH (Secure Shell) is the protocol used for remote administration of Linux systems. It is secure by design, but you can make it considerably harder to attack by turning off password authentication and logging in with a key pair instead.

Passwordless?

Yes, you heard it right: passwordless. With it set up, you just run:

user@client:$ ssh user@server
// connecting
user@server:$

and you are on the server, with no password prompt in between.

Sure, it is convenient. But it is not only about convenience and security: one use case that absolutely needs it is automation. If you want your scripts (deployment, maintenance, and so on) to perform any SSH-related task, they need key-based login, because nobody is there to type a password.

But you might be wondering how it can ever be secure. Surely nothing protects you better than a long password? In theory, yes. In practice, passwords are easy to leak, easy to forget, tempting to reuse elsewhere, and often chosen from a small set that can be guessed quickly.

Key-based login, on the other hand, removes the whole class of password attacks: there is nothing to guess, the secret is far too large to brute-force, and it is never sent to the server, so a compromised or impersonated server learns nothing it can reuse. What it does not protect against is a compromised client: whoever can read your private key file can log in as you, which is why that file's permissions (and, optionally, a passphrase) matter. As for quantum computers: a large enough one would break RSA and elliptic-curve keys, but it would equally break the key exchange that protects every SSH session, password-based ones included, so it is no argument against keys. Let's ignore it for now.

How Does It Work?

First, you have to understand what a public/private key pair is. A private key is a very large secret number generated from random bits (for RSA keys, 2,048 bits is the most common size; the newer Ed25519 keys are shorter but at least as strong). The private key is kept secret and never leaves the client (your PC). The public key is a second number derived from the private key: you can compute the public key from the private key, but you cannot recover the private key from the public key. This is a one-way process.

Think of it like a human fingerprint. A fingerprint identifies a person (reasonably) uniquely, but you cannot recreate the person from the fingerprint alone. So the public key can be handed to anyone, and it is stored on both the client and the server.

Why do you need a pair, though? I will not go into the mathematics here, and it is not necessary. What you need to understand is that the two keys have complementary roles. Anything encrypted with the public key can only be decrypted with the private key, so anyone who has your public key can send you a message that only you can read. And in the other direction, anything signed with the private key can be verified by anyone who holds the public key, so only you can produce a signature that checks out against your public key. SSH authentication relies on the second property.

Sounds cool, doesn't it? And it is not limited to SSH. The same principle underlies many things around us, including HTTPS (TLS), FTPS, PGP (email encryption), and many others.

So, if the SSH server has your public key saved in your account's ~/.ssh/authorized_keys file (this is important), it can authenticate you like this:

  1. The client tells the server which public key it wants to use. The server checks whether that key appears in authorized_keys and refuses if it does not.

  2. The client signs a message with its private key and sends the signature. The signed message contains the session identifier agreed during the connection's key exchange, the username, and the public key itself, so the signature is bound to this one connection and cannot be replayed on another.

  3. The server verifies the signature with the stored public key. If it checks out, the user is authenticated. At no point has the private key, or anything from which it could be recovered, left the client.
[Image: diagram of the authentication exchange. Image courtesy of the author]

In the end, the private key plays the role a password plays, as the secret that proves who you are, but it is a far better one: it is never sent to the server, which only ever sees a signature it can check, so there is nothing for an eavesdropper or a rogue server to capture (more on that later).
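The exchange above, modelled in Python as an added example (this is not code from the original article or from OpenSSH). It uses a toy, padding-free RSA built from the standard library, so the key size is far below a real key and the signed message is only a sketch of the RFC 4252 layout; what it shows is the protocol shape: the server stores nothing but the public key, the client proves possession of the private key with a signature, a key the server never saw or a forged signature fails, and a signature captured on one session cannot be replayed on another because the session identifier is part of what is signed. The `Server`, `client_login` and `demo` names and the `alice` account are constructed for the example.

```python
"""Toy model of the SSH "publickey" authentication method (RFC 4252, section 7).
Added example: not code from the original article or from OpenSSH. Textbook RSA
without padding at a toy key size, standard library only; it shows the shape of
the exchange, not production cryptography."""
import hashlib
import secrets


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin test; only ever called on large odd candidates here."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # exact size, odd
        if _is_probable_prime(c):
            return c


def generate_keypair(bits=1024):
    """Return ((n, e), (n, d)). Real SSH keys are RSA >= 3072 bits or Ed25519."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p != q and ((p - 1) * (q - 1)) % e:
            return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))


def _digest(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(private_key, message):
    n, d = private_key
    return pow(_digest(message), d, n)


def verify(public_key, message, signature):
    n, e = public_key
    return pow(signature, e, n) == _digest(message)


def signed_data(session_id, user, public_key):
    """What the client signs, after RFC 4252: session id from key exchange,
    message type, user, service, method and the public key. The session id
    makes a captured signature useless on any other connection."""
    n, e = public_key
    return b"".join([session_id, b"\x32", user.encode(), b"ssh-connection",
                     b"publickey", b"\x01", b"ssh-rsa",
                     n.to_bytes((n.bit_length() + 7) // 8, "big"),
                     e.to_bytes(4, "big")])


class Server:
    """Holds authorized_keys (user -> public keys). Never sees a private key."""

    def __init__(self, authorized_keys):
        self.authorized_keys = authorized_keys

    def new_session(self):
        return secrets.token_bytes(32)      # stand-in for the key-exchange session id

    def authenticate(self, session_id, user, public_key, signature):
        # Step 1: is the offered key listed for this user at all? sshd answers
        # this before it looks at any signature (SSH_MSG_USERAUTH_PK_OK).
        if public_key not in self.authorized_keys.get(user, []):
            return False
        # Step 2: does the signature verify under the stored public key?
        return verify(public_key, signed_data(session_id, user, public_key), signature)


def client_login(server, session_id, user, public_key, private_key):
    """The client sends a signature; the private key stays on the client."""
    sig = sign(private_key, signed_data(session_id, user, public_key))
    return server.authenticate(session_id, user, public_key, sig)


def demo():
    """Right key, a key the server never saw, a forged signature, and a replay."""
    pub, priv = generate_keypair()
    other_pub, other_priv = generate_keypair()
    server = Server({"alice": [pub]})       # constructed authorized_keys
    sid = server.new_session()
    captured = sign(priv, signed_data(sid, "alice", pub))   # sniffed from session sid
    return {
        "ok": client_login(server, sid, "alice", pub, priv),
        "unlisted_key": client_login(server, sid, "alice", other_pub, other_priv),
        "forged": client_login(server, sid, "alice", pub, other_priv),
        "replayed": server.authenticate(server.new_session(), "alice", pub, captured),
    }


if __name__ == "__main__":
    print(demo())   # {'ok': True, 'unlisted_key': False, 'forged': False, 'replayed': False}
```

The replay case is the one worth dwelling on: the attacker holds a perfectly valid signature from alice, but because the session identifier of the new connection differs, the bytes that would have to be signed differ too, and the old signature does not verify.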

How to Set Up Passwordless SSH

First, you have to create a public/private key pair. Before you do, make sure you are not about to overwrite an existing one:

$ ls ~/.ssh

If the output lists id_rsa.pub (or id_ed25519.pub, the default key type since OpenSSH 9.5), you already have a key pair; skip to the next step. If nothing is listed, or you see an error because the directory does not exist yet, generate a key pair by running:

$ ssh-keygen

Depending on your distro, this tool may or may not be installed by default. If not, install it with your package manager of choice (it is part of the OpenSSH client package). ssh-keygen will ask you a number of things:

  • The filename to save the key to: leave it at the default.

  • Passphrase: this encrypts the private key file with a password, so a stolen file is useless on its own. It gives you the highest security, at the cost of convenience and automation, because the passphrase has to be supplied every time the key is used (ssh-agent can cache it for an interactive session, but an unattended script cannot type it). Leave it empty for no passphrase, or enter one.

Once done, your public key is saved in ~/.ssh/id_rsa.pub (~/.ssh/id_ed25519.pub for an Ed25519 key), with the private key next to it under the same name without the .pub suffix. Only the .pub file is ever copied anywhere. You can proceed to the next step.

Copy Public Key to SSH Server

There are a number of ways to do this. The easiest is the ssh-copy-id tool, which ships with the OpenSSH client on most distros. If it is not installed, install it with your package manager of choice or skip to the second method. Once available, use it like this:

$ ssh-copy-id -i ~/.ssh/id_rsa.pub user@server

Replace user and server with your username and the host name. You will be prompted for your password on the server, just as for a regular SSH connection. The tool then appends your public key to ~/.ssh/authorized_keys on the server, creating the directory and file with the permissions sshd requires, and passwordless authentication works from then on. Verify it by opening a new connection with ssh user@server: you should get a shell with no password prompt.

If ssh-copy-id is not available on your system, there is another way using only built-in commands. First, ensure that the .ssh directory exists in your home directory on the server:

$ ssh user@server mkdir -p .ssh

This executes mkdir -p .ssh on the remote server. The -p argument means create the directory if it does not exist and do nothing if it does, which is precisely what we want. With the directory in place, you can upload your key like this:

$ cat ~/.ssh/id_rsa.pub | ssh user@server 'cat >> .ssh/authorized_keys'

This command takes the contents of ~/.ssh/id_rsa.pub and pipes them to cat >> .ssh/authorized_keys, executed on the server, which appends the key as a new line to .ssh/authorized_keys, creating the file if it does not exist. Two caveats that ssh-copy-id handles for you: sshd (with StrictModes, on by default) ignores an authorized_keys file if your home directory, .ssh, or the file itself is writable by anyone other than you, so make .ssh mode 700 and authorized_keys mode 600; and running the command twice appends the same key twice, which is harmless but untidy. That is it; you can start using the passwordless SSH login now.
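As an added example (not code from the original article or from ssh-copy-id), here is the same installation step in Python, the way a provisioning script might do it on the server: it validates the key line before touching anything, refuses to append a key that is already present, sets the 0700/0600 modes sshd insists on, and can prefix the entry with options such as `restrict` for automation keys. The function names, the `sample_key` lines (fixed bytes, not real keys) and the temporary directory are assumptions of the example; on a real host you would pass `Path.home() / ".ssh"`.

```python
"""Install a public key into authorized_keys the way ssh-copy-id does, but
idempotently and with the key checked first. Added example: not code from the
original article or from OpenSSH. Paths are parameters so it runs against a
temporary directory; on a real server pass Path.home() / ".ssh"."""
import base64
import os
import re
import tempfile
from pathlib import Path

_KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
              "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
_KEY_RE = re.compile(r"^(?P<type>\S+) (?P<blob>[A-Za-z0-9+/]+={0,2})(?: (?P<comment>.*))?$")


def parse_pubkey(line):
    """Return (type, blob, comment) for one OpenSSH public key line, or raise
    ValueError. The base64 blob starts with the key type as an SSH string
    (uint32 length + name), so a truncated or mangled paste is caught here
    instead of silently never matching on the server."""
    m = _KEY_RE.match(line.strip())
    if not m or m["type"] not in _KEY_TYPES:
        raise ValueError(f"not an OpenSSH public key line: {line!r}")
    raw = base64.b64decode(m["blob"], validate=True)      # raises ValueError if mangled
    tlen = int.from_bytes(raw[:4], "big")
    if raw[4:4 + tlen] != m["type"].encode():
        raise ValueError("key blob does not match the declared key type")
    return m["type"], m["blob"], m["comment"] or ""


def keys_in(authorized_keys):
    """(type, blob) pairs already present, ignoring comments, blank lines and
    any leading options such as from="..." or restrict."""
    if not authorized_keys.exists():
        return []
    found = []
    for line in authorized_keys.read_text().splitlines():
        toks = line.split()
        if not toks or toks[0].startswith("#"):
            continue
        for i, tok in enumerate(toks[:-1]):
            if tok in _KEY_TYPES:
                found.append((tok, toks[i + 1]))
                break
    return found


def install_key(pubkey_line, ssh_dir, options=""):
    """Append the key unless it is already there (same type and blob; the
    comment does not matter). Returns True if a line was added. Also sets the
    modes sshd's StrictModes requires: .ssh 0700, authorized_keys 0600.
    `options` is an optional prefix, e.g. 'restrict,from="10.0.0.0/8"' for an
    automation key that must not get a shell, a TTY or port forwarding."""
    ktype, blob, comment = parse_pubkey(pubkey_line)
    ssh_dir.mkdir(mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    target = ssh_dir / "authorized_keys"
    added = (ktype, blob) not in keys_in(target)
    if added:
        with target.open("a") as fh:
            fh.write(" ".join(t for t in (options, ktype, blob, comment) if t) + "\n")
    os.chmod(target, 0o600)
    return added


def sample_key(seed, comment):
    """Constructed Ed25519-shaped key line (fixed bytes, not a real key)."""
    raw = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(seed, seed + 32))
    return f"ssh-ed25519 {base64.b64encode(raw).decode()} {comment}"


def demo():
    """Install the same key three times, then a restricted second key."""
    with tempfile.TemporaryDirectory() as tmp:
        ssh_dir = Path(tmp) / ".ssh"
        results = [
            install_key(sample_key(0, "user@client"), ssh_dir),     # True
            install_key(sample_key(0, "user@client"), ssh_dir),     # False: duplicate
            install_key(sample_key(0, "user@laptop"), ssh_dir),     # False: same key, new comment
            install_key(sample_key(32, "deploy"), ssh_dir,
                        options='restrict,command="/usr/local/bin/deploy"'),   # True
        ]
        target = ssh_dir / "authorized_keys"
        lines = target.read_text().splitlines()
        modes = (oct(ssh_dir.stat().st_mode & 0o777), oct(target.stat().st_mode & 0o777))
        return results, len(lines), modes, lines[1].split()[0]


if __name__ == "__main__":
    print(demo())
```

The `restrict` option on the second key is the habit worth picking up for the automation case the article motivates: a deployment key that can only run one command, from one network, cannot be turned into an interactive shell if the script host is compromised.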

Disable Password Login

Even though you have enabled passwordless login, you are not secure yet: the server still accepts passwords, so an attacker can still try to guess yours. To be truly secure, you need to disable password login altogether.

Proceed with caution. If you disable passwords and then lose your private key, you will not be able to log in. Keep a backup of the private key somewhere safe and offline (printing it out is one option), and, better still, register a second key pair in authorized_keys and make sure you have some out-of-band access such as a console at your hosting provider. Keep your current SSH session open while you change the configuration, and confirm that a fresh login works from a second terminal before you close it.

To do this, open /etc/ssh/sshd_config in an editor and make these changes:

ChallengeResponseAuthentication no

This disables challenge-response (keyboard-interactive) authentication, the other path through which a password prompt can reach the user. On OpenSSH 8.7 and later this directive is called KbdInteractiveAuthentication; the old name is still accepted as an alias, so either spelling works.

PasswordAuthentication no

This disables password authentication.

UsePAM no

This disables PAM (Pluggable Authentication Modules). It is optional, and on most distributions you should not do it: with the two settings above in place, PAM can no longer prompt for a password anyway, while turning it off also skips PAM's account and session handling (account expiry, resource limits, session logging), and distribution packages assume UsePAM yes. Leave it at yes unless you know exactly why you want it off.

PermitRootLogin no

This disables logging in as root. Make sure your own user can run sudo (membership of the sudo or wheel group, depending on the distro) before you set this, or you lock yourself out of administration.

PubkeyAuthentication is yes by default and must stay that way, or nobody can log in at all. Also note that sshd uses the first value it reads for a keyword, and that Debian and Ubuntu ship an Include of /etc/ssh/sshd_config.d/*.conf at the top of the main file, so a drop-in there (cloud images often install one that says PasswordAuthentication yes) silently overrides anything you write further down. Put your settings in a drop-in that sorts first, or remove the conflicting one.

Once you are done, validate the file (sshd -t reports syntax errors and prints nothing when the file is fine) and reload the configuration by running:

$ systemctl reload ssh

If that does not work, replace ssh with sshd (the service name on CentOS/RHEL/Fedora). Then, from a second terminal, confirm that key login still works and that a connection with public-key authentication disabled on the client is refused with "Permission denied (publickey)". That's it: your server now accepts only key-based logins, and password guessing against it is no longer possible.
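Before reloading, it is worth checking which values sshd will actually use. The following added example (not code from the original article or from OpenSSH) parses sshd_config the way sshd reads it for the settings above, first value wins and Include files are read at the point where the Include line appears, and reports the effective value and the file it came from. The file contents, the cloud-init drop-in name and the `00-hardening.conf` fix are constructed for the example; treating a Match line as the end of the global section of its file, and assuming absolute paths in Include, are simplifications.

```python
"""Report the settings sshd will actually use for the hardening above.
Added example: not code from the original article or from OpenSSH. Two sshd
rules are modelled: the first value read for a keyword wins, and an Include is
expanded where it appears (Debian/Ubuntu put `Include /etc/ssh/sshd_config.d/*.conf`
at the top of the main file). Files are passed in as a dict so it runs offline."""
import fnmatch
import re

# Old directive name -> the name OpenSSH 8.7+ uses (both are accepted by sshd).
_ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Values the article's hardening calls for. UsePAM is left alone on purpose:
# once passwords and keyboard-interactive are off, PAM cannot prompt for one.
WANTED = {
    "passwordauthentication": "no",
    "kbdinteractiveauthentication": "no",
    "permitrootlogin": "no",
    "pubkeyauthentication": "yes",
}
# What sshd assumes when the keyword is absent.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
}
_LINE = re.compile(r"(\S+)[\s=]+(.*)")


def effective_settings(files, main="/etc/ssh/sshd_config"):
    """{keyword: (value, file it came from)} for the global section."""
    settings = {}

    def read(path):
        for raw in files[path].splitlines():
            line = raw.strip()
            m = _LINE.match(line)
            if not line or line.startswith("#") or not m:
                continue
            key, value = m.group(1).lower(), m.group(2).strip()
            key = _ALIASES.get(key, key)
            if key == "match":
                return          # simplification: Match ends this file's global section
            if key == "include":
                for pattern in value.split():     # absolute paths assumed
                    for inc in sorted(p for p in files if fnmatch.fnmatch(p, pattern)):
                        if inc != path:
                            read(inc)
                continue
            settings.setdefault(key, (value, path))   # first value wins

    read(main)
    return settings


def audit(files, main="/etc/ssh/sshd_config"):
    """[(keyword, effective value, source, meets target?)] for WANTED."""
    eff = effective_settings(files, main)
    report = []
    for key, wanted in WANTED.items():
        value, source = eff.get(key, (DEFAULTS[key], "<default>"))
        report.append((key, value, source, value.lower() == wanted))
    return report


def demo():
    """Constructed Ubuntu-style layout: the article's settings are in the main
    file, but a cloud-init drop-in read through the Include at the top says yes."""
    files = {
        "/etc/ssh/sshd_config": "\n".join([
            "Include /etc/ssh/sshd_config.d/*.conf",
            "ChallengeResponseAuthentication no",
            "PasswordAuthentication no",
            "UsePAM yes",
            "PermitRootLogin no",
            "Match User backup",
            "    PasswordAuthentication yes",     # conditional, not part of the global section
        ]),
        "/etc/ssh/sshd_config.d/50-cloud-init.conf": "PasswordAuthentication yes\n",
    }
    before = audit(files)
    # The fix: a drop-in that sorts before 50-cloud-init.conf, so sshd reads it
    # first. Editing the main file below the Include line changes nothing.
    files["/etc/ssh/sshd_config.d/00-hardening.conf"] = "PasswordAuthentication no\n"
    after = audit(files)
    return before, after


if __name__ == "__main__":
    for label, rows in zip(("before", "after"), demo()):
        print(label)
        for key, value, source, ok in rows:
            print(f"  {'OK ' if ok else 'BAD'} {key} = {value}  ({source})")
```

On a real host, `sshd -T` prints the same effective values straight from the running binary and is the authoritative check; the script above is useful when you want the answer before the files reach the server, for instance in a configuration-management pipeline.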

Closing Notes

Thank you for reading, I hope you liked this article.

Translated from: https://medium.com/better-programming/how-passwordless-ssh-login-works-711cb9af235
