Say Yes to Password-Free SSH Access!


Introduction:

SSH (Secure Shell) is an application-layer network protocol used to establish a secure connection between two systems. Using a password to establish that connection defeats much of the purpose of a secure connection. Passwords are tricky and seldom used properly: they are reused across multiple accounts, they are too easy to guess, or they are so complicated that you end up forgetting them. If a password is the only thing securing your data transfer, it isn't really protected. This article is about a better way to establish a secure connection.


Config files:

On a Linux system, OpenSSH is the most common tool for remote logins over the SSH protocol. Like any other package, the OpenSSH config files live in the /etc directory. By default the OpenSSH server listens on port 22; you can choose any other open port for SSH, and this is set in the config files below.


There are two files of interest in the /etc/ssh directory:

  • sshd_config: This config is specific to the OpenSSH server. It controls how remote clients can log in to the machine.
  • ssh_config: This is the OpenSSH client-specific configuration file. It controls how users on this machine connect to a remote server as a client.

Generating SSH Keys:

The alternative, more secure option for establishing an SSH connection is a special key pair, which has two parts: the private key and the public key.

The private key stays on the client machine (the machine where the key is generated) and the public key has to be copied to a special location on the server. With keys now available at both ends, OpenSSH uses them instead of the password.

To make the connection even more secure, you can add a passphrase, which is required to access the private key. This is two-step authentication:

  • step 1: Enter the passphrase to unlock the private key on the client host.
  • step 2: Regular key verification on the server side, checking that the client key is in the list of authorized_keys.

Client-side:


To generate a public-private key pair, the ssh-keygen command is the go-to option. It supports key creation for SSH protocol version 2.

Two options are worth noting:

  • The key type
  • The key size

Key type:


Four key types are supported by the ssh-keygen command. The -t option passes the key type to ssh-keygen:

  • DSA — An old Digital Signature Algorithm. A key size of 1024 would normally be used with it. DSA is no longer recommended.

  • ECDSA — An algorithm based on elliptic curves, standardized by the US Government. It supports only a specific set of key sizes. Although it's relatively new, it is supported by most SSH clients.

  • ED25519 — The most recent addition to OpenSSH. Support for this algorithm is not universal yet, so it is not recommended for general-purpose applications.

  • RSA — One of the oldest and most widely used public-key cryptosystems. With the advances being made in integer factoring, RSA could become breakable soon, since its security rests on the factoring problem. Increasing the key size is recommended.

Key size:


Each key type has a specific default key size, although this option is ignored for the ED25519 key type.

  • ECDSA — the key size can only be one of 256, 384 or 521
  • ED25519 — the key length is fixed
  • RSA — the minimum and default key size is 1024; 4096 is recommended
  • DSA — the key size must be exactly 1024 bits, as specified by FIPS 186–2

Below is an example of the key-generation process. When ssh-keygen is run, it first asks for the location in which the key is to be saved. The second prompt asks for a passphrase and then for the passphrase again for confirmation; it is good practice to set a passphrase for the key. You can keep pressing Enter to accept the defaults for all the options (the default is no passphrase).

$ ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/home/test_user/.ssh/id_rsa): /home/test_user/.ssh/id_test
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/test_user/.ssh/id_test.
Your public key has been saved in /home/test_user/.ssh/id_test.pub.
The key fingerprint is:
SHA256:X7sJY+eXGEQ1x48pQVbb+3rAJucww16yViyb8Z1nkwg test_user@test_vm
The key's randomart image is:
+---[RSA 4096]----+
| .oo+..|
| .o =.|
| . ..oo|
| o o o|
| S o.+ . |
| . E@.O .|
| =.+^.++|
| . =B+===|
| .+..oo|
+----[SHA256]-----+

Now the public and private keys are in the desired location on the client machine. The public key has to be placed on the server to enable SSH access with the generated key pair. Note that, for security reasons, it is recommended to generate the private key on the client machine itself and never transfer the private key from one host to another.

Server-side:


The public key that is generated on the client side has to be placed on the server. The following steps are involved in this process:

  • creating a directory .ssh in the user's home directory
  • creating a file called authorized_keys with file permissions of 600
  • copying the key into the file
$ ssh test_user@test-server.com
# on the server
$ mkdir -p /home/test_user/.ssh
# creating the authorized_keys file with read and write permission only for the owner
$ touch /home/test_user/.ssh/authorized_keys
$ chmod 600 /home/test_user/.ssh/authorized_keys
# copy and paste the public key from the client into the authorized_keys file on the server.

To have a one-liner and avoid copy-pasting, this command comes in handy (the public key generated above was saved as id_test.pub; the remote command runs on the server and appends the key):

cat .ssh/id_test.pub | ssh test_user@test-server.com "cat >> .ssh/authorized_keys"
test_user@test-server.com's password:

There is one more easy and official option for copying the public key to the server of interest. The command below copies the public key to the desired location on the server.

ssh-copy-id -i /home/test_user/.ssh/id_test.pub test_user@test-server.com
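The following is an added example, not code from the original article: a small POSIX shell script that performs the server-side steps above (create .ssh, create authorized_keys with mode 600, append the key) in a way that is safe to run repeatedly, which is roughly what ssh-copy-id does for you. The home directory is passed in as a parameter and the sample key body is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the original article): install a public key into a
# user's authorized_keys the way the server-side steps describe, but idempotently
# and with the permissions sshd expects (.ssh 700, authorized_keys 600). This is
# roughly what ssh-copy-id does for you. HOME_DIR is passed in so it can run
# against a scratch directory; a real deployment would pass the user's $HOME.

# Accept only key types ssh-keygen produces; anything else (for instance a
# private key pasted by mistake, which starts with "-----BEGIN") is rejected.
valid_pubkey() {
    case "$1" in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-nistp256 "*|\
        "ecdsa-sha2-nistp384 "*|"ecdsa-sha2-nistp521 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# install_authorized_key HOME_DIR PUBKEY_LINE
install_authorized_key() {
    home="$1"; key="$2"
    valid_pubkey "$key" || return 1
    # A .pub line is "<type> <base64> [comment]"; compare only the first two
    # fields so a changed comment does not produce a duplicate entry.
    keyid=$(printf '%s\n' "$key" | awk '{print $1 " " $2}')
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    ak="$home/.ssh/authorized_keys"
    [ -f "$ak" ] || : > "$ak"
    chmod 600 "$ak"   # with default StrictModes, sshd ignores a group/world-writable file
    # grep -F: the base64 body contains '+' and '/', which must not act as regex
    if grep -qF -- "$keyid" "$ak"; then
        return 0      # already present, nothing to do
    fi
    printf '%s\n' "$key" >> "$ak"
}

# Mode string of a file, portable across ls implementations ("-rw-------").
mode_of() { ls -ld "$1" | cut -c1-10; }

# Constructed sample key: the base64 body is a placeholder, not a real key.
SAMPLE_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYBODY test_user@test_vm"
```

Run it on the server as the target user, for example `install_authorized_key "$HOME" "$(cat id_test.pub)"`, after transferring only the .pub file.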

After adding the public key to authorized_keys, you can log in to the server without a password:

ssh test_user@test-server.com
# Welcome screen on the server

If you have multiple keys on the client, you can choose a specific key with the -i option:

ssh -i /home/test_user/.ssh/id_test test-server.com

Passing custom SSH options during file transfer:

SCP and Rsync are the most commonly used tools for transferring files between systems. The underlying protocol they use to set up a secure connection is SSH. You can pass custom SSH options to SCP and Rsync with the following parameters:

  • Specifying a different port and the path to the key

# copying a file from the server to the client
scp -i /home/test_user/test_key -P 2001 test_user@test-server.com:/home/test_user/backup.tar .
# syncing a directory from the server to the client; rsync passes SSH options through -e
rsync -avz -e "ssh -i $HOME/.ssh/id_test -p 2001" test_user@test-server.com:/from/dir/ /to/dir/

All of these can be added to the ~/.ssh/config file as well; I will cover the details in future posts, along with an introduction to ssh-agent.

Final Words:

That’s my take on using a public-private key pair to establish a secure connection with SSH and moving towards a password-free SSH connection. I hope you enjoyed this article as much as I enjoyed writing it.


If you are interested in knowing more about SSH port forwarding, feel free to have a look at an article I published recently.


Translated from: https://medium.com/100-days-of-linux/say-yes-to-password-free-ssh-access-c7a7fa315cd7
