Customer requirements:
1. Password-based login must be disabled
2. The SSH port must be greater than 10000
3. No restriction on source region
Requirement analysis
Essentially this is an application of the security features of the SSH service itself; it can be met with SSH key authentication.
Procedure
step1: generate the public/private key pair
[root@wangkx ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:f9/1yMDd79XkSZc/C70BpDEM4LU7LcJ4VwlhHd8KFGo root@wangkx
The key's randomart image is:
+---[RSA 2048]----+
| ..*o+o |
| . o B.o . |
| . E B o . |
| o . + * . .|
| . +S= o o oo|
| . o.o. .++=|
| . +..=B|
| . +.oX|
| ++=|
+----[SHA256]-----+
step2: create the authorized_keys file
[root@wangkx ~]# cat ~/.ssh/id_rsa.pub > ~/.ssh/authorized_keys
step3: deliver the private key to the customer (note that this key pair was generated on the server and the private key passes through your own machine; if the customer can generate the pair themselves and send you only the public key, the private key never leaves their side)
[root@wangkx ~]# sz ~/.ssh/id_rsa #download it locally, then hand it to the customer
rz
Starting zmodem transfer. Press Ctrl+C to cancel.
Transferring id_rsa...
100% 1 KB 1 KB/sec 00:00:01 0 Errors
step4: change the sshd configuration (/etc/ssh/sshd_config)
Change PasswordAuthentication yes to PasswordAuthentication no
Change Port to 10086
systemctl restart sshd
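The following is an added example, not code from the original post, that scripts steps 2 and 4. It appends the public key instead of overwriting authorized_keys (the post's `>` would discard any keys already there), sets the permissions sshd requires, and edits the directives in place; the config path, port and the APPLY_SSHD_HARDENING switch are assumptions of this example. The real config is only touched when APPLY_SSHD_HARDENING=1 is set, so the functions can be exercised against scratch files first.

```shell
#!/bin/sh
# Added example (not from the original post): install a public key and harden
# sshd_config as steps 2 and 4 describe. Paths default to the real ones but can
# be overridden so the functions can be tried against scratch files.

# Append a public key to authorized_keys without clobbering keys already there,
# and apply the permissions sshd insists on: ~/.ssh 700, authorized_keys 600.
install_pubkey() {
    pubkey_file="$1"
    ssh_dir="${2:-$HOME/.ssh}"
    auth_keys="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_keys"
    # skip the append if the identical key line is already present
    if ! grep -qxF "$(cat "$pubkey_file")" "$auth_keys"; then
        cat "$pubkey_file" >> "$auth_keys"
    fi
    chmod 600 "$auth_keys"
}

# Set (or replace) one sshd_config directive. Commented-out defaults such as
# '#PasswordAuthentication yes' are replaced too, so the active value is unambiguous.
set_sshd_option() {
    key="$1"; value="$2"; cfg="${3:-/etc/ssh/sshd_config}"
    if grep -Eq "^[#[:space:]]*$key[[:space:]]" "$cfg"; then
        sed -i -E "s|^[#[:space:]]*$key[[:space:]].*|$key $value|" "$cfg"
    else
        printf '%s %s\n' "$key" "$value" >> "$cfg"
    fi
}

# Apply the customer's two requirements: no password logins, port above 10000
# (the post uses 10086). PubkeyAuthentication is set explicitly so key logins
# are guaranteed to keep working once passwords are off.
harden_sshd() {
    cfg="${1:-/etc/ssh/sshd_config}"
    port="${2:-10086}"
    set_sshd_option PasswordAuthentication no "$cfg"
    set_sshd_option PubkeyAuthentication yes "$cfg"
    set_sshd_option Port "$port" "$cfg"
}

# Report the effective value of a directive in a config file (for checking the result).
get_sshd_option() {
    awk -v k="$1" '$1 == k { v = $2 } END { print v }' "$2"
}

# Only when explicitly requested (assumed switch): validate the file with sshd -t
# before restarting, so a typo cannot lock you out of the session you are in.
if [ "${APPLY_SSHD_HARDENING:-0}" = "1" ]; then
    install_pubkey "$HOME/.ssh/id_rsa.pub"
    harden_sshd /etc/ssh/sshd_config 10086
    sshd -t && systemctl restart sshd
fi
```

Keep the current SSH session open until a second login on the new port succeeds. On CentOS/RHEL with SELinux enforcing, the non-default port must also be allowed with `semanage port -a -t ssh_port_t -p tcp 10086`, and with firewalld running it must be opened with `firewall-cmd --permanent --add-port=10086/tcp` followed by `firewall-cmd --reload`; otherwise the restart succeeds but nobody can connect.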
step5: test and verify
Command-line ssh login with a password: cannot log in
Locally with the private key: can log in
Server-side verification: copy the private key onto another server, with permissions 600
vim /mnt/my_secrest #paste the private key contents into the file
chmod 600 /mnt/my_secrest
Error handling
Error 1: this means the key file's permissions are too open and must be tightened
Fix: chmod 600 /mnt/my_secrest
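As an added example that is not part of the original post, the script below does the step 5 verification and the error 1 fix from the client side: it checks the private key's mode before ssh refuses it, and asks the server which authentication methods it still offers, so "password login fails" is confirmed by the server's own list rather than by a failed prompt. The host, user and port in check_server are placeholders, and the "Authentications that can continue" line is what OpenSSH's `ssh -v` prints when the client offers the "none" method.

```shell
#!/bin/sh
# Added example (not from the original post): client-side checks for step 5 and
# for the "permissions are too open" error. Host, user and key path used in
# check_server are placeholders, not values from the post.

# A private key readable by group or others is rejected by ssh.
# Returns 0 for mode 600 or 400, 1 for anything else or a missing file.
key_mode_ok() {
    mode=$(stat -c %a "$1" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Apply the fix the post gives for error 1, but only when it is actually needed.
fix_key_mode() {
    key_mode_ok "$1" && return 0
    chmod 600 "$1"
}

# Ask the server which authentication methods it still offers. With
# PreferredAuthentications=none the client sends only the "none" method and the
# server replies with its allowed list, which ssh -v prints as
# "debug1: Authentications that can continue: ...". BatchMode suppresses prompts,
# so the host key must already be in known_hosts.
offered_auth_methods() {
    ssh -v -p "$2" -o BatchMode=yes -o PreferredAuthentications=none "$1" 2>&1 \
        | sed -n 's/^debug1: Authentications that can continue: //p' | head -n 1
}

# Parse that comma-separated list: 0 if "password" is still among the methods.
password_still_offered() {
    case ",$1," in
        *,password,*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Full check against a live host; not executed here.
# usage: check_server root@SERVER_IP 10086 /mnt/my_secrest
check_server() {
    fix_key_mode "$3"
    methods=$(offered_auth_methods "$1" "$2")
    echo "server offers: $methods"
    if password_still_offered "$methods"; then
        echo "FAIL: the server still accepts password authentication"
        return 1
    fi
    ssh -i "$3" -p "$2" -o BatchMode=yes "$1" true && echo "key login: ok"
}
```

If the offered list still contains password after the restart, the directive most likely landed on a line that sshd never reads (a later duplicate, or inside a Match block), since sshd takes the first value it encounters for each directive.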