Introduction
SSH (Secure Shell) is a secure management protocol built on top of the application and transport layers. It is currently one of the more reliable transport protocols and is designed to provide security for remote login sessions and other network services; using SSH effectively prevents information leakage during remote administration.
SSH is available on most UNIX and UNIX-like operating systems and provides character-mode remote login management. It uses port 22 by default and transmits data across the network in encrypted form, so it is considerably more secure than Telnet, which transmits in plaintext.
For password-based authentication, see the following document:
OpenSSH Service (SSH Service) - Password-based authentication
Key-pair based authentication: # takes priority over account/password authentication
How it works:
1. First, a key pair is created on the Client, and the public key is placed on the Server that needs to be accessed.
2. When the Client wants to connect to the Server, it sends a login request to the Server asking to be authenticated using the public key of the key pair.
3. After receiving the request, the Server looks up the public key file in that user's home directory and compares the public key sent by the Client with the one stored there.
4. If the two public keys match, the Server encrypts a "challenge" with the public key and sends it to the Client. The Client decrypts it with its local private key and sends the result back to the Server; once the Server verifies it, the login is allowed.
Configuration:
1. Log in to the server and generate a key pair with the ssh-keygen command, pressing Enter at every prompt to accept the defaults. This creates the public key file (id_rsa.pub) and private key file (id_rsa) under the login user's home directory (/UserHome/.ssh). The public key is used on the server side and the private key on the client side; download the private key to your local machine (third-party client software needs it when logging in).
[root@localhost ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:nvp8CzSb43wQnBa14gL42Q6FBp2XurM028XWo8i/Tec root@localhost.localdomain
The key's randomart image is:
+---[RSA 2048]----+
| .. . . .. |
| oo.o . . |
| . +o...o. |
| o.= .=. |
| +.ooSo |
| =o +==o |
| . B.+Bo... |
| o +=.=oo |
| .oB+o.E |
+----[SHA256]-----+
[root@localhost ~]# ll .ssh/
total 8
-rw------- 1 root root 1679 Mar 8 00:30 id_rsa
-rw-r--r-- 1 root root 408 Mar 8 00:30 id_rsa.pub
2. Upload the public key file to the server: ssh-copy-id UserName@Server-IP # automatically creates the key authentication file (authorized_keys) and writes the public key into it
[root@localhost ~]# ssh-copy-id root@192.168.80.247
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.80.247 (192.168.80.247)' can't be established.
ECDSA key fingerprint is SHA256:2Eo2WLWyofiltEAs4nLUFLOcXLFD6YvsuPSDlEDUZGk.
ECDSA key fingerprint is MD5:3c:b0:5f:a8:af:6a:15:45:eb:a9:2a:b0:20:21:65:04.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.80.247's password:

Number of key(s) added: 1

Now try logging into the machine, with: "ssh 'root@192.168.80.247'"
and check to make sure that only the key(s) you wanted were added.
3. Edit the SSH server configuration file (/etc/ssh/sshd_config) and make sure the following parameters are enabled correctly:
RSAAuthentication yes    Enable RSA authentication
PubkeyAuthentication yes    Whether to use public key authentication
Note:
1. CentOS 7 series systems already have these settings enabled by default, so this step can be skipped
2. If you modified the configuration file, restart the service for the change to take effect: systemctl restart sshd.service
4. Verify the login: at this point you can log in directly without password authentication
[root@localhost ~]# ssh root@192.168.80.247
Last login: Sun Mar 7 23:29:42 2021 from 192.168.80.105
[root@ceph3 ~]#
The following conditions must be met for the SSH public key to take effect:
1) The .ssh directory must have permissions 700
2) The .ssh/authorized_keys file must have permissions 600
[root@ceph3 ~]# ll -d .ssh/
drwx------ 2 root root 29 Feb 26 02:41 .ssh/
[root@ceph3 ~]# ll .ssh/authorized_keys
-rw------- 1 root root 1003 Mar 8 00:36 .ssh/authorized_keys
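As an added example (not part of the original post), a small POSIX shell script that checks the two permission requirements above together with the PubkeyAuthentication setting in sshd_config. The directory and config-file arguments are assumptions, and the demo builds a scratch .ssh tree so it runs without touching a real account; RSAAuthentication only applied to SSH protocol 1 and no longer exists in current OpenSSH, so only PubkeyAuthentication is read.

```shell
#!/bin/sh
# Added example (not from the original post): verify the preconditions the
# post lists for key-based login before debugging a failed public-key login.

# Octal permission bits of a path (GNU stat, with a BSD/macOS fallback).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_ssh_perms DIR: return 0 when DIR is mode 700 and DIR/authorized_keys
# (if present) is mode 600; otherwise print what is wrong and return 1.
check_ssh_perms() {
    dir="${1:-$HOME/.ssh}"   # assumed argument; defaults to the caller's ~/.ssh
    rc=0
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    mode=$(perm_of "$dir")
    if [ "$mode" != "700" ]; then
        echo "$dir is mode $mode, want 700"; rc=1
    fi
    if [ -f "$dir/authorized_keys" ]; then
        mode=$(perm_of "$dir/authorized_keys")
        if [ "$mode" != "600" ]; then
            echo "$dir/authorized_keys is mode $mode, want 600"; rc=1
        fi
    fi
    return "$rc"
}

# pubkey_enabled CONFIG: return 0 when PubkeyAuthentication is "yes" or unset
# (unset means the OpenSSH default, which is yes). Like sshd, the first
# occurrence wins; commented-out lines are ignored.
pubkey_enabled() {
    val=$(grep -iE '^[[:space:]]*PubkeyAuthentication[[:space:]]' "$1" \
          | head -n 1 | awk '{print tolower($2)}')
    [ -z "$val" ] || [ "$val" = "yes" ]
}

# Constructed demo: a scratch .ssh tree with the wrong modes, then the fix.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/.ssh"; : > "$tmp/.ssh/authorized_keys"
    chmod 755 "$tmp/.ssh"; chmod 644 "$tmp/.ssh/authorized_keys"
    check_ssh_perms "$tmp/.ssh" || echo "-> applying chmod 700 / chmod 600"
    chmod 700 "$tmp/.ssh"; chmod 600 "$tmp/.ssh/authorized_keys"
    check_ssh_perms "$tmp/.ssh" && echo "ok: $tmp/.ssh passes"
    rm -rf "$tmp"
}
case "${1:-}" in demo) demo ;; esac   # run with: sh check_ssh.sh demo
```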