Test environment: CentOS 9 Stream (virtual machine)
For an SSH server that is connected to often, we can set up authentication based on a Public / Private Key pair so that logins no longer need a password.
- SSH Client IP: 192.168.31.133
- SSH Server IP: 192.168.31.177
For more on how SSH (Secure SHell) encrypts and decrypts traffic, see https://benjr.tw/301
SSH Client (root)
Create the key pair (Public / Private Key) with ssh-keygen
[root@localhost ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:7gd7fiGVRC+qb3Uq8RpoUPWmVc6nVA4sgyjgdNW4xMs root@localhost.localdomain
The key's randomart image is:
+---[RSA 3072]----+
| o..o.+.o..o .|
| o .. =.o.+=.+ |
| . +.o .=+= o|
| .E =oo o |
| . S o. . |
| o.oo o . |
| =o.= + |
| o..=.+ |
| .=++ |
+----[SHA256]-----+
By default the keys are stored in the user's .ssh directory (a name starting with . is a hidden directory).
[root@localhost ~]# ll .ssh/
total 16
-rw-------. 1 root root 2610 Mar 11 16:07 id_rsa
-rw-r--r--. 1 root root  580 Mar 11 16:07 id_rsa.pub
-rw-------. 1 root root  840 Mar 11 17:50 known_hosts
All that is needed is the ssh-copy-id command, which sends id_rsa.pub (the public key) to .ssh/authorized_keys on the SSH server 192.168.31.177.
[root@localhost ~]# ssh-copy-id ben@192.168.31.177
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.31.177 (192.168.31.177)' can't be established.
ED25519 key fingerprint is SHA256:PgFJeh+W+iNzarxpeUxtVg1ewnvb3GZTAt87Oxq260E.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
ben@192.168.31.177's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'ben@192.168.31.177'"
and check to make sure that only the key(s) you wanted were added.
Logging in to the SSH server now needs no password.
[root@localhost ~]# ssh ben@192.168.31.177
Activate the web console with: systemctl enable --now cockpit.socket

[ben@localhost ~]$ exit
logout
Connection to 192.168.31.133 closed.
SSH Client (regular user ben)
The key pair that root just created on the SSH client cannot be used by a regular user; a regular user creates a key pair in the same way.
PS C:\Users\Ben> ssh ben@192.168.31.133
ben@192.168.31.133's password:
Activate the web console with: systemctl enable --now cockpit.socket
The key pair created by root cannot be used here (root itself can point ssh at a specific key with the -i option, which takes the path and file name of the SSH key).
[ben@localhost ~]$ ssh ben@192.168.31.177
The authenticity of host '192.168.31.177 (192.168.31.177)' can't be established.
ED25519 key fingerprint is SHA256:PgFJeh+W+iNzarxpeUxtVg1ewnvb3GZTAt87Oxq260E.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.31.177' (ED25519) to the list of known hosts.
ben@192.168.31.177's password:
Activate the web console with: systemctl enable --now cockpit.socket

Last login: Mon Mar 11 17:53:26 2024 from 192.168.31.133
[ben@localhost ~]$ exit
登出
Connection to 192.168.31.177 closed.
The same steps as for root.
[ben@localhost ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/ben/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/ben/.ssh/id_rsa
Your public key has been saved in /home/ben/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:0zCKwbmPS9nmn9nup9vxo6faiGws+pyEppp5BWuLkJ0 ben@localhost.localdomain
The key's randomart image is:
+---[RSA 3072]----+
| |
| . . |
| + o |
| . + . + |
| o +o . S . |
|o E .* . |
|.o o* =. . |
|.oo+ *.oo= +.oo |
|+o. oo=+*oO==+.. |
+----[SHA256]-----+
[ben@localhost ~]$ ssh-copy-id ben@192.168.31.177
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/ben/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
ben@192.168.31.177's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'ben@192.168.31.177'"
and check to make sure that only the key(s) you wanted were added.
[ben@localhost ~]$ ssh ben@192.168.31.177
Activate the web console with: systemctl enable --now cockpit.socket

Last login: Tue Mar 12 10:28:22 2024 from 192.168.31.133
[ben@localhost ~]$ exit
登出
Connection to 192.168.31.177 closed.
[ben@localhost ~]$
SSH Server
Let's look at the contents of the authorized_keys file in the .ssh directory.
[root@localhost ~]# cat /home/ben/.ssh/authorized_keys
ssh-rsa ... root@localhost.localdomain
ssh-rsa ... ben@localhost.localdomain
There are two entries, one for root and one for ben.
Problems encountered
# tail -f /var/log/secure
Authentication refused: bad ownership or modes for file authorized_keys
Some systems require that the home directory, the .ssh directory and the files inside it have permissions that follow these rules:
# chmod go-w /home/user
# chmod 700 /home/user/.ssh
# chmod 600 /home/user/.ssh/authorized_keys
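As an added example (not code from the original post), the shell script below checks a user's home, .ssh and authorized_keys against the ownership and mode rules above, which is what sshd enforces before it refuses a key with "bad ownership or modes", and lists the key type and comment of every entry in authorized_keys so the "check to make sure that only the key(s) you wanted were added" step is quick. It assumes Linux with GNU coreutils (stat -c) and takes the home directory path as an argument; the key entry at the end is a constructed sample, not a real key.

```shell
# Added example: audit the permissions behind "bad ownership or modes" and
# list the keys in authorized_keys. Assumes Linux + GNU coreutils (stat -c).

# check_ssh_perms HOME_DIR: returns 0 when HOME_DIR (go-w), HOME_DIR/.ssh (700)
# and HOME_DIR/.ssh/authorized_keys (600) share one owner and follow the rules
# from the post; otherwise prints each violation and returns 1.
check_ssh_perms() {
    home_dir=$1
    ssh_dir=$home_dir/.ssh
    auth_keys=$ssh_dir/authorized_keys
    rc=0
    owner=$(stat -c %U "$home_dir")
    # home: chmod go-w, i.e. no 'w' in the group (char 6) or other (char 9) slot
    case "$(stat -c %A "$home_dir")" in
        ?????w*|????????w*) echo "$home_dir is group/other writable"; rc=1 ;;
    esac
    # .ssh must be 700 and owned by the same user as the home directory
    mode=$(stat -c %a "$ssh_dir")
    [ "$mode" = 700 ] || { echo "$ssh_dir mode is $mode, expected 700"; rc=1; }
    [ "$(stat -c %U "$ssh_dir")" = "$owner" ] || { echo "$ssh_dir not owned by $owner"; rc=1; }
    # authorized_keys must be 600 and owned by the same user
    mode=$(stat -c %a "$auth_keys")
    [ "$mode" = 600 ] || { echo "$auth_keys mode is $mode, expected 600"; rc=1; }
    [ "$(stat -c %U "$auth_keys")" = "$owner" ] || { echo "$auth_keys not owned by $owner"; rc=1; }
    return $rc
}

# list_authorized_keys FILE: prints "keytype comment" per key line, skipping
# blank and # lines and any leading option list (e.g. from="...") before the type.
list_authorized_keys() {
    awk '/^[[:space:]]*(#|$)/ { next }
         { for (i = 1; i <= NF; i++)
               if ($i ~ /^(ssh-|ecdsa-|sk-)/) {
                   out = $i                       # key type, e.g. ssh-rsa
                   for (j = i + 2; j <= NF; j++)  # skip the base64 blob
                       out = out " " $j
                   print out; break
               }
         }' "$1"
}

# Constructed demo: a correctly set-up home with one sample (fake) key entry
demo=$(mktemp -d); chmod 755 "$demo"; mkdir -m 700 "$demo/.ssh"
printf 'ssh-rsa AAAAEXAMPLEKEYDATA ben@localhost.localdomain\n' > "$demo/.ssh/authorized_keys"
chmod 600 "$demo/.ssh/authorized_keys"
check_ssh_perms "$demo" && list_authorized_keys "$demo/.ssh/authorized_keys"
```

Run check_ssh_perms against /home/ben on the server after a refusal shows up in /var/log/secure; each violation it prints maps to one of the three chmod commands above.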