SSH Key-Based Authentication


Test environment: CentOS 9 Stream (virtual machine)

For an SSH server you connect to frequently, you can set up public/private key authentication so that logging in no longer requires a password.

  • SSH Client IP: 192.168.31.133
  • SSH Server IP: 192.168.31.177

For more on the encryption used by SSH (Secure SHell), see: https://benjr.tw/301

SSH Client (root)

Generate a key pair (public / private key) with ssh-keygen:

[root@localhost ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:7gd7fiGVRC+qb3Uq8RpoUPWmVc6nVA4sgyjgdNW4xMs root@localhost.localdomain
The key's randomart image is:
+---[RSA 3072]----+
|    o..o.+.o..o .|
|   o .. =.o.+=.+ |
|    .  +.o .=+= o|
|       .E  =oo o |
|      . S o.  .  |
|       o.oo o .  |
|        =o.= +   |
|       o..=.+    |
|        .=++     |
+----[SHA256]-----+

By default the keys are stored in the user's .ssh directory (a name beginning with . is a hidden directory).

[root@localhost ~]# ll .ssh/
total 16
-rw-------. 1 root root 2610 Mar 11 16:07 id_rsa
-rw-r--r--. 1 root root  580 Mar 11 16:07 id_rsa.pub
-rw-------. 1 root root  840 Mar 11 17:50 known_hosts

All that remains is to use the ssh-copy-id command to append id_rsa.pub (the public key) to .ssh/authorized_keys on the SSH server 192.168.31.177.

[root@localhost ~]# ssh-copy-id ben@192.168.31.177
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.31.177 (192.168.31.177)' can't be established.
ED25519 key fingerprint is SHA256:PgFJeh+W+iNzarxpeUxtVg1ewnvb3GZTAt87Oxq260E.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
ben@192.168.31.177's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'ben@192.168.31.177'"
and check to make sure that only the key(s) you wanted were added.

Logging in to the SSH server now requires no password.

[root@localhost ~]# ssh ben@192.168.31.177
Activate the web console with: systemctl enable --now cockpit.socket

[ben@localhost ~]$ exit
logout
Connection to 192.168.31.133 closed.

SSH Client (regular user ben)

The key pair just created by root on the SSH client cannot be used by a regular user; a regular user simply creates their own key pair in the same way.

PS C:\Users\Ben> ssh ben@192.168.31.133
ben@192.168.31.133's password:
Activate the web console with: systemctl enable --now cockpit.socket

The key pair created by root cannot be used here (root can point ssh at a specific key with the -i option, giving the path and file name).

[ben@localhost ~]$ ssh ben@192.168.31.177
The authenticity of host '192.168.31.177 (192.168.31.177)' can't be established.
ED25519 key fingerprint is SHA256:PgFJeh+W+iNzarxpeUxtVg1ewnvb3GZTAt87Oxq260E.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.31.177' (ED25519) to the list of known hosts.
ben@192.168.31.177's password:
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Mon Mar 11 17:53:26 2024 from 192.168.31.133

[ben@localhost ~]$ exit
登出
Connection to 192.168.31.177 closed.

Same steps as for root.

[ben@localhost ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/ben/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/ben/.ssh/id_rsa
Your public key has been saved in /home/ben/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:0zCKwbmPS9nmn9nup9vxo6faiGws+pyEppp5BWuLkJ0 ben@localhost.localdomain
The key's randomart image is:
+---[RSA 3072]----+
|                 |
|   . .           |
|    +   o        |
|  .  + . +       |
| o +o . S .      |
|o E .*   .       |
|.o o* =.    .    |
|.oo+ *.oo= +.oo  |
|+o. oo=+*oO==+.. |
+----[SHA256]-----+
[ben@localhost ~]$ ssh-copy-id ben@192.168.31.177
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/ben/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
ben@192.168.31.177's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'ben@192.168.31.177'"
and check to make sure that only the key(s) you wanted were added.
[ben@localhost ~]$ ssh ben@192.168.31.177
Activate the web console with: systemctl enable --now cockpit.socket

Last login: Tue Mar 12 10:28:22 2024 from 192.168.31.133
[ben@localhost ~]$ exit
登出
Connection to 192.168.31.177 closed.
[ben@localhost ~]$

SSH Server

Let's look at the contents of the authorized_keys file in the .ssh directory.

[root@localhost ~]# cat /home/ben/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCttbkqV8fUQAWUFlDYi2qz2NSx0v0c3NaAVXzgv6SebM/H6gGZK96Wpmoen/SXFcCINJ0TwFJRRRZBCPWrKkRmDTitsnegygBe0aQFF+oc5Kvy1Kjjr6IAcHJFd0FmdUKO/KKgfke2l5m5NPfRkM2FqtzcSF58dKhj7Qgm2kVhIvx9M0s97B7GVEUKXuabBmX1ta44aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaLKQkdFyhnFVkPua0uGLq+HQnfItaj2HITH5SOWUKo0WNWWsl94ZukBK/tJyfNkCw4tA4d5HrxK60GbxySa8DTYhAiZCWXCndO5D0cl++eBk= root@localhost.localdomain
ssh-rsa ... ben@localhost.localdomain

There are two entries: root and ben.

Problems encountered

# tail -f /var/log/secure
Authentication refused: bad ownership or modes for file authorized_keys

Some systems require the home directory, the .ssh directory and the files inside it to have permissions matching the following rules:

# chmod go-w /home/user
# chmod 700 /home/user/.ssh
# chmod 600 /home/user/.ssh/authorized_keys
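As an added example (not part of the original post), a POSIX shell audit of the permission rules behind the "bad ownership or modes" error above, with the post's three chmod commands as the fix. It assumes GNU coreutils stat (Linux) and builds a constructed temporary home directory for the demo.

```shell
#!/bin/sh
# Added example: audit a home directory against the rules sshd's StrictModes
# enforces before it will read authorized_keys. Assumes GNU stat.
# The checks mirror the post's chmod commands (home not group/other writable,
# .ssh 0700, authorized_keys 0600, everything owned by the login user); sshd's
# own minimum is only "no group/other write bit" on each path, so this is
# slightly stricter than what sshd demands.

# mode_of PATH -> octal permission bits, e.g. 700
mode_of() { stat -c '%a' "$1"; }

# owner_of PATH -> owning user name
owner_of() { stat -c '%U' "$1"; }

# check_ssh_perms HOME USER -> one line per violation; returns 0 when clean.
check_ssh_perms() {
    home="$1"; user="$2"; bad=0
    sshdir="$home/.ssh"; keys="$sshdir/authorized_keys"
    for p in "$home" "$sshdir" "$keys"; do
        if [ ! -e "$p" ]; then echo "missing: $p"; bad=1; continue; fi
        if [ "$(owner_of "$p")" != "$user" ]; then
            echo "bad owner: $p (expected $user)"; bad=1
        fi
    done
    # Home: group or other write bit set (octal mask 022) is refused.
    if [ -d "$home" ] && [ $(( 0$(mode_of "$home") & 022 )) -ne 0 ]; then
        echo "home writable by group/others: $home"; bad=1
    fi
    # .ssh must be exactly 0700; authorized_keys must grant nothing to others.
    if [ -d "$sshdir" ] && [ "$(mode_of "$sshdir")" != "700" ]; then
        echo ".ssh not 0700: $sshdir"; bad=1
    fi
    if [ -f "$keys" ] && [ $(( 0$(mode_of "$keys") & 077 )) -ne 0 ]; then
        echo "authorized_keys accessible by group/others: $keys"; bad=1
    fi
    return $bad
}

# fix_ssh_perms HOME -> apply the three chmod commands from the post.
fix_ssh_perms() {
    chmod go-w "$1" && chmod 700 "$1/.ssh" && chmod 600 "$1/.ssh/authorized_keys"
}

# Constructed demo: a fake home with the typical mistakes, then the fix.
demo() {
    tmp=$(mktemp -d); mkdir -p "$tmp/home/.ssh"
    echo "ssh-rsa AAAA...constructed... ben@example" > "$tmp/home/.ssh/authorized_keys"
    chmod 775 "$tmp/home"; chmod 755 "$tmp/home/.ssh"; chmod 644 "$tmp/home/.ssh/authorized_keys"
    check_ssh_perms "$tmp/home" "$(id -un)" || echo "-- violations above; applying fix"
    fix_ssh_perms "$tmp/home" && check_ssh_perms "$tmp/home" "$(id -un)" && echo "clean after fix"
    rm -rf "$tmp"
}
demo
```

Run it as the user whose login fails; the "bad owner" line also catches the case where authorized_keys was written by root into another user's home.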