★ SSH Key Authentication

4 years ago (2019-03-04) Rain-li ★ Protection, Attack protection · archived · 709 views


I. Environment requirements

Preparation
1. A Linux client (Desktop)
2. A Linux server (Server)
Approach
1. Generate a key pair on the Desktop client (one public key and one private key)
2. Copy the public key to /root/.ssh/authorized_keys on the server
3. Verify the result

I. Generate an SSH key pair on the Desktop client.

[root@desktop ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): // press Enter
Enter passphrase (empty for no passphrase): // press Enter
Enter same passphrase again: // press Enter
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
fd:ed:7f:50:f3:46:63:97:54:e1:2b:14:aa:ef:a5:01 root@desktop
The key's randomart image is:
+--[ RSA 2048]----+
| . .+|
| . o. |
| . ....|
| .. . ==|
| SE. ..+=|
| o. .o o|
| o...o |
| . +. .|
| o ..o|
+-----------------+
[root@desktop ~]#

II. From the Desktop client, upload the public key to the Server.

[root@desktop ~]# ssh-copy-id root@server
The authenticity of host 'server0 (172.25.0.11)' can't be established.
ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@server's password: // enter the root password of the server

Number of key(s) added: 1

Now try logging into the machine, with: "ssh 'root@server'"
and check to make sure that only the key(s) you wanted were added.

[root@desktop ~]#

Verification:
Log in to the Server from the Desktop over SSH without being asked for a password

[root@desktop ~]# ssh root@server
Last login: Thu Oct 5 14:49:34 2017 from 172.25.0.1
[root@server ~]#
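The ssh-copy-id step above appends the public key to /root/.ssh/authorized_keys on the server and, as its INFO lines say, skips keys that are already installed. The following shell function is an added example (not from the original post) that does the same thing on a local home directory: it installs a public-key line only if that key is not already present, and sets the permissions sshd expects (700 on ~/.ssh, 600 on authorized_keys; with the default StrictModes setting, sshd ignores the file if these are too open). The home directory and the key line it runs on are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example (not from the original post): the local-file equivalent of
# what ssh-copy-id does on the server side.

# install_pubkey <home_dir> <public_key_line>
# Prints "added" or "already-installed"; returns 0 on success.
install_pubkey() {
    home_dir="$1"
    pubkey="$2"
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # sshd (StrictModes yes) refuses keys from a world/group-writable
    # directory or file, so fix the permissions every time.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"

    # Compare only the key type and base64 blob (fields 1 and 2), so a
    # different trailing comment does not produce a duplicate entry.
    key_id=$(printf '%s\n' "$pubkey" | awk '{print $1" "$2}')
    if awk '{print $1" "$2}' "$auth_file" | grep -qxF "$key_id"; then
        echo "already-installed"
        return 0
    fi
    printf '%s\n' "$pubkey" >> "$auth_file"
    echo "added"
}

# count_keys <home_dir>: number of non-empty lines in authorized_keys
count_keys() {
    grep -c . "$1/.ssh/authorized_keys" || true
}

# Demonstration on a constructed home directory with a placeholder key
# (the base64 part below is not a real key).
demo_home=$(mktemp -d)
demo_key="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDplaceholderkeymaterialnotreal root@desktop"
install_pubkey "$demo_home" "$demo_key"                 # added
install_pubkey "$demo_home" "$demo_key"                 # already-installed
install_pubkey "$demo_home" "$demo_key other-comment"   # already-installed
count_keys "$demo_home"                                 # 1
ls -ld "$demo_home/.ssh" "$demo_home/.ssh/authorized_keys"
```

Running the function twice with the same key leaves exactly one line in authorized_keys, which is the behaviour the "filter out any that are already installed" message describes; on a real server you would run it as the target user with that user's home directory, and afterwards confirm with the same `ssh root@server` check the post uses.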

Extended points
I. Disallow remote root login

Edit /etc/ssh/sshd_config on the Server
1. Change PermitRootLogin yes to PermitRootLogin no
2. Restart the SSH service: systemctl restart sshd

II. Disable password authentication

Edit /etc/ssh/sshd_config on the Server
1. Change PasswordAuthentication yes to PasswordAuthentication no
2. Restart the SSH service: systemctl restart sshd

III. Change the default login port

Edit /etc/ssh/sshd_config on the Server
★ Restart the service after changing the configuration: systemctl restart sshd
Port 22
It is recommended to change this to a port number with more digits, for example 7755 or 8833
# login format
ssh root@xx.xx.xx.xx -p 8833

IV. Access control

Edit /etc/ssh/sshd_config on the Server
★ Restart the service after changing the configuration: systemctl restart sshd
1. # allow access only from a specified IP address (AllowUsers patterns take the form user@host)
AllowUsers root@xx.xx.xx.xx
2. # allow access only for a specified user
AllowUsers mysql@xx.xx.xx.xx
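The four extended points are all edits to the same file, and each of them is easy to get wrong by hand (a second `Port` line, a still-commented `#Port 22`, a stale `AllowUsers`). The following shell functions are an added example, not from the original post, that apply the four changes to an sshd_config file idempotently and read back the effective values. The sample config and the port and address values are constructed placeholders; `xx.xx.xx.xx` is the same placeholder the post uses.

```shell
#!/bin/sh
# Added example (not from the original post): apply the sshd_config
# hardening from the "extended points" to a file, idempotently.

# set_directive <config_file> <Directive> <value>
# Rewrites an existing line for the directive (commented-out or not),
# or appends one if the file has none, so repeated runs leave one line.
set_directive() {
    cfg="$1"; name="$2"; value="$3"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$name[[:space:]]" "$cfg"; then
        sed -i.bak -E "s/^[[:space:]]*#?[[:space:]]*$name[[:space:]].*/$name $value/" "$cfg"
        rm -f "$cfg.bak"
    else
        printf '%s %s\n' "$name" "$value" >> "$cfg"
    fi
}

# get_directive <config_file> <Directive>: prints the value sshd would use
# (last uncommented occurrence wins in this simplified reader).
get_directive() {
    awk -v n="$2" '$1 == n {print $2}' "$1" | tail -n 1
}

# harden_sshd <config_file> <port> <allowed user@address>
# Applies points I to IV of the post. The AllowUsers entry should name a
# non-root user: with PermitRootLogin no, an AllowUsers root@... line
# would still leave root unable to log in.
harden_sshd() {
    set_directive "$1" PermitRootLogin no
    set_directive "$1" PasswordAuthentication no
    set_directive "$1" Port "$2"
    set_directive "$1" AllowUsers "$3"
}

# Demonstration on a constructed sample config (not a real server's file).
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
# constructed sample sshd_config
#Port 22
PermitRootLogin yes
PasswordAuthentication yes
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
harden_sshd "$demo_cfg" 8833 "mysql@xx.xx.xx.xx"
harden_sshd "$demo_cfg" 8833 "mysql@xx.xx.xx.xx"   # second run changes nothing
cat "$demo_cfg"
# On a real server, validate before restarting:  sshd -t -f /etc/ssh/sshd_config
```

Two practical checks belong around this: apply the PasswordAuthentication change only after the key-based `ssh root@server` login in the verification step has succeeded from a second session, so a mistake does not lock you out; and when moving off port 22, open the new port in the host firewall first, then run `sshd -t` and only then `systemctl restart sshd`.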
