安全密钥验证步骤
的有关信息介绍如下:
日常生产环境中使用密码进行口令验证终归存在着被骇客暴力破解或嗅探截获的风险,如果正确的配置密钥验证方式,那么一定会让您的sshd服务程序更加的安全。详情参考《Linux就该这么学》。
在本地主机中生成“密钥对”并将公物兼凤钥传送到远程服务器中:
[root@linuxprobe ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):直接敲击回车或设置密钥的存储路径
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): 直接敲击回车或设置密钥的密码
Enter same passphrase again: 再次敲击回车或设置密钥的密码
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
40:32:48:18:e4:ac:c0:c3:c1:ba:7c:6c:3a:a8:b5:22 root@linuxprobe.com
The key's randomart image is:
+--[ RSA 2048]----+
|+*..o . 鬼罩 |
|*.o + 露肤 |
|o* . |
|+ . . |
|o.. S |
|.. + |
|. = |
|E+ . |
|+.o |
+-----------------+
将生成好的公钥文件传送至远程主机:
[root@linuxprobe ~]# ssh-copy-id 192.168.10.20
The authenticity of host '192.168.10.20 (192.168.10.20)' can't be established.
ECDSA key fingerprint is 4f:a7:91:9e:8d:6f:b9:48:02:32:61:95:48:ed:1e:3f.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.10.20's password:此处输入远程服务器主机密码
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '192.168.10.20'"
and check to make sure that only the key(s) you wanted were added.
设置服务器主机只允许密钥验证,拒绝传统口令验证方式,记得修改配置文件后保存并重启sshd服务程序哦~:
[root@linuxprobe ~]# vim /etc/ssh/sshd_config
………………省略部分输出信息………………
74
75 # To disable tunneled clear text passwords, change to no here!
76 #PasswordAuthentication yes
77 #PermitEmptyPasswords no
78 PasswordAuthentication no
79
………………省略部分输出信息………………
[root@linuxprobe ~]# systemctl restart sshd
在客户端主机尝试登陆到服务端主机,此时无需输入密码口令也可直接验证登陆成功:
[root@linuxprobe ~]# ssh 192.168.10.20
Last login: Mon Apr 13 19:34:13 2017
