
Logging in to OpenSSH with a public key

Posted: 2014-04-29 10:11:47   Views: 615   Comments: 0   Favorites: 0


2013-10-24 16:47

    1. Generate a key pair

    As far as I know there are three tools for generating a key pair: the ssh-keygen command on GNU/Linux, puttygen, and SSH Secure Shell.

    • Generate the key pair with ssh-keygen

    [root@ld365 ~]# ssh-keygen -C "Proxy for developers"
    Generating public/private rsa key pair.
    Enter file in which to save the key (/root/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /root/.ssh/id_rsa.
    Your public key has been saved in /root/.ssh/id_rsa.pub.
    The key fingerprint is:
    71:b2:a7:45:84:db:b1:99:9c:b7:b3:65:c1:f7:8f:41 Proxy for developers
    The key's randomart image is:
    +--[ RSA 2048]----+
    |         ..                  |
    |        ...                  |
    |        o+o* .          |
    |        .*B . E .        |
    |        S o. o o.       |
    |         +  o + .        |
    |        .    = o.         |
    |            . . .           |
    |                             |
    +---------------------+

    Generated public key: /root/.ssh/id_rsa.pub

    Generated private key: /root/.ssh/id_rsa

    • Generate the key pair with puttygen

    • Click the [Generate] button
    • Move the mouse around randomly
    • Set the key comment
    • Set a passphrase to protect the private key
    • Save the public key and the private key

    Public key saved as: d:\id_rsa_putty.pub

    Private key saved as: d:\id_rsa_putty.ppk

    • Generate the key pair with SSH Secure Shell

    • Choose [Edit->Settings] to open the Settings dialog
    • Select the [Global Settings->User Keys] item on the left
    • Click the [Generate New Keypair] button
    • Follow the wizard to generate the key pair

    2. Upload the public key to the server

    One thing to watch here is the public key format. As far as I know there are two: the OpenSSH format and the format defined by RFC 4716. puttygen and SSH Secure Shell write public keys in the RFC 4716 format, while ssh-keygen writes the OpenSSH format. So if the key pair was generated with puttygen or SSH Secure Shell, the public key has to be converted to OpenSSH format after it is uploaded to the server. This can be done on the server with the following command:

    [root@ld365 .ssh]# ssh-keygen -i -f id_rsa_putty.pub

    ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQBT2Qdda5Nu7iUL+DQYIcw2waoSYl22j3k4D9/ulJaOk09yAtqylEL85gtsjBiQZGWGJhA2Kz7HwsDhRPJQk/J3MsNGWlzI8Ruf/c2jAQKZiLMjjyKg1ceAMQNVjRR0zBmvJz06Mce2qBbjPoGt3tj1rCo3FP9SnE/ts64ySJJdRFnLfPKnwcE5cPCr1qUYyAMPHucniHUlOHll1lguw1eHRF63nWy8WycKyYAkM5c2yNEd1XMrm0GLPedcIRHi+cyLmIV1c6jwd21XS2F6QJk8yOGbjCBWEU1X1UMsB4FRg8nyQm5Rog+EPAsnOMz4UO7ZIzv+LKsyrGCBFc1fOFsZ

     

    The private key formats produced by the three tools above all differ from one another, but puttygen can convert between them: import the key first, then export it in the private key format you need.
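The two public key formats the section describes, worked through in code. This Python script is added here as an example and is not part of the original post: it writes and parses the RFC 4716 layout that puttygen and SSH Secure Shell produce, emits the one-line OpenSSH form that ssh-keygen -i prints above, and computes the MD5 colon fingerprint in the style of the ssh-keygen output. The key blob it works on is constructed (exponent 37, as in the post's puttygen key, with a fake modulus) and is not a real key.

```python
"""RFC 4716 public key (puttygen / SSH Secure Shell) <-> OpenSSH one-line form, the job of
'ssh-keygen -i -f' in the post, plus fingerprints. Added example with a constructed key blob."""
import base64
import hashlib

def ssh_string(b):        # SSH wire 'string': 4-byte big-endian length, then the bytes
    return len(b).to_bytes(4, "big") + b
def ssh_mpint(x):         # SSH 'mpint': big-endian bytes, with a 0x00 prefix when the top bit is set
    return ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))

def to_rfc4716(blob, comment):
    """RFC 4716 layout: BEGIN line, header lines, base64 body wrapped at 64 columns, END line."""
    b64 = base64.b64encode(blob).decode()
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["---- BEGIN SSH2 PUBLIC KEY ----", 'Comment: "%s"' % comment]
                     + body + ["---- END SSH2 PUBLIC KEY ----"])

def parse_rfc4716(text):
    """Return (blob, comment); a line with ':' is a header (base64 never has one), a trailing backslash continues it."""
    lines = text.strip().splitlines()
    if not lines[0].startswith("---- BEGIN SSH2") or not lines[-1].startswith("---- END SSH2"):
        raise ValueError("not an RFC 4716 public key")
    headers, body, i = {}, [], 1
    while i < len(lines) - 1:
        if ":" in lines[i]:
            tag, value = lines[i].split(":", 1)
            while value.endswith("\\"):
                i += 1
                value = value[:-1] + lines[i]
            headers[tag.strip().lower()] = value.strip()
        else:
            body.append(lines[i].strip())
        i += 1
    return base64.b64decode("".join(body), validate=True), headers.get("comment", "").strip('"')

def to_openssh(blob, comment=""):
    """OpenSSH form '<type> <base64> [comment]'; the type is the first string in the blob."""
    ktype = blob[4:4 + int.from_bytes(blob[:4], "big")].decode()
    line = ktype + " " + base64.b64encode(blob).decode()
    return line + " " + comment if comment else line

def fingerprints(blob):
    """MD5 colon-hex (the style of the post's ssh-keygen output) and the newer SHA256 form."""
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return ":".join(md5[i:i + 2] for i in range(0, 32, 2)), "SHA256:" + sha

# Constructed sample: exponent 37 (the value in the post's puttygen key) and a fake modulus.
SAMPLE_BLOB = ssh_string(b"ssh-rsa") + ssh_mpint(37) + ssh_mpint((1 << 2047) | 0x10001)
```

Running to_openssh(*parse_rfc4716(open("id_rsa_putty.pub").read())) on a real puttygen file gives the same single line that ssh-keygen -i -f id_rsa_putty.pub prints above.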

    3. Edit the OpenSSH server configuration file

    /etc/ssh/sshd_config

    #       $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

    # This is the sshd server system-wide configuration file.  See
    # sshd_config(5) for more information.

    # This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

    # The strategy used for options in the default sshd_config shipped with
    # OpenSSH is to specify options with their default value where
    # possible, but leave them commented.  Uncommented options change a
    # default value.

    Port 12345
    #AddressFamily any
    #ListenAddress 0.0.0.0
    #ListenAddress ::

    # Disable legacy (protocol version 1) support in the server for new
    # installations. In future the default will change to require explicit
    # activation of protocol 1
    Protocol 2

    # HostKey for protocol version 1
    #HostKey /etc/ssh/ssh_host_key
    # HostKeys for protocol version 2
    #HostKey /etc/ssh/ssh_host_rsa_key
    #HostKey /etc/ssh/ssh_host_dsa_key

    # Lifetime and size of ephemeral version 1 server key
    #KeyRegenerationInterval 1h
    #ServerKeyBits 1024

    # Logging
    # obsoletes QuietMode and FascistLogging
    #SyslogFacility AUTH
    SyslogFacility AUTHPRIV
    #LogLevel INFO

    # Authentication:

    #LoginGraceTime 2m
    #PermitRootLogin yes
    #StrictModes yes
    #MaxAuthTries 6
    #MaxSessions 10

    #RSAAuthentication yes
    PubkeyAuthentication yes
    #AuthorizedKeysFile     .ssh/authorized_keys
    #AuthorizedKeysCommand none
    #AuthorizedKeysCommandRunAs nobody

    # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
    #RhostsRSAAuthentication no
    # similar for protocol version 2
    #HostbasedAuthentication no
    # Change to yes if you don't trust ~/.ssh/known_hosts for
    # RhostsRSAAuthentication and HostbasedAuthentication
    #IgnoreUserKnownHosts no
    # Don't read the user's ~/.rhosts and ~/.shosts files
    #IgnoreRhosts yes

    # To disable tunneled clear text passwords, change to no here!
    #PasswordAuthentication yes
    #PermitEmptyPasswords no
    #PasswordAuthentication yes
    PasswordAuthentication no

    # Change to no to disable s/key passwords
    #ChallengeResponseAuthentication yes
    ChallengeResponseAuthentication no

    # Kerberos options
    #KerberosAuthentication no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes
    #KerberosGetAFSToken no
    #KerberosUseKuserok yes

    # GSSAPI options
    #GSSAPIAuthentication no
    GSSAPIAuthentication yes
    #GSSAPICleanupCredentials yes
    GSSAPICleanupCredentials yes
    #GSSAPIStrictAcceptorCheck yes
    #GSSAPIKeyExchange no

    # Set this to 'yes' to enable PAM authentication, account processing,
    # and session processing. If this is enabled, PAM authentication will
    # be allowed through the ChallengeResponseAuthentication and
    # PasswordAuthentication.  Depending on your PAM configuration,
    # PAM authentication via ChallengeResponseAuthentication may bypass
    # the setting of "PermitRootLogin without-password".
    # If you just want the PAM account and session checks to run without
    # PAM authentication, then enable this but set PasswordAuthentication
    # and ChallengeResponseAuthentication to 'no'.
    #UsePAM no
    UsePAM yes

    # Accept locale-related environment variables
    AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
    AcceptEnv XMODIFIERS

    #AllowAgentForwarding yes
    #AllowTcpForwarding yes
    #GatewayPorts no
    #X11Forwarding no
    X11Forwarding yes
    #X11DisplayOffset 10
    #X11UseLocalhost yes
    #PrintMotd yes
    #PrintLastLog yes
    #TCPKeepAlive yes
    #UseLogin no
    #UsePrivilegeSeparation yes
    #PermitUserEnvironment no
    #Compression delayed
    #ClientAliveInterval 0
    #ClientAliveCountMax 3
    #ShowPatchLevel no
    UseDNS no
    #PidFile /var/run/sshd.pid
    #MaxStartups 10
    #PermitTunnel no
    #ChrootDirectory none

    # no default banner path
    #Banner none

    # override default of no subsystems
    Subsystem       sftp    /usr/libexec/openssh/sftp-server

    # Example of overriding settings on a per-user basis
    #Match User anoncvs
    #       X11Forwarding no
    #       AllowTcpForwarding no
    #       ForceCommand cvs server

    The main changes needed are the lines highlighted above (marked in red in the original):

    • Port 12345  It is best to change the port the ssh service listens on; this greatly reduces the junk entries in /var/log/secure
    • PubkeyAuthentication yes  Enable public key authentication
    • PasswordAuthentication no  Disable password authentication

    Also note the following setting:

    #AuthorizedKeysFile     .ssh/authorized_keys

    This means the public key uploaded to the server is stored in the .ssh/authorized_keys file in the user's home directory. (With StrictModes at its default of yes, sshd refuses the key if that file, ~/.ssh or the home directory is writable by anyone but the owner.) Append the uploaded key to it with:

    cat id_rsa.pub >> authorized_keys
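A small checker for the settings discussed in this section, added here as an example rather than taken from the post. It reads sshd_config the way sshd itself does, which is where mistakes usually hide: a commented line sets nothing, the first value of a keyword wins over later duplicates, and anything after a Match line is not global. The two sample configurations are constructed.

```python
"""Check an sshd_config for the post's settings (added example, not the post's code), reading
it as sshd does: keywords are case-insensitive ('Keyword value' or 'Keyword=value'); a '#'
line is a comment and sets nothing; the FIRST value of a keyword wins; nothing after 'Match' is global."""

# Compiled-in defaults of the audited keywords (OpenSSH 5.x, the version on the post's server).
DEFAULTS = {"port": "22", "pubkeyauthentication": "yes", "passwordauthentication": "yes",
            "challengeresponseauthentication": "yes", "usepam": "no"}

def parse_sshd_config(text):
    """Return the effective global settings as {lowercase keyword: value}."""
    effective, seen = dict(DEFAULTS), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        head = line.split(None, 1)
        if "=" in head[0]:                       # 'Keyword=value' spelling
            head = head[0].split("=", 1) + head[1:]
        keyword = head[0].lower()
        if keyword == "match":
            break                                # what follows is conditional, not global
        if keyword not in seen:                  # first obtained value wins
            seen.add(keyword)
            effective[keyword] = head[1].strip() if len(head) > 1 else ""
    return effective

def audit(text):
    """Return findings; an empty list means the post's settings are in effect."""
    cfg, findings = parse_sshd_config(text), []
    if cfg["port"] == "22":
        findings.append("Port is still 22 (the post moves it to cut noise in /var/log/secure)")
    if cfg["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is not 'yes'; key login will fail")
    if cfg["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is not 'no'; passwords are still accepted")
    if cfg["usepam"] == "yes" and cfg["challengeresponseauthentication"] != "no":
        findings.append("ChallengeResponseAuthentication is not 'no'; PAM can still prompt for a password")
    return findings

# Constructed samples: GOOD mirrors the post (its Match block must be ignored); BAD sets 'yes' first.
SAMPLE_GOOD = """Port 12345
PubkeyAuthentication yes
#PasswordAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
Match User anoncvs
        PasswordAuthentication yes
"""
SAMPLE_BAD = "#Port 22\nPasswordAuthentication yes\nPasswordAuthentication=no\nUsePAM yes\n"
```

To check a live server, run audit(open("/etc/ssh/sshd_config").read()) before restarting sshd.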

    4. Restart the OpenSSH service

    service sshd restart

    5. Log in to the server with the private key

    • Logging in from GNU/Linux

    On GNU/Linux the permissions of the private key file have to be changed first:

    [root@ld365 ~]# chmod 600 .ssh/id_rsa_openssh

    Log in:

    [root@ld365 ~]# ssh root@127.0.0.1 -p 12345 -i .ssh/id_rsa_openssh
    Enter passphrase for key '.ssh/id_rsa_openssh':
    Last login: Thu Oct 24 16:38:11 2013 from 192.168.0.32
    [root@ld365 ~]#

    The sftp command on GNU/Linux has no option for specifying the private key; in that case you can create a config file in the .ssh folder of the home directory with the following contents (ssh_config only treats whole lines starting with # as comments, so keep them on their own lines; without a Host line the settings apply to every host):

    # the private key file to use
    IdentityFile ~/.ssh/id_rsa_openssh
    # the port the ssh service listens on on the server you log in to
    Port 12345

    • Logging in with putty
      • Fill in the server IP and the SSH service listening port on the Session panel
      • Fill in the private key path on the [Connection -> SSH -> Auth] panel


Original article: http://www.cnblogs.com/daojoo/p/3698735.html
