SSH login with a generated certificate (key pair)

[root@lavm-36z141uod3 ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): /root
/root already exists.
Overwrite (y/n)? n
[root@lavm-36z141uod3 ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): /root/.ssh/id_rsa
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:KaNfbBnxQ7/4UAY/vj5p0McgcCqSCMsBABOrgjvDrUE root@lavm-36z141uod3
The key's randomart image is:
+---[RSA 2048]----+
|X. |
|.+ . . |
|oo.. . .+o |
|+.. o . .=.+. |
|+E .o.S oo*o |
|+.. . + o.*.oo |
|+o .. = o.oo |
| oo . o o+. |
| . . o+. |
+----[SHA256]-----+

[root@lavm-36z141uod3 ~]# ll -a
total 845492
dr-xr-x---. 10 root root 4096 Feb 5 14:57 .
dr-xr-xr-x. 21 root root 4096 Dec 16 17:21 ..
-rw-r--r-- 1 root root 640 Aug 9 14:41 ?۸????.txt
drwxr-xr-x 2 root root 4096 Aug 30 16:12 app
-rw-r--r-- 1 root root 6050 Oct 18 16:45 auto_mount.sh
-rw-r--r--. 1 root root 15137 Jan 14 15:02 .bash_history
-rw-r--r--. 1 root root 18 Dec 29 2013 .bash_logout
-rw-r--r--. 1 root root 176 Dec 29 2013 .bash_profile
-rw-r--r--. 1 root root 373 Jul 4 2024 .bashrc
-rw-r--r-- 1 root root 149554917 Dec 2 09:17 bookmarks-12-02.html
-rw-r--r-- 1 root root 226848969 Nov 30 21:56 bookmarks-2024-11-30.json
-rw-r--r-- 1 root root 407356388 Nov 30 21:57 bookmarks.html
-rw-r--r--. 1 root root 100 Dec 29 2013 .cshrc
drwxr-xr-x 13 root root 4096 Nov 21 21:50 huasenjio-compose
-rw-r--r-- 1 root root 150 Oct 18 16:43 install_panel.sh
-rw-r--r-- 1 root root 150 Oct 18 16:43 install_panel.sh.checksum.txt
-rwxrwxrwx 1 root root 3561 Dec 3 16:09 install.sh
-rwxr-xr-x 1 root root 276500 Dec 2 16:31 kejilion.sh
drwx------ 19 polkitd root 4096 Aug 30 16:56 .maxkb
-rw-r--r-- 1 root root 9116 Apr 11 2016 mysql57-community-release-el7-8.noarch.rpm
-rw-r--r-- 1 root root 26024 Apr 25 2019 mysql80-community-release-el7-3.noarch.rpm
drwxr-xr-x 5 root root 4096 Jul 4 2024 .nvm
-rw-r--r-- 1 root root 1405376 Sep 12 2023 openvpn-2.2.1-install.exe
-rw-r--r-- 1 root root 5177344 Aug 14 2023 OpenVPN-2.6.5-I001-amd64.msi
-rw-r--r-- 1 root root 71000064 Apr 10 2024 openvpn-connect-3.3.6.2752_signed.msi
-rw-r--r-- 1 root root 3859718 Sep 12 2023 openvpn.zip
-rw-r--r-- 1 root root 133608 Jan 14 11:44 passwords.csv
drwxr----- 3 root root 4096 Jun 19 2024 .pki
drwxr-xr-x 9 root root 4096 Dec 9 14:39 QAnything
drwx------ 2 root root 4096 Feb 5 14:58 .ssh
-rw-r--r--. 1 root root 129 Dec 29 2013 .tcshrc
-rw------- 1 root root 4311 Dec 9 16:22 .viminfo
drwxr-xr-x 3 root root 4096 Aug 6 2024 .xterminal
[root@lavm-36z141uod3 ~]# cd .ssh
[root@lavm-36z141uod3 .ssh]# ll
total 8
-rw------- 1 root root 1766 Feb 5 14:58 id_rsa
-rw-r--r-- 1 root root 402 Feb 5 14:58 id_rsa.pub
[root@lavm-36z141uod3 .ssh]# cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
[root@lavm-36z141uod3 .ssh]# sz id_rsa

[root@lavm-36z141uod3 .ssh]# ll
total 12
-rw-r--r-- 1 root root 402 Feb 5 14:59 authorized_keys
-rw------- 1 root root 1766 Feb 5 14:58 id_rsa
-rw-r--r-- 1 root root 402 Feb 5 14:58 id_rsa.pub
[root@lavm-36z141uod3 .ssh]# vim /etc/ssh/sshd_config
[root@lavm-36z141uod3 .ssh]# systemctl restart sshd.service
cat ~/.ssh/id_rsa_uC.pub >> ~/.ssh/authorized_keys
Logging in to Linux with a certificate
First you need to generate an SSH key pair (private key and public key). This step can be done either on the client or on the server; here we do it directly on the server.
Generate the key pair with the following command:
ssh-keygen -t rsa
Follow the prompts to choose where to save the key and to set a passphrase; the key pair is then generated and the result is displayed.
If you have stronger security requirements, use the corresponding parameters:
1. -t rsa: specifies the key algorithm, RSA.
2. -b 4096: sets the key length to 4096 bits. Where security requirements are lower this value can be smaller, but it should not be less than 1024.
3. -f ~/.ssh/user_ca: specifies the location and file name of the generated key.
4. -C user_ca: specifies the key's identifying string; it is effectively a comment and can be set to anything.

For example, combining these parameters:
ssh-keygen -t rsa -b 4096 -f ~/.ssh/user_ca -C user_ca

Next, add the public key to the ~/.ssh/authorized_keys file. You can do this with vi, or append it directly with cat:

cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

Then download the private key file ~/.ssh/id_rsa to your local machine and keep it for later use.

Configure the sshd_config file; you can use the vi command:
vi /etc/ssh/sshd_config
Change the following items (comments are on their own lines because older sshd versions reject trailing text on a directive line):
# allow public-key authentication
PubkeyAuthentication yes
# file holding the public keys used for user authentication; the path is
# relative to the user's home directory (sshd does not expand ~, so the
# original ~/.ssh/authorized_keys would not be found)
AuthorizedKeysFile .ssh/authorized_keys

# decide as needed whether to disable root login
PermitRootLogin no
# decide as needed whether to disable password login
PasswordAuthentication no
# note: merely commenting a directive out with # does not disable it; sshd then
# uses its built-in default (prohibit-password for PermitRootLogin, yes for
# PasswordAuthentication), so set the value explicitly as above

After the configuration is complete, restart the SSH service so that it takes effect:
systemctl restart sshd.service
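The server-side procedure above (authorize the public key, edit sshd_config, restart) can be scripted so that it is safe to re-run. The following is an added example written for this page, not code from the original post: the function names, the scratch directory and the constructed public-key line are assumptions, and it does not call ssh-keygen, so it runs anywhere a POSIX shell and awk are available. It also handles the two points the plain `cat >>` and `vi` steps do not: duplicate entries in authorized_keys, and a sshd_config that already contains commented-out or Match-scoped copies of the directives being set.

```shell
#!/bin/sh
# Added example, not from the original post: the page's server-side steps
# (authorize the public key, edit sshd_config, validate) as idempotent
# functions. Function names, the scratch directory and the constructed
# public-key line are assumptions made here.

# Append one public key to authorized_keys unless it is already present
# (repeating `cat >> authorized_keys` adds duplicate lines), and set the
# permissions sshd's StrictModes expects (700 on .ssh, 600 on the file).
add_authorized_key() {
    pubkey_file=$1
    auth_file=$2
    auth_dir=$(dirname "$auth_file")
    mkdir -p "$auth_dir"
    chmod 700 "$auth_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"
    key_line=$(head -n 1 "$pubkey_file")
    if grep -qxF -e "$key_line" "$auth_file"; then
        return 0            # already authorized, nothing to do
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
}

# Set one directive in the global section of an sshd_config file.
# Existing active or commented-out lines for the keyword are removed and the
# new line is written before the first "Match" block so it stays global;
# lines inside Match blocks are left untouched. A directive that is only
# commented out is not disabled (sshd falls back to its built-in default),
# which is why an explicit value is always written.
set_sshd_option() {
    config=$1
    keyword=$2
    value=$3
    tmp="$config.tmp.$$"
    awk -v kw="$keyword" -v val="$value" '
        tolower($1) == "match" && !inmatch {
            if (!done) print kw " " val; done = 1; inmatch = 1
        }
        !inmatch && tolower($0) ~ "^[ \t]*#?[ \t]*" tolower(kw) "([ \t=]|$)" { next }
        { print }
        END { if (!done) print kw " " val }
    ' "$config" > "$tmp" && mv "$tmp" "$config"
}

# Read the effective value of a keyword from the global section: the first
# uncommented occurrence wins, which is how sshd itself resolves it.
sshd_option_value() {
    awk -v kw="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(kw) { print $2; exit }
    ' "$1"
}

# Apply the settings from the page. AuthorizedKeysFile is given relative to
# the user's home directory because sshd does not expand "~".
harden_sshd_config() {
    config=$1
    set_sshd_option "$config" PubkeyAuthentication yes
    set_sshd_option "$config" AuthorizedKeysFile .ssh/authorized_keys
    set_sshd_option "$config" PermitRootLogin no
    set_sshd_option "$config" PasswordAuthentication no
}

# Walk through the procedure in a scratch directory with a constructed
# (non-functional) public key, then print the resulting config.
demo() {
    work=$(mktemp -d)
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC-CONSTRUCTED-NOT-A-REAL-KEY root@example\n' \
        > "$work/id_rsa.pub"
    add_authorized_key "$work/id_rsa.pub" "$work/.ssh/authorized_keys"
    add_authorized_key "$work/id_rsa.pub" "$work/.ssh/authorized_keys"  # no-op on repeat
    cat > "$work/sshd_config" <<'EOF'
# constructed sample resembling a stock CentOS 7 file
#PermitRootLogin yes
PasswordAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
Match User backup
    PasswordAuthentication yes
EOF
    harden_sshd_config "$work/sshd_config"
    echo "authorized_keys lines: $(wc -l < "$work/.ssh/authorized_keys" | tr -d ' ')"
    cat "$work/sshd_config"
    # on a real host, validate with `sshd -t` before restarting the service
    rm -rf "$work"
}

demo
```

Before restarting sshd on a real server, run `sshd -t` to check the edited file for syntax errors, and keep your current session open until you have confirmed that a second session can log in with the key; otherwise a mistake in sshd_config combined with PasswordAuthentication no can lock you out.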