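Logging in remotely over SSH normally requires a password, which is the method most of us are familiar with.
The other option is public-key login. This article briefly introduces two ways of setting up public-key login (method 2 is recommended), walks through the login process, and shows how to enforce two-factor authentication that requires both a public key and a password.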
Public-key login: method 1
Step 1: Create a public/private key pair with ssh-keygen
$ ssh-keygen
Generating public/private rsa key pair.
...
$ ls
id_rsa id_rsa.pub known_hosts
Step 2: Upload id_rsa.pub to the machine you want to log in to remotely
$ scp id_rsa.pub root@142.93.198.56:/tmp
root@142.93.198.56's password:
id_rsa.pub 100% 405 1.5KB/s 00:00
Step 3: Add the public key to authorized_keys
First, log in to the target machine; the following commands are run on the remote side.
$ ssh root@142.93.198.56
...
root@ubuntu-s-1vcpu-1gb-nyc1-01:~# cd /tmp/
root@ubuntu-s-1vcpu-1gb-nyc1-01:/tmp# cat id_rsa.pub >> ~/.ssh/authorized_keys
Step 4: Change the file permissions
root@ubuntu-s-1vcpu-1gb-nyc1-01:/tmp# chmod 600 ~/.ssh/authorized_keys
Step 5: Check the configuration
Review and edit the configuration file: /etc/ssh/sshd_config
root@ubuntu-s-1vcpu-1gb-sfo2-01:~# vim /etc/ssh/sshd_config
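# password login
PasswordAuthentication yes
# RSA authentication
RSAAuthentication yes
# public-key login
PubkeyAuthentication yes
Then restart the sshd service. If you do not want to allow password login, change PasswordAuthentication to no. It is still advisable to keep this setting enabled, though: if you accidentally run ssh-keygen again (overwriting the existing private key), that remote server really will be rather remote from you.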
Step 6: Log in over SSH with the public key
You can now log in to the remote machine using the private key.
$ ssh -i id_rsa root@142.93.198.56
Welcome to Ubuntu 16.04.5 LTS (GNU/Linux 4.4.0-131-generic x86_64)
 * Documentation: https://help.ubuntu.com
 * Management: https://landscape.canonical.com
 * Support: https://ubuntu.com/advantage
Get cloud support with Ubuntu Advantage Cloud Guest:
http://www.ubuntu.com/business/services/cloud
0 packages can be updated.
0 updates are security updates.
New release '18.04.1 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
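The VPS 142.93.198.56 was used for testing only and has been destroyed.
Public-key login: method 2
While setting up a Hadoop environment, where the nodes of a Hadoop cluster transfer data among themselves directly using public keys, I came across and used the ssh-copy-id command. This command easily completes all of the steps in method 1 above.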
root@kali:~# ssh-keygen # generate the key pair
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:+E2PL7KFGu9pdzg9gEkg5OhMToGQxvMipMkXgBNub/k root@kali
The key's randomart image is:
+---[RSA 2048]----+
|*=o.. |
|*= =. . |
|==* o. . |
|=O.o. .. |
|. *+ ..So. |
| . . .o+.o |
| E. o ++. |
| +oo=.+ |
| .o=+ +.. |
+----[SHA256]-----+
root@kali:~#
root@kali:~# ssh-copy-id root@172.16.82.136 # the ssh-copy-id command
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '172.16.82.136 (172.16.82.136)' can't be established.
ECDSA key fingerprint is SHA256:buanLhYcZbfmeZ2rRECFo5K1v2EcfUAutraLAIQH/yU.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@172.16.82.136's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@172.16.82.136'"
and check to make sure that only the key(s) you wanted were added.
root@kali:~# ssh root@172.16.82.136 # logs in directly with the public key, no password needed
Last failed login: Mon Mar 4 08:50:43 CST 2019 from 172.16.83.136 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Mon Mar 4 08:50:28 2019
[root@hadoop ~]#
Requiring both a public key and a password to log in
On top of the public-key login setup, add the following configuration:
[lz@mail ~]$ sudo vim /etc/ssh/sshd_config
...
AuthenticationMethods publickey,password
Restart the SSHD service:
[lz@mail ~]$ sudo service sshd restart
The result is as shown in the figure below:
Both the public key and the password are now required to log in.
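The following check is an added example, not part of the original article: it reads an sshd_config and reports whether AuthenticationMethods really demands both factors, catching the space-separated form (which means "either") and a required method that has been disabled. The function names and sample files are hypothetical, and Match blocks and Include files are not evaluated.

```shell
#!/bin/sh
# Added example (not from the original article): check whether an sshd_config
# really enforces "public key AND password" as configured above.
# Assumptions: Match blocks and Include files are ignored; only the
# publickey/password pair from this article is recognised as two-factor.

# Print the value of keyword $2 in file $1. sshd keeps the first value it
# reads for a keyword, and keywords are case-insensitive.
sshd_opt() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Returns 0 = both factors enforced, 1 = some path needs only one factor,
# 2 = a required method is disabled (the list cannot be satisfied).
check_2fa() {
    methods=$(sshd_opt "$1" AuthenticationMethods)
    passwd=$(sshd_opt "$1" PasswordAuthentication)
    pubkey=$(sshd_opt "$1" PubkeyAuthentication)
    [ -n "$passwd" ] || passwd=yes    # sshd_config(5) default
    [ -n "$pubkey" ] || pubkey=yes    # sshd_config(5) default
    [ -n "$methods" ] || { echo "single-factor: AuthenticationMethods not set"; return 1; }
    # Space-separated lists are alternatives; commas inside a list mean "all of".
    for list in $methods; do
        case ",$list," in *,publickey,*) ;; *)
            echo "single-factor: '$list' needs no key"; return 1 ;; esac
        case ",$list," in *,password,*) ;; *)
            echo "single-factor: '$list' needs no password"; return 1 ;; esac
    done
    if [ "$passwd" != yes ] || [ "$pubkey" != yes ]; then
        echo "lockout: a required method is disabled"; return 2
    fi
    echo "ok: publickey,password enforced"
}

# Constructed sample configurations (not taken from a real host).
demo_dir=$(mktemp -d)
printf 'PasswordAuthentication yes\nPubkeyAuthentication yes\nAuthenticationMethods publickey,password\n' > "$demo_dir/good"
printf 'AuthenticationMethods publickey password\n' > "$demo_dir/either"
printf 'PasswordAuthentication no\nauthenticationmethods publickey,password\n' > "$demo_dir/lockout"
for f in good either lockout; do
    printf '%s: ' "$f"; check_2fa "$demo_dir/$f" || true
done
```

The "lockout" case is the combination of this section with the earlier suggestion to set PasswordAuthentication to no: a method named in AuthenticationMethods must also be enabled.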
That's all!