安全密钥验证

加密算法是对信息进行编码和解码的技术，它能够将原本可直接阅读的明文信息通过一定的加密算法译成密文形式。密钥即是密文的钥匙，包括有私钥和公钥之分，在日常工作中如果担心传送的数据被他人监听截获到，就可以在传送前先使用公钥进行加密处理，然后再进行数据传送，这样只有掌握私钥的用户才能解密这段数据，除此之外其他人即便截获了数据内容一般也很难再破译成明文信息。总结来说，日常生产环境中使用密码进行口令验证终归存在着被骇客暴力破解或嗅探截获的风险，如果正确的配置密钥验证方式，那么一定会让您的sshd服务程序更加的安全。详情请关注《linux就该这么学》。

操作方法

• 01

  在客户端主机中生成“密钥对”并把公钥传送到远程服务器中： [root@linuxprobe ~]# ssh-keygen Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa):直接敲击回车或设置密钥的存储路径 Created directory ‘/root/.ssh’. Enter passphrase (empty for no passphrase): 直接敲击回车或设置密钥的密码 Enter same passphrase again: 再次敲击回车或设置密钥的密码 Your identification has been saved in /root/.ssh/id_rsa. Your public key has been saved in /root/.ssh/id_rsa.pub. The key fingerprint is: 40:32:48:18:e4:ac:c0:c3:c1:ba:7c:6c:3a:a8:b5:22 root@linuxprobe.com The key’s randomart image is: +–[ RSA 2048]—-+ |+*..o .                | |*.o  +                 | |o*    .                  | |+ .    .                  | |o..     S                | |.. +                      | |. =                       | |E+ .                     | |+.o                      | +—————–+

• 02

  把客户端主机中生成好的公钥文件传送至远程主机： [root@linuxprobe ~]# ssh-copy-id 192.168.10.10 The authenticity of host ‘192.168.10.20 (192.168.10.10)’ can’t be established. ECDSA key fingerprint is 4f:a7:91:9e:8d:6f:b9:48:02:32:61:95:48:ed:1e:3f. Are you sure you want to continue connecting (yes/no)? yes /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed — if you are prompted now it is to install the new keys root@192.168.10.10’s password:此处输入远程服务器主机密码 Number of key(s) added: 1 Now try logging into the machine, with: “ssh ‘192.168.10.10’” and check to make sure that only the key(s) you wanted were added.

• 03

  设置服务器主机只允许密钥验证，拒绝传统口令验证方式，记得修改配置文件后保存并重启sshd服务程序哦~： [root@linuxprobe ~]# vim /etc/ssh/sshd_config ………………省略部分输出信息……………… 74 75 # To disable tunneled clear text passwords, change to no here! 76 #PasswordAuthentication yes 77 #PermitEmptyPasswords no 78 PasswordAuthentication no 79 ………………省略部分输出信息……………… [root@linuxprobe ~]# systemctl restart sshd

• 04

  在客户端主机尝试登陆到服务端主机，此时无需输入密码口令也可直接验证登陆成功： [root@linuxprobe ~]# ssh 192.168.10.10 Last login: Mon Apr 13 19:34:13 2017