在OpenBSD上通过密钥来远程连接服务器
1. 安装OpenBSD。关于安装OpenBSD的方法就不在此说明,网上有很多教程。
2. 生成认证密钥
正常安装OpenBSD的话,Openssh是默认被安装的。用ssh-keygen在客户端的openbsd系统上生成认证密钥对。
语法:ssh-keygen [-b bits] -t type
说明:-b 后面接数字 1024,2048,3072,4096 数字越大破解更困难,1024 基本可以满足网上商业活动。-t 后面接加密算法类型,详情请看Openssh manual 页。
例:
先用一个用户登录到客户端。再这里我是用root。
# ssh-keygen -b 1024 -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): (输入存储路径,一般默认即可)
Enter passphrase (empty for no passphrase): (输入密码来保护私钥,针对私钥暴露的情况)
Enter same passphrase again: (重新输入密码)
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
fc:cc:ab:48:68:b1:e2:13:ab:91:d9:89:47:ad:85:18 root@bnn.my.domain
3 使用公钥
现在~/.ssh/目录里面已经生成了此用户的认证密钥对。(id_rsa和 id_rsa.pub)id_rsa.pub就是公钥。把这个公钥复制到要登录的远程服务器的~/.ssh/目录里 ,改文件名为authorized_keys 。在这里我用的是root。
# scp /root/.ssh/id_rsa.pub root@192.168.0.30:/root/.ssh/authorized_keys
RSA key fingerprint is ef:05:e5:1c:26:31:59:b8:fb:3f:50:55:67:dd:3f:9e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.30' (RSA) to the list of known hosts.
root@192.168.0.30's password: (输入远程服务器用户密码)
id_rsa.pub 100% 229 0.2KB/s 00:00
现在可以用密钥来登录
# ssh root@192.168.0.30
Enter passphrase for key '/root/.ssh/id_rsa': (输入私钥密码)
Last login: Fri May 19 09:54:03 2006
Welcome to OpenBSD: The proactively secure Unix-like operating system.
Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code. With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.
Terminal type? [vt100]
Read the afterboot(8) man page for administration advice.
#
现在用密钥可以登录到远程服务器。但是假如没有密钥,有用户密码也可以登录到远程服务器。那么我们修改一下/etc/ssh/sshd_config 来禁止用密码远程登录。在远程服务器
# vi /etc/ssh/sshd_config
#PasswordAuthentication yes 改成 去掉注释#号 PasswordAuthentication no 然后重新启动远程服务器。
现在我们作一个实验。在客户端先备份认证密钥对,然后删除,再用ssh远程登录到远程服务器。
# cd /root/.ssh/
# mkdir /root/.ssh/backup
# cp id_rsa* backup
# rm id_rsa*
# ssh 192.168.0.30
Permission denied (publickey,keyboard-interactive).
服务器不答应登录。
再恢复备份
# cd /root/.ssh/
# ls
backup
# cp ./backup/id_rsa* ./
再用ssh远程登录到远程服务器。
# ssh root@192.168.0.30
Enter passphrase for key '/root/.ssh/id_rsa':
Last login: Fri May 19 10:14:36 2006
Welcome to OpenBSD: The proactively secure Unix-like operating system.
Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code. With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.
Terminal type? [vt100]
Read the afterboot(8) man page for administration advice.
#
又可以登录了。但是只能用密钥来登录。修改sshd_config 后,服务器上所有用户都必须有自己的认证密钥对才能登录服务器了。
这里还有一个思路,觉得很有趣就写在这里。 用VMWARE 安装一个OpenBSD 虚拟机。 然后设置好nat。能使虚拟机OpenBSD上网,然后用上述方法设置。用虚拟机来治理远程服务器。在windows用ssh客户端软件来治理OpenBSD虚拟机。这样一来整个操作过程是用ssh客户端程序登录到OpenBSD虚拟机,然后再用密钥登录到远程服务器。
这只是本人一个想法,不知道能不能起到防御黑客一点作用呢? 错误之处,请各位不惜指正。