Skip to content

antony@notes:~/container$ cat "Alpine-Linux-SSH-僅允許透過憑證連線.md"

Alpine Linux SSH **僅允許透過憑證連線**

2022-08-07· container ·Alpine

Alpine Linux SSH 僅允許透過憑證連線

:::warning

:::spoiler 目錄

[TOC]

:::

重點觀念

  • a2 要連到 a1 ,a1 需有 a2 的公鑰

變數說明

  • $a1ip ,a1 主機的 ip

a1 主機設定

# 修改 ssh 設定檔
$ sudo nano /etc/ssh/sshd_config
PasswordAuthentication no ## 不允許透過密碼登入系統
PermitEmptyPasswords no   ## 不允許空密碼登入系統
PubkeyAuthentication yes  ## 允許透過公鑰登入

# 重啟 ssh 服務
$ sduo service sshd restart

# 透過 rsa 加密演算法產生私鑰和公鑰,並且不要密碼
$ ssh-keygen -t rsa -P ''

# 檢查
$ ls -al .ssh/
total 16
drwx--S---    2 bigred   bigred        4096 Jun 21 09:16 .
drwxr-sr-x    8 bigred   bigred        4096 Jun 21 09:16 ..
-rw-------    1 bigred   bigred        2590 Jun 21 09:16 id_rsa      ## 私鑰
-rw-r--r--    1 bigred   bigred         563 Jun 21 09:16 id_rsa.pub  ## 公鑰

補充說明/etc/ssh/sshd_config :

PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
  AuthorizedKeysFile      .ssh/authorized_keys
  • AuthorizedKeysFile用來設定公鑰驗證檔案的路徑
  • .ssh/authorized_keys系統驗證公鑰的檔案路徑 ( 系統預設 )

補充說明 : ssh-keygen

Description: 

authentication key generation, management and conversion
生成、管理和轉換,身份驗證的密鑰

-t type
Specifies the type of key to create.
透過甚麼加密演算法來生成密鑰

-P passphrase
Provides the (old) passphrase.
給(舊)密碼

補充說明 : ssh-copy-id

Description : 

install your public key in a remote machines authorized_keys
把你的公鑰安裝到指定主機的使用者家目錄裡 .ssh 目錄下的 "authorized_keys"

-i [identity_file]
指定要把哪一把密鑰 append 到 使用者家目錄的.ssh/authorized_keys 的檔案裡

a2 主機設定

# 將公鑰複製到 a1 主機
$ ssh-copy-id bigred@$a1ip

# 看自己的公鑰
$ cat .ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDUIHhk3PGxWKKNa/gTBzIVQAk5n2zWUZAg3Z10aIO/l0RGTlTXApcylKjGHFwHTJN5AE7YnjE/V1XiwkUGyaYK18Mih7sNI4E/BDIBZV3h41hX6imvqtLJrlcH6dNFRQJWvMF0DbjkIkAG7ubBHEtmqXlmo1XUGh+Og+bBvYfzOA7nmV1LUblN8trOZvFQlzWKCJ+yQLQrAsPqFsyUT5Z4VaN0JG/8vT7euyUwwDeGApMDVISejaZIfQHbXHDUzQ+Vm+xSfBU9zDpfVDN4Y+Hiwrr/8uheDNXbnX0BrL92cLNmKGed82LxxEJ55KVWMSjvilPGoxug2Fh0vbAhszUKU+tdTRMuLZUw0f5B40lDi5JRrfn1Eb9y/oY2x/Nc4Psz82sH+m21jA+rY2YPpmY4Iar1iJh7KqtAt228PIaBPsLlhZAuFsfDi7NmDv+ZUm96nrJiRZ3dVvQeMJLloA/FH1jjgtmTX8Vch+yRtHDxeXIPNcNEKoJWOlL1A1O8lYs= bigred@a2

在 a1 電腦檢查有無收到 a2 的公鑰

$ cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDUIHhk3PGxWKKNa/gTBzIVQAk5n2zWUZAg3Z10aIO/l0RGTlTXApcylKjGHFwHTJN5AE7YnjE/V1XiwkUGyaYK18Mih7sNI4E/BDIBZV3h41hX6imvqtLJrlcH6dNFRQJWvMF0DbjkIkAG7ubBHEtmqXlmo1XUGh+Og+bBvYfzOA7nmV1LUblN8trOZvFQlzWKCJ+yQLQrAsPqFsyUT5Z4VaN0JG/8vT7euyUwwDeGApMDVISejaZIfQHbXHDUzQ+Vm+xSfBU9zDpfVDN4Y+Hiwrr/8uheDNXbnX0BrL92cLNmKGed82LxxEJ55KVWMSjvilPGoxug2Fh0vbAhszUKU+tdTRMuLZUw0f5B40lDi5JRrfn1Eb9y/oY2x/Nc4Psz82sH+m21jA+rY2YPpmY4Iar1iJh7KqtAt228PIaBPsLlhZAuFsfDi7NmDv+ZUm96nrJiRZ3dVvQeMJLloA/FH1jjgtmTX8Vch+yRtHDxeXIPNcNEKoJWOlL1A1O8lYs= bigred@a2

在 a2 端登入 a1 測試是否符合預期

$ ssh bigred@$a1ip
tags: Alpine