antony@notes:~/container$ cat "Alpine-Linux-SSH-僅允許透過憑證連線.md"
Alpine Linux SSH **僅允許透過憑證連線**
Alpine Linux SSH 僅允許透過憑證連線
:::warning
:::spoiler 目錄
[TOC]
:::
重點觀念
- a2 要連到 a1 ,a1 需有 a2 的公鑰
變數說明
$a1ip,a1 主機的 ip
a1 主機設定
# 修改 ssh 設定檔
$ sudo nano /etc/ssh/sshd_config
PasswordAuthentication no ## 不允許透過密碼登入系統
PermitEmptyPasswords no ## 不允許空密碼登入系統
PubkeyAuthentication yes ## 允許透過公鑰登入
# 重啟 ssh 服務
$ sduo service sshd restart
# 透過 rsa 加密演算法產生私鑰和公鑰,並且不要密碼
$ ssh-keygen -t rsa -P ''
# 檢查
$ ls -al .ssh/
total 16
drwx--S--- 2 bigred bigred 4096 Jun 21 09:16 .
drwxr-sr-x 8 bigred bigred 4096 Jun 21 09:16 ..
-rw------- 1 bigred bigred 2590 Jun 21 09:16 id_rsa ## 私鑰
-rw-r--r-- 1 bigred bigred 563 Jun 21 09:16 id_rsa.pub ## 公鑰補充說明/etc/ssh/sshd_config :
PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keysAuthorizedKeysFile,用來設定公鑰驗證檔案的路徑.ssh/authorized_keys,系統驗證公鑰的檔案路徑 ( 系統預設 )
補充說明 : ssh-keygen
Description:
authentication key generation, management and conversion
生成、管理和轉換,身份驗證的密鑰
-t type
Specifies the type of key to create.
透過甚麼加密演算法來生成密鑰
-P passphrase
Provides the (old) passphrase.
給(舊)密碼補充說明 : ssh-copy-id
Description :
install your public key in a remote machines authorized_keys
把你的公鑰安裝到指定主機的使用者家目錄裡 .ssh 目錄下的 "authorized_keys"
-i [identity_file]
指定要把哪一把密鑰 append 到 使用者家目錄的.ssh/authorized_keys 的檔案裡a2 主機設定
# 將公鑰複製到 a1 主機
$ ssh-copy-id bigred@$a1ip
# 看自己的公鑰
$ cat .ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDUIHhk3PGxWKKNa/gTBzIVQAk5n2zWUZAg3Z10aIO/l0RGTlTXApcylKjGHFwHTJN5AE7YnjE/V1XiwkUGyaYK18Mih7sNI4E/BDIBZV3h41hX6imvqtLJrlcH6dNFRQJWvMF0DbjkIkAG7ubBHEtmqXlmo1XUGh+Og+bBvYfzOA7nmV1LUblN8trOZvFQlzWKCJ+yQLQrAsPqFsyUT5Z4VaN0JG/8vT7euyUwwDeGApMDVISejaZIfQHbXHDUzQ+Vm+xSfBU9zDpfVDN4Y+Hiwrr/8uheDNXbnX0BrL92cLNmKGed82LxxEJ55KVWMSjvilPGoxug2Fh0vbAhszUKU+tdTRMuLZUw0f5B40lDi5JRrfn1Eb9y/oY2x/Nc4Psz82sH+m21jA+rY2YPpmY4Iar1iJh7KqtAt228PIaBPsLlhZAuFsfDi7NmDv+ZUm96nrJiRZ3dVvQeMJLloA/FH1jjgtmTX8Vch+yRtHDxeXIPNcNEKoJWOlL1A1O8lYs= bigred@a2在 a1 電腦檢查有無收到 a2 的公鑰
$ cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDUIHhk3PGxWKKNa/gTBzIVQAk5n2zWUZAg3Z10aIO/l0RGTlTXApcylKjGHFwHTJN5AE7YnjE/V1XiwkUGyaYK18Mih7sNI4E/BDIBZV3h41hX6imvqtLJrlcH6dNFRQJWvMF0DbjkIkAG7ubBHEtmqXlmo1XUGh+Og+bBvYfzOA7nmV1LUblN8trOZvFQlzWKCJ+yQLQrAsPqFsyUT5Z4VaN0JG/8vT7euyUwwDeGApMDVISejaZIfQHbXHDUzQ+Vm+xSfBU9zDpfVDN4Y+Hiwrr/8uheDNXbnX0BrL92cLNmKGed82LxxEJ55KVWMSjvilPGoxug2Fh0vbAhszUKU+tdTRMuLZUw0f5B40lDi5JRrfn1Eb9y/oY2x/Nc4Psz82sH+m21jA+rY2YPpmY4Iar1iJh7KqtAt228PIaBPsLlhZAuFsfDi7NmDv+ZUm96nrJiRZ3dVvQeMJLloA/FH1jjgtmTX8Vch+yRtHDxeXIPNcNEKoJWOlL1A1O8lYs= bigred@a2在 a2 端登入 a1 測試是否符合預期
$ ssh bigred@$a1ip