我正在 Ubuntu 14.04.1 伺服器版上配置 SSH 伺服器。目標是僅使用公鑰身份驗證並僅允許某些使用者名稱。
我的公鑰和私鑰已創建,並在私鑰上設定了密碼。我將公鑰複製到伺服器(具體過程如下所述),並且能夠使用此命令首次透過 SSH 連接到伺服器
ssh -i /path/to/id_rsa -p 50000 [email protected]
系統提示我輸入私鑰密碼並允許登入。
但是,每次我透過 SSH 返回伺服器時,系統將不再提示我輸入私鑰密碼。我甚至可以在不指定私鑰路徑的情況下登錄,如下所示:
ssh -p 50000 [email protected]
我甚至可以刪除客戶端 (Mac OS X 10.8) 上的 ~/.ssh/known_hosts 並透過 SSH 成功連接到伺服器
ssh -p 50000 [email protected]
所以,我的問題是:
- 如果伺服器不使用我的私鑰、金鑰的密碼或用戶端的 ~/.ssh/known_hosts 的內容,則使用什麼來對我進行身份驗證?
- 我的 SSH 伺服器不安全嗎?下麵包含 sshd_config 的副本。
感謝您的幫助。
密鑰建立過程
- at your computer (not the server) do
- generate the keys: ssh-keygen -t rsa -b 4096
- public key is saved at ~/.ssh/id_rsa.pub
- private key is saved at ~/.ssh/id_rsa
- copy id_rsa.pub to server and append to ~/.ssh/authorized_keys
- ssh-copy-id username@remotehost
- a more secure method is to copy via usb drive
- make a backup: cp authorized_keys authorized_keys.original
- add public key to file: cat id_rsa.pub >> authorized_keys
- if your home directory is encrypted (mine is)
- in sshd_config: AuthorizedKeysFile /etc/ssh/%u/authorized_keys
- move the authorized_keys file to /etc/ssh/me/authorized_keys
- mkdir /etc/ssh/me
- chmod u=rwx,go= /etc/ssh/me
- chown me /etc/ssh/me
- mv ~/.ssh/authorized_keys /etc/ssh/me/authorized_keys
- chmod u=rw,go= /etc/ssh/me/authorized_keys
- chown me /etc/ssh/me/authorized_keys
sshd_配置
# User modified sshd_config.
# See the sshd_config(5) manpage for details.
#### Networking options ####
# Listen on a non-standard port > 1024. Default is 22.
Port 50000
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
# Only use protocol version 2.
Protocol 2
X11Forwarding no
X11DisplayOffset 10
# Helps the server recognize problems and the connection will be killed.
TCPKeepAlive yes
#### Networking options ####
#### Key Configuration ####
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Privilege Separation is turned on for security.
UsePrivilegeSeparation yes
# Use public key authentication
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
AuthorizedKeysFile /etc/ssh/%u/authorized_keys
#### Key Configuration ####
### Authentication ###
# 30 seconds to enter your key passphrase.
LoginGraceTime 30
# No root login.
PermitRootLogin no
# Force permissions checks on keyfiles and directories.
StrictModes yes
HostbasedAuthentication no
# Don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication.
IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED).
PermitEmptyPasswords no
# Disable challenge and response auth. Unnecessary when using keys.
ChallengeResponseAuthentication no
# Disable the use of passwords completly, only use public/private keys.
PasswordAuthentication no
# Using keys, no need for PAM (Pluggable Authentication Modules).
# Also allows SSHD to be run as a non-root user.
UsePAM no
# Don't use login(1)
UseLogin no
AllowUsers me
### Authentication ###
### Misc ###
# Logging
SyslogFacility AUTH
LogLevel VERBOSE
# Print the last time the user logged in.
PrintLastLog yes
# Maximum number of concurrent unauthenticated connections to the SSH daemon (the number of users still logging in).
MaxStartups 10:30:60
# Display login banner.
Banner /etc/issue.net
# Allow client to pass locale environment variables.
# Accept language variables to help the shell session display properly for the client.
AcceptEnv LANG LC_*
# External file transfer daemon to use for sftp requests.
Subsystem sftp /usr/lib/openssh/sftp-server
# Should the SSH daemon itself read and display the message of the day file.
PrintMotd no
### Misc ###
防火牆配置
- allow incoming connections to port 50000
- sudo ufw allow in 50000
- Rate-limit the connections
For example, deny connections if an IP address has attempted to initiate
6 or more connections in the last 30 seconds.
- sudo ufw limit ssh
答案1
您的客戶端電腦可能快取了憑證,因此它可能仍在使用您的私鑰。如果重新啟動計算機,則必須再次輸入密碼。 (另外,如果您的金鑰位於
~/.ssh/,那麼這是檢查它們的預設位置ssh)您的 SSH 配置看起來很好,您的防火牆設定也很好(假設它設定為預設拒絕)。我無法評論您整個系統的安全性。
如果這遺漏了什麼,請告訴我。