9.2.2 Secure Key Authentication

Updated 2022-05-31 11:20

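Encryption is the technique of encoding and decoding information: an algorithm (a key) converts plaintext that could be read directly into ciphertext. The key is what unlocks the ciphertext, and keys come in two kinds, private and public. If you are worried that data may be eavesdropped on or intercepted in transit, you can encrypt it with the public key before sending it. Only the user who holds the private key can then decrypt the data; anyone else who intercepts it will generally find it very hard to recover the plaintext.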

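In short, password authentication in a production environment always carries the risk of brute-force cracking or of the password being sniffed and captured. With key-based authentication configured correctly, the sshd service is more secure. The configuration steps are as follows.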

Step 1: Generate a "key pair" on the client host.

    [root@linuxprobe ~]# ssh-keygen
    Generating public/private rsa key pair.
    Enter file in which to save the key (/root/.ssh/id_rsa): (press Enter or set the key's storage path)
    Created directory '/root/.ssh'.
    Enter passphrase (empty for no passphrase): (press Enter or set a passphrase for the key)
    Enter same passphrase again: (press Enter again or re-enter the passphrase)
    Your identification has been saved in /root/.ssh/id_rsa.
    Your public key has been saved in /root/.ssh/id_rsa.pub.
    The key fingerprint is:
    40:32:48:18:e4:ac:c0:c3:c1:ba:7c:6c:3a:a8:b5:22 root@linuxprobe.com
    The key's randomart image is:
    +--[ RSA 2048]----+
    |+*..o .          |
    |*.o  +           |
    |o*    .          |
    |+ .    .         |
    |o..     S        |
    |.. +             |
    |. =              |
    |E+ .             |
    |+.o              |
    +-----------------+

    

Step 2: Transfer the public key file generated on the client host to the remote host:

    [root@linuxprobe ~]# ssh-copy-id 192.168.10.10
    The authenticity of host '192.168.10.10 (192.168.10.10)' can't be established.
    ECDSA key fingerprint is 4f:a7:91:9e:8d:6f:b9:48:02:32:61:95:48:ed:1e:3f.
    Are you sure you want to continue connecting (yes/no)? yes
    /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
    /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
    root@192.168.10.10's password: (enter the remote server's password here)
    Number of key(s) added: 1
    Now try logging into the machine, with: "ssh '192.168.10.10'"
    and check to make sure that only the key(s) you wanted were added.

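Step 3: Configure the server so that it allows only key authentication and refuses traditional password authentication. Remember to save the configuration file after editing it and to restart the sshd service.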

    [root@linuxprobe ~]# vim /etc/ssh/sshd_config 
    ……………… part of the output omitted ………………
    # To disable tunneled clear text passwords, change to no here!
    #PasswordAuthentication yes
    #PermitEmptyPasswords no
    PasswordAuthentication no
    ……………… part of the output omitted ………………
    [root@linuxprobe ~]# systemctl restart sshd
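
Step 3 only takes effect if the `PasswordAuthentication no` line is the one sshd actually honours. The following is an added example, not part of the original page: a shell check that applies sshd's first-value-wins rule to constructed sample files. The function names and sample files are hypothetical, and `Include` files and `Match` blocks are not evaluated.

```sh
#!/bin/sh
# Added example (not from the original page). sshd_config(5): keywords are
# case-insensitive and the FIRST value obtained for a keyword is used, so a
# "PasswordAuthentication no" placed below an active "yes" has no effect.
# Assumptions: Include files are not followed; only the global section
# (everything before the first Match line) is examined.

# effective_sshd_option FILE KEYWORD DEFAULT -> prints the value in effect
effective_sshd_option() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v dflt="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]/)          # keyword ends at blank or "="
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))
            val = substr(line, n + 1)
            gsub(/^[ \t=]+|[ \t]+$/, "", val)  # trim separators around value
            if (key == "match") exit           # global section ends here
            if (key == want) { print val; found = 1; exit }
        }
        END { if (!found) print dflt }
    ' "$1"
}

# password_auth_disabled FILE -> exit status 0 only if passwords are refused
password_auth_disabled() {
    [ "$(effective_sshd_option "$1" PasswordAuthentication yes)" = "no" ]
}

# Constructed sample files (not real server configs).
write_samples() {
    printf '%s\n' '#PasswordAuthentication yes' '#PermitEmptyPasswords no' \
        'PasswordAuthentication no' > "$1/good.conf"
    printf '%s\n' 'passwordauthentication yes' '# appended later:' \
        'PasswordAuthentication no' > "$1/shadowed.conf"
    printf '%s\n' '#PasswordAuthentication no' > "$1/commented.conf"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in good shadowed commented; do
    if password_auth_disabled "$demo_dir/$f.conf"; then s=disabled; else s=ENABLED; fi
    echo "$f.conf: password login $s"
done
rm -rf "$demo_dir"
```

On a live server, `sshd -T | grep -i passwordauthentication` run as root prints the value sshd itself resolves, with `Include` files taken into account.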

Step 4: Try logging in to the server from the client. The login now succeeds without a password being entered.

    [root@linuxprobe ~]# ssh 192.168.10.10
    Last login: Mon Apr 13 19:34:13 2017