Title: How do I log in to a Linux system using a public/private key pair? (How to use Authorized Key by ssh for login?)
Author: wc_big_pig天尊 Time: 2007-12-5 17:45
====[Root section---start]=========================================================================
The config file below is the contents of /etc/ssh/sshd_config on FC4
--------------------------------------------------------------------------------------
Code:
# $OpenBSD: sshd_config,v 1.70 2004/12/23 23:11:00 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
Port 22
#Protocol 2,1
# Because Protocol 1 is not safe, I don't use it, to avoid attacks.
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768
# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
LogLevel INFO
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#ShowPatchLevel no
# no default banner path
#Banner /some/path
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
---------------------------------------------------------------------------------------
The above is the contents of /etc/ssh/sshd_config on FC4, but it is for reference only; I can't guarantee it is entirely correct,
so copying it verbatim won't necessarily work. Please adjust it to the actual situation of your system and its surroundings.
=======================================================
0. Preparation:
Puttygen.exe → http://the.earth.li/~sgtatham/putty/latest/x86/puttygen.exe
Putty.exe → http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
Pietty.exe (recommended: it supports Chinese input and SCP file upload.)
→ http://ntu.csie.org/~piaip/pietty/stable/pietty0327.exe
WinSCP3 → http://winscp.net/eng/
==============================================
1. Edit /etc/ssh/sshd_config
# In sshd_config, find the options that match the list below and remove the leading # from each:
Protocol 2
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PermitRootLogin yes
# Find the ChallengeResponseAuthentication yes option and change it to no, as follows:
# (Explanation: this is the password-login option; it must be changed to no, so that anyone who does not hold the private key cannot log in)
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
Also change PasswordAuthentication yes
to PasswordAuthentication no
# The following options are optional
SyslogFacility AUTHPRIV (or SyslogFacility AUTH)
LogLevel INFO
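As an added example (not part of the original post), a small POSIX shell audit that checks whether a piece of sshd_config text actually has the key-only settings above in effect. It assumes the `Keyword value` form used on this page (not `Keyword=value` or Match blocks) and runs on constructed sample configs. It also shows why order matters: sshd uses the first uncommented value of each keyword, so a corrected line appended below an earlier `PasswordAuthentication yes` has no effect.

```shell
#!/bin/sh
# Audit sshd_config text for the key-only login settings this post recommends.
# sshd honours the FIRST uncommented value of each keyword, so a duplicate
# appended at the end of the file (a common mistake) is silently ignored.

# effective_value CONFIG_TEXT KEYWORD -> first active value of KEYWORD, or empty
effective_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
        tolower($1) == tolower(key) { print $2; exit }   # first match wins
    '
}

# check_sshd_config CONFIG_TEXT -> prints one line per finding; returns 1 if any
check_sshd_config() {
    _cfg=$1
    _bad=0
    for _pair in PasswordAuthentication=no ChallengeResponseAuthentication=no \
                 PubkeyAuthentication=yes Protocol=2
    do
        _key=${_pair%%=*}
        _want=${_pair#*=}
        _got=$(effective_value "$_cfg" "$_key")
        if [ -z "$_got" ]; then
            echo "FINDING: $_key not set explicitly (sshd default applies); want $_want"
            _bad=1
        elif [ "$_got" != "$_want" ]; then
            echo "FINDING: $_key is '$_got' (first occurrence wins); want $_want"
            _bad=1
        fi
    done
    return $_bad
}

# Constructed sample: the post's settings, in the intended state.
SAMPLE_GOOD='Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no'

# Constructed sample: the last line looks right, but the earlier "yes" wins.
SAMPLE_BAD='Protocol 2
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no'

check_sshd_config "$SAMPLE_GOOD" && echo "sample_good: OK"
check_sshd_config "$SAMPLE_BAD" || echo "sample_bad: password login still possible"
```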
When you are logged in as root and run ssh-keygen, the path shown will be:
Enter file in which to save the key (/root/.ssh/id_dsa):
When you are logged in as splin and run ssh-keygen, the path shown will be:
Enter file in which to save the key (/home/splin/.ssh/id_dsa):
So whichever of the above appears, if it shows the default path (/home/splin/.ssh/id_dsa) just press Enter to skip it;
you then don't need to type → /home/splin/.ssh/id_dsa (path and filename included). Which path appears depends on which ID you logged in to the system with.
Enter passphrase (empty for no passphrase):
Enter the passphrase that protects the private key. It does not need to be the same as your system password, and it absolutely should not be the same.