Public Key (asymmetric) authentication uses a pair of related keys, a Key Pair consisting of one Public Key and one Private Key, in place of the traditional password. As the name suggests, the Public Key is meant to be made public: it can be placed into your own account on the SSH server, while the Private Key is kept only by you and is used to prove your identity.
Data encrypted with a Public Key can only be decrypted with the corresponding Private Key. During authentication, the holder of a Public Key can therefore encrypt something and send it to the holder of the matching Private Key; if both communicating parties hold each other's Public Key (each keeping its own Private Key to itself), the Key Pairs can be used to exchange information securely and so achieve mutual authentication. In practice, we place our own Public Key on the server through a secure channel and keep the Private Key ourselves (stored encrypted under a passphrase), while the server's Public Key is usually stored on the local client the first time we log in to that server (strictly speaking, the server's Public Key should also reach the local client through a secure channel, to prevent someone else from using their own Public Key to impersonate the server at login).
II. Advantages of Public Key authentication over Password authentication
The commonly used SSH authentication methods are:
a. Host/IP-based (rhosts) authentication: a given host (IP) is trusted and allowed to log in. This method is vulnerable to IP spoofing attacks.
b. Kerberos authentication: a large, domain-based authentication system. It is highly secure, but too big and too complex to deploy conveniently.
c. PAM authentication: similar to traditional password authentication; an authentication and accounting module shipped with most Unix/Linux systems. Its functionality is fairly complex and it is troublesome to configure, and misconfiguration easily leads to security problems.
d. Traditional Unix/Linux password authentication: the account password is entered directly on the client and sent, encrypted by SSH, to the server for verification.
Among the many SSH login authentication methods, traditional single-password authentication is the most widely used, so here we mainly compare Password authentication and Public Key authentication in SSH. Password authentication has the following obvious drawbacks:
```
SYSIN-SRV# ssh-keygen -t rsa   # optional parameter -b 2048, the default on CentOS 7
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:MfZHl/b8XhGTU59fhLHptmzNFnhCrorySvGojyb69dM root@SYSIN-SRV   # root@SYSIN-SRV is the current username@hostname; it can be deleted from the public key file
The key's randomart image is:
+---[RSA 2048]----+
|+= = . . .... |
|O.E + o . |
|*+ o . . |
|+o. . . o. . . |
|+ o o .SBo . |
| . + oo++=+ |
| o +. o.+. |
| . o.. o . |
| . ... .. |
+----[SHA256]-----+
```
```
## Cisco does not accept the entire key pasted into one long line, so you need to break it into multiple lines.
## The maximum line length at the Cisco CLI is 254 characters, but it's convenient to wrap smaller than this so that it fits on a terminal line.
$ fold -b -w 72 ~/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDefQcDto4gCHqf0umUCAY1O7GHPwU+Se92
aUHVkVI4Kd8sJVFoQKjvMga9dRm12zGDDO/wM9tSHWKc+msARsz2m6h1HbsiR7CoOTPtTuDc
/BN3m7Q7SGXzf51AI3tvOQ4IhlDwRMFBLGTFVVDjpYMDZjwZNEwCBbeZMETNUedCvbyduEmO
aZIm5LzCQ5upPG+uEMsP5Sh8XQX5vK8P5P04EmCAEqned5FmHMrPI3kGfabxRhiLa7Ujv3gM
h4z59tKmVsoMyKXU3gf+561D9BdvuTo+gvtUElghBvz3wiPA45KW7LL2INBXiJ89p0iOmkiA
EnxkDdsXpq+GEj2PaiE9
```
Configuration on Cisco IOS
```
conf t
username admin privilege 15   // create an account "admin" that has no password
ip ssh pubkey-chain
username admin
key-string
<< paste your multi-line public key here >>
exit
```
Verification
```
show run | beg pubkey
```
2. Other configuration
Security settings
```
## Disable SSH v1
ip ssh version 2
## Disable telnet
line vty 0 15
transport input ssh
```
Multiple keys
```
## It is possible to have multiple public keys against the same user in the configuration, so that multiple people can login using the same account. Just add further keys as shown above. When you show the configuration, it will look like this:
## You can remove passwords from users in the configuration; this will force those users to use ssh key authentication. If these people require admin rights they will either still need to know the enable secret, or their login can drop them directly into enable mode:
username foo privilege 15
## Example:
no username admin
username admin privilege 15
```
Disable passwords entirely
Global setting: remote access with a password is no longer possible!!!
```
## If you wish to disable password authentication entirely over ssh, but leave passwords on user accounts for other purposes (e.g. console access), then use:
## Disable SSH password authentication, but keep the user passwords for console login
no ip ssh server authenticate user password
no ip ssh server authenticate user keyboard
```
Security recommendation:
When the device is reachable from a public IP address, enabling this is recommended, especially if the configured usernames are sensitive ones such as root or admin: remove the password and authenticate with the public key only.
```
N9K# show user-account sysin
user:sysin
        this user account has no expiry date
        roles:network-admin
        no password set. Local login not allowed   // no password is set, so only remote login is possible
        Remote login through RADIUS/TACACS+ is possible
        ssh public key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDefQcDto4gCHqf0umUCAY1O7GHPwU+Se92aUHVkVI4Kd8sJVFoQKjvMga9dRm12zGDDO/wM9tSHWKc+msARsz2m6h1HbsiR7CoOTPtTuDc/BN3m7Q7SGXzf51AI3tvOQ4IhlDwRMFBLGTFVVDjpYMDZjwZNEwCBbeZMETNUedCvbyduEmOaZIm5LzCQ5upPG+uEMsP5Sh8XQX5vK8P5P04EmCAEqned5FmHMrPI3kGfabxRhiLa7Ujv3gMh4z59tKmVsoMyKXU3gf+561D9BdvuTo+gvtUElghBvz3wiPA45KW7LL2INBXiJ89p0iOmkiAEnxkDdsXpq+GEj2PaiE9
```
4. Verification
Log in to the switch over SSH from a Linux host and run a command; there is no password prompt at all:
```
SYSIN-SRV# ssh [email protected] "sh system uptime"
Warning: the output may not have all the roles
System start time:     Tue May 29 17:51:30 2012
System uptime:         7 days, 19 hours, 42 minutes, 15 seconds
Kernel uptime:         7 days, 19 hours, 45 minutes, 17 seconds
```
Do not manually change the files in this directory! The ssh keys in this directory are generated at first boot and are unique to your machine. These keys are needed for communication with the SCCP.
To generate new keys, please run `keyswap.sh sccp`.
```
[root@localhost:Active:Standalone] config # find / -name authorized_keys
/shared/ssh/root/authorized_keys
/root/.ssh/authorized_keys
find: '/proc/13236': No such file or directory
find: '/proc/13267': No such file or directory
find: '/opt/.sdm/proc/13324': No such file or directory
```
Tick "Use only client certificate authentication (Web)" and no password needs to be created for the account (when editing an existing user and ticking this option, the user's existing password remains valid).
Such a user can then no longer log in over SSH with a password, since there is none, and will also be unable to log in to the Web UI.
2.2 Using the CLI
Create a user account sa1 that uses both password and key authentication
```
set mgt-config users sa1 password
Enter password   :
Confirm password :
set mgt-config users sa1 permissions role-based superuser yes
set mgt-config users sa1 public-key <base64-encoded-public-key>
## Note: public-key uses the Base64-encoded format; the key can be converted via the Web UI
```
Create a user account sa2 that uses key authentication only (this user cannot log in to the GUI)
```
set mgt-config users sa2 permissions role-based superuser yes
set mgt-config users sa2 client-certificate-only yes
set mgt-config users sa2 public-key <base64-encoded-public-key>
## Note: public-key uses the Base64-encoded format; the key can be converted via the Web UI
```
IX. Fortinet FortiOS
The following was tested on FortiOS 6.0
Generating the key
An RSA 2048-bit key is normally used; see the Linux generation method above.
Syntax
```
config system admin
    edit admin
        set ssh-public-key1 "<key-type> <key-value>"
    next
end
```
Example
Note the format: do not include the leading and trailing `---- BEGIN SSH2 PUBLIC KEY ----` / `---- END SSH2 PUBLIC KEY ----` lines or the comment (`[2048-bit dsa,…]`).
Example that also removes the password already set on the account (a new account does not need a password set):
```
config system admin
    edit admin
        set ssh-public-key1 "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDefQcDto4gCHqf0umUCAY1O7GHPwU+Se92aUHVkVI4Kd8sJVFoQKjvMga9dRm12zGDDO/wM9tSHWKc+msARsz2m6h1HbsiR7CoOTPtTuDc/BN3m7Q7SGXzf51AI3tvOQ4IhlDwRMFBLGTFVVDjpYMDZjwZNEwCBbeZMETNUedCvbyduEmOaZIm5LzCQ5upPG+uEMsP5Sh8XQX5vK8P5P04EmCAEqned5FmHMrPI3kGfabxRhiLa7Ujv3gMh4z59tKmVsoMyKXU3gf+561D9BdvuTo+gvtUElghBvz3wiPA45KW7LL2INBXiJ89p0iOmkiAEnxkDdsXpq+GEj2PaiE9"
        unset password "<current password of the account>"
    next
end
```
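Before a key is pasted into any of the devices above it is worth checking that the text really is the key whose fingerprint ssh-keygen printed, and then producing the shape each vendor wants: the folded lines for Cisco IOS (the `fold -b -w 72` step earlier), the Base64-encoded value PAN-OS expects, and the bare `<key-type> <key-value>` FortiOS wants. The Python below is an added example, not code from this page or from any of the vendors; it uses only the standard library, takes the public key shown on this page as its sample input, and assumes for the PAN-OS helper that the `<type> <value>` text is what gets Base64-encoded.

```python
import base64
import hashlib
import struct

SAMPLE_PUBKEY = (  # sample input: the one-line OpenSSH public key shown on this page
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDefQcDto4gCHqf0umUCAY1O7GHPwU+Se92"
    "aUHVkVI4Kd8sJVFoQKjvMga9dRm12zGDDO/wM9tSHWKc+msARsz2m6h1HbsiR7CoOTPtTuDc"
    "/BN3m7Q7SGXzf51AI3tvOQ4IhlDwRMFBLGTFVVDjpYMDZjwZNEwCBbeZMETNUedCvbyduEmO"
    "aZIm5LzCQ5upPG+uEMsP5Sh8XQX5vK8P5P04EmCAEqned5FmHMrPI3kGfabxRhiLa7Ujv3gM"
    "h4z59tKmVsoMyKXU3gf+561D9BdvuTo+gvtUElghBvz3wiPA45KW7LL2INBXiJ89p0iOmkiA"
    "EnxkDdsXpq+GEj2PaiE9 root@SYSIN-SRV"
)

def parse_openssh_pubkey(line):
    """Parse 'type base64 [comment]'; return (key_type, modulus_bits, e, fingerprint) or raise ValueError."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)  # rejects stray characters
    items, pos = [], 0
    while pos < len(blob):              # SSH wire format: 4-byte big-endian length + payload per field
        if pos + 4 > len(blob):
            raise ValueError("truncated key blob")
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + n > len(blob):
            raise ValueError("truncated key blob")
        items.append(blob[pos:pos + n])
        pos += n
    if not items or items[0] != key_type.encode():
        raise ValueError("key type in text does not match the encoded blob")
    if key_type != "ssh-rsa" or len(items) != 3:
        raise ValueError("only ssh-rsa keys are handled here")
    e, modulus = int.from_bytes(items[1], "big"), int.from_bytes(items[2], "big")
    # ssh-keygen's fingerprint format: base64(SHA256(blob)) with the '=' padding removed.
    fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return key_type, modulus.bit_length(), e, fp

def for_fortios(line):
    """FortiOS ssh-public-key1 wants '<key-type> <key-value>': no comment, no RFC 4716 wrapper."""
    return " ".join(line.split()[:2])

def for_cisco_ios(line, width=72):
    """Cisco IOS key-string: the same text folded like 'fold -b -w 72' (CLI limit is 254 per line)."""
    text = for_fortios(line)
    return [text[i:i + width] for i in range(0, len(text), width)]

def for_panos(line):
    """PAN-OS 'public-key' takes the key text Base64-encoded once more (assumed: type and value)."""
    return base64.b64encode(for_fortios(line).encode()).decode()
```

Compare the returned fingerprint with the one ssh-keygen printed when the key was generated; a mismatch means the pasted text is not that key.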
```
## Enable SSH service on the switch using the following command:
root@Juniper# set system services ssh
## Generate the SSH key on a device running Junos OS by logging into the shell prompt as a root user:
root@Juniper> start shell
root@Juniper% ssh-keygen -t rsa
## Once the keys are generated we can associate the key with the "userid" using the following command.
root@Juniper# set system login user <userid> uid 2000
root@Juniper# set system login user <userid> class super-user
root@Juniper# set system login user <userid> authentication load-key-file /root/.ssh/id_rsa.pub
```
After running the above configuration commands, it will create a directory with <userid> in /var/home and the authorized_key for SSH will be created.
When an upgrade/downgrade is performed, the files id_rsa and id_rsa.pub, which are locally created and are not part of configuration, will not be restored. Hence we will have to copy the contents of the /root/.ssh directory and put them back after the upgrade/downgrade is complete. We also will have to associate the user with the key using the following CLI command:
```
root@Juniper# set system login user <userid> authentication load-key-file /root/.ssh/id_rsa.pub
```
```
## Log in as root and upload the public key file id_rsa.pub to /root/.ssh/ (the .ssh directory must be created first)
start shell
cd /root
mkdir .ssh
cd .ssh
## In a cluster, also copy id_rsa.pub to the other node, node1
rcp -T /root/.ssh/id_rsa.pub node1:/root/.ssh/
rlogin -T node1
ls /root/.ssh/id_rsa.pub
## Create the account; if the account already exists with password authentication, it will use pub-key authentication as well
set system login user <username> class super-user authentication load-key-file /root/.ssh/id_rsa.pub
## Example: key authentication only, removing password authentication
set system login user sysin class super-user authentication load-key-file /root/.ssh/id_rsa.pub
delete system login user sysin authentication encrypted-password   # remove the existing password authentication of the account
## Example: both password and key authentication
set system login user sysin class super-user authentication plain-text-password
set system login user sysin class super-user authentication load-key-file /root/.ssh/id_rsa.pub
## To delete a user: delete system login user <username>
## Deny SSH login for the root account
set system services ssh root-login deny
## Restore
set system services ssh root-login allow
```