0. ssh-keygen?
- A server can be reached over ssh using several different authentication methods.
- The simplest is a password, but that is weak from a security standpoint.
- ssh-keygen generates, manages and converts the authentication keys used for ssh access.
- Generating a key produces a public key and a private key, which work as a pair.
- The client, which holds both keys, hands the public key to the server it wants to reach; the server encrypts data with that public key and sends it to the client, and the client decrypts it with its private key to authenticate.
- The client requests an ssh connection to the server
- The server sends a message to the client
- The client encrypts the message with its private key and sends it back to the server
- The server decrypts the message with the public key, compares it with the one it sent, and allows the connection
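The exchange described above, played out with ssh-keygen's own signing mode (-Y sign / -Y verify, OpenSSH 8.0 or newer). This is an added example, not code from the original post; the "encrypt with the private key" step is, in OpenSSH terms, a signature. The function names, the namespace "ssh-demo" and the principal "client" are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names: verify_msg, keyauth_demo,
# namespace "ssh-demo", principal "client". Requires ssh-keygen >= 8.0.

# verify_msg WORKDIR MESSAGE_FILE SIG_FILE: the server side. It holds only the
# public key (allowed_signers) and succeeds only if the signature fits the message.
verify_msg() {
    ssh-keygen -Y verify -f "$1/allowed_signers" -I client -n ssh-demo \
        -s "$3" < "$2" >/dev/null 2>&1
}

# keyauth_demo: returns 0 when the genuine client is accepted AND a tampered
# message or a signature from an unknown key is rejected.
keyauth_demo() {
    w=$(mktemp -d) || return 1
    # Client: key pair; only the .pub half is handed to the server.
    ssh-keygen -q -t ed25519 -N '' -f "$w/id_ed25519" -C client
    awk '{print "client", $1, $2}' "$w/id_ed25519.pub" > "$w/allowed_signers"

    # Server: a fresh challenge (constructed here from the time and the pid).
    printf 'challenge:%s:%s\n' "$(date +%s)" "$$" > "$w/msg"

    # Client: signs the challenge with the private key -> msg.sig
    ssh-keygen -Y sign -f "$w/id_ed25519" -n ssh-demo "$w/msg" 2>/dev/null

    # Server: checks the reply with the public key it was given.
    ok=0
    if verify_msg "$w" "$w/msg" "$w/msg.sig"; then
        # Tampered message with the old signature must be refused.
        printf 'challenge:tampered\n' > "$w/bad"
        # Signature from a key the server never received must be refused too.
        cp "$w/msg" "$w/msg2"
        ssh-keygen -q -t ed25519 -N '' -f "$w/other" -C other
        ssh-keygen -Y sign -f "$w/other" -n ssh-demo "$w/msg2" 2>/dev/null
        if ! verify_msg "$w" "$w/bad" "$w/msg.sig" &&
           ! verify_msg "$w" "$w/msg2" "$w/msg2.sig"; then
            ok=1
        fi
    fi
    rm -rf "$w"
    [ "$ok" -eq 1 ]
}
```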
1. The server must first have openssh-server installed
root@9f04b88fd5c9:~/.ssh# apt install openssh-server
.......
Creating config file /etc/ssh/sshd_config with new version
Creating SSH2 RSA key; this may take some time ...
3072 SHA256:T8fDeZzwh3pewr1wKAZfr+10/VUKi8jOaiD6rPEFqm4 root@9f04b88fd5c9 (RSA)
Creating SSH2 ECDSA key; this may take some time ...
256 SHA256:Yg4bhoYAjeOMELL8rzr3qB21DW/VJMoFHCpTCo41FiI root@9f04b88fd5c9 (ECDSA)
Creating SSH2 ED25519 key; this may take some time ...
256 SHA256:+of2GRnu56b74hHC5B8Vh0PvARTv7dioVUT2V4rmxeQ root@9f04b88fd5c9 (ED25519)
invoke-rc.d: could not determine current runlevel
invoke-rc.d: policy-rc.d denied execution of start.
Created symlink /etc/systemd/system/sockets.target.wants/ssh.socket → /usr/lib/systemd/system/ssh.socket.
Created symlink /etc/systemd/system/ssh.service.requires/ssh.socket → /usr/lib/systemd/system/ssh.socket.
=====================================================================
# While openssh-server is being installed, the server automatically generates its own host key pair (private key and public key).
# When a client connects to the server for the first time, the server presents this public key to the client.
# The client stores the server's public key in its known_hosts file.
=====================================================================
========================== The keys below were generated automatically when openssh-server was installed ===========================
root@9f04b88fd5c9:/etc/ssh# ll | grep ssh_host
-rw------- 1 root root 513 Jul 6 02:06 ssh_host_ecdsa_key
-rw-r--r-- 1 root root 179 Jul 6 02:06 ssh_host_ecdsa_key.pub
-rw------- 1 root root 411 Jul 6 02:06 ssh_host_ed25519_key
-rw-r--r-- 1 root root 99 Jul 6 02:06 ssh_host_ed25519_key.pub
-rw------- 1 root root 2602 Jul 6 02:06 ssh_host_rsa_key
-rw-r--r-- 1 root root 571 Jul 6 02:06 ssh_host_rsa_key.pub
=====================================================================
2. ssh server configuration
mkdir -p /run/sshd
# Create the directory sshd needs at startup
/usr/sbin/sshd
# Start the ssh server
root@9f04b88fd5c9:/etc/ssh# ps aux | grep sshd
root 4202 0.0 0.0 12020 1132 ? Ss 02:19 0:00 sshd: /usr/sbin/sshd [listener] 0 of 10-100 startups
root 4204 0.0 0.0 3528 1672 pts/0 S+ 02:19 0:00 grep --color=auto sshd
apt install net-tools
root@9f04b88fd5c9:~# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
8: eth0@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::42:acff:fe11:2/64 scope link
valid_lft forever preferred_lft forever
root@9f04b88fd5c9:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.17.0.2 netmask 255.255.0.0 broadcast 172.17.255.255
inet6 fe80::42:acff:fe11:2 prefixlen 64 scopeid 0x20<link>
ether 02:42:ac:11:00:02 txqueuelen 0 (Ethernet)
RX packets 51630 bytes 63312532 (63.3 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 17608 bytes 1181314 (1.1 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 3689 bytes 422236 (422.2 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3689 bytes 422236 (422.2 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
sudo vi /etc/ssh/sshd_config
# Enable PasswordAuthentication and PubkeyAuthentication in this file
sudo systemctl restart sshd
# Then restart
root@jeongjihong:/etc/ssh# ssh root@localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ED25519 key fingerprint is SHA256:Rc27DtY2DktvdBLniVfTF3VLmh2W6TN0vXKcaQVEBpo.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? y
Please type 'yes', 'no' or the fingerprint: yes
Warning: Permanently added 'localhost' (ED25519) to the list of known hosts.
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.146.1-microsoft-standard-WSL2 x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
* Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
just raised the bar for easy, resilient and secure K8s cluster deployment.
https://ubuntu.com/engage/secure-kubernetes-at-the-edge
Last login: Sat Jul 6 01:28:01 2024
# Connected like this
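The "authenticity of host ... can't be established" prompt above is the moment to compare the fingerprint with the server's host key obtained out of band (for example from ssh-keygen -lf on the server console). The following is an added example, not part of the original post, showing that comparison and the known_hosts lookup that follows; the function names and the constructed demo key are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names: host_fingerprint,
# fingerprint_matches, known_host_entry, hostkey_demo.

# host_fingerprint PUBKEY_FILE: the SHA256 fingerprint exactly as ssh prints it
host_fingerprint() {
    ssh-keygen -lf "$1" | awk '{print $2}'
}

# fingerprint_matches PUBKEY_FILE EXPECTED: 0 iff the out-of-band value matches
fingerprint_matches() {
    [ "$(host_fingerprint "$1")" = "$2" ]
}

# known_host_entry KNOWN_HOSTS HOSTNAME: 0 iff the host already has an entry
# (-F also finds hashed entries written under HashKnownHosts yes)
known_host_entry() {
    ssh-keygen -F "$2" -f "$1" 2>/dev/null | grep -q '^# Host '
}

# hostkey_demo: a constructed host key stands in for /etc/ssh/ssh_host_ed25519_key.pub
hostkey_demo() {
    w=$(mktemp -d) || return 1
    ssh-keygen -q -t ed25519 -N '' -f "$w/ssh_host_ed25519_key" -C root@demo-host
    pub="$w/ssh_host_ed25519_key.pub"
    fp=$(host_fingerprint "$pub")   # what the admin reads on the server console
    # What "Permanently added 'localhost' (ED25519)" leaves behind on the client:
    awk '{print "localhost", $1, $2}' "$pub" > "$w/known_hosts"
    r=1
    fingerprint_matches "$pub" "$fp" &&
        ! fingerprint_matches "$pub" "SHA256:notTheRealHostKeyFingerprint" &&
        known_host_entry "$w/known_hosts" localhost &&
        ! known_host_entry "$w/known_hosts" other-host && r=0
    rm -rf "$w"
    return $r
}
```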
3. Key generation
sudo yum install -y openssh-clients
sudo apt-get update
sudo apt-get install -y openssh-client
root@9f04b88fd5c9:/# ssh-keygen -t rsa -N '' -f ~/.ssh/id_rsa
Generating public/private rsa key pair.
Created directory '/root/.ssh'.
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:rW4ye+OswGV1BnC3MBvaPaC0FrO3rwJA3vCWr7Z7HMA root@9f04b88fd5c9
The key's randomart image is:
+---[RSA 3072]----+
| =.B . |
| o . X X . |
| o = .* = * |
| o E. o = . |
| o oo S . |
| ..oo o |
| o+ .. . |
| o.*o+. |
| .o+oX=. |
+----[SHA256]-----+
=====================================================
An RSA key has been generated.
-t rsa -> generate the key with the RSA algorithm
-N '' -> set the passphrase to an empty string
-f ~/.ssh/id_rsa -> the location and name under which the key file is saved
=====================================================
Passphrase
-> a password-like string used to protect encrypted data or systems
-> must be entered every time the key is used
=====================================================
root@9f04b88fd5c9:~/.ssh# cat id_rsa.pub
ssh-rsa publickey
=====================================================
root@9f04b88fd5c9:~/.ssh# cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
ngSQ5rWEfTckkAAAARcm9vdEA5ZjA0Yjg4ZmQ1YzkBAg==
-----END OPENSSH PRIVATE KEY-----
=====================================================
root@9f04b88fd5c9:~/.ssh# ssh-keygen -t rsa -N '' -f ~/.ssh/id_rsa
Generating public/private rsa key pair.
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:HtcSuKI+OxvgNhF8SMux3/bwIZVvS7D2XUMtE6Fs1jY root@9f04b88fd5c9
The key's randomart image is:
+---[RSA 3072]----+
| o o. |
| + = o . o o |
| B . = . = E .|
| + . . = = o + |
| o . * S * . o |
| . o o O B + . . |
| + o + o . |
| . oo. |
| += |
+----[SHA256]-----+
When overwriting, as shown above, it asks again.
If you overwrite, the public key has to be distributed again to every server you had already authenticated with, and you have to authenticate again.
touch ~/.ssh/authorized_keys
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
root@9f04b88fd5c9:~# ssh root@172.18.202.25
The authenticity of host '172.18.202.25 (172.18.202.25)' can't be established.
ED25519 key fingerprint is SHA256:Rc27DtY2DktvdBLniVfTF3VLmh2W6TN0vXKcaQVEBpo.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? y
Please type 'yes', 'no' or the fingerprint: yes
Warning: Permanently added '172.18.202.25' (ED25519) to the list of known hosts.
root@172.18.202.25's password:
Permission denied, please try again.
root@a3c9b78eb2ef:~/.ssh# ssh root@172.18.202.25
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.146.1-microsoft-standard-WSL2 x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
* Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
just raised the bar for easy, resilient and secure K8s cluster deployment.
https://ubuntu.com/engage/secure-kubernetes-at-the-edge
Last login: Sat Jul 6 09:25:45 2024 from 172.18.192.1
# Connect in the form ssh root@ipAddress -p portNumber.
root@jeongjihong:~# vi ~/.ssh/authorized_keys
ssh-rsa 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 root@jeongjihong
ssh-rsa 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 root@a3c9b78eb2ef
# Add my public key to the server's authorized_keys as shown above...
# Originally....
root@a3c9b78eb2ef:~/.ssh# ssh-copy-id root@172.18.202.25
# ...this is how it is done, but when you try it, it says root@172.18.202.25's password: and you have to enter a password.
# Entering the server's root login password doesn't work..... I don't know why..... Copy-pasting that public key doesn't work either....
ls -l ~/.ssh/id_*.pub
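The checks an administrator runs on the server side when a key placed in ~/.ssh/authorized_keys is still answered with a password prompt: file modes that StrictModes enforces, and the sshd_config keywords from section 2 (PubkeyAuthentication, PasswordAuthentication) plus PermitRootLogin. This is an added example, not code from the original post; the function names are assumptions, it needs GNU stat, and it does not evaluate Match blocks.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names: sshd_opt, mode_has_bits,
# check_pubkey_setup. Requires GNU stat; Match blocks in sshd_config are ignored.

# sshd_opt CONFIG KEYWORD DEFAULT: sshd honours the FIRST occurrence of a keyword,
# so a later "PubkeyAuthentication yes" does not undo an earlier "no".
sshd_opt() {
    v=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    printf '%s\n' "${v:-$3}"
}

# mode_has_bits PATH OCTAL_MASK: true if any bit of the mask is set on PATH
mode_has_bits() {
    [ $(( 0$(stat -c %a "$1") & $2 )) -ne 0 ]
}

# check_pubkey_setup HOME_DIR SSHD_CONFIG: one finding per line; returns 0 only
# when nothing found would stop key login for that account.
check_pubkey_setup() {
    home=$1; cfg=$2; rc=0
    dir="$home/.ssh"; ak="$dir/authorized_keys"
    for f in "$home" "$dir" "$ak"; do
        if [ ! -e "$f" ]; then
            echo "FAIL missing $f"; rc=1
        elif mode_has_bits "$f" 022; then
            # StrictModes (default yes) silently ignores the key file when the home
            # directory, ~/.ssh or authorized_keys is group- or world-writable.
            echo "FAIL $f is group/world-writable, StrictModes will ignore the key"; rc=1
        fi
    done
    if [ "$(sshd_opt "$cfg" PubkeyAuthentication yes)" != yes ]; then
        echo "FAIL PubkeyAuthentication is off (first occurrence in $cfg wins)"; rc=1
    fi
    # Root: the default prohibit-password accepts root keys but refuses root
    # passwords, so a password-based first login as root (what ssh-copy-id needs) fails.
    prl=$(sshd_opt "$cfg" PermitRootLogin prohibit-password)
    case $prl in
        no)  echo "FAIL PermitRootLogin no blocks root entirely"; rc=1 ;;
        yes) echo "WARN PermitRootLogin yes also allows root password login" ;;
        *)   echo "INFO PermitRootLogin $prl: root keys accepted, root passwords refused" ;;
    esac
    if [ "$(sshd_opt "$cfg" PasswordAuthentication yes)" = yes ]; then
        echo "WARN PasswordAuthentication yes: turn it off once keys are distributed"
    fi
    [ "$rc" -eq 0 ] && echo "OK key login prerequisites satisfied"
    return "$rc"
}
```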