Setting up SSH key authentication and prompt-free logins

Suppose I bring up a new machine: besides the basic initialization, I also need a dedicated account that the application runs under, to be used for deployment.

Create the account on the managed host

Add an account and password, and allow it to escalate privileges

useradd devops
passwd devops

Setting the password can be collapsed into a single command

[root@samchu ~]# echo "1qaz2wsx" | passwd --stdin devops
Changing password for user devops.
passwd: all authentication tokens updated successfully.

Add the account to sudo

usermod -aG wheel devops

Allow sudo to run without a password

sudo visudo

This opens /etc/sudoers

Add the line

devops ALL=NOPASSWD: ALL

Change the SSH idle timeout

If you get disconnected partway through an install, the session was probably treated as idle

sed -i "s/ClientAliveInterval 300/ClientAliveInterval 1800/g" /etc/ssh/sshd_config

Restart the SSH daemon

systemctl restart sshd.service

Generate a key pair

If the key you were given is in pem format, you can convert it like this:
PuTTYgen -> Load existing private key -> Parameters (RSA 2048) -> Conversions -> Export OpenSSH Key

If you're not sure whether the machine already has one, check

$ ls ~/.ssh/id_rsa*
ls: cannot access /home/sam/.ssh/id_rsa*: No such file or directory

If there is nothing usable, just generate your own

$ ssh-keygen -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/home/sam/.ssh/id_rsa):
Created directory '/home/sam/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/sam/.ssh/id_rsa.
Your public key has been saved in /home/sam/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:H39JL7jENrRFYoKGhssbyZrpDvJPqASPc1elEvkMrCw sam@localhost.localdomain
The key's randomart image is:
+---[RSA 4096]----+
| |
| . o . . |
| * o + . o . |
| . + O + o o |
|E o B = S . . o |
|.+ = = . = = o |
|=.B + . O + .|
|oB o o + . |
|..+.. . |
+----[SHA256]-----+

Now you have a public/private key pair

$ ls ~/.ssh/id_rsa*
/home/sam/.ssh/id_rsa /home/sam/.ssh/id_rsa.pub

Install the public key on the managed host

Copy the public key over

scp ~/.ssh/id_rsa.pub devops@${TARGET_IP}:~/.ssh/authorized_keys

On the managed host, fix the permissions

sudo chmod 700 -R ~/.ssh && chmod 600 ~/.ssh/authorized_keys

If you already have a fixed key

Once the new machine is up and the account is created, just run the following and you're done.
Run on the Linode host (as root)

mkdir -p /home/devops/.ssh

cat << 'EOF' > /home/devops/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDNx0v6+eftUgswdJaNyafRpK4mO2+D93FYOT10k+7KHSAacgkd4n/L7M0qlvb066RahCsuiowmEtp9kjLxVlqF9uQDlRMVN+Yorduui +8A3mXvqNPfMYvCYVinP6adl/+9SrOadSP20bBXQHXBpgz0q1SHBTsI4ETfplBKwfAx2hCy08IcZwcafITVOSRa5/SN+w== sam@zhushanglide-MacBook-Air.local
EOF

chown devops:devops /home/devops/.ssh -R
chmod 700 -R /home/devops/.ssh && chmod 600 /home/devops/.ssh/authorized_keys

Disallow root logins over SSH

Once the devops account can log in without a password, remote root login can be turned off

sed -i "s/#PermitRootLogin yes/PermitRootLogin no/g" /etc/ssh/sshd_config

Disable SSH password authentication

sed -i "s/PasswordAuthentication yes/PasswordAuthentication no/g" /etc/ssh/sshd_config
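As an added example (not code from the original post), here are idempotent shell versions of the authorized_keys and sshd_config steps above: the post's sed calls only match when the exact text is already in the file, whereas these set each option whether it is present, commented out or missing, and can be run twice without duplicating anything. The function names, the path parameters and the key path in the usage comment are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: idempotent versions of the
# authorized_keys and sshd_config steps. The post's sed calls only match the
# exact text; these set each option whether present, commented out or missing.

# set_sshd_option CONFIG KEY VALUE: rewrite any existing (or commented-out)
# "KEY ..." line as "KEY VALUE", else append. Appending lands at end of file,
# so on a config with Match blocks move the line above them.
set_sshd_option() {
    cfg=$1; key=$2; val=$3
    if grep -Eq "^[#[:space:]]*$key([[:space:]]|\$)" "$cfg"; then
        sed -i -E "s|^[#[:space:]]*$key([[:space:]].*)?\$|$key $val|" "$cfg"
    else
        printf '%s %s\n' "$key" "$val" >> "$cfg"
    fi
}

# get_sshd_option CONFIG KEY: the value sshd would use (first non-comment
# match wins; keyword matching is case-insensitive, as in sshd).
get_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# harden_sshd_config CONFIG: the three sshd settings changed in the post.
harden_sshd_config() {
    set_sshd_option "$1" ClientAliveInterval 1800
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" PasswordAuthentication no
}

# install_authorized_key HOME_DIR OWNER PUBKEY_LINE: create HOME_DIR/.ssh with
# the modes sshd's StrictModes requires, add the key only if that exact line
# is absent, chown to OWNER (skipped when OWNER is empty, e.g. unprivileged tests).
install_authorized_key() {
    home=$1; owner=$2; pubkey=$3
    mkdir -p "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    grep -qxF -- "$pubkey" "$home/.ssh/authorized_keys" \
        || printf '%s\n' "$pubkey" >> "$home/.ssh/authorized_keys"
    chmod 700 "$home/.ssh"
    chmod 600 "$home/.ssh/authorized_keys"
    [ -z "$owner" ] || chown -R "$owner:$owner" "$home/.ssh"
}

# On a real host (as root), once the devops account and its sudo rule exist:
#   install_authorized_key /home/devops devops "$(cat /path/to/id_rsa.pub)"
#   harden_sshd_config /etc/ssh/sshd_config && sshd -t && systemctl restart sshd
# Keep your current session open until a key login from a second terminal works.
```

`sshd -t` validates the config before the restart, so a typo cannot leave you locked out of the host.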

Creative Commons license
SAM's Programming Notes by Zhu Shang-Li is released under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license.