Sécurisation SSH : Utilization de clés à la place de password.
Pourquoi des clés ssh et pas des 암호 ?
I y a deux raisons d'utiliser des clés et pas des password pour le SSH, l'une est bonne et l'autre mauvaise. La mauvaise raison est gérer, mémoriser et taper des password. Ce n'est pas le but de la vie car cela est pénible. La bonne est que les passowrd, sur internet, ça ne résiste pas aux attaques de force brute. Un password de 8 caractères, même complexe, est bien moins sécurisé qu'une clé de 4096 bits.
Dans le cloud quand vous laissez un serveur SSH 액세스 가능, en quelques minutes c'est the final bot attaque !!!
J'aime bien dire que la clé privée est une clé, et que la clé publique est une serrure. La clé privée permet d'ouvrir les portes sécurisée avec la clé publique. Évidement si vous pouvez partager la clé publique, il faut précieusement garder secrète la clé privée. La passphrase, est le code secret nécessaire à l’utilisation de la clé privée.
코멘트 empêcher les password dans SSH
Il suffit de mettre à no
le paramètre de PasswordAuthentication
du fichier /etc/ssh/sshd_config
:
pi@pi3:~/.ssh $ grep PasswordAuthentication /etc/ssh/sshd_config
PasswordAuthentication no
Et de redémarrer le serveur ssh ( sshd
)
root@pi3:~> systemctl restart sshd
코멘트 faire une clé ?
Avec puttygen
sous Windows c'est simplissime, il ne faut juste pas oublier de bouger la souris sous la barre verte pour générer de l'aléatoire.
Avec openssh, c'est encore plus simple :
pi@pi3:~/.ssh $ ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/home/pi/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/pi/.ssh/id_rsa.
Your public key has been saved in /home/pi/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:WJfG2b35KlyIkbY+jo+H3dyMKrtJiSoC0JRyIe9ptlw pi@pi3
The keys randomart image is:
+---[RSA 4096]----+
|. .o |
|.o+ . + . |
| =. . *.. . |
|.... o o+ o |
|. = E . S. + .o |
|.+ o . .o . .. |
|. o . o+ + = .|
|. . . .o+= * o. |
| . .. *B+o .. |
+----[SHA256]-----+
pi@pi3:~/.ssh $ cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC0g4DwF...LUSQeFGB7NrP0R9F3A4ose01JCX5kbXp91W6R7Q== pi@pi3
pi@pi3:~/.ssh $ cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,91FE4EEA4EF377C38F0D56DC7BE40B3F
XgeIahCfT+cL/4tUgUDrPY7p3+b5imo/0FGwLLmX3U9pPY6AlbhOksAaglXYUP/r
Q3dGNBO7zDYiiMB3ZIn2rRYlmVShlLT1xCSryFDy/BEnGDPFA8QSVxD+EnOcevtj
akFbUfC2RYBxMMN4/e1mHK00ILUFqGmCYVR0qFU0SH8QB5BrKXbBfYK7LVQxKrKs
...
...
...
GGR/SS22KBTs4KksYPtgYvOu/cxV4LLdNDS0zBGC89txFhSvsfT/+SwC6vyfaf9G
vqbQ59U8VvNQFPkU9v0DfN6lg5/4mFhbDncc92yGqouXEGS/YVwXUx/BCVaYAadd
Ue+B5sxn6T+0VypJK/0cQvnLZ8o2d2SekAde3lMRLP/Bn4VHt/6S5XfY1z1ILnvB
pFmgdzSEzY37bHQedPcqqSqVposf9dZ1zLRHhLyqcKKx7xRLBX7oY4EPSaT8VwvF
7z16A4Fjrkc4twARvpyIRbX2CYqa7ZELo83tIvWTFzZKA99tL6p0upAOME+0zFwm
-----END RSA PRIVATE KEY-----
댓글 pousser sa clé sur un serveur ?
La clé publique doit être mise dans la liste des clés du compte que l’on souhaite accéder. 분류 /home/<<user>>/.ssh/authorized_keys
. Il faut mettre, dans le fichier /etc/ssh/sshd_config
, la clé AuthorizedKeysFile
par défaut à %h/.ssh/authorized_keys
.
Copie de la clé sur un server
pi@pi3:~/.ssh $ ssh-copy-id [email protected]
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/pi/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: WARNING: All keys were skipped because they already exist on the remote system.
(if you think this is a mistake, you may want to use -f option)
pi@pi3:~/.ssh $ ssh [email protected] -i id_rsa
Linux pi4b 4.19.75-v7l+ #1270 SMP Tue Sep 24 18:51:41 BST 2019 armv7l
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Mar 7 11:05:33 2020 from 192.168.1.29
pi@pi4b:~ $
카피 드 라 클레 마누엘망
pi@pi3:~/.ssh $ cat id_rsa.pub >> /home/pi/.ssh/authorized_keys
aux autorisations sur le fichier authorized_keys 주의
pi@pi3:~/.ssh $ ls -l /home/pi/.ssh/authorized_keys
-rw------- 1 pi pi 3505 mars 7 12:01 /home/pi/.ssh/authorized_keys
Reference
이 문제에 관하여(Sécurisation SSH : Utilization de clés à la place de password.), 우리는 이곳에서 더 많은 자료를 발견하고 링크를 클릭하여 보았다
https://dev.to/tommoulard/securisation-ssh-utilisation-de-cles-a-la-place-de-password-21m5
텍스트를 자유롭게 공유하거나 복사할 수 있습니다.하지만 이 문서의 URL은 참조 URL로 남겨 두십시오.
우수한 개발자 콘텐츠 발견에 전념
(Collection and Share based on the CC Protocol.)
pi@pi3:~/.ssh $ grep PasswordAuthentication /etc/ssh/sshd_config
PasswordAuthentication no
root@pi3:~> systemctl restart sshd
Avec
puttygen
sous Windows c'est simplissime, il ne faut juste pas oublier de bouger la souris sous la barre verte pour générer de l'aléatoire.Avec openssh, c'est encore plus simple :
pi@pi3:~/.ssh $ ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/home/pi/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/pi/.ssh/id_rsa.
Your public key has been saved in /home/pi/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:WJfG2b35KlyIkbY+jo+H3dyMKrtJiSoC0JRyIe9ptlw pi@pi3
The keys randomart image is:
+---[RSA 4096]----+
|. .o |
|.o+ . + . |
| =. . *.. . |
|.... o o+ o |
|. = E . S. + .o |
|.+ o . .o . .. |
|. o . o+ + = .|
|. . . .o+= * o. |
| . .. *B+o .. |
+----[SHA256]-----+
pi@pi3:~/.ssh $ cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC0g4DwF...LUSQeFGB7NrP0R9F3A4ose01JCX5kbXp91W6R7Q== pi@pi3
pi@pi3:~/.ssh $ cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,91FE4EEA4EF377C38F0D56DC7BE40B3F
XgeIahCfT+cL/4tUgUDrPY7p3+b5imo/0FGwLLmX3U9pPY6AlbhOksAaglXYUP/r
Q3dGNBO7zDYiiMB3ZIn2rRYlmVShlLT1xCSryFDy/BEnGDPFA8QSVxD+EnOcevtj
akFbUfC2RYBxMMN4/e1mHK00ILUFqGmCYVR0qFU0SH8QB5BrKXbBfYK7LVQxKrKs
...
...
...
GGR/SS22KBTs4KksYPtgYvOu/cxV4LLdNDS0zBGC89txFhSvsfT/+SwC6vyfaf9G
vqbQ59U8VvNQFPkU9v0DfN6lg5/4mFhbDncc92yGqouXEGS/YVwXUx/BCVaYAadd
Ue+B5sxn6T+0VypJK/0cQvnLZ8o2d2SekAde3lMRLP/Bn4VHt/6S5XfY1z1ILnvB
pFmgdzSEzY37bHQedPcqqSqVposf9dZ1zLRHhLyqcKKx7xRLBX7oY4EPSaT8VwvF
7z16A4Fjrkc4twARvpyIRbX2CYqa7ZELo83tIvWTFzZKA99tL6p0upAOME+0zFwm
-----END RSA PRIVATE KEY-----
댓글 pousser sa clé sur un serveur ?
La clé publique doit être mise dans la liste des clés du compte que l’on souhaite accéder. 분류 /home/<<user>>/.ssh/authorized_keys
. Il faut mettre, dans le fichier /etc/ssh/sshd_config
, la clé AuthorizedKeysFile
par défaut à %h/.ssh/authorized_keys
.
Copie de la clé sur un server
pi@pi3:~/.ssh $ ssh-copy-id [email protected]
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/pi/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: WARNING: All keys were skipped because they already exist on the remote system.
(if you think this is a mistake, you may want to use -f option)
pi@pi3:~/.ssh $ ssh [email protected] -i id_rsa
Linux pi4b 4.19.75-v7l+ #1270 SMP Tue Sep 24 18:51:41 BST 2019 armv7l
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Mar 7 11:05:33 2020 from 192.168.1.29
pi@pi4b:~ $
카피 드 라 클레 마누엘망
pi@pi3:~/.ssh $ cat id_rsa.pub >> /home/pi/.ssh/authorized_keys
aux autorisations sur le fichier authorized_keys 주의
pi@pi3:~/.ssh $ ls -l /home/pi/.ssh/authorized_keys
-rw------- 1 pi pi 3505 mars 7 12:01 /home/pi/.ssh/authorized_keys
Reference
이 문제에 관하여(Sécurisation SSH : Utilization de clés à la place de password.), 우리는 이곳에서 더 많은 자료를 발견하고 링크를 클릭하여 보았다
https://dev.to/tommoulard/securisation-ssh-utilisation-de-cles-a-la-place-de-password-21m5
텍스트를 자유롭게 공유하거나 복사할 수 있습니다.하지만 이 문서의 URL은 참조 URL로 남겨 두십시오.
우수한 개발자 콘텐츠 발견에 전념
(Collection and Share based on the CC Protocol.)
pi@pi3:~/.ssh $ ssh-copy-id [email protected]
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/pi/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: WARNING: All keys were skipped because they already exist on the remote system.
(if you think this is a mistake, you may want to use -f option)
pi@pi3:~/.ssh $ ssh [email protected] -i id_rsa
Linux pi4b 4.19.75-v7l+ #1270 SMP Tue Sep 24 18:51:41 BST 2019 armv7l
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Mar 7 11:05:33 2020 from 192.168.1.29
pi@pi4b:~ $
pi@pi3:~/.ssh $ cat id_rsa.pub >> /home/pi/.ssh/authorized_keys
pi@pi3:~/.ssh $ ls -l /home/pi/.ssh/authorized_keys
-rw------- 1 pi pi 3505 mars 7 12:01 /home/pi/.ssh/authorized_keys
Reference
이 문제에 관하여(Sécurisation SSH : Utilization de clés à la place de password.), 우리는 이곳에서 더 많은 자료를 발견하고 링크를 클릭하여 보았다 https://dev.to/tommoulard/securisation-ssh-utilisation-de-cles-a-la-place-de-password-21m5텍스트를 자유롭게 공유하거나 복사할 수 있습니다.하지만 이 문서의 URL은 참조 URL로 남겨 두십시오.
우수한 개발자 콘텐츠 발견에 전념 (Collection and Share based on the CC Protocol.)