Keychain
本文档描述了如何将 SSH 共享密钥与钥匙串程序一起使用。它假定你具备公钥密码学的基本知识。
Keychain is a frontend to ssh-agent and ssh-add, allowing long running sessions and letting the user enter passphases just once. It can also be used to allow scripts access to SSH connections.
背景
手头问题
必须在每个系统上输入登录密码很不方便,尤其是在管理多个系统的情况下。一些管理员甚至可能需要一个脚本或定时任务,或需要一种便捷方法使用 ssh 连接。无论哪种方式,这个问题都有一个解决方案,它从公钥认证开始。
公钥认证是如何工作的?
假设客户端想要连接到服务器上的 ssh 守护程序。客户端首先生成一个密钥对并将公钥提供给服务器。之后,每当客户端尝试连接时,服务器都会发送一个使用该公钥加密的质询。只有相应私钥的持有者(客户端)才能对其进行解密,正确的响应才能成功通过身份验证。
如何使用公钥认证
生成密钥对
第一步是创建密钥对。为此,请使用 ssh-keygen 命令:
user $ssh-keygen接受默认值,并确保输入强密码。
务必选择一个强密码,尤其是当这个密钥用于 root 登录时!
生成结束后,私钥应位于 ~/.ssh/id_rsa,公钥应位于 ~/.ssh/id_rsa.pub。现在可以将公钥复制到远程主机。
Adding or changing a passphrase for the private key can be done as follows:
user $ssh-keygen -p -f ~/.ssh/id_rsa准备服务器
The ~/.ssh/id_rsa.pub file needs to be copied over to the server running sshd. It has to be added to the ~/.ssh/authorized_keys file that belongs the connecting user on the remote server. After ssh access to the server has been granted by infrastructure personnel, the following steps can be used to setup automatic login using a public key on the remote server:
user $ssh-copy-id server_user@server -i ~/.ssh/id_rsa.pubssh-copy-id 是这些步骤的包装脚本。如果此包装脚本不可用,则使用以下步骤:
user $scp ~/.ssh/id_rsa.pub server_user@server:~/myhost.pub
user $ssh server_user@server "cat ~/myhost.pub >> ~/.ssh/authorized_keys"
user $ssh server_user@server "cat ~/.ssh/authorized_keys"最后一行的输出应显示 ~/.ssh/authorized_keys 文件的内容。确保输出看起来正确。
测试设置
从理论上讲,如果一切顺利,并且服务器上的 sshd 守护程序允许(因为可以配置),那么现在应该可以在服务器上访问 ssh 而无需输入密码。客户端上的私钥仍需使用之前的密码解密,但这不应与服务器上用户的密码混淆。
user $ssh <server_user>@<server>It should have asked for a passphrase for id_rsa, and then grant access via ssh as the user <server_user> on the server. If not, login as <server_user>, and verify that the contents of ~/.ssh/authorized_keys has each entry (which is a public key) on a single line. It is also a good idea to check the sshd configuration to make sure that it allows to use public key authorization when available.
At this point, readers might be thinking, "What's the point, I just replaced one password with another?!" Relax, the next section will show exactly how we can use this to only enter the passphrase once and re-use the (decrypted) key for multiple logins.
方便的公钥认证
使用 ssh-agent 进行典型的密钥管理
下一步是解密私钥一次即可自由获取 ssh 的能力而无需任何密码。这正是程序 ssh-agent 的用途。
ssh-agent is usually started at the beginning of the X session, or from a shell startup script like ~/.bash_profile. It works by creating a UNIX socket, and registering the appropriate environment variables so that all subsequent applications can take advantage of its services by connecting to that socket. Clearly, it only makes sense to start it in the parent process of an X session to use the set of decrypted private keys in all subsequent X applications.
user $eval `ssh-agent`这个 ssh-agent 将保持密钥解密,直到它被终止。为密钥设置生命周期,请如 man ssh-agent 中所述使用
-t 参数。When running ssh-agent, it should output the PID of the running ssh-agent, and also set a few environment variables, namely SSH_AUTH_SOCK and SSH_AGENT_PID. It should also automatically add ~/.ssh/id_rsa to its collection and ask the user for the corresponding passphrase. If other private keys exist which need to be added to the running ssh-agent, use the ssh-add command:
user $ssh-add somekeyfile魔法时刻。准备好解密的私钥后,ssh 进入(配置了公钥)服务器而无需输入任何密码:
user $ssh server为了关闭 ssh-agent(这样需要稍后再次输入密码):
user $ssh-agent -kIt is possible to have multiple ssh-agent processes running, especially when configuring it initially took some effort and trials. These processes can be killed like any other process by running killall ssh-agent.
To get even more convenience from ssh-agent, proceed to the next section on using keychain. Be sure to kill the running ssh-agent as keychain will handle the ssh-agent sessions itself.
Squeezing the last drop of convenience out of ssh-agent
Keychain will allow to reuse an ssh-agent between logins, and optionally prompt for passphrases each time the user logs in. Let's emerge it first:
root #emerge --ask net-misc/keychainAssuming that was successful, keychain can now be used.
Add the following to the shell initialization file (~/.bash_profile, ~/.zshrc, or similar) to enable it:
~/.bash_profileEnabling Keychain in Bashkeychain ~/.ssh/id_rsa
. ~/.keychain/${HOSTNAME}-sh
. ~/.keychain/${HOSTNAME}-sh-gpg
~/.zshrcEnabling Keychain in zshkeychain ~/.ssh/id_rsa
. ~/.keychain/${HOST}-sh
. ~/.keychain/${HOST}-sh-gpg
More keys can be appended to the command line as desired. Also, to have it ask for passphrases each time a shell is spawned, add the
--clear option.When not using Bash or zsh, check the EXAMPLES section of man keychain for examples of use in other shells. The idea is to get those commands to run each time a shell is used.
Now test it. First make sure the ssh-agent processes from the previous section are killed, then start up a new shell, usually by just logging in, or spawning a new terminal. It should prompt for the password for each key specified on the command line.
All shells opened after that point should reuse the ssh-agent, allowing to use passwordless SSH connections over and over.
在 Plasma 5 中使用钥匙串
对于 Plasma 5 用户,相比使用 ~/.bash_profile,可以让 Plasma 为他们管理 ssh-agent。为此,请编辑在 Plasma 启动期间读取的 /etc/plasma/startup/10-agent-startup.sh 和在其关闭期间执行的 /etc/plasma/shutdown/10-agent -shutdown.sh 文件。以下是编辑这些文件的方法:
Here is how one could edit those files:
/etc/plasma/startup/10-agent-startup.shPlasma 5 的编辑SSH_AGENT=true
/etc/plasma/shutdown/10-agent-shutdown.shPlasma 5 的编辑if [ -n "${SSH_AGENT_PID}" ]; then
eval "$(ssh-agent -k)"
fi
现在,要做的就是选择启动一个终端,类似 kde-apps/konsole,并加载正确的密钥集以供使用。例如:
user $keychain ~/.ssh/id_rsaThe keys will be remembered until the end of the Plasma session (or until the ssh-agent process is killed manually).
Alternatively use KWallet with kde-plasma/ksshaskpass under Plasma 5
You can also have Plasma automatically ask you for your passphrase upon desktop login. Emerge kde-plasma/ksshaskpass, which will set up an environment variable to use the ksshaskpass application whenever ssh-add is run outside of a terminal. Then create a script as follows, and install it via the Plasma -> System Settings -> Startup and Shutdown -> Autostart.
~/ssh.shCreate ssh.sh script#!/bin/sh
ssh-add < /dev/null
Recent versions of plasma seem to require autostart scripts to have user-only permissions. You may need to
chmod 700 ssh.sh before adding the script via the Autostart GUI结束语
安全注意事项
当然,使用 ssh-agent 可能会使系统略微不安全。如果其他用户获得了使用活动 Shell 的权利,该用户将可以不使用密码登录到所有服务器。因此,这是对服务器的风险。如有必要,使用者应该求助于本地安全策略(若有的话)。记得采取适当的行动来确保每个会话都足够安全。
故障排除
其中大部分应该工作得很好,但如果确实出现问题,那么以下条目可能会有所帮助。
- If connecting without ssh-agent does not seem to work, consider using ssh with the
-vvvoptions to find out what's happening. Sometimes the server is not configured to use public key authentication, sometimes it is configured to ask for local passwords anyway! If that is the case, try using the-ooption with ssh, or change the server's sshd_config. - If connecting with ssh-agent or keychain does not seem to work, then it may be that the current shell does not understand the commands used. Consult the man pages for ssh-agent and keychain for details on working with other shells.
See also
- SSH — 用来安全地远程操作计算机的标配工具
外部资源
- The official Keychain project page at Funtoo.org.
- IBM developerWorks article series introducing the concepts behind Keychain.
This page is based on a document formerly found on our main website gentoo.org.
The following people contributed to the original document: Eric Brown, Marcelo Goes,
They are listed here because wiki history does not allow for any external attribution. If you edit the wiki article, please do not add yourself here; your contributions are recorded on each article's associated history page.