Folks, a question about passwordless SSH login

  •   dtgxx · 2020-09-18 17:15:56 +08:00 · 516 views
    This topic was created 1464 days ago; the information in it may have since developed or changed.


    To improve security, I modified /etc/ssh/sshd_config to require AuthenticationMethods publickey,password, which means a key and a password are both needed to log in.

    With this security setting, the passwordless logins the cluster nodes used between themselves no longer work. Is there any configuration that, under this setup, lets a particular IP address log in without that verification?

    1 reply    2020-09-18 17:33:31 +08:00
       2020-09-18 17:33:31 +08:00


    In the file ~/.ssh/authorized_keys on the server, each entry now probably looks like

    ssh-ed25519 AAAAC3NzaC1lZSOMEKEYFINGERPRINT comment
    (or similar)

    There is an optional first column that may contain options. These are described in the sshd manual.

    One of the options is from="pattern-list", which the manual describes as follows:

        Specifies that in addition to public key authentication, either the canonical name of the remote host or its IP address must be present in the comma-separated list of patterns. See PATTERNS in ssh_config(5) for more information on patterns.

    In addition to the wildcard matching that may be applied to hostnames or addresses, a from stanza may match IP addresses using CIDR address/masklen notation.

    The purpose of this option is to optionally increase security: public key authentication by itself does not trust the network or name servers or anything (but the key); however, if somebody somehow steals the key, the key permits an intruder to log in from anywhere in the world. This additional option makes using a stolen key more difficult (name servers and/or routers would have to be compromised in addition to just the key).

    This means that you should be able to modify ~/.ssh/authorized_keys from

    ssh-ed25519 AAAAC3NzaC1lZSOMEKEYFINGERPRINT comment

    to

    from="pattern" ssh-ed25519 AAAAC3NzaC1lZSOMEKEYFINGERPRINT comment

    where pattern is a pattern matching the client host that you're connecting from, for example by its public DNS name, IP address, or some network block:

    from="192.168.1.*" ssh-ed25519 AAAAC3NzaC1lZSOMEKEYFINGERPRINT comment
    (this would only allow the use of this key from a host in the 192.168.1.* network)
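To make the pattern rules concrete, here is an added example (not from the reply's author or from OpenSSH) that evaluates the from="pattern-list" option of an authorized_keys entry the way the PATTERNS section describes: '*' and '?' wildcards against the client address or hostname, CIDR blocks, and '!' negation. The parser is a simplification that assumes no backslash escapes inside quoted option values, and the sample entries are constructed with placeholder key material.

```python
import ipaddress
import re
def _glob_match(pattern, value):
    """sshd patterns use only '*' and '?' wildcards; hostnames compare case-insensitively."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE) is not None
def _match_one(pattern, addr, host):
    """One pattern: a CIDR block, or a wildcard tested against the address and the hostname."""
    if "/" in pattern:
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return _glob_match(pattern, addr) or (host is not None and _glob_match(pattern, host))
def match_pattern_list(pattern_list, addr, host=None):
    """A matching negated ('!') entry rejects outright; otherwise any positive match allows."""
    matched = False
    for pat in (p.strip() for p in pattern_list.split(",")):
        if pat.startswith("!"):
            if _match_one(pat[1:], addr, host):
                return False
        elif _match_one(pat, addr, host):
            matched = True
    return matched
def parse_options(line):
    """Return the optional leading options column ('' when the line starts with a key type)."""
    line = line.strip()
    if re.match(r"^(ssh-|ecdsa-|sk-)", line):
        return ""
    out, quoted = [], False
    for ch in line:  # simplification: backslash escapes inside quotes are not handled
        if ch == '"':
            quoted = not quoted
        elif ch == " " and not quoted:
            break
        out.append(ch)
    return "".join(out)
def key_allowed_from(line, addr, host=None):
    """True if sshd would accept this entry for a client at addr/host, given its from= option."""
    m = re.search(r'from="([^"]*)"', parse_options(line))
    return True if m is None else match_pattern_list(m.group(1), addr, host)

# Constructed sample entries; the key material is a placeholder, as in the thread.
SAMPLE_KEYS = [
    'ssh-ed25519 AAAAC3NzaC1lZSOMEKEYFINGERPRINT unrestricted',
    'from="192.168.1.*" ssh-ed25519 AAAAC3NzaC1lZSOMEKEYFINGERPRINT lan-only',
    'from="10.0.0.0/8,!10.1.2.3",no-pty ssh-ed25519 AAAAC3NzaC1lZSOMEKEYFINGERPRINT cidr',
    'from="!*.dialup.example.com,*.example.com" ssh-ed25519 AAAAC3NzaC1lZSOMEKEYFINGERPRINT org',
]
```

Running key_allowed_from over a server's authorized_keys files is a quick way to audit which keys carry no from= restriction at all. Note that from= only narrows where a key is accepted; which factors are required (for example publickey,password) is still decided by AuthenticationMethods in sshd_config.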
