
Smart card authentication with SSH

Category: Linux. Author: 柳叶扉鸿. Posted 2 years ago (2022-07-06).

Steps to enable the SSH service

Install the SSH server and client with apt install

sudo apt install openssh-client
sudo apt install openssh-server

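If you only want to log in to other machines, you only need to install the SSH client. If you want this machine to offer the SSH service, you need to install the server.

Start the SSH service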

sudo systemctl start ssh.service  # start the service
ps aux | grep ssh  # check whether it is running

If sshd appears in the output, the SSH service is running.

If you see the service starting, it has started successfully. There are also a few more commands worth remembering:

sudo service ssh status  # check the service status
sudo service ssh stop  # stop the service
sudo service ssh restart  # restart the service

Optional: allow root to log in over SSH

sudo vim /etc/ssh/sshd_config
Change PermitRootLogin prohibit-password to PermitRootLogin yes


Remember to restart ssh

sudo systemctl restart sshd

Smart card authentication with SSH

One of the authentication methods supported by the SSH protocol is public key authentication. A public key is copied to the SSH server, where it is stored and marked as authorized. The owner of the corresponding private key, held on the smart card, can then log in to the server over SSH.

We will use opensc-pkcs11 on the client to access the smart card drivers, and we will copy the public key from the smart card to the SSH server to make the authentication work.

The following instructions apply to Ubuntu 18.04 and later.

Server configuration

The SSH server and client must be configured to permit smart card authentication.

Configure the SSH server

The SSH server needs public key authentication enabled in its configuration file, and it needs the user’s public key.

Ensure the server has the PubkeyAuthentication option set to ‘yes’ in its /etc/ssh/sshd_config file. In a default /etc/ssh/sshd_config in Ubuntu, the PubkeyAuthentication option is commented out. However, the default is ‘yes’. To make the setting explicit, edit the sshd_config file and set it accordingly.

PubkeyAuthentication yes

Restart the SSH server

sudo systemctl restart sshd
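
An added example, not part of the original page: a shell check for the point above that a commented-out PubkeyAuthentication line still means ‘yes’, which also reports PermitRootLogin from the earlier optional step. It reads only the global section of the file it is given; the function names, the constructed sample file and the defaults passed as arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): report the value that the
# global section of an sshd_config-style file sets for one keyword.
# Assumptions: Include files and Match blocks are not evaluated; the defaults
# passed in are OpenSSH's built-in ones (PubkeyAuthentication yes,
# PermitRootLogin prohibit-password).

effective_sshd_option() {
    # $1 = config file, $2 = keyword, $3 = default to report when unset
    awk -v want="$2" -v dflt="$3" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ { next }                      # commented-out line
        /^[ \t]*$/ { next }                      # blank line
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (!match(line, /^[A-Za-z0-9]+/)) next
            key = tolower(substr(line, 1, RLENGTH))  # keywords are case-insensitive
            val = substr(line, RLENGTH + 1)
            sub(/^[ \t]*=?[ \t]*/, "", val)      # "Key value" or "Key=value"
            sub(/[ \t]+$/, "", val)
            if (key == "match") exit             # global section ends here
            if (key == want) { print val; found = 1; exit }  # first value wins
        }
        END { if (!found) print dflt }
    ' "$1"
}

check_sshd_config() {
    # Returns 0 only when public key (and so smart card) login is enabled.
    pubkey=$(effective_sshd_option "$1" PubkeyAuthentication yes)
    root=$(effective_sshd_option "$1" PermitRootLogin prohibit-password)
    echo "PubkeyAuthentication=$pubkey PermitRootLogin=$root"
    if [ "$root" = "yes" ]; then
        echo "note: PermitRootLogin yes also permits password login for root"
    fi
    [ "$pubkey" = "yes" ]
}

# Constructed sample: an Ubuntu-style default with both options commented out.
sample=$(mktemp)
printf '%s\n' '#PubkeyAuthentication yes' '#PermitRootLogin prohibit-password' \
    'UsePAM yes' > "$sample"
check_sshd_config "$sample"
rm -f "$sample"
```

On a live server, sudo sshd -T prints the configuration sshd actually resolves, including built-in defaults and Include files.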

Set the public key on the server

Extract the user’s public key from the smart card on the SSH client. Use ssh-keygen to read the public key from the smart card and write it in a format that SSH can consume.

ssh-keygen -D /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so > smartcard.pub

Copy this key to the SSH server.

ssh-copy-id -f -i smartcard.pub ubuntu@server-2
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "smartcard.pub"
ubuntu@server-2's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'ubuntu@server-2'"
and check to make sure that only the key(s) you wanted were added.

Client configuration

The SSH client needs to identify its PKCS#11 provider. To do that, set the PKCS11Provider option in the ~/.ssh/config file of each user who wants to use SSH smart card login.

PKCS11Provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

Use this method to enforce SSH smart card login on a per user basis.

After this step you can SSH into the server using the smart card for authentication.



Copyright 柳叶扉鸿. Original content unless otherwise noted. This site is licensed under BY-NC-SA; when reposting, please credit "Smart card authentication with SSH".