How to Create and Install SSH Keys From the Linux Shell
Published: 2019-05-11

Take cybersecurity seriously and use SSH keys to access remote logins. They’re a more secure way to connect than passwords. We show you how to generate, install, and use SSH keys in Linux.

What’s Wrong With Passwords?

Secure shell (SSH) is the encrypted protocol used to log in to user accounts on remote Linux or computers. Typically such user accounts are secured using passwords. When you log in to a remote computer, you must provide the user name and password for the account you are logging in to.

Passwords are the most common means of securing access to computing resources. Despite this, password-based security does have its flaws. People choose weak passwords, share passwords, use the same password on multiple systems, and so on.

SSH keys are much more secure, and once they’re set up, they’re just as easy to use as passwords.

What Makes SSH Keys Secure?

SSH keys are created and used in pairs. The two keys are linked and cryptographically secure. One is your public key, and the other is your private key. They are tied to your user account. If multiple users on a single computer use SSH keys, they will each receive their own pair of keys.

Your private key is installed in your home folder (usually), and the public key is installed on the remote computer—or computers—that you will need to access.

Your private key must be kept safe. If it is accessible to others, you are in the same position as if they had discovered your password. A sensible—and highly recommended—precaution is for your private key to be encrypted on your computer with a robust passphrase.

The public key can be shared freely without any compromise to your security. It is not possible to determine what the private key is from an examination of the public key. The public key can encrypt messages that only the private key can decrypt.

When you make a connection request, the remote computer uses its copy of your public key to create an encrypted message. The message contains a session ID and other metadata. Only the computer in possession of the private key—your computer—can decrypt this message.

Your computer accesses your private key and decrypts the message. It then sends its own encrypted message back to the remote computer. Amongst other things, this encrypted message contains the session ID that was received from the remote computer.

The remote computer now knows that you must be who you say you are because only your private key could extract the session ID from the message it sent to your computer.

Make Sure You Can Access The Remote Computer

Make sure you can access the remote computer. This proves that your user name and password have a valid account set up on the remote computer and that your credentials are correct.

Don’t try to do anything with SSH keys until you have verified you can use SSH with passwords to connect to the target computer.

In this example, a person with a user account called dave is logged in to a computer called howtogeek. They are going to connect to another computer called Sulaco.

They enter the following command:

ssh dave@sulaco

They are asked for their password, they enter it, and they are connected to Sulaco. Their command line prompt changes to confirm this.

That’s all the confirmation we need. So user dave can disconnect from Sulaco with the exit command:

exit

They receive the disconnect message and their command line prompt returns to dave@howtogeek.

Creating a Pair of SSH Keys

These instructions were tested on Ubuntu, Fedora, and Manjaro distributions of Linux. In all cases the process was identical, and there was no need to install any new software on any of the test machines.

To generate your SSH keys, type the following command:

ssh-keygen

The generation process starts. You will be asked where you wish your SSH keys to be stored. Press the Enter key to accept the default location. The permissions on the folder will secure it for your use only.

You will now be asked for a passphrase. We strongly advise you to enter a passphrase here. And remember what it is! You can press Enter to have no passphrase, but this is not a good idea. Three or four unconnected words strung together make a very robust passphrase.

You will be asked to enter the same passphrase once more to verify that you have typed what you thought you had typed.

The SSH keys are generated and stored for you.

You can ignore the “randomart” that is displayed. Some remote computers might show you their random art each time you connect. The idea is that you will recognize if the random art changes, and be suspicious of the connection because it means the SSH keys for that server have been altered.
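
A check for the two precautions this section relies on, owner-only permissions and a passphrase on the private key, as an added example that is not from the original article. The function names are hypothetical and sample_key emits a constructed, header-only file; the cipher lookup assumes the OpenSSH private key format, which records "none" as the cipher when no passphrase was set.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are hypothetical.

# key_cipher FILE: print the cipher name recorded in an OpenSSH-format private
# key. The decoded body starts with "openssh-key-v1\0" (15 bytes), a 4-byte
# length, then the name; "none" means no passphrase protects the key.
key_cipher() {
    sed '/^-----/d' "$1" | base64 -d 2>/dev/null | head -c 64 |
        tail -c +20 | tr '\000' '\n' | head -n 1
}

# audit_ssh_dir DIR: print one finding per line; print nothing when clean.
audit_ssh_dir() {
    case $(ls -ld "$1") in
        drwx------*) ;;                      # owner-only directory
        *) echo "DIR_PERMS $1" ;;
    esac
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        # Only files carrying a private-key header are examined.
        head -n 1 "$f" | grep -q 'PRIVATE KEY-----' || continue
        case $(ls -l "$f") in
            -r--------*|-rw-------*) ;;      # owner-only key file
            *) echo "KEY_PERMS $f" ;;
        esac
        if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$f"; then
            if [ "$(key_cipher "$f")" = none ]; then echo "NO_PASSPHRASE $f"; fi
        elif ! grep -q -e '^Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED' "$f"; then
            echo "NO_PASSPHRASE $f"          # legacy PEM without encryption header
        fi
    done
    return 0
}

# sample_key CIPHER: print a constructed key file that holds only the header
# fields (not a usable key), so the audit can be exercised offline.
sample_key() {
    echo '-----BEGIN OPENSSH PRIVATE KEY-----'
    printf "openssh-key-v1\\000\\000\\000\\000\\$(printf '%03o' "${#1}")%s\\000\\000\\000\\004none" "$1" | base64
    echo '-----END OPENSSH PRIVATE KEY-----'
}
```

Run audit_ssh_dir ~/.ssh against your own key directory; no output means nothing was flagged.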

Installing the Public Key

We need to install your public key on Sulaco, the remote computer, so that it knows that the public key belongs to you.

We do this using the ssh-copy-id command. This command makes a connection to the remote computer like the regular ssh command, but instead of allowing you to log in, it transfers the public SSH key.

ssh-copy-id dave@sulaco

Although you are not logging in to the remote computer, you must still authenticate using a password. The remote computer must identify which user account the new SSH key belongs to.

Note that the password you must provide here is the password for the user account you are logging into. This is not the passphrase you have just created.

When the password has been verified, ssh-copy-id transfers your public key to the remote computer.

You are returned to the command prompt of your computer. You are not left connected to the remote computer.
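
What this step leaves on the remote account, as an added example that is not from the original article: ssh-copy-id appends your public key line to ~/.ssh/authorized_keys there. The hypothetical install_pubkey function below performs the same append against a given home directory, idempotently and with owner-only permissions; SAMPLE_PUBKEY is a constructed key line.

```shell
#!/bin/sh
# Added example, not from the original article. install_pubkey is a
# hypothetical helper; SAMPLE_PUBKEY is a constructed, unusable key line.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleOnly dave@howtogeek'

# install_pubkey PUBKEY_FILE HOME_DIR
# Appends the key to HOME_DIR/.ssh/authorized_keys unless already present.
# The body runs in a subshell so the umask change does not leak to the caller.
install_pubkey() (
    pub=$1 home=$2
    [ -r "$pub" ] && [ -d "$home" ] || exit 1

    # Accept exactly one non-empty line that starts with a public key type;
    # this rejects a private key file passed by mistake.
    [ "$(grep -c . "$pub")" -eq 1 ] || exit 1
    line=$(grep . "$pub")
    case $line in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *|sk-*\ *) ;;
        *) exit 1 ;;
    esac

    umask 077
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || exit 1
    auth=$home/.ssh/authorized_keys
    touch "$auth" && chmod 600 "$auth" || exit 1

    # -x whole line, -F fixed string: append only if this exact key is absent.
    grep -qxF -- "$line" "$auth" || printf '%s\n' "$line" >> "$auth"
)
```

Calling it twice with the same key file leaves a single entry, so it is safe to re-run when checking that an account is set up as expected.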

Connecting Using SSH Keys

Let’s follow the suggestion shown by ssh-copy-id and try to connect to the remote computer.

ssh dave@sulaco

Because the process of connection will require access to your private key, and because you safeguarded your SSH keys behind a passphrase, you’ll need to provide your passphrase so that the connection can proceed.

Enter your passphrase and click on the Unlock button.

Once you’ve entered your passphrase in a terminal session, you will not have to enter it again for as long as you have that terminal window open. You can connect and disconnect from as many remote sessions as you like, without entering your passphrase again.

You could tick the checkbox for the “Automatically unlock this key whenever I’m logged in” option, but it will reduce your security. If you leave your computer unattended, anyone can make connections to the remote computers that have your public key.

Once you enter your passphrase, you are connected to the remote computer.

To verify the process once more end to end, disconnect with the exit command and reconnect to the remote computer from the same terminal window.

ssh dave@sulaco

You will be connected to the remote computer without the need for a password or passphrase.

No Passwords, But Enhanced Security

Cybersecurity experts talk about a thing called security friction. That’s the minor pain that you need to put up with to get the gain of additional security. There’s usually some extra step or two required to adopt a more secure method of working. And most people don’t like it. They actually prefer lower security and the lack of friction. That’s human nature.

With SSH keys, you get increased security and an increase in convenience. That’s a definite win-win.

Reposted from: http://azxwd.baihongyu.com/
