ssh-keygen: what is the passphrase?

information-security ssh rsa key-generation passphrase
2021-09-06 01:38:28

When using ssh-keygen, what is the passphrase?
Why is it optional?

What are the security implications of specifying (or not specifying) one?

Here is an excerpt from a shell session (some details may have been changed):

user@localhost:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /user/.ssh/id_rsa.
Your public key has been saved in /user/.ssh/id_rsa.pub.
The key fingerprint is:
60:8b:50:1e:0f:bc:5a:2a:13:1e:83:2b:d9:95:38:9e user@localhost
The key's randomart image is:
+---[RSA 2048]----+
|   .+            |
|   o.+           |
|. ...o+          |
|ooo.=o o         |
|.*oB. . S        |
|*.E              |
|.o               |
|                 |
|                 |
+-----------------+
2 Answers
$ man ssh-keygen
[...]
It is possible to specify a passphrase when generating the
key; that passphrase will be used to encrypt the private
part of this file using 128-bit AES.

So the passphrase just encrypts the key locally. An attacker with access to your system will not be able to read the private key, because it is encrypted. (They could install a keylogger, though.) For example, if your laptop is stolen, your ssh key may still be safe if you have a strong passphrase. Or even with a fairly weak passphrase (as long as it isn't trivial), it buys you some time to revoke the key and roll over to a new one before the attacker can crack it.

It is optional because you can choose to accept the risk of the key being unencrypted in storage. Or you may have disk encryption enabled, which mitigates some of the same attacks (but not all of them; e.g. malware can still steal the key even with disk encryption; on the other hand, a stolen laptop is still safe unless it was stolen while running with the key in memory).

A server can require both a public key and a password to log in. The security of that differs from a passphrase-encrypted key. If you use an encrypted key:

  • you cannot change the passphrase server-side; you have to generate a new key;
  • someone could crack the key's passphrase without being noticed, because they can do it offline (if the server requires a password, they have to ask the server "is aaaa correct? is aaab correct?" and so on);
  • someone can crack the key faster, because it is an offline attack with no network rate limit;
  • the server cannot use something like fail2ban to reject too many login attempts, because the cracking happens offline.
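As an added example (not code from either answer), here is a small Python check a practitioner can run over the private keys on disk to see whether each one is actually passphrase-protected, and with which cipher and KDF, by parsing only the unencrypted header fields of the legacy PEM format (the "128-bit AES" case from the man page excerpt) and of the newer openssh-key-v1 format. The sample inputs are constructed header-only files, not real key material.

```python
import base64
import struct

# Constructed sample (no real key material): the header block older ssh-keygen
# writes when a passphrase is given ("128-bit AES" in the man page excerpt).
LEGACY_PEM_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

AAAA
-----END RSA PRIVATE KEY-----
"""

def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string': uint32 big-endian length + data."""
    return struct.pack(">I", len(data)) + data

def build_openssh_v1_header(cipher: str, kdf: str) -> str:
    """Construct a truncated openssh-key-v1 file carrying only the header fields
    (magic, ciphername, kdfname, kdfoptions, nkeys); no key material follows."""
    kdfopts = b"" if kdf == "none" else _ssh_string(b"\x00" * 16) + struct.pack(">I", 16)
    blob = (b"openssh-key-v1\x00" + _ssh_string(cipher.encode()) + _ssh_string(kdf.encode())
            + _ssh_string(kdfopts) + struct.pack(">I", 1))
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

def key_protection(pem_text: str) -> dict:
    """Report whether a private key file is passphrase-protected and how, reading
    only the plaintext header fields of legacy PEM or openssh-key-v1 files."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("bad openssh-key-v1 magic")
        pos, fields = len(magic), []
        for _ in range(2):  # ciphername, then kdfname
            (n,) = struct.unpack(">I", blob[pos:pos + 4])
            fields.append(blob[pos + 4:pos + 4 + n].decode())
            pos += 4 + n
        cipher, kdf = fields
        return {"format": "openssh-key-v1", "encrypted": cipher != "none", "cipher": cipher, "kdf": kdf}
    if lines[0].startswith("-----BEGIN ") and lines[0].endswith(" PRIVATE KEY-----"):
        headers = dict(ln.split(": ", 1) for ln in lines[1:] if ": " in ln)
        encrypted = headers.get("Proc-Type", "").endswith("ENCRYPTED")
        cipher = headers.get("DEK-Info", "none").split(",")[0]
        return {"format": "legacy-pem", "encrypted": encrypted, "cipher": cipher,
                "kdf": "EVP_BytesToKey(MD5)" if encrypted else "none"}
    raise ValueError("unrecognized private key format")
```

A key whose report says `encrypted: False` is the case the answer warns about: anyone who copies the file can use it immediately, so it should be re-protected with `ssh-keygen -p` or replaced.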

This is the answer I was looking for and didn't find until I tried it both with and without a passphrase:

Once the private key is encrypted, you have to enter the passphrase every time you need to use it.

Then I learned about the 'ssh-agent' daemon/service, which can cache the credentials once per login. I was setting up my Gitlab.com connection when I went through this.

Here is the transcript of me trying both.

Microsoft Windows [Version 10.0.19042.985]
(c) Microsoft Corporation. All rights reserved.

C:\Users\Administrator>where ssh-keygen
C:\Windows\System32\OpenSSH\ssh-keygen.exe

C:\Users\Administrator>ssh-keygen -t rsa -b 2048 -C "XXXXXXXXXXXX"
Generating public/private rsa key pair.
Enter file in which to save the key (C:\Users\Administrator/.ssh/id_rsa):
Created directory 'C:\Users\Administrator/.ssh'.
Enter passphrase (empty for no passphrase):           <=====  here I did NOT use a passphrase
Enter same passphrase again:
Your identification has been saved in C:\Users\Administrator/.ssh/id_rsa.
Your public key has been saved in C:\Users\Administrator/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:------------------------------------------- XXXXXXXXXXXX
The key's randomart image is:
+---[RSA 2048]----+
|  xxxxxxxxxxxxx  |
|  xxxxxxxxxxxxx  |
|  xxxxxxxxxxxxx  |
|  xxxxxxxxxxxxx  |
|  xxxxxxxxxxxxx  |
|  xxxxxxxxxxxxx  |
|  xxxxxxxxxxxxx  |
|  xxxxxxxxxxxxx  |
|  xxxxxxxxxxxxx  |
+----[SHA256]-----+

C:\Users\Administrator>cat %userprofile%/.ssh/id_rsa.pub | clip

    NOTE:
    NOTE:   at this point I navigated to gitlab in my browser, and pasted the key
    NOTE:

C:\Users\Administrator>ssh -T git@gitlab.com
The authenticity of host 'gitlab.com (172.65.251.78)' can't be established.
ECDSA key fingerprint is SHA256:-------------------------------------------.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'gitlab.com,172.65.251.78' (ECDSA) to the list of known hosts.
Welcome to GitLab, @<username>!

C:\Users\Administrator>ssh -T git@gitlab.com
Welcome to GitLab, @<username>!

C:\Users\Administrator>ssh-keygen -p
Enter file in which the key is (C:\Users\Administrator/.ssh/id_rsa):
Key has comment 'XXXXXXXXXXXX'
Enter new passphrase (empty for no passphrase):       <=====  here I DID use a passphrase
Enter same passphrase again:
Your identification has been saved with the new passphrase.

    NOTE:
    NOTE:   now I'm prompted every time
    NOTE:

C:\Users\Administrator>ssh -T git@gitlab.com
Enter passphrase for key 'C:\Users\Administrator/.ssh/id_rsa':
Welcome to GitLab, @<username>!

C:\Users\Administrator>ssh -T git@gitlab.com
Enter passphrase for key 'C:\Users\Administrator/.ssh/id_rsa':
Welcome to GitLab, @<username>!

    NOTE:
    NOTE:   set up the service to run (it is disabled by default)
    NOTE:

C:\Users\Administrator>sc config ssh-agent start= auto
[SC] ChangeServiceConfig SUCCESS

C:\Users\Administrator>sc start ssh-agent

SERVICE_NAME: ssh-agent
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 9508
        FLAGS              :

    NOTE:
    NOTE:   will still get prompt, until 'ssh-add' (which itself prompts)
    NOTE:

C:\Users\Administrator>ssh -T git@gitlab.com
Enter passphrase for key 'C:\Users\Administrator/.ssh/id_rsa':
Welcome to GitLab, @<username>!

C:\Users\Administrator>ssh-add .ssh\id_rsa
Enter passphrase for .ssh\id_rsa:
Identity added: .ssh\id_rsa (XXXXXXXXXXXX)

    NOTE:
    NOTE:   no more prompting until I reboot :D 
    NOTE:

C:\Users\Administrator>ssh -T git@gitlab.com
Welcome to GitLab, @<username>!

C:\Users\Administrator>echo Tada!
Tada!

C:\Users\Administrator>