Password-less key-based authentication not working

Time: 2018-08-23 06:48:03

Tags: authentication ssh debian-stretch password-less

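This is what I need to achieve:

  1. Key-based, password-less authentication for user root
  2. Password-based authentication for any other user except root

The server I need to access is running Debian 9 (stretch).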


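On my client, I created a key pair like this: ssh-keygen

This created the following files: ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub

Now I copied the contents of ~/.ssh/id_rsa.pub into /root/.ssh/authorized_keys on the server and changed the key file's permissions to 600.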


Then I modified /etc/ssh/sshd_config on the server by setting the following values:

PermitRootLogin without-password
PubkeyAuthentication yes

Now I restarted the ssh service on the server and tried to connect via ssh root@sub.domain.tld.


It still ends with a password prompt for user root.

The result of ssh -vvv root@sub.domain.tld can be found here (Ubuntu Pastebin).

Which modifications did I miss?

Kind regards // neph

1 answer:

Answer 0: (score: -1)

You should follow this tutorial; there are a lot of outdated tutorials out there. It worked for me on Ubuntu 19.04.

All you have to do is:

apt-get install libpam-google-authenticator

Users who want to continue using ssh must each run the command google-authenticator. This tool interactively helps you to create the file ~/.google_authenticator, which contains a shared secret and emergency passcodes. It's a terminal application, but it does still display a QR code for quick loading of the shared secret into your two factor device (in my case, this is the Google Authenticator app on my Android smartphone).

Edit /etc/ssh/sshd_config. Set:

ChallengeResponseAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive

In case you have changed them in the past, you should also check the following two settings (these are both defaults on Ubuntu):

UsePAM yes
PubkeyAuthentication yes

Run sudo service ssh reload to pick up your changes to /etc/ssh/sshd_config.

Edit /etc/pam.d/sshd and replace the line:

@include common-auth

with:

auth required pam_google_authenticator.so

That's it! Now ssh logins will require a key, and after your key is verified will additionally require proof that you hold your second factor device.
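
Added example (not part of the question, the answer or the linked tutorial): a small Python model of how sshd resolves sshd_config, used to check the question's goal (key-only login for root, passwords for everyone else) against a constructed config. It models only PermitRootLogin, PubkeyAuthentication and PasswordAuthentication; AuthenticationMethods, keyboard-interactive/PAM and Match criteria other than all/User are left out, and the function names and sample accounts are assumptions.

```python
# Sketch of how sshd resolves sshd_config: the first value read for a keyword
# wins, and a matching Match block overrides the global section. Only
# "Match all" and "Match User <exact,names>" are modelled.
DEFAULTS = {"permitrootlogin": "prohibit-password",  # OpenSSH defaults
            "pubkeyauthentication": "yes", "passwordauthentication": "yes"}

# Constructed sample, not the asker's file; "deploy"/"backup" are made-up users.
SAMPLE = """\
PermitRootLogin without-password
PubkeyAuthentication yes
# A later duplicate is ignored: sshd keeps the first value it reads.
PermitRootLogin yes
Match User deploy,backup
    PasswordAuthentication no
"""

def effective(config_text, user):
    """Return the keyword -> value mapping that applies to `user`."""
    global_opts, match_opts = {}, {}
    target = global_opts                  # lines before any Match are global
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, val = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            crit = val.split()
            is_all = len(crit) == 1 and crit[0].lower() == "all"
            is_user = (len(crit) == 2 and crit[0].lower() == "user"
                       and user in crit[1].split(","))
            target = match_opts if (is_all or is_user) else None
        elif target is not None:
            target.setdefault(key, val)   # first obtained value wins
    return {**DEFAULTS, **global_opts, **match_opts}

def login_methods(config_text, user):
    """Which of publickey/password sshd would accept for `user`."""
    opts = effective(config_text, user)
    methods = {m for m, k in (("publickey", "pubkeyauthentication"),
                              ("password", "passwordauthentication"))
               if opts[k].lower() == "yes"}
    if user == "root":
        mode = opts["permitrootlogin"].lower()
        if mode == "no":
            return set()
        if mode != "yes":                 # the key-only modes drop passwords
            methods.discard("password")
    return methods
```

On a live server, sshd -T prints the configuration that sshd itself resolved, which is the authoritative version of what this sketch approximates.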