好几台vps用同一个镜像生成,里面的软件配置都一样。省事的地方是可以用同一个ssh密钥直接登录,不安全的点则是SSH服务端共用密钥,万一某个vps出事了,其他也容易崩盘。安全起见,应该重新生成服务端密钥。
打开/etc/ssh/sshd_config,搜索”host”,发现有如下配置:
# HostKey for protocol version 1 #HostKey /etc/ssh/ssh_host_key # HostKeys for protocol version 2 #HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_dsa_key
ssh 1协议基本淘汰了,重点是ssh 2协议配置的rsa和dsa两个密钥。先mv备份一下: mkdir sshbak && mv /etc/ssh/ssh_host* sshbak
。然后重新重启ssh server: service sshd restart
,输出如下:
Stopping sshd: [ OK ] Generating SSH2 RSA host key: [ OK ] Generating SSH1 RSA host key: [ OK ] Generating SSH2 DSA host key: [ OK ] Starting sshd: [ OK ]
这说明在CentOS 6下,ssh服务器会检测host key是否存在,如果不存在则重新生成。
CentOS 7上应该禁用DSA密钥,其它配置建议参考 [cipherlist]:
Protocol 2 HostKey /etc/ssh/ssh_host_ed25519_key HostKey /etc/ssh/ssh_host_rsa_key KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
以上配置在CentOS 7上生效,CentOS 6由于open ssh版本过低(需要OpenSSH 6.6+, ssh -V可查看版本信息),将无法启动。
Ubuntu/Debian用户可参考:http://serverfault.com/questions/471327/how-to-change-a-ssh-host-key
参考
- http://serverfault.com/questions/471327/how-to-change-a-ssh-host-key
- http://www.kaijia.me/2015/09/regenerate-ssh-host-key-server-side/
- https://cipherli.st/
- https://security.stackexchange.com/questions/5096/rsa-vs-dsa-for-ssh-authentication-keys
发表回复