    Raspberry Pi SSH setup

    Tech, 2022-08-03


    I recently used some spare hardware to create a little file server on a Raspberry Pi, and I wanted to be able to log in to the Pi when I am away from home to check on things. This document describes how I set that up. If you are curious about how I set up the file server, I wrote an article on that, too.

    Enable SSH

    I started with a Raspberry Pi 3 running Raspbian, and I am going to assume you can get up and running with Raspbian, too. These instructions are Raspbian-specific in some places, but most of this also applies to other Linux-based operating systems on the Pi.

    You can enable SSH graphically or from the command prompt.

    Enabling SSH Graphically

    Click the icon in the top left to open the menu, then select “Preferences…” and then “Raspberry Pi Configuration.”

    (Screenshot: Open the configuration dialog)

    In the Raspberry Pi Configuration dialog, switch to the “Interfaces” tab, enable SSH, and click OK. That’s it!

    (Screenshot: Enable SSH)

    Enabling SSH From the Prompt

    Enabling SSH from the prompt is also pretty simple. The following two commands will do it: the first makes the service start at every boot, the second starts it right now.

    sudo systemctl enable ssh
    sudo systemctl start ssh

    An alternate way to enable SSH from the prompt is to use the raspi-config tool. Type sudo raspi-config at the prompt and press Enter. You’ll find SSH under “Interfacing Options.” Use the arrow and Tab keys to navigate.

    Testing SSH

    At this point, you should be able to log in to your Pi from another machine on the same network using your username (likely pi) and password. If that account still has the default Raspbian password, change it with passwd before going any further: the rest of this guide builds on the password as the first authentication factor, so it needs to be one worth protecting.

    (Screenshot: Sweet success!)

    (You might notice that my Pi is named raspberrypi4. I have a lot of these doing various things. Yours may be named just raspberrypi, or you may have changed the name to something else, like dave. Just substitute the correct name whenever you need to.)

    Change the Port

    Unfortunately, everyone knows that SSH lives on port 22, and this makes it a target for scanning. Moving the daemon to another port buys only a little: it cuts the background noise from bots that try port 22 and nothing else, but anyone who port-scans your address will still find it. Treat the change as a convenience that keeps your logs quieter, not as a security control; the authentication hardening later in this guide is what actually protects the login. In this case, let’s use port 2222.

    At the prompt, type the following.

    sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.dist
    sudo nano /etc/ssh/sshd_config

    The first line makes a backup of the unmodified (“distribution”) SSH daemon configuration file, while the second line opens the SSH daemon configuration file for editing. It is good practice to always make a backup of a critical system configuration file before you edit it!

    In the editor, you should see a line that reads something like #Port 22. The leading hash mark (#) makes it a comment: delete the hash and change 22 to 2222. (sshd uses the first uncommented value it finds for a keyword, so make sure there is not a second, earlier Port line that would win.)

    (Screenshot: Setting the port number)

    Next find the line that starts ChallengeResponseAuthentication and make sure it is set to yes. (It is no by default on the current release of Raspbian.) This is what lets sshd hand the login to PAM’s keyboard-interactive prompts, which the two-factor setup below depends on. On OpenSSH 8.7 and later the directive is called KbdInteractiveAuthentication and ChallengeResponseAuthentication is kept only as a deprecated alias, so on newer releases the line you need to change will carry the new name; set whichever your file uses to yes. While you are there, confirm that UsePAM yes is present (it is in the Raspbian default file), since without it PAM is never consulted.

    (Screenshot: Enabling challenge-response authentication)

    Once you have made these changes, press CTRL+x to exit, answer y to save changes, and then press Enter to overwrite the original file.

    You should check that the SSH daemon can parse the edited configuration file before you restart it. Do this with the following command.

    sudo sshd -t

    If any errors are reported, fix them. If the command prints nothing, the file is valid and you’re ready to restart the SSH daemon with the following command.

    sudo systemctl restart ssh

    (If you are doing this while logged in remotely via SSH, don’t worry: restarting the daemon does not drop established sessions. Even so, keep that session open and test the new port from a second connection before closing it, so a mistake in the file cannot lock you out. If you have added a host firewall to the Pi, allow the new port in it before you restart.)

    Test it out by logging in and specifying the new port number. (You can do this with -p 2222 for the usual ssh command.)

    (Screenshot: Sweet success! Again!)
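    The edits above are easy to make by hand in nano, and just as easy to get slightly wrong (a leftover #, or a second Port line that sshd ignores because it honours only the first match). The script below is an added example, not code from the original article: it makes the same changes idempotently, keeps the untouched .dist copy the text recommends, and shows the value sshd will actually read back. The function names and the temporary file it edits in its demo are this example's own choices.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article: apply the sshd_config
# changes described above (Port, keyboard-interactive auth) idempotently and
# keep the pristine .dist copy. Function and file names are this example's own.

# Set KEY VALUE in an sshd_config-style file. The first line carrying the
# keyword, commented out or not, is replaced; if there is none the directive is
# appended. Writing back through cat keeps the file's owner and mode.
set_sshd_option() {
  local file=$1 key=$2 value=$3 tmp rc
  tmp=$(mktemp) || return 1
  awk -v key="$key" -v value="$value" '
    BEGIN { lkey = tolower(key); done = 0 }
    {
      line = $0
      sub(/^[ \t]*#?[ \t]*/, "", line)          # drop leading blanks and one "#"
      split(line, f, /[ \t=]+/)                  # sshd accepts "Key value" and "Key=value"
      if (!done && tolower(f[1]) == lkey) { print key " " value; done = 1; next }
      print
    }
    END { if (!done) print key " " value }
  ' "$file" > "$tmp" && cat "$tmp" > "$file"
  rc=$?
  rm -f "$tmp"
  return "$rc"
}

# Effective value of a keyword as sshd reads it: the first uncommented match wins.
get_sshd_option() {
  awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" 'tolower($1) == k { print $2; exit }' "$1"
}

# Back up once, move SSH to PORT, and turn on the PAM-backed prompts that the
# 2FA setup needs. ChallengeResponseAuthentication is the pre-OpenSSH-8.7 name
# of KbdInteractiveAuthentication; setting both covers old and new Raspbian.
configure_sshd() {
  local file=$1 port=$2
  [ -e "$file.dist" ] || cp -p "$file" "$file.dist"   # never overwrite the pristine copy
  set_sshd_option "$file" Port "$port" &&
  set_sshd_option "$file" KbdInteractiveAuthentication yes &&
  set_sshd_option "$file" ChallengeResponseAuthentication yes
}

if [ "$#" -eq 2 ]; then
  # Real use on the Pi: sudo ./this-script.sh /etc/ssh/sshd_config 2222
  configure_sshd "$1" "$2"
else
  # Demo on a constructed copy of the Raspbian defaults, so it runs without root.
  demo=$(mktemp)
  printf '#Port 22\n#AddressFamily any\nChallengeResponseAuthentication no\nUsePAM yes\n' > "$demo"
  configure_sshd "$demo" 2222
  printf 'effective Port: %s\n' "$(get_sshd_option "$demo" Port)"
  rm -f "$demo" "$demo.dist"
fi
```

    After running it against /etc/ssh/sshd_config as root, continue exactly as above: sudo sshd -t, then sudo systemctl restart ssh. If your release's file starts with an Include /etc/ssh/sshd_config.d/*.conf line, a drop-in there is read first and therefore takes precedence over the main file; sudo sshd -T prints the values sshd actually loaded and is the definitive check.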

    Enable Two-Factor Authentication

    Used properly, two-factor authentication (2FA) is much more secure than a password alone. Let’s set up 2FA using Google Authenticator, an open-source token generator; the server-side piece is the PAM module libpam-google-authenticator. You can find documentation on Google Authenticator on its wiki.

    Before I get too far into this, I will note that some object to the way that 2FA is implemented by Google and by similar systems. You can read these objections in the article below. I don’t want to use additional dedicated hardware (I already have a phone) and feel that this approach is sufficient. But it’s your network; you be the judge.

    These instructions will set up the Pi to require both a password and a 2FA token. I prefer this approach because it requires (1) something you know and (2) something you have. That is, it really is two-factor authentication.

    When you want to log in to your Raspberry Pi using SSH, you will now need to have your phone or tablet running the Google Authenticator app. This app will give you a six-digit “token” (a time-based one-time password) to use when logging in. Each token is good for 30 seconds, and then a new one is generated.

    Logging in at the console, or by any method other than SSH, won’t change: the module is wired only into SSH’s PAM configuration in step 6 below.

    1. Install Google Authenticator on your phone

    Grab your phone, head to the app store of your choice, and install Google Authenticator. If you are using an iOS device, you can find it here. If you are using an Android device, you can find it here.

    (Screenshot: The Authenticator app with some of its friends)

    2. Install Google Authenticator on the Raspberry Pi

    Install the Google Authenticator PAM module (the package also provides the google-authenticator setup command used in the next step) by running the following command at the prompt on the Raspberry Pi.

    sudo apt install libpam-google-authenticator

    3. Set up Google Authenticator for your account

    The next part is going to generate a quick response (QR) code, so make your terminal window as large as you can so the code isn’t mangled by wrapping. (If the code is mangled by wrapping, that’s okay. You can manually enter the information. But using the camera on your phone is much simpler!)

    From the prompt on the Pi, as the user you want to log in as (probably pi), run the following command. (NB: If you’ve gotten used to typing sudo in front of commands, be aware that you don’t do that here: the secret file has to end up in that user’s home directory, owned by that user, or the PAM module will not find it at login.)

    google-authenticator

    This will ask if you want authentication tokens to be time-based. You do, so answer y. At that point, you’ll get a URL, followed by a QR code, followed by your secret key, the first verification code, and your emergency scratch codes. The URL and the QR code both encode the same secret key, and anyone who sees either can generate your tokens, so keep the terminal private while it is on screen.

    (Screenshot: Congratulations! It’s a QR code)

    Before you do anything else, copy your scratch codes and save them in a file somewhere safe. These codes will let you log in (via SSH) if you lose your phone. Of course, you can still log in through the console or any other way. If you are already logged in, you can also see your scratch codes in the ~/.google_authenticator file that will be created. Treat that file like a password: it holds the shared secret as well as the scratch codes, which is why google-authenticator creates it readable only by its owner.

    There are more questions to answer, but first, let’s add the code to the Authenticator app before it scrolls off the screen.

    4. Add the account to your Google Authenticator app on your phone

    Time to find your phone again. Open the Google Authenticator app on your phone and tap the little plus sign (+) at the top right. You should get a little menu popping up at the bottom with two choices.

    Scan barcode. If the QR code is unmangled, this is what you want. Touch it, and then point the camera at the QR code. If the app recognizes it, great! If not, then try the manual entry method.

    Manual entry. If your QR code scrolled off the screen or was too wide for your window, you need to select this.

    For manual entry, you need to do the following.

    Enter your account name. For my example this is pi@raspberrypi4. Your computer’s name (the part after the at symbol) may be different; substitute the correct name (possibly just raspberrypi).

    For key, enter the secret key displayed under the QR code. In this example it is S5NIHPEZN3ACB36OD2ZJSP6D3M. (That is the example secret from the original article, shown for illustration only; never publish or reuse a real one, since the key alone is enough to generate valid tokens.)

    Leave “time-based” enabled, and click the checkmark at the top right.

    You should see a new entry in the Authenticator app for your Raspberry Pi. The current six-digit token will be shown and will be blue. After a few seconds, the token will flash red and then change.

    5. Finish up with Google Authenticator on the Pi

    Back on the Pi, answer y to update the .google_authenticator file. Next you will be asked if you want to disallow multiple uses of the same authentication token. You should, so answer y: it stops a code that was observed in transit from being replayed within its 30-second lifetime.

    For the “time skew” question, it is unlikely you will need to increase the window of permitted codes above the default of three (the current code plus the one before and the one after, which tolerates about 30 seconds of clock difference between the Pi and your phone), so you should answer n. The next question is about rate limiting, which restricts an attacker to a few login attempts every 30 seconds. You should enable this, so answer y.

    Now you’re done! If you need to change anything or want to see your scratch codes, you can look in your ~/.google_authenticator file. (Each scratch code is removed from that file once it has been used.)

    6. Update PAM

    We need to tell Linux Pluggable Authentication Modules (PAM) that SSH logins should use Google Authenticator. Edit the /etc/pam.d/sshd file, making a backup copy of the file first.

    sudo cp /etc/pam.d/sshd /etc/pam.d/sshd.dist
    sudo nano /etc/pam.d/sshd

    Add the following line at the top.

    auth required pam_google_authenticator.so

    (Screenshot: The updated PAM configuration file for the SSH daemon)

    Save and exit with CTRL+x, y, and Enter.

    I prefer that the auth required pam_google_authenticator.so line comes before the @include common-auth line. This means you must first enter the token and then enter your password. If you ever wish to disable 2FA, just add a hash mark (#) before the auth required pam_google_authenticator line in /etc/pam.d/sshd.

    Two consequences of this line are worth knowing before you test. Because it is required and has no nullok option, every account that logs in over SSH must have run google-authenticator; an account without a ~/.google_authenticator file will be refused, which is what you want for a single-user Pi. And PAM’s auth stack only runs for password and keyboard-interactive logins: a public key in ~/.ssh/authorized_keys would log in without ever being asked for a token. If you later add keys and still want the token, set AuthenticationMethods publickey,keyboard-interactive in /etc/ssh/sshd_config so sshd chains the two.
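    The PAM line only covers logins that pass through PAM’s auth stack, and its prompts only reach the client if sshd’s keyboard-interactive authentication is on, so it is worth checking the two files together rather than trusting one successful test login. The function below is an added example, not code from the original article: it reads /etc/pam.d/sshd and sshd_config (both paths are arguments; the sample files it is exercised on are constructed) and reports the configurations in which a login could skip the token. Function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: verify that sshd and PAM really
# require the TOTP token on every SSH authentication path.

# Effective value of an sshd_config keyword (rest of the line). sshd honours the
# first uncommented occurrence, so stop at the first match.
sshd_value() {
  awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
    'tolower($1) == k { v = $0; sub(/^[ \t]*[^ \t]+[ \t]+/, "", v); print v; exit }' "$1"
}

# check_2fa_enforced SSHD_CONFIG PAM_SSHD
# Prints FAIL/WARN findings; returns 0 only when no FAIL was found.
check_2fa_enforced() {
  local sshd_cfg=$1 pam_cfg=$2 ok=0 pam_line usepam kbd pubkey methods alt

  # 1. The PAM module must be active and enforcing (not commented out, not 'sufficient').
  pam_line=$(grep -E '^[[:space:]]*auth[[:space:]]' "$pam_cfg" | grep pam_google_authenticator | head -n 1)
  case $pam_line in
    '') echo "FAIL: no active pam_google_authenticator line in $pam_cfg"; ok=1 ;;
    *required*|*requisite*) ;;
    *)  echo "FAIL: pam_google_authenticator is not 'required': $pam_line"; ok=1 ;;
  esac
  case $pam_line in
    *nullok*) echo "WARN: 'nullok' lets accounts without ~/.google_authenticator log in with a password alone" ;;
  esac

  # 2. sshd must hand logins to PAM and deliver PAM's prompts over
  #    keyboard-interactive (called ChallengeResponseAuthentication before OpenSSH 8.7).
  usepam=$(sshd_value "$sshd_cfg" UsePAM)
  [ "$usepam" = yes ] || { echo "FAIL: UsePAM is '${usepam:-unset}', must be yes"; ok=1; }
  kbd=$(sshd_value "$sshd_cfg" KbdInteractiveAuthentication)
  [ -n "$kbd" ] || kbd=$(sshd_value "$sshd_cfg" ChallengeResponseAuthentication)
  [ -n "$kbd" ] || kbd=yes                              # upstream default when neither is set
  [ "$kbd" = yes ] || { echo "FAIL: keyboard-interactive authentication is '$kbd', must be yes"; ok=1; }

  # 3. Public-key logins never run PAM's auth stack, so a key alone bypasses the
  #    token unless AuthenticationMethods chains keyboard-interactive after it.
  pubkey=$(sshd_value "$sshd_cfg" PubkeyAuthentication); pubkey=${pubkey:-yes}
  methods=$(sshd_value "$sshd_cfg" AuthenticationMethods)
  if [ -n "$methods" ]; then
    for alt in $methods; do                             # space-separated alternatives, each a comma list
      case $alt in
        *keyboard-interactive*) ;;
        *) echo "FAIL: AuthenticationMethods alternative '$alt' never asks for the token"; ok=1 ;;
      esac
    done
  elif [ "$pubkey" = yes ]; then
    echo "WARN: PubkeyAuthentication is on with no AuthenticationMethods; any key in authorized_keys logs in without a token"
  fi
  return "$ok"
}

# Run against the live files when they are readable (they are on a default Raspbian install).
if [ -r /etc/ssh/sshd_config ] && [ -r /etc/pam.d/sshd ]; then
  check_2fa_enforced /etc/ssh/sshd_config /etc/pam.d/sshd && echo "OK: every SSH login path asks for the token"
fi
```

    With the configuration described in this guide the check passes and prints only the public-key warning, which is harmless as long as the pi account has no authorized_keys. If you do add a key, adding AuthenticationMethods publickey,keyboard-interactive to sshd_config turns the warning off because the token is then demanded after the key.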

    7. Test SSH

    Now try to log in from another computer. You still need to specify your username and the port number you chose. When you try to log in now, you should be asked for a verification code. Check the Authenticator app on the phone for the current code. As I write this, it is 982657, so I enter that. Next I am asked for my password, and then I’m in!

    (Screenshot: Sweet success! So much winning!)

    Allow the SSH Port Through Your Router

    The whole reason for doing all this was to allow me to remotely access the Raspberry Pi when I’m not home, so now I need to make sure that connection attempts to my home network are directed to the Pi. Doing this is specific to your router, but the basic steps should be the same.

    These steps assume you know your home IP address. Ideally, you have a hostname that the internet domain name service (DNS) resolves to your actual IP address. Often your service provider will assign your home a name from their domain, and you can use that (but you will probably have to ask them what it is). It is also possible to register with a dynamic DNS service, such as DYN or No-IP. You can then configure your router to update the service whenever it gets a new IP address.

    1. Give the Pi a Reserved IP Address

    First I recommend you give your Pi a reserved IP address, so the port-forwarding rule in the next step keeps pointing at the right machine. On my router, there is a DHCP reservation page where I can check a box to add a reserved IP address. IP addresses are reserved by the network interface’s media access control (MAC) address, which your router knows about. This is a 48-bit number assigned to every network interface and intended to be unique.

    (Screenshot: Reserving some IP addresses for fictional MAC addresses)

    If you need to find the MAC address of a particular interface, it’s easy. At the prompt on the Pi, enter the following command to see the MAC address for the wireless interface (wlan0).

    cat /sys/class/net/wlan0/address

    Likewise, if you have the Pi plugged into a wired connection, do the following to see the MAC address for the wired interface (eth0).

    cat /sys/class/net/eth0/address

    2. Forward the Pi’s SSH Port Through the Router

    This is another router-specific action, but it is often located in a section on “Apps and Gaming.” Look for “single port forwarding,” and forward your SSH port (2222 in this case) to the same port on your Pi’s reserved IP address.

    (Screenshot: Forward packets on 2222 to the Pi)

    Now if you know your home IP address, you should be able to SSH into your Pi using your port, the current token, and your password. Congratulations! You can reach your Pi from (almost) anywhere in the world. Expect the port to be discovered by scanners eventually regardless of its number; from here on, the token requirement, the rate limit you enabled in google-authenticator, a strong password, and keeping Raspbian updated are what stand between the internet and your Pi.

    Translated from: https://medium.com/swlh/setting-up-ssh-and-2fa-on-a-raspberry-pi-4cd7b2f6f4ef

