更安全地使用密钥 -- SSH Agent

越来越多的应用使用非对称加密来传输数据,例如我经常会用到的OpenSSH。它提供一组私钥和公钥。公钥就像是一把锁,用来加密数据,不能用来解密数据,可以随便交给他人。私钥就像钥匙,可以解密数据,但无法加密数据。

但在使用远程主机的某些程序时,我却经常需要本地机器的密钥来授权。最简单的做法就是将密钥手动粘贴过去,但这种做法却很危险。首先,远程主机暴露在公网中,会遭受大量攻击,而本地主机几乎不会被攻击。再者,粘贴行为需要进行网络传输,那么它就并不能保证绝对安全。最后也是最危险的一点,这么做会在剪贴板留下痕迹,而现在很多APP会监听剪贴板,你无法保证这些应用不含恶意代码。

推荐的做法

1.添加代理密钥

1
$ ssh-add -K ~/.ssh/id_rsa

2.使用Agent

1
$ ssh -A root@remotehost

翻开 man ssh,可以看到对这个参数的详细描述

1
2
3
4
5
6
7

 -A     Enables forwarding of connections from an authentication agent such as ssh-agent(1).  This can also be specified on a per-host basis in a configuration file.

        Agent forwarding should be enabled with caution.  Users with the ability to bypass file permissions on the remote host (for the agent's UNIX-domain socket) can access the local agent through the forwarded connection.  An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent.  A safer alternative may be to use a jump host (see -J).

-a      Disables forwarding of the authentication agent connection.

或者,在 ~/.ssh/config 进行以下配置,以省略 -A 参数:

1
2
3
4
5
Host Robert
 HostName remotehost
 User root
 ...
 forwardAgent yes

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

                  jsonContent:
                meta: false
                pages: false
                posts:
                  title: true
                  date: true
                  path: true
                  text: false
                  raw: false
                  content: false
                  slug: false
                  updated: false
                  comments: false
                  link: false
                  permalink: false
                  excerpt: false
                  categories: false
                  tags: true