How to set up password-less SSH login to Juniper SRX100/210 devices with PuTTY
Why log in to the device with an SSH RSA/DSA key pair:
The device checks that you hold the private key matching the public key stored for your account, which is a stronger identity check than a password. You also get to log in without typing a password, which is convenient when you need to log in and out of the system frequently. A DSA key still works on the JUNOS release shown here, but DSA is limited to 1024 bits and OpenSSH clients have disabled it by default since version 7.0, so use RSA keys of 2048 bits or more.
How do we create the SSH RSA/DSA keys?
Log in as root so that the file paths shown below resolve as written. Note that this procedure generates the key pair on the device itself, which means the private key later has to be copied off it; the cleaner option, and the one this article ends up using, is to generate the pair on your workstation with PuTTYgen and load only the public key onto the device.
root@srx100# set system services ssh ##enable the SSH service (commit, then return to operational mode)
root@srx100> start shell ##drop into the FreeBSD shell
root@srx100% ssh-keygen -t rsa ##generate the RSA key pair
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): ##set a passphrase for the key here, or press Enter twice for none (needed for password-less login unless the key is held by an agent such as PuTTY's Pageant)
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
91:6e:b9:52:fd:14:85:1e:8c:40:9a:7c:2d:c7:d4:0d root@SW_Jaffa_Monitor_104
root@srx100% exit
root@srx100> file list /root/.ssh
/root/.ssh:
id_rsa ##private key
id_rsa.pub ##public key
known_hosts ##host keys of servers this device has itself connected to over SSH
The private key produced by the command is used on the client side and the public key on the device side. Because the pair was generated on the SRX, the private key now sits on the device: copy it to your workstation over a trusted path and then delete it from the device. If you generate the pair with PuTTYgen instead, the private key never leaves your workstation.
root@srx100> file show /root/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDhWSRlTWogc6XC8JwpL7eHItrkjfb1q1lBIRUOoXgkDLwCrikhNLntEM21gnpYtQYiFzfEraqmFFtjLU8pwJu3dcIqRBxHuqDnFJivqAIwvCD2kUlk9p7AB1KbrlGz3CUrNZ7b3VNsgzDg4SN9jsWsTyty/QxXUvXWanCiw4Zgrg5o+o3IY9EMOjG/vu7SHpv0uHKHlm77hssOsKp/77VNn+wDDOFrS8gd5M9PpnUVSo3QeNHsUbtWFb66neRxJu6ZyE2sD1I4/4j+TLoWHQ7J6JPI5IGbkmzIQtkww06nqpuMrYnZYD1+KbcUTDcoml0zE3KSAhK/iGJNn+gmB8Ol root@srx100
root@srx100> file show /root/.ssh/known_hosts
BEQb1tCmqPQH6v7k0KjBP2IdQ/3wOTsxFXXOqF+gqc5oCDfMrujX1U1MEJhX0N+opYXc+NHxQZj+i6k9OM9l3fk= ##(first entry: the host name and key type were lost in the captured output)
55.55.55.1 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbm lzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEQb1tCmqPQH6v7k0KjBP2IdQ/3wOTsxFXXOqF+gqc5oCDfMrujX1U1MEJhX0N+opYXc+NHxQZj+i6k9OM9l3fk=
10.94.167.179 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHjIQzzZg3AwzRmqDw2Xm3Gg0c+TSBYA8sHL6M+VyLpvDpix6OV98vzko1DiJGWgauGIoPNQZN7BgVWanqu3+OI=
172.17.29.23 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAr/1tFtjkpyLZv1/YI0cBPFCdW3BB/oQt25yIZ0ZySr8Vmh32vdDlSYl4KEYBsrhDTvg0GOeN0cv3PIZUnOMiNjFFbKTMWv6MIaPI85PW88AI+3ZQD+MFW4bj5XEtUBYIdNsnvZMaNz+/MjrOMGxlZzwHDs7Yycb9aGntzoevbNs=
172.17.26.220 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAGEA1ggIAblzfun1ibv0THcEDtpiWgAz5NUOLgVBq9HgRYBvRdsO/dDs5uRDHETWdhLP62lMA1Xw/k8opYNKHYKG5Do4izP+zhNzqDFcJYDIQYHKQBuZByi4qrYiWtE0JVvH
root@srx100>
known_hosts records the host keys of machines this SRX has connected to as an SSH client; it plays no part in logging in to the SRX. Reading the length fields of the two ssh-rsa entries, the 172.17.29.23 host key is 1024 bits and the 172.17.26.220 key is 768 bits, both well below what current SSH implementations accept, so those hosts deserve new host keys.
Once the key exists, the following commands tie it to a user ID. They create an account called admin and attach the RSA public key to it.
root@srx100# set system login user admin uid 2002
root@srx100# set system login user admin class super-user
root@srx100# set system login user admin authentication plain-text-password ##prompts for a password; leave this out if the account should accept the key only
root@srx100# set system login user admin authentication load-key-file /root/.ssh/id_rsa.pub ##reads the public key file and stores the key in the configuration
After these statements are committed, Junos creates a home directory named after the user under /var/home (/cf/var/home on the SRX) and writes the key into .ssh/authorized_keys there:
root@srx100> file list /cf/var/home/admin/.ssh
/cf/var/home/admin/.ssh:
authorized_keys
authorized_keys2
root@srx100> file show /cf/var/home/admin/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEA5/qxR+0CXtENlubfdV2NNdYd9c4097V6Vrfklfn8qQaj43jVeabNqoLbBZalo83lq4bXwNX59v+pp1b+gG5RMeqE20N9tJ4WYcHbuqjOfCvfLmFlFxeskitrv+lc0teAmrWmVRJK+Z9XVW000rr/nZf6ZTKtRIPRHs9GzB5X6t+4Wz9atRwkZBrN7HY+YNfwxiALIE3UNM8WDX/kR3zmuPKfmvSPM/jn5zwFjBIfoSsbyVwR3fLm5uE/2EKdkzJl0raayWIzmTQCrBrxNN85IIlttaPe9NCH2ShNKWrOuVnMxYRSMj2/XOxXK2NTtTsiH8H/qCzosYwBhlaT0ESZ6w== rsa-key-20180215
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDhWSRlTWogc6XC8JwpL7eHItrkjfb1q1lBIRUOoXgkDLwCrikhNLntEM21gnpYtQYiFzfEraqmFFtjLU8pwJu3dcIqRBxHuqDnFJivqAIwvCD2kUlk9p7AB1KbrlGz3CUrNZ7b3VNsgzDg4SN9jsWsTyty/QxXUvXWanCiw4Zgrg5o+o3IY9EMOjG/vu7SHpv0uHKHlm77hssOsKp/77VNn+wDDOFrS8gd5M9PpnUVSo3QeNHsUbtWFb66neRxJu6ZyE2sD1I4/4j+TLoWHQ7J6JPI5IGbkmzIQtkww06nqpuMrYnZYD1+KbcUTDcoml0zE3KSAhK/iGJNn+gmB8Ol root@srx100
root@srx100>
(This capture was taken after the PuTTYgen key rsa-key-20180215 described further down had also been loaded, which is why two keys are listed.)
The key is now created and tied to the admin user, but when we try to log in with PuTTY we get this error:
Unable to use key file "D:\Juniper Firewalls-new-data\ssh\PuTTY\ssh\ppk\id_rsa.ppk" (not a private key)
login as:
The file name suggests the OpenSSH id_rsa was simply renamed to .ppk, but renaming does not change the format. A key generated this way works with OpenSSH-format clients such as ssh and scp, whereas PuTTY only reads its own .ppk format, so for PuTTY key authentication you need a key produced (or converted) by puttygen.exe, which you can download from the PuTTY website.
When we loaded the id_rsa private key generated on the srx100 into puttygen, it reported that it could not recognise the file's format. PuTTYgen's Conversions > Import key normally does read OpenSSH private keys, so a failure here usually means the file was altered while being copied off the device, for example by pasting it through a terminal session; check that it still starts with its BEGIN ... PRIVATE KEY header and has no wrapped or missing lines. Either way, the cleaner approach, shown next, is to generate the key pair in PuTTYgen and load the public key it produces onto the device.
[edit]
root@srx100# edit system login user admin authentication
[edit system login user admin authentication]
root@srx100# set ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEA5/qxR+0CXtENlubfdV2NNdYd9c4097V6Vrfklfn8qQaj43jVeabNqoLbBZalo83lq4bXwNX59v+pp1b+gG5RMeqE20N9tJ4WYcHbuqjOfCvfLmFlFxeskitrv+lc0teAmrWmVRJK+Z9XVW000rr/nZf6ZTKtRIPRHs9GzB5X6t+4Wz9atRwkZBrN7HY+YNfwxiALIE3UNM8WDX/kR3zmuPKfmvSPM/jn5zwFjBIfoSsbyVwR3fLm5uE/2EKdkzJl0raayWIzmTQCrBrxNN85IIlttaPe9NCH2ShNKWrOuVnMxYRSMj2/XOxXK2NTtTsiH8H/qCzosYwBhlaT0ESZ6w== rsa-key-20180215"
[edit system login user admin authentication]
root@srx100# commit
commit complete
[edit system login user admin authentication]
root@srx100# top
[edit]
The text inside the double quotes, "ssh-rsa ... rsa-key-20180215", is the public key exactly as PuTTYgen shows it in its "Public key for pasting into OpenSSH authorized_keys file" box: key type, base64 key and comment, all on one line. There must be no line break anywhere inside it (a break pasted in from a text editor splits the statement; Windows Word can display such paragraph marks if you need to find one). Use PuTTYgen to view the public key text rather than the saved public key file, which is wrapped over several lines.
We can also display the RSA public key stored on the srx100 with this command (/cf/root is the same directory as /root):
root@srx100# run file show /cf/root/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDhWSRlTWogc6XC8JwpL7eHItrkjfb1q1lBIRUOoXgkDLwCrikhNLntEM21gnpYtQYiFzfEraqmFFtjLU8pwJu3dcIqRBxHuqDnFJivqAIwvCD2kUlk9p7AB1KbrlGz3CUrNZ7b3VNsgzDg4SN9jsWsTyty/QxXUvXWanCiw4Zgrg5o+o3IY9EMOjG/vu7SHpv0uHKHlm77hssOsKp/77VNn+wDDOFrS8gd5M9PpnUVSo3QeNHsUbtWFb66neRxJu6ZyE2sD1I4/4j+TLoWHQ7J6JPI5IGbkmzIQtkww06nqpuMrYnZYD1+KbcUTDcoml0zE3KSAhK/iGJNn+gmB8Ol root@srx100
[edit]
root@srx100#
[edit]
root@srx100# show system login | no-more
user admin {
    uid 2002;
    class super-user;
    authentication {
        encrypted-password "$1$aHoc40rA$s9KPuwPOuq/fQugx/lVv1."; ## SECRET-DATA
        ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEA5/qxR+0CXtENlubfdV2NNdYd9c4097V6Vrfklfn8qQaj43jVeabNqoLbBZalo83lq4bXwNX59v+pp1b+gG5RMeqE20N9tJ4WYcHbuqjOfCvfLmFlFxeskitrv+lc0teAmrWmVRJK+Z9XVW000rr/nZf6ZTKtRIPRHs9GzB5X6t+4Wz9atRwkZBrN7HY+YNfwxiALIE3UNM8WDX/kR3zmuPKfmvSPM/jn5zwFjBIfoSsbyVwR3fLm5uE/2EKdkzJl0raayWIzmTQCrBrxNN85IIlttaPe9NCH2ShNKWrOuVnMxYRSMj2/XOxXK2NTtTsiH8H/qCzosYwBhlaT0ESZ6w== rsa-key-20180215"; ## SECRET-DATA
        ssh-dsa "ssh-dss ... dsa-key-20180215"; ## SECRET-DATA (DSA key text omitted here)
    }
}
[edit]
root@srx100#
This output shows that one account can carry several public keys at once (here an RSA key, a DSA key and a password). Each of them is an independent way in, so review them together: retire the DSA key in favour of RSA, and remember that an account which keeps a password next to its keys can still be attacked by password guessing, which is why the retry limits later in this article matter. The $1$ prefix of the encrypted-password marks an MD5-crypt hash, the format this JUNOS release produced; later releases can store SHA-based hashes instead (system login password format).
Loading the RSA private key in PuTTY. What you see when logging in to the device with an SSH RSA/DSA key:
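The two manual steps above, turning PuTTYgen's saved public key into the single quoted line that the set ssh-rsa statement needs and reading back which keys an account carries, can be scripted. The following Python is an added example and not code from the original article: it parses the PuTTYgen public key file (RFC 4716 format), emits the Junos set command, reports the key's type, size and SHA256 fingerprint so you can compare it with what PuTTYgen displays, and audits a show system login excerpt, flagging DSA and short RSA keys. The RSA key material is the rsa-key-20180215 public key from the article; the DSA blob and the show system login excerpt are constructed stand-ins, and the function and variable names are this example's own.

```python
"""Added example, not part of the original article: convert a PuTTYgen public key file
to the one-line form Junos needs, describe the key, and audit 'show system login'."""
import base64
import hashlib
import re
import struct

# Constructed sample input: a PuTTYgen "Save public key" file (RFC 4716 style).
# The key material is the rsa-key-20180215 public key shown in the article (a
# public key is not secret); the line wrapping is as captured there.
PUTTYGEN_PUB = """---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20180215"
AAAAB3NzaC1yc2EAAAABJQAAAQEA5/qxR+0CXtENlubfdV2NNdYd9c4097V6Vrfklfn8qQaj
43jVeabNqoLbBZalo83lq4bXwNX59v+pp1b+gG5RMeqE20N9tJ4WYcHbuqjOfCvfLmFlFxeskitrv+lc
0teAmrWmVRJK+Z9XVW000rr/nZf6ZTKtRIPRHs9GzB5X6t+4Wz9atRwkZBrN7HY+YNfwxiALIE3UNM8W
DX/kR3zmuPKfmvSPM/jn5zwFjBIfoSsbyVwR3fLm5uE/2EKdkzJl0raayWIzmTQCrBrxNN85IIlttaPe
9NCH2ShNKWrOuVnMxYRSMj2/XOxXK2NTtTsiH8H/qCzosYwBhlaT0ESZ6w==
---- END SSH2 PUBLIC KEY ----
"""

def _read_string(blob, pos):
    """One SSH wire-format string: 4-byte big-endian length, then the bytes."""
    (n,) = struct.unpack(">I", blob[pos:pos + 4])
    return blob[pos + 4:pos + 4 + n], pos + 4 + n

def parse_pubkey_blob(blob):
    """Type, size in bits, RSA exponent and SHA256 fingerprint of a raw key blob."""
    ktype, pos = _read_string(blob, 0)
    fields = []
    while pos < len(blob):
        field, pos = _read_string(blob, pos)
        fields.append(int.from_bytes(field, "big"))
    fp = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    info = {"type": ktype.decode(), "bits": None, "fingerprint": "SHA256:" + fp}
    if info["type"] == "ssh-rsa":    # fields are e, n
        info.update(bits=fields[1].bit_length(), e=fields[0])
    elif info["type"] == "ssh-dss":  # fields are p, q, g, y
        info["bits"] = fields[0].bit_length()
    return info

def describe(openssh_line):
    """parse_pubkey_blob() applied to a 'type base64 comment' line."""
    return parse_pubkey_blob(base64.b64decode(openssh_line.split()[1]))

def puttygen_to_openssh(text):
    """RFC 4716 / PuTTYgen public key file -> one 'type base64 comment' line."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    assert lines[0].startswith("---- BEGIN") and lines[-1].startswith("---- END"), "not RFC 4716"
    comment, b64 = "imported-key", []
    for line in lines[1:-1]:
        if ":" in line:  # a header line; base64 text never contains ':'
            name, _, value = line.partition(":")
            if name.strip().lower() == "comment":
                comment = value.strip().strip('"')
        else:
            b64.append(line)
    b64 = "".join(b64)
    ktype = parse_pubkey_blob(base64.b64decode(b64, validate=True))["type"]
    return f"{ktype} {b64} {comment}"

def junos_set_command(user, openssh_line):
    """The set statement; the quoted key must stay on exactly one line."""
    if any(c in openssh_line for c in '\r\n"'):
        raise ValueError("key line must not contain newlines or double quotes")
    ktype = openssh_line.split()[0]
    statement = "ssh-dsa" if ktype == "ssh-dss" else ktype  # Junos keyword per key type
    return f'set system login user {user} authentication {statement} "{openssh_line}"'

def _mpint(i):  # SSH mpint of a non-negative int (an extra leading zero byte is harmless)
    data = i.to_bytes(i.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(data)) + data

# Constructed ssh-dss blob (well-formed, not a usable key) standing in for the article's
# dsa-key-20180215 statement, whose key text is not reproduced there.
_FAKE_DSS = base64.b64encode(struct.pack(">I", 7) + b"ssh-dss" + _mpint((1 << 1023) | 1)
                             + _mpint((1 << 159) | 1) + _mpint(2) + _mpint(3)).decode()

# A 'show system login' excerpt modelled on the article's output.
SAMPLE_SHOW_SYSTEM_LOGIN = (
    "user admin {\n    uid 2002;\n    class super-user;\n    authentication {\n"
    f'        ssh-rsa "{puttygen_to_openssh(PUTTYGEN_PUB)}"; ## SECRET-DATA\n'
    f'        ssh-dsa "ssh-dss {_FAKE_DSS} dsa-key-20180215"; ## SECRET-DATA\n'
    "    }\n}\n")

def audit_login_config(show_output):
    """Every ssh-rsa/ssh-dsa statement per user, with weak or deprecated keys flagged."""
    findings, user = [], None
    for line in show_output.splitlines():
        if (m := re.match(r"\s*user (\S+) \{", line)):
            user = m.group(1)
        if not (m := re.search(r'(?:ssh-rsa|ssh-dsa) "([^"]+)"', line)):
            continue
        info, parts = describe(m.group(1)), m.group(1).split(maxsplit=2)
        weak = info["bits"] is not None and info["bits"] < 2048
        warnings = (["DSA key: 1024-bit only, disabled by default in OpenSSH 7.0+"]
                    if info["type"] == "ssh-dss" else [f"key is only {info['bits']} bits"] if weak else [])
        findings.append({"user": user, "comment": parts[2] if len(parts) > 2 else "",
                         **info, "warnings": warnings})
    return findings
```

Run junos_set_command("admin", puttygen_to_openssh(open("key.pub").read())) on the file PuTTYgen saved and paste the result into the CLI; compare describe()'s fingerprint with the one PuTTYgen shows before committing. audit_login_config() takes the text of show system login | no-more (one statement per line, as the CLI prints it) and returns one record per key, which is a quick way to find DSA keys and stray extra keys on super-user accounts.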
login as: admin
Authenticating with public key "rsa-key-20180215"
--- JUNOS 12.1X44-D15.5 built 2013-06-06 18:07:29 UTC
admin@srx100> ##only the user name was entered; no password was needed

login as: admin
Authenticating with public key "rsa-key-20180215"
Passphrase for key "rsa-key-20180215": ##enter the key's passphrase here
--- JUNOS 12.1X44-D15.5 built 2013-06-06 18:07:29 UTC
admin@srx100> ##if a passphrase was set when the key was generated, it must be entered to log in

login as: admin
Authenticating with public key "dsa-key-20180215"
--- JUNOS 12.1X44-D15.5 built 2013-06-06 18:07:29 UTC
admin@srx100>

login as: admin
Authenticating with public key "dsa-key-20180215"
Passphrase for key "dsa-key-20180215":
Wrong passphrase ##shown when the passphrase is mistyped
Passphrase for key "dsa-key-20180215":
--- JUNOS 12.1X44-D15.5 built 2013-06-06 18:07:29 UTC
admin@srx100>
SSH RSA/DSA key files are deleted during a software upgrade or downgrade. The files id_rsa and id_rsa.pub under /root/.ssh were created locally and are not part of the configuration, so the upgrade or downgrade does not restore them. Copy the contents of /root/.ssh somewhere safe beforehand and put them back afterwards. The ssh-rsa statements that load-key-file or set ssh-rsa placed in the configuration (visible in show system login above) are part of the configuration and survive the upgrade, so key login itself keeps working; the following command only needs to be run again if you have to load a key from a file once more:
root@Juniper# set system login user <userid> authentication load-key-file /root/.ssh/id_rsa.pub
Restricting SSH and telnet access to the address 192.168.10.10 and the subnet 192.168.11.0/24.
We use a firewall filter to do this.
edit firewall filter deny-ssh
## term 1: any source other than 192.168.10.10 and 192.168.11.0/24 that tries to reach the SSH or telnet port is logged and discarded
set term 1 from source-address 0/0
set term 1 from source-address 192.168.10.10 except
set term 1 from source-address 192.168.11.0/24 except
set term 1 from destination-port ssh
set term 1 from destination-port telnet
set term 1 then log discard ##essential: a term with a from clause but no then clause accepts what it matches
## term 2: everything that did not match term 1 is allowed through
set term 2 then accept
## apply the filter deny-ssh as an input filter on interface fe-0/0/0.0
set interfaces fe-0/0/0 unit 0 family inet filter input deny-ssh
## allow SSH to the device itself on fe-0/0/0.0 (telnet is deliberately not enabled)
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ssh
Two things to check before committing. First, add from protocol tcp to term 1: a port match is only meaningful for TCP and UDP, and Juniper recommends pairing destination-port with a protocol match. Second, as written the term matches on destination port alone, so it also discards SSH and telnet that merely transit the SRX through fe-0/0/0.0 on the way to hosts behind it; if that is not intended, add from destination-address with the SRX's own interface address, or apply the filter to lo0 instead, where only traffic destined for the SRX itself is seen. Note also that on the SRX the zone's host-inbound-traffic list is a second gate: SSH to the device is refused on an interface unless system-services ssh is listed there, even when the firewall filter lets the packet through, and leaving telnet off that list (and set system services telnet unconfigured) keeps clear-text management closed.
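Before committing a filter like deny-ssh it is worth walking a few packets through it by hand. The following Python is an added example, not code from the original article or from Juniper: it models how Junos evaluates the deny-ssh filter above (terms tried in order, first match wins, longest-prefix except handling, and the rule that a term with a from clause but no then clause accepts what it matches) and runs the same packets through three variants: term 1 with its then log discard line forgotten, the filter exactly as configured above, and a tightened version with protocol tcp and a destination-address match. The address 203.0.113.1, taken here as the SRX's own fe-0/0/0.0 address, and the 198.51.100.7 and 10.0.0.9 hosts are assumptions of the example.

```python
"""Added example, not part of the original article: a small model of how Junos
evaluates the deny-ssh filter above, for checking it before commit. It reproduces
two Junos rules: terms are tried in order and the first match wins, and a term with
a 'from' clause but no 'then' clause accepts what it matches. The data structures
and the address 203.0.113.1 (taken as the SRX's own fe-0/0/0.0 address) are
assumptions of this example, not Junos code. Standard library only."""
import ipaddress

SSH, TELNET, TCP, UDP = 22, 23, "tcp", "udp"

def _prefixes(spec):
    """'192.168.10.10 except' -> (192.168.10.10/32, True); '0/0' -> (0.0.0.0/0, False)."""
    out = []
    for item in spec or []:
        exc = item.endswith(" except")
        addr = item[:-len(" except")] if exc else item
        out.append((ipaddress.ip_network("0.0.0.0/0" if addr == "0/0" else addr), exc))
    return out

def term(name, src=None, dst=None, ports=None, proto=None, then=None):
    """One filter term: address/port/protocol match conditions plus its action."""
    return {"name": name, "src": _prefixes(src), "dst": _prefixes(dst),
            "ports": set(ports or ()), "proto": proto, "then": then}

def _addr_matches(prefixes, ip):
    """Junos longest-prefix rule: the most specific listed prefix decides, and the
    match fails when that prefix is marked 'except'."""
    best = None
    for net, exc in prefixes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, exc)
    return best is not None and not best[1]

def evaluate(filter_terms, pkt):
    """(term name, action) for a packet dict with src, dst, proto and dport."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    for t in filter_terms:
        if t["src"] and not _addr_matches(t["src"], src):
            continue
        if t["dst"] and not _addr_matches(t["dst"], dst):
            continue
        if t["ports"] and pkt["dport"] not in t["ports"]:
            continue
        if t["proto"] and pkt["proto"] != t["proto"]:
            continue
        return t["name"], t["then"] or "accept"  # no 'then' means accept in Junos
    return None, "discard"                       # implicit discard at the end of a filter

ADMIN_SOURCES = ["0/0", "192.168.10.10 except", "192.168.11.0/24 except"]

# Term 1 with its match conditions only: what you get if 'then log discard' is forgotten.
FILTER_MISSING_THEN = [term("1", src=ADMIN_SOURCES, ports={SSH, TELNET}),
                       term("2", then="accept")]
# The filter as configured above, with 'set term 1 then log discard'.
FILTER_ARTICLE = [term("1", src=ADMIN_SOURCES, ports={SSH, TELNET}, then="discard"),
                  term("2", then="accept")]
# Tightened: TCP only, and only sessions addressed to the SRX itself, so SSH/telnet
# merely transiting the SRX is left to the security policies.
FILTER_TIGHTENED = [term("1", src=ADMIN_SOURCES, dst=["203.0.113.1"], proto=TCP,
                         ports={SSH, TELNET}, then="discard"),
                    term("2", then="accept")]

def packet(src, dst, dport, proto=TCP):
    return {"src": src, "dst": dst, "dport": dport, "proto": proto}

if __name__ == "__main__":
    cases = {"stranger -> SRX ssh": packet("198.51.100.7", "203.0.113.1", SSH),
             "admin host -> SRX ssh": packet("192.168.10.10", "203.0.113.1", SSH),
             "admin subnet -> SRX telnet": packet("192.168.11.40", "203.0.113.1", TELNET),
             "stranger -> SRX https": packet("198.51.100.7", "203.0.113.1", 443),
             "stranger -> host behind SRX ssh": packet("198.51.100.7", "10.0.0.9", SSH)}
    for label, pkt in cases.items():
        v = [evaluate(f, pkt)[1] for f in (FILTER_MISSING_THEN, FILTER_ARTICLE, FILTER_TIGHTENED)]
        print(f"{label:34} missing-then={v[0]:8} article={v[1]:8} tightened={v[2]}")
```

The first variant is the trap: with no then clause, term 1 matches the stranger's SSH packet and accepts it, so the filter silently does nothing. The article's version discards it, but also discards SSH from the stranger to 10.0.0.9 behind the SRX; the tightened version leaves that decision to the security policies. The model covers only the match types used in this filter, which is all that is needed to sanity-check it.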
To configure login retry limits for telnet and SSH access, as protection against password brute forcing:
user@host# edit system login retry-options
user@host# set tries-before-disconnect 6 ##failed attempts allowed before the connection is closed (1-10)
user@host# set backoff-factor 5 ##seconds added to the delay after each failed attempt once backoff-threshold (default 2) is reached (5-10, default 5)
user@host# set maximum-time 30 ##seconds the login prompt waits for a user name and password before disconnecting (20-300, default 120)
user@host# top
user@host# commit
Changing the HTTP and HTTPS port numbers of web management (J-Web):
set system services web-management http port 1180 ##default 80
set system services web-management https port 11443 ##default 443
Moving the ports only hides J-Web from casual scans. Restrict it with the same source-address filtering used for SSH above, and do not leave plain HTTP management enabled on an untrusted interface.
As for changing the telnet and SSH port numbers: ScreenOS (SSG, NetScreen) has explicit commands for this, but the JUNOS release used here (SRX and J-series) has no equivalent. You can get the same effect with destination NAT, mapping an external address and port onto the telnet or SSH port of the device, so that the service answers on a different port from the outside. Treat this as obscurity rather than a control: the filter and retry limits above are what actually restrict access.
Other SSH hardening settings (entered in the SRX CLI, for example through your PuTTY session):
set system services ssh root-login deny ##no direct root login over SSH; use a named super-user account instead (root was only needed above for the shell)
set system services ssh connection-limit 5 ##at most 5 concurrent SSH sessions
set system services ssh protocol-version v2
set system services ssh key-exchange ecdh-sha2-nistp521
set system services ssh hostkey-algorithm ssh-rsa
set system services ssh ciphers aes256-cbc ##CBC is the weakest of the modern modes; prefer aes256-ctr, or aes256-gcm@openssh.com where the release offers it, and make sure PuTTY's cipher list includes the one you pick
set system services ssh macs hmac-sha2-256
set system ports console log-out-on-disconnect ##end the console session when the cable is unplugged
commit
Also consider set system services ssh rate-limit <n>, which caps the number of SSH connection attempts accepted per minute, and combine these settings with the retry-options above. After committing a restricted cipher, key-exchange or MAC list, keep one session open and test a fresh PuTTY login before closing it, so a client that no longer negotiates cannot lock you out.
Please refer to the following links: