快速步骤:创建和使用适用于 Azure 中 Linux VM 的 SSH 公钥-私钥对Quick steps: Create and use an SSH public-private key pair for Linux VMs in Azure

使用安全外壳 (SSH) 密钥对,可以创建使用 SSH 密钥进行身份验证的 Azure 虚拟机 (VM)。With a secure shell (SSH) key pair, you can create virtual machines (VMs) in Azure that use SSH keys for authentication. 本文介绍如何快速生成和使用适用于 Linux VM 的 SSH 公钥-私钥文件对。This article shows you how to quickly generate and use an SSH public-private key file pair for Linux VMs. 可以使用 Azure 本地 Shell、macOS 或 Linux 主机完成这些步骤。You can complete these steps with the Azure local Shell, a macOS or Linux host.

备注

使用 SSH 密钥创建的 VM 默认配置为禁用密码,这极大地增加了暴力破解猜测攻击的难度。VMs created using SSH keys are by default configured with passwords disabled, which greatly increases the difficulty of brute-force guessing attacks.

有关详细背景和示例,请参阅创建 SSH 密钥对的详细步骤For more background and examples, see Detailed steps to create SSH key pairs.

有关在 Windows 计算机上生成和使用 SSH 密钥的其他方式,请参阅如何在 Azure 上将 SSH 密钥与 Windows 配合使用For additional ways to generate and use SSH keys on a Windows computer, see How to use SSH keys with Windows on Azure.

受支持的 SSH 密钥格式Supported SSH key formats

Azure 目前支持最小长度为 2048 位的 SSH 协议 2 (SSH-2) RSA 公钥-私钥对。Azure currently supports SSH protocol 2 (SSH-2) RSA public-private key pairs with a minimum length of 2048 bits. 不支持其他密钥格式(如 ED25519 和 ECDSA)。Other key formats such as ED25519 and ECDSA are not supported.

创建 SSH 密钥对Create an SSH key pair

使用 ssh-keygen 命令生成 SSH 公钥和私钥文件。Use the ssh-keygen command to generate SSH public and private key files. 默认情况下,这些文件在 ~/.ssh 目录中创建。By default, these files are created in the ~/.ssh directory. 可以指定不同的位置,并指定可选的密码(通行短语)用于访问私钥文件。You can specify a different location, and an optional password (passphrase) to access the private key file. 如果给定的位置存在同名的 SSH 密钥对,则会覆盖这些文件。If an SSH key pair with the same name exists in the given location, those files are overwritten.

以下命令使用 RSA 加密和 4096 位长度创建 SSH 密钥对:The following command creates an SSH key pair using RSA encryption and a bit length of 4096:

ssh-keygen -m PEM -t rsa -b 4096

如果通过 Azure CLI 使用 az vm create 命令创建 VM,可以使用 --generate-ssh-keys 选项生成 SSH 公钥和私钥文件。If you use the Azure CLI to create your VM with the az vm create command, you can optionally generate SSH public and private key files using the --generate-ssh-keys option. 除非使用 --ssh-dest-key-path 选项另行指定,否则将在 ~/.ssh 目录中存储密钥文件。The key files are stored in the ~/.ssh directory unless specified otherwise with the --ssh-dest-key-path option. 如果已存在 ssh 密钥对且使用的是 --generate-ssh-keys 选项,则不会生成新的密钥对,而是会使用现有的密钥对。If an ssh key pair already exists and the --generate-ssh-keys option is used, a new key pair will not be generated but instead the existing key pair will be used. 在以下命令中,请将 VMnameRGname 替换为自己的值:In the following command, replace VMname and RGname with your own values:

备注

在 Azure China 中使用 Azure CLI 2.0 之前,请首先运行 az cloud set -n AzureChinaCloud 更改云环境。Before you can use Azure CLI 2.0 in Azure China, please run az cloud set -n AzureChinaCloud first to change the cloud environment. 如果要切换回全局 Azure,请再次运行 az cloud set -n AzureCloudIf you want to switch back to Global Azure, run az cloud set -n AzureCloud again.

az vm create --name VMname --resource-group RGname --image UbuntuLTS --generate-ssh-keys 

部署 VM 时提供 SSH 公钥Provide an SSH public key when deploying a VM

若要创建使用 SSH 密钥进行身份验证的 Linux VM,请在使用 Azure 门户、Azure CLI、Azure 资源管理器模板或其他方法创建 VM 时指定 SSH 公钥:To create a Linux VM that uses SSH keys for authentication, specify your SSH public key when creating the VM using the Azure portal, Azure CLI, Azure Resource Manager templates, or other methods:

如果你不熟悉 SSH 公钥的格式,可使用以下 cat 命令显示公钥(请根据需要,将 ~/.ssh/id_rsa.pub 替换为自己的公钥文件的路径和文件名):If you're not familiar with the format of an SSH public key, you can display your public key with the following cat command, replacing ~/.ssh/id_rsa.pub with the path and filename of your own public key file if needed:

cat ~/.ssh/id_rsa.pub

典型的公钥值如此示例所示:A typical public key value looks like this example:

ssh-rsa AAAAB3NzaC1yc2EAABADAQABAAACAQC1/KanayNr+Q7ogR5mKnGpKWRBQU7F3Jjhn7utdf7Z2iUFykaYx+MInSnT3XdnBRS8KhC0IP8ptbngIaNOWd6zM8hB6UrcRTlTpwk/SuGMw1Vb40xlEFphBkVEUgBolOoANIEXriAMvlDMZsgvnMFiQ12tD/u14cxy1WNEMAftey/vX3Fgp2vEq4zHXEliY/sFZLJUJzcRUI0MOfHXAuCjg/qyqqbIuTDFyfg8k0JTtyGFEMQhbXKcuP2yGx1uw0ice62LRzr8w0mszftXyMik1PnshRXbmE2xgINYg5xo/ra3mq2imwtOKJpfdtFoMiKhJmSNHBSkK7vFTeYgg0v2cQ2+vL38lcIFX4Oh+QCzvNF/AXoDVlQtVtSqfQxRVG79Zqio5p12gHFktlfV7reCBvVIhyxc2LlYUkrq4DHzkxNY5c9OGSHXSle9YsO3F1J5ip18f6gPq4xFmo6dVoJodZm9N0YMKCkZ4k1qJDESsJBk2ujDPmQQeMjJX3FnDXYYB182ZCGQzXfzlPDC29cWVgDZEXNHuYrOLmJTmYtLZ4WkdUhLLlt5XsdoKWqlWpbegyYtGZgeZNRtOOdN6ybOPJqmYFd2qRtb4sYPniGJDOGhx4VodXAjT09omhQJpE6wlZbRWDvKC55R2d/CSPHJscEiuudb+1SG2uA/oik/WQ== username@domainname

如果复制并粘贴要在 Azure 门户或资源管理器模板中使用的公钥文件的内容,请务必不要复制任何尾部空格。If you copy and paste the contents of the public key file to use in the Azure portal or a Resource Manager template, make sure you don't copy any trailing whitespace. 若要在 macOS 中复制公钥,可以通过管道将公钥文件传递给 pbcopyTo copy a public key in macOS, you can pipe the public key file to pbcopy. 类似地,在 Linux 中,可以通过管道将公钥文件传递给 xclip 等程序。Similarly in Linux, you can pipe the public key file to programs such as xclip.

放置在 Azure 中 Linux VM 上的公钥默认存储在 ~/.ssh/id_rsa.pub 中,除非在创建密钥对时指定了不同的位置。The public key that you place on your Linux VM in Azure is by default stored in ~/.ssh/id_rsa.pub, unless you specified a different location when you created the key pair. 若要借助现有公钥使用 Azure CLI 2.0 创建 VM,请结合 --ssh-key-values 选项使用 az vm create 命令,来指定此公钥的值和(可选的)位置。To use the Azure CLI 2.0 to create your VM with an existing public key, specify the value and optionally the location of this public key using the az vm create command with the --ssh-key-values option. 在下面的命令中,将 myVM、myResourceGroup、UbuntuLTS、azureuser 和 mysshkey.pub 替换为自己的值 :In the following command, replace myVM, myResourceGroup, UbuntuLTS, azureuser, and mysshkey.pub with your own values:

az vm create \
  --resource-group myResourceGroup \
  --name myVM \
  --image UbuntuLTS \
  --admin-username azureuser \
  --ssh-key-values mysshkey.pub

如果希望在 VM 中使用多个 SSH 密钥,可以空格分隔列表的形式输入它们,如此 (--ssh-key-values sshkey-desktop.pub sshkey-laptop.pub) 所示。If you want to use multiple SSH keys with your VM, you can enter them in a space-separated list, like this --ssh-key-values sshkey-desktop.pub sshkey-laptop.pub.

通过 SSH 连接到 VMSSH into your VM

凭借部署在 Azure VM 上的公钥和本地系统上的私钥,使用 VM 的 IP 地址或 DNS 名称通过 SSH 连接到 VM。With the public key deployed on your Azure VM, and the private key on your local system, SSH into your VM using the IP address or DNS name of your VM. 在以下命令中,请将 azureusermyvm.chinanorth.cloudapp.chinacloudapi.cn 替换为管理员用户名和完全限定的域名(或 IP 地址):In the following command, replace azureuser and myvm.chinanorth.cloudapp.chinacloudapi.cn with the administrator user name and the fully qualified domain name (or IP address):

ssh azureuser@myvm.chinanorth.cloudapp.chinacloudapi.cn

如果在创建密钥对时指定了通行短语,则在登录过程中看到提示时,请输入该通行短语。If you specified a passphrase when you created your key pair, enter that passphrase when prompted during the login process. VM 将添加到 ~/.ssh/known_hosts 文件。系统不会要求再次进行连接,除非更改了 Azure VM 上的公钥,或者从 ~/.ssh/known_hosts 中删除了服务器名称。The VM is added to your ~/.ssh/known_hosts file, and you won't be asked to connect again until either the public key on your Azure VM changes or the server name is removed from ~/.ssh/known_hosts.

如果 VM 使用的是实时访问策略,则需要先请求访问权限,然后才能连接到 VM。If the VM is using the just-in-time access policy, you need to request access before you can connect to the VM. 有关实时策略的详细信息,请参阅使用实时策略管理虚拟机访问For more information about the just-in-time policy, see Manage virtual machine access using the just in time policy.

后续步骤Next steps