How to use SSH keys with Windows on Azure

This article is for Windows users who want to create and use secure shell (SSH) keys to connect to Linux virtual machines (VMs) in Azure.

To use SSH keys from a Linux or macOS client, see the quick steps. For a more detailed overview of SSH, see Detailed steps: Create and manage SSH keys for authentication to a Linux VM in Azure.

Overview of SSH and keys

SSH is an encrypted connection protocol that allows secure sign-ins over unsecured connections. SSH is the default connection protocol for Linux VMs hosted in Azure. Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. We recommend connecting to a VM over SSH using a public-private key pair, also known as SSH keys.

The public-private key pair is like the lock on your front door. The lock is exposed to the public; anyone with the right key can open the door. The key is private, and only given to people you trust, because it can be used to unlock the door.

  • The public key is placed on your Linux VM when you create the VM.

  • The private key remains on your local system. Protect this private key. Do not share it.

When you connect to your Linux VM, the VM tests the SSH client to make sure it has the correct private key. If the client has the private key, it's granted access to the VM.

Depending on your organization's security policies, you can reuse a single key pair to access multiple Azure VMs and services. You do not need a separate pair of keys for each VM.

Your public key can be shared with anyone, but only you (or your local security infrastructure) should have access to your private key.

Supported SSH key formats

Azure currently supports SSH protocol 2 (SSH-2) RSA public-private key pairs with a minimum length of 2048 bits. Other key formats such as ED25519 and ECDSA are not supported.

SSH clients

Recent versions of Windows 10 include OpenSSH client commands to create and use SSH keys and make SSH connections from PowerShell or a command prompt. This is the easiest way to create an SSH connection to your Linux VM from a Windows computer.

You can also install the Windows Subsystem for Linux to connect to your VM over SSH and use other native Linux tools within a Bash shell.

Create an SSH key pair

Create an SSH key pair using the ssh-keygen command. Enter a filename, or use the default shown in parentheses (for example C:\Users\username/.ssh/id_rsa). Enter a passphrase for the file, or leave the passphrase blank if you do not want to use a passphrase.

# -m PEM writes the private key in PEM format; -t rsa -b 4096 gives an RSA key above Azure's 2048-bit minimum
ssh-keygen -m PEM -t rsa -b 4096

Create a VM using your key

To create a Linux VM that uses SSH keys for authentication, provide your SSH public key when creating the VM.

Using the Azure CLI, you specify the path and filename for the public key using az vm create and the --ssh-key-value parameter.

az vm create \
   --resource-group myResourceGroup \
   --name myVM \
   --image UbuntuLTS \
   --admin-username azureuser \
   --ssh-key-value ~/.ssh/id_rsa.pub

With PowerShell, use New-AzVM and add the SSH key to the VM configuration using `. For an example, see Quickstart: Create a Linux virtual machine in Azure with PowerShell.

Connect to your VM

With the public key deployed on your Azure VM and the private key on your local system, SSH to your VM using the IP address or DNS name of your VM. Replace azureuser and 10.111.12.123 in the following command with the administrator user name, the IP address (or fully qualified domain name), and the path to your private key:

# -i takes the private key (id_rsa), not the .pub file that was uploaded to the VM
ssh -i ~/.ssh/id_rsa azureuser@10.111.12.123

If you configured a passphrase when you created your key pair, enter the passphrase when prompted.
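As an added example that is not part of the original article, the following script (hypothetical name keycheck.sh) checks a key pair against the rules above before you pass it to az vm create or ssh -i: an RSA public key of at least 2048 bits, and a private key in the PEM format that ssh-keygen -m PEM writes. It assumes only base64, od and awk are available, and the key paths are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): validates a key pair against
# the requirements the article states before it is handed to az vm create.
# Checks: RSA public key of at least 2048 bits, and a private key in the PEM
# format that "ssh-keygen -m PEM" writes. Needs only base64, od and awk.

# Big-endian uint32 at byte offset $2 of file $1.
u32_at() {
  set -- $(od -An -v -tu1 -j "$2" -N 4 "$1")
  echo $(( ( ($1 * 256 + $2) * 256 + $3 ) * 256 + $4 ))
}

# Print "<type> <bits>" for the first line of an OpenSSH public key file.
ssh_pubkey_info() {
  keytype=$(awk 'NR==1 {print $1}' "$1")
  if [ "$keytype" != "ssh-rsa" ]; then echo "$keytype 0"; return 0; fi
  blob=$(mktemp)
  awk 'NR==1 {print $2}' "$1" | base64 -d > "$blob"
  # RFC 4253 wire format: string "ssh-rsa", mpint e, mpint n; every field is a
  # uint32 length followed by that many bytes. Skip the type string and e.
  off=$((4 + $(u32_at "$blob" 0)))
  off=$((off + 4 + $(u32_at "$blob" $off)))
  nlen=$(u32_at "$blob" $off)
  first=$(od -An -v -tu1 -j $((off + 4)) -N 1 "$blob" | tr -d ' ')
  rm -f "$blob"
  # A leading 0x00 byte is mpint sign padding, not part of the modulus; for
  # keys ssh-keygen generates the top bit is set, so bytes*8 is the bit length.
  if [ "$first" = "0" ]; then nlen=$((nlen - 1)); fi
  echo "ssh-rsa $((nlen * 8))"
}

# True when the private key is PEM (the -m PEM output); a .pub file passed by
# mistake, or the newer OPENSSH container format, is rejected.
ssh_privkey_is_pem() {
  head -n 1 "$1" | grep -q '^-----BEGIN RSA PRIVATE KEY-----$'
}

# True when the pair meets the article's Azure requirements.
azure_keypair_ok() {
  info=$(ssh_pubkey_info "$1")
  [ "${info% *}" = "ssh-rsa" ] && [ "${info#* }" -ge 2048 ] && ssh_privkey_is_pem "$2"
}

# Usage: keycheck.sh ~/.ssh/id_rsa.pub ~/.ssh/id_rsa
if [ "$#" -eq 2 ]; then
  azure_keypair_ok "$1" "$2" && echo "key pair OK: $(ssh_pubkey_info "$1")" \
    || { echo "key pair does not meet Azure requirements"; exit 1; }
fi
```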

If the VM is using the just-in-time access policy, you need to request access before you can connect to the VM. For more information about the just-in-time policy, see Manage virtual machine access using the just in time policy.

Next steps