How to use SSH keys with Windows on Azure

This article describes ways to generate and use secure shell (SSH) keys on a Windows computer to create and connect to a Linux virtual machine (VM) in Azure. To use SSH keys from a Linux or macOS client, see the quick or detailed guidance.

Overview of SSH and keys

SSH is an encrypted connection protocol that allows secure sign-ins over unsecured connections. SSH is the default connection protocol for Linux VMs hosted in Azure. Although SSH itself provides an encrypted connection, using passwords with SSH connections still leaves the VM vulnerable to brute-force attacks or guessing of passwords. A more secure and preferred method of connecting to a VM using SSH is a public-private key pair, also known as SSH keys.

  • The public key is placed on your Linux VM, or on any other service that you wish to use with public-key cryptography.

  • The private key remains on your local system. Protect this private key. Do not share it.

When you use an SSH client to connect to your Linux VM (which has the public key), the remote VM tests the client to make sure it possesses the private key. If the client has the private key, it is granted access to the VM.

Depending on your organization's security policies, you can reuse a single public-private key pair to access multiple Azure VMs and services. You do not need a separate pair of keys for each VM or service you wish to access.

Your public key can be shared with anyone, but only you (or your local security infrastructure) should possess your private key.

Supported SSH key formats

Azure currently supports SSH protocol 2 (SSH-2) RSA public-private key pairs with a minimum length of 2048 bits. Other key formats such as ED25519 and ECDSA are not supported.

Windows packages and SSH clients

You connect to and manage Linux VMs in Azure using an SSH client. Computers running Linux or macOS usually have a suite of SSH commands to generate and manage SSH keys and to make SSH connections.

Windows computers do not always have comparable SSH commands installed. Recent versions of Windows 10 provide OpenSSH client commands to create and manage SSH keys and to make SSH connections from a command prompt. Recent Windows 10 versions also include the Windows Subsystem for Linux, which runs utilities such as an SSH client natively within a Bash shell.

Other common Windows SSH clients you can install locally are included in the following packages:

You can also use the SSH utilities available in Bash in the Azure Cloud Shell.

Create an SSH key pair

The following sections describe two options to create an SSH key pair on Windows. You can use a shell command (ssh-keygen) or a GUI tool (PuTTYgen). Also note that when you create a key with PowerShell, upload the public key in ssh.com (SECSH) format. When you use the CLI, convert the key into OpenSSH format before uploading it.

Create SSH keys with ssh-keygen

If you run a command shell on Windows that supports SSH client tools (or you use Azure Cloud Shell), create an SSH key pair using the ssh-keygen command. Type the following command and answer the prompts. If an SSH key pair already exists in the chosen location, those files are overwritten.

ssh-keygen -t rsa -b 2048

For more background and information, see the quick or detailed steps to create SSH keys using ssh-keygen.
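The two format requirements stated above (SSH-2 RSA with a modulus of at least 2048 bits, and public keys uploaded either as an OpenSSH one-liner or in ssh.com/SECSH format) are easy to get wrong when a key was produced by a different tool. The following added example, which is not part of the Azure article or of any Microsoft tooling, parses an OpenSSH public key line in its real wire format (RFC 4253 string/mpint fields), reports whether it meets those requirements, and converts between the OpenSSH line format and the RFC 4716 (ssh.com / SECSH) text format in both directions. All function names are this example's own, and the three sample keys are constructed blobs with placeholder moduli rather than real key material.

```python
"""Check an OpenSSH public key line against the requirements stated in the
article (SSH-2 RSA, modulus >= 2048 bits) and convert between the OpenSSH
one-line format and the RFC 4716 / ssh.com (SECSH) format.

Standard library only. The sample keys at the bottom are constructed
wire-format blobs (hypothetical values), not generated keys.
"""
import base64
import struct

MIN_RSA_BITS = 2048  # minimum RSA length the article says Azure accepts


def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """SSH wire 'mpint' (RFC 4251): big-endian, extra 0x00 if the top bit is set."""
    if value == 0:
        return _ssh_string(b"")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def _read_string(blob: bytes, offset: int):
    """Read one SSH wire 'string' at offset; return (bytes, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def build_public_key_line(key_type: str, fields: list, comment: str) -> str:
    """Assemble an OpenSSH public key line from already-encoded wire fields."""
    blob = _ssh_string(key_type.encode()) + b"".join(fields)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


def check_azure_public_key(line: str) -> dict:
    """Return {'ok', 'type', 'bits', 'reason'} for one OpenSSH public key line."""
    parts = line.strip().split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("key type prefix does not match the encoded blob")
    if key_type != "ssh-rsa":
        return {"ok": False, "type": key_type, "bits": None,
                "reason": f"{key_type} is not supported; Azure accepts ssh-rsa only"}
    _e_bytes, off = _read_string(blob, off)   # public exponent, not needed here
    n_bytes, _ = _read_string(blob, off)      # modulus
    bits = int.from_bytes(n_bytes, "big").bit_length()
    if bits < MIN_RSA_BITS:
        return {"ok": False, "type": key_type, "bits": bits,
                "reason": f"RSA modulus is {bits} bits; minimum is {MIN_RSA_BITS}"}
    return {"ok": True, "type": key_type, "bits": bits, "reason": ""}


def openssh_to_rfc4716(line: str) -> str:
    """Convert an OpenSSH public key line to RFC 4716 (ssh.com / SECSH) format."""
    parts = line.strip().split(maxsplit=2)
    b64 = parts[1]
    comment = parts[2] if len(parts) > 2 else ""
    wrapped = [b64[i:i + 70] for i in range(0, len(b64), 70)]  # RFC 4716: <= 72 chars/line
    return "\n".join(["---- BEGIN SSH2 PUBLIC KEY ----", f'Comment: "{comment}"',
                      *wrapped, "---- END SSH2 PUBLIC KEY ----"]) + "\n"


def rfc4716_to_openssh(text: str) -> str:
    """Convert RFC 4716 text back to one OpenSSH line; the type comes from the blob."""
    body, comment = [], ""
    for raw in text.splitlines():
        ln = raw.strip()
        if not ln or ln.startswith("----"):
            continue                      # begin/end markers
        if ":" in ln:                     # header line such as Comment: "..."
            name, _, value = ln.partition(":")
            if name.strip().lower() == "comment":
                comment = value.strip().strip('"')
            continue
        body.append(ln)                   # base64 never contains ':'
    b64 = "".join(body)
    wire_type, _ = _read_string(base64.b64decode(b64, validate=True), 0)
    return f"{wire_type.decode()} {b64} {comment}".rstrip()


# Constructed samples (hypothetical, not real keys): a 2048-bit and a 1024-bit
# placeholder modulus, and an all-zero 32-byte Ed25519 key, in real wire encoding.
SAMPLE_RSA_2048 = build_public_key_line(
    "ssh-rsa", [_ssh_mpint(65537), _ssh_mpint((1 << 2047) | 1)], "azureuser@example")
SAMPLE_RSA_1024 = build_public_key_line(
    "ssh-rsa", [_ssh_mpint(65537), _ssh_mpint((1 << 1023) | 1)], "weak@example")
SAMPLE_ED25519 = build_public_key_line(
    "ssh-ed25519", [_ssh_string(b"\x00" * 32)], "unsupported@example")

if __name__ == "__main__":
    for sample in (SAMPLE_RSA_2048, SAMPLE_RSA_1024, SAMPLE_ED25519):
        print(check_azure_public_key(sample))
    print(openssh_to_rfc4716(SAMPLE_RSA_2048))
```

Run it as a script to see the three verdicts and the SECSH rendering of the accepted key; to check a real key, pass the contents of your `id_rsa.pub` (or the public key text shown by PuTTYgen) to `check_azure_public_key` before pasting it into the portal. The check reads the modulus length from the encoded blob rather than trusting the `ssh-rsa` prefix, so a key whose text was edited or mislabelled is rejected instead of failing later at deployment.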

Create SSH keys with PuTTYgen

If you prefer to use a GUI-based tool to create SSH keys, you can use the PuTTYgen key generator, included with the PuTTY download package.

To create an SSH RSA key pair with PuTTYgen:

  1. Start PuTTYgen.

  2. Click Generate. By default PuTTYgen generates a 2048-bit SSH-2 RSA key.

  3. Move the mouse around in the blank area to provide randomness for the key.

  4. After the public key is generated, optionally enter and confirm a passphrase. You will be prompted for the passphrase when you authenticate to the VM with your private SSH key. Without a passphrase, if someone obtains your private key, they can sign in to any VM or service that uses that key. We recommend that you create a passphrase. However, if you forget the passphrase, there is no way to recover it.

  5. The public key is displayed at the top of the window. You can copy this entire public key and then paste it into the Azure portal or an Azure Resource Manager template when you create a Linux VM. You can also select Save public key to save a copy to your computer:

    (Screenshot: Save the PuTTY public key file)

  6. Optionally, to save the private key in PuTTY private key format (.ppk file), select Save private key. You will need the .ppk file later to use PuTTY to make an SSH connection to the VM.

    (Screenshot: Save the PuTTY private key file)

    If you want to save the private key in the OpenSSH format, the private key format used by many SSH clients, select Conversions > Export OpenSSH key.

Provide an SSH public key when deploying a VM

To create a Linux VM that uses SSH keys for authentication, provide your SSH public key when creating the VM using the Azure portal or other methods.

The following example shows how you would copy and paste this public key into the Azure portal when you create a Linux VM. The public key is typically then stored in the ~/.ssh/authorized_keys file on your new VM.

(Screenshot: Use the public key when you create a VM in the Azure portal)

Connect to your VM

One way to make an SSH connection to your Linux VM from Windows is to use an SSH client. This is the preferred method if you have an SSH client installed on your Windows system, or if you use the SSH tools in Bash in Azure Cloud Shell. If you prefer a GUI-based tool, you can connect with PuTTY.

Use an SSH client

With the public key deployed on your Azure VM and the private key on your local system, SSH to your VM using the IP address or DNS name of your VM. Replace azureuser and myvm.westus.cloudapp.azure.com in the following command with the administrator user name and the fully qualified domain name (or IP address):

ssh azureuser@myvm.westus.cloudapp.azure.com

If you configured a passphrase when you created your key pair, enter the passphrase when prompted during the sign-in process.

If the VM is using the just-in-time access policy, you need to request access before you can connect to the VM. For more information about the just-in-time policy, see Manage virtual machine access using the just-in-time policy.

Connect with PuTTY

If you installed the PuTTY download package and previously generated a PuTTY private key (.ppk) file, you can connect to a Linux VM with PuTTY.

  1. Start PuTTY.

  2. Fill in the host name or IP address of your VM from the Azure portal:

    (Screenshot: Open a new PuTTY connection)

  3. Select the Connection > SSH > Auth category. Browse to and select your PuTTY private key (.ppk file):

    (Screenshot: Select your PuTTY private key for authentication)

  4. Click Open to connect to your VM.

Next steps