安全之opssh篇

基于key验证
1.生成key的密钥对

ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):  使用算法默认rsa算法
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y由于之前做过key这里是问是否覆盖
Enter passphrase (empty for no passphrase): 设置对称密码加密
Enter same passphrase again: 确认对称密码加密
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
a5:2f:5d:1e:02:de:44:7c:99:7a:ee:ab:d7:e6:73:c8 root@chenxi
The key's randomart image is:
+--[ RSA 2048]----+
|         ..  o   |
|         .. +    |
|        . oo     |
|       . *. .    |
|        S ooo    |
|         o +..   |
|        . o..o . |
|         .  o E .|
|          .o.+.o |
+-----------------+
[root@chenxi ~]# 

把公钥传入另一台主机 root的家目录下的.ssh/目录

[root@chenxi ~]# ssh-copy-id -i .ssh/id_rsa.pub 172.16.251.154
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password: 172.16.251.154主机root 输入密码

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '172.16.251.154'"
and check to make sure that only the key(s) you wanted were added.

[root@chenxi ~]# 

使用key登陆172.16.251.154 主机

[root@chenxi ~]# ssh 172.16.251.154
Enter passphrase for key '/root/.ssh/id_rsa':  输入密钥的对称加密密码，每次登陆都需要登陆
Last failed login: Wed Jul 19 15:31:15 CST 2017 from 172.16.251.203 on ssh:notty
There were 2 failed login attempts since the last successful login.
Last login: Wed Jul 19 15:10:58 2017 from 172.16.250.137
[root@centos7 ~]# 

使用ssh程序来保证

[root@chenxi ~]# ssh-agent bash
[root@chenxi ~]# ssh-add
Enter passphrase for /root/.ssh/id_rsa: 
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)