Passwordless (key-based) authentication for scp
https://www.cnblogs.com/wayne173/p/5505863.html
https://blog.csdn.net/nfer_zhuang/article/details/42646849
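(1) Interactive key generation with ssh-rsa (recommended)
##################Interactive key generation: ssh-rsa#######################
1. Create a regular user and password (on all distribution machines and remote machines). Avoid distributing keys from the root account where possible: root has too much privilege, which is unsafe.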
useradd sysadmin
echo 123456|passwd --stdin sysadmin
id sysadmin
su - sysadmin
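2. On the distribution machine m01, switch to the regular user account and generate the RSA key pair. root has too much privilege, so use a regular account.
Switch to the regular account sysadmin: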
[root@m01 ~]# su - sysadmin
Run ssh-keygen -t rsa and press Enter at every prompt to generate the RSA key pair.
[sysadmin@m01 ~]$ ssh-keygen -t rsa    # equivalent to plain ssh-keygen, which also defaults to RSA; press Enter at every prompt
Generating public/private rsa key pair.
Enter file in which to save the key (/home/sysadmin/.ssh/id_rsa):
Created directory '/home/sysadmin/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/sysadmin/.ssh/id_rsa.
Your public key has been saved in /home/sysadmin/.ssh/id_rsa.pub.
The key fingerprint is:
d1:43:1d:70:dc:92:10:e1:97:66:6c:a1:ff:8c:0a:3e [email protected]
The key's randomart image is:
+--[ RSA 2048]----+
| *B++ |
| + +=o. |
| . = B. |
| . B |
| S . |
| + |
| . . o |
| .E. . |
| ... |
+-----------------+
View the generated RSA key pair (public key and private key):
[sysadmin@m01 ~]$ ll .ssh/
总用量 8
-rw------- 1 sysadmin sysadmin 1675 8月 3 08:04 id_rsa        # private key
-rw-r--r-- 1 sysadmin sysadmin 410 8月 3 08:04 id_rsa.pub     # public key
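3. On the distribution machine m01, use the regular account sysadmin to distribute the public key to the regular account sysadmin on the remote machines.
Still on the distribution machine m01, as the regular account sysadmin, run the following.
If the SSH service port 22 has not been changed, distribute the public key with: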
ssh-copy-id -i .ssh/id_rsa.pub [email protected]
If the SSH service port has been changed to another port, for example 52113, distribute the public key with:
ssh-copy-id -i .ssh/id_rsa.pub "-p 52113 [email protected]"
In practice:
[sysadmin@m01 ~]$ ssh-copy-id -i .ssh/id_rsa.pub [email protected]
[email protected]'s password:
Now try logging into the machine, with "ssh '[email protected]'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.
The public key now sits on the remote machine in .ssh/authorized_keys under the home directory of the regular account sysadmin; once distributed it is stored under the name authorized_keys.
[root@szxjdw01-web-27 ~]# su - sysadmin
[sysadmin@szxjdw01-web-27 ~]$ ll .ssh/
total 4
-rw-------. 1 sysadmin sysadmin 820 Aug 3 16:12 authorized_keys
4. Test passwordless login
Verification: run the following command on the management machine m01; if the IP address shown is correct, it works. If the remote machine's SSH port is not the default 22, pass the port, as in this example.
ssh -p52113 [email protected] /sbin/ifconfig eth0
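For scp: -r copies recursively (directories), -p preserves file attributes, and -P sets the remote machine's SSH port. Copy to the remote home directory with [email protected]:~, or to another directory with [email protected]:/data/backup/
Without -r, scp copies a single file.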
scp -P52113 fenfa-test [email protected]:~
Hands-on check of remote command execution and remote copy:
[sysadmin@office ~]$ ssh [email protected] /sbin/ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:50:56:95:5D:5B
          inet addr:10.68.8.27  Bcast:10.68.8.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:fe95:5d5b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:25085720 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2287033 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:5820439437 (5.4 GiB)  TX bytes:1012895731 (965.9 MiB)
[sysadmin@office ~]$ scp fenfa-test [email protected]:~
fenfa-test 100% 11 0.0KB/s 00:00
Note: testing showed that once the public key has been distributed, the distribution machine can still log in to the remote machine without a password even after the regular account sysadmin on the remote machine changes its password.
In other words, the public key only needs to be distributed once.
(2) Interactive key generation with ssh-dsa (not recommended)
##################Interactive key generation: ssh-dsa#######################
1. Create the user and password (on the 4 machines in the figure above)
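Added example, not part of the original notes: ssh-copy-id's message in step 3 asks you to check .ssh/authorized_keys for keys you were not expecting, and the script below runs that check against a copy of the file. It also reports ssh-dss entries (the key type the DSA section below marks as not recommended) and group/other permission bits; the key blobs, comments and the from= address are constructed placeholders, and audit_authorized_keys and make_sample are hypothetical names.

```shell
#!/bin/sh
# Added example (not from the original notes). Key blobs, comments and the
# from= address are constructed placeholders, not real keys or hosts.

# audit_authorized_keys AUTH_FILE DISTRIBUTED_PUB_FILE  (hypothetical helper)
# Prints one finding per line; prints nothing when the file is clean.
audit_authorized_keys() {
    # Field 2 of a .pub file is the base64 key blob.
    want=$(awk '{print $2; exit}' "$2")

    # The page's listing shows authorized_keys as -rw-------;
    # report any group/other permission bits.
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ] || echo "MODE $perms"

    awk -v want="$want" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        {
            # Simplification: the key type is the first field naming an
            # algorithm; quoted options holding such a token are not handled.
            t = 0
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))$/) { t = i; break }
            if (!t) { print "UNPARSED line " NR; next }
            if ($t == "ssh-dss") print "DSA line " NR " " $(t + 2)
            if ($(t + 1) != want) print "UNEXPECTED line " NR " " $(t + 2)
        }' "$1"
}

# make_sample (hypothetical): the key m01 distributed, a leftover DSA key and
# a key nobody distributed, in a file with loose permissions.
make_sample() {
    d=$(mktemp -d) || return 1
    echo "ssh-rsa AAAAB3NzaC1yc2E-CONSTRUCTED-M01 sysadmin@m01" > "$d/id_rsa.pub"
    cat > "$d/authorized_keys" <<'EOF'
# constructed sample
ssh-rsa AAAAB3NzaC1yc2E-CONSTRUCTED-M01 sysadmin@m01
ssh-dss AAAAB3NzaC1kc3M-CONSTRUCTED-OLD oldgirl@m01
from="10.0.0.5" ssh-ed25519 AAAAC3NzaC1lZDI1-CONSTRUCTED-X unknown@host
EOF
    chmod 644 "$d/authorized_keys"
    echo "$d"
}

dir=$(make_sample)
audit_authorized_keys "$dir/authorized_keys" "$dir/id_rsa.pub"
```

On a real host, pass a copy of the remote account's .ssh/authorized_keys and the id_rsa.pub that was distributed from m01.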
useradd oldgirl
echo 123456|passwd --stdin oldgirl
id oldgirl
su - oldgirl
2. Generate the key pair on m01, pressing Enter at every prompt
[oldgirl@m01 ~]$ ssh-keygen -t dsa    # press Enter at every prompt to generate the key
Your identification has been saved in /home/oldgirl/.ssh/id_dsa.
Your public key has been saved in /home/oldgirl/.ssh/id_dsa.pub.
[oldgirl@m01 ~]$ ll .ssh/
total 8
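-rw------- 1 oldgirl oldgirl 668 Feb 7 14:30 id_dsa        # the key: private key
-rw-r--r-- 1 oldgirl oldgirl 601 Feb 7 14:30 id_dsa.pub    # the lock: public key
3. Distribute the public key from m01
If the SSH service has not been tuned (port unchanged), distribute the public key with: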
[oldgirl@m01 ~]$ ssh-copy-id -i .ssh/id_dsa.pub [email protected]
[oldgirl@m01 ~]$ ssh-copy-id -i .ssh/id_dsa.pub [email protected]
If the SSH service port has been changed, distribute the public key with:
[oldgirl@m01 ~]$ ssh-copy-id -i .ssh/id_dsa.pub "-p 52113 [email protected]"
4. Test
Verification: run the following commands on the management machine m01; if the IP address shown is correct, it works.
ssh -p52113 [email protected] /sbin/ifconfig eth0
ssh -p52113 [email protected] /sbin/ifconfig eth0
ssh -p52113 [email protected] /sbin/ifconfig eth0