Logging in over ssh normally requires entering the remote user's name and password.
By setting up a trust relationship on the local and remote sides, local can log in to remote over ssh without being prompted for a password.
local:
client@192.168.44.150
[client@localhost ~]$ uname -a
Linux localhost.localdomain 2.6.32-642.el6.x86_64 #1 SMP Tue May 10 17:27:01 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[client@localhost ~]$ cat /etc/redhat-release
CentOS release 6.8 (Final)
[client@localhost ~]$ ifconfig | grep "inet addr"
inet addr:192.168.44.150 Bcast:192.168.44.255 Mask:255.255.255.0
inet addr:127.0.0.1 Mask:255.0.0.0
remote:
server@192.168.44.151
[server@localhost ~]$ uname -a
Linux localhost.localdomain 2.6.32-642.el6.x86_64 #1 SMP Tue May 10 17:27:01 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[server@localhost ~]$ cat /etc/redhat-release
CentOS release 6.8 (Final)
[server@localhost ~]$ ifconfig | grep "inet addr"
inet addr:192.168.44.151 Bcast:192.168.44.255 Mask:255.255.255.0
inet addr:127.0.0.1 Mask:255.0.0.0
Configure ssh trust so that client@192.168.44.150 can log in to server@192.168.44.151 without a password.
1) Operation:
[client@localhost ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/client/.ssh/id_rsa):
Created directory '/home/client/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/client/.ssh/id_rsa.
Your public key has been saved in /home/client/.ssh/id_rsa.pub.
The key fingerprint is:
06:9c:eb:74:72:f9:6d:f6:8b:6b:26:6e:82:54:29:bb client@localhost.localdomain
The key's randomart image is:
+--[ RSA 2048]----+
| |
| . . |
| + . |
| .oo. |
| ++S |
| oo= . . |
| ..o . + |
| E . oooo |
| +.+o.o. |
+-----------------+
Explanation:
On client, use ssh-keygen to generate an RSA key pair:
[client@localhost ~]$ ll .ssh/
total 8
-rw-------. 1 client client 1675 Jul 17 14:00 id_rsa
-rw-r--r--. 1 client client 410 Jul 17 14:00 id_rsa.pub
Here id_rsa is the private key and id_rsa.pub is the public key.
Note: the $HOME/.ssh directory is created automatically by ssh-keygen.
2) Operation:
[server@localhost ~]$ mkdir .ssh
[server@localhost ~]$ ls -ld .ssh
drwxrwxr-x. 2 server server 4096 Jul 17 14:05 .ssh
[server@localhost ~]$ chmod 700 .ssh
[server@localhost ~]$ ls -ld .ssh
drwx------. 2 server server 4096 Jul 17 14:05 .ssh
Explanation:
On server, create the $HOME/.ssh directory and change the mode of .ssh to 700.
3) Operation:
[server@localhost ~]$ touch .ssh/authorized_keys
[server@localhost ~]$ ll .ssh/authorized_keys
-rw-rw-r--. 1 server server 0 Jul 17 14:08 .ssh/authorized_keys
[server@localhost ~]$ chmod 600 .ssh/authorized_keys
[server@localhost ~]$ ll .ssh/authorized_keys
-rw-------. 1 server server 0 Jul 17 14:08 .ssh/authorized_keys
Explanation:
On server, create $HOME/.ssh/authorized_keys and change the mode of authorized_keys to 600.
Note: if $HOME/.ssh/authorized_keys already exists, just check that its mode is 600; there is no need to recreate the file.
4) Operation:
client@192.168.44.150:/home/client/.ssh/id_rsa.pub
append to
server@192.168.44.151:/home/server/.ssh/authorized_keys
[client@localhost ~]$ cat .ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApYwFh17O0N6+PYctKdUP8cFPF4RSCWl/Flr19riquqt7NVhyXZdDsxLJTH3SV8U5ty2wIavLTWprwjXzVOpO9Vho0huTJBTjaN8qxC2AvK/WyvpBRgWTBNXzHTNlEuvDdESP8sSLzW1n4UwSJvgmLou31fl2TPj/6jOtO8ivLp0mHi/lATCdXynYR2jBweK7U6P47K1SZh6Hm2i6T/nOtMl7sLI5oZGYD+rhrmfO6QQh1GXNxSlmqU6lI7lMHpyRhLvY4sd/+3LNQHOxII29tKwPzub2vo/ncGZufIkqY/hPp0SnVUg66nMGNMp972iTL28wbMdaR4yvl6P1dvtQxQ== client@localhost.localdomain
[server@localhost ~]$ cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApYwFh17O0N6+PYctKdUP8cFPF4RSCWl/Flr19riquqt7NVhyXZdDsxLJTH3SV8U5ty2wIavLTWprwjXzVOpO9Vho0huTJBTjaN8qxC2AvK/WyvpBRgWTBNXzHTNlEuvDdESP8sSLzW1n4UwSJvgmLou31fl2TPj/6jOtO8ivLp0mHi/lATCdXynYR2jBweK7U6P47K1SZh6Hm2i6T/nOtMl7sLI5oZGYD+rhrmfO6QQh1GXNxSlmqU6lI7lMHpyRhLvY4sd/+3LNQHOxII29tKwPzub2vo/ncGZufIkqY/hPp0SnVUg66nMGNMp972iTL28wbMdaR4yvl6P1dvtQxQ== client@localhost.localdomain
Note:
If authorized_keys already exists and already contains entries, simply append the text of id_rsa.pub to the end of authorized_keys on a new line.
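Steps 2 to 4 above, as one idempotent shell function. This is an added example, not code from the original post: it assumes a POSIX sh with the usual coreutils (mkdir, chmod, awk, tail), takes the target home directory and the public-key line as parameters, and only appends a key whose type and base64 blob are not already present, so running it twice never duplicates an entry. The same function appends the ssh-dss line used later in the post; note that OpenSSH 7.0 and later no longer accept ssh-dss keys by default.

```shell
#!/bin/sh
# Added example (not from the original post): create ~/.ssh and
# ~/.ssh/authorized_keys with the modes sshd expects, then append a key.
set -eu

# Create $1/.ssh (mode 700) and $1/.ssh/authorized_keys (mode 600). If they
# already exist only the modes are tightened; existing keys are kept.
prepare_ssh_dir() {
    mkdir -p "$1/.ssh"
    chmod 700 "$1/.ssh"
    touch "$1/.ssh/authorized_keys"
    chmod 600 "$1/.ssh/authorized_keys"
}

# Append one "keytype base64 [comment]" line to $1/.ssh/authorized_keys.
# The key is matched on type and base64 blob only (the comment is just a
# label), so re-running the setup never adds a duplicate. Prints "added"
# or "present".
append_authorized_key() {
    home=$1
    line=$2
    auth="$home/.ssh/authorized_keys"
    prepare_ssh_dir "$home"
    ktype=$(printf '%s\n' "$line" | awk '{ print $1 }')
    kblob=$(printf '%s\n' "$line" | awk '{ print $2 }')
    if awk -v t="$ktype" -v b="$kblob" \
           '$1 == t && $2 == b { found = 1 } END { exit !found }' "$auth"; then
        echo present
        return 0
    fi
    # If the file has content but no trailing newline, add one first so the
    # new key starts on its own line (as the note above requires).
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        printf '\n' >> "$auth"
    fi
    printf '%s\n' "$line" >> "$auth"
    echo added
}

# Stand-alone demo against a throwaway directory with a constructed key
# line (not a real key). In practice run, as the remote user:
#   append_authorized_key "$HOME" "$(cat /path/to/id_rsa.pub)"
demo() {
    tmp=$(mktemp -d)
    key='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABexamplekey client@localhost.localdomain'
    append_authorized_key "$tmp" "$key"   # added
    append_authorized_key "$tmp" "$key"   # present
    ls -ld "$tmp/.ssh" "$tmp/.ssh/authorized_keys"
    rm -rf "$tmp"
}
demo
```

Because the check ignores the trailing comment, a key that was installed with a different label (for example after a hostname change) is still recognised as present rather than added a second time.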
[client@localhost ~]$ ssh server@192.168.44.151
The authenticity of host '192.168.44.151 (192.168.44.151)' can't be established.
RSA key fingerprint is c8:36:ca:50:29:24:18:f8:51:02:69:2f:b8:f3:b7:d3.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.44.151' (RSA) to the list of known hosts.
Last login: Tue Jul 17 14:13:54 2018 from 192.168.44.150
[server@localhost ~]$ ifconfig | grep "inet addr"
inet addr:192.168.44.151 Bcast:192.168.44.255 Mask:255.255.255.0
inet addr:127.0.0.1 Mask:255.0.0.0
Typing the plain ssh login command now logs in to remote without a password.
You are not asked to type yes every time: when you answered yes, ssh recorded the remote's host key in $HOME/.ssh/known_hosts.
[client@localhost ~]$ cat .ssh/known_hosts
192.168.44.151 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA2n/QCrL8C0hYo6wuhm+8M5vnl1+2OJ6kA9BEBD7UGgYCdAmnuTsie8PIUn+0CpzAC2L/zYvMcXt8SHyYTyp1zhg4+Ucn5p4OR3qTK6Qge8sDPAb2zrYtaOiCCMsSzYeFDyD4vk5wrEY0gZTNfyDrVMLijo3uhzOBreN4eApeGwQd6kpoZ+lTgr1iTBFJf3RgIOzzF9R10xs7oBpreV7hrODDMp1In6RexByCqWP3Dq1p1ldW4Dzi19VR1TOHrcRmok0xd0SYxz6hzG+/mdXonGAmQEeQlF920413zEkjkIKnap3NhZIAaEkJ5Vl/Vs94QkADWXNnDY0MQdVi04Mtyw==
From now on, logging in from local to remote no longer asks you to type yes!
[client@localhost ~]$ ssh server@192.168.44.151
Last login: Tue Jul 17 14:20:33 2018 from 192.168.44.150
[server@localhost ~]$
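The yes/no prompt above is the only point at which the remote's identity is checked, and it is the fingerprint in that prompt that should be compared with one obtained out of band (for example from ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub on the server's console). The following added example, which is not part of the original post, recomputes the MD5 fingerprint in the aa:bb:cc format used by the prompt from the line ssh stored in known_hosts, and wraps the comparison in a function a script can gate on. It assumes a POSIX sh with coreutils base64 and md5sum; the known_hosts line is the one shown above.

```shell
#!/bin/sh
# Added example (not from the original post): MD5 fingerprint of the public
# key blob in a known_hosts or authorized_keys line, in OpenSSH 5.x format.
set -eu

# $1 is one known_hosts ("host keytype base64") or authorized_keys
# ("keytype base64 [comment]") line; the blob is the field after the key type.
md5_fingerprint() {
    printf '%s\n' "$1" \
      | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^ssh-/) { print $(i + 1); exit } }' \
      | base64 -d \
      | md5sum \
      | awk '{ print $1 }' \
      | sed 's/../&:/g; s/:$//'
}

# Return 0 only if the line's fingerprint equals $2 (case-insensitive), so a
# caller can refuse to proceed on a mismatch.
host_key_matches() {
    got=$(md5_fingerprint "$1" | tr 'A-F' 'a-f')
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$got" = "$want" ]
}

# The known_hosts entry written by the session above (copied from the post).
KNOWN_HOSTS_LINE='192.168.44.151 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA2n/QCrL8C0hYo6wuhm+8M5vnl1+2OJ6kA9BEBD7UGgYCdAmnuTsie8PIUn+0CpzAC2L/zYvMcXt8SHyYTyp1zhg4+Ucn5p4OR3qTK6Qge8sDPAb2zrYtaOiCCMsSzYeFDyD4vk5wrEY0gZTNfyDrVMLijo3uhzOBreN4eApeGwQd6kpoZ+lTgr1iTBFJf3RgIOzzF9R10xs7oBpreV7hrODDMp1In6RexByCqWP3Dq1p1ldW4Dzi19VR1TOHrcRmok0xd0SYxz6hzG+/mdXonGAmQEeQlF920413zEkjkIKnap3NhZIAaEkJ5Vl/Vs94QkADWXNnDY0MQdVi04Mtyw=='

# Print the fingerprint; compare it with the value shown in the prompt above.
echo "known_hosts entry for 192.168.44.151: $(md5_fingerprint "$KNOWN_HOSTS_LINE")"
```

Newer OpenSSH releases print SHA256 fingerprints by default; ssh-keygen -l -E md5 shows the MD5 form if the value you were given out of band is in this older format.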
By default, ssh-keygen generates an RSA key pair.
[clientx@localhost ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/clientx/.ssh/id_rsa):
Notice the rsa in the prompt.
We can instead generate a key pair with the DSA algorithm.
[clientx@localhost ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/clientx/.ssh/id_dsa):
Created directory '/home/clientx/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/clientx/.ssh/id_dsa.
Your public key has been saved in /home/clientx/.ssh/id_dsa.pub.
The key fingerprint is:
28:96:46:3c:e7:a6:a1:fb:aa:0c:94:80:71:80:5f:4f clientx@localhost.localdomain
The key's randomart image is:
+--[ DSA 1024]----+
|+.. |
|oo .. E |
|o. .+o. |
|. o. =.. |
| o * + S |
|. + = |
|. . . |
|o . |
|.ooo. |
+-----------------+
Inspect the DSA key pair:
[clientx@localhost ~]$ ll .ssh/*
-rw-------. 1 clientx clientx 668 Jul 17 14:26 .ssh/id_dsa
-rw-r--r--. 1 clientx clientx 619 Jul 17 14:26 .ssh/id_dsa.pub
Public key: id_dsa.pub
Private key: id_dsa
Append the public key of the DSA pair to the authorization file (~/.ssh/authorized_keys) of server@192.168.44.151:
[clientx@localhost ~]$ cat .ssh/id_dsa.pub
ssh-dss ... clientx@localhost.localdomain
[server@localhost ~]$ cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApYwFh17O0N6+PYctKdUP8cFPF4RSCWl/Flr19riquqt7NVhyXZdDsxLJTH3SV8U5ty2wIavLTWprwjXzVOpO9Vho0huTJBTjaN8qxC2AvK/WyvpBRgWTBNXzHTNlEuvDdESP8sSLzW1n4UwSJvgmLou31fl2TPj/6jOtO8ivLp0mHi/lATCdXynYR2jBweK7U6P47K1SZh6Hm2i6T/nOtMl7sLI5oZGYD+rhrmfO6QQh1GXNxSlmqU6lI7lMHpyRhLvY4sd/+3LNQHOxII29tKwPzub2vo/ncGZufIkqY/hPp0SnVUg66nMGNMp972iTL28wbMdaR4yvl6P1dvtQxQ== client@localhost.localdomain
ssh-dss ... clientx@localhost.localdomain
In authorized_keys, the first line is the ssh public key of client@192.168.44.150 and the second line is the ssh public key of clientx@192.168.44.150.
Test:
[clientx@localhost ~]$ ssh server@192.168.44.151
Last login: Tue Jul 17 14:30:58 2018 from 192.168.44.150
[server@localhost ~]$ ifconfig | grep "inet addr"
inet addr:192.168.44.151 Bcast:192.168.44.255 Mask:255.255.255.0
inet addr:127.0.0.1 Mask:255.0.0.0
At this point, whether from client@192.168.44.150 or from clientx@192.168.44.150,
we can log in directly to server@192.168.44.151 without a password.
For mutual ssh trust between the two machines, also generate a key pair on the remote side and append its public key to the local side's authorization file.
If the ssh trust setup fails (for example, ssh still prompts for a password), check that the permissions of .ssh and the related files on both local and remote are correct.
local:
[client@localhost ~]$ ll -d .ssh
drwx------. 2 client client 4096 Jul 17 14:20 .ssh
[client@localhost ~]$ ll .ssh/*
-rw-------. 1 client client 1675 Jul 17 14:00 .ssh/id_rsa
-rw-r--r--. 1 client client 410 Jul 17 14:00 .ssh/id_rsa.pub
-rw-r--r--. 1 client client 396 Jul 17 14:20 .ssh/known_hosts
The .ssh directory has mode 700.
Inside .ssh, the private key has mode 600 and the public key has mode 644.
remote:
[server@localhost ~]$ ll -d .ssh
drwx------. 2 server server 4096 Jul 17 14:30 .ssh
[server@localhost ~]$ ll .ssh/*
-rw-------. 1 server server 1029 Jul 17 14:30 .ssh/authorized_keys
The .ssh directory has mode 700.
The authorization file inside .ssh has mode 600.
References:
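The permission checklist above, as a read-only audit script that can be run on either side. This is an added example, not part of the original post: it assumes a POSIX sh and an ls whose first column is the usual drwx------ mode string, and it also checks the home directory itself, because sshd with StrictModes (the default) ignores authorized_keys when the home directory, .ssh or the file is group- or world-writable, which is exactly the 775 state the post shows right after mkdir and before chmod 700.

```shell
#!/bin/sh
# Added example (not from the original post): audit ~/.ssh permissions.
# Prints one OK/BAD line per path and returns 1 if anything is wrong.
set -eu

# ls-style mode string of a path, e.g. "drwx------" (a trailing "." or "+"
# for SELinux/ACL attributes is cut off).
mode_of() { ls -ld "$1" | cut -c1-10; }

# expect <path> <mode string>: exact match; a missing path is not an error.
expect() {
    [ -e "$1" ] || return 0
    actual=$(mode_of "$1")
    if [ "$actual" = "$2" ]; then
        echo "OK   $1 $actual"
    else
        echo "BAD  $1 is $actual, want $2"
        return 1
    fi
}

# Group-writable (column 6) or world-writable (column 9)?
writable_by_others() {
    m=$(mode_of "$1")
    [ "$(printf '%s' "$m" | cut -c6)" = w ] || [ "$(printf '%s' "$m" | cut -c9)" = w ]
}

# Audit the home directory given as $1: home not group/world writable,
# .ssh 700, authorized_keys 600, private keys 600, public keys 644.
audit_ssh_perms() {
    home=$1
    rc=0
    if writable_by_others "$home"; then
        echo "BAD  $home is group/world writable ($(mode_of "$home"))"
        rc=1
    else
        echo "OK   $home $(mode_of "$home")"
    fi
    expect "$home/.ssh" drwx------ || rc=1
    expect "$home/.ssh/authorized_keys" -rw------- || rc=1
    for f in "$home"/.ssh/id_*; do
        [ -e "$f" ] || continue          # the glob matched nothing
        case $f in
            *.pub) expect "$f" -rw-r--r-- || rc=1 ;;
            *)     expect "$f" -rw------- || rc=1 ;;
        esac
    done
    return $rc
}

# Stand-alone use: audit the current user's home (or a directory given as $1).
audit_ssh_perms "${1:-${HOME:-.}}" || echo "fix the BAD entries above and retry the ssh login"
```

Run it as the user who owns the files on each side; if every line reads OK and the login still asks for a password, the problem is elsewhere (for example the public key was pasted with a line break, or the private key on the client is not the one whose public half was installed).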
https://www.cnblogs.com/iamlight/p/5019333.html
https://blog.csdn.net/franktan2010/article/details/41908083