(1) SSH client operations
Add the user that will log in without a password
[root@open ~]# useradd admin -d /data/admin
[root@open ~]# su - admin
[admin@open ~]$ pwd
/data/admin
1. Generate the client key pair (this OpenSSH release defaults to 2048-bit RSA; on newer releases prefer -t ed25519, or -b 4096 if RSA is required)
[admin@open ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/data/admin/.ssh/id_rsa):
Created directory '/data/admin/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /data/admin/.ssh/id_rsa.
Your public key has been saved in /data/admin/.ssh/id_rsa.pub.
The key fingerprint is:
6c:9e:5e:15:91:df:60:fe:d8:a5:cc:22:2b:dd:77:77 admin@open
The key's randomart image is:
+--[ RSA 2048]----+
| .. |
| ..o |
| .+ o |
| . .o o|
| S .o =.|
| o .... = o|
| o..+ . |
| ...o . . E|
| .. . .o|
+-----------------+
[admin@open ~]$ ll .ssh/
total 8
-rw------- 1 admin admin 1675 Aug 20 14:16 id_rsa
-rw-r--r-- 1 admin admin 398 Aug 20 14:16 id_rsa.pub
2. Send the public key file to the server
[admin@open ~]$ scp .ssh/id_rsa.pub admin@192.168.1.250:/tmp/
The authenticity of host '192.168.1.250 (192.168.1.250)' can't be established.
RSA key fingerprint is be:82:1e:ac:79:ab:4e:40:86:2e:38:cc:5b:73:90:7e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.250' (RSA) to the list of known hosts.
admin@192.168.1.250's password:
id_rsa.pub 100% 398 0.4KB/s 00:00
With the public key on the server and the private key on the client, the client can log in without a password. Only the public key (id_rsa.pub) is ever copied; the private key (id_rsa) stays on the client with mode 600, and if it was generated with an empty passphrase, anyone who can read that file can log in as admin. On systems that ship it, ssh-copy-id performs this copy and the server-side steps below in one command.
(2) sshd server-side operations
1. Create the .ssh directory and set its permissions to 700
[admin@localhost ~]$ mkdir .ssh
[admin@localhost ~]$ chmod 700 .ssh/
2. Append the client's public key to .ssh/authorized_keys and set the file's permissions to 400
[admin@localhost ~]$ cat /tmp/id_rsa.pub >> .ssh/authorized_keys
[admin@localhost ~]$ chmod 400 .ssh/authorized_keys
sshd only needs to read the file, so 400 works; use 600 if you expect to append more keys later. With StrictModes (the default), sshd silently ignores authorized_keys if the home directory, .ssh or the file itself is writable by group or others, so check the home directory's permissions too. Remove /tmp/id_rsa.pub once it has been copied.
3. Disable password login by editing /etc/ssh/sshd_config
[root@localhost ~]# vi /etc/ssh/sshd_config
PasswordAuthentication yes   change to
PasswordAuthentication no
In other words, sshd now accepts only key authentication and rejects password logins. Confirm that key login works from the client (section 3) before making this change, and keep the current session open while testing, otherwise a mistake locks you out. When UsePAM is yes, also set ChallengeResponseAuthentication no; otherwise keyboard-interactive authentication still prompts for a password.
4. Forbid root login by editing /etc/ssh/sshd_config
PermitRootLogin yes   change to
PermitRootLogin no
Keywords in sshd_config are case-insensitive, but PermitRootLogin is the canonical spelling. If root must be able to log in by key, the value without-password (prohibit-password on newer releases) allows key authentication only.
5. Restart the sshd service. Run sshd -t first to catch configuration errors; a restart does not drop sessions that are already established.
[root@localhost ~]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
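The server-side steps above can be scripted so they are safe to re-run: the public key is appended only once, the permissions that StrictModes requires are set, and the two sshd_config keywords are rewritten in place whether they are active, commented out or absent. This is an added example written for this page, not code from the original post. The function names are this example's own, the sshd_config and public key it operates on are constructed samples in a temporary directory, and on a real host the config path would be /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not part of the original post: helpers that perform the
# server-side steps above (authorized_keys with correct permissions, and the
# sshd_config changes) so they can be re-run safely. All function names are
# this example's own; the config and key below are constructed samples.
set -eu

# Set an sshd_config keyword in the global section: rewrite an existing
# (possibly commented-out) line, or insert one before the first "Match"
# block, since options after "Match" apply only to that block. Keywords are
# case-insensitive, so "permitrootlogin" and "PermitRootLogin" are the same.
set_sshd_option() {
    config=$1 key=$2 value=$3
    tmp="$config.tmp.$$"
    awk -v key="$key" -v value="$value" '
        BEGIN { lkey = tolower(key) }
        {
            raw = $0; sub(/^[ \t]+/, "", raw)
            commented = (raw ~ /^#/)
            line = raw; sub(/^#[ \t]*/, "", line)
            n = split(line, f, /[ \t]+/)
            tok = (n > 0) ? tolower(f[1]) : ""
            if (!in_match && !commented && tok == "match") {
                if (!done) { print key " " value; done = 1 }   # end of global section
                in_match = 1
            }
            if (!in_match && tok == lkey) {
                if (!done) { print key " " value; done = 1 }   # first occurrence rewritten
                next                                           # later duplicates dropped
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$config" > "$tmp"
    cat "$tmp" > "$config"   # keep the original inode and permissions
    rm -f "$tmp"
}

# Effective global value of a keyword: sshd uses the first uncommented
# occurrence, and anything after the first "Match" belongs to that block.
sshd_option_value() {
    awk -v key="$2" '
        BEGIN { lkey = tolower(key) }
        {
            line = $0; sub(/^[ \t]+/, "", line)
            if (line ~ /^#/ || line == "") next
            split(line, f, /[ \t]+/)
            tok = tolower(f[1])
            if (tok == "match") exit
            if (tok == lkey) { print f[2]; exit }
        }' "$1"
}

# Install a public key for a user: 700 on ~/.ssh, 600 on authorized_keys,
# no group/world write on the home directory (StrictModes, the default,
# silently ignores the key otherwise), and no duplicate entries.
install_authorized_key() {
    home=$1 pubkey=$2
    ak="$home/.ssh/authorized_keys"
    mkdir -p "$home/.ssh"
    chmod go-w "$home"
    chmod 700 "$home/.ssh"
    [ -f "$ak" ] || (umask 077; : > "$ak")
    grep -qxF -f "$pubkey" "$ak" || cat "$pubkey" >> "$ak"
    chmod 600 "$ak"
}

# Stand-alone demo on a constructed sshd_config and a constructed key
# (neither is a real file or a real key).
demo() {
    dir=$(mktemp -d)
    cat > "$dir/sshd_config" <<'EOF'
Port 22
#PasswordAuthentication yes
PermitRootLogin yes
Match User backup
    PasswordAuthentication yes
EOF
    set_sshd_option "$dir/sshd_config" PasswordAuthentication no
    set_sshd_option "$dir/sshd_config" PermitRootLogin no
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexample admin@open\n' > "$dir/id_rsa.pub"
    install_authorized_key "$dir/home" "$dir/id_rsa.pub"
    cat "$dir/sshd_config"
    ls -la "$dir/home/.ssh"
    rm -rf "$dir"
}
demo
```

On a real server, run set_sshd_option against /etc/ssh/sshd_config as root, then `sshd -t` before `service sshd restart`. The Match-block handling matters: appending `PasswordAuthentication no` blindly to the end of a file that ends with a `Match` block would only affect that block and leave password login enabled globally.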
(3) Test key-based login from the client
[admin@open ~]$ ssh admin@192.168.1.250
[admin@localhost ~]$ ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:59:01:ED
inet addr:192.168.1.250 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe59:1ed/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3395 errors:0 dropped:0 overruns:0 frame:0
TX packets:631 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:273572 (267.1 KiB) TX bytes:83330 (81.3 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
[admin@localhost ~]$
(4) Other notes
To log in from a Windows client with PuTTY, the generated private key must be converted before it can be used for a key connection:
a. Copy the private key to the Windows client, load it in PuTTYgen, and click "Save private key" to convert it to PuTTY's .ppk format. Copying a private key between machines is best avoided: generating a separate key pair in PuTTYgen on the Windows machine and appending its public key to authorized_keys on the server gives the same result without moving the secret.
b. Open PuTTY, fill in "Host Name" and "Port", go to "Connection" -> "Data" in the left-hand tree and enter the login user name under "Auto-login username"; under "SSH" -> "Auth", select the converted key file.
c. Click "Open" to log in.
To block particular users or groups from logging in, use DenyUsers and DenyGroups in sshd_config; AllowUsers and AllowGroups do the same as an allow list, which is the safer default on a server with few legitimate SSH users.