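On Linux systems, ssh is the default tool for remote login. Because its protocol uses the RSA/DSA encryption algorithms, using it for remote administration of Linux systems is very secure. ssh comes with a set of very useful tools, among which ssh-keygen can be used to generate private and public keys. Once the generated public key has been copied to the remote machine, ssh logins to that machine no longer need a password. The procedure is as follows.
1) On the local machine, run the following command in the ~/.ssh/ directory:
ssh-keygen -t dsa
This generates two files, id_dsa and id_dsa.pub.
2) Copy id_dsa.pub to the remote machine and append its contents to ~/.ssh/authorized_keys:
cat id_dsa.pub >>authorized_keys
Note: the permissions of the .ssh directory and the authorized_keys file must be 600. Once this is done, the user can log in from the local machine to the remote machine without a password. This setup is simple and practical.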
The following is the walkthrough using the DSA algorithm; the RSA procedure is exactly the same.
[root@test3 .ssh]# ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
24:cb:cb:9f:29:48:60:fc:b2:a6:93:0a:f8:00:6f:60
[email protected]
[root@test3 .ssh]# scp ~/.ssh/id_dsa.pub 10.32.184.234:~/.ssh/
[email protected]'s password:
id_dsa.pub 100% 614 0.6KB/s 00:00
[root@test3 .ssh]# ssh 10.32.184.234
[email protected]'s password:
Last login: Sat Jan 2 16:07:32 2010 from 10.32.184.233
[root@test4 ~]# cd .ssh/
[root@test4 .ssh]# ls
authorized_keys id_dsa.pub id_rsa id_rsa.pub known_hosts
[root@test4 .ssh]# cat id_dsa.pub >authorized_keys
[root@test4 .ssh]# exit
logout
Connection to 10.32.184.234 closed.
[root@test3 .ssh]# ssh 10.32.184.234
Last login: Sat Jan 2 16:08:59 2010 from 10.32.184.233
[root@test4 ~]#
The following is the RSA walkthrough:
[root@test4 ~]# vim .ssh/authorized_keys
[root@test4 ~]# exit
logout
Connection to 10.32.184.234 closed.
[root@test3 .ssh]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
b4:6a:da:19:b7:62:5a:8c:8c:b0:75:a9:b9:40:09:7e
[email protected]
[root@test3 .ssh]# scp ~/.ssh/id_rsa.pub 10.32.184.234:~/
[root@test3 .ssh]# ls
id_dsa id_dsa.pub id_rsa id_rsa.pub known_hosts
[root@test3 .ssh]# scp ~/.ssh/id_rsa.pub 10.32.184.234:~/
[email protected]'s password:
id_rsa.pub 100% 406 0.4KB/s 00:00
[root@test3 .ssh]# ssh 10.32.184.234
[email protected]'s password:
Last login: Sat Jan 2 16:09:43 2010 from 10.32.184.233
[root@test4 ~]# cp ~/id_rsa.pub ~/.ssh/authorized_keys
cp:是否覆盖“/root/.ssh/authorized_keys”? y
[root@test4 ~]#
[root@test4 ~]# exit
logout
Connection to 10.32.184.234 closed.
[root@test3 .ssh]# ssh 10.32.184.234
Last login: Sat Jan 2 16:13:25 2010 from 10.32.184.233
[root@test4 ~]#
To let several hosts log in this way without a password, just append each host's own RSA or DSA public key to the ~/.ssh/authorized_keys file.
See the following example:
[root@test3 ~]# ssh 10.32.184.232
The authenticity of host '10.32.184.232 (10.32.184.232)' can't be established.
RSA key fingerprint is 60:19:ce:e5:82:ff:aa:04:d5:a3:0c:36:40:bf:e3:51.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.32.184.232' (RSA) to the list of known hosts.
[email protected]'s password:
Last login: Fri Jan 1 17:59:43 2010 from test0.yuhang.gov.cn
[root@test2 ~]# ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
55:f9:02:15:b8:5e:3b:37:dd:0b:57:1e:b8:21:18:d5
[email protected]
[root@test2 ~]# scp .ssh/id_dsa.pub 10.32.184.234:~/
The authenticity of host '10.32.184.234 (10.32.184.234)' can't be established.
RSA key fingerprint is 60:19:ce:e5:82:ff:aa:04:d5:a3:0c:36:40:bf:e3:51.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.32.184.234' (RSA) to the list of known hosts.
[email protected]'s password:
id_dsa.pub 100% 614 0.6KB/s 00:00
[root@test2 ~]# ssh 10.32.184.234
[email protected]'s password:
Last login: Sat Jan 2 16:14:42 2010 from 10.32.184.233
[root@test4 ~]# cat id_dsa.pub >> ~/.ssh/authorized_keys
[root@test4 ~]# exit
logout
Connection to 10.32.184.234 closed.
[root@test2 ~]# ssh 10.32.184.234
Last login: Sat Jan 2 16:21:25 2010 from 10.32.184.232
[root@test4 ~]#
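Note: the permissions of the .ssh directory and the authorized_keys file must be 600.
Once this is done, the user can log in from the local machine to the remote machine without a password.
This setup is simple and practical.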
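Addendum:
Only after finishing the above did I discover that the openssh-clients package also includes a tool that automatically copies the client's public key into the authorized_keys file on the server, which is quite convenient.
Tool name: ssh-copy-id
For usage, see the man ssh-copy-id manual page.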
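The remote-side step of the walkthroughs above, as an added example that is not part of the original post: a hypothetical helper, install_pubkey, appends a public key to authorized_keys only when it is not already there and then tightens the permissions, so the overwrite seen with `>` and cp in the DSA and RSA sessions cannot drop keys installed by other hosts. The key strings are constructed, and the 700 directory mode is this example's choice (it keeps the directory traversable by its owner).

```shell
#!/bin/sh
# Added example (not from the original post). install_pubkey is a hypothetical
# helper: install_pubkey PUBKEY_FILE [SSH_DIR]; SSH_DIR defaults to ~/.ssh.
install_pubkey() {
    pub=$1
    dir=${2:-$HOME/.ssh}
    auth=$dir/authorized_keys
    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }

    # A public key line is "type base64-blob [comment]". Refuse anything
    # else, for example a private key file passed by mistake.
    line=$(awk 'NF >= 2 && $1 ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-)/ { print; exit }' "$pub")
    [ -n "$line" ] || { echo "$pub holds no public key" >&2; return 1; }
    key=$(printf '%s\n' "$line" | awk '{ print $1 " " $2 }')

    # Create the directory and file accessible by the owner only.
    ( umask 077; mkdir -p "$dir" && touch "$auth" ) || return 1

    if grep -qF -- "$key" "$auth"; then
        echo "already present in $auth"
    else
        # If the file does not end in a newline, add one so the new key
        # is not glued onto the previous entry.
        if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
            echo >> "$auth"
        fi
        # Append (>>); a single > would drop every key installed earlier.
        printf '%s\n' "$line" >> "$auth" || return 1
        echo "added to $auth"
    fi
    chmod 700 "$dir" && chmod 600 "$auth"
}

# Demo in a scratch directory with constructed (not real) key material.
demo=$(mktemp -d)
echo "ssh-dss AAAAB3NzaC1kc3MAAACBconstructed1 root@test3" > "$demo/test3.pub"
echo "ssh-dss AAAAB3NzaC1kc3MAAACBconstructed2 root@test2" > "$demo/test2.pub"
install_pubkey "$demo/test3.pub" "$demo/.ssh"
install_pubkey "$demo/test2.pub" "$demo/.ssh"
install_pubkey "$demo/test3.pub" "$demo/.ssh"   # second run changes nothing
wc -l < "$demo/.ssh/authorized_keys"
rm -rf "$demo"
```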