基于linux下的ssh服务的远程免密配置
什么是openssh?OpenSSH是SSH(Secure SHell)协议的免费开源实现。SSH协议族可以用来进行远程控制,或在计算机之间传送文件。而实现此功能的传统方式,如telnet(终端仿真协议)、 rcp ftp、rlogin、rsh都是极为不安全的,并且会使用明文传送密码。OpenSSH提供了服务端后台程序和客户端工具,用来加密远程控制和文件传输过程中的数据,并由此来代替原...
·
实验前提:
打开两台虚拟机分别配置IP为172.25.254.121和172.25.254.221,只要不同即可。
服务端:
hostnamectl set-hostname service.com 更改名字方便区分
[root@service ~]# ifconfig 查看IP
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.25.254.121 netmask 255.255.255.0 broadcast 172.25.254.255
inet6 fe80::5054:ff:fe0f:48bf prefixlen 64 scopeid 0x20<link>
ether 52:54:00:0f:48:bf txqueuelen 1000 (Ethernet)
RX packets 101 bytes 11691 (11.4 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 59 bytes 8702 (8.4 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
客户端:
hostnamectl set-hostname client.com 更改名字方便区分
[root@client ~]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.25.254.221 netmask 255.255.255.0 broadcast 172.25.254.255
inet6 fe80::5054:ff:fe41:fe50 prefixlen 64 scopeid 0x20<link>
ether 52:54:00:41:fe:50 txqueuelen 1000 (Ethernet)
RX packets 1818 bytes 444942 (434.5 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1530 bytes 4472387 (4.2 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
客户端连接需要密码:
[root@client ~]# rm -fr /root/.ssh/ 删除.ssh目录
[root@client ~]# ssh root@172.25.254.121 连接服务端,目录会自动生成
The authenticity of host '172.25.254.121 (172.25.254.121)' can't be established.
ECDSA key fingerprint is b1:05:1c:1c:99:8d:fd:26:e7:d9:62:3c:32:4d:91:66.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.25.254.121' (ECDSA) to the list of known hosts.
root@172.25.254.121's password: 需要输入密码
Last login: Thu Jun 14 08:33:55 2018 from 172.25.254.221
[root@service ~]# exit
logout
Connection to 172.25.254.121 closed.
[root@client ~]# cd /root/.ssh/ 切换到.ssh路径
[root@client .ssh]# ls 查看已经有了连接
known_hosts
在服务端:
[root@service ~]# rm -fr /root/.ssh/ 删除.ssh目录
[root@service ~]# ssh root@172.25.254.221 连接客户端生成目录
The authenticity of host '172.25.254.221 (172.25.254.221)' can't be established.
ECDSA key fingerprint is 1c:8a:8c:8e:fe:33:f3:7a:9d:70:11:f9:9a:57:6c:23.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.25.254.221' (ECDSA) to the list of known hosts.
root@172.25.254.221's password:
Last login: Thu Jun 14 08:21:20 2018 from 172.25.254.84
[root@client ~]# exit
logout
Connection to 172.25.254.221 closed.
[root@service ~]# cd /root/.ssh/ 切换到.ssh路径
[root@service .ssh]# ls 已经有了连接
known_hosts
在服务端生成锁和钥匙:
[root@service .ssh]# ssh-keygen 生成密钥的命令
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 保存加密字符的文件用默认
Enter passphrase (empty for no passphrase): 可以为空,如果不想为空必须大于4位
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa. 私钥
Your public key has been saved in /root/.ssh/id_rsa.pub. 公钥
The key fingerprint is:
4c:ce:8b:d0:98:b5:c5:5c:e3:72:a9:11:9b:e0:b6:ce root@service.com
The key's randomart image is:
+--[ RSA 2048]----+
| . . o |
| . + * o |
| + X + |
| * O = |
| + + S |
| + . . |
| E . |
| |
| |
+-----------------+
[root@service .ssh]# ls
id_rsa id_rsa.pub known_hosts
加密ssh用户的认证:
[root@service .ssh]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.25.254.121 对服务端进行加密
ssh-copy-id 加密命令
-i 指定密钥
/root/.ssh/id_rsa.pub 密钥
root 加密用户
172.25.254.121 主机ip
[root@service .ssh]# ls 已经生成锁文件
authorized_keys id_rsa id_rsa.pub known_hosts
传输密钥:
[root@service .ssh]# scp /root/.ssh/id_rsa root@172.25.254.221:/root/.ssh/
root@172.25.254.221's password:
id_rsa 100% 1675 1.6KB/s 00:00 解密文件传输到客户端
在客户端可以免密连接:
[root@client .ssh]# ls 查看已经有了私钥
id_rsa known_hosts
[root@client .ssh]# ssh root@172.25.254.121 可以免密连接
Last login: Thu Jun 14 08:41:02 2018 from 172.25.254.221
[root@service ~]# exit 退出
logout
Connection to 172.25.254.121 closed.
在服务端删除解密文件:
[root@service .ssh]# rm -fr authorized_keys 当此文件被删除,客户端解密文件失效
[root@service .ssh]# ls 查看已经被删除
id_rsa id_rsa.pub known_hosts
在客户端无法免密连接:
[root@client .ssh]# ssh root@172.25.254.121 连接需要密码
root@172.25.254.121's password:
Last login: Thu Jun 14 08:49:10 2018 from 172.25.254.221
[root@service ~]# exit 退出
logout
Connection to 172.25.254.121 closed.
在服务端重新生成解密文件:
[root@service .ssh]# scp /root/.ssh/id_rsa.pub /root/.ssh/authorized_keys 从新生成锁文件,解密文件功能恢复
[root@service .ssh]# ls 查看已经生成锁文件
authorized_keys id_rsa id_rsa.pub known_hosts
在客户端可以免密连接:
客户端删除私钥之后同样不可以免密连接:
[root@client .ssh]# ssh root@172.25.254.121 可以免密连接
Last login: Thu Jun 14 08:49:35 2018 from 172.25.254.221
[root@service ~]# exit 退出
logout
Connection to 172.25.254.121 closed.
[root@client .ssh]# rm -fr id_rsa 在客户端删除私钥之后也没办法免密执行
[root@client .ssh]# ls 查看已经删除私钥
known_hosts
[root@client .ssh]# ssh root@172.25.254.121 连接需要密码
root@172.25.254.121's password:
Last login: Thu Jun 14 08:50:10 2018 from 172.25.254.221
[root@service ~]# exit 退出
logout
Connection to 172.25.254.121 closed.
在服务端重新发送私钥:
[root@service .ssh]# scp /root/.ssh/id_rsa root@172.25.254.221:/root/.ssh/ 重新发送解密文件
root@172.25.254.221's password:
id_rsa 100% 1675 1.6KB/s 00:00
在客户端恢复免密:
[root@client .ssh]# ls 查看已经有了私钥
id_rsa known_hosts
[root@client .ssh]# ssh root@172.25.254.121 可以免密连接
Last login: Thu Jun 14 08:50:23 2018 from 172.25.254.221
[root@service ~]# exit 退出
logout
Connection to 172.25.254.121 closed.
开放原子开发者工作坊旨在鼓励更多人参与开源活动,与志同道合的开发者们相互交流开发经验、分享开发心得、获取前沿技术趋势。工作坊有多种形式的开发者活动,如meetup、训练营等,主打技术交流,干货满满,真诚地邀请各位开发者共同参与!
更多推荐
1
0- 0
已为社区贡献1条内容
所有评论(0)