openssh
I. Common remote login methods
1. telnet: remote login protocol, 23/TCP
- Checking whether a given service is open:
[root@SYL3 ~]# telnet 192.168.232.129 22 //check ssh
Trying 192.168.232.129...
Connected to 192.168.232.129.
Escape character is '^]'.
SSH-2.0-OpenSSH_8.0
^C
Connection closed by foreign host.
[root@SYL3 ~]#
2. dropbear: SSH server and client tools designed for embedded systems
3. ssh (Secure SHell): 22/TCP
- The communication and authentication processes are encrypted: host authentication and user authentication both happen over the encrypted channel
- Authentication has two stages: host authentication and user authentication
[root@SYL3 ~]# ssh root@192.168.232.129
The authenticity of host '192.168.232.129 (192.168.232.129)' can't be established.
ECDSA key fingerprint is SHA256:WlI+c2MQDTEJhLAvW//ahd5T4DlwkGIfuB3+u8cWJZY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes //host authentication
Warning: Permanently added '192.168.232.129' (ECDSA) to the list of known hosts.
root@192.168.232.129's password: //user authentication
Last login: Wed Apr 13 15:32:21 2022 from 192.168.232.1
[root@SYL2 ~]# exit
logout
Connection to 192.168.232.129 closed.
[root@SYL3 ~]#
- Data transfer is encrypted
4. SSH authentication methods
- Password authentication: a password
- Key authentication: a public key (P) and a private key (S)
[root@SYL2 ~]# cd /etc/ssh/
[root@SYL2 ssh]# ls
moduli              ssh_host_ecdsa_key.pub
ssh_config          ssh_host_ed25519_key
ssh_config.d        ssh_host_ed25519_key.pub
sshd_config         ssh_host_rsa_key          //private key
ssh_host_ecdsa_key  ssh_host_rsa_key.pub      //public key
[root@SYL2 ssh]#
5. Working mode: openssh
- Architecture: a structure made up of multiple hosts
- C/S architecture: C = client, S = server
Server side  //sshd, configuration file /etc/ssh/sshd_config
Client       //ssh, configuration file /etc/ssh/ssh_config
ssh-keygen   //key generator
ssh-copy-id  //copies the public key to the remote server
scp          //secure cross-host copy tool
- B/S architecture: a browser accessing a website
6. SSH remote login methods
6.1 Same username: log in with just the IP address
[root@SYL3 ~]# ssh 192.168.232.129
root@192.168.232.129's password:
Last login: Wed Apr 13 15:34:37 2022 from 192.168.232.128
[root@SYL2 ~]# exit
logout
Connection to 192.168.232.129 closed.
[root@SYL3 ~]#
6.2 Different username: log in with username + IP address
[tom@SYL3 ~]$ ssh root@192.168.232.129
root@192.168.232.129's password:
Last login: Wed Apr 13 16:09:03 2022 from 192.168.232.128
[root@SYL2 ~]#
- With a different username, a direct login (IP address only) does not work:
[root@SYL3 ~]# echo 'run123456' | passwd --stdin tom
Changing password for user tom.
passwd: all authentication tokens updated successfully.
[root@SYL3 ~]# su - tom
[tom@SYL3 ~]$ ssh 192.168.232.129
The authenticity of host '192.168.232.129 (192.168.232.129)' can't be established.
ECDSA key fingerprint is SHA256:WlI+c2MQDTEJhLAvW//ahd5T4DlwkGIfuB3+u8cWJZY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.232.129' (ECDSA) to the list of known hosts.
tom@192.168.232.129's password:
6.3 Run a command without logging in; the session exits automatically once the command has run
Client:
[tom@SYL3 ~]$ ssh root@192.168.232.129 'echo "123456" > /tmp/abc'
root@192.168.232.129's password:
[tom@SYL3 ~]$
Server:
[root@SYL2 ~]# cat /tmp/abc
123456
[root@SYL2 ~]#
7. Encryption and decryption
1. There are three kinds:
- Symmetric encryption: the same key is used for encryption and decryption
- Public-key encryption: also called asymmetric encryption. There is a key pair, a public key (P) and a private key (S). What the public key encrypts the private key decrypts, and vice versa; the public key is contained in the private key
- Public-key encryption can provide both encryption and signing:
RSA: can do both encryption and signing
DSA: signing only
ELGamal: a commercial encryption algorithm
- One-way encryption (hashing): extracts a fingerprint of the data; it can "encrypt" but cannot decrypt, and is commonly used for data integrity checks
- Properties of one-way encryption:
a) Avalanche effect (a tiny change in the input causes a huge change in the result)
[root@SYL3 ~]# md5sum anaconda-ks.cfg
006220f587da6285b6b0611ee62211fb  anaconda-ks.cfg
[root@SYL3 ~]# echo '#' >> anaconda-ks.cfg
[root@SYL3 ~]# md5sum anaconda-ks.cfg
ae1344e3f6e53ddd00133be4f013f132  anaconda-ks.cfg
b) Fixed-length output (the result has the same length no matter how large the original data is)
MD5: Message Digest, 128-bit fixed-length output
SHA1: Secure Hash Algorithm, 160-bit fixed-length output
c) Irreversible (the original data cannot be recovered from the fingerprint)
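The three properties above, measured rather than only described, as an added example that is not part of the original post. It uses md5sum and sha256sum from coreutils on two constructed strings that differ by a single appended `#` (the same change the anaconda-ks.cfg experiment made) and counts how many output bits change; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the post): quantify the avalanche effect and the
# fixed-length output of one-way hashes. Assumes POSIX sh and coreutils.

# digest_hex ALGO STRING -> hex digest of STRING (ALGO is md5 or sha256)
digest_hex() {
  printf '%s' "$2" | "${1}sum" | cut -d' ' -f1
}

# hex_bit_diff HEX_A HEX_B -> number of differing bits (Hamming distance)
# between two equal-length hex strings
hex_bit_diff() {
  a=$1; b=$2; n=0
  while [ -n "$a" ]; do
    ca=$(printf '%.1s' "$a"); cb=$(printf '%.1s' "$b")   # leading nibbles
    x=$(( 0x$ca ^ 0x$cb ))                               # XOR, 0..15
    a=${a#?}; b=${b#?}
    set -- 0 1 1 2 1 2 2 3 1 2 2 3 2 3 3 4               # popcount table
    shift "$x"
    n=$((n + $1))
  done
  echo "$n"
}

# show ALGO TEXT1 TEXT2: print both digests and how many bits differ
show() {
  h1=$(digest_hex "$1" "$2"); h2=$(digest_hex "$1" "$3")
  printf '%-6s %s\n' "$1" "$h1"
  printf '%-6s %s\n' "$1" "$h2"
  printf '       %s hex chars each, %s of %s bits differ\n' \
    "${#h1}" "$(hex_bit_diff "$h1" "$h2")" "$(( ${#h1} * 4 ))"
}

# Constructed inputs: the second one only appends '#'
show md5    'anaconda-ks.cfg contents' 'anaconda-ks.cfg contents#'
show sha256 'anaconda-ks.cfg contents' 'anaconda-ks.cfg contents#'
```

Roughly half of the output bits flip for a one-character change regardless of the algorithm, and the digest length depends only on the algorithm (32 hex characters for MD5, 64 for SHA-256), never on the input size.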
7.1 SSH host keys
- When a user connects to a particular server with ssh for the first time, the ssh command stores that server's public key in the user's ~/.ssh/known_hosts file. On every later connection the client compares the server's entry in ~/.ssh/known_hosts with the public key the server sends, to make sure it receives the same public key from the server. If the public keys do not match, the client assumes the network traffic has been hijacked or the server has been compromised, and aborts the connection.
- If the server's public key changes (the key was lost through a disk failure, or replaced for some legitimate reason), the user must update ~/.ssh/known_hosts and delete the old entry before being able to log in.
- Location of the file created by logging in:
[tom@SYL3 ~]$ cd .ssh/
[tom@SYL3 .ssh]$ ls
known_hosts
[tom@SYL3 .ssh]$
[tom@SYL3 ~]$ ssh root@192.168.232.129
root@192.168.232.129's password:
Last login: Wed Apr 13 16:18:27 2022 from 192.168.232.128
[root@SYL2 ~]# exit
logout
Connection to 192.168.232.129 closed.
[tom@SYL3 ~]$ cat .ssh/known_hosts
192.168.232.129 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPSiWGhQ+/xyF44ZpZQLIL3+AikA192a77mG/Mq0KZ5ZnXxxLCiPMb62Q7dp10WdlDgyEyRLL9dvl9Rizr2pe9w=
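What the client compares at the second login is the key blob stored in that known_hosts line. The following added example (not part of the original post) takes the entry shown above, decodes the base64 blob, checks that the key type embedded in the blob matches the declared type, and computes the SHA256 fingerprint the same way ssh prints it at first connection (base64 of the SHA-256 of the raw blob, without padding), so the stored entry can be compared against the fingerprint ssh displayed above. It assumes POSIX sh and coreutils; the variable and function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the post: verify a known_hosts entry offline.
# Assumes POSIX sh and coreutils (base64, od, dd, sha256sum, sed, awk).

# Constructed input: the known_hosts line shown in section 7.1.
KH_HOST=192.168.232.129
KH_TYPE=ecdsa-sha2-nistp256
KH_BLOB='AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPSiWGhQ+/xyF44ZpZQLIL3+AikA192a77mG/Mq0KZ5ZnXxxLCiPMb62Q7dp10WdlDgyEyRLL9dvl9Rizr2pe9w='
KNOWN_HOSTS_LINE="$KH_HOST $KH_TYPE $KH_BLOB"

# hex_to_bin HEX: write the bytes encoded by a hex string to stdout
hex_to_bin() {
  for byte in $(printf '%s\n' "$1" | sed 's/../& /g'); do
    printf "\\$(printf '%03o' "$((0x$byte))")"   # octal escape: portable printf
  done
}

# blob_key_type BLOB: the key type string at the start of the wire-format blob
# (4-byte big-endian length followed by that many bytes)
blob_key_type() {
  len=$(printf '%s' "$1" | base64 -d | od -An -tu1 -N4 |
        awk '{ print (($1 * 256 + $2) * 256 + $3) * 256 + $4 }')
  printf '%s' "$1" | base64 -d | dd bs=1 skip=4 count="$len" 2>/dev/null
}

# blob_fingerprint BLOB: "SHA256:<43 base64 chars>", as ssh and ssh-keygen -l show it
blob_fingerprint() {
  hex=$(printf '%s' "$1" | base64 -d | sha256sum | cut -d' ' -f1)
  printf 'SHA256:%s' "$(hex_to_bin "$hex" | base64 | tr -d '=\n')"
}

# check_known_hosts_line LINE: fail if the declared type and the blob disagree,
# otherwise print "host type fingerprint"
check_known_hosts_line() {
  host=$(printf '%s' "$1" | cut -d' ' -f1)
  declared=$(printf '%s' "$1" | cut -d' ' -f2)
  blob=$(printf '%s' "$1" | cut -d' ' -f3)
  embedded=$(blob_key_type "$blob")
  if [ "$declared" != "$embedded" ]; then
    printf 'BAD: %s declares %s but the blob is a %s key\n' "$host" "$declared" "$embedded" >&2
    return 1
  fi
  printf '%s %s %s\n' "$host" "$embedded" "$(blob_fingerprint "$blob")"
}

check_known_hosts_line "$KNOWN_HOSTS_LINE"
```

On a real system `ssh-keygen -lf ~/.ssh/known_hosts` prints the same fingerprints for every entry; comparing them against a fingerprint obtained out of band (from the server's console, `ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub`) is what makes the "yes" at the first connection a verification rather than a guess.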
7.2 After the file is deleted, the next login performs host verification and user verification again, and a new file is created on the client
[tom@SYL3 .ssh]$ rm -f known_hosts
[tom@SYL3 .ssh]$ ssh root@192.168.232.129
The authenticity of host '192.168.232.129 (192.168.232.129)' can't be established.
ECDSA key fingerprint is SHA256:WlI+c2MQDTEJhLAvW//ahd5T4DlwkGIfuB3+u8cWJZY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.232.129' (ECDSA) to the list of known hosts.
root@192.168.232.129's password:
Last login: Wed Apr 13 17:21:44 2022 from 192.168.232.128
[root@SYL2 ~]# exit
logout
Connection to 192.168.232.129 closed.
[tom@SYL3 .ssh]$ ls
known_hosts
[tom@SYL3 .ssh]$
7.3 Location of the file generated on the current host
[tom@SYL3 ~]$ cd .ssh/
[tom@SYL3 .ssh]$ ls
known_hosts
7.4 Where the host keys live on the server side: the files ending in pub are public keys, the others are private keys
[root@SYL2 ~]# cd /etc/ssh/
[root@SYL2 ssh]# ls *key*
ssh_host_ecdsa_key
ssh_host_ecdsa_key.pub
ssh_host_ed25519_key
ssh_host_ed25519_key.pub
ssh_host_rsa_key
ssh_host_rsa_key.pub
[root@SYL2 ssh]#
8. Configuring passwordless (key-based) login
1. ssh-keygen -t rsa
2. ssh-copy-id root@192.168.232.129
3. ssh-copy-id -i /root/.ssh/id_rsa.pub root@192.168.232.129
8.1 Use the ssh-keygen command to generate a key. A private key and a public key are produced; rsa is the algorithm: ssh-keygen -t rsa
When the key is generated, you are offered the option of setting a passphrase, which then has to be supplied whenever the private key is used. If the private key is stolen, anyone other than its owner will have a hard time using it, because it is protected by the passphrase. This leaves enough time to generate a new key pair and remove everything tied to the old key before an attacker can crack and use it.
[mushuang@SYL3 ~]$ ssh-keygen -t rsa //generate with the rsa algorithm
Generating public/private rsa key pair.
Enter file in which to save the key (/home/mushuang/.ssh/id_rsa): //default location
Created directory '/home/mushuang/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/mushuang/.ssh/id_rsa.
Your public key has been saved in /home/mushuang/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:svIaGgTu1UN3p/ReXPgUc5lUcaprCT8B3HM9kXu9blc mushuang@SYL3
The key's randomart image is:
+---[RSA 3072]----+
| .*X|
| . . .**|
|. . . oo.o.o++|
|.. o . o +..++.+|
| ... o. S...oo .o|
|... .o .o.+ .E|
| .. o . .* . .|
| o + . . o.|
| . ... . .|
+----[SHA256]-----+
[mushuang@SYL3 ~]$
8.2 After the ssh key is generated, it is stored by default in the .ssh/ directory under the home directory. Keys are saved in the home directory of whichever user generated them; the private key and the public key get permissions 600 and 644 respectively, and the .ssh directory's permissions must be 700.
- Location of the generated keys
[mushuang@SYL3 ~]$ ls .ssh/
id_rsa id_rsa.pub
[mushuang@SYL3 ~]$
- Permissions of the private key (600) and public key (644), and of the directory (700)
[mushuang@SYL3 ~]$ ll .ssh/
total 8
-rw-------. 1 mushuang mushuang 2602 Apr 13 17:55 id_rsa //private key 600
-rw-r--r--. 1 mushuang mushuang 567 Apr 13 17:55 id_rsa.pub //public key 644
[mushuang@SYL3 ~]$
[mushuang@SYL3 ~]$ ll -a .
total 16
drwx------. 2 mushuang mushuang 38 Apr 13 17:55 .ssh //directory 700
[mushuang@SYL3 ~]$
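The permission values in 8.2 are not just convention: sshd runs with StrictModes enabled by default and silently ignores keys in a directory or file that is too permissive, which shows up as an unexpected password prompt. The audit below is an added example, not part of the original post; it reads the mode strings from ls output the way the ll listings above show them, builds a scratch .ssh directory with the wrong modes to demonstrate the failure, and then fixes it. It assumes POSIX sh and coreutils; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the post): audit a .ssh directory against the
# permissions section 8.2 requires. Assumes POSIX sh and coreutils.

# check_ssh_dir DIR [OWNER]: print one line per problem and return 1 if any;
# OWNER defaults to the invoking user.
check_ssh_dir() {
  dir=$1; owner=${2:-$(id -un)}; rc=0
  set -- $(ls -ld "$dir")                   # $1 = mode string, $3 = owner
  mode=$(printf '%.10s' "$1")               # drop a trailing '.' or '+' (SELinux, ACL)
  [ "$mode" = "drwx------" ] || { echo "BAD: $dir mode $mode, want drwx------ (700)"; rc=1; }
  [ "$3" = "$owner" ] || { echo "BAD: $dir owned by $3, want $owner"; rc=1; }
  for f in "$dir"/id_* "$dir"/authorized_keys; do
    [ -f "$f" ] || continue                 # unmatched glob or missing file
    case "$f" in
      *.pub) want="-rw-r--r--" ;;           # 644: public keys
      *)     want="-rw-------" ;;           # 600: private keys and authorized_keys
    esac
    set -- $(ls -l "$f")
    mode=$(printf '%.10s' "$1")
    [ "$mode" = "$want" ] || { echo "BAD: $f mode $mode, want $want"; rc=1; }
    [ "$3" = "$owner" ] || { echo "BAD: $f owned by $3, want $owner"; rc=1; }
  done
  [ "$rc" -eq 0 ] && echo "OK: $dir"
  return "$rc"
}

# demo: a constructed .ssh directory with the classic mistakes, then the fix
demo() {
  tmp=$(mktemp -d)
  mkdir "$tmp/.ssh"; chmod 755 "$tmp/.ssh"                 # wrong: world-readable directory
  : > "$tmp/.ssh/id_rsa"; chmod 644 "$tmp/.ssh/id_rsa"     # wrong: private key readable by others
  : > "$tmp/.ssh/id_rsa.pub"; chmod 644 "$tmp/.ssh/id_rsa.pub"
  check_ssh_dir "$tmp/.ssh" || echo "-> applying chmod 700 / chmod 600"
  chmod 700 "$tmp/.ssh"; chmod 600 "$tmp/.ssh/id_rsa"
  check_ssh_dir "$tmp/.ssh"
  rm -rf "$tmp"
}
demo
```

Run it against a real account with `check_ssh_dir ~/.ssh`; on the server side the same check applies to the directory holding authorized_keys.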
8.3 Before key-based authentication can be used, the public key must be copied to the target system: ssh-copy-id username@IP-address
8.3.1 When ssh-copy-id copies a key to another system, it copies the ~/.ssh/id_rsa.pub file by default
- Copy the key generated on the client to the server
[mushuang@SYL3 ~]$ ssh-copy-id root@192.168.232.129
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/mushuang/.ssh/id_rsa.pub"
The authenticity of host '192.168.232.129 (192.168.232.129)' can't be established.
ECDSA key fingerprint is SHA256:WlI+c2MQDTEJhLAvW//ahd5T4DlwkGIfuB3+u8cWJZY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.232.129's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@192.168.232.129'"
and check to make sure that only the key(s) you wanted were added.
[mushuang@SYL3 ~]$
- Permissions on the server side
[mushuang@SYL3 ~]$ ll .ssh/
total 8
-rw-r--r--. 1 mushuang mushuang 567 Apr 13 17:55 id_rsa.pub //public key 644
[root@SYL2 ~]# ls .ssh
authorized_keys
[root@SYL2 ~]# ll .ssh
total 4
-rw-------. 1 root root 567 Apr 13 18:19 authorized_keys //600
- The file copied is the host's public key; the public key (644) ends up on the server with permissions 600
[root@SYL2 .ssh]# cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDoBmpK2/kHrOgTJzG7B6M4U4ZELV54Qge/lid0zdTcxRyOzLzyP++hwcpCTNt/sheDnNrK4YQTPTwLtbkRKIlM6bFbqUKmFHHUjsCIxi7DFqKV6J1XH7rDF+cO5EXEqEcBMYZ0ku0jj0XRp3GOgOBcidvAtIEoeJqcOZG+XIv72usTRKolNDHp5q9h4SL/9h8Ib2Ie9LX/z/MPA7whjFvogDBI3c8qKeF65/MVaBqHSS8PV04jUh168zu+ASp0W/8EZUspOj3YhuybTz5CYugOTAN2D4iFmheB23IsDbstYhByJ//8BcQIjcTyntGeCQDYG7wAThT0LD2OV7+0xlzGaz3YUMDTJHIyDWDgIWxpceNmd0y9oJzE8IvGiR+RSjNYLNgg+wygdEhEMk+K1WEtG+KbYpZV8HfySGy8Lv+VwfgV7aoxS/3Lc7owx962F5vovsUKIYKaXt0Zk0U3lJUYjE6a+RMo26LTqE/yeebjs0QTFJx2iIQNa14vAoDHoHU= mushuang@SYL3
[root@SYL2 .ssh]#
[mushuang@SYL3 .ssh]$ ls
id_rsa id_rsa.pub known_hosts
[mushuang@SYL3 .ssh]$ cat id_rsa.pub
ssh-rsa ... mushuang@SYL3
[mushuang@SYL3 .ssh]$
- Logging in no longer asks for a password
[mushuang@SYL3 ~]$ ssh root@192.168.232.129
Last login: Wed Apr 13 17:28:42 2022 from 192.168.232.128
[root@SYL2 ~]#
8.4 Copying with scp
Common scp options
-r //recursive copy
-p //preserve permissions
-P //port
-q //quiet mode
-a //copy everything
- Use scp to send a file to a remote host
[root@SYL3 ~]# scp anaconda-ks.cfg root@192.168.232.129:.
anaconda-ks.c 100% 1095 635.1KB/s 00:00
[root@SYL3 ~]#
[root@SYL2 ~]# ls
abc anaconda-ks.cfg
[root@SYL2 ~]#
- Use scp to download a file from a remote host to the local machine
[root@SYL3 ~]# scp root@192.168.232.129:/root/anaconda-ks.cfg /tmp/
anaconda-ks.c 100% 1095 896.7KB/s 00:00
[root@SYL3 ~]# ls /tmp/
abc
anaconda-ks.cfg
9. Customizing the SSH service configuration
Although the OpenSSH server usually needs no changes, it offers additional security measures: every aspect of the OpenSSH server can be adjusted in the configuration file /etc/ssh/sshd_config.
- Whether the root user may log in remotely: PermitRootLogin {yes|no}
[root@SYL2 ~]# vi /etc/ssh/sshd_config
[root@SYL2 ~]# cat /etc/ssh/sshd_config | grep PermitRootLogin
PermitRootLogin no //the root account may not log in
# the setting of "PermitRootLogin without-password".
[root@SYL2 ~]# systemctl restart sshd //restart the sshd service
[root@SYL2 ~]#
[root@SYL3 ~]# ssh root@192.168.232.129
root@192.168.232.129's password:
Permission denied, please try again. //login refused
Create an ordinary user on the server and set a password:
[root@SYL2 ~]# useradd mushuang
[root@SYL2 ~]# echo 'run123456'|passwd --stdin mushuang
Changing password for user mushuang.
passwd: all authentication tokens updated successfully.
[root@SYL2 ~]#
Back on the client:
[root@SYL3 ~]# ssh mushuang@192.168.232.129 //log in as the ordinary user
mushuang@192.168.232.129's password:
Permission denied, please try again.
mushuang@192.168.232.129's password:
Last failed login: Wed Apr 13 20:13:03 CST 2022 from 192.168.232.128 on ssh:notty
There were 10 failed login attempts since the last successful login.
[mushuang@SYL2 ~]$ su - //switch to root with root's login environment
Password:
Last login: Wed Apr 13 20:08:36 CST 2022 from 192.168.232.128 on pts/1
Last failed login: Wed Apr 13 20:12:21 CST 2022 from 192.168.232.128 on ssh:notty
There was 1 failed login attempt since the last successful login.
[root@SYL2 ~]# //logged in successfully
- Allow root to log in remotely only with key-based authentication: PermitRootLogin without-password
- Whether password authentication is enabled (on by default): PasswordAuthentication {yes|no}
10. SSH security notes
- Passwords should be changed regularly and be sufficiently complex
[root@SYL3 ~]# tr -dc A-Za-z0-9_ < /dev/urandom | head -c 30 |xargs //generate a 30-character random password
b7PcVc1k3g_b4TZXjWji2SdkgGszGI
[root@SYL3 ~]# tr -dc A-Za-z0-9_ < /dev/urandom | head -c 30 |xargs
sPNyMTE4s0JIltp7XSWDrjgqwoAVVf
[root@SYL3 ~]# tr -dc A-Za-z0-9_ < /dev/urandom | head -c 20 |xargs //generate a 20-character random password
xgJsjDHGeu67HSF8Ed3H
[root@SYL3 ~]# tr -dc A-Z0-9_ < /dev/urandom | head -c 10 |xargs
M36U2HWXLQ
[root@SYL3 ~]#
[root@localhost ~]# openssl rand 20 -base64
Di9ry+dyV40xVvBHirsc3XpBOzg= //generate a random password from 20 random bytes
- Use a non-default port and close the default port; the firewall has to be turned off
- Restrict the client addresses that may log in
- Listen only on specific IP addresses
- Forbid the administrator from logging in directly
- Allow only a limited set of users to log in
- AllowUsers
- AllowGroups
- Use key-based authentication
- Forbid empty passwords
- Forbid SSH protocol version 1
- Set an idle session timeout
[root@SYL3 ~]# vi /etc/profile
Write export TMOUT=120 into /etc/profile, then source it.
The source command is commonly used to re-execute an initialization file that has just been modified.
- Use the firewall to set an SSH access policy
- Limit the SSH access rate and the number of concurrent sessions
- Back up the logs and analyse them regularly (centralised on one server)
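Most of the items in sections 9 and 10 map to a keyword in /etc/ssh/sshd_config, and the subtle part is knowing which value sshd actually uses: a commented-out line means the compiled-in default applies, the first uncommented occurrence of a keyword wins over later ones, and anything after a Match line is conditional. The audit below is an added example, not part of the original post; it writes two constructed configuration files (a weak one and one following the sections above) to a temp directory and reports findings for each. It assumes POSIX sh, awk and coreutils; the defaults in it are OpenSSH's documented defaults for those keywords, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the post): audit an sshd_config against the
# hardening items in sections 9 and 10. Assumes POSIX sh, awk and coreutils.

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
WEAK=$TMP/weak_sshd_config
HARD=$TMP/hardened_sshd_config

# Constructed "weak" config: explicit yes values plus a commented-out line,
# which sshd ignores, so the compiled-in default (PasswordAuthentication yes) applies.
cat > "$WEAK" <<'EOF'
PermitRootLogin yes
#PasswordAuthentication no
PermitEmptyPasswords yes
Port 22
EOF

# Constructed hardened config following sections 9 and 10 (sample values).
cat > "$HARD" <<'EOF'
Port 2222
ListenAddress 192.168.232.129
Protocol 2
PermitRootLogin without-password
PasswordAuthentication no
PermitEmptyPasswords no
AllowUsers mushuang
ClientAliveInterval 120
ClientAliveCountMax 2
Match User mushuang
    PasswordAuthentication yes
EOF

# sshd_effective FILE KEYWORD: the value sshd will actually use for KEYWORD.
# First uncommented occurrence wins, keywords are case-insensitive, and the
# global section ends at the first Match block. Prints nothing if unset.
sshd_effective() {
  awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    NF < 2 || $1 ~ /^#/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == k { print $2; exit }' "$1"
}

# expect KEYWORD DEFAULT ACCEPTED...: one finding if the effective value
# (DEFAULT when unset) is not in the accepted list.
expect() {
  key=$1; def=$2; shift 2
  val=$(sshd_effective "$CFG" "$key"); val=${val:-$def}
  for ok in "$@"; do [ "$val" = "$ok" ] && return 0; done
  printf 'FINDING: %s is %s (want one of: %s)\n' "$key" "$val" "$*"
  return 1
}

# audit_sshd_config FILE: print findings, then "<n> finding(s)" as the last line.
audit_sshd_config() {
  CFG=$1; n=0
  expect PermitRootLogin prohibit-password no prohibit-password without-password || n=$((n + 1))
  expect PasswordAuthentication yes no || n=$((n + 1))
  expect PermitEmptyPasswords no no || n=$((n + 1))
  expect Protocol 2 2 || n=$((n + 1))   # only matters on old servers that still speak SSHv1
  port=$(sshd_effective "$CFG" Port)
  [ "${port:-22}" != 22 ] || { echo "FINDING: Port is the default 22"; n=$((n + 1)); }
  idle=$(sshd_effective "$CFG" ClientAliveInterval)
  [ "${idle:-0}" -gt 0 ] || { echo "FINDING: ClientAliveInterval unset, idle sessions never time out"; n=$((n + 1)); }
  allow_u=$(sshd_effective "$CFG" AllowUsers); allow_g=$(sshd_effective "$CFG" AllowGroups)
  [ -n "$allow_u$allow_g" ] || { echo "FINDING: no AllowUsers/AllowGroups restriction"; n=$((n + 1)); }
  echo "$n finding(s)"
}

echo "== $WEAK";  audit_sshd_config "$WEAK"
echo "== $HARD";  audit_sshd_config "$HARD"
```

On a live server `sshd -T` dumps the effective configuration with defaults filled in, which is the authoritative answer to "what is sshd really using"; the parser here reproduces only the first-match and Match-block rules needed for a quick offline check.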
II. Homework
1. Describe the key authentication process
- 1. The client sends a login request to the server
- 2. On receiving the request, the server sends its own public key to the client
- 3. The client decrypts and verifies with its private key, then sends to the server
- 4. Once both sides pass verification, the login goes through
2. Configure key-based login manually
1. Generate the key on the client
1. ssh-keygen -t rsa
2. Copy the generated key to the server; to specify a particular key, add -i
2. ssh-copy-id root@192.168.232.129
2. ssh-copy-id -i /root/.ssh/id_rsa.pub root@192.168.232.129
2.1 Manual configuration procedure
- Generate the key on the client
[root@SYL3 ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:tXrhhC46klUNJ98fUeARpAUSBI2l6rMyGxDjBiCkuP4 root@SYL3
The key's randomart image is:
+---[RSA 3072]----+
|+. .*=..o*+. |
|= +.o. +.. |
|* .* .o .. |
|o+ .. oo... |
|oo .. S +. . |
|o. .. . + .. |
| ..oo . o o |
| *..+ . . |
| .Eo. |
+----[SHA256]-----+
- Copy the generated key to the server
[root@SYL3 ~]# ssh-copy-id root@192.168.232.129
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.232.129 (192.168.232.129)' can't be established.
ECDSA key fingerprint is SHA256:WlI+c2MQDTEJhLAvW//ahd5T4DlwkGIfuB3+u8cWJZY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.232.129's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@192.168.232.129'"
and check to make sure that only the key(s) you wanted were added.
- View the copied key on the server
[root@SYL2 ~]# cd .ssh/
[root@SYL2 .ssh]# ls
authorized_keys id_rsa.pub
[root@SYL2 .ssh]# cat authorized_keys
ssh-rsa ... root@SYL3
[root@SYL2 .ssh]#
- Passwordless login from the client succeeds
[root@SYL3 ~]# ssh 192.168.232.129
Last login: Thu Apr 14 16:42:09 2022 from 192.168.232.128
[root@SYL2 ~]#
3. Passwordless login set up with scp
- 1. First generate the key on the client (128): ssh-keygen -t rsa
- 2. On the client (128), use scp to send the generated public key to the host (129):
scp /home/mushuang/.ssh/id_rsa.pub root@192.168.232.129:/.ssh
- 3. On the server, create the directory the public key was sent to, and create the file:
mkdir /.ssh
touch /root/.ssh/authorized_keys
- 4. Change the permissions to 600:
chmod 600 /root/.ssh/authorized_keys
- 5. Append the public key sent from the client to the file you created:
cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys
- 6. Go back to the host and log in
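Steps 3 to 5 above are exactly the server-side work that ssh-copy-id did automatically in 8.3, including the part the manual `cat >>` version lacks: ssh-copy-id "filters out any that are already installed", so running it twice does not duplicate the key. The script below is an added example, not part of the original post or of OpenSSH: a small idempotent stand-in that creates the directory with mode 700 and authorized_keys with mode 600, appends only keys that are not yet present, and reports how many it added. It assumes POSIX sh and coreutils; paths are passed in so it can be exercised against a scratch directory, and the key body in the demo is a constructed dummy.

```shell
#!/bin/sh
# Added example (not from the post): idempotent server-side installation of a
# public key, mirroring steps 3-5 and ssh-copy-id's "already installed" filter.
# Assumes POSIX sh and coreutils.

# install_pubkey PUBKEY_FILE SSH_DIR
#   - creates SSH_DIR (mode 700) and SSH_DIR/authorized_keys (mode 600) if missing
#   - appends each key line from PUBKEY_FILE only if it is not already present
#   - prints the number of keys added
install_pubkey() {
  pub=$1; dir=$2; ak=$dir/authorized_keys; added=0
  [ -d "$dir" ] || mkdir "$dir"
  chmod 700 "$dir"
  [ -f "$ak" ] || : > "$ak"
  chmod 600 "$ak"
  while IFS= read -r line || [ -n "$line" ]; do   # also handles a last line without newline
    case "$line" in ''|'#'*) continue ;; esac     # skip blanks and comments
    if grep -qxF -e "$line" "$ak"; then
      continue                                    # already installed: the ssh-copy-id filter step
    fi
    printf '%s\n' "$line" >> "$ak"
    added=$((added + 1))
  done < "$pub"
  echo "$added"
}

# demo: run twice against a scratch directory; the second run must add nothing
demo() {
  tmp=$(mktemp -d)
  # Constructed public key line in OpenSSH format; the base64 body is a dummy, not a real key.
  printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUMMYKEYBODYNOTAREALKEY mushuang@SYL3\n' > "$tmp/id_ed25519.pub"
  first=$(install_pubkey "$tmp/id_ed25519.pub" "$tmp/.ssh")
  second=$(install_pubkey "$tmp/id_ed25519.pub" "$tmp/.ssh")
  echo "first run added $first key(s), second run added $second key(s)"
  ls -ld "$tmp/.ssh"
  ls -l "$tmp/.ssh/authorized_keys"
  rm -rf "$tmp"
}
demo
```

Appending blindly with `cat >>` is harmless for a single key, but on a server that several people manage it quietly grows authorized_keys with duplicates, which makes the periodic review of who can log in harder than it needs to be.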
3.1 Configuration procedure with scp
- First generate the key on the client (128)
[mushuang@SYL3 ~]$ ssh-keygen -t rsa //generate a key with the rsa algorithm
Generating public/private rsa key pair.
Enter file in which to save the key (/home/mushuang/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/mushuang/.ssh/id_rsa.
Your public key has been saved in /home/mushuang/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:66TgqDm8T2sUeY56Q86THiMgKxAZu5NvwcEANdN7dY4 mushuang@SYL3
The key's randomart image is:
+---[RSA 3072]----+
|=.+. |
| * o. . . |
|+ o .. . + |
| = +... E . |
|B o =. S |
|++ = . . |
|+.O+o o |
|o=o@+. + |
|o+B++ . . |
+----[SHA256]-----+
- On the client (128), use scp to send the generated public key to the host (129)
[mushuang@SYL3 ~]$ scp /home/mushuang/.ssh/id_rsa.pub root@192.168.232.129:/root/.ssh/
The authenticity of host '192.168.232.129 (192.168.232.129)' can't be established.
ECDSA key fingerprint is SHA256:WlI+c2MQDTEJhLAvW//ahd5T4DlwkGIfuB3+u8cWJZY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.232.129' (ECDSA) to the list of known hosts.
root@192.168.232.129's password:
id_rsa.pub 100% 567 236.6KB/s 00:00
- On the server, create the directory the public key was sent to, create the file, and change the public key file's permissions to 600 and the directory's to 700
[root@SYL2 ~]# mkdir /.ssh
[root@SYL2 ~]# touch /root/.ssh/authorized_keys
[root@SYL2 ~]# ll -a
total 40
dr-xr-x---. 4 root root 171 Apr 14 15:39 .
drwx------. 2 root root 47 Apr 14 16:17 .ssh //permissions are 700
-rw-r--r--. 1 root root 129 May 11 2019 .tcshrc
-rw-------. 1 root root 532 Apr 7 14:49 .viminfo
[root@SYL2 ~]# ll /root/.ssh/
total 4
-rw-r--r--. 1 root root 0 Apr 14 16:17 authorized_keys
-rw-r--r--. 1 root root 567 Apr 14 16:16 id_rsa.pub
[root@SYL2 ~]# chmod 600 /root/.ssh/authorized_keys //change permissions to 600
[root@SYL2 ~]# ll /root/.ssh/
total 4
-rw-------. 1 root root 0 Apr 14 16:17 authorized_keys //600
-rw-r--r--. 1 root root 567 Apr 14 16:16 id_rsa.pub //the public key that was sent over has permissions 644
- Append the contents of the public key sent from the client to the file created on the server
[root@SYL2 ~]# cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys //append to the file created on the server
[root@SYL2 ~]# ll /root/.ssh/
total 8
-rw-------. 1 root root 567 Apr 14 16:19 authorized_keys
-rw-r--r--. 1 root root 567 Apr 14 16:16 id_rsa.pub
[root@SYL2 ~]# cat /root/.ssh/authorized_keys //view the public key
ssh-rsa ... mushuang@SYL3
[root@SYL2 ~]#
- Back on the client (128), passwordless login succeeds
[mushuang@SYL3 ~]$ ssh root@192.168.232.129
Last login: Thu Apr 14 16:00:52 2022 from 192.168.232.128
[root@SYL2 ~]# exit
logout
Connection to 192.168.232.129 closed.
[mushuang@SYL3 ~]$