Secure Shell (SSH) is a cryptographic network protocol that provides secure remote login over an insecure network. SSH gives you a remote command line, remote login and remote command execution.
This article walks through setting up passwordless SSH or SFTP login between a source system and a target system, step by step.
When an organization has a large number of servers, logging in to each one with a password is tedious, painful and time-consuming. SSH supports passwordless login through a public/private key pair, which makes access to remote systems both quick and password-free. This article generates an RSA key; the same steps work unchanged with an Ed25519 key (ssh-keygen -t ed25519), which is the type to prefer on current OpenSSH. DSA keys (-t dsa) have been disabled by default since OpenSSH 7.0 and should not be used.
1. Test/demo environment
Source/client system: 192.168.0.5
Target/server system: 192.168.0.6
Client-side user: testclient
Server-side user: user01
2. Client configuration on system 192.168.0.5
How does SSH passwordless authentication work?
⊙ To set up passwordless authentication, generate a key pair (RSA here; Ed25519 works the same way). This produces two keys: a private key and a public key.
⊙ The private key stays on the client system; the public key is installed on the target (server) system, in ~/.ssh/authorized_keys of the account you log in as.
⊙ When logging in to the remote system, tell ssh where the private key is (the default names under ~/.ssh are tried automatically; any other path is passed with -i).
⊙ The private key is never sent to the server. The client proves possession of it by signing data bound to this connection (the session identifier negotiated during key exchange plus the authentication request) with the private key; the server looks the offered public key up in authorized_keys and verifies the signature with that public key.
⊙ If the signature verifies, authentication succeeds and no password is asked for.
Configuration steps:
Log in to the client system as testclient and run the following command to generate an RSA key pair.
$ ssh-keygen -t rsa -C "testclient ssh client"    ## -C attaches a comment to the key
=> Enter a path for the key if needed, or press Enter to accept the default
Generating public/private rsa key pair.
Enter file in which to save the key (/home/testclient/.ssh/id_rsa):
Created directory '/home/testclient/.ssh'.
=> To protect the private key with a passphrase, enter it here; pressing Enter leaves it empty
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
=> The RSA public and private key pair has now been created, as shown below
Your identification has been saved in /home/testclient/.ssh/id_rsa.     <<<<< Private key
Your public key has been saved in /home/testclient/.ssh/id_rsa.pub.     <<<<< Public key
The key fingerprint is:
SHA256:Vlg9zEPVIPg5PRvkkS+uI2kQoCZ/KLtXy7wD2Dn9sxo testclient ssh client
The key's randomart image is:
+---[RSA 2048]----+
| .*o.o+ |
| . o. *.+ .|
| . .. .. B o |
| . o .. + * .|
| * + S. o = |
| o B +.. o |
| o BEo . . . |
| . . =.o + o |
| .o o+.+ . . |
+----[SHA256]-----+
⊙ After the command completes, the following two files exist in /home/testclient/.ssh:
/home/testclient/.ssh/id_rsa <<<< private key
/home/testclient/.ssh/id_rsa.pub <<<<< public key
⊙ Copy the public key file /home/testclient/.ssh/id_rsa.pub to the remote system with the following command:
[testclient@centos-testclient ~]$ ssh-copy-id -i ~/.ssh/id_rsa.pub user01@192.168.0.6
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/testclient/.ssh/id_rsa.pub"
Are you sure you want to continue connecting (yes/no)? yes      <<<<<< first contact with this host: compare the host key fingerprint ssh prints with this prompt against one obtained out of band before answering yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
user01@192.168.0.6's password:      <<<<<< Enter the password of user01 on the remote system
Number of key(s) added: 1
[...]
The command above creates an authorized_keys file on the remote system, inside user01's home directory, at ~user01/.ssh/authorized_keys, with the content below (one public key per line; if the file already exists the new key is appended to it).
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxJi/qFpRjedjA+RU2QSgK63jJu4vVzVhzFhAwkrVNrDUWIYtHqqcnAh9Dm+IPr7VSA2LdEsSzrLJGIDpYSkBBBQOElVCg5+vxtTpD7p/P/mYv0Ay8s7QcxijrqhqoIlJcHaw52RzcMfiup0Sem0+8s5rY8FgLAZ28yZA5iG7kwv82dHP2yXBVWz51oCFz0C2FnM06adfstGxKuekVOD6Wz5Dr3r6N8zneicppaDNJ1tbucevogm9WXicBnptU5vrCmSl0r92tZsn7onzO9JDMW+RAJFKBH957Wciil/B6F9KVeZICS3l/Gvs2qpB5L2mEttm+WNSWZYd6+pw2Q2Wl testclient ssh client
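What that authorized_keys line actually carries, as an added example that is not code from the original article: the base64 part is the RFC 4253 key blob (length-prefixed "ssh-rsa", then the exponent e, then the modulus n), and the SHA256 fingerprint ssh-keygen printed is the unpadded base64 of sha256 over that blob. The decoder below takes the article's line as its input (pasted verbatim as ARTICLE_KEY_LINE) and only handles ssh-rsa; the function names are this example's own.

```python
"""Decode an OpenSSH public-key line (the format of id_rsa.pub and of each
~/.ssh/authorized_keys entry) and compute its SHA256 fingerprint.

Added example, not code from the original article. Blob layout per RFC 4253
section 6.6: string "ssh-rsa", mpint e, mpint n, each as a 4-byte big-endian
length followed by the bytes.
"""
import base64
import hashlib
import struct

# The authorized_keys line shown in the article, pasted verbatim.
ARTICLE_KEY_LINE = (
    "ssh-rsa "
    "AAAAB3NzaC1yc2EAAAADAQABAAABAQCxJi/qFpRjedjA+RU2QSgK63jJu4vV"
    "zVhzFhAwkrVNrDUWIYtHqqcnAh9Dm+IPr7VSA2LdEsSzrLJGIDpYSkBBBQOE"
    "lVCg5+vxtTpD7p/P/mYv0Ay8s7QcxijrqhqoIlJcHaw52RzcMfiup0Sem0+8"
    "s5rY8FgLAZ28yZA5iG7kwv82dHP2yXBVWz51oCFz0C2FnM06adfstGxKuekV"
    "OD6Wz5Dr3r6N8zneicppaDNJ1tbucevogm9WXicBnptU5vrCmSl0r92tZsn7"
    "onzO9JDMW+RAJFKBH957Wciil/B6F9KVeZICS3l/Gvs2qpB5L2mEttm+WNSW"
    "ZYd6+pw2Q2Wl"
    " testclient ssh client"
)


def _read_string(blob, offset):
    """Read one RFC 4251 'string': 4-byte big-endian length, then that many bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def fingerprint(blob):
    """SHA256 fingerprint in the notation ssh-keygen uses (unpadded base64)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def parse_public_key_line(line):
    """Parse '<type> <base64 blob> [comment]'; only ssh-rsa is decoded here."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    wire_type, off = _read_string(blob, 0)
    if wire_type != key_type.encode():
        raise ValueError(f"type field {key_type!r} does not match blob {wire_type!r}")
    if key_type != "ssh-rsa":
        raise ValueError(f"{key_type}: only ssh-rsa is decoded in this example")
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after modulus")
    n = int.from_bytes(n_bytes, "big")
    return {
        "type": key_type,
        "e": int.from_bytes(e_bytes, "big"),
        "n": n,
        "bits": n.bit_length(),
        "comment": comment,
        "fingerprint": fingerprint(blob),
    }


if __name__ == "__main__":
    info = parse_public_key_line(ARTICLE_KEY_LINE)
    print(f"{info['type']} {info['bits']}-bit, e={info['e']}, comment={info['comment']!r}")
    print(info["fingerprint"])
```

Two things worth noticing when you run it: the key is a 2048-bit RSA key with e = 65537, matching the "[RSA 2048]" header of the randomart above, and the comment "testclient ssh client" is plain text that travels with the key, so it is the only part of the line a server administrator can use to tell whose key this is. The fingerprint the script prints is what to compare against the one ssh-keygen showed when the key was generated. Real authorized_keys entries may also start with options such as command="..." or from="..."; this decoder does not handle that prefix.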
⊙ Now verify passwordless login from the testclient account on the source system to the target:
[testclient@centos-client ~]$ ssh user01@192.168.0.6
<<< Login succeeds without a password prompt >>>
[user01@centos-server ~]$ id      ## command executed on the server system after login
uid=1001(user01) gid=1001(user01) groups=1001(user01) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
<<< Log out of the remote system >>>
[user01@centos-server ~]$ logout
Connection to 192.168.0.6 closed.
Notes:
1. If the private key is not named and located /home/testclient/.ssh/id_rsa, pass its path explicitly for passwordless login:
ssh -i <key path> user01@192.168.0.6
(or set IdentityFile for that host in ~/.ssh/config so -i does not have to be repeated).
2. Do not change the permissions of the .ssh directory or the key files. ssh-keygen creates ~/.ssh with mode 0700 and the private key with mode 0600 for a reason: the ssh client refuses a private key that is readable by group or others, and sshd (with the default StrictModes yes) ignores authorized_keys when the home directory, ~/.ssh or the file itself is writable by group or others. In that case it silently falls back to asking for a password, which is the most common reason a "passwordless" login still prompts.
3. Never disclose the private key. Anyone holding an unencrypted id_rsa can log in as user01 on every server that has this public key in authorized_keys. Give the key a passphrase when generating it and load it into ssh-agent so the passphrase is typed once per session rather than on every login.
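The permission rules in note 2, as an added example that is not code from the original article: a checker that reports the modes OpenSSH will reject, the chmod equivalents that repair them, and a constructed throw-away home directory with the typical mistakes so the check can be exercised offline. Function names are this example's own; file ownership (which sshd also checks) is not covered.

```python
"""Check that a ~/.ssh directory has the modes OpenSSH insists on.

Added example, not code from the original article. Rules encoded: the ssh
client ignores a private key readable by group or others; sshd with
StrictModes yes (the default) refuses authorized_keys when the home
directory, ~/.ssh, or the file is writable by group or others. Ownership
is not checked here.
"""
import os
import stat
import tempfile

PRIVATE_KEY_NAMES = {"id_rsa", "id_ed25519", "id_ecdsa", "id_dsa"}
GROUP_OR_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH
GROUP_OR_OTHER_ANY = stat.S_IRWXG | stat.S_IRWXO


def _mode(path):
    return stat.S_IMODE(os.lstat(path).st_mode)


def check_ssh_dir(ssh_dir):
    """Return a list of problems; an empty list means ssh and sshd accept the layout."""
    problems = []
    home = os.path.dirname(os.path.abspath(ssh_dir))
    if _mode(home) & GROUP_OR_OTHER_WRITE:
        problems.append(f"{home}: home directory is group/other writable")
    if not os.path.isdir(ssh_dir):
        return problems + [f"{ssh_dir}: missing"]
    if _mode(ssh_dir) & GROUP_OR_OTHER_WRITE:
        problems.append(f"{ssh_dir}: mode {_mode(ssh_dir):04o}, should be 0700")
    for name in sorted(os.listdir(ssh_dir)):
        path = os.path.join(ssh_dir, name)
        mode = _mode(path)
        if name == "authorized_keys" and mode & GROUP_OR_OTHER_WRITE:
            problems.append(f"{path}: mode {mode:04o}, should be 0600")
        elif name in PRIVATE_KEY_NAMES and mode & GROUP_OR_OTHER_ANY:
            problems.append(f"{path}: mode {mode:04o}, private key must be 0600")
    return problems


def fix_ssh_dir(ssh_dir):
    """Apply the modes ssh-keygen and ssh-copy-id would have set:
    chmod 700 on the directory, chmod 600 on private keys and authorized_keys."""
    os.chmod(ssh_dir, 0o700)
    for name in os.listdir(ssh_dir):
        if name == "authorized_keys" or name in PRIVATE_KEY_NAMES:
            os.chmod(os.path.join(ssh_dir, name), 0o600)


def make_demo_dir():
    """Build a throw-away home/.ssh containing the mistakes the check catches
    (constructed test data, not a real account)."""
    home = os.path.join(tempfile.mkdtemp(), "home")
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir)
    os.chmod(home, 0o755)
    os.chmod(ssh_dir, 0o775)  # group writable: sshd refuses authorized_keys under it
    for name, mode in (("id_rsa", 0o644), ("id_rsa.pub", 0o644), ("authorized_keys", 0o664)):
        path = os.path.join(ssh_dir, name)
        with open(path, "w") as fh:
            fh.write("placeholder\n")
        os.chmod(path, mode)  # id_rsa 0644: ssh says "permissions are too open"
    return ssh_dir


if __name__ == "__main__":
    demo = make_demo_dir()
    for problem in check_ssh_dir(demo):
        print("BAD ", problem)
    fix_ssh_dir(demo)
    print("after fix:", check_ssh_dir(demo) or "OK")
```

When a key login unexpectedly falls back to a password, run this against the server-side account's ~/.ssh (or simply ls -la ~ ~/.ssh there) and compare with sshd's log, where the refusal shows up as "Authentication refused: bad ownership or modes". The public key file id_rsa.pub is deliberately not flagged: it is meant to be readable.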