SSH的key认证

原创

文瀚always 2016-08-07 18:12:16 ©著作权

文章标签 ssh key 文章分类 运维

©著作权归作者所有：来自51CTO博客作者文瀚always的原创作品，请联系作者获取转载授权，否则将追究法律责任

ssh的key认证

#######生成key###########
[test@foundation0 ~]$ ssh-keygen                                                         ###生成公钥和私钥的工具
Generating public/private rsa key pair.
Enter file in which to save the key (/home/test/.ssh/id_rsa):『enter』 ###指定加密字符保存文件，使用默认（可以直接输入enter）
Created directory '/home/test/.ssh'.
Enter passphrase (empty for no passphrase):                                        ###密码，必须大于4位
Enter same passphrase again:
Your identification has been saved in /home/test/.ssh/id_rsa.
Your public key has been saved in /home/test/.ssh/id_rsa.pub.
The key fingerprint is:                                                                                ###确认密码
a5:4f:02:51:68:59:f4:e8:e3:c5:91:1f:6f:86:99:06 test@foundation0.ilt.example.com
The key's randomart p_w_picpath is:
+--[ RSA 2048]----+
|      .*+        |
|      +. o .     |
|     .. . E .    |
|       o + + *   |
|        S + * + |
|       . * . o   |
|        . .      |
|                 |
|                 |
+-----------------+
[test@foundation0 .ssh]$ pwd

         ###生成密钥存放位置
[test@foundation0 .ssh]$ ls
id_rsa id_rsa.pub       ####id_rsa是私钥，id_rsa.pub是公钥

.ssh 是隐藏文件在家目录下用ls -a 可找到

###########使用key加密目标主机的目标用户############

[test@foundation0 ~]$ ssh-copy-id -i /home/test/.ssh/id_rsa.pub westos@172.25.254.100

The authenticity of host '172.25.254.100 (172.25.254.100)' can't be established.
ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
westos@172.25.254.100's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'westos@172.25.254.100'"
and check to make sure that only the key(s) you wanted were added.

ssh-copy-id                          ####上传key的工具
-i                                    ####指定使用的公钥
/home/test/.ssh/id_rsa.pub   #####使用公钥的名称
westos                                      ####被管理的目标用户
172.25.254.100                       ####被管理用户所在主机的ip

authorized_keys           ###此文件在目标用户加目录的.ssh中，这个文件就是目标用户被加密的标识，文件内容位公钥内容。

##########利用key加密sshd服务##############
1.   ssh-copy-id    -i        id_rsa.pub    test@172.25.254.250   #######此造作在sshd服务器上进行
                  指定加密文件             加密文件       目标用户@目标主机

2.   在配置文件中若将通过密码登陆改为 no 主机就不能通过输入密码登陆，则需要
        scp    /home/test/.ssh/id_rsa        root@172.25.254.11:/root/.ssh/           ######此操作在sshd服务器上进行
   远程推送解密文件到客户主机的超级用户下
        这时在主机就可以再次登陆了

3. [root@foundation1 .ssh]# ssh test@172.25.254.250           ######此操作在客户机中进行
   Enter passphrase for key '/root/.ssh/id_rsa':                   ######密钥密码

######################
sshd服务的简单配置
vim /etc/ssh/sshd_config       ###sshd服务的配置文件

48 PermitRootLogin yes|no       ###是否允许root用户通过sshd的认证
78 PasswordAuthentication yes|no   ###开启或关闭用户密码认证
AllowUsers student westos       ###用户白名单，只允许在名单中出现的用户使用sshd服务