CentOS 7 passwordless SSH login
(1) Experiment environment
Two CentOS 7 machines:
youxi1 192.168.1.6
youxi2 192.168.1.7
I turned the firewall off for this experiment; if the firewall is enabled, add the SSH port to the firewall rules.
(2) Goal
With the SSH port set to something other than 22, set up one-way or two-way passwordless login (with a different port on each machine).
(3) Experiment
First change the port on both servers: open /etc/ssh/sshd_config with vim and find the following line
#Port 22
Remove the # and change 22 to the port number you want. Here I changed the SSH port of youxi1 to 2890 and that of youxi2 to 2891.
Then restart the service with systemctl restart sshd. Check the listening port with netstat -tlunp | grep sshd (install net-tools if netstat is not available).
[root@youxi1 Packages]# netstat -tlunp | grep sshd //youxi1
tcp 0 0 0.0.0.0:2890 0.0.0.0:* LISTEN 9953/sshd
tcp6 0 0 :::2890 :::* LISTEN 9953/sshd
[root@youxi2 ~]# netstat -tlunp | grep sshd //youxi2
tcp 0 0 0.0.0.0:2891 0.0.0.0:* LISTEN 17526/sshd
tcp6 0 0 :::2891 :::* LISTEN 17526/sshd
1) One-way passwordless login
youxi1 can ssh to youxi2 without a password, but youxi2 still needs a password to ssh to youxi1.
On youxi1, generate the public and private key with ssh-keygen (the default rsa type is used here); just accept the defaults all the way through.
[root@youxi1 ~]# ssh-keygen -t rsa //rsa is the default, so -t rsa can be omitted
Generating public / private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): //when no path is given on the command line, it can also be specified here
Created directory '/root/.ssh' .
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is :
SHA256:ia+le9ZX3cAxztmIINJbWnEGrK9lq4lY4pYNevgqecM root@youxi1
The key's randomart image is :
+---[RSA 2048]----+
| . .ooo |
| . o =o o |
| . B . = * |
| .+. . B .|
| . S. o.|
| . . + . o|
| o o.+. o= . . |
|o E.++.=+.o . |
| o.*+ =+o. . |
+----[SHA256]-----+
When no output path is given, the keys are written to the .ssh/ directory under the home directory. With rsa you get the two files id_rsa and id_rsa.pub; with dsa you would get id_dsa and id_dsa.pub instead.
[root@youxi1 ~]# ls /root/.ssh/
id_rsa id_rsa.pub
Next, use the ssh-copy-id command to send the public key to the youxi2 server.
[root@youxi1 ~]# ssh-copy-id -i .ssh/id_rsa.pub -p2891 root@192.168.1.7 //-p specifies the port of the server being logged into
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_rsa.pub"
The authenticity of host '[192.168.1.7]:2891 ([192.168.1.7]:2891)' can't be established.
ECDSA key fingerprint is SHA256:j3ee8eoTo2XEv0QxCYmxphMipcNRxC+IONPmt1HwRLg.
ECDSA key fingerprint is MD5:25:e2:b4:08:f2:79:7d:6e:42:84:b5:78:3d:6a:81:20.
Are you sure you want to continue connecting (yes/no)? yes //type yes to continue
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.1.7's password: //enter the password of the root user on 192.168.1.7
Number of key(s) added: 1
Now try logging into the machine, with: "ssh -p '2891' 'root@192.168.1.7'"
and check to make sure that only the key(s) you wanted were added.
After the public key has been copied, a .ssh/known_hosts file is created locally, but it is not what makes the login work. What matters is that on youxi2 a .ssh directory is created in root's home directory, containing an authorized_keys file.
[root@youxi1 ~]# ls .ssh/
authorized_keys
At this point the id_rsa.pub file on youxi1 is identical to the authorized_keys file on youxi2.
Finally, test it: ssh from youxi1 to youxi2 and you will find that no password is required.
[root@youxi1 ~]# ssh -p 2891 root@192.168.1.7
Last login: Sun May 12 17:46:49 2019 from youxi1.cn
[root@youxi2 ~]# ls .ssh/
authorized_keys
Note: it is the public key generated on the local machine that is sent to the server being logged into, and the port of that server must be specified both when sending the public key and when connecting with ssh.
2) Two-way passwordless login
Two-way passwordless login simply means exchanging public keys. Continuing from above, send youxi2's public key to youxi1 and test.
[root@youxi2 ~]# ssh-keygen
Generating public / private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is :
SHA256:9+woxNPvkE99zGUEZNcI+DJaUUIZXXMKb7k/Y6kPiJU root@youxi2
The key's randomart image is :
+---[RSA 2048]----+
| .+*++*.+|
| +..+.B.|
| o = .|
| + o. o |
| .S+.E . o|
| =.++.. =o|
| . ooo+..==|
| . *. +.o|
| ...+... |
+----[SHA256]-----+
[root@youxi2 ~]# ssh-copy-id -i .ssh/id_rsa.pub -p2890 root@192.168.1.6
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_rsa.pub"
The authenticity of host '[192.168.1.6]:2890 ([192.168.1.6]:2890)' can't be established.
ECDSA key fingerprint is SHA256:j3ee8eoTo2XEv0QxCYmxphMipcNRxC+IONPmt1HwRLg.
ECDSA key fingerprint is MD5:25:e2:b4:08:f2:79:7d:6e:42:84:b5:78:3d:6a:81:20.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.1.6's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh -p '2890' 'root@192.168.1.6'"
and check to make sure that only the key(s) you wanted were added.
[root@youxi2 ~]# ssh -p 2890 root@192.168.1.6
Last login: Sun May 12 17:24:54 2019 from youxi2.cn
[root@youxi1 ~]#
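As an added example that is not part of the original post, the two manual edits above (the Port line in sshd_config, and the public key ending up in authorized_keys on the remote side) written as idempotent POSIX shell functions that take file paths, so they can be tried on copies before touching /etc/ssh/sshd_config or /root/.ssh. The function names are my own, and the sample config lines and key used when testing are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: the Port edit and the
# authorized_keys installation as functions over explicit file paths.

# set_sshd_port FILE PORT: rewrite the "Port"/"#Port" line to the given port,
# rejecting anything that is not a number in 1-65535. Re-running is harmless.
set_sshd_port() {
    file=$1; port=$2
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    if grep -Eq '^#?Port[[:space:]]+[0-9]+' "$file"; then
        sed -E "s/^#?Port[[:space:]]+[0-9]+.*/Port $port/" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf 'Port %s\n' "$port" >> "$file"
    fi
}

# sshd_port FILE: print the port sshd would listen on (22 when only the
# commented-out default is present).
sshd_port() {
    awk '$1 == "Port" { p = $2 } END { print (p == "" ? 22 : p) }' "$1"
}

# install_pubkey PUBKEY_FILE SSH_DIR: what ssh-copy-id does on the remote side.
# Creates the directory and file with the modes sshd's StrictModes expects
# (700 / 600) and skips a key that is already present, matching on key type
# and key material only, since the trailing comment is not part of the key.
install_pubkey() {
    pub=$1; dir=$2
    key=$(awk 'NR == 1 { print $1 " " $2 }' "$pub")
    [ -n "$key" ] || { echo "no key in $pub" >&2; return 1; }
    mkdir -p "$dir" && chmod 700 "$dir"
    [ -f "$dir/authorized_keys" ] || : > "$dir/authorized_keys"
    chmod 600 "$dir/authorized_keys"
    if grep -qF -- "$key" "$dir/authorized_keys"; then
        echo "already installed"
    else
        cat "$pub" >> "$dir/authorized_keys" && echo "installed"
    fi
}
```

After running set_sshd_port on the real file, restart sshd as the post does and confirm the new port with netstat before closing the old session.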