Linux配置SSH免密码登录的方法

Linux配置SSH免密码登录的方法

本次以CentOS7.4 配置SSH免密码登录为例,未作SSH免密码处理的机器在登录时,都必须输入密码才可以登录,SSH远程登录的安全外壳协议有两种身份认证机制:

  • 用户名+密码的方式
  • 密钥登录的方式

环境准备

  • Server1:172.16.0.33
  • Server2:172.16.0.34

下面以Server1 ssh免密码登录到Server2为例,进行说明。

1、在Server1机器执行命令:ssh-keygen -t rsa,生成两个密钥文件存放路径:/root/.ssh/文件夹下生成id_rsa(私钥)和id_rsa.pub(公钥)。

[root@Server1 /]# ssh-keygen -t rsa     //生成密钥对命令,一路回车
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:inUy3Rj658gLH6n45Lnkzl3phaOHh/JvmPXwIu3Es5Y root@localhost.localdomain
The key's randomart image is:
+---[RSA 2048]----+
|                 |
|                 |
|        .        |
|       o +       |
|      = S .      |
|     o * ooo     |
|    . = +BX=.    |
|     B.B*XE=o    |
|    .oX+OX*.     |
+----[SHA256]-----+
[root@Server1 /]# cd /root/.ssh/
[root@Server1 .ssh]# ls
id_rsa  id_rsa.pub      //id_rsa(私钥)、id_rsa.pub(公钥)
[root@Server1 .ssh]# 

2、在Server1机器执行命令:ssh-copy-id root@172.16.0.34 以root用户登录,将公钥文件上传到Server2机器,需要知道Server2机器的root用户的密码。

[root@Server1 .ssh]# ssh-copy-id root@172.16.0.34    //上传公钥到Server2机器
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '172.16.0.34 (172.16.0.34)' can't be established.
ECDSA key fingerprint is SHA256:gzk6umTdkHWxpXceUiRd5+CFTiUjNPqpBfwRnsuKanw.
ECDSA key fingerprint is MD5:e4:71:7c:db:56:b8:5b:4a:44:41:48:47:ff:8c:b6:02.
Are you sure you want to continue connecting (yes/no)? yes   //输入yes继续连接
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@172.16.0.34's password:      //输入Server2机器的root用户密码

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@172.16.0.34'"
and check to make sure that only the key(s) you wanted were added.

[root@Server1 .ssh]# 

3、在Server1机器/root/.ssh/中创建一个known_hosts文件,记录连接到对方时,对方给的host key,每次连线都会检查目前对方给的host key 与你记录的host key是否相同,进行简单的验证。

[root@Server1 .ssh]# ls
id_rsa  id_rsa.pub  known_hosts
[root@Server1 .ssh]# cat known_hosts  //查看known_hosts文件中host key
172.16.0.34 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBVzbZeHE2HFWCiJo9mOiOWY5bEb3drD5UmkYg9cYEqxrmf0Lhv4WUwFQ2qsJmSjynuZt0GnZQWKtuMmXjax/AE=

4、查看Server2机器的authorized_keys文件,可以看到对应的变化:Server1机器的公钥已经增加到Server2机器的配置文件中了.

[root@Server2 /]# cd /root/.ssh/
[root@Server2 .ssh]# ls
authorized_keys
[root@Server2 .ssh]# cat authorized_keys 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8sJ3yQmuhn8WR5E1pVAS702gYahnxT7vHusMH7h6OGdGPeT0ZFllTV4k8epk4M4L/DKng+yhlw9YRAfBIGJ7dxh9A70sZ4swtHeuhrOP44x6bfZGWKLgXjFdVK/Th5rMvfQqN+AcnJbokrsEg0Ub1AwDvKp8jVNmjQU9Yl6ctdLON8Zk17zRGcJlyLXh2Y38ygpNAwoBFoistigUSGT58QVq5oBIykhjY2T8Al8LyG1EzoSlatIL1qkzRuhsCboLd+jGI0p+tYtZV0iO3aqDa8YjCzsrIx2Qh45Vz91vBVrzpXio3yjFYB3z6U/NEW3bmmos97XwCI7tzZTvirDVx root@Server1
[root@Server2 .ssh]# 

5、验证从Server1机器使用ssh登录到Server2机器时已经不需要密码,免密登录配置至此已完成了。

[root@Server1 /]# ssh 172.16.0.34
Last login: Sat Sep 21 12:59:24 2019 from 172.18.0.2
[root@Server2 ~]# ifconfig
ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.16.0.34  netmask 255.255.255.0  broadcast 172.16.0.255
        inet6 fe80::3a59:5502:dc86:c73  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:98:3e:cf  txqueuelen 1000  (Ethernet)
        RX packets 997  bytes 100043 (97.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 231  bytes 37762 (36.8 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 4  bytes 336 (336.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4  bytes 336 (336.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@Server2 ~]# 

注意事项:

  • 免密码登录的处理是用户对用户的,切换其他用户后,仍然需要输入密码。
  • 远程机器的.ssh目录需要700权限,authorized_keys文件需要600权限,否则配置是不成功。

评论

Your browser is out-of-date!

Update your browser to view this website correctly. Update my browser now

×