Linux Passwordless SSH Login in Detail

I. Overview

In day-to-day work we frequently use ssh-key (public key) authentication to log in to remote hosts without a password, for example when copying files between hosts on an internal network, distributing data, or running automation tools such as Ansible.

II. Environment

1. A host that has an ssh key pair (Windows, macOS or Linux)
2. A remote Linux server

1. Add a user on the remote server that will be used for data distribution; the exact steps are:

[root@localhost ~]# useradd example    # add the new user
[root@localhost ~]# echo "example" |passwd --stdin example   # set its password
Changing password for user example.  
passwd: all authentication tokens updated successfully.

2. Generate the key pair

Linux:
[example@localhost ~]$ ssh-keygen -t rsa    # generate the key pair
Generating public/private rsa key pair.
Enter file in which to save the key (/home/example/.ssh/id_rsa):     # path and file name
Created directory '/home/example/.ssh'.
Enter passphrase (empty for no passphrase):                  # key passphrase
Enter same passphrase again:                                 # confirm the passphrase
Your identification has been saved in /home/example/.ssh/id_rsa.
Your public key has been saved in /home/example/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:9l89pAvaDWd8V4MFfiN2VzQXb70qRfPTJZ6CmFnP4aY example@localhost.localdomain
The key's randomart image is:
+---[RSA 2048]----+
|             . +=|
|            . . *|
|          . .*.=*|
|         = =ooO+*|
|        S . *oo*o|
|       . . oo.+.+|
|          E+ *.oo|
|          o.B.o o|
|         . ..o   |
+----[SHA256]-----+
Windows (cmder):
$ ssh-keygen.exe -t rsa -C "example@192.168.2.104"
Generating public/private rsa key pair.
Enter file in which to save the key (C:\Users\example/.ssh/id_rsa): example
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in example.
Your public key has been saved in example.pub.
The key fingerprint is:
SHA256:9/x1/P0QUpS7CzV1YaiRolMKSaLbMMRqKFKWWO05nFo example@192.168.2.104
The key's randomart image is:
+---[RSA 2048]----+
|.+.+...     . o+.|
|o.= oo   o o oo o|
|o* o o. + . o .o.|
|=.= E  +   . .+  |
|+. + .  S . ...o |
|  .      . o...o |
|            o...+|
|             ..o+|
|              . =|
+----[SHA256]-----+

Distribute the key to the remote server

# distribute the public key to the remote server
[example@localhost ~]$ ssh-copy-id -i /home/example/.ssh/id_rsa.pub example@192.168.2.106
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/example/.ssh/id_rsa.pub"
The authenticity of host '192.168.2.106 (192.168.2.106)' can't be established.
ECDSA key fingerprint is SHA256:YEUTpc9h9Yse/OUIpl+BrNA4zFvBXnX0mJaw/uN8QZs.
ECDSA key fingerprint is MD5:cd:10:1f:ac:05:5e:2e:0b:48:78:0a:99:b6:39:d9:c7.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
example@192.168.2.106's password:
Permission denied, please try again.
example@192.168.2.106's password:

Number of key(s) added: 1     # key added successfully

Now try logging into the machine, with:   "ssh 'example@192.168.2.106'"
and check to make sure that only the key(s) you wanted were added.

Log in to the remote server to verify passwordless login

[example@localhost ~]$ ssh example@192.168.2.106
Last failed login: Sat Nov 14 05:15:18 EST 2020 from 192.168.2.104 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Sat Nov 14 05:03:47 2020
[example@example ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:15:5d:02:66:03 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.106/24 brd 192.168.2.255 scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::215:5dff:fe02:6603/64 scope link
       valid_lft forever preferred_lft forever

Write the public key into the authorized-keys file:

Copy example.pub in .ssh and rename the copy to authorized_keys

[root@localhost .ssh]# cp example.pub authorized_keys
[root@localhost .ssh]# ll
total 20
-rw-r--r--. 1 root root  402 Nov 14 19:23 authorized_keys
-rw-r--r--. 1 root root  402 Nov 14 19:22 example.pub
-rw-------. 1 root root 1679 Nov 14 18:09 id_rsa
-rw-r--r--. 1 root root  408 Nov 14 18:09 id_rsa.pub
-rw-r--r--. 1 root root  350 Nov 14 17:59 known_hosts

Change the permissions of authorized_keys to 700 (it must be changed to 700 and nothing else, otherwise login will not work)

[root@localhost .ssh]# chmod 700 authorized_keys

Note: distributing a key from Linux

[example@localhost ~]$ ssh-keygen -t rsa     # generate the key pair
Generating public/private rsa key pair.
Enter file in which to save the key (/home/example/.ssh/id_rsa): example   
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in example.
Your public key has been saved in example.pub.
The key fingerprint is:
SHA256:XSUe/GJ1oNrlCO2L0J8oKqrG4h7ieeswstFvk2XWCNs example@localhost.localdomain
The key's randomart image is:
+---[RSA 2048]----+
|           .o o. |
|           o.=. .|
|          . =o.. |
|    .    o *o+.  |
|     + oS +.+..  |
| .  . E .. + o   |
|=+.  =  . o +    |
|===o=  . .       |
|B*+=oo.          |
+----[SHA256]-----+
[example@localhost ~]$
[example@localhost ~]$ ll
total 8
-rw-------. 1 example example 1675 Nov 14 18:29 example
-rw-r--r--. 1 example example  411 Nov 14 18:29 example.pub
[example@localhost ~]$ ssh-copy-id -i example.pub example@192.168.2.106  # distribute the public key to the remote server
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "example.pub"
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'example@192.168.2.106'"
and check to make sure that only the key(s) you wanted were added.

[example@localhost ~]$ ssh -i example example@192.168.2.106   # verify passwordless login
Last login: Sat Nov 14 05:15:32 2020 from 192.168.2.104

Note on login errors:

$ ssh -i example example@192.168.2.104
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions for 'example' are too open.
It is required that your private key files are NOT accessible by others.  # the file must not be readable by other users, so fix its permissions as described above
This private key will be ignored.
Load key "chenman": bad permissions
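The manual authorized_keys step above and the "UNPROTECTED PRIVATE KEY FILE" error are both permission problems, so here is an added shell example (not from the original post) that installs a public key into authorized_keys the way ssh-copy-id does and audits the modes that OpenSSH actually checks: the client ignores a private key it owns that has any group or other bits set (mode & 077), and sshd with StrictModes (the default) rejects ~/.ssh or authorized_keys when either is writable by group or others (mode & 022). ssh-copy-id creates authorized_keys with mode 600; the 700 used above also passes that check. The home directory path, the ssh-ed25519 key line and the fake private key in the demo are constructed for the demonstration, and nothing connects to a remote host.

```shell
#!/bin/sh
# Added example, not code from the original post. Installs a public key into
# HOME_DIR/.ssh/authorized_keys without duplicates and audits the permission
# rules OpenSSH enforces. Paths and keys used in demo() are constructed.

# Octal permission bits of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# install_authorized_key HOME_DIR "KEYTYPE BASE64BLOB [COMMENT]"
# Creates HOME_DIR/.ssh (0700) and authorized_keys (0600) as needed and
# appends the key once. A key that is already present (same type and blob,
# whatever its comment) is not duplicated. Prints "added" or "present".
install_authorized_key() {
    home_dir=$1
    key_line=$2
    key_type=$(printf '%s\n' "$key_line" | awk '{print $1}')
    key_blob=$(printf '%s\n' "$key_line" | awk '{print $2}')
    case "$key_type" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unsupported key type: $key_type" >&2; return 2 ;;
    esac
    [ -n "$key_blob" ] || { echo "malformed key line" >&2; return 2; }
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    [ -f "$auth_file" ] || : > "$auth_file"
    chmod 600 "$auth_file"
    # Match on type and blob only, so a key with a different comment still counts.
    if awk -v t="$key_type" -v b="$key_blob" '$1==t && $2==b {found=1} END {exit !found}' "$auth_file"; then
        echo present
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
    echo added
}

# audit_ssh_perms HOME_DIR
# Reports what makes sshd (StrictModes) reject authorized_keys and what makes
# the ssh client ignore a private key. Returns 0 if everything passes, else 1.
audit_ssh_perms() {
    home_dir=$1
    ssh_dir="$home_dir/.ssh"
    rc=0
    # sshd: .ssh and authorized_keys must not be group/other writable (bits 022).
    for p in "$ssh_dir" "$ssh_dir/authorized_keys"; do
        [ -e "$p" ] || continue
        m=$(mode_of "$p")
        if [ $(( 0$m & 022 )) -ne 0 ]; then
            echo "WARN: $p is group/other writable (mode $m); sshd StrictModes will reject it"
            rc=1
        fi
    done
    # ssh client: a private key with any group/other bits (077) is ignored.
    for k in "$ssh_dir"/*; do
        [ -f "$k" ] || continue
        grep -q 'PRIVATE KEY' "$k" 2>/dev/null || continue
        m=$(mode_of "$k")
        if [ $(( 0$m & 077 )) -ne 0 ]; then
            echo "WARN: private key $k has mode $m; ssh will ignore it (chmod 600 $k)"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone demonstration on a throwaway directory with constructed input.
demo() {
    tmp=$(mktemp -d)
    key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEexampleEXAMPLEexampleEXAMPLE example@192.168.2.104'
    install_authorized_key "$tmp" "$key"                       # added
    install_authorized_key "$tmp" "${key% *} renamed@host"     # present
    printf -- '-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n-----END OPENSSH PRIVATE KEY-----\n' > "$tmp/.ssh/example"
    chmod 644 "$tmp/.ssh/example"                              # reproduce the "too open" error
    audit_ssh_perms "$tmp" || echo "audit failed as expected"
    chmod 600 "$tmp/.ssh/example"
    audit_ssh_perms "$tmp" && echo "audit ok after chmod 600"
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Source the file (assumed name ssh_perms.sh) with `. ./ssh_perms.sh` and call `install_authorized_key /home/example 'ssh-ed25519 AAAA... example@host'` followed by `audit_ssh_perms /home/example`; `sh ssh_perms.sh demo` runs the self-contained walkthrough. A non-zero return from the audit means ssh or sshd will refuse the key until the reported file is fixed with chmod 600.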