Centos 7 做ssh免密登录

一、准备阶段

 1、两台Centos系统，并已经安装了ssh

　　 jerry7-11   10.4.7.11
　 　jerry7-12   10.4.7.12

　 2、关闭防火墙，如果防火墙开启，将端口加入到防火墙规则中。

 

二、操作步骤

  1、 22端口修改

    可以修改ssh的22端口，或者不改 vim /etc/ssh/sshd_config，找到如下部分

    #Port 22

    将#去除，22改为想要的端口号。然后重启sshd服务 
    systemctl restart sshd
    使用netstat -tlunp | grep sshd查看端口号

   2、单向免密登录 

    jerry7-11使用ssh远程jerry7-12不需要密码，反之需要密码
    在jerry7-11上使用ssh-keygen生成公钥和私钥（这里使用默认的rsa），一路默认即可

[root@ jerry7-11 ~]# ssh-keygen -t rsa   //默认指定算法的是rsa，可以没有-t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):   
//保存私钥的路径默认/root/.ssh/id_rsa，可以指定生成地址
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):   //密码
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.  生成私钥
Your public key has been saved in /root/.ssh/id_rsa.pub.  生成公钥
The key fingerprint is:
SHA256:PXTg9KW4P582PWJMEwUstPfyXk6NWdrB518yCORbisc root@hdss7-11
The key's randomart image is:
+---[RSA 2048]----+
|          +...o  |
|         o =.+ . |
|          =.=..  |
|         = o..o  |
|        S * ...+o|
|         o B +oB+|
|        . E * BoB|
|         .   *+B=|
|            ..+o+|
+----[SHA256]-----+
[root@ jerry7-11 ~]# 

在没有指定生成地址时，会默认生成到家目录下的.ssh/目录下。使用rsa就会生成id_rsa和id_rsa.pub两个文件，如果使用的是dsa则生成的是id_dsa和id_dsa.pub两个文件。
[root@ jerry7-11 ~]# ll /root/.ssh/
-rw-------. 1 root root 1679 9月  16 14:53 id_rsa
-rw-r--r--. 1 root root  395 9月  16 14:53 id_rsa.pub

接着使用命令ssh-copy-id命令将本机生成的公钥发给jerry7-12被远程的服务器

[root@ jerry7-11 ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub -p22 root@10.4.7.12 
                                   //-p是指你要发送对方的端口号
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '10.4.7.12 (10.4.7.12)' can't be established.
ECDSA key fingerprint is SHA256:iGP1Ez7V8/O5JAgo9FJ5GZ20TMU9l/dEVQkpRQrPO58.
ECDSA key fingerprint is MD5:d9:7f:07:c6:a7:77:8f:56:32:bc:69:83:cb:17:a6:c2.
Are you sure you want to continue connecting (yes/no)? yes    //yes继续 
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@10.4.7.12's password:                     //输入jerry7-12服务器上的root用户的密码

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh -p '22' 'root@10.4.7.12'"
and check to make sure that only the key(s) you wanted were added.
[root@ jerry7-11 ~]# 

公钥传完后在本地.ssh/ 下生成known_hosts文件
[root@jerry7-11 ~]# ll /root/.ssh/
-rw-------. 1 root root 1679 9月  16 14:53 id_rsa
-rw-r--r--. 1 root root  395 9月  16 14:53 id_rsa.pub
-rw-r--r--. 1 root root  171 9月  16 15:02 known_hosts

而在jerry7-12 服务器的root用户的家目录下生成.ssh目录，并含有authorized_keys文件。
[root@jerry7-12 .ssh]# ll /root/.ssh/
-rw------- 1 root root 395 9月  16 15:02 authorized_keys

测试：在hdss7-11测试ssh jerry7-12 
[root@jerry7-11~]# ssh root@10.4.7.12 -p 22
Last login: Wed Sep 16 12:59:08 2020 from 10.4.7.1
[root@jerry7-12 ~]#

3、双向免密登录

双向免密就是互换公钥即可，这里接着上面把jerry7-12 的公钥发送到jerry7-11 上，并进行测试。

jerry7-12 ：
[root@jerry7-12 .ssh]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:0N5SHnrZtgCwqcXd+W1waUrPpKaZN864xfKVp8LWiqU root@hdss7-12
The key's randomart image is:
+---[RSA 2048]----+
|      .          |
|     . * . .   . |
|      * + = o =  |
|     o o * * @   |
|    .   S * B =  |
|         o O o . |
|          =.B.o .|
|           %+o.o |
|          Eo=o.  |
+----[SHA256]-----+

[root@jerry7-12 .ssh]# cd /root/.ssh/
[root@jerry7-12 .ssh]# ll
-rw------- 1 root root  395 9月  16 15:02 authorized_keys
-rw------- 1 root root 1679 9月  16 15:21 id_rsa
-rw-r--r-- 1 root root  395 9月  16 15:21 id_rsa.pub

[root@jerry7-12 .ssh]# ssh-copy-id -i /root/.ssh/id_rsa.pub -p22 root@10.4.7.11
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '10.4.7.11 (10.4.7.11)' can't be established.
ECDSA key fingerprint is SHA256:iGP1Ez7V8/O5JAgo9FJ5GZ20TMU9l/dEVQkpRQrPO58.
ECDSA key fingerprint is MD5:d9:7f:07:c6:a7:77:8f:56:32:bc:69:83:cb:17:a6:c2.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@10.4.7.11's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh -p '22' 'root@10.4.7.11'"
and check to make sure that only the key(s) you wanted were added.

jerry7-11 ：
[root@jerry7-12 ~]# ll /root/.ssh/
-rw------- 1 root root  395 9月  16 15:02 authorized_keys
-rw------- 1 root root 1679 9月  16 15:21 id_rsa
-rw-r--r-- 1 root root  395 9月  16 15:21 id_rsa.pub
-rw-r--r-- 1 root root  171 9月  16 15:22 known_hosts

jerry7-12 ：
[root@jerry7-12 .ssh]# ssh 10.4.7.11 -p 22
Last login: Wed Sep 16 12:59:07 2020 from 10.4.7.1
[root@jerry7-11 ~]#