OpenSSH passwordless login configuration
1. OpenSSH overview
The term OpenSSH refers to the software implementation of Secure Shell used on the system. It is used to run a shell securely on a remote system. If you have a user account on a remote Linux system that provides the ssh service, ssh is the command normally used to log in to that system remotely. The ssh command can also be used to run commands on the remote system.
Common remote login tools:
- telnet // 23/TCP
- ssh // 22/TCP; more secure: it requires authentication, and the communication, user authentication and data transfer are all encrypted
- dropbear // for embedded systems; typically used on mobile phone systems
1.1 Authentication methods
ssh supports two authentication methods:
- password authentication // the password can be captured by a third party
- key-based authentication // cryptographic; even if a third party captures the key exchange, it cannot be decrypted
2. Configuration
The sshd service is normally already running; check its status with systemctl status sshd:
```
[root@zsr ~]# systemctl status sshd
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2022-12-22 15:56:49 CST; 2h 0min ago
     Docs: man:sshd(8)
           man:sshd_config(5)
 Main PID: 977 (sshd)
    Tasks: 1 (limit: 4766)
   Memory: 5.8M
   CGroup: /system.slice/sshd.service
           └─977 /usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes12>

Dec 22 15:56:49 localhost.localdomain systemd[1]: Starting OpenSSH server daemon...
Dec 22 15:56:49 localhost.localdomain sshd[977]: Server listening on 0.0.0.0 port 22.
Dec 22 15:56:49 localhost.localdomain sshd[977]: Server listening on :: port 22.
Dec 22 15:56:49 localhost.localdomain systemd[1]: Started OpenSSH server daemon.
Dec 22 16:03:10 localhost.localdomain sshd[1550]: Accepted password for root from 192.168.17.1 port 53545 ssh2
Dec 22 16:03:10 localhost.localdomain sshd[1550]: pam_unix(sshd:session): session opened for user root by (uid=0)
[root@zsr ~]#
```
Generate a key pair with ssh-keygen -t rsa (-t rsa selects the RSA algorithm):
```
[root@zsr ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):   // the private key is saved in /root/.ssh/id_rsa
Enter passphrase (empty for no passphrase):   // no passphrase was entered, so the private key is not encrypted
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.   // the public key is in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:W6LWrA6tXMBS+ErtvzhRXCOkc9pI3Ii5zCsztJwXK4o root@zsr.simple.com
The key's randomart image is:
+---[RSA 3072]----+
| .. |
| = +. o |
| + B.oo . |
| o B *o |
| .*.B.. S . |
|o.o=+o + + |
|+=ooo.= + |
|o+o..B . |
|E +o=. |
+----[SHA256]-----+
[root@zsr ~]#
```
Check the permissions of the public and private keys:
- public key: 644
- private key: 600
```
[root@zsr ~]# ll .ssh
total 8
-rw-------. 1 root root 2602 Dec 22 18:00 id_rsa
-rw-r--r--. 1 root root  573 Dec 22 18:00 id_rsa.pub
[root@zsr ~]#
```
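The permissions above are not just tidiness: with StrictModes (the default) sshd rejects a key login when ~/.ssh or authorized_keys is writable by others and falls back to prompting for a password, and the ssh client refuses to use a private key that other users can read. The following sh script, added here as an example and not part of the original post, audits a .ssh directory for exactly those modes (700 for the directory, 600 for private keys and authorized_keys, 644 for public keys). The throwaway demo directory at the bottom is constructed for the example; on a real host run check_ssh_perms ~/.ssh.

```shell
#!/bin/sh
# Added example: audit the file modes OpenSSH expects in a ~/.ssh directory.

# has_mode FILE OCTAL -> succeeds when FILE has exactly that mode.
# find -prune -perm with a plain octal number is an exact match and is POSIX,
# unlike the GNU-only stat -c %a.
has_mode() {
    [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]
}

# check_ssh_perms DIR -> prints one WARN line per problem; returns 1 if any found.
check_ssh_perms() {
    dir=$1
    rc=0
    has_mode "$dir" 700 || { echo "WARN: $dir should be 700"; rc=1; }
    # id_* covers id_rsa, id_ed25519, ... and their .pub counterparts
    for f in "$dir"/id_*; do
        [ -e "$f" ] || continue          # no keys present: the glob did not expand
        case "$f" in
            *.pub) has_mode "$f" 644 || { echo "WARN: $f should be 644"; rc=1; } ;;
            *)     has_mode "$f" 600 || { echo "WARN: $f should be 600"; rc=1; } ;;
        esac
    done
    if [ -e "$dir/authorized_keys" ]; then
        has_mode "$dir/authorized_keys" 600 || { echo "WARN: $dir/authorized_keys should be 600"; rc=1; }
    fi
    return $rc
}

# Constructed demonstration: a throwaway directory laid out like ~/.ssh (no real keys).
demo=$(mktemp -d)
touch "$demo/id_rsa" "$demo/id_rsa.pub" "$demo/authorized_keys"
chmod 700 "$demo" && chmod 600 "$demo/id_rsa" "$demo/authorized_keys" && chmod 644 "$demo/id_rsa.pub"
check_ssh_perms "$demo" && echo "OK: $demo passes"
chmod 644 "$demo/id_rsa"                 # the mistake the audit is meant to catch
check_ssh_perms "$demo" || echo "audit found problems, as expected"
rm -rf "$demo"
```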
Copy the public key to the host you want to log in to without a password, using ssh-copy-id:
```
[root@zsr ~]# ssh-copy-id root@192.168.17.131
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.17.131 (192.168.17.131)' can't be established.
ECDSA key fingerprint is SHA256:a573QZN4AWem0cTNPxncJQC7BvfoTWGhZAG+doMrjTI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.17.131's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@192.168.17.131'"
and check to make sure that only the key(s) you wanted were added.

[root@zsr ~]#
```
On the host that will accept the passwordless login, view the installed public key:
```
[root@zsr2 ~]# ls .ssh/
authorized_keys
[root@zsr2 ~]#
```
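The two steps above (ssh-copy-id on the source host, authorized_keys appearing on the target) hide what actually happens on the target: the public key line is appended to ~/.ssh/authorized_keys, the directory and file are created with the modes sshd requires, and keys that are already present are skipped (the "filter out any that are already installed" message). The sh script below is an added example that does the same thing by hand, so the result can be inspected and reproduced when ssh-copy-id is unavailable; it is not the page's code nor the ssh-copy-id implementation. The key line and the "remote" home directory it writes into are constructed for the example (the key is not a real RSA key).

```shell
#!/bin/sh
# Added example: install a public key into a target account's authorized_keys
# the way ssh-copy-id does, idempotently and with the right permissions.

# install_pubkey PUBKEY_FILE TARGET_HOME
#   returns 0 when the key was appended, 1 when it was already installed,
#   2 when PUBKEY_FILE does not contain a key line.
install_pubkey() {
    pub=$1
    target=$2
    keyfile=$target/.ssh/authorized_keys
    # Key type and base64 blob identify the key; the trailing comment
    # ("root@zsr.simple.com") may differ between copies and is ignored.
    keyid=$(awk 'NR==1 && NF>=2 {print $1" "$2}' "$pub")
    [ -n "$keyid" ] || { echo "no key line in $pub" >&2; return 2; }
    mkdir -p "$target/.ssh" && chmod 700 "$target/.ssh"
    touch "$keyfile" && chmod 600 "$keyfile"
    if grep -qF -- "$keyid" "$keyfile"; then
        echo "already installed: $keyid"
        return 1
    fi
    cat "$pub" >> "$keyfile"
    echo "installed: $keyid"
}

# count_keys TARGET_HOME -> number of active (non-blank, non-comment) key lines.
count_keys() {
    f=$1/.ssh/authorized_keys
    [ -f "$f" ] || { echo 0; return; }
    grep -v '^[[:space:]]*#' "$f" | grep -c . || true
}

# Constructed demonstration: a fake public key and a throwaway "remote" home.
demo=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDEXAMPLE root@zsr.simple.com\n' > "$demo/id_rsa.pub"
install_pubkey "$demo/id_rsa.pub" "$demo/remote" || true    # first run appends the key
install_pubkey "$demo/id_rsa.pub" "$demo/remote" || true    # second run is a no-op
echo "active keys in authorized_keys: $(count_keys "$demo/remote")"   # 1
rm -rf "$demo"
```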
Now connect from the original host; no password is required:
```
[root@zsr ~]# ssh root@192.168.17.131
Last login: Thu Dec 22 17:55:02 2022 from 192.168.17.1
[root@zsr2 ~]#
```
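Once the key login above works, the password weakness from section 1.1 is still present on the target: sshd accepts both methods until PasswordAuthentication is turned off in sshd_config. The sh script below is an added example (not the page's code) of making that change safely: it rewrites the first global occurrence of an option, even a commented-out one like the default "#PasswordAuthentication yes", comments out later active duplicates, and never touches settings inside a Match block, which apply only to the matched users or hosts. The sample configuration it edits is constructed for the example; on a real host pass /etc/ssh/sshd_config, validate with sshd -t and reload with systemctl reload sshd while the verified key-based session stays open, so a mistake cannot lock you out.

```shell
#!/bin/sh
# Added example: set global sshd_config options in place and read back the
# value sshd will use (first active occurrence before any Match block).

# set_sshd_option FILE KEY VALUE
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        BEGIN { lk = tolower(k) }                       # sshd keywords are case-insensitive
        /^[[:space:]]*Match([[:space:]]|$)/ {
            # global options must come before the first Match block
            if (!done) { print k " " v; done = 1 }
            inmatch = 1
        }
        !inmatch {
            line = $0
            commented = sub(/^[[:space:]]*#[[:space:]]*/, "", line)   # "#Key val" counts as a placeholder
            sub(/^[[:space:]]+/, "", line)
            n = split(line, f, /[[:space:]]+/)
            if (n > 0 && tolower(f[1]) == lk) {
                if (!done) { print k " " v; done = 1; next }   # first occurrence: set it here
                if (!commented) { print "#" $0; next }         # later active duplicates: disable
            }
        }
        { print }
        END { if (!done) print k " " v }                # no occurrence and no Match: append
    ' "$file" > "$tmp" && cat "$tmp" > "$file"           # cat keeps the original owner and mode
    rm -f "$tmp"
}

# get_sshd_option FILE KEY -> the effective global value, or nothing if unset.
get_sshd_option() {
    awk -v lk="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*Match([[:space:]]|$)/ { exit }     # Match-scoped values are not global
        /^[[:space:]]*#/ { next }
        tolower($1) == lk { print $2; exit }             # sshd uses the first value it finds
    ' "$1"
}

# harden_sshd_config FILE: keep key logins, stop accepting passwords.
harden_sshd_config() {
    set_sshd_option "$1" PubkeyAuthentication yes
    set_sshd_option "$1" PasswordAuthentication no
}

# Constructed sample config (not a real /etc/ssh/sshd_config): a commented-out
# default, an active duplicate, and a Match block that must be left alone.
cfg=$(mktemp)
printf '#PasswordAuthentication yes\nPermitRootLogin yes\nPasswordAuthentication yes\nMatch User backup\n    PasswordAuthentication yes\n' > "$cfg"
harden_sshd_config "$cfg"
echo "global PasswordAuthentication: $(get_sshd_option "$cfg" PasswordAuthentication)"   # no
cat "$cfg"
rm -f "$cfg"
```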