On Linux, remote login supports two authentication methods: password authentication and key authentication. This post records only the key authentication procedure.
A key pair consists of a public key and a private key. The public key is stored on the remote server and the private key is kept locally. When you log in, the local private key is matched against the public key on the remote server, and if the check succeeds the login is granted. This method removes the risk of password brute-forcing, and as long as the private key kept locally is not stolen, an attacker generally cannot get into the system through key authentication. For this reason, key authentication is the recommended way to log in to a Linux system.
Environment 1:
Node1: local host, the machine used to control the others, ubuntu12.04, 192.168.2.11
Node2: remote host, the machine being controlled, ubuntu12.04, 192.168.2.10
-
Run the following command on Node1 to generate the key pair:
root@ha02:~# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): # path where the key is saved; the default is fine
Enter passphrase (empty for no passphrase): # enter a passphrase, or leave it empty
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
bf:7f:15:03:78:2c:ad:40:bf:70:fd:00:1d:c0:dd:92 root@ha02
The key's randomart image is:
+--[ RSA 2048]----+
| ...oB.+ |
| ..+oE . |
| ..o+oo |
| o.. oo |
| S . .o|
| . .|
| . . |
| . . |
| .... |
+-----------------+
-
Create the .ssh directory on Node2 and set its permissions to 700; this can be done directly through an ssh login:
root@ha02:~# ssh root@192.168.2.10 "mkdir .ssh;chmod 0700 .ssh"
root@192.168.2.10's password:
-
Copy the id_rsa.pub file from Node1 into the .ssh directory on Node2
root@ha02:~# scp .ssh/id_rsa.pub root@192.168.2.10:.ssh/id_rsa.pub
root@192.168.2.10's password:
id_rsa.pub 100% 391 0.4KB/s 00:00
-
On Node2, create the file authorized_keys and set its permissions to 600; it will hold the public key
root@ha01:~/.ssh# touch /root/.ssh/authorized_keys
root@ha01:~/.ssh# chmod 600 /root/.ssh/authorized_keys
-
Append the contents of id_rsa.pub to authorized_keys
root@ha01:~/.ssh# cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys
-
Log in to Node2 from Node1 to verify that it works:
root@ha02:~# ssh root@192.168.2.10
Welcome to Ubuntu 12.04.5 LTS (GNU/Linux 3.8.0-29-generic x86_64)
* Documentation: https://help.ubuntu.com/
System information as of Sat Dec 27 14:25:26 CST 2014
System load: 0.04 Processes: 146
Usage of /: 5.8% of 885.02GB Users logged in: 1
Memory usage: 2% IP address for br0: 192.168.2.10
Swap usage: 0% IP address for virbr0: 192.168.122.1
Graph this data and manage this system at:
https://landscape.canonical.com/
packages can be updated.
updates are security updates.
New release '14.04.1 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Your current Hardware Enablement Stack (HWE) is no longer supported
since 2014-08-07. Security updates for critical parts (kernel
and graphics stack) of your system are no longer available.
For more information, please see:
http://wiki.ubuntu.com/1204_HWE_EOL
To upgrade to a supported (or longer supported) configuration:
* Upgrade from Ubuntu 12.04 LTS to Ubuntu 14.04 LTS by running:
sudo do-release-upgrade
OR
* Install a newer HWE version by running:
sudo apt-get install linux-generic-lts-trusty linux-image-generic-lts-trusty
and reboot your system.
Last login: Sat Dec 27 09:46:43 2014 from 192.168.3.141
root@ha01:~# exit
logout
Connection to 192.168.2.10 closed.
-
Key-based login succeeded!
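The server-side steps of Environment 1 (create ~/.ssh with mode 700, create authorized_keys with mode 600, append the public key) collected into one script. This is an example added here, not code from the original post; it applies equally to the identical remote-side steps of Environment 2 below. Two things the manual procedure does not do are added: the line is checked to actually be an OpenSSH public key before it is appended (appending the private key file, or a key in another format, by mistake is a common slip), and a key that is already present is not appended a second time. The sample key line, the temporary directory and the function names are constructed for the demo; the stat -c call assumes GNU coreutils, as on Ubuntu.

```shell
#!/bin/sh
# Added example, not from the original post: install a public key on the
# remote side the way the post does by hand (mkdir .ssh + chmod 700,
# touch authorized_keys + chmod 600, append the key), but idempotently and
# with a sanity check on what is being appended.

# Constructed sample line in OpenSSH format; the blob is not a real key.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExampleExampleE root@ha02'

# validate_pubkey_line <line>: status 0 if the line looks like an OpenSSH
# public key (known key type followed by a base64 blob), 1 otherwise.
# The body is a subshell so the temporary 'set -f' stays local.
validate_pubkey_line() (
    set -f                # no globbing while splitting the line into words
    set -- $1
    case "${1:-}" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    printf '%s' "${2:-}" | grep -Eq '^[A-Za-z0-9+/]+=*$'
)

# install_pubkey <pubkey-file> <home-dir>: prints "added", "present" or
# "rejected" (status 1). sshd with the default StrictModes ignores
# authorized_keys when ~/.ssh or the file is writable by group or others,
# which is why the modes are set explicitly every time.
install_pubkey() {
    key_line=$(head -n 1 "$1" | tr -d '\r')      # tolerate CRLF files from Windows
    if ! validate_pubkey_line "$key_line"; then
        echo rejected
        return 1
    fi
    ssh_dir="$2/.ssh"
    auth="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth"
    chmod 600 "$auth"
    # match on type + blob only, so a different comment does not create a duplicate
    key_id=$(printf '%s\n' "$key_line" | awk '{ print $1, $2 }')
    if grep -qF -- "$key_id" "$auth"; then
        echo present
    else
        printf '%s\n' "$key_line" >> "$auth"
        echo added
    fi
}

# check_ssh_perms <home-dir>: prints "ok" when .ssh is 700 and
# authorized_keys is 600 (GNU stat)
check_ssh_perms() {
    [ "$(stat -c '%a' "$1/.ssh")" = 700 ] || { echo "bad mode on $1/.ssh"; return 1; }
    [ "$(stat -c '%a' "$1/.ssh/authorized_keys")" = 600 ] || { echo "bad mode on authorized_keys"; return 1; }
    echo ok
}

# Demo against a constructed home directory instead of /root
demo=$(mktemp -d)
printf '%s\n' "$SAMPLE_PUBKEY" > "$demo/id_rsa.pub"
install_pubkey "$demo/id_rsa.pub" "$demo"      # added
install_pubkey "$demo/id_rsa.pub" "$demo"      # present
check_ssh_perms "$demo"                        # ok
rm -rf "$demo"
```

On a real host the second argument is the target user's home directory (/root in the post). The mode checks are worth keeping in any such script: when sshd ignores an authorized_keys file because of loose permissions, the only symptom is an unexpected password prompt, which is easy to misread as a problem with the key itself.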
Environment 2:
SecureCRT 7.2.1 on the local Windows machine; remote host ubuntu12.04, 192.168.4.37
-
Generate the key pair: Tools -> Create Public Key...
-
The "Key Generation Wizard" dialog appears; click Next:
-
Choose RSA as the key type
-
Enter a passphrase to encrypt the key (may be left empty):
-
Fill in the key length; the default 1024 bits is used:
-
The system starts generating the key:
-
Choose the path where the key will be saved
-
The files Identity and Identity.pub now exist under C:\Users\YY\Documents
-
On the remote host, create the .ssh directory and change its permissions to 700:
root@ubuntu12:~# mkdir .ssh
root@ubuntu12:~# chmod 700 .ssh
-
Upload the generated Identity.pub file (the one with the .pub suffix) into the .ssh directory on the remote server:
root@ubuntu12:~/.ssh# ll
total 12
drwx------ 2 root root 4096 Dec 27 15:28 ./
drwx------ 5 root root 4096 Dec 27 15:14 ../
-rw-r--r-- 1 root root 328 Dec 27 15:21 Identity.pub
-
On the remote server, create the file authorized_keys and set its permissions to 600; it will hold the public key
root@ubuntu12:~/.ssh# touch /root/.ssh/authorized_keys
root@ubuntu12:~/.ssh# chmod 600 /root/.ssh/authorized_keys
root@ubuntu12:~/.ssh# ll
total 12
drwx------ 2 root root 4096 Dec 27 15:31 ./
drwx------ 5 root root 4096 Dec 27 15:14 ../
-rw------- 1 root root 0 Dec 27 15:31 authorized_keys
-rw-r--r-- 1 root root 328 Dec 27 15:21 Identity.pub
-
Append the contents of Identity.pub to authorized_keys
root@ubuntu12:~/.ssh# cat /root/.ssh/Identity.pub >> /root/.ssh/authorized_keys
-
Create a new SSH2 session in CRT
-
Select only PublicKey and click Properties
-
Click Connect; the login succeeds:
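OpenSSH's authorized_keys accepts only the one-line "type blob comment" format. A public key exported by a Windows client such as SecureCRT may instead be in RFC 4716 format (the file starts with ---- BEGIN SSH2 PUBLIC KEY ----), which sshd will not read; OpenSSH converts such a file with ssh-keygen -i -f Identity.pub. The following is an added example, not part of the original post and not SecureCRT's or OpenSSH's own code, doing that same conversion in sh and awk so the format is visible: header lines and their backslash continuations are skipped, the wrapped base64 body is joined, and the key type is read out of the blob itself, whose decoded form begins with a 4-byte length and the type name. The sample file, its comment and the function names are constructed; whether a given Identity.pub is in this format is something to check on the actual file before deciding it needs conversion.

```shell
#!/bin/sh
# Added example, not from the original post: convert an RFC 4716 public key
# file into the one-line OpenSSH format used by authorized_keys.
# Equivalent to `ssh-keygen -i -f Identity.pub`; assumes GNU/busybox
# base64 and od and a POSIX awk.

# blob_key_type <base64-blob>: print the key type encoded at the start of
# the blob ("ssh-rsa", "ssh-ed25519", ...). The decoded blob starts with a
# 4-byte big-endian length followed by the type name.
blob_key_type() {
    printf '%s' "$1" | base64 -d 2>/dev/null | od -An -v -tu1 | awk '
        { for (i = 1; i <= NF; i++) b[n++] = $i }
        END {
            if (n < 4) exit 1
            len = b[0] * 16777216 + b[1] * 65536 + b[2] * 256 + b[3]
            if (len < 1 || len > 64 || n < 4 + len) exit 1
            s = ""
            for (i = 0; i < len; i++) s = s sprintf("%c", b[4 + i] + 0)
            print s
        }'
}

# rfc4716_to_openssh <file> [comment]: print the key as "type blob [comment]";
# status 1 if the file holds no RFC 4716 block or the blob is not decodable.
rfc4716_to_openssh() {
    blob=$(awk '
        { sub(/\r$/, "") }                                 # tolerate CRLF files from Windows
        /^---- BEGIN SSH2 PUBLIC KEY ----/ { inkey = 1; next }
        /^---- END SSH2 PUBLIC KEY ----/   { inkey = 0; next }
        !inkey { next }
        cont { cont = ($0 ~ /\\$/); next }                 # rest of a continued header line
        /^[A-Za-z0-9-]+: / { cont = ($0 ~ /\\$/); next }   # header line (Subject:, Comment:)
        { blob = blob $0 }                                 # base64 body, wrapped at 72 columns
        END { print blob }
    ' "$1") || return 1
    [ -n "$blob" ] || { echo "no RFC 4716 key block found in $1" >&2; return 1; }
    ktype=$(blob_key_type "$blob") || { echo "unrecognised key blob in $1" >&2; return 1; }
    printf '%s %s%s\n' "$ktype" "$blob" "${2:+ $2}"
}

# write_sample_rfc4716 <path>: write a constructed RFC 4716 file. The blob
# is a valid ssh-rsa prefix followed by filler, not a real key; the Comment
# header is split over two lines to exercise continuation handling.
write_sample_rfc4716() {
    cat > "$1" <<'EOF'
---- BEGIN SSH2 PUBLIC KEY ----
Subject: yy
Comment: "rsa-key-20141227, constructed sample for \
this example, not a real key"
AAAAB3NzaC1yc2EAAAADAQABExampleExampleExampleExampleEx
ampleExampleEx
---- END SSH2 PUBLIC KEY ----
EOF
}

# Demo: the printed line is what would be appended to authorized_keys
sample=$(mktemp)
write_sample_rfc4716 "$sample"
rfc4716_to_openssh "$sample" "yy@winbox"
rm -f "$sample"
```

The key type is taken from the blob rather than guessed, because the RFC 4716 headers do not name it; the same check also rejects a body that is not valid base64, so a mangled upload fails here instead of silently producing an authorized_keys line that sshd ignores.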