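Topic: Passwordless login between two Linux hosts over the SSH protocol
1. Prepare two Linux hosts with the ssh package installed
Here I am using a Red Hat system and Huawei's openEuler system. Both ship with the ssh package; you can check for the process with the ps command or check whether the package is installed with the rpm command
ps -ef | grep ssh
# the SSH server package is named openssh-server on these systems
rpm -q openssh-server
2. Generate the public and private keys on one of the hosts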
ssh-keygen -t rsa
[root@xsl ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:zwmG6VC710z5K4sGLp6UY24Dn9KK5lNKAmJ5XmArDpI root@xsl
The key's randomart image is:
+---[RSA 3072]----+
| |
| o |
| .o o . |
|E+ o o + . |
|B + o + S o |
|.o.o +.o B o |
|o o+=oo.. * . |
| =.+Bo..... . |
|+.o=+o .. .o. |
+----[SHA256]-----+
The generated keys are under /root/.ssh/
Change into that directory and the ls command will show them
[root@xsl ~]# cd /root/.ssh/
[root@xsl .ssh]# ls
authorized_keys id_rsa id_rsa.pub
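3. Copy the generated key over. You can either create the /root/.ssh/id_rsa.pub file on the host you want to log in to without a password, or copy it over with a command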
ssh-copy-id -i /root/.ssh/id_rsa.pub 192.168.23.128
[root@xsl .ssh]# ssh-copy-id -i /root/.ssh/id_rsa.pub 192.168.23.130
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.23.130 (192.168.23.130)' can't be established.
ED25519 key fingerprint is SHA256:7fl/VIJiutDYXvjCeDne46lGyU2iCDsjcgKPAYmckOc.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Authorized users only. All activities may be monitored and reported.
root@192.168.23.130's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '192.168.23.130'"
and check to make sure that only the key(s) you wanted were added.
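After typing yes, the password is required this first time. After entering the password
4. Log in
After the password has been entered, run ssh 192.168.23.128 and you will see that you are logged in directly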
[root@xsl .ssh]# ssh 192.168.23.130
Authorized users only. All activities may be monitored and reported.
Authorized users only. All activities may be monitored and reported.
Last login: Wed Jan 10 22:54:00 2024 from 192.168.23.1
Welcome to 6.4.0-10.1.0.20.oe2309.x86_64
System information as of time: 2024年 01月 11日 星期四 00:01:22 CST
System load: 0.00
Processes: 195
Memory used: 20.2%
Swap used: 0%
Usage On: 15%
IP address: 192.168.23.130
Users online: 3
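Perform the same steps on the other host and the two Linux hosts can log in to each other without a password. For better security, you can disable password login on host B
Open the /etc/ssh/sshd_config file and find the following two lines:
#PasswordAuthentication yes
#ChallengeResponseAuthentication yes
Change them to:
PasswordAuthentication no
ChallengeResponseAuthentication no
These two lines are options in the SSH server configuration file. They control whether password authentication and challenge-response authentication are allowed.
- The PasswordAuthentication option specifies whether SSH login with a password is allowed. Setting it to no disables password login, so that only SSH keys can be used for authentication.
- The ChallengeResponseAuthentication option specifies whether SSH login with challenge-response is allowed. Setting it to no disables challenge-response authentication.
By setting both options to no, you disable password login and challenge-response login on host B, which increases the host's security. After modifying the /etc/ssh/sshd_config file, you need to reload the SSH configuration for the change to take effect.
The restart command is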
[root@localhost ~]# systemctl restart sshd
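A check for the sshd_config edit described above, as an added example that is not part of the original post: a line left commented out keeps the default in force, and sshd uses the first value it reads for a keyword, so an earlier active line overrides a later edit. The function names and the sample files are constructed for illustration, and the "yes" fallbacks assume upstream OpenSSH defaults.

```shell
# Added example, not from the original post. Reads only the global section of
# one sshd_config-style file; Include files and Match blocks are not followed.

# effective_value FILE KEYWORD DEFAULT: print the first value set, else DEFAULT
effective_value() {
    awk -v want="$2" -v def="$3" '
        # ChallengeResponseAuthentication is a deprecated alias in current OpenSSH
        function canon(k) {
            k = tolower(k)
            return (k == "challengeresponseauthentication") ? "kbdinteractiveauthentication" : k
        }
        /^[ \t]*(#|$)/ { next }               # commented-out and blank lines set nothing
        {
            sub(/=/, " ")                     # accept the "Keyword=value" form
            if (tolower($1) == "match") exit  # the global section ends here
            if (canon($1) == canon(want)) { print tolower($2); found = 1; exit }
        }
        END { if (!found) print def }
    ' "$1"
}

# password_logins_disabled FILE: exit 0 only if both options resolve to "no"
# (the "yes" fallbacks are assumed upstream OpenSSH defaults)
password_logins_disabled() {
    [ "$(effective_value "$1" PasswordAuthentication yes)" = no ] &&
    [ "$(effective_value "$1" ChallengeResponseAuthentication yes)" = no ]
}

# make_samples DIR: write constructed sample files (not from a real host)
make_samples() {
    printf '%s\n' '#PasswordAuthentication yes' \
        '#ChallengeResponseAuthentication yes' > "$1/shipped.conf"
    printf '%s\n' 'PasswordAuthentication no' \
        'ChallengeResponseAuthentication no' > "$1/edited.conf"
    # sshd keeps the first value it reads, so the later "no" is ignored
    printf '%s\n' 'PasswordAuthentication yes' 'KbdInteractiveAuthentication no' \
        'PasswordAuthentication no' > "$1/shadowed.conf"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for name in shipped edited shadowed; do
    if password_logins_disabled "$demo_dir/$name.conf"; then
        echo "$name: password logins disabled"
    else
        echo "$name: password logins still possible"
    fi
done
rm -rf "$demo_dir"
```

On a live host, running sshd -T as root prints the configuration the daemon actually resolves, including any Include files, and is the authoritative check after the restart.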