1. Introduction
Public-key authentication (password-less login) lets you log in to a remote server without typing a password. The first step is to generate a key pair on the local machine; then copy the contents of the public key file to the remote machine you want to log in to; as long as the private key stays on the local machine, you can log in to the remote server without a password. ssh-keygen generates the key files used for this, so that ssh no longer prompts for a password at login. Keep in mind what this trades away: the private key now stands in for the password, so anyone who can read the private key file can log in as you. Never copy it anywhere, and protect it with a passphrase unless it is a throwaway key for automation.
2. Generating a key pair (default settings)
1. Running ssh-keygen with no arguments generates a key pair under $HOME/.ssh; the public key file is named id_rsa.pub and the private key file id_rsa by default. The default key type is RSA (this is the key algorithm, not an encryption step: the private key file is only encrypted if you enter a passphrase at the prompt below; an empty passphrase stores it in the clear).
[yiifung@master01 ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/yiifung/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/yiifung/.ssh/id_rsa.
Your public key has been saved in /home/yiifung/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:wRB3z4EE3QJYILvn9P7LJAGUot3oRlaCP3bKtupDlok yiifung@master01
The key's randomart image is:
+---[RSA 2048]----+
| .. =*==oo. |
| . o+++ .+o.. |
| +.*. o .o |
| . O.o. . |
| . O.+o S |
|E = *+ . . |
| o o .. o . |
| . . . + |
| .oo ..+. |
+----[SHA256]-----+
[yiifung@master01 ~]$
3. Options
-b bits Key length in bits. For RSA the minimum is 1024; the default is 2048 in the version shown here (3072 since OpenSSH 8.0). ECDSA accepts 256, 384 or 521; ed25519 keys have a fixed size and ignore -b.
-C comment Comment stored in the public key (the text after the base64 blob, default user@host). It only labels the key and does not affect authentication.
-f filename Output file name for the private key; the public key is written to filename.pub.
-N new_passphrase Passphrase for the new key, for non-interactive generation (note that it then appears in shell history and the process list; -N '' means no passphrase).
-P old_passphrase The existing passphrase of a key, used together with -p when changing a key's passphrase.
-t dsa | ecdsa | ed25519 | rsa | rsa1 Key type. rsa1 belongs to SSH protocol 1, which was removed in OpenSSH 7.6; DSA is deprecated and disabled by default in modern sshd. Prefer ed25519, or RSA with at least 3072 bits where ed25519 is not supported.
4. Worked example
[yiifung@master01 .ssh]$ ssh-keygen -b 2048 -t rsa -f id_rsa -C 'lichf'
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_rsa.
Your public key has been saved in id_rsa.pub.
The key fingerprint is:
SHA256:wv0Tagi8UHNxSu20erHyLtZ4rW+V58APFIMpC2/1Tqw lichf
The key's randomart image is:
+---[RSA 2048]----+
| o.. o |
| ..++ + o |
| o o= = o o |
| o + .B = |
| . o ooSo.* . |
| . oooooE.B . |
| . .*o.o. * |
| +.+ o. o |
| . +o+. |
+----[SHA256]-----+
[yiifung@master01 .ssh]$ ll id_rsa*
-rw-------. 1 yiifung yiifung 1675 Jul 8 23:12 id_rsa
-rw-r--r--. 1 yiifung yiifung 387 Jul 8 23:12 id_rsa.pub
[yiifung@master01 .ssh]$
5. Copying id_rsa.pub to the remote machine
The contents of the public key id_rsa.pub (never the private key id_rsa) must be appended, as one line, to ~/.ssh/authorized_keys on the remote server. You can paste the line in by hand, or use the ssh-copy-id command. Also check permissions on the remote side: sshd's default StrictModes ignores authorized_keys if ~/.ssh is not 700 or the file is writable by others.
-i Public key file to copy.
-f Force mode. Without this option, ssh-copy-id first checks whether the key is already present on the remote server and skips it if so; with it, no check is made and the key is appended unconditionally, so authorized_keys can end up containing duplicate entries.
[yiifung@master01 .ssh]$ ssh-copy-id -i id_rsa.pub yiifung@192.168.168.130
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
yiifung@192.168.168.130's password:
Permission denied, please try again.
yiifung@192.168.168.130's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'yiifung@192.168.168.130'"
and check to make sure that only the key(s) you wanted were added.
[yiifung@master01 .ssh]$ ssh-copy-id -i id_rsa.pub yiifung@192.168.168.130
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: WARNING: All keys were skipped because they already exist on the remote system.
(if you think this is a mistake, you may want to use -f option)
[yiifung@master01 .ssh]$ ssh-copy-id -i id_rsa.pub -f yiifung@192.168.168.130
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "id_rsa.pub"
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'yiifung@192.168.168.130'"
and check to make sure that only the key(s) you wanted were added.
[yiifung@master01 .ssh]$
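The remote-side step that both the manual paste and ssh-copy-id perform, written out as an added shell example (this is not code from the original page or from OpenSSH). It reimplements the append-and-deduplicate logic locally against a temporary directory so that it runs without a remote host, and includes the duplicate check you should run after the "ssh-copy-id -f" shown above. The key lines are constructed samples, not real keys; the generate_key helper assumes ssh-keygen is installed and is only shown, not called.

```shell
#!/bin/sh
# Added example (not from the original page or from OpenSSH): the remote-side
# work of "copy the public key into ~/.ssh/authorized_keys", done locally so it
# runs with no remote host. Assumes authorized_keys lines of the plain form
# "<type> <base64 blob> [comment]" that ssh-keygen writes (no option prefixes).
set -eu

# Non-interactive key generation, as step 2 of the page does by hand. Requires
# ssh-keygen; defined for reference and not called below. Ed25519 is the current
# recommendation over RSA; -N '' means no passphrase, so use it for throwaway keys only.
generate_key() {
    ssh-keygen -t ed25519 -f "$1" -N '' -C "$2"
}

# Append one public-key line to an authorized_keys file, creating ~/.ssh and the
# file with the permissions sshd's StrictModes expects (700 / 600).
# Without force (default) the key is skipped if the same type+blob is already
# present, which is what ssh-copy-id does by default; with force=1 it is appended
# unconditionally, which is what "ssh-copy-id -f" does and is how the duplicate
# in the transcript above came about. Prints "added" or "skipped".
add_authorized_key() {
    pubkey_line=$1
    auth_file=$2
    force=${3:-0}
    ssh_dir=$(dirname "$auth_file")
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"
    key_type=$(printf '%s\n' "$pubkey_line" | awk '{print $1}')
    key_blob=$(printf '%s\n' "$pubkey_line" | awk '{print $2}')
    if [ "$force" -eq 0 ] && awk -v t="$key_type" -v b="$key_blob" \
        '$1 == t && $2 == b { found = 1 } END { exit !found }' "$auth_file"; then
        echo skipped
        return 0
    fi
    printf '%s\n' "$pubkey_line" >> "$auth_file"
    echo added
}

# How many times a given key's blob appears in authorized_keys. Run this after
# ssh-copy-id to "check to make sure that only the key(s) you wanted were added":
# 1 is what you want; 2 or more means -f (or repeated manual pastes) left duplicates.
count_key() {
    key_blob=$(printf '%s\n' "$1" | awk '{print $2}')
    awk -v b="$key_blob" '$2 == b { n++ } END { print n + 0 }' "$2"
}

# Demo against a temporary directory with a constructed (non-functional) key.
demo_dir=$(mktemp -d)
demo_auth="$demo_dir/.ssh/authorized_keys"
demo_key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyNotRealAAAAAAAAAAAA lichf'
add_authorized_key "$demo_key" "$demo_auth"     # added
add_authorized_key "$demo_key" "$demo_auth"     # skipped (already installed)
add_authorized_key "$demo_key" "$demo_auth" 1   # added again, like ssh-copy-id -f
echo "copies of the key in authorized_keys: $(count_key "$demo_key" "$demo_auth")"
ls -ld "$demo_dir/.ssh" "$demo_auth"
rm -rf "$demo_dir"
```

The comparison deliberately ignores the comment field: two lines that differ only in the comment are the same key, and this is also why -C does not change what sshd accepts. Duplicate entries are harmless to authentication but they hide which line a key came from, so after a forced copy it is worth removing the extra line rather than leaving it.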