ssh-keygen&ssh-copy-id详解

1、介绍

公钥认证登录（免密登录）允许你登录一个远程服务器却不需要输入密码。首先第一步再本地服务器上生成一对公私钥，然后将公钥文件的内容拷贝到你要登录的远程机器上，最后只要你的本地保留由私钥，就可以免密登录远程服务器。ssh-keygen可以用来生成ssh免密登陆的密钥文件，这样在使用ssh登录的时候就可以不输入密码直接登录了。

2、生成公私钥（默认方式）

1、直接生成公私钥，默认存放在$HOME/.ssh目录下，公钥文件名默认为id_rsa.pub ，私钥文件名默认为id_rsa。默认生成是通过rsa算法加密的

[yiifung@master01 ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/yiifung/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/yiifung/.ssh/id_rsa.
Your public key has been saved in /home/yiifung/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:wRB3z4EE3QJYILvn9P7LJAGUot3oRlaCP3bKtupDlok yiifung@master01
The key's randomart image is:
+---[RSA 2048]----+
|   .. =*==oo.    |
|  . o+++ .+o..   |
|   +.*. o  .o    |
|  . O.o. .       |
| . O.+o S        |
|E = *+ . .       |
| o o .. o .      |
|  . .  . +       |
| .oo    ..+.     |
+----[SHA256]-----+
[yiifung@master01 ~]$ 
[yiifung@master01 ~]$

3、选项详解

-b bits 指定加密的bit位数，对于RSA算法，最小是1024位，默认是2048位

-C comment 添加注释

-f filename 指定输出文件名

-N new_passphrase 指定新密码

-P old_passphrase 指定密码，旧密码

-t dsa | ecdsa | ed25519 | rsa | rsa1 指定加密算法

4、具体执行如下

[yiifung@master01 .ssh]$ ssh-keygen   -b 2048 -t rsa  -f id_rsa  -C 'lichf'
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in id_rsa.
Your public key has been saved in id_rsa.pub.
The key fingerprint is:
SHA256:wv0Tagi8UHNxSu20erHyLtZ4rW+V58APFIMpC2/1Tqw lichf
The key's randomart image is:
+---[RSA 2048]----+
|      o..  o     |
|     ..++ + o    |
|    o o= = o o   |
|   o + .B   =    |
|  . o ooSo.* .   |
|   . oooooE.B .  |
|    . .*o.o. *   |
|      +.+ o.  o  |
|     . +o+.      |
+----[SHA256]-----+

[yiifung@master01 .ssh]$ ll id_rsa*
-rw-------. 1 yiifung yiifung 1675 Jul  8 23:12 id_rsa
-rw-r--r--. 1 yiifung yiifung  387 Jul  8 23:12 id_rsa.pub
[yiifung@master01 .ssh]$

5、将id_rsa 拷贝到远程机器上

需要将id_rsa的文件内容拷贝到远程服务器上的~/.ssh/authorized_keys文件中，可以将id_rsa的内容直接拷贝过去，也可以通过ssh-copy-id命令实现

-i 指定需要复制的公钥文件

-f 强制方式添加，如果不加此参数，会检查远程服务器上是否已经存在了该公钥，加上了该参数，不会再做检查操作，直接将该公钥添加进去，这样公钥文件会存在重复的情况

[yiifung@master01 .ssh]$ ssh-copy-id -i id_rsa.pub     yiifung@192.168.168.130
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
yiifung@192.168.168.130's password: 
Permission denied, please try again.
yiifung@192.168.168.130's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'yiifung@192.168.168.130'"
and check to make sure that only the key(s) you wanted were added.

[yiifung@master01 .ssh]$ ssh-copy-id -i id_rsa.pub     yiifung@192.168.168.130
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed

/usr/bin/ssh-copy-id: WARNING: All keys were skipped because they already exist on the remote system.
		(if you think this is a mistake, you may want to use -f option)

[yiifung@master01 .ssh]$ ssh-copy-id -i id_rsa.pub -f     yiifung@192.168.168.130
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "id_rsa.pub"

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'yiifung@192.168.168.130'"
and check to make sure that only the key(s) you wanted were added.

[yiifung@master01 .ssh]$