//TODO: 补充免密登录原理
ssh 远程登录的安全外壳协议,具有两种身份验证机制:
a.用户名+密码
该方式简单,忽略。
b.秘钥验证
一般来说图形化界面都是安装有ssh客户端的,接下来是免密登录的过程
1)、生成密钥对
ssh-keygen 然后一直回车
2)、发送公钥(id_rsa.pub)到对方
ssh-copy-id 192.168.16.22
3)、同样方式从对方生成密钥对,发送公钥给自己
4)、本机登录也需要发送公钥给自己
ssh-copy-id localhost
[wangshumin@CentOSNode1 hadoop]$ vim hdfs-site.xml
[wangshumin@CentOSNode1 hadoop]$ ssh localhost
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is SHA256:4HhYUqWXR2NtpaaxQs2lJhE1viRBpNV9dHkqrvjH+1s.
ECDSA key fingerprint is MD5:ce:65:a7:5b:53:62:55:93:e6:43:1b:4b:91:93:e7:d1.
Are you sure you want to continue connecting (yes/no)? ^C
[wangshumin@CentOSNode1 hadoop]$ ^C
[wangshumin@CentOSNode1 hadoop]$ ^C
[wangshumin@CentOSNode1 hadoop]$ ^C
[wangshumin@CentOSNode1 hadoop]$ ssh CentOSNode1
The authenticity of host 'centosnode1 (192.168.72.141)' can't be established.
ECDSA key fingerprint is SHA256:4HhYUqWXR2NtpaaxQs2lJhE1viRBpNV9dHkqrvjH+1s.
ECDSA key fingerprint is MD5:ce:65:a7:5b:53:62:55:93:e6:43:1b:4b:91:93:e7:d1.
Are you sure you want to continue connecting (yes/no)?
Host key verification failed.
[wangshumin@CentOSNode1 hadoop]$
[wangshumin@CentOSNode1 hadoop]$
[wangshumin@CentOSNode1 hadoop]$
[wangshumin@CentOSNode1 hadoop]$
[wangshumin@CentOSNode1 hadoop]$ cd
[wangshumin@CentOSNode1 ~]$ cd -
/home/wangshumin/hadoop-2.6.5/etc/hadoop
[wangshumin@CentOSNode1 hadoop]$ cd
[wangshumin@CentOSNode1 ~]$ ssh-keyken
bash: ssh-keyken: 未找到命令...
[wangshumin@CentOSNode1 ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/wangshumin/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/wangshumin/.ssh/id_rsa.
Your public key has been saved in /home/wangshumin/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:Zqmtf+kHCmFlGEvLIGB9BOHF/VSvcggAv4xfsWSAYP8 wangshumin@CentOSNode1
The key's randomart image is:
+---[RSA 2048]----+
|.=++O=+o .. |
|o o+o*++o. . |
| o..+Bo . |
| + * +o. . |
| . E +So o |
| . o= + |
| ..... o |
| .. o . |
| ...o.. |
+----[SHA256]-----+
[wangshumin@CentOSNode1 ~]$ ssh-copd-id CentOSNode1
bash: ssh-copd-id: 未找到命令...
[wangshumin@CentOSNode1 ~]$ ssh-copy-id CentOSNode1
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/wangshumin/.ssh/id_rsa.pub"
The authenticity of host 'centosnode1 (192.168.72.141)' can't be established.
ECDSA key fingerprint is SHA256:4HhYUqWXR2NtpaaxQs2lJhE1viRBpNV9dHkqrvjH+1s.
ECDSA key fingerprint is MD5:ce:65:a7:5b:53:62:55:93:e6:43:1b:4b:91:93:e7:d1.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
wangshumin@centosnode1's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'CentOSNode1'"
and check to make sure that only the key(s) you wanted were added.
[wangshumin@CentOSNode1 ~]$ cd /home/wangshumin/.ssh
[wangshumin@CentOSNode1 .ssh]$ ll
总用量 16
-rw-------. 1 wangshumin wangshumin 404 3月 11 11:11 authorized_keys
-rw-------. 1 wangshumin wangshumin 1675 3月 11 11:10 id_rsa
-rw-r--r--. 1 wangshumin wangshumin 404 3月 11 11:10 id_rsa.pub
-rw-r--r--. 1 wangshumin wangshumin 564 3月 11 11:11 known_hosts
[wangshumin@CentOSNode1 .ssh]$ cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqKetMdhAqe/4P9AXV2NJGrPcVCLlZSj+q7XfF0e6HHinFQwOfFun54xA8VvX7Tu+tkPKoWbVADkzBYp8sHbjRZ1AkRz+oOuJtqpys4y1w9+702atzyQvgyC7CQBPnvn+VUlD3w6M+5nuLDSRquhCxn1ut+zCbyuSuFsqPMKUfWCrHm+LzQbFi09y4E6L2T1+NmSzeP0eORJuz/h/tNih1GHPhmhDdRW4Q4Oo3d1oYXmnCW4IReLpufA4d1q22p81GTS1hF/zq3d3ditkmIl+RzU8POO8BRiL1sV8KEn3L4JnwfhpPsq9Ks9sHY9wG6r/9HUoZYYmBx5P/qaedPIRj wangshumin@CentOSNode1
[wangshumin@CentOSNode1 .ssh]$ ssh localhost
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is SHA256:4HhYUqWXR2NtpaaxQs2lJhE1viRBpNV9dHkqrvjH+1s.
ECDSA key fingerprint is MD5:ce:65:a7:5b:53:62:55:93:e6:43:1b:4b:91:93:e7:d1.
Are you sure you want to continue connecting (yes/no)?
Host key verification failed.
[wangshumin@CentOSNode1 .ssh]$
[wangshumin@CentOSNode1 .ssh]$
[wangshumin@CentOSNode1 .ssh]$
[wangshumin@CentOSNode1 .ssh]$ ssh CentOSNode1
Last login: Sun Mar 11 08:29:06 2018 from 192.168.72.200
[wangshumin@CentOSNode1 ~]$ exit
登出
Connection to centosnode1 closed.
[wangshumin@CentOSNode1 .ssh]$ ll
总用量 16
-rw-------. 1 wangshumin wangshumin 404 3月 11 11:11 authorized_keys
-rw-------. 1 wangshumin wangshumin 1675 3月 11 11:10 id_rsa
-rw-r--r--. 1 wangshumin wangshumin 404 3月 11 11:10 id_rsa.pub
-rw-r--r--. 1 wangshumin wangshumin 564 3月 11 11:11 known_hosts
[wangshumin@CentOSNode1 .ssh]$ ssh-copy-id localhost
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/wangshumin/.ssh/id_rsa.pub"
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is SHA256:4HhYUqWXR2NtpaaxQs2lJhE1viRBpNV9dHkqrvjH+1s.
ECDSA key fingerprint is MD5:ce:65:a7:5b:53:62:55:93:e6:43:1b:4b:91:93:e7:d1.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: WARNING: All keys were skipped because they already exist on the remote system.
(if you think this is a mistake, you may want to use -f option)
[wangshumin@CentOSNode1 .ssh]$ cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqKetMdhAqe/4P9AXV2NJGrPcVCLlZSj+q7XfF0e6HHinFQwOfFun54xA8VvX7Tu+tkPKoWbVADkzBYp8sHbjRZ1AkRz+oOuJtqpys4y1w9+702atzyQvgyC7CQBPnvn+VUlD3w6M+5nuLDSRquhCxn1ut+zCbyuSuFsqPMKUfWCrHm+LzQbFi09y4E6L2T1+NmSzeP0eORJuz/h/tNih1GHPhmhDdRW4Q4Oo3d1oYXmnCW4IReLpufA4d1q22p81GTS1hF/zq3d3ditkmIl+RzU8POO8BRiL1sV8KEn3L4JnwfhpPsq9Ks9sHY9wG6r/9HUoZYYmBx5P/qaedPIRj wangshumin@CentOSNode1
[wangshumin@CentOSNode1 .ssh]$ ssh localhost
Last login: Sun Mar 11 11:12:36 2018 from centosnode1
[wangshumin@CentOSNode1 ~]$ exit
登出
Connection to localhost closed.
[wangshumin@CentOSNode1 .ssh]$ ll
总用量 16
-rw-------. 1 wangshumin wangshumin 404 3月 11 11:11 authorized_keys
-rw-------. 1 wangshumin wangshumin 1675 3月 11 11:10 id_rsa
-rw-r--r--. 1 wangshumin wangshumin 404 3月 11 11:10 id_rsa.pub
-rw-r--r--. 1 wangshumin wangshumin 735 3月 11 11:13 known_hosts
[wangshumin@CentOSNode1 .ssh]$
SSL设置免密登录
一:SSL基本介绍
ssh是secure shell的缩写,是建立在应用层和传输层基础上的安全协议,专为远程登录会话和其他网络服务提供安全性的协议。利用ssh协议可以有效地防止远程管理过程中的信息泄露问题。使用ssh之后,可以把所有传输的数据加密,避免中间人攻击,也能够繁殖DNS欺骗和ip欺骗,有个额外的好处是传输的数据是经过压缩的,可以加快传输速度。
二:SSL提供两种级别的安全验证
第一种:基于口令的安全验证
只要知道一台机器的账号和口令就可以登录到远程主机,传输的内容会被加密,但是不能保证正在连接的服务器就是你想要连接的服务器。即会受到中间人攻击。
第二种:基于密匙的安全验证
需要依靠密匙,就是需要为自己创建一对密匙,并将公共的密匙放在需要访问的服务器上。如果你要连接到该服务器,客户端软件会向服务器发送请求,请求用你的密匙进行安全验证。服务器收到请求后比较你发送的密匙和你放在服务器上的密匙。如能够果两个密匙一致,服务器就用公用密匙加密“质询”并发送给客户端软件,客户端软件收到质询后可以用私人密匙解密,再将其发送给服务器。
三、Linux环境下设置ssh免密码登录
说明:
1、环境:三台虚拟机系统 centos6.5(都已安装ssh),主机名分别为:a、 b、 c,三台主机上的用户皆为y
2、目标:使这三台主机实现自身及相互之间的ssh免密码登录
3、思路:为三台主机分别生成一对密匙,并将每台主机的密匙发送到其他两台主机。
具体步骤
1、使自身能免密码登录自身
(1)在普通用户下操作:在~/.ssh目录下生成一对密匙
cd ~/.ssh
ssh-keygen -t rsa
- 1
- 2
说明:输入该命令后会有提示,一直回车即可
(2)将公共密匙保存到authorized_keys文件中,实现对自身免密码登录
cat id_rsa.pub >> authorized_keys
- 1
(3)修改权限(需要修改~/.ssh文件夹和authorized_keys文件的,不然会报不允许的错误或者无法出现know_hosts文件)
chmod 700 ~/.ssh
chmod 700 ~/.ssh/authorized_keys
- 1
- 2
(4)修改SSH配置文件——“etc/ssh/sshd_config”
打开文件
vim /etc/ssh/sshd_config
- 1
将以下三句话的注释去掉
RSAAuthentication yes # 启用 RSA 认证
PubkeyAuthentication yes # 启用公钥私钥配对认证方式
AuthorizedKeysFile .ssh/authorized_keys # 公钥文件路径(和上面生成的文件相同)
- 1
- 2
- 3
(5)重启SSH(在root用户下操作)
service sshd restart
- 1
(6)免密登录本机(假设本机为a)
ssh a
- 1
发现可以免密码登录。
三台主机都进行前6步的操作。
2、使一台主机能免密码登录另一台
说明:此处以a免密码登录b为例
(1)将a的公共密匙发送给b
在a的终端输入命令:
scp ~/.ssh/id_rsa.pub y@b:~/
- 1
在b的~目录下会有id_rsa.pub
(2)b将其密匙存放到自己的authorized_keys文件中。
在b的~目录下输入命令:
cat id_rsa.pub >> ~/.ssh/authorized_keys
- 1
(3)b删除a发来的文件
rm id_rsa.pub
- 1
(4)在a上测试是否可以免密码登录b
ssh b
- 1
说明:其他的同理