I went through the ssh-keygen passwordless authentication setup once more and am recording it here for easy reference. The process is as follows:


Introduction:

SSH is a protocol designed to provide security for remote login sessions and other network services. By default an ssh connection requires password authentication; this can be changed by adding system authentication (i.e. a public/private key pair), after which switching between systems no longer requires entering a password for ssh authentication.


1. Preparation

Two servers:

Side initiating the ssh connection: 192.168.93.51 (feng_01)

Side being connected to via ssh: 192.168.93.52 (feng_02)


Clear out the directory where the keys will be generated:

[root@feng_01 .ssh]# ls -lrt
total 0


2. Generate the SSH key on the initiating side (192.168.93.51)

Command: ssh-keygen -t rsa. While it runs it prompts for a passphrase, but since the goal is to log in over ssh without a password, just press Enter without entering one.

The run looks like this:

[root@feng_01 .ssh]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
02:93:7d:49:2b:37:7d:95:c9:d5:35:44:c3:36:29:57 root@feng_01


When it finishes, the public and private key files have been generated: id_rsa.pub and id_rsa

[root@feng_01 .ssh]# ls
id_rsa  id_rsa.pub


3. Copy the public key to the side being connected to

(The copy below is done knowing the password of the side being connected to. If you don't know it, you can place the public key in a shared directory and let the side being connected to fetch it and put it in the right directory itself; that makes it a two-way choice, with both sides holding the initiative.)

[root@feng_01 .ssh]# scp id_rsa.pub 192.168.93.52:/root/.ssh/authorized_keys
The authenticity of host '192.168.93.52 (192.168.93.52)' can't be established.
RSA key fingerprint is fb:2f:dc:ae:26:9c:d4:1b:6e:d7:12:bb:0b:84:f8:1c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.93.52' (RSA) to the list of known hosts.
root@192.168.93.52's password:
id_rsa.pub                                               100%  394     0.4KB/s   00:00    
[root@feng_01 .ssh]# ls
id_rsa  id_rsa.pub  known_hosts


Copy the initiating side's public key to the side being connected to, name it authorized_keys, and set the file's permissions to 600

[root@feng_02 .ssh]# ls -lrt
total 4
-rw------- 1 root root 394 Apr 14 16:50 authorized_keys


Because an ssh connection was made during this step, a known_hosts file was also created; it records the hosts that have already been logged into.


4. Verify access

Issue the ssh login command from the initiating side to the side being connected to:

[root@feng_01 .ssh]# ssh 192.168.93.52
Last login: Mon Apr 14 16:27:01 2014 from 192.168.93.51
[root@feng_02 ~]#

Result: after initiating the ssh login, password authentication is no longer required; ssh goes straight into the side being connected to.


Summary of the process:

The initiating side generates the public and private keys for ssh login without password authentication, then sends the public key to the side being connected to.

The side being connected to has the choice over this: if it allows passwordless login, it simply places the public key in the corresponding directory; if not, it can refuse to accept it (so the right to initiate and the right to accept are separated, which keeps things secure).


--------------------------------------------------------------------------------------------------

If the initiating side knows the password of the side being connected to, it can also be set up this way:

1. Generate the key, same process as above:

[root@feng_01 .ssh]# ssh-keygen -t rsa


2. Configure authentication on the initiating side

ssh-copy-id -i /root/.ssh/id_rsa.pub 192.168.93.52


[root@feng_01 .ssh]# ssh-copy-id -i /root/.ssh/id_rsa.pub 192.168.93.52
21
The authenticity of host '192.168.93.52 (192.168.93.52)' can't be established.
RSA key fingerprint is fb:2f:dc:ae:26:9c:d4:1b:6e:d7:12:bb:0b:84:f8:1c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.93.52' (RSA) to the list of known hosts.
root@192.168.93.52's password:
Now try logging into the machine, with "ssh '192.168.93.52'", and check in:

 .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.


After running it, an authorized_keys file is created on the side being connected to, and its permissions are automatically set to 600

[root@feng_02 .ssh]# ls -lrt
total 4
-rw------- 1 root root 394 Apr 14 17:38 authorized_keys


3. Verify access:

After running the command above, you can log in to 192.168.93.52 directly

[root@feng_01 .ssh]# ssh 192.168.93.52
Last login: Mon Apr 14 17:19:06 2014 from 192.168.93.51


Doesn't that feel quicker than the method above?



------------------------------------------------------------------

Today, after setting up passwordless login between all the machines, it still prompted for a password:

Cause: the permissions on the user's home directory on the initiating side had been set to 700, which caused the problem above; after changing the directory to 755, the problem was solved.
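As an added example that is not part of the original post, here is a small POSIX sh helper covering both the manual key copy in step 3 above and the ssh-copy-id variant (it appends to authorized_keys instead of replacing it and sets the 700/600 modes), plus a check for the permission problems the troubleshooting note describes. The function names and the use of a throwaway home directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post. Installs a public key into an
# authorized_keys file the way ssh-copy-id does (append, no duplicates, 700/600
# modes) and checks the permission conditions the post relies on. All paths are
# parameters so it can be exercised against a temporary directory.

# install_authorized_key <id_rsa.pub> <authorized_keys>
# Appends the key only if its key material (the second field of the pub line)
# is not already present, so running it twice does not create duplicates.
install_authorized_key() {
    pub="$1"; ak="$2"
    akdir=$(dirname "$ak")
    mkdir -p "$akdir" && chmod 700 "$akdir"
    touch "$ak" && chmod 600 "$ak"
    keybody=$(awk '{ print $2 }' "$pub")
    [ -n "$keybody" ] || { echo "no key material in $pub"; return 1; }
    if grep -qF -- "$keybody" "$ak"; then
        return 0                      # already installed, nothing to do
    fi
    # command substitution strips trailing newlines; printf adds exactly one
    printf '%s\n' "$(cat "$pub")" >> "$ak"
}

# check_ssh_perms <home-dir>
# sshd (StrictModes, the default) ignores the key file when the home directory,
# ~/.ssh or authorized_keys is group- or world-writable; the post additionally
# keeps authorized_keys at 600. Prints one line per problem, returns 0 if clean.
check_ssh_perms() {
    home="$1"; rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; rc=1; continue
        fi
        perm=$(ls -ld "$p" | cut -c1-10)   # e.g. drwxr-xr-x or -rw-------
        case "$perm" in                    # char 6 = group w, char 9 = other w
            ?????w*|????????w?) echo "group/world writable: $p ($perm)"; rc=1 ;;
        esac
    done
    perm=$(ls -l "$home/.ssh/authorized_keys" 2>/dev/null | cut -c1-10)
    [ "$perm" = "-rw-------" ] || { echo "authorized_keys not mode 600: $perm"; rc=1; }
    return "$rc"
}
```

Note that the scp form in step 3 above writes id_rsa.pub over any authorized_keys already present on the target, whereas ssh-copy-id and this helper append to it.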

