After installing scponly, I found that only password login works. Can key-based login without a password be used?
The answer is yes. The original text follows:
# install the scponly package
sudo apt-get install scponly
# create the scp user and set their login shell to be scponly
sudo useradd -m -s /usr/bin/scponly scpuser
# create the .ssh directory
sudo mkdir /home/scpuser/.ssh
# create a key pair (no passphrase if used for automated backups)
sudo ssh-keygen -f /home/scpuser/.ssh/id.rsa
# create the authorized_keys file using the public key
sudo cp /home/scpuser/.ssh/id.rsa.pub /home/scpuser/.ssh/authorized_keys
# correct the ownership (creating keys can't be done as scpuser as no login shell!)
sudo chmod 755 /home/scpuser/.ssh
sudo chmod 644 /home/scpuser/.ssh/authorized_keys
sudo chown -R scpuser:scpuser /home/scpuser

Note: one addition here. To keep the files under .ssh from being tampered with, we use chattr to make them immutable and so tighten the file permissions:
# cd /home/scpuser/.ssh
# chattr +i *
# copy id.rsa to the client server of our choice
# scp /home/scpuser/.ssh/id.rsa clientserver:/www/
Log in to clientserver:
[root@apclt www]# ssh -i id.rsa scpuser@server
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'id.rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: id.rsa
scpuser@server's password:
Permission denied, please try again.
scpuser@server's password:
# ssh reports a permissions error, so we tighten the permissions on the key file
[root@apclt www]# chmod 400 id.rsa
[root@apclt www]# ssh -i id.rsa scpuser@server
Welcome to aliyun Elastic Compute Service!
The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
Last login: Mon Jul 6 21:45:21 2015 from 183.11.157.17
Connection to server closed.
# Passwordless login succeeded, but because we configured scponly an interactive login cannot complete; scp still works:
[root@apclt www]# scp -i id.rsa -r scponly-4.8 scpuser@server:
scponly-4.8 100% 1675 1.6KB/s 00:00
Note: if sftp does not accept -i for specifying the identity file:
sftp: illegal option -- i
you can use:
[root@apclt www]# sftp -oIdentityFile=/tmp/id.rsa scpuser@server
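The two permission rules that the session above runs into (the client ignoring a private key that is readable by others, and sshd's StrictModes requirements on ~/.ssh and authorized_keys) are easy to check before the first connection attempt. The following POSIX shell script is an added example and is not part of the original post or of scponly; it assumes GNU or BSD `stat`, and the key material it writes is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce in plain POSIX sh the
# permission rules that ssh (client) and sshd's StrictModes (server) enforce,
# so the "UNPROTECTED PRIVATE KEY FILE" failure is caught by a deployment
# script instead of at the first connection attempt.

# Octal permission bits of a path (GNU stat, with a BSD stat fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Client side: ssh ignores a private key with any group or other bits set
# (mode & 077 != 0), which is exactly what 0644 triggered in the session.
# Returns 0 if the key would be accepted, 1 if it would be ignored.
check_private_key() {
    case "$(mode_of "$1")" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Server side: with StrictModes (the sshd default), ~/.ssh and
# authorized_keys must not be group- or world-writable. An octal digit without
# the write bit is 0, 1, 4 or 5, so both trailing digits must be in that set.
check_strictmodes() {
    case "$(mode_of "$1")" in
        *[0145][0145]) return 0 ;;
        *)             return 1 ;;
    esac
}

# Install a public key for a restricted user whose home directory is $1 and
# verify the result. 700/600 are used here; the 755/644 from the post also
# satisfy StrictModes, since neither grants write access to group or others.
install_authorized_key() {
    home_dir=$1
    pubkey=$2
    mkdir -p "$home_dir/.ssh"
    cat "$pubkey" >> "$home_dir/.ssh/authorized_keys"
    chmod 700 "$home_dir/.ssh"
    chmod 600 "$home_dir/.ssh/authorized_keys"
    check_strictmodes "$home_dir/.ssh" &&
        check_strictmodes "$home_dir/.ssh/authorized_keys"
}

# Stand-alone demo on constructed files in a temporary directory; the key
# contents are placeholders, not real keys.
demo() {
    tmp=$(mktemp -d)
    printf 'ssh-rsa PLACEHOLDER-PUBLIC-KEY scpuser\n' > "$tmp/id.rsa.pub"
    printf 'PLACEHOLDER-PRIVATE-KEY\n' > "$tmp/id.rsa"
    chmod 644 "$tmp/id.rsa"
    check_private_key "$tmp/id.rsa" || echo "id.rsa 0644: ssh would ignore this key"
    chmod 400 "$tmp/id.rsa"
    check_private_key "$tmp/id.rsa" && echo "id.rsa 0400: accepted"
    install_authorized_key "$tmp/home" "$tmp/id.rsa.pub" &&
        echo "authorized_keys installed and StrictModes-clean"
    rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh check_ssh_perms.sh demo` (hypothetical file name) to see the 0644 key rejected and the 0400 key accepted; the functions can also be sourced from a provisioning script and called on the real paths from the post, such as /home/scpuser/.ssh and the copied id.rsa on the client.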
Reposted from: https://blog.51cto.com/xiangcun168/1672065