Principle
The local machine (L) generates a private/public key pair with ssh-keygen and copies the public key to the remote machine (R) with ssh-copy-id, which appends it to ~/.ssh/authorized_keys of the target user on R.
When L logs in to R with ssh:
L and R first run a key exchange. It gives both sides a session key and a session identifier, and R proves its own identity with its host key.
L offers its public key; R checks that it is listed in authorized_keys.
L signs a message containing the session identifier, the user name and the public key with its private key and sends the signature to R.
R verifies the signature with the stored public key. If it verifies, L is logged in without a password.
Note that R does not encrypt a random number with the public key for L to decrypt and return, as this procedure is often described: the proof is a digital signature, and because it covers the session identifier a signature captured from one session cannot be replayed in another.
When L generates the key with ssh-keygen it should set a passphrase to protect the private key file; the cost is that every login to R that uses the key then needs the passphrase again so the key can be decrypted.
ssh-agent solves this. It is a per-user daemon that holds decrypted private keys in memory and performs the signing on behalf of ssh, so the private key never leaves the agent. ssh-add loads a key into the agent and asks for the passphrase once, at that point. Two caveats: any process running as that user (or as root) on the same host can use every loaded key through the agent socket for as long as it is loaded, and the agent keeps keys until it exits unless a lifetime is set (ssh-add -t) or confirmation is required for each use (ssh-add -c).
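To make the corrected description concrete, here is the challenge-signing exchange reproduced locally as an added example (it is not from the original page); it uses ssh-keygen's -Y sign and -Y verify, which exist in OpenSSH 8.0 and later. The key file names, the principal l@example and the namespace demo-login are invented for the demo, and allowed_signers stands in for authorized_keys.

```bash
#!/bin/sh
# Added example, not code from the original page: the signature-based exchange
# that SSH public-key authentication actually performs, reproduced with
# ssh-keygen -Y sign / -Y verify (OpenSSH 8.0 or later). Key file names, the
# principal l@example and the namespace demo-login are invented for the demo.

# L: generate the key pair. No passphrase so the demo runs unattended; on a real
# workstation set one and let ssh-agent answer the signing requests.
make_client_key() {
    ssh-keygen -q -t ed25519 -N '' -C 'l@example' -f "$WORK/id_ed25519" 2>/dev/null
}

# R: record which key may log in. allowed_signers plays the part of
# authorized_keys; each line is "<principal> <key type> <base64 key>".
install_on_server() {
    printf 'l@example %s\n' "$(cut -d' ' -f1,2 "$WORK/id_ed25519.pub")" > "$WORK/allowed_signers"
}

# R: the data L must sign. In the real protocol this is the session identifier
# from the key exchange plus the user name and key, which both sides already
# hold; nothing is encrypted with the public key and nothing is sent back.
make_challenge() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$WORK/challenge"
}

# L: sign the challenge with the private key (this is where a passphrase, or
# the agent, would be needed). Writes challenge.sig next to the input.
client_sign() {
    ssh-keygen -Y sign -f "$WORK/id_ed25519" -n demo-login "$WORK/challenge" >/dev/null 2>&1
}

# R: check the signature on the given data against the stored public key.
# Exit status 0 means "accept the login".
server_verify() {
    ssh-keygen -Y verify -f "$WORK/allowed_signers" -I l@example -n demo-login \
        -s "$WORK/challenge.sig" < "$1" >/dev/null 2>&1
}

# Whole exchange: returns 0 when the genuine session verifies and a replay of
# the same signature against different session data is refused; 1 if either
# check comes out wrong; 2 if ssh-keygen is missing or too old to sign.
run_demo() {
    WORK=$(mktemp -d) || return 2
    rc=0
    if make_client_key && install_on_server && make_challenge && client_sign; then
        server_verify "$WORK/challenge" || rc=1          # genuine session: must pass
        printf 'different-session' > "$WORK/other"
        server_verify "$WORK/other" && rc=1              # replayed signature: must fail
    else
        rc=2
    fi
    rm -rf "$WORK"
    return $rc
}

if run_demo; then
    echo "genuine session: signature accepted; replay against other session data: refused"
fi
```

Run it as an unprivileged user; it creates and removes a temporary directory. The second verify, against different session data, is the replay case: the same signature is rejected, which is exactly what binding the signature to the session identifier buys in real SSH.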
Steps
On Windows, use Cygwin or Git Bash; recent Windows 10 and 11 builds also ship the OpenSSH client, including ssh-agent as a Windows service.
1) Generate the key pair locally with ssh-keygen
The key is written to the .ssh directory under the current user's home directory, /root/.ssh here because the tutorial runs as root.
[root@iZbp1fza94gkbdpgoq00xcZ ~]# ssh-keygen #default type was rsa (2048 bits) when this was recorded; newer OpenSSH defaults to ed25519, which can also be requested explicitly with -t ed25519
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y #answering y destroys the existing private key, and every host that trusts only the old public key becomes unreachable by key; unless that is intended, answer n and give a different file name
Enter passphrase (empty for no passphrase): #set a passphrase to protect the private key file
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:TCsJk+MRDmLVrloIyeAX3uVl0EhZCNVKB2fes1YRLxw root@iZbp1fza94gkbdpgoq00xcZ
The key's randomart image is:
+---[RSA 2048]----+
|..o.o.+=X+ E. |
|o. + + *+*. . + |
|+.. @ + *. o + . |
|oo + B * . + . |
|. o o o S o |
| . o . . |
| o |
| . |
| |
+----[SHA256]-----+
2) Copy the public key to the remote server with ssh-copy-id
[root@iZbp1fza94gkbdpgoq00xcZ ~]# ssh-copy-id -f -p 60 root@REMOTEMACHINEIP #-p: the remote sshd port; the user@ part can be omitted when the remote user name matches the local one; -f skips ssh-copy-id's check for a key that is already installed, so repeated runs append duplicate lines, so leave it out unless that check misbehaves
The authenticity of host '[REMOTEMACHINEIP]:60 ([REMOTEMACHINEIP]:60307)' can't be established.
ECDSA key fingerprint is SHA256:FllrfgAI7ObtDD8GGtt+rJOlFYbnq7C9/res0zIqpAA.
ECDSA key fingerprint is MD5:4A:2F:be:18:40:2c:14:f2:98:10:7f:7b:9a:43:8a:67.
Are you sure you want to continue connecting (yes/no)? yes #answer only after comparing the fingerprint shown above with one obtained out of band, e.g. ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub on R's console; yes stores it in ~/.ssh/known_hosts, and a later mismatch is then reported as a possible man-in-the-middle instead of being accepted
root@REMOTEMACHINEIP's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh -p '60' 'root@REMOTEMACHINEIP'"
and check to make sure that only the key(s) you wanted were added.
Do that: log in once and read ~/.ssh/authorized_keys on R to confirm that exactly the intended key was appended and nothing else.
3) Start ssh-agent and load the local private key with ssh-add
Add the following at the end of ~/.bashrc (/root/.bashrc here) so that the key is loaded automatically when an interactive session starts:
[root@iZbp1fza94gkbdpgoq00xcZ ~]# vim .bashrc
if [ "$PS1" ] && [ -z "$SSH_AUTH_SOCK" ]; then #only in an interactive shell (scp and other non-interactive sessions have no PS1), and only if no agent is reachable yet, e.g. one forwarded in from another host
    eval "$(ssh-agent -s)" #start ssh-agent; it prints the SSH_AUTH_SOCK and SSH_AGENT_PID exports, which eval applies to this shell
    ssh-add #load the default private key, prompting for its passphrase once (add -t 8h to have the key expire from the agent)
fi
Add the following at the end of ~/.bash_logout so that the agent this session started is stopped when you log out:
[root@iZbp1fza94gkbdpgoq00xcZ ~]# vim .bash_logout
if [ -n "$SSH_AGENT_PID" ]; then
    ssh-agent -k #kills only the agent identified by SSH_AGENT_PID
fi
An earlier version of this hook ran killall ssh-agent and killall ssh. Both act on every process of that name owned by the user, so logging out of one terminal would kill the agents and the open ssh sessions of all your other terminals; testing SSH_AGENT_PID rather than SSH_AUTH_SOCK also avoids trying to kill an agent that was forwarded in from elsewhere. Note that with this setup each new login shell that finds no agent starts its own and asks for the passphrase again; the usual refinement is to keep one agent per user and have new shells reuse it.
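Steps 1 to 3 as one set of shell functions, added here as an example rather than commands from the page, with three changes a practitioner usually wants: an ed25519 key that is never silently overwritten, an idempotent install of the public key that can carry an authorized_keys options prefix, and one agent per user that new shells reuse instead of each starting its own. It assumes an OpenSSH client on L; REMOTEMACHINEIP, port 60 and user root are the page's placeholders, and the function names, the ~/.ssh/agent.env location and the from= address 203.0.113.5 are assumptions.

```bash
#!/bin/sh
# Added example, not the page's own commands: steps 1 to 3 as shell functions.
# Assumes an OpenSSH client on L. REMOTEMACHINEIP, port 60 and user root are the
# page's placeholders; the function names, the ~/.ssh/agent.env file and the
# from= address 203.0.113.5 are invented here.

KEY="$HOME/.ssh/id_ed25519"
AGENT_ENV="$HOME/.ssh/agent.env"   # the one shared agent records its socket and pid here

# Step 1: generate an ed25519 key. -a 100 makes guessing the passphrase against a
# stolen key file slower; ssh-keygen prompts for the passphrase itself. An existing
# key is never overwritten: every host that trusts the old key would lose access.
generate_key() {
    if [ -f "$KEY" ]; then
        echo "$KEY already exists; pick another -f name instead of overwriting" >&2
        return 1
    fi
    (umask 077 && ssh-keygen -t ed25519 -a 100 -C "$(id -un)@$(hostname)" -f "$KEY")
}

# Step 2, local helper: append one public-key line to an authorized_keys file only
# if it is not already present (ssh-copy-id -f skips that check and appends
# duplicates). An optional options prefix restricts the key, for example
# from="203.0.113.5" or command="...".
add_authorized_key() {   # add_authorized_key <authorized_keys path> <pubkey line> [options]
    ak="$1"; line="$2"
    [ -n "${3:-}" ] && line="$3 $line"
    mkdir -p "$(dirname "$ak")" && chmod 700 "$(dirname "$ak")" || return 1
    touch "$ak" && chmod 600 "$ak" || return 1
    grep -qxF "$line" "$ak" && return 0     # already installed, nothing to do
    printf '%s\n' "$line" >> "$ak"
}

# Step 2, remote: the same append, run on R over ssh (the only step that needs the
# network and R's password). ~/.ssh is made 700 and authorized_keys 600 so that
# sshd's StrictModes check passes.
install_on_remote() {   # install_on_remote <user@host> <port> [options]
    line=$(cat "$KEY.pub") || return 1
    [ -n "${3:-}" ] && line="$3 $line"
    ssh -p "$2" "$1" "umask 077; mkdir -p ~/.ssh && chmod 700 ~/.ssh && \
touch ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys && \
{ grep -qxF '$line' ~/.ssh/authorized_keys || printf '%s\n' '$line' >> ~/.ssh/authorized_keys; }"
}

# Step 3: one agent per user, reused by every login shell. agent_reachable is true
# when an agent answers on SSH_AUTH_SOCK, even one with no keys loaded
# (ssh-add -l exits 2 only when it cannot reach an agent).
agent_reachable() {
    [ -S "${SSH_AUTH_SOCK:-}" ] || return 1
    ssh-add -l >/dev/null 2>&1
    [ $? -ne 2 ]
}

# Call this from ~/.bashrc inside the same `if [ "$PS1" ]` guard the page uses.
# The passphrase is asked once; -t 8h drops the key from the agent after 8 hours,
# which replaces the .bash_logout hook (a shared agent must not be killed on logout).
start_or_reuse_agent() {
    [ -r "$AGENT_ENV" ] && . "$AGENT_ENV" >/dev/null
    if ! agent_reachable; then
        (umask 077 && ssh-agent -s > "$AGENT_ENV") && . "$AGENT_ENV" >/dev/null
    fi
    ssh-add -l >/dev/null 2>&1 || ssh-add -t 8h "$KEY"   # load the key only if none is loaded
}

# Usage on L (interactive):
#   generate_key
#   install_on_remote root@REMOTEMACHINEIP 60 'from="203.0.113.5"'
#   start_or_reuse_agent && ssh -p 60 root@REMOTEMACHINEIP
```

With a shared agent the .bash_logout hook is not needed: the key expires through -t, and ssh-add -D clears the agent on demand. The from= restriction means that a copy of the public key line is useless from any other source address, and command= turns a key into a single-purpose credential, which is what you want for backup or deployment keys.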
4) Test
Connecting to IP:PORT...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Last login: Thu Jul 5 11:39:07 2018 from 122.224.223.84
Welcome to Alibaba Cloud Elastic Compute Service !
Agent pid 17168
Enter passphrase for /root/.ssh/id_rsa:
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
[root@iZbp1fza94gkbdapgoq00xcZ ~]# ssh trans #trans is an alias for the remote host defined in /etc/hosts; a Host entry in ~/.ssh/config is the better place for it, since it can also carry Port, User and IdentityFile, so -p 60 and root@ need not be typed each time
Last login: Thu Jul 5 13:08:15 2018 from ip
Welcome to aliyun Elastic Compute Service!
[root@iZbp1c75kyx5u9xtp0ohdfZ ~]# logout
Connection to trans closed.
[root@iZbp1fza94gkbdapgoq00xcZ ~]# ssh -A trans
If a session on R needs to ssh onward to a third host with the same key, add -A to forward the agent connection into that session. Use it sparingly: while the session is open, root on R (or anyone who can reach the forwarded socket) can sign with every key in your local agent and so log in as you wherever those keys are trusted. For plain multi-hop access prefer ProxyJump (ssh -J trans third-host), which keeps the agent local; failing that, load keys with ssh-add -c so each use must be confirmed on L.
Troubleshooting
1) On the remote host, check that /etc/ssh/sshd_config names the file the key was written to:
AuthorizedKeysFile .ssh/authorized_keys
This is the default, as is PubkeyAuthentication yes, but a hardened image may have changed either; sshd -T prints the effective values. If you edit the file, check it with sshd -t and restart sshd while keeping your current session open, so that a mistake cannot lock you out:
[root@iZ23o73gv02Z ~]# service sshd restart #on systemd hosts: systemctl restart sshd
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
2) Fix permissions: ~/.ssh must be 700 and ~/.ssh/authorized_keys 600, both owned by the login user, and the home directory itself must not be group- or world-writable; with the default StrictModes yes, sshd silently ignores authorized_keys otherwise. On SELinux systems such as CentOS, a .ssh directory created or copied by other means may also carry the wrong context; restorecon -R -v ~/.ssh fixes it. If the key is still rejected, ssh -v on L shows which keys were offered, and /var/log/secure (or journalctl -u sshd) on R shows why they were refused.
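Both permission checks in this list, plus the home-directory check that StrictModes also applies and the private-key check ssh itself performs, as a small checker and fixer added here as an example (not taken from the page). It parses ls -ld output so it runs on any Unix; function names and the $HOME default are assumptions.

```bash
#!/bin/sh
# Added example, not from the original page: check (and optionally fix) the
# permissions sshd's StrictModes requires before it will read authorized_keys,
# plus the private-key permissions ssh itself insists on. Uses only ls, so it
# runs on any Unix; the home directory defaults to $HOME.

# mode_string <path>: the 10-character type+permission field from ls -ld
mode_string() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# no_group_other_write <path>: readable by others is fine (a home directory is
# often 755), but group write (char 6) and other write (char 9) must be off.
no_group_other_write() {
    m=$(mode_string "$1")
    [ -n "$m" ] &&
    [ "$(printf '%s' "$m" | cut -c6)" = "-" ] &&
    [ "$(printf '%s' "$m" | cut -c9)" = "-" ]
}

# owner_only <path>: no group or other bits at all (0700 for a dir, 0600 for a file).
owner_only() {
    m=$(mode_string "$1")
    [ -n "$m" ] && [ "$(printf '%s' "$m" | cut -c5-10)" = "------" ]
}

# check_ssh_dir [home]: prints one line per problem; exit status 0 when clean.
check_ssh_dir() {
    home="${1:-$HOME}"; rc=0
    no_group_other_write "$home" || { echo "$home: must not be group- or world-writable"; rc=1; }
    owner_only "$home/.ssh" || { echo "$home/.ssh: expected mode 700"; rc=1; }
    if [ -e "$home/.ssh/authorized_keys" ]; then
        owner_only "$home/.ssh/authorized_keys" || { echo "$home/.ssh/authorized_keys: expected mode 600"; rc=1; }
    fi
    for k in "$home"/.ssh/id_*; do          # private keys; ssh refuses ones readable by others
        case "$k" in *.pub) continue ;; esac
        [ -f "$k" ] || continue
        owner_only "$k" || { echo "$k: private key should be mode 600"; rc=1; }
    done
    return $rc
}

# fix_ssh_perms [home]: apply the modes step 2 of the troubleshooting list asks for.
# Public keys are left alone; only directories, authorized_keys and private keys change.
fix_ssh_perms() {
    home="${1:-$HOME}"
    chmod go-w "$home" && chmod 700 "$home/.ssh" || return 1
    [ -e "$home/.ssh/authorized_keys" ] && chmod 600 "$home/.ssh/authorized_keys"
    for k in "$home"/.ssh/id_*; do
        case "$k" in *.pub) continue ;; esac
        [ -f "$k" ] && chmod 600 "$k"
    done
    return 0
}

# Usage: check_ssh_dir                      # report problems for $HOME
#        fix_ssh_perms && check_ssh_dir     # repair, then confirm it is clean
```

Run check_ssh_dir as the login user on R (it reports, it does not change anything); fix_ssh_perms is what the page's step 2 does by hand, extended to the home directory and private keys. Ownership is not covered: if the files belong to another user, chown them first.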