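SSH key-based connections

1. The SSH protocol

SSH is short for Secure Shell. It is a network security protocol designed to secure remote login sessions and other network services. Using it encrypts data in transit, which effectively prevents information leakage during remote administration.

From the client's point of view there are two authentication methods: password-based and key-based.

Asymmetric encryption

Public key: encrypts
Private key: decrypts
Not the other way round!!!

1.1 SSH login flow


1.2 SSH remote connection: key-based login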

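Explanation:

1. First, generate a key pair (public key and private key) on the client machine
2. The client copies the generated public key to the server machine it needs to access
3. The client then sends a connection request that includes its IP and user name
4. On receiving the request, the server looks in authorized_keys; if it finds a matching IP and user, it generates a random string, for example: qwer
5. The server encrypts the random string qwer with the public key that the client copied over

Related commands
Generate a key pair: ssh-keygen -t rsa
Change to the .ssh directory: cd .ssh/
List the .ssh directory (in one step): cd .ssh && ll
Upload the key manually: ssh-copy-id 192.168.137.137   # target server IP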

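1.2.1 OpenSSH


OpenSSH is a free, open-source implementation of the SSH protocol.

OpenSSH consists of client and server software. The server is a daemon that runs in the background and responds to connection requests from clients; it is normally the sshd process, which handles incoming remote connections.

The client side includes the ssh program plus other applications such as scp (remote copy), slogin (remote login) and sftp (secure file transfer).

By default, CentOS ships with the OpenSSH service installed.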

 [root@centos6 ~]# yum list installed | grep openssh   # check which openssh packages are installed
 openssh.x86_64          5.3p1-122.el6   @anaconda-CentOS-201703281317.x86_64/6.9
 openssh-askpass.x86_64  5.3p1-122.el6   @anaconda-CentOS-201703281317.x86_64/6.9
 openssh-clients.x86_64  5.3p1-122.el6   @anaconda-CentOS-201703281317.x86_64/6.9
 openssh-server.x86_64   5.3p1-122.el6   @anaconda-CentOS-201703281317.x86_64/6.9

1.2.2 OpenSSH usage example


Goal: password-less login

  1. Machines


Client: CentOS 6
Label: a
IP: 192.168.137.129

Server: CentOS 7
IP: 192.168.137.130
Label: b

2. Generate a key pair (public and private key) on machine a

    
 [root@centos6 ~]# ssh-keygen -t rsa            # press Enter 4 times
 Generating public/private rsa key pair.
 Enter file in which to save the key (/root/.ssh/id_rsa): 
 /root/.ssh/id_rsa already exists.
 Overwrite (y/n)? y
 Enter passphrase (empty for no passphrase): 
 Enter same passphrase again: 
 Your identification has been saved in /root/.ssh/id_rsa.
 Your public key has been saved in /root/.ssh/id_rsa.pub.
 The key fingerprint is:
 8e:55:4d:53:39:c6:ff:39:e5:16:39:35:a8:f2:d2:bc root@centos6
 The key's randomart image is:
 +--[ RSA 2048]----+
 |            ooo. |
 |           oo=..|
 |          . o. o+|
 |         o .   +o|
 |        S=    .*|
 |       + . +   o+|
 |      . . . .  ..|
 |           E     |
 |                 |
 +-----------------+
 [root@centos6 ~]# cd .ssh   # change to the .ssh directory
 [root@centos6 ~/.ssh]# ll   # list its contents
 total 16
 -rw-------. 1 root root  391 Nov 17 00:43 authorized_keys
 -rw-------. 1 root root 1675 Nov 20 02:07 id_rsa           # private key
 -rw-r--r--. 1 root root  394 Nov 20 02:07 id_rsa.pub       # public key
 -rw-r--r--. 1 root root  794 Nov 17 00:43 known_hosts

3. Copy the public key to machine b

 [root@centos6 ~/.ssh]# ssh-copy-id 192.168.137.130  # IP of machine b
 The authenticity of host '192.168.137.130 (192.168.137.130)' can't be established.
 RSA key fingerprint is cb:65:de:c5:99:52:fc:91:29:62:b6:ab:57:2f:e0:55.
 Are you sure you want to continue connecting (yes/no)? yes  # type yes
 Warning: Permanently added '192.168.137.130' (RSA) to the list of known hosts.
 root@192.168.137.130's password: 
 Now try logging into the machine, with "ssh '192.168.137.130'", and check in:

   .ssh/authorized_keys

 to make sure we haven't added extra keys that you weren't expecting.

4. Switch to machine b and take a look

 [root@CCC01 ~]# cd .ssh  # change to the .ssh directory
 [root@CCC01 .ssh]# ll    # list its contents
 total 8
 -rw-------. 1 root root 394 Nov 22 10:41 authorized_keys   # this file was created
 -rw-r--r--. 1 root root 397 Nov 20 17:19 known_hosts
 [root@CCC01 .ssh]# 
  5. Switch back to machine a

 [root@centos6 ~/.ssh]# ssh root@192.168.137.130  # try logging in to machine b from machine a
 Last login: Tue Nov 22 09:59:13 2022 from 192.168.137.1
 [root@CCC01 ~]#       # login succeeded!
 [root@CCC01 ~]# exit  # try logging out
 logout
 Connection to 192.168.137.130 closed.
 [root@centos6 ~/.ssh]#        # back on machine a
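
The ssh-copy-id output above asks you to check .ssh/authorized_keys for keys you were not expecting. The script below is an added example, not part of the original post: it lists entries in an authorized_keys file that match none of the public keys you supply, and flags a group- or world-writable file, which sshd's default StrictModes setting refuses. The function names and the key blobs are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm authorized_keys holds only the keys you expect.

# key_blobs FILE: print "type blob" for each key line, skipping comments,
# blank lines and any options (from="...", command="...") before the key type.
key_blobs() {
    awk '/^[ \t]*#/ || NF == 0 { next }
    { for (i = 1; i < NF; i++)
        if ($i ~ /^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-.*|sk-.*)$/) {
            print $i, $(i + 1); break } }' "$1"
}

# unexpected_keys AUTH PUB...: print keys in AUTH found in none of the PUB files.
unexpected_keys() {
    auth=$1; shift
    allowed=$(for pub in "$@"; do key_blobs "$pub"; done)
    key_blobs "$auth" | while read -r ktype blob; do
        printf '%s\n' "$allowed" | grep -qxF -- "$ktype $blob" || echo "$ktype $blob"
    done
}

# writable_by_others PATH: succeeds if group or others may write PATH.
# sshd's default StrictModes refuses key files with such modes.
writable_by_others() {
    case $(ls -ld "$1") in
        ?????w*|????????w*) return 0 ;;
    esac
    return 1
}

# Demo on constructed data: the blobs are placeholders, not real keys.
demo() {
    d=$(mktemp -d) || return 1
    echo 'ssh-rsa AAAAB3CONSTRUCTEDa root@centos6' > "$d/id_rsa.pub"
    cat > "$d/authorized_keys" <<'EOF'
# constructed sample
ssh-rsa AAAAB3CONSTRUCTEDa root@centos6
from="192.168.137.1" ssh-ed25519 AAAAC3CONSTRUCTEDb unknown@laptop
EOF
    chmod 600 "$d/authorized_keys"
    unexpected_keys "$d/authorized_keys" "$d/id_rsa.pub"
    if writable_by_others "$d/authorized_keys"; then echo "mode too permissive"; fi
    rm -rf "$d"
}
demo
```

On machine b the real call would be unexpected_keys ~/.ssh/authorized_keys followed by a copy of machine a's id_rsa.pub; any line it prints is a key that still grants login and was not in the list you supplied.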

1.2.3 Asymmetry of the public and private keys


We use the same machines as above.

  1. Switch to machine b

 [root@CCC01 .ssh]# ssh 192.168.137.129   # log in to machine a
 root@192.168.137.129's password:     # a password is still required
 Last login: Sun Nov 20 01:37:51 2022 from 192.168.137.1
 [root@centos6 ~]# 
  2. For password-less login in both directions, repeat the procedure from machine b

 [root@CCC01 ~]# ssh-keygen -t rsa
 Generating public/private rsa key pair.
 Enter file in which to save the key (/root/.ssh/id_rsa): 
 Enter passphrase (empty for no passphrase): 
 Enter same passphrase again: 
 Your identification has been saved in /root/.ssh/id_rsa.
 Your public key has been saved in /root/.ssh/id_rsa.pub.
 The key fingerprint is:
 SHA256:lFyJzqMt4N3UP4YoJ7wSDYf4TpoPLjtzEz5rM75PUAI root@CCC01
 The key's randomart image is:
 +---[RSA 2048]----+
 |E        ...     |
 | .     ..o.      |
 |  .... o+.       |
 |  .o+ ..= .      |
 |  .o B =So o     |
 |  ..= O = . +    |
 | ..*.. *   . .   |
 |+.@oo .          |
 |.O=Xo.           |
 +----[SHA256]-----+
 [root@CCC01 ~]# ssh-copy-id 192.168.137.129
 /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
 /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
 /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
 root@192.168.137.129's password: 

 Number of key(s) added: 1

 Now try logging into the machine, with:   "ssh '192.168.137.129'"
 and check to make sure that only the key(s) you wanted were added.

 [root@CCC01 ~]# ssh 192.168.137.129
 [root@centos6 ~]#    # test succeeded!