-t 指定密钥类型 rsa dsa
-C 指定用户邮箱
[root@m01 ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:f/QWh5uWzIqREAPqA+mnjUqBXrDjJm49tqkDHCQ8n88 root@m01
The key's randomart image is:
+---[RSA 2048]----+
|..||.+ ...||o.= o o ||.oo= o .||o+o.* S . o .||+.+= E o o + * ||o=+ . + . X ||=+ +. + + ||oo+oo ..|
+----[SHA256]-----+
[root@m01 ~]# cd .ssh
[root@m01 .ssh]# ll
total 8
-rw------- 1 root root 1675 Apr 23 20:17 id_rsa #私钥
-rw-r--r-- 1 root root 390 Apr 23 20:17 id_rsa.pub #公钥
#方式二:命令推送公钥
[root@m01 .ssh]# ssh-copy-id -i .ssh/id_rsa.pub root@172.16.1.31
/usr/bin/ssh-copy-id: ERROR: failed to open ID file '.ssh/id_rsa.pub': No such file or directory
# 相对路径 .ssh/id_rsa.pub 是按当前目录 ~/.ssh 解析的，所以找不到文件；下面改用 ~/.ssh/id_rsa.pub 的完整路径
[root@m01 .ssh]# cd
[root@m01 ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub 172.16.1.31
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@172.16.1.31's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '172.16.1.31'"
and check to make sure that only the key(s) you wanted were added.
#验证
[root@m01 ~]# ssh 172.16.1.31
Last login: Fri Apr 23 19:50:32 2021 from 192.168.15.1
[root@nfs ~]#
#公钥传输到这个文件
[root@nfs ~]# cd .ssh
[root@nfs .ssh]# ll
total 4
-rw------- 1 root root 390 Apr 23 20:23 authorized_keys
#配置文件所在目录
[root@nfs .ssh]# vim /etc/ssh/sshd_config
AuthorizedKeysFile .ssh/authorized_keys
# 注:只给当前用户传输公钥
#登录留痕
[root@m01 .ssh]# ll
total 12
-rw------- 1 root root 1675 Apr 23 20:17 id_rsa
-rw-r--r-- 1 root root 390 Apr 23 20:17 id_rsa.pub
-rw-r--r-- 1 root root 173 Apr 23 20:20 known_hosts
[root@m01 .ssh]# cat known_hosts
172.16.1.31 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBB1c8Kpnc5NjQ8I84CIVi7pjzvGNp5xoDqpNcWzG4DPTuSmbWduLCps6n00Gw6tirhkn0Rnt74BAhvWAgJQqYgw=
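[root@m01 .ssh]# vim ssh.sh
#!/bin/bash
# Run `df -h` on each host in the list, printing a banner per host.
#
# The SSH password is handed to sshpass through the SSHPASS environment
# variable (-e) rather than on the command line (-p), so it is not visible
# to other users via `ps` or left in shell history. The original value is
# kept as the fallback so the script behaves as before when SSHPASS is unset.
#
# NOTE: StrictHostKeyChecking=no turns off host-key verification, so a
# changed or spoofed host key is accepted silently. On OpenSSH >= 7.6,
# -o StrictHostKeyChecking=accept-new still pins first-seen keys and is the
# safer choice for unattended runs.
export SSHPASS="${SSHPASS:-1}"
for num in 41 31 7; do
  echo "------------------ 10.0.0.${num} -----------------"
  sshpass -e ssh -o StrictHostKeyChecking=no "root@10.0.0.${num}" df -h
done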
SSH安全优化
SSH作为远程连接服务,通常我们需要考虑到服务的安全,所以需要对服务进行安全方面的配置。
1、更改远程登录的端口（修改后需在防火墙放行新端口并重启 sshd，修改期间保留当前会话以免被锁在外面）
[root@backup ~]# vim /etc/ssh/sshd_config
Port 2222
2、禁止root管理员直接登录
[root@backup ~]# vim /etc/ssh/sshd_config
PermitRootLogin no
3、密码认证方式改为密钥认证（先在另一个会话中确认密钥登录已可用，再关闭密码认证，以免被锁在外面）
[root@backup ~]# vim /etc/ssh/sshd_config
PasswordAuthentication no
4、重要服务不使用公网IP地址
[root@web2 ~]# vim /etc/ssh/sshd_config
UseDNS no
[root@web2 ~]# vim /etc/ssh/sshd_config
GSSAPIAuthentication no
ssh远程管理服务器
对内网所有的机器进行免密
# 创建密钥
[root@m01 ~]# ssh-keygen -t rsa
# 免密登录
[root@m01 ~]# for i in 7 8 31 41 ;do ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.16.1.$i; done