CentOS7做ssh免密登录详解程序员

(1)实验环境

  两台CentOS7:

    youxi1  192.168.1.6

    youxi2  192.168.1.7

  这里我将防火墙关闭进行实验,如果防火墙开启,请将端口加入到防火墙规则中。

(2).目标

  在ssh端口不为22的情况下,进行单向免密登录或双向免密登录(端口不一致)

(3).实验

  首先修改两台服务器的端口,vim /etc/ssh/sshd_config,找到如下部分

#Port 22 

  将#去除,22改为想要的端口号。这里我将youxi1的ssh端口号改为2890,youxi2的ssh端口号改为2891。

  接着使用命令systemctl restart sshd重启服务。再使用netstat -tlunp | grep sshd查看端口号(如果没有netstat请安装net-tools)

[[email protected] Packages]# netstat -tlunp | grep sshd  //youxi1 
tcp        0      0 0.0.0.0:2890            0.0.0.0:*               LISTEN      9953/sshd            
tcp6       0      0 :::2890                 :::*                    LISTEN      9953/sshd 
[[email protected] ~]# netstat -tlunp | grep sshd  //youxi2 
tcp        0      0 0.0.0.0:2891            0.0.0.0:*               LISTEN      17526/sshd           
tcp6       0      0 :::2891                 :::*                    LISTEN      17526/sshd 

1)单向免密登录

  youxi1使用ssh远程youxi2不需要密码,但youxi2使用ssh远程youxi1需要密码

  在yousi1上使用ssh-keygen生成公钥和私钥(这里使用默认的rsa),一路默认即可

[[email protected] ~]# ssh-keygen -t rsa  //默认指定的是rsa,所以可以没有-t rsa 
Generating public/private rsa key pair. 
Enter file in which to save the key (/root/.ssh/id_rsa):   //选项没有指定生成地址时,此处也可以指定 
Created directory '/root/.ssh'. 
Enter passphrase (empty for no passphrase):  
Enter same passphrase again:  
Your identification has been saved in /root/.ssh/id_rsa. 
Your public key has been saved in /root/.ssh/id_rsa.pub. 
The key fingerprint is: 
SHA256:ia+le9ZX3cAxztmIINJbWnEGrK9lq4lY4pYNevgqecM [email protected] 
The key's randomart image is: 
+---[RSA 2048]----+ 
|       . .ooo    | 
|      . o =o  o  | 
|       . B . = * | 
|       .+.  . B .| 
|      . S.     o.| 
|    .  .  +   . o| 
| o o.+. o= . .   | 
|o E.++.=+.o .    | 
| o.*+ =+o. .     | 
+----[SHA256]-----+

  在没有指定生成地址时,会默认生成到家目录下的.ssh/目录下。使用rsa就会生成id_rsa和id_rsa.pub两个文件,如果使用的是dsa则生成的是id_dsa和id_dsa.pub两个文件。

[[email protected] ~]# ls /root/.ssh/ 
id_rsa  id_rsa.pub 

  接着使用命令ssh-copy-id命令将公钥发到youxi2服务器上

[[email protected] ~]# ssh-copy-id -i .ssh/id_rsa.pub -p2891 [email protected]//-p选项指定被远程的服务器的端口号 
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_rsa.pub" 
The authenticity of host '[192.168.1.7]:2891 ([192.168.1.7]:2891)' can't be established. 
ECDSA key fingerprint is SHA256:j3ee8eoTo2XEv0QxCYmxphMipcNRxC+IONPmt1HwRLg. 
ECDSA key fingerprint is MD5:25:e2:b4:08:f2:79:7d:6e:42:84:b5:78:3d:6a:81:20. 
Are you sure you want to continue connecting (yes/no)? yes  //yes继续 
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed 
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys 
[email protected]'s password:   //输入192.168.1.7服务器上的root用户的密码 
 
Number of key(s) added: 1 
 
Now try logging into the machine, with:   "ssh -p '2891' [email protected]'" 
and check to make sure that only the key(s) you wanted were added. 

  公钥传完后虽然会在本地生成.ssh/known_hosts文件,但并不生效。而在youxi2服务器的root用户的家目录下生成.ssh目录,并含有authorized_keys文件。

[[email protected] ~]# ls .ssh/ 
authorized_keys 

  此时youxi1上的id_rsa.pub文件与youxi2是上的authorized_keys文件相同。

  最后测试:在youxi1上ssh远程youxi2,会发现并不需要输入密码

[[email protected] ~]# ssh -p 2891 [email protected] 
Last login: Sun May 12 17:46:49 2019 from youxi1.cn 
[[email protected] ~]# ls .ssh/ 
authorized_keys 

  注意:是本机生成的公钥发给被远程的服务器,在发送公钥和远程服务器时,都需要指定被远程的服务器的端口号。

2)双向免密登录

  双向免密就是互换公钥即可,这里接着上面把youxi2的公钥发送到youxi1上,并进行测试。

[[email protected] ~]# ssh-keygen  
Generating public/private rsa key pair. 
Enter file in which to save the key (/root/.ssh/id_rsa):  
Enter passphrase (empty for no passphrase):  
Enter same passphrase again:  
Your identification has been saved in /root/.ssh/id_rsa. 
Your public key has been saved in /root/.ssh/id_rsa.pub. 
The key fingerprint is: 
SHA256:9+woxNPvkE99zGUEZNcI+DJaUUIZXXMKb7k/Y6kPiJU [email protected] 
The key's randomart image is: 
+---[RSA 2048]----+ 
|         .+*++*.+| 
|          +..+.B.| 
|           o  = .| 
|          + o. o | 
|       .S+.E  . o| 
|        =.++.. =o| 
|       . ooo+..==| 
|        .  *. +.o| 
|         ...+... | 
+----[SHA256]-----+ 
[[email protected] ~]# ssh-copy-id -i .ssh/id_rsa.pub -p2890 [email protected] 
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_rsa.pub" 
The authenticity of host '[192.168.1.6]:2890 ([192.168.1.6]:2890)' can't be established. 
ECDSA key fingerprint is SHA256:j3ee8eoTo2XEv0QxCYmxphMipcNRxC+IONPmt1HwRLg. 
ECDSA key fingerprint is MD5:25:e2:b4:08:f2:79:7d:6e:42:84:b5:78:3d:6a:81:20. 
Are you sure you want to continue connecting (yes/no)? yes 
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed 
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys 
[email protected]'s password:  
 
Number of key(s) added: 1 
 
Now try logging into the machine, with:   "ssh -p '2890' [email protected]'" 
and check to make sure that only the key(s) you wanted were added. 
 
[[email protected] ~]# ssh -p 2890 [email protected] 
Last login: Sun May 12 17:24:54 2019 from youxi2.cn 
[[email protected] ~]#  

  

原创文章,作者:奋斗,如若转载,请注明出处:https://blog.ytso.com/2765.html

(0)
上一篇 2021年7月16日
下一篇 2021年7月16日

相关推荐

发表回复

登录后才能评论