一,不需要输密码的ssh

原理:首先服务器端把公钥传给Client端,Client端在验证了服务器的可信性以后,可以通过对称加密传输数据。当Client要链接到server的时候,会通过/etc/shadow验证用户名和密码,但是如果在客户端产生一对密钥,然后把产生的公钥传到服务器端,这样的话在接受了客户端用私钥加密的数据以后可以直接用服务器拥有的客户机的公钥进行解密,用的是公钥加密私钥解密的模式,而不需要读/etc/shadow文件,这是两种不同的连接方式。

1,在ssh的server端启动sshd服务就会产生public key 和private key,一共3对钥匙。

[root@server1 ssh]# service sshd restart

Stopping sshd: [ OK ]

Generating SSH1 RSA host key: [ OK ]

Generating SSH2 RSA host key: [ OK ]

Generating SSH2 DSA host key: [ OK ]

Starting sshd:

[root@server1 ssh]# ls (/etc/ssh)

moduli ssh_host_dsa_key ssh_host_key.pub

ssh_config ssh_host_dsa_key.pub ssh_host_rsa_key

sshd_config ssh_host_key ssh_host_rsa_key.pub

2,每次有Client端得ssh联机需求传过来时,server就会传公钥给Client,此时client会利用/etc/ssh/ssh_know_hosts或者~/.ssh/know_hosts对比公钥的正确性。~/.ssh/know_hosts会记录曾经连过的服务器的public_key,

[root@server2 ~]# rm -fr .ssh/known_hosts

[root@server2 ~]# ls .ssh/

[root@server2 ~]# ssh ###如果在连某个主机的时候know_hosts里面没有记录,则在ssh的时候会弹出对话并在里面添加这条记录,这样下次再连的时候就不会再询问###

The authenticity of host ‘192.168.12.1 (192.168.12.1)’ can’t be established.

RSA key fingerprint is cf:ea:07:39:9b:fb:04:76:7e:c5:73:0b:97:fb:06:db.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added ‘192.168.12.1’ (RSA) to the list of known hosts.

root@192.168.12.1’s password:

Server上 查看server上的指纹,与返回到Client端得指纹一样,则验证了主机的真实性,每一对密钥都有一样的指纹。

[root@server4 ~]# ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub

2048 cf:ea:07:39:9b:fb:04:76:7e:c5:73:0b:97:fb:06:db /etc/ssh/ssh_host_rsa_key.pub

[root@server4 ~]# ssh-keygen -lf /etc/ssh/ssh_host_rsa_key

2048 cf:ea:07:39:9b:fb:04:76:7e:c5:73:0b:97:fb:06:db /etc/ssh/ssh_host_rsa_key.pub

[root@server2 ~]# cat .ssh/known_hosts

192.168.12.1 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvPOQ0LmlgrE15e37+eL2fGXGAbUaSr1BI5nWFjXc/pdN3MbGIPBDWnKryIke6gR3wxag72IZ5ZmXQ0VQ6CPBD/lumAo0Ymq2B70l9eyxri8j++O+DbQVmFMJ3aGgr2qf70NXC1I+C22i6Chfx2gWTm9rtDDa/5fYrXseqGlM+EhG7MgC2bIkcAweboDejd+4wet0Kgp0YSl+QVlqbsTMJi4fvhIt/n95+CzJFhp0uOcRvFvIuW+wGM3b7Tg7O3r6VzNBZJM27LHuoWRItHuFpkitT58fsp3aBkIeNR22V65SY/5ICO2ywz0QCYZAz4gcjFsEAGKqL1GqdwTkuN+QAQ==

####添加了该访问记录###

客户端产生密钥对   

ssh-keygen -t rsa -P ”  免密码生成公私钥,如下:

[youxi@localhost ~]$ ssh-keygen -t rsa -P ”
Generating public/private rsa key pair.
Enter file in which to save the key (/home/youxi/.ssh/id_rsa):
Your identification has been saved in /home/youxi/.ssh/id_rsa.
Your public key has been saved in /home/youxi/.ssh/id_rsa.pub.
The key fingerprint is:
95:4a:65:1d:92:f9:1b:0c:0b:10:8a:74:2a:27:5d:66 youxi@localhost.localdomain
The key’s randomart image is:
+–[ RSA 2048]—-+
| . E oo ++.. |
| o B . .o+o. |
|o = . ..o= |
| + . o. + |
| S o |
| . |
| |
| |
| |
+—————–+

 

[root@server2 ~]# ssh-keygen -t rsa

Generating public/private rsa key pair.

Enter file in which to save the key (/root/.ssh/id_rsa):

Enter passphrase (empty for no passphrase): ###这是对产生的私钥进行加密###

Enter same passphrase again:

Your identification has been saved in /root/.ssh/id_rsa. ###客户端的私钥###

Your public key has been saved in /root/.ssh/id_rsa.pub. ###客户端的公钥###

The key fingerprint is:

ed:af:64:8c:14:18:0c:97:36:54:b5:e1:35:dc:83:5c root@server2

[root@server2 ~]# cd .ssh/

[root@server2 .ssh]# ls

id_rsa id_rsa.pub known_hosts ###客户端产生的密钥对存在这下面###

###把客户端的公钥传给客户端###

[root@server2 .ssh]# ssh-copy-id -i id_rsa.pub 192.168.12.1

10

root@192.168.12.1’s password:

Now try logging into the machine, with “ssh ‘192.168.12.1’”, and check in:

.ssh/authorized_keys

to make sure we haven’t added extra keys that you weren’t expecting.

[root@server2 .ssh]# cat id_rsa.pub

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAriu15Mg0+5AiZa0pp2/mOPre9T9JtNuwKCEX4OC6bDWd/FbXScUO7Nu/I6gLtToGiAoId9nucysHOvPIiqoKiRq7E6exueWzJkFj09RrndzW2XKwKlHzTIvBAuyp9fOT4nVauiu3UbdkyyRTiwgo5Ze5amlJlrr7tT3/f3JyOlVICPsebSm4eN2t0t8+6f/CwkhsGiHHMwVzrPp9oixnkVetYi1pDjCFxCQS2Q/eBPaC58HopcUqpkWMpw8imoud8oL7+zcypPVoUP8RqeOq/of0tqgNbsMpOcDxPiFyh6UMjaGotDGCHKFNpZerJzzmmevCkUNtF2bzIhUctadkZQ== root@server2

###在客户端查看,发现新产生了一个authorized_keys ,里面内容和公钥的一样,以后再加的话会自动在这个文件里追加内容###

[root@server4 .ssh]# ls

authorized_keys known_hosts

[root@server4 .ssh]# cat authorized_keys

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAriu15Mg0+5AiZa0pp2/mOPre9T9JtNuwKCEX4OC6bDWd/FbXScUO7Nu/I6gLtToGiAoId9nucysHOvPIiqoKiRq7E6exueWzJkFj09RrndzW2XKwKlHzTIvBAuyp9fOT4nVauiu3UbdkyyRTiwgo5Ze5amlJlrr7tT3/f3JyOlVICPsebSm4eN2t0t8+6f/CwkhsGiHHMwVzrPp9oixnkVetYi1pDjCFxCQS2Q/eBPaC58HopcUqpkWMpw8imoud8oL7+zcypPVoUP8RqeOq/of0tqgNbsMpOcDxPiFyh6UMjaGotDGCHKFNpZerJzzmmevCkUNtF2bzIhUctadkZQ== root@server2

注:在RHEL4里没有ssh-copy-id 这个命令,可以用

#~/.ssh/cat id_dsa.pub| ssh 192.168.12.1 “cat > ~/.ssh/authorized_keys” 代替

验证
在客户端

[root@server2 .ssh]# ssh 192.168.12.1

Enter passphrase for key ‘/root/.ssh/id_rsa’: ###输的是私钥的密码,而不是server端的密码###

Last login: Fri Oct 30 05:33:58 2009 from server2.163.com

但这只是以root身份登录才会免密码,如果以其他用户身份登录还是会要求输入密码,不用以上密码加密和解密的过程。

二,ssh-agent(客户端上)

通过上面的实验我们发现虽然加了私钥密码很安全,但是每次连接都要输私钥密码就会很麻烦,所以可以通过代理的方式使私钥只要解密一次,就会把它加载在内存里,以后登录的时候就不用输入密码了

但这只在该新起的shell中生效

[root@server2 .ssh]# ssh-agent /bin/bash

###[root@server2 .ssh]# ssh-agent $SHELL也可以,因为

[root@server2 .ssh]# echo $SHELL

/bin/bash

如果要起图形界面#ssh-agent /usr/bin/gnome-terminal

###

[root@server2 .ssh]# ssh-add ###将私钥导入内存,输入解密密码###

Enter passphrase for /root/.ssh/id_rsa:

Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)

[root@server2 .ssh]# ps

PID TTY TIME CMD

14758 pts/1 00:00:00 bash

14978 pts/1 00:00:00 bash

14993 pts/1 00:00:00 ps

注:如果不新开一个shell 在加入内存时会出现以下报错

[root@server2 .ssh]# ssh-add

Could not open a connection to your authentication agent.

本文出自 “运维之道” 博客,请务必保留此出处http://lxshopping.blog.51cto.com/4542643/1179864

改变目录底层的属性方法chattr和lsattr

chattr命令的作用很大,其中一些功能是由Linux内核版本来支持的,如果Linux内核版本低于2.2,那么许多 功能不能实现。同样-D检查压缩文件中的错误的功能,需...

阅读全文

sendmail简单配置与使用

linux邮件服务器现在主流是postfix,配置也比较简单,跟ftp配置一样,这里主要记录下sendmail的简单配置.  1.安装相关的包: yum -y install sendmail sendmai...

阅读全文

域名无法解析简单的排查方法

当域名出现无法解析的情况,可以使用下面的方法进行排查: 首先安装域名排查工具 [root@localhost ~]# yum install -y jwhois 运行如下命令:查看Domain Stat...

阅读全文