Public/private-key authentication (passwordless login)
Key-pair authentication is what is usually called passwordless login. The idea in two lines:
1. Machine A wants to log in to machine B without typing a password.
2. Machine A must hand its public key to machine B beforehand.
How it works, using the two hosts from the examples below (master-61 is the client, web-7 is the server):
1. master-61 generates a key pair.
2. master-61 sends its public key to web-7 with ssh-copy-id. This one-time step still asks for web-7's account password; once the password is accepted,
3. web-7 appends master-61's public key to ~/.ssh/authorized_keys, its list of trusted public keys.
4. The next time master-61 runs ssh to web-7, it offers that public key and web-7 looks it up in ~/.ssh/authorized_keys. If the key is not listed, sshd refuses the offer and the client moves on to its other keys or to password authentication.
5. If it is listed, master-61 has to prove it holds the matching private key: it signs a message made of the session identifier (derived from this connection's key exchange, so it is different every time) together with the authentication request fields.
6. web-7 verifies that signature with the public key stored in authorized_keys. The private key itself never leaves master-61.
7. If the signature checks out, web-7 allows the login.
Many tutorials describe steps 5 to 7 as the server encrypting a random string with the public key and the client decrypting it and sending it back. That is fine as intuition, but SSH-2 actually uses a signature (RFC 4252), and the "random" part is the per-connection session identifier: without it, a signature captured on the wire could be replayed on a later connection.
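The exchange in steps 4 to 7, as an added example that is not part of the original page or of OpenSSH: a client and a server object play master-61 and web-7, with textbook RSA over two fixed Mersenne primes standing in for a real ssh-rsa key (constructed key material, far too small for real use). Besides the happy path it shows the two failure modes the steps imply: a key that is not in authorized_keys, and a valid signature replayed under a different session identifier. The message framing is a simplified version of the RFC's binary encoding.

```python
"""Toy walk-through of SSH-2 public-key user authentication (RFC 4252, section 7).

Added example, not the page's code and not OpenSSH code. Textbook RSA over two
fixed Mersenne primes stands in for a real ssh-rsa key so the numbers stay small;
it must never be used as actual cryptography.
"""
import hashlib

E = 65537


def make_keypair(p, q):
    """Textbook RSA key from two primes: public (e, n), private (d, n)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (E, n), (d, n)


def sign(priv, data):
    """Client side: only the holder of d can produce this value."""
    d, n = priv
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % n  # toy: no PKCS#1 padding
    return pow(h, d, n)


def verify(pub, data, sig):
    """Server side: needs nothing but the public key from authorized_keys."""
    e, n = pub
    h = int.from_bytes(hashlib.sha256(data).digest(), "big") % n
    return pow(sig, e, n) == h


def userauth_request(username, session_id, pub):
    """What the client signs: the session id plus the USERAUTH_REQUEST fields.

    The session id is the exchange hash of this connection's key exchange, fresh
    every time, which is why a captured signature cannot be replayed later.
    Framing is simplified relative to the RFC's binary encoding.
    """
    e, n = pub
    return b"|".join([session_id, b"SSH_MSG_USERAUTH_REQUEST", username.encode(),
                      b"ssh-connection", b"publickey", b"ssh-rsa",
                      e.to_bytes(3, "big"), n.to_bytes((n.bit_length() + 7) // 8, "big")])


class SshServer:
    """web-7: holds each user's ~/.ssh/authorized_keys and judges login attempts."""

    def __init__(self):
        self.authorized_keys = {}  # username -> set of public keys

    def install_key(self, username, pub):
        """What ssh-copy-id achieves after the one-time password login."""
        self.authorized_keys.setdefault(username, set()).add(pub)

    def authenticate(self, username, session_id, pub, signature):
        # Step 4: is the offered key in this user's authorized_keys at all?
        if pub not in self.authorized_keys.get(username, set()):
            return "rejected: key not in authorized_keys"
        # Steps 5-7: does the client prove possession of the matching private key?
        if not verify(pub, userauth_request(username, session_id, pub), signature):
            return "rejected: bad signature"
        return "accepted"


def client_login(server, username, session_id, pub, priv):
    """master-61: offer the public key and sign the session-bound request."""
    signature = sign(priv, userauth_request(username, session_id, pub))
    return server.authenticate(username, session_id, pub, signature)


def demo():
    """Run the happy path and two failure modes; returns the server's verdicts."""
    # Constructed key material: Mersenne primes, nothing like real key sizes.
    master61_pub, master61_priv = make_keypair((1 << 61) - 1, (1 << 89) - 1)
    stranger_pub, stranger_priv = make_keypair((1 << 107) - 1, (1 << 127) - 1)

    web7 = SshServer()
    web7.install_key("root", master61_pub)  # ssh-copy-id root@web-7

    # Two session ids stand in for the exchange hashes of two separate connections.
    session_a = hashlib.sha256(b"constructed KEX transcript A").digest()
    session_b = hashlib.sha256(b"constructed KEX transcript B").digest()

    results = {}
    results["legit"] = client_login(web7, "root", session_a, master61_pub, master61_priv)
    results["unknown_key"] = client_login(web7, "root", session_a, stranger_pub, stranger_priv)
    # An eavesdropper replays master-61's signature from session A inside session B.
    replayed = sign(master61_priv, userauth_request("root", session_a, master61_pub))
    results["replayed_signature"] = web7.authenticate("root", session_b, master61_pub, replayed)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:20s} {verdict}")
```

The two rejections are the ones you meet in practice: "key not in authorized_keys" is the ssh-copy-id step missing or the key installed under the wrong user, and a signature that does not verify is the wrong private key being offered (check with `ssh -v`, which lists every key the client tries).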
Public/private-key authentication in practice (important)
The principle is involved, but doing it is simple: a few commands, which produce a few configuration files.
The reason Teacher Yu Chao walks you through the principle is so that you understand the communication behind it: whether you are troubleshooting or dealing with an SSH security problem, going back over this flow points you to the fix.
Passwordless login steps
1. Create the key pair; pressing Enter at every prompt accepts the defaults. Note that with an empty passphrase anyone who can read id_rsa can log in as you, so keep the file at mode 0600 (or set a passphrase and use ssh-agent).
[root@master-61 ~]#ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:ENZzEVp+qIjG+Cb/MBko8anhY8JGrbqLhR8+6ZI9B2o root@master-61
The key's randomart image is:
+---[RSA 2048]----+
| o. +o |
| . .o+.. |
|. . .oo . |
| o.= . o . . |
|o.=.= . S |
|+=oo o |
|+@+o* |
|XE*=.o |
|*=++... |
+----[SHA256]-----+
2. Inspect the generated key pair (the private key is 0600, readable only by its owner; the public key is world-readable).
[root@master-61 ~]#ls -l ~/.ssh/
total 8
-rw------- 1 root root 1679 Apr 22 19:43 id_rsa
-rw-r--r-- 1 root root 396 Apr 22 19:43 id_rsa.pub
3. Send the public key to the target machine. Because this is the first connection to web-7, ssh also asks you to accept web-7's host key; compare the fingerprint with one obtained out of band before answering yes, since this is the moment a man-in-the-middle could insert its own host.
[root@master-61 ~]#ssh-copy-id web-7
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host 'web-7 (10.0.0.7)' can't be established.
ECDSA key fingerprint is SHA256:Csqwr63+SZRFFOug/IGoFTgRe8hDSI/QalSMBcC6IaU.
ECDSA key fingerprint is MD5:4c:9a:37:e2:5b:b5:de:a8:bf:90:b5:28:d8:5b:ac:60.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@web-7's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'web-7'"
and check to make sure that only the key(s) you wanted were added.
4. Test that the login no longer asks for a password.
[root@master-61 ~]#ssh root@web-7
Last login: Fri Apr 22 17:50:42 2022 from 10.0.0.1
[root@web-7 ~]#
Check authorized_keys on web-7 (it now holds exactly the contents of master-61's id_rsa.pub):
[root@web-7 ~]#cat ~/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDRsvpXAYBkQ/q3X9Rs7s+W5ppBaHj4zqtLk6Dvk0yvpFYIJvgvK27Q0hZWE5lXgiSpeYY3wXsg0SLI0/DAEU+mi2mrSUaCMDyia9A0vtpKsu574QDl2eOgU46sBrKfUw1vxC5Ow5awCzHu6RCdvo6mqVLDfqBG4e+pUEvYP4XVL4LMPqK0Wp5OZNprtIXzu57xE+wNUcbwC+hWc/2VSyBAtu9VXtVebrUk9t8hVAhKc2e7m8feexd+/WK5a4/FTj7oQb6P7GK+7gVXY6Thgwv54uIR9gSDU1U5aqEI9ng0xPUyI5KDMWjn2O2mfPY2tMF9ZsAgXJ/S7daMefRzdFvp root@master-61
Check master-61's key files
Public key
[root@master-61 ~]#cat ~/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDRsvpXAYBkQ/q3X9Rs7s+W5ppBaHj4zqtLk6Dvk0yvpFYIJvgvK27Q0hZWE5lXgiSpeYY3wXsg0SLI0/DAEU+mi2mrSUaCMDyia9A0vtpKsu574QDl2eOgU46sBrKfUw1vxC5Ow5awCzHu6RCdvo6mqVLDfqBG4e+pUEvYP4XVL4LMPqK0Wp5OZNprtIXzu57xE+wNUcbwC+hWc/2VSyBAtu9VXtVebrUk9t8hVAhKc2e7m8feexd+/WK5a4/FTj7oQb6P7GK+7gVXY6Thgwv54uIR9gSDU1U5aqEI9ng0xPUyI5KDMWjn2O2mfPY2tMF9ZsAgXJ/S7daMefRzdFvp root@master-61
Private key file (never leaves this machine; never copy it to web-7)
[root@master-61 ~]#ls -l ~/.ssh/id_rsa
-rw------- 1 root root 1679 Apr 22 19:43 /root/.ssh/id_rsa
Host keys of servers already connected to (this is where the "yes" answered above was recorded; a later "REMOTE HOST IDENTIFICATION HAS CHANGED" warning means web-7's host key no longer matches this line)
[root@master-61 ~]#cat ~/.ssh/known_hosts
web-7,10.0.0.7 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBL/Sx3bAaNcKqo7pC4FTYk3gyZ6hd1D/DKUWVfOd4gZb/8XwlAxWauceHe/BAsW5Z8pEmG6AjSyHM8ckOs94c7Y=
Summary of the configuration files
These are the files involved in the whole passwordless-login process.
Client: generates the key pair; check this directory
[root@master-61 ~]#ls ~/.ssh/
id_rsa id_rsa.pub known_hosts
Server: records the client's public key
[root@web-7 ~]#ls ~/.ssh/
authorized_keys id_rsa id_rsa.pub known_hosts
So the whole thing comes down to
one directory: ~/.ssh/
four files:
authorized_keys id_rsa id_rsa.pub known_hosts
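Checking an authorized_keys file by eye, as done on web-7 above, only tells you that some long base64 line is present. The following added example (not code from the original page or from OpenSSH) decodes what is inside such a line, computes the SHA256 fingerprint in the form ssh-keygen prints it, and answers the question ssh-copy-id asks you to check yourself, namely whether a given id_rsa.pub is installed and nothing else is. MASTER61_PUB is the master-61 key shown on the page; the authorized_keys text with its options-prefixed ed25519 entry, and the second ed25519 key, are constructed for this example.

```python
"""Inspect OpenSSH public-key lines offline: parse the ssh-rsa blob, compute the
SHA256 fingerprint as `ssh-keygen -lf` prints it, and check whether a given
id_rsa.pub is installed in an authorized_keys file.

Added example, not from the original page. MASTER61_PUB is the key the page
shows for master-61; AUTHORIZED_KEYS and the ed25519 entries are constructed.
"""
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

MASTER61_PUB = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDRsvpXAYBkQ/q3X9Rs7s+W5ppBaHj4zqtLk6Dvk0yvpFYIJvgvK27Q0hZWE5lXgiSpeYY3wXsg0SLI0/DAEU+mi2mrSUaCMDyia9A0vtpKsu574QDl2eOgU46sBrKfUw1vxC5Ow5awCzHu6RCdvo6mqVLDfqBG4e+pUEvYP4XVL4LMPqK0Wp5OZNprtIXzu57xE+wNUcbwC+hWc/2VSyBAtu9VXtVebrUk9t8hVAhKc2e7m8feexd+/WK5a4/FTj7oQb6P7GK+7gVXY6Thgwv54uIR9gSDU1U5aqEI9ng0xPUyI5KDMWjn2O2mfPY2tMF9ZsAgXJ/S7daMefRzdFvp root@master-61"


def _read_string(blob, off):
    """SSH wire 'string': 4-byte big-endian length followed by that many bytes."""
    (length,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    return blob[off:off + length], off + length


def build_blob(keytype, *fields):
    """Inverse of _read_string; used here only to construct sample keys."""
    out = b""
    for field in (keytype.encode(), *fields):
        out += struct.pack(">I", len(field)) + field
    return out


def format_pubkey_line(keytype, blob, comment):
    return f"{keytype} {base64.b64encode(blob).decode()} {comment}"


def parse_pubkey_line(line):
    """Return (keytype, blob, comment) or None for blank, comment or broken lines.

    authorized_keys lines may carry an options prefix (from=, command=, ...), so
    scan for the first token that is a key type instead of assuming column 0.
    """
    parts = line.split()
    for i, tok in enumerate(parts):
        if tok in KEY_TYPES and i + 1 < len(parts):
            try:
                blob = base64.b64decode(parts[i + 1], validate=True)
                if _read_string(blob, 0)[0] != tok.encode():
                    return None  # text type and wire type disagree: not a real key line
            except (ValueError, struct.error):
                return None
            return tok, blob, " ".join(parts[i + 2:])
    return None


def rsa_params(blob):
    """Decode an ssh-rsa blob: string 'ssh-rsa', mpint e, mpint n."""
    keytype, off = _read_string(blob, 0)
    if keytype != b"ssh-rsa":
        raise ValueError(f"not an ssh-rsa blob: {keytype!r}")
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after modulus")
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")


def sha256_fingerprint(blob):
    """'SHA256:' + unpadded base64 of sha256(blob), the form ssh-keygen -l prints."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def describe(keytype, blob, comment):
    """One audit record per key, with the RSA modulus size where applicable."""
    record = {"type": keytype, "fingerprint": sha256_fingerprint(blob), "comment": comment}
    if keytype == "ssh-rsa":
        record["e"], n = rsa_params(blob)
        record["bits"] = n.bit_length()
    return record


def entries(authorized_keys_text):
    """Yield (keytype, blob, comment) for every active line of an authorized_keys file."""
    for line in authorized_keys_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parsed = parse_pubkey_line(line)
            if parsed:
                yield parsed


def audit(authorized_keys_text):
    return [describe(*entry) for entry in entries(authorized_keys_text)]


def authorized(authorized_keys_text, pubkey_line_text):
    """True if the key itself (not its comment or options) is installed."""
    wanted = parse_pubkey_line(pubkey_line_text)
    return wanted is not None and any(
        kt == wanted[0] and blob == wanted[1] for kt, blob, _ in entries(authorized_keys_text))


# Constructed sample: the page's master-61 key plus a restricted ed25519 entry.
AUTHORIZED_KEYS = "\n".join([
    "# keys trusted for root@web-7",
    MASTER61_PUB,
    'from="10.0.0.0/24",no-pty ' + format_pubkey_line(
        "ssh-ed25519", build_blob("ssh-ed25519", b"\x01" * 32), "backup@nas"),
    "",
])
NOT_INSTALLED = format_pubkey_line("ssh-ed25519", build_blob("ssh-ed25519", b"\x02" * 32), "laptop")

if __name__ == "__main__":
    for record in audit(AUTHORIZED_KEYS):
        print(record)
    print("master-61 installed:", authorized(AUTHORIZED_KEYS, MASTER61_PUB))
    print("laptop installed:", authorized(AUTHORIZED_KEYS, NOT_INSTALLED))
```

Run audit() over the real file on the server (`open("/root/.ssh/authorized_keys").read()`): the fingerprints should match both `ssh-keygen -lf ~/.ssh/authorized_keys` and the SHA256 line ssh-keygen printed when the key was generated. An entry whose fingerprint nobody recognises is the thing to investigate, and authorized() answers the "only the key(s) you wanted" check that ssh-copy-id leaves to you.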