ssh public key / private key: passwordless login

Imagine a door with a great fortune behind it. The door has an electronic combination lock: anyone who wants in has to enter the code, and a thief can keep guessing codes; with enough guesses they eventually hit the right one, like winning the lottery. That is remote access by typing a plain password. The other way is to do without a combination lock and use an extremely precise key that only the owner and family hold. That is key-based access to a remote machine: there is no password to type, and the security is considerably stronger.

A key pair means two keys: one is the public key, the other the private key. The public key is like the lock on a door: it sits in plain view and anyone can see it. The private key, as the name says, is private and personal; only those who are permitted hold it.

One point that is easy to misunderstand: the key pair is generated on the client machine, and the public key is then handed to the master machine. When different clients want to connect to the master, the master ends up holding many public keys.

The key pair is kept in a folder called .ssh, which is normally hidden. Make sure its permissions allow only the current user, that is, 700.

[lijunda@centos6 ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/lijunda/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/lijunda/.ssh/id_rsa.
Your public key has been saved in /home/lijunda/.ssh/id_rsa.pub.
The key fingerprint is:
57:93:fb:47:1d:08:cc:88:ff:cc:52:fb:2d:54:a5:16 lijunda@centos6
The key's randomart image is:
+--[ RSA 2048]----+
|        . +.     |
|       . . o..E .|
|        .   +. +.|
|         . o oo.o|
|        S * o.. o|
|         o = o . |
|          . o o .|
|             o o |
|              .  |
+-----------------+

ssh-keygen means generate ssh keys. There are two key types: RSA, which is the default, and DSA. The former is more secure than the latter, so we use RSA. The public key has now been generated as id_rsa.pub, with the .pub suffix.

[lijunda@centos6 .ssh]$ ls -l
total 8
-rw-------. 1 lijunda lijunda 1743 Feb  3 16:15 id_rsa
-rw-r--r--. 1 lijunda lijunda  397 Feb  3 16:15 id_rsa.pub

id_rsa is the private key. The passphrase you typed keeps the private key from lying around in the clear.

[lijunda@centos6 .ssh]$ cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,07FDB46E4BB04064
[encrypted key body omitted]
-----END RSA PRIVATE KEY-----

The public key is public; anyone may read it.

[lijunda@centos6 .ssh]$ cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAqoTt4p4eRzxnU4CGRlg9lUFkxsTyQv/7JXpzUPQNpC3rIuksy4xr4jofjqhXuVPSqag6wCCsJYZ/3DAWguo7IF5PfBQ5Zx4WEiAq+ymmkyKZ+H1WvRFT+6You5MMVpYKktISkBKOCMVDTTD3upNOG0v00QsqiPAbn1QeyQkMPdJWLK1xSQ1k41U2Q+QfMm6OE7gSBPgzgW7YZR4cOEl0HxBas2QaKOPt9mDVtDfCK3UB16g7U5SqtiDvMH2BzrAlKiT7anjtVUaq8WHHGF4XOHK/tVFGa5P/WpqNcMVmCASfW65tthvVbj1kZKztGfB6J4jXe0COYyI9qS4doE1+lw== lijunda@centos6

lijunda@centos6 only records that this public key was generated by the user lijunda on the machine centos6. If many client machines need to connect to the master machine, copy the private key to the other clients on a USB stick, and turn password authentication off at the same time.

We now copy the public key from the client machine into the master machine:

[lijunda@centos6 .ssh]$ ssh-copy-id root@192.168.1.107
The authenticity of host '192.168.1.107 (192.168.1.107)' can't be established.
RSA key fingerprint is 96:45:0d:96:7d:12:57:b3:f2:00:1c:4f:6c:90:37:aa.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.107' (RSA) to the list of known hosts.
root@192.168.1.107's password: 
Now try logging into the machine, with "ssh 'root@192.168.1.107'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

The teacher who taught Hadoop earlier used this instead:

scp ./id_rsa.pub root@192.168.1.107:/root/.ssh/authorized_keys

The meaning is the same, but be careful: the master machine may already have an authorized_keys file, so back it up first and then add the new key by appending to the file. Then check that the file has been added:

[root@centos7 .ssh]# ls -la
total 12
drwx------. 2 root root   46 Feb  3 17:28 .
dr-xr-x---. 8 root root 4096 Feb  2 17:10 ..
-rw-------. 1 root root  397 Feb  3 17:28 authorized_keys
-rw-r--r--. 1 root root  570 Feb  2 20:48 known_hosts
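The paragraph above warns against overwriting an existing authorized_keys with scp. As an added example (not the post's own commands and not ssh-copy-id's implementation), the following POSIX shell function does what the paragraph asks for: it backs up an existing authorized_keys, appends the new key only when that key material is not already present, and sets the 700/600 permissions sshd expects. The function names install_authorized_key and count_authorized_keys are chosen here, and the key blob in the usage line is constructed, not a real key.

```shell
#!/bin/sh
# Added example, not code from the original post: append a client's public
# key to a user's authorized_keys safely (backup, no duplicates, 700/600).
# Usage: install_authorized_key <home-dir> <public-key-file>
set -u

install_authorized_key() {
    home_dir=$1
    pubkey_file=$2
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # An OpenSSH public key is one line: "<type> <base64 blob> <comment>".
    # Refuse anything that does not start with a known key type.
    key_line=$(head -n 1 "$pubkey_file")
    case "$key_line" in
        ssh-rsa\ *|ssh-dss\ *|ssh-ed25519\ *|ecdsa-sha2-*) ;;
        *) echo "not an OpenSSH public key: $pubkey_file" >&2; return 2 ;;
    esac

    # ~/.ssh must be 700, otherwise sshd (StrictModes yes) ignores the keys.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"

    if [ -f "$auth_file" ]; then
        # Keep a backup before touching an existing file.
        cp -p "$auth_file" "$auth_file.bak"
        # Compare on the key material (field 2) only, ignoring the comment,
        # so the same key with a different comment is still a duplicate.
        key_blob=$(printf '%s\n' "$key_line" | awk '{print $2}')
        if awk -v k="$key_blob" '$2 == k {found=1} END {exit !found}' "$auth_file"; then
            echo "key already present, nothing appended" >&2
            return 1
        fi
    fi

    # Append (>>), never overwrite (>), so other clients' keys survive.
    printf '%s\n' "$key_line" >> "$auth_file"
    chmod 600 "$auth_file"
    return 0
}

# Count the keys a user has authorized (blank lines and comments ignored).
count_authorized_keys() {
    f="$1/.ssh/authorized_keys"
    [ -f "$f" ] || { echo 0; return 0; }
    awk 'NF && $1 !~ /^#/ { n++ } END { print n + 0 }' "$f"
}

# Usage (constructed paths; the key blob is a placeholder, not a real key):
#   printf 'ssh-rsa AAAAB3NzaC1yc2EAAAACONSTRUCTED lijunda@centos6\n' > /tmp/id_rsa.pub
#   install_authorized_key /root /tmp/id_rsa.pub && echo "keys now: $(count_authorized_keys /root)"
```

Return codes: 0 when the key was appended, 1 when the same key material was already present (the backup is still written), 2 when the file is not a public key. Run it as the target user, or as root on that user's home, and it can replace the scp line from the Hadoop course.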

Now try to connect from the client machine to the master machine with ssh:

[lijunda@centos6 .ssh]$ ssh root@192.168.1.107
Enter passphrase for key '/home/lijunda/.ssh/id_rsa': 
Last login: Wed Feb  3 16:31:40 2016 from 192.168.1.105
Hi everyone,
please remember the meaning of SUFFER!

Every login asks for the passphrase that wraps the private key.

Source for the above: https://help.ubuntu.com/community/SSH/OpenSSH/Keys

If typing the passphrase every time feels tedious, you need something like a password manager, the way a browser saves your passwords and logs you in automatically. That thing is called ssh-agent.

But what if I use two keys, or three, or a hundred? But what if I use the keys several times after each other? It sucks to have to enter my "l33t and strong" passphrase.

Okay, that's what ssh-agent is for. The little program ssh-agent does you a favor by managing your keys for you. You enter the passphrase once, and after that, ssh-agent keeps your key in its memory and pulls it up whenever it is asked for it.

[lijunda@centos6 .ssh]$ ssh-add
Could not open a connection to your authentication agent.

This means ssh-agent is not running yet; one more step is needed:

[lijunda@centos6 .ssh]$ eval $(ssh-agent)
Agent pid 4101

Running ssh-add again now unlocks the passphrase-protected private key and adds it to ssh-agent:

[lijunda@centos6 .ssh]$ ssh-add
Enter passphrase for /home/lijunda/.ssh/id_rsa: 
Identity added: /home/lijunda/.ssh/id_rsa (/home/lijunda/.ssh/id_rsa)

Check which private keys have been added to the password manager:

[lijunda@centos6 root]$ ssh-add -l
2048 57:93:fb:47:1d:08:cc:88:ff:cc:52:fb:2d:54:a5:16 /home/lijunda/.ssh/id_rsa (RSA)

From now on, ssh from the client to the master no longer prompts for a password:

[lijunda@centos6 .ssh]$ ssh root@192.168.1.107
Last login: Wed Feb  3 17:34:42 2016 from 192.168.1.108
Hi everyone,
please remember the meaning of SUFFER!

However, open a new window in SecureCRT and it prompts for the passphrase again, because ssh-agent is limited to one terminal:

  1. When you log out, your passphrase(s) will be forgotten. You must execute these two commands each time you log in to a virtual console or open a terminal window

CentOS 5 documentation: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/s3-openssh-config-ssh-agent.html

So we need a tool called keychain to keep it. If it is not installed, run yum install keychain first, then let it take over your private key:

[lijunda@centos6 .ssh]$ /usr/bin/keychain $HOME/.ssh/id_rsa

 * keychain 2.7.0 ~ http://www.funtoo.org
 * Found existing ssh-agent: 4933
 * Found existing gpg-agent: 4958
 * Adding 1 ssh key(s): /home/lijunda/.ssh/id_rsa
Enter passphrase for /home/lijunda/.ssh/id_rsa: 
 * ssh-add: Identities added: /home/lijunda/.ssh/id_rsa

Then make the configuration take effect:

source $HOME/.keychain/$HOSTNAME-sh

So that every new client session lets keychain take over the private key, add it to the user's .bash_profile:

[lijunda@centos6 ~]$ ls -a
.              .dbus      .gnote           .mozilla       Templates
..             Desktop    .gnupg           Music          Videos
.abrt          .dmrc      .gstreamer-0.10  .nautilus      .viminfo
.bash_history  Documents  .gtk-bookmarks   Pictures       .xsession-errors
.bash_logout   Downloads  .gvfs            .pki           .xsession-errors.old
.bash_profile  .esd_auth  .ICEauthority    Public
.bashrc        .gconf     .imsettings.log  .pulse
.cache         .gconfd    .keychain        .pulse-cookie
.config        .gnome2    .local           .ssh

(appended to .bash_profile; the key file is id_rsa, the one generated above and listed in the keychain output)

#passwordless to centos7
/usr/bin/keychain $HOME/.ssh/id_rsa
source $HOME/.keychain/$HOSTNAME-sh
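The two keychain lines above solve the problem described earlier: ssh-agent's environment lives in one terminal, so each new window starts a fresh agent and asks for the passphrase again. As an added example, not keychain's own code and not part of the original post, here is a small profile snippet that does the same job by hand: it saves one ssh-agent's output in a file (assumed path ~/.ssh/agent.env), and every new shell reuses that agent while it is still alive instead of starting another. The function names and the env file path are assumptions of this example; the ssh-add -l exit codes it classifies (0 keys loaded, 1 agent running but no keys, 2 cannot contact an agent) are OpenSSH's documented ones.

```shell
#!/bin/sh
# Added example, not from the original post and not keychain's code:
# reuse a single ssh-agent across terminal windows via a saved env file.
AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"   # assumed location

# Load SSH_AUTH_SOCK / SSH_AGENT_PID from a saved `ssh-agent -s` output.
# ssh-agent prints lines such as:
#   SSH_AUTH_SOCK=/tmp/ssh-XXXX/agent.4101; export SSH_AUTH_SOCK;
#   SSH_AGENT_PID=4101; export SSH_AGENT_PID;
#   echo Agent pid 4101;
load_agent_env() {
    [ -r "$1" ] || return 1
    # The file is shell syntax; it was written by our own ssh-agent run with umask 077.
    . "$1" >/dev/null
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -n "${SSH_AGENT_PID:-}" ]
}

# A saved agent is usable only if its socket still exists and the process lives.
agent_alive() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ] || return 1
    [ -n "${SSH_AGENT_PID:-}" ] && kill -0 "$SSH_AGENT_PID" 2>/dev/null
}

# Classify `ssh-add -l`: 0 = keys loaded, 1 = agent but no keys, 2 = no agent.
agent_key_state() {
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo loaded ;;
        1) echo empty ;;
        *) echo unreachable ;;
    esac
}

# Reuse the saved agent when it still runs; otherwise start one and save its env.
ensure_agent() {
    if load_agent_env "$AGENT_ENV" && agent_alive; then
        return 0
    fi
    # The env file names a socket that grants use of the unlocked key: owner-only.
    ( umask 077; ssh-agent -s > "$AGENT_ENV" ) || return 1
    . "$AGENT_ENV" >/dev/null
}

# Prompt for the passphrase only when the agent holds no key yet, so a new
# window never asks again while the running agent already has the key.
ensure_key_loaded() {
    ensure_agent || return 1
    [ "$(agent_key_state)" = loaded ] || ssh-add "$HOME/.ssh/id_rsa"
}
```

Put a call to ensure_key_loaded at the end of ~/.bash_profile in place of the two keychain lines; the passphrase is then requested once per agent lifetime rather than once per window, and logging out or rebooting (which kills the agent) is what makes it forget the key.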

This way, every new window shows keychain taking over the key:

[root@centos6 ~]# su - lijunda

 * keychain 2.7.0 ~ http://www.funtoo.org
 * Found existing ssh-agent: 4933
 * Found existing gpg-agent: 4958
 * Known ssh key: /home/lijunda/.ssh/id_rsa

Now connect straight through. No password!

[lijunda@centos6 ~]$ ssh root@192.168.1.107
Last login: Wed Feb  3 19:31:30 2016 from 192.168.1.108
Hi everyone,
please remember the meaning of SUFFER!


Summary: when you google a technical question, the first result is usually the answer; with Baidu it is usually hard to find one, or you find it on someone's blog. Reading English is not more trouble; it is simpler and easier to understand.

posted @ 2016-02-03 17:50 lawrence.li