Linux SSH service (Part 2)
2. SSH key authentication
2.1 Introduction to SSH keys
1. Password-based authentication
As long as you know the account and password on the server (and, of course, the service's IP address and port, 22 by default), you can log in to the remote host over SSH; all data transmitted during the session is encrypted.
2. Key-based authentication
Key-based authentication relies on a key pair: you must first generate a pair of keys, place the public key on the target server you want to access, and keep the private key on the SSH client (or on the client-side server that will initiate the connections).
2.2 Hands-on: one-way passwordless login with SSH keys
[Environment] CentOS release 5.8 (Final), kernel 2.6.18-308.el5
Central distribution server A: Center-A: 10.0.0.56
Receiving node server B: Client-B: 10.0.0.57
Receiving node server C: Client-C: 10.0.0.58

###### Add a new user: create an ordinary system account (so that disabling root SSH login later does not cause problems)

[Center-A 10.0.0.56]
[root@Center-A .ssh]# useradd -u 600 lican
[root@Center-A .ssh]# echo 'centos'|passwd lican --stdin
Changing password for user lican.
passwd: all authentication tokens updated successfully.
[root@Center-A ~]# ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
08:3d:8c:ee:82:c0:d8:00:6a:56:e4:8a:36:9a:1a:28 root@Center-A
[root@Center-A ~]# tree .ssh/
.ssh/
|-- id_dsa
|-- id_dsa.pub
`-- known_hosts
0 directories, 3 files
[root@Center-A ~]# ll .ssh/
total 12
-rw------- 1 root root 672 May 22 06:52 id_dsa        ※ private key, mode 600
-rw-r--r-- 1 root root 603 May 22 06:52 id_dsa.pub    ※ public key, mode 644
-rw-r--r-- 1 root root 391 May 22 05:38 known_hosts
[root@Center-A ~]# ls -ld .ssh/
drwx------ 2 root root 4096 May 22 06:52 .ssh/        ※ .ssh directory, mode 700

# Center-A (56) distributes its public key to node Client-B (57)
# If sshd is not listening on port 22, copy the public key with the form below instead
# ssh-copy-id -i id_dsa.pub "-p 52113 lican@10.0.0.57"
[root@Center-A .ssh]# ssh-copy-id -i id_dsa.pub lican@10.0.0.57
The authenticity of host '10.0.0.57 (10.0.0.57)' can't be established.
RSA key fingerprint is 62:d2:ea:c0:0e:d7:f2:60:2d:6f:c7:6f:cd:73:30:ae.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.57' (RSA) to the list of known hosts.
Now try logging into the machine, with "ssh 'lican@10.0.0.57'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

# Center-A (56) distributes its public key to node Client-C (58)
[root@Center-A .ssh]# ssh-copy-id -i id_dsa.pub lican@10.0.0.58
The authenticity of host '10.0.0.58 (10.0.0.58)' can't be established.
RSA key fingerprint is 84:18:b2:a5:42:6e:7f:83:29:94:19:0e:3d:0a:88:1f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.58' (RSA) to the list of known hosts.
lican@10.0.0.58's password:
Now try logging into the machine, with "ssh 'lican@10.0.0.58'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

[Client-B 10.0.0.57]
[root@Client-B ~]# useradd -u 600 lican
[root@Client-B ~]# echo 'centos'|passwd lican --stdin
Changing password for user lican.
passwd: all authentication tokens updated successfully.
[root@Client-B ~]# su - lican
[lican@Client-B ~]$ tree /home/lican/.ssh/
/home/lican/.ssh/
`-- authorized_keys
0 directories, 1 file

[Client-C 10.0.0.58]
[root@Client-C ~]# useradd -u 600 lican
[root@Client-C ~]# echo 'centos'|passwd lican --stdin
Changing password for user lican.
passwd: all authentication tokens updated successfully.
[root@Client-C ~]# su - lican
[lican@Client-C ~]$ tree /home/lican/.ssh/
/home/lican/.ssh/
`-- authorized_keys
0 directories, 1 file
[lican@Client-C ~]$

# Why the public key file sent from Center-A gets a different name on the Client side: id_dsa.pub --> authorized_keys
# (sshd reads the file named by AuthorizedKeysFile; the commented-out line shows the default)
[root@Center-A .ssh]# grep authorized_keys /etc/ssh/sshd_config
#AuthorizedKeysFile     .ssh/authorized_keys

[Test]
[Center-A 10.0.0.56]
# No password needed any more: authenticated by key
[root@Center-A .ssh]# ssh -p22 lican@10.0.0.57 uptime
 07:52:02 up  3:11,  1 user,  load average: 0.00, 0.00, 0.00
[root@Center-A .ssh]# ssh -p22 lican@10.0.0.58 uptime
 23:52:08 up  3:08,  1 user,  load average: 0.00, 0.00, 0.00
※※※ Center can connect to Client without a password, because Center holds the private key (the key) and Client holds the public key (the lock)

[Client-B 10.0.0.57]
# Still prompts for a password: authenticated by password
lican:x:600:600::/home/lican:/bin/bash
[lican@Client-B ~]$ ssh -p22 lican@10.0.0.56 free -m
The authenticity of host '10.0.0.56 (10.0.0.56)' can't be established.
RSA key fingerprint is 62:d2:ea:c0:0e:d7:f2:60:2d:6f:c7:6f:cd:73:30:ae.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.56' (RSA) to the list of known hosts.
lican@10.0.0.56's password:
             total       used       free     shared    buffers     cached
Mem:           122        115          6          0          8         89
-/+ buffers/cache:         17        104
Swap:          996          0        996

[Client-C 10.0.0.58]
# Still prompts for a password: authenticated by password
[lican@Client-C ~]$ ssh -p22 lican@10.0.0.56 free -m
The authenticity of host '10.0.0.56 (10.0.0.56)' can't be established.
RSA key fingerprint is 62:d2:ea:c0:0e:d7:f2:60:2d:6f:c7:6f:cd:73:30:ae.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.56' (RSA) to the list of known hosts.
lican@10.0.0.56's password:
             total       used       free     shared    buffers     cached
Mem:           122        115          6          0          8         89
-/+ buffers/cache:         17        104
Swap:          996          0        996
※※※ Client connecting to Center still needs a password, because Client only has the public key (the lock); only Center has the private key (the key)
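The session above annotates three permission bits (.ssh 700, private key 600, public key 644) and ssh-copy-id itself asks you to look at authorized_keys afterwards to make sure no key you did not expect was appended. The script below is an added example, not code from the original post: it audits one .ssh directory for exactly those modes and lists the key type and comment of every entry in authorized_keys. It adds one check the post does not state explicitly, that authorized_keys is not group- or world-writable (sshd with the default StrictModes ignores the file otherwise). It assumes GNU stat(1) as found on Linux ("stat -c"); every path and key string in it is a constructed sample, not material from the post's hosts.

```shell
#!/bin/sh
# Added example (not from the original post): audit a ~/.ssh directory for the
# modes the post points out and list what is in authorized_keys.
# Assumes GNU stat(1); all sample paths and keys below are constructed.

# check_mode PATH EXPECTED: succeed only if PATH exists and its octal mode is EXPECTED
check_mode() {
    [ -e "$1" ] || { echo "MISSING $1"; return 1; }
    mode=$(stat -c '%a' "$1")
    if [ "$mode" = "$2" ]; then
        echo "OK      $1 ($mode)"
        return 0
    fi
    echo "BAD     $1 is $mode, expected $2"
    return 1
}

# check_not_writable PATH: succeed if neither group nor others may write PATH.
# This is an extra check beyond the three modes the post lists: sshd with
# StrictModes (the default) refuses to use a writable authorized_keys.
check_not_writable() {
    perm=$(stat -c '%A' "$1")        # e.g. -rw-r--r--; chars 6 and 9 are the w bits
    case $perm in
        ?????w*|????????w*) echo "BAD     $1 is $perm (group/world writable)"; return 1 ;;
    esac
    echo "OK      $1 ($perm)"
    return 0
}

# audit_ssh_dir DIR: run all checks; return the number of problems found
audit_ssh_dir() {
    dir=$1
    problems=0
    check_mode "$dir" 700 || problems=$((problems + 1))
    for key in "$dir"/id_dsa "$dir"/id_rsa "$dir"/id_ecdsa "$dir"/id_ed25519; do
        [ -e "$key" ] || continue
        check_mode "$key" 600 || problems=$((problems + 1))
        [ -e "$key.pub" ] && { check_mode "$key.pub" 644 || problems=$((problems + 1)); }
    done
    if [ -e "$dir/authorized_keys" ]; then
        check_not_writable "$dir/authorized_keys" || problems=$((problems + 1))
    fi
    return $problems
}

# list_authorized_keys FILE: print "key N: TYPE COMMENT" for each key line,
# skipping blank and '#' lines and leading options such as from="..."; return the count
list_authorized_keys() {
    file=$1
    n=0
    set -f                              # no globbing while word-splitting lines
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;
        esac
        set -- $line
        while [ $# -gt 0 ]; do          # skip options until the key type field
            case $1 in
                ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-*) break ;;
            esac
            shift
        done
        [ $# -gt 0 ] || continue
        n=$((n + 1))
        echo "key $n: $1 ${3:-(no comment)}"
    done < "$file"
    set +f
    return $n
}

# make_demo_dir: build a constructed .ssh layout in a temp dir; print its path
make_demo_dir() {
    d=$(mktemp -d)/.ssh
    mkdir -m 700 "$d"
    echo 'CONSTRUCTED PRIVATE KEY PLACEHOLDER' > "$d/id_dsa"
    chmod 600 "$d/id_dsa"
    echo 'ssh-dss AAAAB3NzaC1kc3MAAACBconstructed root@Center-A' > "$d/id_dsa.pub"
    chmod 644 "$d/id_dsa.pub"
    cat > "$d/authorized_keys" <<'EOF'
# constructed sample: the line ssh-copy-id appends, plus one source-restricted key
ssh-dss AAAAB3NzaC1kc3MAAACBconstructed root@Center-A
from="10.0.0.56" ssh-rsa AAAAB3NzaC1yc2EAAAADconstructed backup@Center-A
EOF
    chmod 600 "$d/authorized_keys"
    echo "$d"
}

demo=$(make_demo_dir)
echo "== correct layout =="
audit_ssh_dir "$demo" || echo "$? problem(s)"
list_authorized_keys "$demo/authorized_keys" || echo "$? key(s) listed"
echo "== after loosening the private key and the directory =="
chmod 644 "$demo/id_dsa"; chmod 755 "$demo"
audit_ssh_dir "$demo" || echo "$? problem(s)"
rm -rf "$(dirname "$demo")"
```

To audit a real account, call `audit_ssh_dir /home/lican/.ssh` and `list_authorized_keys /home/lican/.ssh/authorized_keys` on each receiving node after ssh-copy-id; the return value is the count, so a non-zero exit from the audit is the signal to fix modes before relying on key login.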
