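  • SSH Public Key Login

      Remote login over SSH usually asks for a password, which is the method most of us are familiar with.

      The alternative is public key login. This article briefly introduces two ways to set it up (Method 2 is recommended), walks through a public key login, and shows how to enforce two-factor authentication that requires both a public key and a password.

    Public key login: Method 1

    Step 1: Create a public/private key pair with ssh-keygen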

    $ ssh-keygen
    Generating public/private rsa key pair.
    ...
    $ ls
    id_rsa  id_rsa.pub  known_hosts

    Step 2: Upload id_rsa.pub to the machine you want to log in to

    $ scp id_rsa.pub root@142.93.198.56:/tmp
    root@142.93.198.56's password:
    id_rsa.pub                                                         100%  405     1.5KB/s   00:00

    Step 3: Add the public key to authorized_keys

      First, log in to the target machine and run the following commands there.

    $ ssh root@142.93.198.56
    ...
    root@ubuntu-s-1vcpu-1gb-nyc1-01:~# cd /tmp/
    root@ubuntu-s-1vcpu-1gb-nyc1-01:/tmp# cat id_rsa.pub >> ~/.ssh/authorized_keys

    Step 4: Change the file permissions

    root@ubuntu-s-1vcpu-1gb-nyc1-01:/tmp# chmod 600 ~/.ssh/authorized_keys

    Step 5: Check the configuration

      View and edit the configuration file: /etc/ssh/sshd_config

    root@ubuntu-s-1vcpu-1gb-sfo2-01:~# vim /etc/ssh/sshd_config
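    PasswordAuthentication yes      # password login
    RSAAuthentication yes         # RSA authentication
    PubkeyAuthentication yes       # public key login

      Then restart the sshd service. If you do not want to allow password login, you can change PasswordAuthentication to no. I still recommend keeping this setting, though: if you accidentally run ssh-keygen again and overwrite your key pair, that remote server really will be a long way away from you.

    Step 6: SSH public key login

      You can now log in to the remote machine with the private key.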

    $ ssh -i id_rsa root@142.93.198.56
    Welcome to Ubuntu 16.04.5 LTS (GNU/Linux 4.4.0-131-generic x86_64)
    
     * Documentation:  https://help.ubuntu.com
     * Management:     https://landscape.canonical.com
     * Support:        https://ubuntu.com/advantage
    
      Get cloud support with Ubuntu Advantage Cloud Guest:
        http://www.ubuntu.com/business/services/cloud
    
    0 packages can be updated.
    0 updates are security updates.
    
    New release '18.04.1 LTS' available.
    Run 'do-release-upgrade' to upgrade to it.

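      The VPS 142.93.198.56 was used for testing only and has been destroyed.

    Public key login: Method 2

      While setting up a Hadoop environment, where the nodes of a Hadoop cluster use public keys to transfer data directly between each other, I came across and used the ssh-copy-id command. It easily performs all the steps of Method 1.

    root@kali:~# ssh-keygen                      # generate the key pair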
    Generating public/private rsa key pair.
    Enter file in which to save the key (/root/.ssh/id_rsa): 
    Enter passphrase (empty for no passphrase): 
    Enter same passphrase again: 
    Your identification has been saved in /root/.ssh/id_rsa.
    Your public key has been saved in /root/.ssh/id_rsa.pub.
    The key fingerprint is:
    SHA256:+E2PL7KFGu9pdzg9gEkg5OhMToGQxvMipMkXgBNub/k root@kali
    The key's randomart image is:
    +---[RSA 2048]----+
    |*=o..            |
    |*= =. .          |
    |==* o. .         |
    |=O.o.  ..        |
    |. *+  ..So.      |
    |  . .  .o+.o     |
    |     E. o ++.    |
    |       +oo=.+    |
    |      .o=+ +..   |
    +----[SHA256]-----+
    root@kali:~# 
    root@kali:~# ssh-copy-id root@172.16.82.136          # the ssh-copy-id command
    /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
    The authenticity of host '172.16.82.136 (172.16.82.136)' can't be established.
    ECDSA key fingerprint is SHA256:buanLhYcZbfmeZ2rRECFo5K1v2EcfUAutraLAIQH/yU.
    Are you sure you want to continue connecting (yes/no)? yes
    /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
    /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
    root@172.16.82.136's password: 
    
    Number of key(s) added: 1
    
    Now try logging into the machine, with:   "ssh 'root@172.16.82.136'"
    and check to make sure that only the key(s) you wanted were added.
    
    root@kali:~# ssh root@172.16.82.136          # logs in directly with the public key, no password needed
    Last failed login: Mon Mar  4 08:50:43 CST 2019 from 172.16.83.136 on ssh:notty
    There was 1 failed login attempt since the last successful login.
    Last login: Mon Mar  4 08:50:28 2019
    [root@hadoop ~]# 

    Requiring both a public key and a password to log in

      On top of the public key login setup, add the following configuration:

    [lz@mail ~]$ sudo vim /etc/ssh/sshd_config 
    ...
    AuthenticationMethods publickey,password

      Restart the sshd service:

    [lz@mail ~]$ sudo service sshd restart

      The result is as follows:

       Both the public key and the password are required to log in.
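
      Added example (not part of the original post): a shell check that reads an sshd_config file and reports which login policy the PasswordAuthentication, PubkeyAuthentication and AuthenticationMethods settings from Step 5 and this section produce. The function names first_value and login_policy are hypothetical; the check assumes only the global section matters (it stops at the first Match block, does not follow Include) and considers only the publickey and password methods.

```shell
#!/bin/sh
# Added example: classify the login policy an sshd_config file describes.
# Assumptions: global section only (stops at the first Match block), Include is
# not followed, only publickey/password are considered. `sshd -T` is authoritative.

# first_value FILE KEYWORD: sshd uses the first value it finds for a keyword.
first_value() {
    awk -v key="$2" '
        { sub(/#.*/, "") }                  # strip comments, trailing ones too
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# login_policy FILE: prints two-factor, key-only, password-allowed,
# misconfigured (a required method is disabled) or unknown.
login_policy() {
    pw=$(first_value "$1" PasswordAuthentication); pw=${pw:-yes}   # default: yes
    pk=$(first_value "$1" PubkeyAuthentication);   pk=${pk:-yes}   # default: yes
    methods=$(first_value "$1" AuthenticationMethods)
    if [ -z "$methods" ] || [ "$methods" = any ]; then
        # No required chain: any single enabled method is sufficient.
        if [ "$pw" = yes ]; then echo password-allowed
        elif [ "$pk" = yes ]; then echo key-only
        else echo misconfigured; fi
        return 0
    fi
    worst=two-factor
    for list in $methods; do    # space-separated lists are alternatives
        case "$list" in         # comma-separated methods must all succeed
            password)  needs_pw=1; needs_pk=0; kind=password-allowed ;;
            publickey) needs_pw=0; needs_pk=1; kind=key-only ;;
            publickey,password|password,publickey) needs_pw=1; needs_pk=1; kind=two-factor ;;
            *) echo unknown; return 0 ;;
        esac
        if [ "$needs_pw" = 1 ] && [ "$pw" != yes ]; then echo misconfigured; return 0; fi
        if [ "$needs_pk" = 1 ] && [ "$pk" != yes ]; then echo misconfigured; return 0; fi
        if [ "$kind" = password-allowed ]; then worst=password-allowed
        elif [ "$kind" = key-only ] && [ "$worst" = two-factor ]; then worst=key-only
        fi
    done
    echo "$worst"
}

# Constructed sample: the two-factor configuration shown in this section.
sample=$(mktemp)
printf '%s\n' 'PasswordAuthentication yes' 'AuthenticationMethods publickey,password' > "$sample"
login_policy "$sample"      # prints: two-factor
rm -f "$sample"
```

      Note that the comma matters: `AuthenticationMethods publickey,password` requires both methods, while `publickey password` (separated by a space) accepts either one.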

      That's all!

  • Original article: https://www.cnblogs.com/Hi-blog/p/9482418.html