ssh_key认证

ssh认证流程步骤:

1.主机host_key认证

2.身份验证

3.身份验证通过

原理及更多知识点，请查看好友博客 http://www.cnblogs.com/f-ck-need-u/p/7129122.html

-------------------------------------------------------------------------------------------------------------------

1.主机host_key验证过程：（只需一次，此时服务端B-server持有的host_key为私钥，A-client持有的是来自B-server的公钥）

A-client要想链接到B-server，首先进行主机验证(host_key)，判断本机以前是否链接过B-server，判断的标准是查看自身家目录下文件~/.ssh/known_hosts中内容，是否有B-server的主机信息host_key，如果没有该地址的host_key，则询问是否保存主机B发送过来的host_key，如果有，则将此文件中host key和主机B发送过来的host_key做比对，如果完全相同，则表示主机A曾经保存过主机B的host_key，无需再保存，直接进入下一个过程——身份验证，如果不完全相同（或者内容被修改过），则提示是否（重新）保存主机B当前使用的host_key。

~/.ssh/known_hosts     #<==A-client
/etc/ssh/known_hosts   #<==B-server

[test@A-client ~]$ ssh -p 52113 test@10.0.0.4 
The authenticity of host '[10.0.0.4]:52113 ([10.0.0.4]:52113)' can't be established.
RSA key fingerprint is d4:82:8d:5c:83:52:e9:79:2c:e3:3f:6a:fd:eb:4b:21.
Are you sure you want to continue connecting (yes/no)? yes 
Warning: Permanently added '[10.0.0.4]:52113' (RSA) to the list of known hosts.
test@10.0.0.4's password: 
[test@B-server ~]$ logout
Connection to 10.0.0.4 closed.
[test@A-client ~]$ cat .ssh/known_hosts     #<===在主机A上查看保存的host_key
[10.0.0.4]:52113 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAnmy+37PLTSWUlEp/t3c4xJoUFtZ1hlnMuXddxfeFM0x0Mq03y6vuaK8w6KY4V/VPTYuI3NeBHdVkBy2vQFba4O5uBU8GZJ+iyfnnL/klHKgrB2+Oq0mNbEATaJDOVbsIgjVUsPCTwSeVYfevkl9Zcd5QLgR0Hzr83y4iLvZcewosvxOnCE7dTXQQej1GCLpxZLSHhUg/gt9M3Z2KnqoFuSawVr3dIMzQrtlqAjixKmvDI/uGFHRAylflsXHdNyb+ggCSdsy84q9FfCND44KHWrLLLpupyA7ARE1O7TmGkLMhtWb8o09+7HV1n3rTi+3eJCTXTGE24f/OjDUdx8I+lQ==
说明：
1.每一行的行首是主机名，为搜索host_key时的索引
2.如果内容被修改过，则丢弃，重新询问是否保存
[root@B-server ~]# cat /etc/ssh/ssh_host_rsa_key.pub   #<===在主机B上查看自身host_key（回应给其他请求链接的主机host_key）
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAnmy+37PLTSWUlEp/t3c4xJoUFtZ1hlnMuXddxfeFM0x0Mq03y6vuaK8w6KY4V/VPTYuI3NeBHdVkBy2vQFba4O5uBU8GZJ+iyfnnL/klHKgrB2+Oq0mNbEATaJDOVbsIgjVUsPCTwSeVYfevkl9Zcd5QLgR0Hzr83y4iLvZcewosvxOnCE7dTXQQej1GCLpxZLSHhUg/gt9M3Z2KnqoFuSawVr3dIMzQrtlqAjixKmvDI/uGFHRAylflsXHdNyb+ggCSdsy84q9FfCND44KHWrLLLpupyA7ARE1O7TmGkLMhtWb8o09+7HV1n3rTi+3eJCTXTGE24f/OjDUdx8I+lQ==
注意：
1.服务端使用的host_key是sshd服务启动时重新建立的，保存在/etc/ssh/ssh_host_rsa_key 文件中(私钥)和/etc/ssh/ssh_host_rsa_key.pub（公钥，主机验证）
2.ssh将host_key.pub公钥转换为指纹比对，以此验证双方的host_key指纹是否一致

[test@A-client ~]$ ssh-keygen -l -f .ssh/known_hosts 
2048 d4:82:8d:5c:83:52:e9:79:2c:e3:3f:6a:fd:eb:4b:21 [10.0.0.4]:52113 (RSA)

root@B-server ~]# ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub 
2048 d4:82:8d:5c:83:52:e9:79:2c:e3:3f:6a:fd:eb:4b:21 /etc/ssh/ssh_host_rsa_key.pub (RSA)

[test@A-client ~]$ ssh-keygen -lv -f .ssh/known_hosts 
2048 d4:82:8d:5c:83:52:e9:79:2c:e3:3f:6a:fd:eb:4b:21 [10.0.0.4]:52113 (RSA)
+--[ RSA 2048]----+
| ..oo |
| ..o= o |
| o+o+ . |
| =.o. |
| . +E . |
| . . . |
| o . |
| . +. |
| ... +=o |
+-----------------+

2.身份验证，身份验证常见是公钥验证和密码验证，如果公钥验证通过，则无需进行密码验证；如果不使用公钥验证方法，就是密码验证，在上一步的基础上，输入远程用户的密码，密码正确则验证通过（基于用户，需每个用户单独验证；公钥验证一般由客户端生成密钥对，保留私钥，传送公钥给服务端；客户端如果再次分发公钥给自己，并传送私钥给服务端，以此可以实现双机互信）

相关文件：

~/.ssh/id_rsa           #<===私钥
~/.ssh/id_rsa.pub       #<===公钥
在A-client上生成密钥对
[test@A-client ~]$ ssh-keygen -t rsa      #<==指定-t参数，rsa为非对称密钥算法，生成密钥对
Generating public/private rsa key pair.
Enter file in which to save the key (/home/test/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/test/.ssh/id_rsa.
Your public key has been saved in /home/test/.ssh/id_rsa.pub.
The key fingerprint is:
13:0d:da:79:84:8d:ef:14:ad:5b:09:20:45:c6:65:b0 test@A-client
The key's randomart image is:
+--[ RSA 2048]----+
| .+BB+. |
| =+B+ . |
| . E.o+ . |
| o+ o |
| So o |
| .o |
| |
| |
| |
+-----------------+

[test@A-client ~]$ ll .ssh/       
总用量 12
-rw------- 1 test test 1675 1月 22 15:33 id_rsa        #<==注意，私钥文件权限必须为600，如果权限不一致，会导致私钥解锁公钥失败
-rw-r--r-- 1 test test 395 1月 22 15:33 id_rsa.pub
-rw-r--r-- 1 test test 398 1月 22 12:03 known_hosts

[test@A-client ~]$ ssh-copy-id -i "-p 52113 test@10.0.0.4"     #<==传送公钥到B-server，注意加双引号

[test@A-client ~]$ ssh-copy-id -i .ssh/id_rsa.pub "-p 52113 test@10.0.0.5"
The authenticity of host '[10.0.0.5]:52113 ([10.0.0.5]:52113)' can't be established.
RSA key fingerprint is f4:0b:56:80:aa:99:67:74:2a:ce:34:b4:ab:1d:a7:40.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[10.0.0.5]:52113' (RSA) to the list of known hosts.
test@10.0.0.5's password: 
Now try logging into the machine, with "ssh '-p 52113 test@10.0.0.5'", and check in:

.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting

Now try logging into the machine, with "ssh '-p 52113 test@10.0.0.4'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.

ssh-copy-id的实质（查看cat /usr/bin/ssh-copy-id 脚本可知）：
1.检测目标主机指定用户的家目录下，是否存在.ssh目录，没有则以700创建该目录
2.将本地的公钥，传送至目标主机的.ssh/下，并更改文件名为authorized_keys（sshd_config中定义），权限为600

3.基于公钥验证通过

[test@A-client ~]$ ssh -p 52113 10.0.0.4 
Last login: Tue Jan 22 12:03:09 2019 from 10.0.0.2
[test@B-server ~]$ logout
Connection to 10.0.0.4 closed.
[test@A-client ~]$ ssh -p 52113 10.0.0.5 
[test@C-server ~]$