zoukankan      html  css  js  c++  java
  • ssh免密码登陆

    1. 客户端生成公钥文件

    ssh-keygen -t rsa (这样生成就可以了,man具体参数)
    
    [root@arch ~]# ssh-keygen -t rsa
    Generating public/private rsa key pair.
    Enter file in which to save the key (/root/.ssh/id_rsa): 
    /root/.ssh/id_rsa already exists.
    Overwrite (y/n)? y
    Enter passphrase (empty for no passphrase): 
    Enter same passphrase again: 
    Your identification has been saved in /root/.ssh/id_rsa.
    Your public key has been saved in /root/.ssh/id_rsa.pub.
    The key fingerprint is:
    1c:ce:14:77:97:35:72:9a:0f:ac:d4:57:3e:ad:3d:23 root@arch
    The key's randomart image is:
    +---[RSA 2048]----+
    |        . . ...=o|
    |         o .o.*.+|
    |        o  . * oo|
    |       = .. . +o.|
    |        S  . E.+.|
    |              . o|
    |                 |
    |                 |
    |                 |
    +-----------------+
    

    会生成id_rsaid_rsa.pub文件,前者是私钥,后者是需要上传到服务器的公钥

    2.把公钥放到服务器上

        scp .ssh/id_rsa.pub mike@127.0.0.1:/home/mike/.ssh
    

    使用scp简单方便

    3.修改sshd的配置(/etc/ssh/sshd_config)

    找到以下内容,并去掉注释符”#“

        =========================
          RSAAuthentication yes
          PubkeyAuthentication yes
          AuthorizedKeysFile  .ssh/authorized_keys
        =========================
    

    配置authorized_keys文件

    若’~/.ssh/authorized_keys’不存在,则建立.ssh文件夹和authorized_keys文件.
    将上文中客户机id_rsa.pub的内容拷贝到authorized_keys中.

    注意:

    用户目录权限为 755 或者 700就是不能是77x
    .ssh目录权限必须为755(不能775)
    rsa_id.pub 及authorized_keys权限必须为644(或600)
    rsa_id权限必须为600

    4.重启sshd.

    $ /etc/init.d/sshd restart
    

    5.测试

    客户机执行:

    ssh -v user@host (-v 调试模式)
    
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Connecting to xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx] port 22.
    debug1: Connection established.
    debug1: permanently_set_uid: 0/0
    debug1: identity file /root/.ssh/id_rsa type 1
    debug1: key_load_public: No such file or directory
    debug1: identity file /root/.ssh/id_rsa-cert type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /root/.ssh/id_dsa type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /root/.ssh/id_dsa-cert type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /root/.ssh/id_ecdsa type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /root/.ssh/id_ecdsa-cert type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /root/.ssh/id_ed25519 type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /root/.ssh/id_ed25519-cert type -1
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_6.7
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
    debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-ctr umac-64@openssh.com none
    debug1: kex: client->server aes128-ctr umac-64@openssh.com none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Server host key: RSA fc:96:ed:b8:79:b6:99:7e:58:f2:4c:58:58:e7:3a:17
    debug1: Host '127.0.0.1' is known and matches the RSA host key.
    debug1: Found key in /root/.ssh/known_hosts:6
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: Roaming not allowed by server
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
    debug1: Next authentication method: publickey
    debug1: Offering RSA public key: /root/.ssh/id_rsa
    debug1: Server accepts key: pkalg ssh-rsa blen 279
    debug1: Authentication succeeded (publickey).
    Authenticated to 127.0.0.1 ([127.0.0.1]:22).
    debug1: channel 0: new [client-session]
    debug1: Requesting no-more-sessions@openssh.com
    debug1: Entering interactive session.
    

    会显示一些登陆信息.
    若登陆失败,或者仍然要输入密码,可以在服务器查看日志文件:/var/log/secure.

    若登陆成功,则以后就可以用’ssh user@host’ 直接登陆了,不用输入密码.

    附录(sshd配置文件ubuntu14.04默认):

    # Package generated configuration file
    # See the sshd_config(5) manpage for details
    
    # What ports, IPs and protocols we listen for
    Port 22
    # Use these options to restrict which interfaces/protocols sshd will bind to
    #ListenAddress ::
    #ListenAddress 0.0.0.0
    ListenAddress 127.0.0.1
    Protocol 2
    # HostKeys for protocol version 2
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_dsa_key
    HostKey /etc/ssh/ssh_host_ecdsa_key
    HostKey /etc/ssh/ssh_host_ed25519_key
    #Privilege Separation is turned on for security
    UsePrivilegeSeparation yes
    
    # Lifetime and size of ephemeral version 1 server key
    KeyRegenerationInterval 3600
    ServerKeyBits 1024
    
    # Logging
    SyslogFacility AUTH
    LogLevel INFO
    
    # Authentication:
    LoginGraceTime 120
    PermitRootLogin without-password
    StrictModes yes
    
    RSAAuthentication yes
    PubkeyAuthentication yes
    #AuthorizedKeysFile	%h/.ssh/authorized_keys
    
    # Don't read the user's ~/.rhosts and ~/.shosts files
    IgnoreRhosts yes
    # For this to work you will also need host keys in /etc/ssh_known_hosts
    RhostsRSAAuthentication no
    # similar for protocol version 2
    HostbasedAuthentication no
    # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
    #IgnoreUserKnownHosts yes
    
    # To enable empty passwords, change to yes (NOT RECOMMENDED)
    PermitEmptyPasswords no
    
    # Change to yes to enable challenge-response passwords (beware issues with
    # some PAM modules and threads)
    ChallengeResponseAuthentication no
    
    # Change to no to disable tunnelled clear text passwords
    PasswordAuthentication no
    
    # Kerberos options
    #KerberosAuthentication no
    #KerberosGetAFSToken no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes
    
    # GSSAPI options
    #GSSAPIAuthentication no
    #GSSAPICleanupCredentials yes
    
    X11Forwarding yes
    X11DisplayOffset 10
    PrintMotd no
    PrintLastLog yes
    TCPKeepAlive yes
    #UseLogin no
    
    #MaxStartups 10:30:60
    #Banner /etc/issue.net
    
    # Allow client to pass locale environment variables
    AcceptEnv LANG LC_*
    
    Subsystem sftp /usr/lib/openssh/sftp-server
    
    # Set this to 'yes' to enable PAM authentication, account processing,
    # and session processing. If this is enabled, PAM authentication will
    # be allowed through the ChallengeResponseAuthentication and
    # PasswordAuthentication.  Depending on your PAM configuration,
    # PAM authentication via ChallengeResponseAuthentication may bypass
    # the setting of "PermitRootLogin without-password".
    # If you just want the PAM account and session checks to run without
    # PAM authentication, then enable this but set PasswordAuthentication
    # and ChallengeResponseAuthentication to 'no'.
    UsePAM yes
    
  • 相关阅读:
    hdu 4358 Boring counting 树状数组
    hdu 4501 小明系列故事——买年货 多重背包
    hdu 4503 湫湫系列故事——植树节 水题
    hdu 4031 Attack 树状数组
    技巧心得:如何解除运行office软件的时候弹出 正在安装 缺少pro11.msi对话框
    读书札记:VC++学习之Windows程序运行原理
    读书札记:7天搞定C语言(二)
    视频教程:计算器制作MFC
    读书札记:knowledge and Virtue
    技巧心得:各大搜索免费登记入口个人门户推广
  • 原文地址:https://www.cnblogs.com/mikeguan/p/7227058.html
Copyright © 2011-2022 走看看