一、 SSH无密码远程登录原理
二、 SSH实现无密码远程登录
实现主机A 无密码远程登录主机B
主机A IP地址:10.8.9.154
主机B IP地址:10.8.9.155
1、 主机A操作如下:
[root@cloucentos6 .ssh]# pwd #一般SSH生成公钥和私密会在.ssh目录下,如果没有此目录可以手动创建
/root/.ssh
[root@cloucentos6 .ssh]# ls #一般.ssh目录会存在一个文件known_hosts,此文件主要记录本地SSH远程登录过哪些主机
known_hosts
[root@cloucentos6 .ssh]# ssh-keygen -t rsa -P '' #执行ssh-keygen生成公钥和私钥,-P表示密码,’’ 表示空密码,也可以不使用 –P 参数,这样就要按三次回车,用 -P就输入一次回车
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): #按一次回车键即可
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
9c:f5:83:54:fd:da:6b:1a:9b:e3:d8:cf:ca:c9:b3:b4 root@cloucentos6.0
The key's randomart image is:
+--[ RSA 2048]----+
| .. |
| . . |
| o . |
| . + o .|
| S . o o |
| .. .|
| o .|
| *oBo |
| ..EOo |
+-----------------+
[root@cloucentos6 .ssh]# ls # id_rsa(私钥) id_rsa.pub (公钥)
id_rsa id_rsa.pub known_hosts
[root@cloucentos6 .ssh]# scp /root/.ssh/id_rsa.pub root@10.8.9.155:/root/.ssh/authorized_keys #把主机A /root/.ssh/id_rsa.pub 公钥复制到主机B /root/.ssh/authorized_keys文件里(要确认主机B已经创建好/root/.ssh目录),由于还没有免密码登录,所以要输入一次B主机的root密码
root@10.8.9.155's password: #输入主机B的密码
id_rsa.pub 100% 400 0.4KB/s 00:00
注意:主机B 目录/root/.ssh/authorized_keys文件需要具有读写权限,否则会提示远程失败
[root@ssticentos65 .ssh]# ls -l authorized_keys
-rw-r--r-- 1 root root 400 Jun 5 11:47 authorized_keys
现在主机A可以实现SSH无密码远程登录主机B (如果第一次登录需要输入 yes)
[root@cloucentos6 .ssh]# ssh root@10.8.9.155 'chmod 600 /root/.ssh/authorized_keys ; ls -l /root/.ssh/authorized_keys' #执行SSH远程主机B修改authorized_keys文件权限
-rw-------. 1 root root 400 1月 6 02:02 /root/.ssh/authorized_keys
特殊问题:
问题1:如果执行scp或ssh命令远程连接特殊慢才显示出输入密码提示还提示错误信息
[root@cloucentos6 .ssh]# scp /root/.ssh/id_rsa.pub root@10.8.9.155:/root/.ssh/authorized_keys #执行scp命令远程复制会出现连接缓慢并且还有警告
The authenticity of host '10.8.9.155 (10.8.9.155)' can't be established.
RSA key fingerprint is b6:a2:4d:65:af:cf:19:97:99:ff:1e:99:5f:ec:1b:7a.
Are you sure you want to continue connecting (yes/no)? yes #第一次登录,所以需要输入 yes
Warning: Permanently added '10.8.9.155' (RSA) to the list of known hosts.
解决办法:修改SSH配置文件/etc/ssh/ssh_config,手动添加GSSAPIAuthentication no
[root@cloucentos6 .ssh]#vim /etc/ssh/ssh_config
GSSAPIAuthentication no
[root@cloucentos6 .ssh]# scp /root/.ssh/id_rsa.pub root@10.8.9.155:/root/.ssh/authorized_keys
root@10.8.9.155's password:
问题2:/root目录下没有发现.ssh目录
linux-3ghc:~ # ls -a
. .bash_history .esd_auth .viminfo Downloads Templates dead.letter
.. .cache .gnupg .xsession-errors-:0 Music Videos inst-sys
.ICEauthority .config .local Desktop Pictures autoinst.xml
.Xauthority .dbus .rnd Documents Public bin
解决办法:因为系统没有使用ssh登录过,所以,ssh是没有记录到你的用户密码信息,只需要执行下列命令就可以生成.ssh目录
linux-3ghc:~ # ssh localhost
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is c2:ec:5d:98:45:b4:71:3c:c3:dd:5d:95:7d:20:dc:2f [MD5].
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
Password:
Last login: Wed Feb 13 15:53:38 2019 from 10.8.9.11
linux-3ghc:~ # ls -a /root/
. .Xauthority .config .gnupg .ssh Desktop Music Templates bin
.. .bash_history .dbus .local .viminfo Documents Pictures Videos dead.letter
.ICEauthority .cache .esd_auth .rnd .xsession-errors-:0 Downloads Public autoinst.xml inst-sys