sshd服务提供两种安全验证的方法:
基于口令的安全验证:经过验证帐号与密码即可登陆到远程主机。
基于密钥的安全验证:需要在本地生成"密钥对"后将公钥传送至服务端,进行公共密钥的比较。
使用密码验证终归会存在着被骇客暴力破解或嗅探监听的危险,其实也可以让ssh服务基于密钥进行安全验证(可无需密码验证),步骤如下:
1.在本地主机中生成密钥对
[root@wluat ~]# ssh-keygen Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa): #回车或设置密钥的存储路径 Created directory '/root/.ssh'. Enter passphrase (empty for no passphrase): #回车或设置密钥的密码 Enter same passphrase again: Your identification has been saved in /root/.ssh/id_rsa. Your public key has been saved in /root/.ssh/id_rsa.pub. The key fingerprint is: 92:9e:ae:cd:eb:40:a8:7c:ad:ac:af:89:c2:ce:16:fa root@wluat The key's randomart image is: +--[ RSA 2048]----+ | | | | | | | . . | | . . o S | |.o ... o | |+.....o | |=o+ .= | |=BE+.o*. | +-----------------+
注:这里为了ssh连接不要再输入密码,没有输入密码,而是直接回车。
2.将生成好的公钥密钥传送至远程主机:
ssh-copy-id -i ~/.ssh/id_rsa.pub user@hostname
[root@wluat ~]# ssh-copy-id 192.168.0.80 The authenticity of host '192.168.0.80 (192.168.0.80)' can't be established. RSA key fingerprint is af:b9:dc:e7:7d:45:d7:e0:ae:24:0f:b1:a3:1f:94:48. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '192.168.0.80' (RSA) to the list of known hosts. root@192.168.0.80's password: Now try logging into the machine, with "ssh '192.168.0.80'", and check in: .ssh/authorized_keys to make sure we haven't added extra keys that you weren't expecting.
注:其是这个就相当于在服务器端建立了~/.ssh,目录,并将公钥写到了远程主机的"~/.ssh/authorized_keys"文件中,文件的权限如下:
root@wls12c ~]$ ll .ssh 总用量 8 -rw------- 1 root root 392 8月 17 14:15 authorized_keys -rw-r--r-- 1 root root 1586 8月 17 12:01 known_hosts [root@wls12c ~]$ ll .ssh/authorized_keys -rw------- 1 root root 392 8月 17 14:15 .ssh/authorized_keys
如果是传送到远程主机的普通用户,authorized_keys的权限并不是600,需要手工修改,否则报如下错误:
[root@wluat ~]# ssh weblogic@192.168.0.80 Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
或者手工复制公钥到认证文件:
cat ~/.ssh/id_rsa.pub | ssh user@server "cat - >> ~/.ssh/authorized_keys"
3.测试,连接远程主机的效果
ssh -i ~/.ssh/id_rsa user@hostname
[root@wluat ~]# ssh 192.168.0.80 Last login: Wed Aug 17 14:21:51 2016 from 192.168.0.150 [root@wls12c ~]$
已经实现了不要通过密码验证了
注意:第一次用ssh连接服务端的时候会把要服务端的公钥放到客户端的~/.ssh/know_hosts来进行验证,会弹出一个警告:
[root@wluat ssh]# ssh 192.168.0.80 The authenticity of host '192.168.0.80 (192.168.0.80)' can't be established. RSA key fingerprint is 93:6b:6d:07:34:8c:f5:e0:30:60:34:e0:8d:81:09:c8. Are you sure you want to continue connecting (yes/no)?
为了安全,我们可以在80的机器上检查指纹,确定是要连接的主机
ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub 2048 93:6b:6d:07:34:8c:f5:e0:30:60:34:e0:8d:81:09:c8 /etc/ssh/ssh_host_rsa_key.pub
键入yes接受密钥并确认连接。您将看到一个通知,说明服务器已被添加到已知主机的列表中,并提示您输入密码:
如果前面有把私钥加密,可以使用ssh-agent让机器记住密钥的密码,从而避免输入:
ssh-agent bash ssh-add 密钥
配置别名登录远程机器,编辑~/.ssh/config
Host ecs // 输入远程机器别名 HostName 192.*.*.* // 输入远程机器IP地址 Port 22 // 输入端口号,默认为22 User tomcat // 输入登录账号 IdentityFile ~/.ssh/ecs.pem // 输入.pem私钥文件在本机的地址
然后直接ssh tomcat就登录到远程机器的tomcat用户了。
4.修改远程主机的配置文件,让登陆远程主机只能通过密钥登陆,而不能通过密码验证登录。
vim /etc/ssh/sshd_config
PasswordAuthentication no
PubkeyAuthentication yes
5.重启远程主机的sshd服务
[root@wls12c ~]$ service sshd restart
6.配置Xshell通过密钥登陆
工具-->用户密钥管理者
然后导入本地主机生成的“.ssh/id_rsa”私钥,
然后删除本地主机的私钥 rm -rf .ssh/id_rsa
将公钥重命名 mv id_rsa.pub authorized_keys
并修改权限 chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys
就可以让Xshell通过密钥进行登陆了。