共计 2721 个字符,预计需要花费 7 分钟才能阅读完成。
作为一名运维人员来说,管理 1 - 5 台机器尚有余力,但如果是 10 台、100 台或更多服务器,是不是每次登录输入密码非常繁琐,且费时费力,无法提高工作效率。今天我们通过使用 ssh-kengen 命令生成私钥 & 公钥对,目的:免密码登录 SSH。其算法有两种,分别是 RSA 和 DSA。
RSA 是非对称加密算法,可以用来加密和签名。
DSA(Digital Signature Algorithm) 只能用来数字签名的算法。
以下操作适用于 OS:Centos 7、Ubuntu 17,其他系统没测,理论上都可以使用。
服务器:
10.10.204.63
10.10.204.64
1. 如何生成 ssh 公钥
登录 10.10.204.63 服务器生成公私密钥对:
[root@10-10-204-63 ~]# ssh-keygen -b 4096 -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:qLcoj2nSzq6G9ZpFQZ/OFqFT+oBDf3ousHkt82F1/xM root@10-10-204-63.10.10.204.63
The key's randomart image is:
+---[RSA 4096]----+
| . . o |
| . + = o |
| o B = |
| . X o |
| . o B S . |
| .= * . . . E |
|.oo.B * . . |
|oo+*.O o .. |
|o*O+o o .. |
+----[SHA256]-----+
三次回车即可生成 ssh key。注解:
-b 指定密钥长度。对于 RSA 密钥,最小要求 768 位,默认是 2048 位,最长 4096 字节。
-t 指定要创建的密钥类型。可以使用:”rsa1″(SSH-1)“rsa”(SSH-2)“dsa”(SSH-2)。
2. 查看生成的文件
[root@10-10-204-63 ~]# ll .ssh/
total 8
-rw------- 1 root root 3243 Nov 25 15:58 id_rsa
-rw-r--r-- 1 root root 758 Nov 25 15:58 id_rsa.pub
说明:id_rsa 私钥
id_rsa.pub 公钥 3. 将公钥上传到 10.10.204.64
[root@10-10-204-63 ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@10.10.204.64
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '10.10.204.64 (10.10.204.64)' can't be established.
ECDSA key fingerprint is SHA256:/YI/L4RT1QH7lkfxMCAkKnvniQslyUl15mOUKUo8K3k.
ECDSA key fingerprint is MD5:6d:b6:f3:93:8e:48:53:24:9d:5d:c2:2a:5f:28:f4:d2.
Are you sure you want to continue connecting (yes/no)? yes【输入 yes 回车】/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@10.10.204.64's password:【输入服务器密码回车】Number of key(s) added: 1
Now try logging into the machine, with: "ssh'root@10.10.204.64'"
and check to make sure that only the key(s) you wanted were added.上传成功。
4. 修改 SSH 配置文件
登录 10.28.204.64 修改,操作如下:
$ vim /etc/ssh/sshd_config
去除以下注释:RSAAuthentication yes
PubkeyAuthentication yes5. 重启 SSH 服务
$ systemctl restart sshd6. 测试免密码登录 10.10.204.64
[root@10-10-204-63 ~]# ssh 'root@10.10.204.64'
Last failed login: Sat Nov 25 16:09:48 CST 2017 from 83.234.149.66 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Sat Nov 25 15:57:33 2017 from 36.7.69.84
[root@10-10-204-64 ~]#在不输入密码的情况下成功登录。
登陆成功后,建议在 10.10.204.64 服务器上也生成 ssh 公钥,并上传到 10.10.204.63 服务器,这样以来我们就可以相互免密码 SSH 登陆。多台服务器亦是如此。
7. 查看公钥
[root@10-10-204-64 ~]# ll /root/.ssh/
total 8
-rw------- 1 root root 758 Nov 25 16:08 authorized_keys
-rw-r--r--. 1 root root 175 Aug 9 09:19 known_hostsauthorized_keys 是刚上传过来的公钥名称
8. 如果公钥丢失,可以使用私钥再次生成公钥,命令如下:
[root@10-10-204-63 ~]# ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub
