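SSH Passwordless Login
1. nginx load-balancing exercise
2. SSH passwordless login
Public/private key authentication (passwordless login)
Key-pair authentication is what is usually called passwordless login. How passwordless login works: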
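1. Machine A wants to log in to machine B without a password
2. Machine A has to send its own public key to machine B
1. master-61 generates a public/private key pair
2. master-61 sends its public key to web-7 with the ssh-copy-id command; at this point the password of the web-7 account must be entered, and it must be correct.
3. web-7 writes master-61's public key into its local ~/.ssh/authorized_keys, the file of trusted public keys
4. The next time master-61 logs in to web-7 over ssh, web-7 searches its local ~/.ssh/authorized_keys for master-61's public key; if the key is found, web-7 generates a random string
5. web-7 encrypts the random string with master-61's public key and returns it to master-61
6. master-61 receives the encrypted random string, decrypts it with its own private key, and on success sends the original random string back to web-7
7. web-7 compares the random string, confirms it is correct, and allows the login.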
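Public/private key authentication in practice (important)
The principle is complex but the operation is simple: it is just a few commands that generate a few configuration files;
but teacher Yu Chao explains the principle clearly so that you understand the communication behind it. Whether you are troubleshooting or dealing with an ssh security problem, thinking back through this flow will lead you to a solution.
Passwordless login steps
1. Create the key pair; press Enter at every prompt to accept the defaults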
[root@master-61 ~]#ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:ENZzEVp+qIjG+Cb/MBko8anhY8JGrbqLhR8+6ZI9B2o root@master-61
The key's randomart image is:
+---[RSA 2048]----+
| o. +o |
| . .o+.. |
|. . .oo . |
| o.= . o . . |
|o.=.= . S |
|+=oo o |
|+@+o* |
|XE*=.o |
|*=++... |
+----[SHA256]-----+
2. View the generated public and private keys
[root@master-61 ~]#ls -l ~/.ssh/
total 8
-rw------- 1 root root 1679 Apr 22 19:43 id_rsa
-rw-r--r-- 1 root root 396 Apr 22 19:43 id_rsa.pub
3. Send the public key to the target machine
[root@master-61 ~]#ssh-copy-id web-7
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host 'web-7 (10.0.0.7)' can't be established.
ECDSA key fingerprint is SHA256:Csqwr63+SZRFFOug/IGoFTgRe8hDSI/QalSMBcC6IaU.
ECDSA key fingerprint is MD5:4c:9a:37:e2:5b:b5:de:a8:bf:90:b5:28:d8:5b:ac:60.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@web-7's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'web-7'"
and check to make sure that only the key(s) you wanted were added.
4. Test whether passwordless login works
[root@master-61 ~]#ssh root@web-7
Last login: Fri Apr 22 17:50:42 2022 from 10.0.0.1
[root@web-7 ~]#
Check authorized_keys on web-7
[root@web-7 ~]#cat ~/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDRsvpXAYBkQ/q3X9Rs7s+W5ppBaHj4zqtLk6Dvk0yvpFYIJvgvK27Q0hZWE5lXgiSpeYY3wXsg0SLI0/DAEU+mi2mrSUaCMDyia9A0vtpKsu574QDl2eOgU46sBrKfUw1vxC5Ow5awCzHu6RCdvo6mqVLDfqBG4e+pUEvYP4XVL4LMPqK0Wp5OZNprtIXzu57xE+wNUcbwC+hWc/2VSyBAtu9VXtVebrUk9t8hVAhKc2e7m8feexd+/WK5a4/FTj7oQb6P7GK+7gVXY6Thgwv54uIR9gSDU1U5aqEI9ng0xPUyI5KDMWjn2O2mfPY2tMF9ZsAgXJ/S7daMefRzdFvp root@master-61
Check master-61's public and private key files
Public key
[root@master-61 ~]#cat ~/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDRsvpXAYBkQ/q3X9Rs7s+W5ppBaHj4zqtLk6Dvk0yvpFYIJvgvK27Q0hZWE5lXgiSpeYY3wXsg0SLI0/DAEU+mi2mrSUaCMDyia9A0vtpKsu574QDl2eOgU46sBrKfUw1vxC5Ow5awCzHu6RCdvo6mqVLDfqBG4e+pUEvYP4XVL4LMPqK0Wp5OZNprtIXzu57xE+wNUcbwC+hWc/2VSyBAtu9VXtVebrUk9t8hVAhKc2e7m8feexd+/WK5a4/FTj7oQb6P7GK+7gVXY6Thgwv54uIR9gSDU1U5aqEI9ng0xPUyI5KDMWjn2O2mfPY2tMF9ZsAgXJ/S7daMefRzdFvp root@master-61
Private key file
[root@master-61 ~]#ls -l ~/.ssh/id_rsa
-rw------- 1 root root 1679 Apr 22 19:43 /root/.ssh/id_rsa
Fingerprints of hosts already connected to
[root@master-61 ~]#cat ~/.ssh/known_hosts
web-7,10.0.0.7 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBL/Sx3bAaNcKqo7pC4FTYk3gyZ6hd1D/DKUWVfOd4gZb/8XwlAxWauceHe/BAsW5Z8pEmG6AjSyHM8ckOs94c7Y=
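Configuration file summary
Configuration files involved in the whole passwordless login process
Client side: the public/private key pair has to be generated; check the following directory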
[root@master-61 ~]#ls ~/.ssh/
id_rsa id_rsa.pub known_hosts
Server side: records the client's public key
[root@web-7 ~]#ls ~/.ssh/
authorized_keys id_rsa id_rsa.pub known_hosts
The whole process really comes down to
1 directory: ~/.ssh/
four configuration files
authorized_keys id_rsa id_rsa.pub known_hosts
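The ssh-copy-id output in step 3 asks you to check that only the key(s) you wanted were added, which the walkthrough does by reading authorized_keys by eye. The following added example (not part of the original post) parses authorized_keys entries, computes fingerprints in the SHA256 format that ssh-keygen prints, and reports every entry that is not on an expected list. The function names are hypothetical and the sample keys are constructed for the demo, not real RSA keys.

```python
import base64, hashlib, struct

def _read_string(blob, off):  # one length-prefixed SSH string -> (bytes, next offset)
    (n,) = struct.unpack_from(">I", blob, off)
    return blob[off + 4:off + 4 + n], off + 4 + n

def parse_entry(line):
    """Parse one authorized_keys line: [options] keytype base64-blob [comment]."""
    tokens = line.split()
    for i in range(len(tokens) - 1):
        try:
            blob = base64.b64decode(tokens[i + 1], validate=True)
            name, off = _read_string(blob, 0)
            if name != tokens[i].encode():
                continue  # tokens[i] belongs to the options, it is not the key type
            bits = None
            if name == b"ssh-rsa":  # blob layout: "ssh-rsa", exponent e, modulus n
                _, off = _read_string(blob, off)
                n, _ = _read_string(blob, off)
                bits = int.from_bytes(n, "big").bit_length()
        except (ValueError, struct.error):
            continue  # not base64 or truncated blob: try the next token pair
        digest = hashlib.sha256(blob).digest()  # fingerprint = SHA-256 of the raw blob
        fp = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
        return {"options": " ".join(tokens[:i]), "type": tokens[i], "bits": bits,
                "fingerprint": fp, "comment": " ".join(tokens[i + 2:])}
    return None  # no "keytype blob" pair found on this line

def audit(text, expected):
    """Return (line_no, finding) for each entry whose fingerprint is not in expected."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments are legal in authorized_keys
        entry = parse_entry(line)
        if entry is None:
            findings.append((no, "unparseable line"))
        elif entry["fingerprint"] not in expected:
            findings.append((no, "unexpected key %(fingerprint)s %(comment)s" % entry))
    return findings

def demo_pubkey(seed, comment):
    """Constructed ssh-rsa line for the demo; n is NOT a real RSA modulus."""
    s = lambda b: struct.pack(">I", len(b)) + b
    n = ((1 << 2047) | seed).to_bytes(256, "big")
    blob = s(b"ssh-rsa") + s(b"\x01\x00\x01") + s(b"\x00" + n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)
```

On a real host, pass the contents of ~/.ssh/authorized_keys as text and, as expected, the set of fingerprints that ssh-keygen printed for the keys you distributed.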