Linux SSH key authentication

Introduction to SSH login authentication methods

Common authentication methods for logging in to the SSH service

  • User/password
  • Key-based

Login authentication based on user and password

  1. The client initiates an SSH request, and the server sends its public key to the user
  2. The user encrypts the password with the public key sent by the server
  3. The encrypted information is sent back to the server, which decrypts it with its own private key; if the password is correct, the user is logged in

Key-based login method

  1. First generate a key pair on the client (ssh-keygen)
  2. Copy the client's public key to the server with ssh-copy-id
  3. When the client next sends a connection request, it includes the IP and the user name
  4. After receiving the client's request, the server looks in authorized_keys; if the corresponding IP and user are found, it generates a random string.
  5. The server encrypts it with the public key copied over from the client and sends it to the client
  6. After receiving the server's message, the client decrypts it with its private key and sends the decrypted string to the server
  7. After receiving the string from the client, the server compares it with the earlier string; if they match, password-free login is allowed

Implementing key-based login

Generate a key pair on the client

ssh-keygen -t rsa [-P 'password'] [-f "~/.ssh/id_rsa"]

Copy the public key file to the corresponding user's home directory on the remote server

ssh-copy-id [-i [identity_file]] [user@]host

Reset the private key passphrase:

ssh-keygen -p

The authentication agent holds the decrypted key, so the passphrase only has to be entered once; in GNOME the agent is provided automatically for the root user

#Start the agent
ssh-agent bash
#Add the key to the agent with this command
ssh-add

Implementing key-based authentication in SecureCRT or Xshell

In the SecureCRT tool -> Create Public Key -> generates the Identity.pub file

Convert it to the OpenSSH-compatible format (required for SecureCRT; Xshell needs no conversion) and append it to the authorized_keys file on the host to be logged in to. Note that the file's permissions must be 600. On the SSH host to be logged in to, run:

ssh-keygen -i -f Identity.pub >> .ssh/authorized_keys

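As an added example (not part of the original post), a shell function that checks the permissions this section relies on: .ssh itself 700, the private key 600, and authorized_keys 600. The function name, the explicit directory argument and the Linux `stat -c %a` call are assumptions.

```shell
# check_ssh_perms DIR: verify that a .ssh directory has the permissions the
# post relies on (.ssh 700, private keys 600, authorized_keys 600).
# Uses GNU/busybox `stat -c %a` (Linux). Returns 0 if all rules pass, 1 otherwise.
check_ssh_perms() {
    dir=$1
    rc=0
    if [ ! -d "$dir" ]; then
        echo "FAIL $dir: directory missing"
        return 1
    fi
    # .ssh itself must be owner-only; sshd (StrictModes) ignores keys that
    # live under a directory other users can write to.
    mode=$(stat -c %a "$dir")
    if [ "$mode" != "700" ]; then
        echo "FAIL $dir: expected 700, got $mode"
        rc=1
    fi
    # The private key must be 600; the ssh client refuses to load a key
    # that is readable by group or others.
    for f in "$dir"/id_rsa "$dir"/id_ecdsa "$dir"/id_ed25519; do
        [ -f "$f" ] || continue
        mode=$(stat -c %a "$f")
        if [ "$mode" != "600" ]; then
            echo "FAIL $f: expected 600, got $mode"
            rc=1
        fi
    done
    # authorized_keys must be 600, as the post requires.
    f=$dir/authorized_keys
    if [ -f "$f" ]; then
        mode=$(stat -c %a "$f")
        if [ "$mode" != "600" ]; then
            echo "FAIL $f: expected 600, got $mode"
            rc=1
        fi
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK $dir"
    fi
    return "$rc"
}
```

Run it as `check_ssh_perms ~/.ssh` on the client and on the server after ssh-copy-id; a non-zero exit status names the file that would make the key be ignored.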
Example: implementing key authentication

1. Generate the key file

[root@centos7-liyj ~]#ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):  #press Enter to accept the default
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): #press Enter, default: empty passphrase
Enter same passphrase again: #press Enter, default
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:beb76jlNwNgyAjqbZWDfqwAUibQejOj/8GbU6cU1SeQ root@centos7-liyj
The key's randomart image is:
+---[RSA 2048]----+
|ooo       ..     |
|=o+ .     ..     |
|+= + o   +.E.    |
|+ + + o +.++     |
| + *  .oSo=..    |
|  =  ..o *  .    |
|   +... . .o     |
|    =o .  .o.    |
|    oo   .=+.    |
+----[SHA256]-----+

[root@centos7-liyj ~]#tree .ssh/
.ssh/
├── id_rsa
└── id_rsa.pub

0 directories, 2 files
[root@centos7-liyj ~]#ll .ssh/
total 8
-rw------- 1 root root 1675 Apr 29 15:32 id_rsa
-rw-r--r-- 1 root root  399 Apr 29 15:32 id_rsa.pub
[root@centos7-liyj ~]#cat .ssh/id_rsa.pub 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGYDO+EKw/2OteUi6IjyWPOoLkTsVhApCDhqA6b4Egpc1sdmwDKaIWz06gdPUncGkCTvKF35gEi+yT3SPdjJE+8/mbD3IVpFW7GUU5MWB3JvqJEI2kr4NBuO876ygxrFUe4sOnZLqIX28qwYeG31XWyYIvd27G7ycTfFFiULa20QeipsEtypKwTj3kw5+xVbqGNl6emSqRKWhvhk1AT4InuLy2Vxdz3ssRxLBUQLTbd/ltpRtv5M2+zJw7rUUfjDsXQrwN+y/N4CXbWS+2eX/OmVBA+jbc9IzHonJQu6DgO0Mr7ALEjAmk/8q4clejOECkbktZILf7R7hVzXu4Pmbf root@centos7-liyj
[root@centos7-liyj ~]#cat .ssh/id_rsa 
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
The generated public key and private key

2. Send the key file to the corresponding user's home directory on the remote machine

[root@centos7-liyj ~]#ssh-copy-id -i /root/.ssh/id_rsa.pub root@10.0.0.88
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '10.0.0.88 (10.0.0.88)' can't be established.
ECDSA key fingerprint is SHA256:znuk6BAInoe362ut3bwJWL5K6tg8VKfXj2EHZ/8mt8s.
ECDSA key fingerprint is MD5:a8:ca:c4:71:1a:11:6b:28:f5:f0:17:b6:a8:f4:49:e4.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@10.0.0.88's password:  #enter the remote user's password

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@10.0.0.88'"
and check to make sure that only the key(s) you wanted were added.

[root@centos8-liyj ~]#ll -a
total 23980
dr-xr-x---.  4 root root      188 Apr 29 13:38 .
dr-xr-xr-x. 19 root root      270 Apr 28 09:45 ..
-rw-------.  1 root root     1470 Apr 18 18:34 anaconda-ks.cfg
-rw-------.  1 root root     9755 Apr 28 19:08 .bash_history
-rw-r--r--.  1 root root       18 May 11  2019 .bash_logout
-rw-r--r--.  1 root root      176 May 11  2019 .bash_profile
-rw-r--r--.  1 root root      176 Apr 18 19:38 .bashrc
drwx------   4 root root       32 Apr 27 22:09 .config
-rw-r--r--.  1 root root      100 May 11  2019 .cshrc
-rw-r--r--   1 root root 24504320 Apr 28 10:02 -J
drwx------   2 root root       29 Apr 29 15:44 .ssh
-rw-r--r--.  1 root root      129 May 11  2019 .tcshrc
-rw-------   1 root root    11607 Apr 28 11:37 .viminfo
[root@centos8-liyj ~]#tree .ssh/
.ssh/
└── authorized_keys

0 directories, 1 file
[root@centos8-liyj ~]#cat .ssh/authorized_keys 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGYDO+EKw/2OteUi6IjyWPOoLkTsVhApCDhqA6b4Egpc1sdmwDKaIWz06gdPUncGkCTvKF35gEi+yT3SPdjJE+8/mbD3IVpFW7GUU5MWB3JvqJEI2kr4NBuO876ygxrFUe4sOnZLqIX28qwYeG31XWyYIvd27G7ycTfFFiULa20QeipsEtypKwTj3kw5+xVbqGNl6emSqRKWhvhk1AT4InuLy2Vxdz3ssRxLBUQLTbd/ltpRtv5M2+zJw7rUUfjDsXQrwN+y/N4CXbWS+2eX/OmVBA+jbc9IzHonJQu6DgO0Mr7ALEjAmk/8q4clejOECkbktZILf7R7hVzXu4Pmbf root@centos7-liyj
The remote machine

3. Connect remotely to machine .88

[root@centos7-liyj ~]#ssh 10.0.0.88
Last login: Fri Apr 29 13:37:58 2022 from 10.0.0.1
[root@centos8-liyj ~]#

4. Encrypt the private key

[root@centos7-liyj ~]#ssh-keygen -p
Enter file in which the key is (/root/.ssh/id_rsa):  #default
Enter new passphrase (empty for no passphrase):  #passphrase
Enter same passphrase again:   #confirm the passphrase
Your identification has been saved with the new passphrase.
[root@centos7-liyj ~]#ssh 10.0.0.88
Enter passphrase for key '/root/.ssh/id_rsa': #enter the private key passphrase
Last login: Fri Apr 29 15:58:51 2022 from 10.0.0.1
[root@centos8-liyj ~]#

5. Start the ssh agent; as long as the ssh-agent process is not exited, remote connections to machines based on the same public key stay free of passphrase prompts

[root@centos7-liyj ~]#ssh-agent bash       #start the agent
[root@centos7-liyj ~]#ps aux |grep agent
root       1247  0.0  0.0  72552   784 ?        Ss   16:06   0:00 ssh-agent bash
root       1259  0.0  0.0 112812   980 pts/0    R+   16:06   0:00 grep --color=auto agent
[root@centos7-liyj ~]#ssh-add      #add the key to the agent
Enter passphrase for /root/.ssh/id_rsa:     #private key passphrase
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
[root@centos7-liyj ~]#ssh 10.0.0.88
Last login: Fri Apr 29 16:02:50 2022 from 10.0.0.77

6. Exit the agent; the agent is process-bound, and once the process exits it is no longer in effect

[root@centos7-liyj ~]#ssh-agent bash
[root@centos7-liyj ~]#ps aux |grep agent
root       1247  0.0  0.0  72552   784 ?        Ss   16:06   0:00 ssh-agent bash
root       1259  0.0  0.0 112812   980 pts/0    R+   16:06   0:00 grep --color=auto agent
[root@centos7-liyj ~]#ssh-add
Enter passphrase for /root/.ssh/id_rsa: 
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
[root@centos7-liyj ~]#ssh 10.0.0.88
Last login: Fri Apr 29 16:02:50 2022 from 10.0.0.77
[root@centos8-liyj ~]#exit
logout
Connection to 10.0.0.88 closed.
[root@centos7-liyj ~]#exit
exit
[root@centos7-liyj ~]#ps aux |grep agent
root       1264  0.0  0.0 112812   976 pts/0    S+   16:10   0:00 grep --color=auto agent
[root@centos7-liyj ~]#

Connecting again requires entering the private key passphrase

Example: batch host management based on key authentication

[root@centos7 ~]#cat hosts.txt
10.0.0.78
10.0.0.10
[root@centos7 ~]#for i in `cat hosts.txt`;do ssh $i hostname -I ;done
10.0.0.78
10.0.0.10
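The loop above works, but `for i in \`cat hosts.txt\`` word-splits the file, and if a key is missing on one host ssh stops at a password prompt and the whole batch hangs. An added example (not from the original post) with both fixed; `batch_run` and the `SSH_BIN` hook are assumed names, and it presumes the keys were installed as in the post.

```shell
# batch_run HOSTS_FILE CMD...: run CMD on every host listed in HOSTS_FILE over
# key-based ssh, never stopping at a password or passphrase prompt.
# SSH_BIN is an assumed hook that defaults to the real ssh client; it lets the
# loop be exercised against a stand-in command without touching real hosts.
: "${SSH_BIN:=ssh}"

batch_run() {
    hosts_file=$1
    shift
    failed=0
    # `while read` instead of `for i in $(cat ...)`: the file contents are not
    # word-split, and blank or '#' comment lines are skipped.
    while IFS= read -r host || [ -n "$host" ]; do
        case $host in ''|'#'*) continue ;; esac
        # -n keeps ssh from swallowing the rest of the host list from stdin;
        # BatchMode=yes makes ssh fail instead of prompting, so an unreachable
        # or misconfigured host cannot hang the whole run.
        if out=$("$SSH_BIN" -n -o BatchMode=yes -o ConnectTimeout=5 "$host" "$@" 2>&1); then
            printf '%s: %s\n' "$host" "$out"
        else
            printf '%s: FAILED (%s)\n' "$host" "$out" >&2
            failed=$((failed + 1))
        fi
    done < "$hosts_file"
    # Exit status is the number of hosts that failed (the shell caps it at 255).
    return "$failed"
}
```

With the post's hosts.txt, `batch_run hosts.txt hostname -I` prints one line per host, and a host whose key was never installed is reported on stderr instead of blocking the loop.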

posted @ 2022-04-29 16:18  goodbay说拜拜