2018-9-9 daily assignment: openssh

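1. Explain the key authentication process

1. The user sends a login request to the host: ssh root@<host IP> (if the username is the same on the host side and the user side, the username can be omitted and ssh + the IP address is enough)

2. On receiving the user's login request, the host side sends the user's public key to the host side

3. The user encrypts the login password with this public key and sends it back to the host side

4. The host side decrypts the login password with its own private key; if the password is correct, it allows the user to log in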

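2. Manually configure key-based login

1. Run ssh-keygen -t rsa to generate the key

[root@localhost ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.                                      # Generate a public/private RSA key pair
Enter file in which to save the key (/root/.ssh/id_rsa):                     # File in which to save the key: just press Enter for the default
Enter passphrase (empty for no passphrase):                                  # Enter a passphrase
Enter same passphrase again:                                                 # Enter the passphrase again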
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:98gylLppiPiKSZxnJ0gsXXZGIoag2ocmQ/Jxm9QymPg [email protected]
The key's randomart image is:
+---[RSA 2048]----+
|o.o . .          |
|oo + +           |
|+.+ B +          |
|== B B   .       |
|=oE +   S .      |
|++o.   o o o     |
| * = o. o o .    |
|+.+ + .o o       |
|+o.  .o          |
+----[SHA256]-----+
[root@localhost ~]# cd /root/.ssh/
[root@localhost .ssh]# ls
id_rsa  id_rsa.pub

2. Send the key to the user side

[root@localhost .ssh]# ssh-copy-id 192.168.116.133        # ssh-copy-id + IP address of the target user side
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.116.133 (192.168.116.133)' can't be established.
ECDSA key fingerprint is SHA256:9np0IgjJJ7eKl9AfCJtUGRegWysD9lsdPbTPMX0M9/M.
ECDSA key fingerprint is MD5:a6:b8:ac:9d:b8:44:c9:f8:dc:21:a2:58:62:d8:f6:a3.
Are you sure you want to continue connecting (yes/no)? yes     
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.116.133's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '192.168.116.133'"
and check to make sure that only the key(s) you wanted were added.

3. Log in to the remote host with the ssh command

[root@localhost .ssh]# ssh 192.168.116.133
Enter passphrase for key '/root/.ssh/id_rsa': 
root@192.168.116.133's password: 
Last login: Sun Sep  9 20:58:14 2018 from 192.168.116.1
[root@localhost ~]# ip a
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:74:37:c0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.116.133/24 brd 192.168.116.255 scope global noprefixroute dynamic ens33
       valid_lft 1798sec preferred_lft 1798sec
    inet6 fe80::780a:6fbe:4247:c199/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

4. Log out of the remote client

[root@localhost .ssh]# exit 
登出
Vim: Caught deadly signal TERM
Vim: preserving files...
Connection to 192.168.116.133 closed.

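Note: to restrict SSH remote connections, edit the file /etc/ssh/sshd_config

[root@localhost ~]# vi /etc/ssh/sshd_config
# Enable public key authentication
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# Enable RSA authentication (an SSH protocol 1 option, deprecated since OpenSSH 7.4)
RSAAuthentication yes
# Disable password login
PasswordAuthentication no
# Disable root login
PermitRootLogin no

After making the changes, restart the ssh service

[root@localhost ~]# service sshd restart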
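
As an added example (not part of the original post), the script below checks an sshd_config file for the three settings in the note above. It relies on two sshd_config rules: the first value read for a keyword is the one used, and lines under a Match block are not global. The function names and the sample file are constructed for illustration; Include directives and keyword=value syntax are not handled.

```shell
#!/bin/sh
# Added example: audit the global section of an sshd_config file.

# Print the value sshd would use for keyword $1 in file $2.
# sshd keeps the first value it reads for a keyword and matches keyword
# names case-insensitively; global settings end at the first Match line.
sshd_value() {
    awk -v key="$1" '
        BEGIN { key = tolower(key); val = "(unset)" }
        /^[ \t]*#/ || NF == 0 { next }      # comment or blank line
        tolower($1) == "match" { exit }     # rest of file is conditional
        tolower($1) == key { val = $2; exit }
        END { print val }
    ' "$2"
}

# Check the three settings from the note; non-zero return on any failure.
audit_sshd() {
    rc=0
    for want in PubkeyAuthentication=yes PasswordAuthentication=no \
                PermitRootLogin=no; do
        key=${want%%=*}; exp=${want#*=}
        got=$(sshd_value "$key" "$1")
        if [ "$got" = "$exp" ]; then
            echo "ok   $key $got"
        else
            echo "FAIL $key is $got, expected $exp"; rc=1
        fi
    done
    return $rc
}

# Constructed sample (not a real server's file): the hardening line was
# appended after an existing entry, and PermitRootLogin sits under Match.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
PubkeyAuthentication yes
passwordauthentication yes
PasswordAuthentication no
Match User backup
    PermitRootLogin no
EOF
audit_sshd "$sample" || echo "sample is not hardened as intended"
```

On a live host, running sshd -t validates the file before the service is restarted.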

Reposted from blog.csdn.net/Empty_city_dreams/article/details/82562563