1. Explain the key authentication process
1. The user sends a login request to the host: ssh root@<host IP> (if the user name is the same on the host and the client, the user name can be omitted and ssh + IP address is enough)
2. On receiving the user's login request, the host sends its public key to the user
3. The user encrypts the login password with this public key and sends it back to the host
4. The host decrypts the login password with its own private key; if the password is correct, the user is allowed to log in
2. Configure key authentication login by hand
1. Run ssh-keygen -t rsa to generate the key pair
[root@localhost ~]# ssh-keygen -t rsa
Generating public/private rsa key pair. generate the rsa public/private key pair
Enter file in which to save the key (/root/.ssh/id_rsa): file in which to save the key: just press Enter for the default
Enter passphrase (empty for no passphrase): enter a passphrase
Enter same passphrase again: enter the passphrase again
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:98gylLppiPiKSZxnJ0gsXXZGIoag2ocmQ/Jxm9QymPg [email protected]
The key's randomart image is:
+---[RSA 2048]----+
|o.o . . |
|oo + + |
|+.+ B + |
|== B B . |
|=oE + S . |
|++o. o o o |
| * = o. o o . |
|+.+ + .o o |
|+o. .o |
+----[SHA256]-----+
[root@localhost ~]# cd /root/.ssh/
[root@localhost .ssh]# ls
id_rsa id_rsa.pub
2. Send the key to the client
[root@localhost .ssh]# ssh-copy-id 192.168.116.133 ssh-copy-id + target client IP address
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.116.133 (192.168.116.133)' can't be established.
ECDSA key fingerprint is SHA256:9np0IgjJJ7eKl9AfCJtUGRegWysD9lsdPbTPMX0M9/M.
ECDSA key fingerprint is MD5:a6:b8:ac:9d:b8:44:c9:f8:dc:21:a2:58:62:d8:f6:a3.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.116.133's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '192.168.116.133'"
and check to make sure that only the key(s) you wanted were added.
3. Log in to the remote host with the ssh command
[root@localhost .ssh]# ssh 192.168.116.133
Enter passphrase for key '/root/.ssh/id_rsa':
root@192.168.116.133's password:
Last login: Sun Sep 9 20:58:14 2018 from 192.168.116.1
[root@localhost ~]# ip a
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:74:37:c0 brd ff:ff:ff:ff:ff:ff
inet 192.168.116.133/24 brd 192.168.116.255 scope global noprefixroute dynamic ens33
valid_lft 1798sec preferred_lft 1798sec
inet6 fe80::780a:6fbe:4247:c199/64 scope link noprefixroute
valid_lft forever preferred_lft forever
4. Log out of the remote client
[root@localhost .ssh]# exit
登出
Vim: Caught deadly signal TERM
Vim: preserving files...
Connection to 192.168.116.133 closed.
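What ssh-copy-id does on the remote side, written out as an added example (not part of the original notes and not ssh-copy-id's own code): append the public key line to ~/.ssh/authorized_keys only if it is not already there, and enforce the permissions sshd's StrictModes check requires (a group- or world-writable ~/.ssh or authorized_keys makes sshd silently ignore the key and fall back to a password prompt). The sample key line is constructed and is not a real key; home directories are temporary directories created by the script.

```shell
#!/bin/sh
# Added example: the file-level work behind ssh-copy-id.
# SAMPLE_KEY is a constructed placeholder, not a real public key.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0CONSTRUCTEDSAMPLEKEYNOTREAL== root@localhost'

# install_pubkey HOMEDIR PUBKEY_LINE
# Create HOMEDIR/.ssh (mode 700) and authorized_keys (mode 600), then append
# PUBKEY_LINE unless an identical line is already present (the "filter out
# any that are already installed" step ssh-copy-id prints). Prints 1 if the
# key was added, 0 if it was already installed.
install_pubkey() {
    homedir=$1
    pubkey=$2
    sshdir="$homedir/.ssh"
    authfile="$sshdir/authorized_keys"
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$authfile"
    chmod 600 "$authfile"
    if grep -qxF "$pubkey" "$authfile"; then
        echo 0
        return 0
    fi
    printf '%s\n' "$pubkey" >> "$authfile"
    echo 1
}

# count_keys HOMEDIR
# Number of key lines currently installed for that home directory.
count_keys() {
    authfile="$1/.ssh/authorized_keys"
    [ -f "$authfile" ] || { echo 0; return 0; }
    grep -c '^ssh-' "$authfile" || true
}

# check_perms PATH
# Succeeds only if PATH is neither group- nor world-writable, which is the
# condition sshd enforces (StrictModes yes, the default) on ~/.ssh and
# authorized_keys before it will accept a key from them.
check_perms() {
    bad=$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)
    [ -z "$bad" ]
}

# Demonstration on a temporary home directory (constructed, then removed).
demo_home=$(mktemp -d)
echo "first install added: $(install_pubkey "$demo_home" "$SAMPLE_KEY")"
echo "second install added: $(install_pubkey "$demo_home" "$SAMPLE_KEY")"
echo "keys installed: $(count_keys "$demo_home")"
if check_perms "$demo_home/.ssh"; then echo "~/.ssh permissions OK"; fi
rm -rf "$demo_home"
```

If key login keeps falling back to "root@...'s password:" even though the key was copied, the permission check above and `sshd`'s log (/var/log/secure on CentOS, where it reports "Authentication refused: bad ownership or modes") are the first places to look.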
Note: to restrict remote SSH connections, edit the file /etc/ssh/sshd_config
[root@localhost ~]# vi /etc/ssh/sshd_config
PubkeyAuthentication yes # enable public key authentication
AuthorizedKeysFile .ssh/authorized_keys
RSAAuthentication yes # enable RSA authentication (an SSH protocol 1 option; current OpenSSH reports it as deprecated and ignores it)
PasswordAuthentication no # disable password login
PermitRootLogin no # disable root login
After making the changes, restart the ssh service
[root@localhost ~]# service sshd restart
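Editing sshd_config by hand is easy to get subtly wrong: the stock file ships these directives commented out with their defaults ("#PasswordAuthentication yes"), sshd uses only the first occurrence of a directive, and a leftover duplicate further down is silently ignored. The following added example (not from the original notes) sets the directives listed above idempotently against a constructed sample file, replacing a commented-out or active line rather than appending a second copy. Directive names and values are the ones from the note above; the sample config contents are constructed.

```shell
#!/bin/sh
# Added example: idempotent editing of sshd_config directives.

# set_sshd_option DIRECTIVE VALUE FILE
# Replace every line whose first word is DIRECTIVE (active or commented out,
# compared case-insensitively as sshd does) with "DIRECTIVE VALUE"; append one
# if none exists. Collapsing to one copy matters because sshd honours only
# the first occurrence it reads.
set_sshd_option() {
    directive=$1
    value=$2
    file=$3
    tmp="$file.tmp"
    awk -v d="$directive" -v v="$value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)   # drop indentation and a leading "#"
            split(line, f, /[ \t]+/)
            if (tolower(f[1]) == tolower(d)) {
                if (!done) { print d " " v; done = 1 }
                next                             # swallow later duplicates
            }
            print
        }
        END { if (!done) print d " " v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_sshd_option DIRECTIVE FILE
# Print the value of the first active (uncommented) occurrence, which is the
# one sshd will apply; print nothing if the directive is not set.
get_sshd_option() {
    awk -v d="$1" 'tolower($1) == tolower(d) { print $2; exit }' "$2"
}

# Demonstration on a constructed sample config (not a real sshd_config).
demo_cfg=$(mktemp)
printf '%s\n' '#PasswordAuthentication yes' 'PermitRootLogin yes' 'X11Forwarding no' > "$demo_cfg"
set_sshd_option PubkeyAuthentication yes "$demo_cfg"
set_sshd_option PasswordAuthentication no "$demo_cfg"
set_sshd_option PermitRootLogin no "$demo_cfg"
echo "--- resulting config ---"
cat "$demo_cfg"
echo "PermitRootLogin is now: $(get_sshd_option PermitRootLogin "$demo_cfg")"
rm -f "$demo_cfg"
```

Two caveats before running this against the real file: the editor does not understand Match blocks, so a directive placed after a "Match" line would apply only to that block, and on the real /etc/ssh/sshd_config you should run `sshd -t` as root and keep your current session open until a fresh key login succeeds, since PasswordAuthentication no plus PermitRootLogin no with a broken key setup locks you out of the host.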