通过linux系统,登陆Linux服务器来实现昨天的四种认证方式。
更多的内容,我们不说了,直接进入主题,但之前要确保有两台Linux系统来进行此实验,而且要是连通的哦。本文是通过CentOS5(IP:192.168.6.19 hostname:test.opsers.org [root@test ~]# )来连接RHEL6(IP:192.168.6.10 hostname:yufei.opsers.org [root@yufei ~]# )服务器。下面进入正题:
1、用户名+密码认证
在CentOS5上进行操作
[root@test ~]# ssh [email protected]
The authenticity of host '192.168.6.10 (192.168.6.10)' can't be established.
RSA key fingerprint is 8c:b0:8a:bc:d1:ca:fc:74:32:5c:a7:e7:0d:59:76:43.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.6.10' (RSA) to the list of known hosts.
[email protected]'s password:
Last login: Mon Apr 25 13:59:19 2011
[root@yufei ~]#
让我们退出RHEL6系统,回到RHEL5环境中
[root@yufei ~]# exit
logout
Connection to 192.168.6.10 closed.
[root@test ~]#
这个就不用多说,自己输入输入名和密码登陆就OK。我们主要来讲下面三种认证方式。
2、密钥认证
在CentOS5上进行操作
创建无密码的密钥
[root@test ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
fc:c9:fe:e9:a0:d4:30:96:28:0a:f9:c6:e4:8d:ec:0a [email protected]
[root@test ~]# 
把公钥上传到RHEL6服务器上
[root@test ~]# ssh-copy-id -i .ssh/id_rsa.pub 192.168.6.10
15
[email protected]'s password:
Now try logging into the machine, with "ssh '192.168.6.10'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
在RHEL6上操作
确定上传来的文件是存在的
[root@test ~]# ssh [email protected]
[email protected]'s password:
Last login: Mon Apr 25 14:00:51 2011 from 192.168.6.19
[root@yufei ~]# ls -l .ssh/authorized_keys
-rw-------. 1 root root 402 4月 25 14:06 .ssh/authorized_keys
[root@japie ~]#
说明文件上传成功
配置sshd_config
[root@japie ~]# cd /etc/ssh/
[root@japie ssh]# cp sshd_config sshd_config.bak
[root@japie ssh]# vim sshd_config
把下面的两行注释去掉
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
保存后,重新启动sshd服务
[root@japie ssh]# service sshd restart
[root@japie ssh]# exit
logout
Connection to 192.168.6.10 closed.
退出RHEL6系统,回到RHEL5环境中
[root@test ~]# ssh [email protected]
Last login: Mon Apr 25 14:07:29 2011 from 192.168.6.19
[root@japie ~]#
已经无需输入密码直接登陆了
让我们退出RHEL6系统,回到RHEL5环境中
[root@japie ~]# exit
logout
Connection to 192.168.6.10 closed.
[root@test ~]#
3、密钥+密钥密码认证
在CentOS5上进行操作
重新生成密钥,并设置带密码的密钥
[root@test ~]# rm -fr .ssh
[root@test ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
26:88:da:e1:72:a8:a5:f8:6a:a3:d7:4c:eb:64:1c:5d [email protected]
上传公钥
[root@test ~]# ssh-copy-id -i .ssh/id_rsa.pub 192.168.6.10
15
The authenticity of host '192.168.6.10 (192.168.6.10)' can't be established.
RSA key fingerprint is 8c:b0:8a:bc:d1:ca:fc:74:32:5c:a7:e7:0d:59:76:43.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.6.10' (RSA) to the list of known hosts.
[email protected]'s password:
Now try logging into the machine, with "ssh '192.168.6.10'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[root@test ~]#
这时候会自动覆盖掉我们前面上传的公钥文件,我们再来给大家看一下公钥的属性
[root@test ~]# ssh [email protected]
Enter passphrase for key '/root/.ssh/id_rsa':
Last login: Mon Apr 25 14:12:17 2011 from 192.168.6.19
[root@yufei ~]# ls -l .ssh/authorized_keys
-rw-------. 1 root root 804 4月 25 14:19 .ssh/authorized_keys
[root@japie ~]#
我们输入刚才设置的密码,已经能正常登陆了,而且此公钥文件属性也是新创建的。
注意:
a、如果说,你没有对上传的公钥做修改的话,我们在RHEL6服务器上对配置文件什么也不用做(上一个实验已经做过了)。直接可以用了。
b、我们没有退出RHEL6服务器的环境,因为下面一个认证还需要对SSH的配置文件做修改
4、SSH代理:密钥+密钥密码、但无需输入密码
接着上面的结果继续在RHEL6服务器上操作
[root@japie ~]# vim /etc/ssh/sshd_config
AllowAgentForwarding yes
把前面的注释去掉
然后重新启动sshd服务
[root@japie ~]# service sshd restart
退出RHEL6服务器环境,回到CentOS5中来
[root@japie ~]# exit
logout
Connection to 192.168.6.10 closed.
[root@test ~]#
在CentOS5上进行操作
[root@test ~]# ssh-agent bash
[root@test ~]# ssh-add
Enter passphrase for /root/.ssh/id_rsa:
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
[root@test ~]#
登陆测试
[root@test ~]# ssh [email protected]
Last login: Mon Apr 25 14:27:15 2011 from 192.168.6.19
[root@japie ~]#
我们已经无需密码正常登陆上了
我们还是退出RHEL6服务器,回到CentOS5上来
[root@japie ~]# exit
logout
Connection to 192.168.6.10 closed.
[root@test ~]#
这里有一个问题:当我们退出shell环境后,还需要执行一下ssh-agentbash和ssh-add才能正常使用,有没有一个办法,让我们不用执行这两个命令,直接输入认证密码就能登陆呢?我下面给出两种实现方法,大家可以根据自己的喜好来实现。
第一种方法:在/etc/profile.d/下创建一个文件,如我起名ssh-agent.sh
[root@test ~]# vim /etc/profile.d/ssh-agent.sh
#!/bin/sh
if [ -f ~/.agent.env ]; then
. ~/.agent.env >/dev/null
if ! kill -0 $SSH_AGENT_PID >/dev/null 2>&1; then
echo "Stale agent file found. Spawning new agent..."
eval `ssh-agent |tee ~/.agent.env`
ssh-add
fi
else
echo "Starting ssh-agent..."
eval `ssh-agent |tee ~/.agent.env`
ssh-add
fi
这时候,我们退出SHELL后,重新登陆SHELL后,会出现下面的提示
Xshell:\> ssh [email protected]
Connecting to 192.168.6.19:22...
Connection established.
Escape character is '^@]'.
Last login: Mon Apr 25 15:12:40 2011 from 192.168.6.1
我们再登陆RHEL6服务器还是能正常连接的,而且无需再次输入密码了
[root@test ~]# ssh [email protected]
Last login: Mon Apr 25 14:31:06 2011 from 192.168.6.19
[root@japie ~]#
我们还是先退出RHEL6服务器,回到CentOS5上来
[root@japie ~]# exit
logout
Connection to 192.168.6.10 closed.
[root@test ~]#
第二种方法:用keychain来实现
首先下载软件,目前最新版本是2.7.1
[root@test ~]# wget http://www.funtoo.org/archive/keychain/keychain-2.7.1.tar.bz2
然后进行软件的安装
[root@test ~]# tar jxvf keychain-2.7.1.tar.bz2
[root@test ~]# cd keychain-2.7.1
[root@test keychain-2.7.1]# install -m 0755 keychain /usr/bin/
或者是直接拷贝keychain到/usr/bin/目录下,都是一样的效果
然后编辑用户家目录下的.bash_profile文件
[root@test keychain-2.7.1]# cd
[root@test ~]# vim .bash_profile
在最后加入下面内容
eval `keychain --eval --agents ssh id_rsa`
删除我们第一种方法创建的文件
[root@test ~]# rm -f /etc/profile.d/ssh-agent.sh
退出SHELL,再次登陆测试
[root@test ~]# exit
Xshell:\> ssh [email protected]
Connecting to 192.168.6.19:22...
Connection established.
Escape character is '^@]'.
Last login: Mon Apr 25 15:02:10 2011 from 192.168.6.1
* keychain 2.7.1 ~ http://www.funtoo.org
* Found existing ssh-agent: 4133
* Known ssh key: /root/.ssh/id_rsa
[root@test ~]# ssh [email protected]
Last login: Mon Apr 25 15:02:55 2011 from 192.168.6.19
[root@japie ~]# exit
logout
Connection to 192.168.6.10 closed.
[root@test ~]#
注:
a、ssh [email protected]这种方式来接连,如果再打开一个会话的话,就还需要输入一次密码。
b、如果重新启动系统后,就需要输入一次密钥密码。
说明:不知道有没有一种方法,能让系统重新启动过后,也无需输入密钥密码,如果有朋友知道的,希望能分享一下,谢谢!