Logging in to servers with ssh keys

ssh offers two commonly used authentication methods: password authentication and key (public-key) authentication.

Password authentication is the weaker of the two. If the password is not strong it can be guessed (by a program running a brute-force or dictionary attack, not by a person), and a password is a reusable secret: anyone who phishes it, or who gets the user to accept a forged host key and thereby sits in the middle of the connection (a man-in-the-middle attack), ends up with a credential that keeps working until it is changed. Note that ssh does encrypt the password in transit; the man-in-the-middle case only arises when the client accepts an unknown or changed host key. A detailed description of the ssh authentication process is in this post, which covers it fairly completely. (link)

For operations staff managing a large number of servers, typing passwords by hand is impractical, and writing passwords into login scripts is not acceptable either. Key-based login is the better approach.

Scenario: server1 (127.0.0.1), server2 (192.168.0.6), server3 (192.168.0.7)

1. On server1, run ssh-keygen to generate a key pair (public key and private key).

bingaos-MacBook-Pro:~ bingao$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/bingao/.ssh/id_rsa): 
/Users/bingao/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /Users/bingao/.ssh/id_rsa.
Your public key has been saved in /Users/bingao/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:tm55gD9g9rv3X3+LOnkn4FP95SCJb0Wl1Gu2zt3wm0Y [email protected]
The key's randomart image is:
+---[RSA 2048]----+
|               . |
|              . o|
|             . o.|
|              o+ |
|       .S  . o+ .|
|      =.....o.+E.|
|     o +.o..+o+=*|
|       .* o=oo.*X|
|       .+* +*o=+=|
+----[SHA256]-----+
bingaos-MacBook-Pro:~ bingao$ 

-t rsa selects an RSA key. The other key types are dsa, ecdsa and ed25519. These are signature key types, not "encryption methods": during login the private key is used to sign, not to encrypt. dsa (ssh-dss) is obsolete and has been disabled by default since OpenSSH 7.0; for new keys prefer ed25519 (ssh-keygen -t ed25519), or RSA with at least 3072 bits (-b 3072).

Because a key already exists here, ssh-keygen asks Overwrite (y/n). Answering y destroys the old private key, so any server that only trusts the old public key will reject you afterwards.

Enter passphrase: it is best to set one; I left it empty here. The passphrase encrypts the private key on disk, so a copied key file is useless without it, and with ssh-agent you only type it once per session.

2. After generation, two files appear in the .ssh directory under the user's home directory: id_rsa and id_rsa.pub.

bingaos-MacBook-Pro:~ bingao$ ll ~/.ssh/
total 96
-rw-------  1 bingao  staff   1679 Dec  7 15:53 id_rsa
-rw-r--r--  1 bingao  staff    414 Dec  7 15:53 id_rsa.pub
-rw-r--r--  1 bingao  staff  22799 Dec  7 15:52 known_hosts
bingaos-MacBook-Pro:~ bingao$ 

id_rsa is the private key; its contents look like the following. (ssh-keygen from OpenSSH 7.8 onwards writes the newer "-----BEGIN OPENSSH PRIVATE KEY-----" format instead; either way the file is the secret and must stay at mode 600.)

-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEArdh52+aPhalePduymkPWVSI6odvf/DVfxkVEpm4Kl9TuB7o2
...
640rfbph0AflsPhjIhDu/a/TdVtLYBgkR4ENTvnCNC7YLRA+GHXGsaVnooWvQQjW
KDB//FarJuEf9386hW/Xp9/0+FnQxSY+WHD0ULsDdLS2PeHkd44dBw==
-----END RSA PRIVATE KEY-----

id_rsa.pub is the public key; its contents look like the following (one line: key type, base64 key, comment). This is the only part that ever leaves server1.

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCt2Hnb5o+FqV4927KaQ9ZVIjqh2...P4TfovAyHfafboYz2JopyoUU3L12Q2xDB4wjAA7R+Eccbx/fwxwOIL0hcru/OMSmpaxMY5G2Z4+d [email protected]

3. Upload the public key (id_rsa.pub) to the target server (server2). This is the last time a password is typed for server2.

bingaos-MacBook-Pro:~ bingao$ scp ~/.ssh/id_rsa.pub [email protected]:~
[email protected]'s password: 
id_rsa.pub                                                                       100%  414    73.4KB/s   00:00    
bingaos-MacBook-Pro:~ bingao$ 

4. On the target server, append the public key to the authorized_keys file in the .ssh directory under the user's home directory (create the directory if it does not exist). In the output below the first cat fails precisely because ~/.ssh does not exist yet; mkdir creates it with mode 755 under the default umask, which sshd accepts, but 700 is the usual choice for this directory.

[root@localhost ~]# cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
-bash: /root/.ssh/authorized_keys: No such file or directory
[root@localhost ~]# mkdir ~/.ssh
[root@localhost ~]# cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
[root@localhost ~]# ll ~/.ssh/
total 4
-rw-r--r--. 1 root root 414 Dec  7 16:21 authorized_keys
[root@localhost ~]# 

5. Set the permissions of authorized_keys to 600. sshd (with the default StrictModes yes) refuses to use authorized_keys if the file, ~/.ssh or the home directory itself is writable by group or others, so 600 on the file and 700 on ~/.ssh is the safe combination.

[root@localhost ~]# chmod 600 ~/.ssh/authorized_keys 
[root@localhost ~]# ll ~/.ssh/
total 4
-rw-------. 1 root root 414 Dec  7 16:21 authorized_keys
[root@localhost ~]# 
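Steps 4 and 5 written as a script that can be re-run safely, added here as an example and not part of the original post: it creates ~/.ssh with mode 700 if it is missing, appends the public key only when that key is not already present (so running it twice never duplicates an entry), sets authorized_keys to 600, and then checks the same things sshd's StrictModes checks. The target home directory and the public-key line are passed in as arguments; the sample key line used in the self-test is made up. (ssh-copy-id, shipped with OpenSSH, performs steps 3 to 5 in one command; this script shows what it does on the server side.)

```shell
#!/bin/sh
# Added example (not from the original post): server-side installation of a
# public key done idempotently and with the permissions sshd expects.
# Assumptions: POSIX sh, GNU or BSD stat; arguments are HOME_DIR and the
# full public-key line ("ssh-ed25519 AAAA... comment").

# mode_of PATH -> permission bits in octal (e.g. 700), GNU stat first, BSD stat as fallback
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# install_pubkey HOME_DIR PUBKEY_LINE
# Appends PUBKEY_LINE to HOME_DIR/.ssh/authorized_keys unless a line with the
# same key type and key material is already there (the comment field may differ).
install_pubkey() {
    home=$1; key=$2
    ssh_dir="$home/.ssh"; ak="$ssh_dir/authorized_keys"
    # key type + base64 blob; grep -F treats '+' and '/' in the base64 literally
    keyblob=$(printf '%s\n' "$key" | cut -d' ' -f1,2)

    (umask 077; mkdir -p "$ssh_dir")          # created as 700 whatever the caller's umask is
    chmod 700 "$ssh_dir"                       # tighten it if it already existed looser
    [ -f "$ak" ] || (umask 077; : > "$ak")     # create empty file as 600
    if ! grep -qF "$keyblob" "$ak"; then
        printf '%s\n' "$key" >> "$ak"
    fi
    chmod 600 "$ak"
}

# check_ssh_perms HOME_DIR -> 0 if the home directory, .ssh and authorized_keys
# all exist and none is group- or world-writable (what StrictModes rejects);
# otherwise prints each problem and returns 1.
check_ssh_perms() {
    home=$1; ok=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; ok=1; continue
        fi
        m=$(mode_of "$p")
        # second-to-last digit = group bits, last digit = other bits; 2,3,6,7 include write
        case "$m" in
            *[2367]?|*[2367]) echo "group/other-writable: $p (mode $m)"; ok=1 ;;
        esac
    done
    return $ok
}

# Usage on the server, with the uploaded key from step 3:
#   sh install_pubkey.sh "$HOME" "$(cat ~/id_rsa.pub)"
if [ "$#" -eq 2 ]; then
    install_pubkey "$1" "$2" && check_ssh_perms "$1"
fi
```

The substring match on key type plus key material is deliberate: the same key uploaded from a machine with a different comment ([email protected] versus a renamed copy) would otherwise be appended a second time, and duplicate lines make later clean-up of authorized_keys error-prone.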

Configuration is complete; from now on you can log in directly:

bingaos-MacBook-Pro:~ bingao$ ssh [email protected]
Last login: Thu Dec  7 16:26:06 2017 from 192.168.1.164
[root@localhost ~]# 

Because server2 now holds server1's public key, key authentication succeeds immediately. The principle: the user stores their public key on the remote host. At login the client offers that key and then proves possession of the matching private key by signing a message that includes the session identifier (a value derived from this connection's key exchange) and the authentication request; the remote host verifies the signature with the stored public key. (The description often given, "the server sends a random string, the user encrypts it with the private key and the server decrypts it with the public key", is a simplification: the private-key operation is a signature, and ecdsa and ed25519 keys cannot encrypt at all.) Because the session identifier is part of the signed data, a captured signature cannot be replayed on another connection. If the signature verifies, the user is trusted and is given a shell with no password prompt. That also means anyone who holds this private key can log in to the remote server directly.
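The sign-and-verify step described above can be watched outside the login protocol, because ssh-keygen (OpenSSH 8.0 and later) exposes the same primitive through ssh-keygen -Y sign and ssh-keygen -Y verify. The script below is an added example, not part of the original post: it generates two key pairs, registers only the first one's public key in an allowed_signers file (playing the role of authorized_keys), signs a random challenge with each private key, and shows that only the registered key's signature is accepted, and that the signature also fails once the signed data is altered. The key names, the principal "server1" and the namespace "demo" are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): the "prove you hold the private
# key" step of ssh public-key authentication, performed with ssh-keygen -Y.
# Assumption: ssh-keygen from OpenSSH 8.0 or newer is on PATH.

# supports_sig_tool -> 0 if this ssh-keygen knows the -Y sign subcommand
supports_sig_tool() {
    ssh-keygen '-?' 2>&1 | grep -q 'Y sign'
}

# sign_challenge PRIVATE_KEY FILE -> writes FILE.sig (what the client does)
sign_challenge() {
    rm -f "$2.sig"
    ssh-keygen -Y sign -f "$1" -n demo "$2" >/dev/null 2>&1
}

# verify_challenge ALLOWED_SIGNERS PRINCIPAL FILE SIGFILE (what the server does)
# Returns 0 only if SIGFILE is a valid signature over FILE made by a key that
# ALLOWED_SIGNERS lists for PRINCIPAL.
verify_challenge() {
    ssh-keygen -Y verify -f "$1" -I "$2" -n demo -s "$4" < "$3" >/dev/null 2>&1
}

# demo_pubkey_auth: runs the three checks and returns 0 when every outcome is
# what the protocol promises, 1 if any check misbehaves, 2 on setup failure.
demo_pubkey_auth() {
    dir=$(mktemp -d) || return 2
    ssh-keygen -q -t ed25519 -N '' -C server1 -f "$dir/server1" || return 2
    ssh-keygen -q -t ed25519 -N '' -C intruder -f "$dir/intruder" || return 2

    # The server-side record: principal, key type, key material (comment dropped),
    # the same information a line in authorized_keys carries.
    printf 'server1 %s\n' "$(cut -d' ' -f1,2 "$dir/server1.pub")" > "$dir/allowed_signers"

    # The challenge. In the real protocol this is the session identifier plus
    # the auth-request fields, which ties the signature to one connection.
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$dir/challenge"

    rc=0
    sign_challenge "$dir/server1" "$dir/challenge" || { rm -rf "$dir"; return 2; }
    if verify_challenge "$dir/allowed_signers" server1 "$dir/challenge" "$dir/challenge.sig"; then
        echo "PASS: server1's signature verifies against its registered public key"
    else
        echo "FAIL: legitimate signature rejected"; rc=1
    fi

    # Same challenge, signed with a key the server never registered.
    sign_challenge "$dir/intruder" "$dir/challenge" || { rm -rf "$dir"; return 2; }
    if verify_challenge "$dir/allowed_signers" server1 "$dir/challenge" "$dir/challenge.sig"; then
        echo "FAIL: unregistered key was accepted"; rc=1
    else
        echo "PASS: unregistered key rejected"
    fi

    # Valid signature, but the signed data is changed afterwards.
    sign_challenge "$dir/server1" "$dir/challenge" || { rm -rf "$dir"; return 2; }
    printf 'x' >> "$dir/challenge"
    if verify_challenge "$dir/allowed_signers" server1 "$dir/challenge" "$dir/challenge.sig"; then
        echo "FAIL: modified data still verified"; rc=1
    else
        echo "PASS: signature no longer matches modified data"
    fi

    rm -rf "$dir"
    return $rc
}

# Run directly: sh pubkey_demo.sh
if [ "$#" -eq 0 ] && [ "${0##*/}" = "pubkey_demo.sh" ]; then
    supports_sig_tool && demo_pubkey_auth
fi
```

Nothing here is encrypted or decrypted: the client produces a signature and the server checks it, which is why the private key never has to leave server1 and why a public key stored on a compromised server gives the attacker nothing.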

To demonstrate that last point, copy server1's private key to server3. (This is something you should never do in practice; it is done here only to show what a leaked private key allows.)

bingaos-MacBook-Pro:~ bingao$ scp ~/.ssh/id_rsa [email protected]:~
[email protected]'s password: 
id_rsa                                                                           100% 1679   364.5KB/s   00:00    
bingaos-MacBook-Pro:~ bingao$ 

On server3, run the command ssh -i ~/id_rsa [email protected]

[john@localhost ~]$ ssh -i ~/id_rsa [email protected]
The authenticity of host '192.168.0.6 (192.168.0.6)' can't be established.
ECDSA key fingerprint is 23:c5:0e:6b:3c:26:0c:e9:31:21:12:1f:d8:b5:60:a2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.6' (ECDSA) to the list of known hosts.
Last login: Thu Dec  7 16:28:02 2017 from 192.168.1.164
[root@localhost ~]# 

Because this is the first connection from server3 to server2, ssh asks whether to trust the remote host's key (what it shows is the host key fingerprint, not a signature). In real use, compare that fingerprint with one obtained out of band, for example by running ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub on server2's console, before answering yes; accepting it blindly is exactly the point at which a man-in-the-middle can insert itself. After yes, login completes without any password.

The second login goes straight into the server:

[john@localhost ~]$ ssh -i ~/id_rsa [email protected]
Last login: Thu Dec  7 16:39:15 2017 from 10.2.0.130
[root@localhost ~]# 

Operations staff are therefore responsible for keeping private keys safe and must not let them circulate among developers. Each person, and each automation host, should have its own key pair: then a key can be revoked by deleting one line from authorized_keys without affecting anyone else, and if a private key is ever copied elsewhere it should be treated as compromised and replaced.
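The server-side counterpart of that advice is to make sure that, once key login works, the weaker method is actually switched off and root cannot log in with a password. The script below is an added example, not part of the original post: it reads an sshd_config and reports the effective value of a keyword the way sshd resolves it (keywords are case-insensitive, comments are ignored, and the first occurrence wins, so a hardening line appended at the bottom of a file that already sets the keyword near the top silently does nothing), then audits the three settings that matter for key-only login. The sample configuration text in the self-test is constructed, not taken from any real host.

```shell
#!/bin/sh
# Added example (not from the original post): check that sshd really is in
# key-only mode. Assumptions: POSIX sh and awk; the config file path is the
# only argument; Match blocks are not evaluated (see note below).

# effective_setting FILE KEYWORD -> prints the value sshd will use, or
# "default" if the keyword is not set before the first Match block.
effective_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                       # drop comments (re-splits fields)
        NF == 0 { next }                          # blank or comment-only line
        tolower($1) == "match" { exit }           # conditional section starts: stop
        tolower($1) == key { print $2; found = 1; exit }   # first match wins
        END { if (!found) print "default" }
    ' "$1"
}

# audit_sshd_config FILE -> 0 if key login is on, password login is off and
# root cannot log in with a password; otherwise prints each finding, returns 1.
# Defaults in current OpenSSH: PubkeyAuthentication yes,
# PasswordAuthentication yes, PermitRootLogin prohibit-password.
audit_sshd_config() {
    f=$1; rc=0
    pubkey=$(effective_setting "$f" PubkeyAuthentication)
    passwd=$(effective_setting "$f" PasswordAuthentication)
    root=$(effective_setting "$f" PermitRootLogin)

    case "$pubkey" in
        yes|default) ;;
        *) echo "PubkeyAuthentication is $pubkey: key login disabled"; rc=1 ;;
    esac
    case "$passwd" in
        no) ;;
        *) echo "PasswordAuthentication is $passwd: passwords still accepted"; rc=1 ;;
    esac
    case "$root" in
        no|prohibit-password|without-password|default) ;;
        *) echo "PermitRootLogin is $root: root can log in with a password"; rc=1 ;;
    esac
    return $rc
}

# Usage on the server: sh audit_sshd.sh /etc/ssh/sshd_config
if [ "$#" -eq 1 ]; then
    audit_sshd_config "$1"
fi
```

The script stops at the first Match block on purpose: settings inside Match apply only when the connection matches the criteria, and the authoritative way to see the merged result for a given user is sshd -T -C user=NAME on the host itself. Files pulled in through Include directives are likewise not followed here, so on a host that uses /etc/ssh/sshd_config.d, run sshd -T rather than trusting the main file alone.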


Reposted from my.oschina.net/u/232911/blog/1586450