I. The basic idea of public-key authentication:
Encryption and decryption use two different keys, called the private key and the public key. The public key is stored on the target server, while the private key is held only by a particular client machine.
When the client asks the server to establish a secure connection, it first sends its public key. If that public key is one the server allows, the server sends the client a piece of random data encrypted with the public key; this data can only be decrypted with the private key. The client sends the decrypted data back to the server, and once the server has verified that it is correct, it treats the client as trusted and a secure channel is established.
In this way the client can be verified without ever sending out its identity credential, the private key, and the private key cannot be derived from the public key. This prevents the kind of password leak that network eavesdropping could otherwise cause. The client must keep its private key safe so that nobody else can steal it; if that ever happens, every server has to update its list of trusted public keys.
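The exchange just described, written out as an added example that is not part of the original post: textbook RSA (a Miller-Rabin prime search, e = 65537, no padding) stands in for a real key pair so that the three steps are visible as code. The server checks the offered public key against its authorised list, encrypts random data with it, and accepts the client only if the decrypted value comes back; an impostor who knows the allowed public key but holds a different private key fails. The Server, Client and authenticate names are assumptions of this example. One caveat for practitioners: real OpenSSH does not encrypt a nonce at all. Under RFC 4252 the client proves possession by signing a message bound to the session and the server verifies that signature with the public key; the block follows the page's simpler description only to make the idea concrete.

```python
import secrets

# Textbook RSA, kept deliberately small so the exchange is visible.
# No padding and 512-bit keys: for illustration only, never for real use.

def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if is_probable_prime(cand):
            return cand

def generate_keypair(bits=512):
    """Return (public_key, private_key) as ((e, n), (d, n))."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        if p != q and (p - 1) % e and (q - 1) % e:  # gcd(e, phi) == 1
            break
    n = p * q
    return (e, n), (pow(e, -1, (p - 1) * (q - 1)), n)

class Server:
    """Holds the allowed public keys: the page's authorized_keys list."""
    def __init__(self, authorized_keys):
        self.authorized = list(authorized_keys)
        self._pending = {}

    def challenge(self, client_pub):
        if client_pub not in self.authorized:
            raise PermissionError("public key is not authorised on this server")
        e, n = client_pub
        nonce = secrets.randbits(128)  # the random data the text describes
        self._pending[client_pub] = nonce
        return pow(nonce, e, n)  # encrypted with the client's public key

    def verify(self, client_pub, answer):
        expected = self._pending.pop(client_pub, None)  # one challenge, one answer
        return expected is not None and answer == expected

class Client:
    def __init__(self, public_key, private_key):
        self.public_key = public_key
        self._private_key = private_key  # never sent anywhere

    def answer(self, ciphertext):
        d, n = self._private_key
        return pow(ciphertext, d, n)  # only the private key recovers the nonce

def authenticate(server, client):
    """True only if the client holds the private key matching an authorised public key."""
    return server.verify(client.public_key, client.answer(server.challenge(client.public_key)))

def demo():
    pub, priv = generate_keypair()
    server = Server(authorized_keys=[pub])
    legit = Client(pub, priv)
    _, wrong_priv = generate_keypair()  # impostor knows the allowed public key, not its private key
    impostor = Client(pub, wrong_priv)
    return authenticate(server, legit), authenticate(server, impostor)

if __name__ == "__main__":
    ok, bad = demo()
    print("legitimate client accepted:", ok, "| impostor accepted:", bad)
```

The nonce is removed from the server's pending table as soon as it is verified, so an answer cannot be replayed for a second login; that bookkeeping is what binds one challenge to one session, which is also why the text says the server only trusts the client after checking the returned value.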
II. Implementing password-less login (server1 connects to server2 with its public key, without a password)
1. Create a public key with ssh-keygen (server1)
[root@server1 ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): (the passphrase entered here is what the terminal client must supply to unlock the private key when connecting)
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
7b:aa:08:a0:99:fc:d9:cc:d8:2e:4b:1a:c0:6b:da:e4 root@Server1
The key's randomart image is:
+--[ RSA 2048]----+
| |
| |
| |
|. |
|o. S |
|++. . |
|+=o. . . |
|o+=oB. o |
|..E==*... |
+-----------------+
Note on ssh-keygen: it generates the key pair, where:
-t specifies the algorithm
-f specifies the path of the generated key
-N specifies the passphrase
2. View the generated key files:
[root@server1]$ ll /root/.ssh/
total 16
-rw------- 1 yida yida 1675 Mar 31 11:42 id_rsa
-rw-r--r-- 1 yida yida 399 Mar 31 11:42 id_rsa.pub
3. Copy server1's public key into server2's authorized_keys; this prompts for server2's root password
[root@server1 .ssh]$ ssh-copy-id -i id_rsa.pub root@10.207.0.179
The authenticity of host '10.207.0.179 (10.207.0.179)' can't be established.
RSA key fingerprint is 94:5f:47:a8:ae:0b:b0:31:0f:ce:6b:86:08:51:98:a7.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.207.0.179' (RSA) to the list of known hosts.
Address 10.207.0.179 maps to localhost, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Password:
Now try logging into the machine, with "ssh 'root@10.207.0.179'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[yida@yw_d10075798 .ssh]$
4. View the public-key file on server2
[root@server2]$ ll
total 16
-rw------- 1 root root 408 Mar 30 15:43 authorized_keys
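The ssh-copy-id message above asks you to look at authorized_keys and make sure no keys were added that you were not expecting, and the two ll listings show the file modes that ssh and sshd insist on. The auditor below is an added example written for this page, not part of the original post or of OpenSSH. It parses each authorized_keys line (including option prefixes such as command="..." or from="..."), verifies that the base64 blob really encodes the declared key type, computes both the MD5 colon-form fingerprint that the ssh-keygen output above shows and the SHA256 form newer OpenSSH prints, flags any key whose fingerprint is not on an allow-list, and checks the file modes that StrictModes and the ssh client reject. The sample authorized_keys and the key moduli in it are constructed and are not real keys; all function names are assumptions of this example.

```python
import base64
import hashlib
import os
import struct

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

def ssh_string(b):  # SSH wire-format string: 4-byte big-endian length, then the bytes
    return struct.pack(">I", len(b)) + b

def ssh_mpint(n):
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b and b[0] & 0x80:  # leading zero keeps the value positive
        b = b"\x00" + b
    return ssh_string(b)

def rsa_public_blob(e, n):  # what the base64 field of an ssh-rsa line encodes
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)

def fingerprints(blob):
    """(MD5 colon form as in old ssh-keygen output, SHA256 form as in newer OpenSSH)."""
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return ":".join(md5[i:i + 2] for i in range(0, 32, 2)), "SHA256:" + sha

def split_options(line):
    """Options end at the first whitespace that is not inside double quotes."""
    i, quoted = 0, False
    while i < len(line):
        if line[i] == '"' and (i == 0 or line[i - 1] != "\\"):
            quoted = not quoted
        elif line[i] in " \t" and not quoted:
            break
        i += 1
    return line[:i], line[i:].strip()

def parse_line(line):
    """None for blank/comment lines, a dict for key lines, ValueError if malformed."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = ""
    if line.split(None, 1)[0] not in KEY_TYPES:
        options, line = split_options(line)
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError("unrecognised key type or missing key data")
    blob = base64.b64decode(parts[1], validate=True)  # binascii.Error is a ValueError
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != parts[0].encode():
        raise ValueError("declared type does not match the key blob")
    md5, sha256 = fingerprints(blob)
    return {"type": parts[0], "options": options, "md5": md5, "sha256": sha256,
            "comment": parts[2] if len(parts) > 2 else ""}

def audit(text, allowed_sha256):
    """One (line_no, verdict, detail) per key line: OK, RESTRICTED, UNEXPECTED or MALFORMED."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        try:
            key = parse_line(raw)
        except (ValueError, struct.error) as exc:
            findings.append((no, "MALFORMED", str(exc)))
            continue
        if key is None:
            continue
        if key["sha256"] not in allowed_sha256:
            findings.append((no, "UNEXPECTED", f'{key["type"]} {key["sha256"]} {key["comment"]}'))
        elif key["options"]:
            findings.append((no, "RESTRICTED", key["options"]))
        else:
            findings.append((no, "OK", f'{key["md5"]} {key["comment"]}'))
    return findings

def check_modes(ssh_dir):
    """Modes sshd (StrictModes) or the ssh client reject: group/world write on ~/.ssh
    and authorized_keys, any group/other access on the private key."""
    bad = []
    for name, forbidden in ((".", 0o022), ("authorized_keys", 0o022), ("id_rsa", 0o077)):
        path = os.path.join(ssh_dir, name)
        if os.path.exists(path):
            mode = os.stat(path).st_mode & 0o777
            if mode & forbidden:
                bad.append((name, oct(mode)))
    return bad
# Constructed sample: the moduli are arbitrary numbers, not real keys.
KNOWN_RSA = rsa_public_blob(65537, 0xC0FFEE << 2000 | 0x1234567)
KNOWN_ED25519 = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
ROGUE_RSA = rsa_public_blob(65537, 0xBADC0DE << 2000 | 0x7654321)
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    f"ssh-rsa {base64.b64encode(KNOWN_RSA).decode()} root@Server1",
    f'command="/usr/bin/rsync --server",no-pty ssh-ed25519 {base64.b64encode(KNOWN_ED25519).decode()} backup',
    f"ssh-rsa {base64.b64encode(ROGUE_RSA).decode()} unknown@somewhere",
    "ssh-rsa notbase64!!! broken",
])
ALLOWED = {fingerprints(KNOWN_RSA)[1], fingerprints(KNOWN_ED25519)[1]}

if __name__ == "__main__":
    for finding in audit(SAMPLE_AUTHORIZED_KEYS, ALLOWED):
        print(*finding)
```

The allow-list is keyed on the SHA256 fingerprint rather than on the comment field, because the comment (root@Server1 in the listing above) is free text that anyone appending a line can set to whatever they like. On a real host, read the file with open(os.path.expanduser("~/.ssh/authorized_keys")).read() and pass the fingerprints you expect as the allow-list; the modes reported by ll in the listings above (700 on .ssh, 600 on id_rsa and authorized_keys, 644 on id_rsa.pub) all pass check_modes.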
5. server1 can now log in to server2 without a password
For reference, the same key can also be generated non-interactively, with the algorithm, output path, key size and passphrase given as options:
ssh-keygen -t rsa -f /root/test/root.pem -b 2048 -P "XXXXX"
III. Logging in to Linux from the SecureCRT client with a public key
Method one: generate the public/private key files on the server, keep the public key on the server as authorized_keys, and download both key files to the local client machine for SecureCRT to use when connecting.
1. Create a public key with ssh-keygen (server1)
(The ssh-keygen session and the resulting /root/.ssh listing are identical to steps 1 and 2 of section II above.)
2. Send the public and private key files to the local machine, and rename the public key as the authorization file
[root@.ssh~]# sz id_rsa id_rsa.pub
[root@.ssh~]# mv id_rsa.pub authorized_keys
3. Configure the SecureCRT connection
Pay attention to the passphrase that was set when the key was generated on server1, and be sure to keep the public and private key files in the same local directory; otherwise the following error appears
4. Login succeeds
Method two: generate a public/private key pair in the generic OpenSSH key format on the SecureCRT client, and copy the public key file into the authorized_keys file on the server.