The sshd service offers two authentication methods:
Password-based authentication: the client presents an account name and password and, if they check out, is logged in to the remote host.
Key-based authentication: a key pair is generated on the local host and the public key is copied to the server; at login the client proves that it holds the matching private key, and the server checks that proof against the public keys listed in authorized_keys.
Password authentication always carries the risk of the password being brute-forced or captured, so it is better to let the ssh service authenticate on keys alone (no password needed). The steps are as follows:
1. Generate a key pair on the local host
[root@wluat ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):    # press Enter, or give another path for the key
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):    # press Enter, or set a passphrase for the private key
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
92:9e:ae:cd:eb:40:a8:7c:ad:ac:af:89:c2:ce:16:fa root@wluat
The key's randomart image is:
+--[ RSA 2048]----+
| |
| |
| |
| . . |
| . . o S |
|.o ... o |
|+.....o |
|=o+ .= |
|=BE+.o*. |
+-----------------+
Note: so that later ssh logins ask for nothing at all, no passphrase was set here; Enter was pressed at both prompts. The private key is then stored unencrypted, and anyone who can read /root/.ssh/id_rsa can log in as this account on every host where the public key is installed. On a shared or backed-up machine, set a passphrase and let ssh-agent (see below) cache it instead.
2. Copy the generated public key to the remote host:
ssh-copy-id -i ~/.ssh/id_rsa.pub user@hostname
[root@wluat ~]# ssh-copy-id 192.168.0.80
The authenticity of host '192.168.0.80 (192.168.0.80)' can't be established.
RSA key fingerprint is af:b9:dc:e7:7d:45:d7:e0:ae:24:0f:b1:a3:1f:94:48.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.80' (RSA) to the list of known hosts.
root@192.168.0.80's password:
Now try logging into the machine, with "ssh '192.168.0.80'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.
Note: this amounts to creating the ~/.ssh directory on the server and appending the public key to ~/.ssh/authorized_keys on the remote host. The resulting file permissions are:
[root@wls12c ~]$ ll .ssh
total 8
-rw------- 1 root root  392 Aug 17 14:15 authorized_keys
-rw-r--r-- 1 root root 1586 Aug 17 12:01 known_hosts
[root@wls12c ~]$ ll .ssh/authorized_keys
-rw------- 1 root root 392 Aug 17 14:15 .ssh/authorized_keys
If the key was copied to an ordinary user on the remote host and authorized_keys did not end up mode 600 (or ~/.ssh is not 700, or the home directory is writable by group or others), sshd's StrictModes check (on by default) ignores the file and the login fails with:
[root@wluat ~]# ssh weblogic@192.168.0.80
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Fix the modes by hand on the remote account (chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys). The client only sees the generic denial; the server's auth log names the offending path ("Authentication refused: bad ownership or modes for ...").
Or copy the public key into the authorization file by hand. The umask and mkdir make the directory and file come out 700/600 even when ~/.ssh does not exist yet, which the plain "cat - >>" form does not guarantee:
ssh user@server "umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys" < ~/.ssh/id_rsa.pub
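A check for the "Permission denied (publickey,...)" case above, added here as an example and not part of the original post: it mirrors the StrictModes test sshd performs on the home directory, ~/.ssh and authorized_keys, and prints the chmod that fixes each offender. The home directory /home/weblogic in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original post. It reproduces the test sshd
# applies with StrictModes on (the default): a key in authorized_keys is
# ignored, and the client only sees "Permission denied (publickey,...)", when
# the home directory, ~/.ssh or ~/.ssh/authorized_keys is writable by group
# or others (sshd also requires them to be owned by the account or root; that
# is not checked here). The real reason is logged server-side as
# "Authentication refused: bad ownership or modes for ...".
# Usage (hypothetical home directory): sh check_authkeys.sh /home/weblogic
set -u

# Symbolic mode of a path, e.g. drwxrwxr-x, taken from ls for portability.
mode_of() { ls -ld "$1" | cut -c1-10; }

# Returns 0 when all three paths are acceptable to sshd, 1 otherwise, and
# prints each offender together with the chmod that satisfies the check.
check_authkeys_perms() {      # check_authkeys_perms HOME_DIR
    home=$1 bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; bad=1; continue
        fi
        m=$(mode_of "$p")
        gw=$(printf '%s' "$m" | cut -c6)      # group write bit
        ow=$(printf '%s' "$m" | cut -c9)      # other write bit
        if [ "$gw" = w ] || [ "$ow" = w ]; then
            case $p in
                */.ssh/authorized_keys) fix="chmod 600 $p" ;;
                */.ssh)                 fix="chmod 700 $p" ;;
                *)                      fix="chmod go-w $p" ;;
            esac
            echo "too open: $m $p  ->  $fix"
            bad=1
        fi
    done
    return "$bad"
}

# Apply the layout ssh-copy-id's umask 077 produces: 700 on ~/.ssh, 600 on
# authorized_keys, and no group/other write on the home directory.
fix_authkeys_perms() {        # fix_authkeys_perms HOME_DIR
    chmod go-w "$1" && chmod 700 "$1/.ssh" && chmod 600 "$1/.ssh/authorized_keys"
}

if [ $# -eq 1 ]; then
    check_authkeys_perms "$1" && echo "ok: $1 passes sshd StrictModes"
fi
```

Run it as the user who cannot log in (or as root with that user's home directory); a non-zero exit with "too open" lines is the same condition that produces the denial above, and the listed chmod commands are the fix.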
3. Test: connect to the remote host
ssh -i ~/.ssh/id_rsa user@hostname
[root@wluat ~]# ssh 192.168.0.80
Last login: Wed Aug 17 14:21:51 2016 from 192.168.0.150
[root@wls12c ~]$
Login now works without password authentication.
Note: the first time ssh connects to a server it records the server's host public key in ~/.ssh/known_hosts on the client and verifies the server against that entry on every later connection. On that first connection it shows a warning:
[root@wluat ssh]# ssh 192.168.0.80
The authenticity of host '192.168.0.80 (192.168.0.80)' can't be established.
RSA key fingerprint is 93:6b:6d:07:34:8c:f5:e0:30:60:34:e0:8d:81:09:c8.
Are you sure you want to continue connecting (yes/no)?
To be safe, check the fingerprint on the 192.168.0.80 machine itself (from its console or over a channel you already trust) and confirm it is the host you intend to connect to:
ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
2048 93:6b:6d:07:34:8c:f5:e0:30:60:34:e0:8d:81:09:c8 /etc/ssh/ssh_host_rsa_key.pub
(OpenSSH 6.8 and later print SHA256 fingerprints by default; add -E md5 to get the colon-separated MD5 form shown here.)
Type yes to accept the key and confirm the connection. You will see a notice that the server has been added to the list of known hosts and, until the public key is installed, a prompt for the password. If a later connection to the same address reports "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!", the host key no longer matches known_hosts; do not accept it until you have confirmed that the server really was reinstalled or rekeyed, because an interception of the connection looks exactly the same.
If the private key was given a passphrase earlier, ssh-agent can hold the decrypted key for the session so the passphrase is not typed on every connection:
ssh-agent bash
ssh-add ~/.ssh/id_rsa
Configure an alias for logging in to the remote machine by editing ~/.ssh/config (comments in this file start with #, not //):
Host ecs                          # alias for the remote machine
    HostName 192.*.*.*            # IP address of the remote machine
    Port 22                       # port number, 22 by default
    User tomcat                   # login account
    IdentityFile ~/.ssh/ecs.pem   # path of the .pem private key on this machine
Then ssh ecs (the alias, not the user name) logs you in to the remote machine as the tomcat user.
4. Edit the remote host's configuration so that logins are accepted only with a key and never with a password.
vim /etc/ssh/sshd_config
PasswordAuthentication no
PubkeyAuthentication yes
On hosts with UsePAM yes (RHEL/CentOS defaults) also set ChallengeResponseAuthentication no, otherwise the account password can still be requested through keyboard-interactive authentication. Make this change only after step 3 has succeeded, and keep the current session open while you test a fresh login afterwards; a mistake here locks you out.
5. Restart the sshd service on the remote host. Check the edited file first with sshd -t (no output means no syntax error), then restart:
[root@wls12c ~]$ service sshd restart
(On systemd hosts the equivalent is systemctl restart sshd.)
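Steps 1 to 5 as one script, added here as an example and not the post's own code. It assumes a hypothetical target root@192.168.0.80 and key ~/.ssh/id_rsa, installs the key with the same umask trick as ssh-copy-id, proves key-only login with BatchMode before touching the server, and rewrites sshd_config with an awk function that also handles commented defaults, duplicates and Match blocks, then has the server check the result with sshd -t before restarting.

```shell
#!/bin/sh
# Added example, not code from the original post. It runs steps 1 to 5 above
# in the safe order: make the key, install the public key, prove that the key
# alone logs in, and only then turn password logins off and restart sshd.
# Hypothetical values: the admin account is root@192.168.0.80 and the key is
# ~/.ssh/id_rsa. Usage:  sh ssh_keyonly.sh root@192.168.0.80 ~/.ssh/id_rsa
set -eu

# Rewrite an sshd_config (file argument, or stdin when none is given) so the
# options that decide key-versus-password login have known values. A live
# line, a commented default such as "#PasswordAuthentication yes" and any
# duplicates collapse into one line; options that are absent are added before
# the first "Match" block, since everything after "Match" is conditional.
harden_sshd_config() {        # harden_sshd_config [sshd_config] > new_config
    awk '
    function flush(k) {
        for (k in want) if (!(k in done)) { print want[k]; done[k] = 1 }
    }
    BEGIN {
        want["pubkeyauthentication"]   = "PubkeyAuthentication yes"
        want["passwordauthentication"] = "PasswordAuthentication no"
        # With UsePAM yes, keyboard-interactive can still ask for the account
        # password unless this is off too.
        want["challengeresponseauthentication"] = "ChallengeResponseAuthentication no"
    }
    inmatch { print; next }
    /^[ \t]*Match([ \t]|$)/ { flush(); inmatch = 1; print; next }
    {
        line = $0
        sub(/^[ \t]*#?[ \t]*/, "", line)   # drop indent and a leading "#"
        split(line, f, /[ \t=]+/)          # sshd accepts "Key value" and "Key=value"
        key = tolower(f[1])
        if (key in want) {
            if (!(key in done)) { print want[key]; done[key] = 1 }
            next                           # later duplicates are dropped
        }
        print
    }
    END { flush() }' "${1:--}"
}

# Put the public key on the remote account. umask 077 makes the new directory
# and file come out 700/600, which sshd's StrictModes requires.
install_pubkey() {            # install_pubkey user@host pubkey_file
    ssh "$1" 'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys' < "$2"
}

# Prove that the key alone gets in. BatchMode refuses every interactive prompt,
# so a silent fallback to the password shows up as a failure instead.
key_login_works() {           # key_login_works user@host private_key
    ssh -o BatchMode=yes -o PasswordAuthentication=no -o IdentitiesOnly=yes \
        -i "$2" "$1" true
}

main() {
    target=$1 key=$2
    [ -f "$key" ] || ssh-keygen -t rsa -b 4096 -f "$key"   # asks for a passphrase
    install_pubkey "$target" "$key.pub"
    if ! key_login_works "$target" "$key"; then
        echo "key login failed; leaving password authentication enabled" >&2
        exit 1
    fi
    # Now close the password door: rewrite the config locally, then on the
    # server syntax-check it with sshd -t, keep a backup, swap it in and
    # restart. Keep this session open and test a fresh login before leaving.
    ssh -i "$key" "$target" 'cat /etc/ssh/sshd_config' | harden_sshd_config > sshd_config.new
    ssh -i "$key" "$target" 'cat > /etc/ssh/sshd_config.new &&
        sshd -t -f /etc/ssh/sshd_config.new &&
        cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.bak &&
        mv /etc/ssh/sshd_config.new /etc/ssh/sshd_config &&
        (systemctl restart sshd 2>/dev/null || service sshd restart)' < sshd_config.new
}

# Run only when both arguments are given; sourcing the file for its functions
# has no side effects.
if [ $# -eq 2 ]; then main "$@"; fi
```

The ordering is the point: password authentication is switched off only after a BatchMode login has proved that the key works, and the server refuses to install a config that sshd -t rejects, so a typo cannot leave the host without a working sshd.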
6. Configure Xshell to log in with the key
Tools --> User Key Manager
Import the private key generated above (.ssh/id_rsa) into Xshell. In this setup the key pair was generated on the very host you will log in to, so once the private key has been imported into Xshell, remove it from the host:
rm -f ~/.ssh/id_rsa
Turn the public key into the authorization file:
mv ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
(if an authorized_keys already exists, append with cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys instead of overwriting it)
and set the permissions:
chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys
Xshell can then log in with the key.