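Introduction: This post explains how to generate SSH key files on Linux and Windows and upload them to the managed host so that you can connect without a password. (Take care to distinguish the roles of the public key and the private key.)
Section 0: Test environment
windows10 x64
xshell6
mobaxterm
finalshell
[root@osker ~]# uname -a
Linux oldboy 3.10.0-957.el7.x86_64 #1 SMP Thu Nov 8 23:39:32 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux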
Section 1: Distributing a key from a Linux host to a Linux host
1. Create the SSH key pair on host m01
[root@m01 ~]# ssh-keygen -C jumpserver
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:17Leb+HcnQ6KG8DmaIJ1owCvMbGCgZyqA1/IuP8gXOs jumpserver
The key's randomart image is:
+---[RSA 2048]----+
| |
|o . |
|=o |
|+B . . . |
|X.+o.o +S o . |
|=*=.+ = .. o . |
|*oo+ o . .. + oo|
| +..o .o.. =.o|
| .E. oo..oo. |
+----[SHA256]-----+
2. View the generated public key, id_rsa.pub
[root@m01 ~]# cat .ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmsnAb+0VDb/8yfCDZhsMj8w1SoRthxTKEnFh+qCS6buM7V9MJckMOMWfBN47R6McQvvuSQAoPxm+67aCl75pvKpOXvypt/mzPmClHW7UYvKVKV46lOJKSqB43V8Qq1AhYqL6Ls3KZ7JkMWaT50DeSvRH7lIMk64zHRO896X9cfduQsUxh/f+tBfL+zYLynkrm+I45iVPq09eBrkrMJg9rrzzyzqOSze2CCB0gI+luz2fxaCJPNWbkx+VHOfx9N+j8oOPxNY1VLTTBZU/QDe+kdaiMAeCHQDqOfLEl0Sby83X7ou4K92URX0rr5Oy/XgYOT4LVyBMAeK7JgHlDb/4H jumpserver
3. Use the ssh-copy-id command to upload the public key automatically to host 41 (the backup host)
[root@m01 ~]# ssh-copy-id -i ./.ssh/id_rsa.pub root@172.16.1.41
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "./.ssh/id_rsa.pub"
The authenticity of host '172.16.1.41 (172.16.1.41)' can't be established.
ECDSA key fingerprint is SHA256:cHKT5G6hYgv1k1zTfc36tZrLNQqJhc1JeBTeke545Fk.
ECDSA key fingerprint is MD5:24:4e:94:6d:46:82:0a:61:3a:1e:83:3f:75:82:e1:aa.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@172.16.1.41's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@172.16.1.41'"
and check to make sure that only the key(s) you wanted were added.
4. View the local private key file, id_rsa (note that the private key file has permissions 600)
[root@m01 ~]# ll -a .ssh/
total 12
drwx------ 2 root root 57 Apr 20 11:24 .
dr-xr-x---. 3 root root 163 Apr 13 12:37 ..
-rw------- 1 root root 1679 Apr 20 11:23 id_rsa
-rw-r--r-- 1 root root 392 Apr 20 11:23 id_rsa.pub
-rw-r--r-- 1 root root 173 Apr 20 11:24 known_hosts
[root@m01 ~]# cat .ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAprJwG/tFQ2//Mnwg2YbDI/MNUqEbYcUyhJxYfqgkum7jO1fT
...
n3h/Fk2FvAY5PCTBnMGeBl11hWMyIQTbW3Viyt36Dby3vvW0Z22lLw==
-----END RSA PRIVATE KEY-----
5. You can now log in over ssh directly, without a password.
[root@m01 ~]# ssh root@172.16.1.41
Last login: Mon Apr 20 11:19:20 2020 from 10.0.0.1
[root@backup ~]#
6. After m01 has distributed the public key, check its location and contents on the backup server (note that the public key file has permissions 600)
[root@backup ~]# ll .ssh/
-rw------- 1 root root 392 Apr 20 11:24 authorized_keys
[root@backup ~]# cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmsnAb+0VDb/8yfCDZhsMj8w1SoRthxTKEnFh+qCS6buM7V9MJckMOMWfBN47R6McQvvuSQAoPxm+67aCl75pvKpOXvypt/mzPmClHW7UYvKVKV46lOJKSqB43V8Qq1AhYqL6Ls3KZ7JkMWaT50DeSvRH7lIMk64zHRO896X9cfduQsUxh/f+tBfL+zYLynkrm+I45iVPq09eBrkrMJg9rrzzyzqOSze2CCB0gI+luz2fxaCJPNWbkx+VHOfx9N+j8oOPxNY1VLTTBZU/QDe+kdaiMAeCHQDqOfLEl0Sby83X7ou4K92URX0rr5Oy/XgYOT4LVyBMAeK7JgHlDb/4H jumpserver
[root@backup ~]#
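Section 2: Distributing a key from Windows to Linux
1. Open the Tools menu in Xshell and choose "New User Key Generation Wizard".
2. Leave the key type and key length at their defaults and click Next.
3. Click Next.
4. Enter a custom name for the key. The passphrase field adds a passphrase to the key; it can be left empty here. Click Next.
5. Choose Yes.
6. Choose Finish.
7. Choose User Key Manager.
8. Select the name of the key you just generated, then click Properties.
9. Click Public Key.
10. Here you can copy the public key contents or save them to a file.
11. Exporting the private key: first select the key name, then click Export. (This private key is used later in this post.)
12. Choose a location, enter a file name, and save. (Keep the private key safe.)
13. First log in with a password from Xshell: ssh root@10.0.0.100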
[root@osker ~]# ll -a
-rw-r--r--. 1 root root 100 Dec 29 2013 .cshrc
...
drwx------ 2 root root 25 Apr 9 20:14 .ssh
-rw-r--r--. 1 root root 129 Dec 29 2013 .tcshrc
### Change into .ssh, create the authorized_keys file, and copy the public key contents into it.
### Why create the authentication file here? Because the sshd configuration file defines the default location of the authentication file.
### vim /etc/ssh/sshd_config
### 47 AuthorizedKeysFile .ssh/authorized_keys
### (at around line 47)
[root@osker ~]# cd .ssh/
[root@osker .ssh]# vim authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzw6Q6jjoL43wnC3lQBuAMdVcI1CjeJYvrTUQuIJMCKFBZOWhM/8grwlq9DLwor kFgBmGHXQL3DqbBSsc5zjrJZgejITtHpkcCusfpucOuHFNSjglMmfRYZFy21Mimbg4ARH5ecrXxPwmWjCTSWMclFtS1pwzWGW9 9o+QkOX5C4zcJBvNpTFabu1Vw5XIy6HfxdgTXnGeFj39i0NPYXxrrCnT+LkDi9ksDT/KYsjXlPqTNqeVQQ0Et+NevjvZuRmswe yW/WruFK/Ki0mtQTfSqwzRmSMv8dTCOfgTf2JJ8SlQ476uB8Mu1MTe2TXN16n0kXceYPnyhYxt5zRzNiR9Kw== rsa 2048-04 2120
[root@osker .ssh]# ll -a
total 8
drwx------ 2 root root 48 Apr 21 07:46 .
dr-xr-x---. 3 root root 163 Apr 21 07:46 ..
-rw-r--r-- 1 root root 397 Apr 21 07:46 authorized_keys
-rw-r--r-- 1 root root 177 Apr 9 20:14 known_hosts
[root@osker .ssh]# ll authorized_keys
-rw-r--r-- 1 root root 397 Apr 21 07:46 authorized_keys
### Change the permissions
[root@osker .ssh]# chmod 600 authorized_keys
[root@osker .ssh]# ll authorized_keys
-rw------- 1 root root 397 Apr 21 07:46 authorized_keys
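At this point the public key has been uploaded to the managed host.
In the Xshell terminal, log in with ssh 10.0.100 and enter root as the user name.
Select Public Key, then select the test key you just created, and you can log in without a password.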
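The steps above depend on specific file modes: 700 on .ssh, and 600 on the private key and on authorized_keys. The shell functions below are an added example, not part of the original post; they report every path whose mode differs from those values. The names mode_of and audit_ssh_dir are hypothetical.

```shell
# Added example: compare an .ssh directory against the modes shown in
# this post (700 for the directory, 600 for key files).
# Usage: audit_ssh_dir /root/.ssh

# Print the octal mode of a path: GNU stat first, BSD stat as fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print one "BAD <mode> <path> (want <mode>)" line per mismatch.
# Returns 0 when every checked path matches, 1 otherwise.
audit_ssh_dir() {
    dir=$1
    bad=0
    check() {  # check <path> <wanted-mode>
        [ -e "$1" ] || return 0
        m=$(mode_of "$1")
        if [ "$m" != "$2" ]; then
            echo "BAD $m $1 (want $2)"
            bad=1
        fi
    }
    check "$dir" 700
    check "$dir/authorized_keys" 600
    # Private keys are recognised by their PEM header, not by file name,
    # so a key exported under a custom name is still checked.
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if head -n 1 "$f" | grep -q -- '-----BEGIN .*PRIVATE KEY-----'; then
            check "$f" 600
        fi
    done
    return $bad
}
```

Run it on both hosts after distributing a key: on the client it covers the private key, and on the managed host it covers authorized_keys.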
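Section 3: Adding the private key in other remote-connection clients
1. MobaXterm: enter the host address and user name, then under Advanced SSH settings tick "Use private key", browse to the test private key file exported to your computer earlier, select it, and click OK. (We already uploaded the public key to the test host above, so the upload is not repeated here.)
2. FinalShell: choose public key as the authentication method, and for the private key select the private key file exported to your computer earlier.
That completes the walkthrough of distributing keys from Linux or Windows to Linux.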
This is an original post; please credit the source when reposting.
from: chiugui@qq.com