前提:
1. 秘钥的生成需要OpenSSL的支持, 需要自行进行安装
一. 新建用户
在root登陆状态中执行命令:
useradd -m ssh-user # centos
adduser ssh-user # ubuntu passwd ssh-user // 设置ssh-user密码
切换到ssh-user 用户:
su ssh-user
追加用户组:
sudo usermod -a -G sudo xxx
# 将xxx用户加入到sudo组中,具有超级管理员权限
二. 创建.ssh目录并生成秘钥对
创建.ssh目录:
mkdir /home/ssh-user/.ssh
生成秘钥对:
ssh-keygen -t rsa -b 4096
参数说明:
usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1] [-N new_passphrase] [-C comment] [-f output_keyfile] ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile] ssh-keygen -i [-m key_format] [-f input_keyfile] 读取未加密的ssh-v2兼容的私钥/公钥文件,然后在标准输出设备上显示openssh兼容的私钥/公钥 ssh-keygen -e [-m key_format] [-f input_keyfile] 读取openssh的私钥或者公钥文件 ssh-keygen -y [-f input_keyfile] ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]
-C 添加注释 ssh-keygen -l [-v] [-E fingerprint_hash] [-f input_keyfile] 显示公钥文件的指纹数据 ssh-keygen -B [-f input_keyfile] ssh-keygen -D pkcs11 ssh-keygen -F hostname [-f known_hosts_file] [-l] ssh-keygen -H [-f known_hosts_file] ssh-keygen -R hostname [-f known_hosts_file] ssh-keygen -r hostname [-f input_keyfile] [-g] ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point] ssh-keygen -T output_file -f input_file [-v] [-a rounds] [-J num_lines] [-j start_line] [-K checkpt] [-W generator] ssh-keygen -s ca_key -I certificate_identity [-h] [-n principals] [-O option] [-V validity_interval] [-z serial_number] file ... ssh-keygen -L [-f input_keyfile] ssh-keygen -A ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number] file ... ssh-keygen -Q -f krl_file file ...
生成成功之后 ,会在该目录下有两个文件: id_rsa(私钥), id_rsa.pub(公钥)
目录下新建文件authorized_keys:
touch authorized_keys
将公钥追加到authorized.key文件中:
cat id_rsa.pub >> authorized_keys
设置目录权限:
chmod 700 /home/ssh-user/.ssh
设置文件权限:
chmod 600 /home/ssh-user/.ssh/authorized_keys
将私钥下发到本地或需要进行登陆的远端服务器上:
可以使用FTP链接下载或者scp等命令传输过去即可.
scp -P 8932 -i user1/.ssh/id_rsa user2/.ssh/authorized_keys user1@172.160.114.147:/home/user2
三. 远程登录(秘钥对)
远程登录命令:
ssh -i ./id_rsa ssh-user@47.99.180.120
参数说明:
usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec] [-D [bind_address:]port] [-E log_file] [-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file] [-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port] [-Q query_option] [-R address] [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]] [user@]hostname [command]
四. 禁止密码登陆
编辑文件/etc/ssh/sshd_config
AuthorizedKeysFile .ssh/authorized_keys //公钥公钥认证文件 PubkeyAuthentication yes //可以使用公钥登录 PasswordAuthentication no //不允许使用密码登录
五. 重启sshd服务
1) centos
service sshd restart
systemctl restart sshd.service
2)ubuntu
# 启动 /etc/init.d/ssh start # 重启 /etc/init.d/ssh restart
其他:
l 使用配置登录别名,进行登陆(在需要进行登陆的服务器上)
vim ~/.ssh/config Host ssh-user # 别名 HostName aslong.xin # 域名或ip Port 22 # 端口 User dev # 登录名 IdentityFile ~/.ssh/id_rsa # 本机私钥存放位置
命令:
ssh ssh-user
2. 使用ssh-copy-id实现免密登陆
1) 在本地机器上使用ssh-keygen产生公钥私钥对
ssh-keygen -t 加密方式
2)用ssh-copy-id将公钥复制到远程机器中
$ ssh-copy-id -i .ssh/id_rsa.pub 用户名字@192.168.x.xxx 注意: ssh-copy-id 将key写到远程机器的 ~/ .ssh/authorized_keys 文件中
3)登录到远程机器不用输入密码
$ ssh 用户名字@192.168.x.xxx
常见问题
1. Permissions 0644 for ‘/root/.ssh/id_rsa’ are too open
使用终端进行连接的时候,报错,这是由于权限过大,需要限制其私钥的访问权限
chmod 600 id_rsa