Linux SSH secure login

Creating an SSH key pair

[root@localhost ~]# ssh-keygen -t rsa # create the key pair (on current OpenSSH prefer -t ed25519, or add -b 4096 if you stay with RSA)

Generating public/private rsa key pair.

Enter file in which to save the key (/root/.ssh/id_rsa): # where the key is stored

Enter passphrase (empty for no passphrase): # passphrase that encrypts the private key; may be left empty, but set one on any machine other people can reach

Enter same passphrase again:

Your identification has been saved in /root/.ssh/id_rsa. # private key: stays on this machine

Your public key has been saved in /root/.ssh/id_rsa.pub. # public key: this is the file that gets copied to servers

The key fingerprint is:

40:96:bf:a5:89:c2:66:a3:bd:dc:79:a3:b5:a8:1f:8d root@localhost.localdomain

The key's randomart image is:

+--[ RSA 2048]----+

| o. |

| o. |

| .. |

| .. . |

| . .S= |

| * .o+ |

| = oE o |

| .... =o. |

| ++*o.. |

+-----------------+

[root@localhost .ssh]# ls

id_rsa id_rsa.pub # now upload the public key (id_rsa.pub, never id_rsa) to the remote Linux machine

[root@localhost .ssh]#

[root@localhost ~]# clear

[root@localhost ~]# ssh-copy-id -i .ssh/id_rsa.pub root@10.0.0.2

The authenticity of host '10.0.0.2 (10.0.0.2)' can't be established.

RSA key fingerprint is fb:82:7c:05:f1:74:86:47:52:64:87:3c:86:fd:cd:ee.

Are you sure you want to continue connecting (yes/no)? yes # asked only on the first connection; compare the fingerprint with one obtained out of band (ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub on the server console) before answering yes

Warning: Permanently added '10.0.0.2' (RSA) to the list of known hosts.

root@10.0.0.2's password:

Now try logging into the machine, with "ssh 'root@10.0.0.2'", and check in:

.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

[root@localhost ~]#

[root@localhost ~]# ssh 10.0.0.2

Enter passphrase for key '/root/.ssh/id_rsa': # the key's passphrase, not the account password

Last login: Wed Oct 29 16:47:08 2014 from 10.0.0.1

[root@postgresql ~]# ls -a .ssh/

. .. authorized_keys # the public key landed in authorized_keys

[root@postgresql ~]# # no sshd restart is needed for this step: authorized_keys is read on every login

To make the system more secure, disable password authentication and rely on key authentication only

[root@localhost ~]# vi /etc/ssh/sshd_config

Protocol 2 # SSH protocol 2 only (on current OpenSSH, SSH-1 no longer exists and this line is a no-op)

PubkeyAuthentication yes # enable public-key authentication (the default)

AuthorizedKeysFile .ssh/authorized_keys # where sshd looks for authorized keys, relative to the user's home directory

PasswordAuthentication no # disable password authentication. Keep your current session open and test key login from a second session before restarting; if PAM is in use, also set ChallengeResponseAuthentication to no (KbdInteractiveAuthentication on newer versions), otherwise passwords are still accepted through keyboard-interactive

[root@localhost ~]# /etc/init.d/sshd restart # restart the sshd service (systemctl restart sshd on systemd systems); run sshd -t first to catch config errors

Change the default port 22 to a four-digit port by setting the Port directive in the same file; open the new port in the firewall (and in SELinux, if it is enforcing) before restarting sshd, or you will lock yourself out

vi /etc/ssh/sshd_config
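Before restarting sshd with the settings above and the new Port, it is worth checking what sshd will actually use: it takes the first occurrence of each keyword, keywords are case-insensitive, and settings inside a Match block apply only to matching connections. The script below is an added example, not from the original post. It reads an sshd_config file and flags the weak settings this page is about; the helper names sshd_value and sshd_config_check are made up for this example, and it assumes the usual "keyword value" syntax, one setting per line, with no Include files.

```shell
#!/bin/sh
# Added example (not from the original post): report the settings sshd would
# actually use from an sshd_config, and flag the ones this page hardens.
# Rules implemented: first occurrence of a keyword wins, keywords are
# case-insensitive, comments are ignored, and the global section ends at the
# first Match line. Assumption (hypothetical): "keyword value" form only,
# no "keyword=value" and no Include directives.

# sshd_value FILE KEYWORD DEFAULT -> prints the effective global value, lowercased
sshd_value() {
    file=$1 keyword=$2 default=$3
    value=$(awk -v want="$(printf '%s' "$keyword" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                      # strip comments
        NF == 0 { next }                        # skip blank lines
        tolower($1) == "match" { exit }         # global section ends here
        tolower($1) == want { print $2; exit }  # first occurrence wins
    ' "$file")
    printf '%s\n' "${value:-$default}" | tr 'A-Z' 'a-z'
}

# sshd_config_check FILE -> prints one line per weak setting,
# returns 1 if anything is still weak and 0 if the file is clean
sshd_config_check() {
    file=$1 rc=0
    [ "$(sshd_value "$file" PubkeyAuthentication yes)" = yes ] ||
        { echo "PubkeyAuthentication is off: key login would fail"; rc=1; }
    [ "$(sshd_value "$file" PasswordAuthentication yes)" = no ] ||
        { echo "PasswordAuthentication is still on"; rc=1; }
    # With PAM, passwords also arrive via keyboard-interactive unless that is
    # off too. KbdInteractiveAuthentication is the newer spelling of
    # ChallengeResponseAuthentication; either one set to no is accepted here.
    cr=$(sshd_value "$file" ChallengeResponseAuthentication "")
    kb=$(sshd_value "$file" KbdInteractiveAuthentication "")
    [ "$cr" = no ] || [ "$kb" = no ] ||
        { echo "keyboard-interactive (PAM password) auth is still on"; rc=1; }
    [ "$(sshd_value "$file" Port 22)" != 22 ] ||
        { echo "Port is still 22"; rc=1; }
    # Default assumed "yes" (the pre-7.0 OpenSSH default); newer releases
    # default to prohibit-password, but say so explicitly in the file.
    [ "$(sshd_value "$file" PermitRootLogin yes)" != yes ] ||
        { echo "PermitRootLogin is yes: set prohibit-password or no"; rc=1; }
    return "$rc"
}

# Stand-alone use: sh sshd_check.sh --check /etc/ssh/sshd_config
if [ "${1:-}" = "--check" ]; then
    sshd_config_check "${2:-/etc/ssh/sshd_config}"
fi
```

Run it as sh sshd_check.sh --check /etc/ssh/sshd_config; it prints one line per problem and exits non-zero while anything remains, so it slots into a deploy script just before sshd -t and the restart. Because it stops reading at the first Match line, a "PasswordAuthentication yes" placed under Match Address for a trusted subnet does not trip it, which matches how sshd scopes that setting.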

To log in from another client machine, that machine needs the private key (id_rsa): copy it there over a secure channel, keep it passphrase-protected, and delete any spare copies. The public key (id_rsa.pub) is what goes onto servers, not onto clients.

If you log in with a GUI SSH tool instead of the ssh command, load the same private key into the tool's key settings.

What we set up above is one-way: only 10.0.0.1 can log in to 10.0.0.2 with a key.

For two-way key login, run ssh-keygen -t rsa on both machines, each generating its own pair in the same way as above.

Then install each machine's public key (id_rsa.pub) into the other machine's ~/.ssh/authorized_keys (append it there, as ssh-copy-id does; the file is named authorized_keys, and the private key never leaves the machine that generated it), and apply the same sshd_config changes on both sides.
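The one-way step (what ssh-copy-id did on 10.0.0.2) and the two-way step here are the same operation on the receiving side: append the public key to ~/.ssh/authorized_keys with the permissions sshd's StrictModes demands. The function below is an added example, not from the original post. Its interface is made up for this page: the target user's home directory is passed as the first argument so it can be tried on a temporary directory, it refuses anything that is not a public-key line, and it does not add a key twice even if the trailing comment differs.

```shell
#!/bin/sh
# Added example, not from the original post: what ssh-copy-id does on the
# receiving host, done by hand and idempotently. Serves both the one-way
# setup (client key -> server) and the two-way setup (each host's key -> the
# other host). Assumption (hypothetical interface): the home directory of
# the target user is passed explicitly so the function can run on a temp dir.

# install_pubkey HOME_DIR "PUBLIC KEY LINE"
install_pubkey() {
    home_dir=$1
    pubkey=$2
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # Only accept a public-key line. A private key (id_rsa) pasted here by
    # mistake would otherwise sit in a file the server reads on every login.
    case $pubkey in
        "ssh-rsa "*|"ssh-ed25519 "*|ecdsa-sha2-*" "*) ;;
        *) echo "install_pubkey: expected a public key line (ssh-rsa/ssh-ed25519/ecdsa)" >&2
           return 2 ;;
    esac

    # sshd's StrictModes (on by default) ignores authorized_keys when ~/.ssh
    # or the file is group/world writable, so set the permissions every time.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"

    # Duplicate check on key type + base64 blob only, so re-running with a
    # different comment ("user@host") does not add the same key twice.
    key_id=$(printf '%s\n' "$pubkey" | awk '{ print $1 " " $2 }')
    if awk -v id="$key_id" '($1 " " $2) == id { found = 1 } END { exit !found }' "$auth_file"; then
        return 0   # already installed
    fi
    printf '%s\n' "$pubkey" >> "$auth_file"
    # When run as root on behalf of another user, finish with
    #   chown -R "$user:$user" "$ssh_dir"
    # because StrictModes also rejects files not owned by the login user.
}

# count_keys HOME_DIR -> number of installed keys (blank lines ignored)
count_keys() {
    grep -c . "$1/.ssh/authorized_keys"
}

# Stand-alone demo on a temporary directory with a constructed (not real) key:
#   sh install_pubkey.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    install_pubkey "$demo" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDemoKeyNotARealKey0123456789abcdefghijk root@localhost"
    install_pubkey "$demo" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDemoKeyNotARealKey0123456789abcdefghijk root@localhost"
    echo "installed keys: $(count_keys "$demo")"   # 1, not 2
    rm -rf "$demo"
fi
```

On a real host, call it as install_pubkey /home/alice "$(cat id_rsa.pub)" and then chown the directory to that user if you ran it as root; afterwards "ls -la ~/.ssh" on the target should show exactly the keys you expect, which is the check the ssh-copy-id message above asks for.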

Test

Logging in each way now needs no password, only the key (and its passphrase, if you set one). To restrict access further, also lock logins down by source IP: a from="10.0.0.1" option in front of the key in authorized_keys, a Match Address block in sshd_config, or a firewall rule on the new port.