Linux: secure SSH login
Create an SSH key pair
[root@localhost ~]# ssh-keygen -t rsa # create the key pair
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): # key location
Enter passphrase (empty for no passphrase): # key passphrase, may be left empty
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa. # private key
Your public key has been saved in /root/.ssh/id_rsa.pub. # public key
The key fingerprint is:
40:96:bf:a5:89:c2:66:a3:bd:dc:79:a3:b5:a8:1f:8d root@localhost.localdomain
The key's randomart image is:
+--[ RSA 2048]----+
| o. |
| o. |
| .. |
| .. . |
| . .S= |
| * .o+ |
| = oE o |
| .... =o. |
| ++*o.. |
+-----------------+
[root@localhost .ssh]# ls
id_rsa id_rsa.pub # upload the public key to the remote Linux machine
[root@localhost .ssh]#
[root@localhost ~]# clear
[root@localhost ~]# ssh-copy-id -i .ssh/id_rsa.pub root@10.0.0.2
The authenticity of host '10.0.0.2 (10.0.0.2)' can't be established.
RSA key fingerprint is fb:82:7c:05:f1:74:86:47:52:64:87:3c:86:fd:cd:ee.
Are you sure you want to continue connecting (yes/no)? yes # the first connection asks for confirmation
Warning: Permanently added '10.0.0.2' (RSA) to the list of known hosts.
root@10.0.0.2's password:
Now try logging into the machine, with "ssh 'root@10.0.0.2'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[root@localhost ~]#
[root@localhost ~]# ssh 10.0.0.2
Enter passphrase for key '/root/.ssh/id_rsa': # the key passphrase is required
Last login: Wed Oct 29 16:47:08 2014 from 10.0.0.1
[root@postgresql ~]# ls -a .ssh/
. .. authorized_keys # the public key is in place, ok
[root@postgresql ~]# # restart ssh and it's done.
To make the system more secure, disable password authentication and enable key authentication
[root@localhost ~]# vi /etc/ssh/sshd_config
Protocol 2 # enable SSH protocol version 2
PubkeyAuthentication yes # enable public-key authentication
AuthorizedKeysFile .ssh/authorized_keys # where the authorized keys are stored
PasswordAuthentication no # disable password authentication
[root@localhost ~]# /etc/init.d/sshd restart # restart the ssh service
Change the system's default port 22 to a four-digit port, again by editing the ssh configuration file
vi /etc/ssh/sshd_config
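The settings changed above can be checked and applied mechanically. The script below is an added example, not part of the original post: it reads the effective value of each keyword the way sshd does (first uncommented match wins, keywords are case-insensitive), reports which of the post's settings are still weak, and writes a hardened copy that moves the daemon to a non-default port. The sample sshd_config it creates is constructed for the demo; the file names, function names and the port 2222 are assumptions, and nothing here touches /etc/ssh.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an sshd_config for the
# settings the post changes (Protocol 2, PubkeyAuthentication yes,
# PasswordAuthentication no, a port other than 22) and write a hardened copy.
# Assumes POSIX sh plus awk. The sample config is constructed for the demo and
# nothing here touches /etc/ssh.

# Effective value of one keyword. sshd uses the first uncommented match and
# matches keywords case-insensitively, so do the same.
sshd_value() {  # $1 = config file, $2 = keyword
  awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ { next }
    NF >= 2 && tolower($1) == k { print $2; exit }
  ' "$1"
}

# Print one OK/WEAK line per setting; return 1 if any setting is weak.
# Each spec is keyword:wanted-value:value-assumed-when-the-line-is-absent
# (Protocol defaults to 2 on OpenSSH 5.4 and later, passwords default to on).
audit_sshd_config() {  # $1 = config file
  rc=0
  for spec in Protocol:2:2 PubkeyAuthentication:yes:yes PasswordAuthentication:no:yes; do
    key=${spec%%:*}; rest=${spec#*:}; want=${rest%%:*}; dflt=${rest#*:}
    v=$(sshd_value "$1" "$key"); [ -n "$v" ] || v=$dflt
    if [ "$v" = "$want" ]; then
      echo "OK   $key $v"
    else
      echo "WEAK $key $v (want $want)"; rc=1
    fi
  done
  # The post also moves sshd off port 22; an absent Port line means 22.
  p=$(sshd_value "$1" Port); [ -n "$p" ] || p=22
  if [ "$p" != 22 ]; then echo "OK   Port $p"; else echo "WEAK Port $p (want a non-default port)"; rc=1; fi
  return $rc
}

# Write a hardened copy of $1 to $2 listening on port $3. The new lines go at
# the top (first match wins, and it keeps them out of any later Match block);
# old lines for the same keywords are dropped so the file is not misleading.
harden_sshd_config() {  # $1 = source file, $2 = output file, $3 = port
  {
    printf 'Protocol 2\nPubkeyAuthentication yes\nAuthorizedKeysFile .ssh/authorized_keys\n'
    printf 'PasswordAuthentication no\nPort %s\n' "$3"
    awk 'BEGIN { split("protocol pubkeyauthentication authorizedkeysfile passwordauthentication port", a, " ")
                 for (i in a) drop[a[i]] = 1 }
         /^[[:space:]]*#/ { print; next }
         NF >= 1 && (tolower($1) in drop) { next }
         { print }' "$1"
  } > "$2"
}

# Constructed sample: a stock-looking file that still allows password login on 22.
write_sample_config() {  # $1 = path
  cat > "$1" <<'EOF'
# sshd_config sample, constructed for this example
#Port 22
Protocol 2,1
#PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
EOF
}

demo() {
  src=$(mktemp); dst=$(mktemp)
  write_sample_config "$src"
  echo "--- before"; audit_sshd_config "$src" || true
  harden_sshd_config "$src" "$dst" 2222
  echo "--- after";  audit_sshd_config "$dst"
  rm -f "$src" "$dst"
}
case "${1:-}" in run) demo ;; esac
```

Run it as `sh sshd_audit.sh run` (the file name is an assumption) to see the before/after report on the constructed sample; to audit a real file, call `audit_sshd_config /etc/ssh/sshd_config` and read the hardened copy before putting it in place. Keep an existing session open while restarting sshd after the change, so a typo in the new file cannot lock you out.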
If you need to log in, just copy the public key file out and that's it.
If you use a client tool, you can configure the key in the tool instead.
The key created above is one-way.
To create a two-way key pair, run ssh-keygen -t rsa on both machines, using the same key.
Copy the generated key into the other machine's ~/.ssh/ directory and rename it authorized_keys (after renaming on both sides, copy each one into the other side's user ~/.ssh/ directory), then modify the sshd_config file.
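Installing the other side's public key by hand is where most key-login problems come from: copying over an existing authorized_keys file removes keys that were already there, a duplicate line appears after a second copy, and sshd silently ignores the file when .ssh or authorized_keys is writable by anyone else. The function below is an added example, not part of the original post; it does what ssh-copy-id does on the receiving side (append, skip duplicates, set 700 on .ssh and 600 on authorized_keys) and counts the installed keys for the "make sure we haven't added extra keys" check quoted earlier. The home directories and the key lines are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not part of the original post: install a public key into a
# user's ~/.ssh/authorized_keys the way ssh-copy-id does, appending instead of
# replacing, skipping keys already present, and setting the permissions sshd
# requires. Assumes POSIX sh; the key lines below are constructed placeholders.

# Append $1 (one public-key line) to authorized_keys under home directory $2
# unless an identical line is already there. Prints "added" or "present".
install_authorized_key() {  # $1 = key line, $2 = home directory
  d="$2/.ssh"; f="$d/authorized_keys"
  mkdir -p "$d" && chmod 700 "$d"        # sshd refuses group/world-writable dirs
  [ -e "$f" ] || : > "$f"
  chmod 600 "$f"
  if grep -qxF -- "$1" "$f"; then         # whole-line, literal match
    echo present
  else
    printf '%s\n' "$1" >> "$f"; echo added
  fi
}

# Number of key lines in authorized_keys (blank and comment lines excluded),
# for the "make sure we haven't added extra keys" check.
count_authorized_keys() {  # $1 = home directory
  f="$1/.ssh/authorized_keys"
  [ -f "$f" ] || { echo 0; return 0; }
  grep -cv -e '^[[:space:]]*$' -e '^[[:space:]]*#' "$f" || true
}

# Two-way setup from the post, simulated with two temporary home directories
# standing in for the two machines: each side gets the other side's key.
demo() {
  a=$(mktemp -d); b=$(mktemp -d)
  key_a='ssh-rsa AAAAconstructedkeyA root@hostA'   # constructed placeholder, not a real key
  key_b='ssh-rsa AAAAconstructedkeyB root@hostB'   # constructed placeholder, not a real key
  echo "A -> B: $(install_authorized_key "$key_a" "$b")"
  echo "B -> A: $(install_authorized_key "$key_b" "$a")"
  echo "A -> B again: $(install_authorized_key "$key_a" "$b")"   # no duplicate line
  echo "keys on B: $(count_authorized_keys "$b")"
  ls -ld "$b/.ssh" "$b/.ssh/authorized_keys"
  rm -rf "$a" "$b"
}
case "${1:-}" in run) demo ;; esac
```

On a real host, feed the function the contents of the other machine's id_rsa.pub and the target user's home directory; the count should match the number of hosts you meant to trust, and anything beyond that is a key to investigate.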
Test
No authentication prompt is needed any more; you can also lock logins down by network IP, and so on.