0. Overview


When logging in to a remote server with ssh, you normally have to type a password every time. The aim here is to log in with a key pair instead, so that no password is needed and the ground is prepared for automated batch deployment of hosts later on.

The environment is as follows:


Role      IP address      Operating system
Server    10.0.0.128/24   CentOS 6.5 x86
Client    10.0.0.129/24   Ubuntu 16.04 x86




1. Generate the key pair on the client


Generate the key pair:

xpleaf@leaf:~$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/xpleaf/.ssh/id_rsa): 
Created directory '/home/xpleaf/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/xpleaf/.ssh/id_rsa.
Your public key has been saved in /home/xpleaf/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:eLssyXJLzUCfSN5mu6nqNH9dB/gOyXSvWBwQdNssIYE xpleaf@leaf
The key's randomart image is:
+---[RSA 2048]----+
|         o=oo    |
|        E .o =   |
|      o    oo o  |
|     + = .o +.   |
|      = So = +   |
|       B o+ = o  |
|    o...=. * o   |
|   ..+=..+o o    |
|   .o++==        |
+----[SHA256]-----+

Inspect the generated key pair:

xpleaf@leaf:~$ ls .ssh
id_rsa  id_rsa.pub
# id_rsa is the private key and must be kept secret; id_rsa.pub is the public key and can be shared freely.




2. Upload the public key to the server


Use the scp command:

xpleaf@leaf:~$ scp .ssh/id_rsa.pub root@10.0.0.128:/root
The authenticity of host '10.0.0.128 (10.0.0.128)' can't be established.
RSA key fingerprint is SHA256:0Tpm11wruaQXyvOfEB1maIkEwxmjT2AklWb198Vrln0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.128' (RSA) to the list of known hosts.
root@10.0.0.128's password: 
id_rsa.pub                                                    100%  393     0.4KB/s   00:00




3. Server-side steps


Append the public key received from the client to .ssh/authorized_keys:

[root@leaf ~]# cat id_rsa.pub >> .ssh/authorized_keys
[root@leaf ~]# chmod 600 .ssh/authorized_keys    # authorized_keys must have permissions 600

Edit the ssh configuration file /etc/ssh/sshd_config and find the following line:

PubkeyAuthentication no

Change it to:

PubkeyAuthentication yes
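The server-side steps above collected into a shell script, as an added example that is not code from the original post. It assumes two parameters, the home directory of the account that will log in and the path of the uploaded public-key file, and it is safe to run more than once: it creates .ssh with mode 700, sets authorized_keys to 600 as the post does, and appends the key only if that exact line is not already present, which a bare cat >> never checks. The second function reports whether an sshd_config file has PubkeyAuthentication enabled instead of editing it blindly; sshd uses the first uncommented occurrence of a keyword, and an edit only takes effect once sshd has been restarted (on CentOS 6: service sshd restart).

```shell
#!/bin/sh
# Added example: install an uploaded public key on the server the way the
# post describes, but idempotently and with the permissions sshd expects.
# Usage: install_pubkey <home_dir> <pubkey_file>   (paths are illustrative)
install_pubkey() {
    home_dir="$1"
    pubkey_file="$2"
    ssh_dir="$home_dir/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    # The uploaded file must hold one "type base64 [comment]" line.
    [ -s "$pubkey_file" ] || { echo "no public key at $pubkey_file" >&2; return 1; }
    key="$(head -n 1 "$pubkey_file")"
    case "$key" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*) ;;
        *) echo "unrecognised public key format in $pubkey_file" >&2; return 1 ;;
    esac

    # .ssh must be 700 and authorized_keys 600: the post sets 600 explicitly,
    # and with the default StrictModes sshd ignores the file if it is looser.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_keys"
    chmod 600 "$auth_keys"

    # Append only when this exact key is absent (cat >> alone would add a
    # duplicate line every time the script is run).
    if grep -qxF "$key" "$auth_keys"; then
        echo "key already present in $auth_keys"
    else
        printf '%s\n' "$key" >> "$auth_keys"
        echo "key added to $auth_keys"
    fi
}

# Report whether PubkeyAuthentication is enabled in an sshd_config file.
# Returns 0 when it is "yes" or absent (the compiled-in default is yes),
# 1 when the first uncommented occurrence says "no".
pubkey_auth_enabled() {
    config="$1"
    # sshd takes the first uncommented value of a keyword, hence head -n 1.
    value="$(grep -iE '^[[:space:]]*PubkeyAuthentication[[:space:]]+' "$config" \
             | head -n 1 | awk '{ print tolower($2) }')"
    case "$value" in
        ""|yes) return 0 ;;
        *)      return 1 ;;
    esac
}

# On the server, as root (illustrative paths from the post):
#   install_pubkey /root /root/id_rsa.pub
#   pubkey_auth_enabled /etc/ssh/sshd_config || echo "set PubkeyAuthentication yes"
#   service sshd restart     # CentOS 6: the config is only re-read on restart
```

Run it on the server as root, then confirm the sshd_config setting with pubkey_auth_enabled before restarting sshd; the install function prints whether it added the key or found it already there.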




4. Test


From the client, log in to the server using the key:

xpleaf@leaf:~$ ssh -i .ssh/id_rsa root@10.0.0.128
Last login: Tue May  9 15:14:01 2017 from 10.0.0.129
[root@leaf ~]#




5. Notes


  • On the server, SELinux needs to be turned off, otherwise key-based remote login will not work in the end;

  • When using scp from the client, the server must also have an ssh client installed, otherwise the public key cannot be uploaded to it. Alternatively, ssh-copy-id root@10.0.0.128 can be used instead of the scp step (then there is no need to create the .ssh directory and so on on the server; in effect, this one command uploads and configures the key in a single step);
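Both notes concern key login failing without any useful error on the client, so here is an added diagnostic script, not from the original post, that checks the usual causes on whichever side it is run. With the default StrictModes yes, sshd ignores authorized_keys entirely if the home directory, .ssh or the file itself is group- or world-writable or not owned by the login user; on the client, ssh refuses a private key that other users can read. The home-directory argument is an assumption for illustration. Where SELinux is enforcing it prints the narrower alternative to switching SELinux off, namely restoring the ssh_home_t label on .ssh with restorecon.

```shell
#!/bin/sh
# Added example: audit the permission problems that make sshd silently ignore
# authorized_keys (StrictModes) and the one that makes ssh refuse a private key.
# Usage: audit_ssh_dir <home_dir>   (run as the account that will log in)
# Prints one line per problem and returns 1 if any were found, else 0.

# 10-character mode string of a path, e.g. drwx------.
mode_of() { ls -ld "$1" | cut -c1-10; }

# True if group or others may write the path (a StrictModes failure).
loosely_writable() {
    m="$(mode_of "$1")"
    [ "$(printf '%s\n' "$m" | cut -c6)" = w ] || [ "$(printf '%s\n' "$m" | cut -c9)" = w ]
}

# True if group or others may read the path (fatal for a private key).
loosely_readable() {
    m="$(mode_of "$1")"
    [ "$(printf '%s\n' "$m" | cut -c5)" = r ] || [ "$(printf '%s\n' "$m" | cut -c8)" = r ]
}

audit_ssh_dir() {
    home_dir="$1"
    problems=0
    me="$(id -un)"

    # Everything on the path to authorized_keys must be owned by the user
    # and not writable by anyone else, or sshd will not read the file.
    for p in "$home_dir" "$home_dir/.ssh" "$home_dir/.ssh/authorized_keys"; do
        [ -e "$p" ] || { echo "missing: $p"; problems=$((problems + 1)); continue; }
        if loosely_writable "$p"; then
            echo "group/world-writable: $p"; problems=$((problems + 1))
        fi
        owner="$(ls -ld "$p" | awk '{ print $3 }')"
        if [ "$owner" != "$me" ]; then
            echo "not owned by $me: $p (owner $owner)"; problems=$((problems + 1))
        fi
    done

    # Client side: ssh refuses a private key others can read
    # ("UNPROTECTED PRIVATE KEY FILE") rather than using it.
    if [ -e "$home_dir/.ssh/id_rsa" ] && loosely_readable "$home_dir/.ssh/id_rsa"; then
        echo "private key readable by others: $home_dir/.ssh/id_rsa"
        problems=$((problems + 1))
    fi

    # The post disables SELinux; the narrower fix is to give .ssh its expected
    # label (ssh_home_t). This only prints a hint and changes nothing.
    if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce)" = Enforcing ]; then
        echo "SELinux enforcing: check that 'ls -Zd $home_dir/.ssh' shows ssh_home_t," \
             "or run 'restorecon -R -v $home_dir/.ssh' to relabel it"
    fi

    [ "$problems" -eq 0 ]
}

# Client-side check that key authentication itself succeeded, with no fallback
# to the password prompt (addresses from the post):
#   ssh -o BatchMode=yes -o PasswordAuthentication=no -i .ssh/id_rsa root@10.0.0.128 true
```

Run audit_ssh_dir /root on the server and audit_ssh_dir "$HOME" on the client; a non-zero exit means at least one problem was printed, and each line names the path so it can be fixed with chown or chmod rather than by loosening the server.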