原文地址:http://lxshopping.blog.51cto.com/4542643/1179864/
一,不需要输密码的ssh
原理:首先服务器端把公钥传给Client端,Client端在验证了服务器的可信性以后,可以通过对称加密传输数据。当Client要链接到server的时候,会通过/etc/shadow验证用户名和密码,但是如果在客户端产生一对密钥,然后把产生的公钥传到服务器端,这样的话在接受了客户端用私钥加密的数据以后可以直接用服务器拥有的客户机的公钥进行解密,用的是公钥加密私钥解密的模式,而不需要读/etc/shadow文件,这是两种不同的连接方式。
1,在ssh的server端启动sshd服务就会产生public key 和private key,一共3对钥匙。
[root@server1 ssh]# service sshd restart Stopping sshd: [ OK ] Generating SSH1 RSA host key: [ OK ] Generating SSH2 RSA host key: [ OK ] Generating SSH2 DSA host key: [ OK ] Starting sshd:
[root@server1 ssh]# ls (/etc/ssh) moduli ssh_host_dsa_key ssh_host_key.pub ssh_config ssh_host_dsa_key.pub ssh_host_rsa_key sshd_config ssh_host_key ssh_host_rsa_key.pub
2,每次有Client端的ssh联机需求传过来时,server就会传公钥给Client,此时client会利用/etc/ssh/ssh_know_hosts或者~/.ssh/know_hosts对比公钥的正确性。~/.ssh/know_hosts会记录曾经连过的服务器的public_key,
[root@server2 ~]# rm -fr .ssh/known_hosts [root@server2 ~]# ls .ssh/ [root@server2 ~]# ssh ###如果在连某个主机的时候know_hosts里面没有记录,则在ssh的时候会弹出对话并在里面添加这条记录,这样下次再连的时候就不会再询问### The authenticity of host '192.168.12.1 (192.168.12.1)' can't be established. RSA key fingerprint is cf:ea:07:39:9b:fb:04:76:7e:c5:73:0b:97:fb:06:db. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '192.168.12.1' (RSA) to the list of known hosts. root@192.168.12.1's password:
Server上 查看server上的指纹,与返回到Client端得指纹一样,则验证了主机的真实性,每一对密钥都有一样的指纹。
[root@server4 ~]# ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub 2048 cf:ea:07:39:9b:fb:04:76:7e:c5:73:0b:97:fb:06:db /etc/ssh/ssh_host_rsa_key.pub [root@server4 ~]# ssh-keygen -lf /etc/ssh/ssh_host_rsa_key 2048 cf:ea:07:39:9b:fb:04:76:7e:c5:73:0b:97:fb:06:db /etc/ssh/ssh_host_rsa_key.pub
[root@server2 ~]# cat .ssh/known_hosts 192.168.12.1 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvPOQ0LmlgrE15e37+eL2fGXGAbUaSr1BI5nWFjXc/pdN3MbGIPBDWnKryIke6gR3wxag72IZ5ZmXQ0VQ6CPBD/lumAo0Ymq2B70l9eyxri8j++O+DbQVmFMJ3aGgr2qf70NXC1I+C22i6Chfx2gWTm9rtDDa/5fYrXseqGlM+EhG7MgC2bIkcAweboDejd+4wet0Kgp0YSl+QVlqbsTMJi4fvhIt/n95+CzJFhp0uOcRvFvIuW+wGM3b7Tg7O3r6VzNBZJM27LHuoWRItHuFpkitT58fsp3aBkIeNR22V65SY/5ICO2ywz0QCYZAz4gcjFsEAGKqL1GqdwTkuN+QAQ==
####添加了该访问记录###
客户端产生密钥对
[root@server2 ~]# ssh-keygen -t rsa Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa): Enter passphrase (empty for no passphrase): ###这是对产生的私钥进行加密### Enter same passphrase again: Your identification has been saved in /root/.ssh/id_rsa. ###客户端的私钥### Your public key has been saved in /root/.ssh/id_rsa.pub. ###客户端的公钥### The key fingerprint is: ed:af:64:8c:14:18:0c:97:36:54:b5:e1:35:dc:83:5c root@server2
[root@server2 ~]# cd .ssh/ [root@server2 .ssh]# ls id_rsa id_rsa.pub known_hosts ###客户端产生的密钥对存在这下面### ###把客户端的公钥传给客户端### [root@server2 .ssh]# ssh-copy-id -i id_rsa.pub 192.168.12.1 10 root@192.168.12.1's password: Now try logging into the machine, with "ssh '192.168.12.1'", and check in: .ssh/authorized_keys to make sure we haven't added extra keys that you weren't expecting. [root@server2 .ssh]# cat id_rsa.pub ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAriu15Mg0+5AiZa0pp2/mOPre9T9JtNuwKCEX4OC6bDWd/FbXScUO7Nu/I6gLtToGiAoId9nucysHOvPIiqoKiRq7E6exueWzJkFj09RrndzW2XKwKlHzTIvBAuyp9fOT4nVauiu3UbdkyyRTiwgo5Ze5amlJlrr7tT3/f3JyOlVICPsebSm4eN2t0t8+6f/CwkhsGiHHMwVzrPp9oixnkVetYi1pDjCFxCQS2Q/eBPaC58HopcUqpkWMpw8imoud8oL7+zcypPVoUP8RqeOq/of0tqgNbsMpOcDxPiFyh6UMjaGotDGCHKFNpZerJzzmmevCkUNtF2bzIhUctadkZQ== root@server2 ###在客户端查看,发现新产生了一个authorized_keys ,里面内容和公钥的一样,以后再加的话会自动在这个文件里追加内容### [root@server4 .ssh]# ls authorized_keys known_hosts [root@server4 .ssh]# cat authorized_keys ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAriu15Mg0+5AiZa0pp2/mOPre9T9JtNuwKCEX4OC6bDWd/FbXScUO7Nu/I6gLtToGiAoId9nucysHOvPIiqoKiRq7E6exueWzJkFj09RrndzW2XKwKlHzTIvBAuyp9fOT4nVauiu3UbdkyyRTiwgo5Ze5amlJlrr7tT3/f3JyOlVICPsebSm4eN2t0t8+6f/CwkhsGiHHMwVzrPp9oixnkVetYi1pDjCFxCQS2Q/eBPaC58HopcUqpkWMpw8imoud8oL7+zcypPVoUP8RqeOq/of0tqgNbsMpOcDxPiFyh6UMjaGotDGCHKFNpZerJzzmmevCkUNtF2bzIhUctadkZQ== root@server2 注:在RHEL4里没有ssh-copy-id 这个命令,可以用 #~/.ssh/cat id_dsa.pub| ssh 192.168.12.1 "cat > ~/.ssh/authorized_keys" 代替
验证
在客户端
[root@server2 .ssh]# ssh 192.168.12.1 Enter passphrase for key '/root/.ssh/id_rsa': ###输的是私钥的密码,而不是server端的密码### Last login: Fri Oct 30 05:33:58 2009 from server2.163.com
但这只是以root身份登录才会免密码,如果以其他用户身份登录还是会要求输入密码,不用以上密码加密和解密的过程。
二,ssh-agent(客户端上)
通过上面的实验我们发现虽然加了私钥密码很安全,但是每次连接都要输私钥密码就会很麻烦,所以可以通过代理的方式使私钥只要解密一次,就会把它加载在内存里,以后登录的时候就不用输入密码了
但这只在该新起的shell中生效
[root@server2 .ssh]# ssh-agent /bin/bash ###[root@server2 .ssh]# ssh-agent $SHELL也可以,因为 [root@server2 .ssh]# echo $SHELL /bin/bash
如果要起图形界面#ssh-agent /usr/bin/gnome-terminal
###
[root@server2 .ssh]# ssh-add ###将私钥导入内存,输入解密密码### Enter passphrase for /root/.ssh/id_rsa: Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa) [root@server2 .ssh]# ps PID TTY TIME CMD 14758 pts/1 00:00:00 bash 14978 pts/1 00:00:00 bash 14993 pts/1 00:00:00 ps 注:如果不新开一个shell 在加入内存时会出现以下报错 [root@server2 .ssh]# ssh-add Could not open a connection to your authentication agent.