Where the files live

They live under the **.ssh/** directory in the user's home directory:

```
[root@localhost ~]# tree ~/.ssh/
/root/.ssh/
├── authorized_keys
├── id_rsa
├── id_rsa.pub
└── known_hosts

0 directories, 4 files
[root@localhost ~]#
```

What each file does

  1. authorized_keys: this file holds the list of public keys that are allowed to log in to this machine via SSH public-key authentication. Each user can create an **authorized_keys** file in their own ~/.ssh/ directory and add the public keys from other machines to it, enabling passwordless login.
  2. id_rsa and id_rsa.pub: this is the private/public key pair used by SSH. id_rsa is the private key, which is used to encrypt data during transmission, and id_rsa.pub is the public key, which is used to authenticate to other computers.
  3. known_hosts: the first time you connect to another computer, SSH saves that computer's host public key in the known_hosts file. On later connections to the same computer, SSH verifies that its public key matches the one saved in known_hosts, so that the connection can be trusted.

File permissions

The .ssh/ directory should have permissions 700 (i.e. rwx------). Only the current user can then read, write and enter the directory; other users cannot access it.

```
[root@localhost ~]# ls -al | grep .ssh
drwx------. 2 root root 80 12月 14 23:48 .ssh
[root@localhost ~]#
```

The key and authorization files inside .ssh/ should have permissions 600 (i.e. rw-------). Only the current user can then read and write them; other users cannot access them.

```
[root@localhost ~]# ll .ssh/
总用量 16
-rw-------. 1 root root 408 12月 14 23:34 authorized_keys
-rw-------. 1 root root 1679 12月 14 23:34 id_rsa
-rw-------. 1 root root 408 12月 14 23:34 id_rsa.pub
-rw-------. 1 root root 527 12月 14 23:47 known_hosts
[root@localhost ~]#
```
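To check that an .ssh/ directory actually follows the two rules above, here is an added shell audit script (it is not part of the original article): it reports any directory not set to 700 or file not set to 600, and can correct them. The function names `check_ssh_dir`, `fix_ssh_dir` and `perm_of` are my own.

```shell
#!/bin/sh
# Audit an .ssh directory against the rules described above:
# the directory must be 700 and every file inside it 600.
# sshd's default StrictModes also refuses an authorized_keys file
# that is writable by others, so this check catches that case too.

# Print the octal permission bits of a path (GNU stat first, BSD stat as fallback).
perm_of() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%Lp' "$1"
    fi
}

# Print one line per problem; return 0 only when everything is clean.
check_ssh_dir() {
    dir="${1:-$HOME/.ssh}"
    bad=0
    if [ ! -d "$dir" ]; then
        echo "missing: $dir"
        return 1
    fi
    mode=$(perm_of "$dir")
    if [ "$mode" != "700" ]; then
        echo "directory $dir has mode $mode, expected 700"
        bad=1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(perm_of "$f")
        if [ "$mode" != "600" ]; then
            echo "file $f has mode $mode, expected 600"
            bad=1
        fi
    done
    return "$bad"
}

# Apply the same rules in place so that check_ssh_dir passes afterwards.
fix_ssh_dir() {
    dir="${1:-$HOME/.ssh}"
    chmod 700 "$dir" || return 1
    for f in "$dir"/*; do
        [ -f "$f" ] && chmod 600 "$f"
    done
    return 0
}
```

Run `check_ssh_dir` with no argument to audit your own ~/.ssh, or pass a path such as `/home/alice/.ssh` to audit another user's directory as root.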

How the files relate

Connecting to a server with a key pair (figure):

Client connection flow (figure):

Configuring key-based login

```
[root@localhost ~]# ssh-keygen -t rsa        # generate the key pair
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): # storage path; accept the default here
Created directory '/root/.ssh'. # creates /root/.ssh
Enter passphrase (empty for no passphrase): # passphrase for the key file (optional)
Enter same passphrase again: # confirm the key file passphrase (optional)
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:/GnECRwfbqx4tJxqkIcsOMV5UO3fJQCelBJ5F4Q6d1U root@localhost.localdomain
The key's randomart image is:
+---[RSA 2048]----+
| ..o+o=+...E |
| . ooo=oo=.. |
| + .=o.+o= |
| o oooo=.B... |
|o . =oooS.+o |
| . . o o.o.. |
| o + |
| . . |
| |
+----[SHA256]-----+
[root@localhost ~]# cat ~/.ssh/id_rsa.pub >>~/.ssh/authorized_keys # append the generated public key to authorized_keys
```
Edit the sshd_config configuration file:

```
PubkeyAuthentication yes #enable public-key authentication
RSAAuthentication yes #RSA key login; this is a protocol-1 option that modern OpenSSH (7.4 and later) no longer recognizes, so it can be left out
AuthorizedKeysFile .ssh/authorized_keys #location of the authorized keys file; this is the same as the default
PasswordAuthentication yes #allow password login; set to no to disable passwords
AuthenticationMethods publickey,password #add this line at the end if you want both the key and the password to be required
```
Download ~/.ssh/id_rsa to your local machine and you can log in.

Below is an example of configuring key-based login in XSHELL (figure):

Select the user key -> enter the passphrase (optional) -> connect

Passwordless login between servers

Example

server1 logs in to server2 without a password

Server environment

  • server1 IP: 192.168.101.1
  • server2 IP: 192.168.101.2

Approach:

  • server1 generates a key pair
  • server1 places its public key in server2's authorized_keys

server1 generates a key pair

```
[root@server1 ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:m7C4gC1FF20/5KpfadDSHBKQEZbmoRWPpMRbAqn5/p0 root@server1
The key's randomart image is:
+---[RSA 2048]----+
|.+. OO. |
|..o+B+o.. |
|..oOooo+. |
|o.o.. =+. |
| .. +.S. |
| +. ..= + |
|o.o ... * |
| ....o + |
| .o.E |
+----[SHA256]-----+
```

server1 sends its public key to server2's authorized_keys. There are two common ways to do this:

  • use ssh-copy-id
  • copy it into authorized_keys by hand

Using ssh-copy-id

```
[root@server1 ~]# ssh-copy-id 192.168.101.2
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.101.2 (192.168.101.2)' can't be established.
ECDSA key fingerprint is SHA256:aCn6wUHG7CKvLmBnrWxrR1VgmXbhPzBp0TusZJu2iWA.
ECDSA key fingerprint is MD5:b4:6e:1f:96:8e:16:00:d5:64:bd:fe:73:3d:5c:36:df.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.101.2's password: # enter server2's login password

Number of key(s) added: 1

Now try logging into the machine, with: "ssh '192.168.101.2'"
and check to make sure that only the key(s) you wanted were added.
```

Once this is done, server1 can log in to server2 without a password.