0.说明
平常使用ssh登陆远程服务器时,都需要使用输入密码,希望可以实现通过密钥登陆而免除输入密码,从而可以为以后实现批量自动部署主机做好准备。
环境如下:
IP地址 | 操作系统 | |
服务器端 | 10.0.0.128/24 | CentOS 6.5 x86 |
客户端 | 10.0.0.129/24 | Ubuntu 16.04 x86 |
1.客户端生成密钥对
生成密钥对:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
|
xpleaf@leaf:~$
ssh
-keygen -t rsa -b 2048
Generating public
/private
rsa key pair.
Enter
file
in
which
to save the key (
/home/xpleaf/
.
ssh
/id_rsa
):
Created directory
'/home/xpleaf/.ssh'
.
Enter passphrase (empty
for
no passphrase):
Enter same passphrase again:
Your identification has been saved
in
/home/xpleaf/
.
ssh
/id_rsa
.
Your public key has been saved
in
/home/xpleaf/
.
ssh
/id_rsa
.pub.
The key fingerprint is:
SHA256:eLssyXJLzUCfSN5mu6nqNH9dB
/gOyXSvWBwQdNssIYE
xpleaf@leaf
The key's randomart image is:
+---[RSA 2048]----+
| o=oo |
| E .o = |
| o oo o |
| + = .o +. |
| = So = + |
| B o+ = o |
| o...=. * o |
| ..+=..+o o |
| .o++== |
+----[SHA256]-----+
|
查看生成的密钥对:
1
2
3
4
|
xpleaf@leaf:~$
ls
.
ssh
id_rsa id_rsa.pub
# id_rsa为私钥,这个一般需要保密;id_rsa.pub为公钥,这个可以公开。
|
2.上传公钥到服务器端
使用scp命令操作:
1
2
3
4
5
6
7
|
xpleaf@leaf:~$
scp
.
ssh
/id_rsa
.pub root@10.0.0.128:
/root
The authenticity of host
'10.0.0.128 (10.0.0.128)'
can't be established.
RSA key fingerprint is SHA256:0Tpm11wruaQXyvOfEB1maIkEwxmjT2AklWb198Vrln0.
Are you sure you want to
continue
connecting (
yes
/no
)?
yes
Warning: Permanently added
'10.0.0.128'
(RSA) to the list of known hosts.
root@10.0.0.128's password:
id_rsa.pub 100% 393 0.4KB
/s
00:00
|
3.服务器端操作
把从客户端传来的公钥添加到.ssh/authorized_keys中:
1
2
3
4
|
[root@leaf ~]
# cat id_rsa.pub >> .ssh/authorized_keys
[root@leaf ~]
# chmod 600 .ssh/authorized_keys
# authorized_keys的权限需要为600
|
修改ssh配置文件/etc/ssh/sshd_config,找到下面一行:
1
|
PubkeyAuthentication no
|
修改为:
1
|
PubkeyAuthentication
yes
|
4.测试
在客户端上使用密钥登陆到服务器上:
1
2
3
|
xpleaf@leaf:~$
ssh
-i .
ssh
/id_rsa
root@10.0.0.128
Last login: Tue May 9 15:14:01 2017 from 10.0.0.129
[root@leaf ~]
#
|
5.注意事项
-
在服务器端需要把selinux关闭,否则最后无法使用密钥进行远程登陆;
-
客户端使用scp命令时,在服务器端也需要安装ssh客户端,否则无法把公钥上传到服务器端,另外也可以使用ssh-copy-id root@10.0.0.128来代替scp操作(这样在服务器端也不需要执行创建.ssh目录等这些操作,即相当于该命令可以一步帮我们完成密钥的上传与配置工作);
本文转自 xpleaf 51CTO博客,原文链接:http://blog.51cto.com/xpleaf/1924771,如需转载请自行联系原作者