~/.ssh/authorized_keys file. The first level is password-based authentication: an account and password are enough to log in to the remote host, and the transmitted data is encrypted. However, if someone impersonates the peer server, the connection is exposed to a "man-in-the-middle" attack.
[root@vm1 ~]# ssh root@192.168.122.200
root@192.168.122.200's password:
Last login: Sun Jun 27 22:42:29 2021 from 192.168.122.100
The second level is key-based authentication, which relies on a key pair: the client generates the pair and places the public key on the server it needs to access. Generate the key pair with the ssh-keygen command:
[root@vm1 ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:Z91byIEjVajXDH53eyFsIXxi27Mx1/Bw12P0AYTYZM0 root@vm1
The key's randomart image is:
+---[RSA 3072]----+
| =o*=+o.|
| ..OoEoo*|
| ooX++==|
| .+o%+==|
| S o.o.@.=|
| o . +.|
| . .|
| |
| |
+----[SHA256]-----+
Several files are generated in the ~/.ssh/ directory:
[root@vm1 ~]# ll ~/.ssh/
total 12
-rw-------. 1 root root 2590 Jun 27 22:46 id_rsa
-rw-r--r--. 1 root root 562 Jun 27 22:46 id_rsa.pub
-rw-r--r--. 1 root root 177 Jun 27 22:00 known_hosts
Use the ssh-copy-id command to send the public key to the server to be accessed (here, vm1's public key is sent to vm2):
[root@vm1 ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@192.168.122.200
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.122.200's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@192.168.122.200'"
and check to make sure that only the key(s) you wanted were added.
Test passwordless login:
[root@vm1 ~]# ssh root@192.168.122.200
Last login: Sun Jun 27 22:45:30 2021 from 192.168.122.100
[root@vm2 ~]#
vm1 can now access vm2 without a password. At this point, ~/.ssh/authorized_keys on vm2 contains the content of vm1's id_rsa.pub (vm1's public key):
[root@vm2 /]# cat ~/.ssh/authorized_keys
ssh-rsa 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 root@vm1
vm1's id_rsa.pub (vm1's public key) is as follows:
[root@vm1 ~]# cat ~/.ssh/id_rsa.pub
ssh-rsa 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 root@vm1
The SSH server configuration is stored in /etc/ssh/sshd_config.
Configuration file /etc/ssh/sshd_config, line 17:
Port 22 # port the sshd service listens on
ListenAddress 0.0.0.0 # IP address sshd listens on by default
Configuration file /etc/ssh/sshd_config, line 46:
PermitRootLogin yes # whether ssh login as the root user is allowed
Configuration file /etc/ssh/sshd_config, line 122:
ClientAliveInterval 60 # every 60 seconds the server checks whether the client is still alive and disconnects it if not
Configuration file /etc/ssh/sshd_config:
MaxAuthTries 6 # limit failed login attempts per connection to 6
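As an added example that is not part of the original post, the following POSIX shell script reads the directives listed above out of an sshd_config and reports the settings a hardening review would question. The sample configuration is constructed inline; PasswordAuthentication is not quoted in the post and is checked here because it decides whether the key-based login set up earlier actually replaces passwords.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# directives the post quotes (PermitRootLogin, MaxAuthTries, ClientAliveInterval)
# plus PasswordAuthentication. Caveat: only top-level directives are evaluated;
# "Match" blocks are ignored.

# Constructed sample config, mirroring the lines quoted in the post.
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
Port 22
ListenAddress 0.0.0.0
#PermitRootLogin prohibit-password
PermitRootLogin yes
ClientAliveInterval 60
MaxAuthTries 6
EOF

# sshd_eff FILE KEY DEFAULT: print the effective value of KEY. Like sshd, the
# first occurrence wins, names are case-insensitive, commented lines are skipped,
# and DEFAULT is used when the directive is absent.
sshd_eff() {
  v=$(awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }' "$1")
  printf '%s\n' "${v:-$3}"
}

# audit_sshd FILE: print one finding per line (no output means nothing flagged).
audit_sshd() {
  cfg=$1
  # OpenSSH's compiled-in default since 7.0 is prohibit-password.
  if [ "$(sshd_eff "$cfg" PermitRootLogin prohibit-password)" = "yes" ]; then
    echo "PermitRootLogin yes: root can log in directly; prefer 'no' or 'prohibit-password'"
  fi
  if [ "$(sshd_eff "$cfg" PasswordAuthentication yes)" = "yes" ]; then
    echo "PasswordAuthentication yes: passwords still accepted; set 'no' once keys are installed"
  fi
  tries=$(sshd_eff "$cfg" MaxAuthTries 6)
  if [ "$tries" -gt 4 ]; then
    echo "MaxAuthTries $tries: many guesses per connection; 3 or 4 is a common hardening value"
  fi
  if [ "$(sshd_eff "$cfg" ClientAliveInterval 0)" -eq 0 ]; then
    echo "ClientAliveInterval 0: idle sessions are never timed out"
  fi
}

# audit_count FILE: number of findings, convenient for scripted checks.
audit_count() { audit_sshd "$1" | wc -l | tr -d ' '; }

audit_sshd "$SAMPLE_CFG"
```

Run it against a real server with `audit_sshd /etc/ssh/sshd_config`; the sample above yields three findings (root login, passwords still enabled, MaxAuthTries 6).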
Source: https://www.cnblogs.com/Skybiubiu/p/14942684.html