SSH key-based passwordless authentication
Environment:
server: 192.168.1.178/24
client-b: 192.168.1.179/24
client-c: 192.168.1.180/24
Remote root login is disabled on all three machines, and the default SSH port 22 has been changed to port 5201.
An ordinary user crazy has been created on all three machines, with password 123456.
Requirement: the server must be able to reach client-b and client-c over SSH without a password.
Topology diagram: (image not reproduced in this text)
Hands-on steps:
On the server, as the ordinary user crazy, create a key pair; by default it is generated in and stored under the home directory:
[crazy@server ~]$ ssh-keygen -t dsa #generate a DSA key pair
Generating public/private dsa key pair.
Enter file in which to save the key (/home/crazy/.ssh/id_dsa): #press Enter to accept the default path; it is created if it does not exist
Created directory '/home/crazy/.ssh'. #the .ssh directory is created automatically under the home directory
Enter passphrase (empty for no passphrase): #press Enter
Enter same passphrase again: #press Enter
Your identification has been saved in /home/crazy/.ssh/id_dsa.
Your public key has been saved in /home/crazy/.ssh/id_dsa.pub.
The key fingerprint is:
d8:2f:27:3e:92:18:1d:2a:8b:92:59:37:71:2f:e2:f6 crazy@server
[crazy@server ~]$ ls -al /home/crazy/.ssh/
total 16
drwx------ 2 crazy crazy 4096 Oct 26 04:25 .
drwx------ 4 crazy crazy 4096 Oct 26 04:24 ..
-rw------- 1 crazy crazy 672 Oct 26 04:25 id_dsa #the private key (the key)
-rw-r--r-- 1 crazy crazy 602 Oct 26 04:25 id_dsa.pub #the public key (the lock)
Use ssh-copy-id -i /home/crazy/.ssh/id_dsa.pub '-p5201 crazy@192.168.1.179' (and the same for 192.168.1.180).
ssh-copy-id is a helper script shipped with ssh; it pushes the public key into the .ssh directory under the crazy user's home directory on hosts 192.168.1.179/24 and 192.168.1.180/24.
[crazy@server ~]$ ssh-copy-id -i /home/crazy/.ssh/id_dsa.pub '-p5201 crazy@192.168.1.179'
The authenticity of host '192.168.1.179 (192.168.1.179)' can't be established.
RSA key fingerprint is 1d:8e:6d:4e:63:41:8f:19:c0:dd:7e:1d:c4:dd:9c:8d.
Are you sure you want to continue connecting (yes/no)? yes #on the first connection the host's RSA key must be added to the local known_hosts
Warning: Permanently added '192.168.1.179' (RSA) to the list of known hosts.
crazy@192.168.1.179's password: #enter the crazy user's password on the remote host
Now try logging into the machine, with "ssh '-p5201 crazy@192.168.1.179'", and check in:
.ssh/authorized_keys #the pushed public key: a .ssh directory is created under the remote home directory and the key is saved there under the name authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[crazy@server ~]$ ssh-copy-id -i /home/crazy/.ssh/id_dsa.pub '-p5201 crazy@192.168.1.180'
The authenticity of host '192.168.1.180 (192.168.1.180)' can't be established.
RSA key fingerprint is 1d:8e:6d:4e:63:41:8f:19:c0:dd:7e:1d:c4:dd:9c:8d.
Are you sure you want to continue connecting (yes/no)? yes #on the first connection the host's RSA key must be added to the local known_hosts
Warning: Permanently added '192.168.1.180' (RSA) to the list of known hosts.
crazy@192.168.1.180's password: #enter the crazy user's password on the remote host
Now try logging into the machine, with "ssh '-p5201 crazy@192.168.1.180'", and check in:
.ssh/authorized_keys #the pushed public key: a .ssh directory is created under the remote home directory and the key is saved there under the name authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
Check client-b (192.168.1.179/24) and client-c (192.168.1.180/24); on each host the first listing was taken before the key was pushed and the second after:
[crazy@client-B ~]$ tree -a #client-b 192.168.1.179/24
.
|-- .bash_history
|-- .bash_logout
|-- .bash_profile
|-- .bashrc
|-- .emacs
|-- .lesshst
|-- .mozilla
| |-- extensions
| `-- plugins
|-- .viminfo
`-- .zshrc
3 directories, 8 files
[crazy@client-B ~]$ tree -a
.
|-- .bash_history
|-- .bash_logout
|-- .bash_profile
|-- .bashrc
|-- .emacs
|-- .lesshst
|-- .mozilla
| |-- extensions
| `-- plugins
|-- .ssh #newly created directory
| `-- authorized_keys #name given to the public key (the lock)
|-- .viminfo
`-- .zshrc
4 directories, 9 files
[crazy@client-C ~]$ tree #client-c 192.168.1.180/24
.
|-- .bash_history
|-- .bash_logout
|-- .bash_profile
|-- .bashrc
|-- .emacs
|-- .mozilla
| |-- extensions
| `-- plugins
|-- .zshrc
`-- abcde
3 directories, 7 files
[crazy@client-C ~]$ tree -a
.
|-- .bash_history
|-- .bash_logout
|-- .bash_profile
|-- .bashrc
|-- .emacs
|-- .mozilla
| |-- extensions
| `-- plugins
|-- .ssh #newly created directory
| `-- authorized_keys #name given to the public key (the lock)
|-- .zshrc
`-- abcde
4 directories, 8 files
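The remote-side half of ssh-copy-id, reproduced locally as an added example (not the original post's code): it builds ~/.ssh/authorized_keys the way the tree listings above show, with the modes sshd's StrictModes expects. The public-key line and the target home directory are constructed stand-ins, not values from the post.

```shell
#!/bin/sh
# Added example, not from the original post: a local, network-free reproduction
# of what ssh-copy-id does on the remote host once it has authenticated with the
# user's password. Inputs (public key file, target home directory) are constructed.

# Print a file's permission bits in octal (GNU stat first, BSD stat as fallback).
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

install_authorized_key() {
    pubkey_file=$1
    target_home=$2
    ssh_dir="$target_home/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # sshd with the default "StrictModes yes" ignores authorized_keys when the
    # home, ~/.ssh or the file itself is writable by group or other, so the
    # modes are tightened before the key is appended.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1

    # Append the key only once: rerunning ssh-copy-id must not duplicate it.
    key_line=$(cat "$pubkey_file") || return 1
    grep -qxF -e "$key_line" "$auth_file" && return 0
    printf '%s\n' "$key_line" >> "$auth_file"
}

# Number of non-empty lines (keys) in a home directory's authorized_keys.
count_authorized_keys() {
    [ -f "$1/.ssh/authorized_keys" ] || { echo 0; return 0; }
    grep -c . "$1/.ssh/authorized_keys" || true
}

# Demo: a constructed ed25519 public key (OpenSSH refuses ssh-dss keys by
# default since 7.0, so a new deployment would not use the post's DSA key) and a
# temporary directory standing in for /home/crazy on client-b.
DEMO_HOME=$(mktemp -d)
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedDemoKeyNotReal crazy@server\n' \
    > "$DEMO_HOME/id_demo.pub"
install_authorized_key "$DEMO_HOME/id_demo.pub" "$DEMO_HOME"
install_authorized_key "$DEMO_HOME/id_demo.pub" "$DEMO_HOME"   # second run adds nothing
echo "keys installed: $(count_authorized_keys "$DEMO_HOME")"   # 1
echo "modes: .ssh=$(mode_of "$DEMO_HOME/.ssh") authorized_keys=$(mode_of "$DEMO_HOME/.ssh/authorized_keys")"   # 700 600
```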
After the public keys (locks) have been distributed, checking memory on the remote hosts over ssh from the server no longer prompts for a password:
[crazy@server ~]$ ssh -p5201 crazy@192.168.1.179 free #check memory on client-b 192.168.1.179/24
total used free shared buffers cached
Mem: 60528 28212 32316 0 1172 13364
-/+ buffers/cache: 13676 46852
Swap: 265064 132 264932
[crazy@server ~]$ ssh -p5201 crazy@192.168.1.180 free #check memory on client-c 192.168.1.180/24
total used free shared buffers cached
Mem: 60528 27076 33452 0 1128 13060
-/+ buffers/cache: 12888 47640
Swap: 265064 224 264840
On the server, inspect the permissions of the key pair: ssh key authentication enforces strict permissions on the private key, while the public key is not restricted as tightly.
[crazy@server .ssh]$ ls -l
total 12
-rw------- 1 crazy crazy 672 Oct 26 04:25 id_dsa #default mode 600
-rw-r--r-- 1 crazy crazy 602 Oct 26 04:25 id_dsa.pub #default mode 644
-rw-r--r-- 1 crazy crazy 790 Oct 26 05:20 known_hosts
Permission change test:
[crazy@server .ssh]$ chmod 300 id_dsa #change the mode to 300
[crazy@server .ssh]$ ll
total 12
--wx------ 1 crazy crazy 672 Oct 26 04:25 id_dsa #mode 300: authentication fails
-rw-r--r-- 1 crazy crazy 602 Oct 26 04:25 id_dsa.pub
-rw-r--r-- 1 crazy crazy 790 Oct 26 05:20 known_hosts
[crazy@server .ssh]$ ssh -p5201 crazy@<client-ip> free
Enter passphrase for key '/home/crazy/.ssh/id_dsa':
crazy@<client-ip>'s password: #prompted for a password
[crazy@server .ssh]$ chmod 710 id_dsa #change the mode to 710
[crazy@server .ssh]$ ll
total 12
-rwx--x--- 1 crazy crazy 672 Oct 26 04:25 id_dsa #mode 710: authentication fails
-rw-r--r-- 1 crazy crazy 602 Oct 26 04:25 id_dsa.pub
-rw-r--r-- 1 crazy crazy 790 Oct 26 05:20 known_hosts
[crazy@server .ssh]$ ssh -p5201 crazy@<client-ip> free
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0710 for '/home/crazy/.ssh/id_dsa' are too open. #mode 710: ssh reports the permissions are too open
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /home/crazy/.ssh/id_dsa
Enter passphrase for key '/home/crazy/.ssh/id_dsa':
crazy@<client-ip>'s password: #prompted for a password
[crazy@server .ssh]$ chmod 400 id_dsa #change the mode to 400: authentication succeeds
[crazy@server .ssh]$ ssh -p5201 crazy@<client-ip> free
total used free shared buffers cached
Mem: 60528 27332 33196 0 1352 13076
-/+ buffers/cache: 12904 47624
Swap: 265064 224 264840
[crazy@server .ssh]$ chmod 700 id_dsa #change the mode to 700: authentication succeeds
[crazy@server .ssh]$ ssh -p5201 crazy@<client-ip> free
total used free shared buffers cached
Mem: 60528 27368 33160 0 1384 13076
-/+ buffers/cache: 12908 47620
Swap: 265064 224 264840
Conclusion:
Testing shows that the private key file passes authentication with mode 400, 500, 600 or 700; every other mode fails.
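An added example, not from the original post, that encodes the rule behind these results: ssh rejects a private key that has any group or other permission bit set, and cannot load one its owner cannot read, which is exactly why 400, 500, 600 and 700 pass while 300 and 710 fail. The dummy key file is constructed and holds no real key material.

```shell
#!/bin/sh
# Added example, not from the original post: the permission rule behind the
# "UNPROTECTED PRIVATE KEY FILE" message, exercised on a constructed dummy key
# file instead of a real private key.

# Permission bits in octal (GNU stat first, BSD stat as fallback).
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Mirrors the two checks ssh applies to a private key before using it:
#  1. any group or other bit set (mode & 077) -> "too open", key ignored;
#  2. without the owner read bit the key cannot be loaded at all.
# Prints ok / too-open / unreadable; exit status 0 only for ok.
private_key_usable() {
    mode=$(mode_of "$1")
    m=$((0$mode))                   # leading 0 makes the shell parse it as octal
    if [ $((m & 077)) -ne 0 ]; then
        echo too-open; return 1
    fi
    if [ $((m & 0400)) -eq 0 ]; then
        echo unreadable; return 1
    fi
    echo ok
}

# Walk the modes tried in the post (400 500 600 700 pass, 300 and 710 fail) plus
# 644, the public key's default, which is fatal for a private key. The execute
# bit in 500/700 is never consulted by ssh, so 600 or 400 is the sensible choice.
check_modes() {
    key=$(mktemp)
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
        'constructed placeholder, not real key material' \
        '-----END OPENSSH PRIVATE KEY-----' > "$key"
    for mode in 400 500 600 700 300 710 644; do
        chmod "$mode" "$key"
        printf '%s -> %s\n' "$mode" "$(private_key_usable "$key")"
    done
    rm -f "$key"
}

check_modes
```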