(I) SSH client operations
Add the user that will log in without a password
[root@open ~]# useradd admin -d /data/admin
[root@open ~]# su - admin
[admin@open ~]$ pwd
/data/admin
1. Generate the client key pair (an empty passphrase means possession of the id_rsa file alone grants access, so either protect that file accordingly or set a passphrase and load the key into ssh-agent; on current OpenSSH, ssh-keygen -t ed25519 is the usual choice)
[admin@open ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/data/admin/.ssh/id_rsa):
Created directory '/data/admin/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /data/admin/.ssh/id_rsa.
Your public key has been saved in /data/admin/.ssh/id_rsa.pub.
The key fingerprint is:
6c:9e:5e:15:91:df:60:fe:d8:a5:cc:22:2b:dd:77:77 [email protected]
The key's randomart image is:
+--[ RSA 2048]----+
| .. |
| ..o |
| .+ o |
| . .o o|
| S .o =.|
| o .... = o|
| o..+ . |
| ...o . . E|
| .. . .o|
+-----------------+
[admin@open ~]$ ll .ssh/
total 8
-rw------- 1 admin admin 1675 Aug 20 14:16 id_rsa
-rw-r--r-- 1 admin admin 398 Aug 20 14:16 id_rsa.pub
2. Send the public key file to the server
[admin@open ~]$ scp .ssh/id_rsa.pub admin@192.168.1.250:/tmp/
The authenticity of host '192.168.1.250 (192.168.1.250)' can't be established.
RSA key fingerprint is be:82:1e:ac:79:ab:4e:40:86:2e:38:cc:5b:73:90:7e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.250' (RSA) to the list of known hosts.
[email protected]'s password:
id_rsa.pub 100% 398 0.4KB/s 00:00
Make sure the server holds the public key and the client holds the private key; that is all key-based login needs. Before answering "yes" to the host-key prompt above, compare the fingerprint shown with one obtained out of band (for example from ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub on the server); accepting an unknown host key blindly lets a man-in-the-middle capture the password typed for this scp.
(II) sshd server-side operations
1. Create the .ssh directory and set its permissions to 700
[admin@localhost ~]$ mkdir .ssh
[admin@localhost ~]$ chmod 700 .ssh/
2. In the .ssh directory, append the client's public key to the authorized_keys file (created on first append), then set its permissions to 400 (600 also works; what matters is that neither the file nor the home directory is writable by group or others, otherwise sshd's StrictModes rejects the key)
[admin@localhost ~]$ cd .ssh
[admin@localhost .ssh]$ cat /tmp/id_rsa.pub >>authorized_keys
[admin@localhost .ssh]$ chmod 400 authorized_keys
3. Disable password login by editing /etc/ssh/sshd_config as root
[root@localhost ~]# vi /etc/ssh/sshd_config
Change
PasswordAuthentication yes
to
PasswordAuthentication no
sshd then accepts only key authentication and refuses password authentication. On PAM-based systems also set ChallengeResponseAuthentication no (KbdInteractiveAuthentication on OpenSSH 8.7 and later), otherwise a password can still be entered through the keyboard-interactive method.
4. Disable root login in /etc/ssh/sshd_config (keywords are case-insensitive; the canonical spelling is PermitRootLogin)
PermitRootLogin yes change to
PermitRootLogin no
5. Check the configuration, then restart sshd. Keep the current session open and confirm key login from a second session before closing it, since a mistake here locks you out once passwords are disabled.
[root@localhost ~]# sshd -t
[root@localhost ~]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
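The server-side procedure in steps 1 to 5, as an added example that is not part of the original page: shell functions that install a public key without duplicating it, apply the 700/400 permissions used above, and set the sshd_config directives idempotently. The paths are parameters so the functions can be exercised against a scratch directory; the sample key line and sshd_config contents in demo() are constructed, not real keys or a real server configuration.

```shell
#!/bin/sh
# Added example, not from the original page. The real targets are
# ~admin/.ssh/authorized_keys and /etc/ssh/sshd_config; every path here
# is a parameter so the functions can be tried in a scratch directory.

# Append one public key to an authorized_keys file: check the line shape,
# skip exact duplicates, and leave the page's 700/400 permissions in place.
install_pubkey() {
    pubkey_file=$1   # e.g. /tmp/id_rsa.pub
    ssh_dir=$2       # e.g. /data/admin/.ssh
    key=$(head -n 1 "$pubkey_file")
    case "$key" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
        *) echo "not an OpenSSH public key: $pubkey_file" >&2; return 1 ;;
    esac
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    ak="$ssh_dir/authorized_keys"
    [ -f "$ak" ] || : > "$ak"
    if grep -qxF "$key" "$ak"; then
        echo "already present"
        return 0
    fi
    chmod u+w "$ak"            # the file is kept at 400, so reopen it for writing
    printf '%s\n' "$key" >> "$ak"
    chmod 400 "$ak"
}

# Set one directive in an sshd_config: replace an existing active or
# "#Keyword"-commented line (keywords are case-insensitive), else append.
# Rewriting through cat keeps the file's owner and mode.
set_sshd_option() {
    cfg=$1; key=$2; val=$3
    tmp="$cfg.tmp.$$"
    awk -v k="$key" -v v="$val" '
        BEGIN { done = 0 }
        tolower($1) == tolower(k) || tolower($1) == ("#" tolower(k)) {
            if (!done) { print k " " v; done = 1 }
            next
        }
        { print }
        END { if (!done) print k " " v }
    ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# Read back the effective value of a directive (first active line wins,
# which matches how sshd resolves repeated keywords).
get_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Steps 3 and 4 from the page, plus ChallengeResponseAuthentication, which on
# PAM-based systems still admits keyboard-interactive password logins when only
# PasswordAuthentication is set to no.
harden_sshd_config() {
    cfg=$1
    set_sshd_option "$cfg" PubkeyAuthentication yes
    set_sshd_option "$cfg" PasswordAuthentication no
    set_sshd_option "$cfg" ChallengeResponseAuthentication no
    set_sshd_option "$cfg" PermitRootLogin no
}

# Scratch run with constructed inputs (the key blob is a placeholder, not a
# real key). Invoke as: sh hardening.sh demo
demo() {
    work=$(mktemp -d)
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0placeholder admin@open\n' > "$work/id_rsa.pub"
    printf '#PermitRootLogin yes\nPasswordAuthentication yes\nX11Forwarding no\n' > "$work/sshd_config"
    install_pubkey "$work/id_rsa.pub" "$work/.ssh"
    install_pubkey "$work/id_rsa.pub" "$work/.ssh"   # second call reports "already present"
    harden_sshd_config "$work/sshd_config"
    ls -la "$work/.ssh"
    cat "$work/sshd_config"
    rm -rf "$work"
}

if [ "${1:-}" = demo ]; then demo; fi
```

On the real server, run `sshd -t` after harden_sshd_config and only then restart the service; the functions edit the file but do not validate it against the sshd binary.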
(III) Test key-based login from the client
[admin@open ~]$ ssh admin@192.168.1.250
[admin@localhost ~]$ ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:59:01:ED
inet addr:192.168.1.250 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe59:1ed/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3395 errors:0 dropped:0 overruns:0 frame:0
TX packets:631 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:273572 (267.1 KiB) TX bytes:83330 (81.3 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
[admin@localhost ~]$
(IV) Other notes
To log in from a Windows client with PuTTY, the generated private key must first be converted to PuTTY's .ppk format; the steps are:
a. Copy the private key to the Windows client, load it into PuTTYgen, and click "Save private key" to write the converted key.
b. Open PuTTY, fill in "Host Name" and "Port", then go to "Connection" -> "Data" and enter the login user name under "Auto-login username"; under "SSH" -> "Auth", load the converted key file.
c. Click "Open" to log in.
6. To block login for a particular user or group, use the DenyUsers and DenyGroups directives in /etc/ssh/sshd_config; the allow-list counterparts AllowUsers and AllowGroups are the tighter choice, since they refuse everyone not explicitly listed.