2006-10-23 15:57:29
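This article describes how to set up ssh so that logging in to a server does not require a password:
Thanks to the following two links for their help:
~ranga/notes/ssh_nopass.html
The following steps configure the client to log in to the server over ssh without a password: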
1. On the client run the following commands:
$ mkdir -p $HOME/.ssh
$ chmod 0700 $HOME/.ssh
$ ssh-keygen -t dsa -f $HOME/.ssh/id_dsa -P ''
-P '' sets an empty passphrase. -t selects the key algorithm; either dsa or rsa works.
The commands above generate two files: $HOME/.ssh/id_dsa (private key) and $HOME/.ssh/id_dsa.pub (public key).
2. Copy $HOME/.ssh/id_dsa.pub (public key) to the server.
3. On the server run the following commands:
$ cat id_dsa.pub >> $HOME/.ssh/authorized_keys
$ chmod 0600 $HOME/.ssh/authorized_keys
4. On the client test the results by ssh'ing to the server:
$ ssh -i $HOME/.ssh/id_dsa server
$ ssh server
$ ssh root@server
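Any of the three commands above can be used for the test.
The following is excerpted from the second link. It covers a setup that uses rsa with a passphrase, and it is well written. I have added some notes, in bold red.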
does your private key have a passphrase? if so, you'll need to use ssh-agent and ssh-add so you only have to enter the password once per session.
here's the way i set it up:
1) on the client set up root user key on the machine you're copying from:
# ssh-keygen -t rsa
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again: xxxxxxxx
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
17:73:df:43:65:41:55:e2:53:17:6d:cd:6e:c2:ed:90 root@esxtest
where xxxxxxxx is your passphrase. you don't need to supply one, but if you don't anyone can use your private key if they get a copy of it.
2) on the server create authorized_keys file on machine you're copying to:
# scp /root/.ssh/id_rsa.pub remotemachine:/root/.ssh/authorized_keys
this assumes you already have a /root/.ssh directory on the client, and you don't already have an authorized_keys file. if you do and you simply want to add to it, use this:
# cat /root/.ssh/id_rsa.pub | ssh remotemachine "cat >> /root/.ssh/authorized_keys"
for either choice you'll be prompted for the password to the remote machine.
3) on the client use ssh-agent and ssh-add to enter your passphrase:
# eval `ssh-agent`
# ssh-add
Enter passphrase for /root/.ssh/id_rsa: xxxxxxxx
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
where xxxxxxxx is the passphrase used when creating the key pair. ssh-agent keeps an unlocked copy of your key in memory as long as the session is active, and uses it for authentication when you call ssh or scp. if you log out of this session, you'll have to run ssh-agent/ssh-add again when you next log in.
if you didn't use a passphrase when creating the key, you don't need to do this part.
at this point, you should be able to ssh/scp from the "primary" machine to the remote machine without needing to enter a password. if it doesn't work, check the following things:
a) permissions are 700 (drw-------) on /root/.ssh
b) only root can write to /root/.ssh/authorized_keys (644 or -rw-r--r--)
c) in /etc/ssh/sshd_config on the remote machine, the following are set:
PermitRootLogin yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
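The two methods above use dsa and rsa respectively, and the second also uses a passphrase. A passphrase is more secure, but it is less convenient to use. Which one to choose depends on the user's needs.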
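The permission checks in a) and b) of the excerpt, and the 0700/0600 modes set in the first procedure, as an added example (not code from this post or from the linked pages): a POSIX shell function that reports the file modes OpenSSH actually refuses. The names has_bits and audit_ssh_dir are hypothetical, and the server is assumed to run sshd with StrictModes left at its default.

```shell
#!/bin/sh
# Added example: names and messages are hypothetical, not from the post.

# has_bits PATH MODE...: succeed if PATH has every bit of any one MODE set.
# -H makes find examine the target when PATH is a symlink.
has_bits() {
    p=$1; shift
    for m in "$@"; do
        [ -n "$(find -H "$p" -prune -perm "-$m" -print 2>/dev/null)" ] && return 0
    done
    return 1
}

# audit_ssh_dir DIR: print one line per problem; exit status = problem count.
audit_ssh_dir() {
    dir=$1
    problems=0
    if [ ! -d "$dir" ]; then
        echo "MISSING   $dir"
        return 1
    fi
    # sshd with StrictModes (the default) ignores authorized_keys when it or
    # the .ssh directory is writable by group or others.
    for f in "$dir" "$dir/authorized_keys"; do
        [ -e "$f" ] || continue
        if has_bits "$f" 020 002; then
            echo "WRITABLE  $f (group/other write bit set)"
            problems=$((problems + 1))
        fi
    done
    # The ssh client refuses a private key that group or others can access.
    # Private keys are located by pairing each *.pub with its base name.
    for pub in "$dir"/*.pub; do
        [ -e "$pub" ] || continue
        key=${pub%.pub}
        [ -f "$key" ] || continue
        if has_bits "$key" 040 020 010 004 002 001; then
            echo "EXPOSED   $key (expected mode 0600)"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Audit the directory given as the first argument, if any.
if [ "$#" -gt 0 ]; then
    audit_ssh_dir "$1"
fi
```

OpenSSH has disabled DSA (ssh-dss) keys by default since release 7.0, so on a current system the same checks apply to an rsa or ed25519 key pair created with the steps above.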