Chinaunix首页 | 论坛 | 博客
  • 博客访问: 19912281
  • 博文数量: 679
  • 博客积分: 10495
  • 博客等级: 上将
  • 技术积分: 9308
  • 用 户 组: 普通用户
  • 注册时间: 2006-07-18 10:51
文章分类

全部博文(679)

文章存档

2012年(5)

2011年(38)

2010年(86)

2009年(145)

2008年(170)

2007年(165)

2006年(89)

分类: LINUX

2007-04-23 10:39:19

 

§6.4 使用Public Key (OpenSSH) 不用密码登陆.

步骤如下:

l         创建key

1.           $ mkdir -p ~/.ssh                        If it doesn't already exist

2.           $ chmod 700 ~/.ssh

3.           $ cd ~/.ssh

$ ssh-keygen -t dsa

l         拷贝key到服务器端

$ scp -p id_dsa.pub remoteuser@remotehost:

Password: ********

l         登陆到服务器端安装公钥

$ ssh -l remoteuser remotehost

Password: ********

 

remotehost$ mkdir -p ~/.ssh                        If it doesn't already exist

remotehost$ chmod 700 ~/.ssh

remotehost$ cat id_dsa.pub >> ~/.ssh/authorized_keys   (Appending)

remotehost$ chmod 600 ~/.ssh/authorized_keys

remotehost$ mv id_dsa.pub ~/.ssh        可选步骤,该文件甚至可以删除掉

remotehost$ logout

l         public-key登陆

$ ssh -l remoteuser remotehost

Enter passphrase for key '/home/smith/.ssh/id_dsa': ********

 

公钥一般存放在~/.ssh/authorized_keys, 老的OpenSSH版本可能存放在~/.ssh/authorized_keys2.

 

Public-key 认证机制比密码要安全, 因为密码不在网络上传输. 而且可以是用加密的方式存储的,如果没有别人没有passphrase,拿到密钥也没有用.为此一定要设置passphrase

 

如果以上不步骤不能实现不输密码登陆,请检查:

/etc/ssh/sshd_config:

PubkeyAuthentication yes           If no, change it and restart sshd

可以用ssh –v来显示详细的登陆过程.

 

SSH-2 key文件格式:

SSH的两种主要实现方式: OpenSSH and SSH Secure Shell ("SSH2")

OpenSSH 的如下:

ssh-dss A9AAB3NzaC1iGMqHpSCEliaouBun8FF9t8p...

or:

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA3DIqRox...

SSH Secure Shell的如下:

---- BEGIN SSH2 PUBLIC KEY ----

AAAAB3NzaC1kc3MAAACBAM4a2KKBE6zhPBgRx4q6Dbjxo5hXNKNWYIGkX/W/k5PqcCH0J6 ...

---- END SSH2 PUBLIC KEY ----

 

SSH Secure Shell的安装方式也不同,目录在~/.ssh2 要在, ~/.ssh2/authorization中用如下方式提及: Key public_key_filename. 私钥也需要在~/.ssh2/identification用如下方式引用:

IdKey private_key_filename

 

§6.5 (OpenSSH) 客户端登陆SSH2 server (OpenSSH Key)

Export your OpenSSH key to create an SSH2-format public key. If your OpenSSH private key is ~/.ssh/id_dsa:

 

$ cd ~/.ssh

$ ssh-keygen -e -f id_dsa > mykey-ssh2.pub

Copy the public key to the SSH2 server:

 

$ scp mykey-ssh2.pub remoteuser@remotehost:

Log into the SSH2 server and install the public key, then log out:

 

$ ssh -l remoteuser remotehost

Password: ********

 

remotehost$ mkdir -p ~/.ssh2                                      If it doesn't already exist

remotehost$ chmod 700 ~/.ssh2

remotehost$ mv mykey-ssh2.pub ~/.ssh2/

remotehost$ cd ~/.ssh2

remotehost$ echo "Key mykey-ssh2.pub" >> authorization      (Appending)

remotehost$ chmod 600 mykey-ssh2.pub authorization

remotehost$ logout

Now log in via public-key authentication:

 

$ ssh -l remoteuser remotehost

Enter passphrase for key '/home/smith/.ssh/id_dsa': *******

 

ssh-keygen能把OpenSSH格式的密钥转换成SSH2格式, -e即可.

 

§6.6 (OpenSSH) 客户端登陆SSH2 server (SSH2 Key)

使用已经存在的SSH2格式的密钥.

ssh-keygen能把SSH2格式的密钥转换成OpenSSH格式, -i即可. 但是只能针对没有加密的.

 

上面是转换key的方式,但是在有passphrase的情况下不能实现,以下方法给它先解密

 

Suppose your SSH2 private key is id_dsa_1024_a.

 

Make a copy of the SSH2 private key:

 

$ cd ~/.ssh2

$ cp -p id_dsa_1024_a newkey

Set its passphrase to the empty string, creating an unencrypted key:

 

$ ssh-keygen2 -e newkey

...

Do you want to edit passphrase (yes or no)? yes

New passphrase :

Again          :

Import the SSH2 private key to convert it into an OpenSSH private key, imported-ssh2-key:

 

$ mkdir -p ~/.ssh                        If it doesn't already exist

$ chmod 700 ~/.ssh

$ cd ~/.ssh

$ mv ~/.ssh2/newkey .

$ ssh-keygen -i -f newkey > imported-ssh2-key

$ rm newkey

$ chmod 600 imported-ssh2-key

Change the passphrase of the imported key:

 

$ ssh-keygen -p imported-ssh2-key

Use your new key:

 

$ ssh -l remoteuser -i ~/.ssh/imported-ssh2-key remotehost

To generate the OpenSSH public key from the OpenSSH private key imported-ssh2-key, run:

 

$ ssh-keygen -y -f imported-ssh2-key > imported-ssh2-key.pub

Enter passphrase: ********

 

§6.7 (SSH2) 客户端登陆OpenSSH server

Create an SSH2 private key on the client machine, if one doesn't already exist, and install it by appending a line to ~/.ssh2/identification:

 

$ mkdir -p ~/.ssh2                                       If it doesn't already exist

$ chmod 700 ~/.ssh2

$ cd ~/.ssh2

$ ssh-keygen2                                            Creates id_dsa_1024_a

$ echo "IdKey id_dsa_1024_a" >> identification     (Appending)

Copy its public key to the OpenSSH server machine:

 

$ scp2 id_dsa_1024_a.pub remoteuser@remotehost:.ssh/

Log into the OpenSSH server host and use OpenSSH's ssh-keygen to import the public key, creating an OpenSSH format key: [Recipe 6.6]

 

$ ssh2 -l remoteuser remotehost

Password: ********

 

remotehost$ cd ~/.ssh

remotehost$ ssh-keygen -i > imported-ssh2-key.pub

Enter file in which the key is (/home/smith/.ssh/id_rsa): id_dsa_1024_a.pub

Install the new public key by appending a line to ~/.ssh/authorized_keys:

 

remotehost$ cat imported-ssh2-key.pub >> authorized_keys   (Appending)

Log out and log back in using the new key:

 

remotehost$ exit

$ ssh2 -l remoteuser remotehost

阅读(5617) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~