Passwordless SSH login (key-based authentication)
====================================================
How it works
ssh login can use an authentication method known as "public/private key" authentication. Put simply:
First, create a public/private key pair on the client (public key file: ~/.ssh/id_rsa.pub; private key file: ~/.ssh/id_rsa).
Then put the public key on the server (~/.ssh/authorized_keys) and keep the private key to yourself.
When you ssh in, the ssh program uses the private key to match against the public key on the server; if they match, you are logged in.
=================================================
Lab environment: IP 172.18.3.200
[root@localhost .ssh]# ls -a
. .. known_hosts
[root@localhost wangzm]# ssh 172.18.3.200
password:
Last login: Wed Apr 4 06:51:19 2007 from 172.18.3.194
this is panjun's server
[root@localhost .ssh]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
a7:35:ea:87:c1:92:0e:74:69:a6:c8:c9:a0:a5:61:17
[root@localhost .ssh]# ls
id_rsa id_rsa.pub known_hosts
[root@localhost .ssh]# cp id_rsa.pub id_rsa.pub.bak
[root@localhost .ssh]# mv id_rsa.pub.bak authorized_keys
[root@localhost .ssh]# ssh 172.18.3.200
Last login: Wed Apr 4 07:36:04 2007 from localhost.localdomain
this is panjun's server
===========================================================
How to fix the following error
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
42:05:1c:63:13:8a:c8:78:26:c9:95:fa:ee:ff:05:c8.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending key in /root/.ssh/known_hosts:221
RSA host key for 192.168.35.11 has changed and you have requested strict checking.
Host key verification failed.
Anyone who uses OpenSSH knows that ssh records the public key of every machine you have connected to in ~/.ssh/known_hosts. The next time you connect to the same machine, OpenSSH checks the public key. If the key differs, OpenSSH issues a warning, protecting you from attacks such as DNS hijacking.
However, the contents of known_hosts used to be stored only as plain text. If your account is compromised, the intruder can read known_hosts and obtain the list of machines you have visited. To reduce the chance of this, OpenSSH 4.0p1 introduced the Hash Known Hosts feature, which stores the hostnames or IP addresses in known_hosts as hashes, so an intruder cannot directly tell which machines you have visited. This feature is off by default; you have to add "HashKnownHosts yes" to ssh_config by hand to enable it. Debian Testing, however, enables it by default.
Sometimes, though, a machine's ssh host key is changed legitimately. Even in those cases OpenSSH issues the warning and refuses to let you connect. In the past, once we were sure the host key change was not suspicious, we opened known_hosts in a text editor and deleted the relevant key entry. Now that every hostname or IP address is hashed, it is hard to tell which line belongs to the machine in question. We could delete the whole known_hosts file, but then we would also lose the host keys of every other legitimate machine.
In fact, OpenSSH added three options to the ssh-keygen tool to help you manage a hashed known_hosts. You can find the relevant key with "ssh-keygen -F hostname":
ssh-keygen -F hostname
If you want to update a machine's key, first run "ssh-keygen -R hostname" to delete that machine's key, then run "ssh hostname" to connect again; ssh will fetch the new key automatically.
If your known_hosts file is not yet hashed, you can run "ssh-keygen -H".
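As an added example (not part of the original post), a small Python script that mirrors the known_hosts checks described above: it matches both plain and hashed (HashKnownHosts) host entries, reports the offending line number when a key differs, as the warning does, and formats the MD5 colon fingerprint. The known_hosts contents, the salt and the key blobs are constructed placeholders, not real keys.

```python
import base64
import hashlib
import hmac


def hash_hostname(hostname: str, salt: bytes) -> str:
    """Build an OpenSSH hashed host token '|1|<salt>|<hmac>|' (HMAC-SHA1, as HashKnownHosts does)."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s|" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(field: str, hostname: str) -> bool:
    """Match a known_hosts host field (plain, comma-separated list, or hashed) against hostname."""
    if field.startswith("|1|"):
        salt_b64 = field.split("|")[2]
        # Recompute the HMAC with the stored salt and compare in constant time.
        return hmac.compare_digest(hash_hostname(hostname, base64.b64decode(salt_b64)), field)
    return hostname in field.split(",")


def md5_fingerprint(key_b64: str) -> str:
    """Colon-separated MD5 fingerprint of a key blob, the format shown in the warning above."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def check_host_key(known_hosts: str, hostname: str, key_type: str, key_b64: str):
    """Return (line_number, 'ok'|'CHANGED') for a known host, or (None, 'unknown')."""
    for lineno, line in enumerate(known_hosts.splitlines(), start=1):
        parts = line.split()
        if line.startswith("#") or len(parts) < 3:
            continue
        if host_matches(parts[0], hostname) and parts[1] == key_type:
            # Same host and key type: a different blob is the "HAS CHANGED" case.
            return lineno, "ok" if parts[2] == key_b64 else "CHANGED"
    return None, "unknown"


# Constructed sample data: one plain entry and one hashed entry, fake key blobs.
SALT = b"0123456789abcdefghij"  # constructed 20-byte salt
OLD_KEY = base64.b64encode(b"constructed-old-key-blob").decode()
NEW_KEY = base64.b64encode(b"constructed-new-key-blob").decode()
KNOWN_HOSTS = "\n".join([
    "172.18.3.200 ssh-rsa " + OLD_KEY,
    hash_hostname("192.168.35.11", SALT) + " ssh-rsa " + OLD_KEY,
])

if __name__ == "__main__":
    print(check_host_key(KNOWN_HOSTS, "192.168.35.11", "ssh-rsa", NEW_KEY))
    print(md5_fingerprint(NEW_KEY))
```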
==================================================================
Quickly establishing trust
ssh-keygen -t rsa (on the client)
ssh-copy-id -i id_rsa.pub 192.168.12.1
This copies the newly generated public key straight into authorized_keys on the server (192.168.12.1); the authorized_keys file is created automatically.
for x in 192.168.22.21 192.168.22.22;do ssh-copy-id -i id_rsa.pub $x;done
============================================================================