
SSH key-pair authentication between Linux hosts (Part 1)

SSH remote administration uses port TCP 22.
SSH (Secure Shell) is a secure channel protocol used mainly for character-mode remote login, remote copy and similar functions. SSH encrypts the data exchanged by both parties, including the password the user enters at login.


OS versions of the two lab machines: (two screenshots, 图片1.png and 图片2.png, not reproduced here)





Logging in remotely with ssh requires the password of the user on the target host (the command to leave the session is exit).
Below, 192.168.168.130 logs in to 192.168.168.135:

[root@localhost ~]# ssh root@192.168.168.135
The authenticity of host '192.168.168.135 (192.168.168.135)' can't be established.
RSA key fingerprint is e5:fc:28:be:3b:10:54:1c:85:a7:b0:31:3f:d7:93:26.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.168.135' (RSA) to the list of known hosts.
root@192.168.168.135's password:
Last login: Mon Aug 12 05:41:47 2019 from 192.168.168.159
[root@oracle-linux6 ~]#
[root@oracle-linux6 ~]# whoami
root
[root@oracle-linux6 ~]# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:0C:29:01:1A:AF  
          inet addr:192.168.168.135  Bcast:192.168.168.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe01:1aaf/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:571 errors:0 dropped:0 overruns:0 frame:0
          TX packets:115 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:57368 (56.0 KiB)  TX bytes:15836 (15.4 KiB)


[root@oracle-linux6 ~]# exit
logout
Connection to 192.168.168.135 closed.
[root@localhost ~]#
[root@localhost ~]# whoami
root
[root@localhost ~]# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:0C:29:2B:17:3A  
          inet addr:192.168.168.130  Bcast:192.168.168.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe2b:173a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:715 errors:0 dropped:0 overruns:0 frame:0
          TX packets:383 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:67871 (66.2 KiB)  TX bytes:44203 (43.1 KiB)





###

Below, 192.168.168.135 logs in to 192.168.168.130:

[root@oracle-linux6 ~]# ssh 192.168.168.130
-bash: ssh: command not found

Fix:
[root@oracle-linux6 ~]# yum -y install openssh-clients


Note: with no user given, the target user defaults to root (ssh uses the local user name, which is root here):
[root@oracle-linux6 ~]# ssh 192.168.168.130
The authenticity of host '192.168.168.130 (192.168.168.130)' can't be established.
RSA key fingerprint is ec:65:c4:90:15:02:d1:6b:f3:8e:28:c5:21:3a:9b:2b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.168.130' (RSA) to the list of known hosts.
root@192.168.168.130's password:
Last login: Tue Jun 23 02:39:44 2020 from 192.168.168.159
[root@localhost ~]# whoami
root
[root@localhost ~]# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:0C:29:2B:17:3A  
          inet addr:192.168.168.130  Bcast:192.168.168.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe2b:173a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:886 errors:0 dropped:0 overruns:0 frame:0
          TX packets:423 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:82188 (80.2 KiB)  TX bytes:51140 (49.9 KiB)


[root@localhost ~]# exit
logout
Connection to 192.168.168.130 closed.
[root@oracle-linux6 ~]#
[root@oracle-linux6 ~]# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:0C:29:01:1A:AF  
          inet addr:192.168.168.135  Bcast:192.168.168.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe01:1aaf/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1079 errors:0 dropped:0 overruns:0 frame:0
          TX packets:548 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:99400 (97.0 KiB)  TX bytes:70389 (68.7 KiB)






######
######

Building an SSH setup with key-pair authentication (Linux to Linux)
SSH client: 192.168.168.130   user: zhuohua_0
SSH server: 192.168.168.135   user: zhuohua_1

Note:
Create the key pair on the SSH client, keep the private key there, and send the public key to the SSH server.



Create a new user on the SSH server:
[root@oracle-linux6 ~]# useradd zhuohua_1
[root@oracle-linux6 ~]# echo '111' |passwd --stdin zhuohua_1
更改用户 zhuohua_1 的密码 。
passwd: 所有的身份验证令牌已经成功更新。

###

Create the corresponding user on the SSH client:
[root@localhost ~]# adduser zhuohua_0
[root@localhost ~]# echo '000' |passwd --stdin zhuohua_0
更改用户 zhuohua_0 的密码 。
passwd: 所有的身份验证令牌已经成功更新。


Generate zhuohua_0's key pair (switch to that user first):
[root@localhost ~]# su - zhuohua_0
[zhuohua_0@localhost ~]$ ssh-keygen -t rsa
Note: just press Enter at every prompt below ^_^
Generating public/private rsa key pair.
Enter file in which to save the key (/home/zhuohua_0/.ssh/id_rsa):
Created directory '/home/zhuohua_0/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/zhuohua_0/.ssh/id_rsa.
Your public key has been saved in /home/zhuohua_0/.ssh/id_rsa.pub.
The key fingerprint is:
78:56:cc:dd:3e:f6:be:15:a5:80:83:04:90:ea:ac:7a zhuohua_0@localhost.localdomain
The key's randomart image is:
+--[ RSA 2048]----+
|    .o...        |
|    .  . + o .   |
|   .    . * o . .|
|  .    . . . o ..|
| o    . S     =. |
|  o    o     . o.|
| .              o|
|. E            ..|
|o.             .o|
+-----------------+




A .ssh folder is created for user zhuohua_0:
[zhuohua_0@localhost ~]$ ls -alh
总用量 28K
drwx------  4 zhuohua_0 zhuohua_0 4.0K 6月  23 02:46 .
drwxr-xr-x. 6 root      root      4.0K 6月  23 02:46 ..
-rw-r--r--  1 zhuohua_0 zhuohua_0   18 3月  23 2017 .bash_logout
-rw-r--r--  1 zhuohua_0 zhuohua_0  176 3月  23 2017 .bash_profile
-rw-r--r--  1 zhuohua_0 zhuohua_0  124 3月  23 2017 .bashrc
drwxr-xr-x  2 zhuohua_0 zhuohua_0 4.0K 11月 12 2010 .gnome2
drwx------  2 zhuohua_0 zhuohua_0 4.0K 6月  23 02:46 .ssh


[zhuohua_0@localhost ~]$ cd .ssh/
[zhuohua_0@localhost .ssh]$ pwd
/home/zhuohua_0/.ssh
[zhuohua_0@localhost .ssh]$ ll
总用量 8
-rw------- 1 zhuohua_0 zhuohua_0 1675 6月  23 02:46 id_rsa
-rw-r--r-- 1 zhuohua_0 zhuohua_0  413 6月  23 02:46 id_rsa.pub





Contents of the private key file (different every time a key is generated):
[zhuohua_0@localhost .ssh]$ cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
(private key body omitted)
-----END RSA PRIVATE KEY-----





Contents of the public key file (different every time a key is generated):
[zhuohua_0@localhost .ssh]$ cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuyrCs/F0fOG5LGB9k8kQHEOG86cofhO+rzy9oBGALVSRl3bonRppc7whuIEIv/2WeRFEQaoO54tU7GwU9ilKA/7pswIoyYpC9kHuD+o7eWvKJK8V8iAT8LTWmPXx7n4J8a0FDzhRjwHyGQ9GYytcKt7nb2nAfLXZOkKy/0ogdvSHTL5lmiM+xN7/IxfUJ9xfZeGCJFd03QojlhWkIQ6wn6TNb/L9L5/1wRq4gZWdDoHyThIq0imw9jrJ6/hMEIZb2B0JzgRGp3iN3A0BkOE395WC9z108IU547CdVtuqYwLnYmTUwIXkngMPXMGIdBiRHKjFA3p8fWiB+tw9uY+mvw== zhuohua_0@localhost.localdomain







On the SSH client, send the public key file to the home directory of user zhuohua_1 on the SSH server:
[zhuohua_0@localhost ~]$ ssh-copy-id zhuohua_1@192.168.168.135

The authenticity of host '192.168.168.135 (192.168.168.135)' can't be established.
RSA key fingerprint is e5:fc:28:be:3b:10:54:1c:85:a7:b0:31:3f:d7:93:26.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.168.135' (RSA) to the list of known hosts.
zhuohua_1@192.168.168.135's password: # enter zhuohua_1's password
Now try logging into the machine, with "ssh 'zhuohua_1@192.168.168.135'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.





View the public key file on the SSH server:
[root@oracle-linux6 ~]# su - zhuohua_1
[zhuohua_1@oracle-linux6 ~]$ ls -alh
总用量 28K
drwx------. 4 zhuohua_1 zhuohua_1 4.0K 8月  12 05:53 .
drwxr-xr-x. 4 root      root      4.0K 8月  12 05:48 ..
-rw-r--r--. 1 zhuohua_1 zhuohua_1   18 3月  22 2017 .bash_logout
-rw-r--r--. 1 zhuohua_1 zhuohua_1  176 3月  22 2017 .bash_profile
-rw-r--r--. 1 zhuohua_1 zhuohua_1  124 3月  22 2017 .bashrc
drwxr-xr-x. 2 zhuohua_1 zhuohua_1 4.0K 11月 20 2010 .gnome2
drwx------. 2 zhuohua_1 zhuohua_1 4.0K 8月  12 05:53 .ssh



The public key file is renamed automatically, but its contents are the same:
Note: mind the file permissions (600)
[zhuohua_1@oracle-linux6 ~]$ cd .ssh/
[zhuohua_1@oracle-linux6 .ssh]$ ll
总用量 4
-rw-------. 1 zhuohua_1 zhuohua_1 413 8月  12 05:53 authorized_keys


[zhuohua_1@oracle-linux6 .ssh]$ cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuyrCs/F0fOG5LGB9k8kQHEOG86cofhO+rzy9oBGALVSRl3bonRppc7whuIEIv/2WeRFEQaoO54tU7GwU9ilKA/7pswIoyYpC9kHuD+o7eWvKJK8V8iAT8LTWmPXx7n4J8a0FDzhRjwHyGQ9GYytcKt7nb2nAfLXZOkKy/0ogdvSHTL5lmiM+xN7/IxfUJ9xfZeGCJFd03QojlhWkIQ6wn6TNb/L9L5/1wRq4gZWdDoHyThIq0imw9jrJ6/hMEIZb2B0JzgRGp3iN3A0BkOE395WC9z108IU547CdVtuqYwLnYmTUwIXkngMPXMGIdBiRHKjFA3p8fWiB+tw9uY+mvw== zhuohua_0@localhost.localdomain






Set the login authentication method on the SSH server (the file can also be edited directly, since the entries are already present in it; you must switch to root to have permission to do this):

// forbid remote login by users with empty passwords
echo 'PermitEmptyPasswords no' >> /etc/ssh/sshd_config

// enable key-pair authentication
echo 'PubkeyAuthentication yes' >> /etc/ssh/sshd_config

// specify the public key store file
echo 'AuthorizedKeysFile     .ssh/authorized_keys' >> /etc/ssh/sshd_config

// forbid remote root login (optional)
echo 'PermitRootLogin no' >> /etc/ssh/sshd_config

// disable password authentication (optional)
sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config
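A check worth running before restarting sshd, added here as an example and not part of the original post: sshd honours the first uncommented occurrence of a keyword, so a line appended with `echo ... >>` only takes effect if the keyword is not already set earlier in the file (which is why the post uses sed for PasswordAuthentication). The script below reproduces that first-match rule on a constructed sshd_config; it assumes POSIX sh and awk and handles only the whitespace-separated "Keyword value" form.

```shell
#!/bin/sh
# Added example, not from the original post. sshd uses the FIRST
# uncommented occurrence of a keyword in sshd_config, so appending with
# `echo ... >>` only changes a setting that is not already set earlier.
# Assumes POSIX sh and awk; handles "Keyword value", not "Keyword=value".

# effective_sshd_option FILE KEYWORD
# Prints the value sshd would use for KEYWORD, or nothing if it is unset
# (the compiled-in default then applies). Matching is case-insensitive,
# as in sshd. Stops at the first Match block, because everything after
# it is conditional rather than global.
effective_sshd_option() {
    key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
    awk -v key="$key" '
        /^[[:space:]]*#/ { next }           # comment line
        NF == 0          { next }           # blank line
        { k = tolower($1) }
        k == "match"     { exit }           # global section ends here
        k == key         { print $2; exit } # first occurrence wins
    ' "$1"
}

# Writes a constructed sshd_config mirroring the tutorial: the stock file
# already has PasswordAuthentication yes, then the echo >> lines are appended.
make_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample, not a real distribution file
#PermitRootLogin yes
#PubkeyAuthentication yes
PasswordAuthentication yes
# --- appended with echo >> as in the tutorial ---
PermitEmptyPasswords no
PubkeyAuthentication yes
AuthorizedKeysFile     .ssh/authorized_keys
PermitRootLogin no
PasswordAuthentication no
EOF
}

main() {
    cfg="$(mktemp)"
    make_sample_config "$cfg"
    # PasswordAuthentication stays "yes": the appended "no" is ignored.
    for k in PermitRootLogin PubkeyAuthentication PasswordAuthentication; do
        printf '%-22s effective value: %s\n' "$k" "$(effective_sshd_option "$cfg" "$k")"
    done
    rm -f "$cfg"
}
main
```

On a live host, `sshd -T` prints the effective configuration directly; the parser above reproduces the same first-match rule on any copy of the file without needing root.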


Restart the sshd service:
[root@oracle-linux6 ~]# service sshd restart
停止 sshd:[确定]
正在启动 sshd:[确定]





######

From now on the SSH client can access the SSH server with the key pair (in the other direction a password is still required):
[zhuohua_0@localhost ~]$ ssh zhuohua_1@192.168.168.135
[zhuohua_1@oracle-linux6 ~]$ whoami
zhuohua_1
[zhuohua_1@oracle-linux6 ~]$ ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:0C:29:01:1A:AF  
          inet addr:192.168.168.135  Bcast:192.168.168.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe01:1aaf/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1010 errors:0 dropped:0 overruns:0 frame:0
          TX packets:733 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:105957 (103.4 KiB)  TX bytes:95217 (92.9 KiB)

# you can switch to root@192.168.168.135
[zhuohua_1@oracle-linux6 ~]$ su - root
密码: # enter the password of root@192.168.168.135
[root@oracle-linux6 ~]#
[root@oracle-linux6 ~]# whoami
root
[root@oracle-linux6 ~]#
[root@oracle-linux6 ~]# exit
logout
[zhuohua_1@oracle-linux6 ~]$ whoami
zhuohua_1

[zhuohua_1@oracle-linux6 ~]$ exit
logout
Connection to 192.168.168.135 closed.
[zhuohua_0@localhost ~]$






###

Upload files and folders from the SSH client to the SSH server (no password needed):
[zhuohua_0@localhost ~]$ pwd
/home/zhuohua_0
[zhuohua_0@localhost ~]$ ls
1.txt  dir1

[zhuohua_0@localhost ~]$ scp -rp ~/1.txt zhuohua_1@192.168.168.135:/home/zhuohua_1
1.txt                                                                  100%    4     0.0KB/s   00:00   

[zhuohua_0@localhost ~]$ scp -rp dir1 zhuohua_1@192.168.168.135:/home/zhuohua_1
11.txt                                                                 100%    5     0.0KB/s   00:00  



Files and folders received on the SSH server:
[zhuohua_1@oracle-linux6 ~]$ pwd
/home/zhuohua_1

[zhuohua_1@oracle-linux6 ~]$ ll
总用量 8
-rw-rw-r--. 1 zhuohua_1 zhuohua_1    4 6月  23 2020 1.txt
drwxrwxr-x. 2 zhuohua_1 zhuohua_1 4096 6月  23 2020 dir1

[zhuohua_1@oracle-linux6 ~]$ cd dir1/
[zhuohua_1@oracle-linux6 dir1]$ ll
总用量 4
-rw-rw-r--. 1 zhuohua_1 zhuohua_1 5 6月  23 2020 11.txt


###

Download files and folders from the SSH server to the SSH client (also no password needed):
[zhuohua_0@localhost ~]$ scp -rp zhuohua_1@192.168.168.135:/home/zhuohua_1/2.txt ./
2.txt                                                                  100%    4     0.0KB/s   00:00

[zhuohua_0@localhost ~]$ scp -rp zhuohua_1@192.168.168.135:/home/zhuohua_1/dir2 ./
22.txt                                                                 100%    5     0.0KB/s   00:00


The downloaded files and folders:
[zhuohua_0@localhost ~]$ pwd
/home/zhuohua_0
[zhuohua_0@localhost ~]$ ll
总用量 16
-rw-rw-r-- 1 zhuohua_0 zhuohua_0    4 6月  23 03:01 1.txt
-rw-rw-r-- 1 zhuohua_0 zhuohua_0    4 8月  12 2019 2.txt
drwxrwxr-x 2 zhuohua_0 zhuohua_0 4096 6月  23 03:05 dir1
drwxrwxr-x 2 zhuohua_0 zhuohua_0 4096 8月  12 2019 dir2
[zhuohua_0@localhost ~]$
[zhuohua_0@localhost ~]$ cd dir2
[zhuohua_0@localhost dir2]$ ll
总用量 4
-rw-rw-r-- 1 zhuohua_0 zhuohua_0 5 8月  12 2019 22.txt





Related articles:
SSH key-pair authentication between Linux hosts (Part 2)
rsync remote directory-tree synchronization
MySQL 5.6 master-slave / master-master replication

SecureCRT + key-pair authentication
SecureCRT remote management of Linux (Part 1)




