[CentOS in Practice] Secure SSH Login

SSH provides secure remote login. With protocol version SSH v2, key exchange is based on the DH algorithm and host authentication is implemented with RSA or DSA. SSH user login authentication is either password-based or key-based.

Preparation

The virtual machines used in this lab:
(1) c6 --------- IP: 172.18.252.84
(2) c7 --------- IP: 172.18.253.104
(3) Mini6 ----- IP: 172.18.251.89
(4) Mini7 ----- IP: 172.18.250.11

Client package: openssh-clients.x86_64
Server package: openssh-server.x86_64
Client configuration file: /etc/ssh/ssh_config
Server configuration file: /etc/ssh/sshd_config
File recording previously contacted hosts: /root/.ssh/known_hosts

I. Password-based SSH connections

Login flow for user-and-password authentication
1 The client sends an ssh request, and the server sends its public key to the user
2 The user encrypts the password with the public key received from the server
3 The encrypted data is sent back to the server, which decrypts it with its private key; if the password is correct, the user is logged in

Security of SSH

On the first remote login to a host, the peer host's public key is saved in the file /root/.ssh/known_hosts, so that the host's identity can be confirmed on later connections and cannot be forged or substituted. The following experiment demonstrates this security property.

Step 1: From c6, log in for the first time to host Mini6 at IP address 172.18.251.89

[root@c6 ~]#ssh 172.18.251.89
The authenticity of host '172.18.251.89 (172.18.251.89)' can't be established.
RSA key fingerprint is 3d:25:b4:84:db:de:ef:e8:57:e9:79:10:cb:57:a6:a2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.18.251.89' (RSA) to the list of known hosts.
root@172.18.251.89's password: 
Last login: Mon Sep 11 15:03:36 2017 from 192.168.10.1
[root@Mini6 ~]#

Step 2: View the connection record file known_hosts on host c6

[root@c6 ~]#cat .ssh/known_hosts 
172.18.251.89 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8edaJKzACgj4cnfyGmjCy2p2vn87KAcm+i/5q5RadFUknS7ALyUxoMBMWz1VThdjoW4nII32qiRV+zoEYEn+ua5fc3ZtBmNZ+saeGeDApE6u0OsfHbBiR6lp97GbB1r1yi4ERgbZsRtlNpJPaHXoRKLx2VtiVQ5WHdBEPMoqXnoMbv54r7F3TvWIOGvDzzm9Xq0SCGUbWtz3M0PpxVVPTSb9RMgCLLt+qtWkkBL6G7WWQhMrc8fbKqzXZO26OUSW9nVowlDqkXXzHaGeNJvNyhkDSRXzCDV3GxSM7TksgCizaCY/ilTO77gZVzDZZyB870/j+uHaiPogdqcV1eLer

Step 3: Bring down the network interface on Mini6 that carries IP address 172.18.251.89

[root@Mini6 ~]#ifconfig eth1 down
[root@Mini6 ~]#ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:27:99:0c brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.129/24 brd 192.168.10.255 scope global eth0
    inet6 fe80::20c:29ff:fe27:990c/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
    link/ether 00:0c:29:27:99:16 brd ff:ff:ff:ff:ff:ff
    inet 172.18.251.89/16 brd 172.18.255.255 scope global eth1

Step 4: Change host Mini7's IP to 172.18.251.89 to impersonate Mini6

[root@Mini7 network-scripts]#ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:fc:73:b3 brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.128/24 brd 192.168.10.255 scope global dynamic ens33
       valid_lft 1797sec preferred_lft 1797sec
    inet6 fe80::dc7d:7e:6cb9:fcd5/64 scope link 
       valid_lft forever preferred_lft forever
3: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:fc:73:bd brd ff:ff:ff:ff:ff:ff
    inet 172.18.251.89/16 brd 172.18.255.255 scope global ens34
       valid_lft forever preferred_lft forever
    inet6 fe80::d46f:ec3b:310f:2e3a/64 scope link 
       valid_lft forever preferred_lft forever

Step 5: Log in to 172.18.251.89 again from c6; an error warning appears

[root@c6 ~]#ssh 172.18.251.89
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
17:f2:11:d1:ca:b1:42:3e:72:bc:29:26:0d:ba:69:67.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending key in /root/.ssh/known_hosts:1
RSA host key for 172.18.251.89 has changed and you have requested strict checking.
Host key verification failed.

Step 6: Restore Mini6's IP address and log in to Mini6 from c6 again; the login succeeds

[root@c6 ~]#ssh 172.18.251.89
root@172.18.251.89's password: 
Last login: Mon Sep 11 16:27:20 2017 from 172.18.252.84
[root@Mini6 ~]#

Step 7: View Mini6's host public key; it is identical to the public key saved in c6's known_hosts file at login

[root@Mini6 ssh]#cat ssh_host_rsa_key.pub 
172.18.251.89 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8edaJKzACgj4cnfyGmjCy2p2vn87KAcm+i/5q5RadFUknS7ALyUxoMBMWz1VThdjoW4nII32qiRV+zoEYEn+ua5fc3ZtBmNZ+saeGeDApE6u0OsfHbBiR6lp97GbB1r1yi4ERgbZsRtlNpJPaHXoRKLx2VtiVQ5WHdBEPMoqXnoMbv54r7F3TvWIOGvDzzm9Xq0SCGUbWtz3M0PpxVVPTSb9RMgCLLt+qtWkkBL6G7WWQhMrc8fbKqzXZO26OUSW9nVowlDqkXXzHaGeNJvNyhkDSRXzCDV3GxSM7TksgCizaCY/ilTO77gZVzDZZyB870/j+uHaiPogdqcV1eLer

Simulating IP address impersonation

During SSH login, the peer's public key is saved and used to confirm the host: the peer's public key is used to verify the peer's private key, and thus the peer host itself. So to impersonate the peer host, besides spoofing its IP address, one would also have to obtain the peer host's private key. In practice, obtaining the peer's private key is very hard; the following experiment is for verification and reference only.

Step 1: Copy Mini6's private key file into the corresponding key directory on Mini7, replacing Mini7's own private key file

[root@Mini6 ~]#scp ssh_host_rsa_key 172.18.253.104:/etc/ssh/
The authenticity of host '172.18.253.104 (172.18.253.104)' can't be established.
RSA key fingerprint is 4a:3c:ce:1a:3f:e1:76:9a:89:9e:b0:c8:ff:ac:9e:0d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.18.253.104' (RSA) to the list of known hosts.
root@172.18.253.104's password: 
ssh_host_rsa_key                                           100% 1675     1.6KB/s   00:00  

Step 2: Bring down the interface on Mini6 that holds the IP address

[root@Mini6 ~]#ifconfig eth1 down
[root@Mini6 ~]#ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:27:99:0c brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.129/24 brd 192.168.10.255 scope global eth0
    inet6 fe80::20c:29ff:fe27:990c/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
    link/ether 00:0c:29:27:99:16 brd ff:ff:ff:ff:ff:ff
    inet 172.18.251.89/16 brd 172.18.255.255 scope global eth1

Step 3: Change Mini7's IP address to 172.18.251.89

[root@Mini7 ~]#ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:32:35:10 brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.134/24 brd 192.168.10.255 scope global dynamic ens33
       valid_lft 951sec preferred_lft 951sec
    inet6 fe80::997a:4280:f508:a15b/64 scope link 
       valid_lft forever preferred_lft forever
3: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:32:35:1a brd ff:ff:ff:ff:ff:ff
    inet 172.18.251.89/16 brd 172.18.255.255 scope global ens34
       valid_lft forever preferred_lft forever
    inet6 fe80::eaa:3e5a:d418:b3c3/64 scope link 
       valid_lft forever preferred_lft forever

Step 4: Log in to 172.18.251.89 from c6 again; this time the connection goes to Mini7, not to Mini6 as before

[root@c6 ~]#ssh 172.18.251.89
root@172.18.251.89's password: 
Last login: Mon Sep 11 17:05:19 2017 from 192.168.10.1
[root@Mini7 ~]#
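The two experiments above show what ssh checks in known_hosts before it prints the "REMOTE HOST IDENTIFICATION HAS CHANGED" warning (step 5 of the first experiment), and why the warning disappears once the impersonator holds the real private key. The script below is an added example, not part of the original post: it reproduces that check with only coreutils, using the colon-separated MD5 fingerprint form the transcripts show (the default of the OpenSSH 5.x shipped with CentOS 6). The two key blobs and the known_hosts file are constructed sample data, not real host keys.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the known_hosts check
# that ssh performs before printing "REMOTE HOST IDENTIFICATION HAS CHANGED".
# Fingerprints use the colon-separated MD5 form seen in the transcripts above.
# Needs only coreutils (base64, md5sum, awk, sed).

# Print the MD5 fingerprint (xx:xx:...) of a base64-encoded public key blob.
key_fingerprint() {
    printf '%s' "$1" | base64 -d | md5sum | awk '{ print $1 }' |
        sed 's/../&:/g; s/:$//'
}

# Print the key blob stored for host $2 in known_hosts file $1. Entries are the
# unhashed "host keytype blob" lines shown in the post (HashKnownHosts no).
stored_key_blob() {
    awk -v host="$2" '$1 == host { print $3; exit }' "$1"
}

# Compare the key stored for host $2 in file $1 with the blob $3 the server
# presented. Returns 0 = match, 1 = key changed (possible MITM), 2 = unknown host.
check_host_key() {
    stored=$(stored_key_blob "$1" "$2")
    if [ -z "$stored" ]; then
        echo "$2: no entry in $1, ssh would ask whether to trust the new key"
        return 2
    fi
    if [ "$(key_fingerprint "$stored")" = "$(key_fingerprint "$3")" ]; then
        echo "$2: host key matches known_hosts ($(key_fingerprint "$3"))"
        return 0
    fi
    echo "$2: WARNING host key changed, offered key is $(key_fingerprint "$3")"
    return 1
}

# Constructed sample data: two fake blobs standing in for the host keys of Mini6
# and Mini7, and a known_hosts file that trusts Mini6's key for 172.18.251.89.
MINI6_KEY=$(printf 'constructed host key of Mini6' | base64 | tr -d '\n')
MINI7_KEY=$(printf 'constructed host key of Mini7' | base64 | tr -d '\n')
KNOWN_HOSTS=$(mktemp)
printf '172.18.251.89 ssh-rsa %s\n' "$MINI6_KEY" > "$KNOWN_HOSTS"

check_host_key "$KNOWN_HOSTS" 172.18.251.89 "$MINI6_KEY"                 # step 6: match
check_host_key "$KNOWN_HOSTS" 172.18.251.89 "$MINI7_KEY" || echo "rc=$?"  # step 5: changed
check_host_key "$KNOWN_HOSTS" 172.18.250.11 "$MINI7_KEY" || echo "rc=$?"  # step 1: unknown
```

When the impersonator has copied the real private key, as in the second experiment, the presented key is identical and the check returns 0, which is exactly why the warning no longer appears.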

Changing the SSH listening port

Step 1: Edit the SSH server configuration file /etc/ssh/sshd_config, find Port 22 (the default port) and change the port number after Port

[root@Mini6 ~]#vim /etc/ssh/sshd_config 

#       $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

Port 2234       # port number changed to 2234

Step 2: Because the port has been changed to a non-standard one, SELinux and the iptables firewall need to be turned off

[root@Mini6 ~]#vim /etc/selinux/config 

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

[root@Mini6 ~]#service iptables stop
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
[root@Mini6 ~]#iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Step 3: Restart the sshd service and check the listening port

[root@Mini6 ~]#service sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]
[root@Mini6 ~]#ss -nl
State       Recv-Q Send-Q              Local Address:Port                Peer Address:Port 
LISTEN      0      100                           ::1:25                            :::*     
LISTEN      0      100                     127.0.0.1:25                             *:*     
LISTEN      0      128                            :::2234                          :::*     
LISTEN      0      128                             *:2234                           *:*     

Step 4: Log in to 172.18.251.89 from c6 again
Because the sshd port has changed, logging in to 172.18.251.89 with the plain ssh command now fails; the system reports that the target host cannot be reached

[root@c6 ~]#ssh 172.18.251.89
ssh: connect to host 172.18.251.89 port 22: Connection refused

Specifying port 2234 with the -p option at login makes the connection succeed

[root@c6 ~]#ssh 172.18.251.89 -p 2234
root@172.18.251.89's password: 
Last login: Mon Sep 11 16:27:45 2017 from 172.18.252.84
[root@Mini6 ~]#

Edit the local ssh client configuration file /etc/ssh/ssh_config and change the default port number (Port) to 2234; Mini6, listening on port 2234, can then be logged into directly

[root@c6 ~]#vim /etc/ssh/ssh_config

#   GSSAPITrustDNS no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
   Port 2234

[root@c6 ~]#ssh 172.18.251.89
root@172.18.251.89's password: 
Last login: Mon Sep 11 18:42:43 2017 from 172.18.252.84
[root@Mini6 ~]#
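The procedure above gets sshd onto port 2234 by disabling SELinux and stopping iptables. The script below is an added example, not from the original post, showing the same port change with both controls left on: the SELinux port label is extended with semanage and the port is opened in iptables, and sshd is only restarted after sshd -t accepts the new file. set_sshd_port and sshd_port_of are plain text processing and run anywhere; allow_sshd_port needs root on a CentOS 6 host and is therefore not invoked by the demo, which edits a constructed copy of the "#Port 22" line rather than the live file.

```shell
#!/bin/sh
# Added example (not from the original post): move sshd to port 2234 while
# keeping SELinux and iptables switched on. allow_sshd_port assumes root on a
# CentOS 6 host with policycoreutils-python (semanage) installed.

# Set "Port $2" in sshd_config file $1, replacing an existing (possibly
# commented) Port line or appending one. Rejects anything but a port in 1-65535.
set_sshd_port() {
    cfg=$1; port=$2
    case $port in
        ''|*[!0-9]*) echo "invalid port: '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    if grep -Eq '^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+' "$cfg"; then
        sed -E "s/^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+.*/Port $port/" \
            "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    else
        printf 'Port %s\n' "$port" >> "$cfg"
    fi
    grep -q "^Port $port\$" "$cfg"   # confirm the edit took effect
}

# Print the port sshd would listen on according to config file $1 (22 if unset).
sshd_port_of() {
    awk '$1 == "Port" { p = $2 } END { print (p == "" ? 22 : p) }' "$1"
}

# Label port $1 for sshd in SELinux and open it in iptables, then restart sshd
# only if the new configuration passes sshd -t. Root on CentOS 6 is assumed.
allow_sshd_port() {
    semanage port -a -t ssh_port_t -p tcp "$1" 2>/dev/null ||
        semanage port -m -t ssh_port_t -p tcp "$1"   # -m when already labelled
    iptables -I INPUT -p tcp --dport "$1" -j ACCEPT
    service iptables save
    sshd -t && service sshd restart
}

# Demo on a constructed copy of the stock "#Port 22" line, not the live file.
# On the real server: set_sshd_port /etc/ssh/sshd_config 2234 && allow_sshd_port 2234
TMP=$(mktemp)
printf '#Port 22\n#ListenAddress 0.0.0.0\n' > "$TMP"
set_sshd_port "$TMP" 2234
echo "sshd would listen on port $(sshd_port_of "$TMP")"   # 2234
```

On the client side, a per-host stanza in ~/.ssh/config (Host, HostName, Port) is the usual way to pin the port for Mini6 alone rather than changing the global default in /etc/ssh/ssh_config for every destination.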

SSH jump connections

In production, some servers allow logins only from a particular host, so other machines have to go through that host and jump to the server. In the ssh command, the -t option enables a jump login. The following simulates a jump login

Step 1: On Mini6, reject traffic coming from 172.18.252.84

[root@Mini6 ~]#iptables -A INPUT -s 172.18.252.84 -j REJECT

Step 2: Jump through host c7 so that c6 can log in remotely to Mini6; the login requires the passwords of both the jump host and the target host

[root@c6 ~]#ssh -t 172.18.253.104 ssh 172.18.251.89
root@172.18.253.104's password: 
root@172.18.251.89's password: 
Last login: Mon Sep 11 21:06:38 2017 from 172.18.253.104
[root@Mini6 ~]#

Key-based remote connections

In production, an operator maintains many devices and has to log in to different ones frequently; typing a password on every login greatly reduces efficiency. Key-based authentication solves this problem

Key-based login procedure
1 First generate a key pair on the client (ssh-keygen)
2 Copy the client's public key to the server with ssh-copy-id
3 When the client next sends a connection request, it includes the IP and user name
4 After receiving the client's request, the server looks in authorized_keys; if a matching IP and user are found, it generates a random string, for example: acdf
5 The server encrypts it with the public key the client copied over and sends it to the client
6 On receiving the server's message, the client decrypts it with its private key and sends the decrypted string back to the server
7 When the server receives the client's string, it compares it with the original string; if they match, passwordless login is allowed

The following lab implements key-based login from c6 to Mini6

Step 1: Generate c6's key pair; -t selects the rsa algorithm and -P sets an empty passphrase for the private key. The default directory is /root/.ssh/, the private key file is id_rsa and the public key file is id_rsa.pub

[root@c6 ~]#ssh-keygen -t rsa -P ''
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
f9:fc:db:08:05:6e:a2:58:6f:43:06:0b:b0:3d:a4:d0 root@c6
The key's randomart image is:
+--[ RSA 2048]----+
|... .            |
| .E*             |
|  o + .   .      |
|     o o o .     |
|      o S o .    |
|     o = = .     |
|    . . + +      |
|       . . o o   |
|            +..  |
+-----------------+

[root@c6 ~]#ls /root/.ssh/
id_rsa  id_rsa.pub  known_hosts

Step 2: Copy the public key file from c6 to the host to be connected to, Mini6
-i specifies the public key file to copy. When ssh-copy-id copies the public key file, it copies the public key to the peer host even if the file specified is the private key; compared with copying with scp, this avoids editing paths and file names and copying the private key by mistake.

[root@c6 ~]#ssh-copy-id -i /root/.ssh/id_rsa.pub root@172.18.251.89
root@172.18.251.89's password: 
Now try logging into the machine, with "ssh 'root@172.18.251.89'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

[root@Mini6 ~]#ls .ssh/
authorized_keys  known_hosts    

Step 3: Connect from c6 directly to Mini6

[root@c6 ~]#ssh 172.18.251.89
Last login: Mon Sep 11 21:06:50 2017 from 172.18.253.104
[root@Mini6 ~]#

Copying the public key to every host that needs a direct connection enables direct operation on multiple hosts

With key-based connections, operating remote hosts becomes much easier: commands can be run on the remote host directly from the local machine

[root@c6 ~]#ssh 172.18.251.89 'hostname'
Mini6
[root@c6 ~]#
[root@c6 ~]#ssh 172.18.251.89 'ifconfig eth1'
eth1      Link encap:Ethernet  HWaddr 00:0C:29:27:99:16  
          inet addr:172.18.251.89  Bcast:172.18.255.255  Mask:255.255.0.0
          inet6 addr: fe80::20c:29ff:fe27:9916/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:432507 errors:0 dropped:0 overruns:0 frame:0
          TX packets:87108 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:286056641 (272.8 MiB)  TX bytes:6116023 (5.8 MiB)

The private key file is important! Copying the private key to other hosts allows logging in directly from them

Step 1: Copy the private key from c6 to c7

[root@c6 ~]#scp .ssh/id_rsa root@172.18.253.104:/root/.ssh/
root@172.18.253.104's password: 
id_rsa                                                  100% 1671     1.6KB/s   00:00  

Step 2: Log in to Mini6 directly from c7

[root@c7 ~]#ssh 172.18.251.89
Last login: Mon Sep 11 22:02:35 2017 from 192.168.10.1
[root@Mini6 ~]#

A host that holds the private key is unaffected by password changes on the directly connected hosts, so to keep the private key safe it is usually encrypted

ssh-keygen -p finds the private key file and encrypts it directly

[root@c6 ~]#ssh-keygen -p
Enter file in which the key is (/root/.ssh/id_rsa): 
Key has comment '/root/.ssh/id_rsa'
Enter new passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved with the new passphrase.

After the private key is encrypted, logging in to the remote host directly from the device requires entering the private key's passphrase once, and only once

[root@c6 ~]#ssh 172.18.251.89
Enter passphrase for key '/root/.ssh/id_rsa': 
Last login: Mon Sep 11 22:23:18 2017 from 172.18.252.84
[root@Mini6 ~]#
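The last two sections show the two ways a client private key goes wrong: it is copied to another host (c7 logs in to Mini6 with c6's id_rsa) and it is stored without a passphrase until ssh-keygen -p is run. The script below is an added example, not from the original post, that audits a private key file for both conditions using nothing but the file itself. The key files it creates are constructed stand-ins carrying no real key material.

```shell
#!/bin/sh
# Added example (not from the original post): audit an SSH private key for a
# file mode that lets other users read it and for a missing passphrase.
# Only the key file is read, so no ssh binaries are needed.

# 0 if private key $1 is passphrase-protected, 1 if it is stored in the clear.
# Handles the PEM layout written by the OpenSSH 5.x on CentOS 6 (encrypted keys
# carry a "Proc-Type: 4,ENCRYPTED" header) and the newer OPENSSH PRIVATE KEY
# layout, where the cipher name follows the 15-byte "openssh-key-v1\0" magic and
# a 4-byte length; an unencrypted key there has cipher "none".
key_is_encrypted() {
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
        return 0
    elif grep -q 'BEGIN OPENSSH PRIVATE KEY' "$1"; then
        cipher=$(sed '1d;$d' "$1" | tr -d '\n' | base64 -d 2>/dev/null |
                 head -c 23 | tail -c 4)
        [ "$cipher" != "none" ]
    else
        return 1
    fi
}

# 0 if $1 is readable by its owner only (group and other permission bits clear).
key_mode_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print one line per weakness found in key $1; return the number of findings.
audit_key() {
    n=0
    key_mode_ok "$1" || { echo "$1: readable by group/other, chmod 600 it"; n=$((n + 1)); }
    key_is_encrypted "$1" || { echo "$1: no passphrase, protect it with ssh-keygen -p -f $1"; n=$((n + 1)); }
    return $n
}

# Constructed fixtures standing in for /root/.ssh/id_rsa before and after ssh-keygen -p.
D=$(mktemp -d)
printf -- '-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructed\n-----END RSA PRIVATE KEY-----\n' > "$D/id_rsa_plain"
printf -- '-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00\n\nMIIEconstructed\n-----END RSA PRIVATE KEY-----\n' > "$D/id_rsa_enc"
chmod 644 "$D/id_rsa_plain"; chmod 600 "$D/id_rsa_enc"
audit_key "$D/id_rsa_plain" || echo "$D/id_rsa_plain: $? finding(s)"   # 2 findings
audit_key "$D/id_rsa_enc" && echo "$D/id_rsa_enc: clean"
```

A passphrase does not undo the copy to c7: a key that has left the client should be removed from every authorized_keys it was added to and replaced, which is the case for making each host's key unique in the first place.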

Enabling the agent to hold the passphrase

Use ssh-agent bash to start the agent and hand it the private key's passphrase, so that the next time the public key is pushed to another host, login works without typing the private key passphrase. The following lab copies c6's public key to Mini7 and skips the private key passphrase at the first login

[root@c6 ~]#ssh-agent bash
[root@c6 ~]#ssh-add
Enter passphrase for /root/.ssh/id_rsa: 
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)

[root@c6 ~]#ssh-copy-id -i /root/.ssh/id_rsa root@172.18.250.11
The authenticity of host '172.18.250.11 (172.18.250.11)' can't be established.
RSA key fingerprint is 17:f2:11:d1:ca:b1:42:3e:72:bc:29:26:0d:ba:69:67.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.18.250.11' (RSA) to the list of known hosts.
root@172.18.250.11's password: 
Now try logging into the machine, with "ssh 'root@172.18.250.11'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

[root@c6 ~]#ssh 172.18.250.11
Last login: Mon Sep 11 18:17:12 2017 from 192.168.10.1
[root@Mini7 ~]#