[Original] Linux Basics: SSH Key Login

Official reference: https://www.ssh.com/ssh/linux

The SSH protocol uses encryption to secure the connection between a client and a server. All user authentication, commands, output, and file transfers are encrypted to protect against attacks in the network.

 

Key types include rsa and dsa; for the comparison see https://security.stackexchange.com/questions/5096/rsa-vs-dsa-for-ssh-authentication-keys . Current OpenSSH also offers ecdsa and ed25519, and ssh-dss keys have been disabled by default in the client and server since OpenSSH 7.0, so dsa is covered here only for older hosts; for new keys use ed25519 or rsa.

The security of the RSA algorithm is based on the fact that factorization of large integers is known to be "difficult", whereas DSA security is based on the discrete logarithm problem.

RSA rests on the hardness of factoring large integers, DSA on the discrete logarithm problem;

RSA keys can go up to 4096 bits, where DSA has to be exactly 1024 bits (although OpenSSL allows for more.)

An rsa key is commonly generated at up to 4096 bits (ssh-keygen itself accepts larger sizes; 4096 is simply the usual upper choice), while an ssh-dss key is fixed at exactly 1024 bits by the SSH protocol;

1 Generate a key, rsa or dsa

1.1 Generate from the command line (Linux or Mac)

$ ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/home/testuser/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/testuser/.ssh/id_rsa.
Your public key has been saved in /home/testuser/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:mRMuErgh17o9EPe1gzdd/tFuj6L0rVsk7qTw1rrGFCc testuser@testserver
The key's randomart image is:
+---[RSA 4096]----+
| |
| o |
|. = + o . |
| o * o + *Eo. . |
| + . + S .+o o .|
| + . o +.. + o |
| . o .o..o o o|
| . ++=oo o.|
| o*+=+o .|
+----[SHA256]-----+

You are prompted for a passphrase during creation. Set one: it encrypts the private key on disk, so a copied id_rsa file is useless on its own, and ssh-agent can cache the unlocked key for the session so you do not retype it on every login.

Once creation finishes, two key files are placed by default in the .ssh directory under the home directory: the public key (.pub suffix) and the private key

$ ls .ssh
id_rsa id_rsa.pub

When logging in, the private key stays on your own machine and only the public key is placed on the server

1.2 Generate from the SecureCRT or Xshell GUI (Windows)

In SecureCRT, keys are created under

Tools--Create Public Keys

2 Upload the public key

Copy the public key into the home directory of the target account on the server you want to log in to, then append it to authorized_keys:

cat .ssh/id_rsa.pub >> .ssh/authorized_keys
chmod 600 .ssh/authorized_keys

The .ssh directory itself must be mode 700 and the home directory must not be group- or world-writable; with StrictModes (the sshd default) a key in a looser directory is silently ignored, which is the most common reason a "passwordless" login still asks for a password. The ssh-copy-id tool shipped with OpenSSH performs this append and the permission fixes in one step.

3 Log in with the local private key

3.1 Log in with the ssh command (Linux or Mac)

$ ssh -i /path/id_rsa user@remote_ip

Alternatively, point the client configuration at the key so that -i is not needed. Editing the system-wide file as below applies to every user on the machine; for one account the per-user file ~/.ssh/config is the usual place. Note that a key stored at ~/.ssh/id_rsa is already tried by default, so an IdentityFile entry is only needed for keys kept elsewhere or when different hosts use different keys (put the entry under a Host block in that case).

#vi /etc/ssh/ssh_config

IdentityFile ~/.ssh/id_rsa

3.2 Log in with SecureCRT or Xshell (Windows)

Select the private key

 

4 Passwordless login across a Hadoop cluster

4.1 Passwordless ssh as root

1 Prepare the key

# ssh-keygen -t rsa -b 4096
# ls .ssh
authorized_keys id_rsa id_rsa.pub known_hosts
# cat .ssh/id_rsa.pub >> .ssh/authorized_keys
# chmod 600 .ssh/authorized_keys

2 Copy the key material to every node. Note that this gives every node the same root private key, so compromising any one node yields root on all of them; limit this to the hosts that genuinely need mutual login, and prefer giving each node its own key pair and distributing only the collected public keys where that is practical.

1) You have no password, but can get a shell on each server by some other route: on each server start an nc listener to receive the files. Be aware that nc neither authenticates nor encrypts, so the private key crosses the network in cleartext and whoever connects to the port first gets to write into root's .ssh; use this only on a trusted network.

# nc -l $receive_port |tar -zxvf -

Run on the local machine:

# tar -zcvf - .ssh |nc $receive_ip $receive_port

2) You have an account and password on the servers: copy to each one with scp

# scp .ssh/id_rsa.pub root@$server_ip:/root/.ssh
# scp .ssh/authorized_keys root@$server_ip:/root/.ssh

3 Log in to each server with ssh to verify (this also records each host key in known_hosts)

# ssh $server_ip

4 Copy known_hosts to each server

# scp .ssh/known_hosts $server_ip:/root/.ssh/

 

4.2 Passwordless login for other users, with hadoop as the example

# ansible all-servers -m shell -a 'useradd hadoop'
# su - hadoop
$ ssh-keygen -t rsa -b 4096
$ cat .ssh/id_rsa.pub >> .ssh/authorized_keys
$ chmod 600 .ssh/authorized_keys
$ exit
# ansible other-servers -m copy -a 'src=/home/hadoop/.ssh dest=/home/hadoop/'
# ansible other-servers -m shell -a 'chown -R hadoop:hadoop /home/hadoop/.ssh && cd /home/hadoop/.ssh && chmod 600 id_rsa authorized_keys'
# su - hadoop
$ ssh $server
$ scp .ssh/known_hosts $server:/home/hadoop/.ssh
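The steps in section 2 (append the public key, fix permissions) and section 4 (repeat that for every node in a cluster) can be done over an existing login without ever copying the private key anywhere. The script below is an added example, not code from the original post or from OpenSSH. It assumes SSH_CMD is the transport (ssh in real use, possibly with options; a local stub when testing), that the remote login shell is POSIX sh compatible, and it honours a TARGET_HOME variable purely as a test hook; the host list is a plain file with one user@host per line.

```sh
#!/bin/sh
# Added example (not from the original post or OpenSSH): push a public key
# into an account's authorized_keys on one or more hosts over an existing
# login. Only the public key travels; the private key never leaves here.
# The remote snippet creates ~/.ssh with the modes sshd's StrictModes wants
# and appends the key only if it is not already present, so re-runs are safe.
# Assumptions: SSH_CMD is the transport (ssh in real use, a local stub under
# test); TARGET_HOME is a test hook the remote snippet honours when set.

SSH_CMD=${SSH_CMD:-ssh}

# Shell script executed on the remote host; it reads one public-key line
# ("type base64 [comment]") from stdin.
REMOTE_INSTALL=$(cat <<'EOF'
set -e
home=${TARGET_HOME:-$HOME}
ssh_dir="$home/.ssh"
auth="$ssh_dir/authorized_keys"
umask 077                                # everything created below is private
mkdir -p "$ssh_dir"
touch "$auth"
read -r ktype kdata kcomment || exit 2
[ -n "$ktype" ] && [ -n "$kdata" ] || exit 2
# compare type+key only, so a changed comment does not produce a duplicate
if ! awk -v k="$ktype $kdata" '($1 " " $2) == k { f = 1 } END { exit !f }' "$auth"; then
    line="$ktype $kdata"
    [ -n "$kcomment" ] && line="$line $kcomment"
    printf '%s\n' "$line" >> "$auth"
fi
chmod 700 "$ssh_dir"                     # sshd ignores the file if these are
chmod 600 "$auth"                        # looser (StrictModes yes by default)
chmod go-w "$home"                       # a group-writable home is rejected too
EOF
)

# Install the first key from the .pub file $1 for the login target $2
# (user@host). SSH_CMD is left unquoted so it may carry options.
push_pubkey() {
    head -n 1 "$1" | $SSH_CMD "$2" "$REMOTE_INSTALL"
}

# Run push_pubkey for every host in file $2 (one per line; blank lines and
# '#' comments are skipped). Returns the number of hosts that failed.
push_pubkey_to_hosts() {
    pubkey_file=$1
    failed=0
    while IFS= read -r host; do
        case $host in ''|'#'*) continue ;; esac
        if push_pubkey "$pubkey_file" "$host"; then
            echo "ok   $host"
        else
            echo "FAIL $host"
            failed=$((failed + 1))
        fi
    done < "$2"
    return "$failed"
}

# Number of key entries in an authorized_keys file, for verification.
count_keys() {
    grep -cvE '^[[:space:]]*(#|$)' "$1"
}
```

Typical use is push_pubkey_to_hosts ~/.ssh/id_rsa.pub hosts.txt while password login still works, then a plain ssh to each host to confirm the key is accepted. Because the remote side matches on key type plus key data, running it again after rotating the comment does not leave duplicate entries, and the chmod calls are unconditional so a directory created earlier with loose permissions is repaired rather than left for sshd to reject.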
