SSH passwordless login configuration

[TOC]

Before anything else: on the server, the .ssh directory itself, its parent directory and the files inside it must never have permissions like 777 or 775; in other words, no user other than the owner may have write permission on them, otherwise the login is guaranteed to fail.

1. Client configuration

1.1 Generate the key pair

If the $HOME/.ssh/ directory does not exist yet, generate a public/private key pair:

/Users/suitm/.ssh>ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/suitm/.ssh/id_rsa): aaa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in aaa.
Your public key has been saved in aaa.pub.
The key fingerprint is:
SHA256:SPfo5Hlj7hs/5GDkE++iyNc8mFEBW9nv8RPes0x3PbQ suitm@suitmdeMacBook-Pro.local
The key's randomart image is:
+---[RSA 2048]----+
|        ...o     |
|         oo .    |
|      . o  . .   |
|     . o o+   oo |
|      . S+.o .oo=|
|       +..= o .E*|
|        +B=*  o B|
|     . .++=++  o |
|      o..o++..   |
+----[SHA256]-----+
/Users/suitm/.ssh>l -tr
total 120
-rw-r--r--  1 suitm  staff    788  3 21  2017 icesky1stm@sina.com-GitHub.pub
-rw-------  1 suitm  staff   3326  3 21  2017 icesky1stm@sina.com-GitHub
-rw-r--r--@ 1 suitm  staff    412  9 26  2017 id_rsa.pub
-rw-------  1 suitm  staff   1679  9 26  2017 id_rsa
-rw-r--r--  1 suitm  staff  17059  3 13 00:55 known_hosts2
-rw-r--r--  1 suitm  staff  18305  4  7 17:36 known_hosts
-rw-r--r--@ 1 suitm  staff   1070  4 10 19:14 config

1.2 Install the public key on the server

  • Method 1:

Copy the contents of id_rsa.pub and paste it into the $HOME/.ssh/authorized_keys file on the server. Note that the permissions of that file must be 600.

  • Method 2:

On the client, run ssh-copy-id root@123.123.123.123 and enter the password; the local public key is copied to the server automatically.

/Users/suitm/.ssh>ssh-copy-id test@123.123.123.123
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/Users/suitm/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
test@icesky1stm.cn's password:

Number of key(s) added:        1

Now try logging into the machine, with:   "ssh 'test@123.123.123.123'"
and check to make sure that only the key(s) you wanted were added.
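Doing method 1 by hand is easy to get slightly wrong (permissions forgotten, the same key pasted twice). The shell function below is an added example, not code from the original page or from OpenSSH, that installs a public key the way method 1 describes while enforcing the permissions the page calls for; it takes a public key file and the target user's home directory as its two (assumed) arguments and is meant to run on the server as that user. The function names and messages are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: install an OpenSSH public key
# into a user's authorized_keys the way method 1 describes, but idempotently
# and with the permissions the page requires (.ssh = 700, authorized_keys = 600).
# Arguments (assumed): <pubkey_file> <home_dir>. Run on the server as that user.

install_pubkey() {
    pubkey_file=$1
    home_dir=$2
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # A public key line looks like: <type> <base64 blob> [comment]
    key_line=$(head -n 1 "$pubkey_file")
    set -- $key_line
    if [ $# -lt 2 ]; then
        echo "install_pubkey: $pubkey_file does not look like an OpenSSH public key" >&2
        return 2
    fi
    key_blob=$2    # the blob identifies the key; the comment may differ

    # Create the directory and file with the modes the page requires.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth_file" && chmod 600 "$auth_file"

    # Do not append a key that is already installed.
    if grep -qF -- "$key_blob" "$auth_file"; then
        echo "install_pubkey: key already present in $auth_file"
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
    echo "install_pubkey: added key to $auth_file"
}

# How many entries in <home_dir>/.ssh/authorized_keys match <pubkey_file>.
count_key() {
    blob=$(head -n 1 "$1" | cut -d' ' -f2)
    grep -cF -- "$blob" "$2/.ssh/authorized_keys"
}

# Usage: sh install_pubkey.sh ~/id_rsa.pub "$HOME"
if [ $# -eq 2 ]; then
    install_pubkey "$1" "$2"
fi
```

Running it twice with the same key leaves exactly one entry, which is what ssh-copy-id's "filter out any that are already installed" step in method 2 achieves for you.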

1.3 Edit the client's $HOME/.ssh/config (optional)

# --- Host is an alias; HostName is the actual IP address or domain name ---
Host icesky1stm
    HostName icesky1stm.cn
    User root
    PreferredAuthentications publickey
    # IdentityFile must point at the private key, not the .pub file
    IdentityFile /Users/suitm/.ssh/id_rsa
    # UseKeychain is macOS-only; OpenSSH on other platforms rejects it
    UseKeychain yes
    AddKeysToAgent yes
# ----------------------------

2. Server-side requirements for passwordless login (if it does not work)

2.1 First check the directory permissions

The following three permissions must be correct:

  • the parent directory of .ssh: 755 recommended
  • the .ssh directory: 700 recommended
  • the .ssh/authorized_keys file: 600 recommended

Note that none of these may be 777 or 775 or similar; in other words, no user other than the owner may have write permission, otherwise the login is guaranteed to fail.
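To make these three checks repeatable, here is an added shell function, not from the original page, that inspects exactly those three paths for the owner-only write requirement. It takes the user's home directory as its (assumed) argument; the function names and output labels are this example's own. This corresponds to the check sshd performs itself when StrictModes is enabled (the default): a group- or world-writable home directory, .ssh directory or authorized_keys file makes it ignore the key file.

```shell
#!/bin/sh
# Added example, not from the original page: audit the three paths the page
# lists (home directory, .ssh, .ssh/authorized_keys) for write permission
# granted to anyone other than the owner. Argument (assumed): <home_dir>.
# Exit status: 0 when all three are fine, 1 when something must be fixed.

# Symbolic mode string such as "drwx------"; works with GNU and BSD ls.
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# True (0) when the group or other write bit is set on the path.
others_can_write() {
    m=$(mode_string "$1")
    g=$(printf '%s' "$m" | cut -c6)    # group write position
    o=$(printf '%s' "$m" | cut -c9)    # other write position
    [ "$g" = w ] || [ "$o" = w ]
}

check_ssh_perms() {
    home_dir=$1
    status=0
    for p in "$home_dir" "$home_dir/.ssh" "$home_dir/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING  $p"
            status=1
        elif others_can_write "$p"; then
            echo "BAD      $(mode_string "$p")  $p  (remove group/other write: chmod g-w,o-w)"
            status=1
        else
            echo "OK       $(mode_string "$p")  $p"
        fi
    done
    return $status
}

# Usage: sh check_ssh_perms.sh /home/test
if [ $# -eq 1 ]; then
    check_ssh_perms "$1"
fi
```

The function only looks at the write bits, which is what the page's rule is about; sshd additionally requires that the three paths are owned by the user (or root), so if the modes are fine and the key is still refused, check ownership next and read /var/log/auth.log or journalctl -u sshd for the "Authentication refused: bad ownership or modes" message.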

2.2 Look at /etc/ssh/sshd_config and check or set the following:

# enable public key authentication
PubkeyAuthentication yes

# location of the authorized keys file (note the path; normally does not need changing)
AuthorizedKeysFile .ssh/authorized_keys

After the change, restart the ssh service:

systemctl restart sshd.service

# check that it started successfully
systemctl status sshd.service

# on some systems the restart command is
/etc/init.d/ssh restart

2.3 If the root user cannot log in, change the following setting in /etc/ssh/sshd_config:

PermitRootLogin yes
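The settings in 2.2 and 2.3 are subject to a rule the page does not spell out: sshd takes the first occurrence of a directive and ignores later ones (outside Match blocks), so a line added at the bottom of a file that already sets the same directive higher up has no effect. The shell functions below are an added example, not code from the page or from OpenSSH; they read a directive's effective value from a config file with that first-match rule and fall back to OpenSSH's built-in defaults for the three directives the page discusses. The function names are this example's own, and the config text in the usage example is constructed.

```shell
#!/bin/sh
# Added example, not from the original page or OpenSSH: read the effective
# value of a directive from an sshd_config file. sshd honours the FIRST
# occurrence of a directive; later ones are ignored, and anything under a
# "Match" block is conditional, so parsing stops there. Names are
# case-insensitive and lines starting with "#" are comments. Assumes the
# whitespace-separated "Key value" form used on this page (not "Key=value").
# Usage: sshd_setting <config_file> <directive>

sshd_setting() {
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v want="$want" '
        /^[[:space:]]*#/ || NF == 0 { next }      # comment or blank line
        tolower($1) == "match"      { exit }      # conditional section begins
        tolower($1) == want {
            out = $2
            for (i = 3; i <= NF; i++) out = out " " $i   # multi-value directives
            print out
            exit
        }
    ' "$1"
}

# Same, but fall back to OpenSSH's compiled-in default when the file is silent.
# Defaults are listed only for the three directives the page discusses.
sshd_effective() {
    val=$(sshd_setting "$1" "$2")
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
        return 0
    fi
    case "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" in
        pubkeyauthentication) echo "yes" ;;
        permitrootlogin)      echo "prohibit-password" ;;
        authorizedkeysfile)   echo ".ssh/authorized_keys .ssh/authorized_keys2" ;;
        *)                    echo "" ;;
    esac
}

# Usage: sh sshd_setting.sh /etc/ssh/sshd_config PermitRootLogin
# With a constructed file containing "PermitRootLogin no" above a later
# "PermitRootLogin yes", the result is "no": the first line wins.
if [ $# -eq 2 ]; then
    sshd_effective "$1" "$2"
fi
```

The authoritative check is `sudo sshd -T`, which prints the configuration the daemon would actually use with Include files resolved; on distributions that put `Include /etc/ssh/sshd_config.d/*.conf` at the top of the main file, a drop-in there is read first and therefore wins over anything placed lower in /etc/ssh/sshd_config.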