(1) Lab environment
Two CentOS 7 hosts:
- youxi1 192.168.1.6
- youxi2 192.168.1.7
The firewall is turned off for this experiment; if the firewall is enabled, add the SSH ports to the firewall rules.
(2) Goal
With the SSH port set to something other than 22 (and a different port on each host), set up one-way or two-way passwordless login.
(3) Experiment
First change the port on both servers: open /etc/ssh/sshd_config with vim and find this line
#Port 22
Remove the #, and change 22 to the port you want. Here the SSH port of youxi1 is changed to 2890 and that of youxi2 to 2891.
Then restart the service with systemctl restart sshd, and check the listening port with netstat -tlunp | grep sshd (install net-tools if netstat is missing):

```
[root@youxi1 Packages]# netstat -tlunp | grep sshd    # youxi1
tcp        0      0 0.0.0.0:2890    0.0.0.0:*    LISTEN    9953/sshd
tcp6       0      0 :::2890         :::*         LISTEN    9953/sshd
[root@youxi2 ~]# netstat -tlunp | grep sshd           # youxi2
tcp        0      0 0.0.0.0:2891    0.0.0.0:*    LISTEN    17526/sshd
tcp6       0      0 :::2891         :::*         LISTEN    17526/sshd
```
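The port change above is a one-line edit, but done by hand twice it easily leaves both an old `#Port 22` and a stray second `Port` line, or a typo that makes sshd refuse to start. The following shell script is an added example, not code from the original post: it makes the same `#Port 22` to `Port 2890` change on a copy of sshd_config idempotently and with the port validated. `set_sshd_port`, `get_sshd_port` and `count_active_ports` are names chosen here, and the config fragment in `demo()` is constructed.

```shell
#!/bin/sh
# Added example, not code from the original post: change the sshd listening
# port in an sshd_config file idempotently (running it twice never leaves two
# active Port directives) and with the port validated first.
# FILE and PORT are parameters; the config fragment in demo() is constructed.

# set_sshd_port FILE PORT
# Rewrites the first "Port"/"#Port" directive in FILE to "Port PORT", or
# appends one if FILE has none. Returns 1 on an invalid port without touching FILE.
set_sshd_port() {
    file=$1
    port=$2
    case $port in
        ''|*[!0-9]*) echo "invalid port: '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2
        return 1
    fi
    if grep -qE '^[[:space:]]*#?[[:space:]]*Port[[:space:]]' "$file"; then
        tmp="$file.tmp.$$"
        # Replace only the first matching directive; everything else is kept as is.
        awk -v p="$port" '
            !done && $0 ~ /^[ \t]*#?[ \t]*Port[ \t]/ { print "Port " p; done = 1; next }
            { print }
        ' "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf 'Port %s\n' "$port" >> "$file"
    fi
}

# get_sshd_port FILE -> the port sshd would bind: the first active Port
# directive, or 22 (sshd's default) when there is none.
get_sshd_port() {
    p=$(awk '$1 == "Port" { print $2; exit }' "$1")
    echo "${p:-22}"
}

# count_active_ports FILE -> number of uncommented Port directives (expect 1)
count_active_ports() {
    grep -cE '^[[:space:]]*Port[[:space:]]' "$1" || true
}

# demo: runs on a constructed copy so a real /etc/ssh/sshd_config is never edited
demo() {
    f=$(mktemp)
    printf '%s\n' '# constructed sshd_config fragment' '#Port 22' \
        '#AddressFamily any' 'PermitRootLogin yes' > "$f"
    set_sshd_port "$f" 2890
    get_sshd_port "$f"          # 2890
    set_sshd_port "$f" 2890     # second run is a no-op
    count_active_ports "$f"     # 1
    rm -f "$f"
}
```

Before `systemctl restart sshd`, `sshd -t` checks the edited file for errors; a config sshd cannot parse makes the restart fail, and over an SSH session that means being locked out. On CentOS 7 two more things can stop sshd from serving a non-default port, which the post does not cover because its firewall is off: firewalld (`firewall-cmd --permanent --add-port=2890/tcp` followed by `firewall-cmd --reload`) and SELinux in enforcing mode, which only lets sshd bind ports labelled `ssh_port_t` (`semanage port -a -t ssh_port_t -p tcp 2890`, from the policycoreutils-python package).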
1) One-way passwordless login
youxi1 can ssh to youxi2 without a password, but youxi2 still needs a password to ssh to youxi1.
On youxi1, generate the key pair with ssh-keygen (the default rsa type is used here); accepting the defaults at every prompt is enough.

```
[root@youxi1 ~]# ssh-keygen -t rsa    # rsa is the default, so -t rsa can be omitted
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):    # if no path was given as an option, one can be entered here
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:ia+le9ZX3cAxztmIINJbWnEGrK9lq4lY4pYNevgqecM root@youxi1.cn
The key's randomart image is:
+---[RSA 2048]----+
| . .ooo |
| . o =o o |
| . B . = * |
| .+. . B .|
| . S. o.|
| . . + . o|
| o o.+. o= . . |
|o E.++.=+.o . |
| o.*+ =+o. . |
+----[SHA256]-----+
```

When no path is given, the keys are written to ~/.ssh/ in the home directory. With rsa the two files id_rsa and id_rsa.pub are produced; with dsa they would be id_dsa and id_dsa.pub.

```
[root@youxi1 ~]# ls /root/.ssh/
id_rsa  id_rsa.pub
```
Next, send the public key to youxi2 with the ssh-copy-id command:

```
[root@youxi1 ~]# ssh-copy-id -i .ssh/id_rsa.pub -p2891 root@192.168.1.7    # -p gives the port of the server being logged in to
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_rsa.pub"
The authenticity of host '[192.168.1.7]:2891 ([192.168.1.7]:2891)' can't be established.
ECDSA key fingerprint is SHA256:j3ee8eoTo2XEv0QxCYmxphMipcNRxC+IONPmt1HwRLg.
ECDSA key fingerprint is MD5:25:e2:b4:08:f2:79:7d:6e:42:84:b5:78:3d:6a:81:20.
Are you sure you want to continue connecting (yes/no)? yes    # answer yes to continue
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.1.7's password:    # enter the password of root on 192.168.1.7
Number of key(s) added: 1
Now try logging into the machine, with:   "ssh -p '2891' 'root@192.168.1.7'"
and check to make sure that only the key(s) you wanted were added.
```

After the public key has been copied, a .ssh/known_hosts file is also created locally on youxi1, but that file is not what makes the passwordless login work. What matters is on youxi2: a .ssh directory containing an authorized_keys file is created in root's home directory.

```
[root@youxi2 ~]# ls .ssh/
authorized_keys
```

At this point the content of id_rsa.pub on youxi1 is identical to that of authorized_keys on youxi2.
Finally, test it: ssh from youxi1 to youxi2 and no password is requested.

```
[root@youxi1 ~]# ssh -p 2891 root@192.168.1.7
Last login: Sun May 12 17:46:49 2019 from youxi1.cn
[root@youxi2 ~]# ls .ssh/
authorized_keys
```

Note: it is the public key generated on the local machine that is sent to the server being logged in to, and that server's port must be given both when sending the public key and when logging in.
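What ssh-copy-id does on youxi2 is small but easy to get wrong by hand: the key has to land in ~/.ssh/authorized_keys exactly once, and sshd (with StrictModes on, the default) ignores the file if ~/.ssh or authorized_keys is writable by others, which is the usual reason a copied key "does not work". The shell script below is an added example, not code from the original post or from OpenSSH: it installs a public key idempotently with the right modes, and adds a ~/.ssh/config Host block so the non-default port is picked up without `ssh -p` every time. The function names (`install_pubkey`, `write_ssh_config`, `config_port`, ...) are chosen here, and the key lines in `demo()` are constructed, not real keys; the same helpers serve the two-way setup in the next section, which just runs them in the other direction.

```shell
#!/bin/sh
# Added example, not code from the original post: the remote-side work of
# ssh-copy-id (append the public key to ~/.ssh/authorized_keys exactly once,
# with modes sshd accepts) done by hand, plus a client-side ~/.ssh/config
# entry for a host on a non-default port. Arguments are parameters; the key
# line in demo() is constructed, not a real key.

# install_pubkey HOME_DIR PUBKEY_LINE
# Idempotent: an exact-line match (grep -x -F, since key material contains
# '/' and '+') is skipped, like ssh-copy-id's "filter out any that are already
# installed". ~/.ssh is forced to 0700 and authorized_keys to 0600, which is
# what sshd's StrictModes requires.
install_pubkey() {
    home_dir=$1
    pubkey=$2
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    mkdir -p "$ssh_dir" || return 1
    chmod 700 "$ssh_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"

    if grep -qxF "$pubkey" "$auth_file"; then
        echo "key already installed" >&2
        return 0
    fi
    printf '%s\n' "$pubkey" >> "$auth_file"
}

# count_keys AUTH_FILE -> number of key lines (blank and comment lines ignored)
count_keys() {
    grep -cvE '^[[:space:]]*(#|$)' "$1" || true
}

# dir_mode PATH -> permission string as ls shows it, e.g. drwx------
dir_mode() {
    ls -ld "$1" | cut -c1-10
}

# write_ssh_config HOME_DIR ALIAS HOSTNAME PORT USER IDENTITY_FILE
# Appends a Host block so that "ssh ALIAS" uses the right port, user and key.
# Refuses to add a second block for an alias that already exists.
write_ssh_config() {
    home_dir=$1; name=$2; host=$3; port=$4; user=$5; identity=$6
    cfg="$home_dir/.ssh/config"
    mkdir -p "$home_dir/.ssh" && chmod 700 "$home_dir/.ssh"
    touch "$cfg" && chmod 600 "$cfg"
    if grep -qE "^Host[[:space:]]+$name\$" "$cfg"; then
        echo "Host $name is already in $cfg" >&2
        return 1
    fi
    cat >> "$cfg" <<EOF
Host $name
    HostName $host
    Port $port
    User $user
    IdentityFile $identity
    IdentitiesOnly yes
EOF
}

# config_port HOME_DIR ALIAS -> the Port set in the Host block for ALIAS
config_port() {
    awk -v a="$2" '$1 == "Host" { cur = $2 } cur == a && $1 == "Port" { print $2 }' "$1/.ssh/config"
}

# demo: everything happens under a temporary HOME, never in the real one
demo() {
    h=$(mktemp -d)
    key="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0constructedKeyMaterialNotReal root@youxi1.cn"
    install_pubkey "$h" "$key"
    install_pubkey "$h" "$key"             # second copy is skipped
    count_keys "$h/.ssh/authorized_keys"   # 1
    write_ssh_config "$h" youxi2 192.168.1.7 2891 root "$h/.ssh/id_rsa"
    config_port "$h" youxi2                # 2891
    rm -rf "$h"
}
```

With the Host block in place, `ssh youxi2` from youxi1 is equivalent to `ssh -p 2891 root@192.168.1.7`. The `yes` answered to the "authenticity of host ... can't be established" prompt in the transcript is what writes the entry into known_hosts; the ECDSA fingerprint shown there can be compared beforehand with `ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub` run on the target host, so that the first connection is made to the machine you think it is.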
2) Two-way passwordless login
Two-way passwordless login simply means exchanging public keys. Continuing from above, send youxi2's public key to youxi1 and test it.

```
[root@youxi2 ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:9+woxNPvkE99zGUEZNcI+DJaUUIZXXMKb7k/Y6kPiJU root@youxi2.cn
The key's randomart image is:
+---[RSA 2048]----+
| .+*++*.+|
| +..+.B.|
| o = .|
| + o. o |
| .S+.E . o|
| =.++.. =o|
| . ooo+..==|
| . *. +.o|
| ...+... |
+----[SHA256]-----+
[root@youxi2 ~]# ssh-copy-id -i .ssh/id_rsa.pub -p2890 root@192.168.1.6
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_rsa.pub"
The authenticity of host '[192.168.1.6]:2890 ([192.168.1.6]:2890)' can't be established.
ECDSA key fingerprint is SHA256:j3ee8eoTo2XEv0QxCYmxphMipcNRxC+IONPmt1HwRLg.
ECDSA key fingerprint is MD5:25:e2:b4:08:f2:79:7d:6e:42:84:b5:78:3d:6a:81:20.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.1.6's password:
Number of key(s) added: 1
Now try logging into the machine, with:   "ssh -p '2890' 'root@192.168.1.6'"
and check to make sure that only the key(s) you wanted were added.
[root@youxi2 ~]# ssh -p 2890 root@192.168.1.6
Last login: Sun May 12 17:24:54 2019 from youxi2.cn
[root@youxi1 ~]#
```
Source: http://www.bubuko.com/infodetail-3056233.html