CentOS7做ssh免密登录详解程序员

youxi2 192.168.1.7

这里我将防火墙关闭进行实验，如果防火墙开启，请将端口加入到防火墙规则中。

(2).目标

在ssh端口不为22的情况下，进行单向免密登录或双向免密登录（端口不一致）

(3).实验

首先修改两台服务器的端口，vim /etc/ssh/sshd_config，找到如下部分

#Port 22 

将#去除，22改为想要的端口号。这里我将youxi1的ssh端口号改为2890，youxi2的ssh端口号改为2891。

接着使用命令systemctl restart sshd重启服务。再使用netstat -tlunp | grep sshd查看端口号（如果没有netstat请安装net-tools）

[[email protected] Packages]# netstat -tlunp | grep sshd //youxi1 

tcp 0 0 0.0.0.0:2890 0.0.0.0:* LISTEN 9953/sshd 

tcp6 0 0 :::2890 :::* LISTEN 9953/sshd 

[[email protected] ~]# netstat -tlunp | grep sshd //youxi2 

tcp 0 0 0.0.0.0:2891 0.0.0.0:* LISTEN 17526/sshd 

tcp6 0 0 :::2891 :::* LISTEN 17526/sshd 

1）单向免密登录

youxi1使用ssh远程youxi2不需要密码，但youxi2使用ssh远程youxi1需要密码

在yousi1上使用ssh-keygen生成公钥和私钥（这里使用默认的rsa），一路默认即可

[[email protected] ~]# ssh-keygen -t rsa //默认指定的是rsa，所以可以没有-t rsa 

Generating public/private rsa key pair. 

Enter file in which to save the key (/root/.ssh/id_rsa): //选项没有指定生成地址时，此处也可以指定 

Created directory /root/.ssh. 

Enter passphrase (empty for no passphrase): 

Enter same passphrase again: 

Your identification has been saved in /root/.ssh/id_rsa. 

Your public key has been saved in /root/.ssh/id_rsa.pub. 

The key fingerprint is: 

SHA256:ia+le9ZX3cAxztmIINJbWnEGrK9lq4lY4pYNevgqecM [email protected] 

The keys randomart image is: 

+---[RSA 2048]----+ 

| . .ooo | 

| . o =o o | 

| . B . = * | 

| .+. . B .| 

| . S. o.| 

| . . + . o| 

| o o.+. o= . . | 

|o E.++.=+.o . | 

| o.*+ =+o. . | 

+----[SHA256]-----+

在没有指定生成地址时，会默认生成到家目录下的.ssh/目录下。使用rsa就会生成id_rsa和id_rsa.pub两个文件，如果使用的是dsa则生成的是id_dsa和id_dsa.pub两个文件。

[[email protected] ~]# ls /root/.ssh/ 

id_rsa id_rsa.pub 

接着使用命令ssh-copy-id命令将公钥发到youxi2服务器上

[[email protected] ~]# ssh-copy-id -i .ssh/id_rsa.pub -p2891 [email protected]//-p选项指定被远程的服务器的端口号 

/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_rsa.pub" 

The authenticity of host [192.168.1.7]:2891 ([192.168.1.7]:2891) cant be established. 

ECDSA key fingerprint is SHA256:j3ee8eoTo2XEv0QxCYmxphMipcNRxC+IONPmt1HwRLg. 

ECDSA key fingerprint is MD5:25:e2:b4:08:f2:79:7d:6e:42:84:b5:78:3d:6a:81:20. 

Are you sure you want to continue connecting (yes/no)? yes //yes继续 

/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed 

/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys 

[email protected]s password: //输入192.168.1.7服务器上的root用户的密码 

Number of key(s) added: 1 

Now try logging into the machine, with: "ssh -p 2891 [email protected]" 

and check to make sure that only the key(s) you wanted were added. 

公钥传完后虽然会在本地生成.ssh/known_hosts文件，但并不生效。而在youxi2服务器的root用户的家目录下生成.ssh目录，并含有authorized_keys文件。

[[email protected] ~]# ls .ssh/ 

authorized_keys 

此时youxi1上的id_rsa.pub文件与youxi2是上的authorized_keys文件相同。

最后测试：在youxi1上ssh远程youxi2，会发现并不需要输入密码

[[email protected] ~]# ssh -p 2891 [email protected] 

Last login: Sun May 12 17:46:49 2019 from youxi1.cn 

[[email protected] ~]# ls .ssh/ 

authorized_keys 

注意：是本机生成的公钥发给被远程的服务器，在发送公钥和远程服务器时，都需要指定被远程的服务器的端口号。

2）双向免密登录

双向免密就是互换公钥即可，这里接着上面把youxi2的公钥发送到youxi1上，并进行测试。

[[email protected] ~]# ssh-keygen 

Generating public/private rsa key pair. 

Enter file in which to save the key (/root/.ssh/id_rsa): 

Enter passphrase (empty for no passphrase): 

Enter same passphrase again: 

Your identification has been saved in /root/.ssh/id_rsa. 

Your public key has been saved in /root/.ssh/id_rsa.pub. 

The key fingerprint is: 

SHA256:9+woxNPvkE99zGUEZNcI+DJaUUIZXXMKb7k/Y6kPiJU [email protected] 

The keys randomart image is: 

+---[RSA 2048]----+ 

| .+*++*.+| 

| +..+.B.| 

| o = .| 

| + o. o | 

| .S+.E . o| 

| =.++.. =o| 

| . ooo+..==| 

| . *. +.o| 

| ...+... | 

+----[SHA256]-----+ 

[[email protected] ~]# ssh-copy-id -i .ssh/id_rsa.pub -p2890 [email protected] 

/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_rsa.pub" 

The authenticity of host [192.168.1.6]:2890 ([192.168.1.6]:2890) cant be established. 

ECDSA key fingerprint is SHA256:j3ee8eoTo2XEv0QxCYmxphMipcNRxC+IONPmt1HwRLg. 

ECDSA key fingerprint is MD5:25:e2:b4:08:f2:79:7d:6e:42:84:b5:78:3d:6a:81:20. 

Are you sure you want to continue connecting (yes/no)? yes 

/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed 

/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys 

[email protected]s password: 

Number of key(s) added: 1 

Now try logging into the machine, with: "ssh -p 2890 [email protected]" 

and check to make sure that only the key(s) you wanted were added. 

[[email protected] ~]# ssh -p 2890 [email protected] 

Last login: Sun May 12 17:24:54 2019 from youxi2.cn 

[[email protected] ~]# 

2765.html