1.1 Generating the key
SSH2 supports both RSA and DSA keys, whereas SSH1 supports only RSA keys.
[[email protected] ~]# ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
15:91:d4:10:10:62:a8:1d:66:50:36:21:87:30:62:a2 [email protected]node1.example.com
The key's randomart image is:
+--[ DSA 1024]----+
|=oo+*oo o+** |
|=..+=o . ... |
|E = . . |
| . . . |
| S |
| |
| |
| |
| |
+-----------------+
[[email protected]-node1 ~]# ll .ssh/
total 12
-rw------- 1 root root 410 Mar 29 20:04 authorized_keys
-rw------- 1 root root 668 Apr 27 20:52 id_dsa        # the key (private key)
-rw-r--r-- 1 root root 618 Apr 27 20:52 id_dsa.pub    # the lock (public key)
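1.2 Distributing the key: copying the public key to the client
id_dsa (the key) stays on the management host; id_dsa.pub (the lock) is sent to every managed host.
How ssh-copy-id works:
It sends id_dsa.pub (the lock) to every managed host, where it is renamed to ~/.ssh/authorized_keys.
The file's permissions are set to 600, and the permissions of ~/.ssh are 700.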
[[email protected] ~]# grep authorized /etc/ssh/sshd_config
#AuthorizedKeysFile .ssh/authorized_keys
On the managed host:
[[email protected] tmp]# ll ~/.ssh/authorized_keys
-rw------- 1 root root 598 Oct 9 12:31 /root/.ssh/authorized_keys
[[email protected] tmp]# ll -ld ~/.ssh
drwx------ 2 root root 4096 Oct 9 12:31 /root/.ssh
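The managed-host side of the step described above, as an added example (not from the original page and not OpenSSH's own ssh-copy-id script): it adds a public key to authorized_keys only if that line is absent, applies the 700/600 modes, and audits them afterwards. The function names `install_pubkey` and `check_ssh_perms` are hypothetical and the key line is a constructed fake.

```shell
#!/bin/sh
# Added example, not from the original page; function names are hypothetical.

# install_pubkey PUBKEY_FILE HOME_DIR
# Append each key line to HOME_DIR/.ssh/authorized_keys unless that exact line
# is already there, and set the modes the page lists (700 dir, 600 file).
install_pubkey() {
    pub=$1; sshdir=$2/.ssh; auth=$sshdir/authorized_keys
    [ -s "$pub" ] || { echo "no public key in $pub" >&2; return 2; }
    # Never distribute the private half (id_dsa) by mistake.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub looks like a private key" >&2; return 2
    fi
    ( umask 077; mkdir -p "$sshdir" && touch "$auth" ) || return 1
    chmod 700 "$sshdir" && chmod 600 "$auth" || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        grep -qxF -e "$line" "$auth" || printf '%s\n' "$line" >>"$auth"
    done <"$pub"
    return 0
}

# check_ssh_perms HOME_DIR
# Report every deviation from those modes; return 1 if any was found.
check_ssh_perms() {
    sshdir=$1/.ssh; auth=$sshdir/authorized_keys; rc=0
    # find -prune -perm MODE prints the path only on an exact mode match.
    [ -n "$(find "$sshdir" -prune -type d -perm 700 2>/dev/null)" ] ||
        { echo "$sshdir: expected a directory with mode 700"; rc=1; }
    [ -n "$(find "$auth" -prune -type f -perm 600 2>/dev/null)" ] ||
        { echo "$auth: expected a file with mode 600"; rc=1; }
    return $rc
}

# Demo in a throwaway directory with a constructed (fake) public key line.
demo() {
    home=$(mktemp -d) || return 1
    printf '%s\n' 'ssh-dss AAAAB3NzaC1kc3MAAACBAFAKE constructed@example' \
        >"$home/id_dsa.pub"
    # The second run must not add a duplicate line.
    install_pubkey "$home/id_dsa.pub" "$home" &&
        install_pubkey "$home/id_dsa.pub" "$home" &&
        check_ssh_perms "$home" &&
        echo "lines: $(wc -l <"$home/.ssh/authorized_keys")"
    rc=$?; rm -rf "$home"; return $rc
}
demo
```

OpenSSH has disabled DSA (ssh-dss) keys by default since version 7.0; the functions behave the same for a key generated with `ssh-keygen -t ed25519`.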
1.3 Distributing a single key
[[email protected] ~]# ssh-copy-id -i .ssh/id_dsa.pub [email protected]172.16.1.41
The authenticity of host '172.16.1.41 (172.16.1.41)' can't be established.
RSA key fingerprint is ce:6b:ba:e5:83:74:fe:d4:a1:ef:3a:3e:10:b0:63:14.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.1.41' (RSA) to the list of known hosts.
Address 172.16.1.41 maps to bogon, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
[email protected]172.16.1.41's password:
Now try logging into the machine, with "ssh '[email protected]'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
Time: 2024-10-26 15:11:24