openssh
I. Common remote login protocols
1. telnet: remote login protocol, 23/TCP
-  Everything, including the password, travels in cleartext, so telnet is no longer used for administration; it remains handy as a plain TCP probe to see whether a service port is open
-  Probe the ssh port (the banner that comes back reveals the server software and version, which is exactly what a scanner would read too):
[root@SYL3 ~]# telnet 192.168.232.129 22    // probe ssh
Trying 192.168.232.129...
Connected to 192.168.232.129.
Escape character is '^]'.
SSH-2.0-OpenSSH_8.0
^C
Connection closed by foreign host.
[root@SYL3 ~]#
2. dropbear: SSH server and client tools for embedded systems
3. ssh (Secure SHell), 22/TCP
-  The whole session is encrypted, including the authentication phase
-  Authentication has two parts: host authentication (the client verifies the server's host key) and user authentication (the server verifies the user)
[root@SYL3 ~]# ssh root@192.168.232.129
The authenticity of host '192.168.232.129 (192.168.232.129)' can't be established.
ECDSA key fingerprint is SHA256:WlI+c2MQDTEJhLAvW//ahd5T4DlwkGIfuB3+u8cWJZY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes    // host authentication
Warning: Permanently added '192.168.232.129' (ECDSA) to the list of known hosts.
root@192.168.232.129's password:    // user authentication
Last login: Wed Apr 13 15:32:21 2022 from 192.168.232.1
[root@SYL2 ~]# exit
logout
Connection to 192.168.232.129 closed.
[root@SYL3 ~]#
-  Answering "yes" to that first prompt is trust-on-first-use: the client has no way to tell a genuine server from a man-in-the-middle at that moment. Compare the fingerprint with what the server prints for ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub (obtained through the console or another trusted channel) before accepting it
-  Data transfer is encrypted
4. ssh authentication methods
-  Password authentication
-  Key authentication: a public key (P) and a private key (S). The server's own host key pairs live in /etc/ssh/:
[root@SYL2 ~]# cd /etc/ssh/
[root@SYL2 ssh]# ls
moduli               ssh_host_ecdsa_key.pub
ssh_config           ssh_host_ed25519_key
ssh_config.d         ssh_host_ed25519_key.pub
sshd_config          ssh_host_rsa_key        // private key
ssh_host_ecdsa_key   ssh_host_rsa_key.pub    // public key
[root@SYL2 ssh]#
5. How it works: openssh
-  Architecture: a structure made up of several hosts
-  C/S architecture: C = client, S = server
-  Server side: sshd, configured in /etc/ssh/sshd_config
   Client side: ssh, configured in /etc/ssh/ssh_config (per-user overrides go in ~/.ssh/config)
   ssh-keygen: key pair generator
   ssh-copy-id: installs a public key on a remote server
   scp: secure copy between hosts
   The files in /etc/ssh/ are the ones listed in section 4 above: the two config files and the server's host key pairs.
-  B/S architecture: browser/server, e.g. a browser accessing a website
6. ssh remote login forms
6.1 Same username on both hosts: log in with just the IP address (ssh uses the local username when none is given)
[root@SYL3 ~]# ssh 192.168.232.129
root@192.168.232.129's password: 
Last login: Wed Apr 13 15:34:37 2022 from 192.168.232.128
[root@SYL2 ~]# exit
logout
Connection to 192.168.232.129 closed.
[root@SYL3 ~]# 
6.2 Different usernames: log in with username@IP
[tom@SYL3 ~]$ ssh root@192.168.232.129
root@192.168.232.129's password: 
Last login: Wed Apr 13 16:09:03 2022 from 192.168.232.128
[root@SYL2 ~]# 
-  If you leave out the username, ssh tries the local username on the remote host. Logged in locally as tom, "ssh 192.168.232.129" asks for tom's password on 192.168.232.129, not root's, so the login only works if that account exists there and you know its password
[root@SYL3 ~]# echo 'run123456' | passwd --stdin tom
Changing password for user tom.
passwd: all authentication tokens updated successfully.
[root@SYL3 ~]# su - tom
[tom@SYL3 ~]$ ssh 192.168.232.129
The authenticity of host '192.168.232.129 (192.168.232.129)' can't be established.
ECDSA key fingerprint is SHA256:WlI+c2MQDTEJhLAvW//ahd5T4DlwkGIfuB3+u8cWJZY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.232.129' (ECDSA) to the list of known hosts.
tom@192.168.232.129's password:
6.3 Run a command on the remote host without an interactive login; the connection closes as soon as the command exits. The quotes pass the whole string, including the redirection, to the remote shell; written without quotes, > /tmp/abc would be applied by the local shell instead.
Client:
[tom@SYL3 ~]$ ssh root@192.168.232.129 'echo "123456" > /tmp/abc'
root@192.168.232.129's password: 
[tom@SYL3 ~]$ 
Server:
[root@SYL2 ~]# cat /tmp/abc 
123456
[root@SYL2 ~]# 
7. Encryption and decryption
1. Three kinds
-  Symmetric encryption: the same key encrypts and decrypts
-  Public-key encryption, also called asymmetric encryption: a key pair, the public key (P) and the private key (S). What one key encrypts only the other decrypts. The public key can be regenerated from the private key (ssh-keygen -y -f id_rsa prints it), so the private key file is the one that must stay secret; the public key can be handed out freely
-  Public-key algorithms provide encryption and/or signatures: RSA: both encryption and signatures; DSA: signatures only; ElGamal: a discrete-logarithm scheme with encryption and signature variants
-  One-way (hash) functions: extract a fixed-size fingerprint of the data. There is no decryption, so they are used for integrity checks rather than confidentiality
-  Properties of one-way functions:
   a) Avalanche effect: a tiny change in the input changes the output completely
[root@SYL3 ~]# md5sum anaconda-ks.cfg
006220f587da6285b6b0611ee62211fb  anaconda-ks.cfg
[root@SYL3 ~]# echo '#' >> anaconda-ks.cfg
[root@SYL3 ~]# md5sum anaconda-ks.cfg
ae1344e3f6e53ddd00133be4f013f132  anaconda-ks.cfg
   b) Fixed-length output: whatever the size of the input, the output length is the same. MD5 (Message Digest): 128-bit output. SHA-1 (Secure Hash Algorithm): 160-bit output. Both are broken for collision resistance, so for anything security-relevant use SHA-256 (sha256sum, 256-bit output); ssh itself now prints key fingerprints as SHA256:... for the same reason
   c) Irreversible: the original data cannot be recovered from the fingerprint
7.1 ssh host keys
-  The first time a user connects to a given server, ssh stores that server's public host key in the user's ~/.ssh/known_hosts. On every later connection the client compares the key the server presents with the entry in ~/.ssh/known_hosts and insists that they match. If they do not, the client assumes the connection is being hijacked or the server has been compromised, and aborts.
-  If the server's host key really has changed (a disk failure lost the key, or it was replaced for a legitimate reason), the user has to remove the stale entry from ~/.ssh/known_hosts before logging in again. ssh-keygen -R 192.168.232.129 removes just that host's entries instead of deleting the whole file. Before accepting the new key, confirm its fingerprint through another channel (on the server: ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub); otherwise an attacker in the path could be the one supplying the "new" key.
-  Where the file is created on the client
[tom@SYL3 ~]$ cd .ssh/
[tom@SYL3 .ssh]$ ls
known_hosts
[tom@SYL3 .ssh]$
[tom@SYL3 ~]$ ssh root@192.168.232.129
root@192.168.232.129's password:
Last login: Wed Apr 13 16:18:27 2022 from 192.168.232.128
[root@SYL2 ~]# exit
logout
Connection to 192.168.232.129 closed.
[tom@SYL3 ~]$ cat .ssh/known_hosts
192.168.232.129 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPSiWGhQ+/xyF44ZpZQLIL3+AikA192a77mG/Mq0KZ5ZnXxxLCiPMb62Q7dp10WdlDgyEyRLL9dvl9Rizr2pe9w=
7.2 After the file is deleted, the next login repeats host verification (the key is learned again on trust-on-first-use, so the fingerprint should be checked again) as well as user authentication, and a new known_hosts is created on the client
[tom@SYL3 .ssh]$ rm -f known_hosts
[tom@SYL3 .ssh]$ ssh root@192.168.232.129
The authenticity of host '192.168.232.129 (192.168.232.129)' can't be established.
ECDSA key fingerprint is SHA256:WlI+c2MQDTEJhLAvW//ahd5T4DlwkGIfuB3+u8cWJZY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.232.129' (ECDSA) to the list of known hosts.
root@192.168.232.129's password:
Last login: Wed Apr 13 17:21:44 2022 from 192.168.232.128
[root@SYL2 ~]# exit
logout
Connection to 192.168.232.129 closed.
[tom@SYL3 .ssh]$ ls
known_hosts
[tom@SYL3 .ssh]$
7.3 Location of the file generated on the current (client) host
[tom@SYL3 ~]$ cd .ssh/
[tom@SYL3 .ssh]$ ls
known_hosts
7.4 Where the host keys live on the server: files ending in .pub are public keys, the others are private keys. The private host keys must be readable only by root (600 root:root on most distributions); anyone who can read them can impersonate the server.
[root@SYL2 ~]# cd /etc/ssh/
[root@SYL2 ssh]# ls *key*
ssh_host_ecdsa_key
ssh_host_ecdsa_key.pub
ssh_host_ed25519_key
ssh_host_ed25519_key.pub
ssh_host_rsa_key
ssh_host_rsa_key.pub
[root@SYL2 ssh]# 
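Added example, not part of the original post: the comparison the client makes against ~/.ssh/known_hosts, and the stale-entry clean-up described in 7.1, written in plain POSIX sh + awk so it can be read and run anywhere. It looks a hostname up in a known_hosts file and removes that host's entries, handling the @cert-authority / @revoked marker lines and leaving hashed (|1|...) entries alone rather than guessing. The file path and the sample entries are parameters and constructed data for the demo; on a real system ssh-keygen -F host and ssh-keygen -R host do the same job, hashed entries included.

```shell
# Added example: inspect and edit a known_hosts file without the ssh tools.
# Line format:  [@marker] host1,host2,[host3]:port  keytype  base64-key  [comment]
# Hashed lines (HashKnownHosts yes) start with |1| and can only be matched by
# recomputing the HMAC, so they are left untouched here (ssh-keygen -F/-R handles them).

# _kh_select FILE HOST MODE
#   MODE=match : print the entries for HOST, exit 1 if there are none
#   MODE=drop  : print every line except HOST's entries
_kh_select() {
    awk -v host="$2" -v mode="$3" '
        function hostfield() {
            # "@cert-authority" / "@revoked" markers shift the host list to field 2
            return ($1 ~ /^@/) ? $2 : $1
        }
        function matches(    n, i, names) {
            if ($0 ~ /^[ \t]*#/ || $0 ~ /^[ \t]*$/) return 0   # comment or blank line
            if ($0 ~ /^[|]1[|]/) return 0                      # hashed entry: cannot compare by name
            n = split(hostfield(), names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == host) return 1                 # exact name; "[host]:2222" is a distinct name
            return 0
        }
        {
            m = matches()
            if (m) hits++
            if ((mode == "match" && m) || (mode == "drop" && !m)) print
        }
        END { if (mode == "match" && !hits) exit 1 }
    ' "$1"
}

# known_hosts_find FILE HOST : the entry the client would compare the server key against
known_hosts_find() { _kh_select "$1" "$2" match; }

# known_hosts_remove FILE HOST : drop the stale entry before re-learning a changed key
known_hosts_remove() {
    tmp="$1.tmp.$$"
    _kh_select "$1" "$2" drop > "$tmp" && mv "$tmp" "$1"
}
```

For scripted connections combine this with ssh -o StrictHostKeyChecking=yes, which fails instead of prompting when no matching entry exists, so a host whose key has changed is never silently re-learned.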
8. Configuring password-less (key-based) login
1. ssh-keygen -t rsa
2. ssh-copy-id root@192.168.232.129
3. ssh-copy-id -i /root/.ssh/id_rsa.pub root@192.168.232.129
8.1 Use ssh-keygen to generate a key pair (not a password): it creates a private key and a public key; rsa selects the algorithm (ssh-keygen -t rsa; ssh-keygen -t ed25519 gives a smaller, faster modern key). Entering a passphrase encrypts the private key on disk, which is what protects it if the file is ever copied off the machine; an empty passphrase allows unattended logins but means anyone who can read id_rsa can use it.
-  [mushuang@SYL3 ~]$ ssh-keygen -t rsa    // generate with the rsa algorithm
Generating public/private rsa key pair.
Enter file in which to save the key (/home/mushuang/.ssh/id_rsa):    // default location
Created directory '/home/mushuang/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/mushuang/.ssh/id_rsa.
Your public key has been saved in /home/mushuang/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:svIaGgTu1UN3p/ReXPgUc5lUcaprCT8B3HM9kXu9blc mushuang@SYL3
The key's randomart image is:
+---[RSA 3072]----+
|              .*X|
|         . . .**|
|. . . oo.o.o++|
|.. o . o +..++.+|
| ... o. S...oo .o|
|... .o .o.+ .E|
| .. o . .* . .|
| o + . . o.|
| . ... . .|
+----[SHA256]-----+
[mushuang@SYL3 ~]$
8.2 After the key is generated it is stored in .ssh/ under the home directory of the user who ran ssh-keygen. The private key must be 600, the public key 644, and the .ssh directory must be 700.
- Where the generated keys are
[mushuang@SYL3 ~]$ ls .ssh/
id_rsa  id_rsa.pub
[mushuang@SYL3 ~]$ 
- Permissions: private key (600), public key (644), directory (700)
[mushuang@SYL3 ~]$ ll .ssh/
total 8
-rw-------. 1 mushuang mushuang 2602 Apr 13 17:55 id_rsa       // private key, 600
-rw-r--r--. 1 mushuang mushuang  567 Apr 13 17:55 id_rsa.pub   // public key, 644
[mushuang@SYL3 ~]$
[mushuang@SYL3 ~]$ ll -a .
total 16
drwx------. 2 mushuang mushuang  38 Apr 13 17:55 .ssh         // directory, 700
[mushuang@SYL3 ~]$
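Added example, not from the original post: a checker (and fixer) for the modes listed in 8.2. The motivation is how OpenSSH itself reacts: the ssh client refuses a private key whose mode lets group or others read it ("Permissions 0644 for 'id_rsa' are too open"), and sshd with its default StrictModes yes ignores an authorized_keys file or a .ssh directory that anyone but the owner can write to, so a key that "was copied correctly" silently stops working. The exact modes enforced here are the conventional ones the post quotes; the directory path and the file names it looks for are parameters of the example.

```shell
# Added example: verify (and repair) the modes section 8.2 requires on a ~/.ssh directory.
# Uses `ls -ld` rather than stat so it behaves the same with GNU and BSD tools.

_ssh_mode() { ls -ld "$1" | cut -c1-10; }   # e.g. "drwx------"; a trailing "." or "+" is ignored

# _ssh_expect PATH WANTED_MODE : prints ok/BAD, returns 1 on mismatch; missing files are skipped
_ssh_expect() {
    [ -e "$1" ] || return 0
    got=$(_ssh_mode "$1")
    if [ "$got" = "$2" ]; then
        echo "ok   $1 $got"
    else
        echo "BAD  $1 $got (want $2)"; return 1
    fi
}

# ssh_perm_check DIR : check a ~/.ssh directory, returns 1 if anything is wrong
ssh_perm_check() {
    dir="$1"; bad=0
    _ssh_expect "$dir" "drwx------" || bad=1                 # .ssh itself: 700
    for f in "$dir"/id_rsa "$dir"/id_ecdsa "$dir"/id_ed25519 "$dir"/authorized_keys; do
        _ssh_expect "$f" "-rw-------" || bad=1               # private keys, authorized_keys: 600
    done
    for f in "$dir"/id_rsa.pub "$dir"/id_ecdsa.pub "$dir"/id_ed25519.pub; do
        _ssh_expect "$f" "-rw-r--r--" || bad=1               # public keys: 644
    done
    return $bad
}

# ssh_perm_fix DIR : apply the modes above to the same set of files
ssh_perm_fix() {
    dir="$1"
    chmod 700 "$dir"
    for f in "$dir"/id_rsa "$dir"/id_ecdsa "$dir"/id_ed25519 "$dir"/authorized_keys; do
        [ -e "$f" ] && chmod 600 "$f"
    done
    for f in "$dir"/id_rsa.pub "$dir"/id_ecdsa.pub "$dir"/id_ed25519.pub; do
        [ -e "$f" ] && chmod 644 "$f"
    done
    return 0
}
```

Run ssh_perm_check "$HOME/.ssh" on the client after ssh-keygen and on the server for the target account after installing a key; if it reports BAD lines, ssh_perm_fix "$HOME/.ssh" applies the expected modes.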
8.3 Before key-based authentication can be used, the public key has to be copied to the target system: ssh-copy-id username@IP
8.3.1 Without -i, ssh-copy-id installs the keys currently loaded in ssh-agent if there are any, otherwise a public key from ~/.ssh (here ~/.ssh/id_rsa.pub; its first INFO line shows which file it picked)
-  Copy the client's public key to the server
[mushuang@SYL3 ~]$ ssh-copy-id root@192.168.232.129
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/mushuang/.ssh/id_rsa.pub"
The authenticity of host '192.168.232.129 (192.168.232.129)' can't be established.
ECDSA key fingerprint is SHA256:WlI+c2MQDTEJhLAvW//ahd5T4DlwkGIfuB3+u8cWJZY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.232.129's password:
Number of key(s) added: 1
Now try logging into the machine, with:   "ssh 'root@192.168.232.129'"
and check to make sure that only the key(s) you wanted were added.
[mushuang@SYL3 ~]$
-  Permissions on the server
[mushuang@SYL3 ~]$ ll .ssh/
total 8
-rw-r--r--. 1 mushuang mushuang 567 Apr 13 17:55 id_rsa.pub    // public key, 644
[root@SYL2 ~]# ls .ssh
authorized_keys
[root@SYL2 ~]# ll .ssh
total 4
-rw-------. 1 root root 567 Apr 13 18:19 authorized_keys    // 600
-  What was copied is the client's public key: 644 on the client, while the authorized_keys that ssh-copy-id creates on the server is 600 because the script runs with umask 077 (the mode of an already existing authorized_keys is left as it is)
-  [root@SYL2 .ssh]# cat authorized_keys
ssh-rsa ... mushuang@SYL3
[root@SYL2 .ssh]#
-  [mushuang@SYL3 .ssh]$ ls
id_rsa  id_rsa.pub  known_hosts
[mushuang@SYL3 .ssh]$ cat id_rsa.pub
ssh-rsa ... mushuang@SYL3
[mushuang@SYL3 .ssh]$
-  Login no longer asks for a password
[mushuang@SYL3 ~]$ ssh root@192.168.232.129
Last login: Wed Apr 13 17:28:42 2022 from 192.168.232.128
[root@SYL2 ~]#
8.4 Copying with scp
Common scp options
    -r      // copy directories recursively
    -p      // preserve modification times and modes
    -P      // port (capital P; lowercase -p means preserve)
    -q      // quiet mode, no progress meter
    -i      // identity (private key) file to use
    -C      // compress data in transit
scp has no -a option; "-a, copy everything preserving attributes" belongs to rsync.
- Send a file to the remote host with scp
[root@SYL3 ~]# scp anaconda-ks.cfg root@192.168.232.129:.
anaconda-ks.c 100% 1095   635.1KB/s   00:00    
[root@SYL3 ~]# 
[root@SYL2 ~]# ls
abc  anaconda-ks.cfg
[root@SYL2 ~]# 
- Download a file from the remote host to the local machine with scp
[root@SYL3 ~]# scp root@192.168.232.129:/root/anaconda-ks.cfg /tmp/
anaconda-ks.c 100% 1095   896.7KB/s   00:00    
[root@SYL3 ~]# ls /tmp/
abc
anaconda-ks.cfg
9. Customising the SSH service configuration
Although the OpenSSH server usually needs no changes, it offers further security controls; every aspect of sshd is configured in /etc/ssh/sshd_config. After editing, check the syntax with sshd -t and then restart the service (systemctl restart sshd); keep the current session open until a fresh login has been confirmed to work, so a mistake cannot lock you out of the machine.
-  Whether root may log in remotely: PermitRootLogin {yes|no}
[root@SYL2 ~]# vi /etc/ssh/sshd_config
[root@SYL2 ~]# cat /etc/ssh/sshd_config | grep PermitRootLogin
PermitRootLogin no    // root may not log in
# the setting of "PermitRootLogin without-password".
[root@SYL2 ~]# systemctl restart sshd    // restart the sshd service
[root@SYL2 ~]#
[root@SYL3 ~]# ssh root@192.168.232.129
root@192.168.232.129's password:
Permission denied, please try again.    // login refused
Create an ordinary user on the server and set its password
[root@SYL2 ~]# useradd mushuang
[root@SYL2 ~]# echo 'run123456'|passwd --stdin mushuang
Changing password for user mushuang.
passwd: all authentication tokens updated successfully.
[root@SYL2 ~]#
Back on the client
[root@SYL3 ~]# ssh mushuang@192.168.232.129    // log in as the ordinary user
mushuang@192.168.232.129's password:
Permission denied, please try again.
mushuang@192.168.232.129's password:
Last failed login: Wed Apr 13 20:13:03 CST 2022 from 192.168.232.128 on ssh:notty
There were 10 failed login attempts since the last successful login.
[mushuang@SYL2 ~]$ su -    // switch to root
Password:
Last login: Wed Apr 13 20:08:36 CST 2022 from 192.168.232.128 on pts/1
Last failed login: Wed Apr 13 20:12:21 CST 2022 from 192.168.232.128 on ssh:notty
There was 1 failed login attempt since the last successful login.
[root@SYL2 ~]#    // now root
-  Note that the refused root login looks exactly like a wrong password: sshd deliberately does not tell the client why authentication failed. The "failed login attempts since the last successful login" line that greets mushuang is the server-side record of those attempts; watching that counter (or /var/log/secure) is how you notice password guessing.
-  Allow root only with key-based login: PermitRootLogin prohibit-password (without-password is the older, still accepted spelling; this has been the default since OpenSSH 7.0)
-  Whether password authentication is enabled, on by default: PasswordAuthentication {yes|no}
10. SSH security considerations
- Passwords should be changed regularly and be complex enough
[root@SYL3 ~]# tr -dc A-Za-z0-9_ < /dev/urandom | head -c 30 |xargs    // 30-character random password (xargs only adds the trailing newline)
b7PcVc1k3g_b4TZXjWji2SdkgGszGI
[root@SYL3 ~]# tr -dc A-Za-z0-9_ < /dev/urandom | head -c 30 |xargs
sPNyMTE4s0JIltp7XSWDrjgqwoAVVf
[root@SYL3 ~]# tr -dc A-Za-z0-9_ < /dev/urandom | head -c 20 |xargs    // 20-character random password
xgJsjDHGeu67HSF8Ed3H
[root@SYL3 ~]# tr -dc A-Z0-9_ < /dev/urandom | head -c 10 |xargs    // smaller alphabet and length: far weaker
M36U2HWXLQ
[root@SYL3 ~]#
[root@localhost ~]# openssl rand 20 -base64
Di9ry+dyV40xVvBHirsc3XpBOzg=    // 20 random bytes, base64-encoded: a 28-character string, not a 20-character password
-  Use a non-default port (Port 2222, for example). Open the new port in the firewall and, on SELinux systems, register it (firewall-cmd --permanent --add-port=2222/tcp; semanage port -a -t ssh_port_t -p tcp 2222) rather than switching the firewall off; only once a login on the new port works, remove port 22 from the config and the firewall
-  Restrict the client addresses allowed to log in (AllowUsers user@192.168.232.0/24 in sshd_config, or a firewall rule)
-  Listen only on specific IP addresses: ListenAddress
-  Forbid direct administrator login: PermitRootLogin no
-  Allow only a limited set of users: AllowUsers, AllowGroups (DenyUsers / DenyGroups for the opposite)
-  Use key-based authentication: PubkeyAuthentication yes, and PasswordAuthentication no once keys are in place
-  Forbid empty passwords: PermitEmptyPasswords no
-  Forbid SSH protocol version 1: Protocol 2 (OpenSSH 7.4 removed SSHv1 from the server and 7.6 from the client, so on current versions the directive is obsolete and v1 cannot be enabled at all)
-  Set an idle session timeout: put export TMOUT=120 into /etc/profile, then source /etc/profile (source re-reads the file in the current shell instead of starting a new one). Add readonly TMOUT on the next line, otherwise a user can simply unset it. On the server side, ClientAliveInterval and ClientAliveCountMax make sshd drop connections whose client has stopped responding
-  Use the firewall to set an ssh access policy
-  Limit login attempt rate and concurrent sessions (MaxAuthTries, MaxStartups, MaxSessions in sshd_config; fail2ban for repeated failures from one address)
-  Back up the logs and analyse them regularly, centralised on one server
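Added example, not from the original post: an audit of an sshd_config against the settings sections 9 and 10 recommend, written so that it reads the file the way sshd does. Three rules matter: for each keyword the first value in the file wins and later duplicates are ignored, anything after a Match line is conditional rather than global, and keywords are case-insensitive with "Key value" and "Key=value" both accepted. The defaults assumed for absent keywords are those of sshd_config(5) for OpenSSH 7.x/8.x; the config files in the usage are constructed for the demo. On a live host, cross-check with sshd -T, which prints the effective configuration.

```shell
# Added example: audit an sshd_config the way sshd itself reads it.

# sshd_effective FILE KEYWORD : prints the value sshd would use, or nothing if unset
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^#/) next            # blank or comment
            if (!match(line, /^[^ \t=]+/)) next
            kw  = tolower(substr(line, 1, RLENGTH))
            val = substr(line, RLENGTH + 1)
            sub(/^[ \t]*=?[ \t]*/, "", val)                # "Key value" or "Key=value"
            sub(/[ \t]+$/, "", val)
            if (kw == "match") exit                        # conditional from here on: not global
            if (kw == key) { print val; exit }             # first occurrence wins
        }
    ' "$1"
}

_audit_fails=0
# _audit_want KEYWORD DEFAULT ACCEPTABLE... : PASS if the effective value is one of ACCEPTABLE
_audit_want() {
    kw="$1"; def="$2"; shift 2
    got=$(sshd_effective "$_audit_cfg" "$kw"); val="${got:-$def}"
    lc=$(printf '%s' "$val" | tr 'A-Z' 'a-z')
    for ok in "$@"; do
        [ "$lc" = "$ok" ] && { echo "PASS $kw $val"; return 0; }
    done
    echo "FAIL $kw $val (want one of: $*)"
    _audit_fails=$((_audit_fails + 1))
    return 0
}
# _audit_warn KEYWORD DEFAULT BAD MESSAGE : WARN (not a failure) if the value equals BAD
_audit_warn() {
    got=$(sshd_effective "$_audit_cfg" "$1"); val="${got:-$2}"
    if [ "$val" = "$3" ]; then echo "WARN $1 $val: $4"; else echo "PASS $1 $val"; fi
}

# sshd_audit FILE : one line per check, returns 1 if any check FAILs
sshd_audit() {
    _audit_cfg="$1"; _audit_fails=0
    # defaults: sshd_config(5), OpenSSH 7.x/8.x
    _audit_want PermitRootLogin        prohibit-password  no prohibit-password without-password
    _audit_want PasswordAuthentication yes                no
    _audit_want PermitEmptyPasswords   no                 no
    _audit_want PubkeyAuthentication   yes                yes
    case "$(sshd_effective "$_audit_cfg" Protocol)" in
        *1*) echo "FAIL Protocol: SSHv1 enabled"; _audit_fails=$((_audit_fails + 1)) ;;
        *)   echo "PASS Protocol (v2 only)" ;;
    esac
    _audit_warn Port                22       22      "default port; change it and open the new one in the firewall/SELinux first"
    _audit_warn ListenAddress       0.0.0.0  0.0.0.0 "listening on every address"
    _audit_warn ClientAliveInterval 0        0       "no server-side idle timeout"
    if [ -z "$(sshd_effective "$_audit_cfg" AllowUsers)$(sshd_effective "$_audit_cfg" AllowGroups)" ]; then
        echo "WARN AllowUsers/AllowGroups unset: every account with a shell may log in"
    else
        echo "PASS AllowUsers/AllowGroups set"
    fi
    [ "$_audit_fails" -eq 0 ]
}
```

Typical use is sshd_audit /etc/ssh/sshd_config before the restart in section 9; a FAIL means the file still contains (or defaults to) one of the settings the list above says to turn off, and a WARN marks the softer recommendations. The first-value-wins rule is the usual cause of a "but I set it to no" surprise: a PermitRootLogin yes left higher in the file, or in a file pulled in by Include, silently overrides the later edit.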
II. Exercises
1. Describe the key authentication process
- 1. The client opens the connection; the key exchange produces the session keys and a session identifier. The client then sends a "publickey" userauth request naming the user and the public key it wants to use
- 2. The server looks that public key up in the target account's ~/.ssh/authorized_keys; a key that is not listed is refused
- 3. The client proves that it holds the matching private key by signing a message that includes the session identifier and the request fields; the server verifies the signature with the public key from authorized_keys
- 4. If the signature verifies, the user is logged in. The private key never leaves the client, and because the signature covers the session identifier it cannot be replayed against another session
2. Manually configure key authentication login
1. Generate a key pair on the client
   ssh-keygen -t rsa
2. Copy the public key to the server; add -i to name a specific key file
   ssh-copy-id root@192.168.232.129
   ssh-copy-id -i /root/.ssh/id_rsa.pub root@192.168.232.129
2.1 Manual configuration walk-through
- Generate the key pair on the client
[root@SYL3 ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:tXrhhC46klUNJ98fUeARpAUSBI2l6rMyGxDjBiCkuP4 root@SYL3
The key's randomart image is:
+---[RSA 3072]----+
|+.    .*=..o*+.  |
|=     +.o. +..   |
|*     .* .o ..   |
|o+   .. oo...    |
|oo  ..  S +. .   |
|o. ..  . + ..    |
| ..oo . o o      |
|  *..+ . .       |
|  .Eo.           |
+----[SHA256]-----+
- Copy the generated public key to the server
[root@SYL3 ~]# ssh-copy-id root@192.168.232.129
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.232.129 (192.168.232.129)' can't be established.
ECDSA key fingerprint is SHA256:WlI+c2MQDTEJhLAvW//ahd5T4DlwkGIfuB3+u8cWJZY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.232.129's password: 
Number of key(s) added: 1
Now try logging into the machine, with:   "ssh 'root@192.168.232.129'"
and check to make sure that only the key(s) you wanted were added.
- Check the copied key on the server
[root@SYL2 ~]# cd .ssh/
[root@SYL2 .ssh]# ls
authorized_keys  id_rsa.pub
[root@SYL2 .ssh]# cat authorized_keys 
ssh-rsa ... root@SYL3
[root@SYL2 .ssh]# 
- Password-less login from the client succeeds
[root@SYL3 ~]# ssh 192.168.232.129
Last login: Thu Apr 14 16:42:09 2022 from 192.168.232.128
[root@SYL2 ~]# 
3. Password-less login with the key copied by scp
- 1. Generate the key pair on the client (128): ssh-keygen -t rsa
- 2. On the client (128), send the public key to the server (129) with scp (if /root/.ssh does not exist on the server yet, do step 3 first, or scp fails with "No such file or directory")
 scp /home/mushuang/.ssh/id_rsa.pub root@192.168.232.129:/root/.ssh/
- 3. On the server, make sure the directory the key is sent to exists with mode 700, and create the authorized_keys file
 mkdir -p /root/.ssh && chmod 700 /root/.ssh
 touch /root/.ssh/authorized_keys
- 4. Set the file mode to 600
 chmod 600 /root/.ssh/authorized_keys
- 5. Append the public key sent from the client to the file (>> appends; a single > would wipe every key already authorised)
 cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys
- 6. Go back to the client and log in
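Added example, not from the original post: steps 3 to 5 above (and what ssh-copy-id did for us in 8.3) as one idempotent function to run on the server once the .pub file has arrived. Beyond the bare mkdir/touch/chmod/cat sequence it creates the directory and file with the right modes from the start (umask 077, so there is no moment at which they are world-readable), appends the key only if that exact key blob is not already present so that running it twice does not duplicate the line, and refuses anything that is not a "type base64 [comment]" line, so a private key or an arbitrary file is never appended by mistake. The home directory and key file are parameters; the key in the usage is constructed, not a real key. Lines with an options prefix (from="...",command="..." ssh-rsa ...) are not handled.

```shell
# Added example: manual equivalent of ssh-copy-id for one key, run on the server.
#   install_authorized_key HOME_DIR PUBKEY_FILE
install_authorized_key() {
    home="$1"; pub="$2"
    [ -f "$pub" ] || { echo "no such file: $pub" >&2; return 2; }
    line=$(head -n 1 "$pub")
    set -f; set -- $line; set +f          # split into fields without globbing: $1 type, $2 blob, rest comment
    [ "$#" -ge 2 ] || { echo "not a public key line: $pub" >&2; return 2; }
    case "$1" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|sk-*) ;;
        *) echo "unsupported key type '$1' in $pub (private key or garbage?)" >&2; return 2 ;;
    esac
    blob="$2"
    ak="$home/.ssh/authorized_keys"
    # umask 077 makes a new directory 700 and a new file 600 at creation time
    ( umask 077 && mkdir -p "$home/.ssh" && : >> "$ak" ) || return 1
    chmod 700 "$home/.ssh" && chmod 600 "$ak"     # also tightens a pre-existing dir/file
    if grep -qF -- "$blob" "$ak"; then
        echo "already authorized: $1 $(printf '%s' "$blob" | cut -c1-16)..."
        return 0
    fi
    printf '%s\n' "$line" >> "$ak"                # append, never overwrite other keys
    echo "added: $1 $(printf '%s' "$blob" | cut -c1-16)..."
}
```

For the walk-through in 3.1 the call would be install_authorized_key /root /root/.ssh/id_rsa.pub on SYL2; afterwards cat /root/.ssh/authorized_keys shows exactly one mushuang@SYL3 line however many times it was run.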
3.1 scp configuration walk-through
- First generate the key pair on the client (128)
[mushuang@SYL3 ~]$ ssh-keygen -t rsa    // generate an rsa key pair
Generating public/private rsa key pair.
Enter file in which to save the key (/home/mushuang/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/mushuang/.ssh/id_rsa.
Your public key has been saved in /home/mushuang/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:66TgqDm8T2sUeY56Q86THiMgKxAZu5NvwcEANdN7dY4 mushuang@SYL3
The key's randomart image is:
+---[RSA 3072]----+
|=.+.             |
| * o.   . .      |
|+ o .. . +       |
| = +... E .      |
|B o =.  S        |
|++ = .   .       |
|+.O+o   o        |
|o=o@+. +         |
|o+B++ . .        |
+----[SHA256]-----+
- On the client (128), send the generated public key to the server (129) with scp
[mushuang@SYL3 ~]$ scp /home/mushuang/.ssh/id_rsa.pub root@192.168.232.129:/root/.ssh/
The authenticity of host '192.168.232.129 (192.168.232.129)' can't be established.
ECDSA key fingerprint is SHA256:WlI+c2MQDTEJhLAvW//ahd5T4DlwkGIfuB3+u8cWJZY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.232.129' (ECDSA) to the list of known hosts.
root@192.168.232.129's password: 
id_rsa.pub                           100%  567   236.6KB/s   00:00    
- On the server, create the directory the public key is sent to and the authorized_keys file, then set the file to 600 and the directory to 700
[root@SYL2 ~]# mkdir -p /root/.ssh    // -p: no error if it already exists (the listing below shows it does); mkdir /.ssh would create /.ssh at the filesystem root instead
[root@SYL2 ~]# touch /root/.ssh/authorized_keys
[root@SYL2 ~]# ll -a
total 40
dr-xr-x---.  4 root root  171 Apr 14 15:39 .
drwx------.  2 root root   47 Apr 14 16:17 .ssh    // mode 700
-rw-r--r--.  1 root root  129 May 11  2019 .tcshrc
-rw-------.  1 root root  532 Apr  7 14:49 .viminfo
[root@SYL2 ~]# ll /root/.ssh/
total 4
-rw-r--r--. 1 root root   0 Apr 14 16:17 authorized_keys
-rw-r--r--. 1 root root 567 Apr 14 16:16 id_rsa.pub
[root@SYL2 ~]# chmod 600 /root/.ssh/authorized_keys    // set mode 600
[root@SYL2 ~]# ll /root/.ssh/
total 4
-rw-------. 1 root root   0 Apr 14 16:17 authorized_keys    // 600
-rw-r--r--. 1 root root 567 Apr 14 16:16 id_rsa.pub         // the public key as sent, 644
- Append the public key sent from the client to the file created on the server
[root@SYL2 ~]# cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys    // append (>>) to the file created on the server
[root@SYL2 ~]# ll /root/.ssh/
total 8
-rw-------. 1 root root 567 Apr 14 16:19 authorized_keys
-rw-r--r--. 1 root root 567 Apr 14 16:16 id_rsa.pub
[root@SYL2 ~]# cat /root/.ssh/authorized_keys    // view the installed public key
ssh-rsa ... mushuang@SYL3
[root@SYL2 ~]# 
- Back on the client (128), password-less login succeeds
[mushuang@SYL3 ~]$ ssh root@192.168.232.129
Last login: Thu Apr 14 16:00:52 2022 from 192.168.232.128
[root@SYL2 ~]# exit
logout
Connection to 192.168.232.129 closed.
[mushuang@SYL3 ~]$ 