SSH Password-free login

Source: Internet
Author: User

A simple way to understand the login process: the ssh-keygen -t rsa command generates a private key and a public key, and the private key can be given its own passphrase. Think of the private key as a key and the public key as the lock that matches it. You put the lock (public key) on the server you want to control. Once the server is locked, only the person who owns the key (private key) can open the lock, enter the server and control it. The person who owns the key must also know the key's own passphrase in order to use it (unless no passphrase was set), which protects against the key being duplicated (the private key being copied).

Of course, this analogy is only meant to make things easy to understand. A person who has the root password is not locked out, and a server does not necessarily have a lock (public key) on it at all; but if any lock is installed and the corresponding key (private key) opens it, the server can be controlled by that person. So, as long as you know the server's root password and put a public key for root on it, you can use the private key corresponding to that public key to "open" the server and log in as root, even if the root password has since been changed!

SSH supports two authentication modes, publickey and password. publickey is not turned on by default and needs to be configured to yes.

If ~/.ssh/id_rsa does not exist on the local host, password authentication is used; otherwise publickey authentication is used, and password authentication is still used if publickey authentication fails. Enable publickey authentication in /etc/ssh/sshd_config:

    RSAAuthentication yes        # applies to SSH protocol version 1 only
    PubkeyAuthentication yes
    AuthorizedKeysFile .ssh/authorized_keys

Turn off SELinux

    1. vi /etc/selinux/config
    2. SELINUX=disabled    # takes effect after a reboot
    3. setenforce 0        # takes effect immediately
Method one

A is the local host (that is, the machine used to control other hosts); B is the remote host (that is, the controlled server), with IP 172.24.253.2 in this example. Both A and B run Linux.

Commands on A:

    # ssh-keygen -t rsa

(Press Enter three times in a row; the public and private keys are generated locally and no passphrase is set.)

    # ssh [email protected] "mkdir .ssh; chmod 0700 .ssh"

(Requires the password. Note: the permissions of .ssh must be set to 700.)

    # scp ~/.ssh/id_rsa.pub [email protected]:.ssh/id_rsa.pub

(Password required.)

Commands on B:

    # touch /root/.ssh/authorized_keys

(If this file already exists, skip this step.)

    # chmod 600 ~/.ssh/authorized_keys

(Note: the permissions of ~/.ssh/authorized_keys must be 600. This file stores the public keys generated by SSH clients; you can modify the server-side SSH configuration file /etc/ssh/sshd_config to specify a different file name.)

    # cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys

(Appends the contents of id_rsa.pub to authorized_keys. Be careful not to use >, otherwise it will empty the original contents and leave other people unable to log in with their existing keys.)

Back on A:

    # ssh [email protected]

(No password required; login succeeds.)

If you specified a different file name when generating the key pair (or you need to control N machines and have generated several key pairs), you need to specify the private key file with the -i parameter:

    # ssh [email protected] -i /path/to/your_id_rsa

The same is true for scp, for example:

    scp -i /root/.ssh/id_rsa ./xxx 192.168.102.158:/home/wwy/bak

By default the ssh command uses ~/.ssh/id_rsa as the private key file for login. If you need to connect to more than one server and do not want to specify a private key file each time you use the ssh command, you can add the following configuration to the client's global configuration file /etc/ssh/ssh_config (or to the local configuration file ~/.ssh/config; create it if it does not exist):

    IdentityFile /path/to/your_id_rsa

You can also specify a Host configuration for each server:

    Host 172.24.253.2
        IdentityFile /path/to/your_id_rsa

If the following error occurs when connecting:

    Agent admitted failure to sign using the key

use the ssh-add command to add the private key (change id_rsa to match the name of your own key file):

    ssh-add ~/.ssh/id_rsa

If you can protect your private key, this method is somewhat safer than entering the password in the shell.

Method two

Install sshpass:

    # sudo apt-get install sshpass

After the installation is complete, sshpass lets you specify the clear-text password with the -p parameter and then log in directly to the remote server. For example:

    # sshpass -p 'your password' ssh username@server_ip_address

After specifying the password with -p, you still need to follow it with the standard ssh connection command.

sshd configuration file: /etc/ssh/sshd_config

-------------------------------

Sending commands to the remote host over SSH without password authentication

Send a command:

    ssh [email protected]_server_ip your_command
    ssh [email protected]_server_ip "your_command1; your_command2; your_command3"
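
The steps run on B in method one (create .ssh with mode 700, keep authorized_keys at mode 600, append with >> rather than >) can be wrapped so they are safe to repeat and easy to check. This is an added example, not part of the original article: install_pubkey and audit_ssh_perms are hypothetical helper names, the key string is constructed, and a Linux stat that accepts -c %a is assumed.

```shell
#!/bin/sh
# Added example: repeatable version of the "commands on B" steps.
# install_pubkey / audit_ssh_perms are hypothetical helper names.
# Assumes Linux with GNU or BusyBox stat (stat -c %a).

# install_pubkey PUBKEY_FILE HOME_DIR
install_pubkey() {
    pub=$1; dir=$2/.ssh; auth=$dir/authorized_keys
    # Accept exactly one public-key line; this also catches a private
    # key file passed by mistake.
    [ "$(grep -c '' "$pub")" -eq 1 ] &&
        grep -Eq '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$' "$pub" ||
        { echo "refusing $pub: not a single public key line" >&2; return 2; }
    key=$(cat "$pub")
    # umask 077 so nothing is ever created group/world accessible.
    ( umask 077; mkdir -p "$dir" && touch "$auth" ) || return 1
    chmod 700 "$dir" && chmod 600 "$auth" || return 1
    # If the file lacks a final newline, add one so keys never run together.
    [ -z "$(tail -c 1 "$auth")" ] || echo >> "$auth"
    # Append (>>, never >) and only when this exact line is not present.
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
}

# audit_ssh_perms HOME_DIR: 0 only if .ssh is 700 and authorized_keys is 600.
audit_ssh_perms() {
    dir=$1/.ssh; rc=0
    [ "$(stat -c %a "$dir" 2>/dev/null)" = 700 ] ||
        { echo "bad mode on $dir" >&2; rc=1; }
    [ "$(stat -c %a "$dir/authorized_keys" 2>/dev/null)" = 600 ] ||
        { echo "bad mode on $dir/authorized_keys" >&2; rc=1; }
    return $rc
}

# Demo in a scratch directory with a constructed, non-functional key.
demo=$(mktemp -d)
printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructedKEY root@A' > "$demo/id_rsa.pub"
install_pubkey "$demo/id_rsa.pub" "$demo"
install_pubkey "$demo/id_rsa.pub" "$demo"    # second run appends nothing
audit_ssh_perms "$demo" && echo "entries: $(grep -c '' "$demo/.ssh/authorized_keys")"
rm -rf "$demo"
```

On a real host the second argument would be the account's home directory, for example /root as in the steps above.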
