Reposted from: http://7056824.blog.51cto.com/69854/403669
As a Linux administrator, logging in to many Linux servers for remote work is part of the daily routine. As the number of servers grows, being prompted for a user name and password at every login becomes a real nuisance. Some people will point to client tools such as SecureCRT, which are certainly convenient to use, but they are either expensive commercial software or tied to a specific platform. So today I want to cover the convenience that SSH itself gives you, without any client-side tool: automatic login with an SSH public key.
Test environment:
Operating system: Red Hat Enterprise Linux AS release 4 (Nahant Update 8)
Software versions: OpenSSH_3.9p1, OpenSSL 0.9.7a
Management server: IP 192.168.0.1, host name: server
Managed server: IP 192.168.0.2, host name: client
Step One: Generate the SSH key pair
First of all, if OpenSSH is not installed, install it first; this hardly needs saying, since current Linux servers install OpenSSH by default.
Generate the key pair on the management server:
```
[root@server ~]# ssh-keygen -b 1024 -t rsa
Generating public/private rsa key pair.                    # the RSA key pair is being generated
Enter file in which to save the key (/root/.ssh/id_rsa):   # where to store the keys; press Enter for the default
Enter passphrase (empty for no passphrase):                # passphrase for the private key; enter one
Enter same passphrase again:                               # confirm the passphrase
Your identification has been saved in /root/.ssh/id_rsa.   # private and public key are now in /root/.ssh/
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
x6:68:xx:93:98:8x:87:95:7x:2x:4x:x9:81:xx:56:94 root@server   # the key's fingerprint
```
A brief explanation:
-b 1024 generates a 1024-bit key pair; the maximum is 4096 bits. 1024 or 2048 bits is generally enough to meet security needs; the longer the key, the longer encryption and decryption take.
-t rsa generates an RSA key pair; besides RSA there is also the DSA type. RSA keys cannot be shorter than 768 bits.
See man ssh-keygen if you need other parameters.
While generating the key pair you are asked: Enter passphrase (empty for no passphrase). The passphrase is a phrase or a word you type as a password; the system runs it through an encryption or hashing algorithm to produce the virtual password used in the next step of authentication. The benefit is extra security: the key is not easy to crack. Many articles I have read leave this prompt empty, which means no passphrase is used. I strongly urge you to enter one. Some will say that if the key has a passphrase, logging in is no more convenient than logging in with a user name and password. Please don't hurry, and read on.
Note: if you generate a key pair without a passphrase and your private key is then lost, your problem may be worse than losing your user name and password.
Step Two: Copy the public key to the managed server
On the management server, copy the public key to the home directory of the user you want to log in as automatically on the managed server.
```
[root@server ~]# scp .ssh/id_rsa.pub remote_usrname@192.168.0.2:   # e.g. to log in as user peter, replace remote_usrname with peter
```
Rename the key and set permissions
Log in to the managed server, go to the home directory of the user that will be logged in to remotely, and put the public key in that user's .ssh directory (if the directory does not exist, create ~/.ssh and set its permissions to 700). Rename the public key to authorized_keys2 and set its permissions to 600. (On current OpenSSH the usual name is authorized_keys; sshd still reads authorized_keys2 as well by default.)
```
[peter@client ~]$ ls
id_rsa.pub
[peter@client ~]$ mkdir ~/.ssh          # if the home directory has no .ssh directory, create it first
[peter@client ~]$ chmod 700 ~/.ssh
[peter@client ~]$ mv id_rsa.pub ~/.ssh
[peter@client ~]$ cd ~/.ssh
[peter@client .ssh]$ cat id_rsa.pub >> authorized_keys2
[peter@client .ssh]$ rm -f id_rsa.pub
[peter@client .ssh]$ chmod 600 authorized_keys2
[peter@client .ssh]$ ls -l
total 4
-rw------- 1 peter peter 225 Oct 10 11:28 authorized_keys2
```
Test a remote login with the key pair
```
[root@server ~]# ssh peter@192.168.0.2
Enter passphrase for key '/root/.ssh/id_rsa':    # enter the passphrase you just set
Last login: Sun Oct 10 11:32:14 from 192.168.0.1
[peter@client ~]$
```
If you can't log in, check the permissions of authorized_keys2 again, and also those of the .ssh directory and of the home directory itself: with StrictModes (the default), sshd ignores the key file if it, .ssh, or the home directory is writable by group or others, or is not owned by the user.
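As an added example (not from the original post), here is a small shell check for exactly the permission problems described above, to be run on the managed server as the user who will be logged in to; it assumes GNU coreutils stat (as on the RHEL box used here) and POSIX sh.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the modes and ownership
# that sshd's StrictModes check looks at before it trusts authorized_keys2.
# Assumes GNU coreutils `stat` and POSIX sh.

# Succeed when octal mode $1 (as printed by `stat -c %a`) has none of the
# bits in octal mask $2 set; e.g. mode_clear 755 022 succeeds, 775 022 fails.
mode_clear() {
    [ $(( 0$1 & 0$2 )) -eq 0 ]
}

# Print one line per problem found for the account whose home is $1 and
# whose key file is $2 (default authorized_keys2); return 1 if any.
check_ssh_perms() {
    home=$1; keyfile=${2:-authorized_keys2}; bad=0
    dir=$home/.ssh; keys=$dir/$keyfile
    [ -d "$home" ] || { echo "$home: no such directory"; return 1; }
    # sshd only insists that nothing here is group- or world-writable ...
    mode_clear "$(stat -c %a "$home")" 022 ||
        { echo "$home: group/world writable"; bad=1; }
    [ -d "$dir" ] || { echo "$dir: missing (mkdir ~/.ssh; chmod 700 ~/.ssh)"; return 1; }
    # ... but the post's 700 for .ssh and 600 for the key file are the safe
    # settings, so enforce those: no group/other access at all.
    mode_clear "$(stat -c %a "$dir")" 077 ||
        { echo "$dir: should be 700"; bad=1; }
    [ -f "$keys" ] || { echo "$keys: missing"; return 1; }
    mode_clear "$(stat -c %a "$keys")" 077 ||
        { echo "$keys: should be 600"; bad=1; }
    # sshd also refuses paths not owned by the login user (root is tolerated).
    uid=$(id -u)
    for p in "$home" "$dir" "$keys"; do
        owner=$(stat -c %u "$p")
        [ "$owner" = "$uid" ] || [ "$owner" = 0 ] ||
            { echo "$p: owned by uid $owner, not $uid"; bad=1; }
    done
    return $bad
}

# Usage on the managed server, as the user who will be logged in to:
#   check_ssh_perms "$HOME" && echo "permissions OK"
```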
Use ssh-agent (the SSH agent) to supply the passphrase automatically
Keep your passphrase in mind. You can now log in to your servers with a key instead of a password, but that hasn't saved any typing yet: you still have to enter the key's passphrase. Is there a more convenient way? The answer is the SSH agent (ssh-agent), a program that remembers the passphrase for you. ssh-agent is included with OpenSSH by default.
Log in to the management server:
```
[root@server ~]# ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-vegjcm2147/agent.2147; export SSH_AUTH_SOCK;
SSH_AGENT_PID=2148; export SSH_AGENT_PID;
echo Agent pid 2148;
```
When ssh-agent starts, it prints the environment variables that ssh will use to find it. There are two ways to set them: declare the environment variables by hand, or run ssh-agent through eval so that they are declared automatically.
Method one: declare the environment variables manually
```
[root@server ~]# SSH_AUTH_SOCK=/tmp/ssh-vegjcm2147/agent.2147; export SSH_AUTH_SOCK;
[root@server ~]# SSH_AGENT_PID=2148; export SSH_AGENT_PID;
[root@server ~]# printenv | grep SSH     # check that the agent variables are now in the current session's environment
SSH_AGENT_PID=2148
SSH_AUTH_SOCK=/tmp/ssh-vegjcm2147/agent.2147
```
Method two: run ssh-agent through eval to declare the variables automatically
```
[root@server ~]# eval `ssh-agent`
Agent pid 2148
[root@server ~]# printenv | grep SSH     # check that the agent variables are now in the current session's environment
SSH_AGENT_PID=2148
SSH_AUTH_SOCK=/tmp/ssh-vegjcm2147/agent.2147
```
ssh-agent is now running, but it is empty: it holds no private key to decrypt with. We need to tell it where the private key is, using the ssh-add command to add the key to the agent's cache.
```
[root@server ~]# ssh-add ~/.ssh/id_rsa
Enter passphrase for /root/.ssh/id_rsa:     # enter your passphrase
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
[root@server ~]# ssh-add -l                 # list what the agent has cached
1024 72:78:5e:6b:16:fd:f2:8c:81:b1:18:e6:9f:77:6e:be /root/.ssh/id_rsa (RSA)
```
After entering the passphrase once, you can now log in to your remote servers without typing it again, while the private key itself stays passphrase-protected. Try it, it's pretty cool!
```
[root@server ~]# ssh peter@192.168.0.2
Last login: Sun Oct 10 11:32:45 from 192.168.0.1
[peter@client ~]$
```
When you have finished working on the remote servers, remember to kill ssh-agent; otherwise someone else who gets onto this machine after you can use it to log in to those servers. ssh-agent -k kills the agent and prints the matching unset commands; run it as eval `ssh-agent -k` if you also want those variables removed from your current shell.
```
[root@server ~]# ssh-agent -k
unset SSH_AUTH_SOCK;
unset SSH_AGENT_PID;
echo Agent pid 2148 killed;
[root@server ~]# ssh-add -l                 # check: nothing is left in the cache
The agent has no identities.
```
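As an added example (not from the original post), the whole agent procedure above as one script: start an agent, load the key with a limited lifetime, run the remote command, and kill the agent on exit no matter how the script ends, so the cleanup step is never forgotten. It assumes OpenSSH's ssh-agent and ssh-add are on PATH; the user, host and key path at the bottom are placeholders to adapt.

```shell
#!/bin/sh
# Added example, not part of the original post: run a remote command inside a
# throwaway ssh-agent that is killed when the script ends, however it ends,
# and whose cached key expires on its own. Assumes OpenSSH ssh-agent/ssh-add.

# Reduce the "VAR=value; export VAR;" lines ssh-agent prints to plain
# VAR=value lines, ready for eval (Method one, done by the script).
agent_env_from_output() {
    printf '%s\n' "$1" |
        awk -F'[=;]' '/^SSH_(AUTH_SOCK|AGENT_PID)=/ { print $1 "=" $2 }'
}

# Succeed when the `ssh-add -l` output in $1 shows an empty agent.
agent_is_empty() {
    case "$1" in
        *"The agent has no identities."*) return 0 ;;
        *) return 1 ;;
    esac
}

# Start an agent, load key $1 for at most $2 seconds, run the remaining
# arguments as a command, then drop the key and kill the agent again.
with_agent() {
    key=$1; lifetime=$2; shift 2
    eval "$(agent_env_from_output "$(ssh-agent -s)")"
    export SSH_AUTH_SOCK SSH_AGENT_PID
    # The trap is the step people forget; it fires on normal exit, error and
    # Ctrl-C, and `ssh-agent -k` needs SSH_AGENT_PID, which is still set here.
    trap 'ssh-agent -k >/dev/null 2>&1' EXIT INT TERM
    ssh-add -t "$lifetime" "$key" || return 1   # one passphrase prompt, then cached
    "$@"; status=$?
    ssh-add -D >/dev/null 2>&1                  # forget the key now; the trap kills the agent at exit
    agent_is_empty "$(ssh-add -l 2>&1)" || echo "warning: agent still holds keys" >&2
    return $status
}

# Only runs when invoked as `sh agent-session.sh --run` (placeholder user/host/key):
if [ "${1:-}" = "--run" ]; then
    with_agent "$HOME/.ssh/id_rsa" 600 ssh peter@192.168.0.2 uptime
fi
```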
Cool, isn't it? If you manage a large number of servers (tens of them or more), uploading the public key to each one the first time may be tedious work, but from then on every maintenance login is automatic, and that convenience pays for itself.