Use the SSH Public Key for password-free Login
SSH password-less logon requires a public key and a private key. On Linux, ssh-keygen can be used to generate public/private key pairs. The following uses CentOS as an example.
There are two machines, A (10.207.160.34) and B (10.221.32.234). Now I want A to log on to B via SSH without a password.
First, use the root account as an example.
1. Generate a public/private key pair on machine A.
ssh-keygen -t rsa -P ''
-P specifies the passphrase. -P '' means that the passphrase is empty. You can also omit the -P parameter; in that case you have to press Enter three times, whereas with -P you press Enter only once.
The command generates a pair of keys, id_rsa and id_rsa.pub, in the ~/.ssh directory.
An RSA key is generally used with SSH:
id_rsa Private Key
id_rsa.pub Public Key
The following commands generate different types of keys:
ssh-keygen -t dsa
ssh-keygen -t rsa
ssh-keygen -t rsa1
Execution result:
[[email protected]_32_234_centos ~]$ ssh-keygen -t rsa -P ''
Generating public/private rsa key pair.
Enter file in which to save the key (/home/hadoop/.ssh/id_rsa):
Created directory '/home/hadoop/.ssh'.
Your identification has been saved in /home/hadoop/.ssh/id_rsa.
Your public key has been saved in /home/hadoop/.ssh/id_rsa.pub.
The key fingerprint is:
c6:ae:f2:7b:d1:54:eb:30:c3:ee:a1:ea:89:14:da:97 [email protected]_32_234_centos
The key's randomart image is:
+--[ RSA 2048]----+
| |
| . |
| . . . |
| . * . |
| . S+ = |
| o . +. + . |
| . o E .+ . |
| ..o oo . |
| .+B+ |
+-----------------+
2. Copy ~/.ssh/id_rsa.pub from machine A into the ~/.ssh/authorized_keys file on machine B. The ~/.ssh directory must first be created on machine B. Use scp to copy the file.
scp ~/.ssh/id_rsa.pub [email protected]:~/.ssh/authorized_keys
Execution result:
[email protected]_160_34_centos:~> scp ~/.ssh/id_rsa.pub [email protected]:~/.ssh/authorized_keys
The authenticity of host 'node1 (10.221.32.234)' can't be established.
RSA key fingerprint is 4a:bc:1e:ca:18:87:39:af:e4:dd:c4:ce:c1:7b:c7:66.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'node1,10.221.32.234' (RSA) to the list of known hosts.
[email protected]'s password:
id_rsa.pub 100% 405 0.4KB/s 00:00
Because password-free logon is not set up yet, you need to enter the password of the user on machine B once.
[email protected]_160_34_centos:~> ssh node1
[email protected]'s password:
Last login: Tue Aug 19 21:29:46 2014 from master
3. The authorized_keys file must have permission 600!!!
chmod 600 ~/.ssh/authorized_keys
4. Machine A logs on to machine B.
[[email protected]_32_234_centos ~]$ ssh node1
Last login: Tue Aug 19 22:05:43 2014 from master
ssh-keygen usage
Assume that machine A is the client machine and machine B is the target machine.
Goals:
Machine A does not need to enter a password to log on to machine B through SSH;
Either RSA or DSA can be selected as the encryption method. The default value is DSA.
Steps:
1. Log on to machine A.
2. Run ssh-keygen -t [rsa|dsa]. This generates the private key file and the public key file: id_rsa and id_rsa.pub, or id_dsa and id_dsa.pub.
3. Copy the .pub file to the .ssh directory of machine B and run cat id_dsa.pub >> ~/.ssh/authorized_keys
4. As a result, the user no longer needs a password to log on to the target account of machine B from machine A.
Once key authentication is set up with ssh-keygen, ssh and scp to the target machine do not need a password.
The specific method is as follows:
ssh-keygen -t rsa
Then press Enter to use the default values.
In this way, a key pair is generated and stored in the user directory ~/.ssh.
Copy the public key to the user directory of the target machine and add it to ~/.ssh/authorized_keys.
Make sure that both .ssh and authorized_keys are writable only by the user. Otherwise, the key authentication does not work. (This is the problem we encountered today. I was looking for it for a long time.) In fact, thinking about it carefully, this is to avoid system vulnerabilities.
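The copy and permission steps above, combined into one script as an added example (not code from the original article): unlike the scp in step 2, which overwrites authorized_keys, it appends the key only if it is missing, then checks that neither .ssh nor authorized_keys is writable by group or others. The function names install_pubkey and check_perms and the sample key line are made up for this illustration; it is meant to run on machine B after id_rsa.pub has been copied there.

```shell
#!/bin/sh
# install_pubkey PUBKEY_FILE HOME_DIR   (hypothetical helper name)
# Appends the key to HOME_DIR/.ssh/authorized_keys unless that exact line
# is already present, and sets the modes from step 3 (700 dir, 600 file).
install_pubkey() {
    pub=$1 dir=$2/.ssh auth=$2/.ssh/authorized_keys
    [ -s "$pub" ] || { echo "no public key at $pub" >&2; return 1; }
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    # -x: whole line, -F: fixed string. Append only when the key is absent,
    # so keys that other users or hosts installed earlier are preserved.
    grep -qxF -- "$(cat "$pub")" "$auth" || cat "$pub" >> "$auth"
}

# check_perms HOME_DIR   (hypothetical helper name)
# Returns 0 when .ssh and authorized_keys exist and are not writable by
# group or others; otherwise prints each offending path and returns 1.
check_perms() {
    bad=0
    for p in "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || { echo "missing: $p"; bad=1; continue; }
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "group/other-writable: $p"; bad=1
        fi
    done
    return $bad
}

# Demo in a scratch directory with a constructed (not real) key line.
demo=$(mktemp -d)
echo 'ssh-rsa AAAA-constructed-example-key hadoop@example' > "$demo/id_rsa.pub"
install_pubkey "$demo/id_rsa.pub" "$demo/home" && check_perms "$demo/home" && echo "ok"
rm -rf "$demo"
```

On a real host, call install_pubkey with "$HOME" as the second argument; if check_perms prints a path, fix it with chmod before testing the login again.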