ssh免密
记一次ssh免密登录
概念
1 | Secure Shell(安全外壳协议,ssh),是一种加密的网络传输协议,可在不安全的网络中为网络服务提供安全的传输环境。SSH通过在网络中创建安全隧道来实现SSH客户端与服务器之间的连接。虽然如何网络服务都可以通过SSH实现安全传输,SSH最常见的用途是远程登陆系统,通常利用SSH来传输命令行界面和远程执行命令。 |
对称加密
对称加密使用同一个密钥来进行加密和解密。账号密码(口令)可以看作一种对称加密方式
非对称加密
非对称加密有两个密钥:私钥和公钥,数据使用公钥加密后,只能用私钥进行解密。
- 公钥:加密,公开
- 私钥:解密,私有
SSH的两种登录方式
- 口令登录
密钥登录
1
提前将公钥发送到目标服务器中
- 发送登录请求并发送一个公钥指纹,服务器对指纹进行验证,查看指纹是否一致
- 服务器随机生成一串随机数,使用公钥加密
- 客户端使用私钥进行解密,并发送解密后的信息
- 对解密后的信息对比是否一致
路由器配置ssh免密登录
以H3C路由器为例,HCL环境
配置IP地址略
生成密钥对
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26win10的cmd下生成的,也可使用其它工具进行生成
C:\Users\Tao>ssh-keygen -t rsa -b 2048
t 指定密钥类型 默认rsa
b 指定密钥长度 默认2048
Generating public/private rsa key pair.
Enter file in which to save the key (C:\Users\Tao/.ssh/id_rsa): Tao # 保存的文件名
Enter passphrase (empty for no passphrase): # 这里设置密钥的密码 按需设置
Enter same passphrase again: # 这里确认密钥的密码
Your identification has been saved in Tao.
Your public key has been saved in Tao.pub.
The key fingerprint is:
SHA256:B0k4N7yruAZ3CYD9a3wbOq97kNKvwa/tmdmg1PNhWFo tao@DESKTOP-3TSULKA # 指纹信息
The key's randomart image is:
+---[RSA 2048]----+
| o o. |
|. o o.+. |
| o ooo |
| o .. |
| o + .E.. |
| o.O.==.. |
| =+B*+o |
| .===X . |
| .B@O o |
+----[SHA256]-----+将公钥放置路由器
我这里使用的win10的IIS中的FTP配置过程略
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41<H3C>ftp 192.168.56.101 # 使用ftp登录
Press CTRL+C to abort.
Connected to 192.168.56.101 (192.168.56.101).
220 Microsoft FTP Service
User (192.168.56.101:(none)): anonymous # 输入用户名 匿名用户名为:anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
dir # 列出文件
227 Entering Passive Mode (192,168,56,101,249,170).
125 Data connection already open; Transfer starting.
05-16-21 08:35AM 402 Tao.pub # 这是我们的公钥 ,生成两个文件后缀为.pub的是公钥,没有后缀的是私钥
226 Transfer complete.
get Tao.pub # 下载
227 Entering Passive Mode (192,168,56,101,249,171).
125 Data connection already open; Transfer starting.
.
226 Transfer complete.
402 bytes received in 0.002 seconds (196.29 Kbytes/s)
quit # 退出ftp
221 Goodbye.
<H3C>dir # 查看路由器的文件
Directory of flash:
0 -rw- 402 May 16 2021 08:36:36 Tao.pub
1 drw- - May 15 2021 17:19:14 diagfile
2 -rw- 402 May 16 2021 04:31:50 h3c.pub # 这就是我们刚刚下载下来的公钥
3 -rw- 735 May 16 2021 04:32:38 hostkey
4 -rw- 43136 May 15 2021 17:19:14 licbackup
5 drw- - May 15 2021 17:19:14 license
6 -rw- 43136 May 15 2021 17:19:14 licnormal
7 drw- - May 15 2021 17:19:14 logfile
8 -rw- 0 May 15 2021 17:19:14 msr36-cmw710-boot-a7514.bin
9 -rw- 0 May 15 2021 17:19:14 msr36-cmw710-system-a7514.bin
10 drw- - May 15 2021 17:19:20 pki
11 drw- - May 15 2021 17:19:14 seclog
12 -rw- 591 May 16 2021 04:32:38 serverkey
1046512 KB total (1046356 KB free)
<H3C>配置路由器SSH
1
2
3
4
5
6
7
8
9
10
11
12
13[H3C]public-key local create rsa # 生成rsa密钥对
[H3C]ssh server enable # 开启ssh
[H3C]line vty 0 4 # 配置虚拟接口
[H3C-line-vty0-4]authentication-mode scheme # 认证方式
[H3C-line-vty0-4]quit
[H3C]public-key peer h3c import sshkey Tao.pub # 导入公钥并更名为h3c
配置ssh用户的认证方式并指定公钥为h3c
[H3C]ssh user xiaowangc service-type stelnet authentication-type publickey assign publickey h3c
[H3C]local-user xiaowangc class manage # 创建本地用户
[H3C-luser-manage-xiaowangc]service-type ssh # 服务器类型
[H3C-luser-manage-xiaowangc]authorization-attribute user-role network-admin # 用户角色
[H3C-luser-manage-xiaowangc]quit测试连接
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15C:\Users\Tao>ssh xiaowangc@192.168.56.110 -c aes128-cbc -i Tao
i 指定私钥
c 指定加密类型
The authenticity of host '192.168.56.110 (192.168.56.110)' can't be established.
RSA key fingerprint is SHA256:wMmxasuUNqNvee0426c5wUcV5rcdphvVoGw3SaR7vBU.
Are you sure you want to continue connecting (yes/no)? yes # 是否永久添加到列表
Warning: Permanently added '192.168.56.110' (RSA) to the list of known hosts.
******************************************************************************
* Copyright (c) 2004-2017 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
<H3C>
如果不想每次连接都指定加密类型和密钥可配置config文件(略)
Linux配置ssh免密登录
安装,网络拓扑
生成密钥对
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26win10的cmd下生成的,也可使用其它工具进行生成
C:\Users\Tao>ssh-keygen -t rsa -b 2048
t 指定密钥类型 默认rsa
b 指定密钥长度 默认2048
Generating public/private rsa key pair.
Enter file in which to save the key (C:\Users\Tao/.ssh/id_rsa): Tao # 保存的文件名
Enter passphrase (empty for no passphrase): # 这里设置密钥的密码 按需设置
Enter same passphrase again: # 这里确认密钥的密码
Your identification has been saved in Tao.
Your public key has been saved in Tao.pub.
The key fingerprint is:
SHA256:B0k4N7yruAZ3CYD9a3wbOq97kNKvwa/tmdmg1PNhWFo tao@DESKTOP-3TSULKA # 指纹信息
The key's randomart image is:
+---[RSA 2048]----+
| o o. |
|. o o.+. |
| o ooo |
| o .. |
| o + .E.. |
| o.O.==.. |
| =+B*+o |
| .===X . |
| .B@O o |
+----[SHA256]-----+将公钥上传至服务器,并进行配置
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23[root@localhost ~]# yum -y install ftp # 安装ftp客户端
[root@localhost ~]# ftp 192.168.204.1 # 登录
Connected to 192.168.204.1 (192.168.204.1).
220 Microsoft FTP Service
Name (192.168.204.1:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
dir
227 Entering Passive Mode (192,168,204,1,253,61).
125 Data connection already open; Transfer starting.
05-16-21 08:35AM 402 Tao.pub
226 Transfer complete.
get Tao.pub # 下载公钥
local: Tao.pub remote: Tao.pub
227 Entering Passive Mode (192,168,204,1,253,63).
125 Data connection already open; Transfer starting.
226 Transfer complete.
402 bytes received in 0.0001 secs (4020.00 Kbytes/sec)
quit
[root@localhost ~]# mkdir .ssh # 创建.ssh文件
[root@localhost ~]# cat Tao.pub >> .ssh/authorized_keys # 将公钥存放至文件测试
1
2
3C:\Users\Tao>ssh root@192.168.204.131 -i Tao
Last login: Sun May 16 09:41:55 2021 from 192.168.204.1
[root@localhost ~]#
本博客所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来自 尤妤!
