客户端:192.168.1.10 zhangsan用户 服务端:192.168.1.20 lisi用户 在客户端中创建密钥对:
代码语言:javascript复制[zhangsan@localhost /]$ ssh-keygen -t ecdsa # -t 用来指定算法类型:ecdsa和dsa
Generating public/private ecdsa key pair.
Enter file in which to save the key (/home/zhangsan/.ssh/id_ecdsa): # 指定私钥位置
Created directory '/home/zhangsan/.ssh'.
Enter passphrase (empty for no passphrase): # 设置私钥短语
Enter same passphrase again: # 确认所设置的私钥短语
Your identification has been saved in /home/zhangsan/.ssh/id_ecdsa.
Your public key has been saved in /home/zhangsan/.ssh/id_ecdsa.pub.
The key fingerprint is:
81:3b:35:3b:8f:12:60:ba:f5:68:57:b0:ae:35:2c:fe zhangsan@localhost.localdomain
The key's randomart image is:
--[ECDSA 256]---
| |
| . |
| o o |
| o . = |
| . . = S | # 一般出来左边这一串就说明对了
| o = |
| . O . . |
| o = o |
| o.E |
-----------------
私钥短语用来对私钥文件进行保护,在进行远程连接时必须要输入正确的私钥短语。若不设置私钥短语,那么在连接时,就实现了无口令登录,不建议这样做。 一般是经过 客户端创建密钥对、将公钥上传至服务器、在服务器中导入公钥文本、在客户端使用密钥验证 这里第二步和第三步是可以采用另一种方法来实现的:
代码语言:javascript复制[zhangsan@localhost /]$ ssh-copy-id -i ~/.ssh/id_ecdsa.pub lisi@192.168.1.20 -p 2345 # -i 选项用来指定公钥文件
The authenticity of host '[192.168.1.20]:2345 ([192.168.1.20]:2345)' can't be established.
ECDSA key fingerprint is 68:df:0f:ac:c7:75:df:02:88:7d:36:6a:1a:ae:27:23.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
lisi@192.168.1.20's password: # lisi 用户的密码 验证后会将公钥添加到lisi宿主目录下的./sshauthorized_keys 文件
Number of key(s) added: 1
Now try logging into the machine, with: "ssh -p '2345' 'lisi@192.168.1.20'"
and check to make sure that only the key(s) you wanted were added.
使用秘钥对验证:
代码语言:javascript复制[zhangsan@localhost /]$ ssh -p 2345 lisi@192.168.1.20
Enter passphrase for key '/home/zhangsan/.ssh/id_ecdsa': # 这里输入私钥短语,就不需要输入lisi的密码了
Last login: Fri Aug 16 18:19:48 2019 from 192.168.1.10
[lisi@mysql ~]$