SSH configuration and usage (ssh-keygen, ssh-copy-id, known_hosts)
1. Core commands
- Create a key pair: ssh-keygen
- Copy the public key to a server: ssh-copy-id -i ~/.ssh/id_rsa.pub puppet@Hadoop-NN-02
Commonly used key types:
- ssh-keygen -t dsa
- ssh-keygen -t rsa
- ssh-keygen -t rsa1
2. How it works
(1) Basics
1) Public key: used for encryption, stored on the server
2) Private key: used for decryption, stored on the client
(2) Procedure
1) The client sends a connection request to the server.
2) The server looks up, in ~/.ssh/authorized_keys, the public key recorded for that client (the client is identified as user@Host).
3) If the server finds the public key valid, it generates a random number (the challenge), encrypts it with the public key and sends it to the client.
4) The client decrypts it with its private key and sends it back to the server.
5) If the random number matches, authentication succeeds.
3. Examples
(1) ssh-keygen
    [puppet@BigData-01 cdh4.4]$ ssh-keygen
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/puppet/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/puppet/.ssh/id_rsa.
    Your public key has been saved in /home/puppet/.ssh/id_rsa.pub.
    The key fingerprint is:
    af:e2:f5:3a:e8:24:64:c1:f3:d9:bc:44:3d:9a:84:a0 puppet@BigData-01
    The key's randomart image is:
    +--[ RSA 2048]----+
    |        .        |
    |   o . . .       |
    |  E + . o o      |
    |   + * o .       |
    |    o o S        |
    |     o . o       |
    |      . ..o .    |
    |       oo..o     |
    |       oo.oo.    |
    +-----------------+
Note:
1) Public key (id_rsa.pub):
    [puppet@BigData-01 .ssh]$ cat id_rsa.pub
    ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA8CscWlgavdb76EVfhZadM4uMBzN8iVMEC0KuTHdGCzm6LfMzLguf90uw+4ZKpYgxN4XSbbLbu1MPFLLqFxlo7oC2TOhhr84N1Zdm8jtfuh53IhNZDHKpvByUHS4ZZVYVtAKt3+fZOEL700+p228JdQzkzfLHoaPvSD774igY+yB4d3pXkqk+fUALkE2H1hgbfJNjMoar5lls6KfdF6ocLKBILj56Lt+b9KhVtPbllsP8TA8Vino9eF1TeCdKnRmxBFdYTBFlx8s1gRx2VHQnwVpUJcUuVPyGaxvPNXvLHtPZPwi3xJmSFpPB9y8pzID1WqDKKAWkv7CcJqstIhBN3w== puppet@BigData-01
2) Private key (id_rsa): `cat id_rsa` prints a PEM block delimited by -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----; this file stays on the client and is never copied to the server.
(2) Uploading the public key to the server
    [puppet@BigData-01 .ssh]$ ssh-copy-id -i ~/.ssh/id_rsa.pub puppet@Hadoop-NN-02
    puppet@hadoop-nn-02's password:
    Now try logging into the machine, with "ssh 'puppet@Hadoop-NN-02'", and check in:

      .ssh/authorized_keys

    to make sure we haven't added extra keys that you weren't expecting.
Note:
1) The public key as stored on the server (authorized_keys):
    [puppet@BigData-02 .ssh]$ cat authorized_keys
    ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA8CscWlgavdb76EVfhZadM4uMBzN8iVMEC0KuTHdGCzm6LfMzLguf90uw+4ZKpYgxN4XSbbLbu1MPFLLqFxlo7oC2TOhhr84N1Zdm8jtfuh53IhNZDHKpvByUHS4ZZVYVtAKt3+fZOEL700+p228JdQzkzfLHoaPvSD774igY+yB4d3pXkqk+fUALkE2H1hgbfJNjMoar5lls6KfdF6ocLKBILj56Lt+b9KhVtPbllsP8TA8Vino9eF1TeCdKnRmxBFdYTBFlx8s1gRx2VHQnwVpUJcUuVPyGaxvPNXvLHtPZPwi3xJmSFpPB9y8pzID1WqDKKAWkv7CcJqstIhBN3w== puppet@BigData-01
4. The client's host key record file (known_hosts)
When logging in to a server, the client compares the server's host public key with the one it has recorded, so that a forged server can be detected.
(1) Procedure
1) The client logs in to the server.
2) The client receives the server's host public key and checks whether ~/.ssh/known_hosts already has a record for it; if not, the user is asked whether to record it.
3) If the server's key is already recorded, the client checks that it is consistent: if it matches, authentication proceeds; otherwise a warning is shown.
Sample warning:
    [puppet@BigData-01 .ssh]# ssh puppet@BigData-02
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @   <== the warning that something is wrong
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that the RSA host key has just been changed.
    The fingerprint for the RSA key sent by the remote host is
    a7:2e:58:51:9f:1b:02:64:56:ea:cb:9c:92:5e:79:f9.
    Please contact your system administrator.
    Add correct host key in /root/.ssh/known_hosts to get rid of this message.
    Offending key in /root/.ssh/known_hosts:1   <== this number is the line in the file that holds the offending key
    RSA host key for localhost has changed and you have requested strict checking.
    Host key verification failed.
(2) Resolving a failed host key check
Delete the corresponding entry from known_hosts.
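The public key line format from section 3 and the known_hosts comparison from section 4, as an added example that is not part of the original post or of OpenSSH itself. It builds the OpenSSH key blob ("keytype base64 comment"), computes the colon-separated MD5 fingerprint that ssh-keygen printed above (plus the SHA256 form newer releases print), and emulates the client-side lookup that produces the "Offending key in known_hosts:N" line number. The keys and the known_hosts content are constructed test data, not real keys.

```python
import base64
import hashlib
import struct

def ssh_string(b: bytes) -> bytes:
    """Encode an SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(b)) + b

def make_pubkey_line(keytype: str, raw: bytes, comment: str) -> str:
    """Build a one-line public key as found in id_rsa.pub / authorized_keys."""
    blob = ssh_string(keytype.encode()) + ssh_string(raw)
    return f"{keytype} {base64.b64encode(blob).decode()} {comment}"

# Constructed keys (arbitrary bytes, not real ed25519 keys) so the example runs offline.
KEY_A = make_pubkey_line("ssh-ed25519", bytes(range(32)), "puppet@BigData-01")
KEY_B = make_pubkey_line("ssh-ed25519", bytes(range(32, 64)), "puppet@BigData-01")

def parse_pubkey_line(line: str) -> bytes:
    """Return the decoded key blob from a 'keytype base64 [comment]' line."""
    return base64.b64decode(line.split()[1])

def md5_fingerprint(line: str) -> str:
    """Legacy colon-separated MD5 fingerprint, the form ssh-keygen printed above."""
    h = hashlib.md5(parse_pubkey_line(line)).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def sha256_fingerprint(line: str) -> str:
    """SHA256 fingerprint as newer OpenSSH prints it (base64 without padding)."""
    digest = hashlib.sha256(parse_pubkey_line(line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

# Constructed known_hosts: 'host[,host...] keytype base64 [comment]' per line.
KNOWN_HOSTS = "hadoop-nn-02,192.0.2.10 " + KEY_A + "\n" + "bigdata-02 " + KEY_B

def check_host_key(known_hosts: str, host: str, presented: str):
    """Client-side check from section 4: ('match'|'mismatch'|'unknown', line_no).
    Plain host names only; hashed (|1|...) entries and @cert-authority lines are not handled."""
    presented_blob = parse_pubkey_line(presented)
    for line_no, line in enumerate(known_hosts.splitlines(), start=1):
        fields = line.split()
        if not fields or fields[0].startswith("#") or len(fields) < 3:
            continue
        if host.lower() in (h.lower() for h in fields[0].split(",")):
            stored_blob = parse_pubkey_line(" ".join(fields[1:3]))
            return ("match" if stored_blob == presented_blob else "mismatch", line_no)
    return ("unknown", None)
```

A "mismatch" result is the situation behind the warning above; before deleting the reported line, confirm the new fingerprint with the server's administrator through a channel other than that SSH connection.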