Linux(Red Hat Enterprise Linux (RHEL), CentOS and Scientific Linux (SL), Oracle Linux (OL).)
第一种 在客户端生成密钥对,并将公钥上传到服务器端
一、客户端操作:
#ssh-keygen -t rsa -b 2048 //生成公钥和私钥
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): //可输入私钥保护密码
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
#scp -P 22 .ssh/id_rsa.pub root@122.112.84.50: //将公钥上传到服务器的username目录
二、服务器端操作:(需要被连接的)
使用username登录
#mkdir -p .ssh
#chmod 700 .ssh
#cat .ssh/id_rsa.pub>>.ssh/authorized_keys
#chmod 600 .ssh/authorized_keys
#ssh root@122.112.84.50 //客户端登录服务端
--------------------
第二种 使用PUTTY或Xshell或SecureCRT生成密钥对
1:使用username登录
#mkdir -p .ssh
#chmod 700 .ssh
2:使用puttygen生成公钥和私钥,将公钥上传到服务器端username的.ssh目录下
3:#cat .ssh/id_rsa.pub>>.ssh/authorized_keys
#chmod 600 .ssh/authorized_keys
3:用putty私钥登陆出现server refused our key //打开sshd_config找到StrictModes yes修改为StrictModes no
#/etc/init.d/sshd reload 重新加载下即可 //修改验证文件,不推荐
--------------------
第三种 在服务器端生成密钥对,把私钥下载下来使用
1:在目标服务器生成公钥和私钥对(这里以root,也可以使用其他username)
#ssh-keygen -t rsa -b 2048 //生成公钥和私钥
#ssh-keygen -t rsa -b 4096
#ssh-keygen -t rsa -b 16384 //key bits exceeds maximum 16384
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): //可输入私钥保护密码
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
2:#chmod 700 .ssh
#cat .ssh/id_rsa.pub>>.ssh/authorized_keys
#chmod 600 .ssh/authorized_keys
3:下载id_rsa(私钥)文件,使用puttygen保存为PUTTY能识别的文件(*.ppk),(Xshell 能直接使用id_rsa文件)登录服务器。
--------------------
第四种 已经生成好的公钥和私钥对
1:把公钥文件(id_rsa.pub)放到目标服务器/root/.ssh/中
2:#cat .ssh/id_rsa.pub>>.ssh/authorized_keys
chmod 600 .ssh/authorized_keys
3:把私钥文件(id_rsa)放到客户服务器/root/.ssh/中
chmod 600 ./ssh/id_rsa //否则提示 Permissions 0644 for '/root/.ssh/id_rsa' are too open.
//It is required that your private key files are NOT accessible by others.
//This private key will be ignored.
4:客户服务器登录目标服务器 ssh root@195.154.128.169 -p 4096
最后
修改服务器(或目标服务器)sshd服务配置只允许使用私钥文件登录 //先用密钥测试是否能正常登录服务器,然后再修改。
#vim /etc/ssh/sshd_config
将PasswordAuthentication yes 修改成 PasswordAuthentication no
重启sshd服务
Debian/Ubuntu执行/etc/init.d/ssh restart
CentOS执行:/etc/init.d/sshd restart
服务器拒绝接受我们的密钥 (server refused our key)
这样需要修改安全上下文的配置或者修改为正确的上下文
#getenforce (查看是否开启)
#vi /etc/sysconfig/selinux
SELINUX=enforcing
修改SELINUX=enforcing 为 SELINUX=disabled
#reboot //必须重启才生效
ls -Z 查看上下文
restorecon -R -v .ssh 恢复文件默认上下文
改变文件的上下文
chcon -R --reference=/etc/ssh/ssh_host_key.pub /root/.ssh/authorized_keys /root/.ssh/authorized_keys 参照文件/etc/ssh/ssh_host_key.pub 的上下文
安全上下文的错误信息日志
cat /var/log/audit/audit.log
type=AVC msg=audit(1467157590.251:90): avc: denied { read } for pid=1477 comm="sshd" name="authorized_keys" dev=sda3 ino=392460 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
完成
2015.9.18