[Repost] Setting up password-less SSH login on Linux _How to establish password-less login with SSH
In a present-day (post-production) IT infrastructure, many different workstations, servers, etc. have to be maintained on a daily basis. On *nix operating systems, the main tool for logging into a remote machine and executing commands on it is SSH.
Usually with a call like
ssh bob@comp-b
you would be asked every time to enter the password of user Bob. This is not very efficient and is also less secure than key-based authentication.
Furthermore, password prompts hinder tools like Python Fabric that automate tasks inside your pipeline, e.g. remote backup scripts and deployment scripts.
Keep in mind that with SSH you are not limited to machines inside your local network. You can also use key-based SSH to securely log into machines in remote datacenters and even cloud instances such as EC2 instances inside the Amazon public cloud (AWS).
In this tutorial we want to establish a password-less and secure connection over SSH between two different computers in your IT environment. Computer A (COMP-A) with user Alice wants to connect to Computer B (COMP-B) with user Bob.
To do so, we will connect over SSH with a previously generated private/public key pair. The steps in this tutorial are:
- Create authentication keys on Computer A
- Create a .ssh directory on Computer B
- Store or send the generated public key to Computer B
- Set the correct permissions on the key file and folder
We will explain the commands used in the tutorial as they occur. For details on the commands or on SSH in general, please check the manual pages, e.g. for ssh with
man ssh
and the Further Reading section at the end.
Step 1: Create authentication keys on Computer A
Start (or login) on Computer A with user Alice and generate RSA private/public keys by executing the following command in your Terminal:
ssh-keygen -t rsa
When executing the above command, you will be asked several questions. The first asks where to store the keys. Leave it at its default and simply press Enter. The second prompt asks for a security passphrase; do not enter anything and leave it empty. Again just press Enter to proceed. The passphrase is another layer of security you can add to your keys: it encrypts the private key on disk, so a key without one is protected only by the file permissions on id_rsa. For internal usage it is not necessary.
Your Terminal output will look similar to this:
Generating public/private rsa key pair.
Enter file in which to save the key (/home/alice/.ssh/id_rsa): [Press enter key]
Created directory '/home/alice/.ssh'.
Enter passphrase (empty for no passphrase): [Press enter key]
Enter same passphrase again: [Press enter key]
Your identification has been saved in /home/alice/.ssh/id_rsa.
Your public key has been saved in /home/alice/.ssh/id_rsa.pub.
The key fingerprint is:
af:4f:35:82:d4:04:61:10:6d:11:f0:eb:1d:69:54:4f alice@comp-a
The key's randomart image is:
+--[ RSA 2048]----+
| ..oooF.++|
| +. o.o |
| .. . |
| o . . .|
| S . . + |
| + . . o|
| . . o +.|
| + + |
| +. |
+-----------------+
Step 2: Create the .ssh directory on Computer B
After creating your local keys you need to transfer the public key to Computer B. For this, a specific folder called .ssh needs to exist inside Bob's home folder on Computer B (create it if it doesn't already exist). OpenSSH uses this folder to look up previously stored keys and known hosts.
Use SSH from Computer A to connect to Computer B as user Bob and create the .ssh directory. You can use the following command:
ssh bob@comp-b mkdir -p .ssh
This command connects to Computer B and then runs mkdir to create the folder .ssh inside Bob's home folder (-p makes it a no-op if the folder already exists).
If this is your first time connecting to Computer B, you will be shown a host authenticity prompt. This is a security check: SSH does not yet know the host key of Computer B and asks whether you trust it. Read it carefully, compare the fingerprint with the one for Computer B obtained through a trusted channel, and then enter yes. After that you will be prompted as usual for the password of user Bob on this machine.
Your output will look similar to:
The authenticity of host 'comp-b (192.167.1.1)' can't be established.
RSA key fingerprint is e5:51:92:42:c3:cf:d7:e2:d0:0d:00:7f:12:37:25:2b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.167.1.1' (RSA) to the list of known hosts.
bob@comp-b password: [Enter Your Password Here]
After this the folder .ssh should have been created on Computer B.
Step 3: Upload your generated public key to Computer B
From Step 1 the generated RSA keys have been stored into the .ssh folder inside the home folder of Alice. Go check them out as user Alice on Computer A with
cd ~/.ssh
You will find the following files inside this directory by listing them with the ls command:
alice@comp-a:~/.ssh$ ls
id_rsa id_rsa.pub known_hosts
The file id_rsa contains your private key. You have to keep this file secret and secure. Your job (life) depends on it.
The file id_rsa.pub contains your public key. This is the file you can share with computers to which you want to connect without entering a password.
Again you can use SSH to connect to Computer B and upload the public key file id_rsa.pub into the newly created .ssh folder. On Computer B, the key must be stored in a file named authorized_keys.
Enter the following command as Alice on Computer A to append the contents of id_rsa.pub to the file authorized_keys on Computer B:
cat .ssh/id_rsa.pub | ssh bob@comp-b 'cat >> .ssh/authorized_keys'
The above command uses cat to print the contents of id_rsa.pub to standard output and pipes that output, with the pipe operator |, into the command that runs on Computer B once the SSH connection is established.
That remote command is again a cat, used together with the append redirection operator >>, which writes the key to authorized_keys inside the .ssh folder, creating the file if it does not exist and preserving any keys already in it. Note that running the command twice appends the same key twice.
You will be prompted for the password yet again. Just hold on, we are almost in password-less SSH heaven.
[alice@comp-a ~]$ cat .ssh/id_rsa.pub | ssh bob@comp-b 'cat >> .ssh/authorized_keys'
bob@comp-b password: [Enter Your Password Here]
Step 4: Set Permissions on Computer B
The final step is to set the correct permissions with chmod on the authorized_keys file and the .ssh directory on Computer B. This matters because sshd (with its default StrictModes setting) ignores authorized_keys when the file or the .ssh directory is writable by group or others, and the defaults may differ between the SSH versions running on the two computers.
ssh bob@comp-b "chmod 700 .ssh; chmod 640 .ssh/authorized_keys"
You will be prompted for a password one last time. After this call you are done.
Optional Step: Restore your SELinux settings on Computer B
If you are running a Linux distribution with SELinux enabled, you may also have to restore the SELinux context of Bob's .ssh folder with the following command on Computer B:
restorecon -R -v /home/bob/.ssh
Step 5: Password-less login from Computer A to Computer B
Finally! If you ssh from user Alice on Computer A to user Bob on Computer B, there should no longer be a password prompt.
ssh bob@comp-b
In case your private key file is not located in the .ssh folder, you can use the -i argument of ssh to specify the path to the private key file:
ssh -i /path/to/private_key bob@comp-b
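As an added example, not part of the original tutorial, the following script audits what Steps 2 to 4 leave behind on Computer B: it checks that .ssh and authorized_keys are not group- or world-writable (the condition under which sshd ignores the file) and that every line in authorized_keys is a well-formed, non-duplicated key. It assumes plain "type base64 comment" lines and runs against a constructed temporary directory, not a real home folder.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: audit what Steps 2-4 leave behind on
# Computer B. sshd (StrictModes, its default) ignores authorized_keys when ~/.ssh or the
# file is group- or world-writable, and re-running the "cat >>" upload silently appends
# a duplicate key. check_ssh_dir prints each finding and returns 0 only when clean.
# Assumption: plain "type base64 [comment]" lines; lines with leading options are flagged.

# Constructed demo key: valid base64 layout, not a real key.
DEMO_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIENvbnN0cnVjdGVkRGVtb0tleURhdGE alice@comp-a'

# Permission bits as octal: GNU stat first, BSD/macOS stat as fallback.
mode_of() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

check_ssh_dir() {
    dir=$1; keys=$dir/authorized_keys; rc=0
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    [ -f "$keys" ] || { echo "missing file: $keys"; return 1; }
    # 022 = write bit for group and others; 700 and 640 from Step 4 both pass.
    for p in "$dir" "$keys"; do
        if [ $(( 0$(mode_of "$p") & 022 )) -ne 0 ]; then
            echo "group/world writable ($(mode_of "$p")): $p"; rc=1
        fi
    done
    # One record per line: known key type, base64 blob, optional comment, no repeats.
    awk '
        BEGIN { bad = 0 }
        /^[[:space:]]*(#|$)/ { next }
        $1 !~ /^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))$/ {
            print "line " NR ": unrecognised key type: " $1; bad = 1; next }
        $2 !~ /^[A-Za-z0-9+\/]+=*$/ {
            print "line " NR ": malformed key data"; bad = 1; next }
        ($1 " " $2) in seen {
            print "line " NR ": duplicate of line " seen[$1 " " $2]; bad = 1; next }
        { seen[$1 " " $2] = NR }
        END { exit bad }
    ' "$keys" || rc=1
    return $rc
}

# Build a throwaway ~/.ssh laid out exactly as Steps 2-4 leave it.
make_demo_dir() {
    d=$(mktemp -d)
    chmod 700 "$d"
    printf '%s\n' "$DEMO_KEY" > "$d/authorized_keys"
    chmod 640 "$d/authorized_keys"
    echo "$d"
}
demo=$(make_demo_dir)
check_ssh_dir "$demo" && echo "clean: $demo"
```

Run it as Bob with `check_ssh_dir ~/.ssh` to audit a real account; any line it prints is a reason sshd may still ask for a password.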
Original link: http://vfx.engineering/2014/05/11/infrastructure-how-to-establish-passwordless-login-with-ssh/