In present (post production) IT infrastructure many different workstations, servers etc. have to be maintained on a daily basis. When running on *nix operating systems, the main tool to log into and execute arbitrary code on a remote machine is SSH .

Usually with a call like

ssh bob@comp-b

you would be asked every time to enter the password of user Bob. This is not very efficient and also less secure then using key based authentication.

Furthermore the usage of passwords hinders the use of tools like Python fabric for automating certain tasks inside your pipeline e.g. remote backup scripts, deployment scripts.

Keep in mind that with ssh you are not limited to machines inside your local network. You can also use keybased ssh to securely log into machines in remote datacenters and even cloud computers like EC2 instances inside the Amazon public cloud (AWS).

In this tutorial we want to establish a password less and secure connection over ssh between two different computers in your IT environment. Computer A (COMP-A) with user Alice wants to connect to Computer B (COMP-B) with the user Bob.

In order to do so, we will be connecting over ssh with previously set private/public keys. The steps in this tutorial involve:

  1. Creating authentication keys on computer A
  2. Create a .ssh directory on computer B
  3. Store or send the generated public key to computer B
  4. Set correct rights to the key file and folder

We will explain the commands used in the tutorial when they occur. For details on the commands used or on SSH in general please check out the manual pages of e.g. ssh with

man ssh

and the Further Reading section at the end.

Step 1: Create authentication keys on Computer A

Start (or login) on Computer A with user Alice and generate RSA private/public keys by executing the following command in your Terminal:

ssh-keygen -t rsa

When executing above command, you will be asked several questions. The first will be about where to store the keys. Leave it at its default and simply press Enter. The second prompt will ask you for a security passphrase, do not enter anything and leave it empty. Again just press Enter to proceed. The passphrase is another layer of security you can add to your keys. For internal usage it is not necessary.

Your Terminal output will look similar to this:

Generating public/private rsa key pair.

Enter file in which to save the key (/home/alice/.ssh/id_rsa): [Press enter key]

Created directory '/home/alice/.ssh'.

Enter passphrase (empty for no passphrase): [Press enter key]

Enter same passphrase again: [Press enter key]

Your identification has been saved in /home/alice/.ssh/id_rsa.

Your public key has been saved in /home/alice/.ssh/id_rsa.pub.

The key fingerprint is:

af:4f:35:82:d4:04:61:10:6d:11:f0:eb:1d:69:54:4f alice@comp-a

The key's randomart image is:

+--[ RSA 2048]----+

|        ..oooF.++|

|         +. o.o  |

|          ..   . |

|         o  . . .|

|        S .  . + |

|       + .    . o|

|      . . o    +.|

|       + +       |

|        +.       |

+-----------------+

Step 2: Create the .ssh directory on Computer B

After the creation of your local keys you need to transfer them to Computer B. Therefore a specific folder called .ssh needs to be created inside the home folder of Bob on Computer B (if it doesn't already exist). OpenSSH needs this folder to lookup previously stored keys and connected hosts.

Use SSH from Computer A to connect Computer B using Bob as user and create the .ssh directory. You can use the following command:

ssh bob@com-b mkdir -p .ssh

This command will connect to Computer B and then use mkdir to create the folder .ssh inside Bob's home folder.

If this is your first time connecting to Computer B, you will be prompted an authenticity message. This is for security reasons and will ask you if you know the host you are connecting to. Read it carefully and then enter yes. After that you will be as usual prompted with the password of the user Bob for this machine.

Your output will look similar to:

The authenticity of host 'comp-b (192.167.1.1)' can't be established.

RSA key fingerprint is e5:51:92:42:c3:cf:d7:e2:d0:0d:00:7f:12:37:25:2b.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '192.167.1.1' (RSA) to the list of known hosts.

bob@comp-b password: [Enter Your Password Here]

After this the folder .ssh should have been created on Computer B.

Step 3: Upload your generated public key to Computer B

From Step 1 the generated RSA keys have been stored into the .ssh folder inside the home folder of Alice. Go check them out as user Alice on Computer A with

cd ~/.ssh

You will find the following files inside this directory by listing them with the ls command:

alice@comp-a:~/.ssh$ ls

id_rsa  id_rsa.pub  known_hosts

The file id_rsa contains your private key. You have to keep this file secret and secure. Your job (life) depends on it.

The file id_rsa.pub contains your public key. This is the file you can share with computers to which you want to connect without entering a password.

Again you can use SSH to connect to Computer B and upload the id_rsa.pub public file into the recently created .ssh folder. The file needs to be renamed to authorized_keys.

Enter the following command as Alice on Computer A to send the contents of id_rsa.pub into the new file authorized_keys on Computer B:

cat .ssh/id_rsa.pub | ssh bob@comp-b 'cat >> .ssh/authorized_keys'

The above command uses cat to print out the contents of id_rsa.pub to standard out and immediately pipes the output with the pipe operator | into the command that is run after the ssh connection is established to Computer B.

This final command is again a cat which is used in conjunction with the output redirection operator >> to create a new file authorized_keys inside the .ssh folder.

You will be yet again prompted to enter the password. Just hold up - we are almost in password-less ssh heaven.

[alice@comp-a ~]$ cat .ssh/id_rsa.pub | ssh bob@comp-b 'cat >> .ssh/authorized_keys'

bob@comp-b password: [Enter Your Password Here]

Step 4: Set Permissions on Computer B

The final step is to set the correct permissions with chmod for the authorized_keys file and the .ssh directory on Computer B. This is due to security reasons and different SSH versions that might be running on both computers in connection.

ssh bob@comp-b "chmod 700 .ssh; chmod 640 .ssh/authorized_keys"

You will be prompted the last time for a password. After this call you are done.

Optional Step: Restore your SELinux settings on Computer B

If you are running a Linux version which has SELinux enabled, you might have to run the following command on the home folder of Bob.

  restorecon -R -v /home/bob/.ssh

Step 5: Password less login from Computer A to Computer B

Finally! If you ssh from user Alice on Computer A to user B on Computer B there should not be any password prompt.

ssh bob@comp-b

In case your keyfile is not located in the .ssh folder you can use the -i argument of ssh to define the path to the private keyfile:

  ssh -i /path/to/private_key bob@comp-b

原文链接:   http://vfx.engineering/2014/05/11/infrastructure-how-to-establish-passwordless-login-with-ssh/

[转载] 构造linux 系统下免密码ssh登陆  _How to establish password-less login with SSH的更多相关文章

  1. 【转载】在Linux系统下用dd命令制作ISO镜像U盘启动盘

    #### 将U盘插入USB接口 #umount /dev/sdb* #dd if=/iso存放路径/XXX.iso of=/dev/sdb bs=1M ##### [转载]在Linux系统下用dd命令 ...

  2. Linux系统下root密码遗忘等系统故障的修复方法 - 运维总结

    IDC机房有一台centos系统的服务器,由于这台服务器的系统装了好长时间,且root密码中间更新过几次,后面去机房现场维护时,登陆密码遗忘了,悲催啊~没办法,只能开机进入“单用户模式”进行密码重置了 ...

  3. 【转载】Linux系统下命令行连接蓝牙设备 查看查找 蓝牙

    Linux系统下命令行连接蓝牙设备 2018年11月26日 10:47:27 Zz笑对一切 阅读数:741   1.打开系统蓝牙 sudo service bluetooth start 1 进入bl ...

  4. linux系统下,11款常见远程桌面控制软件(转载)

    远程控制能够给人们带来很多便利,本文介绍了11款常见的Linux系统下的远程桌面控制工具,总有一款能适合您. 一. Grdc 它是一个用GTK+编写的,适用于gnome桌面环境的远程桌面访问软件.看图 ...

  5. Java基础 之软引用、弱引用、虚引用 ·[转载]

    Java基础 之软引用.弱引用.虚引用 ·[转载] 2011-11-24 14:43:41 Java基础 之软引用.弱引用.虚引用 浏览(509)|评论(1)   交流分类:Java|笔记分类: Ja ...

  6. 【转】Linux系统下的ssh使用

    Linux系统下的ssh使用(依据个人经验总结)   对于linux运维工作者而言,使用ssh远程远程服务器是再熟悉不过的了!对于ssh的一些严格设置也关系到服务器的安全维护,今天在此,就本人工作中使 ...

  7. Linux系统下远程文件拷贝scp命令

    在Linux系统下,不同机器上实现文件拷贝 一.将本地文件拷贝到远程机器: scp /home/administrator/news.txt root@192.168.6.129:/etc/squid ...

  8. 解决Linux系统下Mysql数据库中文显示成问号的问题

    当我们将开发好的javaWEB项目部署到linux系统上,操作数据库的时候,会出现中文乱码问题,比如做插入操作,发现添加到数据库的数据中文出现论码,下面就将解决linux下mysql中文乱码问题! 打 ...

  9. Linux系统下如何设置IP地址?

    Linux系统下如何设置IP地址?我们可以通过命令设定IP的方法,不过此方法的前提条件是用户需root权限.在linux系统的 /etc/sysconfig/network-script/ifcfg- ...

随机推荐

  1. word2vec参数调整 及lda调参

     一.word2vec调参   ./word2vec -train resultbig.txt -output vectors.bin -cbow 0 -size 200 -window 5 -neg ...

  2. 【Java之对象清理】finalize()的用途

    Java允许在类中定义一个名为finalize()的方法.它的工作原理是:一旦垃圾回收器准备好释放对象占用的存储空间,将首先调用其finalize()方法.并且在下一次垃圾回收动作发生时,才会真正回收 ...

  3. jq添加数组

    var array=new Array(); array.push(值); //向数组中添加值 array.shift(值);//向数组中移除值

  4. Linux less 命令

    - less 打开文件后: shift + g 转至文件末尾 g 转至文件开头 搜索字段(/<pattern>)后: n 转至下一个匹配的字段 shift + n 转至上一个匹配的字段 同 ...

  5. C# I/O

    获取运行时的动态目录 private static string GetDataDir_Data() { var parent = Directory.GetParent(Directory.GetC ...

  6. AxureRp 打开SVN上的团队项目

    打开Axure,在菜单项中,点击 "团队" 菜单,选择 "获取团队项目": 切换到 "SVN" 选项, 填写正确的Axure项目的路径,打开 ...

  7. mysql主从复制实现数据库同步

    mysql主从复制相信已经用得很多了,但是由于工作原因一直没怎么用过.趁着这段时间相对空闲,也就自己实现一遍.尽管互联网上已有大把类似的文章,但是自身实现的仍然值得记录. 环境: 主服务器:cento ...

  8. 《A Convolutional Neural Network Cascade for Face Detection》

    文章链接:   http://pan.baidu.com/s/1bQBJMQ  密码:4772 作者在这里提出了基于神经网络的Cascade方法,Cascade最早可追溯到Haar Feature提取 ...

  9. Gnome_Terminal

    快捷键 ctrl shift m 我自定义的快捷键,可以给终端命名 ctrl shift t 新建标签页,并且目录为当前目录 ctrl shift pageup 标签页往前移 ctrl shift p ...

  10. 基于ACE的c++线程封装

    1. 基本需求 1) 一个基类,其某个方法代表一个线程的生命运行周期.之后通过继承自这个基类来实现个性化线程类: 2) 具备类似QObject的定时器设置功能: 3) 提供在线程对象中同步和异步执行方 ...