SSH login without password
Your aim
You want to use Linux and OpenSSH to automate your tasks. For that you need an automatic login from host A / user a to host B / user b. You don't want to enter any passwords, because you want to call ssh from within a shell script.
How to do it
First log in on A as user a and generate a pair of authentication keys. Do not enter a passphrase:
a@A:~> ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/a/.ssh/id_rsa):
Created directory '/home/a/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/a/.ssh/id_rsa.
Your public key has been saved in /home/a/.ssh/id_rsa.pub.
The key fingerprint is:
3e:4f:05:79:3a:9f:96:7c:3b:ad:e9:58:37:bc:37:e4 a@A
Now use ssh to create a directory ~/.ssh as user b on B. (The directory may already exist, which is fine):
a@A:~> ssh b@B mkdir -p .ssh
b@B's password:
Finally append a's new public key to b@B:.ssh/authorized_keys and enter b's password one last time:
a@A:~> cat .ssh/id_rsa.pub | ssh b@B 'cat >> .ssh/authorized_keys'
b@B's password:
From now on you can log into B as b from A as a without a password:
a@A:~> ssh b@B
or
a@A:~> ssh -i ~/.ssh/id_rsa b@B
The id_rsa file should be in the connecting user's .ssh folder, and the permissions set as you described for the server.
If it is present, then try
ssh -vvv <server>
This will give you more detailed logging and will provide more clues as to why it isn't working.
A note from one of our readers: Depending on your version of SSH you might also have to do the following changes:
- Put the public key in .ssh/authorized_keys2
- Change the permissions of .ssh to 700
- Change the permissions of .ssh/authorized_keys2 to 640
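The append step and the permission requirements above, as an added example that is not part of the original page: a shell function meant to run on B as user b that installs a public key once, with owner-only permissions, and prefixes it with authorized_keys options so a passphrase-less automation key can only do one job. The names install_key and demo, the command path and the sample key are assumptions made for the example; DSA keys are rejected because current OpenSSH releases disable them by default.

```shell
#!/bin/sh
# Added example, not from the original page. Meant to run on host B as user b.
# install_key SSH_DIR PUBKEY_FILE [OPTIONS]   (hypothetical helper name)
#   Appends the key once, prefixed with authorized_keys OPTIONS, and sets
#   owner-only permissions, which sshd's StrictModes check accepts.
install_key() {
    ssh_dir=$1; pub_file=$2; opts=${3:-}
    auth="$ssh_dir/authorized_keys"

    # A public key line is "<type> <base64-blob> [comment]".
    ktype=; blob=; comment=
    read -r ktype blob comment < "$pub_file" || [ -n "$ktype" ] || return 1
    case $ktype in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-*) ;;
        *) echo "install_key: $pub_file is not a public key" >&2; return 1 ;;
    esac
    [ -n "$blob" ] || return 1

    # Create the directory and file readable by the owner only.
    ( umask 077; mkdir -p "$ssh_dir"; touch "$auth" ) || return 1
    chmod 700 "$ssh_dir" && chmod 600 "$auth" || return 1

    # Idempotent: the blob identifies the key, whatever its options or comment.
    grep -qF -- "$blob" "$auth" && return 0
    printf '%s%s %s%s\n' "${opts:+$opts }" "$ktype" "$blob" \
        "${comment:+ $comment}" >> "$auth"
}

# Demo on a scratch directory with a constructed, non-functional key.
# "restrict" turns off forwarding and pty allocation, from= pins the source
# host, command= forces one program (the path is a hypothetical placeholder).
demo() {
    d=$(mktemp -d) || return 1
    echo 'ssh-ed25519 AAAAC3CONSTRUCTEDSAMPLEBLOBNOTAREALKEY a@A' > "$d/id.pub"
    install_key "$d/.ssh" "$d/id.pub" \
        'restrict,from="A",command="/usr/local/bin/nightly-backup"'
    cat "$d/.ssh/authorized_keys"
    rm -rf "$d"
}
```

Calling demo prints the resulting authorized_keys line; on a real host the first argument would be "$HOME/.ssh".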
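Logging in to a remote computer with ssh without a password
References
- pinfo ssh-keygen
- Linux 伺服器安全防護 (O'REILLY, ISBN: 986-7794-18-4)
Years ago telnet was the norm, but as security awareness grew, the safety of logging in over telnet came into question. When ssh (Secure Shell) appeared it changed those habits, and today everyone uses ssh to log in when administering Linux. I won't go over the benefits of ssh again here; it can also be combined with rsync for remote backups, and once ssh is set up you also get scp, which lets you copy files between machines with the transferred data encrypted.
Shell Script & ssh
Automated jobs let an administrator reach a goal efficiently without spending people and time on the same task over and over. Having an unattended script connect to a remote system to do its work is somewhat awkward, because you must log in to the system before the work can continue. Rather than skipping the login step, we can create a public key that the remote machine trusts, so that we simply connect without typing an account and password.
Creating public keys & private keys
Use ssh-keygen to generate the public and private keys, then send the public key to the remote machine so that it trusts logins from this machine.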
[steven@cute steven]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/steven/.ssh/id_dsa):
Enter passphrase (empty for no passphrase): <- leave empty
Enter same passphrase again: <- leave empty
Your identification has been saved in /home/steven/.ssh/id_dsa.
Your public key has been saved in /home/steven/.ssh/id_dsa.pub.
The key fingerprint is:
fa:c9:a9:e4:d5:70:52:88:cc:f3:
[steven@cute steven]$
Next, look in /home/steven/.ssh again; there are two new files, id_dsa and id_dsa.pub.
[steven@cute steven]$ cd .ssh
[steven@cute .ssh]$ ls
id_dsa id_dsa.pub known_hosts
[steven@cute .ssh]$
Now we want logins to the remote machine mirror.abc.com as sandy to work without a password, so we copy id_dsa.pub to sandy@mirror.abc.com and add it to authorized_keys.
[steven@cute .ssh]$ scp id_dsa.pub sandy@mirror.abc.com:~/id_dsa_
sandy@mirror.abc.com's password:
id_dsa.pub 100% |*****************************
[steven@cute .ssh]$
Log in to sandy@mirror.abc.com
[steven@cute .ssh]$ ssh sandy@mirror.abc.com
sandy@mirror.abc.com's password:
-bash-2.05b$ ls id_dsa_steven.pub
id_dsa_steven.pub
-bash-2.05b$ cat id_dsa_steven.pub >> .ssh/authorized_keys
-bash-2.05b$ exit
When that is done, log out, return to the local machine, and ssh to mirror.abc.com once more
[steven@cute .ssh]$ ssh sandy@mirror.abc.com
-bash-2.05b$
You are now logged in directly without entering a password!
Protect your private key
When a DSA key is generated, there is one private and one public key; in practice these are kept and backed up,
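ssh keygen: no password prompt
Too lazy to type a password, so authenticate logins with a key.
The steps are as follows:
- ssh-keygen -t rsa or ssh-keygen -d (dsa) => produces id_rsa, id_rsa.pub
- scp id_rsa.pub server_hostname:~/.ssh/
- ssh server_hostname
- cat .ssh/id_rsa.pub >> .ssh/authorized_keys and that is it
- Key authentication now works for login, with no password to enter.
Note: during generation you will be asked Enter passphrase (empty for no passphrase): # just press Enter here to skip it, so that you are not asked for a password next time
A brief explanation:
- id_rsa: private key
- id_rsa.pub: public key
After copying the public key (id_rsa.pub) to the remote computer, add it to that user's .ssh/authorized_keys.
On later connections, the local private key (id_rsa) and the public key on the remote computer (authorized_keys) are used for authentication; once that succeeds you are logged in directly, without entering an account and password, and it is also more secure.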