网络安全之SSH加密公钥添加

一般需要查阅这篇靠RSA搜素出来的工具文章的时候,就是我需要添加公钥来免密shh访问或者scp/sftp/sycn传输文件的时候。简单列出重点以方便查阅:

  • 假设访问发起方为A,被访问对象为B,谁需要keygen?答案:A需要生成两个密钥,一个私,一个公。
  • 被访问对象B如何添加A所给的公钥id_rsa.pub?答案:添加到B的隐藏ssh目录,~/.ssh下
  • 如何根据复杂程度来决定ssh的访问发起方?

写这样一篇的缘由是因为我遇到之前懵懂搞不清楚的问题,在添加完公钥后却不能免密ssh、sftp、rsync -P,用ssh -vvv来debug看到了系统还是自动循例id_rsa.pub而不是去找mbp1_rsa.pub

Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
<span class="pln">debug2</span><span class="pun">:</span><span class="pln"> ssh_connect_direct
debug1</span><span class="pun">:</span><span class="pln"> </span><span class="typ">Connecting</span><span class="pln"> to </span><span class="lit">192.168</span><span class="pun">.</span><span class="lit">1.189</span><span class="pln"> </span><span class="pun">[</span><span class="lit">192.168</span><span class="pun">.</span><span class="lit">1.189</span><span class="pun">]</span><span class="pln"> port </span><span class="lit">22.</span><span class="pln">
debug1</span><span class="pun">:</span><span class="pln"> </span><span class="typ">Connection</span><span class="pln"> established</span><span class="pun">.</span><span class="pln">
debug1</span><span class="pun">:</span><span class="pln"> identity file </span><span class="pun">/</span><span class="typ">Users</span><span class="pun">/</span><span class="pln">qingqizeng</span><span class="pun">/.</span><span class="pln">ssh</span><span class="pun">/</span><span class="pln">id_rsa type </span><span class="pun">-</span><span class="lit">1</span><span class="pln">
debug1</span><span class="pun">:</span><span class="pln"> identity file </span><span class="pun">/</span><span class="typ">Users</span><span class="pun">/</span><span class="pln">qingqizeng</span><span class="pun">/.</span><span class="pln">ssh</span><span class="pun">/</span><span class="pln">id_rsa</span><span class="pun">-</span><span class="pln">cert type </span><span class="pun">-</span><span class="lit">1</span><span class="pln">
debug1</span><span class="pun">:</span><span class="pln"> identity file </span><span class="pun">/</span><span class="typ">Users</span><span class="pun">/</span><span class="pln">qingqizeng</span><span class="pun">/.</span><span class="pln">ssh</span><span class="pun">/</span><span class="pln">id_dsa type </span><span class="pun">-</span><span class="lit">1</span><span class="pln">
debug1</span><span class="pun">:</span><span class="pln"> identity file </span><span class="pun">/</span><span class="typ">Users</span><span class="pun">/</span><span class="pln">qingqizeng</span><span class="pun">/.</span><span class="pln">ssh</span><span class="pun">/</span><span class="pln">id_dsa</span><span class="pun">-</span><span class="pln">cert type </span><span class="pun">-</span><span class="lit">1</span><span class="pln">
debug1</span><span class="pun">:</span><span class="pln"> identity file </span><span class="pun">/</span><span class="typ">Users</span><span class="pun">/</span><span class="pln">qingqizeng</span><span class="pun">/.</span><span class="pln">ssh</span><span class="pun">/</span><span class="pln">id_ecdsa type </span><span class="pun">-</span><span class="lit">1</span><span class="pln">
debug1</span><span class="pun">:</span><span class="pln"> identity file </span><span class="pun">/</span><span class="typ">Users</span><span class="pun">/</span><span class="pln">qingqizeng</span><span class="pun">/.</span><span class="pln">ssh</span><span class="pun">/</span><span class="pln">id_ecdsa</span><span class="pun">-</span><span class="pln">cert type </span><span class="pun">-</span><span class="lit">1</span><span class="pln">
debug1</span><span class="pun">:</span><span class="pln"> identity file </span><span class="pun">/</span><span class="typ">Users</span><span class="pun">/</span><span class="pln">qingqizeng</span><span class="pun">/.</span><span class="pln">ssh</span><span class="pun">/</span><span class="pln">id_ed25519 type </span><span class="pun">-</span><span class="lit">1</span><span class="pln">
debug1</span><span class="pun">:</span><span class="pln"> identity file </span><span class="pun">/</span><span class="typ">Users</span><span class="pun">/</span><span class="pln">qingqizeng</span><span class="pun">/.</span><span class="pln">ssh</span><span class="pun">/</span><span class="pln">id_ed25519</span><span class="pun">-</span><span class="pln">cert type </span><span class="pun">-</span><span class="lit">1</span><span class="pln">
debug1</span><span class="pun">:</span><span class="pln"> identity file </span><span class="pun">/</span><span class="typ">Users</span><span class="pun">/</span><span class="pln">qingqizeng</span><span class="pun">/.</span><span class="pln">ssh</span><span class="pun">/</span><span class="pln">id_xmss type </span><span class="pun">-</span><span class="lit">1</span><span class="pln">
debug1</span><span class="pun">:</span><span class="pln"> identity file </span><span class="pun">/</span><span class="typ">Users</span><span class="pun">/</span><span class="pln">qingqizeng</span><span class="pun">/.</span><span class="pln">ssh</span><span class="pun">/</span><span class="pln">id_xmss</span><span class="pun">-</span><span class="pln">cert type </span><span class="pun">-</span><span class="lit">1</span>
<span class="pln">debug2</span><span class="pun">:</span><span class="pln"> ssh_connect_direct debug1</span><span class="pun">:</span><span class="pln"> </span><span class="typ">Connecting</span><span class="pln"> to </span><span class="lit">192.168</span><span class="pun">.</span><span class="lit">1.189</span><span class="pln"> </span><span class="pun">[</span><span class="lit">192.168</span><span class="pun">.</span><span class="lit">1.189</span><span class="pun">]</span><span class="pln"> port </span><span class="lit">22.</span><span class="pln"> debug1</span><span class="pun">:</span><span class="pln"> </span><span class="typ">Connection</span><span class="pln"> established</span><span class="pun">.</span><span class="pln"> debug1</span><span class="pun">:</span><span class="pln"> identity file </span><span class="pun">/</span><span class="typ">Users</span><span class="pun">/</span><span class="pln">qingqizeng</span><span class="pun">/.</span><span class="pln">ssh</span><span class="pun">/</span><span class="pln">id_rsa type </span><span class="pun">-</span><span class="lit">1</span><span class="pln"> debug1</span><span class="pun">:</span><span class="pln"> identity file </span><span class="pun">/</span><span class="typ">Users</span><span class="pun">/</span><span class="pln">qingqizeng</span><span class="pun">/.</span><span class="pln">ssh</span><span class="pun">/</span><span class="pln">id_rsa</span><span class="pun">-</span><span class="pln">cert type </span><span class="pun">-</span><span class="lit">1</span><span class="pln"> debug1</span><span class="pun">:</span><span class="pln"> identity file </span><span class="pun">/</span><span class="typ">Users</span><span class="pun">/</span><span class="pln">qingqizeng</span><span class="pun">/.</span><span class="pln">ssh</span><span class="pun">/</span><span class="pln">id_dsa type </span><span class="pun">-</span><span class="lit">1</span><span class="pln"> debug1</span><span class="pun">:</span><span class="pln"> identity file </span><span class="pun">/</span><span class="typ">Users</span><span class="pun">/</span><span class="pln">qingqizeng</span><span class="pun">/.</span><span class="pln">ssh</span><span class="pun">/</span><span class="pln">id_dsa</span><span class="pun">-</span><span class="pln">cert type </span><span class="pun">-</span><span class="lit">1</span><span class="pln"> debug1</span><span class="pun">:</span><span class="pln"> identity file </span><span class="pun">/</span><span class="typ">Users</span><span class="pun">/</span><span class="pln">qingqizeng</span><span class="pun">/.</span><span class="pln">ssh</span><span class="pun">/</span><span class="pln">id_ecdsa type </span><span class="pun">-</span><span class="lit">1</span><span class="pln"> debug1</span><span class="pun">:</span><span class="pln"> identity file </span><span class="pun">/</span><span class="typ">Users</span><span class="pun">/</span><span class="pln">qingqizeng</span><span class="pun">/.</span><span class="pln">ssh</span><span class="pun">/</span><span class="pln">id_ecdsa</span><span class="pun">-</span><span class="pln">cert type </span><span class="pun">-</span><span class="lit">1</span><span class="pln"> debug1</span><span class="pun">:</span><span class="pln"> identity file </span><span class="pun">/</span><span class="typ">Users</span><span class="pun">/</span><span class="pln">qingqizeng</span><span class="pun">/.</span><span class="pln">ssh</span><span class="pun">/</span><span class="pln">id_ed25519 type </span><span class="pun">-</span><span class="lit">1</span><span class="pln"> debug1</span><span class="pun">:</span><span class="pln"> identity file </span><span class="pun">/</span><span class="typ">Users</span><span class="pun">/</span><span class="pln">qingqizeng</span><span class="pun">/.</span><span class="pln">ssh</span><span class="pun">/</span><span class="pln">id_ed25519</span><span class="pun">-</span><span class="pln">cert type </span><span class="pun">-</span><span class="lit">1</span><span class="pln"> debug1</span><span class="pun">:</span><span class="pln"> identity file </span><span class="pun">/</span><span class="typ">Users</span><span class="pun">/</span><span class="pln">qingqizeng</span><span class="pun">/.</span><span class="pln">ssh</span><span class="pun">/</span><span class="pln">id_xmss type </span><span class="pun">-</span><span class="lit">1</span><span class="pln"> debug1</span><span class="pun">:</span><span class="pln"> identity file </span><span class="pun">/</span><span class="typ">Users</span><span class="pun">/</span><span class="pln">qingqizeng</span><span class="pun">/.</span><span class="pln">ssh</span><span class="pun">/</span><span class="pln">id_xmss</span><span class="pun">-</span><span class="pln">cert type </span><span class="pun">-</span><span class="lit">1</span>
debug2: ssh_connect_direct
debug1: Connecting to 192.168.1.189 [192.168.1.189] port 22.
debug1: Connection established.
debug1: identity file /Users/qingqizeng/.ssh/id_rsa type -1
debug1: identity file /Users/qingqizeng/.ssh/id_rsa-cert type -1
debug1: identity file /Users/qingqizeng/.ssh/id_dsa type -1
debug1: identity file /Users/qingqizeng/.ssh/id_dsa-cert type -1
debug1: identity file /Users/qingqizeng/.ssh/id_ecdsa type -1
debug1: identity file /Users/qingqizeng/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/qingqizeng/.ssh/id_ed25519 type -1
debug1: identity file /Users/qingqizeng/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/qingqizeng/.ssh/id_xmss type -1
debug1: identity file /Users/qingqizeng/.ssh/id_xmss-cert type -1

这就让我蒙了,为什么添加了公钥还是不能免密ssh呢?原来我错误的理解了id_rsa.pub这个名字的用意。添加公钥的方法是把无论什么key都cat xxx.key >> authorized_keys 里面,因为这样authorized_keys里面就有了 xxx.key的内容。你问我是怎么知道的,我告诉你,我vim了authorized_keys以下,看到了大致的内容,从下面的图中你可以看到两个加密公钥的“指纹”:ssh-rsa

所以在添加公钥的服务器的~/.ssh目录下,id_rsa.pub只是一个“代数”或者说是一个“过客”,当追加“cat”完authorized keys之后,它就没有用了。系统不会根据你给xxx_rsa.pub起一个什么名字,就去对应找xxx_rsa去解密,而是会在接通ssh后链接到本地的~/.ssh下去照旧寻找id_rsa,这样authorized key公钥的“指纹”配上本地id_rsa就解密成功了。之前我一直以为~/.ssh需要存储所有的公钥,所以需要保存id1_rsa.pub;id2_rsa.pub;id3_rsa.pub;…..idN_rsa.pub 现在看来是我想错了。

Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
<span class="com">#第一步:本地鸡生成id_rsa.pub,输入指令一路回车,不要想太多</span><span class="pln">
</span><span class="pun">本地鸡</span><span class="pln">$ ssh</span><span class="pun">-</span><span class="pln">keygen </span><span class="pun">-</span><span class="pln">t rsa
</span><span class="typ">Generating</span><span class="pln"> </span><span class="kwd">public</span><span class="pun">/</span><span class="kwd">private</span><span class="pln"> rsa key pair</span><span class="pun">.</span><span class="pln">
</span><span class="typ">Enter</span><span class="pln"> file </span><span class="kwd">in</span><span class="pln"> which to save the key </span><span class="pun">(</span><span class="str">/Users/</span><span class="pln">qxxxxxzeng</span><span class="pun">/.</span><span class="pln">ssh</span><span class="pun">/</span><span class="pln">id_rsa</span><span class="pun">):</span><span class="pln">
</span><span class="typ">Enter</span><span class="pln"> passphrase </span><span class="pun">(</span><span class="pln">empty </span><span class="kwd">for</span><span class="pln"> </span><span class="kwd">no</span><span class="pln"> passphrase</span><span class="pun">):</span><span class="pln">
</span><span class="typ">Enter</span><span class="pln"> same passphrase again</span><span class="pun">:</span><span class="pln">
</span><span class="typ">Your</span><span class="pln"> identification has been saved </span><span class="kwd">in</span><span class="pln"> </span><span class="pun">/</span><span class="typ">Users</span><span class="pun">/</span><span class="pln">qxxxxxzeng</span><span class="pun">/.</span><span class="pln">ssh</span><span class="pun">/</span><span class="pln">id_rsa</span><span class="pun">.</span><span class="pln">
</span><span class="typ">Your</span><span class="pln"> </span><span class="kwd">public</span><span class="pln"> key has been saved </span><span class="kwd">in</span><span class="pln"> </span><span class="pun">/</span><span class="typ">Users</span><span class="pun">/</span><span class="pln">qxxxxxzeng</span><span class="pun">/.</span><span class="pln">ssh</span><span class="pun">/</span><span class="pln">id_rsa</span><span class="pun">.</span><span class="pln">pub</span><span class="pun">.</span><span class="pln">
</span><span class="typ">The</span><span class="pln"> key fingerprint </span><span class="kwd">is</span><span class="pun">:</span><span class="pln">
SHA256</span><span class="pun">:</span><span class="pln">qJmWKqbhGQSpyrQtntfMLK5ExiixuJczILIly1T6RWU qxxxxxzeng@MBP
</span><span class="typ">The</span><span class="pln"> key</span><span class="str">'s randomart image is:
+---[RSA 3072]----+
| E |
| . o |
|+ . . |
|*oo . . |
|@O. .. S |
|&B+..= |
|*B=o@ |
|=+=B = |
|+B=.. |
+----[SHA256]-----+
本地鸡$
#第二步:本地鸡scp公钥到远端的usr@ip:~/.ssh目录下,记得输入ssh的密码
本地鸡$ scp id_rsa.pub QQ@192.168.1.189:~/.ssh
本地鸡$ QQ@192.168.1.189'</span><span class="pln">s password</span><span class="pun">:</span><span class="pln">
</span><span class="pun">本地鸡</span><span class="pln">$ id_rsa</span><span class="pun">.</span><span class="pln">pub </span><span class="lit">100</span><span class="pun">%</span><span class="pln"> </span><span class="lit">568</span><span class="pln"> </span><span class="lit">10.3KB</span><span class="pun">/</span><span class="pln">s </span><span class="lit">00</span><span class="pun">:</span><span class="lit">00</span><span class="pln">
</span><span class="com">#第三步:远端服务器下,用[cat]追加~/.ssh/id_rsa.pub 到authorized_keys</span><span class="pln">
cat </span><span class="pun">~</span><span class="str">/.ssh/</span><span class="pln">id_rsa</span><span class="pun">.</span><span class="pln">pub </span><span class="pun">>></span><span class="pln"> </span><span class="pun">~</span><span class="str">/.ssh/</span><span class="pln">authorized_keys
</span><span class="com">#如果你闲着没事,并且接的之前authorized_keys的内容,你可以看看cat之后是不是多了一个本地鸡的指纹</span><span class="pln">
</span><span class="com">#本地鸡$ vim ~/.ssh/authorized_keys</span><span class="pln">
</span><span class="com">#第四部:在本地鸡中用ssh验证免密,本地鸡是192.168.1.156</span><span class="pln">
</span><span class="pun">本地鸡</span><span class="pln">$ ssh </span><span class="pun">-</span><span class="pln">vvv QQ@192</span><span class="pun">.</span><span class="lit">168.1</span><span class="pun">.</span><span class="lit">189</span><span class="pln">
</span><span class="typ">OpenSSH_8</span><span class="pun">.</span><span class="lit">1p1</span><span class="pun">,</span><span class="pln"> </span><span class="typ">LibreSSL</span><span class="pln"> </span><span class="lit">2.7</span><span class="pun">.</span><span class="lit">3</span><span class="pln">
debug1</span><span class="pun">:</span><span class="pln"> </span><span class="typ">Reading</span><span class="pln"> configuration data </span><span class="pun">/</span><span class="pln">etc</span><span class="pun">/</span><span class="pln">ssh</span><span class="pun">/</span><span class="pln">ssh_config
debug1</span><span class="pun">:</span><span class="pln"> </span><span class="str">/etc/</span><span class="pln">ssh</span><span class="pun">/</span><span class="pln">ssh_config line </span><span class="lit">47</span><span class="pun">:</span><span class="pln"> </span><span class="typ">Applying</span><span class="pln"> options </span><span class="kwd">for</span><span class="pln"> </span><span class="pun">*</span><span class="pln">
debug2</span><span class="pun">:</span><span class="pln"> resolve_canonicalize</span><span class="pun">:</span><span class="pln"> hostname </span><span class="lit">192.168</span><span class="pun">.</span><span class="lit">1.189</span><span class="pln"> </span><span class="kwd">is</span><span class="pln"> address
debug2</span><span class="pun">:</span><span class="pln"> ssh_connect_direct
debug1</span><span class="pun">:</span><span class="pln"> </span><span class="typ">Connecting</span><span class="pln"> to </span><span class="lit">192.168</span><span class="pun">.</span><span class="lit">1.189</span><span class="pln"> </span><span class="pun">[</span><span class="lit">192.168</span><span class="pun">.</span><span class="lit">1.189</span><span class="pun">]</span><span class="pln"> port </span><span class="lit">22.</span><span class="pln">
debug1</span><span class="pun">:</span><span class="pln"> </span><span class="typ">Connection</span><span class="pln"> established</span><span class="pun">.</span>
<span class="com">#第一步:本地鸡生成id_rsa.pub,输入指令一路回车,不要想太多</span><span class="pln"> </span><span class="pun">本地鸡</span><span class="pln">$ ssh</span><span class="pun">-</span><span class="pln">keygen </span><span class="pun">-</span><span class="pln">t rsa </span><span class="typ">Generating</span><span class="pln"> </span><span class="kwd">public</span><span class="pun">/</span><span class="kwd">private</span><span class="pln"> rsa key pair</span><span class="pun">.</span><span class="pln"> </span><span class="typ">Enter</span><span class="pln"> file </span><span class="kwd">in</span><span class="pln"> which to save the key </span><span class="pun">(</span><span class="str">/Users/</span><span class="pln">qxxxxxzeng</span><span class="pun">/.</span><span class="pln">ssh</span><span class="pun">/</span><span class="pln">id_rsa</span><span class="pun">):</span><span class="pln"> </span><span class="typ">Enter</span><span class="pln"> passphrase </span><span class="pun">(</span><span class="pln">empty </span><span class="kwd">for</span><span class="pln"> </span><span class="kwd">no</span><span class="pln"> passphrase</span><span class="pun">):</span><span class="pln"> </span><span class="typ">Enter</span><span class="pln"> same passphrase again</span><span class="pun">:</span><span class="pln"> </span><span class="typ">Your</span><span class="pln"> identification has been saved </span><span class="kwd">in</span><span class="pln"> </span><span class="pun">/</span><span class="typ">Users</span><span class="pun">/</span><span class="pln">qxxxxxzeng</span><span class="pun">/.</span><span class="pln">ssh</span><span class="pun">/</span><span class="pln">id_rsa</span><span class="pun">.</span><span class="pln"> </span><span class="typ">Your</span><span class="pln"> </span><span class="kwd">public</span><span class="pln"> key has been saved </span><span class="kwd">in</span><span class="pln"> </span><span class="pun">/</span><span class="typ">Users</span><span class="pun">/</span><span class="pln">qxxxxxzeng</span><span class="pun">/.</span><span class="pln">ssh</span><span class="pun">/</span><span class="pln">id_rsa</span><span class="pun">.</span><span class="pln">pub</span><span class="pun">.</span><span class="pln"> </span><span class="typ">The</span><span class="pln"> key fingerprint </span><span class="kwd">is</span><span class="pun">:</span><span class="pln"> SHA256</span><span class="pun">:</span><span class="pln">qJmWKqbhGQSpyrQtntfMLK5ExiixuJczILIly1T6RWU qxxxxxzeng@MBP </span><span class="typ">The</span><span class="pln"> key</span><span class="str">'s randomart image is: +---[RSA 3072]----+ | E | | . o | |+ . . | |*oo . . | |@O. .. S | |&B+..= | |*B=o@ | |=+=B = | |+B=.. | +----[SHA256]-----+ 本地鸡$ #第二步:本地鸡scp公钥到远端的usr@ip:~/.ssh目录下,记得输入ssh的密码 本地鸡$ scp id_rsa.pub QQ@192.168.1.189:~/.ssh 本地鸡$ QQ@192.168.1.189'</span><span class="pln">s password</span><span class="pun">:</span><span class="pln"> </span><span class="pun">本地鸡</span><span class="pln">$ id_rsa</span><span class="pun">.</span><span class="pln">pub </span><span class="lit">100</span><span class="pun">%</span><span class="pln"> </span><span class="lit">568</span><span class="pln"> </span><span class="lit">10.3KB</span><span class="pun">/</span><span class="pln">s </span><span class="lit">00</span><span class="pun">:</span><span class="lit">00</span><span class="pln"> </span><span class="com">#第三步:远端服务器下,用[cat]追加~/.ssh/id_rsa.pub 到authorized_keys</span><span class="pln"> cat </span><span class="pun">~</span><span class="str">/.ssh/</span><span class="pln">id_rsa</span><span class="pun">.</span><span class="pln">pub </span><span class="pun">>></span><span class="pln"> </span><span class="pun">~</span><span class="str">/.ssh/</span><span class="pln">authorized_keys </span><span class="com">#如果你闲着没事,并且接的之前authorized_keys的内容,你可以看看cat之后是不是多了一个本地鸡的指纹</span><span class="pln"> </span><span class="com">#本地鸡$ vim ~/.ssh/authorized_keys</span><span class="pln"> </span><span class="com">#第四部:在本地鸡中用ssh验证免密,本地鸡是192.168.1.156</span><span class="pln"> </span><span class="pun">本地鸡</span><span class="pln">$ ssh </span><span class="pun">-</span><span class="pln">vvv QQ@192</span><span class="pun">.</span><span class="lit">168.1</span><span class="pun">.</span><span class="lit">189</span><span class="pln"> </span><span class="typ">OpenSSH_8</span><span class="pun">.</span><span class="lit">1p1</span><span class="pun">,</span><span class="pln"> </span><span class="typ">LibreSSL</span><span class="pln"> </span><span class="lit">2.7</span><span class="pun">.</span><span class="lit">3</span><span class="pln"> debug1</span><span class="pun">:</span><span class="pln"> </span><span class="typ">Reading</span><span class="pln"> configuration data </span><span class="pun">/</span><span class="pln">etc</span><span class="pun">/</span><span class="pln">ssh</span><span class="pun">/</span><span class="pln">ssh_config debug1</span><span class="pun">:</span><span class="pln"> </span><span class="str">/etc/</span><span class="pln">ssh</span><span class="pun">/</span><span class="pln">ssh_config line </span><span class="lit">47</span><span class="pun">:</span><span class="pln"> </span><span class="typ">Applying</span><span class="pln"> options </span><span class="kwd">for</span><span class="pln"> </span><span class="pun">*</span><span class="pln"> debug2</span><span class="pun">:</span><span class="pln"> resolve_canonicalize</span><span class="pun">:</span><span class="pln"> hostname </span><span class="lit">192.168</span><span class="pun">.</span><span class="lit">1.189</span><span class="pln"> </span><span class="kwd">is</span><span class="pln"> address debug2</span><span class="pun">:</span><span class="pln"> ssh_connect_direct debug1</span><span class="pun">:</span><span class="pln"> </span><span class="typ">Connecting</span><span class="pln"> to </span><span class="lit">192.168</span><span class="pun">.</span><span class="lit">1.189</span><span class="pln"> </span><span class="pun">[</span><span class="lit">192.168</span><span class="pun">.</span><span class="lit">1.189</span><span class="pun">]</span><span class="pln"> port </span><span class="lit">22.</span><span class="pln"> debug1</span><span class="pun">:</span><span class="pln"> </span><span class="typ">Connection</span><span class="pln"> established</span><span class="pun">.</span>
#第一步:本地鸡生成id_rsa.pub,输入指令一路回车,不要想太多
本地鸡$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/qxxxxxzeng/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /Users/qxxxxxzeng/.ssh/id_rsa.
Your public key has been saved in /Users/qxxxxxzeng/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:qJmWKqbhGQSpyrQtntfMLK5ExiixuJczILIly1T6RWU qxxxxxzeng@MBP
The key's randomart image is:
+---[RSA 3072]----+
|       E         |
| .    o          |
|+  . .           |
|*oo .  .         |
|@O.  .. S        |
|&B+..=           |
|*B=o@            |
|=+=B =           |
|+B=..            |
+----[SHA256]-----+
本地鸡$ 
 
#第二步:本地鸡scp公钥到远端的usr@ip:~/.ssh目录下,记得输入ssh的密码
本地鸡$ scp id_rsa.pub QQ@192.168.1.189:~/.ssh
本地鸡$ QQ@192.168.1.189's password: 
本地鸡$ id_rsa.pub                                    100%  568    10.3KB/s   00:00 

#第三步:远端服务器下,用[cat]追加~/.ssh/id_rsa.pub 到authorized_keys
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
#如果你闲着没事,并且接的之前authorized_keys的内容,你可以看看cat之后是不是多了一个本地鸡的指纹
#本地鸡$ vim ~/.ssh/authorized_keys


#第四部:在本地鸡中用ssh验证免密,本地鸡是192.168.1.156
本地鸡$ ssh -vvv QQ@192.168.1.189
OpenSSH_8.1p1, LibreSSL 2.7.3
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 47: Applying options for *
debug2: resolve_canonicalize: hostname 192.168.1.189 is address
debug2: ssh_connect_direct
debug1: Connecting to 192.168.1.189 [192.168.1.189] port 22.
debug1: Connection established.

自此,你已经看到connection established,链接成功了

重置ssh的key

一般看到这里,你就已经不是第一次设置ssh的id_rsa.pub的key,那么问题来了:如果本地服务器A,它在你远端服务器B重置前就已经ssh成功访问过旧的远端服务器B,那么本地A的knownhost就会存储之前版本的远程服务B的ip地址,现在就有个问题了,对于本地服务器A,新旧两个版本的密钥的远端服务器B共用一个IP,这正好就是类似middle-man攻击的特征,所以ssh访问被取消。这里就需要清除某个ip地址的ssh的密钥,再重新ssh-key访问以刷新一次id_rsa.pub的密钥,清除和刷新的过程就是重置ssh的key之过程。

Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
<span class="pln">ssh</span><span class="pun">-</span><span class="pln">keygen </span><span class="pun">-</span><span class="pln">R </span><span class="lit">192.168</span><span class="pun">.</span><span class="lit">1.xxx</span><span class="pln"> </span><span class="pun">(服务器</span><span class="pln">ip</span><span class="pun">地址)</span>
<span class="pln">ssh</span><span class="pun">-</span><span class="pln">keygen </span><span class="pun">-</span><span class="pln">R </span><span class="lit">192.168</span><span class="pun">.</span><span class="lit">1.xxx</span><span class="pln"> </span><span class="pun">(服务器</span><span class="pln">ip</span><span class="pun">地址)</span>
ssh-keygen -R 192.168.1.xxx (服务器ip地址)