一般需要查阅这篇靠RSA搜素出来的工具文章的时候,就是我需要添加公钥来免密shh访问或者scp/sftp/sycn传输文件的时候。简单列出重点以方便查阅:
- 假设访问发起方为A,被访问对象为B,谁需要keygen?答案:A需要生成两个密钥,一个私,一个公。
- 被访问对象B如何添加A所给的公钥id_rsa.pub?答案:添加到B的隐藏ssh目录,~/.ssh下
- 如何根据复杂程度来决定ssh的访问发起方?
写这样一篇的缘由是因为我遇到之前懵懂搞不清楚的问题,在添加完公钥后却不能免密ssh、sftp、rsync -P,用ssh -vvv来debug看到了系统还是自动循例id_rsa.pub而不是去找mbp1_rsa.pub
debug2: ssh_connect_direct debug1: Connecting to 192.168.1.189 [192.168.1.189] port 22. debug1: Connection established. debug1: identity file /Users/qingqizeng/.ssh/id_rsa type -1 debug1: identity file /Users/qingqizeng/.ssh/id_rsa-cert type -1 debug1: identity file /Users/qingqizeng/.ssh/id_dsa type -1 debug1: identity file /Users/qingqizeng/.ssh/id_dsa-cert type -1 debug1: identity file /Users/qingqizeng/.ssh/id_ecdsa type -1 debug1: identity file /Users/qingqizeng/.ssh/id_ecdsa-cert type -1 debug1: identity file /Users/qingqizeng/.ssh/id_ed25519 type -1 debug1: identity file /Users/qingqizeng/.ssh/id_ed25519-cert type -1 debug1: identity file /Users/qingqizeng/.ssh/id_xmss type -1 debug1: identity file /Users/qingqizeng/.ssh/id_xmss-cert type -1
这就让我蒙了,为什么添加了公钥还是不能免密ssh呢?原来我错误的理解了id_rsa.pub这个名字的用意。添加公钥的方法是把无论什么key都cat xxx.key >> authorized_keys 里面,因为这样authorized_keys里面就有了 xxx.key的内容。你问我是怎么知道的,我告诉你,我vim了authorized_keys以下,看到了大致的内容,从下面的图中你可以看到两个加密公钥的“指纹”:
所以在添加公钥的服务器的~/.ssh目录下,id_rsa.pub只是一个“代数”或者说是一个“过客”,当追加“cat”完authorized keys之后,它就没有用了。系统不会根据你给xxx_rsa.pub起一个什么名字,就去对应找xxx_rsa去解密,而是会在接通ssh后链接到本地的~/.ssh下去照旧寻找id_rsa,这样authorized key公钥的“指纹”配上本地id_rsa就解密成功了。之前我一直以为~/.ssh需要存储所有的公钥,所以需要保存id1_rsa.pub;id2_rsa.pub;id3_rsa.pub;…..idN_rsa.pub 现在看来是我想错了。
#第一步:本地鸡生成id_rsa.pub,输入指令一路回车,不要想太多 本地鸡$ ssh-keygen -t rsa Generating public/private rsa key pair. Enter file in which to save the key (/Users/qxxxxxzeng/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /Users/qxxxxxzeng/.ssh/id_rsa. Your public key has been saved in /Users/qxxxxxzeng/.ssh/id_rsa.pub. The key fingerprint is: SHA256:qJmWKqbhGQSpyrQtntfMLK5ExiixuJczILIly1T6RWU qxxxxxzeng@MBP The key's randomart image is: +---[RSA 3072]----+ | E | | . o | |+ . . | |*oo . . | |@O. .. S | |&B+..= | |*B=o@ | |=+=B = | |+B=.. | +----[SHA256]-----+ 本地鸡$ #第二步:本地鸡scp公钥到远端的usr@ip:~/.ssh目录下,记得输入ssh的密码 本地鸡$ scp id_rsa.pub QQ@192.168.1.189:~/.ssh 本地鸡$ QQ@192.168.1.189's password: 本地鸡$ id_rsa.pub 100% 568 10.3KB/s 00:00 #第三步:远端服务器下,用[cat]追加~/.ssh/id_rsa.pub 到authorized_keys cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys #如果你闲着没事,并且接的之前authorized_keys的内容,你可以看看cat之后是不是多了一个本地鸡的指纹 #本地鸡$ vim ~/.ssh/authorized_keys #第四部:在本地鸡中用ssh验证免密,本地鸡是192.168.1.156 本地鸡$ ssh -vvv QQ@192.168.1.189 OpenSSH_8.1p1, LibreSSL 2.7.3 debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 47: Applying options for * debug2: resolve_canonicalize: hostname 192.168.1.189 is address debug2: ssh_connect_direct debug1: Connecting to 192.168.1.189 [192.168.1.189] port 22. debug1: Connection established.
自此,你已经看到connection established,链接成功了
重置ssh的key
一般看到这里,你就已经不是第一次设置ssh的id_rsa.pub的key,那么问题来了:如果本地服务器A,它在你远端服务器B重置前就已经ssh成功访问过旧的远端服务器B,那么本地A的knownhost就会存储之前版本的远程服务B的ip地址,现在就有个问题了,对于本地服务器A,新旧两个版本的密钥的远端服务器B共用一个IP,这正好就是类似middle-man攻击的特征,所以ssh访问被取消。这里就需要清除某个ip地址的ssh的密钥,再重新ssh-key访问以刷新一次id_rsa.pub的密钥,清除和刷新的过程就是重置ssh的key之过程。
ssh-keygen -R 192.168.1.xxx (服务器ip地址)