Today I wanted to set up SSH on a host I had just built for myself and realized I had forgotten some of the details, so I am writing them down here.

1. Generate a key pair

Use ssh-keygen

ssh-keygen -t [rsa|dsa]

During the process you will be asked for a passphrase. If you enter one, you will be prompted for that passphrase every time you log in to the remote host; if the goal is passwordless login, leave the passphrase empty.

2. Copy the public key to the target host

Copy the public key into ~/.ssh on the target host; to upload it remotely you can use the scp command

scp -r your/target/file/path [user]@[host]:your/remote/file/path/

If the host already has an authorized_keys file, be careful not to overwrite it; if it does not, create the file yourself

touch ~/.ssh/authorized_keys

Then run

cat rsa.pub >> authorized_keys

Or, run this locally

cat ~/.ssh/rsa.pub | ssh [user]@[host] "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

3. Add a host alias on the local machine

Open ~/.ssh/config (create it if it does not exist). The format is as follows (replace the contents of [] with your own settings):

Host [myHost]
Hostname [123.123.123.123]
Port [21]
User [myUser]
IdentityFile [~/.ssh/local_private_rsa]
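Steps 2 and 3 as a script, added here as an example rather than taken from the original post: it installs a public key into authorized_keys without overwriting or duplicating what is already there (a plain `cat >>` appends the key again every time it is run), sets the permissions sshd's StrictModes checks, and writes the same Host block as above. The key, paths and host values in demo() are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post. install_pubkey appends a key
# to authorized_keys only if it is not already there (so re-running never
# duplicates it and never overwrites existing keys) and sets the permissions
# sshd's StrictModes checks (700 on the directory, 600 on the file).
# add_ssh_host writes the Host block from step 3.

# install_pubkey <pubkey-file> <authorized_keys-path>
install_pubkey() {
    pubkey_file=$1
    auth_keys=$2
    ssh_dir=$(dirname "$auth_keys")
    # A key is identified by its type and base64 blob; the trailing comment may differ.
    key_id=$(awk '{print $1 " " $2}' "$pubkey_file")
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_keys"
    chmod 600 "$auth_keys"
    if awk '{print $1 " " $2}' "$auth_keys" | grep -qxF "$key_id"; then
        return 0   # already authorized, nothing to do
    fi
    cat "$pubkey_file" >> "$auth_keys"
}

# add_ssh_host <config-file> <alias> <hostname> <port> <user> <identity-file>
add_ssh_host() {
    printf 'Host %s\n    Hostname %s\n    Port %s\n    User %s\n    IdentityFile %s\n\n' \
        "$2" "$3" "$4" "$5" "$6" >> "$1"
}

# count_keys <authorized_keys-path>: number of key lines, used to check idempotency
count_keys() {
    grep -c '^ssh-' "$1"
}

# demo: install the same constructed key twice into a throwaway directory and
# print how many key lines ended up in authorized_keys (expected: 1)
demo() {
    tmp=$(mktemp -d)
    # Constructed public key for the demo, not a real key.
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDEMONOTAREALKEYDEMONOTAREALKEY00 myUser@laptop' \
        > "$tmp/id_demo.pub"
    install_pubkey "$tmp/id_demo.pub" "$tmp/.ssh/authorized_keys"
    install_pubkey "$tmp/id_demo.pub" "$tmp/.ssh/authorized_keys"
    add_ssh_host "$tmp/.ssh/config" myHost 123.123.123.123 22 myUser '~/.ssh/local_private_rsa'
    count_keys "$tmp/.ssh/authorized_keys"
    rm -rf "$tmp"
}
```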

4. Log in

Log in with ssh myHost

More

5.1 Generate a host certificate signed by your own CA

ssh-keygen -s ~/.ssh/ca_host_key -I certificate_ID -h -n host_name.example.com -V -start:+end /etc/ssh/ssh_host_rsa.pub

The -n option restricts this certificate to a specific host (the principal) within the domain; note that in ssh-keygen the principal list is given with -n, not -Z (-Z selects the cipher used when writing an encrypted private key file). The -V option adds a validity period; this is highly recommended. Where the validity period is intended to be one year (fifty-two weeks), allow for the time needed to replace the certificates and for any holiday periods around the time of certificate expiry.

e.g.

~]# ssh-keygen -s ~/.ssh/ca_host_key -I host_name -h -n host_name.example.com -V -1w:+54w5d /etc/ssh/ssh_host_rsa.pub
Enter passphrase:
Signed host key /root/.ssh/ssh_host_rsa-cert.pub: id "host_name" serial 0 for host_name.example.com valid from 2015-05-15T13:52:29 to 2016-06-08T13:52:29

5.2 OpenSSL or ssh-keygen

ssh-keygen actually calls the OpenSSL library under the hood, so there is no real difference between SSH keys produced by either tool. You can simply use ssh-keygen to generate the key pair directly.