当SSH免密登录的私钥被移动之后... ...-阿里云开发者社区

当SSH免密登录的私钥被移动之后... ...

2017-12-06 1102

版权

本文内容由阿里云实名注册用户自发贡献，版权归原作者所有，阿里云开发者社区不拥有其著作权，亦不承担相应法律责任。具体规则请查看《阿里云开发者社区用户服务协议》和《阿里云开发者社区知识产权保护指引》。如果您发现本社区中有涉嫌抄袭的内容，填写侵权投诉表单进行举报，一经查实，本社区将立刻删除涉嫌侵权内容。

简介： 一、设置免密登录在主机192.168.237.21通过ssh-keygen生成私钥及对应公钥,分发公钥到192.168.237.22、192.168.237.23主机上。

一、设置免密登录

在主机192.168.237.21通过ssh-keygen生成私钥及对应公钥,分发公钥到192.168.237.22、192.168.237.23主机上。从主机192.168.237.21分别免密登录192.168.237.22、192.168.237.23，如图：

[root@GeeklpTset01 ~]# ssh-keygen -b 2048 -t rsa -C root-21
[root@GeeklpTset01 .ssh]# ssh-copy-id -p id_rsa.pub root@192.168.237.22
[root@GeeklpTset01 .ssh]# ssh-copy-id -i id_rsa.pub root@192.168.237.23
[root@GeeklpTset01 .ssh]# ssh 192.168.237.22
Last login: Wed Dec  6 09:34:40 2017 from 192.168.237.1
[root@GeeklpTset01 .ssh]# ssh 192.168.237.23
Last login: Wed Dec  6 09:34:36 2017 from 192.168.237.1

二、移动SSH私钥

[root@GeeklpTest020 ~]# mkdir .ssh
[root@GeeklpTest020 ~]# cd .ssh
[root@GeeklpTset01 .ssh]# scp id_rsa root@192.168.237.20:/root/.ssh
[root@GeeklpTset01 .ssh]# scp id_rsa root@192.168.237.20:/root/.ssh
The authenticity of host '192.168.237.20 (192.168.237.20)' can't be established.
ECDSA key fingerprint is SHA256:ixhXgxxTUxKX9P66vAR92uJohhgMa0kkg9vk7U+9MAg.
ECDSA key fingerprint is MD5:98:00:32:6a:c1:a1:a6:fa:6f:be:08:53:94:6e:6b:f7.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.237.20' (ECDSA) to the list of known hosts.
root@192.168.237.20's password:
id_rsa                                                                                                                               100% 1679     1.6MB/s   00:00

三、尝试登录

（1）从192.168.237.20登录192.168.237.21

[root@GeeklpTest020 .ssh]# ssh root@192.168.237.22
The authenticity of host '192.168.237.22 (192.168.237.22)' can't be established.
ECDSA key fingerprint is SHA256:ixhXgxxTUxKX9P66vAR92uJohhgMa0kkg9vk7U+9MAg.
ECDSA key fingerprint is MD5:98:00:32:6a:c1:a1:a6:fa:6f:be:08:53:94:6e:6b:f7.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.237.22' (ECDSA) to the list of known hosts.
Last login: Wed Dec  6 10:06:34 2017 from 192.168.237.151

再次登录

[root@GeeklpTest020 .ssh]# ssh root@192.168.237.22
Last login: Wed Dec  6 10:16:27 2017 from 192.168.237.154

（2）从192.168.237.20登录192.168.237.22

[root@GeeklpTest020 .ssh]# ssh root@192.168.237.23
The authenticity of host '192.168.237.23 (192.168.237.23)' can't be established.
ECDSA key fingerprint is SHA256:ixhXgxxTUxKX9P66vAR92uJohhgMa0kkg9vk7U+9MAg.
ECDSA key fingerprint is MD5:98:00:32:6a:c1:a1:a6:fa:6f:be:08:53:94:6e:6b:f7.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.237.23' (ECDSA) to the list of known hosts.
Last login: Wed Dec  6 10:09:40 2017 from 192.168.237.151

再次登录

[root@GeeklpTest020 .ssh]# ssh root@192.168.237.23
Last login: Wed Dec  6 10:34:35 2017 from 192.168.237.154

四、结论

（1）如果设置了ssh免密登录，私钥被移动到其他机器上之后同样是可以轻易实现免密登录的。因此，ssh私钥的管理尤为重要，如果私钥被不法分子取得，后果将不可设想。

（2）细心的小伙伴可能会发现，在登录成功显示的ip并不是我在图中规划的ip地址，这的确是我粗心大意了，没有关闭网卡的dhcp，造成网卡第一个ip是通过dhcp来获取的，固定ip被设置为第二ip了。

当SSH免密登录的私钥被移动之后... ...

热门文章

最新文章

相关电子书