Linux ssh 安全配置

452432

                      Linux  ssh 安全登陆  
创建ssh密钥
[iyunv@localhost ~]# ssh-keygen -t rsa           #创建密钥
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):      # 密钥位置
Enter passphrase (empty for no passphrase):        #输入密钥，可以为空
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.    #私钥
Your public key has been saved in /root/.ssh/id_rsa.pub.   #公钥
The key fingerprint is:
40:96:bf:a5:89:c2:66:a3:bd:dc:79:a3:b5:a8:1f:8d root@localhost.localdomain
The key's randomart image is:
+--[ RSA 2048]----+
|      o.         |
|     o.          |
|      ..         |
|       .. .      |
|   .   .S=       |
|    * .o+        |
|   = oE o        |
|  .... =o.       |
|    ++*o..       |
+-----------------+
[iyunv@localhost .ssh]# ls
id_rsa  id_rsa.pub         #把公钥上传到远程的linux机器上   
[iyunv@localhost .ssh]#     
[iyunv@localhost ~]# clear
[iyunv@localhost ~]# ssh-copy-id -i .ssh/id_rsa.pub root@10.0.0.2
The authenticity of host '10.0.0.2 (10.0.0.2)' can't be established.
RSA key fingerprint is fb:82:7c:05:f1:74:86:47:52:64:87:3c:86:fd:cd:ee.
Are you sure you want to continue connecting (yes/no)? yes    #第一次需要确认一下
Warning: Permanently added '10.0.0.2' (RSA) to the list of known hosts.
root@10.0.0.2's password:
Now try logging into the machine, with "ssh 'root@10.0.0.2'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

[iyunv@localhost ~]#
[iyunv@localhost ~]# ssh 10.0.0.2      
Enter passphrase for key '/root/.ssh/id_rsa':      #需要输入密钥
Last login: Wed Oct 29 16:47:08 2014 from 10.0.0.1
[iyunv@postgresql ~]# ls -a .ssh/
.  ..  authorized_keys      # 公钥查看ok
[iyunv@postgresql ~]#         # 重启一下ssh就ok了。
为了使系统更加安全，关闭密码认证启用密钥认证
[iyunv@localhost ~]# vi /etc/ssh/sshd_config
Protocol 2                    #启用ssh2  
PubkeyAuthentication yes        #启用密钥认证
AuthorizedKeysFile      .ssh/authorized_keys   #密钥存放位置
PasswordAuthentication no                 #关闭密码认证
[iyunv@localhost ~]# /etc/init.d/sshd restart     #重启ssh 服务  


       
把系统默认的22端口改为四位数端口，并且修改ssh文件
vi /etc/ssh/sshd_config
如果需要登陆，将公钥的文件拷贝出来就ok了。
如果需要使用工具的话，那么可以在工具上配置密钥
       
前面创建的是单向的密钥
创建双向密钥对两个机器都执行 # ssh-keygen t rsa   使用相同的密钥
将生成的密钥拷贝对方机器~/.ssh/ 目录下  并且更改名字为  authorized_krys（两个名字修改后拷贝对方的用户~/.ssh/ 目录下） 修改sshd_config 文件
vbx       
   ，。        
测试
       
不需要任何认证，还有锁定网络ip等