After the Private Key for SSH Passwordless Login Is Moved...

Author: 耕耘实录
Published 2018-12-20 09:51:52
Column: 耕耘实录

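Copyright notice: this is an original article by 耕耘实录, published simultaneously on the major self-media platforms. Reposting is welcome; please credit the source. Thank you.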

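On host 192.168.237.21, generate a private key and its corresponding public key with ssh-keygen, then distribute the public key to hosts 192.168.237.22 and 192.168.237.23. Log in from 192.168.237.21 to 192.168.237.22 and 192.168.237.23 without a password, as shown: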

[root@GeeklpTset01 ~]# ssh-keygen -b 2048 -t rsa -C root-21
[root@GeeklpTset01 .ssh]# ssh-copy-id -i id_rsa.pub root@192.168.237.22
[root@GeeklpTset01 .ssh]# ssh-copy-id -i id_rsa.pub root@192.168.237.23
[root@GeeklpTset01 .ssh]# ssh 192.168.237.22
Last login: Wed Dec  6 09:34:40 2017 from 192.168.237.1
[root@GeeklpTset01 .ssh]# ssh 192.168.237.23
Last login: Wed Dec  6 09:34:36 2017 from 192.168.237.1

2. Moving the SSH private key

[root@GeeklpTest020 ~]# mkdir .ssh
[root@GeeklpTest020 ~]# cd .ssh
[root@GeeklpTset01 .ssh]# scp id_rsa root@192.168.237.20:/root/.ssh
The authenticity of host '192.168.237.20 (192.168.237.20)' can't be established.
ECDSA key fingerprint is SHA256:ixhXgxxTUxKX9P66vAR92uJohhgMa0kkg9vk7U+9MAg.
ECDSA key fingerprint is MD5:98:00:32:6a:c1:a1:a6:fa:6f:be:08:53:94:6e:6b:f7.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.237.20' (ECDSA) to the list of known hosts.
root@192.168.237.20's password:
id_rsa                                                                                                                               100% 1679     1.6MB/s   00:00    

3. Attempting to log in

(1) Logging in from 192.168.237.20 to 192.168.237.22

[root@GeeklpTest020 .ssh]# ssh root@192.168.237.22
The authenticity of host '192.168.237.22 (192.168.237.22)' can't be established.
ECDSA key fingerprint is SHA256:ixhXgxxTUxKX9P66vAR92uJohhgMa0kkg9vk7U+9MAg.
ECDSA key fingerprint is MD5:98:00:32:6a:c1:a1:a6:fa:6f:be:08:53:94:6e:6b:f7.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.237.22' (ECDSA) to the list of known hosts.
Last login: Wed Dec  6 10:06:34 2017 from 192.168.237.151

Logging in again

[root@GeeklpTest020 .ssh]# ssh root@192.168.237.22
Last login: Wed Dec  6 10:16:27 2017 from 192.168.237.154

(2) Logging in from 192.168.237.20 to 192.168.237.23

[root@GeeklpTest020 .ssh]# ssh root@192.168.237.23
The authenticity of host '192.168.237.23 (192.168.237.23)' can't be established.
ECDSA key fingerprint is SHA256:ixhXgxxTUxKX9P66vAR92uJohhgMa0kkg9vk7U+9MAg.
ECDSA key fingerprint is MD5:98:00:32:6a:c1:a1:a6:fa:6f:be:08:53:94:6e:6b:f7.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.237.23' (ECDSA) to the list of known hosts.
Last login: Wed Dec  6 10:09:40 2017 from 192.168.237.151

Logging in again

[root@GeeklpTest020 .ssh]# ssh root@192.168.237.23
Last login: Wed Dec  6 10:34:35 2017 from 192.168.237.154

4. Conclusion

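(1) Once SSH passwordless login is set up, the private key can just as easily be used for passwordless login after it has been moved to another machine. Managing SSH private keys is therefore especially important: if a private key falls into the hands of a malicious party, the consequences are unthinkable.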

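(2) Attentive readers may notice that the IP shown after a successful login is not the IP address I planned in the figure. This was indeed carelessness on my part: I did not turn off DHCP on the network interface, so the interface's first IP was obtained via DHCP and the static IP was set as the second IP.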
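
One mitigation for the risk in conclusion (1) is to pin each public key in authorized_keys on the target hosts to its expected source address with OpenSSH's from="..." option, so that a copied private key is refused from other machines. The script below is an added example, not the author's code: it lists the entries that lack that option, and its function names, sample file and placeholder key material are constructed for illustration.

```shell
# Added example (not from the original article): flag authorized_keys entries
# that lack a from="..." option and are therefore accepted from any host.
# audit_authorized_keys FILE
# Prints "LINE<TAB>COMMENT" per unrestricted key; returns 1 if any was found.
audit_authorized_keys() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
    {
        line = $0; sub(/^[ \t]+/, "", line)
        has_from = 0
        # No leading key type means the line starts with an options field.
        if (line !~ /^(ssh-|ecdsa-|sk-)/) {
            inq = 0; start = 1
            for (i = 1; i <= length(line); i++) {
                c = substr(line, i, 1)
                # Option names are case-insensitive; match only at option start.
                if (start && tolower(substr(line, i, 5)) == "from=") has_from = 1
                start = 0
                if (c == "\\" && inq) i++            # skip escaped char in quotes
                else if (c == "\"") inq = !inq
                else if (c == "," && !inq) start = 1
                else if ((c == " " || c == "\t") && !inq) break
            }
            line = substr(line, i + 1)             # drop the options field
        }
        if (has_from) next
        # What remains is: keytype base64 [comment]
        sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]*/, "", line)
        printf "%d\t%s\n", NR, (line == "" ? "(no comment)" : line)
        found = 1
    }
    END { exit found + 0 }' "$1"
}

# Constructed sample: the key material is a placeholder, not a real key.
write_sample() {
    cat > "$1" <<'EOF'
# key installed by ssh-copy-id, usable from any source address
ssh-rsa AAAAB3PLACEHOLDER root-21
from="192.168.237.21" ssh-rsa AAAAB3PLACEHOLDER root-21-pinned
command="echo from=x, y",no-pty ssh-rsa AAAAB3PLACEHOLDER backup
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_authorized_keys "$sample" || echo "unrestricted keys listed above"
rm -f "$sample"
```

The from= pattern has to match the address sshd actually sees for the client, which in this lab would be the DHCP-assigned address mentioned in conclusion (2) rather than the planned one.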

This article is part of the Tencent Cloud self-media sharing program and is shared from the author's personal site/blog.
Originally published: 2017-12-06
