Secure Shell (SSH) is a security protocol built on top of the application and transport layers, defined by the IETF Network Working Group. SSH is currently one of the more reliable protocols designed to provide security for remote login sessions and other network services; using it effectively prevents information leakage during remote administration. Besides username/password authentication, the communication between an SSH client and server can also be authenticated with keys.
Suppose there are two Unix servers and we need to use scp on server A to transfer data directly between servers A and B. The user on server B wants access to come only from server A (and neither side wants the other to know its password). In that case we only need to establish automatic trust from A to B, that is, set up SSH public key authentication: generate a key pair for the user on server A, send the public key to the user on server B, and have the user on server B put that public key in place. This also removes the need to type the password every time.
Steps on server A
1. Generate a public/private key pair with ssh-keygen
[oracle@db1 ~]$ ssh-keygen
Generating public/private rsa key pair.
(RSA is used by default; the available algorithms are RSA and DSA)
Enter file in which to save the key (/home/oracle/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/oracle/.ssh/id_rsa.
Your public key has been saved in /home/oracle/.ssh/id_rsa.pub.
The key fingerprint is:
70:9e:47:10:a1:22:bd:54:97:7b:4f:4d:00:b2:fe:bd oracle@db1
The key's randomart image is:
+--[ RSA 2048]----+
| . *+.... |
| . . o.+ . |
| . + o o.. o |
| o o =.o. . . |
| . S..o |
| o .. |
| . . |
| . |
| E |
+-----------------+
[oracle@db1 ~]$
[oracle@db1 ~]$ cd .ssh/
[oracle@db1 .ssh]$ ls
id_rsa id_rsa.pub
2. Send id_rsa.pub from the ~/.ssh directory to server B
3. If you know the password of the user on server B, you can use ssh-copy-id to send the public key. If you do not, skip this step and continue with the steps below
[oracle@db1 ~]$ ssh-copy-id -i ~/.ssh/id_rsa.pub web@10.0.0.120
The authenticity of host '10.0.0.120 (10.0.0.120)' can't be established.
RSA key fingerprint is 1d:bd:2e:1c:68:20:65:68:c8:1a:1c:6e:0e:dc:85:2e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.120' (RSA) to the list of known hosts.
web@10.0.0.120's password:
Now try logging into the machine, with "ssh 'web@10.0.0.120'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
Steps on server B
1. Create the .ssh directory under the user's home directory
[web@db2 ~]$ mkdir .ssh
[web@db2 ~]$ cd .ssh/
2. Place id_rsa.pub (obtained from server A) in the .ssh directory under the user's home directory
[web@db2 .ssh]$ ls
id_rsa.pub
3. Rename the file
[web@db2 .ssh]$ mv id_rsa.pub authorized_keys
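The steps above do on server B by hand what ssh-copy-id does over the network. The following is an added example, not code from the original post, that scripts the same installation for the case where ssh-copy-id cannot be used: it appends the key to authorized_keys instead of renaming the file over it (so keys that are already authorized survive), skips the key if the same key data is already present, sets the permissions that sshd's default StrictModes check requires on ~/.ssh and authorized_keys, and lists the type and comment of every authorized key so you can confirm nothing unexpected was added. The function names, the scratch home directory and the key material in the demo are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): install server A's public key
# on server B without overwriting existing authorized keys. All paths, names
# and key material below are constructed; none of it is real key data.

# install_pubkey <pubkey-file> <home-dir>
# Appends the public-key line in <pubkey-file> to <home-dir>/.ssh/authorized_keys
# unless the same key is already there. Returns 0 on success, 1 if the file
# does not look like an OpenSSH public key ("<type> <base64 blob> [comment]").
install_pubkey() {
    pubkey_file=$1
    home_dir=$2
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    key_line=$(head -n 1 "$pubkey_file" 2>/dev/null)
    key_type=$(printf '%s\n' "$key_line" | awk '{print $1}')
    key_blob=$(printf '%s\n' "$key_line" | awk '{print $2}')

    case "$key_type" in
        ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "install_pubkey: $pubkey_file is not an OpenSSH public key" >&2; return 1 ;;
    esac
    if [ -z "$key_blob" ]; then
        echo "install_pubkey: $pubkey_file has no key data" >&2
        return 1
    fi

    # With StrictModes on (the default), sshd ignores authorized_keys if ~/.ssh
    # or the file itself is group- or world-writable, so set the permissions
    # explicitly instead of relying on the umask.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"

    # Match on the key blob only: the comment (user@host) can differ between
    # copies of the same key and must not produce a duplicate entry.
    if ! grep -qF -- "$key_blob" "$auth_file"; then
        printf '%s\n' "$key_line" >> "$auth_file"
    fi
}

# count_keys <home-dir>: number of key lines currently authorized (0 if none).
count_keys() {
    auth_file="$1/.ssh/authorized_keys"
    if [ ! -f "$auth_file" ]; then
        echo 0
        return 0
    fi
    grep -c -E '^(ssh-|ecdsa-)' "$auth_file" || true
}

# list_key_comments <home-dir>: one "<type> <comment>" line per authorized key,
# the view you check to make sure no keys you were not expecting were added.
list_key_comments() {
    awk '/^(ssh-|ecdsa-)/ {print $1, ($3 == "" ? "(no comment)" : $3)}' \
        "$1/.ssh/authorized_keys" 2>/dev/null
}

# Demo in a scratch directory with a constructed (not real) key.
demo_dir=$(mktemp -d)
printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexampleconstructedkeydata oracle@db1' \
    > "$demo_dir/id_rsa.pub"
install_pubkey "$demo_dir/id_rsa.pub" "$demo_dir/home"
install_pubkey "$demo_dir/id_rsa.pub" "$demo_dir/home"   # second run is a no-op
echo "authorized keys: $(count_keys "$demo_dir/home")"  # 1, not 2
list_key_comments "$demo_dir/home"                        # ssh-rsa oracle@db1
rm -rf "$demo_dir"
```

Run it as the target user on server B with the real home directory, e.g. install_pubkey /tmp/id_rsa.pub "$HOME", after the public key has been copied over. The reason for appending rather than the mv shown above is that mv silently replaces any keys already authorized for that account, which is exactly the kind of change the ssh-copy-id reminder ("check in .ssh/authorized_keys to make sure we haven't added extra keys") is asking you to look for.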
Test on server A
[oracle@db1 ~]$ scp web@db2:/tmp/a.sql .
The authenticity of host '10.0.0.120 (10.0.0.120)' can't be established.
RSA key fingerprint is 1d:bd:2e:1c:68:20:65:68:c8:1a:1c:6e:0e:dc:85:2e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.120' (RSA) to the list of known hosts.
a.sql 100% 392 0.4KB/s 00:00
[oracle@db1 ~]$ ls
[oracle@db1 ~]$ cd .ssh/
[oracle@db1 .ssh]$ ls
id_rsa id_rsa.pub known_hosts
known_hosts: every host that has been connected to is recorded in this file
[oracle@db1 .ssh]$
[oracle@db1 ~]$ scp cdb1 web@db2:~
cdb1 100% 136 0.1KB/s 00:00
[oracle@db1 ~]$
We can also use scp with Windows; all that is needed is to install an SSH server on the Windows machine, and Bitvise SSH Server works very well for this.
https://www.bitvise.com/ssh-server
Steps
Open easy settings -> Virtual accounts
Create a new account and import the Unix user's id_rsa.pub public key; that is enough to enable automatic transfers from the Unix server to the Windows server.