SSH automatic (passwordless) login

Source: Internet   Editor: 程序博客网   Time: 2024/04/30 08:47

1. Generate a key pair on the client

Run: ssh-keygen -t rsa

2. Copy the public key to the server and append it to authorized_keys

If the server has no authorized_keys file yet, the public key can be copied straight into place:

Run: scp ~/.ssh/id_rsa.pub root@<server ip>:/root/.ssh/authorized_keys

scp overwrites the target, so if the file already exists upload id_rsa.pub under its own name and append it on the server instead, which keeps the keys that are already there:

                   cat  id_rsa.pub  >> authorized_keys

**Note**:

Permissions must be right on both machines, otherwise sshd silently ignores the key: ~/.ssh must be mode 700 (and the private key id_rsa mode 600 on the client); on the server authorized_keys should be 600 (644 also works), and with StrictModes (the default) neither the home directory, ~/.ssh nor authorized_keys may be group- or world-writable.


3. Slow SSH connections deserve a mention:

Run ssh -v <host> and look at the trace:

debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No credentials cache found

debug1: Unspecified GSS failure.  Minor code may provide more information
No credentials cache found

debug1: Unspecified GSS failure.  Minor code may provide more information

debug1: Next authentication method: publickey

The trace shows that the client tries gssapi-with-mic first by default, and the failed Kerberos/GSS credential lookups are what eat the time.
This is a client-side trace, so the switch belongs on the client: set GSSAPIAuthentication no in the client's /etc/ssh/ssh_config or ~/.ssh/config (or pass -o GSSAPIAuthentication=no on the command line) and ssh goes straight to the publickey method. The method can also be turned off on the server side with GSSAPIAuthentication no in /etc/ssh/sshd_config. The other usual cause of a slow login is the server's reverse DNS lookup of the client address; set UseDNS no in the server's /etc/ssh/sshd_config (UseDNS is an sshd option and has no meaning in ssh_config).
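As an added example (not part of the original post), the following script parses the ssh -v trace shown above and reports whether gssapi-with-mic was attempted before publickey, which is the delay described here. The trace lines are constructed from the output above plus two typical follow-up lines; the option string it prints is the client-side fix, which needs no access to the server.

```sh
#!/bin/sh
# Added example, not from the original post: read an "ssh -v" client trace
# and find out which authentication methods were tried, in what order.
# The trace below is constructed from the lines shown in the text.

SAMPLE_TRACE='debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No credentials cache found
debug1: Next authentication method: publickey
debug1: Offering public key: /home/tony/.ssh/id_rsa
debug1: Authentication succeeded (publickey).'

# Print the methods the client actually attempted, one per line, in order.
# Reads the trace on stdin ("ssh -v host 2>&1 | auth_methods_tried").
auth_methods_tried() {
    sed -n 's/^debug1: Next authentication method: //p'
}

# Succeed (exit 0) when gssapi-with-mic was attempted before publickey,
# i.e. the slow path: GSS lookups fail or time out before a key is offered.
gssapi_before_publickey() {
    auth_methods_tried | awk '
        $1 == "gssapi-with-mic" && !seen_pk { found = 1 }
        $1 == "publickey"                   { seen_pk = 1 }
        END { exit found ? 0 : 1 }'
}

# Client-side options that skip GSSAPI without touching any config file;
# "GSSAPIAuthentication no" in ~/.ssh/config has the same effect.
no_gssapi_opts() {
    printf '%s' '-o GSSAPIAuthentication=no -o PreferredAuthentications=publickey'
}

# Demo against the constructed trace. On a real host:
#   ssh -v tony@192.168.102.50 2>&1 | gssapi_before_publickey
if printf '%s\n' "$SAMPLE_TRACE" | gssapi_before_publickey; then
    echo "gssapi-with-mic was tried before publickey; run: ssh $(no_gssapi_opts) user@host"
fi
```

PreferredAuthentications only reorders what the client offers; if the server still advertises gssapi-with-mic nothing breaks, the client simply never asks for it.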

1. Generate the key file

In SecureCRT on the Windows client, open the "Create Public Key" wizard from the Tools menu and follow the prompts to generate a key pair. By default the key pair is stored under "C:\Documents and Settings\%USERNAME%\Application Data\VanDyke\", where Identity is the private key file and Identity.pub the public key file.

2. Edit the sshd_config file on the Linux server

#vi /usr/local/etc/sshd_config
  Make the following changes:
PasswordAuthentication no  (turn off password authentication; do this only after the key login has been tested from a second session, or you can lock yourself out)
PubkeyAuthentication yes  (turn on public key authentication)
AuthorizedKeysFile .ssh/authorized_keys  (location of the authorized public keys file)

sshd must be reloaded (for example by sending it SIGHUP) before the changes take effect.

Then go to the home directory of the user who is to get the key:
#mkdir /home/dacongtou/.ssh  (create the .ssh directory in the home directory of whichever user the key is for)
#chmod 700 /home/dacongtou/.ssh  (restrict the .ssh directory to its owner)

Then upload the public key file generated by SecureCRT on the Windows client,

Identity.pub, and run
#ssh-keygen -i -f Identity.pub >> /home/dacongtou/.ssh/authorized_keys

SecureCRT writes the public key in SECSH (RFC 4716) format, a multi-line file with "---- BEGIN SSH2 PUBLIC KEY ----" header lines; ssh-keygen -i converts it into the one-line OpenSSH format that authorized_keys expects, so the file must not be appended as-is.
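As an added example (not code from the original page or from SecureCRT), the script below does the conversion step with ssh-keygen and checks that the imported key is the same key, by comparing the key blob and the fingerprint before and after the round trip. It needs ssh-keygen on the PATH; the key pair it works on is generated on the spot, so nothing in it is a real credential, and the SECSH file stands in for the Identity.pub SecureCRT would produce.

```sh
#!/bin/sh
# Added example, not from the original post: convert a SECSH/RFC 4716
# public key (the format SecureCRT writes to Identity.pub) into OpenSSH's
# one-line form, as "ssh-keygen -i -f Identity.pub" does, and verify that
# the converted key is the same key. Requires ssh-keygen.

# Print the OpenSSH one-line form ("type base64-blob") of the public key in
# file $1. A file already in OpenSSH format is passed through with its
# comment dropped, so either Identity.pub or id_rsa.pub can be given.
to_openssh_pubkey() {
    if grep -q '^---- BEGIN SSH2 PUBLIC KEY ----' "$1"; then
        ssh-keygen -i -m RFC4716 -f "$1"
    else
        awk 'NF >= 2 { print $1, $2; exit }' "$1"
    fi
}

# Fingerprint of the key in file $1, whichever of the two formats it is in.
# ssh-keygen -l prints "<bits> <fingerprint> <comment> (<type>)".
pubkey_fingerprint() {
    t=$(mktemp) || return 1
    to_openssh_pubkey "$1" > "$t"
    ssh-keygen -l -f "$t" | awk '{print $2}'
    rm -f "$t"
}

# Round trip in a temporary directory: OpenSSH key -> RFC 4716 (what
# SecureCRT ships) -> OpenSSH again. Prints the converted line and returns
# 0 only when type, blob and fingerprint all match the original.
roundtrip_demo() {
    tmp=$(mktemp -d) || return 1
    ssh-keygen -q -t ed25519 -N '' -C 'securecrt-test' -f "$tmp/id" </dev/null
    ssh-keygen -e -m RFC4716 -f "$tmp/id.pub" > "$tmp/Identity.pub"
    orig=$(awk '{print $1, $2}' "$tmp/id.pub")
    conv=$(to_openssh_pubkey "$tmp/Identity.pub")
    fp_orig=$(pubkey_fingerprint "$tmp/id.pub")
    fp_conv=$(pubkey_fingerprint "$tmp/Identity.pub")
    rm -rf "$tmp"
    [ "$orig" = "$conv" ] && [ "$fp_orig" = "$fp_conv" ] && printf '%s\n' "$conv"
}

# usage on the server, after uploading Identity.pub:
#   to_openssh_pubkey Identity.pub >> ~/.ssh/authorized_keys
#   pubkey_fingerprint Identity.pub   # compare with what SecureCRT shows
```

Comparing the fingerprint that SecureCRT displays with pubkey_fingerprint on the uploaded file is the cheap way to catch a key that was mangled in transfer (a wrapped or truncated line in authorized_keys fails silently; sshd just never matches it).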


Another backup:

Default configuration
Default sshd_config file
# Package generated configuration file
# See the sshd(8) manpage for details
# What ports, IPs and protocols we listen for
Port 22
#listens on port 22 by default
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
#use only the SSH 2 protocol
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#the host keys are stored here
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
#the network-facing, unprivileged part of sshd runs as the dedicated sshd user, which must exist
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
The server generates this key at startup and regenerates it at a fixed interval; here the length is 768 bits (minimum 512) and the interval 3600 seconds. Both options concern only the obsolete protocol 1 and have no effect with Protocol 2.
# Logging
SyslogFacility AUTH
#syslog facility to log to (KERN, DAEMON, USER, AUTH, MAIL, ...)
LogLevel INFO
#log at level INFO; from lowest to highest the levels are QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG. DEBUG exposes users' private data and must only be used for diagnosis, never in normal operation.
# Authentication:
LoginGraceTime 120
#how long (in seconds) the server waits for a login to succeed before it drops the connection.
PermitRootLogin yes
#allow root to log in directly (the usual hardening is to set this to no and use a normal account plus sudo)
StrictModes yes
#whether sshd checks the permissions and ownership of the user's home directory and rhosts files before accepting a login. Usually necessary, because beginners often make their directories and files writable by everyone.
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile     %h/.ssh/authorized_keys

# Don’t read the user’s ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
#completely forbid sshd from using .rhosts files
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
#whether rhosts-based authentication combined with RSA host authentication is used.
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don’t trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
#whether sshd ignores the user's "$HOME/.ssh/known_hosts" when doing RhostsRSAAuthentication
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
#do not allow empty passwords
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
#challenge-response authentication off
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
#whether password authentication (the password travels inside the encrypted tunnel) is used; the default is yes
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#Kerberos options
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPI options
X11Forwarding yes
#allow X11 forwarding
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
If there are no special requirements the default settings are good enough for everyday use.
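As an added example (not from the original page), the script below audits an sshd_config text the way sshd itself reads it: the first occurrence of a directive wins, keywords are case-insensitive, and "#" lines are comments. It flags the settings in the default file above that a hardened host should change. The sample config is constructed from the defaults listed above with one extra, deliberately ignored, PermitRootLogin no at the end; the default values passed to each check are assumed to be the ones sshd applied when a directive was absent at the time this file was written (PermitRootLogin's built-in default later became prohibit-password).

```sh
#!/bin/sh
# Added example, not from the original post: evaluate an sshd_config as
# sshd does (first match wins, keyword case-insensitive, "#" comments and
# blank lines ignored) and report the settings a hardened host should not
# keep. The config text is constructed from the defaults listed above.

SAMPLE_SSHD_CONFIG='# Package generated configuration file
Port 22
Protocol 2
UsePrivilegeSeparation yes
PermitRootLogin yes
StrictModes yes
PubkeyAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
#PasswordAuthentication yes
X11Forwarding yes
PermitRootLogin no
UsePAM yes'

# sshd_get KEYWORD DEFAULT: print the effective value of KEYWORD from the
# config on stdin. Only the first occurrence counts, so the trailing
# "PermitRootLogin no" in the sample is ignored exactly as sshd ignores it.
sshd_get() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" -v def="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key && !done { print $2; done = 1 }
        END { if (!done) print def }'
}

# Read a config on stdin, print one finding per line, return 1 if any.
# The DEFAULT argument of each check is the value sshd assumed when the
# directive was absent in the sshd era of the file above (assumption).
audit_sshd_config() {
    cfg=$(cat)
    rc=0
    check() {   # check KEYWORD DEFAULT EXPECTED MESSAGE
        val=$(printf '%s\n' "$cfg" | sshd_get "$1" "$2")
        if [ "$val" != "$3" ]; then
            echo "$1 is $val: $4"; rc=1
        fi
    }
    check PermitRootLogin yes no "log in as a normal user and escalate instead of exposing root"
    check PasswordAuthentication yes no "turn password auth off once keys are installed (it is on by default)"
    check PermitEmptyPasswords no no "never accept empty passwords"
    check X11Forwarding no no "disable X11 forwarding unless it is actually used"
    check Protocol 2 2 "only protocol 2 has usable security"
    return $rc
}

# usage:
#   printf '%s\n' "$SAMPLE_SSHD_CONFIG" | audit_sshd_config
#   sshd -T | audit_sshd_config      # effective config of a live host (run as root)
```

sshd -T prints every effective value with the keyword in lower case, which is why sshd_get lower-cases before comparing; the same audit therefore works on the file and on what the daemon actually loaded, and the two can disagree when a directive appears twice.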
Password-based authentication
By default ssh still accepts traditional password authentication, which needs no configuration at all: you log in to the remote host with your account and password. Everything on the wire is encrypted, but the password proves nothing about the server; only the server's host key, checked against known_hosts, does that. If you accept an unknown host key without verifying its fingerprint, another machine can impersonate the real server and capture the password, which is the "man-in-the-middle" attack.
Log in to the server like this:
$ ssh tony@192.168.102.50
tony@192.168.102.50's password:
Linux vmdebian 2.6.16-2-486 #1 Fri Aug 18 18:39:04 UTC 2006 i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Dec  8 12:31:58 2006 from 192.168.102.249
$
Key-based authentication
Key authentication relies on a key pair. Generate one with the ssh-keygen command: the private key is stored in ~/.ssh/id_rsa and the public key in ~/.ssh/id_rsa.pub. The public key has to be copied to the remote server; when you then log in, the client asks the server to authenticate you with your key, and the server looks for your public key in your home directory on that server and uses it to verify the client's signature. ssh-keygen generates RSA keys by default; for DSA use -t, e.g. ($ ssh-keygen -t dsa). (DSA keys are disabled by default since OpenSSH 7.0, so on current systems stick with RSA or ed25519.)
tony@tonybox:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/tony/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/tony/.ssh/id_rsa.
Your public key has been saved in /home/tony/.ssh/id_rsa.pub.
The key fingerprint is:
5e:25:fe:32:af:96:e5:e2:c9:55:ad:f9:d2:f1:67:5d tony@tonybox
tony@tonybox:~$

Then use scp to upload the public key into the .ssh directory of the corresponding user on the remote SSH server, renaming it authorized_keys (this overwrites any keys already there; append with cat >> if you need to keep them), and make sure its mode is 644 (600 works too; it must not be group- or world-writable).
tony@tonybox:~/.ssh$ scp id_rsa.pub tony@192.168.102.50:.ssh/authorized_keys
tony@192.168.102.50's password:
id_rsa.pub                                                      100%  394     0.4KB/s   00:00
tony@tonybox:~/.ssh$

From now on, logging in to this SSH server uses the public key you uploaded for authentication.
tony@tonybox:~$ ssh tony@192.168.102.50
Linux vmdebian 2.6.16-2-486 #1 Fri Aug 18 18:39:04 UTC 2006 i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Oct 26 12:59:12 2006 from 192.168.102.43
tony@vmdebian:~$
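The key installation from steps 1 and 2 at the top of the page and from this section, as an added example that is not the original post's code: it appends a public key to authorized_keys the way cat >> does but without creating duplicates, sets the modes sshd expects, and then performs the same writability check that StrictModes performs. The home directory it works in is a temporary one and the key line is constructed; the blob is not a real key.

```sh
#!/bin/sh
# Added example, not code from the original post: install a public key
# into authorized_keys the way "cat id_rsa.pub >> authorized_keys" does,
# but idempotently and with the modes sshd's StrictModes insists on.
# The home directory is a temporary one and the key blob is made up.

# Succeed if $1 is writable by group or others, which is what makes
# StrictModes refuse to use the key. Works on files and directories.
loose_perms() {
    [ -n "$(find "$1" -prune \( -perm -g+w -o -perm -o+w \) 2>/dev/null)" ]
}

# install_authorized_key 'ssh-ed25519 AAAA... comment' /home/user
# Appends the line unless a line with the same key blob is already there
# (the comment is ignored, so the same key re-uploaded with a new comment
# is a no-op). Lines with a leading options field ("from=...") are not
# handled. Creates ~/.ssh with mode 700 and the file with mode 600.
install_authorized_key() {
    key_line=$1; home=$2
    blob=$(printf '%s\n' "$key_line" | awk '{print $2}')
    [ -n "$blob" ] || { echo "not an OpenSSH public key line: $key_line" >&2; return 1; }
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 1
    keys="$home/.ssh/authorized_keys"
    [ -f "$keys" ] || : > "$keys"
    chmod 600 "$keys"
    if ! awk -v b="$blob" '$2 == b { found = 1 } END { exit !found }' "$keys"; then
        printf '%s\n' "$key_line" >> "$keys"
    fi
}

# check_strict_modes /home/user
# The same test sshd applies before trusting the key file: the home
# directory, ~/.ssh and authorized_keys must exist and none of them may be
# group- or world-writable (ownership is not checked here). Prints the
# first offending path and returns 1.
check_strict_modes() {
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || { echo "missing: $p"; return 1; }
        if loose_perms "$p"; then
            echo "StrictModes would ignore the key: $p is group/world writable"
            return 1
        fi
    done
    return 0
}

# Constructed sample: the blob is not a real key.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOnlyNotARealKey tony@tonybox'

# usage on the server, after uploading id_rsa.pub with scp:
#   install_authorized_key "$(cat id_rsa.pub)" "$HOME" && check_strict_modes "$HOME"
```

ssh-copy-id does the same append from the client side; the check is still worth running on the server, because a group-writable home directory is the most common reason a freshly installed key "does not work" with no error message other than a password prompt.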

If the key has a passphrase, the login goes like this:
tony@tonybox:~$ ssh tony@192.168.102.50
Enter passphrase for key '/home/tony/.ssh/id_rsa':
Linux vmdebian 2.6.16-2-486 #1 Fri Aug 18 18:39:04 UTC 2006 i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Oct 26 14:27:58 2006 from 192.168.102.43
tony@vmdebian:~$

If the client's private key id_rsa is renamed and the server's sshd_config has the following setting, the login is refused outright, because publickey is the only method left:
PasswordAuthentication  no

tony@tonybox:$ mv  /home/tony/.ssh/id_rsa /home/tony/.ssh/id_rsa.bak
tony@tonybox:$ ssh tony@192.168.102.50
Permission denied (publickey).
tony@tonybox:~$

If instead the server's sshd_config has:
PasswordAuthentication  yes
then when the key passphrase is entered wrongly, or the key does not exist, ssh falls back to password authentication:
tony@tonybox:~$ ssh tony@192.168.102.50
Enter passphrase for key '/home/tony/.ssh/id_rsa':
tony@192.168.102.50's password:
Linux vmdebian 2.6.16-2-486 #1 Fri Aug 18 18:39:04 UTC 2006 i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Oct 26 17:30:43 2006 from 192.168.102.43
tony@vmdebian:~$

