$ ssh-keygen -C"baxiang@roobo.com"
Generating public/private rsa key pair.
Enter file in which to save the key (/home/baxiang/.ssh/id_rsa):
Created directory '/home/baxiang/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/baxiang/.ssh/id_rsa.
Your public key has been saved in /home/baxiang/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:T/xaWUh9DDLE+ZVxk5D8ApaGbqo7GK9xQ7YVgQFHVdE baxiang@roobo.com
The key's randomart image is:
+---[RSA 2048]----+
| .o++o.o+o*o+o=|
| .. .. Eo* =+|
| .. o o.o.o|
| .+ . o.o |
| o .S o . o |
| .o o. o . o |
| .++. . + |
| .o+. o |
| ...o . |
+----[SHA256]-----+

But afterwards, SSH logins to the server that had previously worked started failing with: Permission denied (publickey). The fix is ssh-add privateKey.
ssh-add: permanently adding a private key to the Keychain
After configuring SSH we run ssh-add privateKey to load the private key, but then notice a problem: after every reboot the key has to be ssh-add'ed again. Having to re-add it after each reboot is obviously more than programmers like us can put up with. The fix is to add the private key with ssh-add -K privateKey instead, which stores it once and for all in the Mac's own keychain, i.e. the Keychain. A brief explanation of how this works follows.

First, one thing to understand: ssh-add is not a command for permanently remembering the private key you use. All it actually does is add the private key you specify to a session managed by ssh-agent, and ssh-agent is a temporary session service for holding private keys. In other words, after a reboot the ssh-agent service is reset and its session is gone.

Since ssh-agent is temporary, where on a Mac can keys be stored permanently? Obviously the Keychain. After running ssh-add -K privateKey, it can

Apple updated its Technical Notes to indicate that since 10.12.2, macOS includes version 7.3p1 of OpenSSH and its new behaviors.

In ~/.ssh create a config file with the following content (use Host * for all hosts, or name a specific host instead; IdentityFile points at your key, e.g. ~/.ssh/userKey):

Host *
  AddKeysToAgent yes
  UseKeychain yes
  IdentityFile ~/.ssh/userKey

Adding a public key for remote login

ssh-copy-id -i ~/.ssh/id_rsa.pub remote_user@IP_address

Viewing the public keys authorized for remote login

cat ~/.ssh/authorized_keys

JumperServer passwordless login

After switching to JumperServer, every time you want to connect to a remote server you have to pick the private key file, type a password twice and type the IP once, which is very tedious. Can one short command do all of it? The answer is yes.

Steps to simplify this:

  1. Convert the JumperServer private key into a passphrase-free private key
  2. Add the private key to the Keychain with ssh-add
  3. Set up command aliases to shorten the commands

1. Convert the JumperServer private key into a passphrase-free private key

Use openssl to strip the passphrase from the private key:

# Command
openssl rsa -in server.key -out server2.key
# As actually run
openssl rsa -in shenlongguang_aliyun.pem -out shenlongguang_aliyun_passwordless.pem

2. Add the private key to the Keychain with ssh-add

ssh-add -k /Users/sloong/Documents/company/analysys/jumperServerKeys/shenlongguang_aliyun_passwordless.pem

If the following error appears, the private key file's permissions are the problem:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '/Users/sloong/Documents/company/analysys/jumperServerKeys/shenlongguang_aliyun_passwordless.pem' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.

# Fix the file permissions
chmod 700 shenlongguang_aliyun_passwordless.pem

3. Set up command aliases to simplify typing

Edit the ~/.zshrc file (bash is much the same) and add the following aliases:

alias ssh-add-ali='ssh-add -k /Users/sloong/Documents/company/analysys/jumperServerKeys/shenlongguang_aliyun_passwordless.pem'
alias ssh-ali='ssh shenlongguang@123.56.25.ip'

Now running ssh-add-ali adds the private key straight to the Keychain (it only needs to be run once after a reboot, since it is lost on reboot). The next time you need to ssh to the remote server, just run ssh-ali and there is no IP or password to type at all.

~ ssh-add-uc
Identity added: /Users/sloong/xxx/shenlongguang_aliyun_passwordless.pem)
~ ssh-ali
Last login: Wed May  3 09:25:25 2017 from 218.76.1.ip

Welcome to aliyun Elastic Compute Service!
......
$ ssh root@123.***.***.34
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:xv9d+LHzS3VcVK4PVwMcmzoGRQ5ZPqvDGmdJ0CjCB9o.
Please contact your system administrator.
Add correct host key in /Users/faker/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /Users/faker/.ssh/known_hosts:2
ECDSA host key for 123.***.***.34 has changed and you have requested strict checking.
Host key verification failed.
$ ssh-keygen -R 123.***.***.34
# Host 123.***.***.34 found: line 2
/Users/faker/.ssh/known_hosts updated.
Original contents retained as /Users/faker/.ssh/known_hosts.old
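Two checks that go with the warnings quoted above, as an added example that is not part of the original post: the first reproduces OpenSSH's "too open" test for a private key file (the UNPROTECTED PRIVATE KEY FILE case), the second decides whether a REMOTE HOST IDENTIFICATION HAS CHANGED warning justifies running ssh-keygen -R, by comparing the fingerprint the server presented with one confirmed out of band (the function names, the sample warning text and the confirmed fingerprint are assumptions for the example).

```shell
#!/bin/sh
# Added example, not code from the original post. Two checks to run before the
# commands shown above: (1) is a private key's file mode acceptable to OpenSSH,
# i.e. no group/other bits (the condition behind UNPROTECTED PRIVATE KEY FILE);
# (2) given the text of a REMOTE HOST IDENTIFICATION HAS CHANGED warning plus a
# fingerprint confirmed out of band with the server's admin, may the old
# known_hosts line be dropped with ssh-keygen -R?

# Print a file's octal mode; works with GNU stat (Linux) and BSD stat (macOS).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 when group and other have no bits at all (600, 700, ...), else 1
# (644 is what ssh-add rejected in the post).
key_perms_ok() {
  case "$(file_mode "$1")" in
    *00) return 0 ;;
    *)   return 1 ;;
  esac
}

# Pull the "SHA256:..." line out of warning text read from stdin (dropping the
# trailing period ssh prints after it).
presented_fingerprint() {
  sed -n 's|^\(SHA256:[A-Za-z0-9+/=]*\)\.*$|\1|p'
}

# Pull the known_hosts line number from "Offending ... key in <file>:N".
offending_line() {
  sed -n 's|^Offending .* key in .*:\([0-9][0-9]*\)$|\1|p'
}

# Usage: host_key_change_verdict <confirmed_fingerprint> < warning_text
# Prints "remove-line N" (safe to run ssh-keygen -R and reconnect) only when the
# key the server presented matches the confirmed one; otherwise prints "stop":
# a mismatch is the man-in-the-middle case the warning describes, so leave
# known_hosts alone and do not log in.
host_key_change_verdict() {
  text=$(cat)
  presented=$(printf '%s\n' "$text" | presented_fingerprint)
  line=$(printf '%s\n' "$text" | offending_line)
  if [ -n "$presented" ] && [ "$presented" = "$1" ] && [ -n "$line" ]; then
    printf 'remove-line %s\n' "$line"
  else
    printf 'stop\n'
  fi
}

# Constructed sample: the relevant lines of the warning quoted in the post.
SAMPLE_WARNING='The fingerprint for the ECDSA key sent by the remote host is
SHA256:xv9d+LHzS3VcVK4PVwMcmzoGRQ5ZPqvDGmdJ0CjCB9o.
Offending ECDSA key in /Users/faker/.ssh/known_hosts:2'
```

Run it as printf '%s\n' "$SAMPLE_WARNING" | host_key_change_verdict 'SHA256:<fingerprint the admin gave you>' and only issue ssh-keygen -R when the verdict is remove-line.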