如何在两个不同的帐户之间设置无密码身份验证 [英] How to setup the passwords-less authentication between two different accounts
问题描述
我们可以在两台机器的两种不同用途之间设置少密码验证吗?
Can we setup a password less authentication between two different uses in two machine.
例如:计算机A具有用户A,计算机B具有用户B. 我们能否为用户A从计算机A设置密码ssh以使用其用户帐户(A)登录到计算机B.
Eg: Computer A has user A,Computer B has user B. Can we setup passwords ssh that User A from Computer A to log into computer B using his User account(A).
谢谢!
推荐答案
如果我理解您的问题,您是否可以设置ssh-keys
允许用户A 和用户B 登录到两台不同的计算机 A& B 没有提供密码?可以,但是用户A 不能通过ssh登录到用户B 的帐户,而用户A 只能登录用户B 在本地计算机上的帐户. ($HOME
等的目录所有权是不同的.这就是su
的用途.)
If I understand your question, can you set up ssh-keys
to allow user A and user B to log into to two different computers A & B without providing a password? Sure, but user A can't log into user B's account via ssh any more than user A can log into user B's account on a local machine. (directory ownerships are different for the $HOME
, etc.. That's what su
is for).
要创建较少密码的登录名,让我们以用户A 和计算机A 为例,该用户在计算机B 上拥有一个帐户,并且希望ssh hostnameB
并在不提供密码的情况下登录.
To create a password less login, let's take user A and computer A who has an account on computer B and would like to ssh hostnameB
and login without providing a password.
(1)用户A使用ssh-keygen -t ecdsa
在计算机A 上创建 public_key 和 private_key (ecdsa
加密密钥.由于当前opensh中的不安全性,不再支持dsa
密钥).运行ssh-keygen
时,它将创建两个文件(默认情况下,在$HOME/.ssh
中).密钥为id_edcsa
(私钥)和id_ecdsa.pub
(公钥).
(1) user A creates a public_key and private_key on computer A with ssh-keygen -t ecdsa
(for an ecdsa
encryption key. dsa
keys are no longer supported due to insecurity in the current openssh). When ssh-keygen
is run it will create two files (by default in $HOME/.ssh
). The keys are id_edcsa
(the private key) and id_ecdsa.pub
(the public key).
(2),用户A 在没有密码的情况下登录计算机B ,他必须首先转移他的 public_key 到计算机B 并将其添加到他在计算机B 上的$HOME/.ssh/authorized_keys
文件中.例如从计算机A :
(2) for user A to login to computer B without a password, he must first transfer his public_key to computer B and add it to his $HOME/.ssh/authorized_keys
file on computer B. e.g. from computer A:
$ ssh-keygen -t ecdsa # generate key-pair
$ cd ~/.ssh # verify private and public keys created
$ rsync -a id_ecdsa.pub hostnameB:~/.ssh/id_ecdsa.pub.hostA
password: enter pw
$ ssh hostnameB
password: enter pw
$ cd ~/.ssh
$ cat id_dsa.pub.hostA >> authorized_keys # permissions must be 0600
$ exit # exit hostnameB
注意:,如果您确定尚不存在公钥目录,则可以在上面的计算机B ~/.ssh/authorized_keys
文件中将rsync
的公共目录rsync
跳过将复制的文件复制到上面的最后一步.例如
note: above you could rsync
the public_key directory to the computer B ~/.ssh/authorized_keys
file if you are sure one does NOT already exist to save time a completely skip the last step copying the transferred file into it above. e.g.
$ rsync -a id_ecdsa.pub hostnameB:~/.ssh/authorized_keys
(随后您可能必须检查计算机B 上的权限)
(you may have to check permissions on computer B afterwards)
现在进行测试,用户A 不再需要密码即可进入计算机B .从计算机A :
Now for the test, user A should no longer need a password to long into computer B. From computer A:
$ ssh hostnameB
$ welcome to hostnameB>
现在,您只需重复为每个用户创建密钥对并将 public_key 转移到您想要访问其密码的主机并添加 public_key 的过程.到 authorized_keys 文件. (请注意:您可以只将相同的 private_key 复制到每个人的~/.ssh
目录中,然后将相同的 public_key 添加到每个人的~/.ssh/authorized_keys
文件中,但是这样做的目的是具有单独的键). 注意:每个authorized_keys
文件必须由拥有$HOME/.ssh
目录的用户拥有,并且文件许可权必须为0600
(-rw-------
)或sshd
不允许连接.
Now you simply repeat the process of creating key-pairs for each user and transferring the public_key to the host you want to access w/o a password and add the public_key to the authorized_keys file. (note: you can just copy the same private_key to everyone's ~/.ssh
directory and add the same public_key to everyone's ~/.ssh/authorized_keys
file, but that sort of defeats the purpose of having separate keys). note: each authorized_keys
file must be owned by the user owning the $HOME/.ssh
directory and the file permissions must be 0600
(-rw-------
) or sshd
will not allow a connection.
仅此而已(您可以签入/etc/ssh/sshd_config
以确保authorized_keys
文件的名称未更改为其他名称.
That's all there is to it (you can check in /etc/ssh/sshd_config
to insure the name of authorized_keys
file has not been changed to something else.
尝试一下,如果您有任何疑问,请告诉我.我做了数百次-只要您遵守这些规则,就没有问题.
Give it a try and let me know if you have questions. I done it hundreds of times -- no issues as long as your follow those rules.
这篇关于如何在两个不同的帐户之间设置无密码身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!